The Hackers are Coming!

By Bruce Schneier
Utility Automation & Engineering T&D
December 13, 2005

Over the past few years, we have seen hacking transform from a hobbyist activity to a criminal one. Hobbyist threats included defacing web pages, releasing worms that did damage, and running denial-of-service attacks against major networks. The goal was fun, notoriety, or just plain malice.

The new criminal attacks have a more focused goal: profit. This difference makes the new attackers more dangerous and potentially more damaging.

Criminals differ from hobbyists in several respects. One, they care less about finesse. Hobbyist hackers looked for new and clever attacks, while criminals will use whatever works. Hobbyists regularly advertised their presence, while criminals are more likely to be stealthy. Hobbyists generally didn't care who they attacked, while criminals are more likely to target individual organizations. Criminal attackers are less risk-averse; they're willing to risk jail, which hobbyists are largely not. As such, criminal attackers will engage in behavior that hobbyists avoid.

Counterpane's monitoring data (we currently monitor over 500 networks) illustrates this trend. The financial industry ranks second highest in attacks. And we are seeing many IP addresses of Romanian origin probing financial institutions. Romania has been one of the known locations for organized crime organizations. (As an interesting side note, bio-health and manufacturing companies seem to be particularly vulnerable to the Zotob worm.)

Security Events Across Vertical Industries
January - October, 2005
Technology26%
Financial18%
Bio-Health17%
Insurance9%
Government8%
Materials/Manufacturing7%
Retail6%
Utilities/Power4%
Entertainment/Media2%
Consumer Products1%
Transportation1%
Lottery1%
Non-Profit0%

We are seeing a decline in the "noisy" brute-force vulnerability scanning that hobbyist hackers tended to favor, and an increase in more targeted, stealthy, and sophisticated scanning. Fifty percent of the targeted scans detected by Counterpane happened in the financial industry.

Targeted Scans
Financial50%
Bio-Health17%
Transportation8%
Retail5%
Technology4%
Entertainment/Media3%
Materials/Manufacturing3%
Insurance3%
Lottery2%
Utilities/Power2%
Consumer Products2%
Government0%
Non-Profit0%

There is also an increase in Trojans and other malware designed to "own" computers. Now that criminals are increasingly amassing both networks, they're using them for profit-making ventures: as a launching pad for spam, for denial-of-service extortion, to steal passwords and other personal information, and to run phishing attacks from. Often these uses are stealthier, and the computer's owner might not even realize a hacker has control of their computer.

Counterpane is also noticing an increase in targeted attacks against networks, and an increase in attackers who are not easily dissuaded.

Criminals are now the main perpetrators of Internet attacks.

This trend is also echoed in the CSI/FBI Computer Crime Survey. Corporate losses due to computer crime were generally down from last year, although up in the two areas most indicative of criminal attack: unauthorized access to information, and theft of proprietary information.

While criminal attacks are now serious risks for all organizations, the greatest risk is probably to the people whose information is stored by those organizations. When a criminal steals personal information as a prelude to identity theft, it is the victim of that identity theft who bears the brunt of that crime - not the organization that failed to protect the data. So, while individual organizations might see overall losses going down, losses across the Internet are rising significantly.

It is for this reason that many national and local governments are enacting laws designed to protect personal information. Organizations risk civil and criminal penalties if they fail to adequately protect personal data, or do not notify individuals whose information has been stolen.

Criminal attacks represent a new threat for most organizations. Most organizations have built their computer and network-security systems to defend against the hobbyist threat. Criminals are more highly motivated, better funded, less risk-averse, and more tenacious. Defending against them will require even more expertise and resources.

earlier essay: Airline Security a Waste of Cash
later essay: Hold the Photons!
categories: Computer and Information Security
back to Essays and Op Eds

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..