Schneier on Security
A blog covering security and security technology.
July 21, 2011
Is There a Hacking Epidemic?
Freakonomics asks: "Why has there been such a spike in hacking recently? Or is it merely a function of us paying closer attention and of institutions being more open about reporting security breaches?"
They posted five answers, including mine:
The apparent recent hacking epidemic is more a function of news reporting than an actual epidemic. Like shark attacks or school violence, natural fluctuations in data become press epidemics, as more reporters write about more events, and more people read about them. Just because the average person reads more articles about more events doesn’t mean that there are more events—just more articles.
Hacking for fun—like LulzSec—has been around for decades. It’s where hacking started, before criminals discovered the Internet in the 1990s. Criminal hacking for profit—like the Citibank hack—has been around for over a decade. International espionage existed for millennia before the Internet, and has never taken a holiday.
The past several months have brought us a string of newsworthy hacking incidents. First there was the hacking group Anonymous, and its hacktivism attacks as a response to the pressure to interdict contributions to Julian Assange’s legal defense fund and the torture of Bradley Manning. Then there was the probably espionage-related attack against RSA, Inc. and its authentication token—made more newsworthy because of the bungling of the disclosure by the company—and the subsequent attack against Lockheed Martin. And finally, there were the very public attacks against Sony, which became the company to attack simply because everyone else was attacking it, and the public hacktivism by LulzSec.
None of this is new. None of this is unprecedented. To a security professional, most of it isn’t even interesting. And while national intelligence organizations and some criminal groups are organized, hacker groups like Anonymous and LulzSec are much more informal. Despite the impression we get from movies, there is no organization. There’s no membership, there are no dues, there is no initiation. It’s just a bunch of guys. You too can join Anonymous—just hack something, and claim you’re a member. That’s probably what the members of Anonymous arrested in Turkey were: 32 people who just decided to use that name.
It’s not that things are getting worse; it’s that things were always this bad. To a lot of security professionals, the value of some of these groups is to graphically illustrate what we’ve been saying for years: organizations need to beef up their security against a wide variety of threats. But the recent news epidemic also illustrates how safe the Internet is. Because news articles are the only contact most of us have had with any of these attacks.
Posted on July 21, 2011 at 6:07 AM
"But the recent news epidemic also illustrates how safe the Internet is. Because news articles are the only contact most of us have had with any of these attacks."
Only because most people don't have anything a (professional) hacker wants - except for the spammers and malware sellers, of course, for whom everyone is fair game.
Meanwhile, Anonymous claims they've ripped off a GB of data from NATO, most of which they claim they can't publish "because it would be irresponsible". LOL!
I say, "Publish and be damned! NATO deserves it!" This "we have to support the troops" attitude is BS. "The troops" are out there bombing civilians daily. Screw 'em. No one told them to join the military and serve as hatchet men for politicians, oil companies, and the military-industrial complex.
And I say that having enlisted in 1967 and spent 3 years in the US Army including a year in Vietnam.
I wised up. Anyone who puts himself in harm's way on orders from people he doesn't know for reasons he doesn't understand based on intelligence he doesn't have access to is simply a moron.
Anonymous should publish every byte of that NATO data.
[Tyler Durden voice]:
I am Bruce's complete lack of surprise.
There is a difference. In the past the hackers wanted to keep quiet about what they had done.
1. It was illegal
2. They were criminals and wanted the continued opportunity to exploit the hack
3. Spies likewise.
Now you have people who hack for the publicity.
1. Bragging rights.
2. Opening up the security of systems, in order to get the security tightened.
It's the latter that is new.
We used to say "If you're a good hacker, everyone knows your name. If you're a GREAT hacker, NO ONE knows your name!"
The recent news coverage is misleading as it focuses on certain types of hacking that largely impact large corporations and government agencies. There's also a lot of attention to hacking that seeks media attention. Most of us don't have to worry about this type of hacking.
However, home computers and SMBs are a much bigger target than big corporations and government agencies because they are so much easier to hack and the risk/benefit is much better. The risks resulting from hacking an SMB are low but the criminal gang can walk away with tens or hundreds of thousands of dollars fairly quickly. The security is likely to be poor so it will be easy to get onto the system where they can start sucking up credit card information or gain access to the business's online banking. Think the bank cares about fraudulent ACH transactions and wire transfers? They don't. With the exception of Brian Krebs and the endless stream of advisories coming out of the FBI, there is minimal attention paid to these issues. (Although check out today's WSJ for an exception.)
@RSH: "I wised up. Anyone who puts himself in harm's way on orders from people he doesn't know for reasons he doesn't understand based on intelligence he doesn't have access to is simply a moron."
A great follow up to that is: Okay, so you disclose the information and the soldier decides: Naw.. I don't feel like doing it.. Then what? What about 10 soldiers? What about 20?
You end up with lots of soldiers in harm's way because not everyone is on the same page.
No, I am not in the military, but I have played team sports and worked in a large organization. When people do understand the reasons and they don't agree with it, they don't act as they need to for the betterment of the team.
Outside of that--
I think the targets are the reason for the disclosure, but I kind of disagree with the phrase:
"But the recent news epidemic also illustrates how safe the Internet is. Because news articles are the only contact most of us have had with any of these attacks."
I think some of the attacks showed how the Internet is NOT safe as thousands and thousands of PII and corporate data was published. We ultimately don't know what the ramifications/cost of those disclosures are. Sure, not all of the data was made public -- but how much was sold? How much of it could have been taken by other hackers (hack the hacker types)?
Just a thought.
Excellent point. Saying "the internet is safe" because Joe Average hasn't been hacked is ridiculous and myopic. The fact is at one time or another nearly every system connected to the internet is subjected to attack and in most cases compromised to some degree. Maybe it's only compromised by spyware... maybe it's a worm/virus... or maybe it gets taken over as part of a massive botnet. But "safe"? No way!
Which one is yours, Bruce?
Number 4 is appealing because the media loves to exaggerate threats by, among other methods, claiming that like threats all come from a single entity.
Is this implied by #3 or by being too obvious?
Personal liberties are seeing a low priority; something that is near and dear to the hacker's heart? (As well it should be to all of us!)
Because I enjoy making grandiose statements informed by various currently unfashionable schools of thought, I offer the following analysis:
What we are seeing today is a culmination of the nihilistic trajectory of world civilization for many decades, if not centuries. Modern people are cut off from their mythical traditions, have no deep culture, vision or ethos, nothing to restrain or inspire them, and the internet is the perfect medium to express their nihilism. Modern people are also powerless and dependent upon an impersonal matrix for their survival like never before in history. The logical consequence of this nihilism and powerlessness is the kind of hacking epidemic we're seeing.
My advice to young people in the tech industry is to deprogram yourselves from our dominant culture, which is a monstrous combination of cultural Marxism and global capitalism, and discover a real myth to live by. Read Joseph Campbell, Mircea Eliade, google the traditionalists, and find your tribe, or soon you may find yourself joining the ranks of the "just for the lulz" nihilists that the modern world produces in such abundance.
"You too can join Anonymous—just hack something, and claim you’re a member."
... on an imageboard.
...the biggest "hackers" are government agencies.
NSA/DHS/FBI routinely and massively 'hack' into all types of private/personal/"secure" information... across the spectrum of electronic communications/records -- and even into paper snail-mail.
The media is not much interested.
Even when caught red-handed-- government hackers just get a yawn. The FBI's own Inspector-General blew the whistle on thousands of illegal FBI wiretaps & electronic intrusions --- result was nothing... no indictments, or even hand-slaps. But the FBI somehow had plenty of interest in arresting alleged "Anonymous" private-hackers.
The vast media disinterest in government hackers is the elephant-in-the-living-room.
The opinion that...
"It’s not that things are getting worse; it’s that things were always this bad. "
...is just the old adage that things have not changed at all, they are just reported better.
Life is not black-and-white in the sense that there are only two alternatives:
X. things get worse, OR
Y. things stay the same and are just reported better
Obviously there is more hacking now than e.g. in 1993, simply because:
1. there are more computers connected to the internet (thus more devices through which to hack if one chooses to)
2. there is more material about hacking
3. there are lists about software vulnerabilities, and ready made hacking scripts and other malware to use
Each factor above lowers the thresholds for a young aspiring hacker to enter the industry.
And because of that the truth is not either X or Y (above) but some combination of X and Y.
