The Rise of Cybercrime 1970s - 2010

Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only.

Transcript

  • 1. The Rise of Cybercrime, 1970 through 2010
    A tour of the conditions that gave rise to cybercrime and the crimes themselves
    Kelly White
    © Kelly White – 2013
  • 2. Introduction
    Computer crime has changed from its 1970s characterization of hobbyists committing pranks and ‘exploring’ computer systems to a present-day, horizontally integrated industry of exploit researchers, malware writers, hackers, fraudsters, and money mules that causes hundreds of millions of dollars in damages annually. The articles below illustrate the juxtaposition of computer crimes from earlier decades with those of the present.

    Teaching Hackers Ethics
    Newsweek – January 14, 1985
    The parents of "Echo Man," 16, "Three Rocks," 15, and "Uncle Sam," 17, probably thought they were in their rooms doing homework. Instead, the Burlingame, Calif., teen-agers were programming their Apples to scan the Sprint telephone-service computers for valid access numbers, which they used to make free calls. The hackers then posted the numbers on an electronic bulletin board, so others could share in the spoils. That was their undoing. Local police, who had been monitoring the bulletin board, raided each of the hackers' homes last month and found enough evidence to charge them with felony theft and wire fraud.

    FBI: Cyber crooks stole $40M from U.S. small, mid-sized firms [1]
    Washington Post, Brian Krebs – October 26, 2009
    Cyber criminals have stolen at least $40 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud, the FBI said this week. According to the FBI and other fraud experts, the perpetrators have stuck to the same basic tactics in each attack. They steal the victim’s online banking credentials with the help of malicious software distributed through spam. The intruders then initiate a series of unauthorized bank transfers out of the company’s online account…

    How do you explain the typical computer crime making the leap from petty phone access theft in the 70s to huge heists in the 00s? As it turns out, in each decade the computer crimes fit pretty well with the demographics of their time. The type and frequency of computer crime occurring in each decade seems to have been shaped by three demographics:
      • The number of computers online
      • The type and amount of online commerce
      • The globalization of Internet use

    [1] http://voices.washingtonpost.com/securityfix/2009/10/fbi_cyber_gangs_stole_40mi.html
  • 3. The number of crime targets is limited by the number of computers online. The profitability of a target depends on the type of commerce being conducted on the computers. And the likelihood of being caught is positively correlated with the effectiveness of law enforcement in prosecuting crimes, which, I have observed, is inversely proportional to the globalization of the Internet.

    As these demographics evolved, so too did the crime.

    The Perfect Conditions for Crime
    What are the perfect conditions for crime? How about easy targets, high profits, and very little chance of being caught.

    That is what the Internet provides – lots of easy targets, with 250 million people online in the U.S. alone and very weak security. An almost guaranteed high return – over 72 million people in the U.S. conducting banking online. And little chance of being caught – attribution of crime on the Internet is nearly impossible, and governments don’t have the resources to handle the volume, let alone the high cost of international investigations. They successfully prosecute a few per year for publicity, but little else. The Internet is the perfect place to commit crime.

    It took until the late 1990s for these conditions to converge and create the perfect storm. Before that, essential elements were missing – people, connectivity, commerce, and insecurity.

    Computers and Connectivity
    The first dimension to set in motion was personal and commercial use of computers in the mid-1970s. In the 70s there weren’t very many computer systems and they weren’t interconnected. In the 80s private computer ownership started ramping up, but connectivity was limited largely to computer-to-computer modem services, and access to the Internet was restricted to government and universities. In the 90s the government opened up the Internet to commercial and then public access. By the end of the decade, about half of the U.S. population was ‘online’.
  • 4. + Commerce
    The explosion of online commerce was another important ingredient in creating the cyber crime environment. Without commerce, all the potential targets connected to the Internet are just targets. With commerce, computers become rich targets – credit card processing systems and automated tellers. In 2000, 40 million people in the U.S. had ever bought something online [2]. By 2008, that number reached 201 million [3]. Nearly everyone who can shop online does shop online.

    In 1998, 8 million people in the U.S. were conducting banking online. By 2012 that grew to 72 million – 28% of online users and fully 23% of the entire U.S. population!

