October 19, 2011
Today's corporate spies are increasingly likely to use malware and social media to steal sensitive data and intellectual property.
Mikko Hypponen, chief research officer at Finnish security software company F-Secure, is a wanted man—by the cyber-hackers.
So he keeps a low profile as he travels the world speaking and tweeting about the darker side of the internet. But he slipped up during a recent trip when one of his Twitter followers discovered his location and rapidly guessed the purpose of his visit—a meeting with Interpol.
Industrial espionage has gone digital and found a powerful ally in social networks. "It used to be about stealing pieces of paper, now it is done on computers," says Mr. Hypponen, who stresses that his visit to Interpol was not a secret and no damage was done by its discovery.
The gadgets and gizmos of the spy movies have not gone away. But today's corporate spies are more likely to trawl through Facebook pages and Twitter feeds for snippets of information they can build into valuable intelligence on a target organization.
Or they engage in what is known in the trade as "social engineering" —tricking employees to click on links in posts and emails that purport to come from colleagues or social networking friends. The links take them to rogue websites that silently install "Trojans" and other information-gathering malware on corporate IT systems.
One of the best-known examples of commercial cyber-espionage was Operation Aurora in early 2010, which hit Google and at least 30 other companies.
Continues ...read more ..
Dreamstime. Unlike cases where customer data or credit card numbers are stolen by hackers, organizations rarely admit to losing proprietary data or secrets in a cyber heist. Google, unusually, did admit to having lost intellectual property during Operation Aurora, which it called a "highly sophisticated and targeted attack" that originated in China.
McAfee, a U.S. security software vendor, claims global oil and gas companies have also been victims of persistent, targeted cyber attacks designed to steal proprietary information. Again, social engineering techniques were used to initiate this series of attacks, dubbed "Night Dragon" by McAfee.
John Colley, European managing director of the International Information Systems Security Certification Consortium, a not-for-profit body, says energy companies are an obvious target for espionage because they own high-value proprietary information. He knows of at least one major oil corporation that has suffered this type of attack but declined to name it.
The Night Dragon and Aurora attacks should serve as a wake-up call for other businesses. They show how spies have adapted to the internet age by employing malware to steal business secrets. But even without employing malicious tactics such as malware infection, social networks can be used to eavesdrop on companies and collect valuable information.
"People drop their guard on social networks," says Abhilash Sonwane, senior vice-president of Indian security software company Cyberoam. They unknowingly disclose information that can be extremely valuable to competitors— or enemies.
Like other leading figures of the IT security industry, Mr. Hypponen has made quite a few enemies among criminal hackers. He recently had to deny a fake news story claiming he had been indicted for credit card fraud.
Among his 19,000 followers on Twitter, there could be people with darker motives so he is careful about what he posts and rarely reveals his current location.
During a recent trip to Lyon, he waited until he was heading for home before posting a seemingly innocent Twitpic of an art installation that caught his eye. Half an hour later, one of his Twitter followers recognized the art and located it in downtown Lyon, close to Interpol headquarters. Even the most amateur spy would have little trouble guessing the reason for his trip.
"It would have been even easier if I had the GPS in my phone turned on," says Mr. Hypponen. That's because photos taken on a GPS-equipped phone are tagged with their coordinates. If seasoned security experts occasionally drop their guard, is their hope for the rest of us?
Not much, according to Mr. Sonwane. "People just do not realize that they are giving out more information than they are supposed to on social networks," he says.
He recently conducted a study of the 20 businesses whose employees posted on social networks. By monitoring the posts of individual employees, Mr. Sonwane was able to get sensitive information that, using traditional spying methods, would require a lot more time and ingenuity.
In one case, Mr. Sonwane played a digital variation on the honey pot seductress ploy. He impersonated a woman and engaged in Facebook chat sessions with a recently-divorced male financial director who was back on dating circuit, his posts revealed.
The man offered to take the woman to Broadway musicals and disclosed confidential financial information about his business—presumably to prove he could afford the best tickets
In another case, a large U.S. retail chain, none of its senior executives had a profile on social networks. But a vice-president did. That was sufficient for Mr. Sonwane to discover that the company was going to file for Chapter 11 protection and close many of its outlets—two months before it did.
Business awareness of the importance of IT security has improved dramatically in the past decade.
"But Web 2.0 technologies often fly under the radar and are much more difficult for the IT department to control," says Sarah Carter, vice president at Actiance, a U.S. security technology vendor.
As well as social networks, Web 2.0 technologies include instant messaging, online collaboration and internet telephony services such as Skype. All have security risks, but social media pose by far the greatest problems. Organizations are finally starting to wake up to the risks around social media.
"It is clear that we have seen some significant changes in attitude to social media in the last 12 months," says Andrew Wyatt, chief operating officer at security software firm ClearSwift.
Following a string of lapses and embarrassing incidents, some businesses, particularly those in regulated sectors, restrict or even ban employees from accessing social networking sites at work.
Vendors such as Actiance offer technological solutions designed to prevent employees posting sensitive data on social networks, maliciously or otherwise. Content can be moderated and riskier features such as chat or downloading can be disabled for certain employees.
But many employees see social media as an essential tool, particularly younger workers who might be less likely to use email. Mr. Colley says the best strategy is to educate users about the risks and to remember that, even in cyberspace, walls have ears.
"People always find a way to circumvent the controls and now there is a new generation that expects to be able to use social networks at work," he says.
Read full article at link
