The Rise of Cybercrime 1970s - 2010
The Rise of Cybercrime 1970 through 2010
A tour of the conditions that gave rise to cybercrime and the crimes themselves
Kelly White
© Kelly White – 2013
Introduction
Computer crime has changed from a 1970s characterization of hobbyists committing pranks and ‘exploring’ computer systems to a present-day horizontally integrated industry of exploit researchers, malware writers, hackers, fraudsters, and money mules that cause hundreds of millions of dollars in damages annually. The articles below illustrate the juxtaposition of computer crimes from earlier decades with those of the present.
Teaching Hackers Ethics
Newsweek – January 14, 1985
The parents of "Echo Man," 16, "Three Rocks," 15, and "Uncle Sam," 17,
probably thought they were in their rooms doing homework. Instead, the
Burlingame, Calif., teen-agers were programming their Apples to scan the
Sprint telephone-service computers for valid access numbers, which they
used to make free calls. The hackers then posted the numbers on an
electronic bulletin board, so others could share in the spoils. That was their
undoing. Local police, who had been monitoring the bulletin board, raided
each of the hackers' homes last month and found enough evidence to
charge them with felony theft and wire fraud.
FBI: Cyber crooks stole $40M from U.S. small, mid-sized firms [1]
Washington Post, Brian Krebs – October 26, 2009
Cyber criminals have stolen at least $40 million from small to mid-sized
companies across America in a sophisticated but increasingly common form
of online banking fraud, the FBI said this week. According to the FBI and
other fraud experts, the perpetrators have stuck to the same basic tactics in
each attack. They steal the victim’s online banking credentials with the help
of malicious software distributed through spam. The intruders then initiate a
series of unauthorized bank transfers out of the company’s online account…
How do you explain the typical computer crime making the leap from petty phone access theft in the 70s to huge heists in the 00s? As it turns out, in each decade, the computer crimes fit pretty well with the demographics of their time. The type and frequency of computer crime occurring in each decade seem to have been shaped by three demographics:
• The number of computers online
• The type and amount of online commerce
• The globalization of Internet use
[1] http://voices.washingtonpost.com/securityfix/2009/10/fbi_cyber_gangs_stole_40mi.html
The number of crime targets is limited by the number of computers online. The profitability of a target is dependent on the type of commerce being conducted on the computers. And the likelihood of being caught is positively correlated with the effectiveness of law enforcement in prosecuting crimes, which, I have observed, is inversely proportional to the globalization of the Internet. As these demographics evolved, so too did the crime.
The Perfect Conditions for Crime
What are the perfect conditions for crime? How about easy targets, high profits, and very little chance of being caught? That is what the Internet provides – lots of easy targets where 250 million people are online in the U.S. alone and with very weak security. An almost guaranteed high return – over 72 million people in the U.S. conducting banking online. And little chance of being caught – attribution of crime on the Internet is nearly impossible and governments don’t have the resources to handle the volume, let alone the high cost of international investigations. They successfully prosecute a few per year for publicity, but little else. The Internet is the perfect place to commit crime.
It took until the late 1990s for these conditions to converge to create the perfect storm. These conditions didn’t mature until the late 90s. Before that, essential elements were missing – people, connectivity, commerce, and insecurity.
Computers and Connectivity
The first dimension to be set in motion was personal and commercial use of computers in the mid-1970s. In the 70s there weren’t very many computer systems and they weren’t interconnected. In the 80s private citizen computer ownership started ramping up, but their connectivity was limited largely to computer-to-computer modem services, and access to the Internet was restricted to government and university. In the 90s the government opened up the Internet to commercial and then public access. By the end of the decade, about half of the U.S. population was ‘online’.
+ Commerce
The explosion of online commerce was another important ingredient in creating the cyber crime environment. Without commerce, all the potential targets connected to the Internet are just targets. With commerce, computers become rich targets – credit card processing systems and automated tellers. In 2000, 40 million people in the U.S. had ever bought something online [2]. By 2008, that number reached 201 million [3]. Nearly everyone who can shop online does shop online. In 1998 8 million people in the U.S. were conducting banking online. By 2012 that grew to 72 million – 28% of online users and fully 23% of the entire U.S. population!
