barriers to entry, bitcoin, Brian Krebs, cashless society, defense in depth, Donald Trump, employer provided health coverage, mutually assured destruction, offshore financial centre, payday loans, pirate software, placebo effect, ransomware, Silicon Valley, Stuxnet, the payments system, transaction costs, web application
For my BizMgr Copyright © 2014 by Brian Krebs Cover and internal design © 2014 by Sourcebooks, Inc. Cover design by The Book Designers Sourcebooks and the colophon are registered trademarks of Sourcebooks, Inc. All rights reserved. No part of this book may be reproduced in any form or by any electronic or mechanical means including information storage and retrieval systems—except in the case of brief quotations embodied in critical articles or reviews—without permission in writing from its publisher, Sourcebooks, Inc.
—From a Declaration of Principles Jointly Adopted by a Committee of the American Bar Association and a Committee of Publishers and Associations All brand names and product names used in this book are trademarks, registered trademarks, or trade names of their respective holders. Sourcebooks, Inc., is not associated with any product or vendor in this book. Published by Sourcebooks, Inc. P.O. Box 4410, Naperville, Illinois 60567-4410 (630) 961-3900 Fax: (630) 961-2168 www.sourcebooks.com Library of Congress Cataloging-in-Publication Data Krebs, Brian. Spam nation : the inside story of organized cybercrime—from global epidemic to your front door / Brian Krebs. pages cm 1. Computer crimes—United States. 2. Internet fraud—United States. 3. Spam (Electronic mail) 4. Phishing. 5. Organized crime—United States. I. Title. HV6773.2.K74 2014 364.16’80973—dc23 2014023007 CONTENTS Chapter 1: Parasite Chapter 2: Bulletproof Chapter 3: The Pharma Wars Chapter 4: Meet the Buyers Chapter 5: Russian Roulette Chapter 6: Partner(ka)s in (Dis)Organized Crime Chapter 7: Meet the Spammers Chapter 8: Old Friends, Bitter Enemies Chapter 9: Meeting in Moscow Chapter 10: The Antis Chapter 11: Takedown Chapter 12: Endgame Epilogue: A Spam-Free World: How You Can Protect Yourself from Cybercrime Acknowledgments Sources About the Author WHO’S WHO IN THE CYBERWORLD PAVEL VRUBLEVSKY, a.k.a “RedEye”—Cofounder of ChronoPay, a high-risk card processor and payment service provider that was closely tied to the rogue antivirus industry.
Tellingly, directly after 3FN was taken down—but before washingtonpost.com ran the story on ChronoPay’s ties to the rogue antivirus industry—Crutop.nu’s homepage was changed to a lengthy screed about the FTC’s action against 3FN. This would be my first introduction to Vrublevsky’s epic rants. The message read, in part: And in conclusion we would like to add, that while paragraph 1 of our rules has never been taken seriously before and was written as a joke, but related to recent events we would like to know how it was possible that five (5!) reputable experts-agents (including NASA experts and Mr. Brian Krebs) from the USA (where every tenth person speaks Russian, source: Wikipedia), could not figure out that on Crutop.nu in the SPAM sub-forum, discussions have nothing to do with mail spam or other cybercrimes? The story on Vrublevsky and ChronoPay’s key role in 3FN finally ran more than four months after I turned it in. No lawsuit from him or ChronoPay followed. But the editors at the Washington Post said they were still deeply concerned about my focus on Internet bad guys.
23andMe, 3D printing, additive manufacturing, Affordable Care Act / Obamacare, Airbnb, airport security, Albert Einstein, algorithmic trading, artificial general intelligence, augmented reality, autonomous vehicles, Baxter: Rethink Robotics, Bill Joy: nanobots, bitcoin, Black Swan, blockchain, borderless world, Brian Krebs, business process, butterfly effect, call centre, Chelsea Manning, cloud computing, cognitive dissonance, computer vision, connected car, corporate governance, crowdsourcing, cryptocurrency, data acquisition, data is the new oil, Dean Kamen, disintermediation, don't be evil, double helix, Downton Abbey, Edward Snowden, Elon Musk, Erik Brynjolfsson, Filter Bubble, Firefox, Flash crash, future of work, game design, Google Chrome, Google Earth, Google Glasses, Gordon Gekko, high net worth, High speed trading, hive mind, Howard Rheingold, hypertext link, illegal immigration, impulse control, industrial robot, Internet of things, Jaron Lanier, Jeff Bezos, job automation, John Harrison: Longitude, Jony Ive, Julian Assange, Kevin Kelly, Khan Academy, Kickstarter, knowledge worker, Kuwabatake Sanjuro: assassination market, Law of Accelerating Returns, Lean Startup, license plate recognition, litecoin, M-Pesa, Mark Zuckerberg, Marshall McLuhan, Menlo Park, mobile money, more computing power than Apollo, move fast and break things, Nate Silver, national security letter, natural language processing, obamacare, Occupy movement, Oculus Rift, offshore financial centre, optical character recognition, pattern recognition, personalized medicine, Peter H. Diamandis: Planetary Resources, Peter Thiel, pre–internet, RAND corporation, ransomware, Ray Kurzweil, refrigerator car, RFID, ride hailing / ride sharing, Rodney Brooks, Satoshi Nakamoto, Second Machine Age, security theater, self-driving car, shareholder value, Silicon Valley, Silicon Valley startup, Skype, smart cities, smart grid, smart meter, Snapchat, social graph, software as a service, speech recognition, stealth mode startup, Stephen Hawking, Steve Jobs, Steve Wozniak, strong AI, Stuxnet, supply-chain management, technological singularity, telepresence, telepresence robot, Tesla Model S, The Wisdom of Crowds, Tim Cook: Apple, trade route, uranium enrichment, Wall-E, Watson beat the top human players on Jeopardy!, Wave and Pay, We are Anonymous. We are Legion, web application, WikiLeaks, Y Combinator, zero day
Mitnick and William L Simon, Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker (New York: Little, Brown, 2012). 22 Poulsen’s ingenious 1990 hack: Jonathan Littman, “The Last Hacker,” Los Angeles Times, Sept. 12, 1993. 23 For example, in October 2013: “Adobe Hack: At Least 38 Million Accounts Breached,” BBC, Oct. 30, 2013. 24 But what changed in that attack: Brian Krebs, “Adobe to Announce Source Code, Customer Data Breach,” Krebs on Security, Oct. 3, 2013. 25 Yep, the company that is selling: Darlene Storm, “AntiSec Leaks Symantec pcAnywhere Source Code After $50K Extortion Not Paid,” Computerworld, Feb. 7, 2012. 26 Traditional organized crime groups: The Hague, Threat Assessment: Italian Organized Crime, Europol Public Information, June 2013; Nir Kshetri, The Global Cybercrime Industry: Economic, Institutional, and Strategic Perspectives (London: Springer, 2010), 1; Chuck Easttom, Computer Crime, Investigation, and the Law (Boston: Cengage Learning, 2010), 206. 27 These newly emerging: Mark Milian, “Top Ten Hacking Countries,” Bloomberg, April 23, 2013. 28 New syndicates: Brian Krebs, “Shadowy Russian Firm Seen as Conduit for Cybercrime,” Washington Post, Oct. 13, 2007; Verisign iDefense, The Russian Business Network: Survey of a Criminal ISP, June 27, 2007. 29 RBN famously provides: Trend Micro, The Business of Cybercrime: A Complex Business Model, Jan. 2010. 30 ShadowCrew operated the now-defunct Web site: Kevin Poulsen, “One Hacker’s Audacious Plan to Rule the Black Market in Stolen Credit Cards,” Wired, Dec. 22, 2008. 31 Founded by the notorious criminal hacker: James Verini, “The Great Cyberheist,” New York Times Magazine, Nov. 10, 2010. 32 The number and reach: John E.
