A hacker cracked into digital certificate supplier DigiNotar this summer and began issuing forged digital certificates for hundreds of web pages published by dozens of marquee companies.

Unable to cope with the fallout, the Dutch firm, a division of Vasco, filed for bankruptcy on 20Sept2011 and abruptly closed up shop. Two other digital certificate companies — New Jersey-based Comodo and Japanese-owned GlobalSign — were similarly hacked this summer, exposing a glaring weakness in the Internet’s underpinnings, security analysts say.

Sutton

“The infrastructure baked into the Internet, which is based on trust, is starting to fall apart,” says Michael Sutton, research vice-president at security firm Zscaler. “If somebody can issue faked digital certificates, it throws the entire process into chaos.”

The hacked firms are among more than 650 certificate authorities, or CAs, worldwide. CAs work behind the scenes with the five top web browsers — Microsoft’s Internet Explorer, Firefox, Opera, Apple’s Safari and Google’s Chrome — to assure the authenticity of web pages where consumers type in sensitive information, such as account logons, credit card numbers and personal data.

Digital certificates enable consumers to submit information that travels through an encrypted connection between the user’s web browser and a website server. The certificate assures the web page can be trusted as authentic. But the unprecedented attacks against CAs shows how fragile that trust can be.

Deep foothold

Upon gaining a foothold deep inside of DigiNotar’s systems, a counterfeiter was able to issue valid certificates for 531 faked pages, impersonating online properties of Google, Microsoft, Skype, Equifax, Twitter, Facebook, the CIA, among others, according to this report by consulting firm Fox-IT.

Shaul

This touched off a scramble to revoke bogus DigiNotar certificates and cut off the faked pages. Counterfeiting digital certificates isn’t trivial, says  Josh Shaul, chief technical officer at security firm AppSec.

“It takes a tremendous amount of planning and skillful execution to compromise a certificate authority,” says Shaul. “In other words, it’s a very expensive hack to pull off. For that reason, we won’t see wide spread compromise of CAs, however when the risk and costs are worth the reward, attackers with the means will not hesitate to act.”

Even so, the successful hacks demonstrated that it is possible to “impersonate any site on the Internet,” says  Shaul. “That’s like an Internet superpower, and like any superpower, it can be very dangerous in the wrong hands.”

The DigiNotar attack most likely was not aimed at carrying out garden-variety Web scams, says Mikko Hypponen, chief researcher at antivirus firm F-Secure. No banks or payment service websites were targeted, he says.

The hacker seemed much more interested in harvesting personal data from e-mail services, social networks, credit bureaus, blogging sites and anonymity services. The possible end game: espionage or political gain.

More  hacks likely

According to the Fox-IT report, the DigiNotar hacker issued 531 counterfeit digital certificates for web pages on google.com, android.com, microsoft.com, update.microsoft.com. login.live.com, login.yahoo.com, aol.com, wordpress.com, twitter.com, facebook.com, equifax.com and cia.gov, among other web domains.

Hypponen

The forged Google webpages were use to spy on some 300,000 Internet users in Iran. “We’ll likely see more attempts like this by the same attacker,” says Hypponen. “It’s good to note that many countries don’t have to resort to tactics like this in order to spy on their own people: if they have their own root CA, they can just issue the certificates they need themselves. There would be no need to hack a foreign CA.  The attacker claims he’s not directly involved with the Iranian government. He says he wants to help his government to catch people who are  ‘against Iranian government or Islam.’ ”

Roel Schouwenberg, senior researcher at Kaspersky Lab, shares similar concerns.  “I’m most concerned about disruption as a motive,” he says. “I’m talking about cyber-war but even more so about hacktivism.

“There’s not a whole lot which can be done here,” Schouwenberg continues. “There are many different angles in which disruption can be leveraged. There are no easy fixes – the trust model is broken and if someone’s only intent is to showcase that . . . well, nothing we can do currently.”

Google spokesman Jay Nancarrow noted that Google’s Chrome browser detected one of the faked certificates “that ultimately led to the revelation of the DigiNotar compromise.”

More hackproofing needed

The pressure is now on CAs worldwide to make themselves more hackproof. And for the browser makers to do more to identify and quickly eradicate counterfeit certificates and faked web pages, security experts say.

Symantec’s Michael Lin, Senior Director of Product Management, says the current system can be salvaged.

“We believe core SSL technology is perfectly viable,” says Lin. “The attacks have not demonstrated an ability to compromise the technology, they have attacked the infrastructure and practices around SSL.”

Symantec advises use of solidly trustworthy  CAs.  “In the market today, not all CA’s are created equal,” says Lin. “Customers who are protected with a CA should continue to transact online with confidence.”

Hudson

Even so, Jeff Hudson, CEO of digital certificate management firm Venafi, cautions that the hacks that unfolded this summer are just the beginning.

“Data is the new currency and cyber criminals have been trying to steal it since the beginning of the Internet,” say Hudson. “They’ll always target the most high-value target, like a CA responsible for establishing and validating trust on the web.”

Hudson says shoring up digital certificate authentication is “a huge issue with significant ramifications to business productivity and company brand. No one knows where the next breach will occur, or whether it will occur in a week or three months.”

Microsoft, maker of the world’s most widely used web browser, Internet Explorer, declined comment, as did Apple, maker of the Safari browser.

However, spokesmen for Mozilla, maker of the No. 2 Firefox browser, and Opera, a browser used widely in Europe and on cell phones, noted that steps are being taken to shore up the current system.

“The security of the Web is our collective responsibility,” says Johnathan Nightingale, Mozilla’s director of Firefox engineering. “To improve it, we need a continuing, and open, dialog supported by focused action.”

Adds  Opera’s Jan Standal, VP of  Desktop Product: “No system is perfect. The question is how to reduce the risk of compromise, and – -in case of a compromise — how to reduce the impact. In DigiNotar’s case, we need to uncover how they were compromised and how the impact got to be so widespread.”

–Byron Acohido

There is a rising threat to kids who habituate the Internet: the likelihood that a popular mobile app or social-networking service will invade their privacy.

The Federal Trade Commission last month announced a $50,000 settlement with app maker W3 Innovations for collecting and dispersing information of kids under 13 in violation of the Children’s Online Privacy and Protection Act, or COPPA.

