Target. Michaels. Neiman Marcus. Sally Beauty Supply. Kickstarter. All familiar names in U.S. commerce and all victims of cyberattacks that compromised the identities of millions. How can you stay safe?
Maybe it’s a “spear phishing” attack, where a hacker sends a realistic email that loads a virus when the unsuspecting computer user clicks on the attachment. The hacker may even research who works for a firm to make the email appear to be from an employee.
Other times it’s the “strategic web compromise,” where a hacker finds a weakness in a firm’s website and inserts malware to infect anyone who visits it. Hackers may also probe all of the computers a company has linked to the Internet, searching for a weakness that allows them to penetrate
Then there’s the human element or “social engineering” in hacker parlance. A call to a lower-level employee from a traveling manager who can’t remember a password; the request sounds legitimate and a password is provided. Other times hackers rely on curiosity: someone sees a thumb drive in the parking lot and puts it into his computer — and unwittingly loads malware into the system.
Questions about the vulnerability of electronically stored consumer information exploded onto the national scene when mammoth retailer Target announced cyberthieves had stolen names, mailing addresses, phone numbers or email addresses of up to 70 million customers. A related penetration of the company’s cash register systems may have allowed thieves to capture credit and debit card information of perhaps 40 million customers over the 2013 holiday season. It appears hackers gained access to a network belonging to one of Target’s vendors, which gave them the ability to enter the retailer’s network.
The good news, computer security experts say, is that individuals are rarely targeted and that monitoring credit card and bank statements is the best way to stay safe. The bad news, however, is that customers can take precautions and still have their data stolen.
“People shouldn’t be scared to go onto the Internet,” says Michael Schearer, an analyst for McLean, Va.-based Booz Allen Hamilton, which handles computer security and information systems for a wide range of governmental and private industry clients. “There is a reason to be wary out there. For the most part, people aren’t being targeted themselves, but they might get caught up in a breach, like the Target breach.”
Schearer, a 1997 Bloomsburg graduate who makes his living testing computer network vulnerabilities, says while security has improved over the years “in general we find the weakest link is almost always human.”
“Most networks have fairly decent security to keep people out,” he says. “But once you get in, it’s typically much easier to move around because the security on the inside is usually not as good as on the outside.”
Tyler Oliver ’11, a security consultant with Mandiant, a FireEye company based in Alexandria, Va., says people shouldn’t think “the sky is falling,” but they also should be prepared to be impacted in some way.
Indeed, the 2013 Norton Report, released by antivirus software provider Symantec, found that some kind of cybercrime affects 1 million people worldwide each day and costs firms and individuals an estimated $113 billion annually.
“I would say people should definitely be aware,” Oliver says. “Don’t take online banking or your credit cards for granted. People need to know these things are happening and not think it won’t happen to them.”
The larger they are …
“Networks have become so large and everything is connected,” says Diane Barrett, assistant professor in Bloomsburg University’s nationally known digital forensics program. Students in the program learn the latest techniques in protecting computer systems, retrieving information and tracking down breaches.
“I’ve seen it even in the financial sectors where a bank website was hosted on the same machine as other websites. There was a vulnerability in the code for one of the websites and someone was able to compromise the entire server,” Barrett says. “The hacker was able to penetrate the bank’s system, though the bank had nothing to do with it, because the web hosting company had allowed the machine to be shared by third-party vendors.”
Barrett, who used to work for cybersecurity firm Kroll Inc. responding to data breaches and conducting security assessments, says the massive amounts of information flowing through networks make it all but impossible to immediately spot a penetration, especially if the hacker is careful.
A common method to avoid detection is inserting what is called a “batch file,” or a small program designed to collect and send information about the network. Such a program may, for example, collect all the Internet addresses of computers on a network and account passwords, she says.
Bloomsburg professor Scott Inch, who was instrumental in creating the digital forensics program, says it’s not uncommon for a careful hacker to keep accessing a system for months or even years before the breach is discovered. Meanwhile, the hacker siphons off information, all the while creating his own backdoors and passages in the network.
“Hackers move laterally in the network they are in, trying to gain more credentials and move up to the next level,” Inch says. “It’s kind of a chess game.”
Sometimes, breaches occur when companies fail to keep software updated and to keep current on the latest security patches, Inch says. Hackers can use software tools easily available on the Internet to probe a firm’s computers connected to the Web. “Someone can then try to interact with those machines and if the system is set up right the attempt can be rebuffed,” Inch says. “But in a company with tens of thousands of computers, all it takes is one not configured properly.”
“It’s going to continue to happen,” Inch says of data breaches. “The folks in the community that deal with this don’t talk about repelling it all; they talk about how we have to be quicker about finding a breach and remediating it. We are always trying to play catch-up.”
In addition to the battle to keep networks safe from hackers, Inch says law enforcement monitors news groups on the Internet, searching for talk of breaches or of stolen information being offered at a price.
“You can log into certain chat rooms and buy credit card numbers by the thousands,” Inch says. “Law enforcement and credit card companies monitor these chat rooms for the availability of large blocks of credit card numbers. If they determine that they are all coming from the same place, they contact the company to say ‘We have information that you may have been breached.’ ”
It’s not unusual, Inch says, for a company to first learn of a breach from law enforcement or another outside source.
One outgrowth of the Target breach may be a new approach to credit card security. The magnetic strip now used on cards is easy to copy and forge, but cards used in Europe have a microchip that is much harder to duplicate. Target said it plans to start using “smart cards” with a microchip by 2015.
Barrett expects smart-chip credit cards will soon become the norm, even though they are more expensive to produce. “Eventually, because the cost of these breaches is so high – affecting insurance rates and hurting a company’s image – we’ll start seeing more secure credit cards,” she says.
Schearer, the computer security expert with Booz Allen Hamilton, advises individuals to take reasonable precautions. “My perspective is probably a little different from a lot of people. I think you have to trade off between security and usability, in the sense that it’s very possible to completely lock down everything you are using, to never click on links of any kind or go to any website. But then you are losing the experience of the Internet and what is out there.”
Jack Sherzer is a professional writer and principal partner with Message Prose, a communications and public relations firm in Harrisburg.