I attended a presentation by Kevin Mitnick, a well-known computer hacker turned security expert, last week. While the hacks and exploits he described may not be news to those in info security, I was personally surprised at both the ease and effectiveness of current hacking techniques. In his presentation, he gave a live demonstration of some relatively simple but very dangerous techniques for stealing data.
Several of the techniques he showed were right out of Hollywood spy movies. For example, a device easily worn under his suit jacket can read the information on the corporate ID badges used to secure most financial industry facilities and, with a tap of a switch, transmit that same code to a nearby reader. Nothing is broken in the process: the reader accepts the replayed badge code as if the badge itself were being presented. In practice, this would allow a hacker to walk past a headquarters employee leaving for lunch, scan their badge, and then enter the facility as that employee.
Another technique is the use of a USB device that can automatically run software on a target computer. Once plugged in, the USB device can load the desired software, perhaps key logging software to capture passwords, a memory scanner that actively monitors for credit card numbers, or perhaps desktop sharing software that will make the entire contents of the computer accessible to a remote computer. The interesting aspect of this for me was thinking about the number of retailers whose cash registers are essentially a PC with a USB port within reach of the customer. It would be so easy to plug a small USB device into the back of the computer while checking out and compromise the entire store network.
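One way a plug-in device can "automatically run software" is to enumerate as a USB keyboard and type its commands; that is my assumption about the kind of device shown, not something the talk spelled out. On a machine that already has a keyboard, a second keyboard turning up hours later is the tell a defender can look for. The script below is an added example, not from the presentation; it parses constructed kernel log lines written in the style of Linux USB and HID messages and reports keyboards enumerated after the first one.

```python
"""Spot extra USB keyboards in a kernel log: an added example, not from the talk.

Assumes a keystroke-injecting device shows up as a USB HID keyboard. The log
lines are constructed in the style of Linux kernel messages.
"""
import re

# Constructed sample: the built-in keyboard at boot, a flash drive later,
# then a second "keyboard" on another port an hour after that.
SAMPLE_KERNEL_LOG = """\
[    2.101] usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 1.00
[    2.102] usb 1-3: Product: USB Keyboard
[    2.150] hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-3/input0
[ 1500.300] usb 1-4: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00
[ 1500.301] usb 1-4: Product: Ultra
[ 1500.400] usb-storage 1-4:1.0: USB Mass Storage device detected
[ 3601.010] usb 1-1: New USB device found, idVendor=03eb, idProduct=2401, bcdDevice= 1.00
[ 3601.011] usb 1-1: Product: Keyboard
[ 3601.050] hid-generic 0003:03EB:2401.0002: input,hidraw1: USB HID v1.11 Keyboard [Keyboard] on usb-0000:00:14.0-1/input0
"""

NEW_DEVICE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\] usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# hid-generic names the device 0003:VID:PID.N and says what kind of HID it is.
HID_KEYBOARD = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\] hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\d+: "
    r".*USB HID v[\d.]+ Keyboard "
)


def keyboards_in_log(log_text):
    """Return every keyboard enumeration, in order, joined to its USB port."""
    ports = {}      # (vid, pid) -> port of the most recent enumeration
    keyboards = []
    for line in log_text.splitlines():
        m = NEW_DEVICE.match(line)
        if m:
            ports[(m["vid"], m["pid"])] = m["port"]
            continue
        m = HID_KEYBOARD.match(line)
        if m:
            key = (m["vid"].lower(), m["pid"].lower())
            keyboards.append({
                "ts": float(m["ts"]),
                "vid": key[0],
                "pid": key[1],
                "port": ports.get(key, "unknown"),
            })
    return keyboards


def extra_keyboards(log_text):
    """Keyboards enumerated after the first one.

    Assumes the first keyboard in the log is the legitimate one; that holds
    on a laptop with a built-in keyboard. On a desktop you would instead
    whitelist the known vendor:product pair.
    """
    return keyboards_in_log(log_text)[1:]


if __name__ == "__main__":
    for kb in extra_keyboards(SAMPLE_KERNEL_LOG):
        print(f"extra keyboard {kb['vid']}:{kb['pid']} on port {kb['port']} at t={kb['ts']}s")
```

The mass storage device in the sample is not reported, only the second keyboard is. The obvious limitation is that an injector can advertise the same vendor and product IDs as the real keyboard, so this is a triage signal, not proof; the port it appeared on and the time it appeared are what an investigator follows up.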
The most interesting demonstration was the threat represented by peer-to-peer (P2P) file sharing networks. Although the threat was widely reported in security publications over a year ago, I’ve yet to speak with anyone outside of info security who is aware of the potential risk. The compromise works like this: a user installs file sharing software, like LimeWire, Kazaa, or BitTorrent, on their computer to access free music. Once installed, the software shares whatever folders it has been pointed at, and in the cases he showed that was the entire contents of the user’s hard disk, not just a limited set of music files. Once the files are shared, anyone on the peer-to-peer network who searches for the right file name can download the user’s files for whatever purpose they desire. One caveat on the list above: a BitTorrent client only serves the torrents you deliberately add and offers no keyword search across other users’ folders, so the search-by-file-name exposure described here comes from the LimeWire and Kazaa style of client.
How great is the risk? Well, do you or anyone in your home or anyone at your company ever download free music? Another way to think of it is, do your kids have more music on their iPad than you can account for in iTunes charges? If so, you may be at risk. In fact, many organizations with strong security policies likely have employees who inadvertently share files over peer-to-peer networks. Nothing has to be broken into: the employee installs the client themselves and it does the uploading from inside, so the security infrastructure built to keep intruders out is completely bypassed.
At this point, you might be wondering what types of data or files someone might find. I’d like to pass along three examples that Mr. Mitnick shared. First, imagine for a moment how many people write a letter to Citibank explaining an error in their account and requesting that it be corrected. Keep in mind that each of these users will likely include their name, account number, and possibly even their birthdate or other confidential information in the letter. Then, recall that when you save a new document, Word proposes the first line of text as the file name, so many of these letters end up saved as “Dear Citibank”. Mr. Mitnick ran a live search for the phrase “Dear Citibank” that revealed hundreds of files. He showed one of the files, with the extensive personal information grayed out, to demonstrate how complete the information was for an attempted account takeover.
In the next example, he ran a search for the phrase “tax return”. Keep in mind that tax software saves your completed tax return with a filename like 2011_yourname_tax_return.pdf. A quick search revealed thousands of files containing the phrase “tax return”. This year the IRS has reported some 20,000 fraudulently filed tax returns where the fraudulent return was filed before the IRS received the matching W-2s. The check the IRS uses to verify a consumer’s identity when a return is filed is their adjusted gross income from the prior year, which is conveniently located on last year’s tax return, which the hacker just stole. The fraudster simply files fictitious income figures that result in a large refund, paid out to a temporary bank account. After the IRS receives the actual W-2 data, they will contact the consumer to recover the refund. In most of these cases the consumer has not yet completed their taxes and has no idea that their tax information was stolen or how a fraudulent return could possibly have been accepted by the IRS.
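Both searches above work on file names, because that is what these clients index. The natural check for a defender is to run the same kind of search against the folders a machine is sharing before a stranger does. The script below is an added example, not a tool from the talk: it walks a directory tree, flags file names that look like bank letters or tax returns, and then reads the opening lines of plain-text files for salutations and account numbers, since a Word default file name comes from a document's first line in the first place. The pattern list is my own starting point, and the sample folder it audits is constructed in a temporary directory.

```python
"""Audit a folder for files a peer-to-peer search would surface (added example).

The pattern list is a starting point of my own, not from the talk; the
sample share is constructed. Name matches come first because that is what
a P2P search sees; content checks cover text files whose names are bland.
"""
import os
import re
import tempfile

# (label, regex) pairs; extend with the organisation's own letterhead and forms.
NAME_PATTERNS = [
    ("bank letter", re.compile(r"dear\s+(citi|chase|wells|bank)", re.I)),
    ("tax return", re.compile(r"tax[_ -]?return", re.I)),
    ("tax or id form", re.compile(r"\b(w-?2|1040|passport)\b", re.I)),
]
CONTENT_PATTERNS = [
    ("letter salutation", re.compile(r"^dear\s+\w+", re.I)),
    ("account number", re.compile(r"account\s*(number|no\.?|#)\s*[:#]?\s*\d{6,}", re.I)),
    ("ssn layout", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
]
# Only these are read as text; .doc/.docx/.pdf are judged by name alone here.
TEXT_EXT = {".txt", ".csv", ".rtf", ".md", ".html"}


def first_match(patterns, text):
    """Label of the first pattern that hits, or None."""
    for label, rx in patterns:
        if rx.search(text):
            return label
    return None


def audit_share(root):
    """Return sorted [(relative path, reason)] for files worth pulling out of a share."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            label = first_match(NAME_PATTERNS, name)
            if label:
                findings.append((rel, "name: " + label))
                continue
            if os.path.splitext(name)[1].lower() in TEXT_EXT:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    head = fh.read(2048)       # first lines are where salutations live
                label = first_match(CONTENT_PATTERNS, head)
                if label:
                    findings.append((rel, "content: " + label))
    return sorted(findings)


def build_sample_share(root):
    """Constructed home folder: what gets exposed when the whole thing is shared."""
    files = {
        "Music/track01.mp3": b"\x00" * 16,
        "Documents/Dear Citibank.doc": b"\xd0\xcf\x11\xe0 stand-in for a Word file",
        "Documents/2011_jane_tax_return.pdf": b"%PDF-1.4 stand-in",
        "Documents/notes.txt": "Dear Mom,\nthanks for the cookies\n",
        "Documents/dispute.txt": "To whom it may concern,\nAccount number: 44123987\n",
        "Desktop/todo.txt": "buy milk\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data if isinstance(data, bytes) else data.encode("utf-8"))


def run_demo():
    """Build the constructed share in a temp dir, audit it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return audit_share(tmp)


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{reason:28} {rel}")
```

Run against the constructed folder it reports the Citibank letter and the tax return by name and the two text files by content; the music file and the to-do list pass. The content rules err toward recall on purpose: a letter to Mom is flagged alongside a dispute letter with an account number, and a person decides which ones leave the share. Pointing audit_share at a real client's shared folder is the exercise worth doing on any machine that has ever had one installed.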
The final example I’d like to share is related to WikiLeaks. As reported elsewhere, many of the documents that WikiLeaks claims were submitted to it anonymously were actually acquired through P2P file sharing networks. The individuals who disclosed confidential State Department or military information were in fact doing nothing more than downloading music to listen to while at work. Some of the information released, such as family addresses for military personnel in Afghanistan, represents a grave security threat. While leaks from financial institutions may be more difficult to identify, there is little doubt that at least one employee in at least one bank has chosen to look for some free music on company time.
Perhaps the most startling aspect of all of these security attacks is that antivirus and anti-malware software is completely ineffective against them. There is little for it to detect: the badge attack never touches a computer, and the file sharing client is legitimate software the user chose to install and then pointed at the wrong folders. It is only through attentive and cautious behaviors that users and consumers can protect themselves from these attacks. Last year, I wrote an article titled Can Consumers Be Trusted to Help Fight Identity Fraud? In short, the answer is that most consumers take virtually no security precautions with their personal computer or their personal data. As remarkable as it is, they seem to expect their financial institution to protect their identity while they share confidential information with the world.
I don’t have a clear answer for how to solve this problem, but I certainly have a much greater sympathy when the IT security team tells me that my USB device must be disabled and I cannot have privileges to install software on my work computer. Now, I need to figure out how to implement that level of security at home.