Electronic security is back in the news: eBay has announced that it was hacked a while ago and is asking users to change their passwords. There is also the Heartbleed bug – a serious flaw in secure connections that has affected a large number of hitherto secure websites, allowing secure connections to be mimicked or broken.
Veterinary websites and computer systems are no different. Don’t be tempted to believe we are too small or low-volume to be worthwhile working on. Much of “hacking” these days is automated by programs and can be set running, scanning the internet for computers that respond in a vulnerable way, and then set to work cracking those computers.
A security flaw in a computer or network can be exploited and used in a number of different ways, not just stealing credit card numbers (although that is the most obvious). Hacked computers can be used to steal user data, passwords and login information, or taken over as part of a “botnet” – a network of hacked computers all surreptitiously running programs like spam and junk mail senders, or being used to participate in Distributed Denial of Service (DDoS) attacks to deluge targeted computers with junk traffic to close them down.
I have seen a practice’s main records server set up as a games server so that people could log in and play Counter Strike or poker. This isn’t as harmless as it sounds because not only does it slow the computer down, but the computer’s address is broadcast all over the world as a compromised computer ripe for the taking.
Just as illness and medicine change so does computer security. One of the latest avenues of attack isn’t to try taking over computers themselves, but the boxes that connect them all together – the routers.
It is easy enough to write a prescription to improve any one computer or network’s security to the point where it’s more hassle than it’s worth for 95% of networked miscreants to try taking it over (a good antivirus suite, a firewall and some system settings are the minimum), but hardening a network router against attack is another kettle of fish entirely and can be highly technical.
It may be that a change in the market more than 10 years ago has finally come back to haunt us.
Stay with me here…
(Note: common reasons for updating firmware include fixing bugs or adding features to a device.)
In no time at all public-spirited people around the world had written alternative firmware for this one low-cost router, giving it features only seen on others costing hundreds or thousands of pounds. This turned routers from fairly dumb switches and boxes into low-power computers that could do stuff by themselves (most decent routers these days run versions of operating systems like Linux). In doing this, though, they seem to have opened the door to hacking in unexpected ways.
Many people, when they subscribe to a broadband provider, plug in the supplied router and leave it alone. This is fair enough; networking is an arcane and mysterious art which does not lend itself well to consumer adjustment. However, the result is that there are now thousands or millions of routers, all acting as gatekeepers to people’s home networks, which have been plugged in, switched on, and left alone. All of them running mini computers. All of them forgotten about because they are totally and utterly trusted. All of them carrying the information you send to, and receive from the internet, whether encrypted or not.
If and when a security vulnerability is found in one of them – for example, one of the routers supplied by BT or Sky or any broadband provider – there are instantly thousands or millions of them vulnerable to attack.
One of the most chilling things I have ever seen was a screen grab in a recent issue of PC Pro magazine in an article about the so-called “darknet” – anonymous and virtually untraceable global networks where anonymity is enforced by using special encryption and routing software (used for lots of perfectly legal as well as illegal purposes). On one website, accessible only via the darknet, people sell their skills for a price, and for about £500 someone advertises their skills as being able to “ruin somebody e.g. planting […] pornography”.
If nothing else this one advert should prompt you to take computer security seriously!
In a slightly more prosaic way the Information Commissioner’s Office (ICO) will also take a dim view of companies who lose or leak client information and who did not take precautions against the loss. Named and shamed companies can be found at http://ico.org.uk.