[2] http://www.pewInternet.org/Reports/2002/Getting-Serious-Online-As-Americans-Gain-Experience-They-Pursue-More-Serious-Activities.aspx
[3] http://www.pewInternet.org/Reports/2008/Online-Shopping.aspx?r=1
+ Insecurity
The build out of the Internet network infrastructure and the connected systems was fast and furious. At this pace, all focus was on feature and functionality. Little thought was given to the consequences of the risks and to the security requirements of such a critical, complex infrastructure. As a security consultant in the late 1990s, I examined up close the lack of security controls in even critical infrastructure.
On one engagement, my co-worker and I were called up on short notice to conduct an Internet perimeter test of a company that provided core processing services to credit unions. One of their services was outsourced Internet Banking. Compromising their perimeter was simple, taking about 10 minutes. We scanned their public address space for common ports, noticed 135 and 139 were listening on their Internet Banking server, established a net session and went to work guessing the administrator account password. The password was ‘snow’. It was easy pickings from there. Towards the end of the engagement, I met on-site with the company’s system administrators to discuss the findings. In response to my recommendations they asked, “What is a firewall?”
+ Internationalization and No Law Enforcement
In 1998 – 1999 about 80% of the people using the Internet were U.S. citizens and about 95% were U.S. citizens or citizens of U.S. allied countries. [4] Under these conditions, serious computer crimes could be investigated and prosecuted because the crimes were largely occurring from within the borders of governments that were willing to cooperate in cyber crime investigations. This acted as a deterrent of sorts, deterring many people from committing really serious cyber crimes.
Even into 2000, people using the Internet in developing economies were limited to the professional class – people in government, education, and industry – due to Internet access constraints. As Internet accessibility increased and cost decreased, non-professionals quickly got online. By 2005, the number of Internet users in BRIC countries – Brazil, Russia, India, and China – surpassed the number of Internet users in the U.S. Among these Internet users were, as in other countries, criminals. The difference this time though was that governments proved inept in dealing with the volume, the costs and international legal and political barriers of prosecuting crime. And frankly, non-U.S. allies were and continue to not be seriously interested in assisting other countries in criminal investigations. Ever contact a bank in Russia to request that they return a fraudulent wire? Ever participated in an FBI investigation that requires cooperation of Chinese authorities? Good luck.
The early financially driven international cyber crime spree in 2001 – 2002 went unchecked. This encouraged additional investment in cyber crime. Success continued to meet success, which continues to spiral to where we are today.
[4] http://datafinder.worldbank.org/Internet-users
The 1970s
Environment
In the early 1970s computers were limited to large, expensive timesharing mainframe and Unix systems owned by universities, large corporations, and government agencies.
In 1975 Ed Roberts released the first microcomputer for sale to the public – the MITS Altair 8080. No keyboard, no screen – just a box with toggle switches for programming and LED lights to show the output of the program. He sold 2,000 of the systems the first year. The following year, Steve Jobs and Steve Wozniak released the Apple I. Again, no keyboard or screen. By the end of 1976 computing enthusiasts had purchased 40,000 microcomputers. [5]
In 1977, the Apple II, the Tandy TRS-80 (I cut my teeth programming on this model), and the Commodore PET brought visual displays and keyboards to the market. People purchased 150,000 of these systems. [6]
[5] http://jeremyreimer.com/postman/node/329
[6] http://arstechnica.com/old/content/2005/12/total-share.ars
http://en.wikipedia.org/wiki/File:WIntHosts1981-2009.jpg
Computer communications were pretty limited. The government, military, and a few universities had ARPANET and X.25 networks. The public was limited to modem-based computer-to-computer phone calls, which was fine for dialing computers in your area, but a bit of a problem for those a long distance call away.
The killer app for computer communications was Bulletin Board System software, which first came to public life, courtesy of Randy Suess, during a snowstorm in February 1978. This development connected computer enthusiasts across the U.S. in an electronic underground where they could publish ideas and communicate within their own realm on their own terms. From this technology the computer hacker underground took root.
While it took some time for microcomputers to take hold, the phone system was already built out and available. A large community of phone system fanatics – ‘phone phreaks’ – learned how to control the predominant phone switching system in use at the time, thanks largely to serious security flaws in the system and the publication of the details of the internal switching system in the November 1954 issue of the Bell Labs Technical Journal.
Motives and Crimes
The primary motives behind the cyber crimes of the 60s and 70s were desire for system access, curiosity, and the sense of power attained from defeating security. The phone system was the first and favorite computer system targeted. The attraction to the phone system for the pioneers of phone phreaking was not free calls, but the desire to learn the system, the desire to beat the system, and the desire to control the system. John Draper, the father of phone phreaking, when asked about the techniques he developed for gaining operator access to phone systems, published in the October 1971 issue of Esquire Magazine, stated his motive behind unauthorized system access.
