The lock that says ‘pick me’

The recent computer attacks on the mighty Google left every corporate
network in the world looking a little less safe.

          Google’s confrontation with China — over government
censorship in general and specific attacks on its systems — is an exceptional
case, of course, extending to human rights and international politics as well
as high-tech spying. But the intrusion into Google’s computers and related
attacks from within China on some 30 other companies point to the rising
sophistication of such assaults and the vulnerability of even the best defenses,
security experts say.

          “The Google case shines a bright light
on what can be done in terms of spying and getting into corporate
networks,” said Edward M. Stroz, a former high-tech crime agent with the
United States’ Federal Bureau of Investigation who now heads a computer
security investigation firm in New York.

          Computer security is an ever-escalating
competition between so-called black-hat attackers and white-hat defenders. One
of the attackers’ main tools is malicious software, known as malware, which has
steadily evolved in recent years. Malware was once mainly viruses and worms,
digital pests that gummed up and sometimes damaged personal computers and

          Malware today, however, is likely to be more
subtle and selective, nesting inside corporate networks. And it can be a tool
for industrial espionage, transmitting digital copies of trade secrets, customer
lists, future plans and contracts.

          Corporations and government agencies spend
billions of dollars a year on specialized security software to detect and
combat malware. Still, the black hats seem to be gaining the upper hand.

          In a survey of 443 companies and government
agencies published in December, the Computer Security Institute found that 64
percent reported malware infections, up from 50 percent the previous year. The
financial loss from security breaches was $234,000 on average for each organization.

          “Malware is a huge problem, and becoming
a bigger one,” said Robert Richardson, director of the institute, a
research and training organization. “And now the game is much more about
getting a foothold in the network, for spying.”

          Security experts say employee awareness and
training are a crucial defense. Often, malware infections are a result of
high-tech twists on old-fashioned cons. One scam, for example, involves small
USB flash drives, left in a company parking lot, adorned with the company logo.
Curious employees pick them up, put them in their computers and open what looks
like an innocuous document. In fact, once run, it is software that collects
passwords and other confidential information on a user’s computer and sends it
to the attackers. More advanced malware can allow an outsider to completely
take over the personal computer and, from there, explore a company’s network.

          With this approach, the hackers do not need
to break through a company’s network defenses, because a worker has unknowingly
invited them inside.

          Another approach, one used in the Google
attacks, is a variation on so-called phishing schemes, in which an e-mail
message purporting to be from the recipient’s bank or another institution
tricks the person into giving up passwords. Scammers send such messages to
thousands of people in hopes of ensnaring a few. But with so-called
spear-phishing, the bogus e-mail is sent to a specific person and appears to
come from a friend or colleague inside that person’s company, making it far
more believable. Again, an attached file, once opened, unleashes the spy

          Other techniques for going inside companies
involve exploiting weaknesses in Web-site or network-routing software, using
those openings as gateways for malware.

          To combat leaks of confidential information,
network security software looks for anomalies in network traffic — large files
and rapid rates of data transmission, especially coming from corporate locations
where confidential information is housed.

          “Fighting computer crime is a balance of
technology and behavioral science, understanding the human dimension of the
threat,” said Stroz, the former FBI agent and security investigator.
“There is no law in the books that will ever throw a computer in prison.”

          As cell phones become more powerful, they
offer new terrain for malware to exploit in new ways. Recently, security
experts have started seeing malware that surreptitiously switches on a cell
phone’s microphone and camera. “It turns a smartphone into a surveillance
device,” said Mark D. Rasch, a computer security consultant in Bethesda,
Maryland, who formerly prosecuted computer crime for the United States Justice

          Hacked cell phones, Rasch said, can also
provide vital corporate intelligence because they can disclose their location.
The whereabouts of a cell phone belonging to an investment banker who is
representing a company in merger talks, he said, could provide telling clues to
rival bidders, for example.

          Security experts say the ideal approach is to
carefully identify a corporation’s most valuable intellectual property and
data, and place it on a separate computer network not linked to the Internet,
leaving a so-called air gap.

          “Sometimes the cheapest and best
security solution is to lock the door and don’t connect,” said James P.
Litchko, a former government security official who is a manager at Cyber
Security Professionals, a consulting firm.

          Some companies go further, building “Faraday
cages” to house their most critical computers and data. These cages
typically have a metal grid structure built into the walls, so no
electromagnetic or cell phone transmissions can come in or out. Defense
contractors, aerospace companies and some automakers have built Faraday cages,
named for the 19th-century English scientist Michael Faraday, who designed them
to shield electrical devices from lightning and other shocks.

          But in the Internet era, isolationism is an
impractical approach for many companies. Sharing information and knowledge
with industry partners and customers is seen as the path to greater flexibility
and efficiency. Work is routinely done by far-flung project teams. Mobile
professionals want vital company data to be accessible wherever they are.

          Most of that collaboration and communication
is done over the Internet, increasing the risk of outside attacks. And the
ubiquity of Internet access inside companies has its own risks. In a case of alleged
industrial theft that became public recently, a software engineer at Goldman
Sachs was accused last year of stealing proprietary software used in high-speed
trading, just before he left for another firm. The engineer, who pleaded not
guilty, had uploaded the software to a server computer in Germany, prosecutors

          The complexity of software code from different
suppliers, as it intermingles in corporate networks and across the Internet,
also opens the door to security weaknesses that malware writers exploit. One
quip among computer security experts is: “The sum of the parts is a

          But, security experts say, the problem goes
well beyond different kinds of software not playing well together. The software
products themselves, they say, are riddled with vulnerabilities — thousands of
such flaws are detected each year across the industry. Several weaknesses, it
seems, including one in the Microsoft Internet Explorer browser, were exploited
in the recent attacks on Google that were aimed at Chinese dissidents.

          The long-term answer, some experts assert,
lies in setting the software business on a path to becoming a mature industry,
with standards, defined responsibilities and liability for security gaps,
guided by forceful self-regulation or by the government.

          Just as the government eventually stepped in
to mandate seat belts in cars and safety standards for aircraft, says James A.
Lewis, a computer security expert at the Center for Strategic and International
Studies, the time has come for software.

          Lewis, who advised the Obama administration
about online security last spring, recalled that he served on a White House
advisory group on secure public networks in 1996. At the time, he recommended a
hands-off approach, assuming that market incentives for the participants would
deliver Internet security.

          Today, Lewis says he was mistaken. “It’s
a classic market failure — the market hasn’t delivered security,” he
said. “Our economy has become so dependent on this fabulous technology —
the Internet — but it’s not safe. And that’s an issue we’ll have to wrestle