Boing Boing » cybercrime

Cybercrime, patent-theft numbers are total bullshit

Cory Doctorow — Sat, 04 Aug 2012 06:42:07 +0000

In case there was any doubt in your mind, the alleged $1T cost to America from cyberwar and the $250B cost to America from "cyber-theft of Intellectual property" are both total bullshit. Pro Publica breaks it down.

One of the figures Alexander attributed to Symantec — the $250 billion in annual losses from intellectual property theft — was indeed mentioned in a Symantec report, but it is not a Symantec number and its source remains a mystery.
McAfee’s trillion-dollar estimate is questioned even by the three independent researchers from Purdue University whom McAfee credits with analyzing the raw data from which the estimate was derived. "I was really kind of appalled when the number came out in news reports, the trillion dollars, because that was just way, way large," said Eugene Spafford, a computer science professor at Purdue.
Spafford was a key contributor to McAfee’s 2009 report, "Unsecured Economies: Protecting Vital Information" (PDF). The trillion-dollar estimate was first published in a news release that McAfee issued to announce the report; the number does not appear in the report itself. A McAfee spokesman told ProPublica the estimate was an extrapolation by the company, based on data from the report. McAfee executives have mentioned the trillion-dollar figure on a number of occasions, and in 2011 McAfee published it once more in a new report, "Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency" (PDF).
In addition to the three Purdue researchers who were the report’s key contributors, 17 other researchers and experts were listed as contributors to the original 2009 report, though at least some of them were only interviewed by the Purdue researchers. Among them was Ross Anderson, a security engineering professor at University of Cambridge, who told ProPublica that he did not know about the $1 trillion estimate before it was announced. "I would have objected at the time had I known about it," he said. "The intellectual quality of this ($1 trillion number) is below abysmal."

Does Cybercrime Really Cost $1 Trillion? (via /.)

Report: complexity of cyberspying botnets greater than previously known

Xeni Jardin — Mon, 30 Jul 2012 14:42:55 +0000

Brian Krebs interviews Joe Stewart, a security researcher "who’s spent 18 months cataloging and tracking malicious software that was developed and deployed specifically for spying on governments, activists and industry executives." Speaking at Defcon in Las Vegas, Stewart says the "complexity and scope of these cyberspy networks now rivals many large conventional cybercrime operations.

LulzSec disbands, Anonymous dumps, what's next in #Antisec? Xeni on The Madeleine Brand radio show

Xeni Jardin — Mon, 27 Jun 2011 05:48:45 +0000

I joined the Madeleine Brand show this morning for a radio discussion around news that LulzSec has disbanded, and/or re-absorbed by the primordial ooze of Anonymous from whence they came. Listen here. Background in this Boing Boing post from earlier today.

Keeping up with the pwnses: CNET's spreadsheet of recent hacking attacks

Xeni Jardin — Fri, 17 Jun 2011 07:14:03 +0000

Elinor Mills at CNET has posted a chronological chart that documents recently publicized hacking events:

By our count, there have been more than 40 computer attacks, network intrusions, or data breaches in the last few months. And they seem to be a daily occurrence.

The chart shows which hackers and groups are identified as being behind each attack, and the methods and motives believed to be involved. As you skim through, remember that the date on which a given hack is made public isn't necessarily the date that target was breached: sometimes, a breach occurs long before the target or the attacker tells the world about it.

Mills adds that CNET will to update the chart as time goes on, and they're soliciting updates.

Here's a link to the article, and here's a direct link to the spreadsheet.

Pentagon: Hacking can count as an act of war

Xeni Jardin — Tue, 31 May 2011 03:55:14 +0000

The Wall Street Journal broke the news yesterday that the Pentagon has concluded that hacking and other forms of digital sabotage that originate from other countries can be considered an act of war. This means that for the first time, the U.S. is in the position of possibly responding to an online attack with offline "traditional military force." Guns, troops, drones, bombs.

The Pentagon's first formal cyber strategy, unclassified portions of which are expected to become public next month, represents an early attempt to grapple with a changing world in which a hacker could pose as significant a threat to U.S. nuclear reactors, subways or pipelines as a hostile country's military. In part, the Pentagon intends its plan as a warning to potential adversaries of the consequences of attacking the U.S. in this way. "If you shut down our power grid, maybe we will put a missile down one of your smokestacks," said a military official.