From Secrets of the Little Blue Box by Ron Rosenbaum, Esquire Magazine (October 1971)
The pioneers of ‘phone phreaking’ mastered the techniques for controlling the phone system and codified them in what is now called a ‘little blue box’. The box, commonly twice the size of a cigarette case, had buttons on the front that emitted tones. These tones, if emitted at the right time and in the right sequence during a call, would yield operator access to the phone system. The benefit, of course, was free calls to anywhere in the world.
Computers weren’t left alone. The first edition of Creative Computing magazine, published in 1976, had an article titled “Is Breaking Into A Timesharing System A Crime?” [7]
Besides the intellectual challenge of breaking in to systems, people were also motivated to break in to systems simply to gain access. In the 60s and early 70s time on the university-owned computer systems was limited. Students who wanted more time developed the first password crackers and trojan software in order to get the access they wanted.
With the introduction of microcomputers and Bulletin Board Systems in the mid to late 70s, people wanted to connect to other computer systems. To foot the bill for the long-distance calls many resorted to stealing long distance access codes – wire fraud. Again, the primary motive to steal the access codes was not for profit, but curiosity – to connect and learn.
The 1980s
Environment
In the 1980s the computer solidified its position in the upper income households, growing from over 1 million households with computers to in excess of 14 million by the end of the decade.
In 1979, CompuServe introduced timesharing services to the public through a 100-baud service called ‘MicroNet’, with electronic mail as their first application. CompuServe added real-time messaging in 1980. By the end of 1981 they had 10,000 users. By 1987 it grew to 380,000. It was a bit pricey - $10 / hour. YouTube.com has an interesting vintage news report on the system (search ‘1981 primitive Internet report on KRON’).
[7] http://www.atariarchives.org/bcc1/showpage.php?page=4
Bulletin Board Systems continued to proliferate in the 80s. They didn’t have monthly access fees and were under the control of the person hosting the Board – not a corporation. The Internet continued to remain the private domain of the government and some universities.
In the 1980s the cyber world, for all intents and purposes, was a geography-centric system, bounded within countries by telecommunications infrastructure borders and high international communications costs. Any cyber crimes that occurred within a country could be effectively investigated because the attack was likely staged within the same country and there just weren’t as many to investigate.
Motives and Crimes
Hacking in the 1980s was primarily about pursuit of knowledge, building reputations, a bit of politics, and games – games of breaking into systems and pulling off pranks. The hacker underground gathered and flourished in the anonymity and freedom of the Bulletin Board System, where boards in the hundreds such as Hack-A-Trip, Hackers of America, Hi-Tech Pirates, Cult of the Dead Cow, Legion of Doom, PhoneLine Phantoms, and the Strata-Crackers formed. Through boards hackers shared their knowledge and displayed the trophies of their system exploits.
Curiosity / Reputation
The Morris Worm, a program written by Robert Morris, a graduate student at Cornell University, was among the most significant computer security events of the 1980s. Though the only purpose of the worm was to propagate itself to other systems, it did degrade the performance of systems it compromised, causing significant impact to Internet-connected systems it invaded. It was estimated to
In 1988, Prophet of Legion of Doom compromised AIMSX, a BellSouth system. He did no damage, just explored. In his probing of the system he discovered a file containing information related to administration of the 911 system. Why did he download the file? It was a trophy – proof of his compromise of the system. Also, it was forbidden knowledge, and possession of forbidden knowledge was the currency with which reputation was purchased. [8]
Pranking
Some system compromises were simply to pull off a prank. In June of 1989 a person compromised a Southern Bell phone switch and redirected calls made to the Palm Beach County Probation Department to “Tina,” a phone-sex worker in New York State. [9]
[8] The Hacker Crackdown page 112-113
One of the earliest computer viruses was created as a joke. Elk Cloner, written by Rich Skrenta, spread to Apple II systems through infected floppy disks. The payload of the virus simply periodically displayed a humorous poem, in addition to replicating itself to any floppy disk inserted into an infected system.