Deep Web Harvesting,” BrightPlanet, July 31, 2013. 15 Whereas Silk Road: Andy Greenberg, “Inside the ‘DarkMarket’ Prototype, a Silk Road the FBI Can Never Seize,” Wired, April 24, 2014. 202 To that end, in mid-2014: Kim Zetter, “New ‘Google’ for the Dark Web Makes Buying Dope and Guns Easy,” Wired, April 17, 2014. 16 Certain criminal forums: Michael Riley, “Stolen Credit Cards Go for $3.50 at Amazon-Like Online Bazaar,” Bloomberg, Dec. 19, 2011. 17 Numerous illicit “torrents”: Ernesto, May 18, 2008, blog on TorrentFreak, accessed on June 27, 2014. 18 Another such site: “Inside the Mansion—and Mind—of Kim Dotcom, the Most Wanted Man on the Net,” Wired, Oct. 18, 2012. 19 Not only do they sell: Beth Stebner, “The Most Dangerous Drug in the World: ‘Devil’s Breath’ Chemical from Colombia Can Block Free Will, Wipe Memory, and Even Kill,” Mail Online, May 12, 2012. 20 Tor hidden sites: Forward-Looking Threat Research Team, “Deepweb and Cybercrime,” Trend Micro, 2013, 16. 21 Once stolen: Brian Krebs, “Peek Inside a Professional Carding Shop,” Krebs on Security, June 4, 2014. 22 Given the vast amounts: Max Goncharov, “Russian Underground Revisited,” Forward-Looking Threat Research Team, Trend Micro Research Paper. 23 The cards are sold: Brian Krebs, “Cards Stolen in Target Breach Flood Underground Markets,” Krebs on Security, Dec. 20, 2013; Dancho Danchev, “Exposing the Market for Stolen Credit Cards Data,” Dancho Danchev’s Blog, Oct. 31, 2011; “Meet the Hackers,” Bloomberg Businessweek, May 28, 2006; David S. Wall, “The Organization of Cybercrime in an Ever-Changing Cyberthreat Landscape” (draft paper for the Criminal Networks Conference, Montreal, Oct. 3–4, 2011). 24 The United States is the largest victim: “Skimming off the Top,” Economist, Feb. 15, 2014. 25 Nearly 20 percent: Pew Research Center, “More Online Americans Say They’ve Experienced a Personal Data Breach,” April 14, 2014; Rosie Murray-West, “UK Worst in Europe for Identity Fraud,” Telegraph, Oct. 1, 2012. 
26 Medical identity theft: Herb Weisbaum, “U.S.
Millman, “Cybercriminals Work in a Sophisticated Market Structure,” Wall Street Journal, June 27, 2013. 79 Worse, it was the tool of choice: Dana Liebelson, “All About Blackshades, the Malware That Lets Hackers Watch You Through Your Webcam,” Mother Jones, May 21, 2014. 80 So good was the Blackshades RAT: “Syrian Activists Targeted with BlackShades Spy Software,” The Citizen Lab, June 19, 2012. 81 The rewards, however: Gregg Keizer, “Google to Pay Bounties for Chrome Browser Bugs,” Computerworld, Jan. 29, 2010. 82 Not to be outdone: Brian Krebs, “Meet Paunch: The Accused Author of the BlackHole Exploit Kit,” Krebs on Security, Dec. 6, 2013. 83 Dark Net chat rooms: Nicole Perlroth and David E. Sanger, “Nations Buying as Hackers Sell Flaws in Computer Code,” New York Times, July 13, 2013. 84 In 2012, the Grugq sold: Andy Greenberg, “Shopping for Zero-Days: A Price List For Hackers’ Secret Software Exploits,” Forbes, March 23, 2012. 85 Companies such as Vupen: Brian Krebs, “How Many Zero-Days Hit You Today,” Krebs on Security, Dec. 13, 2013. 86 The result, as pointed out: Josh Sanburn, “How Exactly Do Cyber Criminals Steal $78 Million?,” Time, July 3, 2012. 87 Worse, now that Stuxnet: Simonite, “Stuxnet Tricks Copied by Computer Criminals.” 88 Crime, Inc. can even draft: “The Child Porn PC Virus,” Week, Nov. 10, 2009. 89 According to the FBI: FBI, “GameOver Zeus Botnet Disrupted,” June 2, 2014. 90 As of mid-2014: Symantec, “Grappling with the ZeroAccess Botnet,” Sept. 30, 2013. 91 In the Russian digital underground: Ian Steadman, “The Russian Underground Economy Has Democratised Cybercrime,” Wired UK, Nov. 2, 2012. 
