In Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door, Brian Krebs offers a fascinating look at the mass-scale cybercrime that underpins the spam in your inbox and provides an inside peek at a violent fight among its principle players. Cory Doctorow reviews.Read the rest
In case there was any doubt in your mind, the alleged $1T cost to America from cyberwar and the $250B cost to America from "cyber-theft of Intellectual property" are both total bullshit. Pro Publica breaks it down.
One of the figures Alexander attributed to Symantec — the $250 billion in annual losses from intellectual property theft — was indeed mentioned in a Symantec report, but it is not a Symantec number and its source remains a mystery.
McAfee’s trillion-dollar estimate is questioned even by the three independent researchers from Purdue University whom McAfee credits with analyzing the raw data from which the estimate was derived. "I was really kind of appalled when the number came out in news reports, the trillion dollars, because that was just way, way large," said Eugene Spafford, a computer science professor at Purdue.
Spafford was a key contributor to McAfee’s 2009 report, "Unsecured Economies: Protecting Vital Information" (PDF). The trillion-dollar estimate was first published in a news release that McAfee issued to announce the report; the number does not appear in the report itself. A McAfee spokesman told ProPublica the estimate was an extrapolation by the company, based on data from the report. McAfee executives have mentioned the trillion-dollar figure on a number of occasions, and in 2011 McAfee published it once more in a new report, "Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency" (PDF).
In addition to the three Purdue researchers who were the report’s key contributors, 17 other researchers and experts were listed as contributors to the original 2009 report, though at least some of them were only interviewed by the Purdue researchers. Among them was Ross Anderson, a security engineering professor at University of Cambridge, who told ProPublica that he did not know about the $1 trillion estimate before it was announced. "I would have objected at the time had I known about it," he said. "The intellectual quality of this ($1 trillion number) is below abysmal."
I joined the Madeleine Brand show this morning for a radio discussion around news that LulzSec has disbanded, and/or re-absorbed by the primordial ooze of Anonymous from whence they came. Listen here. Background in this Boing Boing post from earlier today.
Elinor Mills at CNET has posted a chronological chart that documents recently publicized hacking events:
By our count, there have been more than 40 computer attacks, network intrusions, or data breaches in the last few months. And they seem to be a daily occurrence.The chart shows which hackers and groups are identified as being behind each attack, and the methods and motives believed to be involved. As you skim through, remember that the date on which a given hack is made public isn't necessarily the date that target was breached: sometimes, a breach occurs long before the target or the attacker tells the world about it.
Mills adds that CNET will to update the chart as time goes on, and they're soliciting updates.
The Pentagon's first formal cyber strategy, unclassified portions of which are expected to become public next month, represents an early attempt to grapple with a changing world in which a hacker could pose as significant a threat to U.S. nuclear reactors, subways or pipelines as a hostile country's military. In part, the Pentagon intends its plan as a warning to potential adversaries of the consequences of attacking the U.S. in this way. "If you shut down our power grid, maybe we will put a missile down one of your smokestacks," said a military official.
On Friday, the FBI shut down three of the world's most popular online poker sites, replacing their home pages with the message: "This domain name has been seized by the F.B.I. pursuant to an Arrest Warrant."
Former Boing Boing guest-blogger Joe Menn at the Financial Times nails the story first and best, and describes it as "the largest crackdown since Congress banned electronic gambling transactions in 2006." More:
In an indictment unsealed on Friday, the government accused the creators of Full Tilt Poker, PokerStars and Absolute Poker of illegal gambling, money laundering and bank fraud.Read the full FT story here. The LA Times also has coverage here and here, and here is a response by the owners of Full Tilt Poker.
The government also filed a $3bn civil suit seeking to recover profit at the companies, which are based in other countries but have the three largest shares of the US market. They seized bank accounts and the website addresses used by all three, replacing the latter with warnings that managing or owning a gambling business is a crime.
None of companies could be reached for comment. The disruption of their sites and the seizure of funds could make it hard for them to do business and might dissuade some people from playing cards online.
The office of NASA's Inspector General released a report this week titled "Inadequate Security Practices Expose Key NASA Network to Cyberattack," which details pretty much what it says on the tin: the International Space Station, the Hubble telescope, the space shuttle, and other key assets were made vulnerable back in 2009 when hackers penetrated the NASA computer network that controls them.
