FEATURE | WINTER 2009/2010 EFFECT

Moving Targets

by Andy Steiner

By keeping pace with technology, wily cyber criminals try to stay ahead of justice.

It used to be that hackers were like flies: a nuisance, but largely harmless.

“In the beginning, hacking really wasn’t cyber crime,” says Dave Marcus, director of security research and communications for the California-based Internet security firm McAfee Avert Labs. “In the early days of the Internet, hackers were just a group of eggheads sharing data and flexing their muscles trying to show their friends all the fun programming tricks they’d mastered. It had an edge of deviance, but mostly it wasn’t hurting anybody. Then businesses started transacting money online and everything changed.”

The changes, according to Marcus, transformed what had once been a free-flowing egghead club into a dizzying, ungoverned universe where large amounts of money are transacted both legally and illegally, where the human impulse for greed governs the actions of many of the participants, and where business is transacted around the world and around the clock.

“In this day and age, cyber crime is completely profit driven,” he says. “We saw criminal activity on the Web starting to shift in the later ’90s, and by 2000 it was at the point where most hackers were criminals in it for the money. The other guys had moved on. It had evolved.”

Evolution is the name of the game for today’s cyber criminals. Because there is big money to be made in such common cyber crimes as phishing, spamming, or the production of malware, offenders do their best to remain undetected by law enforcement, changing tactics and creating new programs designed to help them fly beneath the radar. When cyber criminals become aware that their tactics are about to be decoded, they create new strategies designed to get around those who would bring them down.

“Cyber crime used to be more about, ‘Look how smart I am. Look what I found,’” explains Randy Romes, a LarsonAllen information security services principal. “They’d pound their chests and brag. Today that’s become less common because now it’s a big-money game, and the bad guys realized that if they announced what they’d done, the good guys would fix it.”

Like a powerful flu virus mutating to gain ground in a human immune system, the best way to flourish is under the cover of darkness. Once you’re discovered, a vaccine can be produced.

What Color Is Your Hat? Today, Kevin Mitnick is a computer security consultant and author. But not that long ago, the Los Angeles native was a notorious computer hacker, and a former fugitive accused of worming his way into some of the most highly classified organizations in the country, including Novell, PacBell, the FBI, and the Pentagon. More

A good example is the proliferation of malware, or software designed to infiltrate or damage a computer system without the owner's informed consent. Malware can be used to gain access to credit card numbers and other personal information obtained in common online business transactions. “We’ve seen record numbers of malware being produced,” says Marcus. “This year, on an average day, 6,000–8,000 new pieces of malware are produced. Last year, it was under 1,000 pieces a day.”

Information security professionals and law enforcement work to study and decode these programs, but they mutate with such speed it can be hard to stay on top of the problem. The current global economic crisis may be making a life of cyber crime appear more attractive. “People around the world are feeling desperate and hopeless right now,” Marcus says. “They are going to look for ways to make money—even if they are illegal.”

Easy access to malware is also helping promote the spread of illegal activities. “Today, if you can turn on a computer and create a Word document you can commit a cyber crime,” Marcus explains. “You can get the tools you need with a Google search.”

Its bloodlessness also makes it more appealing. “It is easier to be a cyber criminal than a regular criminal,” Marcus says. “To be a criminal in the real world, you are going to have to engage a person face-to-face. You’d have to break into a house, steal a car, whack some old lady in the head and steal her pocketbook.” A cyber criminal works remotely; keeps his hands clean. And when he has a hard time getting his illegal operation off the ground, there are even places he can turn for help.

There is a group in Russia that sells a hacking software application that you can buy and use to attack Web sites and consumers, Romes says incredulously. “They sell a software package that includes support and updates.”

With the help of malware, a crime can happen quickly. The faster the transaction, the lower the chance of being caught. “Cyber criminals know when they steal an identity, they have a very short time window in which to make some money,” explains Mark Eich, a LarsonAllen information security services principal. These speedy transactions often get small-time hackers looped in with international organized crime groups. “A big-money crime group will pay a hacker $500 to $1,500 for a customer record. Using various techniques like purchasing and selling merchandise, they can turn that one identity into $50,000 really quickly.”

“When I started in this line of work 10 years ago, you had more lone-wolf type hackers seeking excitement, seeking glory … It was kids’ stuff,” says John Lynch, deputy chief of the Computer Crime and Intellectual Property Section of the United States Department of Justice. “Now they’re getting more organized. There’s real money to be made here, and the game is no longer for kids. It’s for serious criminals.”

Who hacking hurts

Millions of people do business on the Internet every day. Most do not have their identities stolen. Still, information security professionals say the spread of cyber crime is affecting consumers, business owners, and governments worldwide.

“If you’ve got a computer, you are potential victim,” Marcus says. “If you have a Web site, you’ll get impacted. Every moment of every day, cyber crime affects us.”

Cyber crime touches the daily lives of ordinary people in a number of ways, Eich says. “Take banks. They spend a boatload of money on defensive measures and insider training and covering losses incurred on behalf of their customers. That has an impact on the ways banks price their products. It has a direct impact on the customer.”

Romes points out that there are direct and indirect effects on consumers. “Three years ago, individuals were specifically targeted by email phishing where bad guys would convince the consumer to give them their account numbers. Then they’d drain the accounts of money, set up fraudulent credit cards, and use them to obtain goods. Today the bad guys have moved to targeting organizations.”

Remember Mafiaboy, the 15-year-old Canadian hacker who in 2000 shut down a number of powerful Web sites, including CNN, Yahoo, Amazon, Dell, and eBay? The act was a joyride for the young computer prodigy, but law enforcement officials didn’t see it that way.