92 Moreover, the threat: “Computer Says No,” Economist, June 22, 2013; Perlroth and Hardy, “Bank Hacking Was the Work of Iranians.” 93 The toll of victims: Chris Brook, “Meetup.com Back Online After DDoS Attacks, Extortion Attempt,” Threat Post, March 5, 2014; Pierluigi Paganini, “Botnet Authors Use Evernote Account as C&C Server,” Security Affairs, March 31, 2013. 94 Given these obvious advantages: Mathew J.
23andMe, Airbnb, airport security, AltaVista, Anne Wojcicki, augmented reality, Benjamin Mako Hill, Black Swan, Brewster Kahle, Brian Krebs, call centre, Cass Sunstein, Chelsea Manning, citizen journalism, cloud computing, congestion charging, disintermediation, Edward Snowden, experimental subject, failed state, fault tolerance, Ferguson, Missouri, Filter Bubble, Firefox, friendly fire, Google Chrome, Google Glasses, hindsight bias, informal economy, Internet Archive, Internet of things, Jacob Appelbaum, Jaron Lanier, Julian Assange, Kevin Kelly, license plate recognition, linked data, Lyft, Mark Zuckerberg, Nash equilibrium, Nate Silver, national security letter, Network effects, Occupy movement, payday loans, pre–internet, price discrimination, profit motive, race to the bottom, RAND corporation, recommendation engine, RFID, self-driving car, Silicon Valley, Skype, smart cities, smart grid, Snapchat, social graph, software as a service, South China Sea, stealth mode startup, Steven Levy, Stuxnet, TaskRabbit, telemarketer, Tim Cook: Apple, transaction costs, Uber and Lyft, urban planning, WikiLeaks, zero day
Alex Williams (23 Dec 2013), “Target may be liable for up to $3.6 billion for card data breach,” Tech Crunch, http://techcrunch.com/2013/12/23/target-may-be-liable-for-up-to-3-6-billion-from-credit-card-data-breach. Lance Duroni (3 Apr 2014), “JPML centralizes Target data breach suits in Minn.,” Law360, http://www.law360.com/articles/524968/jpml-centralizes-target-data-breach-suits-in-minn. banks are being sued: Brian Krebs (8 Jan 2014), “Firm bankrupted by cyberheist sues bank,” Krebs on Security, http://krebsonsecurity.com/2014/01/firm-bankrupted-by-cyberheist-sues-bank. Brian Krebs (20 Jun 2014), “Oil Co. wins $350,000 cyberheist settlement,” Krebs on Security, http://krebsonsecurity.com/2014/06/oil-co-wins-350000-cyberheist-settlement. Brian Krebs (13 Aug 2014), “Tenn. firm sues bank over $327K cyberheist,” Krebs on Security, http://krebsonsecurity.com/2014/08/tenn-utility-sues-bank-over-327k-cyberheist. These cases can be complicated: Here’s one proposal. Maurizio Naldi, Marta Flamini, and Giuseppe D’Acquisto (2013), “Liability for data breaches: A proposal for a revenue-based sanctioning approach,” in Network and System Security (Lecture Notes in Computer Science Volume 7873), Springer, http://link.springer.com/chapter/10.1007%2F978-3-642-38631-2_20.
hackers broke into: Robert O’Harrow Jr. (17 Feb 2005), “ID data conned from firm,” Washington Post, http://www.washingtonpost.com/wp-dyn/articles/A30897-2005Feb16.html. hackers broke into Home Depot’s: Brian Krebs (2 Sep 2014), “Banks: Credit card breach at Home Depot,” Krebs on Security, http://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot. Robin Sidel (18 Sep 2014), “Home Depot’s 56 million card breach bigger than Target’s,” Wall Street Journal, http://online.wsj.com/articles/home-depot-breach-bigger-than-targets-1411073571. from JPMorgan Chase: Dominic Rushe (3 Oct 2014), “JP Morgan Chase reveals massive data breach affecting 76m households,” Guardian, http://www.theguardian.com/business/2014/oct/02/jp-morgan-76m-households-affected-data-breach. criminals have legally purchased: Brian Krebs (20 Oct 2013), “Experian sold consumer data to ID theft service,” Krebs on Security, http://krebsonsecurity.com/2013/10/experian-sold-consumer-data-to-id-theft-service.
NSA’s BULLRUN program: James Ball, Julian Borger, and Glenn Greenwald (5 Sep 2013), “Revealed: How US and UK spy agencies defeat internet privacy and security,” Guardian, http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security. Nicole Perlroth, Jeff Larson, and Scott Shane (5 Sep 2013), “N.S.A. able to foil basic safeguards of privacy on Web,” New York Times, http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html. British, Russian, Israeli: Brian Krebs (28 May 2014), “Backdoor in call monitoring, surveillance gear,” Krebs on Security, http://krebsonsecurity.com/2014/05/backdoor-in-call-monitoring-surveillance-gear. they have employees secretly: Peter Maass and Laura Poitras (10 Oct 2014), “Core secrets: NSA saboteurs in China and Germany,” Intercept, https://firstlook.org/theintercept/2014/10/10/core-secrets. Eric Schmidt tried to reassure: Martin Bryant (7 Mar 2014), “Google is ‘pretty sure’ its data is now protected against government spying, Eric Schmidt says,” Next Web, http://thenextweb.com/google/2014/03/07/google-pretty-sure-protected-government-spying-eric-schmidt-says. 7: Political Liberty and Justice the First Unitarian Church of Los Angeles sued: David Greene (27 Jan 2014), “Deep dive into First Unitarian Church v.
