Read Fatal System Error Online

Authors: Joseph Menn

Tags: #Business & Economics, #General, #Computers, #Security, #Viruses & Malware, #Online Safety & Privacy, #Law, #Computer & Internet, #Social Science, #Criminology

Fatal System Error (32 page)

BOOK: Fatal System Error
IDefense concluded that “there is little doubt left as to his involvement in attacks to date.” Like other worldwide security firms, iDefense hesitated to finger the Chinese government. But Tan Dailin did not come across as a freelancer. In 2008 and 2009, a team that included Rafal Rohozinski and experts at the University of Toronto tracked stolen documents flowing out from Tibetan groups to Chinese command-and-control servers and then hacked into those machines and saw the other sites that had been compromised. The vast network, which the group dubbed GhostNet in a report, had infected 1,295 machines, 397 of which were “either significant to the relationship between China and Tibet, Taiwan or India, or were identified as computers at foreign embassies, diplomatic missions, government ministries or international organizations.”
DURING THE BUSH ADMINISTRATION, the White House response to the cyberwar threat was abysmal—far worse than its tepid reaction to the rising power of cybercriminal gangs. As far back as 2002, before the rise of the botnets, a broad and distinguished group was so concerned about cyberattacks on the country’s infrastructure that it asked Bush to invest an initial $500 million in a new Manhattan Project for Internet defense. Signatories to the letter included former directors of the CIA, NSA, and Defense Intelligence Agency. Organizer Sami Saydjari, himself a highly ranked veteran of the NSA and DARPA, the agency that gave birth to the Internet, politely described the reaction as “mixed,” although Congress did authorize hundreds of millions of dollars in research.
Cyber issues got such short shrift in the Department of Homeland Security that four successive heads of technology safety resigned in less than two years, starting with Howard Schmidt, who left in 2003. “I recall at a White House meeting, we had a section in our [national cybersecurity] plan related to end users, and how with the power of broadband, how they could be used as a potential weapon as part of botnets, such as with distributed denial-of-service attacks,” Schmidt said in 2009. “They had someone fighting against us, an economist, who said ‘I took a semester of computer science in college, and when we look at impact on vital infrastructure, they have nothing to do with it.’” Schmidt said plans such as giving Internet service providers more power to cut off malicious machines and block access to bad sites were dismissed. “The actions that could have been taken were not. Which is why we’re sitting here almost six years down the road trying to figure it all out.”
The Homeland Security Department routinely issued calls for the private sector to do more, observing that most of the Internet infrastructure is in private hands. Officials published countless strategy documents stressing the need for public-private cooperation. Yet the private sector had long before grasped the enormity of the problem, put aside its traditional libertarian posture, and called for increased regulation. In February 2005, a group of chief information officers from both hardware and software companies traveled to the White House together for the first time. Executives from Microsoft, Dell, IBM, Hewlett-Packard, and security giant Symantec, among others, carried a three-item wish list. No. 1 was the creation of a government commission on organized cybercrime. They didn’t get it. Cybercrime had risen to the level where it constituted a threat to national security by mid-2007, according to Congress’s Government Accountability Office.
The Homeland Security Department was itself compromised electronically or infected with viruses hundreds of times. Hackers even read the Secretary of Defense’s unclassified email. The State Department was so riddled with intrusions that it had to cut off all Internet access for a time. While CIA officials said that a cyberwar had been going on for years, top Bush appointees didn’t focus on the issue until 2006, when Director of National Intelligence Mike McConnell told Bush that if the 9/11 hijackers had instead carried out a successful cyber assault on a U.S. bank, the damage to the economy would have been ten times worse. In January 2008, Bush finally issued a classified directive in response that called for the National Security Agency to keep an eye on U.S. government networks and for investments in the billions of dollars to that end.
The disconnect was still on show at the Black Hat computer security convention in Las Vegas in July 2008. One evening, members of an all-star commission convened by the Center for Strategic and International Studies to make recommendations for the next president said that cybersecurity should be a high priority—but acknowledged that it probably wouldn’t be. “How many of you think that IP is broken?” one panelist asked those assembled, referring to the Internet protocol that provides the fundamental functioning of the Internet. Almost everyone in the audience raised their hands. “Nothing is happening,” said commission member Jerry Dixon, a former director of the National Cyber Security Division at Homeland Security who joined Team Cymru. The CSIS panel was chaired by the two leaders of the U.S. House committee on cybersecurity, a retired Air Force general, and the head of Microsoft’s Trustworthy Computing effort. When it issued its report in the fall of 2008, the group called for a White House-led strategy that would use diplomatic, intelligence, military, and economic policy to protect U.S. cyber infrastructure “using all elements of national power.” Hearings and briefings that informed the report “made it clear we are in a long-term struggle with criminals, foreign intelligence agencies, militaries, and others ... and this struggle does more real damage every day to the economic health and national security of the United States than any other threat,” the panel wrote, putting cybersecurity on “a strategic issue on par with weapons of mass destruction and global jihad.”
