Friday, May 10, 2013

Who does this?


Who is doing this? 

Who wants to work that hard to destroy your life? 
The answer tends to break down into two groups, both of them equally scary: overseas syndicates and bored kids.
The syndicates are scary because they’re efficient and wildly prolific. 

Malware and virus-writing used to be something hobbyist hackers did for fun, as proofs of concept. 


Not anymore. 


Sometime around the mid-2000s, organized crime took over. 


Today’s virus writer is more likely to be a member of the professional criminal class operating out of the former Soviet Union than some kid in a Boston dorm room. 


There’s a good reason for that: money.
Given the sums at stake—in 2011 Russian-speaking hackers alone took in roughly $4.5 billion from cybercrime—it’s no wonder that the practice has become organized, industrialized, and even violent. 

Moreover, they are targeting not just businesses and financial institutions but individuals too. 


Russian cybercriminals, many of whom have ties to the traditional Russian mafia, took in tens of millions of dollars from individuals last year, largely by harvesting online banking passwords through phishing and malware schemes. 

In other words, when someone steals your Citibank password, there’s a good chance it’s the mob.
But teenagers are, if anything, scarier, because they’re so innovative. 

The groups that hacked David Pogue and me shared a common member: a 14-year-old kid who goes by the handle “Dictate.” 


He isn’t a hacker in the traditional sense. 


He’s just calling companies or chatting with them online and asking for password resets. 


But that does not make him any less effective. 


He and others like him start by looking for information about you that’s publicly available: your name, email, and home address, for example, which are easy to get from sites like Spokeo and WhitePages.com. 

Then he uses that data to reset your password in places like Hulu and Netflix, where billing information, including the last four digits of your credit card number, is kept visibly on file. 


Once he has those four digits, he can get into AOL, Microsoft, and other crucial sites. 


Soon, through patience and trial and error, he’ll have your email, your photos, your files—just as he had mine.


Why do kids like Dictate do it? 
Mostly just for lulz: to fuck shit up and watch it burn. 

One favorite goal is merely to piss off people by posting racist or otherwise offensive messages on their personal accounts. 


As Dictate explains, “Racism invokes a funnier reaction in people. 


Hacking, people don’t care too much. 


When we jacked @jennarose3xo”—aka Jenna Rose, an unfortunate teen singer whose videos got widely hate-watched in 2010—“I got no reaction from just tweeting that I jacked her stuff. 


We got a reaction when we uploaded a video of some black guys and pretended to be them.” 


Apparently, sociopathy sells.
A lot of these kids came out of the Xbox hacking scene, where the networked competition of gamers encouraged kids to learn cheats to get what they wanted. 

In particular they developed techniques to steal so-called OG (original gamer) tags—the simple ones, like Dictate instead of Dictate27098—from the people who’d claimed them first. 



One hacker to come out of that universe was “Cosmo,” who was one of the first to discover many of the most brilliant socialing exploits out there, including those used on Amazon and PayPal. 

“It just came to me,” he said with pride when I met him a few months ago at his grandmother’s house in southern California. 

In early 2012, Cosmo’s group, UGNazi, took down sites ranging from Nasdaq to the CIA to 4chan. 


It obtained personal information about Michael Bloomberg, Barack Obama, and Oprah Winfrey. 


When the FBI finally arrested this shadowy figure in June, they found that he was just 15 years old; when he and I met a few months later, I had to drive.
It’s precisely because of the relentless dedication of kids like Dictate and Cosmo that the password system cannot be salvaged. 

You can’t arrest them all, and even if you did, new ones would keep growing up. 


Think of the dilemma this way: Any password-reset system that will be acceptable to a 65-year-old user will fall in seconds to a 14-year-old hacker.
For the same reason, many of the silver bullets that people imagine will supplement—and save—passwords are vulnerable as well. 

For example, last spring hackers broke into the security company RSA and stole data relating to its SecurID tokens, supposedly hack-proof devices that provide secondary codes to accompany passwords. 

RSA never divulged just what was taken, but it’s widely believed that the hackers got enough data to duplicate the numbers the tokens generate.


If they also learned the tokens’ device IDs, they’d be able to penetrate the most secure systems in corporate America.
On the consumer side, we hear a lot about the magic of Google’s two-factor authentication for Gmail. 

It works like this: First you confirm a mobile phone number with Google. 


After that, whenever you try to log in from an unfamiliar IP address, the company sends an additional code to your phone: the second factor. 


Does this keep your account safer? 


Absolutely, and if you’re a Gmail user, you should enable it this very minute. 


Will a two-factor system like Gmail’s save passwords from obsolescence? 



Let me tell you about what happened to Matthew Prince.
This past summer UGNazi decided to go after Prince, CEO of a web performance and security company called CloudFlare. 

They wanted to get into his Google Apps account, but it was protected by two-factor. 


What to do? 


The hackers hit his AT&T cell phone account. 


As it turns out, AT&T uses Social Security numbers essentially as an over-the-phone password. 


Give the carrier those nine digits—or even just the last four—along with the name, phone number, and billing address on an account and it lets anyone add a forwarding number to any account in its system. 


And getting a Social Security number these days is simple: They’re sold openly online, in shockingly complete databases.
Prince’s hackers used the SSN to add a forwarding number to his AT&T service and then made a password-reset request with Google. 

So when the automated call came in, it was forwarded to them. Voilà—the account was theirs. 


Two-factor just added a second step and a little expense. 


The longer we stay on this outdated system (the more Social Security numbers that get passed around in databases, the more login combinations that get dumped, the more we put our entire lives online for all to see), the faster these hacks will get.

And that might be other people today.

And what if it's you tomorrow?

Please tidy up your affairs.
