Why Has There Been So Much Hacking Lately? Or Is It Just Reported More? A Freakonomics Quorum

Rupert Murdoch, CEO of News Corp., sits in a car as he is driven along Whitehall, prior to a parliamentary committee hearing on the phone hacking scandal, in London, U.K. on Tuesday, July 19, 2011. (Photographer: Simon Dawson/Bloomberg via Getty Images)

You don’t have to be all that sharp to see that there’s a lot of hacking going on lately. As I type, Rupert Murdoch and his allies are testifying before British Parliament over the mushrooming News of the World disaster (live video here). It seems like everyone on earth is getting hacked: consultants and cops, Sony and the Senate, the IMF and Citi, and firms ranging from Lockheed Martin (China suspected) to Google (ditto) to dowdy old PBS. But is there really more hacking than usual of late, or are we just more observant?

To answer this question, we put together a Freakonomics Quorum of cyber-security and I.T. experts (see past Quorums here) and asked them the following:

Why has there been such a spike in hacking recently? Or is it merely a function of us paying closer attention and of institutions being more open about reporting security breaches?

Thanks to everyone in the Quorum for their sharp and helpful replies. There is a lot of information below, some of it contradictory, much of it provocative. Interestingly, it appears very hard to quantify the level of hacking in any real way, in part because much of the most “valuable” hacking goes either undetected or unreported.

Bruce Schneier (earlier Q&A here) is an internationally renowned security technologist and author. His first bestseller, Applied Cryptography, explained how the arcane science of secret codes actually works, and was described by Wired as “the book the National Security Agency wanted never to be published.” Schneier has testified on security issues before Congress and runs the popular blog Schneier on Security.

The apparent recent hacking epidemic is more a function of news reporting than an actual epidemic. Like shark attacks or school violence, natural fluctuations in data become press epidemics, as more reporters write about more events, and more people read about them. Just because the average person reads more articles about more events doesn’t mean that there are more events — just more articles.

Hacking for fun — like LulzSec — has been around for decades. It’s where hacking started, before criminals discovered the Internet in the 1990s. Criminal hacking for profit — like the Citibank hack — has been around for over a decade. International espionage existed for millennia before the Internet, and has never taken a holiday.

The past several months have brought us a string of newsworthy hacking incidents. First there was the hacking group Anonymous, and its hacktivism attacks as a response to the pressure to interdict contributions to Julian Assange’s legal defense fund and the torture of Bradley Manning. Then there was the probably espionage-related attack against RSA, Inc. and its authentication token — made more newsworthy because of the bungling of the disclosure by the company — and the subsequent attack against Lockheed Martin. And finally, there were the very public attacks against Sony, which became the company to attack simply because everyone else was attacking it, and the public hacktivism by LulzSec.

None of this is new. None of this is unprecedented. To a security professional, most of it isn’t even interesting. And while national intelligence organizations and some criminal groups are organized, hacker groups like Anonymous and LulzSec are much more informal. Despite the impression we get from movies, there is no organization. There’s no membership, there are no dues, there is no initiation. It’s just a bunch of guys. You too can join Anonymous — just hack something, and claim you’re a member. That’s probably what the members of Anonymous arrested in Turkey were: 32 people who just decided to use that name.

It’s not that things are getting worse; it’s that things were always this bad. To a lot of security professionals, the value of some of these groups is to graphically illustrate what we’ve been saying for years: organizations need to beef up their security against a wide variety of threats. But the recent news epidemic also illustrates how safe the Internet is. Because news articles are the only contact most of us have had with any of these attacks.

 

Tal Be’ery is senior web security researcher at the cyber-security firm Imperva.  He has spent years in cyber security as a researcher in the private sector and a practitioner in the military.

 

It’s both. There are more hacking incidents and there’s more visibility to it – so the combined effect gets squared. But there’s much more to it.

The economic drivers behind hacking have evolved dramatically over the years.  In the past, before we put data online, hacking was done for amusement. First, hackers would attack Microsoft because they were big and Bill Gates had lots of money. As websites came online, they mainly presented information and conducted a small level of transactions. Hackers focused on defacement, aka hacktivism, to embarrass these organizations. In the cases where websites focused on transactions (in the early days, it was online gambling), hackers would blackmail site operators with attacks that brought websites down (a “denial of service” attack in geek speak). But eventually, the network firewall was invented to stop this.

Then a crucial development took place: companies began digitizing data (credit cards, intellectual property, etc…). This data had tons of value on the black market, governments included. Consequently, the hacker focus shifted from denying service to stealing data. They’ve built a whole industry around it.

Here’s where we reach a critical problem: companies are poised for the old cyber security model which was designed to keep the bad guys out. However, the same convenience that allowed individuals to access data from their living rooms meant hackers could too, say from a Starbucks, or a dorm room or Timbuktu. The old paradigm—keep them out—stopped working. Protecting the network, while still important, became secondary to protecting data. Few have recognized this evolution—except hackers. Today, of the $16 billion spent on security, less than 10% goes to data protection.

Here’s what this looks like in real life. When the small town of Pittsford, N.Y., was hacked and lost $139,000, the town supervisor said, “We have good firewalls and anti-virus software, and we weren’t at all lax in our security systems. We thought we were pretty secure.”  Did the same excuse get made at Sony, Epsilon…?  Probably.

We also see more hacking incidents which keeps it top of mind. Unlike in the past, hacking has grown and evolved as a discipline.  There are three types of hacking that currently dominate headlines:

  1. Advanced Persistent Threat (APT):  This refers to government-sponsored hacking. In this case, data theft can be either citizen data or intellectual property. Schematics for weapons are often targeted.  APT is growing for several reasons. It evens the playing field. Suddenly, isolated North Korea can attack the U.S. government, as it did two years ago. APT can also successfully paralyze an opponent’s infrastructure. For example, Stuxnet highlighted how a government could hinder Iran’s nuclear development capabilities. Lastly, APT is not punished. When China attacked Google, what happened to China?  Nothing. 
  2. Industrialized hacking: These are commercial hackers who do it for money. It’s growing for a few reasons: good guys are putting more data/commerce online; and more legal business activity fuels more illegal activity. Also, industrialization makes hacking a more efficient business. Automatic tools help hackers attack thousands of victims in just hours. Just as armies became more effective when they evolved from single shot to automatic rifles, hackers are experiencing the same sort of technological progress. Education is also fueling growth. Hacker forums, for instance, exemplify the spirit of web-based collaboration and education, offering a rich menu of tutorials, advice and technology designed to steal data. Analysis of one forum, with 210,000 registered hackers, showed that approximately 25% of the discussions were focused on hacking tutorials and techniques—ensuring a consistent supply of expertise in the marketplace.
  3. Hacktivism: This relies on the same methods described above; the purpose however isn’t data theft but rather making a political statement. For example, you may take down a government website or deface it (as was done to Hugo Chavez when his picture was replaced with one of Austin Powers’s Mini-Me). Hacktivism, however, only thrives with attention. Much like terror, it needs media coverage. No coverage, no terror. Hacktivism is the same.

 


Henry Harrison is the technical director for cyber security at BAE Systems Detica, an information-security firm. Harrison supports Detica’s work across government and commercial customers and helps steer investments toward new cyber-security capabilities.

 

Let me restate what I think is being asked here. Why is there so much hacking being reported in the media of late? And is there actually more of it going on than there used to be?

Let’s work backwards. Over the longish term, there is definitely more of every sort of cyber-crime and cyber-espionage going on than there used to be. Twenty years ago, the world was only very loosely connected (in an electronic sense) and still at the very early stages of dependence on I.T. — so the returns to be had from hacking and other forms of nefarious electronic activity were relatively limited. Since then, the world’s interconnectedness has grown quite astonishingly, meaning there are much greater incentives for those who want to hack into both corporate and personal I.T. systems.

What’s more, the online environment presents very little in the way of disincentive for this sort of activity. There are numerous ways to obscure the source of an attack, meaning that it’s very difficult to work out who’s doing these things, and even if they do, not much likelihood that they’re going to do anything really painful in return. Of course, it’s not a completely deterrence-free zone: people do go to prison, and diplomatic pressure does get applied. But it’s really nothing comparable to the real world. I doubt we need any scientific studies to assess the relative adrenalin levels of someone hacking into a network compared with someone walking into a bank with a stocking over their head and a shotgun in their hand (though it would be an interesting comparison).

So: increased incentives and relatively few disincentives. Over the longer term then, there is (a lot) more hacking going on than there used to be.

Now to the first question. Definitely one of the factors that’s leading to more hacking being reported is that more of it is going on. But of course there’s a media cycle element to it as well. Because more is going on, cyber security in general is getting to be a bigger story; this means that hacking incidents get to be front-page news more often than they used to. They feed a developing storyline rather than being reported only as individual incidents. And this in turn means that for those whose motivation is publicity, incentives are strengthened.

It would be a mistake though to think that this sort of publicity-seeking behavior is sufficient on its own to sustain the media attention. I think the media is sticking with this story because of the much more significant trend underneath it, as demonstrated by rarer, but occasionally reported, incidents such as RSA, Google (“Aurora”) and the oil companies (“Night Dragon”) — and by significant new government spending around cyber security in the U.S., U.K., and many other countries.

On that front, we might just be beginning to see corporations open up a bit about reporting incidents that happen to them. But that really is at a very early stage. Through our work with customers, we run up against a much larger proportion of potentially high-profile incidents which have never been reported and probably never will be. There’s an awfully long way to go in terms of better disclosure and consequently more awareness of what’s really going on out there.

What’s perhaps more surprising to many people is that there are even more incidents that have never even been detected, let alone reported. When the motivation for an attacker is to gain publicity, obviously the incident ends up being “detected” — because the perpetrator reports it. But if the motivation is to steal confidential information — intellectual property, or sensitive commercial data — then the whole objective is not to be detected. Most companies simply aren’t looking for this sort of covert infiltration today, and in various cases when we have started to look for it inside a new customer’s network, we have fairly rapidly found evidence of intruders who have had access into the network for some time, completely undetected by the victim organization. Extrapolating from that to the majority of organizations who — today — are still not looking for these covert activities inside their networks, we can be fairly certain that there are a significant number of hacking incidents which are successful but completely undetected.

What will happen next? I suspect that the current media cycle has a while to run and that we will continue to see a large number of high-profile incidents where the motivation is to gain publicity. But I know more about security than I do about media, so I’d probably take that with a pinch of salt and pay more attention to my second prediction: that more and more organizations are going to start asking themselves whether they ought to be looking for evidence of the sort of covert data-stealing that’s currently going undetected. As more organizations find out that this sort of hacking is going on, they’ll start feeling the urgency to report the incidents because of the material impact they can have on the business.

 

Julie Conroy McNelley is a senior analyst within Aite Group’s Retail Banking practice, covering fraud, data security, anti-money laundering, and compliance issues. She has over a decade of product-management experience working with financial institutions, payments processors, and risk management companies.

Hacking and malware attacks are on the rise, and that trend will only continue to grow. Many of the headlines about data breaches over the last several months reflect the concerted effort of a highly organized underground economy whose business is financial gain through cyber crime. We can’t pin all the blame for these attacks on organized crime, however; nation-states have also been implicated in a number of the high-profile attempts, such as the NASDAQ, Google, and IMF attacks.

The uptick in attacks is spurred by a number of things:

  1. Technological innovation: The sophistication of the malware and hacking attacks is on the rise, and the innovation among the criminal element is further enhanced by the fact that they actively collaborate. The inventor of ZeuS, one of the more pernicious Trojans, licenses his software via underground bulletin boards, reinforcing the notion that cyber crime is now run like a business. True to the open-source model, licensees are free to modify ZeuS to make their attacks more difficult to detect and prevent. The rapid pace of technological innovation by legitimate businesses also provides an opportunity: as new technologies are deployed, the law of unintended consequences often means that there’s a security gap somewhere that hasn’t been fully thought through (until it’s too late).
  2. The success of PCI: Introduced mid-way through the last decade, PCI is an information security standard governing organizations that handle bankcard data. While it’s not a silver bullet for data security issues, it has significantly contributed to a decrease in breach events. The law of supply and demand dictates that as the number of credit card records that are available to the criminal underground decrease, the value of this data on the open market increases. The price for stolen card data is therefore on the rise, which means that the criminals are redoubling their efforts. Card data isn’t the only thing they’re after, of course. Online banking credentials, particularly those associated with business accounts, are also a hot commodity.
  3. Bad guys don’t require business cases: Whereas most businesses require a business case to deploy new levels of protection, bad guys are generally free from these constraints. Moreover, a criminal that is successful only in 1 of 100 attempts is still having a great day: in that one successful attempt, he was likely able to make off with thousands, if not millions, of data elements that can be monetized. Conversely, institutions and businesses that are trying to protect their data have to consistently bat 1.000 in their security efforts. It’s tough to be perfect in the face of the barrage of attacks, which is why we will continue to see these headlines for some time.

Nation-states employ similar tactics to the organized criminal element, but their efforts more often target strategic information that can be used for diplomatic or economic gain. Cyberspace is the new battleground, and the battle is here to stay.

 

David Jevans is chairman of internet security firm IronKey. He is also chairman and founder of the Anti-Phishing Working Group, a leading non-profit dedicated to eradicating identity theft and fraud on the Internet.

The hacking headlines have been fast and furious this year, both because of more disclosure and the high-profile list of large and sophisticated victims. But that’s the tip of the iceberg. Hackers are also stealing millions from SMBs/SMEs, and while that only makes headlines when they get caught, the problem is so rampant a federal agency has just issued new, stronger security guidelines for Internet banking security.

Here are some of the reasons behind the cyber-crime onslaught on Internet banking and why their success rate is so high.

  1. Instead of attacking banks directly, cyber criminals attack the weakest point—the online banking customer’s PC. They are much more likely to find vulnerabilities at SMBs and SMEs than at a bank that has a strong internal security team and systems.
  2. Hacker toolkits like SpyEye and ZeuS have made it much easier for non-programmers to mount very sophisticated attacks. These tools are sold on the Internet, which has increased the number of hackers.
  3. These same toolkits are command-and-control centers for armies of botnets, enabling criminals to create a pool of millions of computers that can be used to mount large-scale attacks very quickly.
  4. Cyber criminals have learned how to escape anti-virus detection by frequently changing their attack viruses. Anti-virus works based on having seen an attack before and looking for its “signature.” This leaves a window of vulnerability between the time a new attack is launched, and when it is detected. By morphing their attacks frequently, hackers avoid anti-virus completely.
  5. New attacks are much harder to stop even with stronger online banking security methods such as one-time passwords (OTPs).  For example, one type of attack is man-in-the-browser, where the cyber criminal actually takes over the browser during an online banking session and invisibly passes additional ACH transfers to your account while you are using it too. To the bank, it looks like it is you.
  6. Thieves are going after higher value targets, such as businesses and municipalities, with more targeted attacks. For example, “spearphishing” involves learning enough about the mark that the criminal can send a very personalized and persuasive email that tricks the recipient into installing malware. New research from Cisco shows targeted, personalized attacks have tripled in the past year. They estimate the bad guys made more than $1 billion a year ago, and that targeted attacks have an average payoff of $80,000.
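
The signature gap in point 4 above, as an added example written for this page (not code from IronKey or any product named in the post): a constructed text stand-in for a banking-Trojan dropper, a hash-based detector of the kind the post describes, a deliberately trivial one-byte XOR “packer” standing in for the attacker’s morph step, and a second detector that looks through the packing layer. The sample bytes, the C2 string and the packing scheme are all assumptions for illustration; nothing here is real malware.

```python
import hashlib
import re

# Constructed stand-in for a banking-Trojan dropper: readable text, not a real sample.
# The "c2=...gate.php" config string is the detail a content-aware detector keys on.
SAMPLE_V1 = (
    b"MZ\x90\x00 dropper build 1; grab=online-banking-forms; "
    b"c2=http://example.invalid/gate.php; inject=browser"
)

# What a signature-based engine actually holds: hashes of samples it has already seen.
KNOWN_HASHES = {hashlib.sha256(SAMPLE_V1).hexdigest()}

# Assumed indicator for the content-aware detector: the C2 gate URL pattern.
C2_PATTERN = re.compile(rb"c2=https?://[^\s;]+/gate\.php")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_detect(sample: bytes, known: set = KNOWN_HASHES) -> bool:
    """Classic signature check: exact hash match against previously seen samples."""
    return sha256_hex(sample) in known


def repack(sample: bytes, key: int, padding: int = 0) -> bytes:
    """Attacker's 'morph' step (a deliberately trivial assumption for this example):
    XOR every byte with a one-byte key and append junk. Every build gets a new key,
    so the hash changes while the behaviour does not."""
    if not 0 <= key <= 255:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in sample) + b"\x00" * padding


def unpack(sample: bytes, key: int) -> bytes:
    """XOR is its own inverse, so unpacking is the same operation as packing."""
    return bytes(b ^ key for b in sample)


def content_detect(sample: bytes) -> bool:
    """Detector that looks through the packing layer: try every one-byte key and flag
    the sample if the unpacked bytes carry the C2 gate string. Real engines get the
    same effect with emulation or behavioural monitoring; brute-forcing a one-byte
    key is the toy version."""
    return any(C2_PATTERN.search(unpack(sample, k)) for k in range(256))


def detection_matrix() -> dict:
    """Run both detectors over the known build, two freshly morphed builds of the
    same code, and a benign document. Returns name -> (signature hit, content hit)."""
    v2 = repack(SAMPLE_V1, 0x5A)               # new key, same code
    v3 = repack(SAMPLE_V1, 0xC3, padding=32)   # new key plus junk appended
    benign = b"quarterly report: revenue up 4%; see attached spreadsheet"
    return {
        name: (signature_detect(s), content_detect(s))
        for name, s in (("v1", SAMPLE_V1), ("v2", v2), ("v3", v3), ("benign", benign))
    }


if __name__ == "__main__":
    for name, (sig, content) in detection_matrix().items():
        print(f"{name:7} signature={sig!s:5} content={content}")
```

Run it and the hash check fires only for the build it has already seen; each re-keyed build slips past until someone captures it and adds its hash, which is the window the post describes. The second detector keys on what the code carries rather than on its exact bytes, which is the direction heuristics, emulation and behavioural monitoring take at scale, and it is also why a practitioner treats a clean signature scan as weak evidence against a per-victim build.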

COMMENTS: 19
  1. Mike B says:

    What is going on in the UK right now I wouldn’t even describe as “hacking” at all. In this country it is better known as pretexting, thanks to the Hewlett-Packard CEO scandal back in 2006 where private detectives used social engineering techniques to gain access to private data. The term hacking should at least imply a technical component, so guessing poorly chosen or unchanged passwords might qualify, but calling up the phone company and sweet-talking (or just bribing) your way in is as old as agent-carried communications themselves. If you don’t believe me just watch an episode of the Rockford Files.

    This isn’t about “hacking”, it’s about how the news media in Britain has, by hook or by crook, been able to corrupt large institutions for its own personal gain. Police were bribed, private communications were BROKEN into and this is probably the tip of the iceberg. Real hacker groups and cybercriminals have been plying their trade since these sorts of technologies came online and have proportionally stepped up their activities as the potential profit and visibility have increased. The British tabloid press, on the other hand, appear to have morphed into a criminal enterprise decades ago; it’s just that until now nobody had been able to report on it. Gee, I wonder why.

    • CK says:

      In addition to pretexting it is rumored they used caller ID spoofing to fool phone company voicemail systems into letting them in without the need to enter a password. That meets your narrow definition of ‘hacking’.

  2. Chris B says:

    I agree with Mike B. I saw this thought concisely summed up on Twitter recently with the post:

    “The one thing missing from all this news about phone hacking: hackers”.

    Also, to Freakonomics, you may want to include the guys behind the Verizon Data Breach Investigations Report ( http://securityblog.verizonbusiness.com/ ) who put out essentially the best and most comprehensive study on actual hacking every year. Their opinions would be quite appropriate here, since they analyze and publish the data.

    • Ryan says:

      Tal Be’ery sounds like one of those HBGary types who knows just enough about ‘web security’ to bleed the government out of contractor money.

      Everyone else clearly knows their stuff.

      • PLH says:

        You are spot-on with that comment. Not to disparage anyone, but Tal’s post was virtually content free, and failed to properly define or characterize what advanced persistent threats actually are. I would have been interested to see the perspective of someone like Marcus Ranum, who, like the rest of the panel, knows his stuff, and often presents insightful counterpoints to Schneier’s pragmatic approach to security.

  3. Enter your name says:

    The example given for “Advanced Persistent Threat” was not random. In the industry, “APT” is often pronounced “Advanced Persistent Chinese”. APT is largely constituted in a series of departments in the Chinese military and other government agencies. The employees’ orders are to steal our technology, whenever stealing it is likely to be more efficient than creating it.

    The reason there is no retaliation against the Chinese government for its hacking endeavors is because — unlike the Russian mob or other criminal hacking enterprises — effective retaliation would require the deployment of a major military force.

    • Napata says:

      The Chinese threat? Mmm .. Does anyone ask if the US has been hacking Chinese govt computers? This may be a better explanation about lack of ‘retaliation’ .. This is same US that used its technology to hack everyone’s mobile! Echelon. Same US that compromised Swiss crypto maker to put a back door on all diplomatic cipher machines! Do I hear someone mention something about kettles calling pots …..

  4. Joshua says:

    I just want to point out: wikileaks started with a giant “hack.” Julian Assange took the data flowing through the Tor network, bouncing between tons of machines for the sake of anonymity, and scooped tons of data out of that stream. He abused the tool so when wikileaks launched he could say “tens of thousands of documents uploaded” when none of them were voluntary.

  5. Ben says:

    This is the only forum that even brought up the discussion of whether this is hacking or not. Thank you!

    There’s quite a bit of gray area with social engineering, but if my vote counts, I say it qualifies, since it involves using techniques to bypass security systems.

    In terms of how it’s used in conversation, it seems to me that “hacking” is a phrase people use when they don’t understand what they are talking about. Worse, they don’t want to and/or don’t believe they are capable of understanding, so they stop trying to think at all as soon as the magic phrase appears.

    If they simply pointed out this is about corruption of law enforcement and legislators at the highest levels of the UK government and media, and involved the release of protected information potentially under color of law THEN people would perk their ears up.

  6. Paul says:

    The hacking scandal in the UK and the Whitey Bulger fiasco in the US share at least one key characteristic — the overseer (Scotland Yard, FBI) got too close to the people they were supposed to be overseeing (media, Whitey). Is this just the 2011 version of George Stigler’s regulatory capture theory of the 1960s?

  7. Brian Donohue says:

    Reading this, I am wondering if maybe high unemployment numbers and all the baggage that comes with them may be feeding fuel to the hacking fire.

    • Nick P says:

      Certainly. I remember reading in sociology texts back in college that poverty and lack of education were the primary contributors to criminality in a given area. People desperate to pay bills & who lack the ability to legitimately get the money are naturally more likely to see crime as the most cost-effective solution. Many even might think, at first, that they’ll only do it a few times to pay these bills. Seeing the ease of making thousands a month, they might stick with it. An example of a layoff leading to a life of cybercrime is given in the presentation “Becoming the six million dollar man”. Google it.

      For an immediate idea, here’s the kind of payoff you’re looking at. If the crook has no money, they might use some free samples or $200 for some CC’s, making a few grand off of reselling stolen merchandise. A two grand investment gets them some blank cards, a card writer & some ATM cards with PIN. This usually results in a few grand. They do this a few times and they have $10 grand. Invest some of that in some ACH malware kits & fire them off at small businesses, churches, etc. from residential wifi hotspots. Average ACH fraud is $100k-$300k. Assume laundering & other losses take 50% of the revenue. Resulting profit is still $50k-150k, from a cash investment as little as $3,000. It’s easy to see IT guys remaining jobless for months might think this is a better option, especially if they felt cheated by the system as some crooks describe.

      • napata says:

        not so sure…. there is huge difference between small criminals and big ones…the big ones generally try to discourage the small ones as they make life difficult for big criminals i.e. put political pressure on authorities to crack down on crime… small criminals (street theft etc) discourage people from going out and that reduces business for big criminals… big criminals skim from the top and so do not kill the goose .. a protection racket is transparent to the consumer who is paying in higher prices! Robbing banks does not discourage people from online transactions even though via insurance premiums etc the cost is passed back to the consumer…

      • Nick P says:

        That sounds nice and much like street crime. However, most online crime actually doesn’t work like that. The vast majority of online criminals are independents, groups or individuals, who saw an opportunity and took up the trade. Most long-term individuals specialize in a particular skill, like developing sploits or building botnets.

        The more generalized ones are often composed of small groups that focus on about one scheme at a time, trying to milk it as much as they can. They often have a few profitable core members and sometimes even support personnel who help the new people with hard cases. (Esp. true with 419 groups) The largest groups, like Russian Business Network, do whatever scheme makes them the most money, have an R&D apparatus that develops more sophisticated approaches, and leverage off-the-shelf attack kits where possible.

        In the online market, everyone discourages everyone. Competition decides who wins because the competitors are often nameless, invisible and unreachable, even for the big fish. The more successful groups leverage their resources to further deny competitors success, as seen in botnets that disable other botnets’ code or patch vulnerabilities. It’s not like the organized street crime or protection rackets. It’s much more laissez faire.

  8. Nick P says:

    Alright, these are my first thoughts on the matter. I might post something else after thoroughly reading the sources on the blog. This opinion was previously posted on Schneier’s blog.

    I strongly disagree with his assessment. I feel there has been an increase in hacking over the previous years in many extents. The description didn’t factor in some very important issues. The first is the amount of available hacker aids including books, online howto’s, premade scripts, and cheaply available rootkits that actually defeat AV systems & automatically comb up credentials. Hackers in my day didn’t have it that easy, with much of the work being customized & you had to be trusted by pros to get good scripts & best practices.

    Second, there’s been tons of press coverage in newspapers, blogs like Krebs’ and magazines like Wired that tell random people about the tools of the black hat trade, what kinds of places have them, how much they cost, and how easy they are to use. One article gave specific web sites that sold CC numbers for “as little as $200.” This was a widely read publication. Any member who had thought crime was risky & expensive to get into is now informed that it’s cheap, low risk, where to get the stuff, and that Western Union is the preferable payment method. Multiply that by thousands of similar articles and you get the idea of the potential impact.

    These two factors have combined to cause an increase in online crime. In the ’90s, we were port scanning systems, hoping for default passwords to be there, etc. It was either random or targeted. The credit card theft was mainly a physical affair & identity thieves worked hard to get personal information and selectively hit targets. Today, people can anonymously buy a few dozen credit cards, put them on mag stripes, and cash them out at ATMs. Today, identity thieves & data brokers can use off-the-shelf kits to break into databases, stealing records by the tens of millions or more. In the past, we’d brag about having a hundred or so systems. Today, they have several million at once, acquired with fire-and-forget malware.

    So, I’d say that hacking is much more numerous & damaging than it once was. There are more of them, they have better tools, they have more education, most are in foreign jurisdictions, they are making more money on average, and the act requires little to no skill. The situation is much worse than it used to be. An epidemic? Well, the word “pandemic” might be more appropriate considering the number and locations of victims of hacking, online fraud & spam-related fraud.
