The Rise of Cybercrime
1970 through 2010

A tour of the conditions that gave rise to cybercrime and the crimes themselves

Kelly White

© Kelly White – 2013

Introduction

Computer crime has changed from a 1970s characterization of hobbyists committing pranks and ‘exploring’ computer systems to a present-day horizontally integrated industry of exploit researchers, malware writers, hackers, fraudsters, and money mules that cause hundreds of millions of dollars in damages annually. The articles below illustrate the juxtaposition of computer crimes from earlier decades with those of the present.

Teaching Hackers Ethics
Newsweek – January 14, 1985
The parents of "Echo Man," 16, "Three Rocks," 15, and "Uncle Sam," 17, probably thought they were in their rooms doing homework. Instead, the Burlingame, Calif., teen-agers were programming their Apples to scan the Sprint telephone-service computers for valid access numbers, which they used to make free calls. The hackers then posted the numbers on an electronic bulletin board, so others could share in the spoils. That was their undoing. Local police, who had been monitoring the bulletin board, raided each of the hackers' homes last month and found enough evidence to charge them with felony theft and wire fraud.

FBI: Cyber crooks stole $40M from U.S. small, mid-sized firms [1]
Washington Post, Brian Krebs – October 26, 2009
Cyber criminals have stolen at least $40 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud, the FBI said this week. According to the FBI and other fraud experts, the perpetrators have stuck to the same basic tactics in each attack. They steal the victim’s online banking credentials with the help of malicious software distributed through spam. The intruders then initiate a series of unauthorized bank transfers out of the company’s online account…

How do you explain the typical computer crime making the leap from petty phone access theft in the 70s to huge heists in the 00s? As it turns out, in each decade, the computer crimes fit pretty well with the demographics of their time. The type and frequency of computer crime occurring in each decade seem to have been shaped by three demographics:

• The number of computers online
• The type and amount of online commerce
• The globalization of Internet use

[1] http://voices.washingtonpost.com/securityfix/2009/10/fbi_cyber_gangs_stole_40mi.html

The number of crime targets is limited by the number of computers online. The profitability of a target is dependent on the type of commerce being conducted on the computers. And the likelihood of being caught is positively correlated with the effectiveness of law enforcement in prosecuting crimes, which, I have observed, is inversely proportional to the globalization of the Internet.

As these demographics evolved, so too did the crime.

The Perfect Conditions for Crime

What are the perfect conditions for crime? How about easy targets, high profits, and very little chance of being caught?

That is what the Internet provides – lots of easy targets, with 250 million people online in the U.S. alone and with very weak security. An almost guaranteed high return – over 72 million people in the U.S. conducting banking online. And little chance of being caught – attribution of crime on the Internet is nearly impossible and governments don’t have the resources to handle the volume, let alone the high cost of international investigations. They successfully prosecute a few per year for publicity, but little else. The Internet is the perfect place to commit crime.

It took until the late 1990s for these conditions to mature and converge to create the perfect storm. Before that, essential elements were missing – people, connectivity, commerce, and insecurity.

Computers and Connectivity

The first dimension to be set in motion was personal and commercial use of computers in the mid-1970s. In the 70s there weren’t very many computer systems and they weren’t interconnected. In the 80s private citizen computer ownership started ramping up, but connectivity was limited largely to computer-to-computer modem services, and access to the Internet was restricted to government and universities. In the 90s the government opened up the Internet to commercial and then public access. By the end of the decade, about half of the U.S. population was ‘online’.

+ Commerce

The explosion of online commerce was another important ingredient in creating the cyber crime environment. Without commerce, all the potential targets connected to the Internet are just targets. With commerce, computers become rich targets – credit card processing systems and automated tellers. In 2000, 40 million people in the U.S. had ever bought something online [2]. By 2008, that number reached 201 million [3]. Nearly everyone who can shop online does shop online.

In 1998, 8 million people in the U.S. were conducting banking online. By 2012 that grew to 72 million – 28% of online users and fully 23% of the entire U.S. population!

[2] http://www.pewInternet.org/Reports/2002/Getting-Serious-Online-As-Americans-Gain-Experience-They-Pursue-More-Serious-Activities.aspx
[3] http://www.pewInternet.org/Reports/2008/Online-Shopping.aspx?r=1

+ Insecurity

The build out of the Internet network infrastructure and the connected systems was fast and furious. At this pace, all focus was on features and functionality. Little thought was given to the consequences of the risks and to the security requirements of such a critical, complex infrastructure. As a security consultant in the late 1990s, I examined up close the lack of security controls in even critical infrastructure. On one engagement, my co-worker and I were called up on short notice to conduct an Internet perimeter test of a company that provided core processing services to credit unions. One of their services was outsourced Internet Banking. Compromising their perimeter was simple, taking about 10 minutes. We scanned their public address space for common ports, noticed 135 and 139 were listening on their Internet Banking server, established a net session and went to work guessing the administrator account password. The password was ‘snow’. It was easy pickings from there. Towards the end of the engagement, I met on-site with the company’s system administrators to discuss the findings. In response to my recommendations they asked, “What is a firewall?”

+ Internationalization and No Law Enforcement

In 1998 – 1999 about 80% of the people using the Internet were U.S. citizens and about 95% were U.S. citizens or citizens of U.S. allied countries. [4] Under these conditions, serious computer crimes could be investigated and prosecuted because the crimes were largely occurring from within the borders of governments that were willing to cooperate in cyber crime investigations. This acted as a deterrent of sorts, deterring many people from committing really serious cyber crimes.

Even into 2000, people using the Internet in developing economies were limited to the professional class – people in government, education, and industry – due to Internet access constraints. As Internet accessibility increased and cost decreased, non-professionals quickly got online. By 2005, the number of Internet users in BRIC countries – Brazil, Russia, India, and China – surpassed the number of Internet users in the U.S. Among these Internet users were, as in other countries, criminals. The difference this time, though, was that governments proved inept in dealing with the volume, the costs, and the international legal and political barriers of prosecuting crime. And frankly, non-U.S. allies were and continue to not be seriously interested in assisting other countries in criminal investigations. Ever contact a bank in Russia to request that they return a fraudulent wire? Ever participated in an FBI investigation that requires cooperation of Chinese authorities? Good luck.

The early financially driven international cyber crime spree in 2001 – 2002 went unchecked. This encouraged additional investment in cyber crime. Success continued to meet success, which continues to spiral to where we are today.

