(Ric Saludo’s colleague Marishka Noelle M. Cabrera contributed today’s column.)
FOR the non-nerd, computer hacking is a nuisance at worst, perpetrated by losers with nothing else to do but wreak havoc in cyberspace just for kicks. But the fun is getting serious now, with hackers engineering security breaches in global corporations and institutions and exposing confidential financial data and personal account information.
The most recent known major victim is the International Monetary Fund. Earlier this year, reported The New York Times, the IMF suffered “a very major breach” of its secure systems by hackers intending to establish a “digital presence of insiders” in the Fund’s network. That got its sister institution stating: “The World Bank Group, like any large organization, is increasingly aware of potential threats to the security of our information system, and we are constantly working to improve our defenses.”
A CNN blog said the IMF attack might have been done by “spear phishing … tricking the end user to click on a link, reveal password information or download a malicious program” from a seemingly legitimate source. The Washington Post reported that FBI investigators believe the hack may have originated in China. Commentators expect Beijing to deny any charges, just as it did when accused of an unsuccessful cyber-attack in May on leading U.S. defense contractor Lockheed Martin.
Perhaps the most widely publicized and loathed hack was the April attack on the Sony PlayStation Network, shutting it down to the dismay of millions of online gamers around the world. The following month, hackers reportedly stole personal information of 24.6 million users of Sony Online Entertainment, by Wired.com’s account. Sony blames Anonymous, a ‘hacktivist’ group, which denied responsibility in a statement published in The Guardian of London.
An Anonymous representative did say, in a December 2010 interview with RussiaToday network, that the group was behind DDoS (distributed denial of service) attacks on Visa, MasterCard, and PayPal after those companies suspended services to the whistle-blowing website Wikileaks over the online posting of classified documents from U.S. embassies.
DDoS crashes a website’s server with a massive flood of bogus requests, but the bigger worry in credit card hacks is theft of confidential client account information. Citigroup and Google have been similarly victimized, as reported in PC World, with names, account numbers, log-in names and passwords of 210,000 North American cardholders reportedly being exposed.
If that’s not worrisome enough to Filipinos, we hear every now and then of government websites being vandalized. A hacker defaced the Bureau of Customs site the day after Malacañang announced its security review of government websites. GMA News also reported that a group called Philker breached the Philippine Nuclear Research Institute site and redirected users to its own site. There, a message said that the PNRI intrusion was meant to show vulnerabilities in the country’s cyber-security.
Then just this past Monday, Philker breached the website of the Office of the Vice President, declaring they are a group of hackers “that possess skills in the areas of cyber security, visual graphics and human manipulation that work on the progression of Philippine cyber culture.”
The password of GMA News’ Twitter account, likewise, was exposed. The hacker claimed, in an interview with the blog TechPinas, that he did it to bring to the fore security flaws.
So how do you protect yourself and your company from cyberattack? Here are six tips:
• Securing your organization begins with an awareness of personal security. Naked Security, a blog by IT security company Sophos, recommends in a video that one should refrain from using dictionary words as passwords. Instead, devise an alphanumeric key that is a jumble of capital and small letters, numbers, punctuation marks, and symbols, which is harder for people to decipher. Also, do not use the same password in all your accounts: email, social networking sites, PayPal, eBay, and the like.
• Include security in your company’s website design. The Hacker Club blog cautions that, more often than not, safeguards are considered after a website has been designed or launched. Make cybersecurity part of the site preparations from day one.
• Educate staff on cyber-crime dangers and the safety measures to block breaches, like deleting without opening file attachments from dubious sources or those with .exe or .com extensions. Business Insider site urges employees to always run antivirus or malware checks before downloading files, even if from a known sender.
• Job rotation and segregation of duties can prevent data theft within the organization. Lucius on Security blog suggests job rotation for sensitive functions because it “prevents an employee from covering his tracks as another employee takes on his role for a period of time”.
Segregate duties so that no one person possesses or controls all the data. Make sure to limit the access to privileged information, and install programs that automatically record whose computers access data.
• Keep anti-virus software updated. AllBusiness.com says it takes just “one malevolent virus to bring your network to its knees.” That could be the bug that was not in your security program’s keep-out list due to late updating by a single computer in the firm.
• Protect hardware. Lap-tops, smart phones, tablet computers, and USB flash drives are routinely shuttled between home and office, and thus, can contain sensitive, valuable or mission-critical information. A Philippines Free Press article on staying alive in the digital age says that these devices and “the blending of at-home and at-work technologies … are among the latest causes of data vulnerability.”
You’ve been warned.
[Marishka Cabrera is writer-analyst for The CenSEI Report, providing subscribers of the Center for Strategy, Enterprise & Intelligence analytic research on national, business and global issues.]
#WearMask #WashHands
#Distancing
#TakePicturesVideos
