According to today’s Wall Street Journal, “data compiled by NetWitness . . .  showed that hackers gained access to a wide array of data at 2,411 companies, from credit-card transactions to intellectual property.” 

Starting in late 2008, the hackers are said to have gotten into corporate networks using social engineering methods.  Employees were enticed to click on Web sites with malware or email ads purporting to clean up viruses.   NetWitness claims that in more than 100 cases, the hackers gained access to  servers holding large quantities of data such as databases and email.

As more firms deploy forensics experts such as NetWitness to audit their networks, we will see more and more Wall Street Journal articles demonstrating just how systemic these breaches are in corporate America.  Unfortunately, it is very difficult to “unlearn” clicking on images thrown your way on a computer screen.  It takes time and training.

According to a report by McAfee, in the last three months of 2009, about 1,095,000 computers in China and 1,057,000 computers in the United States were infected and made part of botnets used to send spam or attack Web sites.  Those numbers are in addition to the 10 million previously infected computers in each country. 

Stewart A. Baker, the former assistant secretary for policy at the Department of Homeland Security, points out the obvious in the Washington Post article describing the report when he says the number of botnet computers in a country says more about the vulnerability of the computers than about those who infected them.   Indeed, having so many hacked computers may indicate that China is not the source of as much malicious conduct attributed to it.   Baker points out:  “A nation that might want to use botnets as part of an attack probably would want to have its own computers bot-free and commandeer computers in other countries.”   Although it would be easy to cynically surmise that US interests are using Chinese computers while Chinese interests are simply commandeering US computers, we have a wide world of hackers that makes assigning blame much more complicated.

While the blame game plays out, China continues to deny any government role in hacking or network exploits and has purportedly cracked down on “hacking training sites” as per this recent article in China Daily.  According to the article, Black Hawk Safety Net was the largest hacker training site in China.  It openly recruited members,  disseminated hacker techniques, sold Trojan software and maintained online forums.  Those who ran the Black Hawk Safety Net were arrested under a new Chinese law that criminalized the offering of online attacking programs and software.   The article reports that Chinese Police used more than 50 officers to investigate the case.

Although it remains to be seen whether the widely publicized Google attacks  emanating from China were orchestrated by the Chinese Government, it does not really matter.  What is clear is that these sort of sophisticated attacks are not going away any time soon.  Whether attacks are caused by Chinese nationals, the Chinese Government or other foreign hackers,  companies need to put their combat boots on and throw away the old rules of engagement.  War is being waged against your business.  Protect your digital assets or risk everything.  It’s that simple.

After interviewing 5,000 folks, the latest annual Javelin study claims that the number of identity fraud victims in the United States increased 12 percent to 11.1 million adults in 2009, while the total annual fraud amount increased by 12.5 percent (or $6 billion) to $54 billion.  

The report claims that small businesses are sustaining the most hits:  “They suffer identity fraud at one and a half times the rate of all other adults. By using their own personal accounts for business transactions, they are at a greater risk of exposing themselves to identity fraud.”  And, the report suggests that because small businesses are more at risk they “need to implement safety precautions online and offline, and should consider employee background screening checks as a precautionary measure.”

According to the report:

The economic downturn is partially to blame for the rise in identity theft, and identity thieves are increasingly using more sophisticated and varied methods to obtain the personally identifiable information (PII) of consumers. Fraudsters are becoming more sophisticated and more aggressive, and their organized approach to online fraud through a myriad of threats and scams makes it harder to detect.  Fraudsters are also increasingly targeting – and taking over – multiple accounts of their victims, collectively going after checking accounts, credit card accounts, mobile phone accounts, and Internet accounts in one full sweep.

Using a combination of sophisticated malware, keystroke logging, and phishing attacks, fraudsters are able to use organized crime to steal identities. And social networking has introduced yet another means for consumers to exposure their personal information to wider audiences, providing another avenue for fraudsters to conduct their scams.

When it comes to pointing out security threats and exposures, the report’s above descriptions do not really shine a light on anything new or startling.   What is helpful, however, is their pointing out just how widespread and pervasive these exposures are to small businesses – helpful commentary that cannot repeated often enough.

Twitter disclosed yesterday that it had to reset some passwords due to an exploit that really could have hit any company.  In essence, certain visitors to a fake peer-to-peer search engine signed up for an account using the same username and password they used on their Twitter accounts.  The owners of the fake P2P search engine used this information to access the users’ Twitter accounts.  This exploit is not surprising given that a majority of online banking customers reuse their login credentials on other websites.  Accordingly, standing alone, this would have little impact on Twitter’s security standing.  Unfortunately, there have been more incidents.

On January 5, 2009, several dozen Twitter accounts were hacked, including one belonging to our president.  On May 21, 2009, Twitter’s name was used in a phishing exploit that sent users emails notifying them of new followers and included a link to a fake Twitter site.  There were also security incidents in April and June.  In fact, one analyst has gone so far as to claim Twitter’s security posture is weak enough to be called “security Swiss cheese.”

Why pick on Twitter?  Afterall, yesterday our Director of National Intelligence told members of the Senate’s Select Intelligence Committee that  malicious online activity is growing at an unprecedented rate.  As Dennis Blair put it, “in the dynamic of cyberspace, the technology balance right now favors malicious actors rather than legal actors, and is likely to continue that way for quite some time.”  

The reason to mention Twitter is because their new user growth has slowed down.  Big time.  According to a Hubspot Report, Twitter’s new user rate of growth has gone from 13% in March 2009 to 3.5% for October 2009 (the last month tracked).  

Although Twitter may have lost steam as a social networking tool simply because the novelty has worn thin, it is also likely the case that its public security failings have slowed growth.  It is very likely that the current stagnation in growth is even worse given that it is estimated about 25% of accounts have no followers and about 40% of accounts have never sent a single Tweet.  Why bother signing up for something you likely will not even use if you are skeptical of its security?   Simply put, there is no reason to take a chance on a new company if public security lapses make you feel insecure about your data.

All of this points to the need for better security; and more importantly, the use of a directed marketing message that highlights security best practices.  This strategy would not only serve to benefit social networking companies.  All companies holding personally identifiable information need to get their network security and privacy (NSAP) marketing message out to potential clients.  In other words, NSAP processes and procedures are not just tied to risk management and compliance, they directly relate to a marketing message that should lead to an increase in profitable new business.