Pax Technica: How the Internet of Things May Set Us Free or Lock Us Up by Philip N. Howard
Affordable Care Act / Obamacare, Berlin Wall, bitcoin, blood diamonds, Bretton Woods, Brian Krebs, British Empire, call centre, Chelsea Manning, citizen journalism, clean water, cloud computing, corporate social responsibility, crowdsourcing, Edward Snowden, en.wikipedia.org, failed state, Fall of the Berlin Wall, feminist movement, Filter Bubble, Firefox, Francis Fukuyama: the end of history, Google Earth, Howard Rheingold, income inequality, informal economy, Internet of things, Julian Assange, Kibera, Kickstarter, land reform, M-Pesa, Marshall McLuhan, megacity, Mikhail Gorbachev, mobile money, Mohammed Bouazizi, national security letter, Network effects, obamacare, Occupy movement, packet switching, pension reform, prediction markets, sentiment analysis, Silicon Valley, Skype, spectrum auction, statistical model, Stuxnet, trade route, uranium enrichment, WikiLeaks, zero day
York, “Syria’s Twitter Spambots,” Guardian, April 21, 2011, accessed September 30, 2014, http://www.theguardian.com/commentisfree/2011/apr/21/syria-twitter-spambots-pro-revolution. 37. Qtiesh, “Spam Bots Flooding Twitter to Drown Info About #Syria Protests.” 38. Brian Krebs, “Twitter Bots Drown Out Anti-Kremlin Tweets,” Krebs on Security, December 8, 2011, accessed September 30, 2014, http://krebsonsecurity.com/2011/12/twitter-bots-drown-out-anti-kremlin-tweets/; Mike Orcutt, “Twitter Mischief Plagues Mexico’s Election,” MIT Technology Review, June 21, 2012, accessed September 30, 2014, http://www.technologyreview.com/news/428286/twitter-mischief-plagues-mexicos-election/; Brian Krebs, “Twitter Bots Target Tibetan Protests,” Krebs on Security, March 20, 2012, accessed September 30, 2014, http://krebsonsecurity.com/2012/03/twitter-bots-target-tibetan-protests/; Torin Peel, “The Coalition’s Twitter Fraud and Deception,” Independent Australia, August 26, 2013, accessed September 30, 2014, http://www.independentaustralia.net/politics/politics-display/the-coalitions-twitter-fraud-and-deception,5660; “Jasper Admits to Using Twitter Bots to Drive Election Bid,” Inside Croydon, November 26, 2012, accessed September 30, 2014, http://insidecroydon.com/2012/11/26/jasper-admits-to-using-twitter-bots-to-drive-election-bid/; W.
“Who Is Using EGHNA Media Server,” EGHNA Media Server, accessed September 30, 2014, http://media.eghna.com/success_stories. 27. “A Call to Harm: New Malware Attacks Target the Syrian Opposition,” Citizen Lab, June 21, 2013, accessed September 30, 2014, https://citizenlab.org/2013/06/a-call-to-harm/. 28. Alex Cheng and Mark Evans, Inside Twitter: An In-Depth Look at the 5% of Most Active Users (Toronto: Sysomos, August 2009), accessed September 30, 2014, http://www.sysomos.com/insidetwitter/mostactiveusers/. 29. Brian Krebs, “Twitter Bots Target Tibetan Protests,” Krebs on Security, March 20, 2012, accessed September 30, 2014, http://krebsonsecurity.com/2012/03/twitter-bots-target-tibetan-protests/. 30. Mike Orcutt, “Twitter Mischief Plagues Mexico’s Election,” MIT Technology Review, June 21, 2012, accessed September 30, 2014, http://www.technologyreview.com/news/428286/twitter-mischief-plagues-mexicos-election/. 31.
Dean Nelson, “China ‘Hacking Websites in Hunt for Tibetan Dissidents,’” Telegraph, August 13, 2013, accessed September 30, 2014, http://www.telegraph.co.uk/news/worldnews/asia/china/10240404/China-hacking-websites-in-hunt-for-Tibetan-dissidents.html. 28. Iain Thomson, “AntiLeaks Boss: We’ll Keep Pummeling WikiLeaks and Assange,” Register, August 13, 2012, accessed September 30, 2014, http://www.theregister.co.uk/2012/08/13/antileaks_wikileaks_attack_response/. 29. Brian Krebs, “Amnesty International Site Serving Java Exploit,” Krebs on Security, December 22, 2011, accessed September 30, 2014, http://krebsonsecurity.com/2011/12/amnesty-international-site-serving-java-exploit/. 30. @indiankanoon, “IK Servers Are Getting DDoSed Using the DNS Reflection Attack,” Indian Kanoon (October 19, 2013), accessed September 30, 2014, https://twitter.com/indiankanoon/status/391497714451492865. 31.
Cybersecurity: What Everyone Needs to Know by P. W. Singer, Allan Friedman
4chan, A Declaration of the Independence of Cyberspace, Apple's 1984 Super Bowl advert, barriers to entry, Berlin Wall, bitcoin, blood diamonds, borderless world, Brian Krebs, business continuity plan, Chelsea Manning, cloud computing, crowdsourcing, cuban missile crisis, data acquisition, Edward Snowden, energy security, failed state, Fall of the Berlin Wall, fault tolerance, global supply chain, Google Earth, Internet of things, invention of the telegraph, Julian Assange, Khan Academy, M-Pesa, mutually assured destruction, Network effects, packet switching, Peace of Westphalia, pre–internet, profit motive, RAND corporation, ransomware, RFC: Request For Comment, risk tolerance, rolodex, Silicon Valley, Skype, smart grid, Steve Jobs, Stuxnet, uranium enrichment, We are Anonymous. We are Legion, web application, WikiLeaks, zero day
On the other hand, since the world of cybersecurity is not a unified one, why should we expect a single approach to solve all the problems that have emerged, or frankly even to be possible? Approach It as a Public-Private Problem: How Do We Better Coordinate Defense? For a few weeks, a single blogger was the savior of the Internet. But, as with all superheroes, he actually needed a little bit of help. In 2008, Washington Post reporter Brian Krebs, who blogs at the Security Fix site, became curious about a single company that was poisoning the Internet and why everyone else was letting them get away with it. The company in question was McColo, a web hosting company physically based in California with a client list that, as Krebs wrote, “includes some of the most disreputable cyber-criminal gangs in business today.” After spending four months gathering data on the company and its clients, Krebs then reached out to the large commercial ISPs that provided McColo with their bandwidth to reach the Internet.