Earlier this year the FTC wrested a record $3 million settlement from online game developer Playdom, now a division of Disney, for similar COPPA violations.

Click here to access advice for  protecting kids online.

Child-safety advocates say identity thieves and pedophiles have begun taking advantage of youngsters’ increasing infatuation with mobile devices and Web apps.

Serwin

“Children are using these services more and more, opening themselves up to more information disclosures,” says Andrew Serwin, chairman of the privacy practice at law firm Foley & Lardner. “And there’s more and more mobile services directed to children, as well.”

W3 Innovations published Emily’s Girl World, Emily’s Dress Up and Emily’s Runway High Fashion, online services which encouraged kids to create virtual models and outfits and e-mail a fictitious character named Emily with comments and blog posts. Apple iPhone and iPad users downloaded Emily apps more than 50,000 times.

“We want to make it crystal clear, to app developers and to others in this new mobile space, that we believe the protection under COPPA is not platform specific,” says David Vladeck, director of the FTC’s consumer protection bureau. “If you can’t do it online, you can’t do it in an app.”

FTC staff is hammering out revisions to COPPA rules likely to include different guidelines for verifying parental permission for kids to use certain apps, and specific rules to protect children using Internet-connected mobile devices, Serwin says.

Meanwhile, more children than ever are using mobile devices and spending longer hours socializing online and and using cool Web apps designed to gather data in support of selling advertising.

A recent survey by anti-virus firm AVG found roughly half of children ages 6 through 9 regularly interact with friends online, yet 58% of their parents admitted to not being knowledgeable about social networks.

Rising commercial pressures for kids to get online add to already intense peer pressures, says Hanan Lavy, CEO of child security software maker United Parents.

Facebook is open to those 13 or older, though a recent Consumer Reports survey found 7.5 million Facebook users 12 and under. And Facebook CEO Mark Zuckerberg has said he would like to formally extend Facebook to kids.

“The risks to children from social networking at an early age are numerous,” Lavy says. “As pedophiles become more technologically sophisticated, they’re able to find and connect with kids easier than with previous methods.”

More time spent online also means higher risk of children getting exposed to inappropriate content and advertising. Identity thieves target minors’ names and Social Security numbers to create bogus credit accounts with a lower likelihood of getting discovered.

Last June,  AVG  released results of a survey of  6-to-9-year olds and their parents  in North America, Europe, Australia and New Zealand. Some findings:

• More than half (51%) of 6-to-9-year-olds use some kind of kids’ social network such as Club Penguin or WebKinz.
• Roughly one in five use email, and despite being under age, 14% are on Facebook, according to their parents.
• Forty-seven percent of 6 to 9-year-olds talk to their friends on the Internet.
• Almost one in six 6-to-9-year-olds and one in five 8-to-9-year olds have experienced what their parents consider objectionable or aggressive behavior online.
• American children average four hours online each week, slightly more than the worldwide average of 3.5 hours per week.
• 58 percent of parents admit they are not well-informed nor understand their children’s online social networks.
• Only 56 percent of parents were certain their family computer has parental controls or a safety program in place

Smith

“We believe that the opportunities for this digitally-savvy generation are endless, but they need to be taught ‘safety first’ much like any other life skill and guarded against dangers,” says said J.R. Smith, CEO, AVG Technologies. “Based on these findings, we’re excited to launch a new book as part of our effort to help nurture discussions around internet safety with kids.”

AVG makes available a digital book, titled Little Bird’s Internet Security Adventure, which teaches preschool children about the many dangers lurking online. Throughout Little Bird’s journey home to talk to her grandmother on the computer, she meets young zoo friends who have questions or concerns about online behavior.

From dealing with an online bully, computer viruses, “yucky pictures” and requests from strangers for personal information, Little Bird has a simple solution that teaches kids to stay on guard and always keep their parents informed.

The new book launches online in Kindle, iPad and desktop versions, just in time to educate and protect children spending more and more time online this summer and celebrate International Children’s Day. The company has also pledged a donation of more than 20,000 books to Head Start Organizations and other early childhood educators across the United States as part of a worldwide, multilingual initiative across the globe.

“I wouldn’t teach my children to ride a bike without a helmet or leave them by a pool without teaching them to swim, and I certainly wouldn’t sit them in front of a family computer or mobile device without up-to-date security software, parental controls and the know-how to handle inevitable situations,” said Smith, who co-created the book and wrote its foreword. “The goal in creating Little Bird was to facilitate conversations with children about how to handle bullies, strangers and other online dangers. Children need to know that they should always come to Mom, Dad or another adult with questions when other safeguards fail.”

SEATTLE — The odds that a cybergang will stealthily turn your PC into a bot this summer and use it to carry out all manner of cyberattacks just notched notably higher.

That’s the upshot of a premier hacker’s toolkit, called SpyEye, recently being made accessible to cybercriminals of all stripes.

Security analysts anticipate a surge in SpyEye attacks the rest of this year.

“Every level of criminal, from the lowest to the highest rungs, can now use one of the deadliest Swiss Army knife hacking toolkits in the world,” say Sean Bodmer, senior threat intelligence analyst and network security firm Damballa.

Bodmer

It’s been about a week since the keys to acessing SpyEye were publicly disclosed. So far 14 cyber rings have taken advantage, using SpyEye to send commands to tens of thousands of infected PCs in the U.S. and Europe, according to Damballa research findings.

In the first six months of the year, SpyEye was being used by 29 elite gangs that collectively commanded at least 2.2 million infected PCs worldwide. SpyEye normally sells for up to $10,000. But as of last week the latest, most potent version of SpyEye could be acquired for just $95, says Bodmer.

Advances in  cyber larceny

How this sudden discounting came to be — and the resultant security implications — highlight how complex  and dynamic larceny on the Web has become over the past few years.

SpyEye surfaced in late 2009 as a bigger, badder rival to ZueS, then the premier hacker’s toolkit.  SpyEye quickly surpassed ZeuS. By the end of 2010, it had evolved into a pricey, user-friendly software program, sold, updated and copyrighted, much like any legit business application.

Click here to see LW’s  profile of  ZueS creator A-Z

For a base price of $6,000, SpyEye put a sophisticated Internet-based management tool into the hands of the buyer. Optional plug-in programs pushed the price to $10,000.