    [2] http://www.pewInternet.org/Reports/2002/Getting-Serious-Online-As-Americans-Gain-Experience-They-Pursue-More-Serious-Activities.aspx
    [3] http://www.pewInternet.org/Reports/2008/Online-Shopping.aspx?r=1
  • 5. + Insecurity
    The build-out of the Internet network infrastructure and the connected systems was fast and furious. At this pace, all focus was on features and functionality. Little thought was given to the consequences of the risks and to the security requirements of such a critical, complex infrastructure. As a security consultant in the late 1990s, I examined up close the lack of security controls in even critical infrastructure. On one engagement, my co-worker and I were called up on short notice to conduct an Internet perimeter test of a company that provided core processing services to credit unions. One of their services was outsourced Internet banking. Compromising their perimeter was simple, taking about 10 minutes. We scanned their public address space for common ports, noticed 135 and 139 were listening on their Internet banking server, established a net session and went to work guessing the administrator account password. The password was ‘snow’. It was easy pickings from there. Towards the end of the engagement, I met on-site with the company’s system administrators to discuss the findings. In response to my recommendations they asked, “What is a firewall?”

    + Internationalization and No Law Enforcement
    In 1998 – 1999 about 80% of the people using the Internet were U.S. citizens and about 95% were U.S. citizens or citizens of U.S. allied countries [4]. Under these conditions, serious computer crimes could be investigated and prosecuted because the crimes were largely occurring from within the borders of governments that were willing to cooperate in cyber crime investigations. This acted as a deterrent of sorts, deterring many people from committing really serious cyber crimes.

    Even into 2000, people using the Internet in developing economies were limited to the professional class – people in government, education, and industry – due to Internet access constraints. As Internet accessibility increased and cost decreased, non-professionals quickly got online. By 2005, the number of Internet users in BRIC countries – Brazil, Russia, India, and China – surpassed the number of Internet users in the U.S.

    [4] http://datafinder.worldbank.org/Internet-users

  • 6. Among these Internet users were, as in other countries, criminals. The difference this time, though, was that governments proved inept in dealing with the volume, the costs, and the international legal and political barriers of prosecuting crime. And frankly, countries that are not U.S. allies were not, and continue not to be, seriously interested in assisting other countries in criminal investigations. Ever contact a bank in Russia to request that they return a fraudulent wire? Ever participated in an FBI investigation that requires cooperation of Chinese authorities? Good luck.

    The early financially driven international cyber crime spree in 2001 – 2002 went unchecked. This encouraged additional investment in cyber crime. Success continued to meet success, which continues to spiral to where we are today.

    The 1970s Environment
    In the early 1970s computers were limited to large, expensive timesharing mainframe and Unix systems owned by universities, large corporations, and government agencies. In 1975 Ed Roberts released the first microcomputer for sale to the public – the MITS Altair 8080. No keyboard, no screen – just a box with toggle switches for programming and LED lights to show the output of the program. He sold 2,000 of the systems the first year. The following year, Steve Jobs and Steve Wozniak released the Apple I. Again, no keyboard or screen. By the end of 1976 computing enthusiasts had purchased 40,000 microcomputers [5]. In 1977, the Apple II, the Tandy TRS-80 (I cut my teeth programming on this model), and the Commodore PET brought visual displays and keyboards to the market. People purchased 150,000 of these systems [6].

    [5] http://jeremyreimer.com/postman/node/329
    [6] http://arstechnica.com/old/content/2005/12/total-share.ars; http://en.wikipedia.org/wiki/File:WIntHosts1981-2009.jpg
  • 7. Computer communications were pretty limited. The government, military, and a few universities had ARPANET and X.25 networks. The public was limited to modem-based computer-to-computer phone calls, which was fine for dialing computers in your area, but a bit of a problem for those a long-distance call away. The killer app for computer communications was Bulletin Board System software, which first came to public life, courtesy of Randy Suess, during a snowstorm in February 1978. This development connected computer enthusiasts across the U.S. in an electronic underground where they could publish ideas and communicate within their own realm on their own terms. From this technology the computer hacker underground took root.