[4] http://datafinder.worldbank.org/Internet-users

The 1970s
Environment

In the early 1970s computers were limited to large, expensive timesharing mainframe and Unix systems owned by universities, large corporations, and government agencies. In 1975 Ed Roberts released the first microcomputer for sale to the public – the MITS Altair 8080. No keyboard, no screen – just a box with toggle switches for programming and LED lights to show the output of the program. He sold 2,000 of the systems the first year. The following year, Steve Jobs and Steve Wozniak released the Apple I. Again, no keyboard or screen. By the end of 1976 computing enthusiasts had purchased 40,000 microcomputers. [5] In 1977, the Apple II, the Tandy TRS-80 (I cut my teeth programming on this model), and the Commodore PET brought visual displays and keyboards to the market. People purchased 150,000 of these systems. [6]

[5] http://jeremyreimer.com/postman/node/329
[6] http://arstechnica.com/old/content/2005/12/total-share.ars

http://en.wikipedia.org/wiki/File:WIntHosts1981-2009.jpg

Computer communications were pretty limited. The government, military, and a few universities had ARPANET and X.25 networks. The public was limited to modem-based computer-to-computer phone calls, which was fine for dialing computers in your area, but a bit of a problem for those a long distance call away. The killer app for computer communications was Bulletin Board System software, which first came to public life, courtesy of Randy Suess, during a snowstorm in February 1978. This development connected computer enthusiasts across the U.S. in an electronic underground where they could publish ideas and communicate within their own realm on their own terms. From this technology the computer hacker underground took root.

While it took some time for microcomputers to take hold, the phone system was already built out and available. A large community of phone system fanatics – ‘phone phreaks’ – learned how to control the predominant phone switching system in use at the time, thanks largely to serious security flaws in the system and the publication of the details of the internal switching system in the November 1954 issue of the Bell Labs Technical Journal.

Motives and Crimes

The primary motives behind the cyber crimes of the 60s and 70s were desire for system access, curiosity, and the sense of power attained from defeating security. The phone system was the first and favorite computer system targeted. The attraction to the phone system for the pioneers of phone phreaking was not free calls, but the desire to learn the system, the desire to beat the system, and the desire to control the system. John Draper, the father of phone phreaking, when asked about the techniques he developed for gaining operator access to phone systems, published in the October 1971 issue of Esquire Magazine, stated his motive behind unauthorized system access.

From Secrets of the Little Blue Box by Ron Rosenbaum, Esquire Magazine (October 1971)

The pioneers of ‘phone phreaking’ mastered the techniques for controlling the phone system and codified them in what is now called a ‘little blue box’. The box, commonly twice the size of a cigarette case, had buttons on the front that emitted tones. These tones, if emitted at the right time and in the right sequence during a call, would yield operator access to the phone system. The benefit, of course, was free calls to anywhere in the world.

Computers weren’t left alone. The first edition of Creative Computing magazine, published in 1976, had an article titled “Is Breaking Into A Timesharing System A Crime?” [7]

Besides the intellectual challenge of breaking into systems, people were also motivated to break into systems simply to gain access. In the 60s and early 70s time on the university-owned computer systems was limited. Students who wanted more time developed the first password crackers and trojan software in order to get the access they wanted.

With the introduction of microcomputers and Bulletin Board Systems in the mid to late 70s, people wanted to connect to other computer systems. To foot the bill for the long-distance calls, many resorted to stealing long-distance access codes – wire fraud. Again, the primary motive to steal the access codes was not profit, but curiosity – to connect and learn.

[7] http://www.atariarchives.org/bcc1/showpage.php?page=4

The 1980s
Environment

In the 1980s the computer solidified its position in the upper income households, growing from over 1 million households with computers to in excess of 14 million by the end of the decade. In 1979, CompuServe introduced timesharing services to the public through a 100-baud service called ‘MicroNet’, with electronic mail as their first application. CompuServe added real-time messaging in 1980. By the end of 1981 they had 10,000 users. By 1987 it grew to 380,000. It was a bit pricey - $10 / hour. YouTube.com has an interesting vintage news report on the system (search ‘1981 primitive Internet report on KRON’).

Bulletin Board Systems continued to proliferate in the 80s. They didn’t have monthly access fees and were under the control of the person hosting the Board – not a corporation. The Internet continued to remain the private domain of the government and some universities.

In the 1980s the cyber world, for all intents and purposes, was a geography-centric system, bounded within countries by telecommunications infrastructure borders and high international communications costs. Any cyber crimes that occurred within a country could be effectively investigated because the attack was likely staged within the same country and there just weren’t as many to investigate.

Motives and Crimes

Hacking in the 1980s was primarily about pursuit of knowledge, building reputations, a bit of politics, and games – games of breaking into systems and pulling off pranks. The hacker underground gathered and flourished in the anonymity and freedom of the Bulletin Board System, where boards in the hundreds such as Hack-A-Trip, Hackers of America, Hi-Tech Pirates, Cult of the Dead Cow, Legion of Doom, PhoneLine Phantoms, and the Strata-Crackers formed. Through boards hackers shared their knowledge and displayed the trophies of their system exploits.

Curiosity / Reputation

The Morris Worm was among the most significant computer security events of the 1980s, a program written by Robert Morris, a graduate student at Cornell University. Though the only purpose of the worm was to propagate itself to other systems, it did degrade the performance of systems it compromised, causing significant impact to Internet-connected systems it invaded. It was estimated to

In 1988, Prophet of Legion of Doom compromised AIMSX, a BellSouth system. He did no damage, just explored. In his probing of the system he discovered a file containing information related to administration of the 911 system. Why did he download the file? It was a trophy – proof of his compromise of the system. Also, it was forbidden knowledge, and possession of forbidden knowledge was the currency with which reputation was purchased. [8]

[8] The Hacker Crackdown page 112-113

Pranking

Some system compromises were simply to pull off a prank. In June of 1989 a person compromised a Southern Bell phone switch and redirected calls made to the Palm Beach County Probation Department to “Tina,” a phone-sex worker in New York State. [9]

One of the earliest computer viruses was created as a joke. Elk Cloner, written by Rich Skrenta, spread to Apple II systems through infected floppy disks. The payload of the virus simply periodically displayed a humorous poem, in addition to replicating itself to any floppy disk inserted into an infected system.

Activism

The Department of Defense wasn’t left alone either. A Defense Data Network security bulletin was published on October 18, 1989, warning of a malicious worm attacking VMS systems on the SPAN network. [10]

Money

In 1989, a sixteen-year-old from Indiana gave an early glimpse of the future financially motivated electronic crime wave to come two decades later. Fry Guy, so referred to in the computer underground because of his compromise of a McDonald’s mainframe, developed a knack for pilfering data from credit reporting agencies and for compromising phone-switching systems. Combining these two skills, he would phone Western Union and ask for a cash advance on a stolen card. To ensure the security of transactions, Western Union had a practice of calling the card owner back to verify the authenticity of the request. Having changed the card owner’s phone number temporarily to a public pay phone, Fry Guy would answer the phone as the cardholder and authorize the transaction. [11]

[9] The Hacker Crackdown page 95
[10] http://www.textfiles.com/hacking/ddn03.hac
[11] The Hacker Crackdown page 100

The 1990s
Environment

By the end of the 1990s, the perfect conditions for cybercrime had formed: everyone was online, lots of people were conducting online banking and credit card transactions, there was a lack of legal framework and resources to prosecute cyber crime, and security was poor. Two huge events in the 1990s made this happen. The first was the invention of the World Wide Web. In 1990, Tim Berners-Lee completed his build out of all the components necessary for his ‘WorldWideWeb’ project - a web server, a web browser, a web editor, and the first web pages. In 1991, he made his project publicly available on the Internet as the ‘Web’. In a single decade, the Web grew from non-existent to over 17 million web sites. [12]

The other history-altering event was the build out of public Internet access points. In 1994, the National Science Foundation sponsored four companies to build public Internet access points – Pacific Bell, WorldCom, Sprint, and Ameritech. Within a couple of years, Joe Public declared the Internet was good and got on-line. At the beginning of the decade there were two million people on the Internet in the U.S. By the end of the decade there were 135 million.