On September 12, 2001, Mafiaboy, whose real name is Michael Calce, was investigated and prosecuted under a joint agreement between the FBI and the Royal Canadian Mounted Police. A minor, he was sentenced to eight months of open custody, one year of probation, restricted use of the Internet, and a small fine. After serving his time, Calce mostly disappeared from the public eye until 2008 when he published a book, Mafiaboy: How I Cracked the Internet and Why It’s Still Broken (Viking).

While taking down a popular site seems less malicious than a malware attack on the credit records of individual consumers, Marcus explains that even those crimes can have ripple effects across an entire economy. While experts argue over the exact global financial damage Calce’s 2000 pranks inflicted, the trial prosecutor gave a conservative estimate of $7.5 million (U.S.).

“To a news organization that disseminates news, or to a site that conducts business with consumers, losing public access can be devastating,” Marcus explains. Business cannot be transacted. Advertisers lose page views. Target markets are denied access and turn elsewhere. Employees sit idle. “Having a site brought down is the equivalent of burning their building down.”

The Wild, Wild West?

When people talk about crime and the state of Internet commerce, the cliché is to compare the online world to the early days of the Wild West, where cowboys roamed the lawless plains: bad guys robbed banks and jumped claims, and good guys did their darndest to impose a much-needed sense of order.

If you watch an old Western, you’ll see that the bad guys wear black hats while good guys wear white. “It’s a fairly common way to talk in the security industry,” explains Romes. “A white-hat hacker is a professional who has a focus on penetration and security assessment. A black hat is essentially a criminal. A gray hat is someone who was a criminal at one point but is now working legitimately. Some companies will hire a gray hat, but many won’t.”

Sam McQuade, graduate program coordinator in the College of Applied Science and Technology at the Rochester Institute of Technology, prefers to use a different analogy when talking about safely navigating life online. McQuade, who recently published a groundbreaking study of children’s exposure to cyber crime, explains, “The state we are in right now is analogous to the introduction of automobiles as a primary form of transportation in our society. At first, cars were a luxury only for the very rich, but then they were introduced to the general public, and there were a lot of accidents. It took a few decades before we had unified traffic laws. Even after that, many people still died on the roads. Today, we have cars with seatbelts and airbags and everything. It is much safer to drive, but no one can guarantee that every trip you take in your car will be accident free. The Internet is still evolving, and all of us are just along for the ride.”

Eich says he still likes the Wild West comparison. It helps him to put the current state of Internet affairs in historical perspective—and even give himself a sense of hope that the lawlessness that now pervades so much of the industry may someday be put under check.

“Sometimes I tell my clients to compare the present day to bank robberies in the 1800s,” Eich says. “Back then banks doing business in the frontier West were stuck with a lot of loss. It was part of the deal. But over time they got smarter about defensive measures. They learned to understand their risk more.

“Today doing business is about risk mitigation, not risk elimination. Crime is part of human nature. We aren’t going to completely eliminate the bad element of people. We haven’t eliminated bank robberies, but banks are still able to do business.”

Helping clients help themselves

So how does a company that does business online protect itself from the threats posed by hackers and other cyber criminals? Internet security experts say the key to staying secure online is advance planning, security audits, and a healthy sense of reality.

“Bad things happen sometimes,” says Romes. “But you can make it so that bad things happen much less often.”

Eich, Romes, and their colleagues work as independent security consultants, testing the security of their clients’ online operations and responding to attacks. When a client calls to say their network is under attack, staff divide their work between incident response and forensics.

“Incident response is always first,” Eich says. “We work on determining what could be occurring and then figure out what to do with it. The forensic specialists get involved in determining the totality of the incident and consider whether prosecution can be made.”

And, it’s important to note, the crimes aren’t always outside jobs. “We’ve worked with small business owners who have limited IT staff who believe their internal IT person is manipulating their system,” Eich recalls. “We’ve worked with a school district that had an employee who set up a business and a Web site using their computer system. We’ve done a lot of insider fraud work. One of the big drivers for that right now is competitive intelligence, where people steal secrets through corporate espionage.”

When it is clear that a crime has been committed, the group works closely with law enforcement, a task that feels much more useful than it did in the early days of online commerce. As recently as five years ago, Eich says, not all police and prosecutors understood cyber crime’s impact.

“I think law enforcement has made tremendous strides,” he says. “The people we interact with today are far more knowledgeable and aware.”

The Department of Justice’s Lynch points to significant recent cases, including the August 2009 indictment of hacker Albert Gonzalez (along with two unnamed Russian conspirators) in the theft of more than 130 million credit card numbers from payment processors, grocery store chains, and major retailers.

“This is a global problem,” Lynch says. “We have to work with law enforcement around the world in order to address these problems. Because criminals are constantly changing their tactics, law enforcement has to be ready to understand the technology behind the schemes and then change their tactics to counteract criminals’ actions. That’s what we’re doing.”

All this talk about the wild, wooly world of hackers and online predators is enough to make any consumer or business owner feel insecure about doing business online. Caution is good, says Marcus, but no one should let fear get in the way of the tremendous promise offered by the Web.

“I tell my clients not to let themselves be ruled by fear,” he says. “As long as they are using the right technologies and are educated about the threats that exist, they can shop and bank online and pay bills online with a lot of confidence.” The Internet is till a place of great promise and tremendous creative freedom.

“It’s my job to empower people,” he says, “not to limit them.”