Getting Hacked
While Santa stuffed stockings last Christmas Eve, zombies invaded Columbia.
In hacker slang, a “zombie” is a compromised computer, one that can be remotely controlled to mindlessly attack. In this case, a network of infected computers were commanded to flood the City of Columbia’s website. They obeyed orders perfectly, making the site inaccessible for all of Christmas Day and the day after. visitors were greeted with a message saying the website was taking too long to respond and that users should check their Internet connection. Of course, Internet connection wasn’t the problem. The city was under cyberattack, the first the city had ever faced.
It’s been attacked 17 times since.
All 17 have been Distributed Denial of Services attacks, a popular form of cybercrime that floods a website’s servers. If you imagine 10,000 people trying to fit through the front door of City Hall at the same time, you can begin to understand how a DDOS attack works. The website is inundated beyond capacity by requests from malware-infected computers, blocking all legitimate traffic until the attack subsides. It’s uncomplicated and more or less impossible to stop. Because the attacker doesn’t gain access to the system, a DDOS isn’t a hack. It is, however, a cybercrime — and a serious one at that.
Cybercrime is now a security issue for every person with a computer and every business that’s online, but cybercrime against businesses in mid-Missouri can be difficult to gauge. In 2011, the Missouri Sherriff’s Association was attacked, along with 76 other law enforcement agencies, in protest to Anonymous members being arrested. This attack, and the December attack on the city, was high profile enough to notice, but that isn’t always the case.
“Columbia’s website is very visible, and that attack would be known quickly,” says David Nivens, CEO of Midwest Computech in Columbia. “A law firm or doctor’s office may choose to not make an attack public. a lot of people get hacked and never know it.”
The threats are continually evolving, and computer security experts have to be both proactive and reactive to stay on the cutting edge. This kind of crime is hard to stop, but local experts have some tips to take the safety of your company’s online presence to the next level.
The façade of safety
Hacking becomes more widespread as cybercrime becomes larger scale and more sophisticated. In a scam unveiled in mid-February, cybercriminals stole more than $1 billion from European and U.S. banks through careful infiltration of employee computers. In January, hackers attacked Sony Picures to protest The Interview, a film depicting the assassination of North Korean dictator Kim Jong-Un; in turn, North Korea’s Internet went out a few days later. Other hacking stories abound.
Computer hacking emerged in popular culture in the mid-’80s, propagated by successful hacking movies such as WarGames, in which Matthew Broderick plays an unwitting hacker who nearly sets off World War III. Magazines, notably the still active 2600, and online forums began giving hackers a place to call home — and to swap stories, techniques and secrets.
Nivens says the new information threats have caused massive changes in the 21st century.
“Fifteen years ago, security was pretty static,” Nivens says. “You usually just put up a firewall and then said that was it. Now the bad guys are always one step ahead of everyone else, coming up with new ways to penetrate your network or make you give up information. It’s really a reactive industry.”
Nivens sees three possible motivations for hackers: profit, pleasure and protest. A for-profit hack would be like the one that victimized banks in February; a pleasure hack would be like HackMizzou, a 24-hour pro- gramming competition held on the University of Missouri campus.
The attack on Columbia’s city website was a protest: The attacker, through a YouTube video posted on
the website Counter Current News, said he wanted to punish the city for a 2011 SWAT raid in which two
dogs were shot, one fatally. The YouTube video has since been deleted.
DDOS attacks are popular among the “hacktivists.” In 2011, the hacking collective Anonymous petitioned the U.S. government to legalize DDOS as a legitimate form of protest, saying it was the same as occupying physical space. A DDOS attack is easy, once you have access to a sizable botnet, and you can even download software that teaches you how to do it for free.
Still, complicated attacks involve more layered infiltration. Attackers will often gain access to a company’s system through phishing emails (also known as spam), observe their target and look for weaknesses to attack. Nivens’ company hopes to make those weaknesses as small as possible.
Midwest Computech hosts a Web-based cloud system, using multiple layers to protect customer information. Nivens is quick to distinguish it from the “consumer-level” clouds such as Dropbox and Apple’s iCloud, which was breached last September. Access to Midwest Computech’s secure cloud is encrypted, and having all of the information in one place provides fewer points of entry for potential attackers. The cloud also allows work to be secured from different devices. Having mobile access is important for a modern business, but it also opens up more possibilities for infiltration; more devices on a network mean more devices that could be compromised.