    While it took some time for microcomputers to take hold, the phone system was already built out and available. A large community of phone system fanatics – ‘phone phreaks’ – learned how to control the predominant phone switching system in use at the time, largely thanks to serious security flaws in the system and the publication of the details of the internal switching system in the November 1954 issue of the Bell Labs Technical Journal.

    Motives and Crimes
    The primary motives behind the cyber crimes of the 60s and 70s were desire for system access, curiosity, and the sense of power attained from defeating security. The phone system was the first and favorite computer system targeted. The attraction of the phone system for the pioneers of phone phreaking was not free calls, but the desire to learn the system, the desire to beat the system, and the desire to control the system. John Draper, the father of phone phreaking, when asked about the techniques he developed for gaining operator access to phone systems, published in the October 1971 issue of Esquire Magazine, stated his motive behind unauthorized system access.
  • 8. From Secrets of the Little Blue Box by Ron Rosenbaum, Esquire Magazine (October 1971)

    The pioneers of ‘phone phreaking’ mastered the techniques for controlling the phone system and codified them in what is now called a ‘little blue box’. The box, commonly twice the size of a cigarette case, had buttons on the front that emitted tones. If emitted at the right time and in the right sequence during a call, these tones would yield operator access to the phone system. The benefit, of course, was free calls to anywhere in the world.

    Computers weren’t left alone. The first edition of Creative Computing magazine, published in 1976, had an article titled “Is Breaking Into A Timesharing System A Crime?” [7]

    Besides the intellectual challenge of breaking into systems, people were also motivated to break into systems simply to gain access. In the 60s and early 70s time on the university-owned computer systems was limited. Students who wanted more time developed the first password crackers and trojan software in order to get the access they wanted.

    With the introduction of microcomputers and Bulletin Board Systems in the mid to late 70s, people wanted to connect to other computer systems. To foot the bill for the long-distance calls, many resorted to stealing long distance access codes – wire fraud. Again, the primary motive to steal the access codes was not profit, but curiosity – to connect and learn.

    The 1980s Environment
    In the 1980s the computer solidified its position in upper-income households, growing from over 1 million households with computers to in excess of 14 million by the end of the decade. In 1979, CompuServe introduced timesharing services to the public through a 100-baud service called ‘MicroNet’, with electronic mail as their first application.

    [7] http://www.atariarchives.org/bcc1/showpage.php?page=4

  • 9. CompuServe added real-time messaging in 1980. By the end of 1981 they had 10,000 users. By 1987 it grew to 380,000. It was a bit pricey – $10 / hour. YouTube.com has an interesting vintage news report on the system (search ‘1981 primitive Internet report on KRON’).

    Bulletin Board Systems continued to proliferate in the 80s. They didn’t have monthly access fees and were under the control of the person hosting the Board – not a corporation. The Internet continued to remain the private domain of the government and some universities.

    In the 1980s the cyber world, for all intents and purposes, was a geography-centric system, bounded within countries by telecommunications infrastructure borders and high international communications costs. Any cyber crimes that occurred within a country could be effectively investigated because the attack was likely staged within the same country and there just weren’t as many to investigate.

    Motives and Crimes
    Hacking in the 1980s was primarily about pursuit of knowledge, building reputations, a bit of politics, and games – games of breaking into systems and pulling off pranks. The hacker underground gathered and flourished in the anonymity and freedom of the Bulletin Board System, where boards in the hundreds, such as Hack-A-Trip, Hackers of America, Hi-Tech Pirates, Cult of the Dead Cow, Legion of Doom, PhoneLine Phantoms, and the Strata-Crackers, formed. Through boards hackers shared their knowledge and displayed the trophies of their system exploits.

    Curiosity / Reputation
    The Morris Worm was among the most significant computer security events of the 1980s, a program written by Robert Morris, a graduate student at Cornell University. Though the only purpose of the worm was to propagate itself to other systems, it did degrade the performance of systems it compromised, causing significant impact to Internet-connected systems it invaded. It was estimated to

    In 1988, Prophet of Legion of Doom compromised AIMSX, a BellSouth system. He did no damage, just explored. In his probing of the system he discovered a file containing information related to administration of the 911 system. Why did he download the file? It was a trophy – proof of his compromise of the system. Also, it was forbidden knowledge, and possession of forbidden knowledge was the currency with which reputation was purchased [8].

