What is going on in the UK right now I wouldn’t even describe as “hacking” at all. In this country it is better known as Pretexting thanks to the Hewlett-Packard CEO scandal back in 2006 where private detectives used Social Engineering techniques to gain access to private data. The term hacking should at least imply a technical component so guessing poorly chosen or unchanged passwords might qualify, but calling up the phone company and sweet-talking (or just bribing) your way in is as old as agent-carried communications themselves. If you don’t believe me just watch an episode of the Rockford Files.
This isn’t about “hacking”, it’s about how the news media in Britain has, by hook or by crook, been able to corrupt large institutions for its own personal gain. Police were bribed, private communications were BROKEN into and this is probably the tip of the iceberg. Real hacker groups and cybercriminals have been plying their trade since these sorts of technologies came online and have proportionally stepped up their activities as the potential profit and visibility have increased. The British tabloid press, on the other hand, appear to have morphed into a criminal enterprise decades ago, it’s just until now nobody had been able to report on it. Gee, I wonder why.
In addition to pretexting it is rumored they used caller ID spoofing to fool phone company voicemail systems into letting them in without the need to enter a password. That meets your narrow definition of ‘hacking’.
That meets my definition of poor security for sure!!!
I agree with Mike B. I saw this thought concisely summed up on Twitter recently with the post:
“The one thing missing from all this news about phone hacking: hackers”.
Also, to Freakonomics, you may want to include the guys behind the Verizon Data Breach Investigations Report ( http://securityblog.verizonbusiness.com/ ) who put out essentially the best and most comprehensive study on actual hacking every year. Their opinions would be quite appropriate here, since they analyze and publish the data.
Tal Be’ery sounds like one of those HBGary types who knows just enough about ‘web security’ to bleed the government out of contractor money.
Everyone else clearly knows their stuff.
you are spot-on with that comment. not to disparage anyone, but Tal’s post was virtually content free, and failed to properly define or characterize what advanced persistent threats actually are. i would have been interested to see the perspective of someone like Marcus Ranum, who, like the rest of the panel, knows his stuff, and often presents insightful counterpoints to Schneier’s pragmatic approach to security.
The example given for “Advanced Persistent Threat” was not random. In the industry, “APT” is often pronounced “Advanced Persistent Chinese”. APT is largely constituted in a series of departments in the Chinese military and other government agencies. The employees’ orders are to steal our technology, whenever stealing it is likely to be more efficient than creating it.
The reason there is no retaliation against the Chinese government for its hacking endeavors is because — unlike the Russian mob or other criminal hacking enterprises — effective retaliation would require the deployment of a major military force.
The Chinese threat? Mmm .. Does anyone ask if the US has been hacking Chinese govt computers? This may be a better explanation about lack of ‘retaliation’ .. This is the same US that used its technology to hack everyone’s mobile! Echelon. Same US that compromised Swiss crypto maker to put a back door on all diplomatic cipher machines! Do I hear someone mention something about kettles calling pots …..
I just want to point out: WikiLeaks started with a giant “hack.” Julian Assange took the data flowing through the Tor network, bouncing between tons of machines for the sake of anonymity, and scooped tons of data out of that stream. He abused the tool so when WikiLeaks launched he could say “tens of thousands of documents uploaded” when none of them were voluntary.
This is the only forum that even brought up the discussion of whether this is hacking or not. Thank you!
There’s quite a bit of gray area with social engineering, but if my vote counts, I say it qualifies, since it involves using techniques to bypass security systems.
In terms of how it’s used in conversation, it seems to me that “hacking” is a phrase people use when they don’t understand what they are talking about. Worse, they don’t want to and/or don’t believe they are capable of understanding, so they stop trying to think at all as soon as the magic phrase appears.
If they simply pointed out this is about corruption of law enforcement and legislators at the highest levels of the UK government and media, and involved the release of protected information potentially under color of law THEN people would perk their ears up.
The hacking scandal in the UK and the Whitey Bulger fiasco in the US share at least one key characteristic — the overseer (Scotland Yard, FBI) got too close to the people they were supposed to be overseeing (media, Whitey). Is this just the 2011 version of George Stigler’s regulatory capture theory of the 1960s?
Reading this, I am wondering if maybe high unemployment numbers and all the baggage that comes with them may be feeding fuel to the hacking fire.
