Jun 3rd 2011, 11:02 by M.G. | SAN FRANCISCO
DEFENCE companies have been left defenceless. A prominent internet giant has found itself the target of an online plot that allowed outsiders to read some of its users’ emails. And a media organisation has hit the headlines after its own website was vandalised by digital intruders. The cyber attacks against Lockheed Martin and L-3 Communications, two American defence giants, as well as those against Google and America’s Public Broadcasting System (PBS) differ in their details. But they all highlight the fact that hackers are becoming ever more tenacious and creative in their attempts to get their hands on sensitive data.
It’s not just American firms that are under attack. On June 2nd, a group of hackers calling itself “LulzSec” claimed that it had been able to get into the network of Sony Pictures. In a statement, the group said it had accessed details of a million customer accounts, including email addresses and dates of birth. Sony’s executives are investigating the group’s claim. If it turns out to be true, it will be a huge embarrassment for the company, which is only just recovering from another recent attack that forced it to shutter its high-profile PlayStation network for several weeks, costing it millions of dollars.
LulzSec (which also uses the moniker “The Lulz Boat”) claims it is behind the hacking of PBS’s website too. Here the hackers stole passwords and other sensitive data, as well as posting a false story claiming that Tupac Shakur, a rapper who died in 1996, was in fact alive and kicking in New Zealand. They then sent tweets taunting the media outfit. One read: “Anyway, say hello to the insides of the PBS servers, folks.” LulzSec also separately posted a message justifying its attack on Sony, saying the company’s approach to handling sensitive data was “disgraceful and insecure”.
The rise of “hacktivism”, which involves groups of hackers not necessarily driven by financial gain (though this can be a handy by-product of their nefarious activities), poses a growing challenge to companies and governments. Often the motive is revenge. LulzSec claimed its attack on PBS was motivated by the media organisation’s decision to air an investigative report that included criticism of WikiLeaks, the organisation that has been publishing leaked diplomatic cables. Anonymous, a hacker collective that has gained global notoriety for penetrating the networks of credit-card companies and other organisations, has also justified some of its actions by saying they are protests at the way in which Julian Assange, the founder of WikiLeaks, has been persecuted by governments and courts.
Other hackers are launching what many reckon are government-backed intrusions over the internet. This week Google revealed that a cyber attack originating from China had used a technique known as “spear phishing” to extract Gmail passwords from unwary users. This was used to read the emails of senior American officials, journalists, Chinese political activists and government officials in several Asian countries, most notably South Korea. The Chinese government denied it had anything to do with the attacks, though some experts note that Chinese hackers often operate independently, but with the tacit approval of the state.
There is certainly evidence that some online intrusions are the result of a very different approach to the random assaults mounted by hacktivists. Earlier this year, RSA, the security division of EMC, a data-storage firm, admitted that it had been the victim of “an extremely aggressive cyber attack” that gave the hackers information about RSA products designed to protect customers’ systems. It is possible that some of that information may have been used in the attack on Lockheed Martin.
The details of the intrusion are not fully known, but in Lockheed Martin’s case it is clear that hackers were able to install so-called “keylogger” software on a remote computer accessing Lockheed’s network. This allowed them to see the user’s password and any security codes entered from an RSA SecurID token, which companies such as Lockheed use to generate unique passcode numbers every 30 seconds for their employees as an additional level of protection.
Harry Sverdlove, the chief technology officer of Bit9, a security company, thinks that the hackers may have used these data in combination with information gleaned during the RSA intrusion to penetrate Lockheed’s network. And he reckons that one consequence of this and other cyber attacks will be to get companies to tighten controls on vulnerable “endpoints”—portable computers and other devices that access networks from a distance. Another will be to stiffen official resolve in America and elsewhere to tackle cyber aggression more forcefully. It is surely no coincidence that Lockheed’s news came out at pretty much the same time that the Pentagon in America was floating the notion that cyber attacks launched by another nation constitute an act of war that justifies a riposte involving traditional military force.
In this blog, our correspondents report on the intersections between science, technology, culture and policy. The blog takes its name from Charles Babbage, a Victorian mathematician and engineer who designed a mechanical computer.
Readers' comments
Anonymous is legion.
