Most eyes were on the world’s leaders this past weekend as they sought to limit the devastating effect of the downgrading of the United States financial rating. Meanwhile in Las Vegas a weekend contest dealt with a topic of almost equal concern. The world’s largest hacking convention showed one reason why big corporations seem to be such easy prey for cyber criminals: their workers are poorly trained in security.
The outcome was headlined as follows: "Hackers shame Oracle, Apple, Delta and more as part of the DefCon corporate hacking contest."
Hackers taking part in the competition on Friday and Saturday found it ridiculously easy in some cases to trick employees at some of the largest U.S. companies into revealing information that can be used in planning cyber attacks against them.
The contestants also managed to get employees to use their corporate computers to browse websites the hackers suggested. Had these been criminal hackers, the websites could have loaded malicious software onto the PCs.
Defcon is organized by benevolent hackers, partly to promote research on security vulnerabilities in order to pressure companies to fix them. The contest was sponsored by so-called white-hat hackers to show companies how weak their security is and encourage them to better educate their employees about the risks of hacking. It was the second year that Defcon has held a contest in "social engineering," or the practice where hackers con people into handing over information or taking actions such as downloading malicious software.
Social engineering is frequently used in attacks where the hackers send a "spear phishing" e-mail in which they impersonate a friend of the recipient and ask him or her to open a tainted file or visit a malicious website. Security experts say spear phishing has led to many hacks over the past year, including ones on U.S. defense contractors, the IMF, EMC Corp's RSA Security division and government agencies around the world.
This is not a new topic, but it does not receive the attention it should. One of the earliest examples on record dates back to 1999, when Moore Publishing was the target of corporate hacking by the prestigious law firm of Steptoe and Johnson.
Moore Publishing charged that, among other things, Steptoe employees cracked into Dig Dirt and other Moore Publishing sites some 750 times, posted defamatory messages about Moore on Usenet, and tried to cover it all up by doing their evil deeds under an e-identity swiped from an Alexandria, Virginia, furniture store owner. Dig Dirt was a site that fronted an enormous database of personal data gleaned from public records. Dig Dirt then sold the data to private investigators, lawyers, and law enforcement agencies.
Corporate hacking does not affect only corporations; indeed, through the actions of WikiLeaks, we are all now aware of documents and information that governments might not wish to reveal.
WikiLeaks is a non-profit media organization dedicated to bringing important news and information to the public. It provides an innovative, secure and anonymous way for independent sources around the world to leak information to journalists. It publishes material of ethical, political and historical significance while keeping the identity of its sources anonymous, thus providing a universal way to reveal suppressed and censored injustices.
WikiLeaks relies on its supporters in order to stay strong. Since 2007, when the organisation was officially launched, WikiLeaks has worked to report on and publish important information. It also develops and adapts technologies to support these activities.
If you need any further reminder of the major impact such corporate hacking can have, then just read a short history of corporate hacking as published by the Guardian in 2009. This shows some major intrusions into private data banks.
The scale of hacking activity from China and Russia has started to emerge through a series of frantic announcements. Rumours of the activities of Russian hackers and their involvement with organised crime had circulated since 2000 but it was not until 2003 that the Chinese emerged as big players.
Protracted attacks targeted networks at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal and NASA, and came to light in 2005. At around the same time the Russian Business Network, a cybercrime organisation that specialises in identity theft, denial of service, computer extortion and child pornography, emerged. The RBN established itself as prepared to do anything for a price.
Undoubtedly the scale of corporate hacking has continued to grow since then, using ever more sophisticated technologies.
A lot of people are saying "hacker" is the wrong term, because "hacking" is supposedly good. However, the use of this term to imply or refer to bad people breaking into other people's (or companies') computers has given the word "hacking" a negative connotation. Is this true? Anyway, what I'm also concerned about is the growing emergence of smartphones and smartphone computing and how the security on these devices is somewhat lacking. Often we do serious stuff on our phones such as check bank accounts, access servers, read our mails, etc… It is essential that they are as protected as a regular computer.