
Anonymous Threatens Mexico’s Murderous Drug Lords

A ruthless campaign of killing, extortion and kidnapping by Mexico’s powerful Zetas drug cartel has created plenty of enemies, from the Mexican government to paramilitary vigilantes to rival cartels. But now the Zetas have a new adversary: the hacker collective Anonymous.

In a video uploaded Oct. 6, an Anonymous spokesperson said that unless the Zetas release one of the group’s members, the group will reveal the photos, names and addresses of Zetas-affiliated cops and taxi drivers. (The member was allegedly kidnapped in the western coastal city of Veracruz during an “Operation Paperstorm” demonstration.) Anonymous also threatened to out journalists accused of “crapping on honest authorities like the army and the navy,” the spokesperson said.

“For the time being, we won’t post photos or the names … of the taxi drivers, the journalists or the newspapers nor of the police officers, but if needed, we will publish them including their addresses, to see if by doing so the government will arrest them,” the spokesperson added.

Anonymous started out as a decentralized network of online griefers. But they’ve grown increasingly political, targeting websites ranging from Visa and Mastercard (for their alleged financial blockade of WikiLeaks) to a consultancy firm linked to the U.S. military. In October, they took aim at the underground child pornography network Lolita City, and hackers linked to the group leaked personal information from the servers of the International Association of Chiefs of Police and the Boston Police Patrolmen’s Association. Perhaps most importantly, Anonymous has provided support to the Occupy movement.

Last week, Anonymous followed up its threat to the Zetas by defacing the website of former Tabasco state prosecutor Gustavo Rosario Torres, accused by anti-crime activists three years ago of discussing a $200,000 cocaine deal with a deputy on audio tape. With a Halloween background, a message splashed above the group’s signature on Rosario’s homepage read: “Gustavo Rosario is Zeta.”

This wasn’t the first time Anonymous weighed in on the shady and rumor-filled world of Mexican political corruption. One month ago, the group launched a distributed denial-of-service attack on the state of Veracruz’s official website following speculation the recent election campaign of Veracruz governor Javier Duarte received funding from the Zetas.

Revealing Zetas associates, however, is a different matter than flooding a state website. And the Zetas have a history of making their online critics pay.

In September, the Zetas hanged two people from a pedestrian overpass in the border city of Nuevo Laredo with threats against bloggers written on a nearby banner. A week later, a contributor to social media site Nuevo Laredo en Vivo was found decapitated.

According to private intelligence firm Stratfor: “Loss of life will be a certain consequence if Anonymous releases the identities of individuals cooperating with cartels. Whether voluntarily or not, cooperating with criminal cartels in Mexico comes with the danger of retribution from rival cartels.”

This is a problem. At the very least, it’s worth noting that taxi drivers working as lookouts or mules for the cartels does not mean the drivers do so willingly. As targets for extortion, exposing their identities could mean deadly reprisal attacks, such as what occurred during a wave of violence in the resort city of Acapulco in February that left a dozen taxi drivers and their passengers dead — some decapitated by machete-wielding assassins as their cars were set ablaze.

Even worse, provoking the Zetas could lead to further attacks against social media users unrelated to Anonymous.

“Anonymous activists can threaten to reveal information about cartels or launch cyberattacks,” Stratfor says. “But even if the cartels cannot track down the individuals directing cyberattacks or releasing information, the cartels will continue to commit acts of violence meant to warn the online community about such activities.”

In other words, if Anonymous follows through (assuming they’re not just bluffing) then writing about the drug war could become even more dangerous for Mexican bloggers — and wearing a Guy Fawkes mask on a Mexican street might just become a death warrant.

Hacker Group Anonymous Aims To Destroy Facebook on Nov. 5

Hacktivist group Anonymous vows to “kill Facebook” on November 5, citing users’ lack of choice in privacy as its reason for attack.

Update: Anonymous confirmed via a tweet that while some of its members are organizing the upcoming attack against Facebook, the hacker organization as a whole does not necessarily agree with the attack.

The group of hackers has claimed participation in just about every recent notable hacking attack of this year and successfully broke into 70 law enforcement websites and took down the Syrian Ministry of Defense website this week alone.

This recent interest in Facebook, despite a slew of privacy concerns raised against the social network since its founding, may be a result of Anonymous’s recent announcement that it plans to create its own social network, called AnonPlus. After the group’s Google+ account, called “Your Anon News,” was banned, it began fleshing out AnonPlus.com, “a new social network where there is no fear … of censorship … of blackout … nor of holding back.”

Below is a video and statement released by Anonymous explaining the reason for its upcoming battle with the world’s largest social network. Let us know your thoughts on the group’s statement in the comments below.

Anonymous Statement

Attention citizens of the world,

We wish to get your attention, hoping you heed the warnings as follows:
Your medium of communication you all so dearly adore will be destroyed. If you are a willing hacktivist or a guy who just wants to protect the freedom of information then join the cause and kill facebook for the sake of your own privacy.

