To Stop Future Hacks, Look to the Past

Every new technology comes with new vulnerabilities. In many cases, however, cybersecurity experts can learn from hacks of the past to close security gaps in the future.

Written by Ari Joury, Ph.D.
Published on Nov. 03, 2020

In September of 2020, the world saw its first human death caused by a cyberattack. A woman was turned away from the emergency department of the university hospital in Düsseldorf, Germany. The hospital was dealing with a ransomware attack that disabled the clinic’s IT systems, preventing it from treating her. The woman died while being transferred to another hospital that was further away.

This tragedy may seem like a terrifying new frontier in cybercrime, but experts in the field have long reckoned with cases like this one. Many hacks and viruses haven’t fundamentally changed since computers became widely integrated into modern life. Although machines are getting smarter by the minute, many of them remain vulnerable to these simple attacks.

Ransomware is a genre of attack that has been around since the early days of computing. It infects a computer, disables all its programs and displays a note demanding a fee to return to normal operation. In areas where systems need to work at all times, like hospitals, these kinds of attacks can be lucrative for hackers. As the New York Times reports, attackers have been targeting more and more healthcare institutions and demanding greater sums in recent years.

Cyberattacks aren’t just about putting people’s lives in danger, though. From governments spying on one another to freezing billion-dollar websites for the fun of it to manipulating the stock market for capital gains, hackers choose to spread malware for any number of reasons.

Although the motives behind a hack might change over time, the fundamental method doesn’t. Attackers want to inject some malevolent code into a system and try to take control of it. Of course, the techniques for doing so have become more sophisticated over the years, but there is a surprising amount of wisdom that one can and should draw from the events of the past.


Melissa, or the Rise of Antivirus Software

Around 20 years ago, computer viruses weren’t half as well-known to the general public as they are today. But one hack changed everything.

In March of 1999, computer programmer David Lee Smith posted a document to an internet newsgroup that, he claimed, contained free passwords for websites with adult content. When a user downloaded and opened the document, however, it unleashed a virus on their computer.

The Melissa virus, allegedly named after a stripper in Florida, emailed itself to the first 50 contacts in the victim’s Outlook address book. The messages promised more adult content if the recipients opened the attachments. Unbeknownst to them, the virus was lurking in those attachments as well, and so more and more computers became infected with Melissa.

Eventually, around one million email clients got disrupted. This doesn’t sound like much in this day and age; at the time, however, email servers at more than 300 corporations and government agencies became overloaded, and some had to be shut down entirely. Even though the Federal Bureau of Investigation managed to contain the virus within a few days, the clean-up and repair of infected computer systems ultimately cost an estimated $80 million.

It’s no coincidence that, after this hack, sales for antivirus software soared. Although there have been many similar attacks since then, this is arguably the first instance of computer crime that brought cybersecurity into the public eye. After the Melissa hack, mainstream society recognized that the internet offered both the promise of greater connection and new kinds of threats as well.

These days, we have internalized these lessons, and everyone is well aware of the risks posed by computer viruses. As a result, most operating systems come with pre-installed antivirus programs. If you do plan to install another one, be sure to research the program first. Past incidents have been documented in which antivirus programs themselves contained other viruses. Ultimately, the lesson here is that you can’t trust that unknown materials on the internet are what they claim to be.

 

MafiaBoy and the Dawn of Cyberjustice

Fast-forward just a bit to the year 2000. The Melissa scare is long-forgotten, and the dotcom bubble is, well, bubbling. Investors are flocking to the New York Stock Index and placing huge bets on nascent internet companies like Yahoo, eBay, Amazon and more. Little do they know that it will only take a 15-year-old with a computer to tear it all down.

Michael Calce, known online as MafiaBoy, was just a nerdy little boy from Montreal. But he’d managed to take control of a handful of university networks, and he was able to harness their computing power to attack other websites.

He got the university networks to target Yahoo, at the time the world’s largest search engine. The site, valued at many billions of dollars by investors, eventually went down for over an hour. He then proceeded to take down CNN, eBay and Amazon, among others.

