A July 29 webcast hosted by security vendor Sophos revealed what cybercrooks are up to of late. Evidently, we’re entering a third era of cybercrime, one that will be defined by cyberwarfare.
Delivered by Graham Cluley, senior technology consultant at Sophos, the presentation highlighted the latest tactics the bad guys are using to infect computer systems and steal info. Armed with the latest data from SophosLabs – where more than 50,000 new samples of malware are analyzed daily – Cluley revealed, not surprisingly, that social networking sites have become the primary target of hackers. With this in mind, the real security problem, he said, is “PEBKAC” – the Problem that Exists between the Keyboard And the Chair.
“We blame a lot of things on technology but ultimately it does its’ job pretty well,” he said. “When we involve humans that’s when we make mistakes . . . that’s what hackers take advantage of with social engineering threats and it’s the primary method of attack today.”
Speaking of which, hackers realize social networks can operate as a botnet — a network of compromised computers, scattered worldwide, that do the bidding of one single hacker.
“Hackers can do the same thing with social network accounts,” he explained. “They could for instance, order thousands of compromised Facebook accounts to send out spam . . . you really need to look after your username and passwords for that reason.”
Which begged the question: is it safe for businesses to use social networks?
“My feeling is more business is going to be done via social networks (than not) . . . most folks are using these networks for legitimate work,” he said. “Your marketing department, for instance, will use them to be ‘down with the kids’ or your HR department will want to be on LinkedIn in order to help find new staff. They have value but we have to be careful because of the threats.”
Citing a June 2010 online Sophos survey (600 respondents in all), Cluley highlighted 57 per cent of users reported being hit by spam via social networks (Twitter, Facebook, LinkedIn, MySpace), an increase of 70.6 per cent from 2009.
Of other Web threats: SEO poisoning is increasingly appearing (Google a popular search phrase and you might end up on a compromised page infected by scareware); as more companies store data online, data loss will become a huge factor; and beware of malicious mobile apps that target various devices.
But one of the most interesting online threats Cluley mentioned was cyberwarfare.
“We’re entering a third era of cybercrime,” he said. “We’re beginning to see cyberattacks that appear to have political or military motives and we have to be open-minded to the possibility of this happening . . . it was brought to light when Google publicly pointed a finger at China recently.”
Equally alarming perhaps were some of the findings revealed in the same survey when it asked people what their thoughts are on cyber-espionage and cyberwarfare. For instance, when queried if it is acceptable for your country to spy on other countries via hacking/malware, 23 per cent said ‘yes even in peace time’, 37 per cent said ‘no’, and 40 per cent said ‘yes but only in wartime’.
Respondents were also asked if it was acceptable to target companies in other countries? Sixty-eight per cent said ‘no’, 23 per cent said ‘yes in wartime’, and nine per cent said ‘yes’ outright.
“It’s staggering to me,” Cluley admitted. “Hacking and installing malware on companies’ computers; it’s interesting how these attitudes are beginning to ferment.”
What about Denial-of-Service attacks versus another country’s websites (i.e. online banks, utilities)? The survey revealed 49 per cent said ‘yes in a time of war’, 44 per cent said ‘no’, and seven per cent ‘yes’.
“I really don’t want to get into the backyard of people who think like that,” he remarked before adding as more users put personal information on the ’Net, we might see more attacks against cloud-based systems. Ergo, your personal data is only as secure as the passwords you choose.
For businesses, Cluley recommended companies look at the information staff shares online, review web 2.0 security settings, and consider filtering access to social networks while educating your workforce about all kinds of risks, not just those online. “Also, keep yourself informed of latest security threats. Stay ahead of the game, sign up for security alerts and read Sophos’ blogs,” he advised.