So who would you like to hack today? A bank, a website, a corporation or perhaps a government agency that's rubbing you the wrong way? The hacktivist group LulzSec is taking requests. Or maybe you'd like to get your hands on some stolen credit-card accounts to boost your personal spending level or purchase some malware that will divert a business's payments from its vendors to you. A malware seller called Zeus not only can do that but also provides customer support. Hacking has become a service and entertainment business and in a quantity and at a quality never before reached.
Hacktivists, pranktivists, idealists and malware coders are oozing past the circa-2000 network-security gates of corporations and governments with ease. Among the biggest hacks was the one that brought down Sony's PlayStation Network. Some fingered the politically motivated group Anonymous, and authorities in Spain have arrested several purported members. But Anonymous has said, Not us.
When Sony announced that it had finally restored service, the gang of merry hacksters called LulzSec began to trample through its websites, including Sony Pictures. LulzSec, which makes a point of pointing out holes in Web security, used a hack called an SQL injection, then tweeted about it: "We accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?" It has since broken into gaming companies such as Bethesda Softworks and Minecraft. It used a hack called a distributed-denial-of-service attack to lock up the CIA's website; it accessed account information from Citibank.
LulzSec may be the headline hacker, but it's not the most malevolent. The black-hat, criminal side of the practice is booming by adopting a similar approach. Cyberthieves have shifted their focus to social networks. Instead of attacking corporate firewalls head-on, they are breaching corporate sites using social engineering, convincing someone within a company that an e-mail is from a friend or colleague. It's a technique called spear phishing: the idea is to identify vulnerable targets say, someone in human resources or finance and, through them, burrow into corporate networks. They are feasting on small and mediumsize businesses like wolves on lambs.
There is also a real cyberwar being waged by nations. Reports of cybersecurity incidents from federal agencies have increased 660% over the past five years, to 41,776 in 2010, according to the Government Accountability Office's information-security-issues director. The networks of the Department of Defense (DOD) are probed millions of times every day. More than 100 foreign intelligence agencies have attempted to penetrate DOD networks or those of military contractors attacks characterized as APTs, or advanced persistent threats. At least one got into the Pentagon via Lockheed Martin by cracking the RSA security token, the random-number-generating device that many companies use for secure access to computer networks.
To experts, this is just another sign that the older technology that protected IT is passé. "User-named passwords are breakable now. They weren't when they first started," says Bill Conner, CEO of Entrust, an IT-security firm. "Tokens have been around a long time. One lockmaker has now been breached. Even tokens aren't good against some of the new-age cybercrimes."
The New Threat Matrix
It adds up to an entirely different threat matrix bubbling up on the Web. The hacker community that once operated in its dark recesses has broken the surface, embracing social networks and exploiting them to expand in all directions, legal and otherwise. "What we are seeing is beyond a technical improvement," says Dave Jevans, chairman of the Web-security firm IronKey. "They have a social element to bring people together [via the network] to create more sophisticated attacks than we've ever seen. That's what makes it accelerate."
And it's not just Nigerian spammers and post-Soviet computer jocks anymore. In the past quarter, the IT-security company AVG traced hack attacks tied to about 700 command-and-control servers servers that take over computers infected by botnets used by various hackers around the world. "About 30% of the hackers were in the U.S.," says CEO J.R. Smith. "This is a shocking experience to see the data being stolen medical data, business data. The volume of data being stolen is constantly increasing." So is his business, since the thieves are also expanding into cell phones. Smith says his company blocks 10,000 malicious mobile-app downloads every day.