TERRY GROSS, host:
This is FRESH AIR. I'm Terry Gross. Earlier this month, Google announced that the security of some of its Gmail accounts had been breached by a sophisticated cyber-attack originating from mainland China. That didn't surprise our next guests, Joseph Menn and Barrett Lyon.
They've argued for years that increasingly organized bands of hackers are a threat to everyone who uses the Internet, from individual consumers to banks and credit card companies, to the U.S. government.
Joseph Menn is a journalist who covers cyber-security and other technology issues for the Financial Times. His new book, "Fatal System Error," is a look at the hacker underworld where cyber-criminals in the former Soviet bloc and elsewhere commit extortion, fraud, identity theft and even politically motivated attacks on the Web sites of governments and dissidents.
Barrett Lyon is a computer ace who spent much of his young career defending companies from cyber-attacks and helping law enforcement find and prosecute cyber-criminals. He's currently the CEO of a company called 3Crowd Technologies.
Joseph Menn and Barrett Lyon spoke with FRESH AIR contributor Dave Davies.
DAVE DAVIES, host:
Well, Joseph Menn, Barrett Lyon, welcome to FRESH AIR. Barrett, I'd like to start with you and have you tell us a bit about some of the work that you did helping these online gambling companies, folks that run sites where people can wage bets, which are - and these, of course, are companies located offshore in places like Costa Rica, and they were, in effect, extorted by cyber-criminals. First of all, how did these cyber-attacks work?
Mr. BARRETT LYON (3Crowd Technologies): Well, I began working these guys in Las Vegas, with a company that specializes in operating the information for sports betting, and they were being extorted. They were being shut down, and when they're down, sports betting around the world stops.
So I spent several weeks in Las Vegas dealing with these guys, and it turns out that they were being extorted by basically these unknown people on the Internet that had taken an army or a huge group of computers to flood their Web site.
So it's pretty much the equivalent of owning a restaurant and having 100,000 people show up to your restaurant and buy nothing. So the site just stops running, everything stops working, and your Internet business is no longer a business.
DAVIES: Right. Now, of course, the critical question there is how does one of these miscreants, these cyber-criminals, get control of thousands of computers to simultaneously try to log onto your Web site and thus overload it?
Mr. LYON: It's - there's unlimited ways to do it. These guys have these very sophisticated, amazing softwares that basically can hunt down computers on the Internet that have real common holes in them and then remotely install software that allows them to control those computers.
DAVIES: Right, and the term for someone whose computer has been - a computer that's been taken over by an external operator is a bot, as in robot, right?
Mr. LYON: Yeah, they're basically a bot. They're kind of a tool for your, you know, your whims.
DAVIES: Right, and just to make this clear, we're talking about - this could be many listeners in our audience, for example, who might have been happily using their computers for months, not knowing that somebody somewhere, maybe in Ukraine, has had some program, has gotten into their computer and is actually, without them knowing it, using their computer to flood some Internet site somewhere as part - as part of an extortion effort.
Mr. LYON: Yeah, I mean, that's exactly how it works, and it's not necessarily like the person in Estonia is logged in to your computer and running it physically. Their - your computer has a little piece of software that links into another location that kind of aggregates them all together so you can send commands in a mob or in a mass and say, basically broadcast a message saying, okay, all you computers go and attack this.
DAVIES: Right, and so then once the cyber-criminal has control of thousands of computers, they then contact the Internet gambling company and say what?
Mr. LYON: Well, generally speaking, you'd get an email in your mailbox that says hi, hope you're having a good day.
(Soundbite of laughter)
Mr. LYON: By the way, I'm going to take your business down if you don't give me $100,000 or $20,000. Do it now, and talk to you soon.
(Soundbite of laughter)
Mr. LYON: It's nothing that you'd expect. It doesn't come across incredibly serious at the beginning.
DAVIES: But in fact it happens, right?
