Involvement in hacking requires minimal technical ability, a Dublin summit was told
CYBER ATTACKS such as some of the recent incidents against Sony’s PlayStation Network exploited software flaws that information security professionals have known about for 15 years, a conference heard this week.
In April, Sony suffered a series of attacks against its websites, compromising the accounts of more than 75 million subscribers. The company had to suspend the PlayStation Network and Qriocity gaming services temporarily while it dealt with the problem, and the entire incident is said to have cost the company $170 million (€118 million).
At the Cyber Threat Summit in Dublin this week, James Lyne, director of technology strategy with security firm Sophos, gave a live demonstration of the hacking techniques used in some of the attacks on Sony.
Many websites have pages designed to let people log in to use services or look at information. By typing a simple logic statement into those spaces instead of the expected password – what’s known as SQL injection – Lyne was able to make the database display all its listings: the username, password and reward code for every single person in the database.
“This is a 15-year-old vulnerability that is very well understood, and people still fall victim to it,” he said, adding that the attack was “staggeringly easy”.
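As an added illustration, not taken from the article or from Sophos, here is the flawed login query pattern Lyne described beside the parameterised form that closes the hole, run against a constructed in-memory SQLite table of placeholder users:

```python
import sqlite3

# Constructed sample data (not from the article): a tiny users table of the
# kind a login page queries. Passwords are stored in the clear here only to
# mirror the breach described; real systems should store salted hashes.
SAMPLE_USERS = [
    ("alice", "pw-alice-1", "RC-0001"),
    ("bob", "pw-bob-2", "RC-0002"),
    ("carol", "pw-carol-3", "RC-0003"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, reward_code TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The 15-year-old flaw: user input is pasted straight into the SQL text,
    so whatever is typed into the form becomes part of the query's logic."""
    sql = (f"SELECT username, password, reward_code FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """The fix: a parameterised query. The SQL and the values travel to the
    database separately, so input is only ever compared as data."""
    sql = ("SELECT username, password, reward_code FROM users "
           "WHERE username = ? AND password = ?")
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Run both versions with a genuine login and with a 'logic statement'
    typed into the password field, returning the four result sets."""
    conn = make_db()
    ok_vuln = login_vulnerable(conn, "alice", "pw-alice-1")
    ok_safe = login_safe(conn, "alice", "pw-alice-1")
    # An always-true condition in place of the password: the vulnerable query
    # reads "... AND password = 'x' OR '1'='1'" and matches every row.
    tautology = "x' OR '1'='1"
    leaked = login_vulnerable(conn, "alice", tautology)   # all three users
    blocked = login_safe(conn, "alice", tautology)        # no match at all
    return ok_vuln, ok_safe, leaked, blocked
```

The parameterised version also rejects an ordinary wrong password, so the fix costs nothing in normal operation.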
Lyne told The Irish Times he believed Sony acted responsibly in trying to identify where the weaknesses were in its systems once the breach was discovered, but it had to do so in the face of further attacks on its sites.
Having originally scheduled the cybercrime conference for early May, the organisers inadvertently benefited from the date change. Since then, the LulzSec collective’s 50-day hacking spree made headlines thanks to a series of high-profile targets that included not just Sony but the Central Intelligence Agency, the Arizona Police Department and Fox.com.
Other recent victims of cyber attacks include the International Monetary Fund, Citigroup and RSA, the security division of data storage firm EMC.
On the day of the event itself, Sony Music Ireland’s site was breached by unknown attackers who posted fake news stories about pop stars.
Paul Dwyer, founder of the International Cyber Threat Task Force and organiser of the Dublin event, said these incidents had helped to raise awareness of cybersecurity.
“LulzSec has done the world a favour. The sort of attacks they’ve been using, such as distributed denial of service (DDoS), are not intellectually stimulating, but they’ve been very effective. What they’ve shown is that the human controls have let organisations down as well as the technical controls, and even the biggest companies in the world can become victims of this,” he said.
Minimal technical skills are needed to get involved in cybercrime because the elements to create a cyber attack are available as services through highly developed underground economies, Dwyer said. For as little as £300 (€334), criminals can rent botnets – armies of infected computers – that can be controlled to attack a website for five hours and take it offline.
Dwyer said no single product could protect against all the attacks.
The best approach is a hybrid defence that includes not just technology but a company’s people and processes.
Lyne warned the high-profile nature of recent attacks can blind businesses to the real risks – failing to keep their security measures up to date. “We can all get caught up with Russian criminal gangs or Chinese hackers trying to come after our data, but that means that we’ll often miss users making mistakes.”
He challenged the perception that computers become infected with malicious software when their owners visit dubious websites.
“The majority of malicious code is distributed today through legitimate businesses having their websites hacked,” he said.
Darren Anstee, a solutions architect with Arbor Networks, said DDoS attacks are used by groups such as Anonymous for ideological reasons, or by criminals to extort money from e-commerce or gambling websites. The size and scope of these attacks doubled between 2009 and 2010, he said.
Rather than focusing on the effect, Lyne said industry and governments would be better served by tackling the cause of the problem.
“Botnets exist because computers get infected,” he said. “If we could all focus on that bit of the problem, make sure we’re patching our computers, running up-to-date protection, making life harder for bad guys to take computers over, then they won’t be able to get their bot networks together more easily.
“It will be much more expensive to launch DDoS attacks and we would be able to deal with that problem much more effectively.”
Part of the problem may be companies’ reluctance to own up to being victims of attacks, making it difficult for businesses to gauge the threat.
“Nobody wants to admit that they’ve been ‘DDoSed’. You will rarely hear a company officially recognise that it has been attacked. They will use phrases like ‘the service is offline’,” said Senan Largey, business development manager with Adversor.
Chuck Georgo, a security consultant with Team InfoSec, called for a Europe-wide information-sharing programme along the lines of the US’s Infragard initiative. This kind of forum allows stakeholders running critical national infrastructure to exchange useful security information with law enforcement agencies without releasing confidential information into the public domain.
“Maybe you can share characteristics of a breach without exposing the personal information behind it,” he said.
“This is a potential model for combating cybercrime in Europe. It takes a network to defeat a network.”
Peadar Duffy, founder of Risk Management International, said another part of the problem was that IT staff, who were normally responsible for information security, rarely had access to the boardroom.
“Tackling cyber threats is not an IT issue, it’s something that needs to be sponsored at board level. The higher the level of uncertainty in your organisation with regards to the critical organs of your business, the higher up it needs to be considered.”
BETTER PC SECURITY: KEEP SOFTWARE UP TO DATE AND GET THE BASICS RIGHT
AT HOME
Patch more than just the operating system – attacks against PDF documents or Flash movie files are more common, and security upgrades for these programs are usually free.
Keep your security software up to date. There are thousands of new variants of malicious software spotted every day, so this is a basic essential to protect your PC from unwanted programs. Do not rely on old software.
Use strong passwords – combinations of letters, numbers and symbols are best, and using the same one many times is not advisable.
IN BUSINESS
Get the basics right – don’t just react to the latest security threat, which may not affect your business. Understand where the weaknesses in your critical systems are and fix them first.
Have a back-up plan. If your site goes offline, ensure customers can still contact you with their questions and needs.
Regularly review your security plan and test for possible disruptions to your business.
Create a security culture in your organisation – don’t treat it as an IT problem.
Ensure senior management are aware of potential risks to the business.
Allocate time to staff awareness programmes – teach them how to spot and avoid potential social engineering tricks or online scams.