Google’s confrontation with China — over government censorship in general and specific attacks on its systems — is an exceptional case, of course, extending to human rights and international politics as well as high-tech spying. But the intrusion into Google’s computers and related attacks from within China on some 30 other companies point to the rising sophistication of such assaults and the vulnerability of even the best defenses, security experts say.
“The Google case shines a bright light on what can be done in terms of spying and getting into corporate networks,” said Edward Stroz, a former high-tech crime agent with the FBI who now heads a computer security investigation firm in New York.
Computer security is an ever-escalating competition between the black-hat attackers and white-hat defenders. One of the attackers’ main tools is malicious software, known as malware, which has steadily evolved in recent years. Malware was once mainly viruses and worms, digital pests that gummed up and sometimes damaged personal computers and networks.
Malware today, however, is likely to be more subtle and selective, nesting inside corporate networks. And it can be a tool for industrial espionage, transmitting digital copies of trade secrets, customer lists, future plans and contracts.
Corporations and government agencies spend billions of dollars a year on specialised security software to detect and combat malware. Still, the black hats seem to be gaining the upper hand.
In a survey of 443 companies and government agencies published last month, the Computer Security Institute found that 64 percent reported malware infections, up from 50 percent the previous year. The financial loss from security breaches was $234,000 on average for each organisation.
Security experts say employee awareness and training are a crucial defense. Often, malware infections are a result of high-tech twists on old-fashioned cons. One scam, for example, involves small USB flash drives, left in a company parking lot, adorned with the company logo. Curious employees pick them up, put them in their computers and open what looks like an innocuous document. In fact, once run, it is software that collects passwords and other confidential information on a user’s computer and sends it to the attackers. More advanced malware can allow an outsider to completely take over the PC and, from there, explore a company’s network.
Other techniques for going inside companies involve exploiting weaknesses in website or network-routing software, using those openings as gateways for malware.
To combat leaks of confidential information, network security software looks for anomalies in network traffic - large files and rapid rates of data transmission, especially coming from corporate locations where confidential information is housed.
“Fighting computer crime is a balance of technology and behavioural science, understanding the human dimension of the threat,” said Stroz, the former FBI agent and security investigator.
As cellphones become more powerful, they offer new terrain for malware to exploit in new ways. Recently, security experts have started seeing malware that surreptitiously switches on a cellphone’s microphone and camera. “It turns a smartphone into a surveillance device,” said Mark D Rasch, a computer security consultant in Bethesda, who formerly prosecuted computer crime for the Justice Department.
Hacked cellphones, Rasch said, can also provide vital corporate intelligence because they can disclose their location. The whereabouts of a cellphone belonging to an investment banker who is representing a company in merger talks, he said, could provide telling clues to rival bidders.
Security experts say the ideal approach is to carefully identify a corporation’s most valuable intellectual property and data, and place it on a separate computer network not linked to the internet.
“Sometimes the cheapest and best security solution is to lock the door and don’t connect,” said James P Litchko, who is a manager at Cyber Security Professionals, a consulting firm. Some companies go further, building “Faraday cages” to house their most critical computers and data. These cages typically have a metal grid structure built into the walls, so no electromagnetic or cellphone transmissions can come in or out. Defense contractors, aerospace companies and some automakers have built Faraday cages, named for the 19th-century English scientist Michael Faraday, who designed them to shield electrical devices from lightning and other shocks.
But in the internet era, isolationism is often an impractical approach for many companies. Sharing information and knowledge with industry partners and customers is seen as the path to greater flexibility and efficiency.
Most of that collaboration and communication is done over the internet, increasing the risk of outside attacks. And the ubiquity of internet access inside companies has its own risks. In a case of alleged industrial theft that became public recently, a software engineer at Goldman Sachs was accused last year of stealing proprietary software used in high-speed trading, just before he left for another firm. The engineer, who pleaded not guilty, had uploaded the software to a server computer in Germany, prosecutors say.
The complexity of software code from different suppliers, as it intermingles in corporate networks and across the internet, also opens the door to security weaknesses that malware writers exploit. One quip among computer security experts is: “The sum of the parts is a hole.”
The long-term answer, some experts assert, lies in setting the software business on a path to becoming a mature industry, with standards, defined responsibilities and liability for security gaps, guided by forceful self-regulation or by the government.
Just as the government eventually stepped in to mandate seat belts in cars and safety standards for aircraft, says James A Lewis, a computer security expert at the Centre for Strategic and International Studies, the time has come for software.
Lewis, who advised the Obama administration about online security last spring, recalled that he served on a White House advisory group on secure public networks in 1996. At the time, he recommended a hands-off approach, assuming that market incentives for the participants would deliver internet security.
Today, Lewis says he was mistaken. “It’s a classic market failure - the market hasn’t delivered security,” he said. “Our economy has become so dependent on this fabulous technology — the internet — but it’s not safe. And that’s an issue we’ll have to wrestle with.”