the rise of cybercrime 1970s - 2010
© Kelly White – 2013 Page 1
The Rise of Cybercrime 1970 through 2010
A tour of the conditions that gave rise to cybercrime and the crimes themselves
Kelly White
Introduction
Computer crime has changed from a 1970s characterization of hobbyists committing pranks and ‘exploring’ computer systems to a present-day horizontally integrated industry of exploit researchers, malware writers, hackers, fraudsters, and money mules that cause hundreds of millions of dollars in damages annually. The articles below illustrate the juxtaposition of computer crimes from earlier decades with those of the present.
Teaching Hackers Ethics
Newsweek – January 14, 1985
The parents of "Echo Man," 16, "Three Rocks," 15, and "Uncle Sam," 17, probably thought they were in their rooms doing homework. Instead, the Burlingame, Calif., teen-agers were programming their Apples to scan the Sprint telephone-service computers for valid access numbers, which they used to make free calls. The hackers then posted the numbers on an electronic bulletin board, so others could share in the spoils. That was their undoing. Local police, who had been monitoring the bulletin board, raided each of the hackers' homes last month and found enough evidence to charge them with felony theft and wire fraud.
FBI: Cyber crooks stole $40M from U.S. small, mid-sized firms [1]
Washington Post, Brian Krebs – October 26, 2009
Cyber criminals have stolen at least $40 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud, the FBI said this week. According to the FBI and other fraud experts, the perpetrators have stuck to the same basic tactics in each attack. They steal the victim’s online banking credentials with the help of malicious software distributed through spam. The intruders then initiate a series of unauthorized bank transfers out of the company’s online account…
How do you explain the typical computer crime making the leap from petty phone access theft in the 70s to huge heists in the 00s? As it turns out, in each decade, the computer crimes fit pretty well with the demographics of their time. The type and frequency of computer crime occurring in each decade seems to have been shaped by three demographics:
• The number of computers online
• The type and amount of online commerce
• The globalization of Internet use
[1] http://voices.washingtonpost.com/securityfix/2009/10/fbi_cyber_gangs_stole_40mi.html
The number of crime targets is limited by the number of computers online. The profitability of a target is dependent on the type of commerce being conducted on the computers. And the likelihood of being caught is positively correlated with the effectiveness of law enforcement in prosecuting crimes, which, I have observed, is inversely proportional to the globalization of the Internet. As these demographics evolved, so too did the crime.
The Perfect Conditions for Crime
What are the perfect conditions for crime? How about easy targets, high profits, and very little chance of being caught? That is what the Internet provides. Lots of easy targets – 250 million people are online in the U.S. alone, with very weak security. An almost guaranteed high return – over 72 million people in the U.S. conduct banking online. And little chance of being caught – attribution of crime on the Internet is nearly impossible and governments don’t have the resources to handle the volume, let alone the high cost of international investigations. They successfully prosecute a few per year for publicity, but little else. The Internet is the perfect place to commit crime. It took until the late 1990s for these conditions to converge and create the perfect storm. Before that, essential elements were missing – people, connectivity, commerce, and insecurity.
Computers and Connectivity
The first dimension to be set in motion was personal and commercial use of computers in the mid 1970s. In the 70s there weren’t very many computer systems and they weren’t interconnected. In the 80s private citizen computer ownership started ramping up, but connectivity was limited largely to computer-to-computer modem services, and access to the Internet was restricted to government and universities. In the 90s the government opened up the Internet to commercial and then public access. By the end of the decade, about half of the U.S. population was ‘online’.
+ Commerce
The explosion of online commerce was another important ingredient in creating the cyber crime environment. Without commerce, all the potential targets connected to the Internet are just targets. With commerce, computers become rich targets – credit card processing systems and automated tellers. In 2000, 40 million people in the U.S. had ever bought something online [2]. By 2008, that number reached 201 million [3]. Nearly everyone who can shop online does shop online.
In 1998, 8 million people in the U.S. were conducting banking online. By 2012 that grew to 72 million – 28% of online users and fully 23% of the entire U.S. population!
[2] http://www.pewInternet.org/Reports/2002/Getting-Serious-Online-As-Americans-Gain-Experience-They-Pursue-More-Serious-Activities.aspx
[3] http://www.pewInternet.org/Reports/2008/Online-Shopping.aspx?r=1
+ Insecurity
The build out of the Internet network infrastructure and the connected systems was fast and furious. At this pace, all focus was on feature and functionality. Little thought was given to the consequences of the risks and to the security requirements of such a critical, complex infrastructure.