On the issue of legality or morality I think there is a corollary between the book "City of God" by St. Augustine and what LulzSec, Anonymous and Anti-Sec are up to. St. Augustine tells the story of a pirate captured by Alexander the Great. Alexander demands of him, "How dare you molest the seas?" To which the pirate replied, "How dare you molest the whole world? Because I do it with a small boat, I am called a pirate and a thief. You, with a great navy, molest the world and are called an emperor."
@ Bruce Schneier
I strongly disagree with his assessment. I feel there has been an increase in hacking over the previous years in many extents. The description didn't factor in some very important issues. The first is the amount of available hacker aids including books, online howto's, premade scripts, and cheaply available rootkits that actually defeat AV systems & automatically comb up credentials. Hackers in my day didn't have it that easy, with much of the work being customized & you had to be trusted by pro's to get good scripts & best practices.
Second, there's been tons of press coverage in newspapers, blogs like Krebs's and magazines like Wired that tell random people about the tools of the black hat trade, what kinds of places have them, how much they cost, and how easy they are to use. One article gave specific web sites that sold CC numbers for "as little as $200." This was a widely read publication. Any member who had thought crime was risky & expensive to get into is now informed that it's cheap, low risk, where to get the stuff, and that Western Union is the preferable payment method. Multiply that by thousands of similar articles and you get the idea of the potential impact.
These two factors have combined to cause an increase in online crime. In the 90's, we were port scanning systems, hoping for default passwords to be there, etc. It was either random or targeted. The credit card theft was mainly a physical affair & identity thieves worked hard to get personal information and selectively hit targets. Today, people can anonymously buy a few dozen credit cards, put them on mag stripes, and cash them out at ATM's. Today, identity thieves & data brokers can use off-the-shelf kits to break into databases, stealing records by the tens of millions or more. In the past, we'd brag about having a hundred or so systems. Today, they have several million at once, acquired with fire-and-forget malware.
So, I'd say that hacking is much more numerous & damaging than it once was. There are more of them, they have better tools, they have more education, most are in foreign jurisdictions, they are making more money on average, and the act requires little to no skill. The situation is much worse than it used to be. An epidemic? Well, the word "pandemic" might be more appropriate considering the number and locations of victims of hacking, online fraud & spam-related fraud.
Also: I think media is finally picking up on how many people have really honking bad pins.
"1. Bragging rights.
2. Opening up the security of systems, in order to get the security tightened."
"It's the latter that is new."
No, we've been doing that for a long time. Perhaps since the 90's, as I was actively exposing banks' weaknesses to them in 1999. We'd hack them, get some data, wrap it and send it to the bank manager or security guy. We'd leave little files or send internal emails proving we were there. Since we did it for the rush rather than destruction, we would tell them the hole & how to fix it. Typical response? In one hacker's words: "We're coming after you, you little sons of bitches! How dare you be on our network!" Were the holes fixed? Sometimes immediately & sometimes after we breached them two or three times. I remember one hacker compromised a major bank using a dictionary attack. Password? "User Id: root password: control. I typed control & I had it. That easy."
So, LulzSec-like efforts and publicity-based efforts have been going on a long time. "Bragging rights" have probably been a motivation as far back as the first hackers at MIT stealing access from timesharing machines. Regardless of motivation, all of these incidents have still failed to cause widespread deployment of secure systems and processes. Many old school hackers were left disappointed by this, as it was their dream. I say, "Dream on!"
@ Richard Steven Hack
"Meanwhile, Anonymous claims they've ripped off a GB of data from NATO, most of which they claim they can't publish "because it would be irresponsible". LOL!"
Or they don't have it and they're just bullshitting. Anonymous & LulzSec are both known to do this. Either way, I think it's NATO's fault if they lose 1GB of classified information. The government has been pushing out high assurance vendors and replacing them with low assurance systems over the past twenty to thirty years. Then, they get hacked by some mediocre hackers. Cause and effect, anyone? They simply need to spend money on real security & controlled sharing like they used to. They can't use sharing and collaboration as an excuse anymore because there are numerous vendors like BlueSpace that make MLS-capable wikis, geospatial intelligence systems, etc. that work on both commodity & secure MLS platforms.
"And finally, there were the very public attacks against Sony, which became the company to attack simply because everyone else was attacking it, and the public hacktivism by LulzSec."
-There were a few events that have turned tech people anti-Sony, including (most recently) what they've been doing with their gaming console and against hackers who are trying to keep its original functionality.
@Sean the Mystic
I agree that the wave of "for the lulz" is partially a product of nihilism and a lack of a compelling narrative. But it also comes from people being jerks, which you can't blame on culture.
I do agree with Bruce that the wave of hacking is a wave of awareness rather than of actual hacking.
It makes sense that the increasing accessibility of hacking as an activity has led to its growth and that increased awareness leads to increased activity. But I think these are longer term trends and I don't see how there has been an explosive growth in the past few months. At least not one in proportion to the shift in media coverage.
If anyone has a sense of story, look to a newsman. I noticed a wonderful flow from the Wikileaks drama (what's going on with that now, anyway?) right into the next chapter of Anonymous and LulzSec. I wonder what they'll bring us for Christmas?
"But I think these are longer term trends and I don't see how there has been an explosive growth in the past few months. At least not one in proportion to the shift in media coverage."
I totally agree. My post represents about five to six year time frame where the underground grew & matured into a specialized economy.
I agree with those who say there is both more hacking and more news about hacking. Clearly hacking is like anything else in economic terms: if the payoff is big, more and more people invest in it until the payoff is reduced to the "general rate of return." This is true about coercion in general just as it is in all areas of human behavior.
Add to that the increase in accessible machines both in the public and private sectors and obviously you're going to have more hacking. - and better hacking.
But Nick and others are right that the recent wave of highly publicized hacking is mostly based on 1) the high profile of the hacking victims, 2) the connection of those victims with the political stories of the day, i.e., Wikileaks, wars, and related topical subjects, and 3) the news media seizing on the topic.
AppSec: "When people do understand the reasons and they don't agree with it, they don't act as they need to for the betterment of the team."
Which implies that "the team" is the be all and end all over individual lives - which implies soldiers are slaves. Which they are. The notion that "individual liberty" has to be defended by slaves is clearly a bankrupt proposition. Historically, many of the best armies were those with the loosest "discipline." The Israeli military comes to mind (at least in the early days.)
Warriors on the other hand are the exact opposite: they know why they're fighting, they know who they're fighting and why they're a threat, they have access to the necessary intel, and they plan and conduct their own battles with regard to their own lives.
Unfortunately, warriors went out with tribal societies. Which is why the US is having such a problem crushing the remaining tribal societies of Iraq and Afghanistan. Which is not to say the Taliban aren't relying on hierarchical command structures and indoctrination. But clearly the Taliban are FAR more motivated than US (to say nothing of NATO) forces. For good reason.
And comparing team sports with a group of warriors is incorrect. The stakes are considerably higher in war and if the war makes any sense, there will be little disagreement in waging it.
Also, even if a group of warriors disagrees on strategy or tactics, it doesn't necessarily put them in harm's way. It can also take them out of harm's way because the folly of the project is exposed.
Finally, I was in Vietnam. I know precisely how little motivated most US conscripts were and how much sabotage of the Army went on. That was why the US turned to a "professional" army - which is still composed to a large degree of immigrants seeking a green card, people who would otherwise be in prison, people seeking a free college education - along with a smattering of psychopaths who just want to kill people, and a large proportion who think being a soldier gives them some self-esteem or expresses their - fundamentally unconsidered and unintelligent - "patriotism" (while still hoping they never get shot at.)
And a number of complete idiots who really think invading Iraq and Afghanistan is "protecting freedom" or "protecting the United States" - which is demonstrably false to a five-year-old. ("Run out and find me a five-year-old child, I can't make head or tail of this." - Groucho)
All pretty pathetic excuses. Everyone considering joining a military ought to read General Smedley Butler's "War is a Racket". It should be required reading in civics classes.
Anonymous tells off the FBI:
Anonymous & Lulz Security Statement
Now let us be clear here, Mr. Chabinsky, while we understand that you and your colleagues may find breaking into websites unacceptable, let us tell you what WE find unacceptable:
* Governments lying to their citizens and inducing fear and terror to keep them in control by dismantling their freedom piece by piece.
* Corporations aiding and conspiring with said governments while taking advantage at the same time by collecting billions of funds for federal contracts we all know they can't fulfil.
* Lobby conglomerates who only follow their agenda to push the profits higher, while at the same time being deeply involved in governments around the world with the only goal to infiltrate and corrupt them enough so the status quo will never change.
