SEMA News—May 2013
By Joe Dysart
New Wave of Hacker Technology Threatens Unsuspecting Businesses
Regularly making chump meat of the most sophisticated of computer defenses, hackers will be unleashing a new wave of malware in the coming year on the unsuspecting—many of whom will be completely unprepared, according to Sophos, a computer-security firm.
“Cybercriminals tend to focus where the weak spots are,” said Gerhard Eschelbeck, chief technology officer at Sophos. “Protecting data in a world where systems are changing rapidly and information flows freely requires a coordinated ecosystem of security technologies.”
Perhaps even more disturbing, hackers will be increasingly targeting small- and medium-size businesses, according to Mark Brophy, director of information technology at Rogers Townsend & Thomas. The reason, he said, is that the defenses of smaller businesses are generally weaker, and these less-protected systems are seen by hackers as easy back doors to the much larger clients those businesses trade with. Essentially, once hackers penetrate the relatively weak defenses of a small business, they can plunder the data on its network to go after its bigger-game clients, according to Brophy.
Not surprisingly, many giant and multinational corporations are hip to the trend, and they’re responding by performing tough security audits of their smaller trading partners. If they find a security risk, many decide to simply pull work from the offending business rather than risk a “break-in by association,” according to Brophy.
Small- and medium-size businesses looking to pass these hard-nosed audits—or reassure trading partners that their mutual data is safe—will need to convince trading partners that they have a hard IT perimeter. And they’ll need to show defenses against some of the newest threats looming in the coming year.
High on the list of the new and the brutal is cloud-server-snapshot software. An insidious intruder, snapshot software can infect a cloud server where a business stores its data and take a complete snapshot of all the data that’s there—including passwords, Eschelbeck said. Meanwhile, increasing numbers of hackers are also using text-messaging theft software, which is surreptitiously added to the phone of unsuspecting users. Once activated, the software forwards all text messages sent to that phone to a hacker, Eschelbeck said.
“The potential exists for attacks like these to target Internet banking services,” he said. “Many banks send authentication codes to your phone. Malware on your phone is capable of intercepting those messages.”
Sophos has also detected increasing use of “ransomware” against small- and medium-size businesses. These apps can infect both phones and computers and render the devices inoperable. Hackers inflicting the software on businesses often demand major dollars for its removal. Not surprisingly, they rarely—if ever—follow up on removal even if the business does pay the ransom, according to Eschelbeck.
A Sophos employee at work neutralizing would-be hackers.
Granted, businesses of all sizes should be using firewalls and other network protections to help neutralize hacker break-ins. And most businesses realize that even the most sterling of computer security defenses can be thwarted without similar vigilance at the individual-device level.
“End-user computers are the weakest spot,” said Shane Sims, director of investigations and forensic services for PricewaterhouseCoopers. “Typically, these computers are protected only by antivirus software, and the most sophisticated hackers attack at that point.”
But dollar for dollar, the best return on an investment in computer security is employee education, according to Brophy. Take the time to educate new employees about the critical need for computer security, he said. And continually reinforce top-of-mind security with regular e-mail tips, tricks and news about IT security.
Once you have the organization sufficiently alerted, the computer security experts recommend these best practices:
Encrypt All Mobile Devices: Secure all mobile devices, including Android devices, by getting your IT department to fully encrypt the units, Eschelbeck said. Make sure all SIM cards used in those devices are also encrypted. And ensure that all data and applications on the devices can be erased remotely if the mobile device is lost or stolen.
Encrypt All Cloud Data: Before cutting any deal with a cloud provider, ensure that your contract enables your company to encrypt all the data your business generates before it sends that data to the cloud, according to Ken Rashbaum, principal at Rashbaum Associates. With that safeguard, your data—and the data of your trading partners—should be impenetrable even if a hacker takes a snapshot of the cloud server that’s storing that data.
Defeat Ransomware: Ransomware programs such as Reveton, Citadel and Troj/Ransom can be neutralized by rebooting your computer with an anti-virus program that contains its own operating system. Essentially, the tool runs your computer with its own operating system, finds the ransomware on your system and destroys it, restoring your computer, Eschelbeck said. Sophos’ solution for this problem is Sophos Bootable Anti-Virus. Unfortunately, there is still some ransomware so sophisticated that even these tools cannot defeat it, according to Eschelbeck.
Deep-Six the Superkits: While there’s no bulletproof shield against all the ravages of a superkit, there are some common-sense precautions. Be sure to install updates to all the software on your system as soon as possible, Eschelbeck said. And be sure to disable security-vulnerable software, such as Java and Flash, whenever you’re not using those programs.
Armor Passwords: Strictly forbid employees from using the same passwords at work and at home, Brophy said. Hackers are aware of this habit and regularly troll personal e-mail accounts, hoping to find passwords they can also use on employee work accounts.
Respect the Rule of 12: Prohibit the use of passwords shorter than 13 characters. The darker corners of the web are rife with programs that can auto-crack any password that is 12 characters or fewer. Essentially, hackers simply aim these programs at a specific e-mail account and let the program run indefinitely until the account’s password is revealed.