Read the whole article here. If the paywall locks you out, MSNBC has a related piece.

FBI shuts down poker sites in online gambling crackdown

Xeni Jardin — Sat, 16 Apr 2011 02:41:35 +0000

On Friday, the FBI shut down three of the world's most popular online poker sites, replacing their home pages with the message: "This domain name has been seized by the F.B.I. pursuant to an Arrest Warrant."

Former Boing Boing guest-blogger Joe Menn at the Financial Times nails the story first and best, and describes it as "the largest crackdown since Congress banned electronic gambling transactions in 2006." More:

In an indictment unsealed on Friday, the government accused the creators of Full Tilt Poker, PokerStars and Absolute Poker of illegal gambling, money laundering and bank fraud.
The government also filed a $3bn civil suit seeking to recover profit at the companies, which are based in other countries but have the three largest shares of the US market. They seized bank accounts and the website addresses used by all three, replacing the latter with warnings that managing or owning a gambling business is a crime.
None of companies could be reached for comment. The disruption of their sites and the seizure of funds could make it hard for them to do business and might dissuade some people from playing cards online.

Read the full FT story here. The LA Times also has coverage here and here, and here is a response by the owners of Full Tilt Poker.

NASA cybersecurity report: ISS, Hubble, Shuttle vulnerable when hackers penetrated NASA network

Xeni Jardin — Sat, 02 Apr 2011 03:58:37 +0000

The office of NASA's Inspector General released a report this week titled "Inadequate Security Practices Expose Key NASA Network to Cyberattack," which details pretty much what it says on the tin: the International Space Station, the Hubble telescope, the space shuttle, and other key assets were made vulnerable back in 2009 when hackers penetrated the NASA computer network that controls them.

The vulnerabilities have since been addressed, but NASA still lacks a recommended cybersecurity oversight progam to reduce future risks.

Also in 2009, hackers stole 22 gigabytes of export-controlled data from the Jet Propulsion Laboratory and opened links between the NASA network and 3,000 foreign IP addresses.
NASA has closed the worst holes in its system, according to the audit released Monday, but other risks will remain until NASA establishes IT safeguards for the entire agency. NASA says it will do that by the end of the fiscal year Sept. 30. NASA said in a statement Tuesday that its chief information officer will work with NASA centers, including Huntsville's Marshall Space Flight Center, to make sure computers are secure.

And more about the past intrusions, directly from the NASA Inspector General's report:

We found that computer servers on NASA's Agency-wide mission network had high-risk vulnerabilities that were exploitable from the Internet. Specifically, six computer servers associated with IT assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable. Moreover, once inside the Agency-wide mission network, the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA's operations. We also found network servers that revealed encryption keys, encrypted passwords, and user account information to potential attackers. These data are sensitive and provide attackers additional ways to gain unauthorized access to NASA networks. These deficiencies occurred because NASA hadnot fully assessed and mitigated risks to its Agency-wide mission network and was slow to assign responsibility for IT security oversight to ensure the network was adequately protected. In a May 2010 audit report, we recommended that NASA immediately establish an IT security oversight program for this key network.
However, even though the Agency concurred with the recommendation it remained unimplemented as of February 2011.

Direct link to the Inspector General's cybersecurity audit here.

(thanks, Miles O'Brien)

3 teens behind internet crime forum Gh0stMarket get jail

Xeni Jardin — Thu, 03 Mar 2011 00:36:19 +0000

The Guardian reports that three UK teenagers who created and ran "one of the world's largest English-language internet crime forums," described in court as "Crimebook", have been sentenced to up to 5 years in jail. Authorities estimated that losses from credit card data traded over Gh0stMarket.net totaled more than $26 million dollars. Threatening to blow up the head of the police unit in charge of internet crimes after an earlier arrest was probably an unwise move:

