Thursday, August 4, 2011

HP reports 56% jump in cybercrime costs

Silicon Valley / San Jose Business Journal


The cost to business and government organizations of security and recovery connected to cybercrimes has risen 56 percent in the past year, a study released Tuesday said. The report by Hewlett-Packard Co. (NYSE:HPQ) said cybercrime costs to organizations it surveyed have risen to a median of $5.9 million a year, ranging from a low of $1.5 million to a high of $36.5 million.

Recovery and detection are the most costly internal activities, the report said. Over a four-week period, the organizations surveyed said they experienced 72 successful attacks per week, an increase of nearly 45 percent from last year. More than 90 percent of all cybercrime costs were caused by malicious code, denial of service, stolen devices and Web-based attacks.

The average time to resolve a cyberattack is 18 days, the report said, with an average cost of nearly $416,000. This is nearly a 70 percent increase from the estimated cost of $250,000 over a 14-day resolution period in last year’s study.

Results also showed that malicious insider attacks can be even more costly, taking more than 45 days to contain.


Written by Cromwell Schubarth.

Link to original article

Black Hat shows hacker exploits getting more sophisticated


By Byron Acohido, USA TODAY

LAS VEGAS — Fresh evidence that the Internet has become saturated with hacking groups relentlessly striving to crack into company networks grabbed attention as the Black Hat cybersecurity conference got underway here Wednesday.
  • By Sam Ward, USA TODAY

Anti-virus giant McAfee revealed how a single hacking group, dubbed Shady Rat, has infiltrated at least 72 companies and governments over the past five years, including some 49 victim organizations in the U.S.
And Dell SecureWorks senior researcher Joe Stewart presented results of his analysis of nearly 1,000 corrupted servers. Stewart isolated 18 servers actively being used to relay information to and from infiltrated PCs inside company networks to command servers in two regions of China.
Security analysts and researchers at the conference say that's the tip of the iceberg. Nation-state spies and cybergangs "are trying to get at sensitive intellectual property and government information every hour and every minute of the day," says Andy Grolnick, chief executive of tech systems-monitoring company LogRhythm.
The majority of hacks fail, but "sophistication is increasing, and some are getting through," says Grolnick. "There's value in the data they're trying to get at."
McAfee has been aware of Shady Rat's activities since 2009. Then, last March, Dmitri Alperovitch, McAfee's vice president of threat research, located a server storing a list of successfully infiltrated organizations.
Some 49 of the 72 hacked companies were in the United States, four in Canada and the rest sprinkled through Europe and Asia.
The hackers most likely targeted a specific employee to receive an e-mail carrying an infected Web link or attachment, then tricked the employee into activating the infected link or file, McAfee says.
McAfee declined to name any of the 72 organizations that were infiltrated. The shortest time the hackers remained inside a company's network was less than a month; the longest, 28 months.
Stewart's research zoomed in on two hacking groups going after intellectual property.
"The final destination for all the activity we're seeing is a couple of hubs in China," says Stewart. "It tells us that somebody has invested specific resources to control this operation."

Link to original post on USAToday.com

How Apple (unintentionally) revolutionized corporate IT


IT'S NOT ITS POSH DESKTOPS AND LAPTOPS THAT HAVE CREATED MAJOR CHANGES IN ENTERPRISE TECHNOLOGY. IT'S MOBILE.