Facebook has been selling information to government agencies and giving clandestine access to information security firms so that they can spy on people from all around the world. Some of these so-called whitehat infosec firms are working for authoritarian governments, such as those of Egypt and Syria.

Everything you do on Facebook stays on Facebook regardless of your "privacy" settings, and deleting your account is impossible, even if you "delete" your account, all your personal info stays on Facebook and can be recovered at any time. Changing the privacy settings to make your Facebook account more "private" is also a delusion. Facebook knows more about you than your family.

http://www.physorg.com/news170614271.html
http://itgrunts.com/2010/10/07/facebook-steals-numbers-and-data-from-your-iphone/

You cannot hide from the reality in which you, the people of the internet, live in. Facebook is the opposite of the Antisec cause. You are not safe from them nor from any government. One day you will look back on this and realise what we have done here is right, you will thank the rulers of the internet, we are not harming you but saving you.

The riots are underway. It is not a battle over the future of privacy and publicity. It is a battle for choice and informed consent. It's unfolding because people are being raped, tickled, molested, and confused into doing things where they don't understand the consequences. Facebook keeps saying that it gives users choices, but that is completely false. It gives users the illusion of and hides the details away from them "for their own good" while they then make millions off of you. When a service is "free," it really means they're making money off of you and your information.

Think for a while and prepare for a day that will go down in history. November 5 2011, #opfacebook . Engaged.

This is our world now. We exist without nationality, without religious bias. We have the right to not be surveilled, not be stalked, and not be used for profit. We have the right to not live as slaves.

We are anonymous
We are legion
We do not forgive
We do not forget
Expect us

 

DEF CON: The event that scares hackers

In the Masquerade wing of the Rio Hotel and Casino in the gambling capital of the world, there's a giant statue of a head hanging over a lobby of slot machines.

The masked figure has two faces and four digital eyes -- clairvoyant blue -- that track back and forth constantly, as if recording the movements of everyone who enters.

That awkwardly self-conscious -- even slightly paranoid -- feeling you get from being watched by that enormous casino head is pretty much a steady-state for most of the hackers who attend the DEF CON hacker event, taking place at the Rio this weekend.

Started 19 years ago as an underground gathering of sometimes-nefarious computer wizards, DEF CON has sprawled into a 15,000-person, four-day convention where anyone with $150 -- in cash only, please, lest these hackers give up their identities -- can learn the latest tricks and trade of computer hacking, lock picking and security breaching.

The aim of the event is to better inform both insiders and everyday people about the risks of operating in our increasingly digital world and to work on solutions. But the practical result of gathering this many highly skilled hackers in one building -- in a Las Vegas casino, no less -- is that everyone here is experiencing some level of terror.

Insiders say there's no place on Earth where you're more likely to get hacked.

"You're on the most hostile network in the world. If you can perform business here, you can do it anywhere," said Brian Markus, referring to the public Wi-Fi network at DEF CON, which veterans know to steer clear of.

Unlike at other tech events, which tend to focus on Facebook-like concepts such as "sharing" and "connecting," DEF CON is all about who can stay the most private, and therefore, who will remain the most secure in this digital war zone.

Those who don't are shamed into doing so.

Markus, for example, sits in a dark room in the Rio's conference center watching Internet traffic. When he sees a password fly across the connection, which is often, he posts part of it, along with the user's log-in name and the site he or she was using, on a large projection screen, which he calls the "Wall of Sheep."

Within an hour of watching for passwords on Friday morning, his team from Aries Security had racked up 10 half-shaded passwords. (The team, and others, can see the full passwords and usernames, but they choose to protect the victims by only displaying the first three characters of each password. Kind of them, huh?)

So, how does one avoid the "Wall of Sheep"?

Markus suggests scrambling your Internet connection.

There are several free services that will do this, including OpenVPN and Ace VPN. That way, if someone like him is "sniffing" the Wi-Fi connection you're using, they won't be able to see exactly what you're up to.

Another method: Type in "https" instead of "http" in your browser bar. That puts you on a more secure version of many major websites.

Plenty of people, however, are subjected to more sophisticated hacks.

Dan Kaminsky, one of the world's most notable do-gooder hackers, said he had his personal passwords, e-mails and instant messages with a girlfriend dumped out into the public domain at a previous DEF CON event.

"If you walk onto a battlefield, you might get shot," he said.

People still try to dodge the bullets, though.

As he darted through a mob of black-T-shirt-wearing convention attendees, Eli, better known by his hacker handle "Dead Addict," told me how much he hates crowds.

Not only is there the social anxiety, there's also the chance someone with an RFID reader and an antenna in their backpack could swipe your credit card info right out of your pocket.

The readers are the size of an old Walkman and, with a proper antenna, can grab data right off of credit cards that use quick-swipe technology (you can tell if you have one of these cards by looking for a little radio-wave symbol).

Eli, who started hacking in his teens and stopped breaking into corporate sites after all of his friends got arrested for doing the same thing, carries a metal-lined wallet to block this attack.

