There have been recent reports that University of Toronto researchers have been observing the workings of a cyber-espionage botnet. This botnet, called the "Shadow Network", appears to be a network that targeted government, business and academic computers at the United Nations and the Embassy of Pakistan in the US, among others including the Office of the Dalai Lama, Tibet's spiritual leader. The researchers also found that the cyberspies responsible for the botnet (who, once again appear to be in China) had gained access to Indian government documents, some of which were marked as "secret", "restricted" or "confidential".
In response to this report, Lt-General P Mohapatra of the Indian Army has stated "We have put into place a very secure network and I can confidently say that it cannot be tampered with". "There are various cryptographic controls that we have put in place and there are training activities to ensure that no loss of information takes place", he added.
These comments concern me somewhat. Historically, just about any public claims that a computer application, system or network is completely secure and cannot be hacked is like painting a big red target on your back. Security researchers and hackers love a challenge. Hackers in particular love to prove that they are able to hack or crack something that is publically claimed to be totally secure.
A high profile example of this type of situation occurred in 2001 when Oracle launched an advertising campaign claiming that their Oracle 9i database was "unbreakable". They claimed that unauthorized users couldn't "break it" or "break in". Well of course, security researchers and hackers set to work in finding vulnerabilities and security flaws in the system, and not surprisingly succeeded. This made a mockery of Oracle's claims.
Another example, albeit less high profile but just as typical, came last year when an email security company offered US$10,000 to anyone who could crack the email account of the company's CEO. Their security product involved a special security code to be sent to the cell phone of authorized users in order to log in to their account. So what did an ethical hacker do? He simply used a cross site scripting (XSS) script to exploit a vulnerability in the company's website to gain access to the CEO's email account. The embarrassed company paid the person the US$10,000 reward and vowed to close the vulnerability. The ethical hacker didn't break the service's security system; he simply found a hole in the company's infrastructure to achieve the desired result. Remember – "There's more than one way to skin a cat".
So keep that in mind. While you might think that your system is secure, there are many ways an attacker could gain access to your information. Therefore a "defense in depth" approach when it comes to computer security is always best.
Lt-General P Mohapatra may be correct in believing that their system is quite secure. But if information is taken from this system and copied onto a less secure system – even if it is just temporarily – the information may be compromised while on the less secure system. This appears to be the case with the documents exposed by the Shadow Network.
And publicly stating your system is totally secure and cannot be hacked is never a good idea. Even if you think that may be true (which is probably not the case), don't publically say so. Many people thrive on challenges and saying that your product or system cannot be hacked is like waving a red flag to a bull.
Don't let complacency be your downfall. Be aware that there are many ways you could be attacked, use a variety of security measures to cover all the bases, and keep on top of the latest threats and developments to ensure you are always well protected.
Senior Cybercrime Research Analyst
Author ESET Research, ESET