Information Security: Where the Dangers Are
Sent: Wednesday, July 20, 2005 6:11 AM
Subject: Information Security: Where the Dangers Are
Where the Dangers Are
DAVID BANK and RIVA RICHMOND
Wall Street Journal
18 July 2005
In the world of cybercrime, the bad guys are getting smarter and more ambitious.In recent months, hackers have carried out a flurry of increasingly sophisticated attacks, highlighting the vulnerability of key computer networks around the world. Criminals penetrated the database of CardSystems Solutions Inc., nabbing up to 200,000 Visa, MasterCard, American Express and Discover card numbers and potentially exposing tens of millions more.
Leading high-tech companies in Israel allegedly planted surveillance software on the computers of their business rivals. British security officials warned of a computer attack aimed at stealing sensitive information from banks, insurers and other parts of that country's "critical infrastructure." Security experts fear things will only get worse. As technology gets more complex, more vulnerabilities are springing up in computer networks and more criminals, terrorists and mischief makers are rushing to exploit them.
"What people can do on computer networks and what they can find on them has increased tenfold from a few years ago," says Bill Hancock, chief security officer of Savvis Inc., a major Internet-service provider. Infiltrating those machines and using them for evil intent is easier than ever, he says. Some of the threats are well known; home-computer users for years have battled viruses and spam and more recently have been barraged with spyware, adware and fraudsters "phishing" for sensitive information.
Less visible is the constant probing of corporate networks by would-be intruders seeking trade secrets or competitive intelligence, and the data breaches caused by disgruntled or dishonest insiders. Meanwhile, government authorities report that hackers are stepping up attempts to attack critical systems such as water, electricity, finance, transportation and communications.
Last year, the Department of Homeland Security prepared a worst-case cyberdisaster scenario where criminals broke into financial-services facilities. Twenty million credit cards were canceled, automated teller machines failed nationwide, payroll checks couldn't be delivered, and computer malfunctions caused a weeklong shutdown of pension and mutual-fund companies. "Citizens no longer trust any part of the U.S. financial system," the scenario concluded.
Here's a look at the threats the security experts worry about the most and what businesses and consumers can do to protect themselves. TARGETED ATTACKSThe mass mailings of worms and viruses that clogged email in-boxes and corporate networks in recent years have given way to less visible but more dangerous attacks aimed at specific business and government targets. In many cases, these invasions involve a Trojan malicious software that hides inside another, innocuous program.
Once planted on a victim's computer system, the Trojan can, among other things, steal information at will and send it back to a criminal. Trojans that are customized for a specific target are particularly dangerous, since conventional antivirus programs are designed to spot and block previously identified threats. "Because these things are one-off, the virus scanners do not recognize them at all," says Bryan Sartin, director of technology for Ubizen, a unit of Cybertrust Inc. of Herndon, VA.
Criminals use a variety of methods to get Trojans onto their targets' systems. Often, they trick employees at a targeted company into installing the software. In the Israeli case, law-enforcement officials discovered that the alleged perpetrators gave victims floppy disks containing seemingly legitimate business proposals. The disks contained Trojans that used "key logger" software to record what users typed, and then transmitted that data, along with documents and emails, to a computer in London. Hackers also take advantage of security flaws in Web browsers.
Last year, hackers invaded the computer system of a large bank using a known, but unpatched, vulnerability in Microsoft Corp.'s Internet Explorer, says Alfred Huger, senior director of engineering for computer-security firm Symantec Corp., Cupertino, Calif., who investigated the break-in. For 90 days, the criminals collected network and database passwords and intercepted secure communications, among other things. Mr. Huger says he doesn't know how much money was lost. Security experts are increasingly concerned about break-ins that come via a company's partners and vendors.
These smaller companies often have privileged access to their larger partner's computer systems, but may not be as well protected. Last year, John Pironti, a security consultant with Unisys Corp., of Bluebell, Pa., says he helped discover a powerful Trojan that had been planted in the computer network of a major financial institution. A hacker penetrated one of the bank's custom-software suppliers and discovered the "open pipe" to the financial-services provider's network.
The most effective method for protecting against such attacks is also the simplest disconnect databases containing sensitive information, such as credit-card data, from the Internet. "Systems like that should not have Internet access, period," says Ubizen's Mr. Sartin. If that's not possible, all such systems should have "firewall" technology that monitors Internet connections and raises a red flag if it detects suspicious activity, such as high volumes of data sent at unusual times.
