February 11, 2008

Cyberterrorism, Inc

A new report says that 2008 will see an expansion of economic espionage in which nation-states and companies will use cybertheft of data to gain economic advantage in multinational deals.

By Peter Buxbaum in Washington, DC for ISN Security Watch (11/02/08)

An unusual announcement from the US Central Intelligence Agency (CIA) has raised questions and caught the attention of skeptics in the cybersecurity community.

Senior analyst Tom Donahue said at a cybersecurity conference in New Orleans last month that the CIA had information about cyberintrusions into power and utility systems in multiple regions outside the US, followed by extortion demands. The CIA suspected, Donahue added, that some of the attacks benefited from inside knowledge.

Although Donahue's report lacked specifics, leading to skepticism in some quarters, it did highlight a trend already identified by experts: Cyberespionage is moving beyond governments and into the world of international business, and in many cases the spies are already inside the company.

To gain an advantage over competitors, many corporations are hiring former military and government agents trained in intelligence-gathering techniques, according to a report from the SANS Institute, a Washington-based cybersecurity training organization.

These individuals are brought in to head new company divisions whose mission is to gather intelligence on competitors. Companies spend over US$2 billion annually to spy on each other, according to the Society of Competitive Intelligence Professionals.

In 1999, North American companies lost more than US$45 billion to theft of trade secrets and other valuable corporate data, according to the SANS report. "Today's total losses are anyone's guess," the report continued.

The lack of quantifiable losses is reflected in the computer crime and security survey undertaken by the Computer Security Institute and the Federal Bureau of Investigation (FBI). The survey indicates that reporting of computer intrusions and data loss has declined over the past few years, not because incidents have abated but because companies fear negative publicity and want to avoid public humiliation and class-action lawsuits.

Utility companies may be particularly vulnerable to cyber attacks because of their deployment of SCADA (supervisory control and data acquisition) systems, which monitor and control the generation and delivery of electric power. SCADA systems make extensive use of wireless connections, which widens their exposure to penetration.

"There are serious risks to SCADA systems," Bruce Schneier, a cybersecurity expert with Counterpane Systems in Santa Clara, California, told ISN Security Watch, "but I am more than a bit skeptical" of the CIA announcement.

"Cyberextortion is certainly on the rise but the primary targets have been fringe industries like online gambling and porn. It is going mainstream, but this is the first I've heard of it targeting power companies."

Still, the SANS Institute report indicates that 2008 will see an expansion of economic espionage in which nation-states and companies will use cyber theft of data to gain economic advantage in multinational deals.

"The attack of choice involves targeted spear phishing [email-based scams] with attachments," said the report. "They are using well-researched social engineering methods to make the victim believe that an attachment comes from a trusted source, and are using newly discovered Microsoft Office vulnerabilities and hiding techniques to circumvent virus checking."

Attackers will continue to refine the capabilities of their malicious code in 2008, according to SANS, particularly expanding techniques that obscure their infrastructure, making it harder to locate their servers.

"Tools will also increasingly target and dodge anti-virus, anti-spyware and anti-rootkit tools to help preserve the attacker's control of a victim machine for as long as possible," the SANS report said. "In short, malware will become stickier on target machines and more difficult to shut down."

Insider attacks

Increased use of insider attacks initiated by rogue employees, consultants or contractors will continue to emerge as a major risk in 2008, according to SANS. "Insider-related risk has long been exacerbated by the fact that insiders usually have been granted some degree of physical and logical access to the systems, databases and networks that they attack, giving them a significant head start in the attacks that they launch," said the SANS report.

Insiders use some less-than-obvious techniques to extract secret corporate data. Because they are already inside, they do not need to penetrate network perimeter defenses.

The network printer may be the Achilles heel for many organizations, according to SANS. "Most corporate security measures are rendered impotent once a user sends a document containing trade secrets to the network printer: Someone walks by and takes it before the user can walk down the hallway and around the corner to retrieve the document," the report noted.

There are countermeasures that organizations can deploy to mitigate this exposure. One is secure print release (often called pull printing) with a biometric device: the document is held in the print queue until the sender walks to the printer and places a finger on the fingerprint scanner. Once the user has been authenticated, the print job proceeds. This ensures that the sender is present at the printer to collect the document before anyone else gets their hands on it.

Small USB drives are also increasingly being used to steal corporate data. The capacity of USB drives has increased while their size has decreased, the SANS report noted, "making USB drives one of the best ways to transfer data, both into and out of a system." They are also very easy to sneak into and out of a workplace.

USB drives have been camouflaged by integrating them into other products, such as wristbands, making them easy to breeze past workplace security guards. "Normally the drive is emptied into a bowl along with the employee's watch, change, pen and car keys," stated the SANS report. "Once the employee is safely on the other side of the metal detector, the guard smiles and politely hands the individual back his two-gig USB drive and off he goes to copy data."

If a corporate spy is wary about sneaking a USB drive in through the front door, there is an alternative: snail mail. The spy simply mails the USB storage device to himself at work, copies secret information and then mails the USB drive back to himself using a fictitious name and a secure mail drop.

"Most organizations do not scan or x-ray incoming or outgoing mail, and those that do, like government agencies, are usually only looking for explosive devices," the SANS report noted. A possible, but not foolproof, countermeasure to data theft by USB is to disable USB storage access on company workstations; it leaves the printer and mail channels described above untouched.
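As an added illustration of that countermeasure (example code, not from the article or the SANS report), the following PowerShell script disables the Windows USB mass-storage driver and sets the Removable Storage Access policy that denies read, write and execute on removable disks, then verifies the result. It assumes a Windows workstation, an elevated (Administrator) shell, and the standard registry locations for the USBSTOR service and the removable-disk policy class; the caveat in the script comments is the same one the report makes, that this is not foolproof.

```powershell
# Added example, not part of the original article or the SANS report.
# Disables USB mass storage on a Windows workstation and verifies the change.
# Assumes an elevated PowerShell session; registry paths are the standard ones
# for the USBSTOR service and the "Removable Disks" device-class policy.

$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Start = 3 (on demand) is the Windows default: usbstor.sys loads as soon as a
# storage device is plugged in. Start = 4 marks the driver as disabled.
$before = (Get-ItemProperty -Path $usbstor -Name Start).Start
Write-Host "USBSTOR Start before change: $before (3 = enabled, 4 = disabled)"

Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord

# Defence in depth: the Group Policy "Removable Disks: Deny read/write/execute
# access" settings live under this device-class GUID. They block access to a
# removable disk even if a storage driver does load.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
New-Item -Path $policy -Force | Out-Null
foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
    Set-ItemProperty -Path $policy -Name $name -Value 1 -Type DWord
}

# Verify both controls before trusting them.
$after = (Get-ItemProperty -Path $usbstor -Name Start).Start
if ($after -ne 4) { throw "USBSTOR is still enabled (Start=$after)" }
foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
    $v = (Get-ItemProperty -Path $policy -Name $name).$name
    if ($v -ne 1) { throw "Policy $name not applied" }
}
Write-Host "USB mass storage disabled and removable-disk access denied."

# Caveats (why this is not foolproof): a device already mounted stays mounted
# until unplugged; phones and cameras attached as MTP/PTP devices use a
# different device class and are not covered by this disk policy; and nothing
# here addresses the printer or postal-mail channels the report describes.
```

Apply the same settings through Group Policy rather than a per-machine script when managing a fleet, so that a local administrator cannot simply flip the value back.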

Protecting government and private computers

The cyberespionage explosion has not escaped the attention of the Bush administration. The president's budget, released on 4 February, proposes to allocate US$6 billion for a system designed to protect both government and private computer systems from attack.

According to an article in the Wall Street Journal, the White House proposal "would likely require the government to install sensors on private company networks."

This, in turn, has met with criticism from privacy experts and constitutional scholars, for three reasons.

"Private companies are understandably reluctant to permit the government to attach unknown hardware or software to their corporate systems," says Peter Swire, a senior fellow at the Center for American Progress, a liberal Washington think tank, and professor of law at Ohio State University.

"The risks of security breach and operational problems are too high, especially given the long history of computer security failures by the federal agencies themselves," he told ISN Security Watch.

One of the biggest US security stories of 2007 was the disclosure, in congressional hearings and by senior Department of Defense officials, of extensive penetrations of federal agency and defense contractor systems, leading to the theft of massive amounts of data by China and other nation-states.

The proposal also raises policy issues about privacy, the scope of government surveillance and the Fourth Amendment to the US constitution, which prohibits unreasonable searches and seizures.

"The new proposal also ignores sensible principles for cybersecurity," said Swire. "The federal government should adopt best security practices that apply to private systems. But the federal government should not try to install its equipment into private systems."

Peter Buxbaum, a Washington-based independent journalist, has been writing about defense, security, business and technology for 15 years. His work has appeared in publications such as Fortune, Forbes, Chief Executive, Information Week, Defense Technology International, Homeland Security and Computerworld. His website is www.buxbaum1.com.