
USAToday stories


MY TAKE: Once upon a time, circa 2003-2004, botnets emerged as the engine of cybercrime

By Byron V. Acohido

Betty Carty figured she ought to be in the digital fast lane.

Last Christmas, Carty purchased a Dell desktop computer, then signed up for a Comcast high-speed Internet connection. But her new Windows XP machine crashed frequently and would only plod across the Internet.

(Editor’s note: This 2,200-word article was originally published Sept. 8, 2004, in print as a USA TODAY Money section cover story, part of a three-part series on the emergence of botnets for systemic criminal use. Botnets are today much larger, stealthier and more sophisticated. They now pivot off cloud-based services, and they continue to be the engine that drives most forms of Internet-centric hacking.)

Dell was no help. The PC maker insisted — correctly — that Carty’s hardware worked fine.

But in June, Comcast curtailed Carty’s outbound e-mail privileges after pinpointing her PC as a major source of e-mail spam. An intruder had turned Carty’s PC into a “zombie,” spreading as many as 70,000 pieces of e-mail spam a day.

Related article: The care and feeding of botnets in 2017

The soft-spoken Carty, 54, a grandmother of three from southern New Jersey, was flabbergasted. “Someone had broken into my computer,” she says.

Since early 2003, wave after wave of infectious programs have begun to saturate the Internet, causing the number of PCs hijacked by hackers and turned into so-called zombies to soar into the millions — mostly in homes like Carty’s, at small businesses and on college campuses. And, much like zombies of voodoo legend, they mindlessly do the bidding of their masters and help commit crimes online.

Personal computers have never been more powerful — and dangerous. Just as millions of Americans are buying new PCs and signing up for ultrafast Internet connections, cybercrooks are stepping up schemes to take control of their machines — and most consumers don’t have a clue.

“We thought things were bad in … more

The takedown tale of Gribodemon

by Donna Leinwand Leger and Anna Arutunyan, USA TODAY March 5, 2014

TVER, Russia — Sasha Panin called himself “Gribodemon,” and his evil works in the world of cybercrime have bedeviled millions.

Panin is a 20-something Russian computer whiz who until a few years ago lived in obscurity with his grandmother in this struggling riverside city.

Context: Lessons from the capture of Spyeye’s mastermind

Working from a Moscow apartment, federal prosecutors say, Panin developed SpyEye, one of the most destructive computer software programs ever launched in the Internet’s criminal underworld, the dark Web where hackers ply their trade.

Panin’s software tool kit, which sold for a few thousand dollars on underground websites, systematically infected more than 1.4 million computers, where it collected bank account credentials, credit card numbers, passwords and personal identification numbers.

The world’s cybercriminals — from lone hackers like Panin, who supply the software tools, to elaborate, multilevel crime syndicates that steal billions of dollars every year — wreak havoc on computer systems: Witness the data heists that struck Target and Neiman Marcus during the holiday shopping season last year.

An examination of Panin’s case, his lifestyle, his eccentric ambitions and his ultimate capture by U.S. authorities reveals how youthful hackers hiding behind anonymous screen names in unlikely corners of the world can use their personal computers and programming skills to create malicious software, called malware, with the power to penetrate computers at multinational corporations, financial institutions and governments — and steal your credit card numbers or even your identity.

The threat from hackers for hire, state-sponsored cyber intrusions and organized cyber syndicates is so dire that Director of National Intelligence James Clapper lists cybersecurity as the greatest global threat, edging out terrorism and weapons of mass destruction.

To catch Panin, who awaits sentencing in a U.S. prison after pleading guilty this year to bank and wire fraud, FBI agents crisscrossed the globe, hacked into computers and posed … more

Reuters editor accused of getting Anonymous to hack former employer

By William M. Welch and Byron Acohido, USA TODAY

(Update, 15 March 2013: Reuters suspended the social-media editor charged Thursday in federal court with conspiring with the hacker group “Anonymous” to hack into and alter an online Tribune Company news story.)

A social-media editor for the Reuters news agency was charged Thursday with conspiring with the hacker group “Anonymous” to hack into and alter an online Tribune Company news story, the Justice Department said.

The Los Angeles Times reported that the case involved an attempt to change an online version of one of its stories.

Matthew Keys, 26, of Secaucus, N.J., was named in an indictment in the Eastern District of California. He was charged with one count each of transmitting information to damage a protected computer, attempted transmission and conspiracy, the Justice Department said.

Keys worked for a Sacramento television station, KTXL Fox40, as a Web producer until he was fired in October 2010, the department said. The station and Los Angeles Times are owned by the Tribune company.

Reuters said in a prepared statement that it was aware of the charges and is “committed to obeying the rules and regulations in every jurisdiction in which it operates.” It noted that the indictment cites actions that occurred in 2010, before Keys joined Reuters in 2012, and said the agency would have no further comment.

The indictment alleges that two months after leaving the TV station, Keys provided members of the hacker group Anonymous with log-in credentials to a Tribune Co. computer server.

The Justice Department said Keys identified himself as a former Tribune employee during an Internet forum chat and provided the Anonymous group with a login and password, then allegedly encouraged group members to disrupt the website.

The indictment alleges that at least one computer hacker used the credentials provided by Keys to log into the Tribune server and make changes to the … more

MY TAKE: Why tightening security on BYOD devices could erode productivity

By Byron V. Acohido

So you don’t mind paying for the latest, greatest mobile device and dedicating it to both home and work tasks. Join the crowd.

BYOD — Bring Your Own Device to work — is a trend that’s been on the rise for a few years. Companies save costs, employees enjoy greater flexibility, and both reap productivity gains.

Companies in 2012 generally conceded that BYOD is unstoppable. That said, workers who opt to join the BYOD craze this year won’t have the same free-wheeling experiences that characterized the trend in its earlier stages.

This year, BYOD participants can expect to relinquish control of their devices — and forgo a level of privacy — as companies impose much tighter security constraints, mobile industry analysts say.

“If workers want more BYOD, they will need to give up something in return,” says Jack Gold, researcher at J. Gold Associates. “That’s the ability for enterprises to enact policies and control their access and actions.”

As the BYOD craze heated up in 2012, tensions mounted. Information-technology departments used to micromanaging the use of company-supplied equipment discovered that locking down employee-owned devices — without stifling new-found productivity gains — was anything but simple.

In response, a new category of tech systems, referred to as mobile-device management, or MDM, tools and services, took root. “Organizations will continue to grapple with BYOD security and usage issues in 2013,” predicts Christian Kane, enterprise-mobility analyst at research firm Forrester.

Mixed tasking

The beginnings of BYOD trace back a few years, when consumers first began gobbling up cool new social-networking, gaming and mapping apps delivered via state-of-the-art mobile devices.

Initially, workers looking for an edge began to tap hot new consumer apps for work-related networking and collaborating on iPads, iPhones and Android smartphones. Then, app-happy senior executives began to demand access to company e-mail and databases via their new smartphones and touch tablets.

“Employees sought the ability to mix work during personal time … more

Google execs lack clarity in closed-door briefing of Congress

By Byron Acohido, USA TODAY, 3Feb2012, P1B

Google executives faced tough questions Thursday, in a meeting with members of Congress, about changes to the company’s privacy policy scheduled to go into effect March 1.

However, the search giant failed to assuage lawmakers’ privacy concerns stemming from the company’s controversial plans to step up the cross-referencing of data generated by consumers who use its popular online services, says Rep. Mary Bono Mack, R-Calif., who arranged the closed-door briefing.

Pablo Chavez, Google’s public policy director, and Michael Yang, its deputy general counsel, outlined how the company supplies consumers with a number of tools to protect their privacy. Lawmakers questioned whether tools that Google makes available to help consumers control their privacy were user-friendly and effective.

Rep. Joe Barton, R-Texas, says Chavez and Yang “danced around actual details, and instead spoke in generalities, highlighting their efforts to ‘enhance the user experience’ — but at what cost?”

Bono Mack said she expects Google to proceed with its planned March 1 change.

“I don’t know that I got any more clarity than what I’ve been reading in the press,” says Bono Mack. “There’s a big concern in Congress about privacy, on both sides of the aisle.”

Public hearings on Internet privacy are planned for this spring, she says. And Google spokesman Chris Gaither says: “We’re happy to discuss our updated privacy policy with Congress.”

On Thursday, the Google officials were pressed on whether the company’s new policy enables a consumer to easily and completely delete a Gmail message or a record of a search for sensitive information, such as on a medical website.

“Consumers want to know if they hit the delete button, that something truly is deleted,” says Bono Mack.

Gaither made reference to Google’s stated privacy policy. The company aims to “maintain our services in a manner that protects information from accidental or malicious destruction,” the policy states. “Because of this, after … more

Trust in the Internet falters after DigiNotar, Comodo hacked

The keepers of the Internet have become acutely concerned about the Web’s core trustworthiness.

A hacker cracked into digital certificate supplier DigiNotar this summer and began issuing forged digital certificates for hundreds of web pages published by dozens of marquee companies.

Unable to cope with the fallout, the Dutch firm, a division of Vasco, filed for bankruptcy on 20Sept2011 and abruptly closed up shop. Two other digital certificate companies — New Jersey-based Comodo and Japanese-owned GlobalSign — were similarly hacked this summer, exposing a glaring weakness in the Internet’s underpinnings, security analysts say.

“The infrastructure baked into the Internet, which is based on trust, is starting to fall apart,” says Michael Sutton, research vice-president at security firm Zscaler. “If somebody can issue faked digital certificates, it throws the entire process into chaos.”

The hacked firms are among more than 650 certificate authorities, or CAs, worldwide. CAs work behind the scenes with the five top web browsers — Microsoft’s Internet Explorer, Firefox, Opera, Apple’s Safari and Google’s Chrome — to assure the authenticity of web pages where consumers type in sensitive information, such as account logons, credit card numbers and personal data.

Digital certificates enable consumers to submit information that travels through an encrypted connection between the user’s web browser and a website server. The certificate assures the web page can be trusted as authentic. But the unprecedented attacks against CAs show how fragile that trust can be.
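Added here as an illustration, not part of the original story and not code from any of the firms named: a small Go program, standard library only, that shows the weakness the analysts describe. A browser accepts a certificate if it chains to any root in its trust store, so a single compromised CA can mint a certificate for a site it has never dealt with. The CA names and the hostname `login.example.com` are made up for the example, and the pinning check at the end is the kind of extra control a site operator can add; it is not something the article describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// sign creates a certificate from tmpl, signed by parent (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// newCA builds a self-signed root CA (names are constructed for this example).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// issueLeaf has a CA sign a server certificate for host. Nothing here asks whether the
// CA has any relationship with host; that gap is what a compromised CA exploits.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64) *x509.Certificate {
	leaf, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return leaf
}

// verifyChains does what a browser does: accept if the certificate chains to ANY root in
// the trust store and carries the name of the site being visited. Returns nil on failure.
func verifyChains(leaf *x509.Certificate, roots *x509.CertPool, host string) [][]*x509.Certificate {
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return nil
	}
	return chains
}

// spkiPin is the SHA-256 of a certificate's SubjectPublicKeyInfo, the value public-key pinning compares.
func spkiPin(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// acceptsPinned adds the check the plain CA model lacks: some certificate in the validated
// chain must carry the public key the site operator has pinned.
func acceptsPinned(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) bool {
	for _, chain := range verifyChains(leaf, roots, host) {
		for _, c := range chain {
			if spkiPin(c) == pin {
				return true
			}
		}
	}
	return false
}

// Outcome records how a genuine and a forged certificate fare under each policy.
type Outcome struct {
	GenuineByRoot, ForgedByRoot bool // "chains to a trusted root" only
	GenuineByPin, ForgedByPin   bool // root check plus SPKI pin on the honest CA
}

// RunScenario models a trust store holding one honest root and one compromised root,
// and a certificate for the same hostname issued by each.
func RunScenario() Outcome {
	honestCA, honestKey := newCA("Honest Root CA (example)")
	rogueCA, rogueKey := newCA("Compromised Root CA (example)")
	roots := x509.NewCertPool() // stands in for the browser's trust store
	roots.AddCert(honestCA)
	roots.AddCert(rogueCA)

	host := "login.example.com" // hypothetical site
	genuine := issueLeaf(honestCA, honestKey, host, 100)
	forged := issueLeaf(rogueCA, rogueKey, host, 200)
	pin := spkiPin(honestCA)

	return Outcome{
		GenuineByRoot: verifyChains(genuine, roots, host) != nil,
		ForgedByRoot:  verifyChains(forged, roots, host) != nil,
		GenuineByPin:  acceptsPinned(genuine, roots, host, pin),
		ForgedByPin:   acceptsPinned(forged, roots, host, pin),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Running it prints that both the genuine and the forged certificate pass the root check, and only the genuine one passes once the honest CA's key is pinned. The revocation scramble the article goes on to describe is the other response: remove the compromised root from the trust store, after which `ForgedByRoot` would be false too.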

Deep foothold

Upon gaining a foothold deep inside of DigiNotar’s systems, a counterfeiter was able to issue valid certificates for 531 faked pages, impersonating online properties of Google, Microsoft, Skype, Equifax, Twitter, Facebook, the CIA, among others, according to this report by consulting firm Fox-IT.

This touched off a scramble to revoke bogus DigiNotar certificates and cut off the faked pages. Counterfeiting digital certificates isn’t trivial, says Josh Shaul, chief technical officer at security firm AppSec.

“It takes a tremendous amount of planning … more

Apps, social networks pose rising danger to kids online

By Byron Acohido, USA TODAY, 07Sept2011, P3B

There is a rising threat to kids who habituate the Internet: the likelihood that a popular mobile app or social-networking service will invade their privacy.

The Federal Trade Commission last month announced a $50,000 settlement with app maker W3 Innovations for collecting and dispersing information of kids under 13 in violation of the Children’s Online Privacy Protection Act, or COPPA.

Earlier this year the FTC wrested a record $3 million settlement from online game developer Playdom, now a division of Disney, for similar COPPA violations.


Child-safety advocates say identity thieves and pedophiles have begun taking advantage of youngsters’ increasing infatuation with mobile devices and Web apps.

“Children are using these services more and more, opening themselves up to more information disclosures,” says Andrew Serwin, chairman of the privacy practice at law firm Foley & Lardner. “And there’s more and more mobile services directed to children, as well.”

W3 Innovations published Emily’s Girl World, Emily’s Dress Up and Emily’s Runway High Fashion, online services which encouraged kids to create virtual models and outfits and e-mail a fictitious character named Emily with comments and blog posts. Apple iPhone and iPad users downloaded Emily apps more than 50,000 times.

“We want to make it crystal clear, to app developers and to others in this new mobile space, that we believe the protection under COPPA is not platform specific,” says David Vladeck, director of the FTC’s consumer protection bureau. “If you can’t do it online, you can’t do it in an app.”

FTC staff is hammering out revisions to COPPA rules likely to include different guidelines for verifying parental permission for kids to use certain apps, and specific rules to protect children using Internet-connected mobile devices, Serwin says.

Meanwhile, more children than ever are using mobile devices and spending longer hours socializing online and using cool … more