Other DEF CON veterans said they purchase junk computers they can throw away after the convention because they figure they're going to get infected. Eli says he just leaves the laptop at home.

Most of the attendees carry cash. No one uses the ATMs after an incident in 2009 in which someone rolled a fake ATM machine into the event, according to Wired, and apparently used it to collect credit card information instead of dispensing money.

There's also the anonymity of it all. Some hackers only go by their handles. Others don't want digital records they attended the event, which does not require attendees to register or give their real names.

I got an e-mail warning me about some of these security idiosyncrasies before I got on a plane for Vegas. Written by a DEF CON spokeswoman, and reprinted with her permission, the note was full of jaw-dropping advice:

Hi John,

Great talking with you!

You are about to enter one of the most hostile environments in the world. Here are some safety tips to keep in mind ...

- Your hotel key card can be scanned by touch, so keep it deep in your wallet.

- Do not use the ATM machines anywhere near either conference. Bring cash and a low balance credit card with just enough to get you through the week.

- Turn off File Sharing, Bluetooth and Wi-Fi on all devices. Don't use the Wi-Fi network unless you are a security expert; we have wired lines for you to use.

- Don't accept gifts, unless you know the person very well - a USB device for instance.

- Make sure you have strong passwords on ALL your devices. Don't send passwords "in the clear," make sure they are encrypted. Change your passwords immediately after leaving Vegas.

- Don't leave a device out of sight, even for a moment.

- People are watching you at all times, especially if you are new to the scene.

- Talk quietly. Conduct confidential phone calls off site ...

That is it for now.

For now?

After seeing that, I left my credit cards, debit card and company laptop in my hotel room -- hidden, of course, since I'm on this newly paranoid kick. I kept my iPhone on "airplane" mode for most of Friday, turning it on only to send a couple texts.

I was particularly concerned about this phone hacking stuff, so I asked Austin Steed, another security researcher-slash-hacker about that.

He said mischievous hackers can install their own cell phone towers to intercept your calls before passing them on to the real mobile carrier. These "man-in-the-middle attacks," he said, let hackers eavesdrop, but they can also alter the conversation you're having, without your knowledge.

"You send a text saying 'I love you,' and he (the hacker) says, 'I want to break up with you.'" Or worse than that, Markus said, you could be doing business -- maybe the hacker would change "sell it all" to "buy it all," with potentially huge ramifications.

The hackers who attend DEF CON -- now in their thirties instead of their teens as they were at the start of the hacker movement -- hope, in a strange way, that by teaching people about hacking they will make the tech world safer.

DEF CON is their playground of sorts. Many of the hacks aren't necessarily malicious. They are people toying around just to see what's possible.

If they don't do it, then the really bad guys will, they say. There are sessions on cracking Google, PayPal, Apple -- even cars and prison cells.

DEF CON attendees can also learn how to pick locks. On Friday, 17-year-old Cherry Rose de los Reyes picked her first lock while her dad, Roselito, an IT professional, watched admiringly.

"I think I got it," she said, turning a key she had reverse-engineered.

"There, now I don't have to pay Home Depot no more!" her dad said with a laugh.

Some parents might cringe at a dad helping his teenage daughter learn a skill that could be used for breaking and entering. But Roselito de los Reyes says they'd be missing the point.

It's not about breaking the lock, he said, it's about learning the lock can be broken.

"If you educate them not to have a false sense of security just because you have a lock, then being able to open a lock might teach them to use a barbell on the door at home."

So maybe there's a point to the paranoia after all.

Governments, IOC and UN hit by massive cyber attack

IT security firm McAfee claims to have uncovered one of the largest ever series of cyber attacks.

It lists 72 different organisations that were targeted over five years, including the International Olympic Committee, the UN and security firms.

McAfee will not say who it thinks is responsible, but there is speculation that China may be behind the attacks.

Beijing has always denied any state involvement in cyber-attacks, calling such accusations "groundless".

Speaking to BBC News, McAfee's chief European technology officer, Raj Samani, said the attacks were still going on.

"This is a whole different level to the Night Dragon attacks that occurred earlier this year. Those were attacks on a specific sector. This one is very, very broad."

Dubbed Operation Shady RAT - after the remote access tool that security experts and hackers use to remotely access computer networks - the five-year investigation examined information from a number of different organisations which thought they may have been hit.

"From the logs we were able to see where the traffic flow was coming from," said Mr Samani.

"In some cases, we were permitted to delve a bit deeper and see what, if anything, had been taken, and in many cases we found evidence that intellectual property (IP) had been stolen.

"The United Nations, the Indian government, the International Olympic Committee, the steel industry, defence firms, even computer security companies were hit," he added.

China speculation

McAfee said it did not know what was happening to the stolen data, but it could be used to improve existing products or help beat a competitor, representing a major economic threat.

