You will be hacked

Each year Internet hackers steal millions of people's credit-card info, Social Security numbers, passwords and more. Why can't banks, retailers or the government stop them?

Raynaldo Rivera, one of two men convicted in 2013 for hacking into Sony Pictures’ computer system, now works in game development.

Photo courtesy of Raynaldo Rivera

This story originally appeared, in longer form, in the Phoenix New Times.

It wasn't a very happy holiday season for Sony Pictures Entertainment, which was hacked recently and had sensitive internal files compromised.

Five movies—four of them unreleased—were leaked along with personal data, including executive salaries, release schedules, employee criminal background checks and passwords (kept securely in a directory titled “passwords”). As a result, the company’s entire network was shut down, and employees couldn’t use their computers or laptops for more than a week.

While there were some resulting high-profile scandals—embarrassing emails, shocking financial revelations—the most notable consequence, perhaps, was Sony’s initial decision to cancel its theatrical release of The Interview, Seth Rogen and James Franco’s “political” comedy about the assassination of North Korean leader Kim Jong-Un, amid fears that its system had been infiltrated by North Korean hackers.

The irony of the Sony Pictures situation, however, is that its leaky security was exposed three years ago by two Arizona men in concert with LulzSec leader-turned-stoolie Sabu, a.k.a. Hector Xavier Monsegur. Then, the group released names, emails and passwords of 75,000 people.

Raynaldo Rivera, 20, and Cody Kretsinger, 24, were convicted in 2013, sent to prison for 12 months and ordered to pay $605,663.67 in restitution to cover Sony’s associated costs, including a full security overhaul that doesn’t appear worth the money spent.

The Sony Pictures mishap is only the latest in a disquieting trend of high-profile computer incursions, from The Home Depot and Target to JPMorgan Chase & Co. and Apple’s iCloud. Nearly everywhere we turn, our personal information, photos and credit-card information are getting compromised. In September, The Home Depot revealed that a cyber-attack in April had exposed more than 50 million customer credit cards and email addresses.

Consumer information never has been more imperiled, and yet very little is getting done to address the issue. In fact, although identity theft runs rampant, fraud seems little more than an entry in the ledger for companies that write it off as a business expense.

“Identity theft is kind of like flu deaths,” said Mark Patton, a University of Arizona computer researcher. “We freak about one Ebola death but just accept the fact that 40,000 people a year die of the flu. We’re just so used to identity theft that we’ve stopped putting out screaming headlines.”

‘A problem of enormous significance’

Seemingly we’re racing toward a society where our watches pay bills, our cars drive themselves and our appliances are connected to the Web, yet even today’s relatively simple networks can’t remain secure.

What’s going to happen when the number of network access points increases a millionfold?

“This is a problem that has been building in magnitude and potential harm for 40 years,” said Julie Ryan, a George Washington University informational security researcher. “It only recently got so tightly coupled and so intertwined in our normal everyday life that it started becoming a problem of enormous significance.”

Good luck trying to apply a comprehensive fix.

“Up until now, there has been very little incentive for commercial businesses to spend an awful lot of time and money getting into security,” Ryan said.

The latest government numbers suggest about 17 million Americans suffered identity theft last year, or about 7 percent of those over age 16—with a total loss at about $25 billion.

Fraud has doubled in the United States over the past seven years, and cybercrime has increased across the board. According to a recent PricewaterhouseCoopers report, the number of detected information security breaches globally has increased by half over the past year.

The extent of network security problems has been put into sharper focus over the past 18 months, beginning with Edward Snowden’s revelations on the pervasiveness of state-sponsored spying and cybershenanigans of the sort hinted at by the Stuxnet worm that hit Iran’s nuclear centrifuges.

This was followed by 2013’s series of holiday retail thefts at Michaels, Neiman Marcus, Target and other retailers of more than 40 million credit-card numbers, the largest theft until the Home Depot breach in April.

The Home Depot and Target hackers found their way onto the retailers’ systems by acquiring a third-party vendor’s credentials—in the case of Target, from a Pennsylvania heating, ventilation and air-conditioning company. Once inside, they were able to use vulnerabilities in Windows to load malware onto the point-of-sale terminals that scan personal cards. Thereafter, every card scan was recorded and secretly published online for the thieves to scoop up.

“This is worrisome because this follows a classic route where open-source researchers see malware that targets the POS terminals that retailers use for swiping cards,” said Richard Stiennon, author of Surviving Cyberwar. “Retailers ignored that information because they weren’t looking for it. They’re just not looking outwards at new threats.”

And it’s no longer just big-box retailers facing such threats. In the past several months other POS malware has been discovered at more than 1,000 commercial businesses.

“The mom-and-pop stores, our hairdresser, dentist office. None of them has security that would detect a breach,” Stiennon said. “We’re entering a phase where every point-of-sale terminal that’s running a version of Windows is going to be compromised.”

