A small local financial firm recently had its system hacked and its Web site copied and then posted in North Korea.
It took three to five days before the firm learned its home page was running somewhere else, explained Jeff Thon, vice president of sales and marketing at Fairport-based xDefenders Inc., a management security services provider.
“That organization had 40-some employees,” Thon said. He would not disclose the name of the firm.
During the time it took for the company to learn it had been hacked, clients logging onto the fake site would have been handing over their personal information directly to the hackers.
Such sites stay up and running for as long as possible, Thon said. Once the hackers are found out, they shut down the site and move on to the next target.
“Hackers are drilling down to lower levels to reach the lower-hanging fruit,” Thon said. And that means small businesses.
Computer hackers still are mistaken for vandalizing teenagers, but experts say hackers now are really businessmen looking for the best deal: the system that is going to cost the least amount of money and time to attack and yield the highest possible return.
James Moore, information security officer at Rochester Institute of Technology, said that for hackers the best deals can be found by breaking into the systems of small to midsize firms and other non-corporate organizations.
Hackers and large companies alike, he said, know the information assets at corporations are fortified well enough to make small to midsize businesses a far more feasible target.
In the past, small-business owners could hide in the shadows of large companies, whose disrupted infrastructure could produce more havoc than that of a small, 40-person firm somewhere in Rochester. Hackers now are scavengers, scouring private networks for intellectual property, customer databases and other private data to sell on the sly.
But when the hacker is no longer acting on a teenage whim but with the objective of making money, the hacker’s target changes and so does the way he takes aim. The result is methodical research that includes scouting for potential buyers of stolen data, such as company competitors.
The changing trend, which Moore estimated began to emerge three to five years ago, has local IT security consulting firm Pervasive Solutions LLC focusing its services on the midsize market segment.
“This segment isn’t looking to hire a Big Five consultancy and pay exorbitant rates (for security services),” said Josh Bouk, vice president of marketing at Pervasive. But, he adds, it remains difficult to convince smaller businesses to take security as seriously as they should.
What prompted the shift in customer focus at Pervasive ultimately is the result of the hackers’ change in target.
“They have found that the big companies, such as the Fortune 1000, have the personnel, tools and budgets to actively and competently defeat their best efforts,” Bouk said.
The small to midsize businesses, on the other hand, often have sensitive data but lack the resources to protect it adequately, and as a result, Bouk said, the bad guys are starting to attack small businesses with increasing frequency.
But it is not always about business. Sometimes hackers get personal, such as the odd college applicant who turns bitter after an unexpected rejection letter, said Allen Scalise, president of the Information Systems Security Association, Rochester chapter, and president of Great Lakes Networks LLC.
“Our organization has seen evidence of denial-of-service attacks for personal revenge and hacker attempts to access organizations that have lots of personal data stored on computers,” Scalise said.
Denial of service usually involves exploiting some weakness in the connections between an authorized user and system and leveraging it to slow down or stop data access.
“For example, there was a large university system outside of Rochester that was attacked by hackers to get at personal employee and student data.”
Last week, University of California, Los Angeles, reported what is being called the worst computer breach ever at a U.S. university.
Hackers infiltrated a personal information database on some 800,000 faculty members and former students. Equally alarming is that the attacks lasted for more than a year, beginning in October 2005 and continuing until last month.
“Hackers do it mostly for money; capture the data and resell it on the black market,” Scalise said. “However, the majority of attacks are perpetrated, not by kids having fun but by organized criminal gangs. This is a big change from years past when it was done for fame and notoriety.”
Generally, Scalise said, hackers are looking to prey on the unsophisticated.
The ways to penetrate an organization’s system are vast in variety. One example, which is prevalent during the holidays, Scalise said, is bogus electronic greeting cards.
“One accidental click and you unknowingly download spyware. Spyware then forwards the criminal an electronic log of all your keystrokes,” Scalise said.
Spyware is a type of malicious code that often is used to collect data on users’ Internet movements.
“Or your computer may be enslaved as a ‘bot’ used to attack computers outside the organization creating liability. Spam is another problem. There are about 200 criminal gangs across the globe that represent nearly 80 percent of spam,” he said.
Gaps in security are leading to rising incident response costs, Scalise said. As much as 40 percent of IT help desk calls are related to some form of malicious software such as spyware.
The avenues for hackers are multiple. Scalise said cyber criminals drive around in cars looking for unprotected wireless networks, the kind commonly found at small to midsize businesses, and many of those offices, he said, do not have up-to-date anti-virus signature files.
When users disable their virus software or allow software maintenance to lapse, hackers have an even greater advantage.
Hunting for data
What criminals are after is data. RIT’s Moore said data can range from a breakthrough piece of intellectual property at a firm in Fairport to a customer database at a tree service company in some other suburban location. Everywhere, he said, small to midsize targets abound.
As bank deposits, customer sales and supplier purchase orders become more common electronic transactions, small companies amplify their risk.
Hackers, he said, often are looking for unauthorized data to steal identities but also to steal trade secrets, which they try to legitimize by selling the information as “marketing intelligence.”
How vulnerable a company is to a targeted attack depends on how novel and critical its intellectual property is, Moore explained. People need to evaluate their competitors carefully.
A hacker with stolen data, Moore said, could approach the company’s competitor with a deal, under the thinly veiled guise that he got the data from some thumb drive he found at a local hotel.
But sometimes, instead of stealing data, hackers may use a company’s storage capacity to hide their own data, such as pornography files, Moore said.
Now that the attention is focused on the easy targets, the pressure is off many large corporations, Moore said.
“The responsibility of big business is not that we have to lock everything up, just make it hard enough to make smaller companies more attractive,” he explained.
Everyone, he said, ought to be thinking about their information assets the way they think about their physical assets.
Spyware a big threat
Recent surveys confirm this. In May, Panda Software International S.L., a private IT security protection company based in Bilbao, Spain, found 70 percent of malicious software detected during the first quarter was related to cyber crime and, more specifically, to generating financial returns.
The global survey tracked malware and found that spyware was the most common variety of it, comprising nearly 40 percent from January to March.
The National Vulnerability Database shows that the major security vulnerabilities of yesteryear, such as flaws in Microsoft Corp. software, now have dropped; in contrast, the number of attacks on individual Web servers has jumped.
In the Panda survey published last May, Luis Corrons, director of PandaLabs, commented, “Epidemics caused by e-mail worms stir up too much publicity and are therefore no use when it comes to generating profits. Currently, the types of malware we are seeing more of are those such as spyware, Trojans and bots, which can be installed silently and remain hidden on systems while they operate maliciously.”
But Bouk at Pervasive said small companies continue to think they are safe and too insignificant to be targeted.
“Unfortunately, in the coming months, many of these companies are likely to find out how painful being wrong can be. We often hear, ‘Well, we have firewalls, so we’re safe.’ Firewalls are usually speed-bumps for good hackers,” Bouk said.
“But the perception of the general public is that as long as they have at least one (security) device, they’re safe from threats,” Bouk said. “That’s our greatest challenge: educating companies that think nothing can happen to them.”
12/29/06 (C) Rochester Business Journal