As a security consultant in the late 1990s, I examined up close the lack of security controls in even critical infrastructure. On one engagement, my co-worker and I were called up on short notice to conduct an Internet perimeter test of a company that provided core processing services to credit unions. One of their services was outsourced Internet Banking. Compromising their perimeter was simple, taking about 10 minutes. We scanned their public address space for common ports, noticed 135 and 139 were listening on their Internet Banking server, established a net session and went to work guessing the administrator account password. The password was ‘snow’. It was easy pickings from there. Towards the end of the engagement, I met on-site with the company’s system administrators to discuss the findings. In response to my recommendations they asked, “What is a firewall?”
+ Internationalization and No Law Enforcement
In 1998 – 1999 about 80% of the people using the Internet were U.S. citizens and about 95% were U.S. citizens or citizens of U.S. allied countries.[4] Under these conditions, serious computer crimes could be investigated and prosecuted because the crimes were largely occurring from within the borders of governments that were willing to cooperate in cyber crime investigations. This acted as a deterrent of sorts, deterring many people from committing really serious cyber crimes. Even into 2000, people using the Internet in developing economies were limited to the professional class – people in government, education, and industry – due to Internet access constraints. As Internet accessibility increased and cost decreased, non-professionals quickly got online.
By 2005, the number of Internet users in BRIC countries – Brazil, Russia, India, and China – surpassed the number of Internet users in the U.S. Among these Internet users were, as in other countries, criminals. The difference this time, though, was that governments proved inept in dealing with the volume, the costs, and the international legal and political barriers of prosecuting crime. And frankly, non-U.S. allies were not, and continue not to be, seriously interested in assisting other countries in criminal investigations. Ever contact a bank in Russia to request that they return a fraudulent wire? Ever participated in an FBI investigation that requires cooperation of Chinese authorities? Good luck.
[4] http://datafinder.worldbank.org/Internet-users
The early financially driven international cyber crime spree in 2001 – 2002 went unchecked. This encouraged additional investment in cyber crime. Success continued to meet success, which continues to spiral to where we are today.
The 1970s
Environment
In the early 1970s computers were limited to large, expensive timesharing mainframe and Unix systems owned by universities, large corporations, and government agencies. In 1975 Ed Roberts released the first microcomputer for sale to the public – the MITS Altair 8080. No keyboard, no screen – just a box with toggle switches for programming and LED lights to show the output of the program. He sold 2,000 of the systems the first year. The following year, Steve Jobs and Steve Wozniak released the Apple I. Again, no keyboard or screen. By the end of 1976 computing enthusiasts had purchased 40,000 microcomputers.[5] In 1977, the Apple II, the Tandy TRS-80 (I cut my teeth programming on this model), and the Commodore PET brought visual displays and keyboards to the market. People purchased 150,000 of these systems.[6]
[5] http://jeremyreimer.com/postman/node/329
[6] http://arstechnica.com/old/content/2005/12/total-share.ars http://en.wikipedia.org/wiki/File:WIntHosts1981-2009.jpg
Computer communications were pretty limited. The government, military, and a few universities had ARPANET and X.25 networks. The public was limited to modem-based computer-to-computer phone calls, which was fine for dialing computers in your area, but a bit of a problem for those a long distance call away. The killer app for computer communications was Bulletin Board System software, which first came to public life, courtesy of Randy Suess, during a snowstorm in February 1978. This development connected computer enthusiasts across the U.S. in an electronic underground where they could publish ideas and communicate within their own realm on their own terms. From this technology the computer hacker underground took root.
While it took some time for microcomputers to take hold, the phone system was already built out and available. A large community of phone system fanatics – ‘phone phreaks’ – learned how to control the predominant phone switching system in use at the time, thanks largely to serious security flaws in the system and the publication of the details of the internal switching system in the November 1954 issue of the Bell Labs Technical Journal.
Motives and Crimes
The primary motives behind the cyber crimes of the 60s and 70s were desire for system access, curiosity, and the sense of power attained from defeating security. The phone system was the first and favorite computer system targeted. The attraction to the phone system for the pioneers of phone phreaking was not free calls, but the desire to learn the system, the desire to beat the system, and the desire to control the system. John Draper, the father of phone phreaking, when asked about the techniques he developed for gaining operator access to phone systems, published in the October 1971 issue of Esquire Magazine, stated his motive behind unauthorized system access.