The cyberthreat is hardly limited to retail. In September 2013, a Russian group started holding personal computers hostage with malware dubbed CryptoLocker. The software freezes the victim’s computer unless the correct key is entered.

More than a half-million individuals and companies were struck, including a Massachusetts police station that paid a $750 ransom to remedy the situation before European law enforcement arrested the Russian perpetrators in May.

Individuals aren’t the only targets of such cyber-ransoms. In June, Nokia acknowledged that several years earlier, a blackmailer had acquired the encryption key for its Symbian smartphone and threatened to reveal the source code. This would’ve been disastrous, making it simple for hackers to find its vulnerabilities and subsequently load customers’ phones with malware. Nokia teamed with the Finnish police, and the code never was released. But the perpetrator still got away with millions in ransom money.

Perhaps the most disturbing revelation came in August when it was discovered that hackers had infiltrated JPMorgan Chase’s computer networks, acquired high-level security access and moved about the system undetected for two months. Nine other financial institutions were also infiltrated, including Fidelity Investments. Only a hacker slipup (using the same IP address for attacks on different Chase servers) outed them and prevented an eventual breach of the bank’s accounts system.

Still, the hackers made off with personal (but not account) information of 83 million individuals and businesses, as well as a catalog of every program run on JPMorgan’s computers.

The hackers can check that list against known vulnerabilities to find other means of access. JPMorgan now is in the process of switching out all its software.

The attackers made use of previously unknown vulnerabilities (also called “zero-day” exploits), which suggests greater proficiency than the run-of-the-mill hacker, and the possibility of state sponsorship. Indeed, there are indications they’re part of an extensive Russian cybercriminal underground with ties to the Russian government. This and uncertainty over the hackers’ motivations has even the White House spooked.

“The question kept coming back, ’Is this plain old theft or is [Russian President Vladimir] Putin retaliating [for sanctions]?’” a White House senior official told The New York Times in October. “And the answer was, ’We don’t know for sure.’”

Former National Security Agency chief Keith Alexander—who now has his own cybersecurity firm—warned that this could be a shot over the bow by Russia to head off further sanctions. A large cybertheft from an institution the size and stature of JPMorgan damages confidence and could lead to a financial crisis.

There’s also a chance the break-in is related to another emergent hacking group, Fin4, which steals credentials and insider information. The group acquires executive email addresses and sends fake emails designed to trick the recipient into clicking a link that loads malware or uses a fake login to snare credentials.

A recent report suggested that the group might feature former investment bankers, based on their heavy use of insider Wall Street nomenclature in the emails. They’ve primarily targeted health and medical-device companies whose insider information on new trials, breakthroughs or impending acquisitions can cause especially steep short-term spikes or dives in stock prices.

Adding to the sense of general paranoia was a Europol report in mid-October of chatter on the so-called Dark Web, in the difficult-to-trace chat rooms where criminals congregate. The European law-enforcement agency’s moles suggest that Russian gangs are planning a massive $1 billion cyberbank heist.

Such news doesn’t exactly fill consumers with shopping confidence.

“I would have to say right now that we’re losing the war in terms of security,” Patton said.

Network war games

Every few months, there are reports of newfound software vulnerabilities.

In April, there was Heartbleed, a coding bug that could reveal previous website users’ passwords and encryption keys. Some called it “catastrophic.” It was patched, but then, in September, came Shellshock, which the National Institute of Standards and Technology rated 10 out of 10 in terms of severity. You need only access an infected website to be attacked with malware, and there is little that can be done to ensure a site isn’t compromised or to protect yourself if it is.

How did we get in such a mess?

Some of it is inherent in the complexity of building computers and software, especially in the absence of shared, agreed-upon standards and practices.

Not only are there millions of lines of code, but the programs need to be compatible with a whole universe of programs and platforms. In the case of the Shellshock bug, it was legacy code around for years that hadn’t been properly debugged, and the error went unnoticed.

This doesn’t surprise Raynaldo Rivera, one of the original Sony Pictures hackers who lives in Phoenix and now works in game development.

“Who really wants to look at old batch code all day?” Rivera asked. “That’s what it comes down to. I could create something cool and new, or I could stare at old code and hope I get something.”

Security was an afterthought for most companies through the turn of the millennium, in part because there were so few people who really understood network security.

Indeed, Richard Stiennon reports that the U.S. government has spent the past 14 years developing a network-centered warfare platform with an informational grid, sensors and precision-guided munitions without giving any thought to the network’s security.

“When they started designing it, security by obscurity was good: The Chinese are not going to get a hold of our software. So even if they down one of our jets, it will be hard as hell for them to compromise them,” Stiennon said. “Since then, the Chinese have stolen the design data for a dozen weapons platforms, airplanes and missiles systems. Odds are, if they stole the software, they can find the vulnerabilities.”

