At this point in the evolution of information systems, given the current state of information security, we should all just accept the fact that every organization which has any data of value has probably already been compromised multiple times. This includes corporations, non-profits, and governments. I suppose the value of having this stuff in the news is that it brings security into the consciousness of the general public for a few minutes. But maybe they should start adding “As expected,” to the beginning of all such articles, rather than pretending to be surprised.

From a technical standpoint, I think more organizations need to start treating their internal networks as hostile environments. I know I’m not the first person to suggest this idea, and it’s the basic idea behind mitigating the insider threat. The difference is that these principles now apply not only to governments protecting national secrets, but to every meaningful organization on the Internet. It’s been several years since any reasonable security professional could recommend that you focus on protecting the network perimeter, especially given how porous and interconnected most modern corporations are.

Think of it this way. A determined hacker will get into your network. At that point, he becomes a malicious insider, even if the attack was initiated from the outside. Your incident response plan and team are critical. We can no longer design information systems with a hard, crunchy exterior and soft, gooey interior.

UPDATE: Another interesting perspective on this issue was posted by Marc Maiffret of eEye.

Google believes its systems are being attacked by China, in order to gain information on Chinese human rights activists who happen to use Gmail. Well, duh. What prominent company or government isn’t being targeted by Chinese state-sponsored hackers? (Perhaps the nation of Togo.)

The interesting part is Google’s response: a threat to stop doing business in China. That would mean closing its office there, and shutting down Google.cn (the Chinese version of its search engine, with government-friendly censored results). If Google follows through on this threat, it will send a simple message: play nice or we’ll take our ball and go home. Hopefully they will also release more details about the attacks, so that the rest of us can learn to better defend ourselves.

Of course, China’s economy is huge, and the loss of business with one foreign company probably wont have a measurable impact (unless it’s Walmart). However, it’s still a powerful symbolic gesture. If China wants to be treated as a serious member of our modern global society, they need to stop acting like Mongol invaders from the 13th century.

Maybe if more companies took a similar stance (and followed through), then China would rethink its hostile cyber strategies. Or would they just be sneakier about it?

The novel technique was employed in August by a gang who targeted customers of leading German banks and stole Euro 300,000 in three weeks, according to Yuval Ben-Itzhak, chief technology officer of computer security firm Finjan.

“The Trojan is hooked into your browser and dynamically modifies the text in the html,” Ben-Itzhak says. “It’s a very sophisticated technique.”

via Threat Level

npr.org

Perhaps the economic downturn does help cyber criminals become more successful, simply because there are more desperate people out there to be scammed. Suddenly, a chance to “win $50 from Bank of America” might be just too tempting to resist. After all, “it’s a ripe economy to take advantage of people,” ² according to a McAfee cybercrime strategist. (Nice job title.)

On the other hand, I’ve also seen claims ³ that corporations are performing more internal investigations into employee fraud and misuse of resources. I believe this type of criminal behavior is much more likely to rise, since people generally feel less guilty about taking advantage of their employers, as opposed to outright stealing from a stranger. It’s a bit like how taking home a box of pens from work might not be a big deal, whereas doing the same from a Staples store is much more obviously theft.

There is also one more reason why laid off or unemployed computer geeks might turn to criminal means: it’s the only job they can get. It’s obviously a tough job market, even considering that IT jobs are better off than most other fields. If you’ve got hacking skills and need to make some money, I suppose it’s possible that you might be tempted to work for a criminal organization. Once again, I don’t believe that usually-honest people will start joining the mob out of desperation; we’re just not that bad off yet. But I did come across at least one example ⁴ of an unethical corporation hiring hackers to help them exceed the limits on rain forest logging. It’s hard to know if this is an unusual case, or if it’s becoming more rampant.

The bottom line is that companies (and government agencies) need to be even more vigilant against the insider threat. It’s always been there, and it always will. The best we can do is try to mitigate it. Personally, I’m not too worried about IT workers turning to cybercrime – the crooked ones are already there.

As detailed in the postings, the Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search. [Threat Level from Wired.com]

This definitely makes a good case for two-factor authentication. That way just having the password would not be good enough to log in to her account – you would also need the physical token (like a SecurID) that she would own.