© Marvin Waschke 2017

Marvin Waschke, Personal Cybersecurity, 10.1007/978-1-4842-2430-4_1

1. What’s Biting Us

Who and What Does Cybercrime Hurt?

Marvin Waschke

(1)Bellingham, Washington, USA

When I hear the news about the latest computer security breach, I am so dismayed that I want to turn off my smartphone, tablet, and laptop and quietly lock them in the bottom drawer of my desk. But I don’t. I have designed and written computer software for decades, and I will not accept that the work that I and many others have done over the years is being subverted by disgruntled misfits, criminals, and thugs. I take a deep breath and think through what has happened and why it took place.

Turning off personal computers does not help much. Lapses in security in other people’s computing systems can hurt you as much as a weakness in your own system. Many of the systems over which we have no control are critical to our safety, financial well-being, and even our health.

The dangers seem to have multiplied overnight. The devices that were once useful and entertaining seem to have spontaneously metamorphosed into menaces. Computing began in what seemed like a garden of Eden, far from crime and malice. Early computers were hidden in laboratories and their users were engineers and scientists. Computing as an instrument of crime was not in anyone’s mind. But this has changed. Instead of being protected behind locked doors, computers large and small are exposed in ways that could not have been imagined by their inventors. Nearly every computer is attached to networks that can be accessed from anywhere on the planet by almost anyone. Wireless networking further opens computers to both free and malicious access. In this open environment, the computing industry only noticed the opportunities for cybercrime in the last two decades of the millennium. Even then, most computer-related crime was embezzlement and inventory twiddling that could have been done as easily with paper books as by computing.

Computer and software manufacturers were not earnest about security until cybercrime grew into big business at the beginning of the millennium. Previously, engineers tended to think of security as an annoying hindrance to development that could be added in the last stages of a project. If a project got behind, security might be left for the next release. This attitude still sometimes exists, although engineering practices now acknowledge that security must be considered at every stage of product development, including decisions not to build projects that cannot be adequately secured.

Services, such as online banking, which we can scarcely imagine living without, loom as threats in news reports almost every week, and yet we become more and more attached to our plastic. Androids and iPhones burrow deeper and deeper into our lives with texting, email, Facebook, Uber, and hordes of other apps that make busy lives easier. But each of these devices and apps presents new vulnerabilities to criminal attack. The vulnerabilities grow with each new device and app.

In their self-interest, computer users must understand the threats, correctly evaluate their potential, and take steps to avoid, block, or disarm attacks. Computer networks are a tough neighborhood. Doing business on the mean cyber streets is a difficult assignment in an environment that changes every day.

This challenge is not that different from challenges we face in other areas. After all, life is a dangerous venture. Heart disease or cancer can strike anyone, but we can improve our odds with exercise and a healthy diet. Driving a car is dangerous, but we can drive carefully in cars equipped with seatbelts, air bags, and anti-lock brakes. There are no guarantees that we will avoid a heart attack or an automobile crash, but our chances significantly improve when we are reasonably cautious. Most people can live a long and satisfying life while following good safety practices. The same applies to the cyberworld.

The cyberworld has no guarantees and there are many tradeoffs, but most people can use and enjoy their computers, tablets, and smartphones without becoming a victim of cybercrime. It’s like choosing to avoid sugary soda altogether but occasionally indulge in your favorite dessert. You must intelligently reduce the chances that a calamity will occur. Choosing a car or truck with anti-lock brakes will not guarantee that you will never skid on an icy road, but they will help control the skid and give you a better chance of steering out of a crash into the guardrail. Good cybersecurity practices will not guarantee that you will never be hacked, but they can turn away all but the most persistent hackers and limit the damage when an assailant smashes through your defenses.

Individuals can take heart from the statistics. Despite increases in computer use, cybercrime complaints to the FBI’s Internet Crime Compliance Center have drifted downward from 303,809 complaints in 2010 to 269,422 in 2014, a more than ten percent decrease. The significance of this decrease is greater than it may appear because the pool of computing devices has grown, with smartphones and tablets added to the existing pool of laptops and desktops.

Keep in mind that cybercrime is likely underreported. Not every victim of massive credit card theft reports the crime to the FBI. Cyberwarfare and terrorism seldom have individual persons as victims, and their impact is not reflected in FBI statistics. These are some of the most heinous and far-reaching crimes, and yet they may not be reflected in the statistics.

Nevertheless, the crimes that are reported to the FBI are significant and they do show a decline, which seems the opposite of what we see on the news. The frequency of news stories on cybercrimes is different from the true frequency of cybercrimes. Cybercrime may simply have become more newsworthy. Later, as I probe into the industry’s efforts to deter or prevent computer crime, you may gain some insight into why the FBI numbers have gone down.

The Internet Crime Compliance Center reports that the largest financial losses were from conventional confidence fraud over the Internet and the most frequent complaint was non-payment and non-delivery on Internet transactions. For these crimes, the Internet was a convenient vehicle, but they could have been committed over the telephone or through the paper mails. These reports suggest that good old-fashioned dishonesty and fraud continue to be profitable in the 21st century, but they are not examples that are germane to the rise of crime enmeshed with computer and network technology.

Cybercrime is not quite as threatening to individuals as it appears, but don’t underestimate it. For individuals, the biggest threats do not come from hackers breaking into their laptops and tablets. The greatest threats are through break-ins and other mayhem done to computer systems that most people have little or no contact with. When those types of crimes are counted, cybercrimes occur more frequently than anyone would like. Some experts estimate that an individual’s email account is more likely to be broken into than their house.[1]

Cybercrime

Cybercrime takes many different forms. The most spectacular crime is massive theft of critical personal information. Companies that hold this information can do much to prevent these thefts, but we individuals have little power because we have no control of the vulnerable systems that process and store our information.

The number of pieces of data stolen and the number of enterprises hacked into are surprising. RSA is one of the largest providers of security certificates used to guarantee that Internet sites are who they say they are. A major security company is, one would hope, an unlikely candidate for a hacker intrusion, but in 2011 RSA was embarrassed to be hacked to the tune of tens of millions of employee records.[2]

People think of hackers as Lisbeth Salander from Stieg Larsson’s Millennium Trilogy or Garcia on the television series Criminal Minds: geniuses who can work miracles from any computer attached to the Internet. In minutes, they hack into any computer anywhere and extract the precise information they need. That is not exactly the way real hacking works.

In the 1960s and 1970s, anyone working on a computer and not performing an assignment from a business, school, or government was called a hacker. Programmers and administrators who worked after hours on their own computing projects and students who hunched over terminals working on unassigned tasks were all an anomaly. These enthusiasts occasionally drifted past official rules either unintentionally or from curiosity, but seldom with malicious intent. But as computing advanced, some of these unofficial experts began to take advantage of opportunities for mischief and gain that they discovered in their preoccupation.

The hackers of today have a range of profiles. Some merely push boundaries for pleasure. Enthusiasts who spend hours searching for undocumented ways to change the behavior of their personal computers are at this end of the spectrum. Some of them are white hats: hackers who are paid by businesses and law enforcement to find security flaws by acting like black hats trying to break in. In the middle of the range are hackers who claim to perform victimless crimes that affect only institutions, not people. Other hackers claim to be activists who only hack for benevolent or political purposes. At the far end, organized criminals use hacking skills to wreck and steal. The most dangerous of these gangsters have adopted the brutal tactics of organized crime. Government or military operatives who create and use cyberweapons often are the authors of the most destructive exploits.

The Target Corporation Heist

How do hackers steal? Examining a well-known exploit helps explain what they do. A few days before Thanksgiving in 2013, hackers began an exploit that eventually stole information from 40 million credit and debit cards from a mass retailer, Target Corporation. To put this another way, more than one person in ten in the entire United States had a card number stolen. The stolen card numbers and other information were spirited off to “dark” trading sites, sort of criminal eBays, and sold for a few dollars apiece to other criminals called carders, who manufacture new cards bearing the stolen data. They use the fake cards to purchase expensive items on the unsuspecting cardholder’s accounts. The purchased items are often sold on the real eBay.

Like most hacking exploits, the Target heist began with social engineering. See Figure 1-1. Social engineering is jargon for tricking a person into revealing information that a hacker can use to gain entrance to a system. The tricks can be elaborate, often involving meticulously prepared fake emails, or simple, like asking someone for their password for a seemingly innocent purpose. Disgruntled former employees are often willing to be social engineered into helping with, or leading, an invasion.

Figure 1-1. The Target heist involved a series of carefully planned steps

Social engineering is less spectacular than cracking, a favorite tactic of hackers in the popular media. Crackers obtain user passwords by guessing or de-encrypting password information. Cracking a password is frequently possible, but hackers often decide cracking is too much work. Social engineering is much easier, so some form of social engineering is the first step in most hacking invasions.

For the Target exploit, hackers used social engineering to penetrate a weak point in Target’s defensive perimeter. Heating and air-conditioning equipment is now frequently connected to corporate computer networks. Corporate facilities staff use the network to adjust heating and air-conditioning, which is automated for comfort and energy efficiency. Heating and air conditioning contractors log into the system to monitor for issues and make remote adjustments. These contractors are frequently less experienced in managing cybersecurity. The Target hackers began by searching for contractors with connections to Target. They found a heating and air conditioning (HVAC) contractor with unsophisticated security and the kind of connection to the Target network they needed.

The hackers sent emails to the contractor’s employees to trick them into revealing a username and password. The social engineering challenge was to send a carefully contrived email that would trick a contractor employee into revealing their password. The effort succeeded and the hackers logged into the Target network. That login was the intrusion that began the exploit. They broke into the system using their knowledge of human nature and gullibility rather than technical knowledge or skill.

The contractor was apparently blind to the situation. They issued a press release stating that their connection was only used for billing, contract submission, and project management. In other words, the contractor was apparently unaware that they were an unwitting attack vector for the plunder that followed.

The hackers gained access on November 15, which was 12 days prior to the sales flurry of Black Friday on November 27. Using their access, the hackers got ready for Black Friday by loading their malicious software into the Target system. The software was then pushed down to most of Target’s automated cash registers all over the country. The hackers’ software was designed to grab credit card data as customers purchased their goods and slid their cards through card readers attached to the cash registers. The hackers had several days to ready their credit and debit card information collection system. The hackers, like good software engineers, used the time to test their systems before the full-scale launch.

By television hacker standards, the Target hackers were painfully slow and pedestrian, but unlike fiction, they stole real data and hurt real people. They stole so much data that transporting it out of the Target system was a logistical challenge. It is not clear exactly where all the data was sent. They covered their tracks by sending data over difficult-to-trace clandestine networks; the credit card information was eventually sent to computers in the United States, Brazil, and other obscure locations. The systems that received the stolen data may themselves have been hacked, with their owners unaware that their computers were being used for an illegal purpose.

Eventually, the credit card numbers appeared on criminal sites that traffic in goods like stolen credit card numbers. These sites are not difficult to access and they are a ready market for purloined data. Credit card numbers go for a few dollars apiece. As the data gets older, the price goes down as more card numbers are cancelled or flagged with a fraud alert.

Some estimate that Target lost nearly half a billion dollars from this hack, which did not have to take place. There were several points where the breach could have been prevented. The air conditioning contractor could have trained their employees to be more aware of efforts to swipe passwords. Target could have divided up their network so that contractors only had access to data they needed, not critical payment systems. Target could have monitored activity on their network and noticed that an air conditioning contractor was accessing data that had nothing to do with air conditioning. Target could have guarded their point-of-sale systems from installation of unauthorized software. Superior hindsight does not mean culpability for allowing these gaps, but stopping up any one of them could have prevented disaster. Although the issues of a large distributed corporation like Target are different from personal cybersecurity issues, Target’s woes offer clues to what can happen on our personal devices. I will discuss them in more detail later.
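
The segmentation and monitoring safeguards described above can be made concrete. The following is an added example, not code from the book: a small Python check over constructed connection-log lines that flags any account reaching a network segment outside its role. The log format, account names, address ranges, and role-to-segment policy are all assumptions invented for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed network segments (private address ranges chosen for illustration).
SEGMENTS = {
    "vendor-portal": ipaddress.ip_network("10.10.0.0/24"),
    "facilities": ipaddress.ip_network("10.20.0.0/24"),
    "point-of-sale": ipaddress.ip_network("10.30.0.0/16"),
}

# Hypothetical least-privilege policy: the segments each role may reach.
ROLE_POLICY = {
    "hvac-contractor": {"vendor-portal", "facilities"},
    "store-ops": {"point-of-sale"},
}

# Hypothetical account-to-role assignments.
ACCOUNT_ROLES = {
    "hvac_vendor01": "hvac-contractor",
    "pos_admin07": "store-ops",
}

# Constructed sample log, one connection per line:
# timestamp account destination_ip destination_port
SAMPLE_LOG = """\
2024-01-10T09:02:11 hvac_vendor01 10.10.0.15 443
2024-01-10T09:05:40 hvac_vendor01 10.20.0.8 443
2024-01-10T23:41:03 hvac_vendor01 10.30.4.21 445
2024-01-10T23:44:57 hvac_vendor01 10.30.4.22 445
2024-01-11T08:00:00 pos_admin07 10.30.4.21 3389
2024-01-11T08:10:00 unknown_user 10.20.0.8 22
not a log line
"""


def segment_for(ip):
    """Return the name of the segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_line(line):
    """Parse one log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, account, ip, port = parts
    try:
        ipaddress.ip_address(ip)
        port = int(port)
    except ValueError:
        return None
    return {"ts": ts, "account": account, "ip": ip, "port": port}


def find_violations(log_text):
    """Return an alert for every connection the policy does not allow."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not connection records
        role = ACCOUNT_ROLES.get(rec["account"])
        seg = segment_for(rec["ip"])
        if role is None:
            reason = "account has no assigned role"
        elif seg is None:
            reason = "destination is outside every known segment"
        elif seg not in ROLE_POLICY.get(role, set()):
            reason = f"role {role} is not permitted in segment {seg}"
        else:
            continue  # connection matches the policy
        alerts.append({**rec, "role": role, "segment": seg, "reason": reason})
    return alerts


def summarize(alerts):
    """Group alerts by account: account -> sorted list of segments touched."""
    touched = defaultdict(set)
    for alert in alerts:
        touched[alert["account"]].add(alert["segment"] or "unknown")
    return {account: sorted(segs) for account, segs in touched.items()}


if __name__ == "__main__":
    for alert in find_violations(SAMPLE_LOG):
        print(alert["ts"], alert["account"], alert["ip"], "-", alert["reason"])
    print(summarize(find_violations(SAMPLE_LOG)))
```

The same policy table serves both safeguards: enforced at a firewall it is segmentation, and evaluated over logs it is monitoring.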

Tablets and Phones

Smartphones and tablets are replacing the desktop and laptop computers that have been the targets of cybercrime in the past. This does not mean cybercrime will go away. The larger computers still have some uses and some people will always prefer large keyboards and displays, so it is unlikely that big desktops and laptops will completely disappear. More importantly, when size and appearance are ignored, desktops, laptops, tablets, and smartphones are all similar and they have similar vulnerabilities. They all have random access memory, persistent storage, and network connections. Consequently, all are vulnerable to the same kinds of exploits. This book discusses many exploits and techniques that have been directed at desktops and laptops. These same exploits could be directed at smartphones or tablets, and likely will be. The hackers must change some code to work with different operating systems, but the basic pattern will be the same.

If exploits on these devices seem rare now, it is only because hackers concentrate on the devices that will yield the most return for the least effort. As smartphones and tablets become more prevalent, hackers will direct more exploits in their direction. Devices that appear to be impregnable will begin to be hacked more often.

Cellular phones and phone systems have their own set of issues, but these are mainly privacy issues. For example, hardware, mainly used by law enforcement, can spoof a cellphone into believing the device is a cell tower. The device acts as a middleman who monitors the victim’s phone calls and messages and then passes them along to a legitimate tower. Other privacy issues involve accessing the records kept in the cellular system. Much of the wrangling that is going on over cellular phone privacy is about who should have access to what from these records. Since the records are kept on a computer system, they are subject to hacking also. When dealing with computer systems, the question is never whether breaking in is possible. It always is. The critical question is whether breaking in is difficult and time-consuming enough to discourage the most desperate from trying.

Wireless

Wireless networks open up new opportunities for hacking. Open wireless sites such as those in coffee shops, public libraries, hotels, and airports are convenient, but they are also treacherous. Even the sites that have passwords, like many hotels, are dangerous because there is little control over who has the password. Everyone who is using the hotel wireless network has access to all the traffic on the network. A password that is handed out to people whom you have no reason to trust does not protect you on a wireless network.

You may think that secured networks with passwords are there to prevent bandwidth theft. They do discourage bandwidth theft, but the most important reason for securing a wireless network is to keep untrusted persons out. Anyone on a wireless network can listen in on anyone else on the network. In public places, a potential victim has no idea who is nearby with access to the wireless network.

With access to the network, a hacker can watch all the traffic to and from a victim’s computer, which could be a laptop, smartphone, or tablet. While hackers are watching, they can skim any data they care to. A victim connecting with any site that might reveal valuable credentials or other valuable data invites a watching hacker to steal it. Encrypted transmission and virtual private networking make hacking more challenging, but a hacker who is willing to invest resources into obtaining the data can succeed most of the time.

Unsecured home systems are equally vulnerable. Some hackers drive through neighborhoods with their laptops, searching for unsecured wireless networks. When they find an unsecured or poorly secured network, they can monitor the data on the wireless network, or use the network as a base for attacks. The attacks will appear to come from the compromised home wireless network.

Not all security standards are equal. The earliest wireless security standards were developed in the late 1990s and have been shown to be completely insecure. A hacker using readily available tools needs only minutes to break in. Unfortunately, the old standards (WEP and WPS) are still used occasionally. The currently preferred wireless security standard (WPA2) is safer. A long random password is difficult to crack, but a persistent hacker with abundant computing resources may still be able to break it.

Wireless networks can be treacherous in other ways. Most devices, especially smartphones, are set up to attach to a wireless network whenever one is available. The phone user may think they are using the cellular network and therefore they can log into their bank in relative safety. In fact, the smartphone may have latched onto a hacker-infested open network.

Wireless networks are a convenient pleasure, but they must be used with caution.

Crimes Against Devices

Can a network-controlled electric kettle be hacked? Sure. An electric kettle controlled by a smartphone may be an attractive idea. Use your smartphone to turn on the kettle from your bed and have boiling water when you arrive in the kitchen. Nice. But that kettle could be an open door into your wireless network. You can follow the article mentioned in the footnote below to get the details on how to hack into one model of kettle.[3] The steps are not difficult. The hack relies on sloppy programming and weak passwords. The group who produced the kettle were probably veteran kitchen appliance designers but new to networks and software. They would have been excited about an innovative new product and likely did not give a thought to a security review.

The fitness tracker you wear on your wrist is also hackable. One brand of tracker has been subjected to an attack in which a security researcher connected to the tracker through Bluetooth, changed data, and deposited code. The code was automatically uploaded the next time the tracker connected with its display on a laptop or smartphone.

Bluetooth has about a 30-foot range. You could be sitting on a bus and the nondescript guy sitting a couple seats away fiddling with his Android could be loading your wrist tracker with malware that will be loaded into your phone the next time you sync up. Before you know it, your friends are getting offensive messages that you did not send, but are from your phone.[4]

Personal cybersecurity extends beyond the traditional desktop and laptop personal computers to tablets, smartphones, and everything else that is connected to our home networks. Items in our homes, such as security cameras, electronic locks, and heating-air-conditioning systems, that are connected to the Internet are especially vulnerable. It’s bad enough that our bank accounts can be looted and our identities stolen, but we also have to worry about our children being spied upon in their beds, invaders electronically turning off alarms and unlocking our front doors, and our houses burnt down by malicious meddling with the controls on our furnaces. Checking on our children and controlling our house remotely is a remarkable modern convenience, but it can also be a threat. This is the Internet of Things. Like the heating and air conditioning contractors that became the route of attack in the Target heist, the designers of devices that are newly online can be unfamiliar with security practices and leave the devices they design poorly protected.

Large corporations and government agencies are attractive to cybercriminals because the loot available for plunder is usually much greater than the loot on personal devices. A personal device may hold a few credit cards, credentials for a few personal bank accounts, and not much else. Corporate systems may hold millions of credit cards and access to billions of dollars. To the individual, this comparison is no solace when their laptop, tablet, or smartphone is breached.

What Are Hackers Looking For?

By far the most common reason for invading a computing device is money, although a few hackers breach systems to make a political point or as a personal assault on the device owner. Obtaining access to personal email often goes with this sort of assault. Others invade with an intelligence or military objective. Still others are just snooping. Nevertheless, most hacking is for money.

Money can be made from a compromised computer in various ways. Personal data suitable for stealing an identity can be sold readily on the black market. Payment card information can also easily be sold, but a personal device is not likely to yield many cards compared to a business. Beyond stealing data, ransom is a possibility. An intruder can disable a critical resource, such as encrypting a file system, and then demand payment for releasing the resource.

Hackers may also try to “own” a victim’s device. An “owned” device is under control of the hacker. Usually, the hacker obtains administrative control of the device and has deposited code or scripts that prevent the true owner, or anyone else, from taking back control. An owned device can be very useful. It can become a slave computer that is part of a mass spam mailing machine. It might be used as a relay in an effort to obscure the source of an attack. Perhaps the worst part of having an owned computer is that the rightful owners may not be aware of the mischief their computers are performing.

Perhaps the most sinister use of owned devices is spying. Some malware can be installed that will capture the screen images, take control of the device’s camera, and install key loggers that record every stroke from the keyboard, as well as spirit away all the files on the system. Techniques like this are used by law enforcement and other government agencies for investigation and spying. Criminals use malware like this for less savory purposes such as stealing financial credentials or extortion. Cyberbullies and stalkers also use this kind of malware.

How Do Hackers Get In?

We have all heard about master hackers who have nearly supernatural powers for guessing or cracking passwords, but that is not the most common way personal devices are invaded. There are much easier ways.

Social Engineering

Social engineering, as mentioned previously, is security jargon for using psychology and sociology to trick victims into revealing critical information such as passwords. In a business, disgruntled employees might give away passwords to harm their employer. A hacker might call an individual on the telephone, posing as someone from an Internet provider, credit card company, or some other person with a legitimate interest in computing devices or accounts. The masquerade is to trick victims into revealing their usernames, passwords, and other critical information.

Phishing

Phishing is a favorite method that uses deceptive emails. The invader sends a seemingly legitimate email to a user. The email requests an account and password for a seemingly legitimate reason. In the simplest form of phishing, the clueless victim replies with the requested account and password.

Since few people fall for that ploy anymore, subtler variations have appeared. One variant asks the victim to click on a link to a fake web site. The fake might be a clever reproduction of a legitimate site such as the victim’s bank. The victim logs in to the fake bank, and the phisher snaps up the victim’s bank credentials.

In another version of the fake website, the phishing expedition turns into a drive-by in which malware is deposited on the victim’s device. Drive-bys are explained in the next section.

Yet another phishing ploy uses an attachment that contains malware that is executed when the user tries to open it. An even more malicious variety embeds a script in a photograph or graphic that runs when the photo is opened. In some malware deposit versions, no password needs to be harvested. The malware establishes a backdoor into the device and the invader has access.

Drive-bys

Another method is the drive-by attack. The user is lured to a malicious website that, when it opens in a browser, executes scripts that deposit malware. Usually the malware opens access to the hackers who later work their mischief. Drive-bys usually occur on dodgy sites designed to attract the unwary. They often promise compromising photographs of entertainment stars, over-the-top tax advice, or too-good-to-be-true weight loss schemes.

Man-In-The-Middle

A man-in-the-middle attack inserts a third party between two communicating systems. For example, a victim might attempt to use an online interface to pay off a mortgage with a large wire transfer. The hacker hijacks the network connection between the victim and his bank, and inserts himself in the middle. When the victim sends the transfer request, the hacker intercepts the request, inserts his account as the recipient of the transfer, and sends the modified version to the bank. When the bank sends the confirmation to the victim, the hacker intercepts the confirmation and puts the original recipient back in. Neither the bank nor the victim is aware of the attack. The money is transferred to the hacker and the victim assumes the transfer went through until the mortgage company asks about the expected payment. See Figure 1-2 for a graphic depiction of a man-in-the-middle attack.

Figure 1-2. The man-in-the-middle interrupts normal communication between parties

A variant method inserts a fake version of a website a victim intends to connect with. The hacker then scoops up the information that the victim enters, sends whatever they want to the target, and returns to the victim whatever the hacker wants the victim to receive.

In another man-in-the-middle exploit, an attacker sets up his laptop as a hot spot in a public place and names the hot spot something plausible like “Free Wi-Fi.” When users connect, the attacker skims the incoming data for valuables like bank credentials and passes on the connection to a legitimate Wi-Fi service.

How often man-in-the-middle attacks occur is contested. Some experts think they occur frequently; others think they are rare. This is an indication of the difficulty of detecting man-in-the-middle attacks. If the connection is a normal unsecured connection, a man-in-the-middle is nearly impossible to detect. Using a secured connection, the browser may raise an invalid certificate error. (I’ll discuss certificates later, but reliable certificates are a foundation of Internet security.) The error may indicate a man-in-the-middle attack, but there are other trivial reasons for certificate errors and a well-executed man-in-the-middle attack can avoid certificate errors.

Man-in-the-middle attacks can be used in different ways. Besides changing the intent of interactions, they can be used to glean information about the client or to deposit malware on the victim’s computing device.

Trojans

Remember your history? A Trojan horse is something dangerous that looks innocuous. A Trojan file looks like a file that should be there, but was placed on a computer by an attacker. Hackers and anti-virus tool developers play cat-and-mouse. The anti-virus developer writes code to find the Trojan and the hacker writes code to hide it. Trojans often are carefully designed to have the same name and size as legitimate files, but when they are executed, they can do almost anything, especially if they are executed with the administrative privileges necessary to make critical changes to a device.

Trojans are often used to install back doors. To do this, a Trojan typically has to modify the device’s settings and operating rules, and install code to permit the back door to work. Often, after the back door is installed, the Trojan will send a message to the attacker to let them know that the door is ready. The attacker then has secret and private remote access to the victim’s computer.

Back doors are not the only thing that Trojans can do. A Trojan might go to the user’s email address list and transmit it to the attacker, who will use it to target phishing attacks on the victim’s friends and acquaintances. Or the Trojan might be purely destructive and garble the victim’s files, delete them all, or encrypt them and request ransom for decryption.

Remote Access Tools

Remote access tools (RATs) are the key that unlocks computing devices to attackers. Each computer platform (Windows, Linux, Android, iOS) has its own remote access tools. Many are built for legitimate purposes like remote maintenance, but hackers use them for mischief.

The granddaddy of remote access tools is Telnet, a protocol and software for interacting with remote systems that was developed in the late 1960s, an era when security was not an issue. Telnet is implemented on almost all platforms, but it is highly insecure. Today, security experts discourage using Telnet, yet it is still widely available, simple to use, and popular for command line services that only deal in public data. Hackers look for sites where Telnet is enabled and use it to gain remote control. It is an easy tool for novice hackers to use. Fortunately, on Windows and most versions of Linux, the user has to intentionally configure the device to accept Telnet. Telnet-enabled victims are rare and Telnet hacks rarely succeed. When they do, the invader can take over the victim’s device, stealing data or setting it up as a slave to perform whatever nasty acts the invader chooses.

Telnet is not the only way to get remote access. Secure Shell (SSH) was designed to be a successor to Telnet. Secure Shell requires that an entity logging in must identify itself using secure credentials and passwords. The data that passes through Secure Shell is encrypted. Someone wishing to tap into the data must decrypt it first. This makes Secure Shell more private than Telnet, but only as private as Secure Shell encryption is strong. Users of Secure Shell are much safer. However, hackers have developed ways around Secure Shell and do use it to enter systems, perhaps using credentials snapped up in a phishing expedition. If invaders succeed using Secure Shell, their access is equivalent to Telnet. Invaders can take over the computer and steal data. Hacking in through Secure Shell has an added benefit to the invader: his communication to the victim device is probably not visible to law enforcement, which is very convenient.

Windows Remote Desktop Connection is another route into a Windows machine. Using Remote Desktop, a support technician can enter a machine and examine firsthand the settings of the computer and witness issues as they occur. Hands-on engagement through Remote Desktop can resolve issues quickly. The alternative, verbal descriptions of issues, is often inadequate. Remote access is powerful, but dangerous. If the support technician happens to be an attacker in disguise, he has the keys to the kingdom. There are few limits to the damage that can be done.
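The following Python sketch is an added example, not part of the book. It checks which of the three remote-access services described above (Telnet, Secure Shell, Remote Desktop) a machine is accepting connections for. It assumes Linux and the text layout printed by the `ss -tln` command; the sample listing is constructed, and the advice strings are this example's own wording.

```python
import ipaddress

# Default ports of the three remote-access services discussed above.
REMOTE_ACCESS = {23: "Telnet", 22: "Secure Shell", 3389: "Remote Desktop"}

# Constructed sample, laid out like the output of `ss -tln` on Linux.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       127.0.0.1:631       0.0.0.0:*
LISTEN  0       10      [::]:23             [::]:*
LISTEN  0       128     127.0.0.1:3389      0.0.0.0:*
LISTEN  0       128     192.168.1.20:8080   0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return (host, port) for every listening TCP socket in `ss -tln` text."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or a row that is not a listener
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and "%interface"
        if port.isdigit():
            listeners.append((host, int(port)))
    return listeners


def reachable_from_network(host):
    """True unless the socket is bound to a loopback-only address."""
    if host == "*":
        return True  # ss prints "*" for "every address"
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # unknown form: treat as exposed so it gets reviewed


def audit_remote_access(ss_output):
    """List remote-access services that deserve attention on this machine."""
    findings = []
    for host, port in parse_listeners(ss_output):
        service = REMOTE_ACCESS.get(port)
        if service is None:
            continue
        exposed = reachable_from_network(host)
        if port == 23:
            # Telnet is flagged even on loopback: it has no encryption at all.
            advice = "disable: Telnet sends credentials and data unencrypted"
        elif exposed:
            advice = "review: confirm it is intended and restrict who can reach it"
        else:
            continue  # loopback-only SSH or Remote Desktop is not reachable from outside
        findings.append({"service": service, "address": host, "port": port,
                         "exposed": exposed, "advice": advice})
    return findings


if __name__ == "__main__":
    for finding in audit_remote_access(SAMPLE_SS_OUTPUT):
        print(f'{finding["service"]:15} {finding["address"]}:{finding["port"]}  {finding["advice"]}')
```

On a real machine, pass the text printed by `ss -tln` to `audit_remote_access` in place of the constructed sample.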

There are also back door remote login tools that were written as invasion tools. Neatly packaged versions of many of these tools can be downloaded from sites on the Internet. Most of them are designed to access versions of Microsoft Windows. Microsoft has steadily hardened its security and these tools have become more difficult to write.

Hacking novices don’t need any knowledge of Windows security to download remote access tool packages available on the Internet. These packages install a remote access code on the targeted computer and a client on the hacker’s computer. Some of these installations are as polished and easy as any commercial installation. A hacker with no programming skills and little knowledge of security can install these tools and, in minutes, start stealing data or subverting the target computer to the hacker's purposes.

These hacking packages rely on security flaws in their target. When flaws are discovered, the operating system and software vendors hurry to fix the flaws and deliver patches to their users before invaders can make use of them. By the time a hack is packaged up for download, patches are likely to be available that will thwart exploits. But availability of patches does not mean the patches have been applied. Users of prepackaged hacks search for unpatched devices, and they often do not have to search far.

Zero-Day Attacks

A zero-day attack is an attack on a previously unknown security flaw. When honest researchers or developers find a flaw, they notify the owner of the flawed software so they can develop a patch. That starts a count of days until the flaw is patched and the patch is publicly available. If a flaw is never reported, the count is zero and it is a zero-day flaw, or simply a zero-day. When a hacker discovers a previously unknown flaw and launches an attack, the attack is a zero-day attack.

Zero-days have a market. The discoverer of a zero-day flaw, depending on how effective it might be, can sell the flaw on a black market exchange for thousands of dollars. Large criminal organizations are said to have stockpiles of zero-day flaws to use when the need arises. Government cyberwarfare organizations all over the world also are said to have stockpiles of zero-days, and have teams searching for zero-days to add to their stockpile. Some may be willing to pay for zero-day flaws found outside their organization. Much of this effort is directed toward the ubiquitous Windows operating system, but efforts are also aimed at Linux, mainframe systems, smartphone and tablet operating systems, industrial control systems, and any other systems that might yield control or monetary advantages.

Zero-days may provide routes into systems, but after a zero-day is used, it can be detected. Then it is no longer a zero-day and its value plummets. Instead of zero-days, social engineering is often the hacker’s first choice because it is easy and reliable. Phishing, drive-bys, and man-in-the-middle activity are also less expensive than zero-days, but sophisticated sites often avoid these more conventional attacks.

Password Cracking

A password cracker discovers their victim’s password without the participation of the victim. Cracking is more difficult and time consuming than social engineering. Usually, it is reserved for accounts that are likely to yield a large return for the effort and are resistant to social engineering. The extra effort is often applied to breaking into a corporate or institutional system rather than an individual. Celebrities like movie stars and high school principals are also likely victims of cracking. Still, anyone can be the victim of a cracker.

Password crackers typically first try to guess passwords. People are not as unique as they may think when choosing passwords. A handful of passwords are used all the time; “password”, “drowssap”, “123456”, and so on are all good first guesses for crackers. If the cracker has a little knowledge of his victim, other good guesses are birthdays, anniversaries, relatives’ names, and pet names. These are easy to glean off Facebook and other social media. An experienced hacker is adept at using these resources to make good guesses. If guessing fails, the next step is often a brute force attack that tests many possibilities. Running through every possibility takes too many resources to be practical. One strategy is called a dictionary attack, which limits candidate passwords to words from a dictionary and runs through every word in a dictionary, perhaps including variants like replacing “a” with “@.” With sufficient computer speed and storage, brute force attacks that were impossible a few years ago are now run every day. Some sophisticated algorithms can make brute force attacks more efficient. However, even the most powerful brute force attacks cannot reliably conquer long random passwords.
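The Python sketch below is an added example, not part of the book. It turns the guessing order described above into a check you can run on a password before you use it: common passwords, reversed spellings, dictionary words with substitutions such as “@” for “a”, personal details, and finally the size of the brute force search. The tiny word lists, the 60-bit threshold, and the guessing rate of ten billion per second are assumptions made for the example.

```python
import math
import secrets
import string

# Constructed sample lists; a real check would load far larger ones.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
DICTIONARY = {"dragon", "sunshine", "banana", "password", "monkey"}

# Substitutions that a dictionary attack undoes, including the "@" for "a" swap.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l",
                      "3": "e", "$": "s", "5": "s", "!": "i"})

MIN_BITS = 60                       # assumed minimum search-space size
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def guessable_forms(candidate):
    """Spellings a cracker would reduce this password to before looking it up."""
    lowered = candidate.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)  # "word123" -> "word"
    forms = {lowered.translate(LEET), stripped.translate(LEET)}
    return forms | {form[::-1] for form in forms}  # reversed, as in "drowssap"


def brute_force_bits(candidate):
    """Upper bound on the search space in bits; only honest for random passwords."""
    alphabet = 0
    if any(c.islower() for c in candidate):
        alphabet += 26
    if any(c.isupper() for c in candidate):
        alphabet += 26
    if any(c.isdigit() for c in candidate):
        alphabet += 10
    if any(c in string.punctuation for c in candidate):
        alphabet += len(string.punctuation)
    return len(candidate) * math.log2(alphabet) if alphabet else 0.0


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years needed to try every possibility at an assumed guessing rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def audit(candidate, personal_terms=()):
    """Return the reasons a cracker would find this password early (empty = none found)."""
    findings = []
    forms = guessable_forms(candidate)
    if forms & COMMON_PASSWORDS:
        findings.append("common password or a reversed/substituted variant")
    elif forms & DICTIONARY:
        findings.append("dictionary word or a reversed/substituted variant")
    haystacks = forms | {candidate.lower()}
    for term in personal_terms:
        if term and any(term.lower() in text for text in haystacks):
            findings.append(f"contains personal detail: {term}")
    bits = brute_force_bits(candidate)
    if bits < MIN_BITS:
        findings.append(f"brute force search space is only {bits:.0f} bits")
    return findings


def new_random_password(length=16):
    """A long random password drawn from letters, digits, and punctuation."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for sample in ["drowssap", "P@ssw0rd123", "Banan@", "kT7#vQ2m!xR9pLw4"]:
        print(sample, audit(sample), f"{years_to_exhaust(brute_force_bits(sample)):.3g} years")
```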

For highly resistant passwords, other attacks assault the password encryption algorithms themselves. Researchers regularly discover flaws in even the most secure encryption schemes. Highly trained hackers, often military personnel, are no doubt able to break any password they care to, although the resources required may be huge and the cracking methods may be so secret that they are reserved for extreme situations and are not likely to be used on an individual account.

I will talk more about managing passwords later.

Denial of Service and Botnet Invasions

Denial of service (DoS) and botnets are related attacks that occur frequently. They are responsible for both economic disruption and annoyance. Denial of service attacks are often performed by botnets.

Denial of Service

Denial of service is a common way of attacking business and government websites. A denial of service attack is usually a flood of input messages that exceeds the processing capacity of the attack’s target, and the rush of bogus messages blocks the site’s legitimate customers. In other words, the customer is denied service. The customer usually sees the denial as performance so sluggish as to be unusable, or a site that is completely unresponsive. Businesses lose sales or other transactions and their reputation for service.

A more advanced form of denial of service is called distributed denial of service (DDoS). A distributed attack is from more than one source at the same time. Distributed attacks are more effective than single attacks because the volume of messages is greater and they are more difficult for the victim to fend off. Botnets are an effective way of launching distributed denial of service attacks. More on botnets later.
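The Python sketch below is an added example, not part of the book. It looks at one second of incoming requests from the defender's side and shows why a distributed flood is harder to fend off: a simple per-source limit stops a flood from one address but lets a flood from many addresses straight through. The site capacity, the per-source limit, the 50% dominance rule, and the traffic itself are all constructed for the example.

```python
from collections import Counter

CAPACITY = 100         # requests per second the example site can serve (assumed)
PER_SOURCE_LIMIT = 10  # requests per second allowed from any one address (assumed)


def legitimate_traffic():
    """Constructed sample: 20 customers sending 2 requests each in one second."""
    return [f"192.0.2.{i}" for i in range(1, 21) for _ in range(2)]


def single_source_flood():
    """Constructed sample: the customers plus one address sending 500 requests."""
    return legitimate_traffic() + ["203.0.113.7"] * 500


def distributed_flood():
    """Constructed sample: the customers plus 200 bots sending 3 requests each."""
    bots = [f"198.51.100.{i}" for i in range(1, 201) for _ in range(3)]
    return legitimate_traffic() + bots


def classify(window, capacity=CAPACITY, dominance=0.5):
    """Label one second of traffic as 'normal', 'dos', or 'ddos'."""
    total = len(window)
    if total <= capacity:
        return "normal"
    _, top_count = Counter(window).most_common(1)[0]
    # One address responsible for most of the flood: a single-source attack.
    return "dos" if top_count / total >= dominance else "ddos"


def rate_limit(window, per_source_limit=PER_SOURCE_LIMIT):
    """Drop every request beyond the per-source limit; return what is admitted."""
    seen = Counter()
    admitted = []
    for source in window:
        seen[source] += 1
        if seen[source] <= per_source_limit:
            admitted.append(source)
    return admitted


def assess(window):
    """Classify the traffic before and after the per-source limit is applied."""
    admitted = rate_limit(window)
    return {
        "requests": len(window),
        "sources": len(set(window)),
        "before_limit": classify(window),
        "admitted": len(admitted),
        "after_limit": classify(admitted),
    }


if __name__ == "__main__":
    for name, traffic in [("legitimate", legitimate_traffic()),
                          ("single source", single_source_flood()),
                          ("distributed", distributed_flood())]:
        print(name, assess(traffic))
```

In the distributed case every bot stays under the per-source limit, so the site is still over capacity after limiting.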

The types of messages sent during an attack vary. One form is a barrage of emails. Other attacks use high-level protocols such as hypertext transfer protocol (HTTP). Others use lower-level protocols that bypass much of the processing of the higher levels. Some attacks are designed to damage servers and make them unusable in addition to overwhelming their capacity. Some of these attacks increase processor speeds, which can cause the processor to overheat and fail, possibly permanently.

Although denial of service attacks are not considered as sophisticated as some other types of attacks, they are becoming more frequent. Between 2013 and 2014, the frequency of distributed denial of service attacks has roughly doubled. A sample of 70 attacks measured by the volume of data thrown at the victim has also increased sharply.5 The number of denial of service attacks continues to increase, although some experts predict that the intensity of each attack may go down because larger numbers of smaller attacks are harder for authorities to track down.

As the tools used by the attackers evolve to avoid detection and make attacking easier, the details of attacks change, but the concept of denial of service remains the same.6 As attack techniques evolve, strategies for evading attacks also evolve.

Botnets

Personal computing device users are more involved in denial of service attacks than they may think. Distributed attacks are often executed by systems called botnets, which run on the personal computing devices of unsuspecting victims.

Botnet is an elision of “robot” and “network.” A network of robots, or bots, is a botnet. Bots are devices, usually personal computers, that have been commandeered to do the bidding of a bot master. Bots are recruited using techniques such as phishing and drive-bys. See Figure 1-3.

Figure 1-3. Victim computers become bots under the control of the bot master

Bots receive orders from the master. Depending on the sophistication of the botnet, a bot may take only simple orders, or it may be able to execute complex programs.

The user often is unaware that their device has become a slave to the bot master. Bots are not always active, and when they are, the slave device may be slow and occasionally hang, but these symptoms can be explained by any number of conditions. Most bots can be detected and removed by anti-malware software, although the bot software changes frequently to evade detection.

Botnets can be huge. Some nets have had millions of users, although lately there is a trend to limit sizes to tens of thousands. The rationale is guessed to be that bot masters have decided many smaller nets are harder to detect and shut down than a single mega-net. Individual bots are relatively easy to detect and remove compared to taking down an entire botnet. The nets can be managed in intricate hierarchies, as peer-to-peer networks, or other patterns. Even the botnet servers may be installed on compromised devices to thwart pursuit of the bot master. Authorities may take down a botnet and see it reappear a few months or weeks later.7

Tracing a net back to its origin can be very difficult. When an Internet message arrives, the author and location of origin may be buried in the body of the message, but they are not a required part of the wrapper where the information necessary to send the message appears. The only thing required on the wrapper is an address for the recipient and an address for a return message.

An analogy with paper mail may help fix Internet communications in your mind. The post office requires some information on the envelope, but the contents of the envelope can be anything the sender wants, similar to the requirement that an Internet message wrapper must have an address and a return address, but the body can be anything. The required envelope information is an address that the post office will use to deliver the letter. The envelope can have a return address, but the letter will still be delivered if the return address is blank, incorrect, or deceptive. The Internet is similar. Messages must have a deliverable address. If the address is wrong, the message can’t be delivered. End of story. An origin address is also required. In this the Internet is tighter than the post office, which ignores absent return addresses; but the Internet is lax about the contents of the origin address. Like a return address, it can be deceptive. The lack of a requirement for a verified return address on paper letters has been the crux of many mystery novels about anonymous threats and blackmail, which is not far from what can happen on the Internet.

To further complicate Internet messages, Internet addresses are not like a street address. They are more like street directions for getting to the address. They can be simple and direct, or they may be complicated and intentionally difficult to follow. Even when the directions are simple and direct, pinning down the exact device that sent a message is often difficult or impossible because a group of devices may have the same address. For example, a home Wi-Fi network with several devices is usually seen from the outside as all having the same address. The home Wi-Fi router, which is plugged into an Internet feed, sorts out the addresses. These routers keep tables that they use to match incoming messages to the correct device, but these tables usually don’t stay around for long, so finding the exact match later may be impossible. People who want to be anonymous make sure the directions are excruciatingly difficult to follow and their tracks are wiped out instantaneously. Most networks work more or less this way. Botnets and hackers in general rely on the vagaries of Internet addressing to evade discovery.
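The Python sketch below is an added example, not part of the book. It models the table a home router keeps to match messages to devices, and shows why a trace that arrives late fails or points at the wrong device unless the router also kept a dated log. The router class, its two-minute idle timeout, its port numbers, and the addresses are constructed for the example.

```python
class HomeRouter:
    """Toy address-sharing home router (constructed for illustration)."""

    def __init__(self, public_ip, ports=range(40000, 40004), idle_timeout=120):
        self.public_ip = public_ip
        self.ports = list(ports)
        self.idle_timeout = idle_timeout  # seconds an unused table entry survives
        self.table = {}    # public port -> record; this is all most routers keep
        self.history = []  # dated log of every record; many routers keep none

    def _expire(self, now):
        """Forget table entries that have been idle longer than the timeout."""
        stale = [port for port, record in self.table.items()
                 if now - record["last_seen"] > self.idle_timeout]
        for port in stale:
            del self.table[port]

    def send(self, device_ip, now):
        """A device sends a message; return the address the outside world sees."""
        self._expire(now)
        for record in self.table.values():
            if record["device"] == device_ip:
                record["last_seen"] = now
                return self.public_ip, record["port"]
        free = [port for port in self.ports if port not in self.table]
        if not free:
            raise RuntimeError("no free public port")
        record = {"port": free[0], "device": device_ip,
                  "first_seen": now, "last_seen": now}
        self.table[free[0]] = record
        self.history.append(record)
        return self.public_ip, free[0]

    def table_lookup(self, public_port, now):
        """Which device holds this public port right now, per the live table?"""
        self._expire(now)
        record = self.table.get(public_port)
        return record["device"] if record else None

    def log_lookup(self, public_port, at_time):
        """Which device held this public port at a past moment, per the dated log?"""
        for record in self.history:
            if (record["port"] == public_port
                    and record["first_seen"] <= at_time <= record["last_seen"]):
                return record["device"]
        return None


def trace_scenario():
    """A laptop sends a message at t=0; someone tries to trace it later."""
    router = HomeRouter("203.0.113.5")
    laptop, phone = "192.168.1.10", "192.168.1.23"
    results = {"seen_outside": router.send(laptop, now=0)}
    results["asked_after_1_minute"] = router.table_lookup(40000, now=60)
    results["asked_after_10_minutes"] = router.table_lookup(40000, now=600)
    router.send(phone, now=610)  # the phone is handed the same public port
    results["asked_after_phone_sends"] = router.table_lookup(40000, now=620)
    results["dated_log_for_t0"] = router.log_lookup(40000, at_time=0)
    return results


if __name__ == "__main__":
    for question, answer in trace_scenario().items():
        print(f"{question}: {answer}")
```

After ten minutes the live table has no answer, and once the phone reuses the port it gives the wrong one; only the dated log still names the laptop.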

Botnets are used for several kinds of mischief. I’ve mentioned launching distributed denial of service attacks. Much of the Internet’s spam is distributed by botnets. Each bot sends out spam, combining into an avalanche of email. At some times, botnets have been estimated to generate from 10% to 20% of global email traffic. Besides launching distributed denial of service attacks, botnets can be used to provide the computing resources for cracking passwords or mining cyber currency like Bitcoin. The owners of botnets sometimes offer botnet services for sale on the same exchanges where credit card information is sold. Criminals with few computing or network skills can use these services to launch their own attacks.

Cyberwarfare

Cyberwarfare is a threat that individuals can do little to prevent but that puts all in danger. Cyberwarfare means surreptitiously entering the computer networks of another nation in order to do harm, spy, or steal information. Like many Internet threats, the possibility of waging cyberwarfare comes from the wide accessibility of the Internet. Cyberwarfare is fought with the same tools as a hacker attack.

Cyberwarfare can harm us in many ways. An attack on the power grid could leave part or all of the country without electricity. Industry and commerce would stop. An attack on the financial system would stop our debit and credit cards from working and reduce the stock and commodity markets to shambles, which could hinder the economy for years to come. Nuclear plants, oil pipelines and refineries, railroads, and air traffic are all vulnerable to cyberattack and disastrous industrial accidents; fires and crashes are sure to result. The effect could exceed the destructive power of an attack with nuclear weapons.

Cyberwarfare is also found in tactical military fights. For example, a cyber assault can blind defense radar systems to approaching air attacks. Cyberattacks can scramble battlefield communications networks. The potential uses are many, and most of them are probably secret.

Less open countries like China and North Korea are better prepared for cyber defense because their networks are more easily shut off from the outside world than more open countries like the United States. The first defense against a prolonged cyberattack is to shut off networks from the Internet. Open countries like the United States do not have mechanisms in place for isolating the entire country from the Internet quickly and easily.8

Also, in less developed countries, computer networks have a smaller role in industry and commerce. Control networks are little used in their utilities. In other words, less developed countries do not have extensive systems to defend.

A cyberwar places the highly developed nations in a lopsided position. An advanced country like the United States has great resources for launching cyberattacks, probably exceeding those of any other country, but they also have the greatest vulnerability because they make the most use of computer systems in their economy. In addition, their networks are largely privately owned. These private owners may not feel that cyber defense is their responsibility, but their networks are a logical point for defensive measures.

To be effective, a cyberattack relies both on computing access to critical systems and on knowledge of the workings of the content of the system. For example, an attack on a power grid requires knowing how to run the equipment that the computer system controls. Without that knowledge, the attacker won’t understand the effects of his attack, and instead of cascading blackouts that blanket the country, the whole attack may fizzle into a minor event. This applies to all infrastructure cyberattacks. Attacking a financial system, air traffic control radar, or petroleum pipeline pumps and valves all require knowledge of the system to be attacked if the attack is to be a success. Infrastructure knowledge may be as hard to obtain as the computing skills necessary to hack into adversary systems. Consequently, a complex infrastructure such as a power grid or pipeline may not be as vulnerable to cyberattack as it might appear.

Traditional military strategy has difficulty with cyberwarfare. A cyberenemy may not be detectable until long after the damage is done. It may be difficult to ever identify the enemy. During the Cold War, strategies were based on detecting and neutralizing enemy missiles and bombers before they could do damage. A cyberattack may begin long before any effects are seen. For instance, the attackers may stealthily place scripts or snippets of code in place months before the visible attack begins or a worm may be launched that slowly winds its way through the network, searching for vulnerable points. The attack itself may be undetectable: a series of flaming oil train crashes may seem to be unrelated until months later when an internal system review reveals hacked code in the railroad control system. All of this must present challenges to military strategists for whom a nuclear attack was unmistakable.

Misuses of Cyber Systems

Cybercrime is not limited to attacks on computing systems. The Internet and the applications that run on it, such as Facebook and email utilities, can be abused and cause as much or more harm than the most vicious hacker. According to the 2014 Internet Crime Report from the FBI, confidence fraud and business email compromise accounted for 140 million dollars in victim losses.9 These crimes do not involve hacking. They use email and other forms of Internet communications in a legal fashion for illegal schemes.

Cyberbullies

Humans bully each other all the time. The desire to push other people around and make them feel bad is a perennial characteristic of human nature. Bullying among children and teenagers appears in the news often. The Center for Disease Control estimates that in 2013, one in seven high and middle school students were bullied in school. They also estimate more students were bullied electronically: one in five.10

The effects of cyberbullying, especially among children and teenagers, are troubling. Teenage suicides have been attributed to cyberbullying. Suicide is the most extreme form of loss of self-esteem, but there are many lesser forms, such as declining grades, depression, acting out, and drug use. At the most extreme, mass killings, such as Columbine, are blamed in part on cyberbullying. Unlike physical bullying, cyberbullying often occurs in the victim’s home, which turns what should be a sanctuary into a crime scene.

Electronic or cyberbullying is a form of cybercrime that is quite different from data theft. Bullies do not invade systems by taking advantage of security weaknesses. Much of the time, bullies do the same things that ordinary computer users do: they send emails, they send messages, they post photographs on Instagram and Facebook. In doing these things, the bullies don’t break computer system rules or encroach into forbidden areas. Instead, they maliciously break social rules by using these innocent tools to cause pain and anguish to their victims.

Cyberbullying is easy; individuals weakly inclined toward injuring others can be drawn into acts that they would probably not perform if the effort and risk were greater. Physical bullying relies on the bully’s power, which may be from physical strength, economic advantage, social position, or other traits. Cyberbullying requires only malice.

Social media makes communication easier and more efficient than physical interaction. Opening a Facebook page and posting a photograph of your latest family gathering is easier than physically visiting each friend to present a photograph. Unfortunately, the same efficiency applies to bullying. Bullies can take embarrassing photos of their victims and broadcast them to hundreds of friends in seconds. Without much effort, the identity of the bully can be obscured from the victim and their cohort. The prevalence of cyberbullying is not surprising. Malicious uses subvert the good intentions of the developers of social media, which is an unfortunate irony.

Authorities also have more difficulty dealing with cyberbullying than physical bullying. In the old version of the schoolyard brawl, the hulking bully threatens his scrawny victim, the principal rushes out, separates the combatants, and sends the bully to detention. Cyberbullying is much different. The aggression is hidden on the network. If the victim does not tell, the authorities are likely not to find out. If the victim tells, the authorities have to investigate before they can act. Authorities may be eager to pursue the bully, but this investigation is not nearly as easy as the old-school walk across the school yard.

What can be done to avoid cyberbullying? Cyberbullying is behavioral, not technical. Technical solutions may help identify bullying patterns in the use of computers and networks and help find the bully, but technical solutions are unlikely to prevent bullying. Most social media, such as Facebook, offer to remove objectionable material and restrict or ban users who don’t conform to published community standards. However, cyberbullies can conform to social standards and still hurt their victims.

Changing a social pattern is not like tightening security on a financial site or patching a flaw in a browser. Successful anti-bullying campaigns in schools or communities usually involve raising awareness of the problem and convincing victims to seek help instead of suffering in silence. The same applies to cyberbullying. If all cyberbullying victims realized that help is available, and managers and administrators can move to neutralize the bully, far less cyberbullying would occur. Some bullies will be clever enough to circumvent any barriers to abusive activity. Without the cooperation of the victim in spotting abuse, little can be done. This can be accomplished only when potential victims know what bullying is and how to find help. This applies especially to children and young people.

Social Media Abuses

Social media is one of the wonders of the Internet. Services like Facebook bring families and friends together and provide a communication channel for community organizations and governments. Unfortunately, the qualities that make social media effective and desirable to ordinary users also attract cybervillains.

Social media, such as Facebook, Google+, Pinterest, Instagram, Twitter, and others assume that people are sincere and well-intentioned. That is as true for most social media users as it is in life. But there are exceptions, and when the sample is large, the number of exceptions is also large. Facebook has around a billion users11 and Twitter has over 300 million users.12 If one in a thousand users are bad eggs, Facebook has a million and Twitter has 300,000 bad ones.

The bad eggs who want to maneuver in the background and avoid being identified like electronic social media. Anonymity is easy in electronic communications. A user can take on different personas to suit their purposes. Impersonation, using another person’s identity or shapeshifting, is not difficult. There are legitimate, or at least innocuous, reasons to be a shapeshifter on Facebook or Twitter, but shapeshifting also can cover up crime or vicious behavior. An impersonator can damage or destroy the reputation of the person impersonated. A shapeshifter can commit mayhem and disappear into another persona.

Geography means little on the Internet. Delivering a message from a block away can take longer than a message from the other side of the planet. Although some nations attempt to limit traffic in and out of their country, the Internet has no borders. An ordinary user has no easy way of finding the geographical origin of a message, and there are ways of hindering even forensic experts from finding the origin of a message. Geographic obscurity is a boon to miscreants. A scurrilous post on a Facebook timeline that appears to be from a hometown local could be from anywhere: Eastern Europe, South America, West Africa, anywhere. Unless someone tries to ferret out the origin of the message, no one will ever know where it came from. And even a smart cyberferret cannot guarantee that the origin will be found.

The anonymity and ignorance of location are in the design of the Internet. When the Internet was developed, an important goal was to connect existing networks into the Internet with minimal changes to their configuration. This was to promote rapid and wide expansion of the Internet. Requiring a verified identity and location of the sender would have complicated the interface between networks. Consequently, geography and authenticated identity are not part of the Internet’s design.

Social media attracts users because social ties are built and reinforced on the media. Distant relatives can be brought into family events. Acquaintances can converse and become real friends. With the casual exchange of images and communication, trust is easy to establish.

The combination of anonymity, ease of impersonation, and easily obtained trust with little oversight and few rules is an ideal environment for gulling the unwary. Predators of every stripe love a communication channel like Facebook, which gives them access to over a billion trusting users. They can hide behind a fake persona and not reveal their location. A grizzled and tattooed convicted felon can plausibly impersonate a 6-year-old girl. If he is good at mimicking the mannerisms of a little girl, his deception can go undetected and he is free to use the guise of an innocent to indulge in mischief and mayhem. This kind of deception, which is possible on all forms of social media based on the Internet, including chat rooms, provides opportunities for many varieties of troubling activities.

At the least destructive end of the spectrum are trolls who deceive, insult, and disrupt discussions. Some trolls are genuine cyberbullies; others are only distracting and annoying grumps. At best, they ignore the rules of social discourse and are distracting and annoying. At worst, they bully their victims with insults.

Other mild forms of social media abuse are phony reviews of various kinds. Businesses get bad reviews from competitors and biased good reviews are submitted by proprietors and their friends. Retail sites like Amazon have to deal with both bogus good and bad reviews. Some shady businesses offer reviews in bulk for a fee. These scams rely on the anonymity and openness of the Internet.

There are many lucrative and elaborate scams. An often-reported and lucrative Internet crime in 2014 was automobile fraud. The fraud commonly begins on a website or a solicitation from an acquaintance on social media or via email. The fraudster offers to sell an auto at an attractive price, probably an unreasonably low price. The fraudster explains that he is in the armed forces, about to be sent overseas, and needs quick money, or some similar story tailored to evoke incautious empathy. The victim transfers the money, perhaps by wire transfer or Western Union. The vehicle never materializes and the fraudster disappears into cyberspace. Per the FBI, this was a common Internet fraud in 2014. Almost 1,800 victims lost a total of 56 million dollars.13 And that is reported victims, which could be lower than the actual number of victims.

Sinister organizations like the Islamic State of Iraq and Syria (ISIS) or other hate groups use social media to promote and recruit because social media is an effective vehicle for any kind of subversive activity. The dilemma is that subversion and legitimate dissent are not easily differentiated. This dilemma is a challenge to a democratic and free society like the United States. Dangerous, subversive groups are hard to distinguish from legitimate dissenters. Both subversion and suppression of dissent threaten democracy. Consequently, protecting legitimate social media users and preventing misuse of social media at the same time is difficult.

Social media is subject to the same techniques as other Internet services. A link on Facebook can be as dangerous as a link anywhere else. A click on a social media site that leads to a page that requests confidential information like passwords or credit card numbers is likely to be harmful. Pages can also deposit drive-by malware that opens your device to the hacker or performs other mischief. Caution is advised. Later, I will talk about how to avoid and deal with this type of threat.

Where Are We?

Has this chapter scared you? I hope so. Cybersecurity is very serious. Cybercrime can harm individuals profoundly. Life savings can be lost. A stolen identity may plague a victim for decades. Spam may be only an annoyance, but when it is a phishing expedition or an attempt to deposit malware on your computer, it can do serious damage.

Public wireless networks are convenient, but they also harbor grave dangers.

Social media has enhanced our lives, and has made us vulnerable to bullies and scammers.

Cyberwarfare is another worry. I happen to believe that cyberwarfare is a more dangerous threat than the terrorism that has captured public attention. Highly industrialized countries are more vulnerable than under-developed countries. The under-developed countries may lack expertise, but expertise can be developed or bought. Unorganized hackers with few resources do damage every day. What can a well-organized and funded military group do?

What can we do to protect ourselves?

Footnotes

1 CBS. “These Cybercrime Statistics Will Make You Think Twice About Your Password: Where’s the CSI Cyber team when you need them?” March 3, 2015. www.cbs.com/shows/csi-cyber/news/1003888/these-cybercrime-statistics-will-make-you-think-twice-about-your-password-where-s-the-csi-cyber-team-when-you-need-them -/. Accessed December 2015.

2 See Taylor Armerding, CIO, February 16, 2012. www.cio.com/article/2399262/data-breach/the-15-worst-data-security-breaches-of-the-21st-century.html . Accessed December 2015.

3 Phil Ducklin. “Internet of Things- do you really need a kettle that can boil your security dry?” Naked Security. October 10, 2015. https://nakedsecurity.sophos.com/2015/10/20/internet-of-things-do-you-really-need-a-kettle-that-can-boil-your-security-dry/ . Accessed December 2015.

4 Alexandra Burlacu. “Experts Warn It Just Takes 10 Seconds To Hack Fitbit Fitness Trackers: Here’s Fitbit’s Response.” Tech Times. October 24, 2015. www.techtimes.com/articles/98427/20151024/experts-warn-it-just-takes-10-seconds-to-hack-fitbit-fitness-trackers-heres-fitbits-response.htm . Accessed December 2015. Fitbit denied that the hack can do damage. Let’s hope that they are working on a fix. They would not be the first to stick their head in the sand and hope the problem goes away.

5 See Arbor Networks. “Arbor Networks 10th Annual Worldwide Infrastructure Security Report Finds 50X Increase in DDoS Attack Size in Past Decade.” www.arbornetworks.com/news-and-events/press-releases/recent-press-releases/5351-arbor-networks-10th-annual-worldwide-infrastructure-security-report-finds-50x-increase-in-ddos-attack-size-in-past-decade . Accessed December 2015.

6 See Akamai Technologies, Inc. “State of the Internet Security Report Q3 2015.” www.stateoftheinternet.com/downloads/pdfs/2015-cloud-security-report-q3.pdf . Accessed December 2015.

7 For an overview of the size and resilience of botnets, see Karl Thomas, “Nine Bad Botnets and The Damage They Did,” February 25, 2015. www.welivesecurity.com/2015/02/25/nine-bad-botnets-damage/ . Accessed December 2015.

8 Countries that are able to shut off the outside world have their own vulnerabilities. They may be isolated against their will by a hostile attack on their gateways. A country, active in international business, such as China, shut off from online business contact with their international partners by a hostile cyberforce could be economically devastated.

9 See Federal Bureau of Investigation, Internet Crime Complaint Center, 2014 Internet Crime Report. www.ic3.gov/media/annualreport/2014_IC3Report.pdf . Accessed December 2015. p. 47.

10 Center for Disease Control. Bullying Fact Sheet. www.cdc.gov/violenceprevention/pdf/bullying_factsheet.pdf . Accessed December 2015.

11 See http://newsroom.fb.com/company-info/ . Accessed December 2015.

12 See https://about.twitter.com/company . Accessed December 2015.

13 See Federal Bureau of Investigation, Internet Crime Complaint Center, 2014 Internet Crime Report. www.ic3.gov/media/annualreport/2014_IC3Report.pdf . Accessed December 2015. p. 41.