Network security really began to change thanks to computer enthusiasts and a predecessor of Anonymous, Cult of the Dead Cow. The group was deeply involved in network security and released a series of tools around the millennium to probe networks for holes and vulnerabilities.

It also inaugurated a style of network war games where teams would compete to break into each other’s computers. It’s by now a well-established given in the industry that those best at network security generally have spent significant time trying to break into systems.

Rivera took part in similar network security “games” while in high school.

“Some schools claim they can teach it, but really they don’t for the most part; all they’re doing at best is guiding,” said Rivera, who attended the University of Advancing Technology in Tempe, Ariz., before his arrest.

“Most people in network security have experimented themselves,” he said, “or had someone who knew something help them out.”

The tools were released publicly in the early 2000s, with the intent of making them available to any administrator interested in testing their network security. Since then, they’ve also been taken advantage of by those with more nefarious intentions. In fact, the tools have evolved dramatically in the past few years to the point where they’re not only widely available but pretty much point and click, giving rise to what are known as “script kiddies.”

Rivera said, “A script kiddie is an individual who doesn’t understand the underlying technology. They download scripts that can attack these servers without having to know anything about it. They just know that if they put the URL in this thing and push go, they’ll get some outcome if it’s vulnerable.”

Added Ryan, “You can go online and find a virus-creation tool that you can, with zero knowledge whatsoever, simply point and click and design a malicious software tool, and you can find forums that talk about this stuff and enthusiasts who don’t intend to do bad things but are just really interested in understanding how things work and are motivated to share information with each other.”

These are what are known as “gray hat” hackers, because their allegiances aren’t as cut and dried. A white hat works in security, and a black hat typically is motivated solely by profit.

Gray hats often act out of a (perhaps misplaced) sense of justice. They’ve been involved in releasing information about software vulnerabilities and bugs publicly, sometimes rationalizing it as necessary to ensure quick action.

This is an unfortunate riptide in the ongoing security crisis. Gray hats serve a very important function of exposing weaknesses for the sake of it rather than quietly profiting and letting bugs proliferate (essentially the NSA’s approach). Perhaps because of the difficulty of catching devious black hat hackers, law enforcement has focused more on the gray hats, whose greatest crime oftentimes is little more than criminal mischief.

Meanwhile, an empire has grown up around the illegal exploits of the black hats. It boasts a sprawling infrastructure of hyperspecialized con men offering their skill and wares on underground bays, on sites hidden by Tor, an anonymizing browser.

Sites such as Swiped traffic wholesale in credit cards and identities at anywhere from a quarter to 100 bucks for freshly stolen cards. (Indeed, security companies watch these sites to determine whether their clients have been hacked.) An entire production chain has developed to diffuse risk among the bad actors, Patton said.

“The people who write attacks and then sell them, that’s pretty safe; they’re not actually committing the crime of launching the attack. Then there are people who use the attacks to steal credit cards, but they don’t actually try to use the credit cards; [they] sell them in bundles online to people who buy credit cards and convert them into cash,” he said. “Then there are other people who maybe don’t do credit cards, but they do bank accounts. … There’s a lot of specialization online.”

Many of those trafficking in stolen cards live in Russia. One of the most notorious hackers, who goes by the name Rescator, is said to have sold over 5 million credit cards between December 2013 and February 2014 alone—all allegedly booty from last year’s Target hack.

Though the FBI knows the identities of some of the perpetrators, it’s had little luck bringing them to justice.

“The reason there aren’t very many criminal prosecutions for cybercrime is that it’s difficult to pursue cross-jurisdictional prosecution.”

In 2008 and 2009, the FBI made its own run at Russian hackers, sparked by what was described as “unprecedented cooperation” from the Russians. In the end, nothing came of it.

At least, nothing for this country. U.S. officials suspect the Russians used the FBI to identify promising hacking talent that could be recruited to do the state’s bidding. This was presumably in exchange for looking the other way at felonious activities, which they judiciously keep outside Russian borders.

According to Ryan, many Russian hackers are former scientists and mathematicians who found themselves out of work when the Soviet Union fell.

The rise of state-sponsored cybercrime is a particularly worrisome aspect of the current environment. Early indications have suggested the North Koreans might’ve been responsible for the recent Sony Pictures hack, supposedly in retaliation for The Interview, in which celebrity talk-show hosts are recruited by the CIA to assassinate Kim Jong-Un.

Iran created its own cyberarmy, with which it’s expressed a desire to get vengeance on the United States and Israel for their roles in unleashing the Stuxnet worm upon the country’s nuclear centrifuges. A report published recently suggested that Iran’s cyberarmy was involved in at least 50 attacks in more than 16 countries, including a San Diego Marine Corps computer network.