Mr. LYON: Yeah, it sure does. I mean, and it started happening I think around in 2004, it turned into an epidemic, and it wasn't just the gambling guys. It was pretty much anything that's online that has any criticality. So we're talking about banks, foreign exchange trading companies, anybody that has some sort of time essence and money attached to their Web site.
DAVIES: Right. Now the reason that you're in this book is that you made I guess an avocation and then a profession out of defending companies from these massive attacks, denial-of-service attacks in which they would be flooded by thousands of robotically controlled computers. How do you defend a company from that kind of a flood of input that shuts it down?
Mr. LYON: Well, when I was pretty young and running some services online that were constantly being brutalized by attacks, not because of extortion but the services on there kind of created this thuggery online and one person's ego would kind of attack the other person's ego, and as a result whoever's computer was associated to that was getting kind of demolished.
And, you know, I was running a small business at the time, and I needed to figure out techniques to kind of filter it to make the service more stable and, you know, less of a - a little more of a fortress. And as a result, you know, I started writing papers and presenting and coming up with methodologies to protect services on the Internet from these types of attacks.
But you know, eventually real businesses started being attacked, and the same things that applied to my small little experiment online ended up working for large companies.
DAVIES: So you would get a panicked call from somebody who says, you know, I've got 24 hours to either pay somebody 50 grand or they're going to shut down my Web site. I can't let that happen. Barrett, help me. What do you do?
Mr. LYON: Well, at the beginning it was more like I got on a plane and showed up at somebody's office and started helping them and helping their engineers fix their network. Later on, when we became a business, I built an infrastructure that had more capacity and basically, you know, a bigger weapon than they had that could absorb it. So it was like a heat sink.
And the attack would come to me, and then we'd clean it, and the result was, you know, good, filtered traffic, and that would be back to the computers that operated that site. So we basically became like a firewall in the Internet for these companies.
But over time it evolved from, okay, let's protect these businesses to let's figure out who this is and make it stop, and let's make them suffer as much as we suffered and our clients are suffering, and that's where it really got personal.
DAVIES: Joseph Menn, how big a problem is this, I mean, these coordinated denial-of-service attacks?
Mr. JOSEPH MENN (Author, "Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet"): Well, the denial-of-service attacks were a very big problem going back years, and then the same bad guys that were - those were one of the obvious things to do with an army of bots. Sending spam was another one, and it still is, but the same bad guys have gone on to do other things.
Now denial-of-service attacks are important again, I would say, not still but again, in the political arena. They're used a lot in sort of modern cyber-warfare.
DAVIES: You know, late in your book, Joseph Menn, there was an astonishing statistic presented, attributed to Admiral Dennis Blair, who was testifying before Congress, estimating that by the end of 2009, which has already passed, of course, 15 percent of all online computers would become robots, become bots, become externally controlled. Is that true? Is that credible?
Mr. MENN: It's certainly credible. We'll never know exactly. The problem is that most people whose computers have become bots don't know it, or they, you know, shoot it in the head and get another computer.
You might not notice any change in your computer, or it might just be slower. You don't really know whether you have - your computer is a bot or not.
DAVIES: Barrett Lyon, go ahead.
Mr. LYON: I was going to say, yeah, another major issue is there's huge sections of the world that pirate their operating systems, and as a result, they don't get the patches that they need, and they don't really get the attention that they need to kind of clean their computers or protect them. So you know, that percentage of the world has grown quite a bit, and I wouldn't be surprised to see that number larger.
Mr. MENN: It's kind of a tradeoff. The pirated machines in the Third World are more likely to become infected, but on the other hand, in places like the U.S. or South Korea, where you've got greater bandwidth, they're more desirable computers because they can do more damage.
DAVIES: And just to (unintelligible) here, when you say - to be clear, when you say pirated, you mean that they have gotten software that's not really from the manufacturer, it's a copy of a copy and is thus more vulnerable to penetration?
Mr. MENN: Well, it's not that they're more vulnerable on the face. The problem is that they tend not to get the updates that will protect them from various new vulnerabilities.
