Honestly who needs the bother? (Photo: screencap)

Seems the uptick in cyber crime has some benefit, at least: The Wall Street Journal reports that as criminals discover the beauty of electronic exploits like credit card theft, there's far less incentive to stroll into a bank, fire off a couple of rounds into the ceiling and demand all the cash you can carry.

Our condolences to anyone who saw Public Enemies and decided  to make his name as a modern-day John Dillinger. We'll always have Ocean's Eleven.

The Journal says that bank robberies have dropped precipitously in the last ten years, by almost 50 percent. That's partly because robbing a bank is harder than ever (gone are the days of tommy guns and bravado) and the penalties are stiffer.

But it's also because, increasingly, the money isn't there any more:

"Clearly, as more and more transactions become electronic, more bank crimes become electronic," said Doug Johnson, vice president of risk management at the American Bankers Association.

Sure, "I deploy phishing scams to empty virtual bank accounts because that's where the money is" doesn't have the same romantic ring to it--but who needs romance when you've got loot?

(flickr/mjtmail)

Firms specializing in technology security make it their business to scare potential customers, but that doesn't make an Internet Identity (IID) report predicting cyber doom in 2014, highlighted today by Ray Kurzweil's Accelerating Intelligence, any less spooky.

According to IID, looming cybersecurity threats in 2013--more mobile malware, increasingly aggressive hacktivism, attacks on the cloud--are "well-anticipated and mundane."

Those "mundane" threats are nothing next to the bleak wasteland of death and destruction IID expects in 2014:

[By] 2014 significant new methods of cybercrime will emerge. These new threats include the utilization of Internet connected devices to actually carry out physical crimes, including murders and cybercriminals leveraging mobile device Near Field Communications (NFC) to wreak havoc with banking and e-commerce. IID also expects the industry to combat such threats with new platforms for sharing intelligence across researchers, commercial enterprises and government agencies.

IID elaborated on "Murder By Internet Connected Devices" with scenarios that sound pretty plausible. They predicted that criminals could use pacemakers with remote connections, control systems on Internet-connected vehicles or even connected machines that control IV drips to potentially carry out long-distance, untraceable crimes.

It sounds like hyperbole, but pacemakers (for example) are already hackable, and as Forbes noted in this early December post about the reality of compromised medical equipment, Homeland has already used a hacked pacemaker as a plot device.

IID also warned about the dangers of NFC-enabled smart phones. NFC, or near-field communication, allows information exchange between compatible devices. It's pretty common on phones now but may one day even permit cars to talk to each other. Paul Ferguson, the company's vice president of Threat Intelligence, says NFC could be "a gold mine for cybercriminals and we have already seen evidence that they are working to leverage these apps to siphon money."

Additional threats IID believes may manifest in 2014 include an increase in state-sponsored malware, like Stuxnet, Flame and Duqu, a successful cyberattack on a power grid and an "exploit of a significant military assault system like drones."

Not directly mentioned but already in the wild: hackers already taking advantage of poorly-secured supervisory control and data acquisition (SCADA) systems which have easily cracked web administration pages. At the moment SCADA vulnerabilities might just cause discomfort and disruption, but in 2014's creepy killer web scenario, compromising a large-scale heating and cooling system might just be round one in an all-out infrastructure attack on a regional, even a national scale.

In posting a link to the Kurzweil write-up about IID's dire warnings, Quartz's Christopher Mims sounded the necessary note of caution needed after reading hints of a looming cyber-pocalypse:

Cybercriminals will straight-up kill you, says firm that profits massively by hyping threat. kurzweilai.net/murder-by-inte…

— Christopher Mims (@mims) January 4, 2013

Duly noted. However, if IID is correct, we've only got a year.

Cower and whimper accordingly.

This guy is everywhere now. (Image Devdsp on Flickr

Sometime last summer, hackers invaded a New Jersey company's web-accessible heating and air-conditioning systems using a gaping security hole in the system's supervisory control and data acquisition (SCADA) software.

Ars Technica reports that an IT contractor who works with the business informed F.B.I. agents investigating the breach that controls for the HVAC system were "directly connected to the Internet" and there was no "interposing firewall."

