-
Suspected members of the hacker group Anonymous say they are surprised at the backlash.
July 26
Recently I attended a presentation by
I believe we are all aware on some level of the dangers of not protecting our personal and corporate data. It took seeing first-hand the actual threats in action to truly bring the impact of security breaches home for me.
Imagine leaving your highly secure financial services headquarters for lunch and bumping into a passerby as they are entering your building. The person politely says "pardon me" and continues on their way. What you don't know is that during this brief interaction the well dressed suit scanned the information on your corporate ID badge via a hidden device. They are now able to enter your facility as an employee using your credentials.
In another scenario a customer chats with the clerk at a retail store as they are checking out. While carrying on an engaging conversation the customer plugs a USB drive into the cash register. The USB device automatically loads software on the store's computer register that captures passwords, monitors for credit card numbers and makes the entire contents of the computer accessible to a remote computer. The friendly customer has now compromised the entire store network undetected and with minimal effort.
Do these situations sound like a Hollywood spy movie? Perhaps, but they are very real scenarios with dangerous ramifications.
Additionally, there is the threat represented by peer-to-peer file sharing networks. Although this was widely reported in security publications over a year ago, I've yet to speak with anyone outside of information security aware of the potential risk of these networks. In this case an employee installs file sharing software, like LimeWire, Kazaa, or BitTorrent, on their computer to access free music. Once installed, the software shares the entire contents of the user's hard disk, not just a limited set of music files. Once the files are shared, anyone on the peer-to-peer network who searches for the right file name can download the user's files. Considering that many people store passwords and important files on their computers, the seemingly harmless search for free music now becomes a security nightmare.
Just how easy is it to access files in a P2P file sharing situation? Have you ever written to your credit card company to explain an error on your account and request a correction? Your name, account number, date of birth or other confidential information is likely included in that letter. Microsoft Word uses the first sentence of your letter as a filename — for example, Dear Citibank. During his presentation Mr. Mitnick ran a live search for the phrase “Dear Citibank” that revealed hundreds of files with very complete, sensitive consumer information. Everything needed to compromise the account. It's just that easy.
The final example I'd like to share is related to WikiLeaks. As reported elsewhere, many of the documents that WikiLeaks claims were submitted to them anonymously were actually
Many organizations with strong security policies likely have employees who inadvertently share files over peer-to-peer networks, which completely bypass their security infrastructure when the user installs it. Perhaps the most startling aspect of all of these security attacks is that antivirus and anti-malware software is completely ineffective. It is only through attentive and cautious behaviors that users and consumers can protect themselves from these attacks.
I don't have a clear answer for how to solve this problem, but I certainly have a much greater understanding when the IT security team tells me that my USB device must be disabled and I cannot have privileges to install software on my work computer.
Eric Lindeen is the marketing director for Zoot Enterprises.