Using SpyEye a criminal can issue commands to networks of thousands of bots. SpyEye-run botnets have proven to be unstoppable. Criminals use them to deliver spam scams pitching fake drugs or worthless antivirus programs, conduct hacktivists attacks and booby-trap legit websites with infections that create more bots.

What’s more, SpyEye may be best known for enabling thieves to orchestrate the systematic siphoning of cash from the online banking accounts of consumers and small organizations. Transactions security firm Trusteer has documented SpyEye-orchestrated banking account heists in action. SpyEye:

• Waits for the account holder to log into his or her online banking account.
• Collects the user’s balance figure, and determines whether the account is ripe for theft.
• Initiates money transfers invisibly, the victim sees nothing.
• Transfers funds into a mule account, set up and controlled by the thief to receive cash transfers.
• Erases any evidence of the fraudulent transfer.
• Adds back the stolen amount to the official account balance, as if nothing is amiss.

“SpyEye is very dynamic and versatile,” says Amit Klein, Trusteer’s chief technical officer. “We see it pushing new builds to the field on a weekly basis. These frequent updates enable SpyEye to be more elusive and less detectable.”

Perpetual arms race

In early August, a French researcher, using the online handle Xyliton and said to be  part of the Red (Reverse Engineers Dream) Crew,  discovered how to crack open SpyEye’s licensing key, which unlocks the software for full use, complete with a tutorial. In cracking SpyEye’s key,  Xyliton disabled a feature that requires licensed users to designate a name to their copy of the toolkit in an attribution field. Good-guy researchers use this attribution field to keep track of which crime rings are actively using SpyEye. Xyliton then published his findings on the Internet.

Skilled hackers quickly created simple programs to access full versions of SpyEye and began selling them for around $100, says Damballa’s Bodmer.

Because of how the crack was carried out, the free and discounted versions of SpyEye recently put to use in attacks are much harder to distinguish, says Bodmer. “Not only is the toolkit now free or very cheap, but attributing usage to a specific criminal operator has becoming significantly more difficult,” he says.

A debate in tech security circles has ensued as to whether Xyliton’s disclosure did more harm than good. Some experts argue that tech security companies now have more detail about how cutting-edge hacking tools work, which should help with detection and filtering.

Maor

“White hats may now gain insight into the workings of (SpyEye), but this will not be the end of the perpetual arms race,” says Etay Maor, cybercrime specialist at RSA, The Security Division of EMC.

Maor predicts that SpyEye’s creators will fix the cracked licensing key, improve the core toolkit and push out new advancements.

Others worry that botnets have been widely used this summer to conduct intensive Google searches — known as Google hacking or Google dorking — as part of campaigns to locate, then mass infect, more than 8 million web pages published by smaller online merchants and professional firms. The PC of anyone who navigates to one of these infected small business pages gets turned into a bot.

“Google hacking is often the first step to perform reconnaissance,” says Rob Rachwald, strategy director at security firm Imperva. “It’s very likely that SpyEye will be used for Google hacking, and leveraging SpyEye is imminent.”

A hint of SpyEye’s coming surge pattern  can be gleaned from the similar public disclosure of ZeuS coding last May,  which drew the tech security community’s attention.  RSA recorded  a 66% increase in  ZueS usage in the ensuing months.

“It is very likely we will  see yet another spike following SpyEye’s leak,” says Maor. ” We also have to keep in mind that more Trojan attacks are launched  because fraudsters can now buy Trojans priced per variant, without purchasing the whole kit, accounting for an increasing number of  ‘small-timers’.”

Criminals who infect websites are making the Internet much riskier for small business owners.

Since early June, one gang has been using a uniquely insidious type of automated attack to inject malicious code on some 20,000 to 30,000 sites, many of them small businesses that rely on the Internet to reach customers, says Wayne Huang, chief technical officer at website security firm Armorize.

Many small business owners don’t realize about how intently profit-minded hackers are striving to wrest control of their websites to run scams, says Maxim Weinstein executive director of the non-profit StopBadware public awareness group.

“A sophisticated and evolved criminal underground is constantly trying to avoid being detected while spreading their malware ever more effectively,” says Weinstein.

Mass injection attacks begin with the bad guys obtaining the usernames and passwords for the administrator accounts of smaller websites. They can purchase logins from data thieves, steal it for themselves, or get them free from hacktivist groups that publicly post stolen account data.

After logging on as the site administrator, the hacker then injects a small program, called a script, that gives him full control of the website server.

Because mass injection can be automated, such attacks have become a staple of the cyberunderground. IBM’s X-Force security division monitored and blocked fewer than 10,000 such attacks per month in early 2008. By mid-2009 it blocked more than 500,000 per month, according to the most recent data.

Hackers target small business websites because they know those companies “do not have the resources for sophisticated security measures,” says Michael Lin, vice president at VeriSign, a division of Symantec.

Criminals use corrupted websites to spread infections to other PCs, thereby fueling data theft as well as scams to sell fake drugs, pitch worthless antivirus protection and steal from online bank accounts. “Your website essentially serves as a surrogate host for malicious content,” says David Moeller, CEO of website monitoring and backup company CodeGuard.

The latest mass-injection attacks —including one that recently hit Passen Law Group, a two-man personal injury firm in Chicago — are extremely difficult to detect and remove, says Huang. About a month ago, attorney Matt Passen clicked to the main page of his firm’s website and says he saw “a series of letters and numbers that made no sense to me.”

Shortly afterward, Google notified Passen that his website was infected and blocked access to it. Over the next few weeks, Passen, who depends on his website to attract clients, hired experts to find and delete the viral script three times; the first two fixes lasted about a week each before the infection recurred.

“It will easily cost us a couple thousand dollars to remedy, and I can’t tell you what the costs are in terms of lost business opportunity,” Passen says.

Most often, the owner of a hacked website doesn’t see anything suspicious. The infected site eventually turns up on one of the blacklists maintained by Google, Microsoft and a handful of other entities that continually look for, and block access to, sites running malicious scripts.

Google’s blacklist, which is used by Google Chrome, Firefox and Apple’s Safari browsers, currently blocks access to some 700,000 sites, says StopBadware’s Weinstein.

Remediation can be a real pain. A cottage industry of consultants and technicians has cropped up to help small business owners, but prices and quality of work varies. A good starting point for any small business owner is to seek free guidance at StopBadware.org.

