Hacker highway
PUBLISHED : 11 Mar 2010 03:00:00 | Anthony Sibillin
In January, the web search engine company Google "detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China", says David Drummond, its senior vice-president, corporate development and chief legal officer. The discovery left many small business owners wondering whether they stood a chance of defending their infrastructure if the search giant couldn't.
Thanks to the internet and the digitisation of commerce, attacks on computer systems are becoming common. When successful, they can erase data, steal money from staff and customers, and even destroy an entire business.
However, while showing that no defence is impregnable, the Google attack is not an excuse for small businesses to ignore the threat, experts say. There are several lines of defence available to owners that won't cost the earth but will help deter all but the most skilful and determined cyber criminals.
Cyber crime thrives on opportunity and motive. While computers were "digital islands" connected intermittently by floppy disks, viruses and other malicious software (malware) spread slowly. By joining up these islands the internet has created a superhighway not only for information but for malware too.
In the driver's seat is a new breed of organised cyber criminal with very different motives from the lone hackers who used to make mischief by incubating viruses in university computer laboratories. Instead, these criminals want to make money - and lots of it, says Lloyd Borrett, the marketing manager at internet security software maker AVG Australia and New Zealand.
"It moved away from the teenage hacker about 10 years ago [and] it is now about organised cyber criminals, investing millions into making billions," Borrett says.
Alarmingly, it is now possible for an aspiring Australian cyber criminal without any technical expertise to buy a malware, phishing or spam service (see 'Top net threats') from a growing number of Russian, other Eastern European and Chinese suppliers.
"You can monitor the success they are having by the market price for their services," Borrett says.
Kaspersky Lab Australia and New Zealand, another internet security software maker, says that the number of malware programs more than doubled last year to 33.9 million.
Calculating how many of these attacks on Australian businesses take place "is difficult and [the number is] not readily available, which makes it difficult for small businesses to easily comprehend the overall threat risk," Kaspersky managing director Alexey Gromyko says.
"But it is growing," he warns.
"There is evidence in overseas markets that hackers and virus writers are targeting the small business sector as they have less security protection than large corporates."
Experts even attribute the higher price hackers charge cyber criminals for access to a Gmail account (about $80) over a Hotmail account ($1.50) to the popularity of Google's email service with business users.
Worse, automation lets cyber criminals test the defences of thousands of small businesses at a time, AVG's Borrett says.
"This is all automated. They are not making a conscious decision as to what they hack."
Instead, they discover a weakness or "exploit" in a widely-used software program, such as Microsoft's Internet Explorer web browser, then "work out an automated way to go and look for all websites out there on the internet that have got that exploit and hack it", Borrett explains.
Small businesses can be the victims. For example, malware that logs key strokes can reveal the user names and passwords of business bank accounts. A common phishing scam involves billing a business for renewing its website's domain name, even though the name is registered with another company.
But small businesses can also be unwitting accomplices in crimes perpetrated on others. Spammers can infect their computers or servers with malware, then use them to send thousands of unwanted emails. As well as consuming internet bandwidth that a business has paid for, it looks to recipients as though the unsuspecting business, and not the criminal, is sending spam.
Worse, Google and other search engines might also see it this way, and blacklist the small business from their listings. That is exactly what happened to several small business clients of a website developer on Victoria's Mornington Peninsula, Borrett recalls.
The developer was using website software that became the target of cyber criminals. "While it was a legitimate thing that he was doing, it was also one of the ways that the bad guys did bad things," Borrett says.
So Google banned all the developer's clients' websites. "If you Googled any of them, it would come up in the listing with a warning: 'This site might damage your computer'. So, suddenly, there is no or very little traffic going to these websites," he says.
It took Borrett 18 months to get the websites taken off Google's blacklist - that was too long for an online retail client, which was forced to fold after a dismal Christmas trading period.
Fortunately, there are things that a small business can do to reduce the chances it will be a cyber crime victim or accomplice (see 'How to protect your business online'). Internet security software from AVG, Kaspersky, McAfee, Symantec and other suppliers can catch all but the newest malware programs. And because their software also monitors computers and servers for any unusual activity, it can potentially block unknown malware threats too.
Until last year, national vending machine company NatVEND was typical of many small businesses. Individual computers and individual state offices were running different versions of antivirus software, often unlicensed and often only irregularly updated. "It was all over the place", IT manager Joseph Khoury recalls.
