If 2011 was the year the world witnessed the potentially devastating impact of cyber crime, 2012 saw governments and security agencies stage a fightback in an attempt to regain control.
As ever, the case for improving both the national and commercial cyber defences grew dramatically. According to Ernst & Young’s 15th Global Information Security Survey, published in October, nearly nine out of 10 IT leaders in the UK reported an increase in external attacks compared to the previous year, up from 72% in 2011 and up from 41% in 2009.
When announcing a new cyber security centre in the UK in October, foreign secretary William Hague called for a new international consensus to improve cooperation between states, businesses and organisations to combat the worst abuses in cyber crime.
And in an annual report in July, the UK Intelligence and Security Committee suggested that the nation should take a more aggressive stance by engaging in ‘active defence’ of its interests in cyberspace.
It was a suggestion that may have been influenced by reports from the US press, revealing that the US and Israeli intelligence forces had been behind high-profile cyber attacks such as the Stuxnet and Flame malware worms in 2010.
In terms of inbound threats of state-sponsored attack, China remained a key suspect for several nations last year. This suspicion spilt over into the telecoms space, and in October the US government barred Huawei and ZTE from taking part in any acquisitions or mergers in the country. A congressional report warned that the Chinese vendors “cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States”. Naturally, Huawei flatly rejected the accusation.
It was not just external threats that seemed to be on the rise in 2012: there was also an apparent increase in internal data security lapses. In August, a report by the Information Commissioner’s Office (ICO) in conjunction with Syscap found that the number of fines months was four times the number it had issued the previous year.
The ICO also issued its first fine to an NHS body in April when it handed a £70,000 penalty to a Welsh health board after sensitive patient records were sent to the wrong recipient.
Two months later the privacy watchdog stung Brighton and Sussex University Hospitals NHS Trust with a record £325,000 penalty after patients’ medical records were found to have been sold on hard drives on an Internet auction site in October and November 2010.
After falling victim to cyber attacks last year, some businesses suffered not only from the direct consequences of the incidents themselves, but also as a result of the aftermath that followed.
The year had barely begun when US online clothing retailer Zappos was hit by a data breach that exposed personal data relating to its 24 million customers. In response, the company reset all of its customers’ passwords, and in anticipation of the huge influx of calls to follow shut off its phone-based customer support, asking customers to email instead.
“We’ve spent over 12 years building our reputation, brand and trust with our customers,” Zappos CEO Tony Hsieh wrote in an email to employees at the time. “It’s painful to see us take so many steps back due to a single incident.”
And in June, US-based Global Payments, which processes payments for several credit card companies, confirmed that around 1.5 million credit cards were compromised in a data breach three months earlier when an investigation by the company revealed that it had been the victim of “potential unauthorised access to servers containing personal information”.
As a result, Visa dropped the company from its PCI DSS compliant list – a minimal security standard requirement that companies processing credit card details must meet in order to safeguard cardholder information.
During the same month, professional social networking site LinkedIn was hit by a security breach that saw 6.5 million partially encrypted passwords leaked onto a Russian cyber criminal site. While it was eventually dismissed in a US court, LinkedIn was served with a class-action lawsuit over the incident worth more than $5 million for “failing to properly safeguard the data”, demonstrating the potential indirect cost of failing to put adequate security measures in place.
In 2011, the biggest story in the information security sphere was the emergence of ‘hacktivist’ groups such as Anonymous and its loosely affiliated splinter group, LulzSec. The shenanigans continued in 2012, but this time the long arm of the law fought back.
In February, one LulzSec member hacked into a Met officer’s personal email and found the details of a supposedly private conference call between Scotland Yard and the FBI. This enabled the hacktivist group to dial in, record and publish the recording on the Internet.
The FBI retaliated in March when it confirmed that it had arrested five LulzSec members in relation to high-profile attacks made on businesses and governments last year. The arrests were made after information was provided to the FBI in testimony by a LulzSec member known as ‘Sabu’, who had pleaded guilty to “computer hacking conspiracies” in August 2011.
In April, Anonymous went on to claim responsibility for DDoS (distributed denial-of-service) attacks on UK government websites belonging to 10 Downing Street, the Home Office and the Ministry of Justice in protest against the planned extradition of alleged hacker Gary McKinnon, and Richard O’Dwyer (founder of file-sharing website TV Shack), to the US.
Officers from the Met’s Police Central e-crime Unit (PCeU) arrested a 41-year-old in conjunction with the 10 Downing Street and Home Office attacks in November. “The activity this morning demonstrates the commitment of the PCeU and our colleagues to combat cyber criminality anywhere within the UK and take action against those responsible,” said PCeU detective inspector Jason Tunn in a statement at the time.
Towards the end of the year, a 22-year-old student and Anonymous member pleaded guilty in December to participating in denial-of-service attacks on targets including PayPal, Visa and Mastercard. PayPal said the attacks cost it £3.5 million in lost trading and increased security spending.
The police may be catching up with last year’s criminals, but as always the bad guys set the pace for innovation. According to a recent report from McAfee, in 2013 cyber criminals offering ‘hacking as a service’ will become increasingly prevalent.
One example of this was unearthed in October by security researcher Brian Krebs, who discovered a service called Dedicatexpress advertised on several cyber crime forums. The service reportedly offered customers access to 17,000 hacked computers with weak passwords at several Fortune 500 companies, including networking giant Cisco.
For just a few dollars, buyers are supposedly granted access inside companies’ networks via remote desktop protocol services that had been left enabled on the compromised machines.
Krebs wrote that the service operators even provided online ticket-based technical support to their customers should they experience any problems with the hacked servers, showing that, while morally dubious, even cyber criminals recognise the value of good customer service.
With luck, law enforcement agencies will find out how to crack down on services such as this, but it is almost inevitable that the cycle of innovation will continue. It is this sense that the traditional approaches to fighting cyber crime may not be working that security guru Bruce Schneier addressed when he spoke at the RSA security conference in November 2012.
“We will do much better against not just crime or fraud but any other defection if we engage people’s moral or reputational systems and get laws working right before building the firewalls and everything else,” Schneier said. “We’re much better when we look at this entire space instead of just the security systems.”