by Marc Goodman
Beyond merely cataloging the latest in criminal innovation and technical vulnerabilities, this book offers a path forward to defeat the myriad threats that await us. If we use foresight, I believe it is possible to anticipate and prevent tomorrow’s crimes today, before we reach the point of no return. Future generations will look back and judge our efforts to curb these security threats and defend the soul of technology to ensure that it inures to humanity’s ultimate benefit.
A friendly warning: if you proceed in reading the pages that follow, you will never look at your car, smart phone, or vacuum cleaner the same way again.
This is your last chance. After this, there is no turning back. You take the blue pill—the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill—you stay in Wonderland, and I show you how deep the rabbit hole goes. Remember, all I’m offering is the truth—nothing more.
MORPHEUS’S WARNING TO NEO, THE MATRIX
PART
ONE
A
Gathering
Storm
CHAPTER 1
Connected, Dependent, and Vulnerable
Technology … is a queer thing; it brings you great gifts with one hand and it stabs you in the back with the other.
CHARLES PERCY SNOW
Mat Honan’s life looked pretty good on-screen: in one tab of his browser were pictures of his new baby girl; in another streamed the tweets from his thousands of Twitter followers. As a reporter for Wired magazine in San Francisco, he was living an urbane and connected life and was as up-to-date on technology as anyone. Still, he had no idea his entire digital world could be erased in just a few keystrokes. Then, one August day, it was. His photographs, e-mails, and much more all fell into the hands of a hacker. Stolen in just minutes by a teenager halfway around the world. Honan was an easy target. We all are.
Honan recalls the afternoon when everything fell apart. He was playing on the floor with his infant daughter when suddenly his iPhone powered down. Perhaps the battery had died. He was expecting an important call, so he plugged the phone into the outlet and rebooted. Rather than the usual start-up screen and apps, he saw a large white Apple logo and a multilingual welcome screen inviting him to set up his new phone. How odd.
Honan wasn’t especially worried: he backed up his iPhone every night. His next step was perfectly obvious—log in to iCloud and restore the phone and its data. Upon logging in to his Apple account, he was informed that his password, the one he was sure was correct, had been deemed wrong by the iCloud gods. Honan, an astute reporter for the world’s preeminent technology magazine, had yet another trick up his sleeve. He would merely connect the iPhone to his laptop and restore his data from the hard drive on his local computer. What happened next made his heart sink.
As Honan powered up his Mac, he was greeted with a message from Apple’s calendar program advising him his Gmail password was incorrect. Immediately thereafter, the face of his laptop—its beautiful screen—turned ashen gray and quit, as if it had died. The only thing visible on the screen was a prompt: please enter your four-digit password. Honan knew he had never set a password.
Honan ultimately learned that a hacker had gained access to his iCloud account, then used Apple’s handy “find my phone” feature to locate all of the electronic devices in Honan’s world. One by one, they were nuked. The hacker issued the “remote wipe” command, thereby erasing all of the data Honan had spent a lifetime accumulating. The first to fall was his iPhone, then his iPad. Last, but certainly not least, was his MacBook. In an instant, all of his data, including every baby picture he had taken during his daughter’s first year of life, were destroyed. Gone too were the priceless photographic memories of his relatives who had long since died, vanquished into the ether by parties unknown.
Next to be obliterated was Honan’s Google account. In the blink of an eye, the eight years of carefully curated Gmail messages were lost. Work conversations, notes, reminders, and memories wiped away with a click of a mouse. Finally, the hacker turned his intention to his ultimate target: Honan’s Twitter handle, @Mat. Not only was the account taken over, but the attacker used it to send racist and homophobic rants in Honan’s name to his thousands of followers.
In the aftermath of the online onslaught, Honan used his skills as an investigative reporter to piece together what had happened. He phoned Apple tech support in an effort to reclaim his iCloud account. After more than ninety minutes on the phone, Honan learned that “he” had just called thirty minutes prior to request his password be reset. As it turns out, the only information anybody needed to change Honan’s password was his billing address and the last four digits of his credit card number. Honan’s address was readily available on the Whois Internet domain record he had created when he built his personal Web site. Even if it hadn’t been, dozens of online services such as WhitePages.com and Spokeo would have provided it for free.
To ascertain the last four digits of Honan’s credit card, the hacker guessed that Honan (like most of us) had an account on Amazon.com. He was correct. Armed with Honan’s full name and his e-mail and mailing addresses, the culprit contacted Amazon and successfully manipulated a customer service rep so as to gain access to the required last four credit card digits. Those simple steps and nothing more turned Honan’s life upside down. Although it didn’t happen in this case, the hacker could have just as easily used the very same information to access and pilfer Honan’s online bank and brokerage accounts.
The teenager who eventually came forward to take credit for the attack—Phobia, as he was known in hacking circles—claimed he was out to expose the vast security vulnerabilities of the Internet services we’ve come to rely on every day. Point made. Honan created a new Twitter account to communicate with his attacker. Phobia, using the @Mat account, agreed to follow Honan’s new account, and now the two could direct message each other. Honan asked Phobia the single question that was burning on his mind: Why? Why would you do this to me? As it turns out, the near decade of lost data and memories was merely collateral damage.
