Hackers Run Wild as the Internet Struggles to Lock Them Out This Holiday Season
Andrew J. Nilsen
It hasn't been a very happy holiday season for Sony Pictures, which was hacked recently and had sensitive internal files compromised.
Five movies -- four of them unreleased -- were leaked along with 11 terabytes of personal data, including executive salaries, release schedules, employee criminal background checks, and passwords (kept securely in a directory titled "passwords"). The company's entire network had to be shut down and employees couldn't even use their computers or laptops for more than a week.
The irony of the Sony Pictures situation is that its leaky security was exposed three years ago by two Arizona men in concert with LulzSec leader-turned-stoolie Sabu, a.k.a. Hector Xavier Monsegur. The group released names, e-mails, and passwords of 75,000 people.
Raynaldo Rivera, 20, and Cody Kretsinger, 24, were convicted last year, sent to prison for 12 months, and ordered to pay $605,663.67 in restitution to cover Sony's associated costs, including a full security overhaul that doesn't appear worth the money spent.
The Sony Pictures mishap is only the latest in a disquieting trend of high-profile computer incursions from Home Depot and Target to J.P. Morgan Chase to Apple's iCloud. Nearly everywhere we turn, our personal information, photos, and credit card information are getting compromised. In September, Home Depot revealed that a cyber attack in April had exposed more than 50 million customer credit cards and e-mail addresses.
Consumer information never has been more imperiled, and yet very little is getting done to address the issue. Here we are in shopping's high season, and nothing much has changed.
Though identity theft runs rampant, fraud seems little more than an entry in the ledger for companies that write it off as a business expense.
"Identity theft is kind of like flu deaths," says Mark Patton, a University of Arizona computer researcher. "We freak about one Ebola death but just accept the fact that 40,000 people a year die of the flu. We're just so used to identity theft that we've stopped putting out screaming headlines."
We're racing toward a society where our watches pay bills, our cars drive themselves, and our appliances are connected to the web, yet even today's relatively simple networks cannot remain secure. What's going to happen when the number of network access points increases a million-fold?
"This is a problem that has been building in magnitude and potential harm for 40 years," says Julie Ryan, a George Washington University information-security researcher. "It only recently got so tightly coupled and so intertwined in our normal everyday life that it started becoming a problem of enormous significance."
Ryan likes to compare computer and network security to the use of lightweight steel girders in bridge-building. It was a tremendous advance that greatly increased the size and scope of bridges -- long before bridge safety was understood completely.
"Something like 100 years ago all the bridges were shut down by federal mandate so they could figure out what the math was so the bridges would stop collapsing," Ryan says. "They started discovering elements they hadn't realized were issues."
A similar crisis besets computer networks, but good luck trying to shut them all down to apply a comprehensive fix.
"A whole industry grew up by accident very quickly," Ryan says. "Up until now, there has been very little incentive for commercial businesses to spend an awful lot of time and money getting into security."
Raynaldo Rivera helped perpetrate the first Sony hack, a paper cut compared to a recent hack attributed to North Korea.
Courtesy of Hacker
The latest government numbers suggest that about 17 million Americans suffered identity theft last year, or about 7 percent of those over age 16 -- with a total loss at about $25 billion.
Fraud has doubled in the United States over the past seven years and cyber-crime has increased across the board. According to a recent PricewaterhouseCoopers report, the number of detected information security breaches globally has increased by half over the past year.
The extent of network security problems has been put into sharper focus over the past 18 months, beginning with Edward Snowden's revelations on the pervasiveness of state-sponsored spying and cyber-shenanigans of the sort hinted at by the Stuxnet worm that hit Iran's nuclear centrifuges.
This was followed by last year's series of holiday retail thefts at Michaels, Neiman Marcus, Target, and other retailers of more than 40 million credit card numbers, the largest theft until the Home Depot breach in April.
The Home Depot and Target hackers found their way onto the retailers' systems by acquiring a third-party vendor's credentials, in Target's case from a Pennsylvania heating, ventilation, and air-conditioning company. Once inside, they worked their way across the corporate network to the Windows-based point-of-sale terminals that swipe customers' cards and installed memory-scraping malware on them. From then on, the malware read each card's magnetic-stripe data out of the terminal's memory in the moment before it was encrypted, then batched the stolen numbers up to servers the thieves controlled.
"This is worrisome because this follows a classic route where open-source researchers see malware that targets the PoS terminals that retailers use for swiping cards," says Richard Stiennon, author of Surviving Cyberwar. "Retailers ignored that information because they weren't looking for it. They're just not looking outwards at new threats."
No longer is it only big-box retailers facing this threat. In the past three months other PoS malware has been discovered at over a thousand commercial businesses -- which shouldn't be reassuring to shoppers this holiday season.
"The mom-and-pop stores, our hairdresser, dentist office. None of them has security that would detect a breach," Stiennon says. "We're entering a phase where every point-of-sale terminal that's running a version of Windows is going to be compromised."
The cyber-threat is hardly limited to retail. Beginning last fall, a Russian group started holding personal computers hostage with malware dubbed CryptoLocker. The software encrypts the victim's files and demands payment for the key that unlocks them.
More than a half-million individuals and companies were struck, including a Massachusetts police station that paid a $750 ransom to get its files back, before an international law-enforcement operation in early June seized the botnet that distributed the malware and charged its alleged Russian operator. A few months later, more ransomware popped up, this time threatening to lock Android users out of their phones.
Individuals aren't the only targets of such cyber-ransoms. In June, Nokia acknowledged that several years earlier a blackmailer had obtained the cryptographic key Nokia used to sign software for its Symbian smartphones and threatened to publish it. That would have been disastrous: anyone holding the key could sign malware that phones would accept as genuine Nokia code. Nokia teamed with the Finnish police, and the key never was released. But the perpetrator(s) still got away with millions in ransom money.
Perhaps the most disturbing revelation came in August when it was discovered that hackers had infiltrated J.P. Morgan Chase's computer networks, acquired high-level security access and moved about the system undetected for two months. Nine other financial institutions also were infiltrated, including Fidelity Investments. Only a hacker slip-up (using the same IP address for attacks on different Chase servers) outed them and prevented an eventual breach of the bank's accounts system.
Still, the hackers made off with personal (but not account) information of 83 million individuals and businesses as well as a catalog of every program run on J.P. Morgan's computers. The hackers can check that list against known vulnerabilities to find other means of access. (J.P. Morgan now is in the process of switching out all its software.)
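The slip that exposed the J.P. Morgan intruders, one source address touching many internal servers, is the kind of thing a simple cross-host log correlation catches. The following is an added example, not anything from J.P. Morgan or the investigation: it parses a handful of constructed sshd-style login lines (documentation-only IP addresses, made-up host and account names) and reports any external address that has authenticated to several distinct servers. The three-host threshold, the log format, and the function names are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sshd-style log lines. Addresses are RFC 5737 documentation
# ranges and the host/account names are invented; none of this is real data.
SAMPLE_LOG = """\
2014-06-03T01:12:09Z web-01 sshd[2210]: Accepted publickey for deploy from 198.51.100.23 port 40112
2014-06-03T01:14:51Z web-07 sshd[1187]: Accepted password for svc_backup from 203.0.113.45 port 51122
2014-06-03T01:20:02Z db-02 sshd[4401]: Accepted password for svc_backup from 203.0.113.45 port 51130
2014-06-03T02:47:38Z app-11 sshd[3320]: Accepted password for svc_backup from 203.0.113.45 port 51201
2014-06-03T03:05:10Z web-01 sshd[2251]: Accepted publickey for deploy from 198.51.100.23 port 40977
2014-06-03T03:06:44Z web-07 sshd[1190]: Failed password for root from 203.0.113.45 port 51233
2014-06-03T04:11:19Z jump-01 sshd[990]: Accepted password for svc_backup from 192.0.2.10 port 60011
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) \S+ "
    r"for (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_events(text: str) -> list:
    """Turn raw lines into dicts (ts, host, outcome, user, ip); non-matching lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def fan_out(events: list, min_hosts: int = 3) -> list:
    """Source IPs seen authenticating (or trying to) against at least min_hosts distinct servers.

    One address spread across many internal hosts is the pattern the article
    describes; legitimate automation usually has a narrower footprint.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        hosts = sorted({ev["host"] for ev in evs})
        if len(hosts) < min_hosts:
            continue
        ts = sorted(ev["ts"] for ev in evs)      # ISO-8601 strings sort chronologically
        findings.append({
            "ip": ip,
            "hosts": hosts,
            "users": sorted({ev["user"] for ev in evs}),
            "events": len(evs),
            "first_seen": ts[0],
            "last_seen": ts[-1],
        })
    return findings


if __name__ == "__main__":
    for finding in fan_out(parse_events(SAMPLE_LOG)):
        print(finding)
```

The check only works if the logs from every server land in one place; an intruder who is careful to use a fresh address per host defeats it, which is why the article calls the reuse a slip-up.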
The attackers made use of previously unknown vulnerabilities (so-called "zero-days"), which suggests greater proficiency than the run-of-the-mill hacker, and the possibility of state sponsorship. Indeed, there are indications they're part of the extensive Russian cyber-criminal underground with ties to the Russian government. This and uncertainty over the hackers' motivations has even the White House spooked.
"The question kept coming back, 'Is this plain old theft or is [Russian President Vladimir] Putin retaliating [for sanctions]?'" a senior official told the New York Times in October. "And the answer was, 'We don't know for sure.'"
That puzzling question remains months later: What were they doing there?
"[These] were pretty sophisticated attacks, which makes you wonder: If they were that good and in there that long, why didn't they manage to get the actual account information," Patton asks.
Former NSA chief Keith Alexander -- who now has his own cyber-security firm -- warned that this could be a shot across the bow by Russia to head off further sanctions. A large cyber-theft from an institution the size and stature of J.P. Morgan damages confidence and could lead to a financial crisis.
"Right now, Russia wouldn't attack U.S. banks destructively because all [its money] is in those banks," Stiennon says. "But what if the U.S. cut off access to those funds for the Russian oligarchs. They could say, 'What the hell -- let's take them down. If we can't get our money, then nobody else can.'"
There's also a chance the break-in is related to another emergent hacking group, FIN4, which has been stealing credentials and insider information. The group acquires executive e-mail addresses and sends fake e-mails (spear-phishing) designed to trick the recipient into clicking a link that loads malware or uses a fake log-in to snare credentials.
A recent report suggested that the group might feature former investment bankers, based on their heavy use of insider Wall Street nomenclature in the e-mails. They've primarily targeted health and medical-device companies whose insider information on new trials, breakthroughs, or impending acquisitions can cause especially steep short-term spikes or dives in stock prices.
Adding to the sense of general paranoia was a Europol report in mid-October of chatter on the dark web, in the difficult-to-trace chat rooms where criminals congregate. The European law enforcement agency's moles suggest that Russian gangs are planning a massive $1 billion cyber-bank heist. While this sounds impressive, Ryan suggests "that's just a rounding error" for the $2.5 trillion banking giant.
This doesn't exactly fill you with confidence as the Christmas season is upon us.
"I would have to say right now that we're losing the war in terms of security," Patton says.
Network security is a longstanding problem whose peril is accelerating, says Dr. Julie Ryan.
Courtesy of Julie Ryan
Every few months, we read reports of new-found software vulnerabilities.
In April, there was Heartbleed, a bug in the widely used OpenSSL library that let anyone pull chunks of a web server's memory, including users' passwords, session cookies, and the server's own private encryption keys. Some called it "catastrophic." It was patched, but then, in September, came Shellshock, which the National Institute of Standards and Technology's vulnerability database rated 10 out of 10 in severity. Shellshock is a flaw in Bash, the command shell on most Linux and Unix servers: a specially crafted environment variable made the shell run whatever command was tacked onto the end of it, so any server that handed untrusted input to Bash, most visibly web servers running CGI scripts, could be taken over with a single request. The fix is a patched Bash, but a visitor has no way to tell whether a given site has applied it.
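As an added example of the Shellshock flaw (this code is not from the article, from NIST, or from the Bash project), the following shows how a request header becomes a Bash environment variable under CGI and how to test a local Bash against the original trigger. The function names and the marker string are this example's own; on a patched system the probe reports False.

```python
import os
import shutil
import subprocess
from typing import Optional

# The original Shellshock trigger. Before the fix, Bash imported any environment
# variable whose value began with "() {" as a function definition and then kept
# parsing, executing whatever followed the closing brace.
SHELLSHOCK_PROBE = "() { :;}; echo SHELLSHOCK_MARKER"


def cgi_env_from_headers(headers: dict) -> dict:
    """Mimic how a CGI web server exposes request headers to a script.

    'User-Agent: ...' becomes the environment variable HTTP_USER_AGENT, which is
    why a single HTTP request was enough to reach Bash on a vulnerable server.
    """
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def check_shellshock(extra_env: Optional[dict] = None,
                     bash: Optional[str] = None) -> Optional[bool]:
    """Run Bash with the probe in its environment.

    Returns True if the shell executed the trailing command (vulnerable),
    False if it did not (patched), None if no Bash is available to test.
    """
    bash = bash or shutil.which("bash")
    if bash is None:
        return None
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    env.update(extra_env or cgi_env_from_headers({"User-Agent": SHELLSHOCK_PROBE}))
    try:
        proc = subprocess.run([bash, "-c", "echo probe-ran"], env=env,
                              capture_output=True, text=True, timeout=10)
    except FileNotFoundError:
        return None
    # The command we asked for was only "echo probe-ran"; if the marker shows
    # up, the shell also ran the command smuggled in through the environment.
    return "SHELLSHOCK_MARKER" in proc.stdout


if __name__ == "__main__":
    verdict = {True: "VULNERABLE", False: "patched", None: "bash not found"}
    print(verdict[check_shellshock()])
```

Patched versions of Bash only import functions from variables with a reserved name prefix and stop parsing at the closing brace, so the trailing `echo` never runs.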
How did we get in such a mess?
Some of it is endemic to the complexity of creating computers and software, especially without the same agreed-upon standards and practices. (Compare this to the tightly regulated procedures of the medical profession.)
Not only are there millions of lines of code, but the programs need to be compatible with a whole universe of programs and platforms. In the case of the Bash bug, the flaw sat in legacy code that had been around for decades without anyone auditing it closely, and the error went unnoticed.
This doesn't surprise Raynaldo Rivera, one of the original Sony Pictures hackers, who lives in Phoenix and now works in game development.
"Who really wants to look at old batch code all day," Rivera asks. "That's what it comes down to. I could create something cool and new, or I could stare at old code and hope I get something."
GWU's Julie Ryan concurs: "This is not sexy but enormously detailed-oriented, long, and laborious, and people who are ADHD simply cannot do it because it requires you to pay attention to details and display a great deal of dedication."
Security was an afterthought for most companies through the turn of the millennium, in part because so few people really understood network security.
Indeed, Richard Stiennon reports that the U.S. government has spent the past 14 years developing a network-centered-warfare platform with an informational grid, sensors, and precision-guided munitions without giving any thought to the network's security.
"When they started designing it, security by obscurity was good: The Chinese are not going to get a hold of our software. So even if they down one of our jets, it will be hard as hell for them to compromise them," Stiennon says. "Since then, the Chinese have stolen the design data for a dozen weapons platforms, airplanes, and missiles systems. Odds are, if they stole the software, they can find the vulnerabilities."
Network security really began to change thanks to computer enthusiasts and a predecessor of Anonymous, Cult of the Dead Cow. The group was deeply involved in network security and released a series of tools around the millennium to probe networks for holes and vulnerabilities.
It also popularized a style of network war games in which teams compete to break into each other's computers. It's by now a well-established truism in the industry that those best at network security generally have spent significant time trying to break into systems. Rivera took part in similar network security "games" while in high school.
"Some schools claim they can teach it, but really they don't for the most part; all they're doing at best is guiding," says Rivera, who attended the University of Advancing Technology in Tempe before his arrest.
"Most people in network security have experimented themselves," he says, "or had someone who knew something help them out."
The tools were released publicly in the early 2000s, with the intent of making them available to any administrator interested in testing their network security. Since then, they've also been taken advantage of by those without pure intent. In fact, the tools have evolved dramatically in the past few years to the point where they're not only widely available but pretty much point-and-click, giving rise to what are known as "Script Kiddies."
Rivera says, "A 'Script Kiddie' is an individual who doesn't understand the underlying technology. They download scripts that can attack these servers without having to know anything about it. They just know that if they put the URL in this thing and push go, they'll get some outcome if it's vulnerable."
Adds Ryan, "You can go online and find a virus-creation tool that you can, with zero knowledge whatsoever, simply point and click and design a malicious software tool, and you can find forums that talk about this stuff and enthusiasts who don't intend to do bad things but are just really interested in understanding how things work and are motivated to share information with each other."
These are what are known as "gray hat" hackers because the allegiances aren't as cut-and-dried. A white hat works in security and a black hat typically is motivated solely by profit.
Gray hats often act out of a (perhaps misplaced) sense of justice. They've been involved in releasing information about software vulnerabilities and bugs publicly, sometimes rationalizing it as necessary to ensure quick action. They also tend to have a certain ego about their exploits, doing a little end-zone dance where a little decorum might be better appreciated.
That's what happened when Andrew "Weev" Auernheimer found a flaw in an AT&T website that exposed iPad users' e-mail addresses, information he first gave to Gawker. Though he didn't break into any system or subvert any password authentication, Auernheimer was convicted and jailed. In April, an appeals court vacated the conviction because the case had been tried in the wrong venue, though the judges sounded skeptical of the conviction's logic, since Auernheimer only accessed information that was (inadvertently) publicly accessible.
This is an unfortunate riptide in the ongoing security crisis. Gray hats serve a very important function of exposing weaknesses for the sake of it rather than quietly profiting and letting bugs proliferate. (Essentially the NSA's approach.) Perhaps because of the difficulty of catching devious "black hat" hackers, law enforcement has focused more on the gray hats whose greatest crime oftentimes is little more than criminal mischief.
Meanwhile, an empire has grown up around the illegal exploits of the black hats. It boasts a sprawling infrastructure of hyper-specialized con men offering their skills and wares on underground eBays: dark-web marketplaces reachable only through the anonymizing Tor network.
Sites such as SWIPED traffic wholesale in credit cards and identities at anywhere from a quarter to a hundred bucks for freshly stolen cards. (Indeed, security companies watch these sites to determine whether their clients have been hacked.) An entire production chain has developed to diffuse risk among the bad actors, Patton states.
"The people who write attacks and then sell them, that's pretty safe; they're not actually committing the crime of launching the attack. Then there are people who use the attacks to steal credit cards, but they don't actually try to use the credit cards; [they] sell them in bundles online to people who buy credit cards and convert them into cash," he says. "Then, there are other people who maybe don't do credit cards, but they do bank accounts . . . So there's a lot of specialization online."
Many of those trafficking in stolen cards live in Russia. One of the most notorious hackers, who goes by the name Rescator, is said to have sold over 5 million credit cards just from December 2013 through February 2014. They're allegedly booty from last year's Target hack. Though the FBI knows the identities of some of the perpetrators, it's had little luck bringing them to justice.
"The reason there aren't very many criminal prosecutions for cyber-crime is that it's so hard to do cross-jurisdictional prosecution," says Stiennon, referring specifically to a case brought by Britain's National Hi-Tech Crime Unit in 2003. "If you engage in a three-year prosecution and investigation -- like . . . Andy Crocker did in Russia -- while the goal and purpose was great, your career is going to be set back."
In the end, Crocker was only able to get a handful of low-level convictions while the bigwigs faded into the woodwork. His department subsequently closed, and its responsibilities were transferred to the ludicrously named Serious Organised Crime Agency.
In 2008 and 2009, the FBI made its own run at Russian hackers, sparked by what was described as "unprecedented cooperation" from the Russians. In the end, nothing came of it. At least for this country. U.S. officials suspect the Russians used the FBI to identify promising hacking talent that could be recruited to do the state's bidding. This presumably in exchange for looking the other way at felonious activities, which they judiciously keep outside Russian borders.
According to Ryan, many Russian hackers are former scientists and mathematicians who found themselves out of work when the Soviet Union fell.
"You could take your Ph.D. in math and work on a farm herding cattle or you could go to work for the Russian mafia," she says. "An awful lot of people found themselves in a position where they had no choice but to go to work for the mafia or other [criminal] entities."
The rise of state-sponsored cyber-crime is a particularly worrisome aspect of the current environment. Early indications have suggested the North Koreans might've been responsible for the recent Sony Pictures hack. It supposedly was retaliating for the upcoming Sony Pictures Seth Rogen/James Franco movie The Interview, in which celebrity talk-show hosts are recruited by the CIA to assassinate North Korean leader Kim Jong-un. Of course, this could just be more marketing.
Iran has created its own cyber-army, with which it has expressed a desire to get vengeance on the United States and Israel for their roles in unleashing the Stuxnet worm upon the country's nuclear centrifuges. A report published recently suggested that Iran's cyber-army was involved in at least 50 attacks in more than 16 countries, including a San Diego Marine Corps computer network.
One expert estimated that there are as many as 1,000 annual state-sponsored cyber-attacks, though this is largely guesswork since attribution is next to impossible. The concern is that one of these covert cyber-attacks eventually will go too far and prompt real-world retaliation.
Gail-Joon Ahn asks whether we should even let retailers have our information.
The same uncertainty surrounding state-sponsored attacks afflicts the commercial world, as well.
Nobody likes to admit that they've been hacked. (Note that the nine other financial institutions struck along with J.P. Morgan remain unnamed.) Banks have conflicting interests in confessing the level of threat.
"They're very carefully not telling anybody else because they don't want to make it look too big so that other people are encouraged to jump on the bandwagon," Patton says. "But they also don't want to lie and make it sound like it's smaller than it is."
While we have a pretty good handle on the amount of identity theft out there, bank-fraud losses are harder to pin down. This fuzziness plays a role in capitalization. If you don't really know how much potential loss is out there or how much you're already preventing, then how can you possibly determine your all-important return on investment?
Given the uncertainties, most banks and retailers use a risk-management approach that examines vulnerabilities and exposure and calculates a number -- as they do with the financial markets. Then they'll either invest more to change the number or buy more insurance. That's a problem for Stiennon.
"It doesn't work that way in cyber. You can't know what your exposure is because that attacker is not going to give up. So even if you're perfectly patched, the attacker will just use a zero-day vulnerability," he says. "Banks, in general in the United States, have been focusing too much on risk models and not enough on threat models."
Maybe that's because it's not the hacked institutions that bear the cost of a breach but their customers. Insurance ultimately covered a substantial portion of Target's exposure, leaving it with a pre-tax bill of about $140 million, or 0.2 percent of last year's $73.7 billion in revenue.
"It's you and me who pay the cost," Ryan says. "Every time a successful exploit is done, a fraction of a cent is added to the cost of things that we buy or a fraction of a cent in a credit card fee. Yeah, there is some bad publicity, but in the end, the cost is a pass-through to the consumer."
For their part, the credit card companies herald the incipient arrival of chip-and-PIN-style credit, debit, and ATM cards. Instead of just a magnetic stripe, these cards carry an embedded microchip that generates a unique code for every transaction, and the cardholder is authenticated by entering a personal identification number. (Other "smartcards" are chip-and-signature.) That makes the card very hard to clone, but it requires merchants to install new point-of-sale terminals at all their registers, at about $500 apiece.
America is the last major country to abandon the magnetic stripe. The roll-out begins in earnest next year, ahead of the major U.S. card networks' October 2015 deadline. Experts say stores won't be ready in time, but they have an incentive: after the deadline, liability for counterfeit-card fraud shifts to whichever party has not adopted chip technology, which in most cases will be merchants still running stripe-only terminals.
Unfortunately, chip-and-PIN is not the panacea it may once have been. Patton saw a British bank's presentation at a security conference in the Netherlands a couple of months ago.
"When they introduced chip-and-PIN, it went down to $350 million that year, and after that, they just found different attack vectors [so] now it's back at [the original level]," he says. "Chip-and-PIN is not the solution."
Of course, that's just human nature. If there's a way to make money, people will figure it out, and if there's a way to monetize shady cyber-behavior, certain people will find it.
"Talk to people in the security business, and they will tell you 10 percent of any population is bent," says Ryan, chuckling. "Then if you use a normal distribution, a whole bunch of them are going to have high IQs. Pretty soon, you are looking at a situation that makes you go, 'Uh-oh!'"
In November, Arizona State computer scientist Gail-Joon Ahn chaired the 21st ACM Conference on Computer and Communications Security in Scottsdale.
Ahn is involved in creating a secure mobile wallet and has secured several patents for the technology.
Another of Ahn's research projects involves an unsecured "honeypot" server that waits like flypaper for malware to strike. The idea is to study it, identify its signatures and, using social media, try to identify its origin. Ahn believes all companies need to have their fingers to the wind and share what they glean. He notes that banks already have formed a consortium for just such information, creating sort of a police scanner for cyber-threats.
"We can share some of the trends so you can understand the current situation in each private sector and understand what you are facing," Ahn says. "I've been working on a similar notion with some of the intelligence agencies here to develop collaborative and collective intelligence for both parties so they can share immediately. We need this kind of intelligence and maybe a university, third party, or some nonprofit could have this role in the middle and help to do this."
Ahn suggests that a way around the spate of PoS and other credit card attacks on retailers may be to rethink our approach to financial transactions.
"Is it possible to make my payment without leaving my financial information with the merchant?" he asks. "Can I talk to my bank directly and my bank talk to these merchants regarding my approval? My bank has my personal information; why do I have to . . . give it to the merchant?"
There's not much hope under the tree this season. No one feels the network-security problem will be solved quickly. There's just so much perimeter to cover that it's nearly impossible currently to keep intruders out. Patton says most institutions price it into the cost of doing business.
"The stuff that's happening, it's expensive, but it's not like it's going anywhere. So people are getting credit card information, and they're selling it. And the financial institutions have a budget to absorb a certain amount of loss every year," he says. "In some ways, it's like the war on drugs. Yeah we can keep taking down drug cartels, but the drugs haven't gone anywhere. A lot of FBI agents have been promoted, but they haven't solved the problem."
Some of the issue is built into the incentive system. If it's hard to see the advantage, it's hard to invest. And even when risk is readily apparent, it's difficult to get people to spend money on insurance. That's why the government mandates flood insurance in certain regions.
"When the cost of reducing the risk is borne by the people it's decreased for -- and they're able to understand the decrease in risk -- it's pretty easy to [get them to pay for it]. A lot of people will pay for a car that has a five-star crash rating," Patton says.
Unfortunately, those capable of addressing the issue of computer fraud -- banks and retailers -- have little incentive to make costly changes when the fraud's already covered by consumers. "Not only do the cardholders not know what it's costing them, even if they were able to create savings, it wouldn't be passed through to [them]," he says.
This is the idea that resonates most with Ryan. Noting the indifference with which security has been handled and the general unwillingness of companies to heavily invest, she suggests that we insist that everyone who safeguards personal information, creates software or operates networks have a little more skin in the game.
"I'm hoping a new generation of lawyers will develop a legal strategy of negligence and liability, because that's the only thing that I believe will really change the culture," she says. Ryan compares the field of security to the evolution of medicine.
"The medical profession moved into guild structures that were regulated and controlled and eventually," she says, "into a system of testing and certification of capabilities and a professional credo of policing themselves."
Until that time, can we interest you in holiday pricing on some leeches?
Due Diligence
1. Track Your Credit. Probably the single most effective step you can take to protect yourself is vigilance. Keep an eye on your bank and credit card balances, but even more important, check your credit report regularly. Sites like CreditKarma can be used to track any new credit applications under your Social Security number, and everyone in the United States is entitled to a free yearly credit report from each of the three major reporting agencies (Equifax, Experian, and TransUnion). You can get yours at www.annualcreditreport.com. You also should be aware of the increasing incidence of "synthetic identity theft," in which a criminal alters part of a consumer's information, such as a date of birth or a single Social Security number digit, to confuse the bureaus' matching systems. The credit agencies recognize the consumer, assume a typographical error has been made, and grant credit while storing the incorrect information in a separate profile, so the consumer often isn't alerted until creditors contact them.
2. Avoid Mall and Unfamiliar ATMs. Lately, thieves have gotten skillful in their subversion of ATMs. Techniques range from skimmers fitted over the card reader, paired with either a concealed camera or, more recently, a keypad overlay to capture the PIN, to entire fake fascias installed over the original machine. Many of these include transmitters, so thieves never have to return to the scene of the crime. "I would be vigilant about not using your ATM card at anything other than a bank," says Julie Ryan, a George Washington University information-security researcher. "Even if the skimmer wasn't attached to the ATM, the opportunity for someone to observe your PIN and maybe pickpocket your card is higher."
3. Small Businesses Should Get Security Consultation. As security at the bigger retailers tightens and the tools used to subvert Target and Home Depot filter through the hacker communities, these cyber-attacks are going to increasingly focus on the weakest links: small businesses. This means more than just compliance with the Payment Card Industry Data Security Standard (PCI DSS). Richard Stiennon, author of Surviving Cyberwar, suggests that small businesses consider outsourcing to a managed security provider that can at least protect their Internet gateways and ensure that all firewall rules are up to date. He encourages business owners to get a security consult. "Then, no matter what, you're going to learn a lot and improve your situation," he says. "If you hire one of the good ones, you'll end up with a plan that gets you to a pretty secure state."