Recently, I received an email from my dear friend Gloria Steinem. (In truth, our only contact was in 2005 when I persuaded her to write an essay for this magazine.) Flattered to discover that the iconic feminist still thinks of me, I opened her e-missive to receive a “personal” recommendation for, ironically, a penile enlargement procedure. What humor.
This and other dubious queries bore apparently valid From: addresses, including unusually spelled names, separating them from the garden-variety Nigerian intermediaries discreetly informing me of “an opportunity which is presently at hand, but which must be handled with utmost care and caution.”
And then I heard from the fraud department of my bank. Had I attempted to rent a hotel room in Merced? No. After a few more questions and a few more no’s, I got the picture. The picture was my checking balance tied to my debit card was down by $250.
Professor David Wagner, a specialist in computer security, heard my litany of digital scam encounters with a mix of empathy and “heard-it-all-before.” Wagner leads a team located on the sixth and seventh floors of the Soda Hall hillside computer science building on Berkeley’s Hearst Avenue. Together with colleagues at the University of California, San Diego, they track what they refer to as the digital arms race that encompasses not only personal spam assaults but attacks on health networks, industrial control systems for water and electrical plants and gas pipelines, intellectual property, and trade and defense secrets.
The same technology that transforms our lives with email, mobile computing, e-commerce, multi-player games, social networks, cloud computing, and data mining has spawned vastly scaled, polymorphous, automated, blazingly efficient, and mostly money-motivated assaults perpetrated from remote sites often three or four times removed from each other around the globe. Moreover, law enforcement experts estimate that as far back as 2005, revenues from cybercrime surpassed those of the international drug trade. Two years ago, AT&T’s chief of security testified to Congress that cybercrime was averaging more than $1 trillion annually, “a figure in excess of the entire software industry and nearly twice the GDP of Germany.”
“Email can be easily spoofed,” Wagner said matter-of-factly. “Your friends, like millions of others, got hacked. And there’s been little or no attempt to curb it.”
And the bank fraud? Using my debit card without the card? I asked with residual indignation.
“That’s easy,” he responded. “Someone physically handled it, a waiter or maybe a clerk. They copied your number. Someone else, another party, then encoded the magnetic tape and put it on a different card.”
Anticipating my question about the so-called labyrinthine defense, a barrier of security questions such as “Mother’s Maiden Name” or “First Pet” set up to protect me, Wagner described a global landscape hosting cells of would-be perpetrators whose only missions are guessing answers to security questions and perfecting code to automatically respond. “Think of technically well educated, energetic people in countries where legitimate opportunities are rare, where international legal cooperation is lax. Russia, Romania, Bulgaria … China is harder to assess.”
Compared to the implied and perceived threats to the economy, infrastructure, health, and national security, such abuses amount to petty online crimes. However, Wagner points out, a “Nigerian scam” or spam message costs literally pennies to create and send to millions (mostly in the United States and Europe), and will surely find and bilk its marks. In 2010, the Internet Crime Complaint Center, affiliated with the National White Collar Crime Center and the FBI, and supported by the Bureau of Justice Assistance, recorded 304,000 domestic Internet fraud complaints with hundreds of millions in reported losses.
From the perspective of Wagner and his Soda Hall colleague Vern Paxson, and their UC San Diego cohorts, Internet fraud uses technological evolution to take advantage of a fundamental human desire to trust, which makes us vulnerable to being fooled. The Nigerian scam is just an email version of a classic grift that people have been falling for literally for centuries. However, the Internet has allowed scam artists a much wider scope.
Moreover, global social networking sites like Facebook are in reality giant data-gathering repositories that make their millions of followers, who willingly give up important personal information, all the more vulnerable to wolves masquerading as “friends.”
According to Stefan Savage, Wagner’s and Paxson’s colleague at UCSD, there are already scams that take advantage of social networks. “A more insidious variation is what sometimes gets called the ‘Super Bowl scam.’ Here the scammer looks for young marks who announce that they are travelling to some event away from home (e.g., to see the Super Bowl).” The information may be gathered simply by watching friends of friends, without even having to hack an account. The scammer then contacts the grandparents (identified either from the social net itself or third-party identity services) “claiming to be the grandchild and that you’ve been robbed, are stranded, and need money to get home. This takes advantage of the shared knowledge between the relative and the mark and some assumptions about the strength of the relationship.” Because the scammer is able to include a piece of specific information, it encourages the mark to trust the request. “We all want to trust. We’ve had to teach ourselves to be skeptical, but once that skepticism is pierced by some inside information we’re very happy to believe,” explains Savage.
