Hackers never sleep, it seems. Just when you think you've battened down the hatches and fully protected yourself or your business from electronic security risks, along comes a new exploit to keep you up at night. It might be an SMS text message with a malevolent payload or a stalker who dogs your every step online. Or maybe it's an emerging technology like in-car Wi-Fi that suddenly creates a whole new attack vector.
Whether you're an IT manager protecting employees and corporate systems or you're simply trying to keep your own personal data safe, these threats -- some rapidly growing, others still emerging -- pose a potential risk. Fortunately, there are some security procedures and tools available to help you win the fight against the bad guys.
1. Text-message malware
While smartphone viruses are still fairly rare, text-messaging attacks are becoming more common, according to Rodney Joffe, senior vice president and senior technologist at mobile messaging company Neustar and director of the Conficker Working Group coalition of security researchers. PCs are now fairly well protected, he says, so some hackers have moved on to mobile devices. Their incentive is mostly financial; text messaging provides a way for them to break in and make money.
Khoi Nguyen, group product manager for mobile security at Symantec, confirmed that text-message attacks aimed at smartphone operating systems are becoming more common as people rely more on mobile devices. It's not just consumers who are at risk from these attacks, he adds. Any employee who falls for a text-message ruse using a company smartphone can jeopardize the business's network and data, and perhaps cause a compliance violation.
"This is a similar type of attack as [is used on] a computer -- an SMS or MMS message that includes an attachment, disguised as a funny or sexy picture, which asks the user to open it," Nguyen explains. "Once they download the picture, it will install malware on the device. Once loaded, it would acquire access privileges, and it spreads through contacts on the phone, [who] would then get a message from that user."
In this way, says Joffe, hackers create botnets for sending text-message spam with links to a product the hacker is selling, usually charging you per message. In some cases, he adds, the malware even starts buying ring tones that are charged on your wireless bill, lining the pocketbook of the hacker selling the ring tones.
Another ruse, says Nguyen, is a text-message link to download an app that supposedly allows free Internet access but is actually a Trojan that sends hundreds of thousands of SMS messages (usually at "premium SMS" rates of $2 each) from the phone.
Wireless carriers say they do try to stave off the attacks. For instance, Verizon spokeswoman Brenda Raney says the company scans for known malware attacks and isolates them on the cellular network, and even engages with federal crime units to block attacks.
Still, as Joffe notes jokingly, there is "no defense against being stupid" or against employee errors. For example, he recounts that he and other security professionals training corporate employees one-on-one about cell phone dangers would send them messages with a fake worm. And right after the training session, he says, many employees would still click the link.
To keep such malware off users' phones, Joffe recommends that businesses institute strict corporate policies limiting whom employees can text using company networks and phones, and what kind of work can be done via text. Another option is a policy that disallows text messaging entirely, at least until the industry figures out how to deal with the threats.
For consumers, common sense is the best defense. Avoid clicking on text-message links or attachments from anyone you don't know, and use extreme caution even with messages from known contacts, who might unwittingly be part of a botnet.
2. Hacking into smart grids
A common misconception is that only an open network -- say, your corporate wireless LAN for visitor access -- is hackable. Not true, says Justin Morehouse, a principal consultant at Stratum Security who spoke about network security at last year's DefCon security conference. Morehouse says it's actually not that difficult to find an access point into a so-called closed system.
There is an urgent need for penetration testing in smart grids, says Stratum Security's Justin Morehouse.
For example, the Stuxnet worm last year infected tens of thousands of Windows PCs running Siemens SCADA systems in manufacturing and utility companies, most notably in Iran, and it was largely spread via infected USB flash drives. Even some nuclear plants and power grids have wireless networks for employees to use.
"Stuxnet proved that it is relatively simple to cause potentially catastrophic damage" to an industrial control network, says Neustar's Joffe.
According to Morehouse, another new attack point will be smart grids, which use electronic metering to streamline power management. Utility companies around the world have begun testing and rolling out smart meters to customers' homes and businesses. The technology, which can send data to and receive it from a central system, can also be very helpful for IT: You can open a console to see the power usage for one section of a building, for example.
But smart grids might be vulnerable to attacks that would allow hackers to cut off electricity to homes and businesses and create other kinds of havoc. One possible attack vector is a smart grid's communications infrastructure. For example, Morehouse says, a German utility company called Yello Strom uses a consumer smart grid system that works like a home automation kit -- the sensors report energy usage back to the central server via the user's home Wi-Fi network.
Because of this, Morehouse says, it is possible for end users to tap into their own networks and gain access to the substation used for delivering power. "Often it's the case that these types of networks are not properly segmented or protected," he says. "Once in, the attacker may be treated as a trusted user and have access to other areas. Is there the potential that they could disrupt the substation or city? Absolutely. They may plant a back door that could allow the grid to be powered down at a particular time."
Utilities in the U.S. tend to use their own proprietary wired or wireless connections to sensors, but Morehouse is concerned that some may follow Yello Strom's example and use home networks instead.
