Google was attacked by hackers in China. Microsoft reports that they’re the target of hackers all day, every day. Now Intel is stepping forward, and admitting in their annual 10-K filing that they were the target of a sophisticated attack. Intel observes that it might be industrial espionage, or it might be “hackers seeking to harm the company.” It makes you wonder how many attacks on smaller organizations go un-reported, or indeed even un-noticed.
The section from Intel’s 10-K is more than a little vague:
We may be subject to intellectual property theft or misuse, which could result in third-party claims and harm our business and results of operations.
We regularly face attempts by others to gain unauthorized access through the Internet to our information technology systems by, for example, masquerading as authorized users or surreptitious introduction of software. These attempts, which might be the result of industrial or other espionage, or actions by hackers seeking to harm the company, its products, or end users, are sometimes successful. One recent and sophisticated incident occurred in January 2010 around the same time as the recently publicized security incident reported by Google. We seek to detect and investigate these security incidents and to prevent their recurrence, but in some cases we might be unaware of an incident or its magnitude and effects. The theft and/or unauthorized use or publication of our trade secrets and other confidential business information as a result of such an incident could adversely affect our competitive position and reduce marketplace acceptance of our products; the value of our investment in R&D, product development, and marketing could be reduced; and third parties might assert against us or our customers claims related to resulting losses of confidential or proprietary information or end-user data and/or system reliability. Our business could be subject to significant disruption, and we could suffer monetary and other losses, including the cost of product recalls and returns and reputational harm, in the event of such incidents and claims.
The old adage “Security is inversely proportional to convenience” rings true time and time again. I don’t know anything about how Intel has their internal network structured, but if any of their research computers are directly connected to the Internet then they’re at risk. Of course, even if Intel is using a physically separate network for R&D, cut off from the Internet, removable media can still be used to inject nasty targeted malware. I don’t envy the jobs of the network security folks at organizations like these.