Steve Goodbarn

Siobhan Gorman of The Wall Street Journal writes today about a widespread hacking attack that stole vast amounts of corporate, personal, and government data, including data from at least 10 federal agencies. And the attack is ongoing. See: Broad New Hacking Attack Detected Global Offensive Snagged Corporate, Personal Data at nearly 2,500 Companies; Operation Is Still Running:

Starting in late 2008, hackers operating a command center in Germany got into corporate networks by enticing employees to click on contaminated Web sites, email attachments or ads purporting to clean up viruses, NetWitness found.

In more than 100 cases, the hackers gained access to corporate servers that store large quantities of business data, such as company files, databases and email.

They also broke into computers at 10 U.S. government agencies. In one case, they obtained the user name and password of a soldier's military email account, NetWitness found. A Pentagon spokesman said the military didn't comment on specific threats or intrusions.

At one company, the hackers gained access to a corporate server used for processing online credit-card payments. At others, stolen passwords provided access to computers used to store and swap proprietary corporate documents, presentations, contracts and even upcoming versions of software products, NetWitness said.

These attacks are getting worse because the fundamental software and hardware running the web is not secure and never will be. Let's look at just a few examples TODAY of these weaknesses:

• Adobe Reader and Flash - essential for reading documents and watching videos online: Adobe offers flawed version of Reader to masses after update.
• Cisco - Cisco patches multiple holes in its security products
• Microsoft: Got Bluescreen? Check for Rootkits
• Mozilla Firefox - Attack code for Firefox zero-day goes wild, says researcher

This is just from today and I have to stop myself before I unplug this laptop and head for the hills. We will never be secure online with these products.

But these weaknesses tell only part of the story. Notice my bold in the Wall Street Journal article. The attacks were carried out "by enticing employees to click on contaminated web sites, email attachments or ads purporting to clean up viruses". No software can stop that.

Human engineering will always be a vulnerability. But if the web had authentication, so the employee could validate the email and authenticate the web site, the chances of this attack succeeding are greatly diminished. And with email authentication it is unlikely the spam bot could survive to send the bad email in the first place. It is odd to me that DNSSEC adoption - which provides the needed authentication - gets so little mention in these articles. It is the obvious and least expensive, least disruptive solution.