When Bad Things Happen to Good Companies
Your business may be at risk on a daily basis. Viruses, attackers,
and even accidental user errors are serious threats with serious
consequences. The following disaster stories illustrate these threats
with real-world examples of malicious activities and their results. The
stories underline the importance of taking preventative measures,
because each threat can be minimized or even avoided. Don't panic,
though. This guide explains how to assess threats and take the best
preventative measures for your business. It's always better and cheaper
to learn from other people's mistakes than your own. This guide includes
more information about how the Internet works and how attackers operate
in the section called "
An
Introduction to Criminal Hacking, Viruses, and Malicious Activities."
Viruses
In April 2002, Internet users around the world started receiving emails
containing pornography from friends and relatives. Others found their
Internet access terminated because they were accused of sending spam
emails. Still other people found themselves signed up to newsletters they
didn't want. Clearly, something peculiar was going on.
As accusations flew around the Internet, people realized that a new
virus known as 'Klez' was responsible. The Klez virus used several tricks
that helped it spread quickly. First, it tricked users into thinking that
infected emails were being sent by real people by using addresses from the
infected users' own address books. This trick had the added effect of
clogging up email systems with unnecessary warnings, replies, and
recriminations. Then, the virus tempted users into opening infected
messages with beguiling subject lines like "a very funny Web site" or
"undeliverable mail."
As if this weren't enough, later versions of the virus made users'
own files the vehicle for infection. Klez would trawl through an infected
computer's hard disks, pick a likely-looking document, and send it out by
email alongside a copy of itself. In many cases, people's private files
were sent in this way to strangers who were never meant to see them.
Klez exploited a vulnerability in the way Internet Explorer handled MIME
headers (Microsoft Security Bulletin MS01-020). Because Outlook and Outlook
Express used Internet Explorer to display HTML mail, the flaw let an
attachment run as soon as a message was opened or previewed. Microsoft had
published a free, downloadable update for it in March 2001, about a year
before Klez spread. Antivirus vendors updated their detection signatures
within hours of the virus appearing, yet it raged for several months. In
other words, this destructive and aggressive virus was preventable. Klez
was one of the most widespread viruses of 2002, but it is only one of
thousands of viruses that appear annually.
Email Spoofing and Identity Theft
"I admit it. I'm a big fan of eBay. I've been using it for years as a
sales outlet for some of my more interesting merchandise. Recently, I got
an official-looking eBay message letting me know that my service was about
to be suspended. I clicked the link in the email, went to what I thought
was an eBay site, filled in some personal information, and submitted it.
Only later did I realize that something was wrong. I went to the eBay Web
site and figured out that I'd been tricked into sending my personal
information to some unknown source."
Sending email that looks like it comes from someone else is an old
trick known as email spoofing. For the most part, email spoofing is
used to get you to open a simple piece of spam because you think it's from
someone legitimate — an annoying but fairly harmless activity. A different
type of email spoofing, like the example described above, is known as "phishing"
and is more dangerous. Typically, an attacker sends an email that looks
very much like it comes from an official source (such as eBay or
Microsoft). Links in the email take you to a Web site that also looks like
the real thing, although the address the link really points to belongs to
the attacker, not the company. The site is just a front, and the goal of
the scam is to trick you into giving away personal information: sometimes
for spam lists, sometimes so that the perpetrators can steal your account
credentials or even your identity.
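The tells in the eBay story (the link's visible text names one site while its real target is another) can be checked mechanically. The Python script below is an added example for this guide, not code from the original page or from eBay or Microsoft. The email body it scans is constructed here, and the "last two labels" rule it uses to decide who owns a hostname is a simplification; real code should consult a public-suffix list.

```python
"""Added example: flag phishing-style links in an HTML email body."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anything that looks like a hostname inside a link's visible text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'owner' of a hostname: its last two labels. Assumption made for
    the example; a public-suffix list is needed to handle names like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return [(href, visible_text, reason)] for links showing classic phishing tells."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        if url.username is not None:
            # http://www.ebay.com@203.0.113.5/ : the browser goes to 203.0.113.5
            findings.append((href, text, "userinfo before host hides the real destination"))
        elif is_ip(host):
            findings.append((href, text, "link target is a bare IP address"))
        else:
            claimed = {registrable(d) for d in DOMAIN_RE.findall(text)}
            if claimed and registrable(host) not in claimed:
                findings.append((href, text, "visible text names %s but link goes to %s"
                                 % (",".join(sorted(claimed)), host)))
    return findings


# Constructed sample: one honest link and three that should be flagged.
SAMPLE_EMAIL = """<html><body>
<p>Your account will be suspended unless you verify it within 24 hours.</p>
<a href="https://www.ebay.com/help">eBay Help</a><br>
<a href="http://signin.ebay.com.account-verify.example/">http://signin.ebay.com/</a><br>
<a href="http://192.0.2.10/update">Update your account</a><br>
<a href="http://www.ebay.com@203.0.113.5/">www.ebay.com</a>
</body></html>"""


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print("%s | shown as %r | %s" % (href, text, reason))
```

Each finding carries the real target, the text the reader saw, and the reason it was flagged. The three patterns are the ones phishers have relied on longest: a look-alike hostname in the visible text, a bare IP address as the destination, and a `user@` prefix that makes the real host look like part of a familiar address.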
Stolen Computers
"I was getting my boarding pass at the airport. I had my notebook bag
right by my feet. I thought I was taking good care of it, but I didn't
feel a thing when it was stolen." A stolen computer can fetch up to 50
percent of its retail price. No wonder tens of thousands of notebooks are
stolen every year in the United States.
This story is repeated thousands of times a year, and it doesn't end
when the notebook computer is replaced. Lose a notebook computer and you
often lose vital, even confidential, information.
Nicholas Negroponte, founder of the Massachusetts Institute of
Technology (MIT) Media Lab, was entering a secure building when a security
guard asked him to state the value of the notebook computer he was
carrying. Negroponte replied, "Roughly $1 to $2 million." Although the
replacement value of the computer itself was only a couple of thousand
dollars, the value of the information it contained was much greater.
Given the number of computers stolen every year, it is surprising how
few users bother to encrypt their data or use strong passwords. Note that
a logon password by itself does not protect the files on a stolen
notebook: the thief can simply remove the hard disk and read it in another
computer. Only encryption protects the data itself. It is also surprising
how few small businesses train their staff on basic security measures.
War Driving
A war driver is a new breed of criminal hacker. Anyone with a notebook
computer, an inexpensive wireless network card, freely downloaded
software, and an antenna made from a can of potato chips can hack into
wireless networks in homes and companies from hundreds of feet away.
Most wireless networks are completely unsecured. Indeed, many
manufacturers of wireless devices leave encryption turned off by default.
Users tend not to enable wireless encryption or use any other added
security measures, making it a pretty easy task for anyone with a wireless
setup to find and exploit the connection. War driving is more than a geek
prank: Some intruders seek to access files and damage systems.
Fortunately, securing a wireless network is relatively easy, and the
majority of war drivers can be deterred or deflected by a few simple
steps.
Confidential Information
James worked for a successful advertising firm. His computer had a
problem, so he called his technical support person. The technician arrived
quickly, logged into the network using an administrator password, and
fixed the problem. Under pressure to get to the next job, the technician
scuttled off as soon as he finished. He did not, however, log out of the
system. James, being curious, decided to look around a bit. He quickly
found a spreadsheet with information on the salaries of all his coworkers.
He made a mental note to ask for a substantial pay rise.
Luckily for his employer, James was only after a raise. Imagine if he
had been a disgruntled employee bent on revenge. Would you like your
entire staff to know how much you are paid or have access to the entire
company's payroll information? What would that information be worth to
your competitors?
Technology can help prevent instances like this, but technology is only
part of the answer. The best hardware and software are not enough if you
don't also have good policies, procedures, and training in place.
Criminal Hacking
Jill, the manager of a small commercial Web site that sells niche
software, was pleased with her new site, which was a big improvement on
the old one. The company now had its own Web server and broadband
connection, and they no longer had to pay someone else to host the site.
Jill went home content on Friday night.
On Monday morning when Jill got back to work, it was a different story.
Over the weekend, criminal hackers had gained access, deleted her
carefully crafted site, and replaced it with pornography. In addition,
hundreds of thousands of people had been avidly downloading pictures from
the site over the weekend. Her bandwidth usage had shot through the roof,
and the company was facing a bill for thousands of dollars. Jill's boss
had already started to receive emails from customers complaining about the
site.
An antivirus software developer reported earlier this year that
corporate servers receive, on average, 30 attacks a week. Most of these
attacks are from dedicated amateur attackers known as "script kiddies,"
who, without much knowledge, use tools that are freely available on the
Internet to probe networks for weaknesses. These tools scan the Internet
randomly looking for vulnerable systems, then exploit any weaknesses they
find. With such tools available, a small anonymous company is potentially
as much at risk as a well-known multinational corporation.
Many of these tools exploit known vulnerabilities for which fixes are
already available. For example, in 2001, a group of script kiddies calling
themselves the Sm0ked Crew used a well-known vulnerability in Web server
software, one that had already been fixed, to deface Web sites belonging
to Intel, Gateway, Disney, and The New York Times. An update to fix the
vulnerability was available long before the attack, but many
administrators had simply not installed it. Taking sensible precautions in
general, and keeping software up to date in particular, would have easily
prevented the attack.
If companies do not take basic security measures to protect themselves
against teenagers with widely available tools, how can these companies
defend themselves against skilled, experienced attackers with malicious
intent?
Backing Up
Kevin was the managing director of a growing architectural firm. With
30 employees and a number of multinational clients, the company relied on
its email system to keep in touch. In particular, employees used email to
track change requests from their clients, so it was a vital part of the
company's business. Then, one afternoon, the email server had a
catastrophic hardware failure, and the data became corrupted.
"No problem," thought Kevin, "our support guy has a backup, so we can
just restore it from that." In fact, the company had an elaborate tape
library and dutifully kept offsite copies of its critical backups. It was
only after a day's work of trying to restore the email system from the
backup tapes that they realized the data hadn't been properly backed up.
They had never noticed the problem and had never tested to see whether
restoring the data worked properly. They did not have any kind of disaster
recovery plan in place.
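The architects' mistake was not the lack of a backup but the lack of a restore test. The Python script below is an added example for this guide, not code from the original page: it backs up a directory, then proves the archive is usable by restoring it into scratch space and comparing every file byte-for-byte with the original. The mail store it uses is constructed in a temporary directory; a real job would point make_backup and verify_backup at the production data and at the tape or offsite copy.

```python
"""Added example: back up a directory and verify that it actually restores."""
import filecmp
import os
import tarfile
import tempfile


def make_backup(src_dir, archive_path):
    """Write every file under src_dir into a tar archive with relative names."""
    with tarfile.open(archive_path, "w") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                tar.add(full, arcname=os.path.relpath(full, src_dir))


def _trees_match(src_dir, restored_dir):
    """True only if every file under src_dir exists in restored_dir with identical bytes."""
    for root, _dirs, files in os.walk(src_dir):
        rel = os.path.relpath(root, src_dir)
        for name in files:
            original = os.path.join(root, name)
            copy = os.path.join(restored_dir, rel, name)
            # shallow=False forces a byte comparison; matching size/mtime is not proof.
            if not os.path.isfile(copy) or not filecmp.cmp(original, copy, shallow=False):
                return False
    return True


def verify_backup(archive_path, src_dir):
    """Restore the archive into scratch space (never over live data) and compare.

    Returns False for an unreadable archive and for a readable one that is
    missing files or holds stale contents: the failure an untested backup
    hides until the day it is needed.
    """
    # Newer Pythons provide an extraction filter that refuses members with
    # absolute paths or '..' components; use it where available.
    extract_args = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r") as tar:
                tar.extractall(scratch, **extract_args)
        except (tarfile.TarError, OSError):
            return False
        return _trees_match(src_dir, scratch)


def demo():
    """Constructed scenario: a good backup, a stale one, and a corrupt 'tape'."""
    with tempfile.TemporaryDirectory() as work:
        mail_root = os.path.join(work, "mail")
        clients = os.path.join(mail_root, "clients")
        os.makedirs(clients)
        with open(os.path.join(clients, "change-request-1.eml"), "w") as f:
            f.write("Client A: move the stairwell two metres east\n")
        archive = os.path.join(work, "mail.tar")

        make_backup(mail_root, archive)
        good = verify_backup(archive, mail_root)

        # New mail arrives after the backup ran: the archive is now stale.
        with open(os.path.join(clients, "change-request-2.eml"), "w") as f:
            f.write("Client B: revise the roofline\n")
        stale = verify_backup(archive, mail_root)

        # The tape exists but cannot be read back.
        with open(archive, "wb") as f:
            f.write(b"this is not a tar archive")
        corrupt = verify_backup(archive, mail_root)
    return good, stale, corrupt


if __name__ == "__main__":
    print("good=%s stale=%s corrupt=%s" % demo())
```

The point of verify_backup is that it answers the only question that matters, "can I get my data back?", and it does so on a schedule rather than on the day of the failure. Run it after every backup job, alert on a False, and keep the restore target separate from the live system so a test can never damage production data.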
Information security isn't just about getting the right hardware and
software; it is about getting the processes right and concentrating
resources on business-critical systems.