CodeGuard offers a free service that backs up sites and then continuously monitors for fresh infection. Should a site be compromised, CodeGuard enables the owner to eradicate infections by returning the site to a known clean state.”

“The game is changing,” says CodeGuard’s Moeller. “Anyone who has a website can be attacked, and you have a responsibility to make sure you’re not hosting malicious content.”

Ripe for attack

Hackers target small firms because:

36% rely on free consumer antivirus applications.

31% have no anti-spam.

23% have no anti-spyware.

15% have no firewall.

13% have no security at all.

Source: Panda Security fall 2010 survey of companies with 2 to 1,000 computers in North America, Europe and Latin America.

USA TODAY, 20June2011, P1B

LulzSec, the upstart hackitivist group, was busy over the weekend. First, it disavowed responsibility for the hacking of video game company Sega. In fact it added a new twist by offering to help Sega (once long ago a big name in video games) track down the perpetrators.

And this morning, the group announced that it was partnering with the long established hacktivist crew, Anonymous, in launching what the two headline-grabbing gangs dub: Operation Anti-Security.

Related story: Who’s who in LulzSec

Essentially, LulzSec and Anonymous have just declared open cyberwarfare against big governments and giant corporations. An excerpt from LulzSec’s  declaration:

Welcome to Operation Anti-Security (#AntiSec) – we encourage any vessel, large or small, to open fire on any government or agency that crosses their path…Top priority is to steal and leak any classified government information, including email spools and documentation. Prime targets are banks and other high-ranking establishments.

The rapid ascension of the hacker group LulzSec, if sustained, could signal a revival of cyberattacks carried out primarily to humiliate companies and government agencies.

“We’ve got some very powerful hackers apparently showing the world they’re powerful enough to break into any organization they want to,” says Josh Shaul, CTO at Application Security. “So why are they doing that? The best answer is because right now they can. And who knows what they’re setting themselves up to do in the future.”

Recent targets

After twice disrupting the U.S. Senate’s website last week, then knocking the CIA’s website off line, LulzSec on Friday issued a press release via Twitter declaring: “This is the Internet, where we screw each other over for a jolt of satisfaction.”

It’s no idle rant. LulzSec — which appears to have splintered from the renowned hacktivist group, Anonymous — has also successfully hacked Sony several times, as well as the FBI, Fox, PBS, Nintendo and others.

Hotz

The Sony hacks stemmed from the entertainment giant suing a young hacker, George Hotz, for reprogramming his PlayStation 3 gaming console; the PBS hack followed the network’s airing of a Frontline documentary LulzSec deemed unfair to WikiLeaks, the anti-secrecy group.

According to its press release, LulzSec is not seeking criminal profit nor participating in cyber espionage. “We do things just because we find it entertaining.” The group’s name is a play on LOL (laugh out loud) Security. It issues bombastic press releases, produces animated videos, and uses a mustachioed cartoon character as a logo.

“The organizations have mostly been targeted for political reasons and the data release or defacement is to display scorn for and humiliate the target,” says Kurt Baumgartner, senior researcher at Kaspersky Lab. “Sometimes  they claim they like the games too much and the hack is for pure sport. In other words, they feed on the public attention for their activity and are fairly eccentric.”

Smooth operations

Yet behind the surface frivolity lies a smootth running campaign orchestrated by highly-skilled programmers and creative multi-media artists, security analysts say.

The group maintains an impregnable website, lulzsecurity.com, where it posts data stolen as part of its escapades. Indeed, on Friday the group posted 62,000 random e-mail and social network account logons — with passwords. In the accompanying statement, LulzSec appears to encourage folks to use the logons to access the accounts and play practical jokes on the account holders.

“It’s a good reminder that we need to use strong passwords for all of the online systems that are important to us,” says Shaul.

Sutton

Groups like Anonymous and LulzSec are viable due to a confluence of developments, says Michael Sutton, vice president of research at security firm Zscaler. Role-paying video games and social networking has made collaborating with complete strangers second-nature; powerful, easy-to-use hacking and hiding programs are readily available; and corporations haven’t kept up, he says.

“Anonymous and LulzSec are determined and they have ignificant numbers,” says Sutton. “And when attackers band together with a common goal they often succeed.”

As hacktivist groups rise in profile, copycats will likely emerge, says Marcus Ranum, chief security officer of Tenable Network Security. “That’s part of the transition were seeing,” says Ranum. “There’s a tremendous amount of resentment against this idea that corporations own the Internet.”

‘Leaving breadcrumbs’

Frank Kenney, VP of Global Strategy at Ipswitch, says the more active the hacktivists become, the more likely some of them will be caught — and be made an example of.

Kenney

“When you impede the ability of a company to make money, when you put up a web site and start to have Twitter feeds, you start to leave enough breadcrumbs,” says Kenney. “This could lead to a very high-profile, I’m-going-to-make-an-example-of-you type of prosecution.”

Meanwhile, organizations would do well to keep LulzSec and Anonymous on their radar screen, says Mike Paquette, chief strategy officer at Top Layer Security.

Opines Paquette: “In general, if your organization has information that could be considered valuable by any group, or is doing anything that may be considered controversial amongst any constituent or affected community, and you’re not prepared for a cyber response, you’re probably not taking this seriously enough.”

The recent rash of disclosures about cyberspying — aimed at undermining the United States — comes as the White House is making its third attempt to push through a historic federal cybersecurity law.

The timing is no coincidence, some cybersecurity analysts say. After two previous bills went nowhere, the White House needs to garner public support for a new law that could equip America for cyberwarfare.

UPDATE -Click here: DHS has slightly reduced role in Langevin bill vs. White House and Senate versions

Adams

“The best way to do that is to get folks worried that we’re under attack from some foreign state like China or North Korea,” says Ed Adams, CEO of Security Innovation, which integrates security systems for government agencies. “Most people don’t realize how much of this is premeditated.”

Recent disclosures of cyberattacks against the International Monetary Fund, Google and several defense contractors coincided with an unprecedented pronouncement last week by CIA Director Leon Panetta, who warned a U.S. Senate panel that the U.S. needs to take “defensive measures as well as aggressive measures” to win at cyberwarfare.

The bill is gaining bipartisan support in Congress. It would establish a framework for distributing billions of dollars for new cybersecurity systems, while placing responsibility for securing cyberspace with the Department of Homeland Security.