“There’s some façade that if it’s on your network, then you’re safe,” Nivens says. “Life isn’t lived on a desktop anymore. The number of devices that can connect to your data is exponential.”
Picking up the pieces
The DDOS attack on the city website attracted attention from local media, to the apparent delight of the attacker, who fielded a few questions from a Columbia Daily Tribune reporter on Twitter. The attacker was less happy with local news station KOMU 8. after the station posted a Web story, quoting the city’s erroneous statement that the attacker was affiliated with anonymous, KOMU’s website went down. It was
More zombies.
Matt Garrett, director of audience development at KOMU 8, was flummoxed. “Quite frankly, we were dumbfounded as to why we were being attacked,” he says. “We were reporting, factually, something that the City of Columbia told us.”
This elicited a grin from the man seated next to Garrett, KOMU 8 network administrator Jason Kennedy. “We’re still paying for that one,” he says. Three hours after KOMU was able to get the site back up, the attacker crashed it again. The site’s hosting provider refused to allow the site back up again until they had a mitigation system in place, the only real defense against a DDOS attack.
KOMU now uses CloudFlare, a mitigation service that masks a site’s IP address, which makes it more difficult to target. The CloudFlare package with this capability costs $200 a month. This can be frustrating to spend, especially for defense against such a basic attack.
“These attacks aren’t a challenge,” Kennedy says. “This is the same software that I use to stress test our servers. It’s rudimentary. It’s easy.”
Garrett says the DDOS attacks were more than an inconvenience; they were financially damaging. a nonfunctional website is bad for any business, particularly one that relies on Web traffic and Internet ad revenue.
Although they were sleepless holidays at KOMU 8, both Kennedy and Garrett agree there wasn’t much more to be done. They didn’t communicate with the attacker at all, and they didn’t alter their original story to meet the attacker’s requests. To do so, they say, would have only provided an incentive to other potential cybercriminals.
These were the first attacks that Kennedy dealt with in 22 years at KOMU 8. For him, they reaffirmed his suspicions about living in the online age.
“If you’re online, you’re not safe,” he says. “People think I’m paranoid, but it’s true.”
Garrett, now smiling, adds, “That’s mostly because he goes around wearing a hat made of tin foil.”
The risk of the cyber age
If anybody should be at the cutting edge of cybersecurity, it’s John Shier, senior security expert at Sophos, an international computer security company. Shier has an ear for explaining the complex industry in down- to-earth terms: He refers to cybercriminals as “crooks” and takes time to explain terms such as spear-phishing and snowshoe spam. He blogs on Naked Security, Sophos’ cybernews site for the average consumer. Recent topics include a hitchhiking robot and a how-to guide for spotting phishy emails.
Shier knows what a difficult game of chess he’s playing and how well crafted cyberattacks can be. “To do security right is really hard,” he says. “You need to have all of your ducks in a row.”
Shier says phishing emails are the biggest security threat businesses have to deal with. Employees should know how to spot a bad link or a suspicious email and report the potential attack as soon as possible.
Malevolent hackers often cast a wide net in hopes of entangling just enough people to gain access and begin analyzing a target. even when a company is targeted prior to an attack, it’s usually the employees who unwittingly grant an attacker access to the system. after that, the crooks just take what’s available, meaning every business has different security concerns.
“When you break into a jewelry store, you’re not looking to steal one specific Rolex,” Shier says. “You just want to grab as much as you can and get out.”
Sophos tries its hardest to stay at the criminals’ pace. Shier says their emerging threats team is made of top IT professionals who examine weaknesses and continually bolster Sophos products. Shier says it’s important for businesses to stay up to date on their software in an effort to be, at the very least, a moving target that’s difficult to hit.
Still, he knows the realities of the industry. “At the end of the day, they’re going to get in, so it’s about how much the crooks can take,” Shier says.
After KOMU 8 was attacked, Kennedy and Garrett say they moved quickly to pick up the pieces and soberly brace for the next attack. Cybercrime is continually evolving, and the threats to businesses are always changing.
“There is no such thing as ‘ahead of the game,’” Kennedy says. “You can read periodicals, you can stay up to date and keep your stuff patched, but they’re always going to be one step ahead. They’re the ones taking it apart, finding things they can exploit, and you won’t even know until it happens.”