SEMA News - May 2010
By Joe Dysart
Bulletproofing Your Online Business Life
Sophos’ Graham Cluley blog regularly tracks new threats to online security.
Hacking, once the province of teenage boys spreading graffiti for kicks and notoriety, is done today by organized, financially motivated gangs, according to the researchers behind “Security Threat Report: 2010,” an extremely in-depth look at the evolution of the web’s criminal element. The report was recently published by the cyber-security firm Sophos.
“In the past, virus writers displayed offensive images and bragged about the malware they had written,” the researchers said. “Now, hackers target companies to steal intellectual property, build complex networks of compromised PCs and rob individuals of identities.”
Indeed, cyber-criminals have successfully launched capers that approach the mind-boggling in just the past few years. In January 2007, for example, TJX Companies, which includes T.J. Maxx, Marshalls and Winners, lost key details associated with 45 million credit card accounts, according to Sophos. In 2008, 12.5 million account records were lost on backup tapes owned by BNY Mellon. And in January of last year, hackers penetrated the Heartland Payment Systems computer network, home of 130 million credit card accounts.
Moreover, as the web has evolved, so have the cyber punks. One of the newest and most pervasive online security threats is widespread employee use of social networks, such as Facebook, MySpace and LinkedIn. More than a third of companies surveyed said that they had picked up malware via social-networking sites, according to Sophos. And more than 72% believed that employee behavior on social networking sites could pose a threat to their business security.
“Computer users are spending more time on social networks, sharing sensitive and valuable personal information, and hackers have sniffed out where the money is to be made,” said Graham Cluley, a senior technology consultant for Sophos.
“The dramatic rise in attacks in the last year tells us that social networks and their millions of users have to do more to protect themselves from organized cyber-crime or risk falling prey to identity-theft schemes, scams and malware attacks.”
In fact, it seems that cyber-criminals instantly begin probing for vulnerabilities as soon as a new wrinkle on computing or social networking unfolds. Relatively new social-networking upstart Twitter, for example, has already been hit with spamming worms. Blackberry users have been hit by malicious PDFs. And even the seemingly omnipotent iPhone can become exceedingly vulnerable if users decide to “unlock” the phones and import applications not officially approved by Apple.
Meanwhile, phishing—loosely defined as e-mails and/or websites designed to trick users into believing that they are visiting and interacting with an official company web property—is becoming ever more sophisticated. One of the most brazen ruses victimized The New York Times last fall when hackers purchased ad space in the paper’s online edition and embedded a phishing scam in it.
The gang of hackers purchased ad space posing as Internet telephone company Vonage, Sophos’ Cluley said. “Visitors to The New York Times website who were served the poisoned advert saw pop-up messages warning them that their computers had been infected and urging them to install fake anti-virus software [also known as scareware].”
The solution to all the mayhem? Unrelenting diligence, of course—accompanied by these common sense remedies:
Limit Internet Access if Possible: Web use on the job has become so widespread that many employees see Internet access as a right. John Lavin, president of Edge3, a business consulting firm, saw things differently. “The use of the Internet on the job has skyrocketed,” Lavin said. “The amount of time wasted by employees really cuts into productivity. Internet use needs to be evaluated for each job description. If you do not need to give employees Internet access to perform their jobs, then do not. A solution that works for a couple of reasons may be this: Set up a network-isolated area that has Internet access and partial privacy for employees. Set some rules about use. Productivity will increase, and an added benefit is that viruses become nearly nonexistent if these PCs are isolated from the main network.”
Guard IDs and Passwords Like Family Jewels: This goes double for any IDs and passwords associated with the social networks that employees visit. “Social network log-on credentials have become as valuable as e-mail addresses because these [social network originating] e-mails are more likely to be opened and trusted than standard messages,” Sophos researchers said.
Establish a Policy on Social Network Use: You need a written policy that outlines what your expectation is with regard to social-networking interaction using company equipment and during company time, said Ben Becker, president of Becker Solutions (http://beckersolutions.com), a custom application and IT solution provider. The reason is simply that you have no ground to stand on when you may need it if you don’t have a policy in place.
Adopt Web-Filtering Technology—and Get Employee Buy-In on the Concept: The best thing a company can do to protect itself is to foolproof its environment, Becker said. The company should install filters, proxies, virus scanning, spam filtering and local security policy restrictions to make it as hard as possible for users to be faced with anything that may pose risk. This may irritate users, but they probably shouldn’t be doing whatever they are blocked from during business hours anyway. Very few people will come to you and say that they can’t do their jobs because they can’t update their status on Facebook or instant message their mother. Added Sophos’ researchers: “Those who are tempted to try to circumvent the protection should be educated about its value.”
Disable the Auto-Play Feature for Thumb-Drive Programs on Windows XP: Many hackers attempt to spread malware and viruses by engineering the software to migrate to thumb drives—which are often used interchangeably among many computers. The problem with that scenario is that Windows XP is programmed to “autoplay” any program resident on a thumb drive—whether it’s legitimate or malicious.
“The idea that someone can simply take a thumb drive from a friend or family member, insert it into a computer and then watch everything go bye-bye is a pretty scary oversight,” said Jay Correia, senior production coordinator at DreamCo Design.
IT managers should double-check that autoplay for programs on thumb drives is disabled on Windows XP. As for the new Windows 7, autoplay for programs on thumb drives is thankfully disabled by default.
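One way an IT manager can perform that double-check and, where needed, enforce the setting is the added PowerShell example below; it is not from the article or from Sophos. It assumes PowerShell is installed on the machine, that it runs from an administrator session, and that the machine-wide policy value NoDriveTypeAutoRun under the Explorer policies key is what governs AutoRun for the drive types in question (a per-user value under HKCU is not examined here).

```powershell
# Added example: audit and enforce the AutoRun policy the article says IT
# managers should double-check. Assumes an administrator PowerShell session on
# Windows XP (or later). NoDriveTypeAutoRun is a bitmask of drive types for
# which AutoRun is disabled; 0x04 is the removable-drive bit (thumb drives),
# 0xFF covers every drive type.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$AllDrives = 0xFF
$Removable = 0x04

function Get-AutoRunPolicy {
    # Returns the current machine-wide bitmask, or $null when no value is set.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-RemovableAutoRunDisabled {
    # True only when the removable-drive bit is present in the bitmask.
    $current = Get-AutoRunPolicy
    if ($null -eq $current) { return $false }
    return (($current -band $Removable) -eq $Removable)
}

function Set-AutoRunDisabledForAllDrives {
    # Creates the policy key if it is missing and sets the mask to 0xFF.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrives -Type DWord
}

# Audit first, then remediate only if the removable-drive bit is missing.
$before = Get-AutoRunPolicy
if ($null -eq $before) {
    Write-Host 'No machine-wide NoDriveTypeAutoRun policy is set'
} else {
    Write-Host ('Current NoDriveTypeAutoRun: 0x{0:X2}' -f $before)
}

if (-not (Test-RemovableAutoRunDisabled)) {
    Set-AutoRunDisabledForAllDrives
    Write-Host ('Remediated: NoDriveTypeAutoRun is now 0x{0:X2}' -f (Get-AutoRunPolicy))
} else {
    Write-Host 'AutoRun is already disabled for removable drives'
}
```

Reviewing the value before changing it lets the script be run as a read-only audit across a fleet first; the remediation branch only fires on machines where the removable-drive bit is absent.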
Warn Employees About Porn-Dialers on Phones: Watching porn on the job can become a double-whammy for employees if they’re hit with embedded dialer programs posing as porn videos, software or utilities. When they are activated on a company mobile phone, these programs auto-dial expensive porn numbers owned by cybercriminals. They are then billed to the company as if they’re legitimate businesses.
Adopt Zero-Tolerance for Software Not Approved by Your Firm: “Companies should not allow individuals to install any software without management permission, and that should be stated clearly to employees upon being hired,” Correia said.
Take Heart That Sometimes the Good Guys Do Win: This past December, Albert Gonzalez pled guilty to masterminding the hacking of T.J. Maxx, Heartland Payment Systems, 7-Eleven and the supermarket chain Hannaford Brothers. He faces a prison term of at least 17 years, according to Sophos.