Langevin

In an op-ed piece Tuesday in The Hill, Rep. Jim Langevin, D-R.I., the bill’s chief sponsor, underscored the need to engage Americans “in a continuous dialogue about threats we face and steps taken to protect them.”

In that vein, the FBI will help investigate what’s believed to be the theft of e-mails and other documents related to the IMF’s role in stabilizing currency exchange rates and keeping global trade in balance.

“This is part of a wave of economic espionage putting additional pressure on the U.S. economy,” says Alan Paller, research director at SANS Institute, a cybersecurity think tank.

Mike Baker, president and co-founder of consultancy Diligence, agrees that the threats are palpable. The data thieves’  agenda could involve terrorists or military goals, such as disrupting critical  infrastructure, or economic cheating to influence currency exchange rates.

“At the end of the day if I’ve got more information than you, then I’m going to win — however I define winning,” says Baker.

The recent breach disclosures, which include losses of strategically important data at EMC’s RSA security division, Lockheed Martin, L-3 Communications and Northrop Grumman,  help provide  supporting evidence for the importance of a strong cybersecurity bill, says Harry Sverdlove, chief technology officer at security firm Bit9.

Sverdlove

“One of the provisions of the cybersecurity bill proposed by the White House is a federal data breach notification statute. Almost every state already has its own data breach notification law, but in today’s global economy, having a consistent set of guidelines that can be enforced across the nation is essential,” says Sverdlove.

Google recently voluntarily revealed that hackers pilfered information from the Gmail accounts of hundreds of high-profile individuals, including U.S. government officials. “The dialogue around cybersecurity has definitely become politicized and militarized,” says Dave Jevans, chairman of IronKey, which secures data and online access.

By pinpointing Jinan, China, as the origination point of the Gmail hack, Google “elevated the awareness of the enemy,” says  Sverdlove. “That could influence both the cybersecurity bill … (and) the rules of engagement for cyberwarfare being debated by the Pentagon,” says Sverdlove.

Sverdlove, for one, isn’t convinced that the traditionally tight-lipped  IMF was manipulated into making its disclosure to support the push for a new U.S. cybersecurity law.  Says Sverdlove:

When Google announced that the Gmail accounts of specific and highly influential individuals had been hacked, I speculated that the timing was designed to influence public policy. Google made their disclosure in the midst of news on the recent breaches at defense contractors Lockheed Martin, L-3 Communications, and Northrop Grumman. In that case, while the cyber attacks on the defense contractors were described as sophisticated and, at least in the Lockheed Martin case, related to the data breach at RSA months earlier, no one was publicly identifying the source of the attacks.

In the IMF case, however, I don’t believe an international organization within the United Nations has such overt and nation specific motives. More likely, assuming the timing was a conscious decision, the disclosure was more about hiding amidst the noise; there have been so many high profile attacks recently that, while this one might be the most frightening from a global impact perspective, it also just becomes one in a long list of recent breaches (RSA, Lockheed Martin, Citigroup, Sony, PBS, Gmail, …).

Companies are grappling with unforeseen security, privacy and legal conundrums introduced by a host of cool mobile devices flooding into the workplace.

Executives eager to sport the hottest tech gear and workers accustomed to mixing social and work activities on the go are multitasking on personally owned mobile devices in record numbers.

Workers are bringing mobile devices to work at such a scale that company security technicians can’t keep up. “It’s an impossible task,” says Patrick Sweeney, product management vice president at network security firm SonicWall. “Control of these devices has become very complex because of the varying software and device types.”

Results of a recent survey of 1,400 technology professionals in 14 nations show 21% of companies have no restrictions on use of personal mobile devices, while 58% have lightweight policies, and only 20% have stringent guidelines. The poll was conducted by security firm McAfee, a division of Intel.

“A lot of organizations have yet to really lock down mobile access,” says Jamie Barnett, McAfee’s senior director of mobility products. “That tells me there is definitely an opportunity for security and compliance gaps.”

An obvious risk: employee-owned smartphones, tablets and e-readers containing work-related materials that turn up missing. Some 40% of organizations responding to McAfee’s survey reported mobile devices lost or stolen, often involving the loss of critical business data.

What’s more, the cyberunderground is adapting hacks and scams — proven to work profitably on desktops and laptops — to Internet-connected mobile devices, says Anup Gosh, founder of Web browser security firm Invincea.

Worldwide smartphone sales are on track to top 467 million units this year, tablet PC sales should approach 70 million, and e-readers, 14.7 million, according to research firm Gartner. Two years ago, smartphone sales rang in at 172 million units, tablets, zero and e-readers, 3 million.

“As mobile devices become a replacement for the desktop computers, the problem of malware (malicious software) will grow significantly on the mobile platform,” says Gosh. “Unfortunately, the security industry has not developed products suitable for battery-constrained mobile devices, which makes it ripe ground for malware writers.”

Underground and legitimate researchers flushed out 163 fresh security holes in mobile operating systems in 2010, compared with 115 in 2009, says Dean Turner global intelligence director for antivirus giant Symantec.

It won’t be long before cyberthieves steal information off mobile memory cards and run networks of corrupted computers from mobile devices, Turner testified at a congressional hearing on cybersecurity threats recently.

They already are creating tainted apps, several of which have surfaced in the Android Market, Google’s official online store, says Kevin Mahaffey, chief technology officer at Lookout Mobile Security.

One recent attack spread corrupted versions of 50 legitimate game and entertainment apps, which were downloaded at least 250,000 times, Mahaffey says.

One attacker recently corrupted 50 different game and entertainment apps which were downloaded at least 250,000 times.  On each infected  handset, the attacker opened a connection to a remote server from which malicious programs could have been embedded in the phone, Mahaffey says.

Of particular concern is location-tracking technology built into the hottest-selling smartphone and tablet models. Roughly one-third of the Web apps available in Android Market and in Apple’s App Store make use of location data that can pinpoint the whereabouts of the device user, says Mahaffey.

But location-tracking introduces unprecedented privacy and legal concerns, says Hugh Thompson, chairman of RSA Conference, the top cybersecurity conference held annually in San Francisco. “Time-bomb may not be the right word, but there certainly are some interesting unintended side effects coming to light,” says Thompson.

