# Information Systems: A Manager's Guide to Harnessing Technology, v. 1.3

by John Gallaugher

## 13.2 Why Is This Happening? Who Is Doing It? And What’s Their Motivation?

### Learning Objectives

1. Understand the source and motivation of those initiating information security attacks.
2. Relate examples of various infiltrations in a way that helps raise organizational awareness of threats.

Thieves, vandals, and other bad guys have always existed, but the environment has changed. Today, nearly every organization is online, making any Internet-connected network a potential entry point for the growing worldwide community of computer criminals. Software and hardware solutions are also more complex than ever. Different vendors, each with their own potential weaknesses, provide technology components that may be compromised by misuse, misconfiguration, or mismanagement. Corporations have become data packrats, hoarding information in hopes of turning bits into bucks by licensing databases, targeting advertisements, or cross-selling products. And flatter organizations also mean that lower-level employees may be able to use technology to reach deep into corporate assets—amplifying threats from operator error, a renegade employee, or one compromised by external forces.

There are a lot of bad guys out there, and motivations vary widely, including the following:

• Account theft and illegal funds transfer
• Stealing personal or financial data
• Compromising computing assets for use in other crimes
• Extortion
• Espionage
• Cyberwarfare
• Terrorism
• Pranksters
• Protest hacking (hacktivism)
• Revenge (disgruntled employees)

Criminals stole more than $560 million from U.S. firms in 2009, and they did it “without drawing a gun or passing a note to a teller.” (S. Kroft, “Cyberwar: Sabotaging the System,” 60 Minutes, November 8, 2009; J. Leyden, “Cybercrime Losses Almost Double,” Register, March 15, 2010.) While some steal cash for their own use, others resell their hacking take to others. There is a thriving cybercrime underworld market in which data harvesters [cybercriminals who infiltrate systems and collect data for illegal resale] sell to cash-out fraudsters [firms that purchase assets from data harvesters; actions may include using stolen credit card numbers to purchase goods, creating fake accounts via identity fraud, and more]: criminals who might purchase data from the harvesters in order to buy (then resell) goods using stolen credit cards or create false accounts via identity theft. These collection and resale operations are efficient and sophisticated. Law enforcement has taken down sites like DarkMarket and ShadowCrew, in which card thieves and hacking tool peddlers received eBay-style seller ratings vouching for the “quality” of their wares. (R. Singel, “Underground Crime Economy Health, Security Group Finds,” Wired, November 24, 2008.)

Hackers might also infiltrate computer systems to enlist hardware for subsequent illegal acts. A cybercrook might deliberately hop through several systems to make his path difficult to follow, slowing cross-border legal pursuit or even thwarting prosecution if launched from nations without extradition agreements. In fact, your computer may be up for rent by cyber thieves right now. Botnets [hordes of surreptitiously infiltrated computers, linked and controlled remotely, also known as zombie networks] of zombie computers (networks of infiltrated and compromised machines controlled by a central command) are used for all sorts of nefarious activity. This includes sending spam from thousands of difficult-to-shut-down accounts, launching tough-to-track click fraud efforts, or staging what’s known as distributed denial of service (DDoS) [an attack where a firm’s computer systems are flooded with thousands of seemingly legitimate requests, the sheer volume of which will slow or shut down the site’s use; DDoS attacks are often performed via botnets] attacks (effectively shutting down Web sites by overwhelming them with a crushing load of seemingly legitimate requests sent simultaneously by thousands of machines). Botnets have been discovered that are capable of sending out 100 billion spam messages a day (K. J. Higgins, “SecureWorks Unveils Research on Spamming Botnets,” DarkReading, April 9, 2008), and botnets as large as 10 million zombies have been identified. Such systems theoretically control more computing power than the world’s fastest supercomputers. (B. Krebs, “Storm Worm Dwarfs World’s Top Supercomputer,” Washington Post, August 31, 2007.)

Extortionists might leverage botnets or hacked data to demand payment to avoid retribution. Three eastern European gangsters used a botnet and threatened DDoS to extort $4 million from UK sports bookmakers (Trend Micro, “Web Threats Whitepaper,” March 2008), while an extortion plot against the state of Virginia threatened to reveal names, Social Security numbers, and prescription information stolen from a medical records database. (S. Kroft, “Cyberwar: Sabotaging the System,” 60 Minutes, November 8, 2009.) Competition has also lowered the price to inflict such pain. BusinessWeek reports that the cost of renting out ten thousand machines, enough to cripple a site like Twitter, has tumbled to just $200 a day. (J. Schectman, “Computer Hacking Made Easy,” BusinessWeek, August 13, 2009.)

