by Marc Goodman
As noted in the first chapter of this book, every day we are becoming more connected, dependent, and vulnerable. The overwhelming majority of our information systems can be penetrated in mere minutes, and there has been exponential growth in the number of viruses, Trojans, and zero days available to accomplish the task. The average time to discovery from the moment an intruder first breaks into a system until the hack is uncovered is measured not in minutes but in hundreds of days. We are being penetrated, digitally probed, spied upon, robbed, and virtually manipulated day in and day out, and most of us remain blissfully unaware of the threat. Welcome to the new normal, a world in which for every screen in your life governments, criminals, terrorists, and hacktivists have a plan of attack.
In the end, all the computer hacking, code manipulation, and screen shifting boil down to a fundamental issue of trust. Trust is at the core of all of these discussions, and currently in our world there is no such thing as trustworthy computing. The security, privacy, and reliability of technology are too easily disrupted, sabotaged, and undermined. The fact of the matter is we have no earthly idea what is going on inside our systems, the same ones we use every day personally, professionally, and to run the world. While we may still faithfully place our trust in God, placing our trust in screens is deeply misguided and will come back to bite us in ways we will regret.
The Heartbleed security bug that burst into prominence in early 2014 is emblematic of the challenges we face. In theory, cryptographic algorithms are meant to secretly encode and decode sensitive information passed between two parties. The most common encryption protocols on the Internet are the Secure Sockets Layer (SSL) and Transport Layer Security (TLS). In fact, a version of SSL, known as open SSL, is responsible for protecting more than two-thirds of all Internet traffic. Even if you don’t know what cryptography or SSL is, chances are you use it every time you log in to your bank, check your e-mail, or buy something online. We’ve all been trained to look for the little green lock in our Web browser’s address line and to search for HTTPS versus HTTP to ensure our connections to a given Web site are trusted and secure. Green means go, it’s safe, all is okay—at least we thought so.
The core big reveal about the Heartbleed bug is that even though the little green locks on our browsers were showing us we were safe, in fact, we were not. The trust we had in closed SSL locks on our browser screens was in fact misplaced. Once again, “in screen we trust” deceives. Heartbleed is the largest and most widespread vulnerability in the history of the Internet to date. A programming flaw in open SSL meant that those secret cryptographic keys you thought you were privately sharing with your bank or social media company’s server were in fact suddenly accessible by somebody else. Worse, the flaw was completely undetectable, even though it had been in existence since December 2011. That means that all the chat messages, e-mails, online purchases, Web site visits, and downloaded apps during the past several years were in fact fully accessible to somebody with the time, energy, and inclination to decipher them.
Open SSL is used by 66 percent of all Web sites on the Internet, which is why millions of Web sites around the globe had to inform their users that there was a big gaping hole that allowed hackers to circumvent the encryption between you and their sites. Instagram, Pinterest, Facebook, Tumblr, Google, Yahoo!, Etsy, GoDaddy, Foursquare, TurboTax, Flickr, Netflix, YouTube, USAA, and Dropbox are just some of the companies to have been affected by the problem. Moreover, 150 million apps downloaded on the Android mobile phone platform were also susceptible. Sadly, changing your password was not good enough to resolve the problem on the consumer’s end. Each of these Web sites first needed to change its server software and update the version of open SSL it was using; otherwise any potential attackers would still be able to read your new password even after you changed it. Even a full month after the Heartbleed bug was announced, hundreds of thousands of sites remained vulnerable to the massive flaw in the cryptographic backbone running the majority of the Internet. Of course attackers lost no time in taking advantage of the Heartbleed opportunity, including the NSA, which had reportedly known about the vulnerability for years but kept it to itself in order to exploit the opportunities it provided. Criminals also took part in the gold rush created by Heartbleed, with attacks carried out against the Canada Revenue Agency (Canada’s IRS equivalent) and dozens of e-commerce sites around the world.