The web forum, which had 8,000 members worldwide, has been linked to hundreds of thousands of pounds of registered losses on 65,000 bank accounts. Nicholas Webber, the site's owner and founder, was arrested in October 2009 with the site's administrator, Ryan Thomas, after trying to pay a £1,000 hotel bill using stolen card details. They were then 18 and 17. Webber was jailed for five years on Wednesday and Thomas for four years.
After seizing Webber's laptop, police discovered details of 100,000 stolen credit cards and a trail back to the Gh0stMarket website. Webber and Thomas jumped bail that December, fleeing to Majorca, but were rearrested when they flew back to Gatwick airport on 31 January 2010.
Southwark crown court was told how public-school-educated Webber, the son of a former Guernsey politician, was using an offshore bank account in Costa Rica to process funds from the frauds. After his initial arrest, Webber threatened on a forum to blow up the head of the police e-crimes unit in retaliation, and used his hacking skills to trace officers' addresses.

Image: Nicholas Webber, who will spend the next five years in jail. Photograph: Gavin Rodgers, via Guardian.

Teenagers jailed for running £16m internet crime forum (Guardian, via Brian Krebs)

Tracing the pill-trails to America from Russia's e-pharmacy underworld

Xeni Jardin — Thu, 24 Feb 2011 11:07:15 +0000

Security reporter Brian Krebs has a fascinating piece up on Pavel Vrublevsky, founder of Russia's biggest online payment processor, ChronoPay. Krebs reports that this man also co-owns Rx-Promotion, an online pharmacy that sells tens of millions of US dollars worth of controlled pills to Americans each year: Valium, Percocet, Tramadol, Oxycodone, and other substances with high street resale value. Just before Krebs arrived in Russia to meet with Vrublevsky, "several truckloads of masked officers from Russian drug enforcement bureaus" raided a private party thrown for the top moneymakers of Rx-Promotion (that's their promotional banner, above). Snip:

I hadn't told Vrublevsky that I was coming to Russia before I arrived on Feb. 8. But I wasted no time in phoning him via Skype, using the line he normally calls me on several times a week.
"Duuuuuuuudddde!," he answers. "It's 7 a.m. where you are, who died?"
I reply that I am in fact in his time zone and that we should meet. After another long "Duuuuuuuuddde!" Vrublevsky promises to send a car if I will wait in the hotel lobby. He tells me he'll be sending along with the driver his receptionist, named Vera. He proceeds to describe Vera as this grossly overweight, unattractive older lady but, hey, she speaks English and knows how to deal with Westerners, so she's coming, he says.
Fifteen minutes later, I am seated in the lobby waiting for Vera, watching incoming guests as they stomp off snow and trudge through the hotel's revolving door. I find it difficult to avoid staring at this unusually attractive, slender, dark-haired young woman standing nervously just beside the door. I notice she also keeps glancing at me. Finally, she comes over and asks if my name is Brian. I am momentarily alarmed (I know next to no one in Moscow yet) until she says her name is Vera and I suddenly remember with a smile why I can trust almost nothing of what comes out of Vrublevsky's mouth.

Russian Cops Crash Pill Pusher Party (via Joseph Menn)

What does the front-end of an online hacker store look like?

Xeni Jardin — Fri, 21 Jan 2011 08:25:16 +0000

This. Note the dot-mil and dot-govs, and good heavens, the affordable pricing. Fascinating story behind the screengrab over at Krebs on Security.

Two dudes seeking "maximum lols" charged in AT&T iPad hack case

Xeni Jardin — Tue, 18 Jan 2011 08:33:52 +0000

Two suspects are charged with federal crimes for hacking AT&Ts website in 2010 to obtain personal data of more than 100,000 iPad users. From Kim Zetter's Wired News piece:

Daniel Spitler, 26, of San Francisco, Calif., was charged in New Jersey on Tuesday with one count of identity fraud and one count of conspiracy to access a computer without authorization. Andrew Auernheimer, 25, of Fayetteville, Ark., was charged in Arkansas for the same crimes.

The chat transcripts really do say it all:

Spitler: I hit fucking oil
Auernheimer: loooool nice
Spitler: If I can get a couple thousand out of this set where can we drop this for max lols?
Auernheimer: dunno i would collect as much data as possible the minute its dropped, itll be fixed BUT valleywag i have all the gawker media people on my facecrook friends after goin to a gawker party

Two Charged in AT&T Hack of IPad Customer Data (Wired News)

The Business of Malware

Xeni Jardin — Thu, 16 Dec 2010 03:49:11 +0000

Information designer Jess Bachman's latest creation explores the "financial motivations and transaction that take place in the underground malware and trojan markets." The flow chart "follows the point of infection to monetary gain of the botmasters, scammers and fraudsters who operate these nefarious lines of code." View the full image.

