thursday-11th-october-joyride-2
Security

Kathryn Cave (Global) - Is Hacking the New Joyriding?

Cosmo is a legend. Tagged "CosmoTheGod", he is so infamous amongst his local hacker community they even hoaxed a hostage situation to get a SWAT team round his house for the "lolz". He is 15. He lives with his mum and his gran who describes him as "a good kid [because he] is always home." This is the profile of a hacker. This is the sort of individual who - from the comfort of his bedroom - can help bring international organisations to their knees.

Between last winter and this spring, Cosmo and the rest of UGNazi conducted DDoS attacks across sites including NASDAQ and CIA.gov. In May, after breaking into one billing agency, they proceeded to post 500,000 active credit card details online. Finally, this June, Cosmo (amongst others) was arrested as part of a multi-state FBI sting targeting credit card fraud; sentencing is yet to take place. Cosmo was the social engineer; his role was getting past barriers, hijacking phone numbers, and breaking into any account you can name: Amazon, Apple, AOL, PayPal...

What is disturbing, though, is that this is no Moriarty-style criminal mastermind; this is not a powerful evil genius looking to amass wealth and power; this is just a bored, semi-delinquent kid. Instead of nicking someone's wallet, joyriding a car or breaking into local shops, this demographic can now literally wreak global havoc. For no reason other than amusement, people with the time and expertise can maraud through cyberspace, stealing personal identities and halting businesses. Last month, Wired journalist Mat Honan interviewed Cosmo and provided a scary insight into this world.

It all began with a trick to cheat at online Xbox. It became apparent to aficionados that instant victory could be achieved by knocking rival players offline mid-match. This could be done by turning a script on their opponent's IP address. It was simple; as gamers knew each other by tags (rather than names), getting a password reset on Windows Live (and thus hijacking a gamer tag) required only the name of the account and the last four digits and expiration date of the credit card on file. As the original gamer, tagged "Cosmo", also had a Netflix account, a legend was created.

Cosmo told Wired: "I called Netflix and it was so easy. They said, ‘What's your name?' and I said, ‘Todd [Redacted],' gave them his e-mail, and they said, ‘Alright your password is 12345,' and I was signed in. I saw the last four digits of his credit card. That's when I filled out the Windows Live password-reset form, which just required the first name and last name of the credit card holder, the last four digits, and the expiration date." In the name of journalistic integrity Wired tested this method, and it still works.

The story provides terrifying insight into online hacking. This gateway is open to anyone who cares to look - sensitive information can be disclosed, companies can lose trust and credibility - and this trend is rising. At the end of July, global information assurance company NCC Group announced substantial hacking increases in the second quarter of 2012. This included a sharp increase in hacks originating in the US, China and Russia.

In response, more and more ordinary people are learning to hack for themselves. As Jack Koziol, director of educational services at The InfoSec Institute, explained recently to the Washington Post: "It's an arms race. The profile of a hacker has really changed through the years, and it's hard to understand how your system can be attacked if you don't actually attack it yourself." The company, which offers hacking workshops throughout the US, has seen a significant increase in demand over the last couple of years and expects to see revenue go up by 21% in 2013.

This is all very interesting, and appropriate training and security are obviously critical for companies to stay safe. However, can organisations really compete with bored kids who have nothing better to do? It is always easier to break things than it is to secure them. In the ‘good old days of joyriding' all those blaring car alarms never seemed to make very much difference....

By Kathryn Cave, Editor, IDG Connect

 
