This Story is Based on Actual Events
Everything described below actually happened to colleges, universities, and a member of the North Atlantic Treaty Organization (NATO) during the first five months of 2007. To the extent that fictional names correspond to real persons living or dead, this is purely satirical or coincidental.
Note: If this story starts scaring you too much, remind yourself that most criminals aren't this smart, and conspiracies are really hard to keep secret. With obvious exceptions, intelligent people also tend to be ethical people.
Part I: Al Connects to an Open Wireless Network
It is a dark and stormy night at the airport.
Al, a Music and Cinema double major at Puzo College, is waiting for his midnight flight to Georgia. He opens his laptop, intending to watch The Freshman, which he has legally downloaded from Amazon. He notices a popup message about "Free Public WiFi." He clicks "OK" to confirm that he really wants to connect to an unknown, insecure network. It's slow, but it works! Al spends 45 minutes online with no further security warnings, checking email and logging on to Facebook, where he has hundreds of friends.
The criminal who controls the wireless network in the airport reads Al's email, researches Al's family and Facebook friends, and plans his next move.
Part II: Bruno Receives a Curious Phone Call in the Day Time
Bruno, an accountant in the Puzo College Comptroller's Office, receives a phone call from Al's mother, charging that lax procedures at Puzo must have led to the theft of her son's identity. The conversation does not go well, in part due to Al's mother's thick accent, and she demands to speak to a supervisor. Bruno explains that his supervisor is in a meeting, but provides her name, phone number, and email address. He warns his supervisor that an angry parent is going to call or email her about some alleged identity theft issue.
Part III: Comptroller Sofia Opens the Expected Email
Sofia Coppola, Puzo College's Comptroller, receives an email from Al's mother. Attached is a Microsoft Word file complaining about something, but no one can make sense of it. Sofia replies to the email message, expressing confusion, but carefully avoiding outright denial, as Al's father owns a major television network and is being solicited by the Office of Development.
Days pass with no reply.
Sofia looks up the student's home number and reaches Al. Al is not aware of any problem. He promises to talk to his mother and straighten things out. He wonders why his mother, a local television anchor with only the slightest hint of a Southern accent, would be hard to understand, but he is not terribly concerned. After all, Sofia Coppola herself has a strong Italian accent.
Part IV: Don Notices Some Money Missing
Meanwhile, $4,999 is transferred from Puzo College to banks in foreign countries whose diplomatic relations with the US are poor. Eleven staff and faculty report small, unauthorized charges to their College credit cards. A twelfth staff or faculty member accidentally clicks "OK" to confirm all charges as valid. Don, Puzo College's Vice President and Treasurer, calls the President at home, and advises him to cancel a major fund-raising trip in order to help deal with the current crisis. The Director of IT flies home early from a computer security conference in Denver.
Part V: Emilio Takes His Cut, Cannot Rat Out, and Goes to Jail
Emilio, a student at Eastern College, who previously responded to an email solicitation for "interns" to act as "secret shoppers," is sent a portion of the money stolen from Puzo. His supervisor instructs him to purchase items from specific web sites and mail them to a PO box in another state, where another unwitting accomplice re-packages the goods and mails them again. Emilio is subsequently arrested by the FBI and charged with money laundering. He is unable to help law enforcement identify his "supervisor," and goes directly to jail before he can spend his $200 share of the money.
Part VI: Frank Enjoys the Music, Invades Estonia in His Spare Time
Frank Ford, the criminal mastermind behind all this, is listening to September of My Years, purchased from iTunes with a Puzo credit card, on the new stereo that Emilio bought for him with Puzo's endowment, which Puzo College does not yet realize has also moved overseas. Frank is happy; he finally has enough cash to move out of his mother's apartment in Brooklyn and buy a small house in downtown Manhattan.
There is a loud knock on the door. The music stops.
It is a message from Gennady Girsanov, the former KGB officer turned Russian crime boss, with whom Frank has had some minor dealings. Gennady has heard that Frank, who previously dabbled in drugs and small-scale money laundering, has recently branched out into computers. Gennady has an offer that Frank can't refuse. Use his newly acquired contacts in the computer underground to disrupt the Estonian economy, or never see his girlfriend Kay again.
No problem! Frank uses Sofia's computer, joined by many of Al's Facebook friends and tens of thousands of others in a robot army commonly referred to as a botnet, to mount a distributed denial of service attack that effectively disconnects the entire nation of Estonia from the Internet. Neither Frank nor Gennady is ever brought to justice, but their exploits are so successful that their May 2007 attack on Estonia is covered in the New York Times.
Meanwhile, back in Georgia, Al's media-savvy family follows the news from Estonia closely. They wonder how even a nation-state as powerful as Russia could get away with such a bold and sustained attack. They have dinner, talk about current events, and then Al and his dad sit down on the couch to watch a pirated copy of Syriana on Al's computer. A virus left on Al's computer connects to a server in Brazil under Frank's control and receives instructions to continue the attack on Estonian government web sites. The virus spreads to Al's father's computer, and collects the saved password for his brokerage account.
Frank and Kay, stressed out by this experience, elope to Minnesota, get jobs in the previously owned vehicle industry, and live happily ever after until 2009, when Frank mentions Gennady's name and suffers a mysterious ailment.
One: The "Free Public WiFi" Spoofing Attack
Only connect to public wireless networks recommended by a trusted party. Never connect to an unfamiliar wireless network.
Criminals operate "Free Public WiFi" networks at airports and other public locations. They install a "monkey in the middle" (man-in-the-middle) server on their wireless network, intercepting your requests and relaying them to the real server so that you can't tell that the monkey is there. Only the most vigilant and security-aware user would have any inkling that the monkey in the middle has copied your password and other personal information. (Confidential to security experts: No, neither SSL nor SSH necessarily protects against this. Both only help if you refuse to proceed past a certificate or host-key warning, and most people click right through it.)
Under certain circumstances, well-prepared criminals can even take over your computer based on security vulnerabilities in wireless drivers alone, even if you don't connect to their network. If your laptop contains sensitive information, turn off your wireless antenna when not in use. Some HP, IBM/Lenovo, and other laptops have a physical on/off switch for this purpose. For College-issued ThinkPad T43s, use the Fn-F5 key combination.
Two: The Pretext Call
Bruno's call in Part II is a pretext call: the caller invents a plausible story in order to extract a name, a direct phone number, and an email address, so that the follow-up message arrives looking expected. Even without the reconnaissance on the airport network, a criminal like Frank might succeed with a phony complaint from a vendor, or a phony complaint from the Better Business Bureau, or a phony message claiming to be from the IT department.
Three: The Trojan Horse Email Attachment
In 1995, a predecessor to ITS News carried an article debunking the "Good Times Virus" hoax. It is absurd, the article stated, to suggest that a simple email message with a particular subject line could take over your computer.
A few years later, the ILOVEYOU virus was released. Distinguished by its subject line, which email administrators worldwide scrambled to add to security filters, the script attached to the message took over certain email programs, mailed itself to everyone in the address book, and overwrote files.
Today, Microsoft Word, Excel, PowerPoint, PDF, and RTF files can include computer viruses. Certain techniques may be effective even if your system, application, and antivirus software is completely up to date.
If you have any doubt that an attachment, electronic postcard, or instant message is really from a friend, pick up the telephone or write an email to confirm. Don't follow unsolicited links to web sites. Depending on your web browser, merely visiting the site could be enough to allow infection.
If you currently use GroupWise for email, the "QuickViewer" (Control-Q) is both more secure and faster for opening common file types. You could be infected if you open suspicious attachments in programs such as Microsoft Word.
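A small check that supports the "don't follow unsolicited links" advice above. This is an added example, not code from the original article or from Carleton ITS; the sample message and the list of trusted domains are constructed, and the three heuristics (visible text naming one site while the link goes to another, a raw IP address as the destination, and a lookalike of a trusted domain) are illustrative rather than a complete phishing filter.

```python
"""Spot deceptive links in an HTML message before anyone clicks "just to see".

Added example, not from the original article. SAMPLE and TRUSTED are
constructed; the heuristics are illustrative, not a full phishing filter.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Visible text that a reader would take for a web address (assumed heuristic)
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def host_of(s):
    """Lowercased hostname of a URL or bare domain; '' if there is none."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def suspicious_links(html, trusted_domains):
    """Return (href, visible text, reason) for links that should not be clicked."""
    p = LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        real = host_of(href)
        shown = host_of(text) if LOOKS_LIKE_URL.match(text) else ""
        if IP_HOST.match(real):
            findings.append((href, text, "destination is a raw IP address"))
        elif shown and shown != real and not real.endswith("." + shown):
            findings.append((href, text, f"text says {shown} but link goes to {real}"))
        elif any(t in real and real != t and not real.endswith("." + t)
                 for t in trusted_domains):
            findings.append((href, text, f"lookalike of a trusted domain: {real}"))
    return findings


# Constructed sample message (198.51.100.23 is a documentation-only address)
SAMPLE = """
<p>Your account will be suspended. <a href="http://198.51.100.23/login">Verify now</a></p>
<p>Or visit <a href="http://carleton.edu.example.net/">https://www.carleton.edu/</a></p>
<p>Questions? See <a href="https://www.carleton.edu/its/">www.carleton.edu/its</a>.</p>
"""
TRUSTED = ["carleton.edu"]  # assumed list of domains the reader actually uses

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE, TRUSTED):
        print(f"DO NOT CLICK {href!r} ({text!r}): {reason}")
```

The third link in the sample is genuine and is not reported; the first two are flagged for different reasons, which is the point: a link's visible text tells you nothing about where it goes.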
Four: The Theft Itself
The security of your bank and credit card accounts does not depend on the secrecy of your account numbers. Ponder the origin of the phrase "checks and balances." Review your financial statements. If caught early enough, illegitimate charges can be reversed. Once international money orders have cleared, however, the money is gone. Imagine trying to get Chinese, American, Venezuelan, Pakistani, and Indian law enforcement agencies to cooperate to catch a thief who is smart enough to steal only a few thousand dollars at a time.
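Reviewing statements is easier when the two patterns from Part IV are checked mechanically: transfers sized to slip just under an approval threshold and sent abroad, and one merchant putting tiny "test" charges on several different cards within a short window. The following is an added example, not code from the original article or from Carleton; the ledger rows, the $5,000 approval threshold, the $50 margin, the $10 small-charge ceiling, and the 48-hour window are all assumptions chosen for illustration.

```python
"""Flag the two theft patterns from Part IV in a simple transfer/card ledger.

Added example, not from the original article. Thresholds and the ledger
format are assumptions for illustration; LEDGER is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

APPROVAL_THRESHOLD = 5000.00   # assumed: transfers at/above this need a second signature
NEAR_MARGIN = 50.00            # assumed: flag amounts within this much below the threshold
CARD_TEST_MAX = 10.00          # assumed: ceiling for a "small" charge
CARD_TEST_MIN_CARDS = 3        # assumed: distinct cards hit by one merchant
CARD_TEST_WINDOW = timedelta(hours=48)

# Constructed ledger: (timestamp, kind, account, counterparty, country, amount)
LEDGER = [
    ("2007-03-12 09:14", "transfer", "OPERATING", "Acme Supply Ltd", "US", 12500.00),
    ("2007-03-13 16:02", "transfer", "OPERATING", "Sunrise Trading", "VE", 4999.00),
    ("2007-03-13 16:40", "transfer", "OPERATING", "Sunrise Trading", "PK", 4999.00),
    ("2007-03-14 02:11", "card", "CARD-0412", "WEBSHOP-7731", "US", 1.99),
    ("2007-03-14 02:13", "card", "CARD-0077", "WEBSHOP-7731", "US", 2.49),
    ("2007-03-14 02:15", "card", "CARD-1190", "WEBSHOP-7731", "US", 1.00),
    ("2007-03-14 11:30", "card", "CARD-0412", "CAMPUS BOOKSTORE", "US", 84.10),
    ("2007-03-15 08:00", "card", "CARD-0233", "COFFEE CO", "US", 3.25),
]


def parse(ledger):
    """Turn ledger tuples into dicts with a real datetime."""
    return [dict(ts=datetime.strptime(t, "%Y-%m-%d %H:%M"), kind=k, account=a,
                 counterparty=c, country=co, amount=amt)
            for t, k, a, c, co, amt in ledger]


def near_threshold_foreign_transfers(rows):
    """Outgoing transfers just under the approval threshold, sent to a non-US bank."""
    return [r for r in rows
            if r["kind"] == "transfer" and r["country"] != "US"
            and APPROVAL_THRESHOLD - NEAR_MARGIN <= r["amount"] < APPROVAL_THRESHOLD]


def card_testing_merchants(rows):
    """Merchants that hit several different cards with tiny charges inside one window."""
    by_merchant = defaultdict(list)
    for r in rows:
        if r["kind"] == "card" and r["amount"] <= CARD_TEST_MAX:
            by_merchant[r["counterparty"]].append(r)
    flagged = {}
    for merchant, hits in by_merchant.items():
        hits.sort(key=lambda r: r["ts"])
        # Sliding window: from each charge, count distinct cards charged within the window
        for i, first in enumerate(hits):
            window = [h for h in hits[i:] if h["ts"] - first["ts"] <= CARD_TEST_WINDOW]
            cards = {h["account"] for h in window}
            if len(cards) >= CARD_TEST_MIN_CARDS:
                flagged[merchant] = sorted(cards)
                break
    return flagged


def review(ledger=LEDGER):
    """Run both checks and return what a reviewer should look at first."""
    rows = parse(ledger)
    return {
        "near_threshold": [(r["counterparty"], r["country"], r["amount"])
                           for r in near_threshold_foreign_transfers(rows)],
        "card_testing": card_testing_merchants(rows),
    }


if __name__ == "__main__":
    for check, result in review().items():
        print(check, result)
```

The legitimate $12,500 payment is not flagged because it went through the approval step; the two $4,999 transfers and the merchant that charged three different cards a dollar or two apiece in four minutes are. Catching them on the day they post, rather than at month end, is what makes reversal possible.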
Five: The Mule
The term "mule" is used in both drug smuggling and money laundering contexts to describe people who help transport contraband, often unknowingly, for little reward. College students are popular as unwitting accomplices for certain kinds of financial crime. They tend to have good Internet access, spare time, and a need for money.
It is no exaggeration to say that there are cases where innocent college students have been used to relay money for really scary people. They might not even be stealing money from you; use of your bank account as a trans-ship point for further money laundering is often all they want.
Six: Don't Let the Really Scary People Affect Your Life
These are very serious issues, and it is entirely accurate to say that it all begins with a freshman connecting to an open wireless network.
The world of computer security is ultimately about Really Scary People (RSP) and other three letter acronyms (TLAs). Personally, I've received my share of hate mail from criminals, but I have always been two steps removed from anything deadly serious. If you are reasonably aware of and diligent in following some simple computer security precautions, this shadow world need have no more impact on your life than any other monster under the bed.
Has This Happened at Carleton?
As far as I know, no activity of this level of sophistication has been detected at Carleton. However, similar things have been happening at other colleges, universities, Fortune 100 corporations, small businesses, government offices, and military installations for years.
The threat is real. Please contact your technology support person if and only if you believe you may have already been victimized.
Things To Remember
- If an offer sounds too good to be true, it probably is
- Keep your software up to date, including antivirus software and wireless drivers
- Versions of the Mozilla Firefox web browser older than the current release are unsafe and must be updated; if you still have a version of Firefox older than 1.5, you need to download Firefox from Mozilla.com, uninstall the old Firefox (don't worry, you will not lose bookmarks/preferences), and do a fresh installation
- Please avoid sending email messages with HTML or Microsoft Word formatting if plain text is adequate to convey the same information; plain text is more secure, more compatible, and more accessible to people with disabilities
- Do not click on links in unsolicited email messages or instant messages, even "just to see" what the scam artist is "trying" to get you to do; clicking the link might be it
- Check your credit report at least twice per year; you have a right to review it free of charge three times per year, once from each major credit reporting agency
- Avoid signing up for credit scoring or credit monitoring services; if you follow the advice above, there is seldom any need, and some credit monitoring programs are themselves scams, or introduce security risks of their own
If You Believe That You Have Been Victimized...
- Don't panic; financial and other systems have abundant checks and balances that protect you even after your information has been compromised
- Unplug the network (not power) cable from the back of your computer, or disable your wireless connection
- Avoid doing anything else on your computer; you might disturb electronic evidence
- Seek out competent technical assistance; in most cases, this is the SCIC or your ITS coordinator, but in the event of active and continuing attacks only, systems and networking staff may be alerted via abuse at carleton dot edu
- Once you have calmed down enough that your memory will be reliable, go to a different computer and change your passwords, especially passwords for online banking
- If information useful for identity theft has been exposed, such as your name and social security number or bank account details, review this advice from the FBI and the US Federal Trade Commission's publication "Identity Crisis: What to Do If Your Identity is Stolen."
– Rich Graves is the senior unix and security administrator at Carleton. Rich, whose ancestors hail from the Friuli-Venezia Giulia region, enjoys Sicilian style pizza and bakes ciabatta at his Northfield home.
The text of the work "Computer Security & You: A Real Nightmare" is licensed under a Creative Commons Attribution-Noncommercial 3.0 License. Attribution to Rich Graves of Carleton College is requested. The form of the attribution (hyperlink to original, acknowledgment in the text) is up to you.