Companies followed the public and moved their commerce channels online. The U.S. Department of Commerce reported for 1999 $5.25 billion in online travel bookings, $3.75 billion in online brokerage fees, and $15 billion in retail sales. Banks got on-line too, with 10 million people conducting banking online in 2000.

Adoption of the Internet was not just a U.S. phenomenon. Though lagging developed economies by about five years, the emerging economies got online too. By 2000, 36 million people in the BRIC countries – Brazil, Russia, India, and China – were online. While the U.S. and its Allies established reasonably functional agreements for prosecuting cyber crime, no such agreements were realized with the rest of the world. The result was, and remains today, an Internet with no functional legal system for fighting crime.

Motives and Crimes
With the millions of new systems coming online, the 1990s was a target-rich decade for hackers. Fortunately for businesses and people putting their private information online, hackers primarily made a sport of defacing websites, rather than targeting the sensitive information stored in the systems. It would take until the following decade for the criminal profiteers to figure out how to monetize computer crime.
  	
  
	
  
Sport
The most common computer crime of the 1990s was defacing websites. Hacking for ‘sport’ is a good category for these compromises. There really was no knowledge to gain, no curiosity to satisfy – just the sport of compromising web sites. Attrition.org documented many of the web site hacks through its web page hack mirror at http://attrition.org/mirror/. According to Attrition’s data, four web sites were hacked in 1995. Attrition reported 1905 websites being hacked in 1999.

12 http://www.cnn.com/2006/TECH/Internet/11/01/100millionwebsites/
  
	
  
Number of Website Defacements Reported by Attrition.org13
  
	
  

	
  
	
  
Some very high profile sites fell during the decade. In 1996, the top sites compromised included the U.S. Air Force, NASA, and the site of the British Labour Party. Sites compromised in 1997 included Stanford University, Farmers & Merchants Bank, Fox News, and Yahoo. Other high profile sites to be compromised included the U.S. Senate’s www.senate.gov, ebay.com, alashdot.org, and nytimes.com.
  	
  
	
  
The content placed on these sites ranged from ‘Free Kevin!’, to pornography; from taunting messages like ‘Look you sorry ass system admin…’, to security advice such as ‘Stop using old versions of FTP’. A screenshot of part of the compromised senate.gov site is shown below.14

13 http://www.phrack.org/issues.html?issue=55&id=18&mode=txt
14 http://www.flashback.se/hack/1999/05/27/1/
  
	
  
 
Money
There were a few notable money-driven computer crimes in the 1990s. In 1994, a group led by Vladimir Levin broke into the bank accounts of several corporations held at Citibank. Accessing the funds through Citi’s dial-up wire transfer service, he transferred $10.7 million to accounts controlled by accomplices in Finland, the United States, Germany, the Netherlands, and Israel.
  	
  
	
  
In 1999, a Russian by the handle of ‘Maxus’ compromised the CD Universe web site and stole over 300,000 credit card records. Attempting to profit from the crime, Maxus faxed an extortion note to CD Universe demanding $100,000 in return for silence about the theft and destruction of the stolen data. His extortion rejected, he published 25,000 of the records on a website. In reporting on the incident, ZDNET called it the ‘biggest hacking fraud ever’.15
  	
  
	
  
Curiosity
Though the Melissa Virus wasn’t the first, it certainly opened the eyes of corporations and system administrators to the fragility and vulnerability of computer systems and the Internet. In 1999, David Smith, a network programmer, released the Melissa Virus to the Internet. The virus was contained in a Microsoft Word document macro. When an infected document was opened, it would email itself to the first 50 addresses in the MAPI email address file on the computer. When asked why he did it, David Smith stated that he just wanted to see if it would work.
  	
  
	
  
It did work – splendidly, crashing an estimated 100,000 email servers. People readily opened the malicious document received from someone they knew containing a moderately convincing subject line and message. Besides, this type of attack was new. People weren’t used to being on their guard when opening up email attachments, especially from people they knew.
  	
  	
  
	
  
Activism
A few activist hacks occurred during the decade. In 1998, three members of the hacker group Milw0rm, as a protest of the Indian government’s nuclear weapons test program, broke into several servers of the India Atomic Research Centre, modified the organization’s homepage, and stole thousands of emails and related research documents.16 That same year hackers compromised and disabled filtering on a half-dozen firewalls used by China to filter its people’s Internet traffic.17
  

The 2000s
Environment
Two technological innovations really changed the landscape of the Internet from something you ‘go on’ to something you are ‘always on’ – the iPhone and cloud computing. Prior to the release of the iPhone in 2007, getting on the Internet was ‘expensive’ in terms of time and location – you had to be at your desktop or your laptop and the system had to be connected to the Internet. Most often this was at work or at home, sometimes at a public access point.

15 http://www.zdnet.com/biggest-hacking-fraud-ever-3002076252/
16 http://www.wired.com/science/discoveries/news/1998/06/12717
17 http://www.wired.com/politics/law/news/1998/12/16545
  	
  
	
  
The iPhone, and the smart phones that followed, essentially put the Internet in the owner’s pocket on a very pleasantly usable device. Now you always had the Internet with you and didn’t have to go out of your way to use it. With this always-on connectivity, individuals moved larger portions of their lives to Internet-connected systems and, in doing so, moved larger swaths of their personal data to more systems – fitness activities, notes, photos, social, even their homes.
  
	
  
Cloud computing made it easy for computing-intensive companies to set up shop. No longer was large capital investment required to build a computing-intensive company. With rates measured and charged in pennies per hour, companies could expand their computing infrastructure as needed. And they could do it easily, with much of the traditional heavy lifting of data center operations and networking already completed for them. The result has been an increase in Internet-based companies – SaaS providers and web startups.
  
	
  
	
Motives and Crimes
In the first decade of the millennium, the financial cybercrimes evolved from infrequent, one-man operations to frequent events perpetrated through a highly sophisticated, horizontally integrated criminal industry. Other criminal activities flourished too. While many of the crimes had been seen in previous decades, the frequency and magnitude of the crimes hadn’t.
  	
