Is it just my paranoia as a security pundit or are the bad guys winning the hacking battle at the moment? Ever since Stuxnet there seems to be no end of stories about hacks, leaks, massive attacks and shady “mafia” and nation state subversive activities.
Symantec’s mid-term Internet Security Threat Report shows that the advent of cloud technologies to bring affordable, untold power to businesses is being mirrored by the anti-cloud – a network of online services that offer a black marketplace for products and services.
Apart from this gloss of respectability, the companies are now publishing competitive pricing structures in their battle for customers. Multiple installs of the Zeus Trojan on a single computer cost up to £5,000, with modules available for between £300 and £1,250. Golod, a Russian botnet loader/encryption system for Windows, costs £370 in its basic form, with free upgrades; customers paying an extra £550 also get unlimited round-the-clock support.
Added to this we have covert gangland plotting and international espionage creating an environment that makes the Wild West look tame.
Despite all of the crowbars and sledgehammers in the hacking toolshed, it is often unnecessary to blow the doors off when gentle persuasion can open them without waking up the IT guard dogs.
EMC’s RSA Security found this out to its cost when a poisoned spreadsheet was sent to a group of its lower-grade employees in a phishing attack. Floor-level workers are considered more vulnerable to attack because they are generally less aware of security issues, but their access rights are also at the base level, which sounds like a suitable damage-limitation policy.
Unfortunately for RSA, that was probably the reasoning that started the problem. Once one of the employees opened the phishing mail and its spreadsheet, the attackers were able to install a Trojan. From then on, credentials harvested from the compromised machine were passed back to the attackers and, through more social engineering and hacking from inside the company’s network, they were able to escalate their privileges.
Stealth and persistence paid off and soon they were into RSA’s secret stash of SecurID seeds like rats up a drainpipe.
It seems that RSA’s mistake was the common one of assuming that securing the “doors and windows” would protect the corridors of the internal network. It’s similar to fitting locks and bolts on a house but not installing an internal motion detector, or not checking that the system is working properly.
It is likely that RSA had log management systems in place but that the logs were not being checked and analysed properly. The speed with which the company was able to produce a forensic report on the attack suggests that all the clues were there.
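To make “the clues were there” concrete, here is an added example of the kind of internal-network check a log management system could run but a perimeter firewall never sees: one account successfully authenticating to an unusual number of distinct internal hosts in a short window. This is illustration code written for this column, not RSA’s tooling or data; the log format, the user and host names and the timestamps are all constructed, and the 10-minute window and four-host threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of internal authentication events in a simple key=value format
# assumed for this example. Not RSA's logs: the hosts, users and times are invented.
SAMPLE_LOG = """\
2011-03-01T09:01:10 user=jsmith src=10.1.4.22 dst=mail01 result=success
2011-03-01T09:03:45 user=jsmith src=10.1.4.22 dst=fileshare02 result=success
2011-03-01T09:05:01 user=apatel src=10.1.7.9 dst=mail01 result=success
2011-03-01T22:14:02 user=jsmith src=10.1.4.22 dst=fileshare02 result=success
2011-03-01T22:14:30 user=jsmith src=10.1.4.22 dst=hr-db01 result=failure
2011-03-01T22:14:41 user=jsmith src=10.1.4.22 dst=hr-db01 result=success
2011-03-01T22:15:12 user=jsmith src=10.1.4.22 dst=build03 result=success
2011-03-01T22:15:50 user=jsmith src=10.1.4.22 dst=eng-repo01 result=success
2011-03-01T22:16:09 user=jsmith src=10.1.4.22 dst=dc02 result=success
"""


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts_str, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def detect_fanout(lines, window=timedelta(minutes=10), threshold=4):
    """Flag an account that successfully authenticates to `threshold` or more distinct
    internal hosts inside `window`: the fan-out a perimeter firewall never sees.
    One alert per account, listing the hosts that account had never reached before."""
    recent = defaultdict(deque)   # user -> (ts, dst) successes still inside the window
    known = defaultdict(set)      # user -> hosts reached before the current window
    alerts, alerted = [], set()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["result"] != "success":
            continue
        user, ts, dst = rec["user"], rec["ts"], rec["dst"]
        q = recent[user]
        while q and ts - q[0][0] > window:      # age old events out into the baseline
            known[user].add(q.popleft()[1])
        q.append((ts, dst))
        hosts = {d for _, d in q}
        if len(hosts) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "start": q[0][0],
                "hosts": sorted(hosts),
                "new_hosts": sorted(hosts - known[user]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_LOG.splitlines()):
        print(f"{alert['user']} reached {len(alert['hosts'])} hosts from {alert['start']}: "
              f"{alert['hosts']}, never seen before: {alert['new_hosts']}")
```

On the constructed sample the rule fires once, for jsmith, whose daytime pattern is two hosts and who suddenly reaches four distinct servers, three of them never seen before, at ten past ten at night. The threshold and window are the part that needs a human: set against a real baseline they will be different for a helpdesk account and a build server, which is exactly the “checking and analysing” the column says was missing.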
Computers are great at crunching numbers and finding where these figures don’t add up as they should. It makes them seem intelligent but they work on logic. Hackers don’t.
Attackers are masters of illogic. Take a fuzzing attack as an example. It hits a system with all manner of nonsensical data until the servers or firewalls appear to “blink”. Once this happens, the hacker brings learning and ingenuity to bear on how this can be used to their advantage. Combating it requires a similarly devious intelligence, which only the human brain can supply, to spot the signs and out-manoeuvre the forces ranged against the company.
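As an added illustration of what “nonsensical data until something blinks” looks like in practice, not code from the column or from any product it mentions: a tiny mutation fuzzer run against a deliberately fragile parser of a made-up record format, beside a hardened parser of the same format. The record format, the parsers and the mutation strategy are all assumptions made for this example; the point is the distinction the fuzzer draws between a parser saying “no” cleanly and a parser falling over, which is the blink a human then goes to work on.

```python
import random
import struct

# Toy record format, constructed for this example: 1-byte type, 1-byte length,
# then `length` payload bytes. Type 1 = ASCII text, type 2 = 32-bit big-endian counter.


def parse_record(buf: bytes) -> dict:
    """Deliberately fragile parser: the length field is trusted when decoding a counter."""
    if len(buf) < 2:
        raise ValueError("truncated header")
    rtype, length = buf[0], buf[1]
    payload = buf[2:2 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if rtype == 1:
        return {"type": "text", "value": payload.decode("ascii")}
    if rtype == 2:
        # Bug: a counter must be exactly 4 bytes, but nothing checks that, so
        # struct.unpack raises struct.error (a crash, not a clean rejection).
        return {"type": "counter", "value": struct.unpack(">I", payload)[0]}
    raise ValueError("unknown record type")


def parse_record_hardened(buf: bytes) -> dict:
    """Same format, but every field is validated before it is used."""
    if len(buf) < 2:
        raise ValueError("truncated header")
    rtype, length = buf[0], buf[1]
    if len(buf) != 2 + length:
        raise ValueError("length field does not match the data")
    payload = buf[2:]
    if rtype == 1:
        return {"type": "text", "value": payload.decode("ascii")}
    if rtype == 2:
        if length != 4:
            raise ValueError("counter must be exactly 4 bytes")
        return {"type": "counter", "value": struct.unpack(">I", payload)[0]}
    raise ValueError("unknown record type")


INTERESTING = [0x00, 0x01, 0x02, 0x7F, 0x80, 0xFF]  # boundary values fuzzers favour


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, interesting value, byte insert or byte delete."""
    b = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and b:
        b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
    elif op == 1 and b:
        b[rng.randrange(len(b))] = rng.choice(INTERESTING)
    elif op == 2:
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    elif op == 3 and b:
        del b[rng.randrange(len(b))]
    return bytes(b)


def is_crash(parser, data: bytes) -> bool:
    """ValueError is the parser saying 'no' politely; anything else is the 'blink'."""
    try:
        parser(data)
    except ValueError:
        return False
    except Exception:
        return True
    return False


def fuzz(parser, seed_input: bytes, iterations: int = 5000, rng_seed: int = 1):
    """Mutate the seed input and return the first input that makes `parser` blink, or None."""
    rng = random.Random(rng_seed)  # fixed seed so a finding is reproducible
    for _ in range(iterations):
        data = seed_input
        for _ in range(rng.randint(1, 3)):
            data = mutate(data, rng)
        if is_crash(parser, data):
            return data
    return None


def shrink(parser, data: bytes) -> bytes:
    """Greedily delete bytes while the crash persists, so a human can read the trigger."""
    i = 0
    while i < len(data):
        candidate = data[:i] + data[i + 1:]
        if is_crash(parser, candidate):
            data = candidate
        else:
            i += 1
    return data


if __name__ == "__main__":
    seed = b"\x01\x05hello"  # a valid text record
    found = fuzz(parse_record, seed)
    print("fragile parser blinked on:", found, "->", shrink(parse_record, found) if found else None)
    print("hardened parser blinked on:", fuzz(parse_record_hardened, seed))
```

The fuzzer itself is pure logic: it has no idea that a type byte of 2 with a length other than 4 is the interesting case, it just keeps throwing garbage until the fragile parser raises something other than a clean rejection. Working out that the trusted length field is the cause, and what an attacker could do with it in a parser written in C rather than Python, is the human step the column is talking about; the hardened version shows the fix, and the same fuzzer run against it never finds a blink.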