The vulnerabilities have since been addressed, but NASA still lacks a recommended cybersecurity oversight progam to reduce future risks.
Also in 2009, hackers stole 22 gigabytes of export-controlled data from the Jet Propulsion Laboratory and opened links between the NASA network and 3,000 foreign IP addresses.
NASA has closed the worst holes in its system, according to the audit released Monday, but other risks will remain until NASA establishes IT safeguards for the entire agency. NASA says it will do that by the end of the fiscal year Sept. 30. NASA said in a statement Tuesday that its chief information officer will work with NASA centers, including Huntsville's Marshall Space Flight Center, to make sure computers are secure.
And more about the past intrusions, directly from the NASA Inspector General's report:
Image: Nicholas Webber, who will spend the next five years in jail. Photograph: Gavin Rodgers, via Guardian.
The web forum, which had 8,000 members worldwide, has been linked to hundreds of thousands of pounds of registered losses on 65,000 bank accounts. Nicholas Webber, the site's owner and founder, was arrested in October 2009 with the site's administrator, Ryan Thomas, after trying to pay a £1,000 hotel bill using stolen card details. They were then 18 and 17. Webber was jailed for five years on Wednesday and Thomas for four years.
After seizing Webber's laptop, police discovered details of 100,000 stolen credit cards and a trail back to the Gh0stMarket website. Webber and Thomas jumped bail that December, fleeing to Majorca, but were rearrested when they flew back to Gatwick airport on 31 January 2010.
Southwark crown court was told how public-school-educated Webber, the son of a former Guernsey politician, was using an offshore bank account in Costa Rica to process funds from the frauds. After his initial arrest, Webber threatened on a forum to blow up the head of the police e-crimes unit in retaliation, and used his hacking skills to trace officers' addresses.
Teenagers jailed for running £16m internet crime forum (Guardian, via Brian Krebs)
Security reporter Brian Krebs has a fascinating piece up on Pavel Vrublevsky, founder of Russia's biggest online payment processor, ChronoPay. Krebs reports that this man also co-owns Rx-Promotion, an online pharmacy that sells tens of millions of US dollars worth of controlled pills to Americans each year: Valium, Percocet, Tramadol, Oxycodone, and other substances with high street resale value. Just before Krebs arrived in Russia to meet with Vrublevsky, "several truckloads of masked officers from Russian drug enforcement bureaus" raided a private party thrown for the top moneymakers of Rx-Promotion (that's their promotional banner, above). Snip:
Russian Cops Crash Pill Pusher Party (via Joseph Menn)
I hadn't told Vrublevsky that I was coming to Russia before I arrived on Feb. 8. But I wasted no time in phoning him via Skype, using the line he normally calls me on several times a week.
"Duuuuuuuudddde!," he answers. "It's 7 a.m. where you are, who died?"
I reply that I am in fact in his time zone and that we should meet. After another long "Duuuuuuuuddde!" Vrublevsky promises to send a car if I will wait in the hotel lobby. He tells me he'll be sending along with the driver his receptionist, named Vera. He proceeds to describe Vera as this grossly overweight, unattractive older lady but, hey, she speaks English and knows how to deal with Westerners, so she's coming, he says.
Fifteen minutes later, I am seated in the lobby waiting for Vera, watching incoming guests as they stomp off snow and trudge through the hotel's revolving door. I find it difficult to avoid staring at this unusually attractive, slender, dark-haired young woman standing nervously just beside the door. I notice she also keeps glancing at me. Finally, she comes over and asks if my name is Brian. I am momentarily alarmed (I know next to no one in Moscow yet) until she says her name is Vera and I suddenly remember with a smile why I can trust almost nothing of what comes out of Vrublevsky's mouth.
This. Note the dot-mil and dot-govs, and good heavens, the affordable pricing. Fascinating story behind the screengrab over at Krebs on Security.