Under pressure from the public, investors and President Bill Clinton himself, law enforcement tracked down the boy. He was eventually charged with more than 50 crimes and sentenced to eight months in a youth group home.

Even though MafiaBoy wasn’t the first person to be sentenced for a cybercrime, his actions brought to light a deeper problem. Namely, if multibillion-dollar corporations can be brought to their knees by a 15-year-old, how safe is our money? What about our information?

Many hackers are like MafiaBoy — minors who aren’t overtly malevolent. So how do we, as a society, go about punishing those who exploit these security gaps? To this day, MafiaBoy’s hack serves as a case that frames the public debate about cyberjustice.

The efforts of the justice system to track down and punish hackers cannot be neglected. There is a bit of a red herring at work here, however, since it’s mostly young and inexperienced hackers that get caught. Truly malevolent or greedy professionals know how to pass undetected and will hardly be scared away by teenagers who are forced to spend a few months in a group home.

I understand the immense difficulties that cyberpolice face, from the technical constraints to the lack of funding. Nevertheless, more effort needs to be put into catching professional hackers, and teenagers without overtly evil intentions should be less severely punished. Still, the next time you want to access a site and it’s down due to traffic, that may remind you of MafiaBoy. Although sites sometimes crash under genuine traffic, you can never be sure that a hacker like him isn’t behind the outage.

 

The Samy Worm, or How to Make a Million Friends

Marketplaces like eBay and Amazon were already flourishing at the onset of the new millennium, but it took a few more years for social media platforms to take off. When they did, however, hackers didn’t wait long before they wreaked havoc.

One of these hackers was Samy Kamkar, who was a 19-year-old high school dropout in 2005 when he achieved fame for his hacking prowess. Wanting to impress his techie friends, he spent weeks trying to figure out how to beef up his profile page on MySpace. At the time, users could only upload 12 profile photos, but with a technique called cross-site scripting, Samy managed to upload a thirteenth. He also wanted to tell his friends that he was “in a hot relationship” instead of selecting a standard option like married, single, and so on. With some hacking, he managed that too.

Once he reached that point, he realized that he could do pretty much anything. Subsequently, he worked on a script that would force anyone who viewed his page to add him as a friend. He was aware that his page didn’t have that many visitors, so he made the script self-replicate: a visitor to the page of somebody who had also viewed his page would also have to add him as a friend.

The script spread like a wildfire. Samy’s friend requests kept piling up the day after he released it, reaching a million before MySpace went down. Samy didn’t want quite that much attention, unfortunately. His hacking ultimately got him charged with a cybercrime and sentenced to three years of probation with practically no computer access.

For internet companies, Samy’s stunt served as a bitter lesson. Although many experts in the field knew about the risks of cross-site scripting, few took it very seriously. Only after the Samy worm did many websites and browsers upgrade their security. For companies, the lesson is clear. If you notice a possible security threat, resolve it right away. Don’t wait for someone to exploit a flaw before taking action. By the time you fix it, the damage to your reputation and your bottom line may be done.

Regular internet users stand to learn something here as well. This hack is one of the reasons that the URL of this site starts with “https” and not “http”: the “s” stands for “secure” and indicates that this site is harder to hack with Samy-style worms and other malware. These days, if you’re using Chrome, Firefox or Safari, you won’t be able to access sites beginning with “http:” without a clear warning. If you’re using another browser, however, you might want to check your preferences so you don’t accidentally land on an insecure site that could do harm to your computer.

 

WannaCry: How North Korea May Have Hacked British Health Services

Due to its relevance today and the lessons we still need to learn from it, I’ll move forward in time right to the WannaCry attacks of 2017. WannaCry is a type of ransomware that exploits a vulnerability in Windows systems to creep into the computer. Microsoft realized this quickly and released a patch to fix it in March of 2017. Many Windows users didn’t update their systems fast enough, however. Two months later, WannaCry was everywhere, including on the machines of the British National Health Service.