"This was what we call a spear-phish attack, as opposed to a trawl, where they were targeting specific individuals within an organisation," said Mr Samani.

"An email would be sent to an individual with the right level of access within the system; attached to the message was a piece of malware which would then execute and open a channel to a remote website giving them access.

"Once they had access to an organisation, they either did what we would call a 'smash-and-grab' operation, where they would try and grab as much information before they got caught, or they sometimes embedded themselves in the network and [tried to] spread across different systems within an organisation."

Mr Samani said his firm would "not make any guesses on where this has come from", but China is seen by many in the industry as a prime suspect.

Jim Lewis, a cyber expert with the Centre for Strategic and International Studies, was quoted by the Reuters news agency as saying it was "very likely China was behind the campaign because some of the targets had information that would be of particular interest to Beijing".

[Image: LulzSec logo. Caption: Experts warned that commercial espionage was a bigger threat to business than Lulzsec and Anonymous.]

"Everything points to China. It could be the Russians, but there is more that points to China than Russia," Lewis said.

However, Graham Cluley, a computer-security expert with Sophos, is not so sure. He said: "Every time one of these reports come out, people always point the finger at China."

He told BBC News: "We cannot prove it's China. That doesn't mean we should be naive. Every country in the world is probably using the internet to spy.

"After all, it's easy and cost-effective - but there's many different countries and organisations it could be."

Mr Cluley said firms were often distracted by the very public actions of LulzSec and Anonymous, groups of online activists who have hacked a number of high-profile websites in recent months.

"Sometimes it's not about stealing your money or publicly leaking your data. It's about quietly stealing your information, which can have a very high political, military or financial value.

"In short, don't let your defences down," he added.

via bbc.co.uk

 

How to unlock a car with a text message

Don Bailey says he can unlock thousands of cars across the United States simply by sending a few texts from his Android phone.

And that's not even the scary part.

Bailey, a senior security consultant with iSEC Partners, said in an interview with CNN at the Black Hat security conference here at Caesars Palace that the same hack he has used to demonstrate unlocking and even starting a car via text message also could be used to attack industrial systems, the power grid and the water system.

"I could care less if I could unlock a car door," he said. "It's cool. It's sexy. But the same system is used to control phone, power, traffic systems. I think that's the real threat."

Bailey would not share details about which cars or which auto systems are vulnerable to the hack that he showed off publicly at the event.

The hack affects many kinds of devices that connect to cellular GSM networks, like the one used by AT&T. As cars and plenty of other stuff -- from pill bottles to trees, he said -- start connecting to cell grids and the Internet, Bailey said they become more vulnerable.

Certain electronic components that accept wireless signals are vulnerable to the hack, he said. Those components are in the cars Bailey said he can unlock remotely.

Again, he would not name which cars have them.

Strangely enough, Oprah Winfrey kinda-sorta inspired this research.

Bailey said he was watching an "Oprah" show about a device called the Zoombak, which the TV host said could be used by parents to track the locations of their kids.

"I heard that and thought, 'Oh dear God no. Please Oprah, no, no no!' " he said in a presentation at Black Hat. "This was my thinking: That's dangerous. That can definitely be owned. Let's own that thing."

In hacker-speak, "own" means to take control of a device.

Once he figured out how to take control of the kid-tracker, Bailey moved on to cars, which he said was more difficult but still not impossible.

"I couldn't just straight-up text message it and be like, 'Gimme yo' datas!' " he said, referring to the car parts. "So it was a little more work."

It's not all doom-and-gloom, though.

Bailey said manufacturers could purchase more expensive parts that would keep these types of hacks from being possible. He thinks industry associations should put out recommendations suggesting this approach, even though cost increases would be "highly significant."

"We have to," he said. "We have to find elegant ways to find that sweet spot between cost and security."

Black Hat is an annual gathering of hackers and security professionals in Las Vegas. Researchers hope that by showing off how to hack certain systems, the computer industry will take steps to make infrastructure and consumers safer.

via cnn.com

 

Vulnerabilities Could Let Hackers Spring Prisoners From Cells

Vulnerabilities in electronic systems that control prison doors could allow hackers or others to spring prisoners from their jail cells, according to researchers.

Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country’s top high-security prisons, according to security consultant and engineer John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week in Las Vegas.

Strauchs, who says he engineered or consulted on electronic security systems in more than 100 prisons, courthouses and police stations throughout the U.S. — including eight maximum-security prisons — says the prisons use programmable logic controllers to control locks on cells and other facility doors and gates. PLCs are the same devices that Stuxnet exploited to attack centrifuges in Iran.

“Most people don’t know how a prison or jail is designed, that’s why no one has ever paid attention to it,” says Strauchs. “How many people know they’re built with the same kind of PLC used in centrifuges?”