  
	
  
Money – Bank Account Takeover
One of the biggest criminal developments of the 2000s was the formation of an entire industry devoted to compromising and pilfering online bank accounts. One of the earlier online account compromises occurred in June of 2005, when a fraudster gained unauthorized access to a Miami businessman’s online bank account using keystroke-logging malware and was able to fraudulently wire over $90,000 to an account in Latvia.18 By the third quarter of 2009, fraudsters had successfully hijacked hundreds of U.S. small business online accounts, hauling away over $25 million.19
  	
  
	
  
This amount of criminal opportunity drove specialization, with some enterprises selling access to compromised systems, some selling custom malware, and others focusing on cashing out compromised accounts. A specific class of malware, the ‘banking trojans’ such as Zeus, Sinowal, Carberp, SpyEye, and others, developed to enable bypass of online banking controls. A fully featured license for Zeus, at one point, was selling in the criminal world for nearly $20,000.

18 http://www.finextra.com/news/fullstory.aspx?newsitemid=13194
19 http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/

  
Money – ATMs
ATMs are computer-driven cash dispensers. If the account balance and daily withdrawal limit line up with an authenticated request, then the machine will give the requested amount of money. So, what happens when you steal a few cards and modify the account balances and daily withdrawal limits? The WorldPay division of Royal Bank of Scotland found out.
  	
  
	
  
On November 8, 2008, an army of cashers armed with compromised WorldPay pre-paid payroll cards descended on ATMs located in over 280 cities around the world and withdrew $9.5 million in cash in a twelve-hour period. The cashers kept their commission, 30-50% of the take, and wired the remainder to the scheme masterminds. The four leaders of the heist had previously broken into the Royal Bank of Scotland WorldPay network and stolen data for 44 pre-paid payroll cards, cracked the payroll card PIN encryption, raised the funds available on each account up to as high as $500,000, and changed the daily ATM withdrawal limit allowed. During the heist the hackers monitored the withdrawal transactions remotely from the RBS WorldPay systems and, once the heist was finished, they attempted to cover their tracks on the RBS network.20
  	
  
	
  
Money – Payment Card Theft
Grand scale payment card theft looks like Albert Gonzalez’s ‘Operation Get Rich or Die Tryin’, a payment card hacking crew that stole over 90 million payment card numbers from companies including Heartland Payment Systems, TJ Maxx, 7-Eleven, and Office Max and caused over $200 million in damages. Gonzalez and crew compromised the payment card processing systems at these companies by exploiting well-known vulnerabilities in their wireless networks and web applications. Upon arresting Gonzalez, agents found $1.6 million in his several bank accounts. His goal was $15 million, at which point he planned to buy a yacht and retire.21
  	
  
	
  
Money – Identity Theft
Since 2001, identity theft has been the most common consumer complaint registered with the Federal Trade Commission. In 2012, 16.6 million U.S. residents, ages 16 and older, were victims of identity theft. The vast majority of these thefts involved fraudulent use of an existing financial account, such as a bank account or credit card account. The total cost of these crimes was estimated at $24.7 billion in 2012.22
  	
  
	
  
Activism
Persons with a potentially more aggressive approach to activism took to the Internet in droves in the 2000s. One person’s 2010 New Year’s resolution was to actively disrupt sites he deemed to support “terrorists, sympathizers, fixers, facilitators, oppressive regimes and other general bad guys.” Operating under the handle ‘The Jester’, he frequently delivered on his resolution by launching Denial of Service attacks against sites he deemed to fit within his objective. His primary targets were wikileaks.org, for releasing the U.S. State Department cable messages, and sites or organizations he deemed to be aligned with terrorism.

20 http://www.wired.com/threatlevel/2009/11/rbs-worldpay/ (Federal Indictment: http://www.justice.gov/opa/pr/2009/November/09-crm-1212.html)
21 http://www.wired.com/threatlevel/2010/03/tjx-sentencing
22 http://www.bjs.gov/content/pub/pdf/vit12.pdf
  
	
  

Unknown numbers of people took up a variety of ‘hacktivist’ campaigns under the banner of Anonymous. Taking the opposite position to ‘The Jester’, Anonymous launched DDoS attacks against several financial firms in response to their ban of Wikileaks from their payment networks for publishing the U.S. State Department cables. A small Anonymous unit was involved in raising awareness of the Steubenville High rape case. Anonymous went after Sony to punish them for prosecuting George Hotz for successfully unlocking the PlayStation 3 security system.

Ilmars Poikans’ campaign to expose fraud within the Latvian government was very effective and is worth researching. When filing his tax returns, Ilmars ‘unintentionally’ stumbled on a vulnerability on the Latvia Revenue Site that allowed him to see all tax filings. What he found was fat salaries for government officials during a time when citizens of Latvia, both public and private, were being forced to endure deep pay cuts because of the recession. His campaign to expose the injustice literally resulted in a public rebellion against the government.

So What Comes Next?
I am hopeful and I am dismayed all at the same time. On the leading edge, there is really exciting stuff happening in the security space, particularly in the areas of leveraging big data and data analytics to detect malicious events early in the attack stages. In the middle, the people, processes, practices, and technology for building and maintaining reasonably secure systems, networks, and applications are readily available. I see a lot of organizations doing the right security stuff, and they are being successful in protecting their businesses and their customers.
  	
  
	
  
Surprisingly, there are also still a lot of organizations that just don’t care. They don’t even do the basics. They have database servers listening on the Internet. Their systems are out of date and misconfigured. Their application access controls are easily bypassed. They just don’t care. And there is no excuse for it. Frankly, I think they should be kicked off the Internet until they get their stuff right.
  
	
  
And there lies the answer. The crime will continue to occur and it will most commonly occur against organizations that don’t do security well. People will continue to move their money and their data online and criminals will continue to steal it from the organizations, most commonly, that have the least security.
  	
  

  

 
Consumer Sentinel Data Book 2017
Consumer Sentinel Data Book 2017Consumer Sentinel Data Book 2017
Consumer Sentinel Data Book 2017
 
Protecting Personal Information: A Guide for Business
Protecting Personal Information: A Guide for BusinessProtecting Personal Information: A Guide for Business
Protecting Personal Information: A Guide for Business
 
Data Breach Response: A Guide for Business
Data Breach Response: A Guide for BusinessData Breach Response: A Guide for Business
Data Breach Response: A Guide for Business
 
2017 Data Breach Investigations Report
2017 Data Breach Investigations Report2017 Data Breach Investigations Report
2017 Data Breach Investigations Report
 
Consumer Sentinel Network Data Book for January 2016 - December 2016
Consumer Sentinel Network Data Book for January 2016 - December 2016Consumer Sentinel Network Data Book for January 2016 - December 2016
Consumer Sentinel Network Data Book for January 2016 - December 2016
 
Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015
 

Último

How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17Celine George
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxKatherine Villaluna
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.raviapr7
 
Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.EnglishCEIPdeSigeiro
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxAditiChauhan701637
 
The basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptxThe basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptxheathfieldcps1
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfYu Kanazawa / Osaka University
 
How to Solve Singleton Error in the Odoo 17
How to Solve Singleton Error in the  Odoo 17How to Solve Singleton Error in the  Odoo 17
How to Solve Singleton Error in the Odoo 17Celine George
 
Diploma in Nursing Admission Test Question Solution 2023.pdf
Diploma in Nursing Admission Test Question Solution 2023.pdfDiploma in Nursing Admission Test Question Solution 2023.pdf
Diploma in Nursing Admission Test Question Solution 2023.pdfMohonDas
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfMohonDas
 
Education and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxEducation and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxraviapr7
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationMJDuyan
 
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...Nguyen Thanh Tu Collection
 
UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024UKCGE
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...raviapr7
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxDr. Asif Anas
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxraviapr7
 
The Singapore Teaching Practice document
The Singapore Teaching Practice documentThe Singapore Teaching Practice document
The Singapore Teaching Practice documentXsasf Sfdfasd
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17Celine George
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxiammrhaywood
 

Último (20)

How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.
 
Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptx
 
The basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptxThe basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptx
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
 
How to Solve Singleton Error in the Odoo 17
How to Solve Singleton Error in the  Odoo 17How to Solve Singleton Error in the  Odoo 17
How to Solve Singleton Error in the Odoo 17
 
Diploma in Nursing Admission Test Question Solution 2023.pdf
Diploma in Nursing Admission Test Question Solution 2023.pdfDiploma in Nursing Admission Test Question Solution 2023.pdf
Diploma in Nursing Admission Test Question Solution 2023.pdf
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdf
 
Education and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxEducation and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptx
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive Education
 
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
 
UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptx
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptx
 
The Singapore Teaching Practice document
The Singapore Teaching Practice documentThe Singapore Teaching Practice document
The Singapore Teaching Practice document
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
 

The Rise of Cybercrime 1970s - 2010

The Rise of Cybercrime
1970 through 2010

A tour of the conditions that gave rise to cybercrime and the crimes themselves

Kelly White

© Kelly White – 2013

Introduction

Computer crime has changed from a 1970s characterization of hobbyists committing pranks and ‘exploring’ computer systems to a present-day horizontally integrated industry of exploit researchers, malware writers, hackers, fraudsters, and money mules that cause hundreds of millions of dollars in damages annually. The articles below illustrate the juxtaposition of computer crimes from earlier decades with those of the present.

Teaching Hackers Ethics
Newsweek – January 14, 1985

The parents of "Echo Man," 16, "Three Rocks," 15, and "Uncle Sam," 17, probably thought they were in their rooms doing homework. Instead, the Burlingame, Calif., teen-agers were programming their Apples to scan the Sprint telephone-service computers for valid access numbers, which they used to make free calls. The hackers then posted the numbers on an electronic bulletin board, so others could share in the spoils. That was their undoing. Local police, who had been monitoring the bulletin board, raided each of the hackers' homes last month and found enough evidence to charge them with felony theft and wire fraud.

FBI: Cyber crooks stole $40M from U.S. small, mid-sized firms [1]
Washington Post, Brian Krebs – October 26, 2009

Cyber criminals have stolen at least $40 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud, the FBI said this week. According to the FBI and other fraud experts, the perpetrators have stuck to the same basic tactics in each attack. They steal the victim’s online banking credentials with the help of malicious software distributed through spam. The intruders then initiate a series of unauthorized bank transfers out of the company’s online account…

How do you explain the typical computer crime making the leap from petty phone access theft in the 70s to huge heists in the 00s? As it turns out, in each decade, the computer crimes fit pretty well with the demographics of their time. The type and frequency of computer crime occurring in each decade seems to have been shaped by three demographics:

• The number of computers online
• The type and amount of online commerce
• The globalization of Internet use

[1] http://voices.washingtonpost.com/securityfix/2009/10/fbi_cyber_gangs_stole_40mi.html

The number of crime targets is limited by the number of computers online. The profitability of a target is dependent on the type of commerce being conducted on the computers. And the likelihood of being caught is positively correlated with the effectiveness of law enforcement in prosecuting crimes, which, I have observed, is inversely proportional to the globalization of the Internet.

As these demographics evolved, so too did the crime.

The Perfect Conditions for Crime

What are the perfect conditions for crime? How about easy targets, high profits, and very little chance of being caught?

That is what the Internet provides – lots of easy targets where 250 million people are online in the U.S. alone and with very weak security. An almost guaranteed high return – over 72 million people in the U.S. conducting banking online. And little chance of being caught – attribution of crime on the Internet is nearly impossible and governments don’t have the resources to handle the volume, let alone the high cost of international investigations. They successfully prosecute a few per year for publicity, but little else. The Internet is the perfect place to commit crime.

It took until the late 1990s for these conditions to converge to create the perfect storm. Before that, essential elements were missing – people, connectivity, commerce, and insecurity.

Computers and Connectivity

The first dimension to be set in motion was personal and commercial use of computers in the mid 1970s.
In the 70s there weren’t very many computer systems and they weren’t interconnected. In the 80s private citizen computer ownership started ramping up, but their connectivity was limited largely to computer-to-computer modem services, and access to the Internet was restricted to government and universities. In the 90s the government opened up the Internet to commercial and then public access. By the end of the decade, about half of the U.S. population was ‘online’.

+ Commerce

The explosion of online commerce was another important ingredient in creating the cyber crime environment. Without commerce, all the potential targets connected to the Internet are just targets. With commerce, computers become rich targets – credit card processing systems and automated tellers. In 2000, 40 million people in the U.S. had ever bought something online [2]. By 2008, that number reached 201 million [3]. Nearly everyone who can shop online does shop online.

In 1998, 8 million people in the U.S. were conducting banking online. By 2012 that grew to 72 million – 28% of online users and fully 23% of the entire U.S. population!

[2] http://www.pewInternet.org/Reports/2002/Getting-Serious-Online-As-Americans-Gain-Experience-They-Pursue-More-Serious-Activities.aspx
[3] http://www.pewInternet.org/Reports/2008/Online-Shopping.aspx?r=1

+ Insecurity

The build-out of the Internet network infrastructure and the connected systems was fast and furious. At this pace, all focus was on features and functionality. Little thought was given to the consequences of the risks and to the security requirements of such a critical, complex infrastructure. As a security consultant in the late 1990s, I examined up close the lack of security controls in even critical infrastructure. On one engagement, my co-worker and I were called up on short notice to conduct an Internet perimeter test of a company that provided core processing services to credit unions. One of their services was outsourced Internet Banking. Compromising their perimeter was simple, taking about 10 minutes. We scanned their public address space for common ports, noticed 135 and 139 were listening on their Internet Banking server, established a net session and went to work guessing the administrator account password. The password was ‘snow’. It was easy pickings from there. Towards the end of the engagement, I met on-site with the company’s system administrators to discuss the findings. In response to my recommendations they asked, “What is a firewall?”