“Phishing is common in social networks,” Paxson, said, explaining: “The phisher fools a user into thinking they need to log into the service, when in fact the user is typing in their username and password to a fake website run by the attacker.” This gains the attacker access to an established account, which can then be used directly to gather or send out information, or as a stepping-stone to get more accounts (e.g., by tweeting out a URL to this phishing site).
As recently as the past decade, such a scammable infrastructure—with both perpetrators and potential victims interconnected—did not exist on this scale, according to Savage. “The computer viruses and worms of the 20th century were joy riders, driven primarily by ambition for notoriety,” he noted recently in an essay for The New York Times. “But once it became possible to make money from computer infection, whether through advertising (spam) or theft (stealing bank account credentials), this economic engine fed a bloom in online crime.”
What’s more, this vast universe of seemingly loose criminal atoms has congealed into an intricately stitched niche network. In the fall of 2010, researchers at Berkeley, UCSD, and Budapest University of Technology and Economics spent three months reverse engineering nearly a billion email messages, opening spam, ordering goods and services online, and spending several thousand dollars for more than 100 purchases. In a paper delivered to the Institute of Electrical and Electronics Engineers, they demonstrated how they were able to trace each transaction, end to end, using proprietary software and specially programmed web crawlers. As an example, clicking an online offer with “Viagra Official Site” in the subject line took the scientists to a website registered in Russia only days before the offer. The server, they discovered, was located in China. A proxy server in Brazil worked as an intermediary, handling requests from the Chinese server. The actual purchase was transacted between a computer in Turkey and a bank in Azerbaijan. Finally, the product was sent from a counterfeit manufacturer in India.
Such an email spam campaign can generate the equivalent of three messages for every person on the planet. And yet the cost of doing business in this manner is so low, the spammers could afford to generate more than 12 million messages just to sell $100 worth of fake Viagra.
“Specialization in a market economy,” Wagner calls it. “One party selling email addresses or Twitter accounts, one email spamming to millions, lots of cheap sales—even reimbursement if you drive someone to my black market services, or reimbursement if you can collect credit card data or answer the key questions.”
If the remote exchange of money for actual goods, even counterfeit goods, were the only issue, Wagner, Paxson, and their colleagues would likely not be so exercised. The real prize is worth far more than $100 here and there. The real prize is identity.
Wagner cited a recent cyber attack with serious defense consequences. It began innocently enough when an employee of RSA, the security branch of the giant IT company EMC, received an email from a colleague, with whom he had regularly corresponded. And so he opened the attachment, which looked like a normal spread sheet. But embedded was a flash video—unusual. He closed the attachment, but the damage had been done: Malicious software (“malware” or “worm”) had already installed itself. With it came the capability to disrupt, deny, or, in this case, to spy and snatch.
“Now they had control of that guy’s machine. They could remotely send it commands,” Wagner says. “They were able to break into RSA’s internal systems. This led to a break-in of Lockheed Martin’s cryptic enterprise data.” Lockheed is a major EMC client and primary technology provider to the federal government. In mid-December, within weeks of this interview, Iran announced it had conducted a “sophisticated electronic attack” that brought down a RQ-170 Sentinel stealth drone spy aircraft within its borders. Lockheed Martin manufactured the aircraft.
Wagner declined to speculate about what was stolen in the RSA data heist. But that it happened, the perceived consequences of what happened, and what could happen on a grand and growing scale, are enough to get plenty of attention. The National Science Foundation has kicked in $3.7 million and the Office of Naval Research has also helped fund the research with a pair of $1.5 million grants for thwarting cyber piracy. Intel recently put up $15 million for the new Intel Science and Technology Center for Secure Computing, directed by Wagner at Soda Hall. And recently a representative of the Department of Homeland Security paid a visit to Soda Hall.
Their exigency is clear. Based on industry analysis, 1 in 14 downloads contains a piece of malware. From January 2009 to September 2010, the discovered amount of invasive malicious software grew from 5 million to 50 million pieces.
Not only has malware become ubiquitous, but it has become precise, targeting individuals (spear phishing) or stalking specific computers for data shakedowns. Not only is it precise, it can hide its tracks, automatically changing registered domains every few days, and it is supported by a decentralized network of hundreds of affiliates, mimicking a digital terrorist network, the Berkeley scientists say. Furthermore, malware can be programmed to search out and disrupt or destroy competing malware already on the target machine and to fight off new, incoming malware.