The backdoor into the controls is found in some versions of the Niagara AX Framework, software that controls similar systems at the Pentagon and the Federal Bureau of Investigation. An F.B.I. memo issued in July said any hacker who found their way into the nameless New Jersey company's Niagara controls would have been able to learn the same information available to a systems administrator, such as "a floor plan layout of the office, with control fields and feedback for each office and shop area." The web interface wasn't even password-protected.

Information about these flaws in Niagara systems has been public knowledge among hackers for some time. In a blog post published in an Anonymous-associated blog on January 19, 2012, a hacker using the name @ntisec listed vulnerable Niagara web servers all over the world.

The hacker prefaced the list by explaining that he or she had learned of the vulnerability from a Dutch technology site and then found vulnerable pages with simple searches using Google and ShodanHQ, a site that helps "expose online devices."

@ntisec insisted his or her purpose was to make sure these gaps were closed, because "Most scada systems dont (sic) have the need to be webfaced."

Ars Technica notes that in 2009 a security guard in a Texas hospital learned of that facility's weak SCADA security and posted screen captures online that demonstrated he could take control of parts of the system used to control operating room temperatures. The guard ended up federal prison.

Given the large number of Niagara servers listed by @ntisec last January, we'll probably hear about several other intrusions before the holes are filled. Once that happens, maybe they'll just come for our smart TVs.

Bank of America, one of the victims of Operation Ababil (Screengrab)

The Izz ad-Din al-Qassam Cyber Fighters published a new message on their Pastebin profile late Monday, warning of a new round of cyber attacks against U.S. financial institutions, beginning this week.

In their lengthy post, titled "Phase 2 Operation Ababil," the Qassam Cyber Fighters announced that they plan to attack websites owned by J.P. Morgan Chase, Bank of America, U.S. Bancorp, PNC Financial Services and SunTrust Banks.

Previous cyber attacks for which the ideologically-motivated group claimed credit took some bank sites down for more than 24 hours and affected website functions for days afterwards. The Cyber Fighters say that in Phase 2, "the wideness and the number of attacks will increase explicitly; and offenders and subsequently their governmental supporters will not be able to imagine and forecast the widespread and greatness of these attacks."

U.S. officials have said they believe the attacks are state-sponsored by Iran, but the cyber attackers still insist they are not working for any government. Though they mention events since their previous attacks such as Israel's efforts against Hamas, the al-Qassam Cyber Fighters still say their main reason for renewed cyber attacks is the presence of Innocence of Muslims on the Internet. Google has refused to removed the anti-Islamic video from the Internet in nations where it is not against the law.

Fox Business notes one of the reasons security researchers and U.S. officials have said they believe the al-Qassam Cyber Fighters are more organized and well-funded than an ad-hoc group of cyber terrorists is because they use such a sophisticated botnet of compromised web servers. The Cyber Fighters' zombie army of bots sidesteps bandwidth limits and focuses more power against their targets than attacks from home computers.

Previous banks affected by al-Qassam's efforts included Wells Fargo, Bank of America and the New York Stock Exchange.

Update: It looks like the Cyber Fighters didn't waste any time. As of 1:45 p.m. ET Tuesday, many Bank of America customers were reporting problems accessing the bank's website.

This guy.

In a new SecureList blog post, Kaspersky Lab researcher Vicente Diaz has described a new frontier in a relatively old online scam. Phishers, tired of building fake websites to lure victims into unintentionally giving away email addresses, passwords or even financial information are beginning to use Google Docs to siphon data from the unwary.

This approach makes it easy for spammers to bypass filters, as emails with links to a shared Google document don't get flagged, giving the recipient the illusion that the message is legit.

Mr. Diaz writes that tricking someone into entering personal data into a sketchy Google Doc is only "the tip of the iceberg":

Google Docs allows hosting other contents such as executable files in different formats, resulting in a very convenient and free hosting service for malicious content. As a bonus the connection is HTTPS by default, making it even more convenient for cybercriminals the use of this service.

HTTPS is the communications protocol that supposedly means a web page is secure and any data entered in a form on that page won't be intercepted by a cyber-thief.

The Google Docs dodge is fairly new but may not be all that rare, as spammers are catching on to the fact that it's so easy to make a target believe they're looking at a legitimate document.

Until anti-spam programs begin to learn and account for this ploy the best defense is skepticism. If you have no idea why anyone would share a Google document with you, don't even click the link.

Hackers having fun, unlike Sam Yin.

