More to fear in 2013

Banking fraud, advanced persistent threats and theft of intellectual property will cause cyber security headaches, says security analyst.

Read time 3min 00sec
Social engineering trumps two-factor authentication every time, says security analyst Patrick Gray.
Social engineering trumps two-factor authentication every time, says security analyst Patrick Gray.

Threats of cyber espionage, cyber theft and hacking were prominent in 2012, and will continue in 2013.

Speaking at the ITWeb Security Summit this week, security analyst and host of the Risky Business security podcast, Patrick Gray, discussed the LinkedIn attack of 2012 as an example of a growing trend of password hacking.

Passwords for 6.5 million user accounts were stolen by Russian cyber thieves, resulting in owners no longer being able to access their accounts. LinkedIn advised users to change their passwords following the incident. Gray said, according to PayPal, around 60% of users recycle their passwords, which adds to the problem.

Retail banking

Gray said we have known for a while that authentication that uses just a username and password is no longer good enough. This saw a move to two-factor authentication; however, a Trojan like Zeus can easily defeat two-factor authentication, rendering it not safe at all.

SMS authentication was also seen as a solution, using a one-time password or similar. "However, this is only as robust as the weakest link. It is still vulnerable, as a SIM can easily be socially engineered."

He uses the Twitter hack on Mat Honan, senior writer for Wired and co-founder of Longshot magazine, as an example. Honan's Twitter account was targeted, and the perpetrators only really needed his Apple ID e-mail address, billing address and the last four digits of his credit card to do this.

More concerning was the way in which they accessed this data. They used the fairly relaxed security policies at Apple and Amazon, and were able to add another credit card to Amazon, the same card from which the last four digits were used for authentication, when updating the account.

According to Gray, this proves that social engineering trumps two-factor authentication every time.

Advanced persistent threats

He said another trend in state-sponsored activity is going largely unreported. Last year, a group of hackers using the moniker "Cutting Sword of Justice" spread a malicious virus into the world's largest oil company, Saudi Aramco, destroying 30 000 of its computers. The attack was described as politically motivated and aimed at disrupting business.

Gray speculates that the attacks got in via spear phishing, and spread custom malware designed to wipe the boot sector. This takes a long time to clear up, and can be described as an economic spoiler attack.

He said a similar attack was carried out against several South Korean banks and broadcasters that infected their computer networks with a malicious program that slowed or shut systems down. He said we can expect more of this sort of attack in 2013.

Intellectual property theft

Another area that is not getting enough attention, says Gray, is China's systematic theft of western companies' intellectual property.

He says China has been doing this to benefit its economy, and international pressure won't stop it. IP protection is just not culturally held in the same regard for the Chinese as it is in the west. "It's almost a form of information communism, and you have to give it to them, it has benefited them hugely."

Login with