Keep Your 40 Acres, Just Send the Mules

Joseph Menn — Fri, 05 Nov 2010 05:00:32 +0000

I suppose I can boil down my complaints about U.S. law enforcement's attempts to do something effective about rampant and metastasizing cybercrime to two things. The first is that our guys don't have good relations with Russia and other countries that are knowingly harboring the worst criminals. And the second is that they don't have bad relations with those countries--not bad enough to blow the whistle.

Instead, U.S. authorities are the co-dependents in a perennially depressing romance, always thinking that real change in their partner is right around the corner. Think about Lucy holding the football for Charlie Brown.

After spending a couple of vacation days this week at a cybercrime conference aimed mostly at bankers--'cause hey, that's how I roll--I'm still convinced that we are in much bigger trouble than people realize. The Zeus family of financial computer trojans, which are probably on millions of PCs and often escape the notice of antivirus software, is truly impressive. Even if your bank cares enough about you to hand over a gadget with ever-changing one-time passwords, Zeus can intercept them and do other neat tricks, like redirecting you to a "down for maintenance" page while it cleans out your account. It can then do math on the fly so that when you check your balance, it appears to be right where it should be. I'm pretty sure it can walk on its hands while juggling with its feet, but you should check with one of the people who have lost or nearly lost their businesses, like Karen McCarthy.

But I also spoke to the Secret Service and FBI delegates to the conference, and they gave me a glimmer of hope that I would like to fan into a faint glow. It wasn't their accounts of the five big cheese Ukranians detained recently in a $70 million Zeus case, though that was certainly a good thing. Those men still haven't been charged, let alone convicted and sent to jail; the FBI man grimaced when I asked about the chances for locking up Zeus' Russian author; and forensics maven Gary Warner reported this morning that new Zeus control servers are popping up every day.

What cheered me was that they showed more pragmatism and less bust-down-the-doors machismo than I have ever seen in high-level feds. They are making slow progress in tough spots like Ukraine, they said, in part because the criminals screwed up and started attacking their countrymen. If every other country starts cooperating, pressure on Russia will grow. In the meantime, they are seizing servers, building intelligence on 50 top criminals, and disrupting their networks when they can.

Looking at the big picture, they see that the current bottleneck for the mobsters is the mules--the tens of thousands of people in the U.S. alone who often unwittingly accept transfers from compromised accounts, take a cut, and wire the rest overseas. The cyber gangs have access to more bank money than they can get out of the country.

So that's why the FBI made a big deal out of picking up some dozens of mules a few weeks back. Arrests and news conferences get precious TV time and stories, which can alert people that those work-from-home payment processing jobs are a really bad idea. Like the occasional fall of one or another honcho or botnet, the removal of scores of low-level employees won't do much to stem the tide. But an amplified message could reduce access to some of the kingpins' most precious assets, and it's certainly a worthwhile thing to try.

Something else seems increasingly doable as well, but that calls for a broader effort from outside law enforcement. The recent Zeus cases depended on work by outside security researchers, who often know far more than the cops. I would really like to see more such collaboration. I don't see why thousands of people would work together on such open-source projects as Linux and Mozilla and not on something so core to defending the Internet as a reasonable place to exist.

This marks the end of my guest-blogging stint here at BoingBoing, and I want to thank my gracious hosts and all of you for reading. You can always follow me at @josephmenn.

Good news, of a kind, from a dark world

Joseph Menn — Tue, 26 Oct 2010 06:52:12 +0000

As a fan of BoingBoing dating from a decade ago, when it was delivered on horseback, I wanted to share something positive with fellow readers in my first guest post. Unfortunately, the thing I've been most passionate about in my reporting and writing since 1999--cybercrime and tech security--doesn't lend itself to much that's happy. What I'm offering today is a compromise. It was good news to me personally, and it will be good news to those of you who have my read my book, Fatal System Error. For the rest of you, it won't be pleasant, and I'm sorry about that.

