Business Daily from THE HINDU group of publications, Monday, Oct 19, 2009
eWorld
Security Columns - Security Musings

Chinks in cyberspace
R.K. Raghavan
Cutting through the fence.
"I'm not worried about a teenage hacker reading my email. I'm worried about you reading it." An audience member to Robert Mueller, Director, FBI, in San Francisco.
This has been an eventful fortnight. Reputed e-mail service providers Hotmail and Gmail were both subjected to a massive attack that compromised the accounts of several thousand of their subscribers. Apart from causing them acute embarrassment, the episode showed how fragile the security features the two operators claim to have installed really were. Coming close on the heels of Microsoft introducing a new security package for all Windows users, viz. Microsoft Security Essentials (MSE), the intrusion, generally believed to be a Phishing exercise, made a mockery of all existing security arrangements to protect cyberspace.

It all happened this way on October 1. The details of more than 10,000 Hotmail accounts were pasted on pastebin.com, described as a code-snippets Web site. In course of time, the intruders expanded the list to nearly 30,000. I myself remember receiving several messages asking for my account information, along with a threat that if I did not respond immediately my account would be terminated. Checking with MS, I soon learnt that this was a Phisher who was trying to take me for a ride. Naturally I did not oblige him! I am not sure how many others bothered to verify in this way before deciding whether to disclose such sensitive information. On the face of it, what was posted on pastebin.com seemed genuine information. Microsoft has also not disputed this. At first it was thought that MS was the lone victim. Within hours it transpired that others such as Google, AOL, Yahoo!, Comcast and EarthLink had also been breached.

Phishing attack or botnet?

Expert opinion was nearly unanimous that this was a classic Phishing attack that preyed on the credulity of subscribers. Both MS and Google subscribed to this theory and took the stand that this was a sweeping industry-wide operation. There was, however, dissent from this point of view from Mary Landesman, a Senior Researcher with ScanSafe, a Web security provider from San Francisco.
In her opinion this was not a case of Phishing but an intrusion with the help of botnets, which had infected a large number of machines through keylogging or a data-stealing Trojan horse. The basis for her stand is the sheer number of passwords compromised. Since the yield from Phishing is usually very modest, an attack that compromised thousands of accounts must necessarily be the handiwork of groups that specialise in hijacking computers. But according to the Anti-Phishing Working Group (APWG), a large-scale attack was not beyond the capacity of Phishers. This conflicting stand over a massive and outrageous attack is typical of cyber security debates. It also amplifies the view that knowledge in the area is still evolving, and no one expert is correct all the time. In a way this is good because it encourages more research.

In the ultimate analysis, whoever was responsible for the recent attacks and whatever the means used, the motive was undeniably profit. All indications are that there is a lucrative underground market for stolen passwords. It is spammers who buy them to unleash spam for a variety of reasons, the most important of which is commercial rivalry. In sum, this one episode alone illustrates that whatever education is imparted to users of cyberspace, it is no defence against a clever manipulator who has specialised in the art of deception.

Poor password management

More interestingly, an analysis of the purloined information revealed that the weakest aspect of cyber security anywhere in the world is poor password management. Most of the victims used either a letter of the alphabet or a number, and not a combination of the two, as their password. Also, one's date of birth, a piece of information not very difficult for an intruder to obtain, especially if the latter is the victim's acquaintance, remains the most popular choice. A lot has been done to impress on computer users that a weak password is an invitation to disaster. This has, however, not brought about a change of mindset.

The attacks against Hotmail and others emphasise the point that cyber crime is a factor to reckon with in our daily lives. We just cannot wish it away. Individuals and corporations will have to fortify themselves against it with diligence. One prerequisite is the raising of a corps of professionals who will be engaged full-time on how to ward off intrusions. At present such a group is small or non-existent in a majority of countries.

US lead likely

It looks as if the US will give a lead here. At the initiative of a Washington-based non-profit, the Partnership for Public Service, and a private contractor, Booz Allen Hamilton, a report, Cyber In-Security, was prepared last year which highlighted the need for creating such a team of cyber security experts at the Federal government level. There is support for this from several Federal officials and in particular from the Pentagon, which feels it does not have enough experts in its ranks. The Department of Homeland Security is equally concerned about bringing up a cadre of what it calls 'cyber cops'.

To end this piece on a lighter note, the formidable FBI Director Robert Mueller confessed recently that he very nearly became a Phishing victim. Speaking at a San Francisco conference, he told the audience that he had received an e-mail purporting to be from his bank, which appeared to be in order, and nothing seemed sinister. He therefore went about answering the questions it asked in all seriousness, until he came to the one that sought his password. This is the point at which he realised he was being taken for a ride, and put an end to the whole exercise. He committed the mistake of mentioning this casually to his wife, who was taken aback by her husband's initial credulity. She came to the quick conclusion that her husband could no longer be trusted to do online banking and peremptorily ordered a ban!
Mueller will now have to reconcile himself to a situation where he is 'prohibited' from banking online. You will agree that this is pitiable for one of the most powerful men in the US government!

The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.
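The password-management finding in the column above (passwords made of a single character class only, or a date of birth) can be turned into a check that a sign-up form or a periodic password audit runs before a password is accepted. The following is an added example in Python, not the column's, Microsoft's or Google's code; the sample passwords, the 12-character minimum and the rule that two-digit years mean the 1900s are constructed assumptions.

```python
"""
Checks for the two password weaknesses the column reports among the leaked
accounts: a single character class only, and a date of birth used as the
password. Added example, not the column's or any vendor's code; the sample
passwords, the 12-character minimum and the 1900s rule for two-digit years
are constructed assumptions.
"""
import re
from datetime import date

MIN_LENGTH = 12  # assumption: policy minimum chosen for this example


def character_classes(pw: str) -> set:
    """Return the set of character classes present: lower, upper, digit, symbol."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def _plausible_date(day: int, month: int, year: int) -> bool:
    """True only if (day, month, year) is a real calendar date between 1900 and this year."""
    if not 1900 <= year <= date.today().year:
        return False
    try:
        date(year, month, day)
    except ValueError:
        return False
    return True


def _date_candidates(pw: str) -> list:
    """All (day, month, year) readings of pw under common written date forms."""
    cands = []
    # DDMMYYYY or MMDDYYYY, with or without - / . separators (e.g. 19101965, 10/19/1965)
    m = re.fullmatch(r"(\d{2})[-/.]?(\d{2})[-/.]?(\d{4})", pw)
    if m:
        a, b, year = map(int, m.groups())
        cands += [(a, b, year), (b, a, year)]
    # YYYYMMDD (e.g. 19651019)
    m = re.fullmatch(r"(\d{4})[-/.]?(\d{2})[-/.]?(\d{2})", pw)
    if m:
        year, month, day = map(int, m.groups())
        cands.append((day, month, year))
    # DDMMYY or MMDDYY; assumption: two-digit years are 1900s birth years
    m = re.fullmatch(r"(\d{2})(\d{2})(\d{2})", pw)
    if m:
        a, b, yy = map(int, m.groups())
        cands += [(a, b, 1900 + yy), (b, a, 1900 + yy)]
    return cands


def looks_like_birthdate(pw: str) -> bool:
    """True when the entire password is a plausible calendar date or a bare birth year."""
    if re.fullmatch(r"\d{4}", pw):
        return 1900 <= int(pw) <= date.today().year
    return any(_plausible_date(d, m, y) for d, m, y in _date_candidates(pw))


def assess(pw: str) -> list:
    """Return the weaknesses found, in a fixed order; an empty list means none fired."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if len(character_classes(pw)) <= 1:
        problems.append("single character class")
    if looks_like_birthdate(pw):
        problems.append("calendar date")
    return problems


if __name__ == "__main__":
    # Constructed samples: the kinds of passwords the column describes, plus two stronger ones.
    for sample in ["a", "19101965", "1965", "Passw0rd!", "correct horse battery staple"]:
        print(f"{sample!r}: {assess(sample) or 'no weakness flagged'}")
```

The single-class check is what the column's "combination" amounts to in code, and the date check tries every common ordering (day-month-year, month-day-year, year-month-day, and six-digit forms) so that a birth date is caught however the user typed it. A long passphrase passes these checks; a check like this complements, rather than replaces, comparing candidate passwords against lists of already-leaked ones.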
Copyright © 2009, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line.