by Marc Goodman
• Computer worms also cause damage, but do so as stand-alone software and do not require a host program to replicate.
• Trojans, named after the mythical wooden horse used by the Greeks to infiltrate Troy, often masquerade as legitimate pieces of software and are activated when a user is tricked into loading and executing the files on a targeted system. Trojans frequently create “back doors” that allow hackers to maintain persistent access to an infected system. Trojans do not reproduce by infecting other files per se, but rather spread by deceiving users into clicking on a file or opening an infected e-mail attachment.
Virus writers today recognize that the public is slowly (very slowly) beginning to get the message not to click on files sent by strangers. As a result, criminals have updated their tactics to create so-called drive-by downloads, which exploit vulnerabilities in the Web browser itself and in browser plug-ins such as Java and ActiveX, infecting a visitor who does nothing more than load a booby-trapped page. The world has moved online, and attacking the tools people use to get there, browsers such as Internet Explorer, Firefox, and Safari, makes sense for criminals, though the new modus operandi comes with a heavy cost for unsuspecting users. Researchers at Palo Alto Networks reported that as much as 90 percent of modern malware is now spread via previously hacked popular Web sites that serve up the infection the moment an unsuspecting visitor stops by. Many large companies, including Yahoo!, a major destination portal around the world, have had their Web sites hijacked by criminals and thus unknowingly poisoned their own customers who innocently stopped by to check sports scores or the latest stock market returns.
The Malware Explosion
Now it’s no longer just about the “lulz”; hackers ply their trade for money, information, and power. In the early twenty-first century, as criminals figured out ways to monetize their malicious software through identity theft and other techniques, the number of new viruses began to soar. By 2015, the volume had become astonishing. In 2010, the German research institute AV-Test assessed that there were forty-nine million strains of computer malware in the wild. By 2011, the antivirus company McAfee reported it was identifying two million new pieces of malware every month. In the summer of 2013, the cyber-security firm Kaspersky Lab reported it identified and isolated nearly 200,000 new malware samples every single day.
Taking a cynical approach to these statistics and presuming that antivirus companies might be incentivized to overstate the problem that they were established to combat, one could be inclined to deflate the numbers dramatically, say by 50 or even 75 percent. Even so, that would still mean that fifty thousand new viruses were generated each and every day. Think about the tremendous research-and-development effort that would be required on a global scale to create that volume of uniquely coded malware.
As any business owner knows, R&D is an expensive proposition. As such, the return on investment (ROI) required to support international organized crime’s ongoing illicit computer programming efforts must be vast. An independent study by the trusted Consumers Union, publisher of Consumer Reports magazine, seems to confirm the mounting impact of computer malware. A survey of its members revealed that one-third of the households in the United States had experienced a malicious software infection in the previous year, costing consumers a whopping $2.3 billion annually. And that’s just the people who realize they’ve been attacked.
The Security Illusion
Each year, consumers and businesses around the world put their faith in the computer security software industry to protect them from the burgeoning threat of computer malware. According to a study by the Gartner group, worldwide spending on security software totaled nearly $20 billion in 2012 and was forecast to skyrocket to $94 billion annually by 2017.
Ask most individuals what to do about computer viruses, and their very first answer would be to use an antivirus product from a company like Symantec, McAfee, or Trend Micro. The response is instinctual from a public that has been trained well. While such tools might have proven useful in the past, they are rapidly losing their efficacy, and the statistics are deeply revealing. In December 2012, researchers at Imperva, a data security research firm in Redwood Shores, California, and students at the Technion–Israel Institute of Technology decided to put the standard antivirus tools to the test. They collected eighty-two new computer viruses and ran the malware against the threat-detection engines of more than forty of the world’s largest antivirus companies, including Microsoft, Symantec, McAfee, and Kaspersky Lab. The results: the initial detection rate, on first exposure to the samples, was only 5 percent, meaning that 95 percent of the malware went completely undetected. That also means the antivirus software you are running on your own computer is likely catching only a small fraction of the brand-new threats targeting your machine the first time they appear. If your body’s own immune system had a batting average like that, you would be dead in a matter of hours.
Months later, the behemoths of the security software industry eventually update their software, but of course by then it’s often too late. The fact of the matter is that criminals and virus writers are completely out-innovating and outmaneuvering the antivirus industry established to protect us against these threats. Worse, the “time to detection”—that is, the amount of time from the initial introduction of a piece of malware “in the wild” until it is uncovered—is growing. For example, in 2012 researchers at Kaspersky Lab in Moscow uncovered a highly complex piece of malware known as Flame that had been pilfering data from information systems around the world for more than five years before it was detected. Mikko Hypponen, the well-respected chief research officer at the computer security firm F-Secure, called Flame a failure for the antivirus industry and noted he and his colleagues may be “out of their leagues in their own game.” Though millions around the world rely on these tools, it’s pretty clear the antivirus era is over.
One of the reasons it is proving difficult to counter the wide variety of technological threats in our lives today is that there has been a burgeoning increase in the number of so-called zero-day attacks. A zero-day exploit takes advantage of a previously unknown vulnerability in a computer application that developers and security staff have not had time to address. Rather than hunting for these vulnerabilities themselves, antivirus companies have traditionally relied on signatures: known data points such as a file’s hash or a characteristic byte sequence. They’ll block a malicious bit of code if it matches, closely enough, malicious code they have seen previously, and a sample that has been repacked or otherwise altered can slip past until someone writes a new signature for it. It’s essentially like putting up a wanted poster for Bonnie and Clyde because we know they have robbed banks previously. Bank tellers would know to be on the lookout for the couple, but as long as no one fitting that description materialized, they might let their guard down—until a different bank robber struck, that is. These zero days are increasingly being generated for a wide variety of techno-products commonly used in our lives, affecting everything from Microsoft Windows to Linksys routers to Adobe’s ubiquitous PDF Reader and Flash Player.
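The Bonnie-and-Clyde analogy can be made concrete. The following Python is an added example, not code from the book or from any antivirus vendor: a toy signature scanner with a hypothetical detection name (Trojan.Constructed.A), a constructed byte string that stands in for a malware sample analysts have already seen, and two ways a criminal might turn it into a “new” variant. Appending a single byte defeats the hash signature; XOR-packing the body defeats the byte-pattern signature as well, and the scanner reports the packed file clean even though the identical payload reappears the moment it unpacks itself in memory.

```python
"""Toy signature scanner: why matching known data points misses new variants.

Added example, not from the book. Every sample here is constructed in-line
and carries no real payload; the scanner, database and packer are
deliberately minimal stand-ins for what a signature-based product does.
"""
import hashlib
import re

# Constructed stand-in for a malware sample that an analyst has already seen.
# The strings are the kind of artefact a signature writer would key on.
KNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"CreateRemoteThread;WriteProcessMemory;"
    + b"connect c2.example.invalid:4444"
)

FAMILY = "Trojan.Constructed.A"   # hypothetical detection name


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Two kinds of "wanted poster": an exact file hash, and a byte pattern
# lifted from a characteristic stretch of the known sample.
HASH_DB = {sha256_hex(KNOWN_SAMPLE): FAMILY}
PATTERN_DB = {
    FAMILY: re.compile(
        rb"CreateRemoteThread;WriteProcessMemory;.*c2\.example\.invalid", re.S
    ),
}


def scan(data: bytes) -> list[str]:
    """Return the detections that fire; an empty list is a 'clean' verdict."""
    hits = []
    family = HASH_DB.get(sha256_hex(data))
    if family:
        hits.append(f"hash:{family}")
    for family, pattern in PATTERN_DB.items():
        if pattern.search(data):
            hits.append(f"pattern:{family}")
    return hits


def append_junk(data: bytes) -> bytes:
    """Cheapest possible 'new variant': one extra byte defeats the hash."""
    return data + b"\x00"


def xor_pack(data: bytes, key: int) -> bytes:
    """Encode the body with a single-byte XOR behind a tiny header that
    records the key, the way a trivial packer does. The original bytes never
    appear on disk, so neither the hash nor the pattern can match them."""
    if not 0 < key < 256:
        raise ValueError("key must be a single non-zero byte")
    return b"PK1" + bytes([key]) + bytes(b ^ key for b in data)


def xor_unpack(packed: bytes) -> bytes:
    """What the sample does to itself at run time, and what a sandbox or
    behavioural monitor would get to look at."""
    if packed[:3] != b"PK1":
        raise ValueError("not a PK1-packed body")
    key = packed[3]
    return bytes(b ^ key for b in packed[4:])


if __name__ == "__main__":
    variants = {
        "original": KNOWN_SAMPLE,
        "one byte appended": append_junk(KNOWN_SAMPLE),
        "xor-packed (key 0x5a)": xor_pack(KNOWN_SAMPLE, 0x5A),
        "xor-packed, then unpacked in memory": xor_unpack(xor_pack(KNOWN_SAMPLE, 0x5A)),
    }
    for label, body in variants.items():
        print(f"{label:38} -> {scan(body) or 'no detection'}")
```

Running it prints one verdict per variant. The point is not that shipping products are this crude (most add heuristics, emulation and reputation lookups) but that any check defined in terms of bytes already seen is, by construction, blind to bytes not yet seen; the gap between a variant’s release and the signature that finally covers it is the time to detection the chapter keeps returning to.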
Eventually, hackers figured out that the more noise they made breaking into your systems, the more quickly you would fix the problem and kick them out. Now it’s all about stealth and clandestinity, like having a sleeper cell in your computer. You might think the abysmal 5 percent computer virus detection rate revealed in the Imperva study applied only to average citizens using personal security software in their homes. Surely businesses with their massive budgets for information technology and security would fare much better against hackers? Not so much. Tens of thousands of successful hacks against major corporations, NGOs, and governments around the world reveal that enterprises, for all they spend, are not much better in protecting their own information.
According to Verizon’s 2013 Data Breach Investigations Report, most businesses have proven simply incapable of detecting when a hacker has breached their information systems. The landmark survey carried out by Verizon business services, working in conjunction with the U.S. Secret Service, the Dutch National Police, and the U.K. Police Central e-Crime Unit, reported that 62 percent of the intrusions against businesses took at least two months to detect. A similar study by Trustwave Holdings revealed that the average time from the initial breach of a company’s network until discovery of the intrusion was an alarming 210 days. That’s nearly seven months for an attacker—whether organized crime, the competition, or a foreign government—to creep around unfettered in a corporate network stealing secrets, gaining competitive intelligence, breaching financial systems, and pilfering customers’ personally identifiable information, such as their credit card numbers.
When businesses do eventually notice that they have a digital spy in their midst and that their vital information systems have been compromised, an appalling 92 percent of the time it is not the company’s chief information officer, security team, or system administrator who discovers the breach. Rather, law enforcement, an angry customer, or a contractor notifies the victim of the problem. If the world’s biggest companies, firms that collectively spend millions on cyber defense and have whole departments of professionals working 24/7 to protect their networks, can be so readily penetrated by hackers, the prospects for home users protecting their information look grim indeed.
How hard is it to break into the average computer system? Laughably easy. According to the Verizon study, once hackers set their sights on your network, 75 percent of the time they can successfully penetrate your defenses within minutes. The same study notes that only 15 percent of the time does it take more than a few hours to breach a system. The implications of these findings are profound. From the time an attacker decides to target your world, 75 percent of the time the game is over in minutes. You’ll be punched, knocked out, and on the floor before you ever knew what hit you. In today’s world, hackers are living unfettered and free inside your very own data systems for months and months, watching, waiting, lurking, and pillaging everything from your passwords to work projects to old selfies. You are easy marks and sitting ducks. How odd that we as a society tolerate this. If any of us noticed a burglar in our home watching over us as we slept or filming us in the shower, we would immediately dial 911 (or alternatively scream or reach for a gun). In cyberspace, this is a daily occurrence, yet most of us remain calmly, even blissfully unaware of the threat, despite our deep vulnerabilities and the bad guys looming over us as we sleep.
The cost of our universal cyber insecurity continues to mount. Though businesses around the world may be on track to spend nearly $100 billion by 2017 for a variety of software and hardware security measures, that price is merely a starting point when considering the full economic impact of our technological fragility. Take, for example, the 2007 cyber strike against TJX, the parent company of the retail stores T.J. Maxx and Marshalls in the United States and T.K. Maxx throughout Europe.
In that case, hackers stole the credit card details of over forty-five million customers, making it the largest retail store hacking case of its time. Later in court filings, it was revealed the actual number of victims was closer to ninety-four million. Though TJX reached a settlement with Visa, MasterCard, and its customers in the amount of $256 million, many analysts believe the true costs could easily have been closer to $1 billion. One of the most authoritative sources for research on the cost of data breaches comes from the Ponemon Institute, which conducts independent research on data protection and information security policy. In calculating cybersecurity breaches, it notes it is important to extend the loss analysis well beyond direct consumer theft amounts.
For example, the victim company targeted in the attacks, such as TJX, must spend handsomely on detecting the breach, containing the attackers, investigating the matter, identifying the perpetrators, and repairing and recovering its computer network. Moreover, there are often heavy sales declines as a wary public shies away from using the services of a company perceived to be unsafe and insecure. Add to that the price of credit card replacement fees (currently estimated to be $5.10 per card), consumer credit-monitoring services that need to be purchased by the victim company to prevent ongoing credit card fraud against its customers, and rising cyber-insurance premiums, and it is easy to see how quickly the costs of these losses can escalate. No wonder most companies are loath to admit that they have been hacked and many attempt to deny the breach as long as possible.
There are yet greater costs to be considered, including how the stock market punishes victim firms via precipitous drops in their stock prices after a cyber intrusion. In one case, Global Payments saw its market valuation slashed by 9 percent in just one day before the New York Stock Exchange halted trading of its shares. Adding to the financial headaches in these cases are the ensuing class-action lawsuits from a firm’s customers, shareholders, and regulators. All told, the Ponemon Institute estimates that companies face nearly $188 in costs for each and every record stolen. Multiply that amount by the nearly 100 million account records stolen at TJX, and it’s easy to see how quickly the cost of these breaches escalates.
All told, between the sums spent on mostly ineffective prevention measures and retroactively closing the cyber barn door after the horses are out (and the hackers are in), we pay dearly as a society for our technological insecurity. Worse, our growing connectedness to the networked world and our concomitant radical dependence on wholly penetrable technologies can bite in ways that hurt much more than our collective wallets.
The Internet has lost its innocence. Our interconnected world is becoming an increasingly dangerous place, and the more we incorporate assailable technologies into our lives, the more vulnerable we become. The next Industrial Revolution, the information revolution, is well under way, with massive yet unrealized implications for our personal and global security. Yet as daunting as the threats to individuals, organizations, and even our critical infrastructures seem today, there is a proverbial technological train leaving the station, one that is rapidly and exponentially picking up speed. There are signs of it everywhere, if one knows where to look.
Just over the horizon are newly emerging technologies, including robotics, artificial intelligence, genetics, synthetic biology, nanotechnology, 3-D manufacturing, brain science, and virtual reality, that will have major impacts on our world and pose a panoply of security threats that will make today’s common cyber crime seem like child’s play. These innovations will play essential roles in our daily lives in just a few years, yet no in-depth, broad-based study has been completed to help us understand the unintended attendant risks they pose.
The depth and extent of this transformation and its concomitant risks have gone unnoticed by most, yet before we know it, our global society will connect as many as one trillion new devices to the Internet—devices that will permeate every aspect of our lives. These persistent connections will bind us to both man and machine, across the planet, for good and for ill, and will be woven into the entire realm of our exponentially expanding common sentience. As a result, technology will no longer be just about machines; it will become the story of life itself. Those who know how these underlying technologies work will be increasingly well positioned to exploit them to their advantage and, as we have seen, to the detriment of the common man. The cornucopia of technology that we are accepting into our lives, with little or no self-reflection or thoughtful examination, may very well come back and bite us. These risks portend the new normal—a future for which we are wholly unprepared. This is a book about man and machine and how the slave may become master.
CHAPTER 2
System Crash
If we continue to develop our technology without wisdom or prudence, our servant may prove to be our executioner.
OMAR N. BRADLEY
Something had to be wrong with the signals. It was a Tuesday in early January 2008 when a tram in Lodz, Poland, suddenly veered to the left. This in itself wasn’t so strange—except for the fact that the conductor had been attempting to turn his train right. Moments later, the rear cars skidded off the rails before crashing into another tram and coming to a screeching halt.
Amazingly, given the size of the collision, no one was killed, but more than a dozen passengers were injured, and many others were left scratching their heads. What had gone wrong? Rather than a circuit failure or human error on the part of the conductor, rail engineers quickly suspected foul play. They were right, but for reasons they would probably never have wagered.
It turns out that a fourteen-year-old computer whiz kid had created an infrared remote transmitter capable of controlling all the junctions on the transit line. The boy spent months studying the city’s rail system to determine the best places to redirect trains in order to cause the most havoc and hacked the switches throughout the town to redirect trains on his command.
In other words, the teen was able to use the city’s tram system as his “personal toy train set” by hacking and electronically commandeering the city’s transit infrastructure. The teen was believed to have utilized the device on numerous occasions, and when he was caught and arrested, he admitted, like Mat Honan’s hacker, that he had carried out his act “just for the lulz” of it all.
But this prank resulted in the derailment of four trains and could easily have led to passenger deaths, an important distinction that left many security analysts fuming that more wasn’t being done to ensure the safety of the city’s critical infrastructure. They fittingly reasoned that if a fourteen-year-old boy, acting alone, could hack the transit system’s network and wreak this sort of havoc for his own amusement, what was to stop criminals, terrorists, or a warring nation from doing the very same?
A Vulnerable Global Information Grid
We’ve seen how easy it is to hack into the majority of computer systems and how quickly it can be done. Mat Honan’s experience proved that our digital lives can be struck from the record in an instant. T.J. Maxx and Citibank both learned the hard way what can happen when criminals thousands of miles away bring you into their sights. Given the obvious dangers, one would have thought a measure of prudence would be in order before adding everything that plugs into the wall or has a battery to the global information grid, yet we proceed full steam ahead in our growing love affair with all things tech.