Phobia’s reply was chilling: “I honestly didn’t have any heat towards you … I just liked your [Twitter] username.” That was it. That’s all it was ever about—a prized three-letter Twitter handle. A hacker thousands of miles away liked it and simply wanted it for himself.
The thought that somebody with no “heat” toward you can obliterate your digital life in a few keystrokes is absurd. When Honan’s story appeared on the cover of Wired in December 2012, it garnered considerable attention … for a minute or two. A debate on how to better secure our everyday technologies ensued but, like so many Internet discussions, ultimately flamed out. Precious little has changed since Honan’s trials and tribulations. We are still every bit as vulnerable as Honan was then—and even more so as we ratchet up our dependency on hackable mobile and cloud-based applications.
As with most of us, Honan’s various accounts were linked to one another in a self-referential web of purported digital trust: the same credit card number on an Apple profile and an Amazon account; an iCloud e-mail address that points back to Gmail. Each had information in common, including log-on credentials, credit card numbers, and passwords with all the data connected back to the same person. Honan’s security protections amounted to nothing more than a digital Maginot Line—an overlapping house of cards that came tumbling down with the slightest pressure. All or most of the information needed to destroy his digital life, or yours, is readily available online to anybody who is the least bit devious or creative.
Progress and Peril in a Connected World
In a few years’ time, with very little self-reflection, we’ve sprinted headlong from merely searching Google to relying on it for directions, calendars, address books, video, entertainment, voice mail, and telephone calls. One billion of us have posted our most intimate details on Facebook and willingly provided social networking graphs of our friends, family, and co-workers. We’ve downloaded billion
s of apps, and we rely on them to help us accomplish everything from banking and cooking to archiving baby pictures. We connect to the Internet via our laptops, mobile phones, iPads, TiVos, cable boxes, PS3s, Blu-rays, Nintendos, HDTVs, Rokus, Xboxes, and Apple TVs.
The positive aspects of this technological evolution are manifest. Over the past hundred years, rapid advances in medical science mean that the average human life span has more than doubled and child mortality has plummeted by a factor of ten. Average per capita income adjusted for inflation around the world has tripled. Access to a high-quality education, so elusive to many for so long, is free today via Web sites such as the Khan Academy. And the mobile phone is singularly credited with leading to billions upon billions of dollars in direct economic development in nations around the globe.
The interconnectivity the Internet provides through its fundamental architecture means that disparate peoples from around the world can be brought together as never before. A woman in Chicago can play Words with Friends with a total stranger in the Netherlands. A physician in Bangalore, India, can remotely read and interpret the X-ray results of a patient in Boca Raton, Florida. A farmer in South Africa can use his mobile phone to access the same crop data as a PhD candidate at MIT. This interconnectedness is one of the Internet’s greatest strengths, and as it grows in size, so too does the global network’s power and utility. There is much to celebrate in our modern technological world.
While the advantages of the online world are well documented and frequently highlighted by those in the tech industry, there is also a downside to all of this interconnectivity.
Our electrical grids, air traffic control networks, fire department dispatch systems, and even the elevators at work are all critically dependent on computers. Each day, we plug more and more of our daily lives into the global information grid without pausing to ask what it all means. Mat Honan found out the hard way, as have thousands of others. But what should happen if and when the technological trappings of our modern society—the foundational tools upon which we are utterly dependent—all go away? What is humanity’s backup plan? In fact, none exists.
The World Is Flat (and Wide Open)
For centuries, the Westphalian system of sovereign nation-states has prevailed in our world. It meant that countries were to be sovereign in their territory, with no role for outside authorities to meddle in a nation’s domestic affairs. The Westphalian structure was preserved through a system of borders, armies, guards, gates, and guns. Controls could be implemented to limit both immigration and emigration of people from a national territory. Moreover, customs and inspection structures would be established to control the flow of goods across national boundaries. Yet as prescient as the signatories to the Treaty of Westphalia were in 1648, none of them foresaw Snapchat.
Though physical borders still matter, such divisions are much less clear in an online world. Bits and bytes flow freely from one country to the next without any border guards, immigration controls, or customs declarations to slow their transit. The traditional transnational barriers to crime faced by former generations of thieves, thugs, and convicts have been demolished in the online world, allowing unsavory individuals to freely enter and exit any virtual location they please.