+ Internationalization and No Law Enforcement

In 1998 – 1999 about 80% of the people using the Internet were U.S. citizens and about 95% were U.S. citizens or citizens of U.S. allied countries. [4] Under these conditions, serious computer crimes could be investigated and prosecuted because the crimes were largely occurring from within the borders of governments that were willing to cooperate in cyber crime investigations. This acted as a deterrent of sorts, deterring many people from committing really serious cyber crimes.

Even into 2000, people using the Internet in developing economies were limited to the professional class – people in government, education, and industry – due to Internet access constraints. As Internet accessibility increased and cost decreased, non-professionals quickly got online. By 2005, the number of Internet users in BRIC countries – Brazil, Russia, India, and China – surpassed the number of Internet users in the U.S. Among these Internet users were, as in other countries, criminals. The difference this time though was that governments proved inept in dealing with the volume, the costs and the international legal and political barriers of prosecuting crime. And frankly, non-U.S. allies were and continue to not be seriously interested in assisting other countries in criminal investigations. Ever contact a bank in Russia to request that they return a fraudulent wire? Ever participated in an FBI investigation that requires cooperation of Chinese authorities? Good luck.

The early financially driven international cyber crime spree in 2001 – 2002 went unchecked. This encouraged additional investment in cyber crime. Success continued to meet success, which continues to spiral to where we are today.

[4] http://datafinder.worldbank.org/Internet-users

The 1970s Environment

In the early 1970s computers were limited to large, expensive timesharing mainframe and Unix systems owned by universities, large corporations, and government agencies. In 1975 Ed Roberts released the first microcomputer for sale to the public – the MITS Altair 8080. No keyboard, no screen – just a box with toggle switches for programming and LED lights to show the output of the program. He sold 2,000 of the systems the first year. The following year, Steve Jobs and Steve Wozniak released the Apple I. Again, no keyboard or screen.
By the end of 1976 computing enthusiasts had purchased 40,000 microcomputers. [5] In 1977, the Apple II, the Tandy TRS-80 (I cut my teeth programming on this model), and the Commodore PET brought visual displays and keyboards to the market. People purchased 150,000 of these systems. [6]

[5] http://jeremyreimer.com/postman/node/329
[6] http://arstechnica.com/old/content/2005/12/total-share.ars
http://en.wikipedia.org/wiki/File:WIntHosts1981-2009.jpg

Computer communications were pretty limited. The government, military, and a few universities had ARPANET and X.25 networks. The public was limited to modem-based computer-to-computer phone calls, which was fine for dialing computers in your area, but a bit of a problem for those a long distance call away. The killer app for computer communications was Bulletin Board System software, which first came to public life, courtesy of Randy Suess, during a snowstorm in February 1978. This development connected computer enthusiasts across the U.S. in an electronic underground where they could publish ideas and communicate within their own realm on their own terms. From this technology the computer hacker underground took root.

While it took some time for microcomputers to take hold, the phone system was already built out and available. A large community of phone system fanatics – ‘phone phreaks’ – learned how to control the predominant phone switching system in use at the time, thanks largely to serious security flaws in the system and the publication of the details of the internal switching system in the November 1954 issue of the Bell Labs Technical Journal.

Motives and Crimes

The primary motives behind the cyber crimes of the 60s and 70s were desire for system access, curiosity, and the sense of power attained from defeating security. The phone system was the first and favorite computer system targeted.
The attraction to the phone system for the pioneers of phone phreaking was not free calls, but the desire to learn the system, the desire to beat the system, and the desire to control the system. John Draper, the father of phone phreaking, when asked about the techniques he developed for gaining operator access to phone systems, published in the October 1971 issue of Esquire Magazine, stated his motive behind unauthorized system access.

From Secrets of the Little Blue Box by Ron Rosenbaum, Esquire Magazine (October 1971)

The pioneers of ‘phone phreaking’ mastered the techniques for controlling the phone system and codified them in what is now called a ‘little blue box’. The box, commonly twice the size of a cigarette case, had buttons on the front that emitted tones. These tones, if emitted at the right time and in the right sequence during a call, would yield operator access to the phone system. The benefit, of course, was free calls to anywhere in the world.

Computers weren’t left alone. The first edition of Creative Computing magazine, published in 1976, had an article titled “Is Breaking Into A Timesharing System A Crime?” [7]

Besides the intellectual challenge of breaking in to systems, people were also motivated to break in to systems simply to gain access. In the 60s and early 70s time on the university-owned computer systems was limited. Students who wanted more time developed the first password crackers and trojan software in order to get the access they wanted.

With the introduction of microcomputers and Bulletin Board Systems in the mid to late 70s people wanted to connect to other computer systems. To foot the bill for the long-distance calls many resorted to stealing long distance access codes – wire fraud. Again, the primary motive to steal the access codes was not for profit, but curiosity – to connect and learn.

[7] http://www.atariarchives.org/bcc1/showpage.php?page=4

The 1980s Environment

In the 1980s the computer solidified its position in the upper income households, growing from over 1 million households with computers to in excess of 14 million by the end of the decade. In 1979, CompuServe introduced timesharing services to the public through a 100-baud service called ‘MicroNet’, with electronic mail as their first application. CompuServe added real-time messaging in 1980. By the end of 1981 they had 10,000 users. By 1987 it grew to 380,000. It was a bit pricey - $10 / hour. YouTube.com has an interesting vintage news report on the system (search ‘1981 primitive Internet report on KRON’).

Bulletin Board Systems continued to proliferate in the 80s. They didn’t have monthly access fees and were under the control of the person hosting the Board – not a corporation. The Internet continued to remain the private domain of the government and some universities.

In the 1980s the cyber world, for all intents and purposes, was a geography-centric system, bounded within countries by telecommunications infrastructure borders and high international communications costs. Any cyber crimes that occurred within a country could be effectively investigated because the attack was likely staged within the same country and there just weren’t as many to investigate.

Motives and Crimes

Hacking in the 1980s was primarily about pursuit of knowledge, building reputations, a bit of politics, and games – games of breaking into systems and pulling off pranks. The hacker underground gathered and flourished in the anonymity and freedom of the Bulletin Board System where boards in the hundreds such as Hack-A-Trip, Hackers of America, Hi-Tech Pirates, Cult of the Dead Cow, Legion of Doom, PhoneLine Phantoms, and the Strata-Crackers formed. Through boards hackers shared their knowledge and displayed the trophies of their system exploits.
Curiosity / Reputation

The Morris Worm was among the most significant computer security events of the 1980s, a program written by Robert Morris, a graduate student at Cornell University. Though the only purpose of the worm was to propagate itself to other systems, it did degrade the performance of systems it compromised, causing significant impact to Internet-connected systems it invaded. It was estimated to

In 1988, Prophet of Legion of Doom compromised AIMSX, a BellSouth system. He did no damage, just explored. In his probing of the system he discovered a file containing information related to administration of the 911 system. Why did he download the file? It was a trophy – proof of his compromise of the system. Also, it was forbidden knowledge, and possession of forbidden knowledge was the currency with which reputation was purchased.[8]

Pranking

Some system compromises were simply to pull off a prank. In June of 1989 a person compromised a Southern Bell phone switch and redirected calls made to the Palm Beach County Probation Department to “Tina,” a phone-sex worker in New York State.[9]

One of the earliest computer viruses was created as a joke. Elk Cloner, written by Rich Skrenta, spread to Apple II systems through infected floppy disks. The payload of the virus simply periodically displayed a humorous poem, in addition to replicating itself to any floppy disk inserted into an infected system.