Nice. Low-level analysis but nice response.
@ AppSec (and others)
"I think some of the attacks showed how the Internet is NOT safe... "
Random surveys of home PCs show 80-90% are infected with at least one malware, often several. I've detected from a great distance friends' machines being infected, by a Word doc they sent me.
The Internet is a very dangerous jungle, and most homes and offices are not even close to minimally secure. These recent targeted attacks prove it. They get more publicity because the other enterprises and home users //don't yet know they're infected//. Who knows when the next major time bomb will go off, and CC#s, Gov secrets, etc. will be stolen? How much of that happens that we never hear about, because the parties involved want to hush it up?
btw, this is just idle curiosity, but there used to be a poster at RSnake's blog, ha.ckers.org, who went by the name "appsec". Or maybe it was Robert himself, I don't remember. Just wondering if you're the same person. Cheers.
I think there is a correlation between publicity hacking and attempts to create Internet laws, such as the three strikes anti-piracy legislation. Also, while the hacks might not be more numerous, they are gaining access to larger databases of users, many of whom reuse passwords and thereby create a domino effect. The general media don't report on known security exploits, just the bravado of the hackers.
This is not an epidemic so much as a turf war, and it's currently directly tied to what's going on with Rupert Murdoch's empire. What Murdoch's people were doing was happening with the tacit complicity of government on both sides of the pond. As these activities come to light, the schism between right and left wing employees of both the British and American governments, specifically intel operatives and co-opted hackers working for those governments, is coming to a head. Two whistleblowers are already dead in Great Britain - today's white hat is yesterday's Star Trek red shirt. It's getting very ugly, and it's likely to get uglier.
Richard Steven Hack is correct on many points, but in particular this: the real epidemic of hacking has been the post 9/11/01 actions of what is now clearly emerging as a global, transnational military/industrial complex enacted against the citizenry of supposedly "free" countries its members are ostensibly paid to protect. War *IS* a racket - and the actions of the post 9/11/01 US military were a protection racket taken to obscene extremes which set our civil liberties back a good 225 years.
The obvious enabling involvement of Murdoch's media empire with establishing the current status quo, which borders dangerously on fascism, is only the tip of the iceberg. He is the new sacrificial lamb, the new Lehman Brothers, but his corporation and its employees are by far not the only ones guilty. The fallout from this is far reaching. Whistleblowers don't get dead over nothing. Also, with many of the right wing co-opted hackers and the people they support working in the general vicinity of NYC (Murdoch's HQ, Wall Street) currently under fire, I am rather glad to be watching this play out from a certain distance. An Air Force vet myself, I am with Richard Steven Hack on this one. I'm quite done being a sitting duck at some coward's ground zero, putting myself out there for people who'd just as soon see me fall dead upon the king's infohighway.
"That’s probably what the members of Anonymous arrested in Turkey were, 32 people who just decided to use that name"
Which makes me think yet again after the way FBI et al "snatch squads" have been sent in after teenagers etc,
"Is Anonymous the new Al Qaeda"
It's funny you should mention Sony...
It appears they are not just "piggy in the middle" but "the squealer in a pig sticking contest".
After losing over 100million sets of personal details and claiming that it was insured, it turns out their insurer does not agree, and has gone to court to get that firmly established.
This is going to be very messy, because if it turns out Sony was "engaging in business for which it had no liability insurance" it could find itself on the end of some very nasty legal action.
Also it might well end up setting a precedent for all other companies with online services that hold PII etc.
I suspect this could get quite interesting, in the sense of the Chinese curse...
Did a post disappear? I'm sure there was one above this one about hacking, but can't remember what it was...
All the perspectives in the Freakonomics posting are valuable. I judge them (based more on gut instinct than on knowledge) to be at least partially correct.
While hacking may not have increased or decreased, I judge that the effect of hacking on the average person may have increased with the number of online accounts that they keep.
Repost from Freakonomics in case anyone is interested
Brian Donohue says:
Reading this, I am wondering if maybe high unemployment numbers and all the baggage that comes with them may be feeding fuel to the hacking fire.
Nick P says:
Certainly. I remember reading in sociology texts back in college that poverty and lack of education were the primary contributors to criminality in a given area. People desperate to pay bills & who lack the ability to legitimately get the money are naturally more likely to see crime as the most cost-effective solution. Many even might think, at first, that they’ll only do it a few times to pay these bills. Seeing the ease of making thousands a month, they might stick with it. An example of a layoff leading to a life of cybercrime is given in the presentation “Becoming the six million dollar man”. Google it.
For an immediate idea, here’s the kind of payoff you’re looking at. If the crook has no money, they might use some free samples or $200 for some CC’s, making a few grand off of reselling stolen merchandise. A two grand investment gets them some blank cards, a card writer & some ATM cards with PIN. This usually results in a few grand. They do this a few times and they have $10 grand. Invest some of that in some ACH malware kits & fire them off at small businesses, churches, etc. from residential wifi hotspots. Average ACH fraud is $100k-$300k. Assume laundering & other losses take 50% of the revenue. Resulting profit is still $50k-150k, from a cash investment as little as $3,000. It’s easy to see IT guys remaining jobless for months might think this is a better option, especially if they felt cheated by the system as some crooks describe.
not so sure…. there is huge difference between small criminals and big ones…the big ones generally try to discourage the small ones as they make life difficult for big criminals i.e. put political pressure on authorities to crack down on crime… small criminals (street theft etc) discourage people from going out and that reduces business for big criminals… big criminals skim from the top and so do not kill the goose .. a protection racket is transparent to the consumer who is paying in higher prices! Robbing banks does not discourage people from online transactions even though via insurance premiums etc the cost is passed back to the consumer…
Nick P says:
That sounds nice and much like street crime. However, most online crime actually doesn’t work like that. The vast majority of online criminals are independents, groups or individuals, who saw an opportunity and took up the trade. Most long-term individuals specialize in a particular skill, like developing sploits or building botnets.
The more generalized ones are often composed of small groups that focus on about one scheme at a time, trying to milk it as much as they can. They often have a few profitable core members and sometimes even support personnel who help the new people with hard cases. (Esp. true with 419 groups) The largest groups, like Russian Business Network, do whatever scheme makes them the most money, have an R&D apparatus that develops more sophisticated approaches, and leverage off-the-shelf attack kits where possible.
In the online market, everyone discourages everyone. Competition decides who wins because the competitors are often nameless, invisible and unreachable, even for the big fish. The more successful groups leverage their resources to further deny competitors success, as seen in botnets that disable other botnets’ code or patch vulnerabilities. It’s not like the organized street crime or protection rackets. It’s much more laissez faire.
And the hacking problem will not get better as the underlying problem has no resolution in sight. Namely, computers are too complex to be secure.
Nick P: Gotta agree with that last. The book "Kingpin" pretty much establishes that, since it's all about one hacker taking down a whole slew of credit card hackers' Web sites and absorbing them into his and "industrializing" the credit card fraud business - at least until he got caught.
I do think that how online crime works depends on the location. I suspect that in Russia and Eastern Europe, it's more like how traditional organized crime works - and probably involves much the same people. The hackers do the grunt work, but the business networks are set up by people who understand criminal enterprises.
In the US, it's probably much more independent, with little influence from "real" organized crime. You look at the people in "Kingpin", the US ones are all small time hustlers and techies, the European ones are more professional criminals who have adapted to computer crime.
Clive: Here's an example of the FBI busts:
What, me a hacker?! Target of international manhunt speaks!
They raided some band who had an open WiFi - and on top of which they all moved out a few weeks before the FBI raid.
Doesn't the FBI even SURVEILL a raid site before pounding up the stairs to see if the people they're after are even around any more? Really?
If the rest of their busts are of this caliber, it's going to turn into a PR nightmare for the FBI.
They're not referred to as "Fumbling Bunch of Idiots" for nothing by professional criminals.
And the work goes on...
Anonymous still accessing, downloading NATO data
If true, apparently NATO hasn't found the breach yet... Will this turn out to be an inside job like Bradley Manning? Stay tuned.
And the corruption of the security industry goes on:
Cyber Weapons: The New Arms Race
Companies that are developing zero-day exploits for profit and targeting anyone at all.
And someone at the FBI said Anonymous actions were "unacceptable"?
@ Nick P.:
"I remember reading in sociology texts back in college that poverty and lack of education were the primary contributors to criminality in a given area."
I'd not put too much stock in sociology, as it's barely a science; certainly one of the "softest". E.g., there was more crime in the US during the boom of the Roaring (19-) Twenties than during the Depression of the 1930s.
