Two years ago, a company called Medtronic unveiled a pacemaker that can be monitored via the tiny device's wireless connection. The pacemaker can talk to a regular BlackBerry, and to the world beyond.
It's 2012, and everything is data. Governments moving online deliver their most critical services as data. Businesses have turned their property into data, their processes into data, their money into data. Citizens have turned their social lives into data. Your location at this very moment is data: Your phone is tracking it, and your car is probably tracking it too. Anything you communicate to anyone who's not in earshot is data.
And wherever there's a flow of data, there's someone who wants to bend it to suit their own ends. Cybersecurity is no longer just a game of cat-and-mouse played with recluses who, by the dim green light of their computer screens, try to infiltrate mainframes. It's a wild, unpredictable space, where hardly a week passes without word of an attack on a newly targeted organization (Sony? NASA? The NDP?) for motives that are financial, political or just plain inscrutable. And, dear reader, you need to know the basics of this epidemic; we can't just rely on IT to take care of it. So here's a primer, in 26 steps, on some of the big questions facing the world of cybersecurity—and what you can do to keep from becoming a casualty.
A is for Anonymous
The only thing that Anonymous generates more than headlines is confusion about what it is. Anonymous has shut down the Vatican's website, taunted cabinet ministers, released hacked e-mails and inserted itself into national debates. But is it an agitprop activist group? A genuine security threat? An occasional cover for government meddling? Or just an anarchic idea gone viral?
Here's what we do know: Anonymous isn't a centralized organization, but a nebulous collection of cells and splinter groups that co-ordinate their efforts, to varying degrees, in online chat rooms. The first rule of Anonymous is (surprise) anonymity—a rejection of personal fame. After that, things get fuzzy. "Beyond a foundational commitment to anonymity and the free flow of information, Anonymous has no consistent philosophy or political program," writes Gabriella Coleman, a McGill professor who's spent years studying Anonymous.
If anything can be said definitively, it's that Anonymous embodies a culture of creative disturbance—the pursuit of chaos, justice, retribution, and having laughs—or "lulz," after the "laughing out loud" acronym "LOL."
In fact, Anonymous has more in common with the Dadaists than it does with run-of-the-mill cybercriminals. Its roots are in online pranksterism: The group sprang from a message board called 4chan—the same anarchic forum that produced harmless Internet memes like Rickrolling and LOLcats.
But a faction from the board started using more aggressive means to stir up trouble, like baiting and harassing obnoxious YouTube users. The turning point came in 2008, when Anonymous targeted the Church of Scientology. The church's secretive, controlling nature clashed with the collective's libertine streak, even before the church threatened websites in an attempt to suppress the dissemination of a goofy leaked video of Tom Cruise. Lulz ahoy! The church found its servers under attack, its offices surrounded by masked protesters, and a great many unordered pizzas showing up at its doorstep. The pranksters had found a political voice.
Since then, Anonymous has become the poster child for "hacktivism"—cybercrime that's committed on principle, rather than for financial gains or to pursue national ends. (However, since anyone can take up the Anonymous mantle, there's speculation in the security community that government actors could be using the group for cover.) After Anonymous mocked Vic Toews, the hapless Canadian minister wanted Parliament to act. Many Canadians already knew better: You can't punish a culture.
B is for Botnet
What does a virus actually do when it infects your computer? There are plenty of options, all of them unpleasant, but a common one is to recruit your machine into a virtual army. The machine will fall under the control of a lurking third party but might not show any outward sign of infection.
Botnets can reach into hundreds of thousands or even millions of infected computers. Size is their weapon. They can launch Distributed Denial of Service attacks (see "D" below), in which an army of commandeered computers bombards a website with requests until it collapses.
Botnets are also one cause of that unrelenting global scourge, spam: Each infected machine becomes a miniature post office, spewing out phony ads and links to booby-trapped websites that can draw even more machines into the network. Consider Rustock, a botnet that, by some estimates, enlisted as many as 2.4 million machines into its network. At its peak, it may have been sending 1.8 billion spam messages an hour, a third of global spam.
C is for China
Internet watchers still remember Jan. 12, 2010: the day Google announced that, after a serious hacking incident, the company was no longer going to play ball with the Chinese government.
It was a seismic event in the online world. Google and China were never easy bedfellows: Google's corporate mission is to organize the world's data and make it readily available. China, on the other hand, censors the Internet and sits behind a national filter so impermeable it's known as the "Great Firewall." Attempting to strike a balance, Google agreed to censor its search results, while alerting Chinese users that results were being withheld.
So when allegedly Chinese attackers gained access to some of Google's most precious assets—reportedly including elements of its source code, and the Google-hosted e-mail accounts of political dissidents—the company stopped censoring its search results. Within months, it was blocked throughout the country.
The incident helped solidify the image of China as a digital arch-enemy in the Western consciousness: There's hardly a cyberattack in the news that, failing to be credited to Anonymous, isn't reported to have some Chinese involvement. A recent McAfee survey of electricity-infrastructure executives showed that China was by far their top concern. And it's generally agreed that Beijing has adopted digital warfare as part of its military doctrine.
"China, at some point years ago, decided this was the best way it could catch up, and started seeding a lot of this activity," says Ron Deibert, director of The Citizen Lab at the Munk School of Global Affairs.
But the Chinese hacking threat might also be overstated in the popular press. "I think it's easy to find a bogeyman," says Dean Turner, director of Symantec Intelligence Group's Global Intelligence Network. "From the data we've seen, China consistently ranks in the top five. But so does the United States."
In fact, Symantec's most recent numbers for malicious activity by nation put the U.S. in first place, followed by China and India. It turns out that—surprise—countries with large populations of networked users also show more people using those networks for ill.
Nor is China monolithic. Deibert suggests that elements within the Chinese leadership are starting to realize that fostering a culture of hacking might not be a wise long-term move for a growing economic power.
Finally, tracing attacks to Chinese IP addresses doesn't necessarily mean that the attackers are physically in China. Internet traffic can be circuitously routed to hide an attacker's tracks; China might only have been the last stop on that path.
D is for Distributed Denial of Service
At its March convention, the New Democratic Party was supposed to elect its new leader by dinnertime, in a part-live, part-online process that would strike a one-person/one-vote blow for grassroots democracy. But something went wrong: As delegates milled about and broadcasters played for time, the result was delayed, and delayed again, until late into the evening. The party's computers had been hit by a denial-of-service attack.
Web servers can only handle so much traffic, after which they slow to a crawl or crash. So if you want to knock a rival site off the Internet, one tactic is to just bombard it. To keep that site's owners from simply ignoring traffic from one place, it needs to come from all directions—at once.
This can be done with a botnet, where one attacker relays a signal that causes thousands of infected computers to focus their attentions on one hapless web server. Alternatively, users can voluntarily take part in a DDoS attack: Anonymous, for instance, uses a piece of software winningly called the Low Orbit Ion Cannon, which lets members voluntarily turn their computers into traffic generators.
The motive? Malice, damage, politics or money. DDoS can make a political statement, hobble a commercial rival, shut down government sites and the services they deliver, or even take pieces of networked infrastructure offline. But the real money could be in extortion: For service providers who can't afford a disruption—think enterprise computing services, gaming networks, power grids—the mere threat of denial of service could be enough to make a target pay up. Victims don't tend to publicize these incidents, but, in 2009, the CIA claimed that attackers had penetrated unnamed power grids, and caused at least one blackout.
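As an added example (not code from the article), the distinction this section draws between traffic from one place and traffic from all directions can be turned into a simple log check. The script below buckets constructed web-server log lines per second and reports whether an overload could be absorbed by an ordinary per-client rate limit or has no single standout source and must be filtered upstream; the capacity and per-IP limit figures are assumptions.

```python
"""Classify per-second traffic windows in a web access log as normal,
a single-source flood, or a distributed flood (DDoS-style).

Added illustration, not the article's code. Log lines are constructed
below; the server capacity and per-IP limit are assumed figures.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Apache/Nginx common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return (client_ip, timestamp) for one log line, or None if unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


@dataclass
class Window:
    ts: datetime     # the one-second window
    requests: int    # total requests seen in that second
    sources: int     # distinct client IPs in that second
    verdict: str     # "normal", "single-source" or "distributed"


def classify(lines, capacity=50, per_ip_limit=20):
    """Bucket requests per second and judge each bucket.

    capacity: requests/second the server serves before it degrades (assumed)
    per_ip_limit: requests/second a per-client rate limiter would allow (assumed)

    A window above capacity is a single-source flood if clamping every client
    to per_ip_limit would bring the total back under capacity, so a plain rate
    limiter suffices. Otherwise no one client stands out and the flood is
    distributed: the traffic has to be filtered upstream of the server.
    """
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, ts = rec
            buckets[ts][ip] += 1

    windows = []
    for ts in sorted(buckets):
        per_ip = buckets[ts]
        total = sum(per_ip.values())
        if total <= capacity:
            verdict = "normal"
        else:
            after_limit = sum(min(n, per_ip_limit) for n in per_ip.values())
            verdict = "single-source" if after_limit <= capacity else "distributed"
        windows.append(Window(ts, total, len(per_ip), verdict))
    return windows


def _line(ip, second, path="/vote"):
    """Constructed log line; date and addresses (documentation ranges) are made up."""
    return f'{ip} - - [01/Mar/2012:19:00:{second:02d} -0500] "GET {path} HTTP/1.1" 200 512'


SAMPLE_LOG = (
    # second 01: a handful of ordinary visitors
    [_line(f"203.0.113.{i}", 1) for i in range(1, 9)]
    # second 02: one client hammering the server alongside the same visitors
    + [_line("198.51.100.7", 2) for _ in range(80)]
    + [_line(f"203.0.113.{i}", 2) for i in range(1, 9)]
    # second 03: sixty bots, each sending only two requests
    + [_line(f"198.51.100.{i}", 3) for i in range(100, 160) for _ in range(2)]
    + [_line(f"203.0.113.{i}", 3) for i in range(1, 9)]
)

if __name__ == "__main__":
    for w in classify(SAMPLE_LOG):
        print(f"{w.ts:%H:%M:%S}  requests={w.requests:4d}  sources={w.sources:3d}  {w.verdict}")
```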
E is for Everywhere
In March, 2010, over 100 drivers in Austin, Texas, found their cars inert on the pavement, refusing to start; some absently honked.
The dead cars were testament to the perils of interconnectedness: When networking is everywhere around us, so is vulnerability to attack.
The cars, it turned out, came from the same used-car dealer, who had installed a device that could deactivate cars if the owners stopped paying. A disgruntled former employee accessed the system and locked out the drivers.
More than one sci-fi franchise has postulated doom-by-computer network. And in today's reality, computer networks reach into every corner of the world, from the lights on the CN Tower (controlled by a remote web interface) to life-or-death instruments like cars and medical equipment. "It's something we haven't dealt with in the security industry until recently," says Brian Contos, a strategist at McAfee.
Vulnerability has many faces. In industrial settings, PCs that control critical processes in everything from manufacturing to power distribution don't always get updated: Patches might change the way a computer works and introduce instability, and the last thing you want is the power grid conking out. This means that there's still a backlog of very old, very vulnerable systems in critical roles.
The auto industry is another concern. Cars aren't cars any more so much as networks on wheels, encompassing dozens of different processors and systems. A vehicle's central computer software spans hundreds of millions of lines of code. RFID tags in the wheels sense pressure and send a wireless message to the car's central computer to alert the driver should the tire need attention. Cadillacs have their own Wi-Fi hot spots. Infotainment systems talk to the Internet, log into Facebook, shunt audio/video around the car, and store your contact information. Systems like OnStar can remotely slow your engine to a stop in case of theft. But unlike desktop software that gets updates constantly, embedded computers tend to be updated less frequently, if at all, leaving vulnerabilities exposed for longer.
And if you don't yet feel surrounded by suspect technology, consider that last year security whiz Barnaby Jack hacked an insulin pump in real time, on-stage, at a convention. McAfee's Contos says a company investigation showed that IV pumps equipped with Bluetooth could be hacked to overdose patients; security apparently just hadn't been considered in their design.
F is for Facebook
Think that blocking employees from social networks will help secure your firm and boost productivity? Perhaps you're right, but it also could backfire. Young employees don't take well to being barred from Facebook, and rather than go cold turkey, they'll look for options. "People find a way to get around it, and that's where breaches happen," says Hernan Barros, director of product management at Telus Security Solutions. "You're routing around the security."
Employees who are adventurous might find some way to work around the corporate web-filter. More likely, they'll surf from their phone or bring in a tablet from home. "Facebook and using a mobile device for corporate use: Now you've got a deadly combination," says Barros. Oftentimes, work ends up on the personal device. Details may leak out through a social network. Or, worse still, the device might wander off—taking the corporate data with it.
G is for Ghostnet
A story to give diplomats and human-rights activists a chill: In 2009, Citizen Lab uncovered a secret network—which it dubbed Ghostnet—of at least 1,295 computers, all infected with malware that gave an unknown entity free rein to rummage through their documents, and spy in real time. Some 30% of those computers were "high-value" targets in places like embassies and government ministries. The infection was spread by convincing-looking e-mail attachments. The target list seemed tilted toward Tibetan targets, including the Dalai Lama. Three out of four of the servers controlling the network were based in China.
H is for Hackers
In March, a 28-year-old Manhattanite named Hector Xavier Monsegur was very publicly unveiled as "Sabu," one of the leaders of LulzSec, a group that conducted aggressive hacking efforts (including an infamous Sony job; see "P" below) in loose affiliation with Anonymous. He was goateed, handsome and charismatic; he was an enemy of government censorship and a dabbler in drug-dealing and stolen goods. And, as it turned out, he was an FBI informant.
Rugged, flawed, morally complex: Sabu was a hacker from central casting. But when it comes to the enterprise of cybercrime, the lone-wolf prodigy is the exception, not the rule. For most cybercriminals, this is business. "You can't underestimate the fact that it's becoming a highly specialized industry," says Rafal Rohozinski, CEO of SecDev Group, an Ottawa-based security firm. Increasingly, he says, work is divided along a vertical chain. "It's unlikely that you're going to have people who own the whole value chain. Rather it's a specialized, segmented business that comes together."
There's an ever-expanding list of ways to make cybercrime pay, but some are more common than others. Credit card numbers acquired by hook or crook can be charged. Botnets can be used to commandeer thousands of computers to defraud advertising networks by fraudulently clicking on online ads, each click worth a fraction of a cent. The threat of denial-of-service attacks can be used to extort sums from companies or utilities that can't afford to be knocked offline.
Some specializations have a national flavour. The Philippines has a reputation for enlisting workers to break CAPTCHAS—the distorted text that verifies whether a user is human. Russia specializes in transforming digital wealth into physical assets. (Items bought with stolen credit card numbers need to be sent somewhere, after all.)
Demographics play a part as well. Cybercrime correlates with high education and high unemployment. In some countries, it's a way of getting rich. In West Africa, money-transfer scams are a way out of poverty.
And while hacktivists can act like the weather, striking without warning as the eddies and currents of millions of connected users coalesce to form new social movements, cybercriminals tend to follow the path of least resistance to the greatest reward. This gives them at least a degree of predictability. "Okay, so I can open all the water valves in Trenton by remote IP," says Rohozinski. "What's the particular gain that a cybercriminal's going to get from this?"
I is for Impersonation
Pretending to be someone you're not is a cybercrime fundamental. The essence of "phishing" is fooling users into giving up information, as with spam e-mail purporting to be from a bank that needs your password to "protect your account."
But when trying to crack a high-value target, attackers will take the extra step of impersonating a target's friends and co-workers—a tactic called "spear-phishing." It could go like this: An attacker uses malware to gain access to corporate e-mail, allowing the attacker to read correspondence and send e-mails in their victim's name. No need to play the CEO; impersonating a grunt in the IT department, who e-mails around saying he "needs your passwords" to perform maintenance, can garner all the access the attacker wants.
J is for John Sawers
Sir John Sawers might reasonably have been irked at his wife for posting vacation photos of him in a Speedo on Facebook, or because she posted their home address and their children's locations on her public profile. Still, all of this might have been passable, but for the fact that Sawers had just been appointed the head of MI6—Britain's spy agency. A moral emerged in the public lambasting that followed: All the technology in the world will not prevent a human intelligence failure. Education for employees—and their families—is key.
K is for Koobface
The Facebook virus, which showed that social media is addictive for criminals, too. Koobface infected a computer, then sent a lurid message to its owners' Facebook friends, tricking them into downloading an infected phony software update. When documented in 2010, the network was found to have generated more than $2 million by commanding infected computers to send clicks to various affiliate programs.
Facebook eventually took the dramatic step of publicly naming the Russian crew behind the now-defunct scheme. But there will be others. Twitter battles a spam problem every day, and, in March, word circulated about the latest threat: Pinterest scammers.
L is for Loss
In 2011, 22% of Canadian businesses surveyed by Telus and the Rotman School of Management reported that laptops or mobile devices had gone missing—the second-most common security breach, after infection by viruses. There's a silver lining: Technologies that "remotely wipe" or disable misplaced devices are proliferating. Their makers might find a client in NASA, which last year reported the theft of a laptop—one that contained unencrypted command-and-control codes for the International Space Station.
M is for Malware
Any piece of malicious software that infects a computer system, forcing it to do an attacker's bidding. Viruses are one kind of malware, but there are others: Trojan horses trick users into installing them; spyware surveys computer activity; and keyloggers transmit a record of everything that's typed—passwords and all.
There's no magic bullet to protect yourself; as with real viruses, the best defence is good hygiene. That means up-to-date software, good passwords, and knowing to avoid infectious items: unsolicited attachments, dodgy websites and common scams.
N is for New targets
In February, 2011, Google had a problem: Attackers had cooked up a nasty Trojan horse that fooled Android users into thinking they were installing a regular app—but they really installed malware that turned over personal information to a remote server and gave hackers substantial control over the phone.
Google quickly sent out a clean-up piece of software to clear up the infection. Attackers saw the hype around the fix, and did the only logical thing: They created a fake clean-up tool that, when installed, actually infected the phone with more malware.
This is the new battleground. Smartphone shipments finally surpassed those of PCs in 2012, to the tune of 488 million units. The paradigm shift has not gone unnoticed in the underworld. The chief target is Android, in part because it's so popular, and in part because users can download apps from anywhere. "Just like in the PC world, where the Microsoft monoculture created a really big problem, you're starting to see the same problem with Android monoculture," says SecDev's Rohozinski.
iPhones and iPads are less vulnerable, chiefly because Apple insists that all apps be installed through the App Store, where it screens every app by hand. "Jailbroken" iPhones, which have had their Apple-imposed restrictions removed by adventurous users, are wide open. According to Symantec, two worms have been spotted on jailbroken iPhones: One demanded a 5-euro PayPal ransom before unlocking the phone; the other just changed the wallpaper to Rick Astley.
O is for Outlay
How much does peace of mind cost? In their survey of Canadian business, Telus and the Rotman School found that the sweet spot for security outlay was between 5% and 6% of IT expenditures.
P is for Password recycling
Scenario: You roll into work one day, and discover that someone has weaselled their way into your e-mail account, changed the password to lock you out, and is now sending scam messages to your friends in your name, begging for money.
What happened? Maybe you picked a password that's easy to guess. Even security professionals use terrible passwords like family members' names—which can easily be found online—or words like, well, "password."
But the odds are good that you've fallen into another trap: You've used the same password for a variety of different accounts. Remember: Not all websites are equally secure, or equally scrupulous. Your bank can probably be trusted with your name and password. But suppose you use the same password to sign up for a website whose programmers turn out to be inept, and who allow your name and password to be stolen. (Sound implausible? In 2011, LulzSec hacked into the database of no less than Sony, and published the passwords of thousands of Sonypictures.com users.) Hackers could then plug those same credentials into Facebook, Gmail, Twitter or, worse still, that trustworthy bank of yours. It's hard to blame anyone for not remembering a different password for every account. But at a minimum, use different passwords for the accounts that are critical to your finances and online identity.
Q is for Quantity
In 2010, consumers and enterprises stored more than 13 exabytes of data on drives, notebooks and PCs. A single exabyte is 4,000 times as much information as is stored in the Library of Congress. We now create more data than we can physically store. It's being called the age of "Big Data"—and the new challenge in the security world isn't just gaining access to it, but making sense of it.
R is for RSA
What does it take to take down one of the top computer-security vendors? An employee opening an unsolicited Excel attachment.
RSA is the security arm of EMC Corp. Among other things, RSA sells software that helps double-authenticate logins and passwords. Reportedly, an attacker sent a phony e-mail to an employee; its attachment installed a piece of backdoor software that gave the attackers access to the keys to some of RSA's user authentication products. Then, they turned around and used this information to infiltrate one of RSA's clients: defence contractor Lockheed Martin. One ill-considered double-click gave away the keys to the kingdom.
S is for Surveillance
It was the IMSI Catchers, as much as anything else, that blew Gus Hosein away.
Cellphones are designed to lock onto the most powerful base station available to them. Put a fake base station with a strong signal in range of GSM cellphones, and they'll lock onto its signal instead. And as they log in, the fake base station will catch their unique IMSI identifier codes—identifiers that can be cross-referenced with telcos to determine their owners' identities. Put one of these nondescript gadgets in a public square, and you could determine the name of every cellphone-owner there.
Meanwhile, industrial-grade surveillance equipment has appeared on the private market. These technologies were once the domain of national spy agencies, but now they're being marketed to corporations and police forces. "Up until six months ago, we had no idea of these technologies," says Hosein, the executive director of London-based Privacy International, an advocacy group. "And we're the most paranoid people in the human rights movement."
The gear ranges from spy gadgets to software tools that help sift through vast quantities of network traffic, extracting clear pictures of who knows who, and who's been talking about what.
And when police get into the spy game, the lines between government and hacker can get fuzzy. The same tools that criminals use to pursue financial gain can be used by repressive governments to monitor dissidents. One British company, Gamma Group, sells what it calls "Governmental IT Intrusion" tools—which turn out to be malware attacks that install monitoring software on an individual's devices.
Canadians can't sit pretty, either. Guelph-based Netsweeper has attracted scrutiny for providing countrywide web-censoring services for repressive regimes like Yemen. Meanwhile, the Canadian "lawful access" legislation that raised an uproar this year would force Internet companies to install data-sorting equipment to comply with the government's demand that online communications be interceptable.
"The most useful information is access to traffic data, subscriber data," Hosein says. "That's when you can start doing mass surveillance: drawing the lines between who's speaking to who, what websites you're visiting; your political interest, your sexual interests, your social interests." As he speaks to legislators, Hosein struggles to make clear that Internet surveillance isn't a natural evolution of wiretapping: Information captured from a single conversation pales next to the aggregated data of a user's online life. And once this data is collected, it's bound to be used.
T is for Telco
One day in March, a Rogers customer publicly informed the company via Twitter that he'd been receiving spam text messages.
"Thanks for sharing that," the Rogers rep replied. "I don't see anything related to us in that SMS [text] though."
"Was sent over your network," said the complainant. "Do you not investigate phishing attacks?"
It's a question that becomes more loaded by the day: Are ISPs responsible for policing what traverses their networks? Telecom companies have a view into what's happening on their networks that few can match. Just as police demand that ISPs report activity by child pornographers, and copyright holders wonder whether telcos shouldn't filter for infringement, security experts ask whether telcos shouldn't take the lead in monitoring for threats like malware and botnets.
Observers like Melissa Hathaway, who worked as a cybersecurity adviser to the Bush and Obama administrations, argue that ISPs, as the first line of defence, should assume a series of duties, including educating customers about threats, and notifying them of malware infections spreading across their infrastructure. In Australia, some 30 leading ISPs have taken the cue: They teamed up to provide a single threat-notification and education service for consumers, and they report the threats they find to a national body.
Rogers does investigate user complaints against specific IP addresses, according to a spokesperson; the ISP also "reserves the right" to manage its network to control spam and malware.
U is for Undisclosed
Big breaches make news. But who knows how many security breaches go unreported? In Canada, there is no statutory requirement for private firms to report breaches of user data—but there could be. Such an update to Canada's digital privacy law has been introduced in Parliament, but is sitting idle.
V is for fake anti-Virus software
A recent but ubiquitous ploy: tricking users into installing free anti-virus software (or, worse, paying for it) that will do the opposite, and infect the user's computer. Stick to brands you trust, and treat anything claiming to be a "free virus scanner" as gingerly as you can.
W is for War
Cyberwarfare is no longer a sci-fi abstract: It's a very real part of strategy. Its exact workings remain shrouded in mystery, but its effects are becoming more pronounced.
When Russia and Georgia briefly went to war in 2008, DDoS attacks hit Georgian websites. As more and more public services go online, such attacks obviously will be increasingly damaging. What's less clear is who launched the attacks in 2008. Russia was the obvious culprit, but analysis showed that the attacks came from around the world. It seems that, rather than acting directly, a loose coalition of third-party actors—a diaspora, or contractors, or both—achieved Russia's ends. The line between governments and independent hackers acting in their interest is increasingly hard to discern: Instead of acting directly, governments might "seed" hacking activity, whose results can be chaotic and unpredictable.
Even more ominously, the line between digital and physical war has already been crossed. In 2010, a virus called Stuxnet spread around the world, but it's believed to have been designed to do just one thing: Destroy centrifuges in Iran that were being used for its nuclear program. The virus was designed to reprogram the centrifuges to essentially shake themselves apart, all while pretending to be functioning normally (and it seems to have worked).
Needless to say, nobody ever took credit for the virus, but the Israeli and American governments were suspected.
X is for doXing
You don't have to break into a computer system to learn all about someone; most people have a more revealing online footprint than they realize. It just takes a motivated party to connect the dots—or the "dox," publicly available online documents. Scenario: You make a post on a blog under an alias. A malicious hacker could use search engines like Pipl.com (or even Google) to find everything posted using that alias on the Internet. Since people tend to reuse aliases, the data trail could span many sites; one happens to connect to your real name. Feeding your real name back into the search engine reveals your other aliases, including the one you used to angrily sound off in an online forum. Meanwhile, your real name brings the hacker to your semi-private Facebook page, which discloses your hometown and spouse's name. A search on your spouse's name yields an academic history, an old blog and a Twitter account that provides kids' and pets' names—one of which turns out to be the secret reset password on your e-mail account.
A single point of data might not be especially telling. But when many points are put together, a remarkably revealing picture can emerge.
Y is for Yikes
According to Symantec, in 2011 there were 286 million malware variants, many of which had the potential to expose personal data.
Z is for Zero-day attack
Oftentimes a company knows about vulnerabilities in its systems, and it's no great surprise when they're finally hacked. Then there are zero-day attacks, so named for the total number of days a software company has had to prepare for an onslaught. In 2008, Microsoft was staggered when attackers found a flaw in Explorer that had been lurking for almost a decade, before being discovered by hackers and exploited to steal passwords. Microsoft had to scramble to release a patch and fix a goodly per cent of the world's computers.
"We're always going to be one step behind the next thing," says Tamir Israel, a lawyer at the University of Ottawa's Canadian Internet Policy and Public Interest Clinic. "We're always going to be reactive."
It would be nice if cybercrime could be stemmed at the root. But the mushrooming digital universe and the very nature of software itself—intricate, infinite, used by highly fallible humans—makes that an impossible fantasy.
Instead, cybercrime has fast become something like every other kind of crime: a phenomenon born of human circumstance that will just have to be managed. It might well be the world's youngest profession. But like the oldest, it's not going anywhere.