Just the good stuff
The bloody little conflict between Russia and Georgia in August 2008 lasted just nine days, but it marked a turning point in the history of warfare. For the first time ever, the shooting was accompanied by a cyberattack.
In the opening hours of battle, unidentified hackers shut down Georgian government, media and banking Web sites. Georgian President Mikhail Saakashvili insisted that Russia was responsible for the cyberattack, and U.S. officials subsequently said he was probably right.
The timing was propitious. Just as Russian ground troops were engaging Georgian forces in combat, the Georgian government was forced to deal with malfunctioning computer systems. U.S. intelligence analysts were convinced that the actions were carefully coordinated.
The disruption was relatively minor, but an important threshold had been crossed. In announcing a cybersecurity initiative nine months later, President Obama referred back to the August events in Georgia, saying they offered "a glimpse of the future face of war."
That is now a widely held view.
America's Tech Edge: A Strength ... And A Weakness
"The next time there is a big war, it will include a cyberattack," says Richard Clarke, a former White House cybersecurity adviser and the author of a new book, Cyber War: The Next Threat to National Security and What to Do About It.
President Obama talks about U.S. cybersecurity in May 2009. Obama has described U.S. computer networks as a "strategic national asset," and promised to "deter, prevent, detect and defend against" cyberattacks.
For the United States, the prospect is especially worrisome. The entire U.S. economy depends on operations in cyberspace. If computer networks shut down, so will the country.
Indeed, in a major cyberwar scenario, the United States would be uniquely vulnerable. No military is more dependent on data networking. Unmanned aircraft send video feeds back to Earth 24/7, while soldiers on the ground are guided by GPS signals and linked via computers to other units and command posts.
"In the first Persian Gulf War, we were able to overcome our opponent easily, largely because of our informational advantage," says James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies.
"But as others realized that," he adds, "they began looking for ways to degrade that capability. How do I disrupt the data? How do I disrupt the communications? How do I monkey with GPS? And so, we have countries out there — big and small — who work every day to figure out how to break DOD's [Department of Defense] informational advantage."
Global Preparations For Cyberwar
Countries around the world are now preparing to fight a cyberwar. And none takes it more seriously than China, according to Lewis.
"Twelve years ago, they said, 'We're going to develop this capability,' " says Lewis. "And you know what? They did. They're very powerful. They're very effective. They're not the best in the world. But they have spent a lot of time and energy thinking about how to attack the United States in cyberspace."
Of course, the U.S. military is planning its own cyberattacks. Pentagon cyberwarriors have detailed plans to take down power, telecommunication and transportation systems just about anywhere.
There is just one problem: What if the other side strikes first? In cyberwar scenarios, pre-emptive attacks are favored, and effective retaliation can be difficult.
"We have extremely good cyberoffensive capabilities and almost nothing in the way of cyberdefense," Clarke says.
U.S. Not Ready To Fend Off Massive Cyberattack
The United States' lack of preparation for a cyberattack was highlighted in a recent exercise co-sponsored by the Bipartisan Policy Center and CNN.
The participants, playing top government roles, went through a simulation of an aggressive cyberattack. The scenario featured a cascading series of technology failures, beginning with mobile telephone networks. Internet traffic soon slowed to a crawl, and communication between financial centers came almost to a standstill.
The mock exercise, dubbed "Cyber Shockwave," was set in the White House Situation Room, with top U.S. security officials struggling to keep up with the developments.
"What do we have to do now to contain this?" asked Stephen Friedman, an economic adviser to President George W. Bush, playing the role of Treasury secretary for the purposes of the exercise.
No one had an answer.
Other former officials, including John Negroponte, the first director of National Intelligence, and Michael Chertoff, the former secretary of Homeland Security, also played key roles in the simulation. None found that their government experience prepared them for the decisions and policy actions that the cybercrisis required.
Some experts later disputed the likelihood of an attack as overwhelming and fast-moving as the one in the simulation, but they agreed it could not be ruled out. In any case, the exercise showed that the U.S. government is not prepared to deal with a massive cyberattack on its civilian infrastructure.
How To Deter? How To Retaliate?
That's not to say that no one in government had thought about the prospect of a cyberwar. In his May 2009 speech on cybersecurity, President Obama described U.S. computer networks as a "strategic national asset" and promised to "deter, prevent, detect and defend against" cyberattacks.
Secretary of State Hillary Clinton followed up that pledge in a speech in February 2010. "States, terrorists, and those who would act as their proxies, must know that the United States will protect our networks," she said.
However, Clinton did not explain what the government would do to protect those networks. A cyberstrike would come at the speed of light. Such an attack could not be stopped in midair, the way an incoming ballistic missile might be. Experts say the key to an effective cyberdefense is to establish an effective deterrent, so that countries would be dissuaded from attacking in the first place.
During the Cold War, when the United States faced the threat of a nuclear attack, U.S. administrations made clear that any strike would prompt an all-out retaliation. As a result, no one dared to make the first move.
To deter a cyberattack, however, is far more difficult. One of the gravest challenges is what experts call the "attribution problem." U.S. defense and intelligence agencies would likely have a hard time determining precisely where an attack came from and to whom it could be attributed.
In the "Cyber Shockwave" simulation, the U.S. players first concluded that the attack originated from a server in Irkutsk, Russia. But John McLaughlin, a top CIA official playing the role of CIA director in the simulation, interrupted the White House meeting to announce that his "analysts" had told him they could not confirm that the cyberattack actually came from Irkutsk.
"In fact, the prevailing theory is that these servers in Irkutsk may be only a hopping point for an attack that could be coming from somewhere else," McLaughlin said during the simulation. "We just don't know at this point."
If anything, the attribution problem is growing more complicated. Cyberwarriors can now hijack computers in other countries, working remotely through them, hopping from server to server. Because it's so hard to trace the attack to a perpetrator, direct retaliation may be impossible.
A Losing Battle
Cyberwarfare is an entirely new phenomenon, and for all its efforts to develop an offensive cybercapability, the U.S. military has yet to resolve some basic questions, such as when it would be justifiable to strike first, and how to prepare for an attack without aggravating international tensions.
"We're probably doing things on lots of networks around the world to get ready for cyberwar," says Clarke, "and yet we do not have a military strategy that has been shared with the Congress or the public. And I suspect we don't really have a military strategy at all."
For a country whose economy operates largely in cyberspace and whose military pioneered Net-centric warfare, this is a serious failing.
Lewis likes to cite the German military leaders 70 years ago who took pride in their ability to encrypt radio communication through their Enigma machines. What they did not realize, Lewis says, was that U.S. allies had cracked the Enigma code and were intercepting all those "secret" German messages.
"Unfortunately, today we've reversed the roles," says Lewis of the Center for Strategic and International Studies. "We're the people sitting there fat, dumb and happy, thinking we're getting all this advantage from our network and not realizing that our opponents are sitting in it and reaping all the benefits."
He adds, "I see this as possibly one of the gravest intelligence battles the U.S. has ever fought, and it's a battle we're currently losing."
On The Rachel Maddow Show host Rachel Maddow took on Fox News and their selective editing of the California ACORN tapes. Maddow played both the Fox News edit of the tapes, and the full tapes. Maddow said, “If you watched the footage these guys released, if you followed the wall to wall coverage on Fox…If you are a member of Congress who voted to defund ACORN…You were had.”
After playing the edited tape and the full tape side by side, Maddow said, “If you watched the footage these guys released, if you followed the wall to wall coverage on Fox, if you read all of the fawning mainstream media coverage of what these guys did, if you were a member of Congress and you voted to defund ACORN because of the outrage portrayed in these tapes, you were had.”
Did ABC News doctor its report on how a Southern Illinois University professor was able to rig a Toyota Avalon to become a runaway with unintended acceleration?
Gawker.com is reporting that ABC News confirmed to them that footage in a news report showing Professor David Gilbert's test-car being driven by reporter Brian Ross was altered. Footage of the tachometer revving while driven was replaced by a shot of it revving while parked, because the driving shot was too blurry. ABC says this doesn't change the fact that a similar acceleration occurred, but Gawker says it was done to "make it look scarier."
Toyota is disputing the tests, producing a report Friday from its testing firm Exponent that says it was able to produce the same result on a wide variety of cars from different makers, none implicated in the unintended acceleration scandals. Thus, the report obtained by Drive On concludes:
The way the Avalon was rigged to produce unintended acceleration for the tests is highly unlikely to ever occur on its own in the real world, Exponent says.
It was reported that Gilbert may meet with the research group to review the tests. It was not reported if the other vehicles did not return an error code, like the Toyota that Gilbert had tested.
More than 60 Toyota owners have complained to the National Highway Traffic Safety Administration about cars already repaired under the two major Toyota recalls, saying they aren't fixed and their throttles can still race out of control. This brought up a new slew of questions regarding the company's fixes and its throttle control system.
Toyota announced Thursday that it followed up with a number of the cars it could track down from the verified complaints and thoroughly tested them. The company's findings have been forwarded to NHTSA for review, but no word has been released yet from the government. Toyota said it found no defects with the repairs or the electronic throttle control.
Bernie Madoff, who is scheduled to be sentenced June 29 for perpetrating history's biggest Ponzi scheme, is just the latest in a long line of industry titans turned crooks.

Bernard L. Madoff Investment Securities LLC
Pleaded guilty: March 12, 2009 to 11 charges of fraud
Next to Bernie Madoff, the rest of the sticky-fingered CEOs on this list seem like dime-store shoplifters. Madoff's decades-long, $65 billion Ponzi scheme, which came to a screeching halt with his Dec. 11, 2008 arrest and earned him 150 years in prison, is perhaps history's biggest financial swindle, and his trademark thin-lipped smile became the defining image of the avarice that last fall nearly brought the global financial system to its knees. What made his deception doubly painful was Madoff's sterling reputation—for years, he was regarded a pillar of the investment community, a taciturn superstar whose clockwork returns had clients nearly breaking down his door. From the 17th floor of the Lipstick Building in Manhattan, the 70-year-old money manager bilked thousands of investors, picking the deep pockets of his country-club counterparts, bankrupting charitable foundations, ransacking tycoons and celebrities alike. When he pleaded guilty in March to federal charges that carry up to 150 years in prison, millions cheered his comeuppance. What we've yet to come to terms with, however, is the way in which his unalloyed greed exposed our own.

CEOs: Enron
Convicted: May 25, 2006 of fraud and conspiracy
Enron imploded with breathtaking speed in the early 2000s, going virtually overnight from being the nation's seventh-largest company to a bankrupt shell synonymous with corporate greed and deceit. Kenneth Lay and Jeffrey Skilling were at the helm as the company collapsed, taking the jobs and savings of thousands along with it. Lay helped create Enron in 1985 as a natural gas provider and presided as it grew into an energy-trading behemoth worth some $68 billion in 2000. Skilling joined in 1990 and, as he rose, pushed an aggressive growth strategy that, in retrospect, relied on shady accounting to reflect chimerical profits. In 2001, Skilling briefly became the company's CEO while Lay moved to chairman; Skilling abruptly resigned months later as the energy giant neared the breaking point, later cashing out nearly $60 million in stock. The company filed for Chapter 11 on December 2, 2001 — at that point the largest bankruptcy in U.S. history.
Skilling and Lay were tried together and convicted in May 2006 on fraud and conspiracy charges. Lay died of heart disease two months later while awaiting a prison sentence that could have lasted 45 years. Skilling was fined $45 million and is currently serving a 24-year sentence in federal prison. He has appealed his conviction.

CEO: Tyco International Ltd.
Convicted: 06/17/2005 of misappropriation of corporate funds
In a 60 Minutes interview defending his innocence, former Tyco CEO Dennis Kozlowski maintained that "nothing was hidden." That's for sure. Innocent or guilty, Kozlowski clearly wasn't modest, living a life of opulent luxury. The question of the case wasn't whether he took the money (he did), but rather whether he was authorized to do so — an issue he considered a jury unfit to rule on. "I was a guy sitting in a courtroom making $100 million a year and I think a juror sitting there just would have to say, 'All that money? He must have done something wrong.'"
There's no denying Kozlowski led a lavish lifestyle. His $30 million New York City apartment was allegedly paid for by the company. (The shower curtains alone, it was revealed in court, cost $6,000.) Tyco also footed half of the $2 million bill for an extravagant birthday party for Kozlowski's second wife in 2001. Disguised as a shareholder meeting, it took place on an Italian island and featured an ice sculpture of the Statue of David urinating Stolichnaya vodka. The bash—which became known as the Tyco Roman Orgy—probably didn't help his case. Kozlowski is currently serving up to 25 years in prison.

CEO: Adelphia Communications Corporation
Convicted: 07/08/2004 of bank, wire and securities fraud.
John Rigas' story is an increasingly common version of the typical American dream: from rags to riches to Federal court. Born in a rural New York town to Greek immigrant parents, Rigas was busing tables by the age of nine, joined the Army during World War II and earned a bachelor's degree in management engineering, working nights at his family's small movie theater. Starting with a stake in a small cable TV franchise, the Rigas family built the Adelphia Communications Corporation, the fifth largest cable provider in the country, with 5.6 million customers in 30 states. But he was forced to retire as CEO in 2002 after being indicted for securities, bank and wire fraud; prosecutors charged him with the personal misuse of corporate funds and with hiding $2.3 billion in liabilities from investors. Rigas was convicted and sentenced to 15 years in prison; Adelphia filed for bankruptcy after admitting that the former CEO and his two sons had failed to record $3.1 billion in loans. Rigas, who petitioned for a Presidential pardon in January 2009 and was rejected, will be 92 years old when his sentence runs out in 2017.

CEO: Qwest International
Convicted: 4/19/2007 of insider trading. Appeal pending.
In the wake of a multibillion-dollar accounting scandal that nearly destroyed the Denver-based telecommunications company, former Qwest CEO Joe Nacchio was convicted in April 2007 on 19 counts of insider trading. Prosecutors said he illegally sold $52 million in stock in 2001, even as he knew the company was taking on water. Nacchio was sentenced to 6 years in prison but remained free on $2 million bail pending an appeal.
In 2008, a U.S. appeals court overturned Nacchio's conviction, saying a key expert witness had been wrongfully barred from testifying. But the ruling was hardly a vote of confidence in the disgraced executive: the judges also concluded there was sufficient evidence to convict him. This February the guilty verdict was reinstated, and Nacchio was ordered to serve out the remainder of his term. In a last-ditch effort to stay out of the slammer, Nacchio asked a federal judge in March to reconsider his request to remain free on bail while he appealed to the Supreme Court for a new trial. No such luck: in April he was ordered to report to prison. Nacchio is now sharing a cell at a minimum-security Federal prison camp at Minersville, Pa. His Supreme Court appeal is still pending.

Canadian pornographic film actress Kathryn Gannon, known as "Marilyn Star," is accused of illegally profiting from inside information gained from an intimate relationship with James McDermott Jr., former chief executive at an investment bank.
CEO: Keefe, Bruyette & Woods
Convicted: April 27, 2000 of insider trading
Once upon a time, James McDermott earned $4 million a year as chairman and CEO of the Wall Street investment bank KBW, making regular appearances on CNBC and CNN to showcase his financial prowess. Until, that is, he brought his business expertise into the bedroom. In December 1999, McDermott, a married father of two, was arrested for leaking secrets about five pending bank mergers to his mistress. The "McDermott mess" took a turn for the tabloids when it was discovered that his mistress, Kathryn B. Gannon, had some secrets of her own — she was an X-rated film star with another lover on the sly who, along with Gannon, had made an estimated $80,000 off of McDermott's tips.
McDermott's lawyers blamed his lapse in judgment on alcohol, depression and family problems. "During this trial I was called a stud stock-picker and a master of the universe," he told the court. "Those things could not be further from the truth. I'm just an average person who's tried to work hard and to give back." In the end, U.S. District Judge Kimba Wood reduced his sentence from 24 months to just 8 months. (Reporters later overheard KBW attorney Mitch Kleinman in the courthouse saying, "She bought it hook, line and sinker.") Though an appeals court overturned McDermott's conviction in 2001, saying his mistress had been unfairly portrayed as a prostitute, McDermott decided against a new trial and instead pleaded guilty to one charge of insider trading. In the end, he lost $25,000 in fines and five months of freedom.

CEO: ImClone
Convicted: October 15, 2002 of securities fraud, bank fraud, obstruction of justice, and perjury
Known for his networking skills as much as for his scientific expertise, immunologist Sam Waksal founded ImClone in 1984. The New York-based biotech firm remained relatively unknown until 1999, when it announced the creation of Erbitux — a cancer-fighting drug so promising it convinced pharmaceutical giant Bristol-Myers to purchase $1 billion of ImClone stock in one of the largest biotechnology partnerships in U.S. history. But when the Food and Drug Administration rejected the drug, Waksal alerted several relatives and friends to dump their stock as soon as possible — before the FDA's decision had been made public. Waksal's father and daughter sold $9.2 million worth of ImClone, a move that caught the attention of the SEC and eventually led to his arrest.
Though Waksal pleaded guilty and publicly apologized to his family, his colleagues, and the millions of cancer patients who had held such high hopes for Erbitux, Judge William Pauley dismissed calls for leniency, noting that Waksal had contributed a mere one-half of 1 percent of his $133 million fortune to charity. In the end, the fallen entrepreneur paid $4.3 million in fines and tax restitution, and served 87 months in prison; he was released on Feb. 9, 2009. The scandal's most infamous casualty, however, turned out to be Waksal's pal, Martha Stewart, who had unloaded all 3,928 of her company shares just days before the FDA's decision had been announced to avoid losing an estimated $45,673; the domestic diva got five months in prison as a result.

CEO: Bayou Group hedge fund
Convicted: Fraud in April 2008
Sam Israel III, 49, didn't hear any fat lady sing. After his conviction for defrauding investors of more than $450 million, the Connecticut-based executive decided 20 years in prison wasn't quite his style. Instead of reporting for jail in June 2008, he faked his own suicide — not very well, it must be said — by leaving his SUV on a bridge in upstate New York with the message "Suicide is Painless" (from the M.A.S.H. theme song) scrawled on the vehicle's dusty hood. Israel never really had authorities fooled. Video captured by a nearby security camera showed another car pulling up behind his GMC Envoy shortly before it was abandoned; police suspected it was a getaway car being driven by an accomplice. Days later, Israel's girlfriend Debra Ryan was arrested in connection with his disappearance. Finally, after about a month on the lam (and a place of honor on the U.S. Marshals' most wanted list), Israel rode a scooter to a Southwick, Mass. police station on July 2 and turned himself in at his mother's urging. She had been in touch with U.S. Marshals to let them know she had spoken to her son and coaxed him to do the right thing. For failing to report to prison, Israel faces an additional 10 years behind bars; he will be sentenced June 24.

CEO: WorldCom
Convicted: 03/15/2005 on nine counts of conspiracy, securities fraud and making false regulatory filings
Note to aspiring CEOs: If your company is staggering under massive debt, don't orchestrate an $11 billion accounting fraud to try to cover it up. It doesn't work.
Bernie Ebbers turned WorldCom into the nation's second largest long distance telecommunications company through a series of rapid acquisitions that left it heavily in the red. In 2002, the Mississippi-based company admitted to improperly reporting $3.8 billion in expenses, prompting the Justice Department to open a criminal investigation into its business practices. The Securities Exchange Commission, meanwhile, focused on $400 million that WorldCom personally loaned Ebbers.
WorldCom eventually filed for bankruptcy, and its stock price tumbled from $64 per share to a little over $1. Ebbers' "I had no idea what was going on" defense didn't work; he was convicted of securities fraud, conspiracy and seven counts of filing false reports with regulators. Ebbers is now serving a 25-year sentence in a minimum-security Louisiana prison.
Update: Gregory Reyes, former CEO of Brocade Communications Systems, has been removed from this list after his conviction on charges of backdating stock options was thrown out by a Federal appeals judge in August 2009.
"Hey Alice, look at the pics I took of us last weekend at the picnic. Bob"
That Facebook message, sent last fall between co-workers at a large U.S. financial firm, rang true enough. Alice had, in fact, attended a picnic with Bob, who mentioned the outing on his Facebook profile page.
So Alice clicked on the accompanying Web link, expecting to see Bob's photos. But the message had come from thieves who had hijacked Bob's Facebook account. And the link carried an infection. With a click of her mouse, Alice let the attackers usurp control of her Facebook account and company laptop. Later, they used Alice's company logon to slip deep inside the financial firm's network, where they roamed for weeks. They had managed to grab control of two servers, and were probing deeper, when they were detected.
Intrusions like this one — investigated by network infrastructure provider Terremark — can expose a company to theft of its most sensitive data. Such attacks illustrate a dramatic shift underway in the Internet underground. Cybercriminals are moving aggressively to take advantage of an unanticipated chink in corporate defenses: the use of social networks in workplace settings. They are taking tricks honed in the spamming world and adapting them to what's driving the growth of social networks: speed and openness of individuals communicating on the Internet.
"Social networks provide a rich repository of information cybercriminals can use to refine their phishing attacks," says Chris Day, Terremark's chief security architect.
This shift is gathering steam, tech security analysts say. One sign: The volume of spam and phishing scams — like the "LOL is this you?" viral messages sweeping through Twitter — more than doubled in the fourth quarter of 2009 compared with the same period in 2008, according to IBM's X-Force security research team. Such "phishing" lures — designed to trick you into clicking on an infectious Web link — are flooding e-mail inboxes, as well as social-network messages and postings, at unprecedented levels.
An infected PC, referred to as a "bot," gets slotted into a network of thousands of other bots. These "botnets" then are directed to execute all forms of cybercrime, from petty scams to cyberespionage. On Tuesday, authorities in Spain announced the breakup of a massive botnet, called Mariposa, comprising more than 12 million infected PCs in 190 countries.
Three Spanish citizens with no prior criminal records were arrested. Panda Security, of Bilbao, Spain, helped track down the alleged ringleader, who authorities say has been spreading infected links for about a year, mainly via Microsoft's free MSN instant messenger service.
"It became too big and too noticeable," says Pedro Bustamante, senior researcher at Panda Security. "They would have been smarter to stay under the radar."
What happened to Bob and Alice, the picnickers at the financial firm, illustrates how social networks help facilitate targeted attacks. As a rule, tech-security firms investigate breaches under non-disclosure agreements. Honoring such a policy, Terremark used pseudonyms for the affected employees in supplying USA TODAY with details of what happened at the financial institution.
Investigators increasingly find large botnets running inside corporate networks, where they can be particularly difficult to root out or disable. "Social networks represent a vehicle to distribute malicious programs in ways that are not easily blocked," says Tom Cross, IBM X-Force Manager.
Koobface gold mine
The attacks run the gamut. In just four weeks earlier this year, one band of low-level cyberthieves, known in security circles as the Kneber gang, pilfered 68,000 account logons from 2,411 companies, including user names and passwords for 3,644 Facebook accounts. Active since late 2008, the Kneber gang has probably cracked into "a much higher number" of companies, says Tim Belcher, CTO of security firm NetWitness, which rooted out one of the gang's storage computers.
"Every network we see today has a significant problem with some form of organized threat," Belcher says. The Kneber gang "happened to focus on collecting as many network-access credentials as possible."
Stolen credentials flow into eBay-like hacking forums where a batch of 1,000 Facebook user name and password pairs, guaranteed valid, sells for $75 to $200, depending on the number of friends tied to the accounts, says Sean-Paul Correll, researcher at Panda Security. From each account, cyberscammers can scoop up e-mail addresses, contact lists, birth dates, hometowns, mothers' maiden names, photos and recent gossip — all useful for targeting specific victims and turning his or her PC into an obedient bot, Correll says.
On the high end, the Koobface worm, initially set loose 19 months ago, continues to increase in sophistication as it spreads through Facebook, Twitter, MySpace and other social networks. At its peak last August, more than 1 million Koobface-infected PCs inside North American companies were taking instructions from criminal controllers to carry out typical botnet criminal activities, says Gunter Ollmann, vice president of research at security firm Damballa.
In another measure of Koobface's ubiquity, Kaspersky Labs estimates that there are 500,000 Koobface-controlled PCs active on the Internet on an average day, 40% of which are in the U.S., 15% in Germany and the rest scattered through 31 other nations. "The personal information employees post day-by-day on Facebook is turning out to be a real gold mine," says Stefan Tanase, a Kaspersky Lab senior researcher.
Facebook, the dominant social network, with 400 million members and therefore the biggest target, says recent partnerships with Microsoft and security firm McAfee to filter malicious programs help keep compromised accounts to a small percentage. "We are constantly working to improve complex systems that quickly detect and block suspicious activity, delete malicious links and help people restore access to their accounts," says spokesman Simon Axten.
Still, social networks have grown popular because they foster open communication among friends and acquaintances, which plays into the bad guys' hands, says Eva Chen, CEO of anti-virus firm Trend Micro.
"These new communication platforms are where people go, so that's where the hackers are going," Chen says.
Meanwhile, discussions about restricting workplace use of social networks and training employees to be more circumspect are just beginning to percolate at venues like the big tech security trade show here this week sponsored by RSA, the security division of EMC. "Most larger businesses simply ask employees to watch their time spent on social-networking sites," Ollmann says.
A noisy attack
Each infected PC in a corporate network represents a potential path to valuable intellectual property, such as customer lists, patents or strategic documents. That's what the attackers who breached Google and 30 other tech, media, defense and financial companies in January were after. Those attacks — referred to in security circles as Operation Aurora — very likely were initiated by faked friendly messages sent to specific senior employees at the targeted companies, says George Kurtz, McAfee's chief technology officer.
The attack on the picnicking co-workers at the financial firm illustrates how targeted attacks work. Last fall, attackers somehow got access to Bob's Facebook account, logged into it, grabbed his contact list of 50 to 60 friends and began manually reviewing messages and postings on his profile page. Noting discussions about a recent picnic, the attackers next sent individual messages, purporting to carry a link to picnic photos, to about a dozen of Bob's closest Facebook friends, including Alice. The link in each message led to a malicious executable file, a small computer program.
Upon clicking on the bad file, Alice unknowingly downloaded a rudimentary keystroke logger, a program designed to save everything she typed at her keyboard and, once an hour, send a text file of her keystrokes to a free Gmail account controlled by the attacker. The keystroke logger was of a type that is widely available for free on the Internet.
The attackers reviewed the hourly keystroke reports from Alice's laptop and took note when she logged into a virtual private network account to access her company's network. With her username and password, the attackers logged on to the financial firm's network and roamed around it for two weeks.
First they ran a program, called a port scan, to map out key network connection points. Next they systematically scanned all of the company's computer servers looking for any that were not current on Windows security patches. Companies often leave servers unpatched, relying on perimeter firewalls to keep intruders at bay. The attackers eventually found a vulnerable server, and breached it, gaining a foothold to go deeper.
A short time later, the attackers were discovered and cut off. One of Bob's Facebook friends mentioned to Bob that the picnic photos he had sent had failed to render. That raised suspicions. A technician took a closer look at daily logs of data traffic on the company's network and spotted the vulnerability scans.
Terremark's Day says two or three collaborators, each with different skill sets, most likely worked together to pull off the attack. "They were noisy about how they went about this," Day says. "Had they been quieter they would've gotten much further."
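The scans the technician spotted in the traffic logs can be flagged automatically. The following is an added example, not part of the original article: it assumes a simple flow-log layout (timestamp, source, destination, destination port) and uses constructed addresses, ports and thresholds to catch one source fanning out across many ports or many hosts within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_flow(line):
    """Parse 'ISO-timestamp source destination dest-port' (assumed log layout)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def detect_scans(lines, window=timedelta(minutes=5), port_threshold=20, host_threshold=10):
    """Return sorted (kind, source, target) alerts for fan-out inside a sliding window."""
    alerts = set()
    recent = defaultdict(list)  # source -> [(time, destination, port)] still inside the window
    for ts, src, dst, dport in sorted(parse_flow(l) for l in lines if l.strip()):
        bucket = recent[src]
        bucket.append((ts, dst, dport))
        while ts - bucket[0][0] > window:  # expire events older than the window
            bucket.pop(0)
        # Many ports on one host: the "port scan" step.
        if len({p for _, d, p in bucket if d == dst}) >= port_threshold:
            alerts.add(("port_scan", src, dst))
        # One port across many hosts: the sweep for a common service.
        if len({d for _, d, p in bucket if p == dport}) >= host_threshold:
            alerts.add(("host_sweep", src, f"port {dport}"))
    return sorted(alerts)

def constructed_flows():
    """Constructed sample traffic; addresses, ports and times are invented for the example."""
    t0 = datetime(2009, 10, 5, 2, 0, 0)
    stamp = lambda **kw: (t0 + timedelta(**kw)).isoformat()
    lines = []
    for i, port in enumerate(range(1, 101)):  # VPN client walks ports 1-100 on one server
        lines.append(f"{stamp(seconds=i)} 10.8.0.23 10.1.1.10 {port}")
    for i in range(30):  # then tries port 445 on 30 servers
        lines.append(f"{stamp(minutes=10, seconds=i)} 10.8.0.23 10.1.1.{20 + i} 445")
    usual = [("10.1.1.10", 443), ("10.1.1.11", 445), ("10.1.1.12", 25)] * 4
    for i, (dst, port) in enumerate(usual):  # ordinary workstation, one flow every 5 minutes
        lines.append(f"{stamp(minutes=5 * i)} 10.2.0.7 {dst} {port}")
    return lines

if __name__ == "__main__":
    for alert in detect_scans(constructed_flows()):
        print(alert)
```

The thresholds are starting points; tune them against a baseline of normal traffic, since backup servers and monitoring tools legitimately touch many hosts.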
USER SAFETY TIPS
Twitter and Facebook offer similar advice for dealing with bad links and compromised social-networking accounts. Twitter warns: If you receive a message with a phrase like "This you??" or "LOL is this you" followed by a link, do not click through; there's a phishing site on the other side. Suspicious links can show up in spam messages or via faked status updates. What to do if you've been hit:
Via: USA Today
Are you more vulnerable to credit card theft if you stay in a hotel?
No need to get paranoid, but it is a valid question, since online security firm Trustwave SpiderLabs considers hotels hackers' No. 1 target. It's also a timely question, since Wyndham Hotels just yesterday announced that hackers stole customer credit card information by breaching its networks. It's Wyndham's third breach in 12 months.
To understand the problem better, I recently talked with online security expert Nicholas Percoco, who works as a security auditor and data breach investigator for the security firm Trustwave SpiderLabs. The firm investigates breaches for companies and figures out how they happen.
"This is a new trend. Prior to late 2008, we did not really see any investigations around hotels - maybe a handful," Percoco told me during our conversation. "But it was not something significant enough to call it a trend."
In the firm's recent study of 218 breach investigations across 24 countries last year, Trustwave found that hotels accounted for about 70 of them - making them hackers' favorite targets, even over the financial services companies.
His theory is that sometime in late 2008, a fairly sophisticated group hacked into a single hotel and they identified it as an easy system to extract information, Percoco told me.
"The group doing this crime happened upon hotels and said this is easy," he said. "They figured that (individual) hotels are smaller in general and don't have dedicated IT staff. What they learned from that one attack they (repeated) as many times as possible over the course of 2009."
Percoco wouldn't identify hotel clients, but he did suggest that some chains are being more proactive than others in trying to thwart hackers.
"Your larger hotel chains have started to take action," he said.
"Now where the larger risk probably lies - once the brand names lock up their systems - is with the independent hotels," Percoco said. "Many don't have the resources and don't have centralized staff to help them out."
So, why have hotels become such a favored target among hackers?
Hotels - with stretched staff and computer systems that vary by individual hotel - aren't always watching their network carefully, he said. That makes it relatively easy for hackers to gain access into one computer, and then use it as a doorway into a chain's central system.
The cybercriminals have also had success staying undetected for months at a time once they hack into a hotel's system, Percoco said. The average breach last year went undiscovered for 156 days.
"They were looking at people's data for five months on average, and no one knew about it," he said.
Hackers eventually get discovered - after they've stolen data
In a small percentage of cases, hotels discover a problem when their system crashes.
"As humorous as it sounds, we've had a number of cases where staff report that a mouse is moving around by itself and they weren't controlling it," Percoco said. "It turned out that somebody was on that system that shouldn't be."
The majority of cases, however, are detected by credit card companies - after hackers have succeeded in stealing hotel guests' names, credit card numbers and other sensitive data, he said. The credit card companies - whether American Express, Visa or MasterCard - then start investigating once they receive a group of calls reporting fraudulent charges.
"Imagine if 500 people called their credit card companies," Percoco said. The credit card company then examines records to find patterns, and discovers that the individuals had all stayed in Hotel XYZ, he said.
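The pattern search described above is often called common-point-of-purchase analysis. The following is an added example, not part of the original article and not any card issuer's actual method: it ranks merchants by how many fraud-reported cards they share and by how unusual that is for the merchant, using constructed card and merchant names (only "Hotel XYZ" is taken from the text).

```python
from collections import defaultdict

def common_points(transactions, reported_cards, min_reported=3):
    """Rank merchants as likely compromise points.

    Returns (merchant, reported_cards_seen, coverage, fraud_rate) tuples where
    coverage   = share of all reported cards that were used at the merchant
    fraud_rate = share of the merchant's cards that were later reported
    """
    reported = set(reported_cards)
    cards_at = defaultdict(set)
    for card, merchant in transactions:
        cards_at[merchant].add(card)
    ranked = []
    for merchant, cards in cards_at.items():
        hit = cards & reported
        if len(hit) < min_reported:  # too few reports to call it a pattern
            continue
        coverage = round(len(hit) / len(reported), 2)
        fraud_rate = round(len(hit) / len(cards), 2)
        ranked.append((merchant, len(hit), coverage, fraud_rate))
    # A shop everyone uses has high coverage but a low fraud rate, so score on both.
    ranked.sort(key=lambda r: (-(r[2] * r[3]), r[0]))
    return ranked

# Constructed sample data: five cardholders have reported fraudulent charges.
REPORTED = [f"card{i:02d}" for i in range(5)]

def constructed_transactions():
    tx = []
    for card in REPORTED:  # every reported card stayed at the hotel and bought groceries
        tx += [(card, "Hotel XYZ"), (card, "GroceryMart")]
    tx.append(("card05", "Hotel XYZ"))  # one hotel guest with no fraud reported yet
    tx += [(f"card{i:02d}", "GroceryMart") for i in range(5, 50)]  # busy, uncompromised shop
    tx.append(("card00", "Cafe Uno"))  # a single coincidental match
    return tx

if __name__ == "__main__":
    for row in common_points(constructed_transactions(), REPORTED):
        print(row)
```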
Cybercriminals still targeting hotels this year
So are hackers moving on to another industry yet? No, according to Percoco.
"There has been a report that there's another batch of these that perhaps we'll be investigating in the next couple of weeks," he told me.
Will hotel guests be able to tell if their data has been compromised? Not usually, Percoco said, although he did have an alarming story of his own to tell... Last October, Percoco checked into a hotel and within two hours of handing over his credit card at the front desk for a swipe, he became a victim of identity theft.
"Later that evening, I got a call from the card issuer saying that they'd noticed some potentially fraudulent use and that I should call them," he said. "Turned out that someone went on a shopping spree and racked up close to $2,000 in random locations all over the place."
Cybercriminals have the ability to copy stolen credit card data onto a magnetic strip to create a phony, physical credit card and buy items with it in stores - all within a couple of hours, he said. Ultimately, his card issuer cancelled the card and issued him a new one, so he was inconvenienced but not out any money, he said.
Still, some hotel guests find the trend disturbing.
One of the most-recommended comments written on my previous post about hotel hackers came from Hotel Check-In reader Anonymous, who wrote:
"Hotels and airlines as well as every other business should be held accountable for failing to provide adequate security for their customers."
By the way, I asked Percoco for tips on how to avoid getting scammed, but he said there's little you can do. Your best bet? Monitor your credit card statements each month to check for fraudulent charges, he said.