by Marc Goodman
The crimeware (criminal software) involved is so sophisticated it even knows how much it has stolen from each bank account compromised. Thus, if the thieves stole $2,419 from your checking account, an algorithm will add that portion back to what you see on your screen in real time as you view your online account balance. Purchases made by criminals with your credit or debit card are automatically struck from the recent transactions list and the online statement before they appear on your screen. Even PDF copies of your banking and credit card transactions sent to your printer are modified before they come out of your machine. When these thieves own you, they really own you.
These types of man-in-the-middle attacks are powerful reminders that criminal hackers are perfectly capable of intermediating reality for you via the ever-increasing number of screens in your life. Just like the perpetrators of Stuxnet, these criminals recognize that screens are merely a proxy for reality, one that is completely malleable and easily manipulated. Yet not all manipulation of the data we see on our screens is carried out by global cyber-crime cartels or espionage services.
Pedophiles routinely take on the digital personas of children, and those under eighteen cannot tell when they are speaking to an adult 80 percent of the time, making the screens of the young particularly vulnerable to attack. Recall the case of Amanda Todd, the twelve-year-old girl who was tricked into showing her breasts on video camera to a person she thought was a boy her age. Todd was blackmailed and tormented by her virtual attacker, driving the Canadian student to take her own life. For years, the case went unsolved, and Amanda’s parents never knew who had tortured their daughter until April 2014, when a break in the case led the Royal Canadian Mounted Police to the Netherlands and a suspect five thousand miles away. Police in Holland identified thirty-five-year-old Aydin Coban and charged him with “one count each of extortion, internet luring, criminal harassment, possession of child pornography for the purpose of distribution.” Coban’s alleged modus operandi was to establish a fake online persona, gain the trust of underage girls, and then seduce them into performing sex acts in front of a Webcam. Dozens of other victims both in Canada and around the world are believed to have been targeted by the Dutch pedophile.
Even for adults, interpersonal relationships and screen manipulation can be a dangerous mix. Such was the case with Elizabeth Thrasher, who was accused of lashing out at the daughter of her ex-husband’s new girlfriend. The jealous woman allegedly copied two photographs from the teen’s Myspace account and posted them to Craigslist in the Casual Encounters section of the site. She also listed the innocent girl’s home address, phone number, e-mail, and work information, stating that she was looking for sex. Thrasher’s prey had no idea about the Craigslist posting until she started to receive phone calls, text messages, and photographs (including nude pictures), along with solicitations for sex. In court, the girl testified that she felt as if she’d been “set up to get killed and raped by somebody.”
Stock Screeners
Not only can individuals and companies be manipulated based upon what appears on their screens, but so too can financial markets. While whispers and suppositions have moved markets in the past, the breakneck speed of the Internet means the world often reacts before information has been verified. In August 2000, a hacker by the name of Mark S. Jakob, a twenty-three-year-old community college student from El Segundo, California, created a fake press release and forwarded it to the Internet Wire, a Web-based distributor of corporate announcements. Jakob chose the Emulex Corporation, a Nasdaq-traded communications equipment manufacturer, as his target. The hacker merely copied the stationery and style of previous Emulex press releases, spoofed the company’s e-mail address, and forwarded his news story to the Internet Wire. The fictional press release stated that the Securities and Exchange Commission (SEC) had opened an investigation into Emulex, that its quarterly earnings were to be restated, and that the company’s CEO, Paul Folino, had resigned in response. The sensational story went viral and was picked up by numerous other newswires, including TheStreet.com, CNBC, Bloomberg, and the Dow Jones Newswires.
The market’s response was both predictable and immediate. “In a sixteen-minute period following the republication of the fake press release, 2.3 million shares of Emulex stock were traded, and the price plummeted $61, from $104 to $43, resulting in Emulex’s losing $2.2 billion in market capitalization.” Exactly the response Jakob had been hoping for when he shorted the stock, earning the young market manipulator a paper profit of $250,000. Immediately, Emulex’s CEO appeared on Bloomberg and in other financial press denying the story, but by then the damage had been done. Within six days, the FBI, working with the SEC, had identified Jakob, who was arrested and pleaded guilty to wire and securities fraud. When all was said and done, legitimate investors in the market lost more than $110 million because a kid at a community college manipulated the trust they had in their screens.
Screen manipulation in the financial services sector is commonplace, and so-called pump-and-dump schemes are the meat and potatoes of online securities fraud. The practice involves traders artificially pumping up the price of a stock through false and misleading positive statements posted online and then dumping their overvalued shares before their lies are discovered. The practice has flourished in cyberspace, and the FBI has arrested dozens of criminals for taking part in these scams. Though pump and dump is generally unsophisticated in its approach, both individuals and organized crime groups have earned hundreds of millions of dollars by manipulating the information we all see online.
Sometimes financial screens can manipulate you in ways you don’t even realize, by watching you while you watch them. That’s what professional traders at Goldman Sachs and JPMorgan learned about the Bloomberg trading terminals they had been using for years. Bloomberg terminals are the lifeblood of Wall Street, and firms pay $20,000 per year per terminal to mine the reams of data they provide in order to make their daily trades. What these traders didn’t realize, however, was that reporters from Bloomberg’s news division had been granted administrative access that allowed them to monitor client activities as traders used their Bloomberg boxes. In other words, Bloomberg news reporters were keeping tabs on terminal use to facilitate news reporting. Traders who thought they were viewing information privately on a dumb terminal learned the terminal wasn’t quite so dumb and was actually watching back.
More than 300,000 of the most influential people in the financial world, including bankers, hedge fund managers, and Treasury Department officials, rely on these Bloomberg boxes to carry out their deeply proprietary research, with each query tied to a specific individual. The scandal came to light when a Bloomberg journalist phoned Goldman Sachs to inquire whether a partner still worked there, noting he hadn’t logged in to his terminal for days. The casual observation set off alarm bells at Goldman Sachs, which went public with the story.
It was later revealed that Bloomberg’s twenty-four hundred reporters were able to see histories of user log-in information on the company’s terminals, as well as the various search functions they used, such as for equities or commodities. Goldman officials complained that Bloomberg reporters eavesdropped on customers using their terminals and used this private information to spy on the activity of individual Goldman partners, information they used to generate Bloomberg news stories. One former Bloomberg reporter noted that “there was always a discussion in the newsroom of how to use the terminals to break news.”
Financial screens can also be hacked and manipulated via high-frequency trading (HFT). In his seminal 2014 book, Flash Boys, Michael Lewis tells the story of how Wall Street insiders have gamed the entire financial trading system by hacking time. By spending hundreds of millions of dollars on vastly superior technical infrastructure, high-frequency traders were able to shave mere milliseconds off their trading times, providing them with an exploitable advantage over their peers. Flash Boys follows Brad Katsuyama, a trader at the Royal Bank of Canada’s New York office, and his incredibly complex multiyear investigation into the world of HFT. What he discovered was startling: the stock market as it appeared on the screens on his desk was an illusion.
As it turned out, every time Katsuyama attempted to execute a trade, the stock price moved before his order was completed. How did this happen? High-speed traders had figured out a way to exploit the variable speeds at which trading information moved along fiber-optic cables to the stock exchanges. Though the signals traveled at two-thirds the speed of light, over longer distances minuscule time lags added up and could be taken advantage of. By paying huge sums of money for the fastest cables, the most powerful computers, and the privilege of colocating their data servers on-site with the exchanges themselves, high-speed traders were able to see Katsuyama’s intent to purchase a stock at a particular strike price and purchase it out from underneath him at the price displayed on his screen. Katsuyama was not alone; we were all being affected by the same problem; he was just the first to document it. High-frequency traders were front running the market and in return screwing us all, including you and your mutual fund purchases, your 401(k) plan, and even city pension plans.
High-frequency traders had hacked time and screen, in what amounted to a man-in-the-middle attack. They inserted themselves between the purported real-time stock market data projected on Katsuyama’s screens and a much faster reality, which they controlled and owned. Their computers were so fast that they could detect other people’s orders, cut in line before them, buy the stocks in question, and sell them back to the person who had originally attempted the purchase, albeit at a higher price. A few pennies’ difference here and there on millions of trades a day meant high-frequency traders made billions of dollars in cumulative profits out of a five-millisecond trading advantage. To put that level of speed into context, the blink of a human eye takes approximately three hundred to four hundred milliseconds. It’s akin to the scene in the movie The Matrix when the bad guys start shooting at Neo (Keanu Reeves) and he can see the bullets coming and can move at light speed to avoid them, except in this case it’s all about hacking the financial system and none of us little people have Neo’s powers.
In the days after Flash Boys was released, a series of investigations were launched by the SEC, the FBI, and the New York State attorney general. But their sudden interest begs an important question: How is it this entire system was even able to develop in plain view of the SEC right on the heels of the 2008 global financial crisis? Michael Lewis rightfully pointed out that the “market is rigged,” but before this could happen, the firms involved in flash trading had to undermine your screen in order to create the fiction of a transparent and trustworthy marketplace. It is troubling to know that we live in a world in which the screens of hospitals, prisons, police departments, banks, brokerages, and news sites are so readily hackable, but as we shall see, screens are proliferating, threats are mounting, and these attacks can cost us much more than just our money.
CHAPTER 9
Mo’ Screens, Mo’ Problems
In a world that daily disconnects further from truth, more and more people accept the virtual in place of the real, and all things virtual are also malleable.
DEAN KOONTZ, THE GOOD GUY
Robin Sage was a young and attractive twenty-five-year-old woman working as a cyber-threat analyst at the U.S. Navy’s Network Warfare Command. She had degrees from MIT and had interned at the NSA. Like many her age, Robin was a consummate networker on social media, with profiles on Facebook, LinkedIn, and Twitter. Shortly after starting her career with the navy, she began to send out friend requests to other cyber geeks working in the government. In under a month, she had grown her network to more than three hundred connections in the cyber-security world, including military personnel, defense contractors, and staff at various intelligence agencies. Among her new online pals were the chairman of the Joint Chiefs of Staff, the CIO at the NSA, senior intelligence officials at the Marine Corps, the chief of staff for a U.S. congressman, and executives at Lockheed Martin, Northrop Grumman, and Booz Allen Hamilton.
Though some who received her friend requests at first didn’t quite remember the young woman, Robin assured them that they had met the previous year at DEF CON, a large hacker gathering frequented by the “hackerati” and government spooks alike. Those with any lingering doubts just looked at Robin’s network and saw how many friends they already had in common, allaying any fears about accepting her connection requests. Robin even made friends on Facebook and LinkedIn with those who worked with her in the same building at the Naval Network Warfare Command. As her social media presence and network began to grow, Lockheed Martin and other firms became interested in hiring the young woman to work for them and the job offers began to pour in. There was just one slight problem: Robin Sage did not exist.
Sage was the invention of Thomas Ryan, a security consultant who wanted to test the threats social media posed to professionals working in the national security community. His goal was simple: to see what intelligence he could covertly gather via social media networks using a fictitious persona. In less than a month, his new contacts began openly sharing extensive data with his attractive alter ego, Robin Sage. Using his virtual Mata Hari routine, Ryan duped an army Ranger whom he had friended into sending Sage photographs—pictures that included embedded geo-location data for his secret base in Afghanistan. The Ranger further revealed details about his and other troop movements in Iraq to his new “friend.”
Robin Sage’s screen presence was so convincing that she even received confidential documents to review as well as offers to speak at several high-profile conferences on cyber warfare and security. How hard was it for Ryan to carry out his ruse against an elite group of seasoned military and intelligence professionals working in America’s national security community? Dead easy. Ryan merely plucked a photograph off the Internet and used it to create Sage’s social media profiles. In reality, the picture belonged to a lesser-known porn star of limited repute. Even her name, Robin Sage, was actually the name of a large military exercise carried out annually by the army in North Carolina. Robin’s address? That of the infamous military security contractor Blackwater. The Robin Sage experiment proves how easily the trust people place in their screens can be undermined. If trained military and intelligence professionals took the bait, what chance might the general public have of protecting themselves from these types of threats? But when everything is connected, computers are far from the only screens you have to worry about.
Call Screening
Given the explosion in mobile devices, it’s not surprising that criminals are turning their attention from big screens to little ones—especially because phone software is often less secure than its desktop counterparts. Though we are all used to seeing caller ID screens on our phones, in our offices, and in our homes, like any other screen they are easily hacked. There are any number of software programs and Web sites that have been created to alter the caller identification on outbound phone calls.
Web sites and apps such as SpoofCard.com and SpoofTel.com make it incredibly easy to display a different number on any outbound telephone call. All you need to do is enter the number you want it to appear as if you were calling from and the name of the party calling, and that is what will be displayed in the outbound caller ID to your target. Want to pretend to be the president? No problem, just enter “202-456-1414” and “The White House” in the app, and you are good to go. Phone-spoofing companies offer a variety of packages meant to deceive other senses beyond just the visual. They also offer the ability to change your voice from male to female and even insert background noise into any conversation to convince the other party that you are calling from a busy office, nightclub, traffic jam, or airport. These companies tout their products as a means of “protecting your identity” or “pulling pranks on your friends.” Of course, text messages can be altered using the same techniques. While no doubt teenagers would have fun pretending to be everybody from Lady Gaga to the FBI director, there are obviously more nefarious uses, which criminals are all too eager to exploit.
In the case of the epic News Corp phone-hacking debacle, a spoofed caller ID screen allowed reporters to access the voice-mail system of Milly Dowler and others, an attack that could just as easily happen to you. The scam worked because by default many mobile phone carriers do not require a password to enter a voice-mail box. The system just relies on your mobile phone caller ID to play your messages. Because all mobile companies worldwide have a central 800 number you can dial to check your messages when calling from a landline, bad guys just spoof your outbound number when dialing the mobile phone company’s voice-mail system and, voilà—they have full access to your messages. Not only were public figures in the U.K. targeted with the technique, but some celebrities seeking gossip have even used it to hack into the voice mail of rivals, such as when Paris Hilton notably used SpoofCard to listen to the messages of Lindsay Lohan.
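The flaw in that voice-mail flow is that the presented caller ID, a value the caller controls, is being used as the authenticator. The Python sketch below is an added example, not code from the book or from any carrier; the mailbox number, PIN and the "spoofed" request are all constructed. It contrasts the default policy described above (caller ID alone unlocks the box) with one that ignores caller ID for the authorization decision, requires a PIN, stores only a salted hash of it, and locks the box after repeated failures.

```python
"""Voice-mail access policy: caller ID is an untrusted hint, not an authenticator.

Added example, not from the book. Mailbox numbers, PINs and the spoofed
request in demo() are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_ATTEMPTS = 5  # lockout threshold (assumed policy value)


@dataclass
class Mailbox:
    number: str          # subscriber's own phone number
    pin_salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked mailbox table does not expose raw PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def create_mailbox(number: str, pin: str) -> Mailbox:
    salt = secrets.token_bytes(16)
    return Mailbox(number=number, pin_salt=salt, pin_hash=_hash_pin(pin, salt))


def weak_policy(mailbox: Mailbox, presented_caller_id: str) -> bool:
    """The default the text describes: the box opens if caller ID matches.
    Caller ID is attacker-controlled, so this is no authentication at all."""
    return presented_caller_id == mailbox.number


def hardened_policy(mailbox: Mailbox, presented_caller_id: str,
                    pin: Optional[str]) -> bool:
    """Caller ID is deliberately unused here; only a correct PIN grants access.
    Repeated failures lock the mailbox to blunt PIN guessing."""
    if mailbox.locked or pin is None:
        return False
    candidate = _hash_pin(pin, mailbox.pin_salt)
    if hmac.compare_digest(candidate, mailbox.pin_hash):  # constant-time compare
        mailbox.failed_attempts = 0
        return True
    mailbox.failed_attempts += 1
    if mailbox.failed_attempts >= MAX_FAILED_ATTEMPTS:
        mailbox.locked = True
    return False


def demo() -> dict:
    """Constructed scenario: a caller presents the victim's own number."""
    box = create_mailbox("+15555550123", "4821")
    spoofed_caller_id = "+15555550123"  # constructed: equals the mailbox number
    return {
        "weak_grants_spoofed": weak_policy(box, spoofed_caller_id),
        "hardened_denies_no_pin": not hardened_policy(box, spoofed_caller_id, None),
        "hardened_denies_wrong_pin": not hardened_policy(box, spoofed_caller_id, "0000"),
        "hardened_grants_correct_pin": hardened_policy(box, spoofed_caller_id, "4821"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point of the design is that the presented number never enters the authorization decision; it may still be logged as context for detection (for example, many "own number" accesses failing the PIN check in a short window), but it can never substitute for the PIN.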