By Aaron Levie, contributor
FORTUNE -- In 1997, Michael Dell famously declared that if he were CEO of Apple (AAPL), he would close shop and return the money to shareholders. Steve Jobs has had plenty of reasons to gloat since then, but even just a decade ago, Apple was a footnote in the story of modern computing. Despite the company's comeback success with the iMac, the vast majority of 'knowledge workers' still relied on their staid WinTel (Windows + Intel (INTC)) platform, with the occasional marketer, designer or developer opting for Apple's sleeker products. Naturally, Windows PCs were also the familiar, mainstream choice for our personal lives. And so it seemed that Apple would be relegated to devices for the hip digital consumer and creative elite.
But right when we thought we had Apple's place in the market pegged, they changed the world... with a phone. The iPhone's revolutionary combination of powerful apps, full web browsing, and all the media you could consume created an entirely new mobile experience for consumers and workers alike. Apple fed its newfound momentum with a deluge of subsequent products, ranging from updated iMacs to the Macbook Air. And with the iPad, Apple changed the world yet again only 36 months later. Fast forward to today, and Apple sits in the computer world's top position of power, controlling developers, devices, consumers, and much of the industry's overall direction.
Maybe its biggest impact of all, however, was one that Apple didn't necessarily intend.
For the better part of twenty years, Microsoft (MSFT) and a handful of other enterprise behemoths pretty much dominated the vertical stack of solutions that are core to the Fortune 500 and beyond. But if you ask around, not too many individuals or IT leaders are happy about this hegemony. Workers are quickly recognizing the stark contrast between the computing that occurs in their personal lives and the business status quo. In turn, they're bringing their own devices and apps to work, driving the emergence of an all-new technology landscape. This landscape isn't being targeted by Apple in any real way; the complexity, scale, security, and nuances of serving enterprises – not to mention the inherent need to work with all the major (non-Apple) platforms enterprises use – tend to keep Apple from building for this market. But even without making any direct enterprise play, Apple has had a profound influence on technology with its latest string of successes and by raising our standards along the way.
So while Apple isn't intentionally leading an enterprise technology revolution, its products are nonetheless catalyzing one. For instance, 88% of the Fortune 100 were testing or deploying applications on the iPhone last year. The downstream effect of more iPhones and iPads in the enterprise is more sales of Apple's flagship products, with Mac worldwide sales growing by nearly over 28% year over year – as Tim Cook, Apple's COO, puts it, "iPad clearly seems to be creating a halo effect for the Mac."
Why does this matter? Well, once an enterprise adopts iPhones, iPads, and Macs en masse (as they continue to, judging by Apple's most recent quarter), or even Android devices for that matter, many of the existing applications – be it a communication tool from IBM (IBM), or collaboration from Microsoft – serve less productive purposes given the new way people are working. The toolset today's workers interact with on an ongoing basis is experiencing a wholesale transition – a transition that's introducing us to the iEnterprise.
Take, for instance, Procter & Gamble (PG), who came to Box.net in 2008 looking for a solution that could help employees connect to and collaborate on their content remotely, when no existing vendor would suffice. Fast-forward to 2011, and they're now deploying Box cloud content management to 18,000 individuals, in large part due to the proliferation of new platforms and devices that have emerged in just the past couple of years. The same story is true for businesses of all sizes and industries, ranging from Pandora (P) to Dole. It's why we've seen adoption in 73% of the Fortune 500. And we're clearly not the only ones benefiting from and driving this dramatic evolution of needs and demands in the enterprise.
The iEnterprise isn't, as the moniker suggests, about enterprises that just implement products designed in Cupertino. It's about a fundamental change in how our enterprise technology is supported, adopted, and consumed. It's about the technology in our personal lives influencing and changing expectations in our professional lives. The iEnterprise isn't necessarily the convergence of the tools we use in these two worlds, but rather the consistency of ideals.
While Steve Jobs introduces new products with words like "delightful" and "amazing," this vocabulary is nonexistent within the enterprise software set. There are a number of reasons for this. There's often a lack of passion, and even a bit of apathy, that shows in the final product. Applications and services feel bloated and uninspiring. The apps and hardware that we spend most of our waking hours with - and the most money on - tend to be the most complex, clunky, and unnerving.
But like Apple, the iEnterprise is about vendors building technology that excites and surprises users. It's about solutions that work together, and about open ecosystems. It's about marketplaces that compete to win, and innovate to compete – a major break from the status quo, where vendor lock-in enables long cycles of limited product enhancements, simply because the customer has nowhere else to go (Redmond, ahem).
We're especially seeing it show up in the changing mobility of our enterprise offerings. Mobility used to be defined by quick and easy access to email or a conference call, led by Blackberry in the '90s and early '00s. The iPhone and iPad took this much further, and dozens of popular Android devices are now even making their way into large corporations. We're further seeing it with HP (HPQ) and its WebOS platform. Businesses can enable access to critical data, projects, or content through services like Salesforce and Roambi, Basecamp and Yammer, or Box, respectively.
The iEnterprise is also about broadly useful, powerful platforms that connect and become enhanced through integration: cloud-delivered applications like Salesforce (CRM) to run your sales organization will connect to your business information on Box or HR information on Workday; Netsuite will plug into your social software from Yammer; GoodData will help visualize your client community results from GetSatisfaction; and Assistly plugs your customer support flow into Google Apps, which wraps all of this up in a robust marketplace for businesses. The mixing and matching of services that's common in our personal lives is now extending to the enterprise, and in turn driving vastly more open solutions that are changing the enterprise landscape.
No, the Windows franchise isn't going anywhere. Inertia alone gives Microsoft another decade as the de facto enterprise operating system and software provider. With minimal innovation this could be extended even longer, but Apple has already made a profound impact by pushing us to rethink technology's role in our lives. It's changing the whole industry, and will have a lasting impact on our businesses.
We have higher and more pronounced expectations for how technology can transform our personal lives – and now our business lives, making us more productive and connected than ever before. Welcome to the iEnterprise.
--Aaron Levie is the CEO and co-founder of Box.net.
Link to original article

