Scared Yet About Hackers?
Column: The Bleeding Edge
Exclusive Online Content from the April/May 2010 Issue.
If you are not yet concerned about hacking, the most recent news from the world of network security may not bother you. But it scares the hell out of me.
Consider a couple of simple points:
- A sustained cyber attack was launched last fall against hundreds of commercial websites and government sites, successfully penetrating the security of those systems and wreaking havoc on our ecommerce and defense systems.
- Law enforcement services successfully shut down a hacking network that in just 30 days penetrated 2,411 corporate computers, ripping from them all sorts of individual and corporate details of financial records and passwords.
We’ve heard stories like this so often that it has almost become like the “Boy Who Cried Wolf.” After all, these are sophisticated hackers who have powerful skills and would never bother with small and mid-range companies, right?
Wrong.
The Internet underground has advanced to the point where anyone with $325 and even basic computer skills can hack their way into corporate data systems and steal critical information.
Here’s the problem, according to security firm SecureWorks: There is a powerful, simple-to-use hacking program called ‘ZeuS’ — usually used as a ‘Trojan virus’ against banks — that is readily available on criminal forums.
Current versions of the ZeuS hacking tool sell for up to $10,000, and are used by elite cyber gangs to wire funds from the online banking accounts of small- and medium-sized businesses to their own accounts. But older, free versions of ZeuS work just fine for turning an infected PC into a bot and harvesting all the PC’s account logons that are stored in Web browser cookies.
For an additional $25, a criminal can hire a spamming specialist to send out email lures to 250,000 people enticing them to click on a corrupted Web link that will infect their PCs with the free copy of ZeuS. Spend a bit more, and the criminal can customize his viral spam to spread via Facebook messages and Twitter microblogs.
The only other thing that needs to be done is to shell out $300 to rent an Internet-connected server to collect and store the account logons that the bots will obediently harvest, according to SecureWorks.
In today’s economy, that is a powerful inducement to become a hacker and try to probe corporate networks. Not the ones operated by the big guys, who are likely to have sophisticated security departments. But the smaller companies, like the ones most accountants have as clients. Amateur crooks may already be at work plundering your clients of their cash. And because we refuse to believe they can do it more easily than ever before, they may well get away with it.
So how does an accounting firm protect itself and its clients from these attacks? The answer lies in four fairly simple precautions, though it is amazing how often these are overlooked or ignored. Here they are:





