They used to say that the most valuable thing was information. Then they said that the most valuable thing was people with information. Now it looks like the most valuable thing is information about information. That’s certainly what the new breed of computer hackers seems to believe.
Cyber security has been an issue for years. But cyber criminals — be they organized-crime gangsters, politically motivated “hackivists,” or even state-sponsored spies — are getting more clever. What’s particularly worrying is that their job is made easier by the very organizations they are all trying to penetrate.
That’s because of the amount of information that is publicly accessible — often inadvertently — through companies’ own web sites. The sites tell “spear phishing” cyber criminals much of what they need to know to launch targeted attacks, which in turn gets them what they’re ultimately looking for.
A recent report by KPMG highlights the threat: “Say, for example, that you made a donation to a local charity; in recognition, the organization lists your name on their website as a sponsor. Two days later, you receive an email from the Fundraising Chair asking you to confirm your donation. You open the email, fill out the form (being careful not to include any banking or sensitive information), and return it to the sender.
“But in reality, the email didn’t come from the charity at all; the attachment was, in fact, a high-quality fake containing a virus, allowing perpetrators to seize control of your computer, read your emails and record your passwords. Everything you know, they now know; everything you see, they now see. . . .”
Companies in Switzerland seem to be most guilty of so-called information leaking, followed by Japan, Spain, and Italy. Germany comes ninth in the top 10 countries leaking information. The United States is sixth, according to the study.
KPMG conducted research on the web sites of some of the largest companies in the world: the constituents of the Forbes 2000 annual ranking. It found that 78% of the sites leak some form of potentially useful information through document “meta-data”: information about a document or about its properties.
Using nothing but perfectly legal techniques, the audit firm downloaded almost 10 million publicly-available documents by carrying out the same preliminary steps that cyber criminals would, known as advanced persistent threats. It then used automated data tools on those documents to dig out such information as the user name of the creator, the network location where the document was filed, and the version of the software used to create the document. The information garnered included:
- 419,430 potential user names;
- 104,370 network folders and locations;
- 33,250 printer host names;
- 70,910 software applications and versions; and
- 342,040 e-mail addresses.
Those figures, the report says, show “the ease with which cyber attackers can target specific individuals and the vulnerable software versions that they may be using on their computers.”
It is, apparently, a simple thing to pay $200 (€160) on a web site for a bespoke Trojan e-mail that can use the accumulated data to target someone within a company.
Another part of the exercise studied Forbes 2000 web site structures in search of potentially sensitive file locations or “hidden functionality” that could be useful to hackers. Temporary files, administrative and private login portals for web masters, functionality that would allow software to be uploaded — all were found on corporate web sites. So, too, were file locations marked “private.” The banking sector was the worst offender when it came to revealing information about potentially sensitive file locations on web sites.
KPMG’s exercise also looked at postings on online forums and newsgroups, and found that information was being revealed in the postings themselves — put up by people with e-mail addresses from Forbes 2000 companies — that could be regarded as commercially sensitive.
The firm was also able to identify the specific web-server technologies and then cross-check that data against known security flaws: 8% of Apache web servers (the most commonly used technology) were found to be potentially vulnerable, as were 6% of Microsoft web servers. Switzerland, Liechtenstein, and Germany were among the top 10 countries having the most vulnerable web-server software.
Taking all these risks together, the banking and other financial institutions and the technology sectors were the biggest information leakers. That must be a surprise, given that these are the two sectors that would have been thought to be most aware of cyber threats and most familiar with the steps necessary to counter them.
Andrew Sawers is editor of CFO European Briefing, a CFO online publication.