    Pranking
    Some system compromises were simply to pull off a prank. In June of 1989 a person compromised a Southern Bell phone switch and redirected calls made to the Palm Beach County Probation Department to “Tina,” a phone-sex worker in New York State [9].

    [8] The Hacker Crackdown, pages 112-113

  • 10. One of the earliest computer viruses was created as a joke. Elk Cloner, written by Rich Skrenta, spread to Apple II systems through infected floppy disks. The payload of the virus simply periodically displayed a humorous poem, in addition to replicating itself to any floppy disk inserted into an infected system.

    Activism
    The Department of Defense wasn’t left alone either. A Defense Data Network security bulletin was published on October 18, 1989, warning of a malicious worm attacking VMS systems on the SPAN network [10].

    Money
    In 1989, a sixteen-year-old from Indiana gave an early glimpse of the financially motivated electronic crime wave to come two decades later. Fry Guy, so referred to in the computer underground because of his compromise of a McDonald’s mainframe, developed a knack for pilfering data from credit reporting agencies and for compromising phone-switching systems. Combining these two skills, he would phone Western Union and ask for a cash advance on a stolen card. To ensure the security of transactions, Western Union had a practice of calling the card owner back to verify the authenticity of the request. Having changed the card owner’s phone number temporarily to a public pay phone, Fry Guy would answer the phone as the cardholder and authorize the transaction [11].

    [9] The Hacker Crackdown, page 95
    [10] http://www.textfiles.com/hacking/ddn03.hac
    [11] The Hacker Crackdown, page 100
  • 11. The 1990s Environment
    By the end of the 1990s, the perfect conditions for cybercrime had formed: everyone was online, lots of people were conducting online banking and credit card transactions, there was a lack of legal framework and resources to prosecute cyber crime, and security was poor. Two huge events in the 1990s made this happen. The first was the invention of the World Wide Web. In 1990, Tim Berners-Lee completed his build-out of all the components necessary for his ‘WorldWideWeb’ project – a web server, a web browser, a web editor, and the first web pages. In 1991, he made his project publicly available on the Internet as the ‘Web’. In a single decade, the Web grew from non-existent to over 17 million web sites [12].

    The other history-altering event was the build-out of public Internet access points. In 1994, the National Science Foundation sponsored four companies to build public Internet access points – Pacific Bell, WorldCom, Sprint, and Ameritech. Within a couple of years, Joe Public declared the Internet was good and got online. At the beginning of the decade there were two million people on the Internet in the U.S. By the end of the decade there were 135 million.

    Companies followed the public and moved their commerce channels online. The U.S. Department of Commerce reported for 1999 $5.25 billion in online travel bookings, $3.75 billion in online brokerage fees, and $15 billion in retail sales. Banks got online too, with 10 million people conducting banking online in 2000.

    Adoption of the Internet was not just a U.S. phenomenon. Though lagging developed economies by about five years, the emerging economies got online too. By 2000, 36 million people in the BRIC countries – Brazil, Russia, India, and China – were online. While the U.S. and its allies established reasonably functional agreements for prosecuting cyber crime, no such agreements were realized with the rest of the world. The result was, and remains today, an Internet with no functional legal system for fighting crime.

    Motives and Crimes
    With the millions of new systems coming online, the 1990s was a target-rich decade for hackers. Fortunately for businesses and people putting their private information online, hackers primarily made a sport of defacing websites, rather than targeting the sensitive information stored in the systems. It would take until the following decade for the criminal profiteers to figure out how to monetize computer crime.

    Sport
    The most common computer crime of the 1990s was defacing websites. Hacking for ‘sport’ is a good category for these compromises. There really was no knowledge to gain, no curiosity to satisfy – just the sport of compromising web sites. Attrition.org documented many of the web site hacks through its web page hack mirror at http://attrition.org/mirror/.