Hackers Shift Attacks to Small Firms

Recent hacking attacks on Sony Corp. and Lockheed Martin Corp. grabbed headlines. What happened at City Newsstand Inc. last year did not.
Unbeknownst to owner Joe Angelastri, cyber thieves planted a software program on the cash registers at his two Chicago-area magazine shops that sent customer credit-card numbers to Russia. MasterCard Inc. demanded an investigation, at Mr. Angelastri's expense, and the whole ordeal left him out about $22,000.
His experience highlights a growing threat to small businesses. Hackers are expanding their sights beyond multinationals to include any business that stores data in electronic form. Small companies, which are making the leap to computerized systems and digital records, have now become hackers' main target.
"Who would want to break into us?" asked Mr. Angelastri, who says the breach cut his annual profit in half. "We're not running a bank."
With limited budgets and few or no technical experts on staff, small businesses generally have weak security. Cyber criminals have taken notice. In 2010, the U.S. Secret Service and Verizon Communications Inc.'s forensic analysis unit, which investigates attacks, responded to a combined 761 data breaches, up from 141 in 2009. Of those, 482, or 63%, were at companies with 100 employees or fewer. Visa Inc. estimates about 95% of the credit-card data breaches it discovers are on its smallest business customers.
Hacking at small businesses "is a prolific problem," says Dean Kinsman, a special agent in the Federal Bureau of Investigation's cyber division, which has more than 400 active investigations into these crimes. "It's going to get much worse before it gets better."
In the time it takes to break into a major company like Citigroup Inc., a hacker could steal data from dozens of small businesses and not get detected, says Bryce Case Jr., a former hacker who broke into several government and corporate websites a decade ago and now runs an online message board for hackers called Digital Gangster. Now that small companies use computers, "the juice has become worth the squeeze," he says. "Even a pizza place has addresses, names and credit-card information."
Mr. Case, now a consultant in Colorado Springs, Colo., who helps small businesses identify security problems, has a trick for showing clients just how weak their systems are. He sometimes calls employees pretending to be a tech-department worker or consultant doing work for the boss and convinces them to tell him their passwords. "All you have to do is get a hold of one not-so-competent person and you're in," he says.
The fact that there are so many types of security threats makes it difficult for small firms to protect themselves. In April, the FBI issued an alert about a style of attack in which hackers steal a business's online banking login details and use them to transfer funds out of the business's account. That's what happened to Lease Duckwall just after 1 p.m. on Nov. 2, when someone logged into his company's bank account for Green Ford Sales Inc. in Abilene, Kan. The hacker added nine new employees to the car dealership's payroll and transferred $63,000 to them.
Mr. Duckwall learned about the transfers at 7:45 a.m. the next day. He called his bank, which froze the funds in six cases. But three payments had already been withdrawn by the recipients and the cash wired offshore.
"I don't have a clue" how or why his company was targeted, says Mr. Duckwall, who is still out about $22,000.
The costs of a breach can put a small company out of business. In 2006 and 2007, a Bellingham, Wash., restaurant called Burger Me LLC had its computerized cash register hacked. Criminals made untold numbers of fraudulent charges on customer credit cards.
After the incident, a credit-card company shut down Burger Me's account and put a hold on thousands of dollars in incoming payments, says Rich Griffith, its former owner. By late 2008, fees and lost business from not being able to accept credit cards put Mr. Griffith in so much debt—$12,000 for investigation and remediation costs alone—that he closed his formerly break-even burger joint.
The cyber attack "cost me my dream," says Mr. Griffith, 47 years old. The hacker who stole the data was never identified.
Financially motivated attacks typically rely on computer code that hackers plant on victims' computers, often as attachments or links in emails sent to employees. While these malicious programs are well known to security experts, hackers tweak them frequently enough to render them undetectable to antivirus software.
Bigger companies, while not immune, generally do a better job of protecting themselves. AT&T Inc., for example, has a command center with giant screens that track all the traffic on its network. Other large companies mine data for warning signs, taking note when an employee swipes an identity badge in New York only to log onto the network from California, for instance.
Smaller companies are less likely to grasp the security threat. A 2010 survey by the National Retail Federation and First Data Corp. of small- and medium-size retailers in the U.S. found that 64% believed their businesses weren't vulnerable to card data theft and only 49% had assessed their security safeguards.
One of the most common styles of attack on small businesses targets credit-card information that a hacker can sell or use to make fraudulent purchases. To gird against this, the major credit-card companies in 2006 formed an industry group called the Payment Card Industry Security Standards Council, which establishes minimum technical protections for businesses that accept credit cards.
While credit-card companies require all businesses that accept their cards to comply with those standards, known as PCI, they have few measures to enforce them for small businesses. Bob Russo, general manager of the PCI Council, says many small businesses neglect basic security measures such as changing default passwords.
Mr. Angelastri's case shows how even a business that tries to protect itself can fall victim to hackers.