While Krebs had started out on his own, he depended on the network of companies that provided Internet service to act, who in turn depended on him to provide the information and intelligence they needed to act on. It’s not enough for single actors or organizations to try to build higher walls or better malware detection on their own. Attackers adapt. Moreover, attackers exploit boundaries of control and responsibility, setting up a collective action problem. By bringing together the necessary actors and information, Brian Krebs was able to spur effective action, leveraging cooperation against the right fulcrum. While cyberspace seems diffuse and decentralized—simultaneously one of the key advantages and insecurities of the Internet—there are often bottlenecks of control, choke points where the defenders can concentrate resources to gain an advantage. The dependence on large ISPs is one that helped shut down the McColo problem.
Again, though, the same argument was made about lifeboats and other safety measures on early ocean liners like the Titanic, fire codes for buildings, protections at nuclear power plants, seatbelts and air bags in cars, and so on. By working together to find standards that meet evolving needs but still allow firms to flourish, the public and private sectors can find a good balance. The key point is that cybersecurity requires coordination and action outside of the immediate victims or even owners of the networks under attack. Brian Krebs didn’t have the power of the government behind him, but his actions mattered because he mobilized a network that could target key choke points by malicious actors in cyberspace. But some problems of scale or target move the matter from the easily resolved situations where private parties have incentives to come together, like the ISPs in the McColo case or banks in financial fraud, to situations where the incentives might not be sufficient or the threat touches on public security concerns.
Brian Krebs, dumpster diving, fault tolerance, Firefox, Menlo Park, offshore financial centre, pirate software, Plutocrats, plutocrats, popular electronics, profit motive, RFID, Silicon Valley, zero day
He disabled a server hosted at an Atrivo data center in Silicon Valley and was told that the server had been leased to EST Domains. To his surprise, an EST executive called and asked what the problem was. The agent flew to meet him in Estonia, where the executive told him that he had re-leased the server to a customer in Moscow whom he only dealt with over ICQ. Armin and his allies got better results when they provided information on EST to Brian Krebs, a Washington Post tech security writer who gave the Atrivo and McColo studies the broadest exposure. Krebs reported on hundreds of malicious sites at EST Domains, then followed up with a report that EST Chief Executive Vladimir Tsastsin had recently been convicted of credit card fraud and forgery. ICANN, which for years had allowed companies to sell domain names with almost total secrecy to whomever they wanted, took the historic step of revoking EST’s right to peddle website addresses.
Some of the premier experts in government are cited in the text, while others asked not to be exposed. I was fortunate to be aided by many of the most able private researchers, not all of whom are paid for their work, including Joe Stewart, Rafal Rohozinski, Don Jackson, Jart Armin, Paul Ferguson, Avivah Litan, and Dmitri Alperovich. My fellow journalistic specialists also do an important service for followers like me and for the world at large. Among the very best are Brian Krebs, John Markoff, Jon Swartz, Byron Acohido, Kevin Poulsen, Kim Zetter, John Leyden, and Robert McMillan. I am grateful to my former colleagues at the Los Angeles Times, who supported my early reporting and allowed me a leave to write; my new friends at the Financial Times, who gave me time to finish; Lindsay Jones and others at PublicAffairs; my agent Jill Marsal; Chris Gaither, who served as an unpaid manuscript editor; and those close to me who dealt with my prolonged distraction and repeated absences.
CHAPTER 11 196 as high as possible, at King Arthur: Sources include Pohamov, others in Russian and U.K. law enforcement, and Lyon. 196 a man in his early twenties living in the Russian republic of Dagestan: A U.S. official with another federal agency confirmed that identification for its publication here, as did a colleague of Crocker’s at the NHTCU. 196 signaling an end to the subject: Crocker described this scene to colleagues. 196 The committee never pursued the case: Interviews with Russian law enforcement. 198 much to Andy’s amusement: Sources for this section include Lyon and another person at the party. 199 give his country another chance: Interview with Pohamov. 200 had to be numbered by hand: Crocker described the Russian format when discussing previous submissions. Other details are from Crocker’s law enforcement allies. 200 including Milsan: U.S. law enforcement sources. 201 within days of its release: According to security firm Commtouch. 201 Small businesses were increasingly targeted in account transfers: See such Brian Krebs articles on the topic as http://voices.washingtonpost.com/securitynx/2009/09/more_business_banking_victims.html?. 201 far less than half of 1 percent of the perpetrators: The Gartner study by Litan. 202 the top country for hacking: Interviews with Zenz, Henry, and others. 203 “political protection at a very strong level”: Interviews with U.K. and U.S. law enforcement, private researchers including Jart Armin, Paul Ferguson, David Bizeul, Don Jackson, and Zenz, along with written reports from those five and others.
Apple II, Brian Krebs, Burning Man, corporate governance, dumpster diving, Exxon Valdez, Hacker Ethic, hive mind, index card, McMansion, Mercator projection, offshore financial centre, packet switching, pirate software, Ponzi scheme, Robert Hanssen: Double agent, Saturday Night Live, Silicon Valley, Steve Jobs, Steve Wozniak, Steven Levy, traffic fines, web application, WikiLeaks, zero day, Zipcar
District Court for the Eastern District of New York. 3 it was Jonathan James who would pay the highest price: See the author’s “Former Teen Hacker’s Suicide Linked to TJX Probe,” Wired.com, July 9, 2009 (http://www.wired.com/threatlevel/2009/07/hacker/). 4 They recruit ordinary consumers as unwitting money launderers: For more detail on these so-called “money mule” scams, see the blog of former Washingtonpost.com reporter Brian Krebs, who has covered the crime extensively: http://krebsonsecurity.com/. 5 the Secret Service had been paying Gonzalez an annual salary of $75,000 a year: First reported in Kim Zetter, “Secret Service Paid TJX Hacker $75,000 a Year,” Wired.com, March 22, 2010. 6 filed by the attorneys general of 41 states: Sources include Dan Kaplan, “TJX settles over breach with 41 states for $9.75 million,” SC Magazine, June 23, 2009 (http://www.scmagazineus.com/tjx-settles-over-breach-with-41-states-for-975-million/article/138930/). 7 another $40 million to Visa-issuing banks: Mark Jewell, “TJX to pay up to $40.9 million in settlement with Visa over data breach,” Associated Press, November 30, 2007. 8 Heartland had been certified PCI compliant: Sources include Ellen Messmer, “Heartland breach raises questions about PCI standard’s effectiveness,” Network World, January 22, 2009 (http://www.networkworld.com/news/2009/012209-heartland-breach.html). 9 Hannaford Brothers won the security certification even as hackers were in its systems: Sources include Andrew Conry-Murray, “Supermarket Breach Calls PCI Compliance into Question,” InformationWeek, March 22, 2008. 10 The restaurants filed a class-action lawsuit: http://www.prlog.org/10425165-secret-service-investigation-lawsuit-cast-shadow-over-radiant-systems-and-distributo.html.