    [12] http://www.cnn.com/2006/TECH/Internet/11/01/100millionwebsites/

  • 12. According to Attrition’s data, four web sites were hacked in 1995. Attrition reported 1,905 websites being hacked in 1999.

    Chart: Number of Website Defacements Reported by Attrition.org [13]

    Some very high profile sites fell during the decade. In 1996, the top sites compromised included the U.S. Air Force, NASA, and the site of the British Labour Party. Sites compromised in 1997 included Stanford University, Farmers & Merchants Bank, Fox News, and Yahoo. Other high profile sites to be compromised included the U.S. Senate’s www.senate.gov, ebay.com, slashdot.org, and nytimes.com.

    The content placed on these sites ranged from ‘Free Kevin!’ to pornography; from taunting messages like ‘Look you sorry ass system admin…’ to security advice such as ‘Stop using old versions of FTP’. A screenshot of part of the compromised senate.gov site is shown below [14].

    [13] http://www.phrack.org/issues.html?issue=55&id=18&mode=txt
    [14] http://www.flashback.se/hack/1999/05/27/1/
  • 13. Money
    There were a few notable money-driven computer crimes in the 1990s. In 1994, a group led by Vladimir Levin broke into the bank accounts of several corporations held at Citibank. Accessing the funds through Citi’s dial-up wire transfer service, he transferred $10.7 million to accounts controlled by accomplices in Finland, the United States, Germany, the Netherlands, and Israel.

    In 1999, a Russian by the handle of ‘Maxus’ compromised the CD Universe web site and stole over 300,000 credit card records. Attempting to profit from the crime, Maxus faxed an extortion note to CD Universe demanding $100,000 in return for silence about the theft and destruction of the stolen data. His extortion rejected, he published 25,000 of the records on a website. In reporting on the incident, ZDNet called it the ‘biggest hacking fraud ever’ [15].

    Curiosity
    Though the Melissa virus wasn’t the first, it certainly opened the eyes of corporations and system administrators to the fragility and vulnerability of computer systems and the Internet. In 1999, David Smith, a network programmer, released the Melissa virus to the Internet. The virus was contained in a Microsoft Word document macro. When an infected document was opened, it would email itself to the first 50 addresses in the MAPI email address file on the computer. When asked why he did it, David Smith stated that he just wanted to see if it would work. It did work – splendidly, crashing an estimated 100,000 email servers. People readily opened the malicious document received from someone they knew, containing a moderately convincing subject line and message. Besides, this type of attack was new. People weren’t used to being on their guard when opening up email attachments, especially from people they knew.

    Activism
    A few activist hacks occurred during the decade. In 1998, three members of the hacker group Milw0rm, as a protest of the Indian government’s nuclear weapons test program, broke into several servers of India’s Atomic Research Centre, modified the organization’s homepage, and stole thousands of emails and related research documents [16]. That same year hackers compromised and disabled filtering on a half-dozen firewalls used by China to filter its people’s Internet traffic [17].

    The 2000s Environment
    Two technological innovations really changed the landscape of the Internet from something you ‘go on’ to something you are ‘always on’ – the iPhone and cloud computing.

    [15] http://www.zdnet.com/biggest-hacking-fraud-ever-3002076252/
    [16] http://www.wired.com/science/discoveries/news/1998/06/12717
    [17] http://www.wired.com/politics/law/news/1998/12/16545

  • 14. Prior to the release of the iPhone in 2007, getting on the Internet was ‘expensive’ in terms of time and location – you had to be at your desktop or your laptop and the system had to be connected to the Internet. Most often this was at work or at home, sometimes at a public access point.

    The iPhone, and the smart phones that followed, essentially put the Internet in the owner’s pocket on a very pleasantly usable device. Now you always had the Internet with you and didn’t have to go out of your way to use it. With this always-on connectivity, individuals moved larger portions of their lives to Internet-connected systems and, in doing so, moved larger swaths of their personal data to more systems – fitness activities, notes, photos, social, even their homes.