Activism

The Department of Defense wasn’t left alone either. A Defense Data Network security bulletin was published on October 18, 1989, warning of a malicious worm attacking VMS systems on the SPAN network.[10]

Money

In 1989, a sixteen-year-old from Indiana gave an early glimpse of the future financially motivated electronic crime wave to come two decades later. Fry Guy, so referred to in the computer underground because of his compromise of a McDonald’s mainframe, developed a knack for pilfering data from credit reporting agencies and for compromising phone-switching systems. Combining these two skills, he would phone Western Union and ask for a cash advance on a stolen card. To ensure the security of transactions, Western Union had a practice of calling the card owner back to verify the authenticity of the request. Having changed the card owner’s phone number temporarily to a public pay phone, Fry Guy would answer the phone as the cardholder and authorize the transaction.[11]

[8] The Hacker Crackdown, pages 112-113
[9] The Hacker Crackdown, page 95
[10] http://www.textfiles.com/hacking/ddn03.hac
[11] The Hacker Crackdown, page 100

The 1990s

Environment

By the end of the 1990s, the perfect conditions for cybercrime had formed: everyone was online, lots of people conducting online banking and credit card transactions, lack of legal framework and resources to prosecute cyber crime, and poor security. Two huge events in the 1990s made this happen. The first was the invention of the World Wide Web. In 1990, Tim Berners-Lee completed his build out of all the components necessary for his ‘WorldWideWeb’ project - a web server, a web browser, a web editor, and the first web pages. In 1991, he made his project publicly available on the Internet as the ‘Web’. In a single decade, the Web grew from non-existent to over 17 million web sites.[12]

The other history-altering event was the build out of public Internet access points. In 1994, the National Science Foundation sponsored four companies to build public Internet access points – Pacific Bell, WorldCom, Sprint, and Ameritech. Within a couple of years, Joe Public declared the Internet was good and got on-line. At the beginning of the decade there were two million people on the Internet in the U.S. By the end of the decade there were 135 million.

Companies followed the public and moved their commerce channels online. The U.S. Department of Commerce reported for 1999 $5.25 billion in online travel bookings, $3.75 billion in online brokerage fees, and $15 billion in retail sales. Banks got on-line too, with 10 million people conducting banking online in 2000.

Adoption of the Internet was not just a U.S. phenomenon.
Though lagging developed economies by about five years, the emerging economies got online too. By 2000, 36 million people in the BRIC countries – Brazil, Russia, India, and China – were online. While the U.S. and its Allies established reasonably functional agreements for prosecuting cyber crime, no such agreements were realized with the rest of the world. The result was, and remains today, an Internet with no functional legal system for fighting crime.

Motives and Crimes

With the millions of new systems coming online, the 1990s was a target-rich decade for hackers. Fortunately for businesses and people putting their private information online, hackers primarily made a sport of defacing websites, rather than targeting the sensitive information stored in the systems. It would take until the following decade for the criminal profiteers to figure out how to monetize computer crime.

Sport

The most common computer crime of the 1990s was defacing websites. Hacking for ‘sport’ is a good category for these compromises. There really was no knowledge to gain, no curiosity to satisfy – just the sport of compromising web sites. Attrition.org documented many of the web site hacks through its web page hack mirror at http://attrition.org/mirror/. According to Attrition’s data, four web sites were hacked in 1995. Attrition reported 1905 websites being hacked in 1999.

Figure: Number of Website Defacements Reported by Attrition.org [13]

Some very high profile sites fell during the decade. In 1996, the top sites compromised included the U.S. Air Force, NASA, and the site of the British Labour Party. Sites compromised in 1997 included Stanford University, Farmers & Merchants Bank, Fox News, and Yahoo. Other high profile sites to be compromised included the U.S. Senate’s www.senate.gov, ebay.com, slashdot.org, and nytimes.com.

The content placed on these sites ranged from ‘Free Kevin!’, to pornography; from taunting messages like ‘Look you sorry ass system admin…’, to security advice such as ‘Stop using old versions of FTP’. A screenshot of part of the compromised senate.gov site is shown below.[14]

[12] http://www.cnn.com/2006/TECH/Internet/11/01/100millionwebsites/
[13] http://www.phrack.org/issues.html?issue=55&id=18&mode=txt
[14] http://www.flashback.se/hack/1999/05/27/1/

Money

There were a few notable money-driven computer crimes in the 1990s. In 1994, a group led by Vladimir Levin broke into the bank accounts of several corporations held at Citibank. Accessing the funds through Citi’s dial-up wire transfer service, he transferred $10.7 million to accounts controlled by accomplices in Finland, the United States, Germany, the Netherlands, and Israel.

In 1999, a Russian by the handle of ‘Maxus’ compromised the CD Universe web site and stole over 300,000 credit card records. Attempting to profit from the crime, Maxus faxed an extortion note to CD Universe demanding $100,000 in return for silence about the theft and destruction of the stolen data. His extortion rejected, he published 25,000 of the records on a website. In reporting on the incident, ZDNET called it the ‘biggest hacking fraud ever’.[15]

Curiosity

Though the Melissa Virus wasn’t the first, it certainly opened the eyes of corporations and system administrators to the fragility and vulnerability of computer systems and the Internet. In 1999, David Smith, a network programmer, released the Melissa Virus to the Internet. The virus was contained in a Microsoft Word document macro. When an infected document was opened, it would email itself to the first 50 addresses in the MAPI email address file on the computer. When asked why he did it, David Smith stated that he just wanted to see if it would work.

It did work – splendidly, crashing an estimated 100,000 email servers.
People readily opened the malicious document received from someone they knew containing a moderately convincing subject line and message. Besides, this type of attack was new. People weren’t used to being on their guard when opening up email attachments, especially from people they knew.

Activism

A few activist hacks occurred during the decade. In 1998, three members of the hacker group Milw0rm, as a protest of the Indian government’s nuclear weapons test program, broke into several servers of the India Atomic Research Centre, modified the organization’s homepage, and stole thousands of emails and related research documents.[16] That same year hackers compromised and disabled filtering on a half-dozen firewalls used by China to filter its people’s Internet traffic.[17]

[15] http://www.zdnet.com/biggest-hacking-fraud-ever-3002076252/
[16] http://www.wired.com/science/discoveries/news/1998/06/12717
[17] http://www.wired.com/politics/law/news/1998/12/16545

The 2000s

Environment

Two technological innovations really changed the landscape of the Internet from something you ‘go on’ to something you are ‘always on’ – the iPhone and cloud computing. Prior to the release of the iPhone in 2007, getting on the Internet was ‘expensive’ in terms of time and location – you had to be at your desktop or your laptop and the system had to be connected to the Internet. Most often this was at work or at home, sometimes at a public access point.

