Steve Goodbarn

I must applaud Brian Krebs for continuing to report on small businesses that are victimized by online banking fraud. His last several posts at Krebs on Security make me wonder why this problem does not get more publicity: N.Y. Firm Faces Bankruptcy from $164,000 E-Banking Loss and IT Firm Loses $100,000 to Online Bank Fraud.

Small business cannot survive if banking is not secure. If your money is stolen from a bank during a holdup you don't go bankrupt, but if it is account-specific bank fraud you do.

Small businesses need to have the same protections as consumers. If online banking is not secure it should not be allowed. It's that simple.

Siobhan Gorman of The Wall Street Journal writes today about a widespread hacking attack that stole vast amounts of corporate, personal, and government data, including data from at least 10 federal agencies. And the attack is ongoing. See: Broad New Hacking Attack Detected Global Offensive Snagged Corporate, Personal Data at nearly 2,500 Companies; Operation Is Still Running:

Starting in late 2008, hackers operating a command center in Germany got into corporate networks by enticing employees to click on contaminated Web sites, email attachments or ads purporting to clean up viruses, NetWitness found.

In more than 100 cases, the hackers gained access to corporate servers that store large quantities of business data, such as company files, databases and email.

They also broke into computers at 10 U.S. government agencies. In one case, they obtained the user name and password of a soldier's military email account, NetWitness found. A Pentagon spokesman said the military didn't comment on specific threats or intrusions.

At one company, the hackers gained access to a corporate server used for processing online credit-card payments. At others, stolen passwords provided access to computers used to store and swap proprietary corporate documents, presentations, contracts and even upcoming versions of software products, NetWitness said.

These attacks are getting worse because the fundamental software and hardware running the web is not secure and never will be. Let's look at just a few examples TODAY of these weaknesses:

• Adobe Reader and Flash - essential for reading documents and watching videos online: Adobe offers flawed version of Reader to masses after update.
• Cisco - Cisco patches multiple holes in its security products
• Microsoft: Got Bluescreen? Check for Rootkits
• Mozilla Firefox - Attack code for Firefox zero-day goes wild, says researcher

This is just from today and I have to stop myself before I unplug this laptop and head for the hills. We will never be secure online with these products.

But these weaknesses tell only part of the story. Notice my bold in the Wall Street Journal article. The attacks were carried out "by enticing employees to click on contaminated web sites, email attachments or ads purporting to clean up viruses". No software can stop that.

Human engineering will always be a vulnerability. But if the web had authentication, so the employee could validate the email and authenticate the web site, the chances of this attack succeeding are greatly diminished. And with email authentication it is unlikely the spam bot could survive to send the bad email in the first place. It is odd to me that DNSSEC adoption - which provides the needed authentication - gets so little mention in these articles. It is the obvious and least expensive, least disruptive solution.

The US Commerce Department's National Institute of Standards (NIST) has a DNS operations group that is shepherding deployment of DNSSEC within the Federal Government. They recently set up a site to monitor DNSSEC adoption status within agencies. The site can be found here: USG DNSSEC Deployment Status.

The list is not 100% complete, with OMB.gov missing, and including several state and local .gov sites. But it does offer a way to follow compliance with the OMB memo that required adoption by the end of 2009. There may be slow progress on compliance but at least it is progress.

The Wall Street Journal Reported Monday on increasingly focused cyber attacks on small businesses. See Wanted: Defense Against Online Bank Fraud Small businesses have been hit by a wave of cybercrimes. Here's how to protect your accounts.

I'm happy to see this topic get some coverage but the advice on how to protect against these attacks is more of the same "band aids", "bodyguards", "be really diligent" suggestions that do nothing to change the current unsatisfactory nature of cyber security.

Brian Krebs has a series of articles on specific attacks that circumvent much of our current defenses. Follow this link and view some of his other postings for more: Comerica Phish Foiled 2-Factor Protection, Krebsonsecurity.com.

What makes these attacks so scary is that there are no statutory requirements for banks to reimburse businesses for losses. If this happens in an individual account you are usually protected.

Many of these attacks begin with spoofed emails that direct you to spoofed sites that load malware onto your computer. Authenticated email would make this type of attack very difficult if not impossible. And how about having the bank site do some authentication beyond 2 factor?

Banks should be required to improve online authentication or they should be prevented from offering on-line banking to businesses. Times are difficult enough for a small business without the added risk of on line bank fraud. We can do a better job with existing technologies, including DNSSEC.