    Cloud computing made it easy for computing-intensive companies to set up shop. No longer was large capital investment required to build a computing-intensive company. With rates measured and charged in pennies per hour, companies could expand their computing infrastructure as needed. And they could do it easily, with much of the traditional heavy lifting of data center operations and networking already completed for them. The result has been an increase in Internet-based companies – SaaS providers and web startups.

    Motives and Crimes
    In the first decade of the millennium, financial cybercrimes evolved from infrequent, one-man operations to frequent events perpetrated through a highly sophisticated, horizontally integrated criminal industry. Other criminal activities flourished too. While many of the crimes had been seen in previous decades, the frequency and magnitude of the crimes hadn’t.

    Money – Bank Account Takeover
    One of the biggest criminal developments of the 2000s was the formation of an entire industry devoted to compromising and pilfering online bank accounts. One of the earlier online account compromises occurred in June of 2005, when a fraudster gained unauthorized access to a Miami businessman’s online bank account using keystroke-logging malware and was able to fraudulently wire over $90,000 to an account in Latvia [18]. By the third quarter of 2009, fraudsters had successfully hijacked hundreds of U.S. small business online accounts, hauling away over $25 million [19].

    This amount of criminal opportunity drove specialization, with some enterprises selling access to compromised systems, some selling custom malware, and others focusing on cashing out compromised accounts. A specific malware class of ‘banking trojans’ developed to enable bypass of online banking controls – Zeus, Sinowal, Carberp, SpyEye, and others. A fully featured license for Zeus, at one point, was selling in the criminal world for nearly $20,000.

