Chills ran down my spine as I read the first in a series of articles about hacking and organised crime in Russia in the May 18 edition of The Washington Post. In this three-day series, the Post described in detail how groups of Russian hackers broke into business networks in the US, harvested useful information ranging from credit card information to email files, and then extorted money from the victim companies. The targets covered a range of medium-sized businesses, from financial institutions to e-commerce merchants to law firms.
The approach was always the same. Once the hackers had found the information they needed, they would usually leave a small file announcing their visit and then withdraw. A few days later, they’d contact someone at the company and offer to fix the problem and provide continuing protection against hackers.
In other words, it was a classic protection scheme, modified for the digital age. The tab for such protection? Sometimes as much as a half-million dollars.
Occasionally, however, the Russian hackers would find something better than the credit card numbers that were their normal stock in trade. In one case, for example, they found a string of emails between a lawyer at a major firm and his mistress. The resulting blackmail scheme cost the lawyer $US15,000.
If it does nothing else, this series of articles should convince you that hackers are no minor threat. While such activities may have once been carried out by bored high-school students, organised crime is moving in with a vengeance. Worse, these criminals are all but immune from prosecution: while hacking is illegal in Russia, it’s not considered a serious crime, and Russian authorities don’t consider hackers who target the US or other countries to be a priority.
The only protections from non-US hackers are the steps you take yourself. Luckily, those steps are sometimes amazingly simple. The Russian hackers referenced in the Post articles said that the first thing they always tried when breaking into a computer system was to use the default passwords, and that most of the time they worked. After that, they tried known and proven vulnerabilities within Windows, and that worked the rest of the time. More obscure attacks were rarely needed, mainly because so many companies yielded to their first two tactics so easily.
So ask yourself: Are you certain you’ve purged every default password from everything on your network? Are you sure you don’t have any unauthorised connections to the Internet that bypass your firewall? Have you removed unneeded services from all your machines? Have you done your annual security audit?
Note that none of these steps involve buying expensive products (unless you don’t have a firewall), but they do involve being aware of how your network runs, and taking the trouble to manage things properly.
Sure, it’s easy to pretend that organised crime won’t reach across the world and find you, but that’s wishful thinking. There are hundreds of hackers involved in these criminal teams, and they are very good indeed. If you don’t make sure your network is properly secured, you can be sure they will find you eventually. Imagine how well that will go over with your board. Then think about how your customers will feel, knowing that they entrusted you with their personal information and you let it be stolen. The only traces these customers will leave behind are letters from their lawyers, seeking damages from you.