Hacking dates back to the pre-internet era, but with a seemingly continuous wave of attacks hitting the public and commercial sectors there has never been a more prodigious period for hackers.
In only the past few weeks, Sony alone has been breached no fewer than 16 times, CitiGroup has seen its servers hacked and Google has pointed the finger at China for targeted attacks on Gmail.
That’s not all. A recent breach of RSA’s verification system led to further attacks on defence company Lockheed Martin, while in the past few days the International Monetary Fund has admitted its network was breached and the NHS saw its security flaws exposed by a hacker group posting details on Twitter.
In the past, there might have been lot of houses in the street with the same vulnerability, but no-one was going along and knocking on all those doors
Where mainstream alerts used to be rare, they are now daily news fare. But what is behind this unprecedented level of attacks? Security professionals warn of a perfect storm of better-informed hackers, more accessible networks and corporate cost cutting – never before has it been so hard to secure a network. And that's without an outbreak of state-driven cyber warfare. Are we embarking on a golden age of hacking?
Rise of the social hacker
Hackers use social networks and bulletin boards to club together into groups such as Anonymous and Lulz Security – and from these platforms they publicise their work, highlight vulnerabilities and exploit a WikiLeaks-inspired wave of public civil disobedience.
“It is something of a golden age because there are so many issues and people are highlighting those issues more than ever,” said Kevin Wharram, a senior security consultant at the Financial Services Authority. “A lot of this stems from WikiLeaks, because people suddenly realised there's much more information around and they're interested in what information they can get.”
Ease of access to tools has also led to an explosion in the numbers of people actively looking for companies with weakened defences; whereas a break-in might previously have been opportunistic, current attacks are far more methodical.
“In the past, there might have been lot of houses in the street with the same vulnerability, but no-one was going along and knocking on all those doors,” said Wharram. “But now they have been highlighted, so people are looking to expose more data.”
Twitter has also provided a highly visible noticeboard for hackers, many of whom are primarily motivated by the kudos of being the first to discover a vulnerability and expose companies that haven't patched publicised weaknesses. Lulz Security, for example, was virtually unheard of until it hacked into Sony Pictures at the beginning of June and now boasts 130,000 followers. Perfect fodder for anyone with an appetite for attention and a set of hacking skills they wish to show off.
Security experts remain suspicious of hacking groups because they cannot be sure of their motives, and even suspect they might be connected to other security companies. “You wouldn't even know who it is – it's just like a front,” said Wharram. “The Anonymous guys are a group, but they are claiming to be anonymous so they can work around the world.
“For all we know, it could be security people that are involved - you could have someone saying to the NHS 'You have a security problem', and then a security company going in and saying they can fix it. You actually never know.”
For all we know, it could be security people that are involved
The hackers are aided by a support network that sees the latest vulnerabilities posted and traded on forums, with tools available to automatically sweep networks to see whether they are protected against certain attacks.
“Hackers use Twitter and Facebook, but also IRC and bulletin boards, and there are loads of sites that make it easy to discover information about current threats,” said Jonathan Care, director of security company Lacunae Risk. “It's often automated and the system will scan for information about current weaknesses and post it – there's more information available to hackers.”
Huge rewards
The rose-tinted portrayal of hackers is that they highlight security issues to embarrass companies into rectifying problems. Yet, there's an equally active – if less vocal – breed of hacker that is in it purely for the money and shuns the limelight.
Whether it's harvesting and selling credit-cards details – such as those reportedly stolen in the 77 million-account strike on Sony - or stealing corporate information to order, a successful attack can be hugely lucrative for its perpetrators.
“I suspect the rewards these days are higher,” said Paul Bradbury, an independent security consultant. “Who would have thought that Sony's stock price could be impacted so heavily by a hacking attack? [It fell by almost 4% in the week following the initial attack.] That may well be funded by a competitor or commercial motivation.”
“As the rewards from hacking increase, there will be more hacking,” added Bradbury. “However, the term 'hacking' is too much of a pleasantry for what is really going on here - plain old-fashioned extortion and theft.”
With the rewards increasing, hackers are willing to play the long game, taking weeks or months to put together a multi-layered attack. The RSA attack is a prime example: the company admitted to a security breach that may have left details of its two-tier authentication products in the hands of hackers, who could then target other companies.
“If the rumours around the lifting of the RSA data for security devices are correct, then we are seeing 'strategic co-ordinated' hacking attacks,” said Bradbury. “Lifting tools from RSA to enable a targeted hack on Lockheed Martin... this is much more sinister than a group of geeks breaking into a central system and leaving a message alerting people to security flaws. We are talking the difference between casually walking across someone's lawn and deliberately breaking and entering and stealing from their house.”
