THE SINISTER WORLD OF CYBERCRIME, PART II

Tech columnist Kevin Roose describes today’s world as “a time when everything from refrigerators to baby monitors is networked, internet-connected, and vulnerable to attack.” Does that make you nervous? It should. (Part I of our survey of cybercrime is on page 187.)

RISE OF THE MACHINES

Proving that life imitates art, many households now utilize Star Trek–like technology called Internet of Things (IoT), a network of devices that can be operated remotely. Now you can activate your coffeemaker, lock your front door, or command your “smart speakers” (Amazon Echo, Google Assistant, etc.) to play your favorite songs, all from a distance. The possibilities are impressive…but also terrifying. As malware expert David Balaban puts it, “We are all lucky enough to live a world full of interconnected devices, which is very cool because it’s so easy to keep remote things at your fingertips wherever you are. The flip side: anything connected to the Internet is potentially vulnerable.” Most IoT manufacturers focus on convenience, not security, and that makes sense, because most consumers don’t want to enter a complex password every time they adjust the thermostat or turn on a light, and who’d want to hack those things, anyway? Spoiler: Cybercriminals would.

When you turn on an unsecured IoT gadget (and many of them are), tech-savvy criminals could tap into it, steal your Wi-Fi password, and then intercept data transmitted on your network. Samsung’s smart refrigerator, for example, displays users’ Gmail calendars on its door—but a flaw made it possible for outsiders to steal the users’ Gmail login credentials. Even easier: anyone can access your appliance using its default name and password if you didn’t bother to change them (who does?). Rutgers student Paras Jha and two cohorts took advantage of this in 2016, when they wrote software that seized control of 200,000 IoT devices and created the first IoT botnet—a collection of computers controlled remotely without the owners’ knowledge. By directing their army of unlikely soldiers (thermostats, refrigerators, and home surveillance cameras) to overload servers, Jha and friends conducted at least four massive attacks on the college’s computer network. (One of them was done specifically to delay Jha’s calculus exam.) And before he was caught, Jha released the code for his software, called Mirai. That spawned several copycat botnets, which caused widespread damage to other major computer networks across the country.

Whoa! The average U.S. high school senior spends nine hours a day on “screen time.”

WHO’S DRIVING THE CAR?

IoT properties are now common in critical electronics from cars to cardiac devices, which if hacked could have serious consequences. In 2016 Chinese security researchers demonstrated one potential danger when they took control of a moving car—from 12 miles away. The car was a Tesla Model S, but the researchers from Keen Security Lab say the hack would work on other Tesla models, too. By commandeering the car’s network of computers (which is built into all modern vehicles), the team could remotely operate all of its electronic features. Whether the car was parked or driving, they could apply the brakes, unlock the doors, open the trunk, turn on the wipers, and change the seat adjustments. All the hackers needed was to: 1) connect the car to a Wi-Fi hotspot that they set up, and 2) turn on the car’s web browser. Although Tesla eliminated this vulnerability, experts worry that cybercriminals will find new ways to crash cars, sabotage heart monitors, and generally wreak havoc using IoT devices.

UNFREE AS A JAILBIRD

According to Infosecurity magazine, nine out of ten cybercrime victims suffer financial harm. But some, like Los Angeles resident Gerber Guzman, suffer an even worse fate: Their freedom is imperiled. About 14 percent of identity fraud victims are falsely implicated in crimes when the thief provides their identification to police when caught. Around 2008, Guzman experienced this nightmare when officers arrested him for a crime he didn’t commit. They believed he was a drug offender who had skipped court.

Details of how the cybercriminal obtained Guzman’s data are hazy. Perhaps he stole it online and created an ID with his own photo. Or maybe he wasn’t even a hacker, because criminals can just buy personal information on the black market or on the dark web. In 2015 reporters for the online news site Quartz found more than 600 seller offers for “fullz” (a full data set, including the victim’s name, address, birth date, Social Security number, and possibly credit card information). On average, each fullz sold for only $21.35.

But however Guzman’s thief acquired the data, he was walking around free while Guzman was locked up in jail. Not surprisingly, the cops paid no attention to Guzman’s claims of innocence, which sounded exactly like those of everyone else who’s in jail. He pleaded for days…then a week…then another week…until—finally—U.S. marshals compared his fingerprints to those of the drug offender who had used his identity. They didn’t match, so after 16 days in jail, Guzman was set free. But the story wasn’t over.