Activism
The Department of Defense wasn’t left alone either. A Defense Data Network security bulletin was published on October 18, 1989, warning of a malicious worm attacking VMS systems on the SPAN network. [10]
Money
In 1989, a sixteen-year-old from Indiana gave an early glimpse of the future financially motivated electronic crime wave to come two decades later. Fry Guy, so referred to in the computer underground because of his compromise of a McDonald’s mainframe, developed a knack for pilfering data from credit reporting agencies and for compromising phone-switching systems. Combining these two skills, he would phone Western Union and ask for a cash advance on a stolen card. To ensure the security of transactions, Western Union had a practice of calling the card owner back to verify the authenticity of the request. Having changed the card owner’s phone number temporarily to a public pay phone, Fry Guy would answer the phone as the cardholder and authorize the transaction. [11]
[9] The Hacker Crackdown page 95
[10] http://www.textfiles.com/hacking/ddn03.hac
[11] The Hacker Crackdown page 100
The 1990s
Environment
By the end of the 1990s, the perfect conditions for cybercrime had formed: everyone was online, lots of people were conducting online banking and credit card transactions, there was a lack of legal framework and resources to prosecute cyber crime, and security was poor.
Two huge events in the 1990s made this happen. The first was the invention of the World Wide Web. In 1990, Tim Berners-Lee completed his build out of all the components necessary for his ‘WorldWideWeb’ project - a web server, a web browser, a web editor, and the first web pages. In 1991, he made his project publicly available on the Internet as the ‘Web’. In a single decade, the Web grew from non-existent to over 17 million web sites. [12]
The other history-altering event was the build out of public Internet access points. In 1994, the National Science Foundation sponsored four companies to build public Internet access points – Pacific Bell, WorldCom, Sprint, and Ameritech. Within a couple of years, Joe Public declared the Internet was good and got on-line. At the beginning of the decade there were two million people on the Internet in the U.S. By the end of the decade there were 135 million.
Companies followed the public and moved their commerce channels online. The U.S. Department of Commerce reported for 1999 $5.25 billion in online travel bookings, $3.75 billion in online brokerage fees, and $15 billion in retail sales. Banks got on-line too, with 10 million people conducting banking online in 2000.
Adoption of the Internet was not just a U.S. phenomenon. Though lagging developed economies by about five years, the emerging economies got online too. By 2000, 36 million people in the BRIC countries – Brazil, Russia, India, and China – were online. While the U.S. and its Allies established reasonably functional agreements for prosecuting cyber crime, no such agreements were realized with the rest of the world. The result was, and remains today, an Internet with no functional legal system for fighting crime.
Motives and Crimes
With the millions of new systems coming online, the 1990s was a target-rich decade for hackers. Fortunately for businesses and people putting their private information online, hackers primarily made a sport of defacing websites, rather than targeting the sensitive information stored in the systems. It would take until the following decade for the criminal profiteers to figure out how to monetize computer crime.
Sport
The most common computer crime of the 1990s was defacing websites. Hacking for ‘sport’ is a good category for these compromises. There really was no knowledge to gain, no curiosity to satisfy – just the sport of compromising web sites. Attrition.org documented many of the web site hacks through its web page hack mirror at http://attrition.org/mirror/. According to Attrition’s data, four web sites were hacked in 1995. Attrition reported 1905 websites being hacked in 1999.
[12] http://www.cnn.com/2006/TECH/Internet/11/01/100millionwebsites/
Number of Website Defacements Reported by Attrition.org [13]
Some very high profile sites fell during the decade. In 1996, the top sites compromised included the U.S. Air Force, NASA, and the site of the British Labour Party. Sites compromised in 1997 included Stanford University, Farmers & Merchants Bank, Fox News, and Yahoo. Other high profile sites to be compromised included the U.S. Senate’s www.senate.gov, ebay.com, alashdot.org, and nytimes.com. The content placed on these sites ranged from ‘Free Kevin!’, to pornography; from taunting messages like ‘Look you sorry ass system admin…’, to security advice such as ‘Stop using old versions of FTP’. A screenshot of part of the compromised senate.gov site is shown below. [14]
[13] http://www.phrack.org/issues.html?issue=55&id=18&mode=txt
[14] http://www.flashback.se/hack/1999/05/27/1/
Money
There were a few notable money-driven computer crimes in the 1990s. In 1994, a group led by Vladimir Levin broke in to the bank accounts of several corporations held at Citibank. Accessing the funds through Citi’s dial-up wire transfer service, he transferred $10.7 million to accounts controlled by accomplices in Finland, the United States, Germany, the Netherlands, and Israel.
