From today's Globe & Mail:
'Hunting season' for computer attackers
00:00 EDT Wednesday, July 06, 2005
TORONTO -- Their anonymous ranks include extortionists who threaten to crash companies' on-line operations. They play with powerful viruses to surreptitiously lift personal data off PCs. And they brazenly wander through electronic bazaars to freely trade stolen information, malicious computer code and access to hijacked networks.
A new generation of sophisticated, amorphous and highly co-ordinated Internet criminals is not only costing businesses billions of dollars; it's testing people's faith in on-line technology and pushing global law enforcement to the limit, industry experts warn.
"It's hunting season right now. It's unbelievable how [flagrant] the attackers are. They know right now is the time because law enforcement has no resources and there's no universal jurisdictional law," says Ryan Purita, a forensic examiner with Totally Connected Security Ltd. in Vancouver. "Thieves are just going 'wow, what a wicked time.' "
Attackers are increasingly co-ordinating their activities by sharing and selling malicious code and stolen information. They are streamlining operations and hiring at an incredible rate, says Claudiu Popa, president of Informatica Corp., a Toronto-based network consultancy.
The recent onslaught of focused attacks on computer systems worldwide may be starting to test the public's confidence in the Internet and could threaten to undermine emerging technologies, some industry experts say.
"This is the year we're seeing cybercrime, or the potential of cybercrime, begin to affect how people use the Internet," said James Lewis, senior fellow at the Center for Strategic and International Studies in Washington, D.C.
It has taken the better part of a decade to persuade the mainstream user to shop and bank on-line. But just as the technology is finally starting to deliver on promises made during the dot-com boom, Mr. Lewis says a significant portion of the population is questioning the safety of the medium.
"If people can't feel confident about using the Internet, they will begin to back off from using it. This is one of the greatest social costs of cybercrime," he said yesterday.
Law enforcement around the world is struggling to track and locate the threats, said Mr. Lewis, who was commissioned by McAfee Inc., a large security software company based in California, to write a report on organized crime and the Internet. "There's been substantial effort on behalf of law enforcement. But the best you can say is that they're barely keeping up with it," he said.
In the past few weeks, several major breaches of consumer financial data have come to light. In one instance, forty million credit card accounts were exposed to a breach and at least 200,000 records were stolen from Atlanta-based CardSystems Solutions Inc., which processes credit card and other payments for banks and merchants across North America. Further, Equifax Canada Inc., the credit reporting company, revealed that it had suffered a security breach that gave criminals access to personal financial information for hundreds of Canadians.
Threats may come in the form of electronic Trojan horses, which lie behind fake Web links or attach themselves to e-mails, appearing as harmless files that actually contain malicious code. When a file is opened, the code installs itself on the recipient's computer and is programmed to surreptitiously take control of the device. Infected computers are known as bots, or zombies, and they become part of an army of machines under the control of an attacker, who can use them to bombard a site with traffic and even bring it down.
These battalions of bots have been used in countless attacks on companies that do business on the Web. On-line betting firms, including CanBet Ltd. and William Hill Sportsbook, have been favourite targets, with attackers demanding payments of tens of thousands of dollars to back off.
Some Trojans planted inside companies' computers actually reroute corporate traffic to an illegitimate destination. Once the electronic bridge is in place, criminals intercept, monitor and retrieve all the sensitive information they want. They may dismantle the connection days before a company's IT department realizes what happened.
Web-based chat rooms and Internet relay chat, a technology that allows users to set up discussion channels on-line anonymously, are favourite forums for exchanging information and recruiting. There are also countless websites set up to blatantly promote criminal activity, such as the International Association for the Advancement of Criminal Activity (http://www.iaaca.com).
Some cybergangs hide in plain sight. The HangUP Team, a Russian gang that has eluded the law for several years, carries out a dialogue of hacker exploits on its site and bears the logo "In Fraud We Trust."
Mobile devices such as cellphones that can surf the Web or act as credit cards will be attractive targets of cybercrooks in the next year, as users begin to store more valuable information on their handheld devices. In addition, voice over Internet protocol (VoIP) will give attackers a new way to exploit computer vulnerabilities to interfere with phone services, Mr. Lewis said.
The trend toward mobile computing is already opening up a giant hole in many networks. When users plug their laptops or personal digital assistants into a corporate network, they run the risk of importing malicious code. "Mobile devices represent a new way for mischief to come into a company and they are hard to control," said Robert Gleichauf, chief technology officer of security at Cisco Systems Inc.
Police use a variety of techniques to track attackers, including tracing the Internet protocol (IP) address assigned to the computer by its Internet service provider. "You always leave a trail, just like a murderer does. Your IP address is your fingerprint, your DNA," Mr. Purita said.
That trail, however, is frequently impossible to track. Most advanced attackers employ a process of looping and weaving, which means running their traffic through zombie computers in multiple countries.
"The further physically removed they are, the harder it becomes to find them," said Howard Schmidt, former special adviser for cyberspace security at the White House and president of R&H Security Consulting in Seattle.
Getting a handle on the number of attacks is difficult because many businesses don't report them for fear of hurting their reputations, said inspector Rob Currie, director of the RCMP's technological crime branch.
He says his group receives a call from a large Canadian company almost every week reporting a breach or seeking counsel on a "hypothetical" breach.
"IT security breaches are [now] part of daily life."
Phishing for trouble
$61.9-MILLION: ESTIMATED COST OF CYBER CRIME IN 2004
75-150 MILLION: ESTIMATED NUMBER OF PHISHING E-MAILS SENT EACH DAY
300: NUMBER OF NEW PIECES OF MALICIOUS SOFTWARE WORLDWIDE EACH MONTH IN 2004
$1,200: AVERAGE COST OF PHISHING SCAMS PER VICTIM IN U.S.
60,000: ESTIMATED NUMBER OF VICTIMS OF PHISHING SCAMS (FOOLING USERS TO HAND OVER PERSONAL INFORMATION TO COUNTERFEIT WEB SITES) IN 2004
50+: ESTIMATED PERCENTAGE OF NORTH AMERICAN HOME COMPUTERS INFECTED BY MALICIOUS SOFTWARE
2,000: NUMBER OF NEW PIECES OF MALICIOUS SOFTWARE WORLDWIDE EACH MONTH IN 2005
1 HOUR: ESTIMATED PERIOD WITHIN WHICH AN UNPROTECTED COMPUTER ON-LINE WILL BE PROBED BY MALICIOUS SOFTWARE
SOURCES: FBI, MCAFEE INC. AND GARTNER INC.