Diagram showing the typical parts of a PLC used for door-control systems. Image courtesy of Teague Newman

PLCs are small computers that can be programmed to control any number of things, such as the spinning of rotors, the dispensing of food into packaging on an assembly line or the opening of doors. Two models of PLCs made by the German-conglomerate Siemens were the target of Stuxnet, a sophisticated piece of malware discovered last year that was designed to intercept legitimate commands going to PLCs and replace them with malicious ones. Stuxnet’s malicious commands are believed to have caused centrifuges in Iran to spin faster and slower than normal to sabotage the country’s uranium enrichment capabilities.

Though Siemens PLCs are used in some prisons, they’re a relatively small player in that market, Strauchs says. The more significant suppliers of PLCs to prisons are Allen-Bradley, Square D, GE and Mitsubishi. Across the U.S. there are about 117 federal correctional facilities, 1,700 prisons, and more than 3,000 jails. All but the smallest facilities, according to Strauchs, use PLCs to control doors and manage their security systems.

Strauchs, who lists a stint as a former CIA operations officer on his bio, became interested in testing PLCs after hearing about the systems Stuxnet targeted and realizing that he had installed similar systems in prisons years ago. He, along with his daughter Tiffany Rad, president of ELCnetworks, and independent researcher Teague Newman, purchased a Siemens PLC to examine it for vulnerabilities, then worked with another researcher, who prefers to remain anonymous and goes by the handle “Dora the SCADA explorer,” who wrote three exploits for vulnerabilities they found.

“Within three hours we had written a program to exploit the [Siemens] PLC we were testing,” said Rad, noting that it cost them just $2,500 to acquire everything they needed to research the vulnerabilities and develop the exploits.

“We acquired the product legally; we have a license for it. But it’s easy to get it off [eBay] for $500,” she said. “Anyone can do it if they have the desire.”

They recently met with the FBI and other federal agencies they won’t name to discuss the vulnerabilities and their upcoming demonstration.

“They agreed we should address it,” Strauchs said. “They weren’t happy, but they said it’s probably a good thing what you’re doing.”

Strauchs says the vulnerabilities exist in the basic architecture of the prison PLCs, many of which use Ladder Logic programming and a communications protocol that had no security protections built into it when it was designed years ago. There are also vulnerabilities in the control computers, many of which are Windows-based machines, that monitor and program PLCs.

“The vulnerabilities are inherently due to the actual use of the PLC, the one-point-controlling-many,” Rad said. “Upon gaining access to the computer that monitors, controls or programs the PLC, you then take control of that PLC.”

A hacker would need to get his malware onto the control computer either by getting a corrupt insider to install it via an infected USB stick or by sending it via a phishing attack aimed at a prison staffer, since some control systems are also connected to the internet, Strauchs claims. He and his team recently toured a prison control room at the invitation of a correctional facility in the Rocky Mountain region and found a staffer reading his Gmail account on a control system connected to the internet. There are also other computers in non-essential parts of prisons, such as commissaries and laundry rooms, that shouldn’t be, but sometimes are, connected to networks that control critical functions.

“Bear in mind, a prison security electronic system has many parts beyond door control such as intercoms, lighting control, video surveillance, water and shower control, and so forth,” the researchers write in a paper they’ve released (.pdf) on the topic. “Access to any part, such as a remote intercom station, might provide access to all parts.”

Strauchs adds that “once we take control of the PLC we can do anything. Not just open and close doors. We can absolutely destroy the system. We could blow out all the electronics.”

Prison systems have a cascading release function so that in an emergency, such as a fire, when hundreds of prisoners need to be released quickly, the system will cycle through groups of doors at a time to avoid overloading the system by releasing them all at once. Strauchs says a hacker could design an attack to over-ride the cascade release to open all of the doors simultaneously and overload the system.

An attacker could also pick and choose specific doors to lock and unlock and suppress alarms in the system that would alert staff when a cell is opened. This would require some knowledge of the alarm system and the instructions required to target specific doors, but Strauchs explains that the PLC provides feedback to the control system each time it receives a command, such as “kitchen door east opened.” A patient hacker could sit on a control system for a while collecting intelligence like this to map each door and identify which ones to target.

While PLCs themselves need to be better secured to eliminate vulnerabilities inherent in them, Newman says prison facilities also need to update and enforce acceptable-use policies on their computers so that workers don’t connect critical systems to the internet or allow removable media, such as USB sticks, to be installed on them.

“We’re making the connection closer between what happened with Stuxnet and what could happen in facilities that put lives at risk,” he said.

Hackers And Clouds: How Secure Is The Web?

Two new victims took a hit in the Wild West world of computer hacking this week: Citibank, where 200,000 credit card holders were victimized, and the International Monetary Fund, which reportedly also endured a cyberattack.

The FBI is on the case — so much so that 1 in 4 hackers may now be an informant, according to some experts.  

Hackers And Spies

Ed Pilkington, who covers hacking for the Guardian, tells Weekend All Things Considered guest host Rachel Martin that the overriding atmosphere in the hacker community is one of paranoia and fear as more and more of them join the other side to get out of trouble.

