There was a time not long ago when computer hacking brought to mind an image of an anti-social teenager hiding in his parents’ dark basement cracking code for the thrill of it and later posting his exploits online under a dangerous sounding nickname like “Plague.”
But recent hacks on some of the world’s most sophisticated technology companies have showcased another kind of cyber criminal, one that includes foreign governments and organized crime cartels, unconstrained by social norms and backed by nearly unlimited resources.
As attacks become ever more clever, is any computer user really safe?
“If you are dealing with a sophisticated nation state adversary then obviously there are a lot of resources they can bring to bear and it would be difficult for the private sector to face that sort of attack,” said Dmitri Alperovitch, vice president of threat research at McAfee Inc. “Just like we don’t expect private sector companies to be able to face an armed attack by an army.”
And just like the profile of the hacker has changed, so have the methods. When Google Inc. announced it had been hacked along with hundreds of other companies earlier this year, fingers – and evidence – pointed to the Chinese. The attack was accomplished through what security experts call social engineering. In other words, the hackers got into the system, not through sophisticated firewall breaching techniques, but through what security expert Robert Giesler calls the weakest link in the security system: people.
“Ironically it isn’t the technology that is the problem,” said Giesler, vice president of cyber programs at Science Applications International Corporation, which provides computer security solutions to the government as well as the private sector. “Probably 80-85% of all attacks against a secure network are accomplished through social engineering. They are targeting the weakest link, which is the human.”
Giesler describes a process known in security circles as spear phishing, which involves a hacker seeking out an employee with system administrator privileges on a company’s network. With the advent of networking websites like LinkedIn and others, such employees are not hard to find.
From there, the hacker can try a number of things, including masking an e-mail sent to the administrator to look like it’s coming from a trusted source. When the administrator opens the e-mail it releases a virus, or bot, into the company network.
“There are variations on the theme, but they are always looking for the user to do something that isn’t prudent,” Giesler said.
So if it is a war pitting hackers versus the security folks, who is winning?
“The cyber hackers will always be a step ahead,” said Jay Bavisi, a consultant who tests computer security. “First and foremost, they are playing by a different set of rules.”
Bavisi, co-founder and president of the International Council of Electronic Commerce Consultants, is an ethical hacker, one of the “good guys” who gets paid to use his hacking talents to expose vulnerabilities. To beat a hacker you must think like a hacker, Bavisi says.
According to Bavisi, constantly building a better mousetrap is not the answer, because as he puts it, “the good guys need to close every door, a hacker only needs to find one open one.”
Education is the key to the secure kingdom, Bavisi says. In high schools and colleges across the nation, burgeoning programmers are taught to write code. They learn a computer language and how to manipulate it. What they don’t learn, Bavisi said, is security.
“We are putting thousands of programmers out there that will be developing the tools of the future, but the tools will be written with ‘buggy’ code,” said Bavisi. (“Buggy” is the term programmers use to describe any code that is not secure, has holes or generally doesn’t work the way it should.) “We need to provide programmers with some sort of security knowledge.”
Second, Bavisi said, is legislation designed to hold computer companies liable if their products have holes that a hacker can exploit.
Toyota will likely face some liability for acceleration problems in millions of its cars, Bavisi said, so why shouldn’t Microsoft and other software companies face similar liability if their programs aren’t secure?
“We have said as long as you give me a tool that has a wonderful interface that does the things I want it to do, we are ok regardless of the security,” he said. “That must change.”
The final piece to the security puzzle is constant testing.
Earlier this month, the U.S. Department of Defense announced it would now require its security professionals to pass an ethical hacker certification course, which certifies that the cyber defender has the same knowledge as a hacker.
“Ethical hackers are trained to think exactly like the bad guys and we are arming them with a lot of the underground tools to ensure they are equipped to test the network using the same tools the hackers have,” he said.
But if computer networks are ever to be fully secure, what is needed, security pros agree, is a paradigm shift.
Symantec Corp, maker of Norton anti-virus software, thinks it has found that shift.
For years, security software focused on identifying threats and blocking them from entering a computer network. Viruses were dissected by techs who gave each one a fingerprint. The anti-virus software was designed to recognize the fingerprint and keep the threat out.
But the number of potential viruses has grown exponentially in recent years, from a few thousand per year, to hundreds of millions. Faced with the daunting task of identifying each threat, Symantec came to the conclusion that identifying safe programs and allowing them into a network would be more effective than trying to keep out threats that can change by the day.
With that in mind, the company began developing a reputation rating for every piece of software used by Symantec’s 50 million customers. If 10 million clients use a piece of software, it gets one rating; if the software appears only once, the rating is far lower.
Clients then set up a risk profile that allows only software that carries a certain reputation ranking into the network. For a company more concerned with risk, the anti-virus program may only allow programs used by millions of users into the system. For a user less concerned with risk, the number might drop to 1,000.
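The prevalence-based allowlisting described above, as an added example that is not Symantec’s code or part of the article. The hashes, the fleet counts and the three risk-profile thresholds are constructed assumptions that stand in for the “millions” versus “1,000” range the article mentions; the two points it shows are that prevalence must count distinct clients (so one machine re-running a file cannot manufacture reputation) and that an unseen program is blocked by default.

```python
"""Prevalence-based software reputation: allow known-good, default-deny the rest."""
from collections import defaultdict
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


# Constructed fleet-wide prevalence table: SHA-256 of an executable -> number of
# distinct clients that have run it. Hashes and counts are made up for this
# example; a real backend would aggregate them from client telemetry.
FLEET_PREVALENCE = {
    "a" * 64: 12_000_000,   # widely deployed productivity suite
    "b" * 64: 50_000,       # established but niche utility
    "c" * 64: 1,            # seen on exactly one machine
}

# Risk profiles expressed as the minimum number of distinct clients a program
# must have been seen on before it is allowed. Thresholds are assumptions.
RISK_PROFILES = {
    "conservative": 1_000_000,
    "moderate": 10_000,
    "permissive": 1_000,
}


def merge_local_telemetry(fleet, events):
    """Return a new prevalence table with local (client_id, sha256) events folded in.

    Prevalence counts distinct clients, so a client that runs a binary many
    times raises its count by at most one. Without that rule a single infected
    host re-executing malware could inflate the malware's reputation.
    """
    seen = defaultdict(set)
    for client_id, file_hash in events:
        seen[file_hash].add(client_id)
    merged = dict(fleet)                      # do not mutate the fleet table
    for file_hash, clients in seen.items():
        merged[file_hash] = merged.get(file_hash, 0) + len(clients)
    return merged


def reputation_verdict(file_hash, prevalence, profile):
    """Allow only software whose prevalence meets the profile's threshold.

    A hash absent from the table has prevalence 0 and is blocked: the model is
    default-deny, which is what makes it independent of how fast threats mutate.
    """
    threshold = RISK_PROFILES[profile]
    count = prevalence.get(file_hash, 0)
    return Verdict.ALLOW if count >= threshold else Verdict.BLOCK


def evaluate(hashes, prevalence, profile):
    """Map each hash to its verdict under the given risk profile."""
    return {h: reputation_verdict(h, prevalence, profile) for h in hashes}


if __name__ == "__main__":
    # Constructed local events: hosts h1..h3 ran the niche utility; host h4 ran
    # an unknown binary three times, which counts once.
    local_events = [
        ("h1", "b" * 64), ("h2", "b" * 64), ("h3", "b" * 64),
        ("h4", "d" * 64), ("h4", "d" * 64), ("h4", "d" * 64),
    ]
    table = merge_local_telemetry(FLEET_PREVALENCE, local_events)
    for profile in RISK_PROFILES:
        verdicts = evaluate(list(table), table, profile)
        print(profile, {h[:4]: v.value for h, v in verdicts.items()})
```

Running the block prints one line per profile; the singleton and the unknown binary are blocked under every profile, the niche utility is allowed only once the threshold drops to the moderate tier, and the widely deployed suite passes everywhere. The trade-off a practitioner has to plan for is the cold start: a legitimate but brand-new program has a prevalence of one and will be blocked until enough clients have run it, so deployments pair the model with a way to vouch for such files explicitly.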
By focusing on the “safe” programs, the task becomes more manageable, said Carey Nachenberg, a vice president and fellow at Symantec.
“From our perspective, the industry has to go this way, or find another way because the traditional methods no longer work,” he said.
Symantec has been testing its new model and has been rolling it out slowly. This year, the technology will be part of its anti-virus software package available to all users.
Meanwhile, the beat goes on. About the same time that the Google attack occurred, another botnet known as Mariposa was discovered to have infected nearly 13 million computers worldwide, including half of the Fortune 100, as well as hundreds of government agencies.
The cyber criminals used the botnet to take control of the infected computers, stealing banking and other information. The ring was arrested in Spain earlier this month.
On Wednesday, McAfee security experts discovered a virus reportedly targeting social networking site Facebook and its 400 million users. The virus, which is spread through spam e-mail, warns the recipient that their password has been reset and provides a link to click for a new password. Once clicked the virus attempts to steal passwords and banking information from the infected computers.
There is no telling how many computers have been infected by the virus, known as a Trojan horse, but with 400 million users, even a small percentage amounts to a coup for hackers.
In an e-mail, a spokesman for Facebook said the company is investigating the scam and is warning users how to protect themselves via its security page.