On Friday, I got a Skype message from a longtime source of mine: "My friend got his daughter back." We spoke on Sunday, and I will tell you what I can from that talk. To begin with, though, my source uses the fake name Jart Armin of HostExploit.

Like the people who work at Spamhaus, Jart is one of those people dedicated to tracking the worst cyber gangs who works in anonymity in order to protect himself. I don't like quoting people I can't name, but I did so in the book with Jart because he has done important research and because he is entirely right to be afraid of the people he has been tracking.

To explain that in the book, I briefly told the story of a colleague of Jart's who was investigating mob activity in St. Petersburg, Russia. The colleague made the mistake of working with the local police. Before he finished his assignment, the man's teenage daughter was kidnapped from her Western country, and the investigator got a message that if he dropped the case, the rest of his children might be okay.

That was five years ago. I had to leave the story hanging in the book because there had been no closure. A couple of weeks ago, the man got a new message. His daughter was in Kazakhstan, and he could have her back as long as he agreed not to look into certain of the gang's activities. One factor in the change of heart was the additional attention that Fatal System Error brought to the mob. The family has been reunited, though the young woman is not the same as she was. She was fed drugs and used to service men. A grim story, but at least it has an ending now, and I wanted to update those who knew the first part.

There are many reasons why cybercrime is as bad as it is, and getting much worse. One of them is lack of awareness of how dangerous and well-connected the gangs are. The most serious identity thieves and fraudsters are not isolated teenage script kiddies. They are mobsters who kill people, and worse, though those stories are seldom told. Folks need to know just how bad they are, every bit as much as they need to know the stories of the heroes who are risking their lives to stop them.

Welcome to the Boing Boing guestblog, Joseph Menn!

Xeni Jardin — Tue, 26 Oct 2010 07:32:38 +0000

I am delighted to welcome author and journalist Joseph Menn (web / Twitter / Facebook) to Boing Boing as guestblogger. His most recent book, Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet, was published this January in the US and comes out today in an updated paperback form.

From his bio:

Menn has spoken at major security conferences including RSA, Black Hat DC and DefCon on his findings, which include hard evidence that the governments of Russia and China are protecting and directing the behavior of some of the world's worst cyber-criminals. He also has given invited talks at meetings convened by the US Secret Service and Federal Deposit Insurance Corp.
"Fatal System Error accurately reveals the secretive global cyber cartels and their hidden multibillion-dollar business, proving cybercrime does pay and pays well," said Richard A. Clarke, special advisor to President George W. Bush for cyber security. The New Yorker magazine said it was "riveted" by the tale, comparing it to the novels of Stieg Larsson, while Business Week called it "a fascinating high-tech whodunit." Fatal System Error has been placed on the official reading list of the US Strategic Command and is being translated into Chinese, Japanese and Korean.
Menn has reported on technology for more than a decade at the Financial Times and the Los Angeles Times, mostly from his current base in San Francisco. His coverage areas for the FT include technology security and privacy, digital media, and Apple and the PC industry.

He is a two-time finalist for the Loeb Award, the most prestigious in financial journalism, for coverage of Microsoft and the Hollywood writers' strike. Earlier, he won a "Best in Business" award from the Society of American Business Editors and Writers for tobacco coverage at Bloomberg News, where as legal editor he directed stories that revealed the landmark settlement talks between the cigarette companies and the states.
His previous books include All the Rave: The Rise and Fall of Shawn Fanning's Napster, the definitive 2003 work selected as a book-of-the-year finalist by the trade group Investigative Reporters & Editors Inc. "All the Rave" reversed the conventional wisdom on what had been the most exhaustively covered start-up of the era. The New York Times wrote it "provides a well-documented history of one of the most celebrated collapses of the Internet. But it goes far deeper, giving an inside account of the creation of Napster, the battle for its control and the maneuvering by big Silicon Valley names to try to turn music piracy into gold."
Menn is also co-author of The People Vs. Big Tobacco: How the States Took on the Cigarette Giants (1998) and a principal editor of The Chronology: The Documented Day-by-Day Account of the Secret Military Assistance to Iran and the Contras (1987). He has taught advanced technology and business writing at the University of California at Berkeley's graduate school of journalism and lectured at other universities and conferences.