Certainly. I remember reading in sociology texts back in college that poverty and lack of education were the primary contributors to criminality in a given area. People desperate to pay bills & who lack the ability to legitimately get the money are naturally more likely to see crime as the most cost-effective solution. Many even might think, at first, that they’ll only do it a few times to pay these bills. Seeing the ease of making thousands a month, they might stick with it. An example of a layoff leading to a life of cybercrime is given in the presentation “Becoming the six million dollar man”. Google it.
For an immediate idea, here’s the kind of payoff you’re looking at. If the crook has no money, they might use some free samples or $200 for some CC’s, making a few grand off of reselling stolen merchandise. A two grand investment gets them some blank cards, a card writer & some ATM cards with PIN. This usually results in a few grand. They do this a few times and they have $10 grand. Invest some of that in some ACH malware kits & fire them off at small businesses, churches, etc. from residential wifi hotspots. Average ACH fraud is $100k-$300k. Assume laundering & other losses take 50% of the revenue. Resulting profit is still $50k-150k, from a cash investment as little as $3,000. It’s easy to see IT guys remaining jobless for months might think this is a better option, especially if they felt cheated by the system as some crooks describe.
not so sure…. there is a huge difference between small criminals and big ones…the big ones generally try to discourage the small ones as they make life difficult for big criminals i.e. put political pressure on authorities to crack down on crime… small criminals (street theft etc) discourage people from going out and that reduces business for big criminals… big criminals skim from the top and so do not kill the goose .. a protection racket is transparent to the consumer who is paying in higher prices! Robbing banks does not discourage people from online transactions even though via insurance premiums etc the cost is passed back to the consumer…
That sounds nice and much like street crime. However, most online crime actually doesn’t work like that. The vast majority of online criminals are independents, groups or individuals, who saw an opportunity and took up the trade. Most long-term individuals specialize in a particular skill, like developing sploits or building botnets.
The more generalized ones are often composed of small groups that focus on about one scheme at a time, trying to milk it as much as they can. They often have a few profitable core members and sometimes even support personnel who help the new people with hard cases. (Esp. true with 419 groups) The largest groups, like Russian Business Network, do whatever scheme makes them the most money, have an R&D apparatus that develops more sophisticated approaches, and leverage off-the-shelf attack kits where possible.
In the online market, everyone discourages everyone. Competition decides who wins because the competitors are often nameless, invisible and unreachable, even for the big fish. The more successful groups leverage their resources to further deny competitors success, as seen in botnets that disable other botnets’ code or patch vulnerabilities. It’s not like the organized street crime or protection rackets. It’s much more laissez faire.
Alright, these are my first thoughts on the matter. I might post something else after thoroughly reading the sources on the blog. This opinion was previously posted on Schneier’s blog.
I strongly disagree with his assessment. I feel there has been an increase in hacking over the previous years in many extents. The description didn’t factor in some very important issues. The first is the amount of available hacker aids including books, online how-tos, premade scripts, and cheaply available rootkits that actually defeat AV systems & automatically comb up credentials. Hackers in my day didn’t have it that easy, with much of the work being customized & you had to be trusted by pros to get good scripts & best practices.
Second, there’s been tons of press coverage in newspapers, blogs like Krebs’ and magazines like Wired that tell random people about the tools of the black hat trade, what kinds of places have them, how much they cost, and how easy they are to use. One article gave specific web sites that sold CC numbers for “as little as $200.” This was a widely read publication. Any member who had thought crime was risky & expensive to get into is now informed that it’s cheap, low risk, where to get the stuff, and that Western Union is the preferable payment method. Multiply that by thousands of similar articles and you get the idea of the potential impact.
These two factors have combined to cause an increase in online crime. In the ’90s, we were port scanning systems, hoping for default passwords to be there, etc. It was either random or targeted. The credit card theft was mainly a physical affair & identity thieves worked hard to get personal information and selectively hit targets. Today, people can anonymously buy a few dozen credit cards, put them on mag stripes, and cash them out at ATMs. Today, identity thieves & data brokers can use off-the-shelf kits to break into databases, stealing records by the tens of millions or more. In the past, we’d brag about having a hundred or so systems. Today, they have several million at once, acquired with fire-and-forget malware.
So, I’d say that hacking is much more numerous & damaging than it once was. There are more of them, they have better tools, they have more education, most are in foreign jurisdictions, they are making more money on average, and the act requires little to no skill. The situation is much worse than it used to be. An epidemic? Well, the word “pandemic” might be more appropriate considering the number and locations of victims of hacking, online fraud & spam-related fraud.