Hackers And Clouds: How Secure Is The Web?

Apple co-founder Steve Wozniak, Kevin Mitnick and Emmanuel Goldstein on Jan. 20, 2003, the day Mitnick was released from government supervision for his crimes as a hacker. Courtesy of Kevin Mitnick

Two new victims took a hit in the Wild West world of computer hacking this week: Citibank, where 200,000 credit card holders were victimized, and the International Monetary Fund, which reportedly also endured a cyberattack.

The FBI is on the case — so much so that 1 in 4 hackers may now be an informant, according to some experts.

Hackers And Spies

Ed Pilkington, who covers hacking for the Guardian, tells Weekend All Things Considered guest host Rachel Martin that the overriding atmosphere in the hacker community is one of paranoia and fear as more and more of them join the other side to get out of trouble.

"They don't really know who's doing what," he says. "It seems such an extraordinary contradiction. Here is this community which in popular vision is a community of anarchists, anti-establishment people, and yet here are so many of them actually acting as the eyes and ears, as virtual spies, on behalf of FBI and Secret Service."

There are those in the cyber-community who think even more than 1 in 4 hackers are in cahoots with the U.S. government these days. Former hacker and information security consultant Kevin Mitnick says that informants are essential to America's defenses.

"I don't know of any case that involves computer hacking where there were multiple defendants charged where there wasn't an informant on the case," he says.

And Mitnick knows the community well. As a kid, he found he had a knack for what was then called "phone phreaking" — essentially hacking phones before there were computers.

"When I got pretty adept with manipulating the phone company's systems, I was able to pull pranks," Mitnick says. "I was able to change a friend's home telephone's class of service to that of a payphone. So whenever he or his parents would pick up the phone to make a call, it would say, 'The call you have made requires a 25 cent deposit.'"

Years later, Mitnick went from hacking phones to breaking into phone companies' computer systems. Then in 1995, he was arrested on charges of computer fraud and served a five-year jail sentence. A fellow hacker testified against him in court in exchange for a lesser sentence.

"You definitely feel a great sense of betrayal," Mitnick says of the testimony. "If hackers, if anyone committing a criminal act, wants to reduce their risk, they obviously don't involve anybody else. The greater the circle of people that know what you're doing, the higher the risk."

Catching Small Fish

Today, the risk — and the stakes — have never been higher. As more and more personal and financial information has wound up on the Web, hackers have increasingly banded together to attack that information.

"The main group are the carders. They specialize in breaking into databases of credit cards, usually held by banks or credit card companies," Pilkington says. "They can do millions of dollars of damage in terms of stealing directly from bank accounts, or going out with fraudulent credit cards that they create using this database of information."

They do this with very sophisticated attacks. But the FBI has managed to fight them, Pilkington says, using an old-fashioned trick.

"It's the trick they use against drug gangs, it's the trick they use against mobsters and the mafia: You catch a little guy doing a little thing," he says.

Pilkington gives the example of Albert Gonzales, who was caught fraudulently taking money out of an ATM, which "in the scheme of this stuff is pretty small beer." Authorities got him out of prison early and set him up in an FBI office. They paid him $75,000 a year to set up networks to meet other hackers.

"He then became essentially a honey trap for big carders and identity thieves in the hacking community," Pilkington says.

But last year Gonzales got a 20-year sentence for hacking: While he was working as an informant for the FBI, he was secretly hacking government agencies and bank accounts.

Fifteen years ago, Mitnick says, things were not this complicated.

"When I was a hacker it was all about pursuit of knowledge, getting a bite of the forbidden apple, so to speak. Then of course the challenge and the seduction of adventure," he says. "Today it's all changed. I mean, the trend of hacking today is all profit — credit card numbers, bank account numbers. For example, Sony recently has suffered over 17 attacks."

Protecting The Cloud

Another tech company hackers were watching closely this week was Apple. CEO Steve Jobs announced the iCloud, a new service that will allow Apple users to store all their email, photos, music and documents on an array of servers.

"By centralizing their data, they've really painted a target on their back," says David Brumley, a computer scientist at Carnegie Mellon University in Pittsburgh. He says Apple's iCloud is a bank of servers in a building the size of two football fields in North Carolina.

"From the reports, they have barbed wire around the building, they have guards and you're going to need an ID to get into those buildings," he says. "So the physical security is actually pretty good. It would be a lot like getting onto a military installation to actually get into Apple's iCloud data center."

Though it may be tough to break into the server's headquarters, Mitnick says, breaking in online could be another story.

"I was hired to test this cloud infrastructure in South America. Literally in the 15 minutes that I was on the phone with the CEO of the company and one of the lead technical guys, I was able to get access that only system administrators should get access to," he says.

Mitnick says there are things everyday Internet users can do to protect their information, like using a VPN client or more secure browsers like Google Chrome, but he adds, "Anything out there is vulnerable to attack given enough time and resources."
