Fasthosts hacked - are we all doomed?! By Stewart Twynham

19th Oct 2007

This week, the UK’s largest web hosting company revealed that its network security was compromised. Stewart Twynham investigates cyber crime and its impact on SMEs today and asks whether or not we should simply all give up and go home.

Just five years ago, the threat of cyber crime to small businesses was pretty minimal. Small companies were hit, but the attacks, though disruptive, tended to be relatively benign, with email worms and viruses having the biggest and most obvious impact. All this has changed with the realisation by many criminals that there is money to be made out of this kind of activity.

The Fasthosts hack
Fasthosts is one of the largest web hosting companies and looks after websites and email accounts for thousands of individuals and businesses. According to an email sent to customers, one of Fasthosts' internal servers was compromised in a way that might have allowed the intruder to gain access to usernames and passwords for the various services and accounts.

Internet service providers (ISPs) and hosting companies like Fasthosts have several things that would be of interest to an attacker, including e-mail addresses that can be harvested for spam and credit card numbers. A more likely possibility - though so far unconfirmed - would be to hijack websites to host phishing and spyware attacks. Phishing e-mails usually direct you to a website which looks like (for example) your bank. Sites used for phishing are shut down very quickly, so having a large stock of websites to host bogus sites would be very handy for a criminal. Fasthosts is not the only provider affected - last week we informed Pipex that at least one of its accounts was being used to host a spoof Nationwide website.

Plastic? That’ll do nicely
Most businesses believe that credit cards are the target of choice for most hackers. Certainly, they do get stolen, and often in large quantities. But the cards themselves are now almost worthless. In September, Symantec reported that credit card numbers are now worth as little as fifty cents a pop. You can even buy them on-line - presumably using an equally fraudulent credit card. Card providers are now quick to act when cards are used fraudulently, and can even spot abuse through ever more sophisticated anti-fraud software. The ability to spend using a set of stolen numbers is therefore quite limited today.

The rise and rise of identity fraud
Personal identities are now a hot favourite for criminals, bought and sold for as much as hundreds of dollars on the black market. The reason is simple. With your name, address, bank account details, national insurance number, date of birth and so on, it’s relatively simple for a fraudster to establish a line of credit, open accounts or take out loans in your name. And where you can put a stop on a credit card, you cannot so easily put a stop on your name.

The role of SMEs
I am told by business owners on a weekly basis: “We have nothing here that might interest a criminal”. Even when I discuss the importance of personal information such as bank account details and dates of birth, I’m politely but firmly reminded, “We make widgets, we’re not a bank, we don’t hold personal information.”

That’s when I ask to see their payroll software - and then the penny drops. Bank accounts, National Insurance Numbers, it’s jackpot time!

The bad news
The current threat isn’t from someone directly targeting the business but from ever more sophisticated and integrated spyware, often integrated with trojans and phishing attacks. A combination of dodgy e-mails and compromised web sites laced with Trojan-horse software allows attackers to lay a veritable minefield while they sit back and wait for the "money" - your information - to roll in. It is quite likely (although still only speculation at this stage) that Fasthosts was attacked in order to provide a staging post (ie e-mail and web hosting) for such a minefield to be planted.

In ye-olden days of cyber crime - about five years ago - high profile viruses that hit the headlines usually resulted in arrests for those responsible, even if they ended up walking free in the end.

Today’s malware is different and is rarely developed by the people that make the money. It’s sold on, over the internet, possibly modified, sold on again and then distributed into the wild. Even when someone’s PC becomes infected, the information gleaned is collated then sold on again. Money is made by everyone in the chain, but not directly from the victims.

If the police are called, the real criminals are far removed from the scene of the crime. It is, instead, the "mules" - the people who have bought stolen card details or IDs off the net and used them - who are traced.

The spyware business today is sophisticated, co-ordinated, profitable and dare I say it: professional.

The really bad news
There is no simple cure that will protect you from the latest threats. Your integrated anti-virus / anti-spyware software will afford some protection, but will only be as good as the last update.

You need to patch your systems (for example by performing your Windows Updates), but again there are plenty of attacks out there that have taken place prior to people like Microsoft even knowing that the vulnerability existed - what are known in the industry as "zero-day" attacks.

Even firewalls rarely offer the protection people think they do. I have spent the last five years looking at firewalls in businesses up and down the country and have never come across one that was set up correctly. Even when they are configured correctly, they can’t stop Mandy from sales walking in with a virus on her iPod.

The really REALLY bad news
With all this criminal activity, it’s easy to overlook all of the other things that still happen to your important data. Hard disks will still fail, rivers will still burst their banks and leave your server room under water, the building next door will still catch fire.

Furthermore, Mandy from sales could decide to take your company database home on her iPod, while Mike from accounts will still leave his laptop down the pub after the quiz night - the very laptop that he’s supposed to be running the payroll on the next day.

So here’s the deal…
If you’re in business, the chances are you do have information that’s important to criminals. Whilst your business may not be targeted directly, spyware distributed around the net could easily end up on your computers, compromising your business data. Spending money on software and firewalls and making sure your PCs are up to date will all help, but won’t take the problem away.

The best thing you can do for your business is to apply a little common sense - there is no need to run for the hills at this point!

If trojans and spyware are rife on the internet, don’t allow your internet banking computer or payroll computer to be used for general surfing or e-mail. Better still, keep some tabs on web surfing right across the whole office. After all, internet access at work for personal gain is a privilege and not a right.

Don’t allow people to start plugging in USB data sticks without some form of security check. Put some training in place for laptop users, and tick the box in Windows that renders any stolen data useless.

This isn’t a definitive list, but so far you’ve not spent a penny and dramatically improved your business’s security. If you’re serious, you could implement ISO27001, the information security management standard - if you’re a 50-employee company, it’ll probably cost you about the same as replacing your firewall.

At the very least, try to build a response to the security threat that’s at least as sophisticated and co-ordinated as the latest spyware attacks. And remember: you’ll never be completely safe, and to be fair you don’t have to be. You just need to be a bit safer than your competitors.

And finally: a word about Fasthosts
Fasthosts has already called in the police, and asked all its customers to change all their passwords, but details of what actually happened - including when and for how long - are still pretty sketchy.

Fasthosts is not the first UK hosting company and certainly won’t be the last to have had a major intrusion. The fallout from this may not be that great. Just imagine if it had been a job board or online CRM provider instead - both of which would be packed full of personal data. You have been warned.
