OMG, Click here to get scammed! George Grachis.

Author: George Grachis
Publisher: Ingram
Genre: Non-fiction
ISBN: 9781607469292
computer worm.

      2006 UCLA data compromise; over 800,000 student and staff records taken.

      2007 The Apple iPhone jailbreaking method is introduced to the public on July 10. This allows hackers to modify the phone and its security settings. It also allows unsafe, non-Apple-approved applications to be installed.

      2007 March 30th, hackers infiltrate TJ Maxx and steal over 45 million credit cards. Their wireless sales terminals were not using secure communications.

      2008 Conficker Worm infects millions of computers worldwide. (This was a real data-stealing worm!) See Bot Nets in Appendix A.

      2009 Microsoft releases Windows 7 October 22. This is the most secure Microsoft operating system to date.

      2009 China denies involvement in hacking the US power grid.

      2009 Blueprints of the President’s helicopter, Marine One, leaked via the LimeWire file-sharing network.

      2010 Apple introduces the iPhone 4 on June 24, 2010, the world’s most powerful smartphone with internet access, the new frontier of hacking.

      2010 Microsoft announces IE9, its most secure browser yet. It protects users from bad websites and their malicious content!

      Note that in the year 1998 the first innocent viruses begin to arrive. In 2001 the Code Red worm does $2 billion in damage by bringing down web sites, which is like turning off the power to any company. The attackers were not stealing data at this point; they were disrupting online business activity. Finally, notice that in 2008 a mass worm called Conficker hits. It can be programmed to steal any type of data; it can look for and take bank accounts, SSNs (Social Security Numbers), credit cards and more. (http://www.microsoft.com/security/worms/conficker.aspx)

      Conficker is a bot net. The term bot net comes from the word robot. A spammer or cyber criminal uses special software to automatically send out millions of emails via their bot net to lure users into taking the bait. Unsuspecting users click on web mail links, or they purchase the fake products on offer, and when they do, they unknowingly and unwillingly become part of the bot net. The cyber criminal’s goal is to have millions of computers under his control. Then, besides collecting the users’ data, bank logins, etc., he uses them to attack more users. Just how many emails can a spammer like this send out per day? Billions! But they often keep it much lower to try to avoid being detected. Cyber crooks even rent out the bot nets to other cyber criminals! That’s right, they take over millions of systems and use them to steal others’ data, intellectual property and credit cards, and then rent the hijacked systems out, including yours, so other bad guys can share the wealth!

      All this technological growth and innovation was happening but it was being placed onto an insecure internet. Technology was simply growing by leaps and bounds and no one seemed to notice the mess we were about to get into. The internet kept growing and we just kept moving more and more onto it. As usual, public demand for technology drove corporations to produce it and make more of it available. We did not stop to look at the risk, or the long term headaches we were about to cause. We operated in silos and thought we had things under control. And why not? The money kept pouring into PC makers and the software companies.

      Keep in mind that in the 1980s we were totally dependent on dial-up networks. High-speed cable or broadband, always-on internet was many years off. The 1980s are called “the war dialer era”. Despite ARPAnet, the majority of computers could only be accessed by discovering their individual dial-up phone lines. Thus, one of the most treasured prizes of the 1980s hacker was a list of phone numbers that tied to computers waiting to be discovered or hacked, as was the case.

      So what happens next? As I mentioned earlier, I lived and worked in a technology career during these critical years. I was a Shuttle launch control computer tech. Later I went into launch control engineering. It wasn’t until after 1992, when I was laid off from the Shuttle program due to the Challenger accident, that I started to see the battle against viruses really hit the corporate network. It was 1995 when I landed a job with the Space program once again. I was now a systems administrator deploying monthly antivirus updates. There were still no mass data-stealing viruses; they were mostly disruptive. They corrupted Microsoft Word templates.

      Notice I just mentioned monthly antivirus updates. Did you know we now have computers set for automatic updates? They update almost daily and sometimes hourly! That’s because the threat level has changed from those early nuisance viruses to the latest stealthy, password- and data-stealing viruses and worms. Let’s pause a minute to briefly discuss a computer virus and a worm.

      A Virus needs a host just like a real biological Virus. Where a Biological Virus attaches to a cell, a PC Virus attaches to a program or file. You open the program or file and Wham! It spreads.

      Worms are a subclass of virus but are very dangerous because they can travel without any human interaction. They automatically copy themselves and spread across networks. They might even use your email address book to decide where they are going, all without asking you.

      A Trojan horse masquerades as a legitimate piece of software. After installation you have a program that does things you did not expect. Trojans often add a back door to your system, through which a cyber criminal can view and control your system. This is how they steal data, your credit card and your identity. This is where we are today, from the 1980s to now.

      Worms and viruses gradually became more sophisticated. It went something like this: In the 1990s we continued to have basic intrusions and viruses. As we moved toward 1995 we still encountered viruses and malware, but it was mostly for recognition or fame. “Look at me! I’m famous! I wrote a virus that spread all over the world and it even made the evening news.” Still no one was using them for financial gain. It was not until the mid-2000s that everything changed. Suddenly mass malware was here and looking to take whatever it could for financial gain. No longer were people writing a virus or other piece of malware to get attention. It was quite the opposite. They used stealthy code that was designed to break in, steal data like a credit card or SSN and then exit very quietly.

      As I mentioned earlier, the 2006 UCLA compromise that took over 800,000 student and staff records went undetected for over a year. It was only by chance that someone in their IT department happened to notice that a lot of data was suddenly being pulled from their database out to the internet. An anomaly or a crime in progress? Why are so many records suddenly being pulled out to the internet? they had to ask. The FBI got involved and the last I heard was that an application had a flaw and a foreign country exploited it.

      We keep seeing this happen. In many cases it’s a poorly configured application or web server. You can’t just take a brick and mortar business worth millions of dollars, put it on the internet and, suddenly, have the world as your customers and no new problems. You might now have instant access to global customers, but you are also connected to all the bad guys in the world too. While your customer exposure went up, so did your risk of a data compromise. It’s just simple math; before the internet all businesses used snail mail and telephones. Now large corporations have everything potentially exposed to the entire planet, and it’s 24 x 7 exposure! That is, unless they are very careful about how they architect their networks and manage risk.

      They also need to be mindful about training all their users! I will say this over and over. I even made it our School District’s security motto: “Users need to know that no matter what physical and technological devices are in place…ultimately, it is user knowledge and action that will achieve the utmost security for the District.” I really believe this, and there is a lot of evidence to support it. I like to compare it to driving a car. You can place the best automotive technology on the road, including antilock brakes, SRS airbags and antiskid controls, which help a lot, but if the driver is ignorant about safety, under the influence of alcohol or drugs, or texting, then no technology will ever save them.

      1 Computerhistory.org
