Cybercrime spree

It seems like every day there is a new story on cybercrime. Milena Popova looks at what is going on

Image: CC-AT-SA Flickr: sklathill

So, who hasn’t been hacked^[1][2] recently? Every other day I seem to wake up to news of yet another security breach. Most recently, it was the International Monetary Fund, supposedly hacked by a government. Affiliates of the FBI have not been immune either. To turn the tables a little, MI6 has been hacking Al Qaeda, with cupcake recipes. Anonymous has been threatening NATO.

The private sector, too, isn’t faring much better. Citi is having to issue new credit cards to 100,000 North American customers after its systems were broken into. Sony’s Playstation Network was brought down and data stolen earlier this year. (Anonymous: ”It wasn’t us!”) Even the small and harmless knitting-based social networking site (Yep, you read that right! Yours truly is a member) Ravelry had a file with encrypted passwords stolen.

The two stories I find most worrying though involve the security of basic networking infrastructure. The first is the hacking of RSA SecureID - a popular two-factor authentication system used mainly by companies, for instance for VPN login. SecureID tokens are associated to a particular user and generate a pseudo-random number using a seed and an algorithm. The same seed and algorithm reside on the server, so it “knows” what number to expect at any given point for this particular user.

It appears that when RSA’s systems were compromised back in March, both the algorithm and the seeds for a large number tokens were stolen, thus rendering those tokens useless for security purposes. Even more worryingly, it took RSA until June to admit the full extent of the breach and offer replacement tokens to its customers. It appears that it was only the hack of Lockheed Martin using the Secure ID vulnerability that prompted RSA to act.

The other infrastructure security related story dates back to January, when security researcher Thomas Roth announced he had hacked the WPA-PSK WiFi authentication protocol - using brute force and the Cloud. Using the processing power of the Amazon Cloud and a program which checks 400,000 passwords per second, Roth was able to hack a WPA-PSK protected network within six minutes. At 28 cents per minute of Cloud time, that’s a bargain. While not exactly making P = NP obsolete (yet?), the kind of processing power available on the Cloud poses some interesting problems for security.

In the movie 23, a fictionalised account of what was perhaps the first publicised incident of cyber crime and espionage, the main characters struggle to overcome the obstacle of insufficient processing power. In a particularly tragi-comic scene, they end up buying a PDP11 (instead of the more compact Micro PDP11) which is then left out to rust in the rain as they are unable to use it.

We have come a long way since the 1980s - the power of the Cloud is available to pretty much anyone with an internet connection and some spare change. We’ve already seen a botnet infiltrate Amazon’s Cloud. I suspect the next one is only a matter of time. Malicious hacking is here to stay, and we are going to have to develop a host of technological, user education, and legal measures to fight it.

 

[1] I am a big fan of reclaiming the word “hacker” to its original meaning (“A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.” - Jargon File/Hacker’s Dictionary) I much prefer referring to people who breach computer security maliciously as “crackers”. Having said that, it’s an uphill struggle and with this recent batch of news stories, “hacking” in the popular mind is definitely a malicious activity.

[2] About an hour after I finished writing this article, cia.gov was taken down.

 

Milena is an economics & politics graduate, an IT manager, and a campaigner for digital rights, electoral reform and women's rights. She tweets as @elmyra