Copyright 2010 The Washington Post
All Rights Reserved

The Washington Post

April 21, 2010 Wednesday
Suburban Edition

SECTION: A-SECTION; Pg. A15
DISTRIBUTION: Maryland
LENGTH: 692 words

HEADLINE: Google hackers duped company personnel to penetrate networks; Cyberattacks growing more sophisticated, experts say

BYLINE: Ellen Nakashima

BODY:

The hackers who penetrated the computer networks of Google and more than 30 other large companies used an increasingly common means of attack: duping system administrators and other executives who have access to passwords, intellectual property and other information, according to cybersecurity experts familiar with the cases.

"Once you gain access to the directory of user names and passwords, in minutes you can take over a network," said George Kurtz, worldwide chief technology officer for McAfee, a Silicon Valley computer security firm that has been working with more than half a dozen of the targeted companies.

Kurtz and others said hackers are mounting ever more sophisticated and effective attacks that often begin with a ruse familiar to many computer users -- a seemingly innocuous link or attachment that admits malicious software.

The attacks were publicized in January when Google, one of the world's most advanced tech firms, announced that intruders had penetrated its network and compromised valuable intellectual property. Google asserted that the attacks originated in China; Chinese officials say they are investigating.

The New York Times reported on its Web site Monday that the Google theft included source code for a password system that controls access to almost all of the company's Web services.

But the cyber-espionage campaign went far beyond Google, targeting companies with apparently strong intrusion-detection systems, including Adobe, Northrop Grumman and Yahoo, industry sources said.

A decade ago "it was the bad guys burrowing in, breaking through a firewall from the outside," Kurtz said. "Now, in essence, what they're doing is having good people on the inside unwittingly connect out to a malicious Web site where their machines can be infected."

Once a hacker can impersonate a system administrator or a senior executive, it becomes difficult to identify the attackers.

"Many of these other companies don't know if source code has been stolen because the hackers have assumed the identities of people whose passwords have been stolen," Kurtz said.

The hackers' goal, industry officials and analysts said, is to obtain information that benefits China in strategic industries and in areas where the country seeks an advantage over U.S. firms.

"The bottom line here is if your company has any business dealings with China or has extremely valuable technology or intellectual property, you have a high likelihood of being a target," said Rob Lee, a director with Mandiant, a security firm that is working with some of the targeted companies.

He said he believes the same group or groups that have targeted Google and the other companies have penetrated "hundreds if not thousands" more firms. They target not only system administrators but anyone with privileged access to a company's network, he said.

Figuring out whom to target and how is the result of research, said Shawn Carpenter, a principal forensics analyst at the security firm NetWitness whose former job involved trying to hack into government agencies' Web sites to help them find their weak spots.

"One of the first things we do is build up a dossier," he said. "What conferences has this person spoken at? What people do they know? Are they likely to open up this type of e-mail attachment if I spoof it as coming from a person who has sat on a panel with them?"
The essence of the attack is "exploiting those human tendencies of curiosity and trust," Carpenter said.

The targeting of personnel is only one aspect of a larger, more sophisticated operation that involves planning the mode of attack, reconnaissance inside a company's network, deciding what type of data to go after, and harvesting and analyzing the data, experts said.

"There's a life cycle of activities that occurs, involving many steps, both with human intelligence and electronic intelligence, to ultimately penetrate these organizations," said Eddie Schwartz, NetWitness's chief security officer. "When you're combining all of these techniques, this is the work of a highly organized group or groups that has specific targets in mind."

Staff researcher Julie Tate contributed to this report.

LOAD-DATE: April 21, 2010

2577415.1

Project EVEREST
Evaluation and Validation of Election Related Equipment, Standards and Testing

REPORT OF FINDINGS

Ohio Secretary of State Jennifer L. Brunner
Columbus, Ohio
December 14, 2007

Project EVEREST
(Evaluation & Validation of Election-Related Equipment, Standards, & Testing)
Risk Assessment Study of Ohio Voting Systems

Executive Report

Ohio Secretary of State Jennifer Brunner
December 14, 2007

Table of Contents

INTRODUCTION
OBJECTIVES
HISTORY
  OHIO’S PURCHASE OF ELECTRONIC VOTING MACHINES
  PUBLIC CONFIDENCE IN ELECTRONIC VOTING
  PROJECT EVEREST
STRUCTURE OF STUDY
SECURITY ASSESSMENT
  MICROSOLVED
    Method
    Findings
      Summary
      Penetration Testing: Specific Results
        Premier
          Description of the Premier System
          Physical Access Testing
          Network and Communications Access Testing
          File Systems Access Testing
          Baseline Comparison
        ES&S
          Description of the ES&S Voting System
          Physical Access Testing
          Network and Communications Access Testing
          File Systems Access Testing
          Baseline Comparison
        Hart InterCivic
          Description of the Hart InterCivic Voting System
          Physical Access Testing
          Network and Communications Access Testing
          File Systems Access Testing
          Baseline Comparison
    Suggested Improvements: All Voting Systems
    Summary of Boards of Elections Officials’ Review of MicroSolved’s Findings on the Security Assessment of the State’s Voting Systems
  UNIVERSITY RESEARCH TEAMS
    Method
    Findings
      Summary
      Specific Results: Source Code Analysis and Red Team (Penetration) Testing
        ES&S
          Failure to Protect Election