It's a story straight out of a crime movie: You are a not-so-scrupulous businessman trying to get, let us say, an out-of-turn permit from a government department. You are confronted with this brutally honest officer who can neither be forced nor be lured with a bribe. If you are not vicious, you may accept your situation. But if you are, and tech savvy too, there's help at hand. Get hold of a professional hacker, pay him to plant illegal content in the officer's computer, and then tip off his boss.
Chances are that the officer would either be moved or lose his job.
The trouble is, this movie-like scenario has become reality. A recent investigation highlights how malware can plant illegal content, like child porn, on innocent people's computers without their knowledge, And it is not just citizens who could find themselves victims in trouble with law enforcement. Experts say that employees of the government departments may be even more vulnerable to this kind of attack by hackers.
"Government officials, due to the sensitivity of their position, tend to be a pretty desirable target for hackers anyway. So as an expert I would be a little bit more concerned if I were working in the government than may be an average citizen or even a high profile corporate chief," says Jeff Michael Fischbach, a Los Angeles-based certified forensic technologist.
He says, with the sophistication and complexity of hacking crimes, there are now a plethora of techniques and viruses that can plant illegal content into the computers of innocent people without leaving a trail.
Fischbach added that government officers particularly face much greater risks because, in the U.S. at least, most of their emails addresses and other electronic contact details are listed and are thus very easy to find.
The threat isn't as far-fetched as some might suppose. Take what happened to Michael Fiola, an ex-investigator at the Massachusetts Workers' Compensation Advisory in Massachusetts. A few weeks ago, an Associated Press (AP) investigation revealed that in 2007 Fiola was charged and eventually fired by the Massachusetts attorney general's office for storing child porn in his state-issued laptop.
Fiola was innocent in so far as he didn't put the porn there. But it took him 11 months of court battle and a quarter million dollars of legal fees to prove that he not commit this crime.
Moreover, his acquittal came quite by chance. A defense finding stumbled upon a virus in his laptop that was programmed to implement the physically impossible task of visiting 40 child porn sites per minute, reported Associated Press.
Beyond just a curious case of creative cyber-crime, security experts view this as yet another example of how sophisticated cyber-crime is becoming.
"Hacking is getting increasingly sophisticated. There are now a growing number of viruses that not just simply change files, but, with the help of botnets, are usually able to install multiple functionalities with objectives like searching hard drives, sending out emails, attacking other users, and even dumping illegal content on hard drives for a framing-up," says Jonathan Logan, a UK-based expert, with Roque Holding, a boutique security consultancy outfit.
"Threats from these hacking methods increase manifold for government departments and officials because besides economic profits, there are many other motivations; an attack can disrupt the operations of the whole department" added Logan. "Imagine how easy it would be to implicate or replace for instance a building inspector, who doesn't take bribes."
Experts say hacking has not only become sophisticated, it has also become cheap -- very cheap in fact.
"Some of the things you can ask for on the black-market is a botnet operator who will attempt to access to a specific computer, based on details like an email address, or all users that have a particular email address in their address books," says Logan.
"All this can come for a mere US $50 per thousand hacked computers," added Logan, "and most importantly, in very large and sophisticated spying cases, it is tremendously hard to trace back the source of the attack."
Consequently hacking attempts are getting increasingly frequent and regular. Estimates suggest that at any point in time there are over 100 million hacked websites. And it is not uncommon today for a medium sized hosting platform to experience several hundred hacking attempts per day.
"For servers that host sensitive websites like government departments, stock market brokers, banks, etc, the frequency of attempts could be much higher," says Logan.
According to security software maker F-Secure Corp, millions of PCs worldwide get infected every day with viruses that could give hackers full control.
Unnerving numbers indeed, but a bigger concern is, as says Logan, "there's very little a government department can do to prevent such attacks."
Typically complex network like those found in government departments, financial institutions, etc, need very high level of security to be sufficiently tamper-proof. "But the problem is, in doing so, machines become very difficult to be used by an ordinary user," says Logan.
"The other problem is that most average individual users in government departments do not really understand their own computer security," says Fischbach "They are usually relying on somebody else to interpret security for them. And when another person manages somebody else's computer security, it is rarely a number-one priority."
So, can a government department really do something to stop hacking attacks or frame-up viruses? Unanimously, experts say no. But it is possible to make it very hard for a criminal to hack into a sensitive computer.
For that they suggest a few safeguards, the most effective of which is to ensure that the user's online identity remains hidden.
"The first step is maintenance of a strict communication hygiene, which means that the user should make sure that an official computer is not used for any sort of private communication in the workplace," says Logan. "Do not surf sites that are not directly work related. Do not go to the bank. Do not send emails to your family or friends from the office computer. These reduce the vector of attacks to a large extent."
Other useful safeguards include exposing only those government computers that need Internet access. "Not all government computers require Internet access," says Logan.
Making sure that the only way of communication within the department is through servers of the department, is another safeguard; and important too is ensuring anonymity for network connections through data encryption. These, according to Logan, make hacking extremely costly, which is a natural deterrent.
"But the most important thing to remember is that humans are hackers' biggest vulnerability," says Fischbach. "One human click on the wrong link or one wrong plugging-in can create havoc for the whole network."
Photo by Asbjørn Sørensen Poulsen. CC Attribution-Noncommercial-No Derivative Works 2.0 Generic