Cryptographic keys and digital certificates are the means by which our online data and their underlying technologies are meant to be protected and secured. Yet Heartbleed was not the first time these systems themselves were successfully subverted. By and large the tools to make our technological world secure and trustworthy are simply not at hand. As a result, we do not have the means we require as a global society to make smart and reliable decisions in an increasingly confusing world. Human beings don’t directly read the ones and zeros on our hard drives, nor do we think in binary code (at least not yet). We use a bevy of screens and other machines to interpret this information for us and, in doing so, sacrifice any real hope of understanding the innermost truth of anything. As long as others can intermediate our digital and virtual experiences, we remain deeply at risk for fraud, abuse, and attack—not a foundation on which to build any future civilization.
The biggest challenges we face in the “in screen we trust” world are not the problems of today, however, but the ones of tomorrow. Given the obvious implications of Moore’s law, the number of screens in our lives today will pale in comparison to those to come. To paraphrase the rapper the Notorious B.I.G., “Mo’ screens, mo’ problems.” We will have screens everywhere—on our wrists, in our glasses, on our contact lenses, and in our clothes, as so-called wearables become commonplace. In our homes, our dining room tables, picture frames, refrigerators, and washing machines will all be transformed into screens. As we travel about our daily affairs, we will have screens in our cars, on our trains, and on the headrest of every airplane seat. Menus at restaurants, mirrors in the ladies’ room, and the walls behind the urinal in the men’s room will all beacon us with visual information. Not only will all billboards become screens, but so too will the walls of homes, office buildings, and shops. Heads-up displays like those used by jet fighter pilots and augmented reality will become mainstream and will project layers and layers of virtual information into our line of sight, ever influencing our points of view. In fact, every possible flat surface will be transformed into an interactive screen, each serving as a filter for our reality, easily manipulated by those whom we allow to interpret the real world for us.
There are ghosts in the wires, screens, and data banks of our twenty-first-century world. As the digital and the virtual drown out the real, our lives will be intermediated by others, but at what cost? The global information grid that we are all increasingly connected to and dependent on is deeply vulnerable.
There is a gathering storm before us, and all the signs of disaster are there. The technological bedrock on which we are building the future of humanity is deeply unstable and like a house of cards can come crashing down at any moment. Despite this, we plod forward, adopting newer, brighter technologies, each promising to solve a new problem or deliver a particular convenience. The problem is not that technology is bad; in fact, science and technology hold the promise of profound benefit to humanity. The problem, as we have seen, is that those with technological know-how, be they criminals, terrorists, or rogue governments, can use their knowledge to exploit an exponentially growing portion of the general public to its detriment. Though today’s technologies have been a boon for illicit actors, they will pale in comparison to the breadth and scope of technological change that will rapidly unfold before us in the coming years. Soon a plethora of exponential technologies now just in their infancy, such as robotics, artificial intelligence, 3-D manufacturing, and synthetic biology, will be upon us, and with them will come concomitantly profound, perhaps even life-altering, opportunities for harm.
Though criminals have take
n advantage of the techno-tools available to them to date, the worst may be yet to come. Vulnerable and untrustworthy computing has prepped the battlefield for a future world replete with criminality and social insecurity. The gathering storm has gathered and the result may well be a destiny for which we are wholly unprepared. Welcome to the future of crime.
PART
TWO
The
Future
of
Crime
CHAPTER 10
Crime, Inc.
Organized crime in America takes in over forty billion dollars a year …[and] spends very little for office supplies.
WOODY ALLEN
Innovative Marketing was a small and promising start-up that created pioneering software products to address its clients’ needs. The firm’s young founders incorporated their company in Belize because of its favorable tax regimes, a smart move that they modeled on the business practices of well-established tech giants, such as Apple, Google, and HP, each of which has cleverly created subsidiaries in tax havens around the world. To further reduce overhead costs, Innovative Marketing chose to establish its main offices in Kiev, Ukraine, where highly competent technical graduates with advanced degrees in computer science and mathematics were abundant and employees could be hired for a fraction of the salaries offered in Silicon Valley.
