Monday, October 12, 2009
An Interview With Willie Sutton--Network Robber
Willie Sutton was a prolific bank robber who robbed about 100 banks from the late 1920s until his final arrest in 1952. An urban legend was created when a reporter asked him why he robbed banks and he supposedly answered “because that’s where the money is.” He denied saying it, claiming the reporter added the statement to embellish the story.
While banks are still “where the money is” in physical form, enterprise networks are banks for information in digital form. That the information stored in those networks has value is an undeniable fact. Determining the value of information is another matter entirely and is more an art than a science. Considering that identity theft cost the US economy $53B last year and theft of personally identifiable information is the primary means by which criminals commit identity theft, we can rightfully conclude that the value of information is very high indeed. And that doesn’t include the theft of sensitive information or intellectual property from businesses or individuals.
So, if Willie were alive today, he might be more interested in stealing information than money, so he might change his M.O. from robbing banks to robbing networks.
Just for fun, let’s presume he is alive, has become a prolific hacker, and has consented to an interview with our Undercover Reporter who is doing a story on information theft.
In the fictional interview below, UR is our undercover reporter and WS is, of course, Willie Sutton, Master Data Thief.
UR: So, Willie, why do you hack networks?
WS: Aw c’mon … gimme a break … I do it because that’s where the data is.
UR: Data? I thought you were after money. Do I take that to mean you steal the data to sell it?
WS: You got it!
UR: So, there’s money in selling data stolen from networks?
WS: Oh man … you gotta be kidding me … I can’t believe you’re asking me that. You bet there’s money in selling data … big money … and it’s easy money. Like I said in my book “Go where the money is … and go there often.”[1]
UR: So how do you turn data into cash?
WS: I sell it on the IBM.
UR: What … you sell it to IBM?
WS: No, man, I sell it on the International Black Market.
UR: Oh, I see. Do you have a hard time finding a buyer?
WS: Nope. Piece of cake. It never ceases to amaze me how many people out there are willing to buy just about any kind of data.
UR: So what kind of data do they like to buy?
WS: Oh just about anything. I’ve discovered that just about everything on a network has some value or it wouldn’t be there in the first place. Yeah there’s some junk out there … sappy love letters … and some really spicy e-mails … but there’s lots and lots of really good stuff too. Speaking of e-mails, you just can’t believe what people will say in e-mails! Almost makes me blush.
UR: So what kind of good stuff do you run into?
WS: Oh, personally identifiable information that can be used for identity theft, intellectual property, sensitive information about marketing, mergers & acquisitions, downsizing plans, and the like.
WS: Oh I almost forgot … credit card numbers are a really hot item … especially when you have the security codes to go with them. Man that’s such a sweet deal … I get top dollar for that data … and the buyer recovers their investment when they use the cards to buy whatever it is they want to buy. And what’s so amazing about it is the card holders don’t lose any money. They have to spend a little time explaining to their bank that they didn’t make the purchases. Then the bank just writes it off as a loss. Man, you gotta love those banks. Like I always said about banks … that’s where the money is!
UR: So tell me more about how you hack into networks to steal data.
WS: Well, I don’t actually “hack” into networks … although it’s sometimes easy to do because some companies just don’t understand the value of the data they have on their networks and so they won’t allocate sufficient resources to cyber security. Besides that’s not my bag man.
UR: So what is your bag? How do you get the data if you don’t hack the network? Are you some sort of magician?
WS: Naw … I use insiders to get me the data I want.
UR: Hmm … so you just walk right up to them and ask them to give you the data?
WS: Aw c’mon, work with me here … I case the joint ya know … I watch people arrive at work in the mornings to see who might be strapped for cash. Young single Moms driving beat up old clunkers are good targets as are young guys with fancy sports cars. The Moms are struggling to feed their kids so they’re always in need of extra dough and you can bet the young hot rods are strapped for cash after making a big car and insurance payment but still need some coins to take Ms. Hottie out on Saturday night. Or I go to the local watering hole and just listen. If you listen long enough people will tell you everything you need to hear. Just the other day, I was sipping a cognac and in walks Mr. Hot Rod and one of his buds. After slammin’ down a few brewskis, I overheard the buddy say ‘That sure is a cool new ride you have.’ and Mr. Hot Rod says ‘Yeah it’s a sweet machine, but after making the payment and paying the insurance and gas, I can barely find two nickels to rub together. I didn’t realize when I bought it that my diet and love life would change so dramatically … I live on ramen noodles, beanie weenies, and Vienna Sausages … and there’s no dough for a date, and that really sucks, man!’ So, he’s obviously an easy mark in need of some cold hard cash.
UR: OK, OK I get the picture. After you’ve identified your targets, what do you do then?
WS: I simply offer them pennies … yes that’s pennies … for each database record they can get for me.
UR: So you get the data for pennies?
WS: Per record not in total. Let me give you an example. Suppose one of my marks gets me 10,000 records. If I give ‘em ten cents per record, they make a quick and easy $1,000. That’s a lot of diapers and formula for the kiddies or studly duds and gas for the hot rod.
UR: OK. So how do they get that much data to you without getting caught?
WS: Another easy one. I have them use a stega-somethingorother application they can get on the Internet.
UR: You mean a steganography application?
WS: Yeah that’s it. How did you know that?
UR: I just read something in Digital Forensics Investigator the other day about how steganography can be used to hide information in digital files.
WS: Yeah it’s really cool … it’s amazin’ how much data you can hide in a single picture.
UR: How do they get the picture, or pictures, to you?
WS: Another easy one … they simply send it to me as an attachment to an e-mail. Who would suspect anything out of the ordinary about a picture of a kid or a juiced up set of wheels?
UR: So how come you or any of your insiders never get caught?
WS: You know, that’s a really funny one … I think you call it a ‘paradox.’ You see, nobody thinks anybody’s using stega-whatever so nobody is willing to spend any dough on the tools needed to detect it. And because nobody’s using tools to look for it, it’ll never be detected. Now ain’t that a beautiful thing?
UR: It’s no wonder they called you “Slick Willie” back in your heyday!
WS: That’s right. Hey are we ‘bout done here? I’m expecting some important emails!
So it goes: insiders are exfiltrating sensitive data with complete impunity because no one has deployed tools to detect steganography because no one thinks anyone is using it because there’s not a large amount of proof that steganography is being used … because nobody is looking for it!
1. Where the Money Was: The Memoirs of a Bank Robber (Viking Press, New York, 1976)