    [18] http://www.finextra.com/news/fullstory.aspx?newsitemid=13194
    [19] http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/
  • 15. Money  -­‐  ATMs   ATMs   are   computer   driven   cash   dispensers.   If   the   account   balance   and   daily   withdraw  limit  line  up  with  an  authenticated  request,  then  the  machine  will  give  the   requested   amount   of   money.     So,   what   happens   when   you   steal   a   few   cards   and   modify   the   account   balances   and   daily   withdraw   limits?   The   WorldPay   division   of   Royal  Bank  of  Scotland  found  out.       On   November   8,   2008,   an   army   of   cashers   armed   with   compromised   WorldPay   pre-­‐ paid  payroll  cards  descended  on  ATMs  located  in  over  280  cities  around  the  world   and   withdrew   $9.5   million   in   cash   in   a   twelve-­‐hour   period.   The   cashers   kept   their   commission,   30-­‐50%   of   the   take,   and   wired   the   remainder   to   the   scheme   masterminds.   The   four   leaders   of   the   heist   had   previously   broken   in   to   the   Royal   Bank  of  Scotland  WorldPay  network  and  stolen  data  for  44  pre-­‐paid  payroll  cards,   cracked  the  payroll  card  PIN  encryption,  raised  the  funds  available  on  each  account   up   to   as   high   as   $500,000,   and   changed   the   daily   ATM   withdraw   limit   allowed.   During   the   heist   the   hackers   monitored   the   withdraw   transactions   remotely   from   the  RBS  WorldPay  systems  and,  once  the  heist  was  finished,  they  attempted  to  cover   their  tracks  on  the  RBS  network.20       Money  –  Payment  Card  Theft   Grand  scale  payment  card  theft  looks  like  Albert  Gonzalez’s  ‘Operation  Get  Rich  or   Die   Tryin’,   a   payment   card   hacking   crew   that   stole   over   90   million   payment   card   numbers   from   companies   including   Heartland   Payment   Systems,   TJ   Maxx,   7-­‐Eleven,   and   Office   Max   and   caused   over   $200   million   in   damages.   
Gonzalez   and   crew   compromised   the   payment   card   processing   systems   at   these   companies   by   exploiting   well-­‐known   vulnerabilities   in   their   wireless   networks   and   web   applications.   Upon   arresting   Gonzalez,   agents   found   $1.6   million   in   his   several   bank   accounts.   His   goal   was   $15   million,   at   which   point   he   planned   to   buy   a   yacht   and   retire.21       Money  –  Identity  Theft   Since   2001,   identity   theft   has   been   the   most   common   consumer   complaint   registered   to   the   Federal   Trade   Commission.   In   2012   16.6   million   U.S.   residents,   ages   16   and   older,   were   victims   of   identity   theft.   The   vast   majority   of   these   thefts   involved  fraudulent  use  of  an  existing  financial  account,  such  as  a  bank  account  or   credit   card   account.     The   total   cost   of   these   crimes   was   estimated   at   $24.7   billion   in   2012.22       Activism   Persons   with   a   potentially   more   aggressive   approach   to   activism   took   to   the   Internet   in   droves   in   the   2000s.   One   person’s   2010   New   Year’s   resolution   was   to                                                                                                                   20  http://www.wired.com/threatlevel/2009/11/rbs-­‐worldpay/   Federal  Indictment   http://www.justice.gov/opa/pr/2009/November/09-­‐crm-­‐1212.html   21  http://www.wired.com/threatlevel/2010/03/tjx-­‐sentencing   22  http://www.bjs.gov/content/pub/pdf/vit12.pdf   ©  Kelly  White  –  2013   Page  15  
  • 16. actively   disrupt   sites   he   deemed   to   support   “terrorists,   sympathizers,   fixers,   facilitators,   oppressive   regimes   and   other   general   bad   guys.”   Operating   under   the   handle  ‘The  Jester’,  he  frequently  delivered  on  his  resolution  by  launching  Denial  of   Service   attacks   against   sites   he   deemed   to   fit   within   in   his   objective.     His   primary   targets  were  wikileaks.org,  for  releasing  the  U.S.  State  Department  cable  messages,   and  sites  or  organizations  he  deemed  to  be  aligned  with  terrorism.     Unknown numbers of people took up a variety of ‘hacktivist’ campaigns under the banner of Anonymous. Taking the opposite position as ‘The Jester’, Anonymous launched DDOS attacks against serveral financial firms in response to their ban of Wikileaks from their payment networks for publishing the U.S. State Department cables. A small Anonymous unit was involved in raising the awareness of the Stubenville High rape case. Anonymous went after Sony to punish them for prosecuting George Hotz for successfully unlocking PlayStation 3 security system. Ilmars Polkans campaign to expose fraud within the Latvian government was very effective and is worth researching. When filing his tax returns, Ilmars ‘unintentionally’ stumbled on a vulnerability on the Latvia Revenue Site that allowed him to see all tax filings. What he found was fat salaries for government officials during a time when citizens of Latvia, both public and private, were being forced to endure deep pay cuts because of the recession. His campaign to expose the injustice literally resulted in a public rebellion against the government. So What Comes Next? I  am  hopeful  and  I  am  dismayed  all  at  the  same  time.  
On  the  leading  edge,  there  is   really   exciting   stuff   happening   in   the   security   space,   particularly   in   the   areas   of   leveraging  big  data  and  data  analytics  to  detect  malicious  events  early  in  the  attack   stages.    In  the  middle,  the  people,  processes,  practices,  and  technology  for  building   and   maintaining   reasonably   secure   systems,   networks,   and   applications   is   readily   available.   I   see   a   lot   of   organizations   doing   the   right   security   stuff,   and   they   are   being  successful  in  protecting  their  businesses  and  their  customers.       Surprisingly,  there  are  also  still  a  lot  of  organizations  that  just  don’t  care.  They  don’t   even   do   the   basics.   They   have   database   servers   listening   on   the   Internet.   Their   systems   are   out   of   date   and   misconfigured.   Their   application   access   controls   are   ©  Kelly  White  –  2013   Page  16  
  • 17. easily  bypassed.  They  just  don’t  care.  And  there  is  no  excuse  for  it.  Frankly,  I  think   they  should  be  kicked  off  the  Internet  until  they  get  their  stuff  right.     And   there   lies   the   answer.   The   crime   will   continue   to   occur   and   it   will   most   commonly   occur   against   organizations   that   don’t   do   security   well.   People   will   continue  to  move  their  money  and  their  data  online  and  criminals  will  continue  to   steal  it  from  the  organizations,  most  commonly,  that  have  the  least  security.     ©  Kelly  White  –  2013   Page  17