Andy Greenberg, 02.17.10, 07:00 PM EST
As cyberspies multiply and evolve, the military says many defense firms remain woefully insecure.
For anyone who has a security clearance and doesn’t believe the U.S. faces a cyber-espionage crisis, Steven Shirley has 102 stories to share with you.
That’s the number of cases in which Shirley’s team of Pentagon researchers discovered cyberspies breaching the networks of government agencies, defense contractors and other organizations with ties to the U.S. Department of Defense, gaining administrator-level access with the aim of stealing military secrets.
Almost every breach his agency investigated, Shirley says, began when an employee was sent a highly targeted and convincing phishing e-mail that spoofed a trusted sender. When the recipient opened a file attached to that message, the file used a flaw in the target computer’s software to invisibly plant malicious software on the machine and give that software access to the user’s network. (Finnish cybersecurity firm F-Secure recently found one such booby-trapped PDF intended to infect an Air Force computer using a vulnerability in Adobe Reader.)
"We were surprised to see that even companies that we regarded as tech savvy in a lot of cases had significant vulnerabilities correlated with inattention to the basic blocking and tackling of information assurance," says Shirley. "The most popular password in the world is still ‘password,’ and we still see that from time to time even in these companies."