After studying this section you should be able to do the following:
- Understand the source and motivation of those initiating information security attacks.
- Relate examples of various infiltrations in a way that helps raise organizational awareness of threats.
Thieves, vandals, and other bad guys have always existed, but the environment has changed. Today, nearly every organization is online, making any Internet-connected network a potential entry point for the growing worldwide community of computer criminals. Software and hardware solutions are also more complex than ever. Different vendors, each with their own potential weaknesses, provide technology components that may be compromised by misuse, misconfiguration, or mismanagement. Corporations have become data packrats, hoarding information in hopes of turning bits into bucks by licensing databases, targeting advertisements, or cross-selling products. And flatter organizations also mean that lower-level employees may be able to use technology to reach deep into corporate assets—amplifying threats from operator error, a renegade employee, or one compromised by external forces.
There are a lot of bad guys out there, and motivations vary widely, including the following:
- Account theft and illegal funds transfer
- Stealing personal or financial data
- Compromising computing assets for use in other crimes
- Protest hacking (hacktivism)
- Revenge (disgruntled employees)
Criminals have stolen more than $100 million from U.S. banks in the first three quarters of 2009, and they did it “without drawing a gun or passing a note to a teller” (Kroft, 2009). While some steal cash for their own use, other resell their hacking take to others. There is a thriving cybercrime underworld market in which data harvesters sell to cash-out fraudsters: criminals who might purchase data from the harvesters in order to buy (then resell) goods using stolen credit cards or create false accounts via identity theft. These collection and resale operations are efficient and sophisticated. Law enforcement has taken down sites like DarkMarket and ShadowCrew, in which card thieves and hacking tool peddlers received eBay-style seller ratings vouching for the “quality” of their wares (Singel, 2008).
Hackers might also infiltrate computer systems to enlist hardware for subsequent illegal acts. A cybercrook might deliberately hop through several systems to make his path difficult to follow, slowing cross-border legal pursuit or even thwarting prosecution if launched from nations without extradition agreements.
In fact, your computer may be up for rent by cyber thieves right now. Botnets of zombie computers (networks of infiltrated and compromised machines controlled by a central command) are used for all sorts of nefarious activity. This includes sending spam from thousands of difficult-to-shut-down accounts, launching tough-to-track click fraud efforts or staging what’s known as distributed denial of service (DDoS) attacks (effectively shutting down Web sites by overwhelming them with a crushing load of seemingly legitimate requests sent simultaneously by thousands of machines). Botnets have been discovered that are capable of sending out 100 billion spam messages a day (Higgins, 2008), and botnets as large as 10 million zombies have been identified. Such systems theoretically control more computing power than the world’s fastest supercomputers (Krebs, 2007).
Extortionists might leverage botnets or hacked data to demand payment to avoid retribution. Three eastern European gangsters used a botnet and threatened DDoS to extort $4 million from UK sports bookmakers1, while an extortion plot against the state of Virginia threatened to reveal names, Social Security numbers, and prescription information stolen from a medical records database (Kroft, 2009). Competition has also lowered the price to inflict such pain. BusinessWeek reports that the cost of renting out ten thousand machines, enough to cripple a site like Twitter, has tumbled to just $200 a day (Schectman, 2009).
Corporate espionage might be performed by insiders, rivals, or even foreign governments. Gary Min, a scientist working for DuPont, was busted when he tried to sell information valued at some $400 million, including R&D documents and secret data on proprietary products (Vijayan, 2007). Spies also breached the $300 billion U.S. Joint Strike Fighter project, siphoning off terabytes of data on navigation and other electronics systems (Gorman, et. al., 2009).
Cyberwarfare has become a legitimate threat, with several attacks demonstrating how devastating technology disruptions by terrorists or a foreign power might be. Brazil has seen hacks that cut off power to millions.
The 60 Minutes news program showed a demonstration by “white hat” hackers that could compromise a key component in an oil refinery, force it to overheat, and cause an explosion. Taking out key components of the vulnerable U.S. power grid may be particularly devastating, as the equipment is expensive, much of it is no longer made in the United States, and some components may take three to four months to replace (Kroft, 2009).
“Hacker”: Good or Bad?
The terms hacker and hack are widely used, but their meaning is often based on context. When referring to security issues, the media widely refers to hackers as bad guys who try to break into (hack) computer systems. Some geezer geeks object to this use, as the term hack in computer circles originally referred to a clever (often technical) solution and the term hacker referred to a particularly skilled programmer. Expect to see the terms used both positively and negatively.