In all fairness, the 1920s were the Prohibition era, which gave incentives for gang violence over the lucrative trade, just as drug prohibition does today. No black market = no profits worth risking jail or death.
Plenty of people who are already rich commit crimes. (Most of them are politicians, haha - not so haha. John Edwards is back in the news again for financial malfeasance:
Very poor people in the US who can't afford computers or the training to use them seem like unlikely cybercriminals.
Sociologists and the media have a tendency to focus on one or two easy and obvious factors, in this or any other issue, and those "obvious" ones aren't always right. It's a multi-factor problem, and glib clichés don't answer it.
I agree that online crime now is more likely to be perpetrated by sophisticated individuals and gangs, but were they motivated by their former poverty, or because they could make a lot more money with a lot less effort than in an honest job? -- aside from lacking a moral compass, which goes back to upbringing, culture, etc.
@ Richard Steven Hack:
This Silicon Valley start-up with such valuable proprietary source code wasn't even smart enough to store it encrypted when the office is closed? ... not sure I'd want to buy anything from them.
Nick P: By the way, this - "It’s easy to see IT guys remaining jobless for months might think this is a better option, especially if they felt cheated by the system as some crooks describe." - comes perilously close to describing me. :-)
Tommy: The shoe maker's children go without shoes. It's security guru Shimomura getting hacked. It's HBGary Federal getting hacked.
It's good that this happens because part of the info in that article comes from the HBGary hack. We might never know how corrupt the IT security industry is without such incompetence on its part.
Also, I think Nick P was suggesting that middle-class IT people out of a job are just as likely to consider computer crime as lower class people might consider other types of crime - not specifically that lower class people become cyber-criminals. Although you CAN find cases where that actually occurred.
It's pretty clear that economic conditions DO influence the crime rate for certain classes of crime. Other factors, such as laws enabling black markets, also factor in.
For computer crime, I suspect the relative ease of the crime - no physical dealings necessary, no moving of large amounts of physical contraband, etc. - as well as the relative lack of risk - only 1 in 700 cases of identity theft prosecuted, only cases totaling $50-100K being actively investigated - is a prime motivator. I've read that dollar for dollar and risk for risk, computer crime is now more profitable - if not necessarily larger in total revenue - than drug crime. Not hard to see the attraction for people on all levels.
@ Richard Steven Hack:
Nice analogy with the aphorism about the shoemaker's children. :)
"It's pretty clear that economic conditions DO influence the crime rate for // certain classes // of crime. Other factors, such as laws enabling black markets, also factor in." (emphasis was mine).
Agreed. However, the sociology books like the one Nick P. probably read have a tendency to lump the entire spectrum of criminal activity into one lump called "crime", and then attribute all of it to generalities like poverty and lack of education. Your point was much better said than the soc. books: Different classes of crime attract different criminals, and for different causes and motives. I was just disagreeing with the one-cause-fits-all model so common in ivory-tower academics and mass media pundits.
Also agree that the risk-reward ratio for computer crime is far better than for knocking off liquor stores for $150 and a bottle of Wild Turkey. Good point - and as you said, for people on /all/ levels. The poor and illiterate might be stuck with the liquor store heists.
"This Silicon Valley start-up with such valuable proprietary source code wasn't even smart enough to store it encrypted when the office is closed? ... not sure I'd want to buy anything from them."
Nicira Networks always smelt a little funny to me. A valley based startup full of CS PhDs from Berkeley and Stanford and MIT, yet not a single Asian or Indian sounding name amongst them. Hmmm... what's the probability of that happening, without some active pre-selection criteria.
OK so why would a Venture funded start-up have a racial mix that is completely out of sync with the rest of the valley's commercial workforce? I don't know...but maybe the statistical characteristics of this company's employees matches that of some other groups better.... bingo, 3 sigma match for at least two other companies, whose activities are a little better known.
Now what were we talking about here, yea the theft of network virtualization software on parallel distributed hardware with a Network Hypervisor layer, where the founders are all ex Cisco, Juniper and Force10 guys..... I give up, can't imagine who would want that, or what lengths they might go to to either get a peek at it OR just convince someone that they got a peek at it.
@ Robert T.:
What scares me even more is a super-high-tech company that can't count to 5 in decimal.
"We may disclose your PII to third parties if: (1) you request or authorize it; (2) the information is provided to comply with the law, applicable regulations, court orders or subpoenas, to enforce any agreements, or to protect our rights, property or safety or the rights, property or safety of our users or others; (4) the disclosure is done as part of a purchase, transfer or sale of Nicira's business or assets (e.g., in the event that Nicira transfers substantially all of our assets, customer information may be one of the transferred assets); or (5) such third parties are Nicira's agents, outside vendors or service providers who are performing functions on our behalf...."
I guess I'm the first person ever to have noticed that there is no Paragraph (3). Or maybe I'm the only one who reads privacy policies. ;)
I'll leave the conspiratorial aspects of this to you. Me, I'm just going to put on my aluminum-foil hat, and wonder about all of these high-tech people who don't know how to count 1, 2, 3, 4, 5 ... or even worse, are so careless as not to care. If they don't proofread their own web site, why would we believe they vet their own code at all?
:light bulb: The burglar with the ski mask stole Paragraph 3! B*st*rd!
@ Robert T & tommy,
"OK so why would a Venture funded start-up have a racial mix that is completely out of sync with the rest of the valley's commercial workforce?"
"I guess I'm the first person ever to have noticed that there is no Paragraph (3)"
It's funny where 'side channels' pop up and what they can reveal...
Tommy, I'd be wondering what was removed rather than if they could count ;)
"It's funny where 'side channels' pop up and what they can reveal..."
I once took a course on, The identification and characterization of nonlinear systems from random data.
To this day, I'm amazed at how much information can be harvested from simple data distributions for randomly collected sample points. What's even more amazing is how much can be inferred about the nature of the processes / systems that create non-normal data distributions. It is fun reconstructing equivalent Bilinear and Trilinear systems to predict system behavior to stochastic inputs.
So what you call "side channels" I call evidence of system nonlinearity, because the presence and nature of the Side channel is a function of the data being acted upon by a nonlinearity. So the side channel leak is only one special case, of the many things that can be inferred about systems that act non-linearly on random input data.
Nonlinear systems analysis really is a fascinating topic, and of great relevance to real time Cryptography because most crypto primitives are highly non-linear functions, so by their very operation Crypto functions must create side channels, yet we act surprised when someone discovers the side channel, that must by definition exist. Oh well...it's a job!
Gwyn Moody has an angle:
which is that it's generally parallel to what legitimized powers have been up to lately.
@ Nick P,
You know the other day you were looking for a modern example of a software "poke to die" well...
It appears that Apple has done a "security silly" in that they have a default password on the micro processor in the Apple Mac batteries...
Well the researcher who found the passwords is looking at if it is possible to put malware in the battery to own the Mac it gets plugged into...
Such is the obsessive compulsive disorder that all mobile phone and laptop/netbook manufacturers have about the illegal (in Europe) requirement to "use only their batteries in their products" I think his chances are quite high.
From what I have been told in the past some of these "battery micros" are not just noddy little I2C comms bus sensors or memory chips like the old fashioned software dongles of old, but more akin to phone SIMs...
@ tommy and RSH
"I'd not put too much stock in sociology, as it's barely a science; certainly one of the "softest". E. g., There was more crime in the US during the boom of the Roaring (19-) Twenties than during the Depression of the 1930s. In all fairness, the 1920s were the Prohibition era, which gave incentives for gang violence over the lucrative trade, just as drug prohibition does today. No black market = no profits worth risking jail or death. " (tommy)
Good points. I was kind of going in that direction but I think I can narrow it to make it more accurate. How about this: a strong decrease in the number and pay of legitimate jobs coupled with an increase in low-risk, high payoff criminal opportunities greatly increases the number of affected individuals taking up such crimes. The trend, as I've seen it, has occurred over half a decade (maybe more). The most likely criminals come from the IT side of the financial, services and manufacturing industries. Many IT people have a hard time finding work. Many others face increasing pressures for decreasing wages. Crime might be seen as a nice alternative for these people.
"Very poor people in the US who can't afford computers or the training to use them seem like unlikely cybercriminals. " (tommy)
You'd be surprised. I've lived in many rural areas where people were on food stamps but had laptops and made wardriving a hobby. I've also lived in the "hood" and seen the same things. Just because they are poor or do manual labor doesn't mean they aren't smart. It's usually a small percentage with technical skills. They are the highest risk in that class. Another common occurrence is the less technically inclined hear about these things and try to convince one of the few technical people to come up with a scheme or teach them one.
