By GEOFF NAIRN (Published in the Wall Street Journal Europe on October 18, 2011. Read the original here.)
Mikko Hypponen, chief research officer at Finnish security software company F-Secure, is a wanted man—by the cyber-hackers. So he keeps a low profile as he travels the world speaking and tweeting about the darker side of the internet. But he slipped up during a recent trip when one of his Twitter followers discovered his location and rapidly guessed the purpose of his visit—a meeting with Interpol.
Industrial espionage has gone digital and found a powerful ally in social networks. “It used to be about stealing pieces of paper, now it is done on computers,” says Mr. Hypponen, who stresses that his visit to Interpol was not a secret and no damage was done by its discovery.
The gadgets and gizmos of the spy movies have not gone away. But today’s corporate spies are more likely to trawl through Facebook pages and Twitter feeds for snippets of information they can build into valuable intelligence on a target organization.
Or they engage in what is known in the trade as “social engineering” —tricking employees to click on links in posts and emails that purport to come from colleagues or social networking friends. The links take them to rogue websites that silently install “Trojans” and other information-gathering malware on corporate IT systems.
Unlike cases where customer data or credit card numbers are stolen by hackers, organizations rarely admit to losing proprietary data or secrets in a cyber heist. Google, unusually, did admit to having lost intellectual property during Operation Aurora, which it called a “highly sophisticated and targeted attack” that originated in China.
McAfee, a U.S. security software vendor, claims global oil and gas companies have also been victims of persistent, targeted cyber attacks designed to steal proprietary information. Again, social engineering techniques were used to initiate this series of attacks, dubbed “Night Dragon” by McAfee.
John Colley, European managing director of the International Information Systems Security Certification Consortium, a not-for-profit body, says energy companies are an obvious target for espionage because they own high-value proprietary information. He knows of at least one major oil corporation that has suffered this type of attack but declined to name it.
The Night Dragon and Aurora attacks should serve as a wake-up call for other businesses. They show how spies have adapted to the internet age by employing malware to steal business secrets. But even without employing malicious tactics such as malware infection, social networks can be used to eavesdrop on companies and collect valuable information.
“People drop their guard on social networks,” says Abhilash Sonwane, senior vice-president of Indian security software company Cyberoam. They unknowingly disclose information that can be extremely valuable to competitors—or enemies.
Like other leading figures of the IT security industry, Mr. Hypponen has made quite a few enemies among criminal hackers. He recently had to deny a fake news story claiming he had been indicted for credit card fraud.
Among his 19,000 followers on Twitter, there could be people with darker motives, so he is careful about what he posts and rarely reveals his current location.
During a recent trip to Lyon, he waited until he was heading for home before posting a seemingly innocent Twitpic of an art installation that caught his eye. Half an hour later, one of his Twitter followers recognized the art and located it in downtown Lyon, close to Interpol headquarters. Even the most amateur spy would have little trouble guessing the reason for his trip.
“It would have been even easier if I had the GPS in my phone turned on,” says Mr. Hypponen. That’s because photos taken on a GPS-equipped phone are tagged with their coordinates. If seasoned security experts occasionally drop their guard, is there hope for the rest of us?
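The geotag point above, as an added example that is not part of the article: a small pure-Python check that reads the EXIF GPS latitude and longitude a phone embeds in a JPEG, and strips the Exif segment before a photo is shared. `build_sample_jpeg` constructs a synthetic JPEG with sample coordinates so the check runs offline; it stands in for a real photo, and the coordinates are made up for the test.

```python
import struct

def _read_ifd(tiff, off, e):
    """{tag: (type, count, raw 4-byte value-or-offset field)} for the TIFF IFD at off."""
    n = struct.unpack(e + "H", tiff[off:off + 2])[0]
    ents = [struct.unpack(e + "HHI4s", tiff[off + 2 + 12 * i:off + 14 + 12 * i]) for i in range(n)]
    return {tag: (typ, cnt, raw) for tag, typ, cnt, raw in ents}

def _dms(tiff, off, e):
    """Three RATIONALs (degrees, minutes, seconds) at off, converted to decimal degrees."""
    d, m, s = (n / q for n, q in struct.iter_unpack(e + "II", tiff[off:off + 24]))
    return d + m / 60 + s / 3600

def _exif_segments(jpeg):
    """Yield (start, end) byte spans of every APP1 Exif segment before the image data."""
    pos = 2                                      # skip the SOI marker FF D8
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            yield pos, pos + 2 + length
        pos += 2 + length

def gps_coordinates(jpeg):
    """(latitude, longitude) in signed decimal degrees from the EXIF GPS IFD, or None."""
    for start, end in _exif_segments(jpeg):
        tiff = jpeg[start + 10:end]              # TIFF structure follows marker, length, "Exif\0\0"
        e = "<" if tiff[:2] == b"II" else ">"    # byte order declared by the TIFF header
        gps = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e).get(0x8825)  # GPSInfo tag
        t = _read_ifd(tiff, struct.unpack(e + "I", gps[2])[0], e) if gps else {}
        if not all(k in t for k in (1, 2, 3, 4)):  # GPSLatitudeRef, GPSLatitude, GPSLongitudeRef, GPSLongitude
            continue
        lat, lon = (_dms(tiff, struct.unpack(e + "I", t[k][2])[0], e) for k in (2, 4))
        return (-lat if t[1][2][:1] == b"S" else lat, -lon if t[3][2][:1] == b"W" else lon)
    return None

def strip_exif(jpeg):
    """Copy of the JPEG with every APP1 Exif segment, and so any geotag, removed."""
    out, last = bytearray(), 0
    for start, end in _exif_segments(jpeg):
        out += jpeg[last:start]
        last = end
    return bytes(out + jpeg[last:])

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed minimal JPEG (SOI, Exif APP1 holding only a GPS IFD, EOI) for testing."""
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI", tag, typ, cnt) + val   # one 12-byte IFD entry
    rat = lambda dms: b"".join(struct.pack("<II", n, q) for n, q in dms)        # three RATIONALs
    ifd0 = struct.pack("<H", 1) + ent(0x8825, 4, 1, struct.pack("<I", 26)) + b"\0" * 4   # GPSInfo -> 26
    gps = (struct.pack("<H", 4) + ent(1, 2, 2, lat_ref.encode() + b"\0" * 3) + ent(2, 5, 3, struct.pack("<I", 80))
           + ent(3, 2, 2, lon_ref.encode() + b"\0" * 3) + ent(4, 5, 3, struct.pack("<I", 104)) + b"\0" * 4)
    tiff = b"II*\0" + struct.pack("<I", 8) + ifd0 + gps + rat(lat_dms) + rat(lon_dms)
    app1 = b"Exif\0\0" + tiff
    return b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xFF\xD9"
```

Running `gps_coordinates` on a photo before posting shows whether it carries a location; `strip_exif` removes the whole Exif block, which is the simplest safe default since other Exif fields (camera serial, timestamps) can also identify the poster.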
Not much, according to Mr. Sonwane. “People just do not realize that they are giving out more information than they are supposed to on social networks,” he says.
He recently conducted a study of 20 businesses whose employees post on social networks. By monitoring the posts of individual employees, Mr. Sonwane was able to get sensitive information that, using traditional spying methods, would require a lot more time and ingenuity.
In one case, Mr. Sonwane played a digital variation on the honey pot seductress ploy. He impersonated a woman and engaged in Facebook chat sessions with a recently divorced male financial director who, his posts revealed, was back on the dating circuit.
The man offered to take the woman to Broadway musicals and disclosed confidential financial information about his business—presumably to prove he could afford the best tickets.
In another case, at a large U.S. retail chain, none of the senior executives had a profile on social networks. But a vice-president did. That was sufficient for Mr. Sonwane to discover that the company was going to file for Chapter 11 protection and close many of its outlets—two months before it did.
Business awareness of the importance of IT security has improved dramatically in the past decade.
“But Web 2.0 technologies often fly under the radar and are much more difficult for the IT department to control,” says Sarah Carter, vice president at Actiance, a U.S. security technology vendor.
As well as social networks, Web 2.0 technologies include instant messaging, online collaboration and internet telephony services such as Skype. All have security risks, but social media pose by far the greatest problems. Organizations are finally starting to wake up to the risks around social media.
“It is clear that we have seen some significant changes in attitude to social media in the last 12 months,” says Andrew Wyatt, chief operating officer at security software firm ClearSwift.
Following a string of lapses and embarrassing incidents, some businesses, particularly those in regulated sectors, restrict or even ban employees from accessing social networking sites at work.
Vendors such as Actiance offer technological solutions designed to prevent employees posting sensitive data on social networks, maliciously or otherwise. Content can be moderated and riskier features such as chat or downloading can be disabled for certain employees.
But many employees see social media as an essential tool, particularly younger workers who might be less likely to use email. Mr. Colley says the best strategy is to educate users about the risks and to remember that, even in cyberspace, walls have ears.
“People always find a way to circumvent the controls and now there is a new generation that expects to be able to use social networks at work,” he says.
Case Study: Anti-Social Media
Mobile working and the trend for employees to use their own devices for work create big security challenges for businesses.
When the desktop PC was still king, life was more difficult for cyber-spies. They had to hack into a company’s network to find valuable information, which was like looking for a needle in a haystack if the network had hundreds of PCs.
With the growth of mobile working, today’s spies need only wait in an airport for valuable data to come walking to them.
Around 900 laptops are stolen or mislaid each week at London’s Heathrow airport, according to a survey by Ponemon Institute, a security research firm. (Figures for other European hubs like Paris Charles de Gaulle and Amsterdam Schiphol are not much better.)
The same study found 53% of business travelers had sensitive information on their laptop and, of those, 65% admitted they did not take steps to protect the data.
A data thief can copy confidential information off a laptop to a USB key in a few minutes and then return the laptop, so that the forgetful owner is none the wiser.
Alternatively, spies can install key-logging software to steal passwords, or infect the laptop with information-gathering malware that covertly penetrates a corporate network when the mobile worker next logs on.
Security vendors offer solutions to minimize the risks if laptops and other devices are stolen or their security compromised. But as more employees bring their own iPads and smartphones for work, these personal devices can slip through the security net.
“The bring-your-own-device trend means IT departments no longer own the IT resources that they have to protect,” says Actiance’s Ms. Carter.
Policy is slowly catching up. Research by Sophos, a U.S. security software vendor, finds 55% of businesses have a company security policy that covers personal devices used at work. But mobile technology evolves rapidly and the hackers know it.
Android, Google’s smartphone platform, is so new that only 31% of businesses with a mobile security policy support it, according to Sophos. Earlier this year, security experts discovered a new variant of the notorious information-stealing Zeus malware developed specifically for Android—there are already flavors for the BlackBerry, Windows Mobile and iPhone.