The story of Max Vision would have listed heavily to his criminal side were it not for Tim Spencer and Marty Roesch, who shared their experience of Max as white-hat hacker, and Kimi Mack, who spoke candidly about her marriage to Max. My thanks also to security wunderkind Marc Maiffret, who helped isolate some of Max’s exploits. The underworld that Kingpin delves into has been illuminated by a number of first-rate journalists, including Bob Sullivan, Brian Krebs, Joseph Menn, Byron Acohido, Jon Swartz, and my Wired colleague Kim Zetter. Finally, my thanks to my wife, Lauren Gelman, without whose loving support and sacrifice this book would not have been possible, and to Sadelle and Asher, who will find their computer use closely supervised until they’re eighteen. ABOUT THE AUTHOR KEVIN POULSEN is a senior editor at Wired.com and a contributor to Wired magazine.
@War: The Rise of the Military-Internet Complex by Shane Harris
Amazon Web Services, barriers to entry, Berlin Wall, Brian Krebs, centralized clearinghouse, clean water, computer age, crowdsourcing, data acquisition, don't be evil, Edward Snowden, failed state, Firefox, Julian Assange, mutually assured destruction, Silicon Valley, Silicon Valley startup, Skype, Stuxnet, uranium enrichment, WikiLeaks, zero day
[>] Homeland Security, the FBI, the Energy Department: Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team, Monthly Monitor (ICS—MM201310), July–September 2013, released October 31, 2013, http://ics-cert.us-cert.gov/sites/default/files/Monitors/NCCIC_ICS-CERT_Monitor_Jul-Sep2013.pdf. [>] Shell, Schlumberger, and other: Zain Shauk, “Phishing Still Hooks Energy Workers,” FuelFix, December 22, 2013, http://fuelfix.com/blog/2013/12/22/phishing-still-hooks-energy-workers/. [>] In a rare public appearance: Berlin spoke at a cyber security conference at the Newseum in Washington, DC, on May 22, 2013. [>] A few months after the intrusions: Brian Krebs, “Chinese Hackers Blamed for Intrusion at Energy industry Giant Telvent,” KrebsonSecurity, September 26, 2012, http://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion-at-energy-industry-giant-telvent/. [>] But the country also needs: World Bank, “GDP Growth,” http://data.worldbank.org/indicator/NY.GDP.MKTP.KD.ZG [>] China is the world’s second-largest: US Energy Information Administration, http://www.eia.gov/countries/country-data.cfm?
[>] Earlier in the year a pair: Nicole Perlroth, “Electrical Grid Is Called Vulnerable to Power Shutdown,” Bits, New York Times, October 18, 2013, http://bits.blogs.nytimes.com/2013/10/18/electrical-grid-called-vulnerable-to-power-shutdown/. [>] “There isn’t a computer system”: McConnell spoke at a cyber security conference sponsored by Bloomberg in Washington, DC, October 30, 2013. [>] Investigators concluded that the hackers: Brian Krebs, “Target Hackers Broke in Via HVAC Company,” KrebsonSecurity, February 5, 2014, http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/. [>] In February 2014 a Senate committee report: Craig Timberg and Lisa Rein, “Senate Cybersecurity Report Finds Agencies Often Fail to Take Basic Preventative Measures,” Washington Post, February 4, 2013, http://www.washingtonpost.com/business/technology/senate-cybersecurity-report-finds-agencies-often-fail-to-take-basic-preventive-measures/2014/02/03/493390c2-8ab6-11e3-833c-33098f9e5267_story.html. [>] At a security conference in Washington, DC: Alexander spoke in Washington, DC, at the Newseum on October 8, 2013, http://www.youtube.com/watch?
Affordable Care Act / Obamacare, Amazon Web Services, asset allocation, autonomous vehicles, bank run, bitcoin, Brian Krebs, buy low sell high, Capital in the Twenty-First Century by Thomas Piketty, combinatorial explosion, computer vision, corporate governance, crowdsourcing, en.wikipedia.org, Erik Brynjolfsson, estate planning, Flash crash, Gini coefficient, Goldman Sachs: Vampire Squid, haute couture, hiring and firing, income inequality, index card, industrial robot, invention of agriculture, Jaron Lanier, Jeff Bezos, job automation, John Maynard Keynes: Economic Possibilities for our Grandchildren, Loebner Prize, Mark Zuckerberg, mortgage debt, natural language processing, Own Your Own Home, pattern recognition, Satoshi Nakamoto, school choice, Schrödinger's Cat, Second Machine Age, self-driving car, sentiment analysis, Silicon Valley, Silicon Valley startup, Skype, software as a service, The Chicago School, Turing test, Watson beat the top human players on Jeopardy!, winner-take-all economy, women in the workforce, working poor, Works Progress Administration
CAPTCHA stands for “Completely Automated Public Turing Test to tell Computers and Humans Apart.” Mark Twain famously said, “It is my … hope … that all of us … may eventually be gathered together in heaven … except the inventor of the telephone.” Were he alive today, I’m confident he would include the inventor of the CAPTCHA. Regarding the use of low-skilled low-cost labor to solve these, see Brian Krebs, “Virtual Sweatshops Defeat Bot-or-Not Tests,” Krebs on Security (blog), January 9, 2012, http://krebsonsecurity.com/2012/01/virtual-sweatshops-defeat-bot-or-not-tests/. 5. OFFICER, ARREST THAT ROBOT 1. E. P. Evans, The Criminal Prosecution and Capital Punishment of Animals (1906; repr., Clark, N.J.: Lawbook Exchange, 2009). 2. Craig S. Neumann and Robert D. Hare, “Psychopathic Traits in a Large Community Sample: Links to Violence, Alcohol Use, and Intelligence,” Journal of Consulting and Clinical Psychology 76 no. 5 (2008): 893–99. 3.