From Secrets of the Little Blue Box by Ron Rosenbaum, Esquire Magazine (October 1971)
The pioneers of ‘phone phreaking’ mastered the techniques for controlling the phone system and codified them in what is now called a ‘little blue box’. The box, commonly twice the size of a cigarette case, had buttons on the front that emitted tones. These tones, if emitted at the right time and in the right sequence during a call, would yield operator access to the phone system. The benefit, of course, was free calls to anywhere in the world.
Computers weren’t left alone. The first edition of Creative Computing magazine, published in 1976, had an article titled “Is Breaking Into A Timesharing System A Crime?”[7]
Besides the intellectual challenge of breaking into systems, people were also motivated to break into systems simply to gain access. In the 60s and early 70s time on the university-owned computer systems was limited. Students who wanted more time developed the first password crackers and trojan software in order to get the access they wanted. With the introduction of microcomputers and Bulletin Board Systems in the mid to late 70s people wanted to connect to other computer systems. To foot the bill for the long-distance calls many resorted to stealing long distance access codes – wire fraud. Again, the primary motive to steal the access codes was not for profit, but curiosity – to connect and learn.
[7] http://www.atariarchives.org/bcc1/showpage.php?page=4
The 1980s
Environment
In the 1980s the computer solidified its position in the upper income households, growing from over 1 million households with computers to in excess of 14 million by the end of the decade. In 1979, CompuServe introduced timesharing services to the public through a 100-baud service called ‘MicroNet’, with electronic mail as their first application. CompuServe added real-time messaging in 1980. By the end of 1981 they had 10,000 users. By 1987 it grew to 380,000. It was a bit pricey – $10 / hour. YouTube.com has an interesting vintage news report on the system (search ‘1981 primitive Internet report on KRON’).
Bulletin Board Systems continued to proliferate in the 80s. They didn’t have monthly access fees and were under the control of the person hosting the Board – not a corporation. The Internet continued to remain the private domain of the government and some universities. In the 1980s the cyber world, for all intents and purposes, was a geography-centric system, bounded within countries by telecommunications infrastructure borders and high international communications costs. Any cyber crimes that occurred within a country could be effectively investigated because the attack was likely staged within the same country and there just weren’t as many to investigate.
Motives and Crimes
Hacking in the 1980s was primarily about pursuit of knowledge, building reputations, a bit of politics, and games – games of breaking into systems and pulling off pranks. The hacker underground gathered and flourished in the anonymity and freedom of the Bulletin Board System, where boards in the hundreds such as Hack-A-Trip, Hackers of America, Hi-Tech Pirates, Cult of the Dead Cow, Legion of Doom, PhoneLine Phantoms, and the Strata-Crackers formed. Through boards hackers shared their knowledge and displayed the trophies of their system exploits.
Curiosity / Reputation
The Morris Worm, a program written by Robert Morris, a graduate student at Cornell University, was among the most significant computer security events of the 1980s. Though the only purpose of the worm was to propagate itself to other systems, it did degrade the performance of systems it compromised, causing significant impact to Internet-connected systems it invaded.
It was estimated to
In 1988, Prophet of Legion of Doom compromised AIMSX, a BellSouth system. He did no damage, just explored. In his probing of the system he discovered a file containing information related to administration of the 911 system. Why did he download the file? It was a trophy – proof of his compromise of the system. Also, it was forbidden knowledge, and possession of forbidden knowledge was the currency with which reputation was purchased.[8]
Pranking
Some system compromises were simply to pull off a prank. In June of 1989 a person compromised a Southern Bell phone switch and redirected calls made to the Palm Beach County Probation Department to “Tina,” a phone-sex worker in New York State.[9] One of the earliest computer viruses was created as a joke. Elk Cloner, written by Rich Skrenta, spread to Apple II systems through infected floppy disks. The payload of the virus simply periodically displayed a humorous poem, in addition to replicating itself to any floppy disk inserted into an infected system.