DAVIES: Okay. We're speaking with technology writer Joseph Menn and cyber-crime fighter Barrett Lyon. Menn's new book is called "Fatal System Error." We'll talk more after a break. This is FRESH AIR.
(Soundbite of music)
DAVIES: If you're just joining us, we're talking about the growing threat of cyber-crime. Our guests are technology writer Joseph Menn. His new book is called "Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet." Also with us is Barrett Lyon. He is a self-taught and self-motivated cyber-crime fighter.
You know, so many of these cyber-criminals and hackers are very young, and many got started as teenagers, kind of making, I guess, kind of the equivalent of crank phone calls, really, only a lot more destructive, just discovering what kind of damage they could do by writing software. Barrett, when you were a kid as a teenager, you got into a little bit of mischief yourself, didn't you?
Mr. LYON: Yeah, you know, it was interesting because the Internet wasn't really - well, to me at that time, it wasn't real, and I mean, we were just going from BBSs to where we were dialing in to people's computers to dialing into one computer and having access to many. And before we were using the Internet, we were playing games like Trade Wars and these old-school text games, and none of it really felt real.
So you know, when you first get online, and you're a kid, and your parents and everybody around you has no idea what this Internet thing is, including yourself, you can get yourself in trouble.
DAVIES: Well, tell us about the experience with the AOL site.
(Soundbite of laughter)
Mr. LYON: There may be people listening to this that have no idea that this happened, but yeah, I figured out a tricky way of deleting domain names, and as a test, I compiled a list of domains that popped into my head, and AOL was one of them, and it was deleted. I didn't really think that would become an issue until it became news.
DAVIES: Well, like, it shut down the AOL site for three days? Is that right?
Mr. LYON: Yeah, I mean...
(Soundbite of laughter)
Mr. LYON: There's people I work with now that had to deal with that, and they probably don't know, but - and I was - I forget how old I was. I must have been 13 or something like that. So I had no idea what would actually happen, and if I could have done something differently, I would have. But yeah, I think it had a rather adverse effect on AOL.
DAVIES: Right, and I realize this isn't the proudest moment of your life, but it is revealed in the book, and the other fascinating thing is that when you're there at age 13, the FBI got on - started tracking this down and found their way to your parents' door.
Mr. LYON: Yeah, I think that's about how it went. You know, I wasn't there, so I don't remember exactly what happened, but I've always wanted to pull my FBI file just to see what's in there because it's got to be kind of interesting.
DAVIES: Sure, and I think in fairness, we have to tell the audience that you have since spent many, many years, both professionally and in a volunteer way, helping people fight cyber-crime. So, you know, that adolescent indiscretion had an impact, but it's - you certainly kind of behaved in a different way since then.
You became very good at protecting companies from these denial-of-service attacks, where, you know, thousands of robotically controlled computers would attack somebody's Web site. But eventually you decided you had to track these guys down, I mean, who were there in the great anonymous forest of the Internet. How'd you do it?
Mr. LYON: Well, I mean, like I said, when these guys continuously attacked us, constantly, non-stop, you get to the point where you're just fed up with it, and some of the attacks started looking similar to each other, to the point where we actually, just by looking at the signatures of the attack, we could tell that it was one group or another, and it was kind of triggered based on one extortion attempt or another, and the largest and most difficult ones we wanted to shut down.
So eventually we started looking - I mean, it's kind of just obvious to me, which is, look, if you have, you know, a hundred thousand computers coming after you, and those hundred thousand computers had a hole, or they were compromised somehow, then you could use the same hole and learn who and how these computers are being controlled.
DAVIES: And when you say a hole, you mean what?
Mr. LYON: You know, somebody didn't patch their computer and left a known, exploitable backdoor, you know, that's just sitting there on their computer.
