physical/wireless incidents won’t happen to us!

From the “we’re too small/it won’t happen to us” file (and via infosecnews) comes this article about a crew of cyber-thieves who would break into business wireless networks or even physical buildings to do some digital mischief and steal money. This article seems well-written, and here are some key points I want to highlight:

The indictment accused the men of “wardriving” — cruising in a vehicle outfitted with a powerful Wi-Fi receiver to detect business wireless networks. They then would hack into the company’s network from outside, cracking the security code and accessing company computers and information.

Another way to say it, random guys wardrive and find random wireless networks to attack. And they do so!

In other cases, they would physically break into the company and install “malware” on a computer designed to “sniff out” passwords and security codes and relay that information back to the thieves.

Physically break into a business, and plant malware or other devices to try to get at juicier loot. That’s a pretty big deal and hard to find if you’re not specifically looking for something like that after a break-in.

It also means you have some decently intelligent criminals who aren’t necessarily doing what usually gets thieves caught: liquidating their loot or associations with other criminals. And they also can be pretty random with their attacks while they wardrive. Intelligent, random criminals with few opportunities to get caught until after the fact, are a typical nightmare for LEO.

As this next blurb says, debit cards and online purchases and things that make our lives convenient also make criminal lives convenient:

“Everything that makes it easy for us to do our business online makes it easy for them to commit crimes online,” Durkan said.

I also like this:

At Wednesday’s news conference, representatives from three of the victim businesses explained how they believed their networks were secure and how quickly the thefts occurred.

I really strongly believe all of the victims were small enough to not have a security role in their business, and likely no security interests other than anything learned in consumerland by employees and default physical security from their leasors.

The only way to fix that is continued proactive education and, unfortunately, examples and lessons from other victims. I’m not about to say they need to create a security role or get an in-house security expert, and maybe not even a high-end pen-test, but rather just pick up a local security expert for some verbal consultatation and some technical chops to do small-time assessments and fixes. That’s really all it takes to keep a business from being the easiest target on the block.

Also, don’t skip over the sidebar in the article, which contains some helpful tips. I’m actually a bit surprised by a few of them, as they’re good! (You can, however, skip over the comments, because they’ll make you feel dumber for having read them.