Think about that and its implications for our security. Once upon a time, if criminals attempted to rob a bank in New York’s Times Square, several things were considered to be self-evident. First and foremost, it was assumed that the perpetrators had entered a physical location within the boundaries of the NYPD’s Midtown South Precinct. The bank robbery would have breached both New York State and U.S. federal law, and the NYPD and the FBI would share joint jurisdiction to investigate the matter. The victim (in this case the bank) was also colocated within the physical jurisdiction of the concerned law enforcement authorities, greatly simplifying their investigation. Attempts to solve the case would have been bolstered by physical evidence likely left behind at the scene of the crime by the bank robber, including fingerprints on a note handed to a teller and DNA on the counter he jumped over, and perhaps via the images of his own face visible on the bank’s security camera system. In addition, the crime itself was subject to certain physical limitations. The dollar bills stolen would have had weight and mass, and only so many could be carried away. The piles of cash might also have had an embedded exploding dye pack to flag the suspect to the police. But in today’s world, long-established, tried-and-true investigative givens, such as jurisdictional commonality and physical evidence—fundamental tools for authorities to solve crimes—often no longer exist.
Compare the Times Square heist scenario above with the infamous 1994 Internet bank robbery carried out by Vladimir Levin from his apartment in St. Petersburg, Russia. Levin, a computer programmer, was accused of hacking the accounts of several of Citibank’s large corporate customers and making away with $10.7 million. Collaborating with accomplices around the world, Levin transferred large sums of cash to accounts in Finland, the United States, the Netherlands, Germany, and Israel.
Who had jurisdiction for this matter? Was it the police in the United States, where the victim (Citibank) was located? Was it the cops in St. Petersburg, where the suspect carried out the alleged offense? Or was jurisdiction held in Israel or Finland, perhaps, where the ill-gotten funds were electronically delivered to fraudulent accounts? Levin never physically entered the United States to commit the crime. He left no fingerprints or DNA and was never marked by an exploding dye pack. Importantly, he never needed to physically carry the thousands of pounds of cash out of the bank; it was all accomplished with a mouse and a keyboard. No need for a mask or sawed-off shotgun either; Levin merely hid behind his computer screen and used a circuitous virtual route to cover his digital tracks.
The nature of the Internet means that we are increasingly living in a borderless world. Today anybody, with good or ill intent, can virtually travel at the speed of light halfway around the planet. For criminals, this technology has been a boon, as they hop from one country to the next virtually hacking their way across the globe in an effort to frustrate police. Criminals have also learned how to protect themselves from being tracked online. A smart hacker would never directly initiate an attack against a bank in Brazil from his own apartment in France. Instead, he would route his attack from one compromised network to another, from France, to Turkey, to Saudi Arabia, toward his ultimate target in Brazil. This ability to country-hop, one of the Internet’s greatest strengths, creates enormous jurisdictional and administrative problems for the police and is one of the main reasons why cyber-crime investigation is so challenging and often feckless. A police officer in Paris has no authority to make an arrest in São Paulo.
The Good Old Days of Cyber Crime
The nature of the cyber threat has changed dramatically over the past twenty-five years. In the early days of the personal computer, hackers were mostly motivated by the “lulz,” or laughs. They hacked computer systems just to prove that they could do it or to make a point. One of the very first computer viruses to infect IBM PCs was the Brain virus, created in 1986 by the brothers Amjad Farooq Alvi and Basit Farooq Alvi, aged twenty-four and seventeen, of Lahore, Pakistan. Their virus was intended to be innocuous, to stop others from pirating the software the brothers had spent years developing. Brain worked by infecting the boot sector of a floppy disk as a means of preventing its copying and allowed the brothers to track illegal copies of their own software. The brothers, upset that others were pirating their software without paying for it, included an ominous warning that appeared on infected users’ screens:
Welcome to the Dungeon © 1986 Brain & Amjads (pvt). BRAIN COMPUTER SERVICES 730 NIZAM BLOCK
ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE: 430791,443248,280530. Beware of this VIRUS …
Contact us for vaccination …
Their message is notable for several reasons. First, the brothers claimed to have copyrighted their virus, a ballsy move indeed. Even more strange was the fact that they included
their address and phone numbers for users to contact the virus originators for “vaccination” or removal of the virus. Their reasoning for creating the virus seemed logical enough to Basit and Amjad, but what they hadn’t realized was their creation had the capacity to replicate and spread and did so the old-fashioned way, through human beings’ carrying around 5.25-inch floppy disks from computer to computer. Eventually, Brain had traveled the globe, introducing Basit and Amjad to the rest of the world.
Over time, hackers grew more ambitious—and more malicious. Our interconnection to one another via computer bulletin board services meant that digital viruses no longer needed to travel via a “sneakernet,” carried by human beings on floppy disks, but rather could spread via modem over telephone lines through early online services such as CompuServe, Prodigy, EarthLink, and AOL. Newer viruses and Trojans such as Melissa (1999), ILOVEYOU (2000), Code Red (2001), Slammer (2003), and Sasser (2004) could now infect Microsoft Windows computers around the world with ease, destroying the term papers, recipes, love letters, and company spreadsheets we had saved to our hard drives. Suddenly we all had skin in this game.
Computer “malware,” a portmanteau combining the words “malicious” and “software,” now comes in many forms, but all seek to damage, disrupt, steal from, or inflict some illegitimate or unauthorized action on a data system or network:
• Computer viruses propagate by inserting a copy of themselves into another program, just as a real-world virus infects an available biological host.
