The cyber attacks against Google, Adobe and a raft of other top U.S. corporations late last year were by most accounts sophisticated and targeted attempts to steal proprietary data. But lost in all of the resulting media hoopla over who the remaining victims were and whether Chinese hackers or indeed the Chinese government itself were responsible is the simple, terrifying truth that individual hackers now have access to the same arsenal of cyber weapons once reserved only for nation states.
The weapons at issue are, of course, botnets -- agglomerations of remotely controlled, hacked computers that are used for a variety of criminal purposes, from spam, to high-powered, distributed online attacks against virtual targets. In these attacks, the botnets acted as a sort of "cloud" data collection and storage network.
I caught up recently with Roland Dobbins, a solutions architect with the Asia Pacific division of Arbor Networks, a company that specializes in helping customers defend against botnet attacks. Dobbins said the Google incident a perfect example of how the botnet has enabled what he calls the democratization of espionage.
Brian Krebs: What does that mean—"the democratization of espionage"?Roland Dobbins, Arbor Networks: Well, ten to fifteen years ago, if you were going to be the target of state sponsored or corporate espionage, you yourself were going to be a government or a large corporation that had intellectual property or information that an adversary was going to have to invest a lot of time and effort to pry out of you. What we have seen over the last five to seven years is that the botnet has democratized that process, so that now an individual can commit his own intelligence reconnaissance and espionage, whether at arms legth on behalf of a state, on his own, or whether he's doing it for corporate espionage. This whole process has tons of implications for national and corporate security, and for individual privacy. For the attacker, the risk associated with launching these types of attacks has gone down quite a bit, too, no?
Absolutely. Whether or not you're a nation state, botnets allow you to mount an operation of this type for almost no cost, and there is pretty much no physical risk. In the spy world they talk about "black bag ops," where the spy tries to break into the corporate campus or government building to steal information. But with these attacks, there is no risk, and they can just keep trying and trying until they succeed.
What is the average Internet user supposed to take away from this?
Because it's so cheap through the use of botnets for bad guys to get this information, ordinary people are essentially the targets of espionage in a way that has never been true before in human history. Their personal information is being targeted by folks who have resources that in many cases are beyond what nation states would have been able to bring to bear only ten years ago. If you couple that with generational changes that we see, where younger people don't seem to place the same importance on privacy as those of the older genertions - in a way they tend to overshare - if you couple that with the force multipler of botnets, this is a really big change, and this is really reflected in the attacks we've seen talked about in the press lately.
Okay, now I'm scared.
Well, that's okay. It just means if you are on the Internet, you have to assume that there are nation-state level adversaries targeting you to get your information and gain from it. And you really have to have a 'wilderness of mirrors' type of attitude, and be functionally paranoid to protect yourself these days. This is a big change. Because the Interent is ubiquitous, and because it's become such a big part of so many peoples' lives, a lot of us have this feeling of being in that old Mad Magazine cartoon Spy vs. Spy, only from the inside it's not really that funny. But it is a profound change in human civilization that we just haven't seen before, and companies especially need to wake up to this fact.
CSOonline contributor Brian Krebs previously covered security for the Washington Post. He blogs at www.krebsonsecurity.com.