It is something of a cliché to refer to 1984, George Orwell’s dystopian vision of the future, as an indicator of the direction society is heading in the early 21st century. But when you hear respected voices such as Mikko Hypponen, chief research officer at Internet security company F-Secure, talking about how the German government used the R2D2 Trojan, surreptitiously installed on the computers of its own citizens to monitor their online activity, it’s hard to get away from Orwell’s concept of a Big Brother society.
Governments spying on their citizens, governments deploying cyber-espionage weapons against foreign companies or other nation states, the threat of high-tech weapons being captured via malware and redeployed, hackers seeking vigilante-style justice – all of these sound like movie plots, but all of these are real.
So are cyber criminals who rip off 556 million people per year, according to the 2012 Norton cybercrime report. Some 1.5 million are victimized each day, which works out to 18 per second. The global price tag of cybercrime is a whopping $110 billion (see chart).
“There is and always will be a permanent race in cyber space between attackers and defenders,” says a September 28, 2012 European Network and Information Security Agency (ENISA) report. “Unfortunately, at the moment attackers are one step ahead.”
Now that two-thirds of adults access the Internet via mobile phones, new forms of cybercrime are emerging, targeting mobile devices and social networks. “Mobile devices are one new frontier,” says Israeli security specialist Keren Elazari, a scheduled speaker at DLD 2013. “Only one in 20 smartphones has any kind of security software on it, and yet it has all our most personal stuff on it.”
The most malware-ridden platform is Android, Google’s mobile operating system based on Linux. “We receive 150,000 samples of malware a day. On the desktop, we find 10,000 to 15,000 samples are for Windows; there are more than there used to be for Mac OSX, and nothing for Linux,” says F-Secure’s Hypponen, who is also scheduled to speak at DLD 2013. “On mobile, it’s the other way round. On iOS, there’s nothing. On Windows Phone, there’s nothing. On Android, there are tens of thousands. You used not to need security software on your phone; today you do.”
Drive-by download attacks against web browsers have become the top web threat, according to the ENISA report. These attacks target software on Internet users’ computers (web browsers, browser plug-ins, and operating systems) and infect computers automatically when the user visits a drive-by download website, without any user interaction. In May of last year the first drive-by download for Android was reported, meaning drive-by download attacks are now a mobile threat as well, exposing not just consumers but businesses to new types of attacks.
“IT departments now have to manage a mix of endpoint devices: desktops, laptops and smartphones — often a variety of different smartphones. The problem is exacerbated because many people use the same device for personal and business use. So loss of data may be bad news not just for an individual, but for the business too,” says David Emm, senior security researcher at Kaspersky Lab. (Eugene Kaspersky, founder and CEO of Kaspersky Lab, is a scheduled speaker at DLD 2013.)
Trojans, which are widely used by cyber criminals to steal money, are a major malware threat on mobile platforms. Social networks are another appealing new distribution channel for malware, an example being the Koobface worm that targeted and infected users of major social networking sites.
In addition to drive-by attacks, worms and Trojans, other threats that made the ENISA top ten include code injection, exploit kits, botnets, denial of service attacks, phishing, compromising confidential information, rogueware/scareware, targeted attacks, physical theft/loss/damage, identity theft, abuse of information, search engine poisoning and rogue certificates.
The increase in the number and type of cyberattacks has prompted the creation of the European Cybercrime Centre, at the European Police Office, Europol, in The Hague, which officially opened for business in January. The center’s focus is on illegal online activities carried out by organized crime groups — especially attacks targeting online financial activities, online child sexual exploitation and crimes that affect the critical infrastructure and information systems in the European Union.
Trouble is that cyber attacks know no borders, making it all the more difficult to keep them in check. In January 2010 Google disclosed that it had been the target of a cyberattack that had originated in China. Later, Adobe and Rackspace confirmed that they had also been targeted in the attack, which was dubbed Aurora.