@ RSH in particular
"...were part of the X-Force, a team of “white hat” hackers at a company called Internet Security Systems... concentrated on breaking into secure networks to find holes before someone with bad intentions could do the same... 'There are maybe 500 people in the world who could do this kind of stuff,' says Christopher Klaus."
Only 500 good pentesters in the world? And they all work for his company? What? Yeah right. Otherwise, the article was a nice source of information on offensive infowar. Thanks for sharing it.
@ Robert T,
"So what you call "side channels" I call evidence of system nonlinearity, because the presence and nature of the Side channel is a function of the data being acted upon by a nonlinearity"
And to be a bit glib 'the greatest cause of non linearity is humans' ;)
I remember a story from the first gulf war about how the fact the war had started was known first to the pizza delivery boys around various Gov buildings, they had "never had it so good" that night...
Sometimes just walking down the street and looking up and seeing the "midnight oil" being burnt is enough to tell a game is afoot.
From some of my early days "bin diving" you would learn some quite amazing things just looking at peoples trash/rubbish.
The one that always gets me is people who get "burgled twice" they don't seem to realise that putting out in the rubbish the packing cartons of their new shiny replacement electronics etc is just advertising "Steal me quick" to the local low lifes.
Yup I call them all 'side channels' for want of a better expression...
@ Clive Robinson
The number of cars in the parking lot is another classic give away. So, if leaking classified information to the enemy is espionage, then what are we going to charge these nitwits with? Involuntary espionage? :)
I was going to take a different tack on the subject. My thesis is that an increase in hacking (and/or hacking's visibility) is directly related to the Pentagon's recently announced initiatives on cyber warfare.
This is a similar phenomenon to post-9/11, where afterwards we started hearing of real or pseudo-terrorist events happening almost weekly, and started making terrorists of tourists with cameras, for instance.
Any time there's a huge amount of money -- taxpayer's money -- at stake in such projects as cyber-warfare, propaganda is a sure sign to accompany any real initiative.
@ Clive Robinson:
"Tommy, I'd be wondering what was removed rather than if they could count ;)"
The post was a bit facetious, but the Big Picture was: Carelessness, the pandemic disease of our times.
The reason the Army teaches recruits to shine their shoes and belt buckles to a reflective gleam is not that any war has ever been lost by unshined shoes or dirty belt buckles. It's to instill the habit of care and precision, so that the gleamingly-cleaned rifle is less likely to jam at a crucial moment, and so that mission orders will be followed with precision. Those who pay attention to the small details are more likely to get the crucial ones right. Sorry that subtext wasn't evident in the post.
@ Nick P.:
"... a strong decrease in the number and pay of legitimate jobs coupled with an increase in low-risk, high payoff criminal opportunities greatly increases the number of affected individuals taking up such crimes. ..."
It could be, but there's still the issue of moral compass. Many people in dire financial straits don't turn to crime. A young lady can make much more money by prostitution than from accepting a minimum-wage job until things get better, but the overwhelming majority don't. (Not counting "getting married" here. ;) Much more complex factors lie behind who turns to this lifestyle.
Same in your case. Honest people won't turn to crime. They'll find other ways to cope. Of course, if the IT person has always had a larcenous streak in them anyway, then your model fits perfectly. And we know that power corrupts, and having strong security skills (hence, anti-security skills) is power. Which could corrupt someone. I'd ask whether you yourself would start stealing if things got bad, but I'd rather not know the answer. ;-D
Interesting point about tech skill-sets among the impoverished. "Just because they are poor or do manual labor doesn't mean they aren't smart." -- Or at least, "shrewd" -- "street smarts". Do you have any data at all on how many criminal hacks are done by inner-city minorities (read "ghetto-ites") vs. the white-collar crowd we usually associate with this? I hadn't heard of it; would love to see some stats or even some individual case reports.
However, people of such mind and circumstances were probably committing other higher-risk, lower-reward crimes before, then discovered the better ratio available from electronic crime. Those with a strong moral and ethical code won't break it in the face of temptation - in fact, that's the very definition of a strong ethic.
I forget who mentioned it above, but you have to know that one heck of a lot of pretty good IT people have been laid off by the most dishonest businesses in the world -- big stock trading houses.
They were already committing plenty of crimes, they just get a pass under our current system. Or in some cases, not exactly crimes, (bad laws exist, or good ones fail to exist, or regulators can't do their jobs for "various reasons") but certainly morally wrong stuff - amounting to outright theft in arbitrage and front-running, as well as quote stuffing.
Seems natural that this sort, many of whom are pretty expert in networks and the lower level parts of opsys, and who already have proved they have no moral compass -- or one that already always points south -- might be involved in some of the more intense larger scale hacking.
I trade for a living. I have high bandwidth access to market data all day every day. You can see this going on if you have a clue -- it only takes a few seconds to find it if you know what you're looking for in the transactional flow. Since I developed software for a bunch of decades before this, I have a clue how it all works.
Now, is it unfair for me to take advantage of this "insider knowledge" since it's public? At the current level of development, it's still possible for a smart human to beat a fast but dumb algo....even if the dealer is cheating, you can win at poker.
@ Nick P,
"then what are we going to charge these nitwits with Involuntary espionage?"
It's actually a good question because how do you tell the difference between a nitwit and a careful/clever spy?
The generalised idea is that "nothing exists in a vacuum" and thus it affects and is affected by what adjoins or touches it, it is the fundamental idea behind forensics axiom of Locard's Exchange Principle (sometimes incorrectly called "Lockhart's Principle") about crime scenes and perpetrators.
[Although I suspect Arthur Conan Doyle had the idea to a greater degree with his fictional character Sherlock Holmes, based in part on Edinburgh's real Dr. Joseph Bell and Sir Henry Littlejohn. In fact Edmond Locard was actually called "The Sherlock Holmes of France".]
"Nothing exists in a vacuum" is also the idea behind the idea of "cause and effect" that every effect has an attributable cause.
The problem with both Locard's idea and cause and effect is the known problem from physics of "The Noise Floor" or "measurement error".
That is in every measurement there is uncertainty due to many issues that cannot be effectively quantified and thus either assessed or removed.
[There is a whole branch of science behind measurement known as metrology, (not to be mistaken with meteorology). And importantly it is noticeable how few "metrologists" ( http://www.agilent.com/metrology/define.shtml ) work in forensics as opposed to other equivalent areas such as "test and calibration".]
Measurement error is attributable to two causes "mistakes" and "error", mistakes are avoidable with care, error cannot. Sometimes various aspects are given specific names such as "cross contamination" (which can be attributable to either mistake or error), but most are not.
One aspect of "error" is "from the environment" which gives the "background noise", one such area that this occurs is "nitrate tests" for explosives. Ammonium nitrate is a natural part of the environment and cannot be avoided or quantified as it is used for many diverse things including as a "cure" for preserving meats. It originates as part of the process of decay and other nitrates occur similarly due to the break down of organic compounds such as nitrates of cotton and wood etc that gave us early plastics and varnishes. Thus finding "traces of nitrates" is not "proof positive" of anything in particular and anyone who says otherwise usually has an agenda.
Thus all human activities suffer from Locard's principle and cause and effect both tempered by the background noise, and this "noise floor" area is where a clever spy hides their activities.
Amazingly as in your "car park" example and the "pizza example" the most obvious side channels are often "oblivious to those within".
However as Robert T has pointed out the clever spy can be caught, as eventually you can "average out" the noise to show patterns. Which might (but I very much doubt it) be how the insider trader which Bruce blogged about a few days ago was caught.
The thing is for metrology to work consistently you need lots of data and this is becoming an issue in the field of security.
Due to the issues of liability businesses keep the minimum of records on the principle of "Don't leave ammunition for the enemy". However if you don't keep sufficient records you cannot show how a security event happened and thus prevent it occurring again.
The important questions are thus where do you draw the lines and why, and can these choices be used to show "intent". Which brings us back to Robert T's question the other day of "destruction of evidence" and the flip side of "best practice".
"Now, is it unfair for me to take advantage of this "insider knowledge" since it's public?"
Interesting question, it is one that I often grapple with regarding equities trading.
There are many High speed trading strategies that become illegal because they are fundamentally gaming the system. However what is interesting is to watch vested interests defend what are clearly "morally questionable" practices.