Now, we didn't necessarily have to even go that far. Microsoft did us a huge favor. They left and enabled this simple protocol called SNMP, simple network management protocol, and SNMP was a tool that you can use to look inside the brain of a computer remotely, and it's completely passive, and it's not something that requires you to hack their computer. It's just turned on with public interface, like public access.
So out of the hundred thousand computers that were attacking us, we figured at least one of them had that turned on and enabled, and so we scanned through them and sure enough one was, and then we could look at who that computer was communicating to.
And that led us back to kind of their controller server. So when we started getting on to these control servers, there they were. The bad guys were in there chatting with each other in Russian, and that's where the story kind of begins.
DAVIES: As you began tracking down these cyber-criminals through the Internet and discovered that in fact they were, you know, from the former Soviet Republics and Russia, how did you overcome the language issues, or was that an issue?
Mr. LYON: They predominately speak English, but Google has a great translator. So we'd cut and paste the Cyrillic or, you know, the writings that we couldn't read and tried to figure out what it was and what language it was, and for the most part we ended up getting cuss words back.
(Soundbite of laughter)
Mr. LYON: It wasn't necessarily that useful, but most of the guys spoke English because it was a common way to - you know, keep in mind, they're not all just in Russia. There's guys in China and all over the planet, and if you can have one common language, it ended up being English.
DAVIES: Right, so the lingua franca of the computer world is English, in effect.
DAVIES: And so one of the things I guess you, Barrett, did, was to - once you had access to these kind of, these computer communities of criminals offering stolen goods and exchanging services, you could get in and pretend to be one of them and gradually find out more about who they are.
Mr. LYON: Yeah, so one of the guys I was working with, his name was Dayton Turner(ph), we used his nickname and went in to kind of - it was almost a group of us that were dealing with this, started chatting to each other about what to say to these bad guys.
And eventually it became like this effort where we were just talking to them all the time, and eventually they got comfortable enough with us to where we started talking with them through AIM, AOL Instant Messenger. Actually, no. Back then it was ICQ, which I don't think many people use these days, but through ICQ they gave me a user ID and we started using it to chat with them and found out, you know, what kind of pizza they like. We have this ridiculous amount of information on these guys.
We still didn't know - we knew what the guy's first name was, and we just, we had no idea where they were, other than Russia, and we really didn't have, you know, a good grasp on the guys themselves. We knew what his nickname was. It was Exe, or E-X-E, which stands for executable, I thought, but it actually stood for extremist.
So I set up some logging systems on the more public Internet relay chat servers. These are the ones that, you know, there's hundreds of thousands of people in, and it's a real common place for techies to kind of go and communicate.
And so I took his nicknames, and I just remember adding some kind of triggered words or triggered monitor things that if he logged in to this larger community with his nickname, it would just alert me and record where he logged in from.
And I forgot I did it, and about a week later, I got this little alert. The guy logged in, and he logged in using a vanity domain name, which is a domain that you would purchase to just kind of look cool on the Internet. So I think it was security dash systems.cc. And when you looked up the registration records for security dash systems.cc, it was his name, address, phone number and everything about the guy.
Mr. LYON: And we had him.
GROSS: Barrett Lyon and Joseph Menn will continue their conversation with FRESH AIR contributor Dave Davies in the second half of the show. Menn is the author of the new book "Fatal System Error." Lyon defends companies from cyber-attacks. I'm Terry Gross, and this is FRESH AIR.
(Soundbite of music)
GROSS: This is FRESH AIR. I'm Terry Gross.
Let's get back to the interview that FRESH AIR contributor Dave Davies recorded about cyber-crime with journalist Joseph Menn, author of the new book, "Fatal System Error," and Barrett Lyon, a computer wiz who defends companies from cyber-attacks and has helped law enforcement agencies find and prosecute cyber-criminals. Menn's book is, in part, about Lyon and his work. Lyon's investigation into cyber-crime led him to a Russian crime syndicate.