The iPhone, and smart phones that followed, essentially put the Internet in the owner’s pocket on a very pleasantly usable device. Now you always had the Internet with you and didn’t have to go out of your way to use it. With this always-on connectivity, individuals moved larger portions of their lives to Internet-connected systems and, in doing so, moved larger swaths of their personal data to more systems – fitness activities, notes, photos, social, even their homes.

Cloud computing made it easy for computing-intensive companies to set up shop. No longer was large capital investment required to build a computing-intensive company. With rates measured and charged in pennies per hour, companies could expand their computing infrastructure as needed. And they could do it easily, with much of the traditional heavy lifting of data center operations and networking already completed for them. The result has been an increase in Internet-based companies – SaaS providers and web startups.

Motives and Crimes

In the first decade of the millennium, the financial cybercrimes evolved from infrequent, one-man operations to frequent events perpetrated through a highly sophisticated, horizontally integrated criminal industry.
Other criminal activities flourished too. While many of the crimes had been seen in previous decades, the frequency and magnitude of the crimes hadn’t.

Money – Bank Account Takeover

One of the biggest criminal developments of the 2000s was the formation of an entire industry devoted to compromising and pilfering online bank accounts. One of the earlier online account compromises occurred in June of 2005, when a fraudster gained unauthorized access to a Miami businessman’s online bank account using keystroke-logging malware and was able to fraudulently wire over $90,000 to an account in Latvia.[18] By the third quarter of 2009, fraudsters successfully hijacked hundreds of U.S. small business online accounts, hauling away over $25 million.[19]

This amount of criminal opportunity drove specialization, with some enterprises selling access to compromised systems, some selling custom malware, and others focusing on cashing out compromised accounts. A specific malware class of ‘banking trojans’ developed to enable bypass of online banking controls, such as Zeus, Sinowal, Carberp, SpyEye, and others. A fully featured license for Zeus, at one point, was selling in the criminal world for nearly $20,000.

[18] http://www.finextra.com/news/fullstory.aspx?newsitemid=13194
[19] http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/

Money – ATMs

ATMs are computer-driven cash dispensers. If the account balance and daily withdrawal limit line up with an authenticated request, then the machine will give the requested amount of money. So, what happens when you steal a few cards and modify the account balances and daily withdrawal limits? The WorldPay division of Royal Bank of Scotland found out.

On November 8, 2008, an army of cashers armed with compromised WorldPay pre-paid payroll cards descended on ATMs located in over 280 cities around the world and withdrew $9.5 million in cash in a twelve-hour period. The cashers kept their commission, 30-50% of the take, and wired the remainder to the scheme masterminds. The four leaders of the heist had previously broken into the Royal Bank of Scotland WorldPay network and stolen data for 44 pre-paid payroll cards, cracked the payroll card PIN encryption, raised the funds available on each account up to as high as $500,000, and changed the daily ATM withdrawal limit allowed. During the heist the hackers monitored the withdrawal transactions remotely from the RBS WorldPay systems and, once the heist was finished, they attempted to cover their tracks on the RBS network.[20]

Money – Payment Card Theft

Grand scale payment card theft looks like Albert Gonzalez’s ‘Operation Get Rich or Die Tryin’, a payment card hacking crew that stole over 90 million payment card numbers from companies including Heartland Payment Systems, TJ Maxx, 7-Eleven, and Office Max and caused over $200 million in damages.
Gonzalez and crew compromised the payment card processing systems at these companies by exploiting well-known vulnerabilities in their wireless networks and web applications. Upon arresting Gonzalez, agents found $1.6 million in his several bank accounts. His goal was $15 million, at which point he planned to buy a yacht and retire.[21]

Money – Identity Theft

Since 2001, identity theft has been the most common consumer complaint registered to the Federal Trade Commission. In 2012, 16.6 million U.S. residents, ages 16 and older, were victims of identity theft. The vast majority of these thefts involved fraudulent use of an existing financial account, such as a bank account or credit card account. The total cost of these crimes was estimated at $24.7 billion in 2012.[22]

Activism

Persons with a potentially more aggressive approach to activism took to the Internet in droves in the 2000s. One person’s 2010 New Year’s resolution was to actively disrupt sites he deemed to support “terrorists, sympathizers, fixers, facilitators, oppressive regimes and other general bad guys.” Operating under the handle ‘The Jester’, he frequently delivered on his resolution by launching Denial of Service attacks against sites he deemed to fit within his objective. His primary targets were wikileaks.org, for releasing the U.S. State Department cable messages, and sites or organizations he deemed to be aligned with terrorism.

Unknown numbers of people took up a variety of ‘hacktivist’ campaigns under the banner of Anonymous. Taking the opposite position to ‘The Jester’, Anonymous launched DDOS attacks against several financial firms in response to their ban of Wikileaks from their payment networks for publishing the U.S. State Department cables. A small Anonymous unit was involved in raising the awareness of the Steubenville High rape case. Anonymous went after Sony to punish them for prosecuting George Hotz for successfully unlocking the PlayStation 3 security system.

Ilmars Poikans’ campaign to expose fraud within the Latvian government was very effective and is worth researching. When filing his tax returns, Ilmars ‘unintentionally’ stumbled on a vulnerability on the Latvia Revenue Site that allowed him to see all tax filings. What he found was fat salaries for government officials during a time when citizens of Latvia, both public and private, were being forced to endure deep pay cuts because of the recession. His campaign to expose the injustice literally resulted in a public rebellion against the government.

[20] http://www.wired.com/threatlevel/2009/11/rbs-worldpay/ Federal Indictment: http://www.justice.gov/opa/pr/2009/November/09-crm-1212.html
[21] http://www.wired.com/threatlevel/2010/03/tjx-sentencing
[22] http://www.bjs.gov/content/pub/pdf/vit12.pdf

So What Comes Next?

I am hopeful and I am dismayed all at the same time.
On the leading edge, there is really exciting stuff happening in the security space, particularly in the areas of leveraging big data and data analytics to detect malicious events early in the attack stages. In the middle, the people, processes, practices, and technology for building and maintaining reasonably secure systems, networks, and applications are readily available. I see a lot of organizations doing the right security stuff, and they are being successful in protecting their businesses and their customers.

Surprisingly, there are also still a lot of organizations that just don’t care. They don’t even do the basics. They have database servers listening on the Internet. Their systems are out of date and misconfigured. Their application access controls are easily bypassed. They just don’t care. And there is no excuse for it. Frankly, I think they should be kicked off the Internet until they get their stuff right.

And there lies the answer. The crime will continue to occur and it will most commonly occur against organizations that don’t do security well. People will continue to move their money and their data online and criminals will continue to steal it from the organizations, most commonly, that have the least security.