"They don't really know who's doing what," he says. "It seems such an extraordinary contradiction. Here is this community which in popular vision is a community of anarchists, anti-establishment people, and yet here are so many of them actually acting as the eyes and ears, as virtual spies, on behalf of FBI and Secret Service."

There are those in the cyber-community who think even more than 1 in 4 hackers are in cahoots with the U.S. government these days. Former hacker and information security consultant Kevin Mitnick says that informants are essential to America's defenses.

"I don't know of any case that involves computer hacking where there were multiple defendants charged where there wasn't an informant on the case," he says.

 


And Mitnick knows the community well. As a kid, he found he had a knack for what was then called "phone phreaking" — essentially hacking phones before there were computers.

"When I got pretty adept with manipulating the phone company's systems, I was able to pull pranks," Mitnick says. "I was able to change a friend's home telephone's class of service to that of a payphone. So whenever he or his parents would pick up the phone to make a call, it would say, 'The call you have made requires a 25 cent deposit.'"

Years later, Mitnick went from hacking phones to breaking into phone companies' computer systems. Then in 1995, he was arrested on charges of computer fraud and served a five-year jail sentence. A fellow hacker testified against him in court in exchange for a lesser sentence.

"You definitely feel a great sense of betrayal," Mitnick says of the testimony. "If hackers, if anyone committing a criminal act, wants to reduce their risk, they obviously don't involve anybody else. The greater the circle of people that know what you're doing, the higher the risk."

Catching Small Fish

Today, the risk — and the stakes — have never been higher. As more and more personal and financial information has wound up on the Web, hackers have increasingly banded together to attack that information.

"The main group are the carders. They specialize in breaking into databases of credit cards, usually held by banks or credit card companies," Pilkington says. "They can do millions of dollars of damage in terms of stealing directly from bank accounts, or going out with fraudulent credit cards that they create using this database of information."

They do this with very sophisticated attacks. But the FBI has managed to fight them, Pilkington says, using an old-fashioned trick.

"It's the trick they use against drug gangs, it's the trick they use against mobsters and the mafia: You catch a little guy doing a little thing," he says.

Pilkington gives the example of Albert Gonzalez, who was caught fraudulently taking money out of an ATM, which "in the scheme of this stuff is pretty small beer." Authorities got him out of prison early and set him up in an FBI office. They paid him $75,000 a year to set up networks to meet other hackers.

"He then became essentially a honey trap for big carders and identity thieves in the hacking community," Pilkington says.

But last year Gonzalez got a 20-year sentence for hacking: While he was working as an informant for the FBI, he was secretly hacking government agencies and bank accounts.

Fifteen years ago, Mitnick says, things were not this complicated.

"When I was a hacker it was all about pursuit of knowledge, getting a bite of the forbidden apple, so to speak. Then of course the challenge and the seduction of adventure," he says. "Today it's all changed. I mean, the trend of hacking today is all profit — credit card numbers, bank account numbers. For example, Sony recently has suffered over 17 attacks."

Protecting The Cloud

Another tech company hackers were watching closely this week was Apple. CEO Steve Jobs announced the iCloud, a new service that will allow Apple users to store all their email, photos, music and documents on an array of servers.

"By centralizing their data, they've really painted a target on their back," says David Brumley, a computer scientist at Carnegie Mellon University in Pittsburgh. He says Apple's iCloud is a bank of servers in a building the size of two football fields in North Carolina.

"From the reports, they have barbed wire around the building, they have guards and you're going to need an ID to get into those buildings," he says. "So the physical security is actually pretty good. It would be a lot like getting onto a military installation to actually get into Apple's iCloud data center."

Though it may be tough to break into the server's headquarters, Mitnick says, breaking in online could be another story.

"I was hired to test this cloud infrastructure in South America. Literally in the 15 minutes that I was on the phone with the CEO of the company and one of the lead technical guys, I was able to get access that only system administrators should get access to," he says.

Mitnick says there are things everyday Internet users can do to protect their information, like using a VPN client or more secure browsers like Google Chrome, but he adds, "Anything out there is vulnerable to attack given enough time and resources."

 

 

A who's who of hackers

It's hard to get a handle on the hacker community, but here's a look at the range of people -- from lone geeks to organized governments -- who could be behind recent security breaches.

The recent hacking headlines make it seem like we're in the middle of a cyberwar: In the past few weeks, there have been revelations of security breaches at organizations including Citigroup, Sony, the IMF, and -- as recently as yesterday -- the CIA's website.

Indeed, hackers are everywhere, according to Bruce Schneier, security expert and chief security technology officer for IT service-provider BT. But for the hacker community, the apparent cluster of attacks is really just business as usual: "This is hacking, it hasn't changed in decades," he says.

While the public may picture shadowy groups of Lisbeth Salander-like computer nerds taking down major networks around the globe, the truth is much less glamorous, Schneier says. Still, the hacker pecking order can be nuanced and tough to de-tangle. It runs the gamut from geeks messing around in their basements to organized national governments. What hackers do and how they do it often remains a mystery, but every day there are activities that fall under the wide umbrella of digital subversion called "hacking."