Activism
The Department of Defense wasn’t left alone either. A Defense Data Network security bulletin was published on October 18, 1989, warning of a malicious worm attacking VMS systems on the SPAN network.[10]
[8] The Hacker Crackdown page 112-113
Money
In 1989, a sixteen-year-old from Indiana gave an early glimpse of the future financially motivated electronic crime wave to come two decades later. Fry Guy, so referred to in the computer underground because of his compromise of a McDonald’s mainframe, developed a knack for pilfering data from credit reporting agencies and for compromising phone-switching systems. Combining these two skills, he would phone Western Union and ask for a cash advance on a stolen card. To ensure the security of transactions, Western Union had a practice of calling the card owner back to verify the authenticity of the request. Having changed the card owner’s phone number temporarily to a public pay phone, Fry Guy would answer the phone as the cardholder and authorize the transaction.[11]
[9] The Hacker Crackdown page 95
[10] http://www.textfiles.com/hacking/ddn03.hac
[11] The Hacker Crackdown page 100
The 1990s
Environment
By the end of the 1990s, the perfect conditions for cybercrime had formed: everyone was online, lots of people were conducting online banking and credit card transactions, the legal framework and resources to prosecute cyber crime were lacking, and security was poor. Two huge events in the 1990s made this happen. The first was the invention of the World Wide Web. In 1990, Tim Berners-Lee completed his build out of all the components necessary for his ‘WorldWideWeb’ project – a web server, a web browser, a web editor, and the first web pages. In 1991, he made his project publicly available on the Internet as the ‘Web’. In a single decade, the Web grew from non-existent to over 17 million web sites.[12]
The other history-altering event was the build out of public Internet access points. In 1994, the National Science Foundation sponsored four companies to build public Internet access points – Pacific Bell, WorldCom, Sprint, and Ameritech. Within a couple of years, Joe Public declared the Internet was good and got online. At the beginning of the decade there were two million people on the Internet in the U.S. By the end of the decade there were 135 million. Companies followed the public and moved their commerce channels online. The U.S. Department of Commerce reported for 1999 $5.25 billion in online travel bookings, $3.75 billion in online brokerage fees, and $15 billion in retail sales. Banks got online too, with 10 million people conducting banking online in 2000.
Adoption of the Internet was not just a U.S. phenomenon. Though lagging developed economies by about five years, the emerging economies got online too. By 2000, 36 million people in the BRIC countries – Brazil, Russia, India, and China – were online. While the U.S. and its allies established reasonably functional agreements for prosecuting cyber crime, no such agreements were realized with the rest of the world.
The result was, and remains today, an Internet with no functional legal system for fighting crime.
[12] http://www.cnn.com/2006/TECH/Internet/11/01/100millionwebsites/
Motives and Crimes
With the millions of new systems coming online, the 1990s was a target rich decade for hackers. Fortunately for businesses and people putting their private information online, hackers primarily made a sport of defacing websites, rather than targeting the sensitive information stored in the systems. It would take until the following decade for the criminal profiteers to figure out how to monetize computer crime.
Sport
The most common computer crime of the 1990s was defacing websites. Hacking for ‘sport’ is a good category for these compromises. There really was no knowledge to gain, no curiosity to satisfy – just the sport of compromising web sites. Attrition.org documented many of the web site hacks through its web page hack mirror at http://attrition.org/mirror/. According to Attrition’s data, four web sites were hacked in 1995. Attrition reported 1905 websites being hacked in 1999.
Number of Website Defacements Reported by Attrition.org [13]
Some very high profile sites fell during the decade. In 1996, the top sites compromised included the U.S. Air Force, NASA, and the site of the British Labour Party. Sites compromised in 1997 included Stanford University, Farmers & Merchants Bank, Fox News, and Yahoo. Other high profile sites to be compromised included the U.S. Senate’s www.senate.gov, ebay.com, slashdot.org, and nytimes.com. The content placed on these sites ranged from ‘Free Kevin!’ to pornography; from taunting messages like ‘Look you sorry ass system admin…’ to security advice such as ‘Stop using old versions of FTP’. A screenshot of part of the compromised senate.gov site is shown below.[14]
[13] http://www.phrack.org/issues.html?issue=55&id=18&mode=txt
[14] http://www.flashback.se/hack/1999/05/27/1/
Money
There were a few notable money-driven computer crimes in the 1990s. In 1994, a group led by Vladimir Levin broke into the bank accounts of several corporations held at Citibank. Accessing the funds through Citi’s dial-up wire transfer service, he transferred $10.7 million to accounts controlled by accomplices in Finland, the United States, Germany, the Netherlands, and Israel. In 1999, a Russian by the handle of ‘Maxus’ compromised the CD Universe web site and stole over 300,000 credit card records. Attempting to profit from the crime, Maxus faxed an extortion note to CD Universe demanding $100,000 in return for silence about the theft and destruction of the stolen data. His extortion rejected, he published 25,000 of the records on a website. In reporting on the incident, ZDNET called it the ‘biggest hacking fraud ever’.[15]
Curiosity
Though the Melissa Virus wasn’t the first, it certainly opened the eyes of corporations and system administrators to the fragility and vulnerability of computer systems and the Internet. In 1999, David Smith, a network programmer, released the Melissa Virus to the Internet. The virus was contained in a Microsoft Word document macro. When an infected document was opened, it would email itself to the first 50 addresses in the MAPI email address file on the computer. When asked why he did it, David Smith stated that he just wanted to see if it would work. It did work – splendidly, crashing an estimated 100,000 email servers. People readily opened the malicious document received from someone they knew containing a moderately convincing subject line and message. Besides, this type of attack was new. People weren’t used to being on their guard when opening up email attachments, especially from people they knew.
