Posts Tagged ‘hackers’

In a Wall Street Journal report entitled “Information Security” (April 20, 2015), staff reporter Danny Yadron highlighted 5 key steps companies can take to improve their “cyberhygiene” that have a lot less to do with spy-grade technology and a lot more to do with boring things that companies too often skip, like:

Step One: Keep up with the patches.  Last year a third of new hacking tools discovered by security researchers at HP involved exploiting a flaw in Microsoft Windows that was discovered in 2010.  Microsoft issued the correction patch years ago.  Unfortunately, too many companies simply don’t keep their software up to date.  As security expert Alan Paller notes: with patches “you’d stop most of these attacks.”

Step Two: Keep your online doors closed.  The average family has five or more machines attached to the Internet (phones, tablets, PCs, TCs).  Businesses typically have many more – and often don’t even know which are online.  According to Verizon, last year nearly one-fourth of all breaches were the result of hackers getting into a machine that didn’t need to be online.  The solution is simple: make sure that only necessary machines are online, and that they’re protected.

Step Three: Encrypt your data.  For starters, be sure your credit card transactions are PCI Compliant.  You should not be holding customer credit card numbers anywhere.  Beyond that, internal encryption can get costly and can slow some operations down.  Home Depot spent $7 million to ensure encryption for its 2,200 stores.  The stolen data that makes headlines is always of the unencrypted variety, so companies must balance the cost against the public relations (and financial) debacle that ensues if a major breach occurs.  This is much more of a concern for the Big Guys, but we’ve always found that whatever affects those big guys trickles down to us Little Guys eventually.

Step Four: Get rid of passwords.  As the Journal notes, “Users hate them.  Security staff dread them.  Hackers love them.”  According to Verizon, 25% of all breaches could have been stopped if the victim companies had required more than a password to enter their networks.  Users often use the same passwords for networks, banking, password files and social media, to name a few.  New technologies are emerging, like a tiny USB token that verifies a user’s identity in conjunction with passwords for an extra layer of security.  In early tests, it’s been effective and well received by employees.

Step Five: Check out your vendors.  About one-fourth of data breaches have been linked to hackers getting into a vendor or third party, and then backing their way into a larger target firm.  Target, Inc. traced its infamous breach back to a heating contractor.  Home Depot’s was linked to outsiders who had access to their corporate networks and were hacked first.  The solution lies in careful oversight.

That may not be foolproof, but it will plug the obvious holes.  And as you can see from the items above, most of the tactics that will increase your own network security are pretty low-tech.  Basic “blocking and tackling” one might say.  Start with the obvious.  Your odds can only go up from there.



A recent story in Bloomberg BusinessWeek points out how vulnerable companies can be to determined hackers, and just how costly it can be.  This one was largely kept on the down-low by the company, but in fact was one of the biggest and most disruptive hacking intrusions last year.  It only highlights the importance of vigilance and safe backups.

In early February of last year, the offices of the world’s largest gaming company started going down.  Computers, phones, email… all down.  Many of the systems that ran the $14 billion Las Vegas Sands Corp. were laid low.  The company’s IT staff had never seen anything like it.

We’ll leave the details to you to read (the article appeared in the 12/15-20 issue, p. 60, and was written by Ben Elgin and Michael Riley).  Here’s the gist of it…

It appears that Sands CEO Sheldon Adelson, at 87 one of the world’s wealthiest individuals and an outspoken political hawk, had the previous autumn given a speech at the Manhattan campus of Yeshiva University in which he made some rather disparaging remarks (some would say he took a “tough position”) regarding Iran’s nuclear prospects and intentions.  His words spread quickly via YouTube and around the Internet.  Two weeks later, Iran’s supreme leader responded via Iran’s quasi-official news agency with some disparaging remarks of his own.

A few months later, chaos ensued at The Sands.  While physically both Adelson and The Sands are as well protected as money can buy, his company had been slow to adapt to digital threats.  As the article points out, two years ago The Sands had a cybersecurity staff of 5 to protect 25,000 computers.  While a major upgrade was planned, it had yet to be rolled out.

Apparently, a month after the Ayatollah’s fiery speech in response to Adelson’s, hackers began poking around The Sands’ networks.  Eventually, they found a vulnerability in a small slot-machine casino and resort within The Sands’ empire in Bethlehem, Pa.  In effect, it was a weak link in a very big chain, and it eventually provided access through a VPN (which Sands’ employees often used to access their files from home or the road).  The hackers ended up cracking passwords and logins through a brute-force technique that eventually worked – like safecracking tools that spin through every possibility until they hit their target.

Investigators from Dell SecureWorks eventually traced the hacking activities back to Iran, long after the hackers had “detonated a malware bomb” and ultimately wiped out about three-fourths of the company’s Las Vegas servers.  Ultimately, recovering what data they could and replacing servers would cost the firm $40 million or more.  And most people outside the firm never even heard about it.

On top of the recent and publicly acknowledged hacking attacks (Sony/Korea, Russian and Chinese attacks), the Sands disaster is just one more in a growing movement of cyberwar.  These are low-level digital skirmishes that can wreak havoc in ways we’ve not encountered before.  We’ll be hearing more about these in the future.

Meanwhile, how are your backups?


Every company is concerned about web hacking, or at least should be.  That’s why we install and maintain antivirus software so religiously.  So we were intrigued to see the latest new development in the field that holds promise for turning the tables on the attackers.

According to an article in the “Technology/Security” department of the Feb 10th issue of Forbes, a team of entrepreneurs out of Google and some defense companies have started a company called Shape Security.  Instead of the norm, which consists of anti-virus companies racing to detect a hacker’s weapons (which are always evolving), Shape’s team aims to create a small appliance that plugs into a company’s network and obscures or hides the code behind the customer’s website.

The code behind the software works, according to the Forbes article, by “replac[ing] variables with random strings of characters that change every time a page is loaded, all without altering the way the site appears to human visitors.”  It’s a trick that goes by the name “polymorphism” and it makes it vastly more difficult for the bad guys to use scripts, bots or other automated tools to crack passwords, steal content or infect users with malware to spy on their banking transactions, for example.
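The idea of names that change on every page load can be sketched with form field names. This is an added illustration, not Shape Security’s code or anything from the Forbes article; the key, the hidden field `n` and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret
ISSUED = set()                        # nonces handed out and not yet used

# Constructed sample page; a scripted tool would target these field names.
LOGIN_FORM = ('<form method="post" action="/login">'
              '<input name="username">'
              '<input name="password" type="password"></form>')

def alias_for(field, nonce):
    """Derive the per-page-load alias for a real field name."""
    mac = hmac.new(SERVER_KEY, f"{nonce}:{field}".encode(), hashlib.sha256)
    return "f_" + mac.hexdigest()[:16]

def render(html, fields):
    """Rewrite the listed name="..." attributes; return (html, nonce)."""
    nonce = secrets.token_hex(8)
    ISSUED.add(nonce)

    def swap(match):
        name = match.group(1)
        if name in fields:
            return f'name="{alias_for(name, nonce)}"'
        return match.group(0)

    out = re.sub(r'name="([^"]+)"', swap, html)
    # The nonce travels in a hidden field so the server can undo the mapping.
    hidden = f'<input type="hidden" name="n" value="{nonce}">'
    return out.replace("</form>", hidden + "</form>"), nonce

def decode(posted, fields):
    """Map a submission back to real names, or None if it must be rejected."""
    nonce = posted.get("n", "")
    if nonce not in ISSUED:
        return None               # unknown or replayed page load
    ISSUED.discard(nonce)         # each rendered page accepts one submission
    real = {}
    for field in fields:
        alias = alias_for(field, nonce)
        if alias not in posted:
            return None           # e.g. a script posting the fixed names
        real[field] = posted[alias]
    return real
```

A browser submits whatever names the page it just loaded contains, so a human visitor sees no difference, while a script written against `username` and `password` is rejected.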

So far, these alumni [pictured] of the Defense Department, Google and others have raised $26 million from top name venture investors, and already are in testing phase with about 20 customers.  Initially at least, their appliance solution won’t be cheap – a million dollars per year per customer.  But it will significantly raise the bar against the hackers, and one imagines that lower cost versions for smaller firms could one day result.

Of course, hackers and anti-hackers play a never-ending game of leapfrog.  In this case, the article notes, cyber-criminals may find ways around it if they can’t read the code to figure out what part of the site to attack.  They might “use image recognition to study how the website works or even hire humans to fill in for the bots.”  Now that would be an interesting step – backwards.  And a novel way to increase I.T. employment too, one would think.  Shape says it has already considered these ideas and is already filing patents for the next phase of the game, on which it’s keeping mum for obvious reasons.

Of course, the hackers will still attack sites not armed with the new technology.  It’s like the old saying about running away from a bear: you don’t have to be faster than the bear, just faster than the slowest guy running from the bear.  Or in this case, a little more secure than the guy not running Shape’s new solution.


Seems you can’t go a day without reading about how the Chinese are hacking U.S. corporations and government offices – all officially denied of course.

Not wanting to add to the din, we do want to point out one of the best articles lately on the topic that we’ve seen, featured as Bloomberg BusinessWeek’s Feb. 18th cover story.  (Ironically, Bloomberg itself may have been hacked during its own reportage on the very topic, as described here.)

In the Bloomberg article authors Dune Lawrence and Michael Riley first re-tell the now familiar story about the New York Times’ recent hack attack, when it first started posting articles about suspicious money activities among China’s elite ruling class, as well as recounting the famous earlier (2010) tales of hacking done at Intel and Google, among others.

But then they turn their sights to a fellow named Joe Stewart.  He’s the director of malware research at Dell SecureWorks, a unit of Dell Computer, where he spends his days “hunting for Internet spies.”

And from there unfolds an intricate tale of sleuthing involving a labyrinthine network of hacking and network nodes from Eastern Europe all the way back to Shanghai.  And how through one small slip, he eventually followed the trail back, through a Hotmail account connection no less, to a blog containing musings on Buddhism, eventually back to something called the “PLA Information Engineering University,” one of China’s principal centers for electronic intelligence.

It’s a fascinating yarn of sleuthing, all worthy of a John Le Carre novel, and you should give the full article (linked above) a read.  This stuff is real.  And as the U.S. Attorney General pointed out recently, there are only two kinds of victims here: those that have been hacked and know it, and those that have been hacked but don’t yet know it.

A few days after the Bloomberg article, by the way, The Wall Street Journal made its section B headline about hacker strikes against Apple and Facebook.  Interestingly, the article points out that a report in February from a U.S. research firm, Trustwave Holdings, noted that in 2012, for its own clients, “data breaches around the world” showed 33% originating from Romania, and 29% from the U.S.  China, the report said, was only the fifth most common source.

And finally, Verizon Communications, in a report published in 2012 exposing the geographic distribution of hackers, said that of 855 intrusions it detected (in conjunction with the Secret Service), fully two-thirds originated from Eastern Europe, 20% from the U.S., and only 2% from East Asia.

Proving, one supposes, that our enemies these days are… everywhere.



All businesses today need to be vigilant about keeping the bad guys out of our networks.  But a fellow named David Koretz (pictured at left), who owns a company that provides email services for businesses, has taken a rather novel approach, according to a recent article in the November 19th issue of Bloomberg Businessweek.  While maybe we can’t all do what Koretz does, the lessons are worth noting, and he does provide a valuable product/service that you may find of interest.

When Koretz’s business started getting hacked, he found that the various attackers all looked different – from jilted lovers, to organized crime figures seeking credit cards, to disgruntled employees seeking to get back at old bosses.

Koretz came up with an unorthodox approach that he turned into a company named Mykonos Software.  His idea was to design an “intrusion detection” software product that thwarts attackers by setting traps to confound them.  The goal is to slow hackers down, and make it too costly and not worth their while to attack his clients.  His software plants fake files on its customers’ websites to confuse intruders.  He also floods attackers’ scanning programs with information about vulnerabilities that don’t really exist.  The hackers can spend months chasing leads that go nowhere – and here’s the key – eventually give up.

Koretz says it’s like “putting all your data on top of Mt. Everest,” where it will be infinitely harder for hackers to get at it.

And along the way, they have a little fun with it.  They empower geeks to fight back.

For example, once a hacker is spotted, the program starts messing with the attacker’s PCs.  One clever response is to flash a map of the hackers’ locations and provide recommendations for nearby defense attorneys.  Another disrupts the attack so it occurs in very slow motion.  Yet another serves up a pop-up on the attacker’s screen that offers hacking advice and offers them consolation for getting caught.

With his unique techniques, Koretz has gone beyond traditional intrusion detection and into the realm of thwarting attackers offensively.  As he says, “I don’t think perfect security is real.  What I want to do is build the biggest mountain I can.”

His work has caught the eye of the big guys.  Juniper Networks, a leading networking equipment manufacturer, bought the company recently for $80 million.
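The fake-file trap and the slow-motion response described above can be sketched as a pass over web access logs. This is an added example, not Mykonos code; the decoy paths, the log lines and the five-second delay are constructed for illustration.

```python
import re

# Hypothetical decoy paths: planted files that no page links to, so a
# legitimate visitor has no reason to request them.
DECOYS = {"/backup/db_dump.sql", "/admin/.htpasswd", "/config.old.php"}

# Constructed access-log lines in common log format (documentation IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [19/Nov/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.9 - - [19/Nov/2012:10:00:02 +0000] "GET /admin/.htpasswd HTTP/1.1" 200 64
203.0.113.9 - - [19/Nov/2012:10:00:03 +0000] "GET /login HTTP/1.1" 200 2048
198.51.100.7 - - [19/Nov/2012:10:00:04 +0000] "GET /products HTTP/1.1" 200 4096
203.0.113.9 - - [19/Nov/2012:10:00:05 +0000] "GET /config.old.php?x=1 HTTP/1.1" 200 80
"""

LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+$'
)

def triage(log_text, decoys=DECOYS, slow_seconds=5.0):
    """Return (alerts, delays): decoy hits and the delay chosen per request."""
    flagged, alerts, delays = set(), [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, _status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if path in decoys:
            flagged.add(ip)             # touching a decoy marks the client
            alerts.append((ip, path))
        # Once marked, every later request from that client is slowed down.
        delays.append((ip, path, slow_seconds if ip in flagged else 0.0))
    return alerts, delays
```

Because nothing legitimate links to a decoy, a single hit is a high-confidence signal, which is what lets the response be as aggressive as slowing the client down.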
