Hackers Lurk in the Strangest Places

When hackers were unable to gain access to Target’s records through their main system, they went through its heating and cooling system. In other cases, hackers have used printers, thermostats, video-conferencing equipment and a Chinese takeout menu.

A Chinese takeout menu? Yes, when hackers couldn’t breach the computer network at a big oil company, they infected the online menu of a Chinese restaurant with malware that was popular with employees of the oil company. When workers browsed the menu, they inadvertently downloaded code that gave attackers a foothold in the business’ network.

Companies that are doing everything possible to seal up their systems are now having to look in the unlikeliest places for vulnerabilities. The situation has grown increasingly complex and urgent. Access to a network is given to all kinds of other computerized systems and services, including heating, ventilation and cooling systems, billing and expense systems, health insurance providers and even vending machines.

While security researchers are often employed to find such leaks in a system, it is now becoming as difficult as finding a needle in a haystack.

Read the full story online.

Research Universities Subject to Cyber Attacks

According to the New York Times, leading US research universities have been subject to millions of hacking attempts on a weekly basis. Professors at these universities, including MIT, receive thousands of patents each year in areas such as prescription drugs, computer chips, fuel cells, aircraft, medical devices, food production and more.

Bill Mellon of the University of Wisconsin told the Times they get 90,000 to 100,000 hacking attempts per day, from China alone, to penetrate their system.

Although it is difficult to track where the attacks are coming from, US government officials, security experts and university and corporate officials say that China is clearly the leading source of efforts to steal information. Other countries are Russia and Vietnam.

A growing number of schools no longer allow their professors to take their laptops and smart phones to certain countries. They  fear information will be copied or malware will be planted that will be activated when the device is taken home and connected to a network, allowing the thieves to get in.

Read this story online.

Protecting Your Twitter Account

Last week a group called the Syrian Electronic Army hijacked the Twitter account of the Associated Press and sent out an erroneous message reporting explosions at the White House that injured President Obama.

Moments later it was confirmed that the Twitter account had been hacked and the president was unharmed. Twitter suspended the account, but by then the post had moved markets. The Dow Jones Industrial average plummeted by 150 points and then surged back.

The AP’s account is the sixth prominent Twitter account to be hacked in recent months, according to the New York Times.

This causes some concern about the security measures put in place to protect Twitter accounts, especially those with high profiles. The info graphic in this article shows just how dangerous hacking can be when a news source that is trusted has been targeted by hackers.

Learn how to protect your Twitter account by following these five tips:

  1. Create unique passwords across all your social accounts. How strong are your passwords?
  2. Monitor your third-party apps.
  3. Don’t click on links from people you don’t know.
  4. Update your computer and operating system as well as your anti-virus software.
  5. Sign out when done, especially on public computers.

Know what to do if your account has already been hacked.

Is Your Site Hacked?

Google has launched a website “Help for Hacked Sites” with information to help web masters when their sites have been hacked. The site offers a series of articles and videos to help the website owners regain control of their sites and tighten their security.

Some preventative steps include being vigilant about keeping software updated for the site and understanding security practices of all applications, plug-ins, third-party software and other applications before you use them with your site.

Passwords: Now Cracked Faster

At a conference in Oslo last week, a presentation described how a cluster of 25 AMD Radeon GPUs  (read: very, very fast computers) using a combination of software (including a freely available password-cracking suite optimized for GPU computing) can make 348 billion guesses per second against NTLM hashed passwords (NTLM stands for NT LAN Manager, a suite of Microsoft security protocols that provides authentication, integrity and confidentiality to users). It makes 63 billion guesses against SHA-1 hashed passwords (SHA-1 is an algorithm used in cryptography).

In human speak: Passwords can now be cracked faster, giving password thieves even stronger tools to read your passwords.

The system described above operates against off-line password lists which are now available due to the large number of system breaches that led to password leaks.

What this means for users is that 8-character passwords are no longer sufficient and we should use longer passwords to help defeat brute force attacks and complex passwords to help defeat dictionary attacks. Of course, users should also not use the same password on multiple accounts. See these additional tips on passwords.

Read the story in the news.

Threat of Cyberattack on the U.S.

Are we facing a “cyber-Pearl Harbor?” Last week Defense Secretary Leon E. Panetta warned that the United States is increasingly vulnerable to foreign computer hackers who could dismantle the nation’s power grid, transportation systems, financial networks and government.

He was apparently responding to a recent wave of cyber attacks on large American financial institutions. He cited an attack in August on the state oil company Saudi Aramaco, which infected and made useless more than 30,000 computers. He is also pushing for legislation on Capitol Hill, requiring new standards at infrastructure facilities, where a computer breach could cause significant casualties or economic damage.

Read the full story in the news.

Putting Data in the Cloud

The central question for anyone doing cloud computing is, “do you have control?” Reliance on a cloud vendor (like Dropbox, Google, Apple’s iCloud and Amazon’s EC2) could lead to breaches and in some recent high-profile cases, already has. Epsilon last year and Dropbox this year reported breaches of their systems.

The problem is that individuals can put personal- or business-sensitive data into a cloud storage service, where anyone with access to the server could potentially read the file. While the design of the cloud service allows third parties to access their user’s accounts, it also leaves the data less secure than a system that encrypted the data before sending it into the cloud.

These five best tips come from an article posted by CNN:

  1. Back up everything – in the cloud or on the ground
  2. Use a bunch (maybe hundreds) of different passwords
  3. Don’t link all of your accounts together
  4. Use two-factor authentication on Google and Facebook
  5. Don’t use “find my Mac” on Apple computers

For interest, read Mat Honan’s story, who lost all his photos and other data by using cloud-based services when he was hacked.