Activism
A few activist hacks occurred during the decade.
In 1998, three members of the hacker group Milw0rm, as a protest of the Indian government’s nuclear weapons test program, broke into several servers of the India Atomic Research Centre, modified the organization’s homepage, and stole thousands of emails and related research documents.[16] That same year hackers compromised and disabled filtering on a half-dozen firewalls used by China to filter its people’s Internet traffic.[17]
[15] http://www.zdnet.com/biggest-hacking-fraud-ever-3002076252/
[16] http://www.wired.com/science/discoveries/news/1998/06/12717
[17] http://www.wired.com/politics/law/news/1998/12/16545
The 2000s
Environment
Two technological innovations really changed the landscape of the Internet from something you ‘go on’ to something you are ‘always on’ – the iPhone and cloud computing. Prior to the release of the iPhone in 2007, getting on the Internet was ‘expensive’ in terms of time and location – you had to be at your desktop or your laptop and the system had to be connected to the Internet. Most often this was at work or at home, sometimes at a public access point. The iPhone, and the smart phones that followed, essentially put the Internet in the owner’s pocket on a very pleasantly usable device. Now you always had the Internet with you and didn’t have to go out of your way to use it. With this always-on connectivity, individuals moved larger portions of their lives to Internet connected systems and, in doing so, moved larger swaths of their personal data to more systems – fitness activities, notes, photos, social, even their homes.
Cloud computing made it easy for computing-intensive companies to set up shop. No longer was large capital investment required to build a computing-intensive company. With rates measured and charged in pennies per hour, companies could expand their computing infrastructure as needed. And they could do it easily, with much of the traditional heavy lifting of data center operations and networking already completed for them. The result has been an increase in Internet-based companies – SaaS providers and web startups.
Motives and Crimes
In the first decade of the millennium, the financial cybercrimes evolved from infrequent, one-man operations to frequent events perpetrated through a highly sophisticated, horizontally integrated criminal industry. Other criminal activities flourished too. While many of the crimes had been seen in previous decades, the frequency and magnitude of the crimes hadn’t.
Money – Bank Account Takeover
One of the biggest criminal developments of the 2000s was the formation of an entire industry devoted to compromising and pilfering online bank accounts.
One of the earlier online account compromises occurred in June of 2005, when a fraudster gained unauthorized access to a Miami businessman’s online bank account using keystroke-logging malware and was able to fraudulently wire over $90,000 to an account in Latvia.[18] By the third quarter of 2009, fraudsters successfully hijacked hundreds of U.S. small business online accounts, hauling away over $25 million.[19] This amount of criminal opportunity drove specialization, with some enterprises selling access to compromised systems, some selling custom malware, and others focusing on cashing out compromised accounts. A specific malware class of ‘banking trojans’, such as Zeus, Sinowal, Carberp, SpyEye, and others, developed to enable bypass of online banking controls. A fully featured license for Zeus, at one point, was selling in the criminal world for nearly $20,000.
