Hackers and thieves a growing Web menace
Technology lag leaves systems vulnerable
On the Internet, there’s nowhere left to hide.
Around the world, computer networks are getting more vulnerable even as they grow more sophisticated. They are being penetrated and looted by digital intruders.
The personal records of 100 million people were stolen in an attack on Sony Corp.’s video game networks. Up to 210,000 unemployed Massachusetts residents were put at risk by data theft software that infected computers at the state’s Executive Office of Labor and Workforce Development. And in March, criminals stole vital information from Bedford data protection company RSA Security, a division of Hopkinton storage giant EMC Corp. The stolen RSA data was later used in a hacker raid on defense contractor Lock heed Martin Corp., an RSA client.
The list of data breaches grows almost daily, and while consumers and businesses can take steps to reduce the risk of losing sensitive information, security analysts say that making our computer networks truly secure is virtually impossible.
“It’s too hard,’’ said consultant Mischel Kwon, a former vice president at RSA and former director of the US government’s Computer Emergency Readiness Team, which responds to threats to the nation’s critical data networks. “It’s too expensive.’’
Kwon said the world’s computer systems have been infiltrated by a host of bad actors, from criminal gangs to radical political activists to digital secret agents working for foreign governments. “Every network has been breached,’’ she said.
Congressman Jim Langevin, a Democrat from Rhode Island, said the problem is only going to get worse. The current attacks will “look like amateur hour compared to what’s coming in the next decade,’’ said Langevin, member of the House Select Committee on Intelligence and chairman of the Congressional Cybersecurity Caucus. “We’re not moving fast enough to close the vulnerability.’’
The Privacy Rights Clearinghouse, a California nonprofit group that advocates for stronger privacy laws, has recorded 251 reported computer breaches involving the theft of personal information so far this year, up from 234 for the same period last year. A new major breach was revealed on Thursday, when the giant bank Citigroup Inc. said that the credit card numbers of about 200,000 customers had been compromised by data thieves sometime in early May.
One reason why corporations can’t get ahead of the attacks is that the technology is not yet available. Joshua Corman, research director for enterprise security at The 451 Group in Dover, N.H., said that the computer industry has failed to keep up with the changing methods and motives of hackers. “The chickens have come home to roost,’’ Corman said. “Many of our approaches have been incredibly static and unchanging.’’
Corman said that antivirus and other commercial security software products may be adequate against the kind of amateur hackers who vandalized websites in the Internet’s early days, but they often fail to detect the custom-made attack programs, or “malware,’’ created by today’s organized crime gangs and foreign intelligence agencies.
In addition, computer criminals have begun to play for higher stakes, Corman said. Data thieves like Albert Gonzalez, who stole about 90 million credit and debit card numbers from Framingham’s TJX Cos. and other retailers between 2005 and 2008, have glutted the underground market for stolen card numbers.
“The street value of a credit card has dropped a hundredfold because it’s so easy to steal [the numbers],’’ so gangsters are moving into the market for stolen corporate secrets, Corman said. “Law enforcement is ill-prepared for this on every level.’’
One reason why there are more accounts of hacker attacks is that more companies are admitting their systems have been breached. “It used to be you wouldn’t want to be the one guy who failed,’’ said Corman. “Now it’s become more commonplace.’’
Companies that lose large amounts of personal data, like names, addresses, or Social Security numbers, have no choice but to inform the public. Most states require companies to report such data breaches, even if the business isn’t based in the state. Massachusetts passed such a law in 2007, after the massive TJX data breach, and now state Attorney General Martha Coakley is questioning New-York-based Citigroup Inc., parent of Citibank, about the bank’s loss of credit card numbers. “We are in touch with Citibank and are taking all steps to make sure they fulfill their obligations under Massachusetts law,’’ a spokesman for Coakley said yesterday.
The worst network breaches are too big to conceal. The attack on Sony not only exposed vast amounts of personal data, but also took down the company’s worldwide video game network for a month, preventing millions of players from enjoying their favorite online games. Yesterday, police in Spain arrested three suspected members of a politically motivated international hacking group called Anonymous, charging them with participating in the Sony attack.
Such arrests may prove all too rare, because it’s easy for cybercriminals to hide amid the millions of computers on the Internet. Mark Rasch, former head of the computer crime unit of the Justice Department, said the last time a major hacking ring was successfully prosecuted was when Gonzalez was tried for the TJX breach. “These people are not worried about getting caught,’’ said Rasch, now director of cyber security and privacy consulting at CSC Corp. of Falls Church, Va., which builds data processing and security systems for large businesses and government agencies.
Cybercrime by governments will probably be even tougher to fend off. In late 2009, computers at the search engine giant Google Inc. came under a severe attack aimed at getting access to the company’s software codes. A host of other companies, including Adobe Systems Inc. and Juniper Networks Inc., were also hit. In January 2010, Google attributed the attack to hackers working from within China, a claim the Chinese government rejected.
“I think 2010 brought political or state-sponsored espionage to the mainstream,’’ Corman said, forcing US policy makers to confront hacking as a national security threat.
Hiawatha Bray can be reached at email@example.com.