A company manager could theoretically track what employees do in off hours and factor that into decisions for bonuses or promotions. Or an aggressive salesman could use location-tracking apps tied to services like popular services like Foursquare and Linked-In to track a rival’s travel schedule. The salesman could then piece together who is rival is making pitches to, then subsequently undercut him, says Thompson.

Currently getting a lot of discussion in legal and privacy circles is a scenario whereby a company gets sued and the court orders data seized from an employee-owned smartphone. “If I get this device I also get access to all this interesting personal data about the employee too,” notes Thompson.

McAfee’s Barnett observes that technology departments are being “asked to offer access to, while manageing and securing, mobile devices in a much faster, more complex way than ever before.”

“In the past we asked IT to issue a company-owned laptop, gave a few privileged users locked-down BlackBerries.” Says Barnett. “Today they’re being asked to accomplish a far greater feat.”

Companies are grappling with unforeseen security, privacy and legal conundrums introduced by a host of cool mobile devices flooding into the workplace.

Executives eager to sport the hottest tech gear and workers accustomed to mixing social and work activities on the go are multitasking on personally owned mobile devices in record numbers.

Workers are bringing mobile devices to work at such a scale that company security technicians can’t keep up. “It’s an impossible task,” says Patrick Sweeney, product management vice president at network security firm SonicWall. “Control of these devices has become very complex because of the varying software and device types.”

Results of a recent survey of 1,400 technology professionals in 14 nations show 21% of companies have no restrictions on use of personal mobile devices, while 58% have lightweight policies, and only 20% have stringent guidelines. The poll was conducted by security firm McAfee, a division of Intel.

“A lot of organizations have yet to really lock down mobile access,” says Jamie Barnett, McAfee’s senior director of mobility products. “That tells me there is definitely an opportunity for security and compliance gaps.”

An obvious risk: employee-owned smartphones, tablets and e-readers containing work-related materials that turn up missing. Some 40% of organizations responding to McAfee’s survey reported mobile devices lost or stolen, often involving the loss of critical business data.

What’s more, the cyberunderground is adapting hacks and scams — proven to work profitably on desktops and laptops — to Internet-connected mobile devices, says Anup Gosh, founder of Web browser security firm Invincea.

Worldwide smartphone sales are on track to top 467 million units this year, tablet PC sales should approach 70 million, and e-readers, 14.7 million, according to research firm Gartner. Two years ago, smartphone sales rang in at 172 million units, tablets, zero and e-readers, 3 million.

“As mobile devices become a replacement for the desktop computers, the problem of malware (malicious software) will grow significantly on the mobile platform,” says Gosh. “Unfortunately, the security industry has not developed products suitable for battery-constrained mobile devices, which makes it ripe ground for malware writers.”

Underground and legitimate researchers flushed out 163 fresh security holes in mobile operating systems in 2010, compared with 115 in 2009, says Dean Turner global intelligence director for antivirus giant Symantec.

It won’t be long before cyberthieves steal information off mobile memory cards and run networks of corrupted computers from mobile devices, Turner testified at a congressional hearing on cybersecurity threats recently.

They already are creating tainted apps, several of which have surfaced in the Android Market, Google’s official online store, says Kevin Mahaffey, chief technology officer at Lookout Mobile Security.

One recent attack spread corrupted versions of 50 legitimate game and entertainment apps, which were downloaded at least 250,000 times, Mahaffey says.

Of particular concern is location-tracking technology built into the hottest-selling smartphone and tablet models. Roughly one-third of the Web apps available in Android Market and in Apple’s App Store make use of location data that can pinpoint the whereabouts of the device user, says Mahaffey.

But location-tracking has introduced unprecedented privacy and legal concerns, says Hugh Thompson, chairman of RSA Conference, the nation’s top cybersecurity conference held annually in San Francisco. “Time bomb may not be the right word, but there certainly are some interesting unintended side effects coming to light,” says Thompson.

What if a company gets sued and the court seizes data from an employee-owned smartphone? Thompson posits. “If I get this device, I also get access to all this interesting personal data about the employee, too,” he notes.

McAfee’s Barnett says corporate technology staffers are asked to give corporate access to personal “mobile devices in a much faster, more complex way than ever before.”

“In the past, we asked them to issue company-owned laptops, give a few privileged users locked-down BlackBerrys, and that was it,” says Barnett. “Today, they’re being asked to accomplish a far greater feat.”

It’s not as if Google lacks privacy controversies to quell.

Yet Burson-Marsteller, a top-five public relations firm, is attempting to pile more on.

Burson last week stepped up a whisper campaign to get top-tier media outlets, including USA TODAY, to run news stories and editorials about how an obscure Google Gmail feature —Social Circle— ostensibly tramples the privacy of millions of Americans and violates federal fair trade rules.

Google said that Social Circle in fact allows Gmail users to make social connections based on public information and private connections across its products in ways that don’t skirt privacy.

Yet the PR stunt played out during a week in which Google was responding to a raid of its Seoul office by South Korean privacy regulators and was preparing for a U.S. Senate hearing today over the location-tracking feature in Android smartphones.

Pushed by two high-profile media figures — former CNBC news anchor Jim Goldman and former political columnist John Mercurio, both of whom recently joined Burson — the whisper campaign illustrates how privacy has become a lightning-rod issue. Goldman pitched the Social Circle issue as a huge privacy breach to Google users and an important story for consumers.

“Privacy issues are certainly complex,” says Maneesha Mithal, associate director of the Federal Trade Commission’s Division of Privacy and Identity Protection.

Goldman

Burson’s efforts, on behalf of an unnamed client, also highlight the delicate balancing act Google, Microsoft, Facebook and Apple face as they rush to profit from cutting-edge Internet services that tap into consumer data. Several pioneering privacy rights bills are gaining steam in Congress and in California. And Sen. Al Franken, D-Minn., chairs today’s hearing, where he is expected to grill executives from Apple and Google about how iPhones and Android smartphones keep precise track of each user’s whereabouts every day.

The tech giants “need to ensure that consumers understand their data is being accessed and used with proper controls to ensure its protection,” says Dan Hoffman, a mobile security expert at networking company Juniper.

Google, however, often pushes out new consumer services that affect privacy without clearly conveying what the technology does.

Earlier this year, it reached a settlement with the FTC for exposing Gmail users’ contacts as part of an ill-fated launch of its Buzz social network in February 2010.