DAVIES: Joseph Menn, a lot of your book is about these efforts to hunt down and bring to justice these, you know, these cyber thugs who are operating in these former Soviet Republics, and in Russia, too, operating thousands and thousands of computers and running scams and extortion plots and stealing credit cards. Tell us about one of these - one of these cyber-criminals. Just give us a little bit of a sense of who they are, where they operated.
Mr. MENN: Well, if I had to pick one, it would probably be eXe, Ivan is the one we know the most about. But, you know, he's a kid. And Ivan was the guy that actually did the work. And he lived with his parents in a not-very-nice town, in a not-very-nice house. And he's like Barrett, a self-taught computer wiz. And he had a relay chat room going, and he needed a bot to keep it going.
So he learned a little bit about how to write bot code, and he just learned to do it. And he met somebody else online, these chat rooms, and they started talking about how they were assembling a, what he called, you know, a self-breeding bot that would take over more computers. And it was just - they offered to hire him, and he made very little money doing it.
DAVIES: And so he was how old when he was arrested?
Mr. LYON: I'd want to say 23, 24.
Mr. MENN: Yeah. I think 23. Somewhere in there.
DAVIES: A lot of these are really...
Mr. MENN: (unintelligible) people. Yeah.
Mr. MENN: Yeah.
Mr. LYON: Yeah, I mean, I was only maybe a year or two older than him and...
Mr. MENN: Some of the big bosses were even younger.
Mr. LYON: Yeah.
Mr. MENN: They're really scary guys that are above the guys that are above the guys, like Ivan, also early 20s.
DAVIES: You describe these enormous investigative efforts to track down these cyber-criminals who are in various - of the former Soviet Republics and in Russia. And in some cases, people were arrested. In some cases, there were trials. But it was striking how little real punishment was inflicted. You know, despite these guys committing really big crimes and threatening a lot of international commerce, why was it so hard to bring these folks to real justice?
Mr. MENN: Because this isn't really about street crime. This isn't really about criminals. This is a matter of geopolitical struggle right now. And these people are very useful. If you are a government and you have some citizens that know how to get into other people's bank accounts, that can get into other people's Web sites and that have thousands upon thousands of computers that could be used, you know, at your whim, that's a pretty handy set of skills and resources to have.
And the Soviet - the former Soviet Union cares about that stuff, and Russia, in particular, cares about that stuff. And Russia has found some of these same crime lords to be very useful in political disputes.
DAVIES: Well, like what? Like how? How would they handle...
Mr. MENN: Well, like the attacks that shut down government Web sites in Estonia and government and media Web sites in Georgia, and mysteriously, their denial of service attacks used against people like Garry Kasparov, internal dissidents in Russia and mainstream Russian media sites. If they happen to run an interview with an exiled oligarch that is out of favor with the Kremlin, mysteriously, their Web site goes down due to denial of service attack.
DAVIES: So you're saying that the Russian government, with dissidents and international rivals and political opponents, will either orchestrate or cooperate with these cyber-criminals to do one of these massive denial of service attacks and flood a Web site and shut down someone else's operation?
Mr. MENN: That's exactly what I'm saying. It's something that's been suspected by a lot of really good researchers that have worked really hard to make the case, and it's always been circumstantial. But it's clear what's going on here, and these people are protected by the Russian government and they're used by the Russian government against their enemies, foreign and domestic.
DAVIES: If you're just joining us, our guests are technology writer Joseph Menn, who's just written a book called "Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet." Also with us is Barrett Lyon. He is a self-taught and self-motivated cyber-crime fighter who has worked with law enforcement and companies to defeat cyber-crime attacks and bring cyber-criminals to justice.
Well, Joseph Menn, there's been a lot of attention recently about cyber-attacks that appear to be coming from China and may or may not be connected to the Chinese government. What's your view what's going on there?
Mr. MENN: First of all, they are connected to the Chinese government. Even Google surprisingly made that, you know, as clear as they could. Google escalated - Google complained publicly about the hacking earlier this month. They went after not just human rights activists and dissidents within China trying to get into their Google mail accounts, but also after some of Google's proprietary software.