Like any good tech start-up, Innovative Marketing advertised its wares across the Web using banner ads and paid to ensure its software appeared high up in search engine query results. It attracted new customers by turning to a well-honed and tested technique developed by Amazon.com known as affiliate marketing: if a potential customer clicked on the affiliate link, Innovative Marketing would pay the hosting Web site a small fee for serving up the ad, and if any actual sales were generated, the affiliate would receive a percentage referral fee. The system worked well for all parties: it incentivized a commission-based workforce and drove software sales for the young start-up.
The two entrepreneurs who founded Innovative Marketing, the India-born Shaileshkumar “Sam” Jain and the Swedish national Bjorn Sundin, had picked their software product lineup well. The pair decided to focus their creative energies on designing an entirely new class of antivirus and computer security software back in 2006, just as the world was growing increasingly concerned about cyber threats. Soon business was booming and sales of the company’s products, such as Malware Destructor, System Defender, and Windows AntiSpyware, were growing year over year. Soon hundreds, then thousands, then millions of orders for its products flooded into the firm’s Kiev offices.
Innovative Marketing, like so many successful start-ups, had more demand than it could supply and was struggling to keep up with its rapid expansion. Before long, the company occupied a full three stories of modern office space at 160 Severo-Syretskaya Street in the burgeoning industrial section of Kiev. Inside, dozens of highly talented computer geeks churned out code at a frenzied pace, as engineers laid out clusters of new Ethernet cables and added racks of computer servers trying to keep up with consumer demand.
In the lobby of Innovative Marketing’s growing headquarters, workers hung a colorfully backlit five-foot-square glass logo that they suspended behind a bank of receptionists, busy answering phones and greeting employees at the start of their day. Beyond the ultramodern reception area, executives were abuzz establishing business processes and putting systems in place to provide the corporate structure required to grow the firm. Soon, department after department was added, including software development, quality assurance, finance, billing, marketing, human resources, translation and software localization, research and development, production, outsourcing, and technical support. Jain and Sundin, like any proud parents, were watching their baby grow.
Within short order, Innovative Marketing had become a massive success—a global multilingual company, operating around the clock, with more than six hundred employees and customers in sixty countries. Through its subsidiaries, it outsourced call center functions to India to handle technical support and customer service queries in English. German speakers had their questions answered by bilingual staff in Poland, and Francophone clients were routed over VoIP to Algeria. Sales of Innovative Marketing’s software were all automated and distributed online. Customers could buy their products at the click of the mouse and product ID numbers were issued on e-mailed receipts, which offered money-back guarantees on goods sold. Innovative Marketing took customer service seriously and advised clients calling its 800 numbers that calls would be monitored for quality assurance. According to statistics kept by the call centers, over 95 percent of clients described themselves as “happy” with the service they had received.
Like all tech start-ups, Innovative Marketing was well represented on social media. Hundreds of its employees had established profiles on LinkedIn, including their positions and work histories. To bring in the talent required to grow the start-up, Innovative Marketing placed job ads on numerous career Web sites and used recruiters to help find project managers, UNIX administrators, search engine optimization specialists, researchers, support engineers, and business development associates. To manage its explosive growth, Innovative Marketing used a variety of techniques to address the human resources issues common in the start-up world. It offered prizes to the best salesmen and carefully selected its employees of the month.
To relieve stress caused by the frenetic pace of work, Innovative Marketing also rewarded its employees with staff outings to seaside resorts where employees would engage in team-building exercises, including footraces, wall climbing, rope exercises, and paintball competitions, in order to build morale and cooperation. By all accounts, Innovative Marketing was a great place to work and a wildly profitable business. From the customer’s perspective, however, there was a slight problem.
