Sunday, February 23, 2014

Cyber Subterfuge

The New York Times


November 27, 2013


I awoke one morning to a disturbing email from the software giant Adobe. The message warned that thieves had hacked into the company’s servers, stolen the source code for some of its software products and almost three million passwords and credit card details, among which might be mine. It included a link to reset my password.
But the link could have been an elaborate trap by criminals to infect my computer with malware and seize control of it. My first port of call was krebsonsecurity.com, the website of the tenacious cybercrime researcher Brian Krebs. Sure enough, he had posted details of the hack, and it was all true. I was instructed to click on that link and scrutinize my credit card bills for jewelry purchases in Djibouti or Moldova.
Give credit to Adobe for ’fessing up to the hack so fast. But if a company like Adobe, whose products are a core communications medium for web users, can’t keep the hackers out, who can?
The Internet has lost its innocence. Cybermalfeasance, or bad stuff happening on the web, is now so pervasive that if businesses and individuals fail to integrate security measures into their lives and operations, they are bound to regret it. And 2013 has been a momentous year for the extent and ingenuity of those launching attacks on networks around the world.
Innovation continues to alter our digital environment at breathtaking speed. And like all entrepreneurs, the criminals, spies and so-called hacktivists seek to exploit the changes in the architecture of the Internet — and in our behavior — for their own purposes.
The problem is that it’s not just thieves. In the past 10 years, state and nonstate actors — intelligence agencies, terrorist groups and cybermilitary operatives to name but a few — have become engaged in dubious practices on the Web. If we didn’t appreciate that before, Edward J. Snowden’s revelations about the National Security Agency have made it very plain.
Those in the cybersecurity industry who are trying to protect you now face a huge problem: ascertaining exactly who the perpetrator is when an attack happens. Criminals learn from hacktivists; cyberintelligence agents pick up tips from criminals, and in the background, military strategists are testing potential enemy defenses worldwide. This means the virtual world is awash with subterfuge, malware and deception.
They engage in this activity on the Surface Web, the part of the Internet that you and I can see — or, more accurately, those websites which can be indexed by search engines like Google or Bing. But the hackers, cybercops and criminals also make use of the still-weirder world of the Deep Web. The Deep Web is several hundred, possibly thousands, of times larger than the Surface Web, and a small but significant percentage of it is used as a place for criminal and hacking networks to hide. Within the Deep Web, there are places where users can swap files and information that are very hard to reach if you have not been granted access. Most computer users have no idea that the Deep Web exists.
The Silk Road, a website selling narcotics and extreme pornography, existed only on the Deep Web until the F.B.I. brought it down this fall and arrested one of its alleged founders, 29-year-old Ross William Ulbricht, better known in the business as “Dread Pirate Roberts.” To browse the “eBay of drugs,” as Silk Road was dubbed, the visitor would have to enter the Deep Web via the TOR network, a free system designed to prevent the monitoring of web activity and an important tool for those suffering from political persecution.
The existence of complex systems of communication beyond the Surface Web makes it hard to grasp exactly what is going on in the world of cybermalfeasance. It includes three primary areas of activity: crime; commercial and political espionage; and cyberwarfare and sabotage.
It’s often tough for law enforcement and analysts to identify where one activity ends and the next one starts.
In addition to these categories, there are two gray areas: hacktivism, notably by the group Anonymous, whose members appear to be motivated more by ideology than money, and whose zeal frequently takes them beyond the law; and intellectual copyright theft, a hugely vexing question for the creative industries, with no real solutions in sight.
The most familiar crime is the so-called high-volume, low-impact phenomenon of credit and debit card fraud. Despite occasional horror stories, credit card fraud remains at a manageable level for both the industry and consumers. In 2012, fraudsters got their hands on some $11.5 billion worldwide by stealing credit card data, but this crime has been falling steadily since the second half of the last decade, as most major territories around the world have adopted the so-called chip and pin system. The exception to that trend is the United States, where credit card fraud continues to rise steadily — a direct consequence of the lamentable failure of card issuers, banks and regulators to introduce chip and pin systems. U.S. cards continue to rely on magnetic strips that are easily copied, and on signatures, which are farcical as a security measure.
Still, card fraud is essentially an inconvenience, not a threat. The bigger threat comes from the occasional breathtaking heist, when hackers access databases with large stores of credit cards. The Adobe hack was one such case, and actually modest by some standards. In February, for example, criminals sucked a staggering $40 million from A.T.M.’s in at least two dozen countries around the world, in just 10 hours.
Using sophisticated hacking techniques, the gang broke into the database of the processing company in India and lifted the cap on hundreds of prepaid credit cards they had purchased in advance. Associates around the world then gutted A.T.M.’s of far more money than armed robbers could ever hope to get from a physical bank raid.
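The heist described above leaves a distinctive trail on the issuer's side: a withdrawal limit raised far beyond its normal value, followed within hours by cash-outs in many countries. The following is an added example, not code from the article or from any card processor, showing how a fraud-monitoring job could flag that pattern from two constructed event streams (limit-change records and ATM withdrawals, with hypothetical card IDs). The thresholds (a tenfold limit increase, three countries, a 10-hour window) are assumptions chosen for illustration.

```python
"""Flag the cash-out pattern: a prepaid card's withdrawal limit is raised
sharply, then the card is drained at ATMs in several countries within hours.
Example code with constructed data; card IDs and amounts are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed limit-change events (issuer-side audit records).
LIMIT_CHANGES = [
    {"card": "PP-1001", "time": "2013-02-19T22:05:00", "old_limit": 500, "new_limit": 1000000},
    {"card": "PP-2002", "time": "2013-02-19T09:00:00", "old_limit": 500, "new_limit": 750},
]

# Constructed ATM withdrawal records.
WITHDRAWALS = [
    {"card": "PP-1001", "time": "2013-02-19T22:30:00", "country": "US", "amount": 2000},
    {"card": "PP-1001", "time": "2013-02-19T23:10:00", "country": "JP", "amount": 2000},
    {"card": "PP-1001", "time": "2013-02-20T01:00:00", "country": "GB", "amount": 2000},
    {"card": "PP-1001", "time": "2013-02-20T03:00:00", "country": "RU", "amount": 2000},
    {"card": "PP-1001", "time": "2013-02-21T12:00:00", "country": "FR", "amount": 100},  # outside the window
    {"card": "PP-2002", "time": "2013-02-19T10:00:00", "country": "US", "amount": 100},
    {"card": "PP-2002", "time": "2013-02-19T11:00:00", "country": "US", "amount": 100},
    {"card": "PP-3003", "time": "2013-02-19T10:00:00", "country": "DE", "amount": 50},
]


def _ts(s):
    """Parse an ISO-8601 timestamp string."""
    return datetime.fromisoformat(s)


def find_cashout_cards(limit_changes, withdrawals, window_hours=10,
                       min_countries=3, limit_multiplier=10):
    """Return one alert per card that (a) had its limit raised by at least
    limit_multiplier and (b) was then used in at least min_countries distinct
    countries within window_hours of the change. Both signals are required:
    a modest limit adjustment or ordinary travel alone does not fire."""
    by_card = defaultdict(list)
    for w in withdrawals:
        by_card[w["card"]].append(w)

    alerts = []
    for change in limit_changes:
        if change["new_limit"] < limit_multiplier * max(change["old_limit"], 1):
            continue  # routine limit adjustment, not the pattern of interest
        start = _ts(change["time"])
        end = start + timedelta(hours=window_hours)
        in_window = [w for w in by_card[change["card"]]
                     if start <= _ts(w["time"]) <= end]
        countries = sorted({w["country"] for w in in_window})
        if len(countries) >= min_countries:
            alerts.append({
                "card": change["card"],
                "countries": countries,
                "total": sum(w["amount"] for w in in_window),
                "first_withdrawal": min(_ts(w["time"]) for w in in_window).isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_cashout_cards(LIMIT_CHANGES, WITHDRAWALS):
        print(alert)
```

Requiring both signals keeps the false-positive rate low: a traveller whose limit was never touched, or a customer who asked for a small increase, is not flagged. In practice the limit-change feed is the more valuable of the two, since a change to a six-figure limit on a prepaid card is itself worth a review regardless of whether withdrawals have started.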
The case also suggests how levels of cybercriminal organization are rising. The lone-wolf hackers who dominated such activity a decade or so ago are being eclipsed by more disciplined groups that identify specific targets, usually companies, for their attacks.
This accounts for one of the most important recent developments in cybercrime: the emergence of a vibrant secondary market in “Zero-Day exploits.” Zero Days are glitches in software unnoticed by their manufacturers. Hackers can use them as digital wormholes through which to crawl into a system and take control of it.
Increasingly, however, it makes more sense to sell them. Zero Days fetch from $10,000 to $250,000, and the market is not defined as illegal. Buyers come from everywhere — governments, spy agencies, criminal gangs, cybersecurity companies and the military are all eager to purchase them. For many cybercriminals who have done their apprenticeships in credit-card fraud or hacking systems, selling Zero Days is low risk, not especially onerous and very lucrative. Negotiations take place in the nether regions of the Deep Web or offline, for security reasons.
Once in possession of a Zero Day, the task of planning a targeted attack becomes much easier. And as most people in industry are now aware, the growth in criminal activity affects business worldwide. Government departments, charities and N.G.O.’s, corporations and small enterprises alike are now subject to regular targeted attacks, tailored very precisely. At first glance, the numbers are remarkable. This year, BP’s chief executive, Bob Dudley, revealed that his security department registers 50,000 attacks a day. Gen. Keith Alexander, double-hatted chief of the U.S. National Security Agency and the Department of Defense’s Cyber Command, testified to Congress that the Pentagon has to deal with 10 million attacks daily.
Most of these are mere irritants, digital flies that can be swatted with ease. But among them are a few bugs that are able to penetrate the epidermis of a networked system and inject debilitating poison. These attacks are generally very cheap to mount, but the costs can be devastating. This year, the Syrian Electronic Army, a group of pro-Assad hackers, started to specialize in attacks with eye-popping consequences. In late April, the S.E.A. successfully hacked into The Associated Press’s Twitter account and used it to post a false report that the White House had been attacked and the president wounded. In the subsequent two minutes, the Standard & Poor’s 500-stock index lost $136.5 billion in value. The index recovered immediately, but the incident reflected the disproportionate impact that a very simple intrusion can have.
At the same time, some of the figures bandied about by politicians, police officials and intelligence agencies regarding the damage wrought by cybercrime have been greatly exaggerated. The cybersecurity giant McAfee announced this summer that losses in the United States to cybercrime could be up to $120 billion. Compare that to the $1 trillion worldwide figure that President Obama cited in 2009, with McAfee again as the source.
By contrast, thanks to Gartner, the computer consultancy and research firm, we have a much more precise idea of how much we are spending on cybersecurity. In 2013, global spending on protection will reach $67 billion, and by the end of the decade it is predicted to exceed $100 billion.
The biggest game changer this year, however, was not the costs, but the information leaked by Snowden about the extraordinary extent of the digital espionage activities of the N.S.A., notably in conjunction with its British partner, the Government Communications Headquarters, or G.C.H.Q.
The moral high ground, carefully constructed by the United States on the indiscriminate hacking and spy programs run by the Chinese and the Russians, has crumbled. Snowden’s countless dossiers have demonstrated beyond doubt that the United States has been engaging in precisely the type of systematic espionage that it accuses Beijing and Moscow of undertaking.
Michael V. Hayden, former chief of the N.S.A. and of the C.I.A., argued rather controversially in London in late September that there was nothing illegal about the N.S.A.’s activities and that nobody in the United States was unduly concerned about the Snowden revelations. That was damage control. The United States has lost the moral high ground, and the recent disclosures of its surveillance of the phones, email and browser of the Brazilian president Dilma Rousseff, not to mention the semi-state oil company, Petrobras, may well come back to haunt Washington.
Each week seems to bring a new revelation from the Snowden files, one more embarrassing than the next. Particularly awkward was the news that the United States has been listening to the phone conversations of the German chancellor, Angela Merkel. It is hard to assess how much of the targets’ indignant reactions is genuine and how much is just strutting in front of an outraged domestic public. But there are signs that the leaks are having an impact on global telecommunications policy.
Partly as a consequence of the criminal, espionage and military activity across the Internet, the issue of who controls the web has recently moved up the agenda of the International Telecommunication Union. The issue of who actually runs the basic infrastructure is being contested at the I.T.U. by a group of nations led by Russia and China, which seek to exercise ever-greater control of the web on their territory. Brazil and India are sympathetic to attempts to wrest greater control from the United States in particular, and the Snowden affair could help them.
And therein lies the paradox: the spread of malfeasance on the Internet is the result of its openness, but this very openness may also be the best way to combat the threats. 

Misha Glenny is a British journalist who writes about cybersecurity, organized crime and southeast Europe. His most recent book is “Dark Market: How Hackers Became the New Mafia.”
This article has been revised to reflect the following correction:
Correction: November 28, 2013
An earlier version of the biography with this article misstated the author’s most recent book. It is “Dark Market: How Hackers Became the New Mafia,” not “McMafia: Seriously Organized Crime.”
