W is for War
Cyberwarfare is no longer a sci-fi abstract: It’s a very real part of strategy. Its exact workings remain shrouded in mystery, but its effects are becoming more pronounced.
When Russia and Georgia briefly went to war in 2008, DDoS attacks hit Georgian websites. As more and more public services go online, such attacks obviously will be increasingly damaging. What’s less clear is who launched the attacks in 2008. Russia was the obvious culprit, but analysis showed that the attacks came from around the world. It seems that, rather than acting directly, a loose coalition of third-party actors—a diaspora, or contractors, or both—achieved Russia’s ends. The line between governments and independent hackers acting in their interest is increasingly hard to discern: Instead of acting directly, governments might “seed” hacking activity, whose results can be chaotic and unpredictable.
Even more ominously, the line between digital and physical war has already been crossed. In 2010, a virus called Stuxnet spread around the world, but it’s believed to have been designed to do just one thing: Destroy centrifuges in Iran that were being used for its nuclear program. The virus was designed to reprogram the centrifuges to essentially shake themselves apart, all while pretending to be functioning normally (and it seems to have worked).
Needless to say, nobody ever took credit for the virus, but the Israeli and American governments were suspected.
X is for doXing
You don’t have to break into a computer system to learn all about someone; most people have a more revealing online footprint than they realize. It just takes a motivated party to connect the dots—or the “dox,” publicly available online documents.
Scenario: You make a post on a blog under an alias. A malicious hacker could use search engines like Pipl.com (or even Google) to find everything posted using that alias on the Internet. Since people tend to reuse aliases, the data trail could span many sites; one happens to connect to your real name. Feeding your real name back into the search engine reveals your other aliases, including the one you used to angrily sound off in an online forum. Meanwhile, your real name brings the hacker to your semi-private Facebook page, which discloses your hometown and spouse’s name. A search on your spouse’s name yields an academic history, an old blog and a Twitter account that provides kids’ and pets’ names—one of which turns out to be the secret reset password on your e-mail account.
A single point of data might not be especially telling. But when many points are put together, a remarkably revealing picture can emerge.
Y is for Yikes
According to Symantec, in 2011 there were 286 million malware variants, many of which had the potential to expose personal data.
Z is for Zero-day attack
Oftentimes a company knows about vulnerabilities in its systems, and it’s no great surprise when they’re finally hacked. Then there are zero-day attacks, so named for the total number of days a software company has had to prepare for an onslaught. In 2008, Microsoft was staggered when attackers found a flaw in Explorer that had been lurking for almost a decade, before being discovered by hackers and exploited to steal passwords. Microsoft had to scramble to release a patch and fix a goodly per cent of the world’s computers.
“We’re always going to be one step behind the next thing,” says Tamir Israel, a lawyer at the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic. “We’re always going to be reactive.”
It would be nice if cybercrime could be stemmed at the root. But the mushrooming digital universe and the very nature of software itself—intricate, infinite, used by highly fallible humans—make that an impossible fantasy.
Instead, cybercrime has fast become something like every other kind of crime: a phenomenon born of human circumstance that will just have to be managed. It might well be the world’s youngest profession. But like the oldest, it’s not going anywhere.