Jun 29 2011

The weakest link in computer hacking?

Category: Security Awareness | DISC @ 10:30 am

Image by copyfighting via Flickr

The weakest link in computer hacking? Human error
By Cliff Edwards, Olga Kharif, Michael Riley, Bloomberg News

The U.S. Department of Homeland Security ran a test this year to see how hard it was for hackers to corrupt workers and gain access to computer systems. Not very, it turned out.

Staff secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into office computers, curious to see what they contained. If the drive or CD case had an official logo, 90 percent were installed.

“There’s no device known to mankind that will prevent people from being idiots,” said Mark Rasch, director of network security and privacy consulting for Falls Church, Va.’s Computer Sciences Corp.

The test showed something computer security experts have long known: Humans are the weak link in the fight to secure networks against sophisticated hackers. The intruders’ ability to exploit people’s vulnerabilities has tilted the odds in their favor and led to a spurt in cybercrimes.

In real-life intrusions, executives of EMC Corp.’s RSA Security, Intel Corp. and Google Inc. were targeted with e-mails with traps set in the links. And employees unknowingly post vital information on Facebook or Twitter.

It’s part of a $1 trillion problem, based on the estimated cost of all forms of online theft, according to McAfee Inc., the Santa Clara computer security company.

Hundreds of incidents likely go unreported, said Rasch, who previously headed the Justice Department’s computer crime unit. Corporate firewalls costing millions to erect often succeed in blocking viruses and other forms of malware that infect computers and steal data such as credit card information and passwords. Human error can quickly negate those defenses.

“Rule No. 1 is, don’t open suspicious links,” Rasch said. “Rule No. 2 is, see Rule No. 1. Rule No. 3 is, see Rules 1 and 2.”

A full report on the Homeland Security study will be published this year, Sean McGurk, director of the department’s National Cybersecurity and Communications Integration Center, said at a June 16 conference in Washington.

Tactics such as spear-phishing – sending a limited number of rigged e-mails to a select group of recipients – rely on human weaknesses like trust, laziness or even hubris.

That’s what happened in March, when attackers used a clever ruse to exploit their discovery that RSA – the company that provides network-access tokens using random secondary passwords – was in a hiring campaign.

Two small groups of employees received e-mails with attached Excel spreadsheets titled “2011 Recruitment Plan,” the company said in April. The e-mails were caught by the junk-mail screen. Even so, one employee went into the folder, retrieved the file and opened it.

The spreadsheet contained an embedded Adobe Systems Inc. Flash file that exploited a bug, then unknown to San Jose’s Adobe, that allowed hackers to commandeer the employee’s PC. RSA said information related to its two-factor SecurID authentication process was taken.

Banks may be forced to pay $50 million to $100 million to distribute new RSA SecurID devices, according to Avivah Litan, a Gartner Inc. research analyst.

“The team that hacked us is very organized and had a lot of practice,” Uri Rivner, head of new technologies at RSA Security, said at a June 17 conference in Spain. “I can compare them to the Navy Seals Team Six, which hit Osama bin Laden.”

The FBI began warning in early 2009 about a rise in spear-phishing attacks. To succeed, they require the target to open a link presumably sent by someone they know or trust.

Total phishing attacks increased by 6.7 percent from June 2010 to May 2011, according to Symantec Corp.’s State of Spam & Phishing monthly report. The number of non-English phishing sites increased 18 percent month over month.

Spear-phishing is evolving into what Rasch calls whale phishing: targeting senior-level executives whose computers may have access to far more sensitive information than rank-and-file workers.

Technology executives are attractive targets because their positions give them access to a trove of information, and they tend to believe they’re better protected from computer hackers than their employees, Rasch said.

Hackers research decision makers by browsing social networks, reading up on news about the company, and creating e-mails and links that appear to be genuine and come from people that the targets know.

“Phishing is on a different trajectory than it’s been in the past,” said Malcolm Harkins, Intel’s chief information-security officer.

This article appeared on page D – 2 of the San Francisco Chronicle on June 28, 2011

Hacking: The Art of Exploitation

Tags: hackers, International Monetary Fund, McAfee, phishing, RSA SecurID, RSA Security, RSA The Security Division of EMC, SecurID

10 Responses to “The weakest link in computer hacking?”

  1. disc7 says:

    “There’s no device known to mankind that will prevent people from being idiots”

    The human factor is the weakest link most of the time. At the same time, it is the job of security and privacy professionals to train the masses and change their behavioral patterns. Security controls apply to people, process and technology. Technology controls are not the panacea for everything; it should be a holistic approach that covers the policies and procedures and makes sure these controls are implemented and observed.

  2. Choosing the Safest Browser–Part 2 « Infosec Communicator says:

    […] The weakest link in computer hacking? (deurainfosec.com) […]

  3. playmobil toys says:

    Hackers are now widely known because of their deeds in hacking a lot of government sites. I hope they could use their skills in improving the government sites security.

  4. plumbing says:

    As far as I know, hacking is considered bad since it involves stealing information from others. According to some sites, hacking may also refer to some other stuff.

  5. fire alarm systems says:

    This is very interesting information. This is a really big issue. There’s no device known to mankind that will prevent people from being idiots. Thanks for the information. I like this article.

  6. Aico smoke alarms says:

    There was a time not long ago when computer hacking brought to mind an image of an anti-social teenager hiding in his parents’ dark cracking code for the thrill of it and later posting his exploits online under a dangerous sounding nickname like Plague.

  7. Ibu_syarief says:

    good news, let us beware pocket zone

  8. First Hour Trading says:

    I totally agree with you. The human factor will be the weakest link in computer hacking. It is the job to put security on them.

  9. Choosing the Safest Browser, Part 2 | www.selfdefenseproducts.me says:

    […] The weakest link in computer hacking? (deurainfosec.com) […]

  10. Choosing the Safest Browser, Part 2 - BenWoelk.com says:

    […] The weakest link in computer hacking? (deurainfosec.com) […]