SHORTLY AFTER BARACK OBAMA took office as president, he asked cybersecurity industry veteran Melissa Hathaway to conduct a complete sixty-day review of the country’s policies. When the White House released the report in late May 2009, it echoed the findings of the CSIS study. “The architecture of the nation’s digital infrastructure, based largely upon the Internet, is not secure or resilient,” Hathaway wrote. “Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations.”
On the same day, Obama gave the first presidential speech in history devoted to cybersecurity. He pledged to invest more in research and public education and to appoint a White House czar, though not one that would report directly to him, as Obama had promised during his campaign. “Our defense and military networks are under constant attack,” Obama said. Beginning immediately, “the networks and computers we depend on every day will be treated as they should be: as a strategic national asset.”
For weeks after the speech, private and government experts felt surprised gratitude that the leader of the free world, beset as he was with economic and military problems, would begin to tackle the cybercrime crisis. They expected Obama to name the czar, now officially called a coordinator, within two weeks. But the position as advertised would have reported to both the National Economic Council and the National Security Council, and it would have wielded an uncertain authority and budget. The top Microsoft security official from the CSIS panel and the former head of Symantec both declined overtures to serve. As five months passed without a nomination to the Senate, and even Hathaway resigned from her caretaker role, the sense of hopelessness returned.
12
FIXING WHAT’S FIXABLE
BARRETT LYON DID AS MUCH AS anyone in the private sector could do to fight denial-of-service attacks, the leading edge of a tsunami of organized cybercrime. Yet by 2009, every new day brought more than 1,000 DDoS attacks—not just against companies, but against governments and activists as well. It was so easy to orchestrate a DDoS that a Canadian teenager who disliked tech commentator Kevin Rose took aim and wiped out Rose’s Digg.com, one of the most popular news sites in the world. Unfortunately for the teen, Digg CEO Jay Adelson previously founded Web hosting giant Equinix and was a good friend of Barrett’s. In exchange for a pizza, Barrett got Digg back up in five minutes. Within days, Barrett had the teen’s nickname, while his mysterious allies at Team Cymru used their undisclosed methods to produce a log of the assailant boasting of the attack on an IRC channel. For those less connected, however, things were very much worse than before Barrett started.
Andy Crocker did the most that an individual in government could do to punish some of the worst of the cyber mafia. At a minimum, Andy’s shoe-leather investigation and the prosecutions he championed set a new standard for cooperation on criminal cases between the West and Russia, home to some of the most heinous crooks anywhere. Yet because of internal bureaucratic shifts and deteriorating relations with Moscow, the U.K. abandoned the claim that Andy staked. It had no one in Russia or Kazakhstan working with the honest members of the MVD to pursue Brain, Milsan, and others high up in the criminal hierarchy. Andy saw that he couldn’t accomplish much more in what was now a matter of geopolitics, albeit one unrecognized as such by Western government. He followed Barrett’s lead and walked away, retiring from public service in 2009.
Three things would help mitigate the enormous overall problem: catching the bad guys, who are growing more numerous; disabling the tools they use, which are growing more powerful; and separating them from their chief prey—governments, consumers, and businesses trusting the Internet with more sensitive information while using less effective protection software. There is cause for hope in each of those areas and good ideas about what more could be done.
Without much help from abroad, it’s still possible to nab the occasional kingpin—even when they aren’t on vacation. With an impressive effort, a group including the Secret Service, the Manhattan district attorney’s office, and the New York Police Department showed they could lure prey all the way to the U.S. The target was Igor Klopov of Moscow, who law enforcement sources said pioneered selling counterfeit credit cards along with the ability to change the billing address assigned to those cards. Perfecting a system for address changes was a key innovation, because it meant that the victims would never see the bills that would give away bogus purchases. Klopov sold his card numbers on Shadowcrew and CarderPlanet, then Mazafaka, for much more than card numbers tethered to real addresses.
Klopov might have remained safe in the Russian shadows, but greed took hold of him. Only twenty-four, he came up with another innovation: targeting home-equity lines of credit. He picked out victims from sources including the Forbes 400 list of the richest Americans, then narrowed his focus to those in states with extensive online information about properties and deeds. With that data, he could click on “I forgot my password” at financial sites and often answer the challenge questions to “prove” he was the target. Klopov recruited assistants through Monster.com and CareerBuilder.com, giving them all fake identity documents and arranging their travel to five-star hotels. He gave the accomplices dossiers on the targets, then dispatched them to banks and brokerages to arrange money transfers. Klopov and his crew took in $1.5 million. But they aimed too high when they went after Texas investor Charles Wyly Jr.
Posing as Wyly, Klopov asked that a checkbook for his home-equity account be sent to a new address. An accomplice then used one of the checks to arrange to buy $7 million in gold from a Westchester, New York, bullion dealer. But the dealer called the bank, J.P. Morgan, which contacted Wyly, who said he didn’t send the check. The bank notified authorities, who had begun tracking Klopov after an earlier suspicious transaction. An ex-homicide detective then assumed the online identity of an arrested Klopov ally, said the gold deal had been pulled off, and even sent a picture of himself posing with the bars. That persuaded Klopov to travel as close as the Dominican Republic for a rendezvous. The undercover cop got Klopov to join him on a private plane to sneak into the U.S. and collect the loot, and he was arrested soon after arrival.