The Industries of the Future by Alec Ross
23andMe, 3D printing, Airbnb, algorithmic trading, AltaVista, Anne Wojcicki, autonomous vehicles, banking crisis, barriers to entry, Bernie Madoff, bioinformatics, bitcoin, blockchain, Brian Krebs, British Empire, business intelligence, call centre, carbon footprint, cloud computing, collaborative consumption, connected car, corporate governance, Credit Default Swap, cryptocurrency, David Brooks, disintermediation, Dissolution of the Soviet Union, distributed ledger, Edward Glaeser, Edward Snowden, en.wikipedia.org, Erik Brynjolfsson, fiat currency, future of work, global supply chain, Google X / Alphabet X, industrial robot, Internet of things, invention of the printing press, Jaron Lanier, Jeff Bezos, job automation, knowledge economy, knowledge worker, litecoin, M-Pesa, Mark Zuckerberg, Mikhail Gorbachev, mobile money, money: store of value / unit of account / medium of exchange, new economy, offshore financial centre, open economy, peer-to-peer lending, personalized medicine, Peter Thiel, precision agriculture, pre–internet, RAND corporation, Ray Kurzweil, recommendation engine, ride hailing / ride sharing, Satoshi Nakamoto, self-driving car, sharing economy, Silicon Valley, Silicon Valley startup, Skype, smart cities, social graph, software as a service, special economic zone, supply-chain management, supply-chain management software, technoutopianism, underbanked, Vernor Vinge, Watson beat the top human players on Jeopardy!, women in the workforce, Y Combinator, young professional
In addition, the hackers stole: Mark Hosenball, “Target Vendor Says Hackers Breached Data Link Used for Billing,” Reuters, February 6, 2014, http://www.reuters.com/article/2014/02/06/us-target-breach-vendor-idUSBREA1523E20140206. Profits fell 46 percent in: Elizabeth A. Harris, “Faltering Target Parts Ways with Chief,” New York Times, May 6, 2014, http://www.nytimes.com/2014/05/06/business/target-chief-executive-resigns.html?ref=technology&_r=0. The company could still face: Brian Krebs, “Target Hackers Broke in via HVAC Company,” Krebs on Security (blog), February 5, 2014, http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/. It lost billions of dollars: Susan Taylor, Siddharth Cavale, and Jim Finkle, “Target’s Decision to Remove CEO Rattles Investors,” Reuters, May 5, 2014, http://www.reuters.com/article/2014/05/05/us-target-ceo-idUSBREA440BD20140505.
Liars and Outliers: How Security Holds Society Together by Bruce Schneier
airport security, barriers to entry, Berlin Wall, Bernie Madoff, Bernie Sanders, Brian Krebs, Broken windows theory, carried interest, Cass Sunstein, Chelsea Manning, corporate governance, crack epidemic, credit crunch, crowdsourcing, cuban missile crisis, Daniel Kahneman / Amos Tversky, David Graeber, desegregation, don't be evil, Double Irish / Dutch Sandwich, Douglas Hofstadter, experimental economics, Fall of the Berlin Wall, financial deregulation, George Akerlof, hydraulic fracturing, impulse control, income inequality, invention of agriculture, invention of gunpowder, iterative process, Jean Tirole, John Nash: game theory, joint-stock company, Julian Assange, meta analysis, meta-analysis, microcredit, moral hazard, mutually assured destruction, Nate Silver, Network effects, Nick Leeson, offshore financial centre, patent troll, phenotype, pre–internet, principal–agent problem, prisoner's dilemma, profit maximization, profit motive, race to the bottom, Ralph Waldo Emerson, RAND corporation, rent-seeking, RFID, Richard Thaler, risk tolerance, Ronald Coase, security theater, shareholder value, slashdot, statistical model, Steven Pinker, Stuxnet, technological singularity, The Market for Lemons, The Nature of the Firm, The Spirit Level, The Wealth of Nations by Adam Smith, The Wisdom of Crowds, theory of mind, too big to fail, traffic fines, transaction costs, ultimatum game, UNCLOS, union organizing, Vernor Vinge, WikiLeaks, World Values Survey, Y2K
“Stop Snitching” campaign Rick Hampson (28 Mar 2006), “Anti-Snitch Campaign Riles Police, Prosecutors,” USA Today. Rick Frei (2010), “Witness Intimidation and the Snitching Project,” written testimony submitted to the Subcommittee on Drugs and Crime, U.S. Senate Committee on the Judiciary. Con artists try David Maurer (1940), The Big Con: The Story of the Confidence Man, Bobbs Merrill. Fake anti-virus software Brian Krebs (3 Aug 2011), “Fake Antivirus Industry Down, But Not Out,” Krebs on Security. Internet money laundering Mitchell Zuckoff (15 May 2005), “Annals of Crime: The Perfect Mark,” The New Yorker, 36–42. doctrine of necessity Leslie Wolf-Phillips (1979), “Constitutional Legitimacy: A Study of the Doctrine of Necessity.” Third World Quarterly, 1:99–133. competing interests H.E. Mason, ed. (1996), Moral Dilemmas and Moral Theory, Oxford University Press.