"Anonymous, a hacker collective that has gained global notoriety for penetrating the networks of credit-card companies and other organisations"
This is incorrect - certainly, Anonymous as a whole never gained access to any credit card networks, they merely launched a DDoS attack, slowing down their website and transaction traffic. Any claims otherwise were unfounded boasting and scaremongering, as such a feat would be impossible to accomplish by the vast majority of Anonymous, who are regular computer users, merely running DoS programs designed by more knowledgeable members.
This break in a security platform represents the ongoing challenges we as security professionals face. Security is an ever changing and adjusting technology whereby organizations, standards and technology need to change as the threat model increases. As we see with many breaks of a security model, our enemies are mounted in force with the sole intention of capturing information, data and records for financial gain, political strength or espionage. It almost sounds like a Hollywood movie, but the real world is seeing the battles moving to the network vs. the battlefield.
Standards have emerged to allow international peers to do a security review of a solution that can be more resilient and have a broad interest in preventing the most damaging threats. In the case in point, such organizations as the Trusted Computing Group (TCG), have developed security standards that have now been enabled in devices such as Trusted Platform Modules (TPM’s), Secure Encrypted Drives (SED’s) products. The distribution and availability is broad and deep, and these products have the security algorithms imbedded in hardware which creates a 1 to 1 attack profile vs. a broad secret model as we see in this report. Meaning, I as a hacker need the machine in my possession and then I need to crack the silicon chip and steal its secrets which if successful, highly unlikely, will only allow me the hacker to learn information on that single machine.
As a previously wise decision, layering security has always been a good idea, and now it’s a “Best Practice”. Using the TPM as the root of trust with appropriate software as a solution is what is needed; this allows management of a user’s machine, their credentials and data access as rooted in hardware vs. software. The result is: only known users and machines can access the network, data and user privacy. Yes, we should look for new ways and use the 500 million TPM’s, several million SED’s and move away from old security paradigms.
@Resolving Unfair Business I find it interesting that so many are attacking the "hackers" and not commenting on the bigger problem. Systems that are insecure.
Granted that a lot of companies do a terrible job on security of their software. But this sounds like you are focusing on blaming the victim.
It is as if you fault me for being mugged, just because I made the mistake of carrying some money with me. Granted, it might have been a poor decision on my part. But that doesn't excuse the mugger of his crime.
chinaeagle:
Out of all my post, you ignore everything but one phrase, and you distort what I meant by that. This smells like a desperate attempt to change the subject.
As to the phrase you replied to: I never said that "the rest of the world" was only the US and Europe. I said that the rest of the world was too smart to fall for your propaganda. You replied by listing countries where you didn't think I knew what was going on. Does that make them children? Easily deceived? Easy prey for manipulation? I don't think so.
@ John Eh:
"If some bored teen in LA is caught hacking into Walmart's credit system, why not blow LA off the continent with a dozen or so ICBMs? "
Misplaced sarcasm, it is. Several generations of Western youth are raised assured by the lefty liberals who hijacked the childcare and education areas that there is no responsibility for whatever - in their boredom - it occurs to them to do, short of murder. The mantra of educationalists (the likes of the ex-terrorist and presidential buddy Bill Ayers) is that crime is society's, not the perpetrator's, guilt.
But it's a lie; a bored teen from LA hacking into Walmart's credit system is committing a felony - he should go to the stir for several years; surely he'd be less bored there.
@ Resolving Unfair Business:
"There is no way the fact companies and governments are using, and continuing to use, insecure systems is the fault of the hackers. Companies and governments have made the choice to not put the necessary resources into securing their systems."
You're talking porkies mate. If someone chooses not to lock his door, he's a fool, but this doesn't make an opportunist who stole his stuff less criminal. So I say jail the brats who think it's funny to creep into people's life and pinch their property.
Not to nitpick but Sony Pictures is more or less an American company, despite its Japanese parent.
@Realities:
Quite so. I hear those LulzSec folks are actually backed by a longtime nemesis of Anonymous -- those shady characters from Ebaumsworld.
Are we allowed to post URLs? There's a rather succinct review of the PSN hack that's been floating around, copy of English translation (Warning: Contents not entirely respectful of Sony Products):
http://www.notcliche.com/lbw/whole-sony-vs-anon-psn-issue-explained-in-4...
Sometimes I wonder if hackers are not on the payroll of the anti-virus & web security providers?? Keeps them in business & a very lucrative & growing one at that. Hmmm..