More recently, the Shamoon virus attacked computers at the Saudi state oil company, Aramco, and at RasGas, the Qatari natural gas producer. That devastating virus stole data in order to send bogus messages back to the oil companies’ command and control centers, wiped out data and destroyed the master boot record on infected PCs. It finally announced its presence by putting up an image on the screen of a burning U.S. flag.
While businesses need to be alert to potential breaches of their cyber defences by criminals and hackers, those breaches can come from the people a business should be able to trust: the employees themselves. “You can employ risk mitigation technology,” says Kevin Bailey, European security software research director at consultancy IDC, “but you also need policies around the people themselves.” He points to innocent employees who can be targeted in a “spear-phishing attack,” which is when criminals go after an individual and attempt to gain access to a company by gaining their trust.
Cybercriminals also gather information from social networks and other public resources that allow them to tailor their attack to bypass the company’s security, warns Kaspersky Lab’s Emm. “People are susceptible to social engineering tricks for various reasons,” he says. “Sometimes they simply don’t realize the danger.”
The old model of strong perimeter defences is no longer appropriate, adds Holman, as once a person or computer is compromised, the attack can be spread around a business network.
Businesses are attacked for information, whether it’s commercial secrets or an attack by activists seeking to embarrass an organization. Says Holman: “If I want to do a targeted attack, I’ll try and get inside the company. Most businesses do perimeter security, so once I’m in, it’s easy. Businesses are crunchy on the outside but squishy on the inside.”
Both Elazari and Holman point to the emergence of hacktivists as key players on the security scene. The most visible of these groups is Anonymous, which has led cyber attacks on supporters of U.S. anti-piracy legislation, as well as on alleged pedophiles and even national governments, including hacking into Ugandan government websites to protest at that country’s hardline stance on homosexuality.
Hacktivists “are a phenomenon that’s here to stay,” says F-Secure’s Hypponen. “We didn’t see them coming, and they’re different from cybercriminals who want to get rich. They want to prove a point or send a message. They are a problem,” he adds. “We do worry about them; don’t underestimate them.”
Says Holman, who comes from the hacking subculture: “What we have seen so far is a bunch of kids, but there are a lot of them. They suffer from economic disenfranchisement — they don’t have economic opportunities; they’re being marginalized and they lash out with the tools they have. In the old days they had Molotov cocktails; today they mount DDoS [distributed denial of service] attacks.”
Elazari points out that these skills can be harnessed for good. “Anonymous tries to promote the notion of privacy and retaining control over your info,” she says. “And in South America, hacktivists are standing up to the narco-cartels.”
She adds: “Hacking doesn’t have to be antisocial behaviour — there’s a hacking society right now in California teaching computer science to young women. When I speak about hacking, I don’t see it as criminal behaviour: I see it as creative, innovative and outside the box.”
Hacking is most certainly becoming a creative part of 21st-century military strategy: a number of out-of-the-box approaches to hampering the enemy have come to light. “Militaries have decreed that this is the fifth space for warfare,” says Elazari, with cyberspace joining the traditional battle arenas of air, land, sea and space. Stuxnet, which was identified in 2010, was the first known piece of malware engineered for cyberwarfare and cyberespionage purposes, but it will not be the last.
Israel was thought to be behind the Stuxnet worm, which targeted very specific software in Iranian nuclear facilities with the aim of spying on and subverting industrial systems. “Stuxnet demonstrates that the boundary between the purely electronic realm and the physical realm is one that a computer virus can cross,” says Elazari. “Lines of code can find a way into a computer controlling something important” — such as the drones being used by the U.S. to target rebels in Afghanistan.
In the UK, MPs warned at the beginning of January that Britain’s armed forces were at risk of being “fatally compromised” by a sustained cyber attack, urging the UK government to put in place “as it has not yet done — mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities that cyber presents.”
Holman has a succinct explanation for why warfare is moving into cyberspace: “If you were a hostile country, any country in the world besides the U.S., would you rather control our land or our computers?”
Chilling words, which underscore the darker side of cyberspace: criminals, rogue governments, hackers and terrorists don’t need to be physically present to do considerable damage.