In 1999, a Russian by the handle of ‘Maxus’ compromised the CD Universe web site and stole over 300,000 credit card records. Attempting to profit from the crime, Maxus faxed an extortion note to CD Universe demanding $100,000 in return for silence about the theft and destruction of the stolen data. His extortion rejected, he published 25,000 of the records on a website. In reporting on the incident, ZDNET called it the ‘biggest hacking fraud ever’. [15]
Curiosity
Though the Melissa Virus wasn’t the first, it certainly opened the eyes of corporations and system administrators to the fragility and vulnerability of computer systems and the Internet. In 1999, David Smith, a network programmer, released the Melissa Virus to the Internet. The virus was contained in a Microsoft Word document macro. When an infected document was opened, it would email itself to the first 50 addresses in the MAPI email address file on the computer. When asked why he did it, David Smith stated that he just wanted to see if it would work. It did work – splendidly, crashing an estimated 100,000 email servers. People readily opened the malicious document received from someone they knew containing a moderately convincing subject line and message. Besides, this type of attack was new. People weren’t used to being on their guard when opening up email attachments, especially from people they knew.
Activism
A few activist hacks occurred during the decade. In 1998, three members of the hacker group Milw0rm, as a protest of the Indian government’s nuclear weapons test program, broke in to several servers of the India Atomic Research Centre, modified the organization’s homepage, and stole thousands of emails and related research documents. [16] That same year hackers compromised and disabled filtering on a half-dozen firewalls used by China to filter its people’s Internet traffic. [17]
The 2000s
Environment
Two technological innovations really changed the landscape of the Internet from something you ‘go on’ to something you are ‘always on’ – the iPhone and cloud computing. Prior to the release of the iPhone in 2007, getting on the Internet was ‘expensive’ in terms of time and location – you had to be at your desktop or your laptop and the system had to be connected to the Internet. Most often this was at work or at home, sometimes at a public access point. The iPhone, and smart phones that followed, essentially put the Internet in the owner’s pocket on a very pleasantly usable device. Now you always had the Internet with you and didn’t have to go out of your way to use it.
[15] http://www.zdnet.com/biggest-hacking-fraud-ever-3002076252/
[16] http://www.wired.com/science/discoveries/news/1998/06/12717
[17] http://www.wired.com/politics/law/news/1998/12/16545
With this always-on connectivity, individuals moved larger portions of their lives to Internet connected systems and, in doing so, moved larger swaths of their personal data to more systems – fitness activities, notes, photos, social, even their homes.
Cloud computing made it easy for computing-intensive companies to set up shop. No longer was large capital investment required to build a computing-intensive company. With rates measured and charged in pennies per hour, companies could expand their computing infrastructure as needed. And they could do it easily, with much of the traditional heavy lifting of data center operations and networking already completed for them. The result has been an increase in Internet-based companies – SAAS providers and web startups.
Motives and Crimes
In the first decade of the millennium, the financial cybercrimes evolved from infrequent, one-man operations to frequent events perpetrated through a highly sophisticated, horizontally integrated criminal industry. Other criminal activities flourished too. While many of the crimes had been seen in previous decades, the frequency and magnitude of the crimes hadn’t.
Money – Bank Account Takeover
One of the biggest criminal developments of the 2000s was the formation of an entire industry devoted to compromising and pilfering online bank accounts. One of the earlier online account compromises occurred in June of 2005, when a fraudster gained unauthorized access to a Miami businessman’s online bank account using keystroke-logging malware and was able to fraudulently wire over $90,000 to an account in Latvia. [18] By the third quarter of 2009, fraudsters successfully hijacked hundreds of U.S. small business online accounts, hauling away over $25 million. [19]
This amount of criminal opportunity drove specialization, with some enterprises selling access to compromised systems, some selling custom malware, and others focusing on cashing out compromised accounts. A specific malware class of ‘banking trojans’, such as Zeus, Sinowal, Carberp, SpyEye, and others, developed to enable bypass of online banking controls. A fully featured license for Zeus, at one point, was selling in the criminal world for nearly $20,000.
[18] http://www.finextra.com/news/fullstory.aspx?newsitemid=13194
[19] http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/
Money – ATMs
ATMs are computer-driven cash dispensers. If the account balance and daily withdrawal limit line up with an authenticated request, then the machine will give the requested amount of money. So, what happens when you steal a few cards and modify the account balances and daily withdrawal limits? The WorldPay division of Royal Bank of Scotland found out.