The same uncertainty surrounding state-sponsored attacks afflicts the commercial world as well, but nobody likes to admit that they’ve been hacked. (Note that the eight other financial institutions struck along with JPMorgan remain unnamed.) Banks have conflicting interests in confessing the level of threat.

“They’re very carefully not telling anybody else because they don’t want to make it look too big so that other people are encouraged to jump on the bandwagon,” Patton said. “But they also don’t want to lie and make it sound like it’s smaller than it is.”

While we have a pretty good handle on the amount of identity theft out there, bank-fraud losses are harder to pin down. This fuzziness plays a role in capitalization. If you don’t really know how much potential loss is out there or how much you’re already preventing, then how can you possibly determine your all-important return on investment?

Given the uncertainties, most banks and retailers use a risk-management approach that examines vulnerabilities and exposure and calculates a number—as they do with the financial markets. Then they’ll either invest more to change the number or buy more insurance. That’s a problem for Stiennon.

“It doesn’t work that way in cyber. You can’t know what your exposure is because that attacker is not going to give up. So even if you’re perfectly patched, the attacker will just use a zero-day vulnerability,” he said. “Banks, in general in the United States, have been focusing too much on risk models and not enough on threat models.”

Maybe that’s because it’s not the hacked institutions that bear the cost of the illegal egress, but their customers. Insurance ultimately covered a substantial portion of Target’s exposure, leaving it with a pre-tax bill of about $140 million, or 0.2 percent of last year’s $73.7 billion in revenue.

“It’s you and me who pay the cost,” Ryan said. “Every time a successful exploit is done, a fraction of a cent is added to the cost of things that we buy, or a fraction of a cent in a credit-card fee. Yeah, there is some bad publicity, but in the end, the cost is a pass-through to the consumer.”

For their part, the credit-card companies herald the incipient arrival of chip-and-PIN-style credit, debit and ATM cards. Instead of just a magnetic strip, these cards have an embedded microchip and are authenticated by entering the personal identification number. (Other “smart cards” are chip-and-signature.) It makes it very hard to clone the card, but it requires merchants to add whole new point-of-sale terminals for all their registers at $500 apiece.

America is the last major country to abandon the magnetic strip. The rollout begins in earnest next year, ahead of the major U.S. credit-card issuers’ October 2015 deadline. Experts say stores won’t be ready in time, but they have an incentive—after the deadline, liability for fraud shifts to the least compliant party, merchants.

Unfortunately, chip-and-PIN is not the panacea it may once have been. Patton saw a British bank’s presentation at a security conference in the Netherlands a couple of months ago.

“When they introduced chip-and-PIN, it went down to $350 million that year, and after that, they just found different attack vectors [so] now it’s back at [the original level],” he said. “Chip-and-PIN is not the solution.”

Of course, that’s just human nature. If there’s a way to make money, people will figure it out, and if there’s a way to monetize shady cyberbehavior, certain people will find it.

In November, Arizona State University computer scientist Gail-Joon Ahn chaired the 21st ACM (Association for Computing Machinery) Conference on Computer and Communications Security in Scottsdale, Ariz.

Ahn is involved in creating a secure mobile wallet and has secured several patents for the technology.

Another of Ahn’s research projects involves an unsecured “honeypot” server that waits like flypaper for malware to strike. The idea is to study it, identify its signatures and, using social media, try to identify its origin.

He also suggests that a way around the spate of POS and other credit-card attacks on retailers may be to rethink our approach to financial transactions.

“Is it possible to make my payment without leaving my financial information with the merchant?” he asked. “Can I talk to my bank directly and my bank talks to these merchants regarding my approval? My bank has my personal information; why do I have to … give it to the merchant?”

Whatever the developments, few believe these security problems will be solved quickly. Rather, Patton says most institutions price it into their operating costs.

“The stuff that’s happening, it’s expensive, but it’s not like it’s going anywhere. So people are getting credit-card information and they’re selling it. And the financial institutions have a budget to absorb a certain amount of loss every year,” he said.

Some of the issue is built into the incentive system. If it’s hard to see the advantage, it’s hard to invest.

Unfortunately, those capable of addressing the issue of computer fraud—banks and retailers—have little incentive to make costly changes when the fraud’s already covered by consumers.

“Not only do the cardholders not know what it’s costing them, even if they were able to create savings, it wouldn’t be passed through to [them],” Patton said.

This is the idea that resonates most with Ryan. Noting the indifference with which security has been handled and the general unwillingness of companies to heavily invest, she suggests that we insist that everyone who safeguards personal information, creates software or operates networks have a little more skin in the game.

“I’m hoping a new generation of lawyers will develop a legal strategy of negligence and liability, because that’s the only thing that I believe will really change the culture,” she said.