If you thought that computer crime and hacking was still primarily perpetrated by student pranksters and curious colleagues, think again. In the words of Peter Gunning, head of business development at BT Security: “There are those for whom internet-based fraud is not something they dabble in as a diversion from work; it is their work.”
This is why the UK government in November announced a new cyber security strategy, involving dedicated teams within GCHQ and the Ministry of Defence working on our cyber defences. Around the same time, 87 UK banks and other financial institutions took part in a cyber warfare simulation to ensure that our economy could survive a major attack.
Online crime is no longer just about emails offering cheap Viagra or a share in Nigeria’s millions. Billions of devices are connected to the internet, from airline and railway departure boards to central heating thermostats and CCTV cameras.
In the US, the FBI recently issued an official denial after hackers claimed to have disrupted the water supply to thousands of homes by accessing a pumping station. Last year the Stuxnet virus targeted SCADA, the system through which computers talk to machinery such as factory production lines and nuclear power plants.
As the internet has matured over the past few years, so have the criminals who inhabit it. The pranksters and hobbyists no longer have the playground to themselves. Today’s cybercriminals are smart, elusive, organised and greedy. They want your personal and corporate information in order to make money and they have some pretty clever tricks up their sleeve in order to get it.
But hang on a minute. You update your antivirus software every week. You turned on your computer’s builtin firewall and your broadband router has another one. You run anti-spyware regularly and your email provider filters out most of the spam. Isn’t that enough? Not always.
One very common technique is for the hacker to persuade the legitimate user to unlock the door from the inside. Unfortunately this is all too easy, relying as it does on our gullibility and lack of computer knowledge. It is known as social engineering, the art of using psychology to make someone believe that you can be trusted.
“Social engineering is extremely hard to fight,” says Mickey Boodaei, chief executive at Trusteer. “Some experts believe that proper education could significantly reduce social engineering attacks, but the sad truth is that the average fraudster would always outsmart the average user. This is what fraudsters do for living - they keep thinking of creative and new ways to commit fraud. Users have their mind set on other things - they can’t keep analysing every email, link or website for fraud signs.”
In a typical scenario a hacker might email a potential victim promising some saucy pictures of Pippa Middleton, a free iPod, a breaking news story of Justin Bieber’s death, and so on. “Just click this link for more.” But clicking the link downloads a program giving the hacker full control of the computer, and because the legitimate user is installing the unlocker, rather than the hacker, the computer will allow it to run unchallenged if it does not have up-to-date security software installed.
The hacker can now use the compromised computer to send more spam, steal its users’ passwords, or perhaps send some more innocentseeming malicious emails direct to the victim’s friends on Facebook. Once the hacker has taken over a large number of machines, he can also rent them to other hackers by the hour as a so-called botnet, to launch coordinated attacks against large systems.
The internet’s greatest weakness is also the hackers’ favourite: it is trivially easy to send someone an email which appears to come from, well, anyone you want. As Paul Hennin at Proofpoint says: “If an email appears to be from your boss, a friend or important contact, you are far more likely to do what it asks and click that link, even if the request seems a little odd.”
As the internet has matured, so have the criminals who inhabit it
For those users who are sufficiently security-savvy not to click on links in email messages, the criminals have another trick up their cybersleeve. They hack into poorly protected websites and install malware there. From now on, anyone who visits the website and does not have adequate security software installed will become a victim of what is known as a drive-by attack.
Thankfully, detecting spam, cybercrime and other unwanted internet activity is becoming more sophisticated and successful. Internet host and online conferencing company ICUK said that, on a typical day last month, it handled 1,054 million incoming emails for its customers. Of those, just 8.76 per cent were legitimate. The remainder (91.21 per cent spam and 0.03 per cent viruses) were dealt with automatically by ICUK’s systems without troubling the targeted recipients.
Maybe one day, those behind cybercrime will turn their energies to legitimate business. Neil Fisher, vice president of global security solutions at Unisys, sits on the board of the UK Cybersecurity Challenge, which numbers the Cabinet Office among its sponsors. “Those who have the right cyber skills that Government and industry need come from all walks of life,” he says. “The Challenge aims to find those with advanced cyber skills and put them to good use, helping to combat threats rather than creating them.” Here’s hoping.
INCOMPLETE UPDATES ARE USELESS
It seems obvious that the best defence against malware is to ensure that all your computers are always up to date and have security software installed. Unfortunately this is not always easy. Turning on the automatic updating feature built into Windows and Macs is a good start but there is more to consider.
“Over half of users have more than 66 programs from more than 22 vendors installed on their computer,” says Stefan Frei, research analyst director at Secunia. “Patching them requires mastering at least 14 different update mechanisms so, on average, between 70 and 90 per cent of these users have at least one unpatched program present at any time.” And that is all it takes.