Cybersecurity: How Well Are We Protecting Ourselves?

In the past few years, about one private record for every two Americans has been stolen via data breaches alone. Internet crime's total yearly cost to U.S. businesses, including indirect expenses like paying employees to repair hacked systems, has risen as high as $67 billion, according to an FBI analysis last year. And public entities have a much greater challenge than corporations in protecting their information from cybercrimes.

Beginning in March, 102 employees of the IRS received phone calls, purportedly from the computer help desk, requesting their user names and suggesting they adopt a new password. The callers were actually U.S. Treasury auditors testing how easily hackers could access Americans' personal financial information.

The result: Too easily. Sixty-one tax workers complied.

The auditors, from the Treasury Inspector General for Tax Administration, conducted similar exams in 2001 and 2004, recording failure rates of 71 percent and 35 percent, respectively. Both times, the IRS took "corrective actions" to raise awareness about data protection among agency staffers.

But, as Treasury auditors dryly noted, those actions "have not been effective."

The appalling IRS performance highlights a crisis within America's elaborate system of sensitive data: Internet users, businesses and guardians of information alike are doing a terrible job of self-protection.

From eBay to Ford, from UCLA to the laptop on your kitchen table, Americans have left themselves vulnerable to vicious cybercriminal assaults. Citizens unwittingly click on Internet links that drop malware on their computers; major corporations allow PCs inside their firewalls to be taken over remotely by criminals; bureaucrats in charge of our precious private information can easily be duped out of their passwords.

In the past few years, about one private record for every two Americans has been stolen via data breaches alone. Internet crime's total yearly cost to U.S. businesses, including indirect expenses like paying employees to repair hacked systems, has risen as high as $67 billion, according to an FBI analysis last year. Hundreds of millions more are lost by Americans who fall prey to online scams or malicious software. Many who don't consider themselves "victims" may face higher bank fees or depressed investments from companies that took losses as a result of Internet crime.

'Botnet' warning: Computer-breach alert issued
Rick Wesson thought Oracle would be alarmed when he told Mary Ann Davidson, its chief security officer, that online criminals were assimilating several Oracle computers into robot networks, or "botnets," then using them to send malicious e-mail to PayPal customers.

Wesson, who has testified before Congress on cybersecurity, runs Support Intelligence, a start-up that helps businesses identify and track malicious traffic spewing out of their systems. His firm has reported finding bot invasions inside companies such as Intel and Aflac.

Davidson was hardly alarmed. She directed Wesson and his partner to the Oracle security group that manages the door locks and cameras, and watches the parking lot. An Oracle spokesman recently shrugged off Wesson's charges, suggesting the spammers may have cloaked their e-mails to make it seem as if they came from Oracle computers.

But Wesson said his firm corrects for such spoofing. To him, the episode was the latest in a disappointing series of incidents of avoidance and neglect on the part of big business in responding to botnets. A few computers sending out spam may seem harmless to many organizations, but compromised corporate machines could allow thieves to access documents rife with trade secrets, insider data in executives' e-mail, and databases of private employee information. (Intel and Aflac both confirmed isolated problems in which no data was compromised, and have taken measures to correct the vulnerabilities.)

Others support Wesson's findings.

Symantec estimates 4 percent of malicious Internet activity comes from networks of the nation's 100 largest companies.

"This has gotten deep inside corporate America; this is in government; this is everywhere," said Ashar Aziz, chief executive of Menlo Park, Calif., anti-botnet start-up FireEye.

Holes unpatched: Convenience often trumps security
Botnets are only the most recent Web threat to hit corporate America. If companies fail to regularly update their Web sites with software patches, hackers can take information or leave malware behind.

Just before the Super Bowl in Miami, sports fans who visited the Dolphin Stadium Web site received a nasty surprise. Criminals had hacked the system, implanting malware designed to infect the computers of unwitting visitors. The attackers then could log their keystrokes to steal credit card and banking information.

Jeremiah Grossman, founder of White Hat Security, a Santa Clara, Calif., start-up that businesses pay to hunt down vulnerabilities in their Web sites, says his company often finds holes that should have been patched years ago, even in its big-name clients' sites.

Corporate users often put their own convenience ahead of safety. Even senior executives find ways around security protections -- such as using instant messaging to move files from one computer to the next.

These same executives also limit how many millions of dollars they spend to prevent cybercriminal intrusions. In a 2005 survey by trade publication Secure Enterprise, 44 percent of security tech folks described their teams as "moderately" understaffed, with 21 percent calling themselves "severely" understaffed. The problem is especially pronounced at smaller companies. But PCs inside car dealerships, travel agencies and community credit unions all hold sensitive data attractive to hackers.

Security flaws: Millions of records exposed in attacks
Even the most alarmist security experts concede that corporate America is moving in the right direction. But the mounting list of successful cybercrime attacks is indicative of too many executives who have failed to take the problem seriously enough, or to act quickly enough to solve it.

More than 150 million records, from bank accounts to credit card numbers, have been exposed due to security breaches since January 2005. While only a fraction have led to fraud or identity theft, security experts agree that thousands of attacks go unreported each year.

Many companies still don't shield their most important information from outside hackers or rogue employees inside their own businesses. In fact, many are unaware how frequently sensitive digital files are left unprotected. Douglas Merrill, Google's chief information officer, said many businesses are stunned, after installing a Google device that searches through companies' digital documents, to learn how many files with critical information have been left unsecured.

Once criminals obtain account data, they can sell it on the black market, or use it to steal the identities of customers. And often the victims will never know exactly how it happened.

To this day, Emilie Johnson cannot say for sure how her identity was stolen, causing an East Coast company to bill her $800 for mobile phone charges in Pennsylvania.

Months later, Johnson, an environmental consultant, learned an impostor posing as a Ford Motor Credit employee had taken people's credit reports from credit bureau Experian -- mostly from affluent areas like Newport Beach, Calif., where she lived then. Johnson had financed the purchase of a 1999 Ford Explorer with a loan from the auto giant's credit subsidiary.

Johnson, like many identity-theft victims, spent hours convincing the phone company that she hadn't run up the charges. And like many others, she never reported the matter to police, though she did alert credit agencies.

The Experian impostor was caught and convicted, and Johnson thought the matter was behind her. But early last year, a collection agency pursued the debt yet again.

"You feel violated. Invaded," Johnson said of the experience. She now rarely makes purchases on the Web, worried that someone might break into servers somewhere and filch her information again.

TJX, the parent company of T.J. Maxx and Marshalls, revealed that during an 18-month period ending in January, hackers had stolen 45.6 million credit card numbers and other sensitive customer information. Many privacy advocates hoped the colossal attack would serve as a rallying cry for data security, just as a meltdown at Three Mile Island woke Americans to the dangers of nuclear power in the late 1970s. But the flood of news stories abated, and most Americans either forgot about the TJX attack or never knew it happened.

"TJX was not Three Mile Island," said Paul Ferguson, Cupertino, Calif.-based network architect for Tokyo security vendor Trend Micro. "It was like a radiation leak in a government lab that they covered up."

States pass laws: Large companies disclose breaches
In the three years since California and more than three dozen other states began passing breach disclosure laws, the vast sum of notifications has illuminated a disease that's infected many of America's most prominent businesses. EBay, Pfizer and Monster.com are among the most recent of hundreds of corporations that have disclosed breaches of their customers' or employees' sensitive data, according to Privacy Rights Clearinghouse.

But because data breaches are expensive, and because privacy breach laws vary from state to state, nearly one in three security incidents goes unreported outside the affected corporation, according to the Computer Security Institute's annual survey of several hundred companies.

"Nobody reports unless they have to," said Bruce Schneier, chief technical officer of BT Counterpane. Disclosures of breaches rose as states passed notification laws. But, he said, "you know you had just as many breaches before there was a law."

Public entities: Tight budgets, slow bureaucracies
In some ways, public entities -- from the Department of Education to the local school district -- have a much greater challenge than corporations in protecting their information from cybercrimes. Compared with most businesses, they're short on cybersecurity money, and suffer from sluggish, bureaucratic cultures.

The federal government has an embarrassing collective performance: One-third of executive branch agencies received a grade of "F" in Congress' Federal Computer Security Report Card for 2006. The departments of Defense, Commerce, State and Treasury all failed, even though an "A" grade requires only basic protection measures, such as an inventory of technology systems and proper reporting of security incidents.

Even public institutions conscientious about protecting data find the battle difficult. And an isolated mistake can have terrible consequences.

"It's almost hard to find the words to describe how stressful it was," Jim Davis, a UCLA associate vice chancellor, said months after the university suffered a gigantic breach.

Davis was first notified of the intrusion by technical staff last November, as he was sitting down to Thanksgiving dinner. Criminals had hacked into a university database that housed the personal information, including Social Security numbers, of the entire student body, along with alumni, applicants, faculty and administrators, including Davis -- 803,000 people, all told.

The technical staff in charge of the network discovered that an abnormal amount of information was flowing out of one set of servers. They unplugged the computers from the Internet and notified their bosses.

By the time Davis returned to UCLA after the holiday, they knew the basics: Hackers had taken advantage of a single Web software vulnerability to steal data. The university runs hundreds of Web applications; at the time of the breach, the hacked server was scheduled for a security patch.

The forensics team later deduced that the hackers were clever, blending stolen data in with normal Web traffic. It was just one slip-up by the crooks -- an atypical surge of data on Nov. 21 -- that revealed a yearlong hack had even taken place.
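The UCLA staff noticed the breach only because outbound volume from one server group spiked on a single day. As an added illustration that is not part of the original article, the following Python sketch shows the kind of trailing-window egress baseline that catches such a surge: it compares each day's outbound volume with the robust median of the preceding two weeks. All dates, server data and byte counts are constructed for the example.

```python
from datetime import date, timedelta
from statistics import median

BASELINE_DAYS = 14   # trailing window that models "normal" daily egress
SURGE_FACTOR = 3.0   # alert when a day exceeds the window median by this factor


def constructed_egress_series():
    """Constructed daily outbound volume (MB) for one server group.

    The slow exfiltration is hidden in the steady ~400 MB/day of normal
    traffic; only the last day carries an atypical surge (invented data)."""
    start = date(2006, 10, 25)
    values = [410, 398, 425, 402, 390, 445, 420,    # Oct 25-31
              415, 405, 430, 399, 412, 428, 418,    # Nov 1-7
              421, 409, 433, 415, 402, 427, 411,    # Nov 8-14
              419, 406, 424, 412, 417, 408, 1640]   # Nov 15-21 (surge on the 21st)
    return [(start + timedelta(days=i), float(v)) for i, v in enumerate(values)]


def find_egress_surges(series, window=BASELINE_DAYS, factor=SURGE_FACTOR):
    """Return (day, volume, baseline_median, robust_score) for each day whose
    outbound volume is more than `factor` times the trailing-window median.

    Median and median absolute deviation (MAD) are used instead of mean and
    standard deviation so that one earlier outlier cannot inflate the baseline
    and mask a later surge."""
    alerts = []
    for i in range(window, len(series)):
        day, volume = series[i]
        history = [v for _, v in series[i - window:i]]
        base = median(history)
        mad = max(median(abs(v - base) for v in history), 1.0)  # avoid div by zero
        score = (volume - base) / mad   # how many typical deviations above normal
        if volume > factor * base:
            alerts.append((day, volume, base, round(score, 1)))
    return alerts


if __name__ == "__main__":
    for day, volume, base, score in find_egress_surges(constructed_egress_series()):
        print(f"{day}: {volume:.0f} MB out vs. baseline {base:.0f} MB (robust score {score})")
```

In practice the same check runs per server, per destination or per protocol rather than on one aggregate series, since a surge spread across many hosts stays under the threshold of each one.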

It's the nightmare scenario of any official in charge of guarding personal data. Davis worried about how the breach could have occurred, what the criminals might do with the information, and how the school should respond.

He and his colleagues went far beyond what California law required -- they notified all 803,000 potential victims, rapidly setting up the equivalent of a nationwide direct mail and marketing campaign.

They are not aware of any fraud as a result of the attack, which remains unsolved.

Nevertheless, Davis said of the experience, "I use terms like 'life-altering.' People who go through this are not the same anymore."

Mortgage broker: E-mail appeared to be from eBay
If businesses and government agencies with million-dollar information technology departments are failing to adequately protect themselves, imagine the plight of private individuals who simply do not understand the risk, or momentarily let down their guard.

At times, the victims are Internet-savvy people like Danville, Calif., mortgage broker Robert Friedberg, who was tricked last year by a professional-looking e-mail that appeared to be from eBay.

Friedberg typed in his personal data: his Social Security number, bank account, ATM code. But as soon as he clicked "send," he broke into a cold sweat. Friedberg contacted eBay, learned he was the victim of a phishing scam, and put an alert on his credit record.

He turned out to be one of the lucky ones; no money was taken from his account.

One survey, by Gartner, estimated the average phishing victim lost $1,244 last year; another, by Javelin Strategy & Research, set the total five times greater. Gartner projected the total phishing losses to Americans last year as high as $2.8 billion. And that's just one of many crimes that result from Internet users' own errors.

There is an endless pool of inexperienced potential targets: Almost three in five Internet users admitted they had little to no knowledge of current online threats and scams, according to a Harris Interactive poll sponsored by Microsoft. About three new users worldwide log onto the Internet for the first time every second, according to Jupiter Research.

While nearly all PC owners have some kind of security software installed, less than half subscribe to a virus or security update service, according to preliminary data from an upcoming Gartner report. That leaves them vulnerable to the thousands of new Internet threats discovered every day, and those using unprotected wireless connections are even more at risk.

Even when they're aware of a threat, many still let their curiosity, fear and greed get in the way of Internet safety. Almost one in five Web users in the Harris-Microsoft poll said they had been the victim of an Internet scam, and 81 percent said they had taken an action that helped lead to the crime.

No doubt many Americans remain unaware of the danger. "Most people understand that if your car hits a wall, you are going to keep going through the window if you're not wearing a seat belt. But you kind of have to understand how a computer works to understand why a botnet matters," said Jose Nazario, a researcher at Arbor Networks.

While analysts quarrel over the true cost of cybercrime, the most conservative estimates place the amount, worldwide, in the tens of millions of dollars -- and some analysts peg the total at more than $100 billion.

The experiences of eBay lend credence to the more aggressive guesses.

In its 2006 fourth-quarter earnings report, eBay said the fraud loss rate at its payments subsidiary PayPal "increased significantly" during the second half of 2006 -- in a single quarter, eBay estimated losing more than $45 million on PayPal fraud alone, including cybercrimes. The problem continued in the first half of this year, though it declined during the most recent quarter.

At many companies that do business online, expenses like these are adding up. Banks and other financial services businesses, entities that stand to lose billions of dollars from cybercrime, are especially tight-lipped about the problem; they're required to submit reports of suspicious activities only in certain circumstances.

It's an issue the banks rarely discuss publicly, outside of campaigns to convince their customers that Internet banking is safe if they take proper precautions.

"We don't believe that online banking or brokerage or insurance are any more risky than offline ones. In fact, we generally believe it's less risky," said Leigh Williams, former chief privacy officer at Fidelity Investments, now president of BITS, the technology arm of industry trade group the Financial Service Roundtable.

But many companies that provide security for banks say cybercrime is hitting the financial-services industry harder than it lets on. "I don't think we're being alarmist," said SophosLabs global director Mark Harris. "The banks won't say it publicly, but privately they are very concerned about it."

While Williams claims that banks shoulder most fraud losses, outside analysts expect that, sooner or later, those costs will be recovered in higher ATM fees or finance charges for all customers.

The real cost may be yet to come, as the money cybercriminals gather goes toward staging even more damaging attacks. Every time a bank gives a refund to a customer who is a victim of a phishing attack, "they just financed some hacker in Romania to the tune of 10 to twenty thousand dollars per month," said former Gartner analyst Richard Stiennon, now at Sunnyvale, Calif., security vendor Fortinet. "That's a lot of money that's going to be refocused on bigger and bigger targets."


------
(c) 2007, San Jose Mercury News (San Jose, Calif.). Distributed by McClatchy-Tribune Information Services via Newscom.