BY JOHN D’AMICO
On December 25, 2011, Garicchi, a tech blogger and self-described Windows enthusiast, saw his inbox flooded with alerts. In his sent mail folder were recorded scores of virus-laden messages sent off without his knowledge to every person on his contact list. His account—and all the personal information on it—was completely compromised. When he began his blog post with the words “This was the absolutely worst Christmas ever,” he echoed the sentiments of many around Japan who found themselves victims of a series of cyber-attacks on Google Mail accounts that morning.
Until July 2011, Japan had no legislation on its books to prevent or prosecute cyber-attacks in the country. Now, the government can seize data of any kind from a computer suspected of affiliation with a cyber-attack, a potential opportunity for gross abuse of police authority. Yet the recent cyber-attacks raise questions regarding the success of both Japanese and international regulations. David Thaw, a fellow at the Information Society Project at the Yale Law School and an expert on cybercrime, noted that “the problem is one of metrics—how do we determine a means of measuring effectiveness?”
The methods behind everyday cybercrime help ensure the near impossibility of tracing, let alone cracking down on, offenders. A variety of popular techniques exist for hacking into email accounts, ranging from simply guessing the password to somewhat more sophisticated “dictionary attacks,” which choose from a preselected list of likely words in order to find the password. Garicchi, however, suspected the crime arose from the free hotel Wi-Fi he connected to the day before. According to him, “intruders could much more easily gather relevant account information through an unsecured network.” Iwakawa Yoshifumi, another tech-savvy blogger caught up in the recent cyber-attacks, hypothesized that the hackers gained access “via other website accounts with the users’ personal information on it,” exploiting the fact that people generally reuse passwords from account to account.
After accessing a few accounts, the hackers spammed the address lists of their victims with links which, when clicked on, would automatically hijack the recipient’s account. While it seems like common sense to avoid suspicious links in emails, the hijacking cases spread faster and faster throughout the end of December. Professor Thaw’s succinct explanation: “Yes, people are just that stupid.”
With bloggers swapping radically different theories about the original cause of the attacks, and with hijacking more or less occurring through self-propagation past the first few intrusions, it is no wonder that law enforcement finds it difficult to investigate even the most minor cybercrimes. Further complicating the story, virtually every victim traced the illegal access to a different source, although most came from cities within America. Attacks arrived by way of computers in Mountain View, California; East Rutherford, New Jersey; Bellevue, Washington; and many other cities. Since hackers can disguise their original location through such proxies with ease, the level of transnational coordination involved often makes enforcement by any one country alone too burdensome to pursue.
Yet the question remains—why did these hackers bother at all? After all, the moneymaking potential of the attacks pales in comparison to more newsworthy raids on corporations like eBay. Still, as the blogger Iwakawa pointed out, the connections between email accounts and a wide variety of other services “magnifies the scope of damage [and profit] of an account hijacking considerably.” Through the email account itself and any connected accounts, hackers can gain potentially valuable personal and financial data, such as credit card numbers or bank account information. Because the attacks can self-propagate, they bear little risk or cost and largely go under the radar of mainstream enforcement. As Professor Thaw stated, “The probability margins [of profit] are incredibly small, but the marginal cost of execution is even smaller,” making such hijackings low-risk and, in the long run, potentially lucrative.
Rather than worry about punishing the cyber-attackers, the Japanese blogosphere is focusing primarily on the prevention of future attacks. As national boundaries are blurred by the interconnectivity of online interaction, new responses to the issue of cyber-attacks will have to focus on how to coordinate international efforts to hold cybercriminals accountable for their actions. Given the ambiguity surrounding even the most basic of cyber-attacks, effective countermeasures will take time to develop.
John D’Amico ’15 is in Pierson College. Contact him at john.c.damico@yale.edu.