Thursday, April 05, 2012

Sharks in the digital gene pool

kw: book reviews, nonfiction, internet, cybercriminals

You may know the old saw: Speak of the devil and he may appear. This is particularly true in cyberspace. The most accomplished hackers, being fond of their reputations, have software agents on the lookout for their names to pop up. Preferring to remain below their radar, I'll leave names out of this review. Interestingly, the author of DarkMarket: Cyberthieves, Cybercops and You, Misha Glenny, names nineteen assorted online criminals, refers to at least sixteen others only by their handle, because he doesn't know their names, and has tentatively determined that two much-revered handles actually belong to consortia.

I came to the book looking for guidance; the "and You" in the title hinted at personal relevancy. There was none. Perhaps none is possible! On the World Wide Web, it is simply best to keep your wits about you, because it is certain that someone out there is hoping to gain the information needed to plunder your bank account. If you happen to be privy to your company's secrets, there is also someone out there hoping to get access to those. So we see two of the three major arms of online criminality: credit card and bank fraud, and industrial espionage.

The third arm is cyberwarfare. You and I may not be directly engaged in warfare, ever, yet still may suffer its effects: Typically it is carried out via denial-of-service attacks aimed at shutting down a country's or company's online presence. If you do business there, you may find yourself locked out for a time, and perhaps your data will be lost or looted.

The focus of the book is credit fraud, and a major sting carried out by the US FBI, through a web site called DarkMarket. It was a forum for people to "discuss" card fraud, and thus served as a meeting place. Deals were made elsewhere, as the stated aim of the site was to stay (barely) legal. The site was administered mostly by criminals, plus one or two federal agents, unbeknownst to the others. After almost a five-year run, DarkMarket came to an end three years ago.

Carding has several aspects. One is skimming. A small device is added to an ATM, and it reads the magnetic stripe on your ATM card when you swipe it or slip it in. Some have an attachment that reads your PIN as you enter it. The skimmer's "owner" sells the data to someone else, who may use it to clone cards and either raid the card owners' accounts directly, or hire someone else to do so (by visiting ATM after ATM). What is our defense? Get to know how the ATMs you usually use are supposed to look. Be suspicious with a new machine. Most of all, when entering your PIN, hold the other hand above the typing hand, so a nearby camera can't read your fingers. Also keep a sharp eye on a store or restaurant clerk to whom you hand your credit card. Make sure they don't slip the card out of your sight for a moment, to run it through a skimmer under the counter.

Another aspect is stealing a copy of a company's credit card verification database. While this may be done by hacking in, it is usually easier to use phishing, or social engineering. This points up the salient fact about internet security: people are the weak link. Recent incidents of the theft of millions of credit card verification data were cases of someone getting access to a computer with the help, knowing or unknowing, of an insider.

The main substance of the book is a running biography of about three dozen criminals and a number of police and government agents around the world. Internet crime is not confined to America, nor to the English-speaking world. In fact, some of the biggest players are in Russia, the Ukraine, Turkey, and China. The author singles out Odessa, Ukraine, as a major focus of online criminal activity. But it is simply first (or near first) among many. An innocent-seeming e-mail containing some kind of phishing or malware attack may seem to originate from Toronto, for example, but an expert "cracker tracker" may track it via a random African nation or two, to Singapore, and there find that the origin is still further on, but too obscured to track further.

Near the end, the author discusses what we ought to do with an arrested hacker. He is not discussing the organized criminals (who may employ a hacker for technical skills), but those who program for the fun of it and for reputation, having little interest in getting money. A few of those currently behind bars are acknowledged as the best technical minds there are. He thinks it a shame to waste their talent. He may have a point, but the practice some have of hiring a hacker as a security agent smacks of putting the hen house in charge of the fox. A brilliant hacker may be useful, but employing one can only be done safely if he (you can count the females on your thumbs) is supervised by someone of equal talent.

The current state of the internet is much like the wild west. A few criminals have been incarcerated, and a few areas have a sheriff watching over things, but almost anything can be got away with, given some planning. I've been told that services such as LifeLock are unhelpful, but I am not sure. At the very least, keeping tabs on your credit report is a must. Employing LifeLock is probably best for those with something worth losing, like a big IRA.

Even though the book didn't have quite what I hoped to find, it is a fascinating read. The author obtained access to several incarcerated criminals and hackers, and to police and agents from a number of agencies. His acknowledgements indicate he taped 200 hours of interviews. That is about par for a history book this size. The hard work was not in gathering information, but in cross-checking it, both because various people have various views, and because some just lied. Glenny has done an admirable job ferreting out a coherent picture that is as accurate as we are ever likely to have.
