- Text
For Cyber Gangs, Fooling Google Isn't That Hard to Do
(Credit:
AP)
And it works more times than you might assume.
The most recent case: the coordinated January cyber attackagainst computer networks run by Google and at least 20 other big companies. In what's since become known as Operation Aurora, corporate computer systems were penetrated after users innocently called up malicious web pages that they believed to be legitimate. At Google, the target reportedly was a company program, code-named named Gaia, which controlled worldwide user access to e-mail and business applications.
Reviewing the incident, cybersecurity officials familiar with the scenario note that it's become increasingly common for employees to inadvertently infect their machines after accessing Web sites booby trapped with malicious code. At that point, they say it's point, set, match with intruders able to steal passwords, impersonate the identities of real co-workers and waltz past a company's network defenses without much trouble.
"You can be smart and still get social-engineered," said Dave Marcus, the director of Security Research at McAfee. "They know what your hobbies are and what you're surfing."
With the gaining popularity of social networking and a Web 2.0 culture that more readily accepts openness, Marcus said the downside is that cyber criminals can more easily harvest personal data in preparing an attack.
"It is one of most difficult things to protect people against when someone knows about your habits, your likes and your dislikes," he said. "When they send you a message, there's a good chance that you'll click it. What you had with Aurora was some pretty sophisticated profiling of companies and the victims. When you're doing that level of reconnaissance, your measure of success goes up. They knew who they were targeting."
Mitnick: Nothing New Under the Sun
So much for building up supposedly impregnable - and expensive - network security systems. But to hacker-turned-consultant Kevin Mitnick, who helped popularize the social engineering as a computer security term, there's little new under the sun.
"I'm not surprised. When I was on the dark side, I was doing the same thing - except that I was going after source code for cell phones," Mitnick said in an interview with CBSNews.com. "Everyone seems surprised that they're trying to take source code. I was taking it 20 years ago. People must have forgotten.
In the 1980s and early 1990s, Mitnick gained notoriety for duping employees and gaining illegal entry to corporate computer networks. After a warrant was issued for his arrest, Mitnick became a fugitive for two and a half years. He was finally arrested in 1995 and served five years in prison.
Building a Business on the Art of Deception
Public and Private Entities Face Challenges in Addressing Cyber Threats
Cyber Attacks Jeopardize Superpower Status
The attack against Google and other companies naturally raises another uncomfortable question: are intruders getting smarter or are people getting dumber - or more likely, a combination of the two - when it comes to computer security?
"Some people are just busy and aren't always thinking about security when they are attacked," said SophosLabs's U.S. manager, Richard Wang. "Remember that attackers only need to find one person who falls for the social engineering."
While network defenses have improved in the last couple of decades, systems are only as strong as their weakest link, the individual employee. And as a new generation of cybercriminals has become more sophisticated about how to manipulate them into giving up protected information, the stakes have become even higher.
A 2007 GAO report didn't waste time with euphemisms: "Cybercrime has significant economic impacts and threatens U.S. national security interests." The fact is that cybercrime pays with financial data remaining the favored target of cybergangs. The most recently available FBI study put the annual loss due to cybercrime in the U.S. at more than $67 billion. It often comes down to a combination of social engineering and tricking a target into opening a document or visiting a web site with malicious code.
"Attackers are getting smarter and this will continue to go on and on and on," Mitnick said. "Attackers find out who is in a particular circle of trust, who they communicate with -and you have social networks to look that up - and then they strike."
"Back in my day, we broke in by attacking services that were exposed by servers," Mitnick recalled. "They had firewalls but we looked for vulnerabilities and tried to exploit them. Now, things have shifted to apps, or code by company employees that was done improperly."
"This stuff isn't new," he said.
-
Charles Cooper is an executive editor at CNET News. He has covered technology and business for more than 25 years, working at CBSNews.com, the Associated Press, Computer & Software News, Computer Shopper, PC Week, and ZDNet. E-mail Charlie.
Follow on Twitter »
- Simpsons Arcade finally makes it to Xbox 360, PS3
- Angry Birds take off in "space"
- Apple iPhone 5 rumors, reports say June release
- Apple MacBook Pro getting makeover, says new report
- Foxconn says it will raise salaries
- Facebook required for Spotify account, here's a trick
- Apple to build largest private solar farm in U.S.
- Is Final Fantasy XIII-2 worth your time?
- How to get the Diablo III beta test
- Microsoft redesigns Windows logo
- Mountain Lion, Apple OS may drop support for older Macs
- Shocking Stats on Texting While Driving
- Apple iPad 3 rumors resurface, sources say March release
- PS Vita launch day titles and pricing details
- Judge: Americans can be forced to decrypt
- Apple iPad 3 rumors: thicker, sharper, coming soon
- Apple closer to winning "iPad" name
- Sugarland blames fans for state fair injuries
- Vikings, UMinn reach tentative deal on TCF stadium
- Former US Rep. Katie Hall of Indiana dies at 73
- Ex-Senate aide gets jail for steak knife incident
on Facebook
- Santorum: Democrats are "anti-science," not me
- Carnival/Mardi Gras 2012
- Whitney Houston memorial
- Mozart of Chess: Magnus Carlsen
on CBS News