Affordable Care Act / Obamacare, algorithmic trading, Amazon Mechanical Turk, asset-backed security, Atul Gawande, bank run, barriers to entry, Berlin Wall, Bernie Madoff, Black Swan, bonus culture, Brian Krebs, call centre, Capital in the Twenty-First Century by Thomas Piketty, Chelsea Manning, cloud computing, collateralized debt obligation, corporate governance, Credit Default Swap, credit default swaps / collateralized debt obligations, crowdsourcing, cryptocurrency, Debian, don't be evil, Edward Snowden, en.wikipedia.org, Fall of the Berlin Wall, Filter Bubble, financial innovation, Flash crash, full employment, Goldman Sachs: Vampire Squid, Google Earth, Hernando de Soto, High speed trading, hiring and firing, housing crisis, informal economy, information retrieval, interest rate swap, Internet of things, invisible hand, Jaron Lanier, Jeff Bezos, job automation, Julian Assange, Kevin Kelly, knowledge worker, Kodak vs Instagram, kremlinology, late fees, London Interbank Offered Rate, London Whale, Mark Zuckerberg, mobile money, moral hazard, new economy, Nicholas Carr, offshore financial centre, PageRank, pattern recognition, precariat, profit maximization, profit motive, quantitative easing, race to the bottom, recommendation engine, regulatory arbitrage, risk-adjusted returns, search engine result page, shareholder value, Silicon Valley, Snapchat, Spread Networks laid a new fibre optics cable between New York and Chicago, statistical arbitrage, statistical model, Steven Levy, the scientific method, too big to fail, transaction costs, two-sided market, universal basic income, Upton Sinclair, value at risk, WikiLeaks
Harris and Nicole Perlroth, “For Target, the Breach Numbers Grow,” New York Times, January 1, 2014, http://www.nytimes.com/2014/01/11/business/target-breach-affected-70-million-customers.html?_r=0. 59. Thomas R. McLean & Alexander B. McLean, “Dependence on Cyberscribes-Issues in E-Security,” 8 J. Bus. & Tech. L. (2013): 59 (discussing instances of medical information on the black market); Brian Krebs & Anita Kumar, “Hackers Want Millions for Data on Prescriptions,” Wash. Post, May 8, 2009, at B1. 60. Misha Glenny, DarkMarket: How Hackers Became the New Mafia (New York: Vintage Books, 2012) 2 (“this minuscule elite (call them geeks, technos, hackers, coders, securocrats, or what you will) has a profound understanding of a technology that every day directs our lives more intensively and extensively, while most of the rest of us understand absolutely zip about it.”). 61.
Ayatollah Khomeini, Brian Krebs, crowdsourcing, data acquisition, Doomsday Clock, Edward Snowden, facts on the ground, Firefox, friendly fire, Google Earth, information retrieval, Julian Assange, Loma Prieta earthquake, Maui Hawaii, pre–internet, RAND corporation, Silicon Valley, skunkworks, smart grid, smart meter, South China Sea, Stuxnet, uranium enrichment, Vladimir Vetrov: Farewell Dossier, WikiLeaks, Y2K, zero day
They had to go public with the news.15 So on July 12, Ulasen posted a brief announcement about the zero-day to his company’s website and to an online English-language security forum, warning that an epidemic of infections was about to break out.16 He divulged few details about the hole it was attacking, to avoid giving copycat hackers information that would help them exploit it. But members of the forum grasped the implications quickly, noting that it had the potential to be “deadly to many.” Three days later, tech journalist Brian Krebs picked up the announcement and wrote a blog post about it, summarizing what little was known about the vulnerability and exploit at the time.17 The news raced through the security community, causing everyone to brace for a wave of assaults expected to come from the worm and copycat attacks using the same exploit.18 In the meantime, the head of an institute in Germany that researched and tested antivirus products brokered an introduction between Ulasen and his contacts at Microsoft, prompting the software company to begin work on a patch.19 But with news of the vulnerability already leaked, Microsoft decided to release an immediate advisory about the critical flaw to customers, along with a few tips advising them how to mitigate their risk of infection in the meantime.
Terms of Service: Social Media and the Price of Constant Connection by Jacob Silverman
23andMe, 4chan, A Declaration of the Independence of Cyberspace, Airbnb, airport security, Amazon Mechanical Turk, augmented reality, Brian Krebs, California gold rush, call centre, cloud computing, cognitive dissonance, correlation does not imply causation, Credit Default Swap, crowdsourcing, don't be evil, Edward Snowden, feminist movement, Filter Bubble, Firefox, Flash crash, game design, global village, Google Chrome, Google Glasses, hive mind, income inequality, informal economy, information retrieval, Internet of things, Jaron Lanier, jimmy wales, Kevin Kelly, Kickstarter, knowledge economy, knowledge worker, late capitalism, license plate recognition, life extension, Lyft, Mark Zuckerberg, Mars Rover, Marshall McLuhan, meta analysis, meta-analysis, Minecraft, move fast and break things, national security letter, Network effects, new economy, Nicholas Carr, Occupy movement, optical character recognition, payday loans, Peter Thiel, postindustrial economy, prediction markets, pre–internet, price discrimination, price stability, profit motive, quantitative hedge fund, race to the bottom, Ray Kurzweil, recommendation engine, rent control, RFID, ride hailing / ride sharing, self-driving car, sentiment analysis, shareholder value, sharing economy, Silicon Valley, Silicon Valley ideology, Snapchat, social graph, social web, sorting algorithm, Steve Ballmer, Steve Jobs, Steven Levy, TaskRabbit, technoutopianism, telemarketer, transportation-network company, Turing test, Uber and Lyft, Uber for X, universal basic income, unpaid internship, women in the workforce, Y Combinator, Zipcar
“Everything We Know About What Data Brokers Know About You.” ProPublica. Sept. 13, 2013. propublica.org/article/everything-we-know-about-what-data-brokers-know-about-you. 215 TSA sells to debt collectors: Susan Stellin. “Security Check Now Starts Long Before You Fly.” New York Times. Oct. 21, 2013. nytimes.com/2013/10/22/business/security-check-now-starts-long-before-you-fly.html. 215 Experian investigation: Brian Krebs. “Experian Sold Consumer Data to ID Theft Service.” KrebsonSecurity. Oct. 20, 2013. krebsonsecurity.com/2013/10/experian-sold-consumer-data-to-id-theft-service. 215 Identity thieves in Vietnam: Sean Vitka. “Experian-Acquired Data Broker Sold Social Security Numbers to Identity Thieves.” Slate. Oct. 25, 2013. slate.com/blogs/moneybox/2013/10/25/experian_data_broker_social_security_numbers_sold_to_identity_thieves.html. 215 Experian revenue: “Investor Centre.”