February 19, 2010

The world is hacked, and it's users' fault

Until you equip and educate users to avoid hackers' traps, your organization is at risk

I spoke to a large, multinational client the other day that is in the middle of a malicious hacking attack. A large percentage of the company's workstation computers are compromised. The attackers have access to nearly every server in the global environment. Executive email is being read, confidential data is no longer confidential, and state secrets are no longer secret.

Chinese hackers? We got 'em. Russian hackers? Check! Spear-phishing malformed PDFs? Naturally. Socially engineered Trojans all over the place? You betcha! Accounting department's banking system compromised? Of course -- it wouldn't be a party without it.

Here's the kicker: In the middle of the call, I actually forgot which client I was talking to -- because every company I've worked with over the past two years is in the same situation.


Is it because of my job that I'm the only person aware of companies in these types of dire straits? It's not only large firms -- it's nearly every enterprise I'm aware of. Also, it goes beyond the business sector; my city is infected and has been nearly shut down. It's also hit my friend's computer -- an iMac. It's the same story with my mom's computer and my neighbor's computer. It makes me wonder: Is anybody not exploited?

My (virtual) hat is off to the hackers. They've managed to infect and exploit the world, and it doesn't appear that people care. It's so bad that this passes for life as usual. It's like learning to accept Mother Nature's natural disasters as inevitable -- though hackers can be stopped. I keep hoping that everyone will decide to come together in a "We Are the World"-type project to make it more difficult for malicious hackers to flourish on the Internet, but it doesn't seem likely anytime soon.

san 19-Feb-10 8:15am

Security researchers have unearthed a massive botnet affecting at least 75,000 computers at 2,500 companies and government agencies worldwide.

apeshansky 19-Feb-10 2:16pm
First, implement an improved end-user education program. Teach end-users about the most frequent threats and how they can be tricked into installing malware.
Well, good luck with that. For 30 years Microsoft taught users that computers always crash, that reboot is a legitimate cure for a computer problem, that servers should run GUI, that GUI means simple, that anyone can administer their own computer...
And don't forget that it also taught users that malware is a fact of life: anyone remember the virus-infected MS Office CD? (Version 4.3 or so.) And the "always trust content from Microsoft" default, even after an MS signing key was compromised?
We suffer Microsoft for our sins ;-)
JimW 19-Feb-10 7:00pm
1 reply
I find it absolutely arrogant, pretentious and egotistical to blame users for the failure of the IT infrastructure and developers to provide adequate protection substance in the products that they create for users to use, be it the Internet structure and design, hardware, and the software that runs it. It is my opinion that they are far too interested in quick fixes and profits rather than producing a solid foundation and robustness for their creations. Good design, coding and QA require significant time and effort, all of which too few companies/developers choose to fully support. Instead they either pray that things will not show up that their superficial testing, QA and design failed to account for, or leave it to someone else such as the antivirus companies to pick up the pieces while users are continually asked to pay for protection and upgrades to poor design - fixes that well designed and fully tested products should not need to begin with. It all parallels concepts such as having to buy a fan to blow on a compressor in a refrigerator so it does not overheat and fail, causing all your food to spoil; having to calculate how much gas is being used by your automobile while you are driving based on miles per gallon, because the car company did not provide a fuel gauge; or having no stop signs on the road, figuring that since drivers have eyes and cars have brakes, people will be able to avoid hitting each other. The infrastructure should be designed with the proper tools and protection in place to allow legitimate use of it while blocking those who wish to do harm. It should allow its use without having to use and change a multitude of passwords when secure access is desired. Security issues and protection should be the responsibility of the designers, not the end users who just want to purchase a useful and reliable tool that just works effectively and efficiently. Before computers things got done reliably, albeit more crudely and less efficiently.
Computers have been marketed as a tool to improve our productivity and make life more efficient, effective and simpler. How can that happen when users have to spend a significant part of their lives installing updates, upgrades, antivirus tools, creating and remembering passwords, and all the other stuff that they have to do to protect their information from criminals through the portal that computers have created into their very being? Without computers, the Internet, and software, hacking such as described or inferred in this article would be next to impossible, especially on the scale that is described in this story. How dare you blame the users for the nightmare that the IT industry has created in our society and culture!
Roger A. Grimes 22-Feb-10 1:33pm
I agree with you 100%. You obviously are not a long time reader of mine or you would know how much I blame myself and my brethren. I blame my entire profession (e.g. computer security) more than any other group. I think we have done a terrible job of protecting end-users, and we expect them to know too much about security to be safe. Still, there is some percentage of end-user accountability needed. First, end-users are to blame for accepting poor security. If end-users, en masse, didn't accept the current state, security would improve for all immediately. Also, although I expect my car and electrical appliances to be mostly safe, I'm still expected to exert some sort of commonsense safety precautions (e.g. such as don't use blow dryers in the tub, slow down in poor driving conditions, don't give my credit card information to someone untrusted over the phone, etc.) to operate any device. Sadly, there are many things we can do to immediately, significantly improve security (we even already have the protocols). We need only agree on the goals and objectives, fill in some values in common tables, and begin to develop software around those new agreed-upon standards. However, getting any group to agree upon common goals and tactics ahead of a tipping point event is seemingly impossible. What slays me is that the problem is so bad right now...in my mind it is a tipping point event, but we (as a society) are still doing nothing. People care more about watching reality television and "So You Think You Can Dance?" than fixing computer security problems.
Kernos 20-Feb-10 9:57am
2 replies
I am curious exactly how your iMac friend got compromised. There are no OS X viruses, a few trojans which require profound stupidity to install and do not propagate and MS Word macro attacks. Phishing is of course OS independent. So what happened?
Roger A. Grimes 22-Feb-10 1:19pm
I've actually had three people I know with iMacs get exploited. The first two people downloaded trojan malware after being promised that it was a free music player, with access to very cheap commercial music. The third and most recent person got a phishing email that led them to losing banking credentials to a fake banking web site, which led to their real account being drained. Roger
drinksoymilk 23-Feb-10 10:58am
I think it is so ridiculous for people running Macs and non-Windows OSes to feel they are somehow blessed or immune from viruses or trojans. I was talking to a Mac friend of mine and I told him 'nix-based OSes make it so easy to change their systems to do my bidding. The shell is so rich and it is so easy to change the PATH variable to run my, for example, 'ls' script to perform some newly added feature and then run the normal system 'ls'. I can pipe directory information to my server making them look however I need to so the firewall is ineffective. This is all very, very unsophisticated and basic work for anyone who has written any kind of shell script. It also does not require root or privileged access. If you're wondering how the script gets installed, read Mr. Grimes' blog again. It is all trusting (or greedy) users who fall for these scams every day. As is pointed out, no user connected to any network is protected from this kind of attack. Every one of us has to be responsible for our actions. I've helped so many people get rid of viruses and trojans on their systems (no tool really does it, it's always a manual effort). These users thought because they were running Norton or McAfee they were protected. Common sense tells you the attackers will always be ahead of the defenders. Again, your first line of defense is your behavior. Finally, to the person who feels the user is not responsible for him/herself, what do you do when the traffic light turns green? I very much doubt that you blissfully accelerate thinking, "The light is responsible for my safety so no need to check for cross-traffic."
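The PATH shadowing drinksoymilk describes (a user-writable directory placed ahead of the system directories so that a wrapper named `ls` runs instead of the real one) is just as cheap for a defender to check for. The POSIX shell script below is an added example, not code from the article or from any commenter: it resolves which directory would supply a given command under a given PATH string and flags any command whose first match falls outside an assumed list of system directories. The function names, the `TRUSTED_DIRS` list and the commands audited at the bottom are all my own illustrative choices; adjust the list to the real layout of the host being checked.

```shell
#!/bin/sh
# Added example: audit which directory supplies a command under a PATH string
# and flag commands that resolve outside the expected system directories.
# TRUSTED_DIRS is an assumption for illustration, not a universal list.
TRUSTED_DIRS="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin"

# resolve_cmd NAME PATHSTRING
# Prints the first directory in PATHSTRING holding an executable NAME,
# using the same first-match rule the shell applies. Returns 1 if none.
resolve_cmd() {
    name=$1
    path=$2
    old_ifs=$IFS
    IFS=:
    for dir in $path; do
        [ -z "$dir" ] && dir=.          # an empty PATH entry means "current directory"
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# is_trusted DIR  -> 0 when DIR is one of TRUSTED_DIRS
is_trusted() {
    for t in $TRUSTED_DIRS; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# audit_cmd NAME PATHSTRING
# Prints "ok DIR/NAME" (returns 0), "SHADOWED DIR/NAME" (returns 1) when the
# first match is outside the trusted directories, or "missing NAME" (returns 2).
audit_cmd() {
    dir=$(resolve_cmd "$1" "$2") || { printf 'missing %s\n' "$1"; return 2; }
    if is_trusted "$dir"; then
        printf 'ok %s/%s\n' "$dir" "$1"
        return 0
    fi
    printf 'SHADOWED %s/%s\n' "$dir" "$1"
    return 1
}

# Demonstration against the live PATH of the shell running this script.
# Output varies by host; "|| :" keeps a SHADOWED or missing result from
# aborting the script when it is run under set -e.
for cmd in ls sudo ssh; do
    audit_cmd "$cmd" "$PATH" || :
done
```

Running it from a user's login shell (or, more usefully, from the profile scripts that set PATH in the first place) shows at a glance whether a commonly typed command such as `ls` would be served by `/bin` or by some directory the user's own dotfiles prepended. A non-empty `SHADOWED` result is the thing to investigate: a benign local wrapper, or exactly the trick the comment above describes.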
LongHaul 23-Feb-10 5:02pm
1 reply
I think some of this is a matter of semantics. We are all "users" and we have all put up with shoddy workmanship. I remember the EXACT day this became the norm and we opened the door to malware and vulnerabilities. It was the day Win95 was released. We lined up at midnight to buy it EVEN AFTER Microsoft told us that there were still more than 200 bugs that needed fixing. We said, "That's all right, fix them later." On that day, the idea that a company had to produce a good product in order to sell it gave way to the realization that--if a company was big enough--they could sell us a shoddy product and get US to patch it. So, yes, the users are at fault. We asked for it and continue to do so.
Roger A. Grimes 24-Feb-10 6:36am
1 reply
You're blaming Microsoft and Windows in this case, but no popularly used vendor does security any better. OSX and Apple computers have far more security bugs than Windows. OSX and Apple lag on security as compared to any popular OS. It's the facts. But instead of initiating another Windows vs. Mac flame war, let me ask you if you run OpenBSD, Qmail, or DJBDNS; or do you run some other vendor flavor to get the same functionality? OpenBSD is demonstrably more secure than any other popular OS. Qmail is more secure than any other popular email server and DJBDNS is more secure than any other popular DNS. And they are all free. If you don't use them, why not? And don't tell me that work requires that you use such and such...do you use them at home? And 200 bugs? There isn't any popular product today (or even back in 1995) that didn't have thousands of bugs. The most respected metrics say that the average program has one bug per 10-50 lines of code. And most people don't care about bug counts anyway. The iMac is doing very well these days despite the fact that it has far more bugs than Windows or Red Hat Linux. Features and functionality sell products, not security.
Rob Lewis 2-Mar-10 11:29am

Roger,

You are right that there is really no advantage in using one low assurance OS over another. However, with distributed computing came distributed risk, and the average computer user is not equipped to deal with the ever increasing number and severity of threats.

©1994-2010 Infoworld, Inc.