Nobody is immune to cyberattack

Around the world, computer networks are getting more vulnerable even as they grow more sophisticated. They are being penetrated and looted by digital intruders.

The personal records of 100 million people were stolen in an attack on Sony Corp.’s video game networks. Up to 210,000 unemployed Massachusetts residents were put at risk by data theft software that infected computers at the state’s Executive Office of Labor and Workforce Development. And, in March, as mentioned in an earlier post, criminals stole vital information from data protection company RSA Security, a division of storage giant EMC Corp. The stolen RSA data was later used in a hacker raid on defense contractor Lockheed Martin Corp., an RSA client. The list of data breaches grows almost daily, and while consumers and businesses can take steps to reduce the risk of losing sensitive information, security analysts say that making our computer networks truly secure is virtually impossible.

Antivirus and other commercial security software products may be adequate against the kind of amateur hackers who vandalized websites in the Internet’s early days, but they often fail to detect the custom-made attack programs, or “malware,’’ created by today’s organized crime gangs and foreign intelligence agencies. Cybercrime by governments will probably be even tougher to fend off. In late 2009, computers at the search engine giant Google Inc. came under a severe attack aimed at getting access to the company’s software codes. A host of other companies, including Adobe Systems Inc. and Juniper Networks Inc., were also hit. In January 2010, Google attributed the attack to hackers working from within China, a claim the Chinese government rejected.



The International Monetary Fund was hit recently by what computer experts describe as a large and sophisticated cyberattack whose dimensions are still unknown. The fund said that it did not believe that the intrusion into its systems was related to a sophisticated digital break-in at RSA Security that took place in March, which compromised some information that companies and governments use to control access to their most sensitive computer systems. After that attack, the World Bank briefly shut down external access to its most sensitive systems, for fear that the stolen information could make it a target. But it quickly resumed its normal operations and says it has seen no evidence of any attacks.

Companies and public institutions are often hesitant to describe publicly the nature or success of attacks on their computer systems, partly for fear of providing information that would be useful to the individuals or countries mounting the efforts. Even so, Google has recently been aggressive in announcing attacks and, in one recent case, as mentioned above, of declaring that its origin was China, an accusation the Chinese government quickly denied.

But in the case of the I.M.F., officials declined to say where they believe the attack originated — a delicate subject because most nations are members of the fund. The attacks were likely to have been made possible by a technique known as “spear phishing,” in which an individual is fooled into clicking on a malicious Web link or running a program that allows open access to the recipient’s network. It is also possible that the attack was less specific, a case in which an intruder was testing the system merely to see what was available.

Caveat emptor.

HTML5 is now playing in the big leagues

The Financial Times (London) yesterday introduced a mobile Web application aimed at luring readers away from Apple’s iTunes App Store, throwing down the gauntlet over new business conditions that Apple is set to impose on publishers who sell digital subscriptions via iTunes.

A number of publishers have expressed their displeasure with Apple’s plan to retain 30 percent of the revenue from subscriptions sold on iTunes, and to keep customer data from such sales, beginning at the end of June. At the same time, mobile applications are a fast-growing source of new readers and revenue, so publishers have been reluctant to pull their applications from the iTunes store.

The Financial Times, the British daily, has tried to get around this problem by designing a new app that includes much of the functionality of an iPad or iPhone application, while residing on the open Web. It employs a new Web technology standard called HTML5, which allows programmers to create a single application that can run on a variety of devices, including Apple’s iPhone and iPad, Google’s Android system and the BlackBerry PlayBook, although the new app does not work on some versions of the devices.

The Financial Times said it would encourage users of its iPad and iPhone applications to migrate to the new app. It said it did not plan to comply with Apple’s proposed conditions, even if that meant Apple removed the existing applications from iTunes.




= = = = = = = = = = = = = = = = = = = = = =

Update on my earlier posts on SecurID tokens

RSA Security has offered to replace the SecurID tokens used by enterprises and government agencies to secure their networks after attackers attempted to hack a defense contractor’s network in May.

The SecurID two-factor authentication technology relies on a pseudo-random number that is generated every 30 to 60 seconds. Users have to enter their own username, self-selected password and the code displayed on the token. The authentication server knows what number was generated. Attackers also now know how to figure out what number is being generated, and it is easy to steal usernames and passwords using phishing or keyloggers.

There are an estimated 40 million SecurID tokens currently in use.

Click here for an open letter to RSA SecurID customers.