[18] http://www.finextra.com/news/fullstory.aspx?newsitemid=13194
[19] http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/
Money – ATMs
ATMs are computer driven cash dispensers. If the account balance and daily withdrawal limit line up with an authenticated request, then the machine will give the requested amount of money. So, what happens when you steal a few cards and modify the account balances and daily withdrawal limits? The WorldPay division of Royal Bank of Scotland found out. On November 8, 2008, an army of cashers armed with compromised WorldPay pre-paid payroll cards descended on ATMs located in over 280 cities around the world and withdrew $9.5 million in cash in a twelve-hour period. The cashers kept their commission, 30-50% of the take, and wired the remainder to the scheme masterminds. The four leaders of the heist had previously broken into the Royal Bank of Scotland WorldPay network and stolen data for 44 pre-paid payroll cards, cracked the payroll card PIN encryption, raised the funds available on each account up to as high as $500,000, and changed the daily ATM withdrawal limit allowed. During the heist the hackers monitored the withdrawal transactions remotely from the RBS WorldPay systems and, once the heist was finished, they attempted to cover their tracks on the RBS network.[20]
Money – Payment Card Theft
Grand scale payment card theft looks like Albert Gonzalez’s ‘Operation Get Rich or Die Tryin’, a payment card hacking crew that stole over 90 million payment card numbers from companies including Heartland Payment Systems, TJ Maxx, 7-Eleven, and Office Max and caused over $200 million in damages. Gonzalez and crew compromised the payment card processing systems at these companies by exploiting well-known vulnerabilities in their wireless networks and web applications. Upon arresting Gonzalez, agents found $1.6 million in his several bank accounts. His goal was $15 million, at which point he planned to buy a yacht and retire.[21]
Money – Identity Theft
Since 2001, identity theft has been the most common consumer complaint registered to the Federal Trade Commission.
In 2012, 16.6 million U.S. residents, ages 16 and older, were victims of identity theft. The vast majority of these thefts involved fraudulent use of an existing financial account, such as a bank account or credit card account. The total cost of these crimes was estimated at $24.7 billion in 2012.[22]
[20] http://www.wired.com/threatlevel/2009/11/rbs-worldpay/ Federal Indictment http://www.justice.gov/opa/pr/2009/November/09-crm-1212.html
[21] http://www.wired.com/threatlevel/2010/03/tjx-sentencing
[22] http://www.bjs.gov/content/pub/pdf/vit12.pdf
Activism
Persons with a potentially more aggressive approach to activism took to the Internet in droves in the 2000s. One person’s 2010 New Year’s resolution was to actively disrupt sites he deemed to support “terrorists, sympathizers, fixers, facilitators, oppressive regimes and other general bad guys.” Operating under the handle ‘The Jester’, he frequently delivered on his resolution by launching Denial of Service attacks against sites he deemed to fit within his objective. His primary targets were wikileaks.org, for releasing the U.S. State Department cable messages, and sites or organizations he deemed to be aligned with terrorism.
Unknown numbers of people took up a variety of ‘hacktivist’ campaigns under the banner of Anonymous. Taking the opposite position from ‘The Jester’, Anonymous launched DDoS attacks against several financial firms in response to their ban of Wikileaks from their payment networks for publishing the U.S. State Department cables. A small Anonymous unit was involved in raising awareness of the Steubenville High rape case. Anonymous went after Sony to punish them for prosecuting George Hotz for successfully unlocking the PlayStation 3 security system. Ilmars Poikans’ campaign to expose fraud within the Latvian government was very effective and is worth researching. When filing his tax returns, Ilmars ‘unintentionally’ stumbled on a vulnerability on the Latvia Revenue Site that allowed him to see all tax filings. What he found was fat salaries for government officials during a time when citizens of Latvia, both public and private, were being forced to endure deep pay cuts because of the recession. His campaign to expose the injustice literally resulted in a public rebellion against the government.
So What Comes Next?
I am hopeful and I am dismayed all at the same time. On the leading edge, there is really exciting stuff happening in the security space, particularly in the areas of leveraging big data and data analytics to detect malicious events early in the attack stages. In the middle, the people, processes, practices, and technology for building and maintaining reasonably secure systems, networks, and applications are readily available. I see a lot of organizations doing the right security stuff, and they are being successful in protecting their businesses and their customers. Surprisingly, there are also still a lot of organizations that just don’t care. They don’t even do the basics. They have database servers listening on the Internet. Their systems are out of date and misconfigured. Their application access controls are easily bypassed. They just don’t care. And there is no excuse for it. Frankly, I think they should be kicked off the Internet until they get their stuff right. And there lies the answer. The crime will continue to occur and it will most commonly occur against organizations that don’t do security well. People will continue to move their money and their data online and criminals will continue to steal it, most commonly from the organizations that have the least security.