Corporate espionage might be performed by insiders, rivals, or even foreign governments. Gary Min, a scientist working for DuPont, was busted when he tried to sell information valued at some $400 million, including R&D documents and secret data on proprietary products. (J. Vijayan, “Software Consultant Who Stole Data on 110,000 People Gets Five-Year Sentence,” Computerworld, July 10, 2007.) Spies also breached the $300 billion U.S. Joint Strike Fighter project, siphoning off terabytes of data on navigation and other electronics systems. (S. Gorman, A. Cole, and Y. Dreazen, “Computer Spies Breach Fighter-Jet Project,” Wall Street Journal, April 21, 2009.) Hackers infiltrated security firm RSA, stealing data keys used in the firm’s commercial authentication devices. The hackers then apparently leveraged the heist to enter the systems of RSA customers, U.S. Defense contractors L-3, Lockheed Martin, and Northrop Grumman. (E. Mills, “China Linked to New Breaches Tied to RSA,” CNET, June 6, 2011.) Google has identified China as the nation of origin for a series of hacks targeting the Google accounts of diplomats and activists. (P. Eckert, “Analysis: Can Naming, Shaming Curb Cyber Attacks from China?” Reuters, June 3, 2011.) And the government of Tunisia even attempted a whole-scale hacking of local users’ Facebook accounts during protests that eventually led to the ouster of the regime. The so-called man-in-the-middle style attack intercepted Facebook traffic at the state-affiliated ISP as it traveled between Tunisian Web surfers and Facebook’s servers, enabling the government to steal passwords and delete posts and photos that criticized the regime. (A. Madrigal, “The Inside Story of How Facebook Responded to Tunisian Hacks,” Atlantic, January 24, 2011.)

Cyberwarfare has also become a legitimate threat, with several attacks demonstrating how devastating technology disruptions by terrorists or a foreign power might be (see sidebar on Stuxnet). Brazil has seen hacks that cut off power to millions, and the 60 Minutes news program showed a demonstration by “white hat” hackers that could compromise a key component in an oil refinery, force it to overheat, and cause an explosion. Taking out key components of the vulnerable U.S. power grid may be particularly devastating, as the equipment is expensive, much of it is no longer made in the United States, and some components may take three to four months to replace. (S. Kroft, “Cyberwar: Sabotaging the System,” 60 Minutes, November 8, 2009.)

### Stuxnet: A New Era of Cyberwarfare

Stuxnet may be the most notorious known cyberwarfare effort to date (one expert called it “the most sophisticated worm ever created”). (N. Firth, “Computer Super-Virus ‘Targeted Iranian Nuclear Power Station’ but Who Made It?” Daily Mail, September 24, 2010.) Suspected to have been launched by either U.S. or Israeli intelligence (or both), Stuxnet infiltrated Iranian nuclear facilities and reprogrammed the industrial control software operating hundreds of uranium-enriching centrifuges. The worm made the devices spin so fast that the centrifuges effectively destroyed themselves, in the process setting back any Iranian nuclear ambitions. The attack was so sophisticated that it even altered equipment readings to report normal activity, so operators didn’t know something was wrong until it was too late.

Some might fear Stuxnet in the wild—what happens if the code spreads to systems operated by peaceful nations or systems controlling critical infrastructure that could threaten lives if infected? All important questions, but in Stuxnet’s case the worm appears to have been designed to target very specific systems. If it got onto a nontarget machine, it would become inert. Propagation was also limited, with each copy designed to infect only three additional machines. And the virus was also designed to self-destruct at a future date. (M. Gross, “A Declaration of Cyber-War,” Vanity Fair, April 2011.)

Stuxnet showed that with computers at the heart of so many systems, it’s now possible to destroy critical infrastructure without firing a shot. (T. Butterworth, “The War against Iran Has Already Started,” Forbes, September 21, 2010.) While few want to see Iran get the bomb, what does the rise of cyberwarfare mean for future combat and for citizen vulnerability, and what might this mean for businesses whose products, services, or organizations may become targets?

