E is for Everywhere
In March, 2010, over 100 drivers in Austin, Texas, found their cars inert on the pavement, refusing to start; some absently honked.
The dead cars were testament to the perils of interconnectedness: When networking is everywhere around us, so is vulnerability to attack.
The cars, it turned out, came from the same used-car dealer, who had installed a device that could deactivate cars if the owners stopped paying. A disgruntled former employee accessed the system and locked out the drivers.
More than one sci-fi franchise has postulated doom-by-computer network. And in today’s reality, computer networks reach into every corner of the world, from the lights on the CN Tower (controlled by a remote web interface) to life-or-death instruments like cars and medical equipment. “It’s something we haven’t dealt with in the security industry until recently,” says Brian Contos, a strategist at McAfee.
Vulnerability has many faces. In industrial settings, PCs that control critical processes in everything from manufacturing to power distribution don’t always get updated: Patches might change the way a computer works and introduce instability, and the last thing you want is the power grid conking out. This means that there’s still a backlog of very old, very vulnerable systems in critical roles.
The auto industry is another concern. Cars aren’t cars any more so much as networks on wheels, encompassing dozens of different processors and systems. A vehicle’s central computer software spans hundreds of millions of lines of code. RFID tags in the wheels sense pressure and send a wireless message to the car’s central computer to alert the driver should the tire need attention. Cadillacs have their own Wi-Fi hot spots. Infotainment systems talk to the Internet, log into Facebook, shunt audio/video around the car, and store your contact information. Systems like OnStar can remotely slow your engine to a stop in case of theft. But unlike desktop software that gets updates constantly, embedded computers tend to be updated less frequently, if at all, leaving vulnerabilities exposed for longer.
And if you don’t yet feel surrounded by suspect technology, consider that last year security whiz Barnaby Jack hacked an insulin pump in real time, on-stage, at a convention. McAfee’s Contos says a company investigation showed that IV pumps equipped with Bluetooth could be hacked to overdose patients; security apparently just hadn’t been considered in their design.
F is for Facebook
Think that blocking employees from social networks will help secure your firm and boost productivity? Perhaps you’re right, but it also could backfire. Young employees don’t take well to being barred from Facebook, and rather than go cold turkey, they’ll look for options. “People find a way to get around it, and that’s where breaches happen,” says Hernan Barros, director of product management at Telus Security Solutions. “You’re routing around the security.”
Employees who are adventurous might find some way to work around the corporate web filter. More likely, they’ll surf from their phone or bring in a tablet from home. “Facebook and using a mobile device for corporate use: Now you’ve got a deadly combination,” says Barros. Oftentimes, work ends up on the personal device. Details may leak out through a social network. Or, worse still, the device might wander off—taking the corporate data with it.
G is for Ghostnet
A story to give diplomats and human-rights activists a chill: In 2009, Citizen Lab uncovered a secret network—which it dubbed Ghostnet—of at least 1,295 computers, all infected with malware that gave an unknown entity free rein to rummage through their documents, and spy in real time. Some 30% of those computers were “high-value” targets in places like embassies and government ministries. The infection was spread by convincing-looking e-mail attachments. The target list seemed tilted toward Tibetan targets, including the Dalai Lama. Three out of four of the servers controlling the network were based in China.
H is for Hackers
In March, a 28-year-old Manhattanite named Hector Xavier Monsegur was very publicly unveiled as “Sabu,” one of the leaders of LulzSec, a group that conducted aggressive hacking efforts (including an infamous Sony job; see “P” below) in loose affiliation with Anonymous. He was goateed, handsome and charismatic; he was an enemy of government censorship and a dabbler in drug-dealing and stolen goods. And, as it turned out, he was an FBI informant.