Other tools can take a snapshot of legitimate system configurations and sound alarms when changes occur. And, of course, all computers need to be kept up to date with security patches and antivirus software, and users need to be educated about opening unknown attachments or visiting suspicious Web sites. BOTNETSA single computer infected with a Trojan is bad enough. An army of infected computers is a weapon of mass digital destruction. "Botnets," short for robot networks, are made up of home and business PCs that have been taken over by hackers and joined together to create remote-controlled networks.
The hackers (sometimes called "bot herders") use the combined power of these machines to mount a variety of Internet attacks, right under the noses of the PCs' rightful owners. The size, and power, of such botnets is growing rapidly, as bot herders learn how to manage networks of tens of thousands of compromised "zombie" or "drone" PCs. Here's how it works: Hackers or criminals slip Trojans carrying the bot software onto the PCs of unwitting targets.
The infected computers are then programmed to listen for instructions, generally sent via instant-messaging channels. Once assembled, the botnet can be used to send spam, launch phishing attacks or disrupt a Web site by flooding it with visits, a so-called denial-of-service attack. One popular tactic of organized cybercriminals: denial-of-service attacks against Internet gambling sites.
The criminals then extort the sites for payment to halt the attack.Home computers, which generally lack sophisticated network-monitoring tools, are most vulnerable to becoming unwitting conscripts. Early last year, Time Warner Cable began sending Matt McKay "spam ticket" citations and threatened to turn off his Internet service. The 32-year-old Charlotte, NC, attorney wasn't moonlighting as a spammer.
A hacker had hijacked his computer. "I was spamming people, and I didn't know it," he says. The Federal Trade Commission in May urged Internet-service providers to more actively combat botnets, which the FTC estimated send as much as 80% of spam. The FTC suggested ISPs monitor their customers for suspicious emailing patterns, block Internet connections favored by bot herders and help consumers clean up infected machines.
BLACKOUTS In last season's television thriller "24," terrorists used the Internet to penetrate control systems at dozens of U.S. nuclear power plants and cause one to melt down. Hollywood fantasy? Security experts warn that such an attack is not as far-fetched as it might seem. The systems used to control the nation's water, power, transportation and communication systems are increasingly being connected to corporate networks that are in turn connected to the Internet.
That makes it easier to control and maintain the systems remotely, but also makes the systems vulnerable to viruses, worms and other Net-based threats. Cyberattacks that successfully penetrate such "supervisory control and data acquisition," or Scada, systems appear to be increasing. The British Columbia Institute of Technology and the PA Consulting Group in London, which documented a handful of such incidents through 2000, have reports of at least 80 successful attacks world-wide since 2001. "Some just snoop around, some do damage," says Eric Byres, who manages the research project. In May, the General Accounting Office reported similar findings.
Security consultants cited in the report said hackers are continuously probing the power grid for vulnerabilities; in some cases, intruders gained access to utilities' control systems and affected operations, though not causing serious damage. The vulnerability of vital networks was highlighted by the Northeast blackout of 2003. Though not caused by a cyberattack, the incident was exacerbated by one: The "Blaster" worm, which had been released days earlier, clogged communications links and hurt operators' ability to stem the cascading blackout. Security experts say such power-control systems are unlikely to be the primary target of terrorists, who arguably are more interested in spectacular physical attacks that generate casualties.
But experts are increasingly concerned that attacks on critical systems could be used in conjunction with more-violent tactics to compound the damage for instance, by disabling emergency-response systems. Some of the vulnerabilities of these control systems can be offset by rigorous compliance with standard cybersecurity practices. Congress is considering adding such requirements to the federal energy bill now pending. But many security experts say existing Scada systems are obsolete and need to be replaced by new sensors with multiple layers of security, including in the hardware, the network and the application.
Perhaps more important, says S. Shankar Sastry, a professor of electrical engineering at the University of California, Berkeley, are strategies for "graceful degradation," for example by installing several layers of defenses, to ensure that vital networks remain at least partly operational during and after a major attack. "We should expect in the future for attacks to succeed," Mr. Sastry says. "The question is: How do you keep the infrastructure from completely falling apart?"
CRASHING THE NET Hackers can take down a corporate computer
But could they crash the whole Internet? The same qualities of trust and openness that have made the Internet successful also make it vulnerable to major outages. The experts' top worry: an arcane mechanism known as the "border gateway protocol." The protocol is used by the hundreds of networks that make up the Internet to advertise their routes so they can carry each other's traffic. By falsifying such announcements, hackers could intercept Internet traffic, modify it or simply make it vanish by directing it to bogus or nonexistent routes.