I remember some strategies were as simple as bid on anything and then refuse to follow through if the price moved in the wrong direction. (It was a bit more complex than just this and involved manipulating the "ping" fast to bid but very slow to settle.)
I know a lot of early cryptographers applied the next point predictive capabilities of "Hidden Markov models" to drive buying and selling algorithms. What is interesting is that the anti-quant programs then implemented HMM but sold when the programs said to buy. Regarding the current discussion of "non-linear /side channels" is that this anti-quant strategy results in highly non-Gaussian data distributions so the quant player can infer the interference of the anti-quant and can thereby subtract out those actions.
Back before 2000 I did some consulting and design of some special purpose hardware, to solve financial data problems in real time. Interestingly I made more solving this problem for a few interested parties, than I would ever make providing similar communications chips for the masses.
@ Robert T,
I was aware that some people were using Kalman Filtering to lift certain market data out of the noise.
However Kalman filtering works best with gaussian noise, from what you are saying the "interesting noise" is now no longer gaussian...
That should prove interesting to watch unless they have read,
And the follow ups (Which I'm assuming they have).
Mind you the last time I implemented a Kalman filter it was for something much more important than making money, it was for a prototype controller for my son's model railway, just to make the "inertia" look realistic. Some things just don't have a price 8)
I don't really keep up with the latest on non-linear systems techniques, sometimes it is better to just stick with the old methods that you know and continue to refine their implementation.
Personally I mainly use non-linear identification methods developed by Julius Bendat and Allan Piersol. I probably shouldn't admit using Bendat's methods because they were only ever popular in some very narrow fields. Anyway, I'm certainly not an expert on this stuff but I usually think of the Kalman Filter as a simplified linear form of HMM.
I've read some of the Unscented Kalman filtering stuff before, but I can't find any beauty in the math so it doesn't resonate. Sorry but I still need to be able to find beauty in math before I can internalize it.
"It could be, but there's still the issue of moral compass. Many people in dire financial straits don't turn to crime. "
It's always a minority. So, our conversation applies to that minority. The "dishonest minority," didn't Bruce want to call them? Of course, we opposed that idea because cheating the system is sometimes ethically right and sometimes wrong. This leads to another aspect of this minority: many honest people can justify criminal acts.
The first justification that might kick in is doing the lesser of two evils: should I feed my family & keep our home or follow the law and choose one of these options? A very moral person might value their family and existing debts higher than the cash drawer of a liquor store or the cash holdings of a greedy bank. This hypothesis is supported by the claims of many credit card thieves that got arrested. Many of them said they picked credit cards instead of ATM cards because they were just stealing the banks' money & consumers were only liable for $50. Sounds to me like a crook with a moral compass in action. ;)
The second justification is that the person deserves the money that the system didn't give them. Or the lifestyle the system didn't give them. In the food stamp debate, many people who have been on food stamps for years said they paid taxes for a decade before running into financial trouble and *deserve* to use taxpayer dollars as long as they feel they need to. This attitude of entitlement shows up across the nation and can lead to crime or parasitic behavior. I've also noticed these people often work together to make their parasitism more profitable.
A third justification is that the target deserves it. Old school hackers used to use this to justify all sorts of mischief. The anti-sec movement is currently causing plenty of misery with this kind of justification. Bank robbers have also used this justification, often accusing banks of conning and robbing their customers. (Perhaps some sound reasoning there...) So, they say, "The banks rob consumers, we rob them. How is this any different?"
A fourth justification is amoral behavior. Although a small percentage of the whole, many people just don't care what they have to do to make money. They typically avoid outright crime because they can easily use this mentality to make legitimate money. (After all, many CEO's got their job by effectively acting like psychopaths, along with good business decisions.) If legitimate money becomes hard to come by, then these individuals will likely turn to crime.
So, we have our basic metrics: lower legitimate opportunities; legitimate opportunities with undesirable work vs reward; increased low-risk criminal opportunities; very desirable work vs reward ratio for crime. Anyone who is affected by the first two might go for the second two using any of the four common justifications I mentioned. Many have. Although, the resulting behavior is usually cons and petty theft in my experience. Some take a smarter approach though & many weren't criminals before the economy turned to shit.
"The first justification that might kick in is doing the lesser of two evils: should I feed my family & keep our home or follow the law and choose one of these options? A very moral person might value their family and existing debts higher than the cash drawer of a liquor store or the cash holdings of a greedy bank. This hypothesis is supported by the claims of many credit card thieves that got arrested. Many of them said they picked credit cards instead of ATM cards because they were just stealing the banks' money & consumers were only liable for $50. Sounds to me like a crook with a moral compass in action. ;)"
That is a major point, if you take that back in time, if you wanted food or shelter just find some empty land and animals surrounding the area.
Today if the farms stop producing the food, a power station that isn't in your city, a petrol company that isn't in your city... you don't have control over your future let alone your survival, and that isn't going to change back.
The worst part about that is you need a job to get that stuff(money), but if you are the biggest arse hole on earth you're not going to get a job, ie no food/energy/shelter... and the only way is crime.
But did you turn to crime first which stopped you getting employed or were you a tosser then turned to crime.
Andy: "But did you turn to crime first which stopped you getting employed or were you a tosser then turned to crime."
It's both. People don't become criminals one bright day when they wake up for no reason with a simple choice. They have a developmental history from birth (and possibly genetic predispositions, but I place little stock in that other than on a neurophysiological level.) They have parents who treated them a certain way (or didn't treat them in a different way.) They have experiences in society which alter their perspective. They get blind-sided by other people, society and events, health, whatever.
And eventually, depending on their developmental history, they get "fed up" with their lot and "fight back" in particular ways that are called "crime".
Or "terrorism". A "terrorist" is usually someone with a particular viewpoint on and history of life who has decided "I'm mad as hell and I'm not going to take it anymore."
I know. I was one. I still am in terms of that attitude. I understand terrorists and criminals perfectly because they're the same people as those who choose a non-criminal path - just for different reasons and a different developmental history. At bottom, every human IS the same.
The term "crime" is just too general to be useful. So is the term "criminal". The notion that there is a simple choice between "right" and "wrong" that everyone can make every second is just totally incorrect for just about everyone. It's Ayn Rand's nonsense.
It's on a par with these Pollyannas like Tony Robbins who claim they can fix anything wrong with you just with a few NLP tricks. If it was that easy, how come the whole world isn't doing it? How come it isn't mandated in human education?
Sure, we KNOW how to "fix people" and we KNOW how people should be raised to prevent them from becoming criminals.
But SOCIETY is not organized to do that. And because of human nature, it never will be (at least until human nature itself is altered.)
So we will continue to have a minority of people breaking "the rules" - and a majority of people supporting "the rules" - and those "rules" will make the minority an endless inevitability. And the "rules" will never be changed by the majority because they are conditioned to support them regardless of the fact that they produce a criminal minority and as a result produce an oppression of the majority as well.
Tommy: "would love to see some stats or even some individual case reports."
Read "Hacker Cracker". Classic case. A description:
"Nuwere is only 21 years old, but he has lived quite a life, which he shares here with the help of able coauthor Chanoff. Currently a security specialist with a major financial institution in New York City, Nuwere grew up in Brooklyn's often dangerous Bedford-Stuyvesant neighborhood. He was a precocious child who watched his young and once beautiful mother die of AIDS. At 13, under the watchful eye of his grandmother, he became a serious hacker, thanks to an uncle who lent him a PC. Nuwere's determination sets him apart from most; he is smart enough to figure out that the risks associated with hacking, particularly anything financially rewarding, are probably much greater than the return. He also seems to have a real gift for independent study, able to teach himself a great deal by examining the available documentation or reading textbooks in Barnes & Noble stores."
Clive: The WSJ article was interesting. Especially this part:
"Four years ago, he upgraded to a now-standard Microsoft Corp. Windows PC that connected directly to the Internet."
That was his first mistake... :-)
"Mr. Angelastri didn't ignore security. He regularly updated the payment software on his computer to keep up with the latest standards."
And this was not ignoring security HOW?
"Mr. Angelastri checked his systems and called in an outside technology consultant. That investigator found one problem on his computer—a piece of hacking software known as malware—which the investigator removed. Still, X-Charge kept forwarding him emails between MasterCard and a payment processor called Global Payments Inc. that suspected fraud."
They don't note how that malware got on the payment processing system, which probably means it either wasn't properly patched or someone got hit by a drive-by on the Internet by using the system for other than payment processing. Or the system received email from customers or others which infected it. Or it was hit by a real zero-day which is the least likely explanation (although someone always gets hit by zero-days so might as well be him.)