The lone wolf

Hacking has its roots in recreation. "The majority of people hacking are just people," Schneier says, meaning they aren't connected to a hacking network other than chat rooms and online forums. "It's just guys messing around."

Some members of this breed of hacker eventually go corporate. For example, Linus Torvalds, the man who wrote the central component for the Linux operating system, has a well-respected hacking history. He even co-authored a book called The Hacker Ethic, published in 2001. Another high-profile hacker is Apple co-founder Steve Wozniak, who speaks openly about his early days at UC Berkeley, building and selling devices that could hack phone networks to make free calls.

"Hacktivism"

There's another, relatively new breed of hacker that seeks publicity. These are typically politically-motivated groups, says Ethan Zuckerman, a researcher at Harvard University's Berkman Center for Internet and Society. The attacks they launch, he says, are "really designed to get the press release."

One of the most famous groups is Anonymous, an anarchic network of hackers that periodically organizes to shut down websites, either for fun or for some political purpose. Generally, the group launches a "distributed denial of service" (DDoS) attack, which targets and cripples a specific site. Anonymous has launched several such campaigns, most famously its 2008 efforts to take down the digital presence of the Church of Scientology, which involved a DDoS attack and offline protests by masked members. Recently, the group forewarned an attack against the Federal Reserve, calling for the resignation of Chairman Ben Bernanke via a YouTube video, though none of the Fed's websites have been shut down yet.

Another group called LulzSec has also stirred up news recently. On Wednesday, it temporarily crashed the Central Intelligence Agency's public website, Cia.gov. LulzSec has also claimed responsibility for breaches at PBS, Fox and Sony. For the Sony attack, LulzSec's goal was to showcase a pitiful lack of online security at the company, according to Phil Blank, a senior security analyst at Javelin Strategy & Research, and it succeeded. "It's a very fundamental, basic attack that no modern corporation should be subjected to -- it's embarrassing."

While attacks like the one on Sony can be easy, the muscle power of hacktivist groups is generally limited, says Zuckerman. In fact, he notes that within the hacker community, DDoS and similar attacks don't even qualify as true hacking, which involves actually compromising a network, not taking down a site. LulzSec hasn't tried to harm large, critical infrastructures so far, and Anonymous has tried and failed, he says: The group couldn't pull through an attempt to crash Amazon in December 2010, for example. "Essentially, they're taking down people's marketing copy," says Zuckerman.

Hacking spies

Government-backed hacking efforts are a different story -- they have much more funding, but can still be next to impossible to trace. They're also happening all the time, Schneier says: "The U.S. is doing it, China is doing it. Governments have spied on each other for thousands of years."

While complicated, expensive hacks are more likely to involve government investment, it can be difficult to prove the connection. Earlier this month, the IMF announced to its faculty and staff that it had suffered a cyberattack, but hasn't released details. There has been speculation that the attack received funding from a foreign government, says Phil Blank, a senior security analyst at Javelin Strategy & Research, but there's little public proof. "To be able to create the attack from that distance requires a substantial infrastructure, IT work and research," he says. "Generally speaking, that is out of the scope of most individuals, and it's probably not corporate espionage."

The same is true for recent Gmail hacks: Earlier this month, Google announced that someone had broken into hundreds of Gmail users' personal accounts. That required fairly complicated, targeted hacks, Blank says. But the only evidence that a government was behind it was that Google traced the origin of the attack to computers with Internet Protocol (IP) addresses in the Jinan region in China. Also, the hack seemed suspicious because victims included U.S. government officials and Chinese political activists. But IP addresses can be fabricated, Blank says, and the Chinese government vehemently denied anything to do with the incident.

That hacking mystery, like so many others, may go unsolved. While the size or complexity of the hack can provide clues, "You never know who's behind anything really," says Schneier. "In general, you never know who did it or why."

 

How computer hackers do what they do ... and why


The only entrance requirements for becoming a hacker are an inquiring mind and plenty of time. These are things that young teenagers - especially, though not exclusively, boys - tend to have.

The classic - and outdated - picture of the hacker is of a teen sitting in his bedroom, obsessively coding something impenetrable on his own, waiting to unleash a terrible virus that will wreak havoc on computers around the world.

In fact modern hackers are a gregarious bunch, who have grown up in a world where instant messaging and video chatting make it possible to be connected to people at all times.

Hacker conferences are often friendly events: Eric Corley, publisher of the underground hacker magazine 2600 (who styles himself Emmanuel Goldstein, after the figure of hate in Nineteen Eighty-Four), is a watchful but otherwise outgoing person. Conferences tend to be fun affairs, with people showing off their latest hacks.

The initial lure of hacking – getting past the security hurdles on computers that are intended to turn the vast majority of people away – is simply the achievement. There's also the attraction of the fact that machines will do what you tell them, without argument, again and again. Once mastered, it's a delicious power.