Recession bites security budgets
The biggest complaint levelled at Sony during this surge in attacks has been that it doesn’t take security seriously enough, but it is far from alone. One of the key catalysts for the increase in hacking stems from senior management being unwilling to spend money on security because there’s no tangible gain.
“It's all about cost. It's not enough to have a firewall and a burglar alarm - you need people to monitor them and they cost money too, and at the moment companies don't want to spend money on security,” said Care. “If there is spare money for IT, then bosses would rather see it spent on a faster database that does something for the company than on security, which isn't so visible.”
It's the extension of an old problem in which the boardroom fails to recognise the needs of the IT department – and it gets worse in a recession. “It all comes down to senior management,” said Wharram. “No matter what you do at the bottom level, it's not going to work if they don't give you the backing and support. And often it's not a priority – more a case of tick-box compliance.”
If you look at the Stuxnet attack, that was around for nine months before they even knew about it, and that was for a nuclear programme
That makes life frighteningly easy for hackers to gain access to corporate systems, and although the rash of show-and-tell hacks from groups such as Lulz and Anonymous might cause embarrassment, the alternative is worse.
“With someone like Lulz, where they are posting their findings, there's not that much for them to gain,” said Wharram. “It's the attacks that aren't made public that are more worrying, because they are from people that might do more damage.”
“A lot of organisations have been infiltrated and they don't even know it. If you look at the Stuxnet attack, that was around for nine months before they even knew about it, and that was for a nuclear programme.”
For a company that relies on intellectual property or product development, such a stealth attack could prove catastrophic. “These incidents could bring down a company,” said Wharram. “Take a company developing a game, for example, and think about how much it costs to develop. If somebody steals it and brings it to market quickly, then they might catch the intellectual property before it's protected and that could bring them [the games company] down. Corporate espionage is very hard to manage.”
Global hacker conventions
The lack of global law enforcement is another key incentive. Hackers operating in Asia can launch an attack on the West with impunity (and vice versa), knowing that cross-border legal processes are likely to keep them safe.
Although some countries are quick to share information and deport or extradite suspects, other states, particularly China, stand accused of actively assisting hackers. Others lack either the motivation, funding or technical expertise to clamp down on high-tech crime.
And it’s not only foreign countries who aren’t adequately equipped to investigate e-crime. “The Ministry of Defence is recruiting experienced cyber professionals, but there aren't enough cyber security experts in this country,” said Care. “The police here are making an effort but cross-border enforcement is a real challenge, especially where foreign authorities don't seem interested.”
The Gmail attack was just the latest in a series of acts of alleged cyberwar. Government departments in the US, Britain, France and China have all blamed foreign sovereign states for attacks on various departmental systems.
The global threat posed by state-sponsored attacks is exacerbated by the fact that well-educated IT professionals have been left jobless as a result of the worldwide recession. “The recession has had a double-edged effect – there's less spending on security and a bigger threat,” said Wharram. “The reason that so many East Europeans are in hacking is because there are no jobs and so they are looking for money from selling the data.”
“The most popular trojans come from Russia, Eastern Europe and China, which really isn't so much looking for financial gain, but is looking for information. With Russian and Eastern Europe it's more financial.”
Networks beyond control
If access to vulnerability data and financial rewards give hackers every reason to go after company networks, infrastructure managers are making it even easier for the data thieves.
“We are building increasingly complex and integrated systems that use information from disparate data sources and the more complex the systems, the more opportunities there are for a hacker to find a loophole,” said Care.
He cites multiple internal servers and services that companies want to make available online – either internally or externally - as well as outposts of data collection from infrastructure monitors, as potential backdoors for hackers. “When you have environmental control systems, for example, it's cheaper because you can log into them from your office rather than going out to check on their status, but so can anyone else if the security's not right.”
The pace of change, and the pressure to get systems up and running as quickly as possible also means that networks aren't locked down as tightly as they should be, which can leave back doors open for hackers.
“Because of the pace of development there is a tendency to throw something up temporarily to get it working, but then its ends up being permanent,” said Care. “And there are often web services on these makeshift systems that draw on data from other web services.”
IT departments can also inadvertently highlight the fact they are vulnerable, posting “please help” requests online that act like a candle to a moth.
“I see people posting on bulletin boards or forums, using a company email address and they're saying: 'I'm having trouble deploying this program or that program’. That lets anyone else with access to that forum know they are deploying it and it's probably in a vulnerable state,” said Care.
Read more: Is this the golden age of hacking? | Analysis | Features | PC Pro http://www.pcpro.co.uk/features/368041/is-this-the-golden-age-of-hacking/4#ixzz1Pwcb9kxF
No comments:
Post a Comment