Editorial: The Invisible Hand

Businesses and Consumers Must Brace for the Worst--and Protect Themselves

October 2008
    Gone are the days when you knew you could reasonably avoid peril by staying away from the dodgier realms of the Internet. Now, by simply visiting a legitimate website that hasn’t been secured—a city government’s, for example—you may actually be setting (virtual) foot into a hacker’s den and never even know it.

    When news broke last summer of the watershed Monster.com breach, consumers everywhere were socked with a terrifying reality check. Hackers had used stolen job recruiter names and passwords to log onto Monster.com and steal 1.3 million pieces of sensitive personal data from job seekers—all without tripping Monster’s alarms. The collective fear was palpable: If something like this could be perpetrated through a trusted (and therefore supposedly safe) web site like Monster.com, who’s to say it couldn’t happen with other mainstream, trusted web sites?

    Since then, it has happened—and numerous times.

    What’s even more terrifying?  That technology has democratized the hacker playing field.

Not necessarily in the news

    If you look to the news for a definitive picture of the enemy we now face, for the most part, you won’t find it. Scan the headlines, and you might develop a healthy fear of data breaches—as well you should—but you might overlook a darker threat.  Data breaches like last year’s colossal TJX fiasco make news, in part, because laws in many states require organizations to notify affected consumers when data is either snatched or inadvertently released into the ether. However, no such mechanism exists when data is compromised through a keylogger program installed on a computer by a stealthy hacker. So many of these catastrophic events go unnoticed, under the radar. It’s the perfect cover for would-be identity thieves.

    Thus, we’re left to rely upon the tactical research of law enforcement organizations, non-profit groups and private security vendors (like Finjan) to keep us abreast of criminal cyber-activity. Through its blog and quarterly reports, Finjan’s Malicious Code Resource Center offers insight on how hackers organize and execute attacks on consumers. It’s prime reading material for anyone whose personal data has ever been transmitted over the Internet or entered onto a computer connected to the Internet.

    And how truly eye-opening something like Finjan’s blog is. For example, did you ever wonder how cyber-criminals pay for your stolen data? According to Finjan’s report, e-Gold and WebMoney were both viable options for one criminal group, as were Western Union and MoneyGram (evidently, cybercriminals don’t subscribe to the concept “never leave home without” their credit cards).

    Fortunately, more and more media outlets are catching on to this story. Earlier this summer, when Finjan reported that 1,000 governmental, retail, health care and advertising web sites were targeted by sophisticated SQL injection attacks, it generated interest not just in the high-tech press but in blogs affiliated with publications including the San Francisco Chronicle and The Guardian in the UK.

    Likewise, a finding from the Atlanta-based malware research firm SecureWorks earned a mention in an article appearing in the Technology section of The New York Times. SecureWorks’s director, Joe Stewart, had determined that a Russian gang was controlling as many as 100,000 infected computers across the Internet. According to the Times, the system relied on botnets (networks of afflicted computers) to infect PCs with a keystroke-recording program known as “Coreflood.” The network of infected computers collected as much as 500 gigabytes of data and sent it to a commercial Internet hosting computer center located in Wisconsin, according to the Times.

“Average Joe” hackers on the rise

    How else are hackers using keyloggers? At Canada’s Carleton University, one student hacktivist accessed 32 electronic accounts equipped to buy food, books and other school supplies by installing a keylogging program on a campus computer. With the information he obtained, the student was able to hack into fellow students’ emails and had full access to their accounts. He said he wasn’t out to commit financial fraud. In fact, he shared with university administrators a 16-page document detailing exactly how he did it—a gesture some observers took to be consistent with “white hat” hacking, motivated by a desire to point out security holes. Though the student hacker tried to remain pseudonymous, authorities identified him as 20-year-old Mansour Moufid. He now faces criminal charges. As a sidenote—Moufid reportedly wrote the software in “two hours,” according to CBCNews.

    This is where the democratizing effects of technology are becoming evident, and frighteningly so. While many hackers—white hats and black hats—are certified pros, the idea that rank amateurs, more and more, are commandeering crimeware kits stands among Finjan’s more troubling findings. But it doesn’t stop there. By failing to secure their own sites, the amateurs then wind up releasing personal data into the great morass of information identifiable through Google web searches. It’s a sad day when hack identity thieves can do potentially more damage than old pros—but don’t blame Google for archiving their handiwork. The popular search engine is merely doing its job by cataloguing web information and making it searchable by keywords. It’s up to consumers and businesses to protect themselves, to make sure two-bit hackers don’t find ways to take their information and run with it—to Eastern Europe, Asia, or anywhere else that hackers operate remotely. Anyone with ill intent and an Internet connection can now find a way to extract your personal data, largely without detection, especially if you’re not prepared for the threat.

Be afraid...be very afraid

So how exactly were so many mainstream, “trusted” web sites undermined by hackers in this latest wave?  Finjan says that the types of attacks it is detecting are intended to thwart security technology that is based on “signatures”—that is, technology that determines whether content is safe based on its origin. In the cases Finjan has studied, hackers have been able to insert malicious code into otherwise legitimate web sites, rendering signature-based security measures unable to detect the attacks. A number of companies, including Finjan, offer solutions intended to protect businesses and end-users (in Finjan’s case, a secure browser intended to protect consumers from malware is free).

Legislative strides

Senators Patrick Leahy and Arlen Specter have emerged as advocates in the fight against cybercrime. Late this month, the senators’ Identity Theft Enforcement and Restitution Act passed the Senate and House and was awaiting signature into law by President Bush. Notably, among other provisions, the proposed bill allows victims of identity theft and other cybercrimes to seek restitution in federal court not only for any monies stolen from them directly, but also for the loss of time and money they incurred while trying to undo the damage done to their lives by identity thieves. The legislation also addresses emerging technological threats to our identities, making it a felony to infect computers with spyware or keyloggers. Under this law, according to a statement by Specter, “the most egregious identity thieves will not escape with a minimal, or no, sentence.” We’re fervent advocates for strong penalties and deeply appreciate our lawmakers’ unwavering efforts to combat these crimes—the legislation is a considerable step in the right direction, to be sure. But the ugly reality is that for every hacker who does get caught, there are countless others who escape detection—which unfortunately means that consumers and organizations still must remain on red alert.

Bottom line, consumers and businesses must look to good technology to fight the bad, to research commercially available products and choose the solutions that work for them. As Finjan has ascertained through its findings, organizations are caught off-guard when malicious code is inserted in their sites. It’s important, then, for organizations to not only employ strategies to ward off attackers, but to also employ technologies that keep tabs on attempted network intrusions. Hackers know a good offense responds to defensive strategies, and it’s important to adjust defenses accordingly. The stakes are simply too high to do otherwise.

©2003-2010 Identity Theft 911, LLC. All rights reserved.