Smart meters like this one connect to a smart grid to streamline power management; experts say it may be possible to hack into them.
Another concern is vulnerabilities in the smart meters themselves -- a problem that affects corporate smart grids as well. Researchers from Seattle-based security services vendor IOActive, for instance, discovered several bugs in smart grid devices that hackers could exploit to access the smart grid network and cut power to customers.
"Hackers use press releases to find out the technologies [used in corporate smart grids] and go back to the infrastructure and find vulnerabilities. So, for example, if Wal-Mart announces a smart grid using Siemens technology, a hacker suddenly has many of the answers they need to find that controller and break in," Morehouse says.
The most effective preventive measure, says Morehouse, is rigid isolation -- a smart grid should not touch any other network, ever. He says there is an urgent need for penetration testing and making sure the firewall in a closed network is secure because of the possible dangers of gaining access to the power grid. He advises using tools such as Core Impact and Metasploit.
The "rigid isolation" rule applies to home users as well. "Consumers should never bridge smart grid networks with their home networks," says Morehouse. He also advises home users to become familiar with their smart meters so they can recognize whether they have been tampered with, and to ask their utility providers what security measures are in place to protect the meters and network.
3. Social network account spoofing
Many of us use Facebook, LinkedIn and other social networks to connect with friends, family and colleagues -- which leaves us vulnerable to a new technique called social network account spoofing. The idea is that a scammer poses as either someone you know or a friend of a friend to get close to you and fool you into revealing personal information. He then uses that information to gain access to your other accounts and eventually steal your identity.
In a typical exploit, says Joffe, someone contacts you on a service like Facebook or LinkedIn, posing as a friend of a friend or a co-worker of someone you trust. Then, the new "friend" contacts you directly, usually through text message or email. It might seem surprising to have this "friend" contact you outside the social network, but he seems legitimate because you believe he has a connection with someone you trust.
In another scenario, a scammer might impersonate someone you already know -- claiming to be an old friend from high school, for instance. Spoofers can find out your connections by following your public feeds or looking up the names of co-workers on sites like LinkedIn where you have posted your work info.
Once the scammer has established a connection with you, he uses devious means to steal personal data, such as chatting to find out the names of family members, favorite bands, hobbies and other seemingly innocuous information -- then trying those as passwords or answers to security questions at banking sites, webmail accounts or other sites.
As Joffe points out, the idea behind social network account spoofing is "thousands of years old." Conning you out of your personal information is an age-old trick. Today's social networks just provide a new avenue for con artists and criminals to get close to you. The trick works because there is often no way to know whether someone you've come to trust online is actually who he says he is.
"The problem with communication by Facebook or LinkedIn is that you are stuck in a Web interface -- you can't check the IP address or header information. Everything is in a nice friendly world," Joffe says.
Stratum Security's Morehouse says hackers are becoming increasingly crafty on social networks: They first identify a target, then do the research -- what is this person like, whom do they follow, what do they like to do?
What's more, social network attacks are sometimes combined with email and website spoofing, Morehouse says. You might develop a friendship on LinkedIn and then get an email from that person that looks like it was sent via LinkedIn but is actually a fake. When you click the link to reply to the message, you're taken to a fake LinkedIn site; logging in there reveals your LinkedIn username and password to the spoofer.
The email message above looks like it came from one of your LinkedIn friends, but look closely at the domain name and you'll see it's a fake.
If you click on a fake LinkedIn message, you'll see a fake site -- a ploy to steal your log-in and password.
Another type of attack Morehouse describes targets companies as well as individuals. The spoofer might set up a Facebook page pretending to be the official company page for, say, a retailer like office supply giant Staples. To make it seem credible, the spoofer might claim that the page is a formal method to contact the company or register complaints.
The page might offer free (but fake) coupons to entice people to join, and it soon goes viral as people share it with their network of friends. Once hundreds or thousands of users have joined the page, says Morehouse, the owner tricks them into giving out personal information, perhaps by signing up to receive additional coupons or special offers.
This is a double attack: Consumers are damaged because their personal data is compromised, and the company is damaged because its customers associate the fake Facebook page with the real company -- and decide not to buy from that company anymore.
As with text-message attacks, individuals' best defense against spoofing attacks is to use common sense, Joffe says -- hackers usually do not do a good job of impersonating a person or company, and they tend to send links and phishing scams to con you. They might try to mimic a friend but rarely manage to accurately convey their personality. In some cases, the attacks are traceable through e-mail headers or IP addresses, and most attacks are too general and untargeted to be believable to anyone who's careful.
Other precautions might seem obvious but are often overlooked. If someone says he's a friend of a friend or co-worker, make sure you confirm his identity with your common connection. And it's a good idea to lock down your privacy settings at social networking sites so that your contact info, posts, photos and more aren't visible to everyone. In Facebook, for example, select Account --> Privacy Settings --> Custom and click the "Customize settings" link at the bottom to gain control over exactly what you want to share with everyone, friends of friends, friends only or no one.