Manhattan's district attorney has slapped Gucci hacker Sam Chihlung Yin with up to six years in state prison for hacking the corporate network of Gucci American, Inc. In a press release from the office of Cyrus R. Vance, Jr., the D.A. noted that Mr. Yin pleaded guilty in mid-July to one felony count of computer tampering in the first degree and 10 felony counts of "criminal possession of computer related material."

Mr. Vance's announcement regarding Mr. Yin's sentence included a quote from the D.A. that could be read as a none-too-veiled warning to anyone else tempted to follow the former Gucci network engineer's example:

Today, a computer hacker is going to state prison for attacking the network of his former employer, which is one of the more than 900 fashion companies based here in New York. As we have seen in many cybercrime cases, these so-called 'insiders' at companies have the ability to harm their employers, co-workers, and the company's clients, customers, and even products. This is but one example in the fight against cybercrime and our ongoing efforts to repel attacks and protect electronic systems.

Sam Yin was apparently the worst kind of disgruntled ex-employee. After he was fired from his job at Gucci he accessed a secret account he'd created while working there and began wreaking havoc on the fashion retailer's systems, shutting off off servers and in some cases deleting data. Mr. Yin then doubled down on his shenanigans by using a fake identity to somehow socially hack his way into the network and gain near total control via knowledge of administrator passwords. Mr. Yin ultimately deleted the company's email accounts, which the D.A. stated "cost Gucci hundreds of thousands of dollars in diminished productivity, restoration and remediation measures, and other expenses."

Sam Yin turns 36 tomorrow. With any luck could be out of prison before he turns 39. We suspect he'll have a hell of a time finding a new I.T. job once he's released.

Hackers were targeting pedophile and pedophile-interest websites in Usenet forums as far back as the 1990s but that was well before Anonymous had such a powerful name brand to put behind the effort.

Anonymous explained some of its motivation in a Pastebin document published July 7:

WE Anonymous aim to diminish if not eradicate this plague from the Internet. For the good of our followers, for the good of mankind, and for our own enjoyment we shall expel from the Internet and systematically destroy any such boards that continue to operate.

The message charged readers to spread the word to other Anons and the press. The statement also took a classic Anonymous shot at its target: "These pedos are very butthurt about being hit too, so there is some LULZ factor in it."

According to their reporting, Anonymous has already taken down a laundry list of sites with stomach-turning names like boychat.org, boylovenews.com and pedofilie.nl.

The firm surveyed 1,861 IT and security pros, the majority from organizations bigger than 500 employees. 64 percent expect to face cyber attacks in the next six months, and 61 percent point to Anonymous and its hacktivist fellow travelers as the most likely attackers. More generally, a solid two-thirds of respondents believe we’re really seeing an uptick in the rate of attacks, thanks to more hackers, stronger state-sponsored efforts, and so forth. They’re not exactly pulling that out of thin air, either. For one thing, attacks on financial companies tripled year-over-year in the first quarter of 2012.

It doesn’t sound like IT folks are feeling too good about their current security solutions, either. A mere 26 percent feel that their organizations’ laptops and desktops are protected, which goes a long way toward explaining why it feels like major breaches occur every couple of weeks.

The answer, as always, is better best practices: Get employees to stop opening sketchy email attachments and using random thumb drives. But given that even a security juggernaut like RSA can be brought low by spear phishing, that’s far easier said than done.

In his remarks at the R.S.A. Conference Thursday, the A.P. reports Mr. Mueller listed losses to cyber-criminals: "We are losing data, we are losing money, we are losing ideas and we are losing innovation," he said. Mr. Mueller also told attendees that together they "must find a way to stop the bleeding."

Mr. Mueller may have had an ideal audience for his remarks--this year's R.S.A. Conference also has an eye toward companies concerned about possibly falling prey to the Anonymous DDoS or email hack:

Protecting yourself and your company against cyber attacks and those who launch them is a full-time job. You need up-to-the-minute information, the latest technology, insight into techniques and trends, and so much more. And you'll get all of it at RSA® Conference 2012.

Mr. Mueller tried to calm businesses worried about the P.R. crises that sometimes follow a major cyber-attack, stating that the F.B.I. does "not want you to feel victimized a second time by one of our investigations."