The typical scenario went something like this. As users sat at their keyboards, pining away on Facebook, responding to an e-mail, or checking the latest quarterly report, suddenly a large red pop-up would appear on the center of their screens: WARNING: SERIOUS VIRUS DETECTED. Simultaneously, the computers’ speakers would begin to wail, as a blaring siren sound let users know something was seriously wrong with their system. In an instant, the System Defender logo would appear on-screen next to a large magnifying glass that appeared to be scanning the files on the users’ hard drive. One by one, long and complex system file names would fly by in rapid succession as a mounting tally of malware threats detected was displayed on a scoreboard on the bottom of the screen. In the end, System Defender might show twenty-three known viruses, seven worms, and eighteen pieces of spyware along with an ominous warning: YOUR COMPUTER IS AT IMMINENT RISK FOR A SYSTEM CRASH AND PERMANENT DATA LOSS. CLICK HERE TO REMOVE ALL THREATS.
As the siren continued to screech in the background on the computers’ speakers, users generally chose the most obvious course of action, clicking on the “remove threats” button glaring before them. When they did, they were directed to a purchase page for Innovative Marketing’s System Defender product, a $49 software program guaranteed to resolve all known computer issues. Those who foolishly opted to ignore the “remove threats” option and tried clicking anywhere else on the screen soon discovered that their computer had completely locked up, save for the obnoxious siren noise. The Escape key did not work, and users were permanently stuck on a red screen of death, unable to control their own computers. Savvy users thought rebooting might resolve the problem, but when they did, they were met with the blaring siren noise and the same implacable red alert screen. Paying the $49 fee was the only way to regain access to their own computers and data (a deluxe version with unlimited tech support was available for $79).
So what exactly was this pioneering software product Innovative Marketing had created? It was called crimeware, a whole new product category within the software industry—software that commits crime. Crimeware, sometimes called scareware, ransomware, or rogue antivirus, is nothing more than a malicious computer program that plays on a us
er’s fear of virus infection. We’ve all been trained to be on the lookout for antivirus alerts and to run our security software when a problem is detected. Thus it seemed entirely logical that when System Defender’s critical system pop-up message appeared on the screens of users around the world, the best and commonsense course of action was to click on the “remove all threats” button. There was only one hitch: the warning messages displayed were nothing more than an elaborate software hoax, a case of “in screen we trust” gone wrong.
Innovative Marketing’s customers never actually had a virus; instead, their browsers and operating systems had been hijacked. The animated graphical image that gave the appearance that the user’s computer was being scanned for viruses was just a visual ruse, no different from a Disney animation. No scan of the computer ever actually took place, and the “found” viruses and Trojans detected were virtual figments of the software’s imagination, projected convincingly on the screen. Once users were tricked into paying for and downloading the System Defender product, the software had one primary mission: to remove a user’s legitimate antivirus program, thereby allowing additional malware, back doors, and keystroke loggers to be installed on the affected hard drive. Worse, those credit card details provided to buy the bogus software were now up for sale to the highest bidder on the black market. Innovative Marketing, for all its call centers, gleaming offices, and employee retreats, was nothing more than an immensely successful front for modern organized crime.
Innovative Marketing was able to create the massive market for its felonious products by using its own teams and those of its affiliates to booby-trap legitimate Web sites with malware-infected ads sold by subsidiary front companies. When an unsuspecting user innocently visited an infected Web site or clicked the wrong link, a bit of malware code was downloaded to infect the machine, allowing the programmers at Innovative Marketing the access they needed to pull off their convincing red-screen scams. Eventually, after numerous customers complained to authorities in dozens of countries, the criminal enterprise was exposed, and the results of the investigation were shocking. Innovative Marketing kept in its offices copies of all the receipts it had issued to its crimeware customers around the world. In 2009 alone, it processed 4.5 million individual customer orders for an average sales price of $35. That works out to $180 million in revenue for Innovative Marketing back in 2009, handily beating the $106 million earned by Twitter two years later in 2011. In total, Innovative Marketing pulled in a jaw-dropping $500 million in global sales for the three-year period in which it sold its crimeware.