Hacking knows no national boundaries: China, the former Soviet states and eastern Europe all have produced dangerously effective hackers. The US, Germany and Britain do so as well. Some of the better hackers may be persuaded to work for governments. The suspicion is that in China the most successful are given no option.

Hacking is possible because modern computer systems are so complex that there will always be a flaw to be exploited somewhere.

The web offers hackers a bell curve of targets: most are fairly secure, some are very secure, but there's a long tail of sites running outdated software that can be exploited.

Roughly half of the world is using Microsoft's Windows XP, which is 10 years old and – in its original form – riddled with security holes. Many of the copies used in the far east are pirated, and Microsoft refuses to let them be updated, which leaves the holes "unpatched".

This is meat and drink to hackers, who can often call on widely distributed "hacking kits" that let would-be "l33t haX0rs" (elite hackers) target sites by clicking a few buttons.

Many start their hacking career by breaking into websites to deface them; this is regarded by their elders as the lowest form of hacking (getting caught is even lower).

The more time they spend doing it, the sooner they realise that a certain level of skills will make it possible to make money, either by stealing credit card details and using them to buy virtual goods, or by getting paid to create "malware" that others will pay for.

That might be programs that will silently take over a computer, or subvert a web browser so it goes to a particular site for which they get paid, or lace a website with commercial spam.

That is where the road forks. The commercial hackers do not go to conferences, and keep out of the public eye as far as possible, which can be hard when you are making serious money from it.

They are the ones who the security and police services try very hard to keep their eyes on by any means possible, including infiltration and coercion.

One in four US hackers 'is an FBI informer'


The underground world of computer hackers has been so thoroughly infiltrated in the US by the FBI and secret service that it is now riddled with paranoia and mistrust, with an estimated one in four hackers secretly informing on their peers, a Guardian investigation has established.

Cyber policing units have had such success in forcing online criminals to co-operate with their investigations through the threat of long prison sentences that they have managed to create an army of informants deep inside the hacking community.

In some cases, popular illegal forums used by cyber criminals as marketplaces for stolen identities and credit card numbers have been run by hacker turncoats acting as FBI moles. In others, undercover FBI agents posing as "carders" – hackers specialising in ID theft – have themselves taken over the management of crime forums, using the intelligence gathered to put dozens of people behind bars.

So ubiquitous has the FBI informant network become that Eric Corley, who publishes the hacker quarterly, 2600, has estimated that 25% of hackers in the US may have been recruited by the federal authorities to be their eyes and ears. "Owing to the harsh penalties involved and the relative inexperience with the law that many hackers have, they are rather susceptible to intimidation," Corley told the Guardian.

"It makes for very tense relationships," said John Young, who runs Cryptome, a website depository for secret documents along the lines of WikiLeaks. "There are dozens and dozens of hackers who have been shopped by people they thought they trusted."

The best-known example of the phenomenon is Adrian Lamo, a convicted hacker who turned informant on Bradley Manning, who is suspected of passing secret documents to WikiLeaks. Manning had entered into a prolonged instant messaging conversation with Lamo, whom he trusted and asked for advice. Lamo repaid that trust by promptly handing over the 23-year-old intelligence specialist to the military authorities. Manning has now been in custody for more than a year.

For acting as he did, Lamo has earned himself the sobriquet of Judas and the "world's most hated hacker", though he has insisted that he acted out of concern for those he believed could be harmed or even killed by the WikiLeaks publication of thousands of US diplomatic cables.

"Obviously it's been much worse for him but it's certainly been no picnic for me," Lamo has said. "He followed his conscience, and I followed mine."

The latest challenge for the FBI in terms of domestic US breaches are the anarchistic co-operatives of "hacktivists" that have launched several high-profile cyber-attacks in recent months designed to make a statement. In the most recent case a group calling itself Lulz Security launched an audacious raid on the FBI's own linked organisation InfraGard. The raid, which was a blatant two fingers up at the agency, was said to have been a response to news that the Pentagon was poised to declare foreign cyber-attacks an act of war.

Lulz Security shares qualities with the hacktivist group Anonymous that has launched attacks against companies including Visa and MasterCard as a protest against their decision to block donations to WikiLeaks. While Lulz Security is so recent a phenomenon that the FBI has yet to get a handle on it, Anonymous is already under pressure from the agency. There were raids on 40 addresses in the US and five in the UK in January, and a grand jury has been hearing evidence against the group in California at the start of a possible federal prosecution.

Kevin Poulsen, senior editor at Wired magazine, believes the collective is classically vulnerable to infiltration and disruption. "We have already begun to see Anonymous members attack each other and out each other's IP addresses. That's the first step towards being susceptible to the FBI."

Barrett Brown, who has acted as a spokesman for the otherwise secretive Anonymous, says it is fully aware of the FBI's interest. "The FBI are always there. They are always watching, always in the chatrooms. You don't know who is an informant and who isn't, and to that extent you are vulnerable."
