All the Texas Auto Center ex-employee needed for that attack were credentials. His were suspended, but as a former admin, he just used someone else's that he happened to remember. Texas Auto Center was sloppy about its access controls and authentication and paid for it.
For a primer in just how potentially dangerous these sorts of attacks are, check out a November 2009 episode of 60 Minutes, which showed the world how easily a logic bomb could damage or destroy physical machinery. A test attack (called Aurora) hacked into a SCADA system and caused a power generator to self-destruct.
The insider attacks above share an important trait with cyber-warfare: the main intent is to disrupt and damage. More troubling are the ones that actually want to steal classified information (or protected IP), or simply learn enough about the target to cause all sorts of problems.
The Google penetration falls into that camp, as do earlier Chinese breaches into the U.S. intelligence and defense systems. The ZeuS and Bugat Trojans, both of which focus on gaining financial data, seek to gather specific data in order to steal.
Now, take those sophisticated malware tools (which anyone can buy online for a few thousand dollars, by the way), mix them with disgruntled workers and an outside entity seeking to steal or do harm, and you have a perfect attack storm.
Is there any proof that this sort of thing is happening? No. But it's probably just a matter of time before it does.
There are two even more flammable ingredients: mobility and social networks. "Malware used to be binary in nature, taking advantage of a particular vulnerability in a specific system," said Michael Sutton, VP of Security Research for Zscaler. Now, the software landscape is far more fragmented, with smartphones, tablets and other non-PC platforms complicating the picture, which is inspiring hackers to create more general-purpose malware.
"The future of malware, I'd argue, is Web-based worms. Then, it doesn't matter what device you are on," Sutton said. Malware also used to spread by hopping from device to device. The devices had to have the same vulnerabilities, or it didn't work. Now, malware is starting to target social networks, where it spreads from profile to profile to profile, growing exponentially, in minutes.
Twitter, Facebook and LinkedIn all have numerous security vulnerabilities. For social networking sites, the space is still a land grab and the point is to grow as big as you can as fast as you can. Security is considered a minor nuisance that the sites figure they can clean up later.
"As fascinating as it is to study new threats like Stuxnet, the majority of the threats to business are what they've always been," said Chris Larsen, head of Blue Coat Systems research lab. Social engineering attacks, especially for fake security products, are still some of the most common and most successful threats.
Larsen also discussed a particularly devious social engineering attack where the bad guys launched their targeted attack by focusing on a company's executives. However, instead of targeting the executives themselves, they went after spouses, the logic apparently being that at least one executive would have a poorly secured PC shared with a non-tech-savvy spouse. That PC would then be the beachhead into the company.
Blue Coat just released its 2011 Web Security Report, which investigated the changing threat landscape in detail. "One of the trends that is the most disturbing," Larsen said, "is that hackers are becoming more and more patient." They'll set up fake store fronts; they'll create "malvertising" campaigns; they'll build up a powerful botnet over time; and they'll often seek investments from other criminals to buy them the time to concoct slower, more elaborate attacks.
Hackers tend to be hackers, conventional wisdom goes, because they're greedy and lazy. Emphasis on lazy. Patient, determined, high-achieving hackers who have even greedier backers? Now that's really scary.
Based in Santa Monica, California, Jeff Vance is the founder of www.sandstormmedia.net, a copywriting and content marketing firm. He regularly contributes stories about emerging technologies to this publication and many others. If you have ideas for future stories, contact him at firstname.lastname@example.org or visit.