Other threats come from malicious pranksters (sometimes called griefers or trolls), like the group that posted seizure-inducing images on Web sites frequented by epilepsy sufferers. (M. Schwartz, “The Trolls among Us,” New York Times, August 3, 2008.) Others are hacktivists [a protester seeking to make a political point by leveraging technology tools, often through system infiltration, defacement, or damage], targeting firms, Web sites, or even users as a protest measure. In 2009, Twitter was brought down and Facebook and LiveJournal were hobbled as Russian-sympathizing hacktivists targeted the social networking and blog accounts of the Georgian blogger known as Cyxymu. The silencing of millions of accounts was simply collateral damage in a massive DDoS attack meant to mute this single critic of the Russian government. (J. Schectman, “Computer Hacking Made Easy,” BusinessWeek, August 13, 2009.)

And as power and responsibility are concentrated in the hands of a few, revenge-seeking employees can do great damage. The San Francisco city government lost control of a large portion of its own computer network over a ten-day period when a single disgruntled employee refused to divulge critical passwords. (J. Vijayan, “After Verdict, Debate Rages in Terry Childs Case,” Computerworld, April 28, 2010.)

The bad guys are legion and the good guys often seem outmatched and underresourced. Law enforcement agencies dealing with computer crime are increasingly outnumbered, outskilled, and underfunded. Many agencies are staffed with technically weak personnel who were trained in a prior era’s crime fighting techniques. Governments can rarely match the pay scale and stock bonuses offered by private industry. Organized crime networks now have their own R&D labs and are engaged in sophisticated development efforts to piece together methods to thwart current security measures.

The terms hacker [a term that, depending on the context, may be applied to either 1) someone who breaks into computer systems, or 2) a particularly clever programmer] and hack [a term that may, depending on the context, refer to either 1) breaking into a computer system, or 2) a particularly clever solution] are widely used, but their meaning is often based on context. When referring to security issues, the media widely refers to hackers as bad guys who try to break into (hack) computer systems. Some geezer geeks object to this use, as the term hack in computer circles originally referred to a clever (often technical) solution and the term hacker referred to a particularly skilled programmer. Expect to see the terms used both positively and negatively.

You might also encounter the terms white hat hackers [someone who uncovers computer weaknesses without exploiting them; the goal of the white hat hacker is to improve system security] and black hat hackers [a computer criminal]. The white hats are the good guys who probe for weaknesses, but don’t exploit them. Instead, they share their knowledge in hopes that the holes they’ve found will be plugged and security will be improved. Many firms hire consultants to conduct “white hat” hacking expeditions on their own assets as part of their auditing and security process. “Black hats” are the bad guys. Some call them “crackers.” There’s even a well-known series of hacker conventions known as the Black Hat conference.

### Key Takeaways

• Computer security threats have moved beyond the curious teen with a PC and are now sourced from a number of motivations, including theft, leveraging compromised computing assets, extortion, espionage, warfare, terrorism, pranks, protest, and revenge.
• Threats can come from both within the firm as well as from the outside.
• Cybercriminals operate in an increasingly sophisticated ecosystem where data harvesters and tool peddlers leverage sophisticated online markets to sell to cash-out fraudsters and other crooks.
• Technical and legal complexity make pursuit and prosecution difficult.
• Many law enforcement agencies are underfunded, underresourced, and underskilled to deal with the growing hacker threat.

### Questions and Exercises

1. What is a botnet? What sorts of exploits would use a botnet? Why would a botnet be useful to cybercriminals?
2. Why are threats to the power grid potentially so concerning? What are the implications of power-grid failure and of property damage? Who might execute these kinds of attacks? What are the implications for firms and governments planning for the possibility of cyberwarfare and cyberterror?
3. Scan the trade press for examples of hacking that apply to the various motivations mentioned in this chapter. What happened to the hacker? Were they caught? What penalties do they face?
4. Why do cybercriminals execute attacks across national borders? What are the implications for pursuit, prosecution, and law enforcement?
5. Why do law enforcement agencies struggle to cope with computer crime?
6. A single rogue employee effectively held the city of San Francisco’s network hostage for ten days. What processes or controls might the city have created that could have prevented this kind of situation from taking place?
7. The Geneva Conventions are a set of international treaties that in part set standards for protecting citizens in and around a war zone. Should we have similar rules that set the limits of cyberwarfare? Would such limits even be effective? Why or why not?
8. What does the rise of cyberwarfare suggest for businesses and organizations? What sorts of contingencies should firms consider and possibly prepare for? How might considerations also impact a firm’s partners, customers, and suppliers?