In the wake of the outbreak, Microsoft accused the U.S. National Security Agency of knowing about the bug but choosing not to report it. Instead, they might have created their own malware. This code, called EternalBlue, might in turn have been stolen by a hacker group and shared in a seemingly political Medium post. To this day, it’s unclear whether these allegations are true or not.

The mystery deepens because, in the aftermath of the attack, researchers discovered strong links to the Lazarus group. This group is believed to be linked to the North Korean government. In other words, North Korea might have hacked the rest of the world, all while the NSA was busy developing its own malware.

Regardless of whether some, any or all of these allegations are true, this wouldn’t be the first time that foreign governments meddled with viruses. One lesson that government agencies like the NSA should draw from this event is that they need to protect their own citizens before getting busy developing new malware. Given the absence of NSA-related scandals in recent years, they might indeed have learned from it.

WannaCry also offers a couple of lessons for average computer users. First, install security updates as soon as they’re available. Procrastinating on these types of tasks is not a good idea! Second, keep a backup of your files in the cloud or on a physical server. WannaCry is only one of many viruses that can corrupt your files irrevocably.

 

Equifax, or Why Half of Americans Could Have Their Identity Stolen

It turned out that 2017 was not a good year for cybersecurity. In May, the WannaCry mayhem unfolded. In September, the world learned about yet another incident. And this time, 150 million Americans — a little less than one out of every two — were affected.

According to Equifax’s CEO, a massive amount of consumer data was compromised in July of that year. This information included names, birthdates, addresses and social security numbers. It’s the last of these that makes this data breach unlike any other. With people’s social security numbers, criminals could open credit cards and bank accounts or even buy homes in their victims’ names. They could apply for jobs, file their taxes, and claim kids as their own dependents. In other words, knowing a social security number can help criminals gain total control over people’s lives.

What makes matters worse is that the U.S. Department of Homeland Security had alerted Equifax to the vulnerability in March of 2017, before the breach. But apparently, the information got lost somewhere in the belly of Equifax, and the vulnerability never received the treatment it deserved. In addition, three senior executives sold almost $2 million in stock just days after the security breach was discovered in March.

In this sense, Equifax is a prime example for other companies of how not to react to a vulnerability: ignore it, potentially engage in insider trading, and then finally announce the breach months after it happened. Equifax learned that lesson the hard way, as it eventually agreed to pay a $700 million settlement as compensation for its wrongdoings.

The sensitive information of one in two Americans remains potentially exposed, however. So far, there is no trace that any of the data has been sold, which makes it hard to track the hackers down. Whoever has the data in their hands could still take control over the lives of huge numbers of American citizens.

At this moment in time, there is not much you can do to protect your data if you’re a client of Equifax. If you do plan to switch to one of its competitors, you’ll need to do your due diligence. Companies like LifeLock, for example, actually purchase monitoring services through Equifax, which means they may not be much more secure. As with all the other examples, you’ll need to be careful to make sure your information is safe.

 

Mistakes Are Inevitable, but Learning From Them Is Crucial

No information is 100 percent safe. We all know that, but it’s still scary when we learn that our data has been compromised, whether by teenagers or the North Korean government. This isn’t about vacation pictures or cute puppy videos either. Rather, it’s about tax identification numbers and the trade secrets of multibillion-dollar companies.

Governments, corporations and individual citizens alike must therefore keep their machines up to date. Federal justice agencies must try to track down and penalize hackers to prevent further cybercrime from happening. And if a security breach does happen, corporations and government agencies must communicate honestly about what they did and didn’t do.

Finally, there’s only so much fretting you can do about the security of your data. In a world of ever-increasing digitization, you can’t pour acid over your PC and pray that the world gets back to rights again. Instead, we ought to learn from the mistakes of the past.

The life that was taken by a cybercriminal attack in September of 2020 will almost certainly not be the last of its kind. But we might be able to save some lives by drawing lessons from previous events — and by not panicking too much.