"After a sixth email warning in June 2010, Mr. Angelastri says MasterCard demanded he hire a forensic investigator to do a thorough review of his system... A Trustwave investigator worked at Mr. Angelastri's newsstand until 2 a.m. one morning looking for cyber clues as to how his system might be leaking credit cards to hackers.
The investigator discovered a program called Kameo was capturing everything that came into Mr. Angelastri's system before it even reached the PC Charge payment software."
Which means the first guy didn't find ALL the malware. Either he didn't find the Kameo service OR he didn't find some other malware which eventually installed the Kameo spyware.
This is the malware installed:
And I'll bet the reason the first guy didn't find it is because the business owner didn't want to pay for the time it would take to do a really complete cleaning. A malware cleaning can take from four to eight hours or even more. Depending on what the guy is charging (I charge $50/hour for small business users), that can add up.
"A Trustwave investigator worked at Mr. Angelastri's newsstand until 2 a.m. one morning..."
Been there, done that... That's what it takes to get rid of some of this stuff.
Although I have to say the tools are getting better these days. There are tons of freeware Windows process and service utilities that will tell you what is going on pretty deep in the system and let you get control of it and then eliminate it. Tools like Process Explorer, ComboFix, Rkill, D7...
@ Richard Steven Hack:
Interesting, thank you. Even more interesting was that the gentleman in question is now in a very prestigious and legitimate professional position, where he makes probably as much money, but without the risk of jail. So somewhere, he *did* receive a moral compass.
One could say the same of high-school hacker-turned-entrepreneur Bill Gates, except that Gates never acquired the moral compass. ;-D
@ Nick P.:
"Rationalize" = "Rational Lies". All rationalizations, none of them logically supportable. Even if Bank X did something considered morally wrong to Customer A (b,c,d, etc.), for Z to rob the bank does not right the wrong. What do they say? Oh, yeah,
"Two wrongs don't make a right."
Besides, is the robber going to distribute the proceeds back to the customers who were /supposedly/ gouged? Really? REALLY?
And this business of banks as evil is grossly overstated. The current crisis in the US was caused entirely by //Government// actions. (Richard, did I get your attention? ;)
I posted a 2200-word essay on this topic, tracing the current crisis to its roots in laws enacted in 1979, but because the essay includes a 14-line parody of Lord Polonius' advice to his son in Shakespeare's "Hamlet", I've been asked not to put such links in comments.
So I hope that anyone who wants to know what *really* caused the housing boom and bust, the bank crisis, and the current four-year recession, with no end in sight, will click the link in my signature and read the story.
Tommy: "So somewhere, he *did* receive a moral compass."
Yeah, one that told him "Go north for more money and less jail time." That's intelligence, not "moral compass."
And I agree about Gates, whose only goal in life is to take every dime that exists in every single person's pocket.
As for the current crisis being caused entirely by government, that's a bit simplistic. Certainly without government there would be no such things as "corporations" (although there might be such things as "companies".) However, the symbiosis between government and the rich needs no caveat and stretches back not merely through the decades in this country, but through the centuries everywhere.
The Founding Fathers of the US were more or less wealthy men - although most of them went broke during the Revolutionary War. And when Shays' Rebellion broke out - a revolution of the true underclass - John Adams suspended habeas corpus to keep the revolutionaries in prison. Although Thomas Jefferson said, "Let Shays' men go. For if you imprison men for riot and sedition, what check is there on government?"
Can you imagine any politician saying the same today (even in the Tea Party)?
Power calls to wealth and wealth is the reward of power. Not that wealth can't be achieved by other, fairer means. But the habit is to use wealth to acquire - and then abuse - power.
Yep, same one as over at RSnake's..
I wasn't trying to imply that sports = war. But it's the best comparison that I can come up with regard to teams that I've been a part of (something about corporate teams just doesn't seem to mesh at all ;) ).
@ tommy (and RSH might be interested)
""Rationalize" = "Rational Lies". All rationalizations, none of them logically supportable. "
Actually, nature invented us and the other animals on the planet. Nature gave us many survival tactics ranging on a continuum from selfish to altruistic. Theft & murder for survival advantage are valid tactics in nature's book. Human beings made up morality to impose order on a rather chaotic species. This is reflected in noticing that the law largely rewards those who support it and punishes or destroys those who oppose it, regardless of how.
If anything, people who make claims about inherent morality are the ones lying to themselves. It doesn't exist. It's a myth that explains "moral" people's individual preference of altruism & is used to convince/force more selfish people to avoid using their more effective & damaging tactics to gain a competitive advantage.
"Besides, is the robber going to distribute the proceeds back to the customers who were /supposedly/ gouged? Really? REALLY? "
It doesn't matter. I was merely illustrating how they model their justification in their heads. And in those specific cases, your "Rational Lies" applies because they'd be lying to themselves. Only those with Justification 4, pure selfishness, are taking an honest approach.
Interestingly enough, capitalism is partly based on the ethical theory of "profit maximization," where everyone plays it selfish & market/social forces cause equilibriums. In a capitalist viewpoint, these criminals using Justification 4 are doing the right thing. They are also a check against people hoarding wealth, as they will target them. (My novel contribution to that field of study. ;) It takes a strong set of societal and other protection mechanisms to defeat determined individuals using Justification 4. Our society has evolved & developed these, so we regularly crush them.
However, attackers with many justifications will continue to pop up because it's human nature like RSH said. Additionally, organizations with poor defenses (for economic reasons) will continue to lure potential attackers, who hit for economic advantage or psychological gratification. Morality is hardly a factor. It's just psychology & human nature. Sometimes it plays out in a way we would describe as "moral." Sometimes it doesn't. Fortunately, most people act "morally" to some degree most of the time.
@ Richard Steven Hack:
"As for the current crisis being caused entirely by government, that's a bit simplistic. Certainly without government there would be no such things as 'corporations' "
Richard, I certainly can't demand that you read the essay in question, but it appears that it was not read before your above reply. It's not the existence of corporations per se, it's laws that specifically //forced// banks to make bad loans to unqualified borrowers, loans that the banks would never have made on their standard underwriting criteria. This caused the housing boom and bust, and hence, the recession. If you have time, give it a look.
Actually, Government //has// caused nearly all of our economic woes, by taking us off the gold standard and creating in 1913 the Federal Reserve Board, with its power to print worthless paper money. If you or I do that, it's called "counterfeiting", and we go to jail. If the Fed does it, it's called "stimulating the economy", or the new euphemism, "quantitative easing". Economists like myself (MBA with double majors in Finance and Economics) call that "inflation".
There's another essay of moi's posted, that details the economic history of the US, from founding to the present mess, where we went wrong, why, and what it would take to fix it. Which isn't going to happen, IMHO, short of the much-needed default next week. Again, the 6300-word treatise (could have been a doctorate thesis, LOL) includes part of it being a parody of Don McLean's classic, "American Pie", so per instructions, the link is in my signature to *this* post rather than in the comment field. The link to the housing-specific one is in the signature to that post, "Posted by: tommy at July 25, 2011 2:15 AM".
Isn't it amazing how one can remember trivial details from a year ago, of no real importance (no offense), but not remember where is the pen that I set down twenty seconds ago? ;-D ... well, thanks for letting me know that a few neurons are still firing. :)
@ Nick P.:
"They are also a check against people hoarding wealth,"
And if I choose to keep what I earn (honestly, but even if dishonestly earned), why is that bad? Rhetorical - I maintain that what's mine is mine, after the Gov steals its cut, of course :-(, and if I want to stick it under the mattress, that's no one's business but mine.
In fact, this "hoarding" doesn't happen very much. The same selfishness you describe gives those with surpluses an incentive to invest it in ways that they hope will increase it. Yes, banks and corporations are much tighter now with doling it out, but that's because those who survived the recent disasters still got pretty badly spanked themselves, for doling it out too loosely. Rational self-interest. Good loans to credit-worthy borrowers are not only made; they're eagerly sought. (I get a few solicitations in the mail every week. Not that affluent, but my parents instilled in me the values of thrift, of living //beneath// one's income, and hence, of saving for rainy days, or freakin' thunderstorms.)
