Part 1: Here’s Why Criminals Choose Screens Over AK-47s

Cybersecurity is one of the most over-used terms in security circles. And for good reason. Not only are cyber attacks becoming increasingly prolific, but the nature of these attacks is malicious enough to worry even the most tech-savvy expert. Gone are the days of harmless cyber attacks perpetrated by delinquents and pranksters looking to vent their angst. Instead large scale multi-billion dollar breaches flawlessly executed by well-organized crime syndicates and terrorists have become the norm.

While most organizations are aware that the cyber landscape is evolving, they’re unsure about how to adapt. The reality, and what more and more experts are starting to realize, is that technology only goes so far in the fight against cyber attacks. After all, the main reason we’re losing this cyber war has nothing to do with a lack of cutting-edge cybersecurity technology and everything to do with our hackneyed thinking. It’s time to re-think everything we know about this new breed of black hat hackers. They may be the new kids on the cyber block, but this is their turf and they’ll continue to rule until we show them who’s boss. And that starts by understanding what makes these hackers tick.

In many senses we’re fighting a losing battle. The Internet makes it easy for hackers to commit crimes and other acts of cyber war. In fact, using digital tools hackers can launch large scale attacks which are capable of causing irreparable damage for a fraction of the cost of a real world attack. Case in point is Stuxnet, which has been dubbed the world’s first digital weapon. This was a malicious virus developed to compromise Iran’s nuclear facility. What’s terrifying about this malicious software is that once it is released, anyone code reuse it. Just imagine what terrorists and other criminals intent on causing harm could do armed with a cyber weapon like Stuxnet. It makes you wonder how the average organization would even begin defending itself against a sophisticated cyber weapon.

In this three-part series we’ll explore why we’re losing this battle. This post will explore the issue from the perspective of black hat hackers. Next week we’ll follow up by considering how this threat landscape is evolving from a white hat hacker’s point of view.

Where the grass is greener

From attacks on governments to good old-fashioned robbery, the grass really is greener online. And a quick look at the nature of cyber attacks clearly shows this. In 2014 alone the U.S. government is believed to have fended off 61,000 attempted data breaches. Most recently, sensitive information, including social security numbers and phone numbers, about 21.5 million U.S. citizens was leaked. The cyber attack also exposed the fingerprints of 1.1 million Americans. But it’s not just government departments that are under attack. More and more businesses are falling victim to costly cyber attacks. It’s estimated that data breaches cost businesses between $400 to $500 million yearly, not including larger scale attacks which tend to go unreported. Furthermore, research by Gartner indicates that $101 billion will be spent on cybersecurity in 2018, this up from $79.9 billion in 2015.

Undoubtedly cybercrime and warfare thrive online. But the question remains: why are criminals and terrorists choosing their screens over AK-47s? While it may be hard to believe, an attack carried out online is both cheaper and more effective than anything even the most well-trained armed gang could pull off. For many black hat hackers, the ability to automate attacks makes them very cost effective. This enables hackers to execute many large scale attacks in no time. But the appeal of cyber attacks extends beyond their cost effectiveness and efficacy. Thanks to the Internet hackers can launch attacks remotely without ever needing to target or engage with a victim physically. There’s also very little chance they’ll get caught at the crime scene. You could call it the perfect crime.

There’s also a lot to be said for the weapons cyber criminals use. These are far easier to come by than guns and are much cheaper to purchase and develop. What’s also frightening is that a hacker doesn’t necessarily need to pay for malicious software. A lot of attack toolkits are freely available on the darknet for anyone to download and use. But for hackers who are willing to pay, the darknet is a treasure trove of maliciousness just waiting to be unleashed. For example, there’s a new darknet marketplace, TheRealDeal Market, which sells zero-day exploits including a hack for Apple iCloud accounts for $17,000 in bitcoin as well as an attack toolkit for Windows XP, Windows Vista and Windows 7, which sells for about $8,000 in bitcoin.

Welcome to the Wild West

While it may seem rather cynical, one has to acknowledge that there’s something innovative about a black hat hacker’s approach to crime. Most hackers use a range of attack vectors and rely on the weakness of digital identities to ensure their anonymity. This makes a skilled hacker almost impossible to catch, and undermines attribution and deterrence. After all the most basic tenet of most modern security strategies is deterrence, but how do you enable retribution and deterrence against a threat actor which cannot be identified? Organizations are sitting ducks in this battle against these marauding cyber bandits.

