SPECIAL TO THE WEB
Contributing Writer, Fraud Magazine
"Israel, all your base are belong to us," tweeted hacker group Anonymous when, in support of Gaza militants, it launched millions of cyber attacks against Israeli government and corporate websites in November. According to media coverage, the hacktivist offensive brought down more than 600 Israeli websites, deleted the databases of the country's Ministry of Foreign Affairs and the Bank of Jerusalem, and exposed more than 2,000 email addresses and passwords.
"With cyber-attack losses on the front page yet again, CFEs should reiterate to clients that tomorrow's headlines might report the theft or disclosure of their most valuable and confidential information," said Jim Butterworth, CFE, an ACFE faculty member and chief security officer at HBGary, a cyber security firm in Sacramento, Calif.
"Such losses often have reputational, political or strategic consequences," he said. "But if management isn't equally mindful of a successful cyber attack's negative financial impact, information security will seem like a cost. In fact, it's an essential investment in organizational survival. Treating it as anything else is negligent."
An introduction to Butterworth's proactive recommendations on this subject appeared in Fraud-Magazine.com's November 2012 Special to the Web article, "Cyber-Attack Vector? Who, Me?" This article continues that discussion.
FAMOUS LAST WORDS
"It's just WordPress," a company's overconfident system administrator recently told Butterworth after bringing him in to perform a routine security audit of the HBGary client's corporate system. (WordPress is a free and open-source blogging tool and content management system.) Butterworth had drawn the admin's attention to PHP blogging software files on the company's Web-connected server — an apparently harmless presence that in fact was cleverly concealing the means through which hackers were surreptitiously accessing proprietary corporate information. Unfortunately, by the time the client engaged Butterworth, its server had already been infected and its data stolen.
Coined in the 1990s, the acronym PHP is short for Personal Home Page — the versatile open-source scripting language whose English-like syntax non-programmers use to automate commands in their WordPress blogs and other web applications. Savvy hackers now hide powerful malware in WordPress PHP files — where only trend-aware security professionals would think to look for it.
"Blog-embedded malware is a new weapon in the hacker arsenal," Butterworth said. "But note that WordPress is not innately an attack vector. The vulnerability occurs when a company that has WordPress on its server doesn't properly configure it to resist hacker intrusions. Every organization should employ IT professionals who know how to detect and prevent such attacks. A company will get more than its money's worth; those staff members will be very busy."
Recent history bears this out. A media report quoted analysts from Kapersky Lab, a global IT security consultancy headquartered in Moscow, as saying that as many as 100,000 WordPress installations were infected early in 2012 — 85 percent of them in the U.S.
Hackers reportedly loaded onto these blog sites programming code that silently redirected visitors to the hackers' servers, which detected the operating systems on victims' PCs and sent customized malware to do the hackers' bidding. Many of the infected computers were Macs.