And by directing a flood of traffic onto a route too small to handle it, a hacker could overload and crash at least parts of the global Internet. "You can take out some portion of the Net for some amount of time," says Steven Bellovin, a longtime security expert at AT&T Labs and now professor of computer science at Columbia University.
If a sophisticated adversary sent out fraudulent routing announcements from a dozen different points, "you could have a very serious situation," he says. In the past decade, security specialists say, inadvertent glitches in the protocol have caused a half-dozen large network outages and many smaller ones.
In December 1999, such a mistake took down AT&T's Worldnet Internet service for most of a day, leaving 1.8 million customers without Web access. An even larger outage occurred two years earlier, when a small Internet-service provider mistakenly advertised incorrect routes, causing a two-hour disruption for large parts of the Internet. Now, security experts are seeing apparently intentional attacks exploiting the weaknesses in the protocol. In one case, the Web site of a large Internet-networking company vanished, meaning no traffic could reach it for several hours.
In another, some Internet traffic went into a "black hole" along an advertised route that didn't really exist; email, Web requests and so on simply disappeared. Neither incident was considered serious, but they showed "the threat is real," says Craig Labovitz, director of engineering at Arbor Networks Inc., a network-security firm in Lexington, Mass.
Spammers are also starting to take advantage of the technique. By advertising fake Internet addresses for just long enough to launch their spam, then withdrawing the addresses, it's possible to erase any trail that law enforcement might follow. "Nobody can find it," Mr. Bellovin says. "It's not in the database. You can't map your way to it. It's just gone." Because the Internet is used by nearly everybody but owned by no one, systemic vulnerabilities have proved difficult to correct. For starters, a change would require upgrades to thousands of routers.
And there's no consensus on how to fix the border-gateway protocol.Still, the Net has proved remarkably resilient against large-scale attacks. "We've been hearing these end-of-the-Internet stories for the last 10 years," Mr. Labovitz says. "But we haven't seen many of these mega-attacks." The most likely reason: Hackers, thieves and terrorists have come to depend on the Internet just like everybody else, and don't want it wrecked.PHRAUDInternet-related fraud accounted for 53% of all consumer-fraud complaints made to the Federal Trade Commission last year.
Among the biggest threats are those involving scammers who use elaborate ruses to pretend to be someone else.In "phishing" scams, fraudsters send emails that appear to come from a trusted source, like Citibank or eBay. Click on a link in the email, and you're directed to a fake Web site, where you're asked to reveal account numbers, passwords and other private information. In some cases, phishing sites plant hidden programs, such as key loggers, on victims' computers. So even if a visitor doesn't enter any data into the phony site, the phisher can try to filch it later.Then there's "pharming," where hackers attack the server computers where legitimate Web sites are housed.
Type in the address of the legitimate site, and you are redirected to a look-alike. In a similar ruse, hackers use Trojans to manipulate the browser cache on a victim's computer, where copies of Web pages are stored so that they don't have to be reloaded from scratch with each visit. When you visit a site stored in your cache, you are directed to a fake site instead. In "Evil Twin" attacks, hackers set up Wi-Fi hot spots that trick your computer into thinking it's accessing your home wireless network or a safe public network. While you use the network, attackers can monitor your moves and steal the information you enter into a Web site, if the site doesn't have the right safety measures.
To combat phishing, assume that any email asking for personal information is a fake, says Robert C. Chesnut, senior vice president of rules, trust and safety at eBay Inc. Consumers can also get help from new phishing-site blockers from service providers Time Warner Inc.'s America Online unit and EarthLink Inc. As for pharming, some banks are beginning to look at ways to help consumers distinguish real sites from fake ones, such as letting consumers choose personalized images that appear on the site whenever they visit.
To combat the variation on pharming that involves meddling with PCs, consumers should be sure to regularly sweep for Trojans with antivirus and antispyware programs available from companies such as Symantec, McAfee Inc. and Webroot Software Inc. For Evil Twin attacks, wireless users should enter private information only into sites that protect data with encryption technology, which is signified by a little lock on the bottom of the page.
HIJACKING Many hackers who covertly take control of your computer
are looking to draft it into a botnet.
