In June, in his first public speech for two years, MI5 chief Jonathan Evans warned that the UK was fighting an "astonishing" level of cyber attacks. Internet "vulnerabilities" were being exploited by both states and criminals, he said, posing a threat not just to government but to business, too. The theme was picked up at the beginning of October by Foreign Secretary William Hague. At an international conference in Budapest he described cybercrime as "one of the greatest global and strategic challenges of our time." But how do hackers crack a corporation? Their top tool is you — and if you're on a business trip, you could be particularly vulnerable.
DANGER! USB STICK!
Let's start at the beginning. Say you're leaving tomorrow and you need to take your data with you — you plug your USB stick into your office computer and copy files onto it. And you're already in vulnerable territory. "There are viruses that have been specifically designed to sit on memory sticks," says Oliver Crofton of tailored security solutions company Vigilante Bespoke. "They come to life when plugged into a computer, download themselves and form a botnet." There's a high risk a USB stick used in internet cafés and at home (where your anti-virus software is past its sell-by date and your kids access dodgy sites and download YouTube videos) is carrying malware. USB sticks are the hackers' friends. One group recently loaded some with spyware and dropped them in the car park of multinational chemicals company DSM in the hope that an employee would pick one up and take it inside. The innocent worker with USB stick is even factored into the design of the most sophisticated cyber espionage toolkit yet. Flame, which activates computer microphones, takes screenshots, steals files and much, much more, can only get its findings from the high security air-gapped computers it targets to one with an internet link back to the hacker by waiting for a USB to be inserted, and then hopping aboard.
THE EMAIL ERROR
To be safe, you also email files to your Hotmail, Google or Yahoo account (for access on the move). But, says Crofton, "emailing outside the corporate network is an absolute no-no. Free email services are not designed for security. Hackers will crack most email passwords in minutes, even using off-the-shelf software. Corporate networks will pick up on the activity, whereas free email providers will not." Once hacked, your password is reset, ID fraud ensues, and your contacts, personal and professional, get spam sent from your account directing them to pages containing malware. So the next time you send out a press release, a corporate statement or even a picture of your puppy, no one wants to know. Companies storing email data files are constantly under attack. LinkedIn, Sony, Philips, Yahoo, Dropbox and eHarmony have all recently had their customers' personal records leaked and posted online. The data dumps give security experts an opportunity to demonstrate how pitiful our passwords are. In his blog, Sophos security expert Paul Ducklin explains how he converted 25 per cent of the 400 Philips password 'hashes' into plain text in two seconds using a popular open source dictionary password cracker: "I found 123456, 12345678, 999999 and (several times) the rather obvious Philips," he says. "A significant number of users chose passwords that as good as guessed themselves." Of the 1.5 million leaked eHarmony passwords, 80 per cent were cracked in 72 hours. Apparently 10,690 used the word 'love' and 41,700 chose one of the Top 100 Dog Names of 2011, part of every hacker's library of reference books. Companies are constantly admonished for leaks and not further encrypting, or 'salting', the password hash, but if you are using your date of birth or dog's name, you are a security breach.
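The point about 'salting' above, shown as an added example that is not part of the original article: when a site stores a bare, fast hash, every user who picked the same password ends up with the same stored value, so one guess from a word list matches all of them at once; a random per-user salt and a deliberately slow hash remove that shortcut. The choice of SHA-256 and PBKDF2, the round count, and the account names and passwords are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for this sketch


def unsalted_digest(password):
    """Weak storage: a bare, fast hash with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Stronger storage: random per-user salt plus a slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password, salt, stored):
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def shared_digest_groups(table):
    """Return digests stored for more than one user, with the users who share them."""
    groups = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return {d: sorted(users) for d, users in groups.items() if len(users) > 1}


# Constructed sample accounts: two users chose the same weak password.
SAMPLE_USERS = {"alice": "123456", "bob": "123456", "carol": "T4ble-lamp-river-92"}


def compare_storage():
    """Store the sample accounts both ways and report which digests collide."""
    unsalted = {u: unsalted_digest(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: salted_record(p) for u, p in SAMPLE_USERS.items()}
    salted_hex = {u: digest.hex() for u, (_salt, digest) in salted.items()}
    return shared_digest_groups(unsalted), shared_digest_groups(salted_hex), salted


if __name__ == "__main__":
    dup_unsalted, dup_salted, _ = compare_storage()
    print("users sharing an unsalted digest:", list(dup_unsalted.values()))
    print("users sharing a salted digest:", list(dup_salted.values()))
```

Salting does not rescue a password such as 123456 from being guessed for one account; it only forces each account to be attacked separately and slowly.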
ANTISOCIAL MEDIA
Let's say that on your journey you let friends and family know what you are up to via Facebook and Twitter. Hackers select from a wide choice of scanning tools to monitor social media for keywords, specifically names of banks and mobile service providers, but also car hire companies and airlines. Inside information makes phishing seem plausible. If you have complained about poor mobile coverage and then discover you have been sent a £5 voucher from your network provider, then the chances of you entering personal details to redeem the offer, or downloading a file slathered in malware, are reasonably high. Social media provide the material hackers need for social engineering their way into organisations they are targeting.
WATCH OUT FOR WIFI
You avoid global roaming charges by using the free WiFi at hotels, cafés and airports, but are you connected to a legitimate provider? "Anywhere there is a concentration of people, you get hackers," says Crofton. "They can flood the genuine network and prop up a new one in its place. You log on to a network and start working. It looks authentic, but it's not. It's a fake, and everything you do through that network can be seen by the hacker, who might even be sitting a few seats away from you, scanning for bank names." Hotspot hackers tend to be after credit card details (said to be worth £10 each) rather than corporate secrets. However, Crofton warns, vigilance is required even in the sanctity of a reputable hotel. One celebrity client "connected to what he thought was the hotel's network, but it was either a fake or someone was on the other end, monitoring it. The hacker downloaded malware onto his laptop and took ownership of it, nabbing pictures and gossip, which he then tried to sell." When an official-looking popup window from XP Antivirus pops up as you're checking football results in a bar, saying "Your computer is under attack from DeathBotViperHeadzz, click for the antivirus software NOW," maybe you're so paranoid that you click. This is a hacker joke to trick you into paying for fake software (and providing a card number). What you download is scareware, which in all likelihood will convert your computer into a spam-sending robot while logging your keystrokes. Remarkably, when accounts were accessed belonging to three gangs running scareware scams from 2008 to 2010, it was estimated that collectively they were earning $97m a year. While this scam is now old hat, it means people frequently also ignore the genuine virus warnings, giving malware a clear run.
NOT SO SMARTPHONE
You text home, call work, upload a picture of your hotel room, download an app. You love your phone and take it everywhere, but you are among the 95 per cent without third-party security (Juniper Research) and 67 per cent without a password (Sophos). And you don't need to lose it for the personal information stored on it to get into the wrong hands. Hackers have a panoply of weapons to target your smartphone, such as SMSZombie, which intercepts and forwards text messages, rogue apps (the majority targeted at Android, and almost all from third-party sellers), and missed call scams in which you return a missed call only to have your contact list and financial data removed. A third of mobile users surveyed by Norton had received a text message from someone they didn't know requesting that they click on an embedded link or dial an unknown number to retrieve a 'voicemail'. To further complicate matters, the prevalence of address spoofing means a text from your bank, airline, mother or boss might not be. Worst of all, your trusty phone can be turned against you. Crofton shows me something online: "With this piece of software someone can monitor every text you send and receive, as well as your photos, videos, calls and the websites you visit — and track you on GPS, all for $50." It's marketed to parents, who he's confident aren't the majority buyers, although most hackers will use something they've made themselves, designed to monitor maybe 100,000 phones. "But if this is commercially available, imagine what isn't." You dial into a conference call to discuss developments in the company's takeover bid. Unfortunately, because you keep the PIN code on your phone, and your phone has malware, so does the hacker, who sits on the line nice and quiet. The inherent risks were demonstrated by Scotland Yard and the FBI when a recording of a 16-minute call (in which they described a 15-year-old hacker as "a bit of an idiot") became an internet hit. Hackers themselves tend to use internet relay chat (IRC) technology, which allows groups of people to communicate more securely.
THREATENING CLOUD
You upload the report from your meeting to the cloud. For years Apple has been shepherding customers into it, and now users of Windows 8 are roaming and syncing and uploading their lives to Microsoft's SkyDrive. There is nothing more convenient than saving everything in one virtual location where it can be accessed by you and authorised colleagues from a variety of devices. And it's all very convenient for cybercriminals too — tricky but more practical, ergonomically, than firing off infected Viagra offers and hoping, and with a far bigger potential pay-off. Cloud operators have thought of this and protect their systems against all known risks but, given the speedy development cycle of new malware, there are also, as Donald Rumsfeld would say, the "unknown unknowns". Really, though, given the connectivity of people and things, a secure system depends on its users, their contacts and their contacts' contacts. A daisy-chained life can quickly be unravelled, as Wired journalist Mat Honan discovered when information from Amazon was used by hackers to access his iCloud account (wiping his iPhone, iPad and Macbook), and then access Gmail and Twitter. Says Honan: "Password-based security mechanisms — which can be cracked, reset and socially engineered — no longer suffice in the era of cloud computing."
THE BOTTOM LINE
The internet provides opportunities for new forms of corporate sabotage, from hijacking administrative access and holding sites to ransom, to negative SEO campaigns that ensure a search for company information returns fake sites, bad reviews and false allegations of criminal activities. Crofton's recent clients include a woman who had such a volume of spam sent from her hacked company website that her company domain name was blacklisted, an oil company that discovered 92 imitation websites put up by a competitor claiming to be affiliated and using their good name to steal business, and several whose business deals have fallen through as a result of intercepted communication and dirty tricks. And companies whose stolen customer data is dumped online aren't chosen at random — a security breach has a direct commercial impact. A survey for the Stop ID Fraud campaign found that 47 per cent of consumers would not use such an organisation again. INTERPOL, EUROPOL, the MoD, GCHQ, the Home Office, the Cyber Security Operations Centre and a whole host of new acronyms are now battling the hackers (whoever they are) on the frontline (wherever that is). MI5 has asked anyone with "any good innovation ideas to improve covert surveillance and data monitoring skills" to get in touch. But there is good news amongst the doom and gloom — at least for some. Business is booming for the anti-hacking companies, who not only alert us to all the permutations of risk, but also sell us the support we need to help us avert it. In the UK alone last year, we spent more than £600m on cybercrime protection and clean-up. Let's hope it works.
WHAT YOU CAN DO
In the office:
Use long passwords that include numbers, symbols and upper- and lower-case characters, and change them frequently.
Check you have effective, up-to-date antivirus/antispyware software and firewall running before downloading anything. Only download from trusted sites, and treat executable files (.EXE), commonly used in viruses, with extreme caution.
Save Word documents as RTF (Rich Text Format) files, as doc files can harbour macro viruses.
Encrypt everything you put into the cloud using an encryption solution that operates outside the cloud.
Have popup blocking enabled. Popups are not only annoying resource hogs, they can also host embedded malware directly or lure users into clicking on a link using social engineering tricks. For example, some popups can be ingeniously crafted to look like Windows dialogue boxes, and the mere act of clicking the 'X' to close the box can unleash a malware attack.
Online:
Unless there is a padlock in the browser window or 'https://' at the start of the URL, don't enter personal information on the site.
Keep your online accounts separate.
Don't link personal and work social media accounts.
Never click a link in an unsolicited email or SMS — always enter the URL manually.
On your mobile:
Set up a PIN number on your mobile.
Download apps from recognised sources only, such as Apple's App Store, Google's Android Market and Amazon's Appstore.