Not only are cyber criminals difficult to detect, but there aren’t any international laws regulating cyber crime. Left unchecked these underground cybercrime networks quickly thrive, becoming dangerous enough to wreak unimaginable damage. This is the new Wild West, and our only hope is to put an end to the lawlessness.

The U.S. Senate has started working on a cybersecurity bill which would make it easier for organizations to share information about cyber attacks with government and other organizations without risking a lawsuit. The Cybersecurity Information Sharing Act, as the bill is known, is highly controversial with many companies including Twitter, Yelp, Reddit and Wikipedia speaking out against it. Many view it as a privacy killing bill which would do more harm than good. Interestingly, South Africa is also looking to pass cybersecurity legislation, the Cybercrimes and Cybersecurity Bill, which would be used to regulate cyber crimes. Regardless of whether or not these bills pass, they’re an indicator that finally governments are waking up to the need to regulate cyber attacks.

Another initiative which aims to make order out of some of this online chaos is the Cybersecurity Information Sharing Partnership (CiSP) established by CERT-UK. The idea behind this is to reduce the impact of cyber threats by encouraging organizations to share information about attacks and data breaches in real-time. The hope is that this will reduce the risk of a cyber attack by providing organizations with the intelligence they need to defend themselves. 

Inside the cyber Kingpin’s lair

The best way to understand what we’re up against is by considering what motivates a black hat hacker. And there’s no one better than the notorious Kevin Poulsen to shine a light on why we’re losing this battle. Poulsen started out as a black hat hacker, and is most well-known for hacking the Los Angeles radio station KIIS-FM in the early 90s. As as result, he was able to ensure he would be the 102nd caller and the winner of a Porsche. He soon became known as the “The Hannibal Lecter of computer crime” and was even able to hack into the US Department of Defense’s Arpanet. In 1991 Poulsen was arrested and sentenced to 5 years in prison, and was banned from using the Internet for a further three years following his release. He is now an editor at Wired and the author of a book on the cybercrime underworld called Kingpin.

In a recent interview, Poulsen touched on what makes black hat hacking so appealing. He explained that for a talented hacker, particularly in Eastern European countries where these crimes tend not to be prosecuted, the temptation is sometimes too hard to resist. For a skilled hacker, this is the easiest way to make more money than they’ve ever dreamed of with very little risk, and many hackers get sucked in. In another interview about the newly released film Blackhat, Poulsen also pointed out how cybercrime is evolving. What we’re now witnessing are highly organized cybercrime networks with international ties. This makes it even harder to pinpoint who is behind the criminal activity as the hackers use several servers. For many hackers this adds to the appeal of black hat hacking.

Some may consider Poulsen’s views unorthodox. He recently downplayed the threat we’re facing by explaining that people tend to overreact to cyber attacks because they don’t really understand cybersecurity. While he did acknowledge that the Sony hack was detrimental, he added that most hacks (unless a nation state is behind it) aren’t that serious. The CENTCOM hack is a good example of this. Even though it was only CENTCOM’s Twitter feed that had been compromised, some people were convinced that sensitive military data had been leaked. The reality is that contrary to all the media buzz it would actually be almost impossible to hack the Northeast power grid or launch a nuclear weapon (according to Poulsen).

But perhaps instead of focusing on the appeal of hacking, we should find a better way to clamp down on this malicious activity. Poulsen is a firm believer that tougher laws and more stringent sentences won’t deter hackers. In fact he recently wrote a piece for Wired entitled “Why I Hope Congress Never Watches Blackhat”. In this article he makes the point that he’s concerned the U.S. government will use the film as a way to justify harsher sentences for hackers. He argues that this will only have severe consequences and won’t stop black hat hackers. Instead concerned governments must invest in cybersecurity research, and should pass laws which force companies to report data breaches. “Blindly boosting sentences for the few hackers who get caught will do nothing to help. And outlawing security tools just because they can be abused will only aid the real blackhats,” he said.

A view from the lion’s lair is telling, but does it give us the full picture? Does it really explain why black hat hackers continue to thrive even though billions of dollars are invested yearly in bolstering cybersecurity? In part two of this trilogy we’ll explore the issue from the point of view of those who work tirelessly to prevent data breaches. Enter the white hat hacker.