The criminals pickpocketed people on the street and bribed JP Morgan employees to give them data. Apparently they also stole information from the banks computer system, although its not made clear how this was accomplished.

This brings us back to the question of what is cyber-crime in an age where almost all bank transactions involve a digital interface. It sounds from this press release like most of the criminal activity was good old fashioned robbery and bribery.

Its a fine distinction, but one worth drawing, as we pointed out with our piece about why the News of the World Scandal involves no actual "hacking".

Manhattan District Attorney Cyrus R. Vance, Jr., today announced a 148-count indictment of six members of a large-scale identity theft and cybercrime ring for stealing more than $1 million from J.P. Morgan Chase Bank, compromising at least 80 victims’ accounts at various bank branches.[1]

“Over the course of two years, accused criminals and corrupt bank employees colluded to defraud J.P. Morgan Chase and withdraw more than $1 million from the bank accounts of unwitting victims,” said District Attorney Vance. “The ring both pickpocketed these victims on the street, and colluded with the bank employees, to steal personal identification that in turn enabled the criminal organization to withdraw significant funds from bank branches from New York to Texas and Michigan. I would like to thank our Cybercrime and Identity Theft Bureau and J.P. Morgan Chase Bank for working together to ensure that this identity theft ring was brought to justice.”

The defendants are RICHARD DAMES, a/k/a "G," a/k/a “GK,” a/k/a “GEOVANNI KASANOVA,” 33; JAMALUDDIN ALMAHDI, a/k/a “RICK,” 66; WAYNE MITCHELL, a/k/a “WAYNE-O,” 42; RICKY MCCANTS, 30; MAKILA WILLIAMS, 25; and KIA WYLIE, 30. They have been indicted on multiple felony charges, including Grand Larceny in the First Degree, Identity Theft in the First and Second Degrees, and Conspiracy in the Fourth Degree.  In addition, MCCANTS and WYLIE have been indicted on numerous counts of Computer Trespass.  The crimes charged in the indictment occurred between February 17, 2009, and February 4, 2011.

According to documents filed in court, the identity theft ring is alleged to have operated as follows:

Members of the ring either pickpocketed victims or worked with J.P. Morgan Chase Bank employees whom they paid to obtain victim personal identifying information by infiltrating the bank’s computer system. In some cases, MITCHELL and his accomplices used some of the stolen property of victims who were pickpocketed to commit fraud weeks or months after the victim had been pickpocketed. In other instances, Chase Bank employees MCCANTS, WILLIAMS, WYLIE, and previously charged defendant Jon Emerenciano stole accountholder information—such as names, addresses, social security numbers, dates of birth, and account numbers—from the bank’s computer system and sold that information to DAMES and his co-conspirators. DAMES then provided the information to the members of the ring who would carry out the fraudulent bank transactions. The corrupt employees also copied accountholders’ bank signature cards, in order to allow members of the ring to better imitate a victim’s signature.

In addition, according to court documents, ALMAHDI conducted searches about the victims through internet websites, like ssndob.biz, to gain additional personal identifying information of victims. DAMES often ordered the victim’s credit report through annualcreditreport.com by impersonating the victim and entering his or her stolen personal identifying information as his own. DAMES and co-conspirators subsequently opened credit cards in victims’ names and purchased expensive items, including electronics, without paying for them.

On April 27, 2010, Bronx detectives conducted a search warrant at MITCHELL’s apartment and recovered, among other things, hundreds of stolen documents, including social security cards, driver’s licenses, checks, and credit cards, belonging to more than 100 different people. Some of the checks were from the same checkbooks used by Garnett, Walmsley, and Eli in carrying out fraudulent check cashings. Also recovered in MITCHELL’s apartment was a fraudulent identification card in a victim’s name containing Garnett’s picture. On December 29, 2010, Financial Crimes Task Force detectives conducted a search warrant at DAMES’s apartment, during which they recovered five stolen Chase Bank customer profiles.

In total, the defendants are alleged to have stolen more than $1 million dollars from J.P. Morgan Chase.

MCCANTS, WILLIAMS, and WYLIE have been fired by Chase Bank. Emerenciano was also previously fired by Chase Bank. DAMES and MCCANTS will be arraigned today in State Supreme Court. ALMAHDI, MITCHELL, WILLIAMS, and WYLIE are awaiting arraignment on this indictment.