I never said morality was inherent in a new-born baby. As per a previous post somewhere that I don't need to find, I said to RSH that "the attempt to make strangers feel safe with us, and for us to treat strangers decently, is called 'civilization'. Results to date have been mixed." Civilizations work to develop a moral code so that they can be civilizations instead of might-makes-right jungles. (Someone once said that when ethics fail, we make laws. Good one.) Religions try to do this. Individuals *are* capable of avoiding harming others because they believe it's wrong, or empathize with the victim. The fact that not all do, doesn't change this.
The best argument for a morality that is correct for all humanity was made in "Atlas Shrugged" by Ayn Rand, so whenever you have time to delve into an 1100-page novel, you might find some interesting viewpoints on these topics.
Copy-paste error. Link to Econ History of US to "American Pie" is in *this* sig -- I hope.
But I remembered AppSec from RSnake's blog (sheesh!).
Tommy: I followed Objectivism back in the late '60's (while in high school) into the early '70's while in the Army and a bit after. After experiences in the US Army and Vietnam, when I became aware of the concept of anarchism, I subjected Rand's concept of limited statism to a careful analysis using her own concepts of economics from Austrian economic theory. I ended up rejecting her limited statism for anarchism purely on economic behavior grounds. Her own arguments for limited statism simply didn't hold water on economic grounds.
This demonstrated to me that her philosophy was not as consistent and rational as her proponents believed.
Subsequently while writing in the zine "The Libertarian Connection" for some years, I analyzed her emphasis on morality and blew that off as well for being inconsistent and not particularly rational.
Much later, while in prison with plenty of time on my hands sitting for over two years in "The Hole" at Leavenworth, I went back to first principles and developed my own philosophy which I refer to as "radical Transhumanism".
Basically, the only thing Rand ever said which was correct was that "values depend on life." From that basis - and with influences from such diverse sources as William S. Burroughs, Timothy Leary, Robert Anton Wilson, and especially Alan Harrington in his "The Immortalist", as well as objective facts from the sciences and the history and evolution of human behavior and human society, I came up with what I view as a more correct and rational perspective on most issues.
So I am - or was, not paid much attention to it lately - familiar with Austrian economic theory and the effect of government on economics - which is why I said what I did above.
But as I've indicated above, I've moved well beyond that - and some would probably say well beyond everything... :-)
My concepts of Transhumanism and the probable ultimate effects of technology over the next half century to a century have altered any interest I might have in the usual concepts of human nature, human civilization, human psychology, political order, sociology, religion, economics - pretty much everything.
Technological development over the next half century to a century is going to radically change everything right down to the human body and brain and the world environment. The rise of Transhumans is going to be the seminal and primary phenomenon of this century, beggaring pretty much everything else including climate change.
You might want to look into "Orion's Arm" future universe building site for the sort of thing I'm talking about. It's an awesome endeavor and great fun.
Humans are obsolete - and were never much good for anything except developing technology anyway. Humans are unlikely to survive the next 50 to 100 years as a species. So my primary interest is in surviving to see and be part of the "di-morphic split" between humans and Transhumans.
Pretty much everything else is irrelevant to me except for intellectual recreation in deciding what is "correct" and what is "incorrect" about current human events like computer security and foreign policy.
In other words, my perspective on things is pretty much a combination of Star Trek's Mr. Spock and Heath Ledger's The Joker... :-) Or a combination of Doctor Doom and Thanos (my two Main Men) from Marvel Comics... :-)
Which is why I'm good at getting to the heart of most matters and ignoring the superficial aspects of things and seeing through the BS the rest of the world bases their lives on.
So far it hasn't made me any money or gotten me laid, though... :-) But I'm working on that.
"And if I choose to keep what I earn (honestly, but even if dishonestly earned), why is that bad? "
A strong economy is composed of many exchanges of wealth. A person with lots of money who buys things and makes investments economically benefits many people. A person who holds onto their wealth benefits 1 person during that time frame and *maybe* more later. Hoarding benefits few at the cost of many. I'm merely looking at it from that angle.
"Civilizations work to develop a moral code so that they can be civilizations instead of might-makes-right jungles."
Sounds half right. We don't have a civilization though. It's abstract. We have an implementation of the civilization concept in the form of the US Govt., formal laws, courts, social structures and individuals. The key point missing in your statement is "control." Many of these structures are created or maintained by people who want control over others for selfish reasons or dubious altruistic reasons. These aspects of civilization, at least as numerous as those promoting morality, actually cause the opposite of the intended effect. This must be taken into account when considering the "morality" of a given "crime."
"Individuals *are* capable of avoiding harming others because they believe it's wrong, or empathize with the victim. The fact that not all do, doesn't change this. "
Some are, some aren't. Which points toward it being an individual preference rather than some inherent truth embedded in us. The workings of nature as a whole tend to point toward it being a preference, perhaps to give our species a survival advantage. So, there still is no right or wrong. There's merely what's right/wrong for the individual, the government, the species, the biosphere, etc. Each person chooses, some innately, what they want to align their values with.
@ Richard Steven Hack on Transhumanism
"I went back to first principles and developed my own philosophy which I refer to as "radical Transhumanism"."
"But as I've indicated above, I've moved well beyond that - and some would probably say well beyond everything... :-)"
You might be too far beyond. Transhumanists are much like the underwear gnomes in South Park:
1. Start moving from the current state.
3. Transhumans (profit!)
Most transhumanists are focusing on 3, but 2 is the most important step. The risks that the movement poses to humanity are as great as the alleged benefits. (Or worse, as the risks have proven out more often than the benefits.) The problem is unchecked scientific progress, esp. regarding genetic engineering. They are building and deploying stuff en masse without adequate long-term study of its effects on the human body or biosphere. The results of this trend will probably be negative. Here's a few risks that immediately come to mind.
1. Bioweapons. Engineered to resist drugs, heat, etc. Let's hope one never escapes or some college kid doesn't use available information to build one for someone to use.
2. GM crops. Genetic modification to make better crops. Sounds nice. Cons? Various serious medical conditions? Can propagate to safer, natural foods? Why was this a good idea, again?
3. Human DNA modification. Where do we begin? Gattaca-effect: new stuff mostly affordable by rich & upper class, creating a caste system. Biotech stuff is usually patented & investors want big $$$, so this is likely to be attempted. Sub-human argument: we create sub-humans for labor, unethical experimentation, etc. (May not be entirely bad, though.) Super-human argument: we create something that's not necessarily better or singularity, but which destroys us. (Brilliant, human, psychopaths a la "The Eves" on X-Files?) Doomsday scenario: we create & widely distribute something that has positive short term effects, but destroys us in the long-term. (There was a good example in movie or book, but I can't recall.)
As if the above weren't alarming enough...
4. Physics. Theoretical physics experiments that could cause major disasters have run largely unchecked & without adequate caution. HAARP project, mostly classified, is trying to raise and superheat the atmosphere. In spite of gov.'t studies showing dangers of ELF waves on brain, we have subs, power distr. centers, and things like HAARP blasting them all over the place. In spite of dangers of high power microwaves to brain, we have them everywhere. And they built the LHC even though the current models indicate it might produce planet destroying micro-black holes or strangelets.
5. Biosphere. Rampant technological progress and industrialization have consumed many of the planet's best resources, destroyed many potentially-useful species, and undermined the very mechanisms by which our species survives (clean water & the ozone layer come to mind). Expanding populations & dependence on technology merely increases this.
From what I see, there's a greater chance of Transhumanism retarding our social growth or destroying our species outright. Call me an alarmist, but human nature & economic forces are pushing us in the direction of the doomsday scenarios, not some enlightenment & transformation of all for the better.
This thread is running away in several directions. Please make sure any further comments stick close to the subject of security.
Nick P: "there's a greater chance of Transhumanism... destroying our species outright."
Heh, but you don't get my point. You say that as if it were a Bad Thing! :-)
Moderator: I think this thread is pretty much over.
@ Richard Steven Hack
"You say that as if it were a Bad Thing! :-)"
Good point. Recently, I've been thinking it would be a good thing. The destruction of this failed design is necessary for a better species to develop and thrive. I've even charted out a few modifications to human nature that would prevent the majority of problems we face. So, the next thing might be human-like. It can't be human, though.
"Moderator: I think this thread is pretty much over."
have a look what german journalists make of a reasonable answer to a question of an online magazine:
"is there a hacking epidemic?" asks bruce schneier, well renowned security expert from the u.s. capital washington.
but another question is much more important: how is it possible that these hackers could have been so successful?
the inconvenient answer is: the most important piece of infrastructure to our planet is too weak to do what we are using it for. the computers, the network, well, information technology as a whole is failing on a massive scale.
ouch. what was the first sentence from bruce's reply again?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.