Hackers attack large and small companies in every industry seeking secrets, notoriety, profits or revenge. This article explores how hacking began, how it has evolved over the years, and what we can expect in the future. The article also examines what organisations and individuals can do to protect themselves against hacking.
This article is part of the PLC multi-jurisdictional guide to corporate crime, fraud and investigations law. For a full list of jurisdictional Q&As visit www.practicallaw.com/corporatecrime-mjg.
Headlines announce almost every day that another company has been hacked. Hackers attack large and small companies in every industry seeking secrets, notoriety, profits or revenge. Hackers today are a diverse and widespread group who threaten different types of companies for different reasons. In the midst of the constant drumbeat of new attacks, it is worth pausing for a minute to address two important issues:
First, how did we get here? How has hacking evolved over the years, and what can we expect to see in the future?
Second, is there any hope? What can organisations and individuals do to protect themselves?
Hacking began in the early days of computers, before iPads, the internet, and even PCs. The first hackers infiltrated mainframe computers then used only by governments and very large companies. These early hackers saw hacking as a game. As a result, these early hacks generally just planted a flag: the hacker infiltrated a computer system merely to let someone else know that it could be done. For the most part, these early hackers were not really seeking to profit from hacking; they were seeking notoriety and a thrill. This type of hacker was popularised in the 1983 movie War Games, starring a young Matthew Broderick as a teenage hacker who breaks into the Pentagon's computer system and accidentally almost starts WWIII by playing what he believed to be a computer game. Though the results of the hacking are almost catastrophic, Broderick's hacker is not portrayed as a villain.
In real life, these early hackers had similar romantic notions about themselves. However, the authorities did not share this view. Kevin Mitnick, possibly the most famous hacker from this period, was arrested in 1995 and released from jail in 2002. He now markets himself as a computer security specialist and white hat hacker (that is, he is paid by corporations to test how robust their security networks are by attempting to hack into them). He has given several interviews about his early years as a hacker, including a 2009 interview to Elinor Mills published at CNET News. Mitnick, who, among other things, hacked into Motorola's computer systems to obtain the source code for its MicroTac cell phone (the iPhone of its day), described the goal of that hacking as obtaining "a trophy". Mitnick claims that he did not seek to sell the stolen source code or to profit from it. In Mitnick's words, "I was so hooked into the adventure of the hacking game, doing it for a number of years even though it became illegal. It was thrilling, adventurous. It was all about solving the puzzle, using intellect to get around obstacles. It was like a huge game."
Not long after Mitnick went to jail, hackers as a group seemed to have discovered that this "game" could be profitable, and not merely by becoming security consultants after being caught. Hackers realised that their activities gave them access to very valuable infrastructure and data that they could use or sell for profit. One of the first groups of people to exploit this realisation was a group that promoted what may be the least popular spinoff of the computer era, that is, spam.
The first spam e-mail is thought to have been a message advertising the availability of a new model of computer sent to 393 recipients on the Arpanet (a precursor to the internet) by Gary Thuerk in 1978. The reaction from the Arpanet community was uniformly negative, that is, the mass e-mail advertisement was seen as a gross violation of the budding computer community norms. Sadly, though everyone claimed to hate it, the advertisement purportedly worked as several of the recipients bought the new computer.
Once e-mail and the internet became widespread, spamming became ubiquitous. E-mail providers quickly found themselves in an ongoing war with spammers. However, as soon as the major e-mail providers identified a computer system as a source of spam, they would refuse to accept any messages from those computers, leaving spammers on the search for new machines. What they found was that every major corporation had an e-mail system capable of sending out large numbers of e-mails, apparently just waiting for spammers to use. Best of all, these systems were not only "clean" but were also essentially free as long as you knew how to hack them. This caused spammers to become (or hire) hackers. Corporate e-mail systems were targeted not for their data but rather so that spammers could use the infrastructure itself.
Of course, none of these exploits lasted long. Corporate IT teams noticed the vast jumps in the amount of outgoing e-mails. Corporations then went through the expensive and difficult process of shutting out the spammers and upgrading their security systems. The spammers themselves simply moved on to another corporate server and kept sending out spam. This cycle ended only when the e-mail providers found more targeted ways to filter spam, reducing the benefit to spammers of taking over a corporate e-mail system.
Unlike the earliest hackers, neither Hollywood nor anyone else seems to have viewed the spam hackers as rogue heroes. Spam was disliked from the moment it was invented. The fact that it came with destructive hacking made it even worse.
Eventually, hackers came to realise that corporate IT computing power was not the best prize that could be obtained from hacking. In fact, a corporation's data is often worth far more than the infrastructure on which it sits. Broadly speaking, corporations hold two kinds of data that are monetisable by hackers:
Data that can be directly exploited to obtain money, such as:
bank account numbers;
credit card numbers;
logins and passwords for financial websites; or
social security numbers.
Intellectual property (IP) and corporate secrets. This is information that can be used by or sold to competitors, bidders or investors/market participants for vast sums of money.
Many businesses maintain financial data on their employees, customers, suppliers, agents, and business partners. This data typically includes the details of individuals':
Bank account numbers.
Credit card numbers.
Social security numbers.
Often, financial data is maintained in large databases, which, if compromised, allow hackers sudden access to potentially millions of individuals' data. This type of financial data, collectively often referred to as Personally Identifying Information (PII), is an ideal target for hackers. Because banks maintain fraud detection techniques that shut down compromised credit cards after only a small number of fraudulent transactions, and because large transactions are likely to attract immediate attention, any one person's credit card or bank account information is likely to net a wrongdoer only a few thousand dollars. However, if criminals have access to thousands or millions of cards, those relatively small amounts can turn into very significant frauds.
Criminal networks have essentially institutionalised the process of gathering, trading, and fraudulently using credit cards. Indeed, by the early 2000s criminals had created e-auction sites to facilitate trade in stolen credit card, bank account and social security numbers. The most infamous of the first generation of these websites was known as shadowcrew.com (Shadowcrew). Members (who were only admitted through an invitation from existing members) could buy or sell stolen PII in a capitalist marketplace. Participants ranged from individuals who would use stolen bank account information to withdraw money from automatic bank machines to criminal rings that used credit cards to purchase goods for fraudulent resale. In one typical and ingenious scam, a fraudster would offer for sale on eBay high end cameras or computers that he did not own. The fraudster would sell these to the highest bidder, an innocent third party who was unaware that he was purchasing (soon to be) stolen goods. Then, posing as the owner of a stolen credit card, the fraudster would use that card to purchase the item from a legitimate seller and ship it as a "gift" to the innocent buyer. By the time everyone involved discovered that a stolen credit card had been used, it was almost impossible to find the criminal. The fraudulently purchased goods ended up in the hands of an innocent purchaser who only knew the criminal by his long since abandoned eBay screen name.
For a while, Shadowcrew and its spinoff frauds seemed like perfect crimes. The hackers were notoriously difficult to track and catch. Shadowcrew itself was hard to penetrate (since it was members only) and difficult for law enforcement to attack. Unlike previous forms of organised crime, Shadowcrew members did not actually know each other as they communicated only over the internet using aliases. The frauds that spun out of Shadowcrew were similarly hard to prosecute as the internet made it possible to use credit cards remotely without creating a clear trail that led back to the fraudster.
Eventually, law enforcement did figure out how to take down Shadowcrew. In 2003, a man named Albert Gonzalez was arrested in New York using reprogrammed credit cards to withdraw money from an automatic teller machine (ATM). After a series of interviews, he agreed to co-operate with the authorities and revealed himself as a rising star amongst the Shadowcrew network. Gonzalez spent years working for, and being paid by, the US government while it methodically built a case against Shadowcrew, tracked many of its most important members, and ultimately brought indictments that effectively put Shadowcrew out of business.
However, the Shadowcrew arrests did not bring an end to internet-based PII hacking and fraud. Gonzalez himself may have been the first to realise that the demise of Shadowcrew actually created a market opportunity. While he was still working for the US government helping take down Shadowcrew, Gonzalez was busy building his own alternative to Shadowcrew. He personally diversified away from merely buying stolen PII into obtaining it as well. Over the course of several years, Gonzalez and a team of hackers committed a series of massive PII breaches, stealing literally millions of credit cards from several major retailers and others. Gonzalez was eventually caught, and ultimately received a twenty-year prison sentence.
PII hacking and fraud continues to grow. For companies, a PII breach is incredibly expensive and embarrassing. Most US states now require companies that are subject to PII breaches to individually notify the affected individuals (see www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx). This means that companies are forced to thoroughly investigate allegations of data breaches so that they can figure out if they have a notification obligation and, if so, who exactly they are supposed to notify. In addition, companies must make public the fact of these breaches, and typically end up paying for credit monitoring and other services for the affected customers. This is an extremely expensive process that can easily cost millions of dollars in fees to technical consultants, lawyers, and credit monitoring services in the aftermath of a breach. The European Union (EU) is contemplating a similar directive.
Hackers can also profit from a company's data by stealing the company's IP or its business secrets. For many companies, this can be the most insidious form of hacking. Though a PII hack can be expensive and embarrassing for its victims, it rarely affects the core of what a company does. By contrast, IP is a company's crown jewels, that is, its secret formulas, bidding plans or strategy. Theft of this data can be devastating. Worse, hackers that steal core IP may never make their presence known, and may use the data in a way that does not alert the victimised company that the theft occurred. Companies can therefore be the victims of large and ongoing compromises and not even know that their security has been breached.
IP hacking is not limited to hi-tech companies or defence contractors with very valuable secret plans. In recent years, many smaller companies have found themselves targets of this kind of theft. For example, a recent case concerned a company with fewer than 100 employees that was involved in selling a substantial asset through a competitive bid. One of the offshore bidders hired hackers to break into the company's network so that the bidder could read internal company e-mails about the bidding process in order to improve their chances of winning the auction at the lowest price. Until the hacking was discovered, the company had never seriously considered the possibility that a bidder would act in such an unethical and illegal way.
Unlike PII hacking, core IP hacking requires expertise not only in IT penetration, but also in the nature of the business. Hackers need to know both how to locate the key IP, and who would be interested in obtaining it. Although some secret new IP might be incredibly valuable, most people would not know what it was when they read it, nor have any idea how to sell it to someone who did. On the surface, one might expect that this would make such hacking relatively rare, which might be true for shady external hackers (that is, the people one associates with the word "hacker"). However, those inside the company have both the detailed information about the company necessary to locate the valuable information and the means to turn it into profits if they so choose. So much attention is paid to hacking by outsiders that it is easy to forget that the majority of hacking and data theft is committed by insiders such as current or former employees, agents or partners, who typically have the means and often the motive to steal from organisations.
A relatively recent hacking threat is the rise of groups like Anonymous and Lulzsec, which are loosely organised groups of hackers whose goal is to make a political statement, rather than to obtain data for profit. These groups have attacked political targets, such as governments and contractors closely associated with governments. However, they have also attacked purely commercial organisations when they contend that those organisations have violated some real or perceived right. These groups have attacked the following, among others:
Major music and motion picture distributors.
Payment websites.
Security companies.
Banks.
Consumer products companies.
Hacktivists' goals are typically to disrupt or embarrass their targets. They therefore tend to publicise, rather than directly exploit for profit, any compromised data, including:
Personal e-mails of senior executives.
PII information.
Financial results.
Instead of directly hacking a company, hacktivists have also been known to organise Distributed Denial of Service (DDoS) attacks on websites, a type of attack that does not actually penetrate an organisation's firewalls, but effectively shuts down a website by overwhelming it with spurious data requests.
Hacktivists' targets are diverse and their grievances often seem very idiosyncratic to those outside the hacktivist community. This makes it difficult for organisations to know whether they might be the next target. However, hacktivists organise publicly on the web, typically announcing future targets of attack in advance, so companies usually get at least some warning. Prosecutors are also enjoying increased success prosecuting hacktivists, as the recent indictments against many alleged Lulzsec members demonstrate.
Other forms of hacking that may impact on companies include government sponsored cyberspying (attempts to hack into the computers of rival governments and militaries) and cyberwarfare (using computer hacking and computer viruses to destroy data or equipment).
Government-sponsored hacking has been linked to attacks on e-mail providers (presumably to obtain communications of foreign government officials and dissidents), as well as security companies and defence contractors. In addition, foreign governments have been suspected of involvement in IP theft from a wide range of companies, presumably in an effort to compete in areas of strategic interest, such as mineral and energy extraction and high technology.
In addition to cyberspying, governments have been implicated in instances of cyberwarfare. The most publicised of these incidents was the Stuxnet virus, which has been described as the most sophisticated computer virus ever created. It appears to have been created by one or more governments seeking to disrupt Iran's efforts to produce enriched uranium for use in nuclear weapons. The virus infected Iranian centrifuge machines. It reprogrammed the centrifuges so that they would spin out of control, thereby destroying them, while at the same time their detection systems incorrectly reported that the machines were functioning normally. The effort is said to have caused widespread damage to the Iranian centrifuge programme, and is thought to have significantly slowed the Iranian acquisition of a nuclear bomb.
Though most companies are unlikely to be the targets of the kind of cyberwarfare typified by the Stuxnet virus, its existence still stands as a warning. Centrifuges are not the only possible targets of cyberwar, and not all governments or other political actors will confine their cyberwarfare to military targets. Many fear that the day of a cyber-Pearl Harbour is not far off, with governments or terrorist organisations potentially wreaking havoc by taking control of critical infrastructure systems such as financial systems, electricity distribution, water treatment, or even traffic control. As virtually all companies have computer links to some of these critical infrastructure systems, each represents a potential attack vector for a devastating attack.
Hacking will continue to evolve in the years ahead as hackers discover new and different ways to profit from their trade. Companies must be aware of these evolving risks and work proactively to lower their risk profile.
In the evolving and ever more dangerous world of hacking, what can companies do to protect themselves? As with all security issues, it is worth remembering that there is no perfect security, but it is possible to lower your risk profile.
The following ten steps can reduce the risk of an attack and mitigate the impact of any successful compromise:
Senior executives must prioritise IT security. All companies must view cyber-security as an issue for senior management attention. Unless senior management believes that preventive security measures are crucial (and budgeted for), necessary security measures will not be implemented. Companies must designate a Chief Security Officer to ensure that someone in senior management understands that the security strategy is part of their core responsibilities.
Understand data. Data cannot be effectively protected if you don't know what or where it is. IT architecture evolves over time in most companies, with incomplete data migration leaving different types of servers and archives in multiple locations, both on and off-site. Stockpiles of potentially sensitive data can be lost or forgotten. Companies should review what data they have stored and determine if any of it can be destroyed. Simply put, hackers cannot obtain data that no longer exists.
Segregate and limit access to sensitive data. In most companies, many more people have access to sensitive data than actually need that access. Data should be segregated and permissions set so that sensitive data is available on a need-to-know basis. This reduces the risk that rogue employees steal the data, and makes an external hacker's job harder. A successful hack of a computer account that does not itself have access to sensitive data will not provide a gateway to the sensitive data.
Encrypt data. Encryption essentially scrambles data so that it is unreadable by anyone without a special key, making it much harder for even a successful hacking to obtain the underlying data. Encryption also prevents lost data, such as a laptop left on a train, from falling into the wrong hands. For this reason, most disclosure laws exempt from their notification requirement breaches of data if that data is encrypted.
Prepare an incident response plan (IRP) and team. Part of any security system is creating an IRP to mitigate any damage after a breach occurs. If the roles and responsibilities of the team responding to an incident are unclear in advance, opportunities to mitigate the attack will be lost during the time it takes to organise the team. The incident response team should include pre-selected outside law firms and computer forensic consultants to ensure that the response to a compromise is rapid and state of the art.
Train employees on preventing and responding to a hacking. The first line of any IT security system is the individual users. Users need to know the best practices to avoid inadvertently assisting a breach (by, for example, clicking on documents in suspicious e-mails and thereby infecting their computers with a virus). Employees also need to know how to report a suspected breach, so that the incident response team can spring into action. A surprisingly large number of breaches are exacerbated because employees do not know how to report an incident.
Require the use of strong passwords. Most people use very weak passwords. People often use as passwords things like "password", "123456", or common names or words that appear in a dictionary. These kinds of passwords can be easily broken by hackers using a dictionary attack (trying, in order, the candidates that are most likely to succeed, such as common passwords and dictionary words, rather than every possible string). Use of strong passwords dramatically reduces the risk of this type of attack. The strength of a password is determined primarily by its length and complexity.
Integrate electronic and physical security. Many companies have, in the past, tended to think of physical security and IT security as separate projects. However, physical security measures and IT security measures must be integrated. State-of-the-art encryption is useless if employees place sensitive documents in recycle bins that are discarded before shredding. Similarly, the world's strongest physical security measures are instantly undone by a lost laptop containing unencrypted data.
Examine business partners' and vendors' security protocols. Every company shares its sensitive data with other entities such as law firms, consultants, and business partners. It is critical that these outsiders treat your data with the same level of security that you employ. After all, if their systems are breached, it is your data that will be compromised.
Test and revise the IRP frequently. Computer networks and cyber risks are constantly evolving. Therefore, a security plan must be kept current or it will quickly become ineffective. Companies must conduct periodic audits to identify and secure weaknesses, and constantly remind and re-educate their employees and executives about the evolving threats.
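The dictionary-attack and length-and-complexity points in the strong-password step above, as an added example that is not part of the original article: a password-policy check that rejects the common passwords and dictionary words a dictionary attack tries first (including ones hidden behind digit suffixes or letter-for-symbol substitutions) and estimates brute-force strength from length and character set. The word lists, the 12-character minimum and the 60-bit threshold are constructed assumptions; a real deployment would load a full dictionary and a breached-password corpus.

```python
import math
import re

# Constructed sample lists (assumption): stand-ins for the common-password and
# dictionary files a real policy check would load.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
DICTIONARY_WORDS = {"summer", "london", "dragon", "monkey", "football", "michael"}

# Letter-for-symbol substitutions that dictionary-attack rules also undo.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Assumed policy thresholds.
MIN_LENGTH = 12
MIN_BITS = 60.0


def normalise(password: str) -> str:
    """Reduce a password to the word it is built on: lowercase, strip leading and
    trailing digits/symbols, undo leet substitutions, strip again."""
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    base = base.translate(LEET_MAP)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", base)


def charset_size(password: str) -> int:
    """Size of the smallest character class set that covers the password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII symbols, including space
    return size


def entropy_bits(password: str) -> float:
    """Brute-force strength estimate: log2(charset ** length). This is an upper
    bound; a dictionary word scores well here yet falls to a dictionary attack,
    which is why assess_password checks the word lists first."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def assess_password(password: str) -> dict:
    """Return the policy verdict and the reasons for any rejection."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    core = normalise(password)
    if core in COMMON_PASSWORDS or core in DICTIONARY_WORDS:
        reasons.append("dictionary word after normalisation")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    bits = entropy_bits(password)
    if bits < MIN_BITS:
        reasons.append(f"estimated {bits:.0f} bits below {MIN_BITS:.0f}")
    return {"entropy_bits": round(bits, 1), "acceptable": not reasons,
            "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample inputs: two from the article, two disguised words, one passphrase.
    for candidate in ["password", "123456", "P@ssw0rd1!", "Dragon123",
                      "correct horse battery staple"]:
        print(candidate, assess_password(candidate))
```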
T +44 20 7448 0480
F +44 20 7448 0451
E sberman@strozfriedberg.com
W www.strozfriedberg.com
Qualified: Massachusetts, US; New York, US, 1996