Two stories about the hacking of NASDAQ and the Japanese Parliament illustrate the danger of relying on others for IT security.
There was nothing new or particularly innovative about the attack that compromised the network serving Japan’s lower house of parliament. In July, an elected official opened an email attachment carrying a downloader. (Feel free to insert your own joke about politicians’ intelligence here.) The infection then spread to computers used by three other officials, and the Trojan phoned home to a server based in China and downloaded other information-stealing malware. It also compromised the network’s server, where the ID codes and passwords of all the members of the Lower House and their secretaries are stored.
The hacker likely used this information to access personal and professional confidential information. Considering we are just hearing about this now and the initial penetration was in July, it is safe to assume the perpetrators got pretty much everything they might want. The only remedial action made public: Legislators have been advised to change their passwords. How about hitting them upside the head with sticks?
More troubling is the story of hackers who gained access to the NASDAQ computers and used them to get into the networks of a number of other companies.
According to Reuters, “The case is an example of a ‘blended attack,’ where elite hackers infiltrate one target to facilitate access to another. In March hackers stole digital security keys from EMC Corp’s RSA Security division that they later used to breach the networks of defense contractor Lockheed Martin Corp.”
While none of NASDAQ’s trading platforms were compromised in the attack, hackers were able to access a Web-based software program called Directors Desk, used by corporate boards to share documents and communicate with executives. This allowed them to access confidential information for scores of directors and companies.
As the case of the Japanese Parliament shows, there are few bigger threats to security than a user with a laptop. What is most frustrating is that these cases are so easily avoided. Most of the time the users are just ignoring the basic computer safety training they’ve already been given. As they say in Texas, “You keep giving them books and giving them books and they keep chewing on the covers.”
Without more information it is difficult to say what allowed the NASDAQ intrusion to take place. Was this a case of overly trusting someone else’s security systems? We don’t know and, given the nature of the information that was taken, we may never find out. While the primary responsibility for this breach lies with NASDAQ, it is likely that others made the mistake of placing too much trust in someone else’s security.
There’s an old saying in journalism that politicians should be assumed guilty until proven innocent. The same is true for any system that can gain access to your network.