Two suspects are charged with federal crimes for hacking AT&Ts website in 2010 to obtain personal data of more than 100,000 iPad users. From Kim Zetter's Wired News piece:
Daniel Spitler, 26, of San Francisco, Calif., was charged in New Jersey on Tuesday with one count of identity fraud and one count of conspiracy to access a computer without authorization. Andrew Auernheimer, 25, of Fayetteville, Ark., was charged in Arkansas for the same crimes.The chat transcripts really do say it all:
Spitler: I hit fucking oilTwo Charged in AT&T Hack of IPad Customer Data (Wired News)
Auernheimer: loooool nice
Spitler: If I can get a couple thousand out of this set where can we drop this for max lols?
Auernheimer: dunno i would collect as much data as possible the minute its dropped, itll be fixed BUT valleywag i have all the gawker media people on my facecrook friends after goin to a gawker party
Information designer Jess Bachman's latest creation explores the "financial motivations and transaction that take place in the underground malware and trojan markets." The flow chart "follows the point of infection to monetary gain of the botmasters, scammers and fraudsters who operate these nefarious lines of code." View the full image.
I suppose I can boil down my complaints about U.S. law enforcement's attempts to do something effective about rampant and metastasizing cybercrime to two things. The first is that our guys don't have good relations with Russia and other countries that are knowingly harboring the worst criminals. And the second is that they don't have bad relations with those countries--not bad enough to blow the whistle.
Instead, U.S. authorities are the co-dependents in a perennially depressing romance, always thinking that real change in their partner is right around the corner. Think about Lucy holding the football for Charlie Brown.
After spending a couple of vacation days this week at a cybercrime conference aimed mostly at bankers--'cause hey, that's how I roll--I'm still convinced that we are in much bigger trouble than people realize. The Zeus family of financial computer trojans, which are probably on millions of PCs and often escape the notice of antivirus software, is truly impressive. Even if your bank cares enough about you to hand over a gadget with ever-changing one-time passwords, Zeus can intercept them and do other neat tricks, like redirecting you to a "down for maintenance" page while it cleans out your account. It can then do math on the fly so that when you check your balance, it appears to be right where it should be. I'm pretty sure it can walk on its hands while juggling with its feet, but you should check with one of the people who have lost or nearly lost their businesses, like Karen McCarthy. Read the rest
Read the rest
As a fan of BoingBoing dating from a decade ago, when it was delivered on horseback, I wanted to share something positive with fellow readers in my first guest post. Unfortunately, the thing I've been most passionate about in my reporting and writing since 1999--cybercrime and tech security--doesn't lend itself to much that's happy. What I'm offering today is a compromise. It was good news to me personally, and it will be good news to those of you who have my read my book, Fatal System Error. For the rest of you, it won't be pleasant, and I'm sorry about that.
On Friday, I got a Skype message from a longtime source of mine: "My friend got his daughter back." We spoke on Sunday, and I will tell you what I can from that talk. To begin with, though, my source uses the fake name Jart Armin of HostExploit.
Like the people who work at Spamhaus, Jart is one of those people dedicated to tracking the worst cyber gangs who works in anonymity in order to protect himself. I don't like quoting people I can't name, but I did so in the book with Jart because he has done important research and because he is entirely right to be afraid of the people he has been tracking.
To explain that in the book, I briefly told the story of a colleague of Jart's who was investigating mob activity in St. Petersburg, Russia. The colleague made the mistake of working with the local police. Before he finished his assignment, the man's teenage daughter was kidnapped from her Western country, and the investigator got a message that if he dropped the case, the rest of his children might be okay.
That was five years ago. I had to leave the story hanging in the book because there had been no closure. A couple of weeks ago, the man got a new message. His daughter was in Kazakhstan, and he could have her back as long as he agreed not to look into certain of the gang's activities. One factor in the change of heart was the additional attention that Fatal System Error brought to the mob. The family has been reunited, though the young woman is not the same as she was. She was fed drugs and used to service men. A grim story, but at least it has an ending now, and I wanted to update those who knew the first part.
There are many reasons why cybercrime is as bad as it is, and getting much worse. One of them is lack of awareness of how dangerous and well-connected the gangs are. The most serious identity thieves and fraudsters are not isolated teenage script kiddies. They are mobsters who kill people, and worse, though those stories are seldom told. Folks need to know just how bad they are, every bit as much as they need to know the stories of the heroes who are risking their lives to stop them.