About a year ago, a Kansas City-area clothing company wired $40,000 to China.
And why not? It had been doing business with a supplier in the country. It got word that payment was due. Gotta keep the gears of business turning.
But, you guessed it, the money went to the wrong place.
Someone had hacked into the company’s computer network, eavesdropped on the Kansas City firm’s emails with a legitimate Chinese partner and then fired off a cleverly disguised message posing as that same supplier.
“The hackers lie in wait long enough until the timing is right,” said Tony Sheets, the CEO of Umzuzu, a Mission-based firm that had helped the clothing company with security. “They copy the digital signature at the end of the email. They set up (an Internet) domain that looks like the real guy.”
It’s the sort of flub that looked so obviously avoidable in retrospect. (Sheets said it carries the cardinal lesson that when somebody asks for money online, pick up the phone to verify who’s asking.)
Yet the case illustrates a still-growing problem. The Internet isn’t as safe as we’d like. Keeping yourself or your employer sheltered from thieves or embarrassment is a hassle that’s not going away.
In the end, analysts see no way to be bulletproof against malicious hackers.
The best you can do, they say, is make it tough enough that they’ll prod at the defenses of someone else. Then back up everything and scramble it with encryption so you won’t be sunk when you ultimately get hacked.
Some 375-plus professionals gathered Wednesday at the Overland Park Convention Center for SecureWorld — where cybersecurity specialists schooled one another on the latest dirty online tricks and how to guard against them.
It’s an industry growing in tandem with black-hat hackers, often based overseas. They exploit technical gaps in computer firewalls and exploit the people on the other side — folks like you who think RufflesTheCat is a reasonable password or who don’t notice the difference between GreatBigCity.com and GreatBigClty.com (a “l” subbed in the second, bogus address for the “i” in the first).
The stakes climb with nearly every new “smart” technology in our amazingly wired world. Last year, two hackers working from a living room couch used a laptop to commandeer a Jeep over the Internet.
This month, researchers from the University of Michigan and Microsoft will present findings about how a Samsung “smart home” system can be hacked so outsiders can control a home’s lights or open a door without tripping alarms.
Meanwhile, FBI officials have told companies stung with ransomware — software that locks up your data and frees it only after you pay — that their best option might sometimes be to pony up bitcoins to the extortionists.
In a memo issued last year, U.S. defense officials described their far-flung computer networks as being under constant barrage from hackers.
“The vulnerability of these networks has grown substantially in parallel with our increasing dependency on them … (allowing intruders) to steal important information, expose non-public information, interfere with operations and conduct other malicious activity.”
It reported more than 30 million “malicious intrusions” from September 2014 through June 2015. Of those, less than 0.1 percent “compromised a cyber system.”
The Pentagon, Google, Apple and Microsoft are Fort Knox.
Their holdings are vast and invaluable, and guarded accordingly.
Your company’s computer network, by comparison, probably runs behind the equivalent of a home alarm system. It’s not easy to bust in, but it can be done.
Meanwhile, your home computer or iPhone — less tempting, but still holding some loot — operates, at best, protected by a flimsy door lock.
Consider the job of Jason Cradit, director of cloud architecture and security at TRC Cos. That includes the unending chore of keeping online hooligans from poking around in the engineering firm’s records on oil and gas pipelines.
“We get daily attack attempts,” he said.
Sometimes they can number in the dozens, people using “phishing” methods that try to trick people on the company’s network into sharing passwords or other keys to the kingdom on websites that look legitimate but aren’t.
Imagine the havoc if Iranian agents, or Islamic State terrorists, figured out where pipelines are corroded and thus especially vulnerable. Or if they could disrupt supplies to power plants and threaten the electrical grid.
For all the techno-locks baked into a computer network, Cradit said, “people are absolutely the weakest link.”
They click on the wrong website. They download spyware posing as a family photo in an email. Then they get too embarrassed to tell the tech guys who might be able to stop the resulting damage.
The problem, he said, comes in the various costs. What cubicle peasants haven’t rolled their eyes at changing their password every two months, at having to craft it with so many odd characters that it looks like something copied off the side of a pyramid?
Then you have to use two-factor authentication — pulling up a constantly changing number from an app in your smartphone. Security experts love the two-factor system, but it’s a pain in the ’net.
“It’s horrible,” Cradit said.
Workers could be spared some of that bother, and get more security, by investing in some gadgetry. Cradit points to biometric innovations like that sold by Kansas City-based EyeVerify, technology that authenticates users’ patterns of blood vessels in the whites of the eye.
But those things cost money. That, analysts say, is why some companies don’t adopt every protection they can.
Those in the cybersecurity industry say companies are reluctant to invest in protections. You only ever see the cost of not doing it, rather than some flashy profit it might generate.
“Companies need to realize how often other companies are getting infected and that it’s not worth it to put things off,” said Vinny Troia, the CEO of Night Lion Security in St. Louis. “It’s going to be even more expensive if you can’t get into company files some day.”
Sheets, the security expert at Umzuzu, also sees room for virtual street smarts.
Always look at the return email address. Does the message appear to come from the company it represents? (And beware that GreatBigClty.com-style ruse.)
Same goes for a website. If the address doesn’t start out with www.amazon.com, then it’s not really the giant retailer. Do the logos on a website or email look fuzzy? That probably means they’re cheap screen grabs from an imposter.
Is the grammar, punctuation or capitalization goofy? That’s a strong warning that a scammer from China or Eastern Europe is pretending to be someone they’re not.
“It comes down to telling your employees to be careful,” Sheets said. “Use some sense.”