And it faces probes in several nations and U.S. states for dispatching fleets of specially equipped cars through city streets to harvest data from wireless networks in homes and businesses.

“Much of Google’s privacy problems stem from the company’s culture,” says John Simpson, spokesman for the non-profit Consumer Watchdog. “They hire like-minded engineers who push the creepy line, then apologize when they get caught with their fingers in the cookie jar.”

Against this backdrop, Goldman and Mercurio began engaging reporters and technologists about Social Circle, casting it as a stealthy feature circulating potentially embarrassing information among Gmail users in ways that violate FTC rules.

Mercurio

In a May 3 e-mail to former FTC researcher and blogger Christopher Soghoian, Burson’s Mercurio offered to ghost write an op-ed column to that effect for Soghoian. Mercurio even offered in a widely circulated e-mail to help Soghoian get it published in The Washington Post, Politico, The Hill, Roll Call and The Huffington Post.

Meanwhile, Goldman connected with USA TODAY and outlined a news story critical of Social Circle.

However, Soghoian derailed Burson’s efforts by posting the full e-mail text of Mercurio’s pitch — along with his rejection — on the Internet. After Goldman’s pitch proved largely untrue, he subsequently declined USA TODAY’s requests for comment.

Meanwhile, Google began fielding media calls about the heretofore obscure Social Circle. The company acknowledges reviewing Mercurio’s pitch.

“We have seen this e-mail reportedly sent by a representative of the PR firm Burson-Marsteller,” says Chris Gaither, Google’s senior manager of global communications and public affairs, who assumes the e-mail exchange in fact took place. “We’re not going to comment further. Our focus is on delighting people with great products,” he said.

Social Circle’s intent

Gaither points out that Google’s Social Search, of which Social Circle is now part of, was launched in October 2009 as a tool to help remind Gmail users of the people they regularly e-mail or chat with, so-called direct connections.

The service also privately sends each Gmail user the names of “secondary connections,” a listing of the people each direct connection happens to be following publicly on the Web.

Google prompts Gmail users to voluntarily connect any accounts they have on Facebook, Yahoo, Flickr, LinkedIn, Quora, Twitter or Yelp to their Google profile.

Google then mines those connected accounts for individuals who become secondary connections.

“Social connections are based on publicly available information and private connections you have on Google products and services,” explains Gaither.

USA TODAY asked 26 avid Gmail users about Social Circle and found only two were vaguely aware of the service, while 14 said they would disable the service, if they could, citing privacy concerns.

Gaither attributes low awareness to the fact that Google purposely designs new features “to blend seamlessly … because that’s what our users prefer.”

That explanation works for Elizabeth Holst, 26, a grad student in Chicago, who acknowledges how difficult it has become to remain anonymous online.

“Why fight it?” Holst says. “And there is value in hearing about things from your friends.”

By contrast, Jason Gerdon, 29, a public relations professional in Costa Mesa, Calif., says he’d like to opt out of the service.

“I like having control over my connections,” Gerdon says. “Although this might be similar to Facebook or Twitter recommendations, this just feels more intrusive.”

Dion Moses, 25, a computer engineer in Ridgecrest, Calif., also wants out of Social Circle. “This is shocking,” Moses says. “I had no idea that Google was doing this, and I pay close attention to most technology news sites.”

The only way to disable Social Circle, Gaither says, is to stop using Gmail.

Chasing Facebook

Lee

Google’s push to proactively expand Gmail users’ connections, in fact, derives from Facebook’s stunning success at enticing its 500 million-plus users to voluntarily reveal their closest acquaintances, along with rich information about their preferences and online behaviors, says Kevin Lee, CEO of search consultancy Didit.

Google, by comparison, can really only profile Internet users based on their search queries and who they e-mail and chat with, Lee says.

The search giant generated $29.3 billion in revenue in 2010, mainly by selling sponsored ads to appear alongside specific search query results.

Facebook, a private company, is believed to generate about $2 billion in annual revenue by selling ads targeted to specific groups of friends, such as expectant mothers, recent retirees or frequent fliers, Lee says.

Social-networking sites — Facebook, in particular — are not without privacy problems. They face heightened scrutiny over their evolving privacy policies from consumers, privacy advocates and legislators.

While most Facebook users “freely provide information about themselves, it’s far less clear that they understand how that information is being used by Facebook or third parties to profile them,” says Opus Research analyst Greg Sterling.

Even so, Google has set out to emulate Facebook by using tracking programs and algorithms to connect more members from the top social networks to Gmail users.

“Google wants access to the dollars that Facebook is getting,” Lee says. “They’re trying to create a product that comes closer to mirroring Facebook’s ability to target specific groups of people for advertisers.”

As Google extends connections between Gmail and the top social networks, it risks upsetting at least some Gmailers.

“Users have a very high expectation of privacy in their e-mails,” says Kimberly Nguyen, consumer privacy counsel for EPIC.

Not long after airstrikes began in Libya earlier this month, certain attorneys at four U.S. law firms, known for having high-profile clients in the oil industry, each received a personally addressed e-mail message.

Each message carried an Adobe PDF attachment, purportedly an analyst report describing the impact of Libya’s uprising on oil futures. Each lawyer clicked on the attachment.

But the PDF was actually pre-set to deliver a quick-acting computer intrusion, says Chris Day, chief security architect at data security firm Terremark, who watched the attack unfold. Within a few seconds, the PC of each attorney who clicked on the attachment began sending a silent beacon to a command server controlled by the intruders.

Terremark alerted law enforcement, and the law firms were notified, cutting off yet another persistent intrusion — a distinctive type of hack that has quietly become a staple of the cyberunderground.

“We’re seeing criminal gangs using these tactics against commercial enterprises simply because they work so well,” says Day.

Such so-called spear-phishing attacks, which often enlist social-media tools to meticulously wedge into corporate networks, are increasingly used in computer thefts that pinpoint valuable corporate data, according to a report released today by IBM’s X-Force cybersecurity team.

“Cybercriminals have become more focused on quality of attacks, rather than quantity,” says Tom Cross, X-Force threat intelligence manager.

Elite cybercriminals are tapping into search engines and social networks to help them target specific employees for social-engineering trickery at a wide range of companies, professional firms and government agencies.