So NatVEND centralised internet security using software from AVG, which now protects all of the company's 60 machines. "We are catching viruses as they enter the organisation," and spending $30,000 less than before on internet security, Khoury says.
Borrett says a two-year licence costs $3500 for 50 computers connected by a central server, $880 for 10 machines and $575 for five. The fee is even lower for standalone computers ($384 for 10 computers and $220 for five machines).
The attacks on Google have been traced to two schools in China, one of which is linked to the military. While the Chinese government denies any involvement, the growing sophistication of internet attacks suggests that investing in security could pay for itself many times over.
How to protect your business online
1. Use a firewall
A firewall is your computer network's first line of defence against intruders. Firewalls can block all traffic between your network and the internet that is not explicitly allowed. Firewall software is built into operating systems and also comes in special purpose hardware.
2. Keep up to date with security patches
Most operating systems are supported by automatic updates - security patches - that fix vulnerabilities found in important software. You should either use the automatic update option, or subscribe to a security-related mailing list and install these patches when necessary.
3. Protect yourself against viruses
If you run an email server, you can install antivirus software at the server to filter out email viruses before they reach users. Each individual computer should also have up-to-date antivirus software. Viruses and worms spread fast, so your antivirus software must be updated regularly.
4. Use passwords that are difficult to guess
Mix upper and lower-case letters. Try to include some form of punctuation or digit in passwords. Do not use dates, dictionary words or things that can be easily determined such as phone numbers, car registration, friends' or relatives' names, or your name or employment details. Make sure you change passwords regularly and do not reuse them.
5. Delete suspicious emails immediately
Visiting websites by clicking on links in suspect emails may result in malware, such as trojans, being downloaded to your computer. Only open an attachment to an email if the sender and the contents of the attachment are known to you.
Source: Australian Communications and Media Authority
Top net threats
1. Viruses and malware
Viruses and other malicious software (malware) can alter or erase data and allow spammers and other intruders to use your computer and network. For example, key-logging trojan horses can collect sensitive user information such as banking details, and send it to criminals. Malware may also replicate and spread itself to other users.
2. Phishing
Phishing emails are sent from falsified or "spoofed" email addresses. Many phishing emails claim to be from a bank, online retailer or credit card company. These emails direct recipients to a website that looks like the genuine one of a retailer or financial institution, which is designed to encourage the visitor to reveal financial details such as credit card numbers, account names and passwords or other personal information.
3. Spam
Spam is electronic junk mail - unwanted messages sent to an email address or mobile phone. If you don't have effective security measures in place, spammers can infect your computer or server with malware and use it to send spam to other people without your knowledge or consent. If your computer is being used as a zombie, or your server is being exploited, the spam header information will show you as the source of the emails, even if you did not send them. This can result in search engines excluding your website.
Friends, twits and net flaws
Social networking sites can expose the minds and lives of "friends" in all their, often tedious, detail.
However, Facebook, Twitter and other sites expose small businesses to cyber criminals intent on stealing business and customer information.
"People often have a higher level of trust in clicking on items on social networks, so that can often lead to trouble," says Alexey Gromyko, managing director of internet security firm Kaspersky Lab Australia and New Zealand.
A United States survey by internet security firm AVG found that one in five social networkers accept "friend" requests from people they don't know.
"The fact that [sites] are so user-friendly makes them dangerous," says Lloyd Borrett, the marketing manager at AVG Australia and New Zealand. "You don't mind your friends knowing where you live, or when your birthday is, or what your mother's maiden name is, but if the bad guys manage to hack into your friend's account, then they find out that information as well."
Information such as dates of birth and mothers' maiden names is often used by banks to verify identities.
One Victorian logistics company has gone as far as banning social networking sites and file-sharing sites such as BitTorrent. Kagan Logistics network systems team leader Adam Lemieszek says the company uses a PacketLogic device, which costs about $10,000, to enforce the ban.
Short of imposing an unpopular ban, there are several things a small business can do to protect itself online, Borrett says, starting with ensuring employees do not use work emails and passwords to access Facebook and Twitter.
"Be careful what applications you agree to install," he says. "There are a million people developing applications for these sites and something tells me they are not all good guys."
BRW