@ zerge
"And discovering the identity of this hacker is nearly impossible."
I don't buy it. Especially with the technology that Pentagon and NSA, let alone Google, have at their disposal.
That is, assuming they want to get these guys! And more importantly they can DO something about it.
Either these are just a bunch of amateurs with nothing else to do in which case it's embarrassing for Google but DoD has better things to do. Or these are pros who are either very well connected within the system or have been hired by official agencies. In which case I'd think DoD can't touch them. I mean we are not talking about a bunch of goat herders in South Waziristan! Of course they can "get back" in other ways.
Allow me to explain how it works:
1.- China has millions of computers using bootleg software. This software, being illegally obtained, hardly ever gets updated.
2.- As time passes, vulnerabilities are found in software. If the software is not updated ("patched"), it becomes easy to hack.
3.- A hacker sitting anywhere in the world hacks a Chinese server with unpatched bootlegged software and takes control of that server.
4.- The hacker, who again, can be anywhere in the world connected remotely to the Chinese server, launches all sorts of attacks from that Chinese server with a Chinese IP.
5.- The victim sees the attack coming from a Chinese IP, and assumes, wrongly so, that the attacker is Chinese.
This doesn't mean that China doesn't do cyberattacks. What it means is that the geographical origin of an IP tells us absolutely NOTHING about the nationality of the hacker. And discovering the identity of this hacker is nearly impossible.
anonymous FTW!
The 'notion' that the Pentagon floats about the internet and acts of war is just bizarre. Why, simply, do we put sensitive data on the internet, when it is impossible to police the internet, because internet protocol keeps changing all the time? A time will come, when internet protocol will be able to be changed at unbelievably short periods of time. Trust the capitalists to want to make their businesses more easy to run, to make more profits, on the information super-highway.
The internet is inherently unsafe! Never expect the internet to become safe. If you use webmail (such as Gmail, Hotmail, etc.) and cloud services, and expect safety and privacy, you are an idiot! On the internet, there is no such thing. Use with discretion.
You have not mentioned the little guy at home whose computer becomes inundated with tracking cookies and other infestations such as trojans and worms.
On each of two successive scans my Internet security suite found over 50 tracking cookies. The manufacturer now has updated their product and SO FAR it seems fine.
Even downloading innocuous software is a hazardous undertaking.
I use my machine for serious research and reading.
Those who visit porn sites should be warned and have only themselves to blame.
When I send an e-mail to several, I receive a notification of "This is an automatically generated Delivery Status Notification.
Delivery to the following recipients failed.
ceshixinxiang2@hotmail.com
"
But this address is not in my mail list. I think that this is an intrusion by some "hacker" or intelligence office. Is this related to China? I don't know. My activity is to write political notes on finance crisis, and economic theory. Very hard. Internet is transparent for intelligence services. Now I write my e-mails conscious of intrusion by intelligence units in USA, UK, France, China, Israel, Libya, and Haiti.
Most data breaches originate inside the same companies.
When? How?
Companies outsource everything: payroll, accounting, marketing, and... above all... collection of accounts receivable. Contractors are routinely given entire databases of employees, customers, suppliers, etc. And it's not rare that a contractor's clerk copies the database and sells it around.
In addition, many companies routinely sell their databases to advertisers. That's how they make money these days.
So, if you want names, emails, phones and credit card numbers of Sony Playstation users, you don't need to infiltrate Sony's web site. Instead, you go buy the database from any of Sony's trusted partners.
Hacking is just for people who insist on taking the long road.
#2H6JyFJkHX:
I know an Anonymous member (I won't tell his account name as it should remain Anonymous) and he has told me that this "LulzSec" is no subdivision of Anonymous. In fact, he condemned their release of personal information for the million Sony Music users. He also told me that Anonymous and "LulzSec" actually hate each other.
We should just try to end the attacks on Sony and bring "LulzSec" to justice.
@rewt66
"For that matter, the rest of the world is also too smart to believe it."
I often find that Westerners seem to have very little knowledge about the term "WORLD". When you say "the rest of the world", does it include Russia, Brazil, Pakistan, North Korea, Myanmar, Cambodia, Iran, Nigeria, Thailand, Kazakhstan, Turkmenistan, Turkey, and many other countries? I just want to let you know a simple fact: there are many countries in the world. The U.S. is not a "world", neither is the U.K. or Europe.