They wait patiently for an opportune moment to seed an infection, knowing they need only infect one well-placed PC to gain a foothold inside a company network. They then proceed to stealthily probe deeper over many months.

“It’s become very common for advanced groups to be in systems for a year or longer without being detected,” says Kim Peretti, forensics director at PricewaterhouseCoopers.

The booty of choice: intellectual property.

Proprietary intellectual property is generally considered twice as valuable as day-to-day financial and customer data, according to Forrester Research. A thriving criminal market has evolved for converting stolen trade secrets into cash, say security experts and law enforcement officials. Demand is being driven by Asian companies looking to undercut Western rivals, and by scam artists seeking to game stocks and commodities markets. Persistent intrusions keep stolen company secrets flowing into this underground market.

Cybercriminals have “shifted their focus to trade secrets and product planning documents,” says Simon Hunt, chief technology officer of McAfee’s Endpoint Security division.

Rampant attacks

Yet, only a minority of persistent intrusions are being detected, and fewer still are disclosed publicly, as companies are loath to announce that they’ve been breached. McAfee estimates that just three in 10 organizations report all data breaches.

Even so, a spate of high-visibility hacks that have recently come to light gives a glimpse at the scale and profitability of persistent intrusions.

Earlier this year, companies participating in Europe’s carbon registries lost some $50 million to an Eastern European gang that infiltrated their trading systems. Nasdaq last month admitted that intruders roamed undetected for at least a year deep inside its cloud-based collaboration service, called Director’s Desk, whose users are senior executives and board members of big public companies.

In a typical month, threat-detection company Mandiant is busy investigating some 30 to 40 persistent intrusions in organizations around the world. It’s just one of several security firms that specialize in such investigations.

“There have been thousands of compromised organizations in the United States alone over the last five years,” says Kevin Mandia, CEO of Mandiant. “In the last 18 months, we’ve responded to approximately 100 different organizations in North America and throughout the world who were hacked by criminals operating out of Asia.”

Criminal gangs in China, Russia and Ukraine, in particular, appear to be in the vanguard of such attacks, Mandia says. They’ve quickly and astutely moved to take full advantage of the corporate sector’s embrace of Internet-based technologies.

Social-media weapons

For instance, many attacks Mandiant has investigated began with the criminals doing reconnaissance on Google, Facebook, LinkedIn, Twitter and other popular Internet services to find companies to target — and pinpoint specific executives, researchers, analysts, engineers or key administrative assistants to attack.

The next step is to craft a spear-phishing lure designed to entice a specific employee to click on a viral attachment or Web page link, using information gleaned during the reconnaissance phase to make the attachment or link seem trustworthy. In 2010, criminals increasingly used e-mail, instant messages and social-network posts to spear phish targeted employees, says IBM’s Cross.

One enterprising gang recently put a twist into spear phishing by noticing that more than a few executives have a penchant for using Google Alert in connection with their names. Google’s free service will e-mail a Web link to the executive every time the search engine indexes a Web page containing a fresh news article mentioning the executive.

Boodaei

The intruders figured out how to inject an infection onto such Web pages at just the right moment, so the infection has a low chance of being detected and a high chance of appearing as part of a Google Alert arriving in the executive’s in-box, says Mickey Boodaei, CEO of security firm Trusteer. One way they do this is by putting up an infectious Web page that redirects to a legitimate Web page carrying a news article about the executive; the link between the bad and good sites is enabled just after Google indexing has occurred. “These targeted attacks are very powerful and should be taken very seriously,” Boodaei says.

Once an initial infection takes hold, persistent intruders seek to gain wider and deeper access to an organization’s network. This typically means pilfering a system administrator’s user name and password to gain escalated privileges; there are myriad proven techniques for accomplishing this.

With escalated privileges, the intruders can map the layout of the network and make note of key servers that control e-mail and store data. They also routinely disable antivirus protection and install “multiple backdoors with different configurations,” setting up options for re-infecting the network should they be detected, says Mandia.

In one case, a company discovered 100 infected computers, took them off line, and hired Mandiant to confirm its network was clean. Investigators found the intruders used backdoors to freshly infect 20 workstations and servers. By quickly removing the 100 infected PCs, the company alerted the intruders, who changed tactics. “The problem with immediately removing compromised systems is that it typically alerts the attacker and lets them know an infected system has been identified,” says Mandia.

Another pitfall for companies is not knowing what’s been stolen. Borrowing techniques developed in the cyberespionage world, persistent intruders can easily hide their tracks.

Few details have been disclosed about the Nasdaq breach last month, other than that “suspicious files” were found lurking for an extended period on a server supporting Directors Desk. Think of Directors Desk as a no-nonsense social network for very privileged users. Nasdaq describes it as a “complete turn-key, fully-hosted online board (of directors) technology solution, with over 5,000 users representing more than 175 organizations worldwide, including many Fortune 500 companies.”

Corporate treasures

Nasdaq quickly issued a statement saying “there is no evidence that any Directors Desk customer information was accessed or acquired by hackers.”

Nicholas Percoco, who heads SpiderLabs at data security firm Trustwave, and Uri Rivner, head of new technologies, identity protection and verification at RSA, security division of EMC, say it seems most plausible that whoever inserted the suspicious files used a classic persistent-intrusion attack.

Rivner

“Whoever did this was definitely targeting the Holy Grail of insider information,” Rivner says. “In the past year, we’ve seen more and more evidence of cybercriminals targeting specific individuals in private-sector corporations.”

Percoco says the intruders were “probably going after very valuable, company-confidential information, such as financial results prior to their being announced, mergers and acquisitions under consideration, company plans, product roadmaps, IPOs, all those types of things that would be available to members of a board.”

The quickest route to profits would be for the intruders to harvest insider information, then make trades to game the stock market. But it could take months or years for cyberforensics and market experts to ferret out evidence.

McAfee and Science Applications International recently surveyed 1,000 senior information technology professionals in the U.S., United Kingdom, Japan, China, India, Brazil and the Middle East. Some 25% of organizations participating reported they had a merger, acquisition or product roll-out “stopped or slowed by a data breach or the credible threat of a data breach.” And 62% of respondents expressed concern that securing company secrets is going to get more problematic with the rising use of Internet-connected smartphones, tablet PCs and e-readers in workplaces.

“Criminals are attacking corporate intellectual capital, and they are often succeeding,” says McAfee’s Hunt.