After his release, authorities assured Guzman that his case record would be corrected. Except…six years later, when Guzman was pulled over during a traffic stop, police said he had an outstanding warrant in New York for drug crimes, and took him to jail. He was separated from his two children and his wife, who was eight months pregnant. Guzman’s wife, Yanira Hernandez, explained everything to the DEA, but nothing happened. Desperate, Hernandez turned to the news media for help. In an interview with KCBS in Los Angeles, Hernandez lamented, “They know it’s not him, but they still have him in there, and that’s what’s heartbreaking.” Ultimately, KCBS was able to help get Guzman out…but only after he’d spent 12 days in jail.

A record 4,239 guns were seized at U.S. airports in 2018. (86% were loaded.)

CYBER PEEPING TOMS

You’ve probably seen it in suspense movies or TV shows: Computer hackers remotely activate someone’s computer webcam so they can spy on their victim. Secretly, they watch, snap photos, or record video of whatever appears in the webcam’s field of view, which for many people includes their bedroom. Called camfecting, this spying is devastating to victims. If they’re lucky, the hacker is just a creepy stalker. If not, it’s a creepy stalker who blackmails them with photos of them undressing (or worse), which is known as sextortion, and it’s more common than you think. In Britain, the number of webcam blackmails rose from nine in 2011 to nearly a thousand in 2016. And that’s only the ones that were reported.

In 2013 Cassidy Wolf, a model and winner of the Miss California Teen beauty pageant, was terrorized by a hacker who spied on her for a year before threatening to post photos of her if she didn’t comply with his demands. His demand: that she create a sex video for him. Taking a risk, she decided to ignore his threats and reported him to the police. Eventually, authorities identified him as 19-year-old computer science student Jared Abrahams. Through malware known as “creepware,” he had tapped into the webcams of more than 100 women and underage girls. He served 18 months in prison while Wolf, now Miss Teen USA 2013, toured schools to warn about sextortion.

How did Abrahams install the creepware? He sent out phishing messages—so called because they’re designed to bait and hook you like a fish. Once unsuspecting victims click on the link provided, they download malware that lets hackers access their computers. Or maybe someone physically installs it on their devices. That’s what happened to ten women who asked a friendly University of Florida student to repair their computers. When he fixed the machines, he planted spy software that automatically opened as soon as the webcams detected movement. As if that violation of their privacy wasn’t bad enough, he used video he’d taken of one woman as a marketing tool to sell his program to other hackers. And after a stint in jail…he started a marketing business.

A TIP FROM UNCLE JOHN

You can’t rely on your webcam’s light to come on when it’s recording. Hackers can disable the light. Your best bet is to cover the webcam when you’re not using it. Famously, Mark Zuckerberg, former FBI director James Comey, and Pope Francis all place tape over their webcams…but a hacker can still listen through the microphone.

Two biggest consumers of helium worldwide: 1) The U.S. government. 2) The Macy’s Thanksgiving Day Parade.

YOU DON’T HAVE TO PUT ON THE RED LIGHT

There’s a scene in the 1995 cult classic Hackers in which tech-savvy teens break into New York City’s traffic control system and cause citywide gridlock. That really happened during a Los Angeles rush hour in August 2006. At four of the city’s busiest intersections, drivers were stuck for what must have seemed like forever. Red lights were unusually long; green lights were very short. Traffic jams plagued Los Angeles International Airport, Studio City, and other crowded destinations for four days. But unlike in Hackers, the perpetrators weren’t pesky teens—they were city traffic engineers. Angry over a pay dispute, Kartik Patel and Gabriel Murillo stole a supervisor’s credentials, logged into the system, and reengineered the lights. To further jam things up, they changed the access codes so that managers couldn’t reset the lights. Besides frustrating commuters, the stunt threatened public safety. City workers have to be able to manage traffic lights to help first responders get to a crime scene, but for days they lost that ability. It could’ve been worse, though. If the engineers had been able to disable the lights, they might’ve caused deadly crashes instead of just making everyone want to take a long drive off a short pier.

Jump-drive to page 440 for the most destructive cybercrimes.

A RANDOM BIT OF FACTINESS

Queen drummer Roger Taylor has a four-octave vocal range, just like Queen singer Freddie Mercury.