And it can do all of this automatically, Paxson said, so scammers and spammers can pick a program off the shelf. “It’s simply pay for install, which involves having your application or malware put on someone else’s computer.” Malware may do any number of things—send the addresses in your email inbox to a spammer, for example, or note your passwords anytime you log into a secure site—and the type of malware can determine how many people profit from the infection. However, it’s a good bet that you won’t be one of them. “The broker doesn’t care about compromising systems. They just want payment. It’s also sobering how cheap it is. To install on more than 1,000 systems in the U.S. costs about $150, in Asia it’s $8.”
I suggested that the bad guys seem to be riding their own version of Moore’s Law. Named for Intel co-founder Gordon Moore, a 1950 Berkeley graduate, it generally states that computer processing power doubles approximately every 18 months.
“There has been a similar trend for network capacity,” Wagner responded. “Today, my network connection is way faster than a decade ago. That’s made piracy a lot easier.”
“We’re seeing innovation from the criminal side,” Paxson added, “and it’s accelerating, certainly. It’s unsettling. Every day we come into the office thinking: ‘How are we going to get a handle on this?’”
The first step was to study the digital criminal ecosystem. In a preliminary report called “Click Trajectories: End-to-End Analysis of the Spam Value Chain,” they identified the links in the chain as naming, hosting, payment, and fulfillment (delivery of the good or service, whether that’s a Twitter account or a bank account).
They focused on potential bottlenecks and concluded that “95 percent of spam-advertised pharmaceutical, replica (knockoffs), and software products are monetized using merchant services from just a handful of banks.” The bottom line, they conclude, is that banks are the choke point, and the evidence presented by Paxson and Wagner and their UCSD colleagues should be strong fodder for a banking and credit card policy overhaul. “You’d cut off the money that supports the entire spam enterprise,” Savage of UCSD told The New York Times last spring.
That it should be so easy. Though 95 percent of the credit card transactions the scientists used for purchasing drugs and herbal remedies were handled by just three financial institutions, those banks were in Azerbaijan, Denmark, and Nevis, West Indies. Their purchases of software were mainly handled by only a few banks in Russia, which was also home to most of the hacker message boards. “Russian is the language of the underground,” Paxson mused.
As for the other head of the beast, malware, Wagner is leading the Berkeley team to come up with what they call “trustworthy computing.” This means creating safeguards against remote, third-party attacks that can reprogram industrial control systems, without alarming operators, and steal proprietary information—as happened to Google in February 2010, when an account in China not only hacked Google, but 30 companies that did business with Google.
“Suppose all your personal and professional digital devices could interact on your behalf, like trusted agents,” proposes a recent report issued by Wagner’s team at the Computer Science Division, which seeks to make cloud computing more secure for the user. Part of that team is Dawn Song, Ph.D. ’02, an associate professor and 2010 recipient of the MacArthur “Genius Award” Fellowship for her work on computer security.
“We’re working on building new paradigms for security,” Song said. “To do that, especially in cloud computing and on mobile devices, we have to identify vulnerability. Begin with applications. Anybody can develop one; anybody can put one up, essentially anybody can take over a phone or invade the cloud. So we need to develop underlying security platforms.”
By this, she means, creating a sort of computer condom that protects the operating system from applications, thus preventing infections from spreading.
The key could be in developing a new generation of developers, Song and Wagner both say. “When we try to introduce security platforms into software systems all applications must stop working in order to accommodate [the retrofit]. You have unhappy developers whose culture is just to get the work done and ship it,” Wagner explained. “We just need to make it easier for them at the outset of development.”
To go forward we need to teach programmers to think about security before development. Song and her teammates are developing a security platform to show students and prospective developers how to provide digital safeguards, sort of like an isolation room in a hospital to prevent the spread of contagious diseases. “We hope it will demonstrate the benefits to everyone, to developers, who will still have access to sensitive data, and end users who will have access to even more products and better applications,” Song said, with an engaging, confident smile, suggesting that security is as much a commodity as speed, storage capacity, and even megapixels.
In the meantime, the old adage holds true that if a deal seems too good to be true, it probably is. And if your Facebook friend emails you for a wire transfer, pick up the phone and call.