Book excerpt: Spies Among Us

1 2 3 Page 3
Page 3 of 3

This in no way removes the responsibility from the criminals for their actions. However, the fact that the systems were vulnerable to extremely basic attacks is completely unacceptable.

Storing unnecessary data

Alexey mentioned that in many of the systems he broke into, the computers held credit card numbers that were no longer necessary. They were remnants of previous transactions. Unnecessary storage of information, such as credit card numbers or other personally sensitive information, such as Social Security numbers, presents a vulnerability that should not exist.

Poor security awareness

The phishing tests that Alexey performed were extremely successful. This success is a result of poor awareness of the fact that you should never send personal information to a Web site that you are directed to by an e-mail. Although it could be claimed that Alexey, having performed his tests in early 2000, was an early pioneer in the phishing field, these attacks continue and are due to poor awareness.

From an alternative perspective, Alexey Ivanov himself demonstrated poor security awareness. He was committing major felonies and embarrassing his victims, and yet he gave out a great deal of his personal information. He and his accomplice bragged that they were untouchable by U.S. law enforcement and then they freely traveled to the United States for a job interview. Logical thought should have told Alexey to do otherwise.

Culture and international relations

This case demonstrates that Russia is a breeding ground for would-be computer criminals. There are many intelligent people who make little money. They have a basic computer education, and the information about hacking is widely available. They also have a large number of extremely vulnerable systems available to them, including systems that hold financial information. Again, this does not excuse criminal action but demonstrates the temptation to criminal action as a fact of life that no company can ignore.

This is compounded by the fact that an action considered criminal in the United States might not be criminal where the acts originated. That means that there is little likelihood that the local police will assist the victims, or even the U.S. government, in any way. You also have to consider that even if something is universally recognized as a criminal act, will local authorities actually care enough to take any actions against their citizens? In some cases, the criminal might be protected by the local police. Alexey's boldness was due to many of these issues. These are probably some of the reasons that the FBI decided to access the tech.net.ru computers without contacting Russian authorities first.

Password reuse

Alexey Ivanov demonstrated a common security vulnerability in using the same password for his laptop and for his account on tech.net.ru. After he gave up the laptop password, he gave the FBI all they needed to have full access to his most sensitive data.

This excerpt from Chapter 10 of Spies Among Us by Ira Winkler is reprinted with the permission of Wiley Publishing, copyright 2005.

Copyright © 2005 IDG Communications, Inc.

1 2 3 Page 3
Page 3 of 3
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon