The last Presidential election has brought the security of our nation's cyber network to the forefront of the news and investigation.
Cyber crimes are and can be criminal offenses committed via the Internet or otherwise aided by various forms of computer technology, such as the use of online social networks to bully others or sending sexually explicit digital photos with a smart phone. The Federal Bureau of Investigations is the lead federal agency tasked for investigating cyber crimes and attacks by criminals, overseas adversaries, and terrorists. The threat is incredibly serious and growing. Cyber intrusions are becoming more dangerous, commonplace, and more sophisticated.
Cyber crimes are one of the greatest threats facing our country, and has
enormous implications for our national security, economic prosperity,
and public safety. The range of threats and the challenges they present
for law enforcement expand just as rapidly as technology evolves.
On April 5, 2002, an unidentified hacker penetrated a California server
housing the state government’s payroll database, gaining access to
names, Social Security numbers and salary information for 265,000 state
workers from the governor on down. The breach itself was small potatoes,
but when it emerged that the California Controller’s Office had waited
two weeks to warn the victims, angry lawmakers reacted by passing the
nation’s first breach disclosure law, SB1386.
That law requires hacked organizations to promptly warn potential
identity theft victims. Its passage pulled the rock off the string of
major corporate breaches that companies would have preferred to hush up.
Today, 45 states have enacted similar laws.
In 2003, fear came in 376 bytes. The lightning-fast Slammer worm
targeted a hole in Microsoft’s SQL server, and despite striking six
months after a fix was released, the malware cracked an estimated 75,000
unpatched servers in the space of hours. Bank of America and Washington
Mutual ATM networks ground to a halt. Continental Airlines delayed and
canceled flights when its ticketing system got gummed up. Seattle lost
its emergency 911 network, and a nuclear power plant in Ohio lost a
safety monitoring system.
Slammer wasn’t the biggest worm ever, but in its aggressive, relentless
spread, it exposed the secret interconnections that corporations were
foolishly allowing between important private networks and the public
When Los Angeles traffic engineers went on strike in August 2006, the
city decided not to take any chances: They temporarily blocked most
access to the computer that controls 3,200 traffic signals throughout
the City of Angels. Two of the striking engineers hacked in anyway. From
a laptop, Kartik Patel and Gabriel Murillo picked four key
intersections and changed the timing on the traffic signals so the most
congested approach would hit long red lights.
The timing tweaks wreaked havoc in a city already flirting with gridlock, according to the Los Angeles Times,
snarling traffic at the Los Angeles International Airport, backing up
the Glendale Freeway and paralyzing Little Tokyo and the streets of the
downtown Civic Center. It evidently took several days for managers to
figure out what was going on.
In December 2009, the engineers were sentenced to probation.
The first time we learned that the payment processor RBS Worldpay had
been hacked, it sounded like no big deal: The company announced in
December 2008 that it had seen fraud on only 100 of the 1.5 million
payroll and gift card accounts compromised in the breach. But it turns
out the hackers were able to raise the withdrawal limits on 44 of those
cards to as high as $500,000. Then they dispatched a global army of
cashers to slam the accounts with repeated rapid-fire withdrawals.
More than 130 ATMs in 49 cities
from Moscow to Atlanta were hit simultaneously just after midnight
Eastern Time on November 8, 2008, resulting in a one-day haul of $9.5
million in cold, hard cash. In November, the United States indicted four of the alleged ringleaders, who are in Estonia, Russia and Moldova. Yeah... good luck with that!
He called it “Operation Get Rich or Die Tryin’.” For nearly four years ending in 2008, 28-year-old Albert “Segvec” Gonzalez and his accomplices
in America and Russia staged the biggest data thefts in history,
stealing credit and debit card magstripe data for sale on the black
market. Using Wi-Fi hacking and SQL injection, the gang popped companies
like 7-Eleven, Dave & Buster’s, Office Max, TJX, and the credit
card processor Heartland Payment Systems, which alone gave up 130
The intrusions didn’t just make Gonzalez a millionaire — he buried $1.1
million in his parents’ backyard — they exposed slipshod security in
America’s card-processing infrastructure, and positioned the former
Secret Service informant to break a new record: longest U.S. prison term
for hacking. His plea agreements envision a 17- to 25-year sentence. It
could be worse. One of Gonzalez’s overseas accomplices got 30 years in a Turkish prison.
Bots were probably the biggest black-hat innovation of the decade, and the biggest and best was Conficker. From the start, the Conficker botnet had a trouble managing expectations.
But just because the worm didn’t destroy the internet, as predicted by
the mainstream press, doesn’t mean it wasn’t an impressive achievement.
Packing state-of-the-art encryption, and sophisticated peer-to-peer
update mechanism, Conficker tantalized security researchers and resisted
attempts at eradication, inhabiting at its peak as many as 15 million
unpatched Windows boxes, mostly in China and Brazil.
Experts think it’s the work of an organized team of coders, and there
are hints that it originated in Ukraine. And like most of the hacking
out of Eastern Europe, the software has a profit motive: It’s been seen
sending spam, and serving victims a fake anti-virus product that offers
to remove malware for $49.95.
Another innovation from the former Soviet empire were the so-called
“money mule” scams that emerged in 2009. Using specialized Trojan horses
like Zeus and URLZone,
the perps target small businesses that use online banking, stealing the
victim’s credentials and initiating wire transfers from their accounts,
usually totaling tens or hundreds of thousands of dollars.
In some cases, the Trojan horse even covers up the crime by rewriting
the victim’s online bank statement on the fly; other times, the hacker
just wipes the hard drive to keep the target off the internet for a
while. The stolen money goes to mules
who’ve been recruited through bogus work-at-home offers, and whose job
it is to withdraw the cash and send the bulk of it to the scammers via
Moneygram. It’s the perfect crime, one the FBI says has racked up $100
million in thefts, and counting.
As more and more people become aware of and use technology, the more cyber related crime is becoming more frequent, increasingly complex and with economic impact at a local regional and national level. Internet and digital related crime has a consequence for people and businesses, and the people associated to them, including staff, customers and stakeholders.
Cyber risk will not go away. It cannot be stopped but it can be mitigated.