And Google took it to the next level and said stop censoring our results within China, or we'll leave. And obviously, that's something that only the government can decide. So, they - without saying it explicitly, Google is saying that the Chinese government is behind the hacking. And I can tell you - it's also in the book - yes, the Chinese government is behind the hacking.
DAVIES: And what are the potential consequences here? I mean, are they - what havoc or mischief might the Chinese government, you know, work with this ability?
Mr. MENN: Well, this - I think this is kind of a watershed moment. The China one is a really big one. Basically, what you have is organized crime in Russia that is going after your bank account, my bank account and lots of other things, basically about money and protected by the Russian government because they're used in quasi-military operations.
In China, you have the government supporting a massive effort to steal commercial secrets and military secrets in the U.S. And what the sophistication of the hacks against Google and others shows is that there is an awful lot invested in this, and they already have an enormous amount. And they see cyberspace as a way to catch up to the U.S. in terms of military domination.
DAVIES: So what could they do? Could they take down the American electric grid...
Mr. MENN: Absolutely.
DAVIES: ...steal our military secrets? Yes?
Mr. MENN: That they have our military secrets, and they could shut down the electric grid. And if you do that for long enough, then you're talking about stone age conditions.
DAVIES: We're just about out of time, but, you know, Joseph Menn, I have to ask you. You know, I don't want to be too apocalyptic here, but, you know, the 9/11 attacks completely changed our view of so many things about air travel and the relationship between civil liberties and security. And I wonder if the Internet seems so vulnerable and the criminal seems so sophisticated and the political obstacles to action seems so great, do you think we're headed for some sort of cyber catastrophe that will change the way we look at these issues?
Mr. MENN: It may well be, and it may be an act of war or an act of terrorism because, we didn't talk about it, but the terrorists are also pretty interested in this stuff. It's really handy. But it is more likely that it'll be, I think, dribs and drabs. And the reason that people aren't rising up in arms about this now is that, in general, your credit card covers you if something bad happens.
And it sort of gradually gets passed along to the merchants, usually, who charge more. And so it's sort of generally absorbed by society. But it's a - if you believe Barack Obama, it's a trillion dollar drain on society every year. It's just an insane amount of money. And our economy doesn't really need that kind of drain. So I think it's more likely that there'd be sort of a gradual lessening of faith in online commerce. And that's kind of too bad, because online commerce is one of the things that's really helping the economy recover.
DAVIES: Barrett Lyon, you want to add your thoughts here, before we end?
Mr. LYON: Yeah. I think my view of security is just, I give up. I'm so frustrated with it that the industry itself has become very, very paranoid, which isn't a great way to be able to interact with the Internet. You don't want to be paranoid.
DAVIES: When you say the industry, you mean what?
Mr. LYON: Just the security industry alone is just a - it's not a place that's conducive to openness and thought sharing and things like that, which is what the Internet originally was all about. The other thing is security was an afterthought for the Internet. It's all duct tape. It's things that were added to the - you know, on top of, you know, the protocols that are the base of it. And they weren't just, you know, the Internet just wasn't generally built for this purpose. And I guess the frustrating part is, you know, if we can build this fantastic, amazingly scalable communications network, can't we sit back and go, OK. Well, that works really well. What doesn't work well? Well, we can point at that. And how come we can't take the time to sit back and do it right? And why can't we look at and go, well, it's software. We can do anything with it. That's the frustrating part.
DAVIES: Well, Joseph Menn, Barrett Lyon, thanks so much for speaking with us.
Mr. MENN: Thanks for having me.
Mr. LYON: Absolutely. Thank you very much.
GROSS: Joseph Menn is the author of the new book, "Fatal System Error." Barrett Lyon has defended businesses against computer attacks and investigated cyber criminals. Coming up, rock critic Ken Tucker reviews the new album by Magnetic Fields. This is FRESH AIR.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.