But there are a host of other ways to get hijacked. Aggressive marketers are using "adware" to hijack Web searches, display pop-up ads and drag surfers to unwanted Web sites. Adware's more insidious cousin, spyware, can capture users' keystrokes and follow their browsing activities. These programs often arrive bundled with free software or sneak onto users' computers when they visit dodgy Web sites.
Viruses, meanwhile, have become a tool for delivering malicious payloads and not just a form of causing mischief. Hackers are using them to install bots and Trojans that give them control of PCs, allowing them to send spam and steal private personal information silently. After Mr. McKay, the Charlotte attorney, cleared up his botnet problem, the home page of his Web browser was hijacked by an adware program, forcing him to view a "flashy, gaudy" page featuring links to mortgage lenders and pornography.
Only when his girlfriend refused to touch the computer did he cave. "I said, 'All right, this is embarrassing,' " he recalls. " 'I'm going to fix it.' "Mr. McKay had to undergo a crash course in Internet security to get rid of the programs that hijacked his computer. He ran a battery of different security programs, killing anything that looked suspicious. But after a slew of software failed to clean out his machine, he turned to extracting the pests manually.
Security experts advise consumers to make sure they install and use firewall and up-to-date antivirus programs, combined with regular sweeps with a spyware-removal program. Increasingly, Internet-service providers are offering their embattled customers security tools. Many people are also switching to Apple Computer Inc.'s Macintosh machines and the Firefox Web browser, which have rarely been the target of malicious code.
AIRBORNE ASSAULT In the future, security attacks will come out of
Smartphones and some personal digital assistants boast always-on wireless connections and run more-sophisticated software than standard cellphones, making them susceptible to viruses, worms and data theft just like PCs. The hackers' current pathway of choice: Bluetooth. This radio technology allows short-range wireless communication for sending messages, exchanging electronic business cards and using wireless headsets. But hackers can exploit flaws in Bluetooth to steal information from digital gadgets or spread viruses.
For now, mobile viruses have done little more than drain their victims' phone batteries and send off text messages using their account. But bigger threats may be coming. The invasions so far were merely "science projects" for hackers wanting to see if they could attack mobile devices, says Victor Kouznetsov, senior vice president of mobile solutions for McAfee.
"They discovered it's not that hard. "Mr. Pironti of Unisys says people should use built-in Bluetooth security features that let only authorized headsets and PCs talk to their phones. They should also change default passwords for wireless headsets. Meanwhile, security-software companies are rushing to offer antivirus protection for mobile devices. Japanese carrier NTT DoCoMo Inc. sells phones with built-in antivirus software from McAfee. A number of large carriers offer similar protection from F-Secure Corp. of Finland.
But the best defense will come from wireless carriers blocking attacks within their networks, before they can reach people's phones, says Gartner Inc. analyst John Pescatore. Cellphone users should start asking their providers what protection they offer or intend to provide, he says. F-Secure, for one, says its network-level technology has been deployed by nine wireless operators that altogether serve 32 million subscribers.
YOUR KIDS What's the quickest way to get your computer infested with spyware, bots and Trojans? Let your kids use it. Kids often use music and video file-sharing programs like Kazaa, LimeWire and BitTorrent, where they can unwittingly download adware and spyware. They also pick up nasty programs at "code and cheat" sites, which help them get higher rankings in online games. And curiosity will take them to plenty of other risky places, including porn sites.
Some security experts advise parents to have a separate computer for the kids. John Esposito of Ridgewood, NJ, keeps financial records on his own laptop, so they won't be endangered if nine-year-old Zoe or 13-year-old Zach inadvertently lets in a hacker program. In addition to protecting their PC with the usual array of security software, parents can use parental-control tools to restrict access to inappropriate sites.
Parry Aftab, executive director of WiredSafety Group, a New York-based advocate for online safety, recommends kid-safe search engines, such as Yahoo Inc.'s Yahooligans and Ask Jeeves Inc.'s Ask Jeeves Kids. These sites won't steer kids to sites meant for adults, including porn sites that try to lure visitors with misspellings of popular keywords.
Parents should also talk to their children about online dangers and set ground rules for computer use. Parents may even want to use some spyware tools of their own to monitor what kids do online. Ms. Aftab recommends monitoring software from SpectorSoft Corp. because it's able to capture instant messaging in multiple formats.
Mr. Bank is a staff reporter in the Wall Street Journal's San Francisco bureau, and Ms. Richmond is a reporter for Dow Jones Newswires in Jersey City, N.J.