Rewards may far outweigh risks for savvy hackers

Andrew Russell | Tribune-Review
Alex Reece, a member of Carnegie Mellon University’s computer hacking team, diagrams computer code mid-air with a light pen at the Collaborative Innovation Center on campus. At top right, Reece drew a sketch of Tux, a penguin character that is the official mascot of Linux, a computer operating system. This photo was produced using a long camera exposure on Monday, February 4, 2013.
Andrew Russell | Tribune-Review
Alex Reece, 21, plays Minecraft in a computer lab on Tuesday, Jan. 22, 2013, on the Carnegie Mellon University campus in Oakland. Reece is a member of the Carnegie Mellon University-based Plaid Parliament, a computer hacking team.
Andrew Russell | Tribune-Review
Tyler Nighswander, 22, a member of the Carnegie Mellon University-based Plaid Parliament computer hacking team, has computer code projected onto his face with a laptop projector on Friday, Jan. 25, 2013, in his Shadyside home.
Andrew Russell | Tribune-Review
George Hotz, 23, Alex Reece, 21, and Tyler Nighswander, 22, (from left) all members of Carnegie Mellon University’s Plaid Parliament of Pwning computer hacking team, celebrate solving a computer code problem on Saturday, Jan. 19, 2013, in the Collaborative Innovation Center on the school's Oakland campus.
Andrew Russell | Tribune-Review
David Brumley, a Carnegie Mellon University computer science professor who works with the school’s capture-the-flag hacking team, types on a laptop computer during one of the group’s Friday night meetings held January 18, 2013.

A malicious computer hacker has to find just one way in.

Like soldiers defending a fort, however, anyone trying to protect a website or online business must try to close every potential breach. A single coding mistake, in the wrong hands, could be an opening to be exploited.

When a computer attack begins, it can be hard to detect — harder still to identify the perpetrators, locate them and bring criminal charges.

“It’s the right place to set up shop if you’re an ambitious criminal,” said Ari Juels, director of RSA Laboratories, a Cambridge, Mass., data security research company.

Potential rewards versus the risk are great, too. Someone with a computer and know-how might be able to steal corporate secrets for an airplane design or information on newly discovered oil and gas fields.

The haul could be worth millions, if not billions.

“It’s simply too easy to orchestrate these types of intrusions,” said Dmitri Alperovitch, co-founding chief technology officer of CrowdStrike, a security technology company based in Irvine, Calif.

“It’s cost-free, even if you get caught,” he said. “If there’s a nation-state sponsor, nothing is going to happen to you. No one is going to arrest you. You’re operating freely from the confines of your own country, supported by your own government.”

Adversaries of the United States are arming themselves for computer espionage as well as potential attempts to cause disruption or destruction, the Government Accountability Office reports.

In 2010, the Department of Defense developed a Cyber Command to oversee computer security, primarily for the Defense Department. The move occurred around the time Stuxnet, a computer worm that struck Iran’s nuclear program, was discovered.

No one has taken credit for the attack, but some suspect the United States and Israel.

Iran responded to the attack by announcing plans last year to create a “cyber army,” and an Iranian group in September took credit for hacking into 370 Israeli websites.

Army Gen. Keith Alexander, the head of CyberCom, has warned the Defense Department cannot protect itself. The Defense Department announced plans to hire 4,000 people for computer security, but the military has 15,000 computer networks at 4,000 locations worldwide.

“The number of potential vulnerabilities, therefore, is staggering,” the department reported in 2010.

Since Stuxnet, unknown hackers introduced other malware — shorthand for malicious software — to collect information that could be useful for an attack, said Liam O Murchu, a manager of security response operations at Symantec, a computer software security company in Mountain View, Calif. Those viruses mainly targeted Middle Eastern companies involved in pipelines and industrial control systems, he said.

“We did think it was science fiction until we saw Stuxnet, and we saw that a virus could interact in a very sophisticated way with specific equipment that made it work in a very predetermined manner,” O Murchu said. “It’s definitely possible that another attack could be mounted.”

More malware recently targeting Middle Eastern marks included a virus aimed at Saudi Arabia’s state-owned oil company in August that wiped out more than 30,000 computers, replacing system files with an image of a burning U.S. flag. A similar attack hit a natural gas producer in Qatar. Defense Secretary Leon Panetta called the malware the most destructive computer attack ever on the private sector.

Taking down a gigantic infrastructure network in the United States would require a sophisticated attack by an advanced nation-state, Alperovitch said. China, for example, might trigger a computer virus attack only during a hot war with the United States.

Individual researchers, however, could proliferate that technology.

“Is there a danger that they may decide to rent their services out to a rogue nation-state or to a terrorist group?” Alperovitch said. “People worry about that sort of thing … and that’s certainly a valid concern.”

The world’s largest companies fall into two groups, according to security technology company McAfee: “Those that know they’ve been compromised and those that don’t yet know.”

Those that are safe don’t have anything valuable or interesting that hackers consider to be worth stealing.

“When it happens, we may not hear about it,” said Ting-Fang Yen, principal research scientist at RSA Laboratories. “You don’t want to admit you’re being attacked, most of the time. Or people don’t know that they are attacked.”

Andrew Conte is a staff writer for Trib Total Media. He can be reached at 412-320-7835 or [email protected]