A Chicago native, Mr. Angelastri, 52, started his company in 1978 when he bought out the small street corner newsstand he started working at after high school. Over the years, he grew his business to two 1,500-square-foot locations in Chicago and Evanston, Ill., carrying more than 5,000 different magazines.
City Newsstand didn't have a computer technician on staff. But Mr. Angelastri had decades of experience with computers after converting to a computer-based cash register in 1990. That first computerized register, known as a point-of-sale, or POS, system, wasn't hooked into the Internet. Every time it needed to process a credit card, it would use a telephone modem to log into the bank.
Four years ago, he upgraded to a now-standard Microsoft Corp. Windows PC that connected directly to the Internet. Mr. Angelastri didn't ignore security. He regularly updated the payment software on his computer to keep up with the latest standards. About two years ago, he got a local technology contractor to install a payment processing system called PC Charge, made by VeriFone Systems Inc.
On April 14, 2010, he received an email from Accelerated Payment Technologies Inc.'s X-Charge, a sales agent for his credit-card processor, saying MasterCard had identified "some sort of breach or compromise" within his system. It didn't specify what, and asked him to fill out a questionnaire and return it within two weeks.
Mr. Angelastri checked his systems and called in an outside technology consultant. That investigator found one problem on his computer—a piece of hacking software known as malware—which the investigator removed. Still, X-Charge kept forwarding him emails between MasterCard and a payment processor called Global Payments Inc. that suspected fraud.
After a sixth email warning in June 2010, Mr. Angelastri says MasterCard demanded he hire a forensic investigator to do a thorough review of his system, essentially a digital version of the investigations that police often conduct at crime scenes. Mr. Angelastri hired Chicago-based Trustwave Inc.
A Trustwave investigator worked at Mr. Angelastri's newsstand until 2 a.m. one morning looking for cyber clues as to how his system might be leaking credit cards to hackers.
The investigator discovered a program called Kameo was capturing everything that came into Mr. Angelastri's system before it even reached the PC Charge payment software. Kameo was exporting that information over the Internet, giving hackers credit-card numbers, customer names and other details.
It turned out the hackers had been lurking in his system since April 15, 2009. They had gained access to Mr. Angelastri's computer through a program he used to periodically access his technology system from outside the shop. The program could be used by anyone who knew the password, and he had picked an especially weak one: "pos," a common nickname for the cash-register software that was also the system's user name.
Bob Cortopassi, Accelerated Payment Technologies' compliance security officer, said the breach happened because of a "lack of basic security requirements" and isn't the fault of its payment system. MasterCard declined comment on Mr. Angelastri's case, and Global Payments declined to comment.
Security experts say hackers routinely scan the Internet for computers configured this way. Such searches are fast and easy, and often the computers they find have weak passwords.
The hack on Mr. Angelastri's newsstand highlights another murky area of cyber attacks. The people whose information is stolen often are never informed, despite varying state laws that require breached organizations to notify them.
Small businesses like City Newsstand don't typically record the names and contact information of their customers and payment-card companies discourage businesses from keeping credit-card data. Mr. Angelastri never learned exactly which of his customers were affected, or how many.
Many small businesses complain they get little support from law enforcement or the credit-card industry once they are hit. After the investigation, Mr. Angelastri sent the report back to his credit-card processing company. It demanded he improve his technology, including installing a new higher-grade firewall. He also cut off access to the open Internet for the computers with the cash register software. Now all they can do is pass information to the credit-card processor.
Mr. Angelastri says he is still paying off the $22,000 he spent on the investigations and security improvements. City Newsstand has thin margins, he says, on about $1 million in annual sales.
He reported the incident to the Chicago and Evanston police, but he never followed up. A spokesman for the Evanston Police Department said the department only has jurisdiction to look into crimes committed in the city, which it defines based on where the hacker is located. The Chicago Police Department didn't respond to a request for comment.
Mr. Angelastri also spoke a few times with the Secret Service, the federal entity charged with investigating hacking attacks, but he says that investigation didn't go anywhere. The Secret Service declined to comment.
Mr. Angelastri still doesn't know who attacked his system, but the hackers left some clues. Trustwave's investigation found that a Yahoo email address was receiving the data being collected by the hacker's malware. A message sent to that address by The Wall Street Journal wasn't returned. Yahoo said it doesn't comment on individual account holders.
The data also was being sent to an Internet server in Russia hosted by a Russian hosting company called FirstVDS, according to the investigation.
Aleksandr Belykh, the head of the abuse department of FirstVDS, said the user of the virtual server identified in the City Newsstand investigation is Russian, and his firm hadn't received any complaints about it. The company shut the account down in June after its owner failed to pay the bill. Mr. Belykh wouldn't disclose other details.
Mr. Angelastri still marvels that his business was attacked at all. "We thought there would be very little chance that somebody would come into a business of our size to pull off something like this," he says.
—Nonna Fomenko contributed to this article.
Link to original article