Information Systems: A Manager's Guide to Harnessing Technology, v. 1.1

13.2 Why Is This Happening? Who Is Doing It? And What’s Their Motivation?

Thieves, vandals, and other bad guys have always existed, but the environment has changed. Today, nearly every organization is online, making any Internet-connected network a potential entry point for the growing worldwide community of computer criminals. Software and hardware solutions are also more complex than ever. Different vendors, each with their own potential weaknesses, provide technology components that may be compromised by misuse, misconfiguration, or mismanagement. Corporations have become data packrats, hoarding information in hopes of turning bits into bucks by licensing databases, targeting advertisements, or cross-selling products. And flatter organizations also mean that lower-level employees may be able to use technology to reach deep into corporate assets—amplifying threats from operator error, a renegade employee, or one compromised by external forces.

There are a lot of bad guys out there, and motivations vary widely, including the following:

• Account theft and illegal funds transfer
• Stealing personal or financial data
• Compromising computing assets for use in other crimes
• Extortion
• Espionage
• Cyberwarfare
• Terrorism
• Pranksters
• Protest hacking (hacktivism)
• Revenge (disgruntled employees)

Criminals have stolen more than $100 million from U.S. banks in the first three quarters of 2009, and they did it “without drawing a gun or passing a note to a teller.”S. Kroft, “Cyberwar: Sabotaging the System,” 60 Minutes, November 8, 2009. While some steal cash for their own use, other resell their hacking take to others. There is a thriving cybercrime underworld market in which data harvestersCybercriminals who infiltrate systems and collect data for illegal resale. sell to cash-out fraudstersFirms that purchase assets from data harvesters. Actions may include using stolen credit card numbers to purchase goods, creating fake accounts via identity fraud, and more.: criminals who might purchase data from the harvesters in order to buy (then resell) goods using stolen credit cards or create false accounts via identity theft. These collection and resale operations are efficient and sophisticated. Law enforcement has taken down sites like DarkMarket and ShadowCrew, in which card thieves and hacking tool peddlers received eBay-style seller ratings vouching for the “quality” of their wares.R. Singel, “Underground Crime Economy Health, Security Group Finds,” Wired, November 24, 2008.

Hackers might also infiltrate computer systems to enlist hardware for subsequent illegal acts. A cybercrook might deliberately hop through several systems to make his path difficult to follow, slowing cross-border legal pursuit or even thwarting prosecution if launched from nations without extradition agreements.

In fact, your computer may be up for rent by cyber thieves right now. BotnetsHordes of surreptitiously infiltrated computers, linked and controlled remotely, also known as zombie networks of zombie computers (networks of infiltrated and compromised machines controlled by a central command) are used for all sorts of nefarious activity. This includes sending spam from thousands of difficult-to-shut-down accounts, launching tough-to-track click fraud efforts or staging what’s known as distributed denial of service (DDoS)An attack where a firm’s computer systems are flooded with thousands of seemingly legitimate requests, the sheer volume of which will slow or shut down the site’s use. DDoS attacks are often performed via botnets. attacks (effectively shutting down Web sites by overwhelming them with a crushing load of seemingly legitimate requests sent simultaneously by thousands of machines). Botnets have been discovered that are capable of sending out 100 billion spam messages a day,K. J. Higgins, “SecureWorks Unveils Research on Spamming Botnets,” DarkReading, April 9, 2008. and botnets as large as 10 million zombies have been identified. Such systems theoretically control more computing power than the world’s fastest supercomputers.B. Krebs, “Storm Worm Dwarfs World’s Top Supercomputer,” Washington Post, August 31, 2007.

Extortionists might leverage botnets or hacked data to demand payment to avoid retribution. Three eastern European gangsters used a botnet and threatened DDoS to extort $4 million from UK sports bookmakers,Trend Micro, “Web Threats Whitepaper,” March 2008. while an extortion plot against the state of Virginia threatened to reveal names, Social Security numbers, and prescription information stolen from a medical records database.S. Kroft, “Cyberwar: Sabotaging the System,” 60 Minutes, November 8, 2009. Competition has also lowered the price to inflict such pain. BusinessWeek reports that the cost of renting out ten thousand machines, enough to cripple a site like Twitter, has tumbled to just $200 a day.J. Schectman, “Computer Hacking Made Easy,” BusinessWeek, August 13, 2009.

Corporate espionage might be performed by insiders, rivals, or even foreign governments. Gary Min, a scientist working for DuPont, was busted when he tried to sell information valued at some $400 million, including R&D documents and secret data on proprietary products.J. Vijayan, “Software Consultant Who Stole Data on 110,000 People Gets Five-Year Sentence,” Computerworld, July 10, 2007. Spies also breached the $300 billion U.S. Joint Strike Fighter project, siphoning off terabytes of data on navigation and other electronics systems.S. Gorman, A. Cole, and Y. Dreazen. “Computer Spies Breach Fighter-Jet Project,” Wall Street Journal, April 21, 2009.

Cyberwarfare has become a legitimate threat, with several attacks demonstrating how devastating technology disruptions by terrorists or a foreign power might be. Brazil has seen hacks that cut off power to millions.

The 60 Minutes news program showed a demonstration by “white hat” hackers that could compromise a key component in an oil refinery, force it to overheat, and cause an explosion. Taking out key components of the vulnerable U.S. power grid may be particularly devastating, as the equipment is expensive, much of it is no longer made in the United States, and some components may take three to four months to replace.S. Kroft, “Cyberwar: Sabotaging the System,” 60 Minutes, November 8, 2009.

Other threats come from malicious pranksters, like the group that posted seizure-inducing images on Web sites frequented by epilepsy sufferers.M. Schwartz, “The Trolls among Us,” New York Times, August 3, 2008. Others are hacktivistsA protester seeking to make a political point by leveraging technology tools, often through system infiltration, defacement, or damage., targeting firms, Web sites, or even users as a protest measure. In 2009, Twitter was brought down and Facebook and LiveJournal were hobbled as Russian-sympathizing hacktivists targeted the social networking and blog accounts of the Georgian blogger known as Cyxymu. The silencing of millions of accounts was simply collateral damage in a massive DDoS attack meant to mute this single critic of the Russian government.J. Schectman, “Computer Hacking Made Easy,” BusinessWeek, August 13, 2009.

And as power and responsibility is concentrated in the hands of a few revenge-seeking employees can do great damage. The San Francisco city government lost control of a large portion of its own computer network over a ten-day period when a single disgruntled employee refused to divulge critical passwords.J. Vijayan, “After Verdict, Debate Rages in Terry Childs Case,” Computerworld, April 28, 2010.

The bad guys are legion and the good guys often seem outmatched and underresourced. Law enforcement agencies dealing with computer crime are increasingly outnumbered, outskilled, and underfunded. Many agencies are staffed with technically weak personnel who were trained in a prior era’s crime fighting techniques. Governments can rarely match the pay scale and stock bonuses offered by private industry. Organized crime networks now have their own R&D labs and are engaged in sophisticated development efforts to piece together methods to thwart current security measures.