On November 8, 2008, an army of cashers armed with compromised WorldPay pre-paid payroll cards descended on ATMs located in over 280 cities around the world and withdrew $9.5 million in cash in a twelve-hour period. The cashers kept their commission, 30-50% of the take, and wired the remainder to the scheme masterminds.
The four leaders of the heist had previously broken in to the Royal Bank of Scotland WorldPay network and stolen data for 44 pre-paid payroll cards, cracked the payroll card PIN encryption, raised the funds available on each account up to as high as $500,000, and changed the daily ATM withdrawal limit allowed. During the heist the hackers monitored the withdrawal transactions remotely from the RBS WorldPay systems and, once the heist was finished, they attempted to cover their tracks on the RBS network. [20]
Money – Payment Card Theft
Grand scale payment card theft looks like Albert Gonzalez’s ‘Operation Get Rich or Die Tryin’, a payment card hacking crew that stole over 90 million payment card numbers from companies including Heartland Payment Systems, TJ Maxx, 7-Eleven, and Office Max and caused over $200 million in damages. Gonzalez and crew compromised the payment card processing systems at these companies by exploiting well-known vulnerabilities in their wireless networks and web applications. Upon arresting Gonzalez, agents found $1.6 million in his several bank accounts. His goal was $15 million, at which point he planned to buy a yacht and retire. [21]
Money – Identity Theft
Since 2001, identity theft has been the most common consumer complaint registered to the Federal Trade Commission. In 2012 16.6 million U.S. residents, ages 16 and older, were victims of identity theft. The vast majority of these thefts involved fraudulent use of an existing financial account, such as a bank account or credit card account. The total cost of these crimes was estimated at $24.7 billion in 2012. [22]
Activism
Persons with a potentially more aggressive approach to activism took to the Internet in droves in the 2000s. One person’s 2010 New Year’s resolution was to actively disrupt sites he deemed to support “terrorists, sympathizers, fixers, facilitators, oppressive regimes and other general bad guys.” Operating under the handle ‘The Jester’, he frequently delivered on his resolution by launching Denial of Service attacks against sites he deemed to fit within his objective. His primary targets were wikileaks.org, for releasing the U.S. State Department cable messages, and sites or organizations he deemed to be aligned with terrorism.
[20] http://www.wired.com/threatlevel/2009/11/rbs-worldpay/
Federal Indictment: http://www.justice.gov/opa/pr/2009/November/09-crm-1212.html
[21] http://www.wired.com/threatlevel/2010/03/tjx-sentencing
[22] http://www.bjs.gov/content/pub/pdf/vit12.pdf
Unknown numbers of people took up a variety of ‘hacktivist’ campaigns under the
banner of Anonymous. Taking the opposite position from ‘The Jester’, Anonymous
launched DDoS attacks against several financial firms in response to their ban of
Wikileaks from their payment networks for publishing the U.S. State Department cables.
A small Anonymous unit was involved in raising awareness of the Steubenville High
rape case. Anonymous went after Sony to punish them for prosecuting George Hotz for
successfully unlocking the PlayStation 3 security system.
Ilmars Poikans’ campaign to expose fraud within the Latvian government was very
effective and is worth researching. When filing his tax returns, Ilmars ‘unintentionally’
stumbled on a vulnerability on the Latvia Revenue Site that allowed him to see all tax
filings. What he found was fat salaries for government officials during a time when
citizens of Latvia, both public and private, were being forced to endure deep pay cuts
because of the recession. His campaign to expose the injustice literally resulted in a
public rebellion against the government.
So What Comes Next?
I am hopeful and I am dismayed all at the same time. On the leading edge, there is really exciting stuff happening in the security space, particularly in the areas of leveraging big data and data analytics to detect malicious events early in the attack stages. In the middle, the people, processes, practices, and technology for building and maintaining reasonably secure systems, networks, and applications are readily available.
I see a lot of organizations doing the right security stuff, and they are being successful in protecting their businesses and their customers. Surprisingly, there are also still a lot of organizations that just don’t care. They don’t even do the basics. They have database servers listening on the Internet. Their systems are out of date and misconfigured. Their application access controls are easily bypassed. They just don’t care. And there is no excuse for it. Frankly, I think they should be kicked off the Internet until they get their stuff right.
And there lies the answer. The crime will continue to occur and it will most commonly occur against organizations that don’t do security well. People will continue to move their money and their data online and criminals will continue to steal it from the organizations, most commonly, that have the least security.