You might also encounter the terms white hat hackers and black hat hackers. The white hats are the good guys who probe for weaknesses, but don’t exploit them. Instead, they share their knowledge in hopes that the holes they’ve found will be plugged and security will be improved. Many firms hire consultants to conduct “white hat” hacking expeditions on their own assets as part of their auditing and security process. “Black hats” are the bad guys. Some call them “crackers.” There’s even a well-known series of hacker conventions known as the Black Hat conference.
Other threats come from malicious pranksters, like the group that posted seizure-inducing images on Web sites frequented by epilepsy sufferers (Schwartz, 2008). Others are hacktivists, targeting firms, Web sites, or even users as a protest measure. In 2009, Twitter was brought down and Facebook and LiveJournal were hobbled as Russian-sympathizing hacktivists targeted the social networking and blog accounts of the Georgian blogger known as Cyxymu. The silencing of millions of accounts was simply collateral damage in a massive DDoS attack meant to mute this single critic of the Russian government (Schectman, 2009).
And as power and responsibility is concentrated in the hands of a few revenge-seeking employees can do great damage. The San Francisco city government lost control of a large portion of its own computer network over a ten-day period when a single disgruntled employee refused to divulge critical passwords Vijayan, 2010).
The bad guys are legion and the good guys often seem outmatched and underresourced. Law enforcement agencies dealing with computer crime are increasingly outnumbered, outskilled, and underfunded. Many agencies are staffed with technically weak personnel who were trained in a prior era’s crime fighting techniques. Governments can rarely match the pay scale and stock bonuses offered by private industry. Organized crime networks now have their own R&D labs and are engaged in sophisticated development efforts to piece together methods to thwart current security measures.
- Computer security threats have moved beyond the curious teen with a PC and are now sourced from a number of motivations, including theft, leveraging compromised computing assets, extortion, espionage, warfare, terrorism, pranks, protest, and revenge.
- Threats can come from both within the firm as well as from the outside.
- Cybercriminals operate in an increasingly sophisticated ecosystem where data harvesters and tool peddlers leverage sophisticated online markets to sell to cash-out fraudsters and other crooks.
- Technical and legal complexity make pursuit and prosecution difficult.
- Many law enforcement agencies are underfunded, underresourced, and underskilled to deal with the growing hacker threat.
Questions and Exercises
- What is a botnet? What sorts of exploits would use a botnet? Why would a botnet be useful to cybercriminals?
- Why are threats to the power grid potentially so concerning? What are the implications of power-grid failure and of property damage? Who might execute these kinds of attacks? What are the implications for firms and governments planning for the possibility of cyberwarfare and cyberterror?
- Scan the trade press for examples of hacking that apply to the various motivations mentioned in this chapter. What happened to the hacker? Were they caught? What penalties do they face?
- Why do cybercriminals execute attacks across national borders? What are the implications for pursuit, prosecution, and law enforcement?
- Why do law enforcement agencies struggle to cope with computer crime?
- A single rogue employee effectively held the city of San Francisco’s network hostage for ten days. What processes or controls might the city have created that could have prevented this kind of situation from taking place?
1Trend Micro, “Web Threats Whitepaper,” March 2008.
Gorman, S., A. Cole, and Y. Dreazen. “Computer Spies Breach Fighter-Jet Project,” Wall Street Journal, April 21, 2009.
Higgins, K. J., “SecureWorks Unveils Research on Spamming Botnets,” DarkReading, April 9, 2008.
Krebs, B., “Storm Worm Dwarfs World’s Top Supercomputer,” Washington Post, August 31, 2007.
Kroft, S., “Cyberwar: Sabotaging the System,” 60 Minutes, November 8, 2009.
Schectman, J., “Computer Hacking Made Easy,” BusinessWeek, August 13, 2009.
Schwartz, M., “The Trolls among Us,” New York Times, August 3, 2008.
Singel, R., “Underground Crime Economy Health, Security Group Finds,” Wired, November 24, 2008.
Vijayan, J., “After Verdict, Debate Rages in Terry Childs Case,” Computerworld, April 28, 2010.
Vijayan, J., “Software Consultant Who Stole Data on 110,000 People Gets Five-Year Sentence,” Computerworld, July 10, 2007.