The modern digital security arena sounds more like a cyber Olympics, with terms such as phishers, key loggers and Trojan horses, than a serious personal and corporate threat. But that’s exactly what it is, asks Ed MacNair, CEO of Marshal.
Targeted attacks proliferate today, and corporates find themselves in the trenches. Back in the ‘90s, the most common threat was viruses, and those were typically written by students showing off. They were the equivalent of a CV or résumé. Script kiddies arose from that culture. Script kiddie is a derogatory term in hacker culture used to describe inexperienced, malicious crackers who use other people’s programs to attack computer systems.
The big change in the past two to three years has been the organisation of the cyber underworld. Criminal gangs have surfaced. For example, Amsterdam police recently arrested 111 people as part of Operation Apollo and a seven-month long investigation into Internet fraud. They believe up to 2 000 people are involved in Internet fraud in the country.
Te gangs use two primary methods for defrauding people. One method employs e-mail to transfer malicious code, usually in the form of a Trojan horse. That’s a program that installs malicious code, such as a key logger, while pretending to be something harmless, useful or interesting. Key loggers were originally designed as a software development diagnostic tool for determining the sources of errors in standard computer programs. But hackers put them to use capturing password and other sensitive information.
Te other primary method is phishing. This is a social engineering technique, a means hackers use to manipulate people into divulging sensitive information such as usernames, passwords and credit card details. Hackers masquerade as a trustworthy source and either phone or, more commonly, e-mail their victims.
Fnancial institutions are popular targets with criminals attempting to steal passwords by e-mailing key loggers and trying to gain access to banking systems. In March 2007 three of South Africa’s major banks confirmed that some of their online clients’ accounts had been breached, transferring “hundreds of thousands of rands”, according to one news report originally printed in The Star and republished in IOL’s technology edition.
The fraudsters lured victims to a fake website, called a spoof, set up to look exactly like one of the banks’ websites and requested very specific information from clients, such as card numbers, PIN numbers and e-mail addresses.
Phishing has grown rapidly in South Africa in the past six months. Globally it’s big, big business worth $1,3-billion in the US alone. Internationally, criminals often use the boundary-less Internet to escape regulation and possibly punishment. In one case a spoof website was tracked to Russia and authorities there managed to shut it down. But it reappeared two days later in China.
Individuals are not the only victims. British police recently launched an investigation into how hackers were able to steal information from more than 45 million of cut-price fashion retailer TK Maxx’s credit and debit card users in the US and the UK. In 2005 MasterCard warned that hackers had stolen information for up to 40 million cards. In the wake of such events consumer confidence takes a knock, at the very least.
What do people and companies do about it?
Take necessary precautions. Cyber security systems should be able to track the legitimacy of websites and check that they are what they claim to be. That way, if employees are lured to spoofed sites through phishing the system will detect and report it.
Of course, the best way to protect a system is to unplug it. But that’s unrealistic. However, free rein is undoubtedly corporate suicide. And since employers have a duty of care and employees increasingly don’t have a fixed lunch hour, when are people supposed to take care of personal business? They need to use the Internet connection at their office for shopping, banking, communicating and personal administration. It’s not fair to stop them from doing these things at certain times of the day.
There’s no simple answer to the question of how much freedom people get on the corporate Internet, and it must be answered on a case-by-case basis and be handled in a sensitive manner.
One of the best ways of handling it is quota management. Through properly capable and configured systems companies can set quotas for Web browsing. For example, certain sites can be banned, but employees get 10 hours per week for browsing Amazon.com or using a Hotmail account. In addition to user quotas, the definition of a URL whitelist can also help.
This can be garnered by approving different categories in the URL filtering list, like the Marshal Filtering List or by manually compiling a known list of appropriate sites. A combination of both approaches allow organisations to give their employees the freedom they need and desire while protecting the business from cyber-slacking and the new potential security hazards that have emerged in the 21st century.
* Marshal is distributed in South Africa by 10Net ICT Solutions.