by Ondrej Krehel
With the New Year upon us, I’ve been thinking about some of the larger or more interesting security cases of 2010. One of the oddest happened in January, when hackers managed to steal carbon credits.
Yes, that’s right, the same carbon credits that may help prevent global warming. With the Kyoto Protocol, 191 countries, including all of Europe, agreed to a cap and trade system in which the total number of carbon emissions is limited per region. Businesses that produce less carbon then they’re allotted can sell those credits—the amount of pollution they aren’t polluting—to other companies.
This move created a huge market. More than 8 million tons of CO2 emissions were traded in Europe in 2009, worth more than $130 million. Then hackers got into the system.
With a rather conventional attack—a targeted phishing scam—they hit businesses connected to the German Emissions Trading Authority. Emails looking like they came from the Authority redirected the targets to a fake Authority site that asked them to re-register their accounts.
Seven companies fell for it. Using their login credentials, hackers drained 250,000 carbon permits worth $4 million and promptly resold them to other companies. One firm lost a reported $2.1 million.
Now people love to argue the ins and outs of global warming—is it due to man, is it a natural warming, etc., etc.—but this case demonstrates something there’s no argument about: the need for security education, as well as thorough security measures. Locked doors are great—but not particularly effective if there’s a window open.
It’s easy to blame the guy who fell for the phishing scam and jeopardized his company, but that’s hardly a solution, especially when hackers routinely look for the weakest link. In this case they sent 2,000 phishing emails and caught seven fish. We all know that a multilayered authentication process is better than a simple username and password.
Whatever the computer system, no matter how sophisticated the security, if people with access to the system don’t have proper security training—and at least understand the basics of staying safe and the methods of the most common scams—all that security could be for naught.
Ondrej Krehel, Chief Information Security Officer, Identity Theft 911
Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.