W5: Investigating Canada's big cyber security problem
Melissa Martin, W5 Staff
Published Saturday, March 19, 2011 6:43PM EDT
Here's something Canadian authorities don't want you to know: whether it's people, organizations, businesses or governments, we are all at risk of being victims of cyber attacks.
"We have major cyber security problems in this country," says Ron Deibert, director of The Citizen Lab, at the University of Toronto. "The problem is nobody wants you to know about it."
Corporations and governments go to great lengths to avoid publicly revealing cyber breaches for fear of appearing vulnerable.
During the course of our research, dozens of experts told W5 there have been major cyber security breaches in this country, but no one was willing to provide specifics, and for good reason: there's plenty at stake.
If, for example, news spreads that a publicly-traded company has been hacked into, investors could lose trust in that company, sending its stock price into a tailspin.
The truth is it can be a scary virtual world out there. These days most of the country's infrastructure is controlled online, everything from our air traffic control to our hydro systems. And yet, according to experts like Deibert, the current cyber security measures are inadequate.
"[The Canadian Government] allocates I think $80 million in total over four or five years. This may sound like a lot of money but in reality it's nowhere near adequate to deal with the scope of the problem," he said.
But, it's not just corporations that are vulnerable. Your personal information is at risk of being stolen online too, especially at public Wi-Fi zones.
W5 asked ethical hacker Mike Sues to show us how easy it is to break into someone's computer. We chose a Toronto coffee shop with free Wi-Fi for our demonstration. In a matter of minutes, Sues was changing someone's Facebook status, looking at another's financial information online and he could even read, word-for-word, what a third person was writing in an email.
All of the "victims" at the café had agreed to participate in W5's test and were aware that they might be hacked, but that didn't make the news easier to handle.
"I had no idea (he broke into my computer)," said Caroline, a law student, whose Facebook account was changed without her knowledge, using information gleaned by W5's hacker. "Maybe someone else has done this to me in the past and I didn't know about it."
Deibert stresses that when it comes to online communications, nothing is private.
"I don't put anything on email that I don't expect to see in the Globe and Mail. To me it's like a postcard," he said.
Where hacking might once have been the pursuit of a few geeks out for a computer challenge, these days the illegal hacking community has become a multi-billion dollar underground economy largely controlled by organized crime. They have the time and resources to steal your personal information online.
"These people are well paid. Everyone gets the idea of some fat kid doing this in his basement for kicks but this is a multi-billion dollar worldwide criminal network," said Keith Murphy, CEO of Defence Intelligence.
Murphy has first-hand experience in dealing with high-level hackers. In December 2009, he was involved in the investigation, along with the FBI, into the Mariposa botnet.
A botnet -- short for "robot" and "network" -- is a computer program that installs itself onto computers and automatically records user information, including passwords and financial data.
Botnets are often used to remotely control thousands of personal computers -- to send spam or to launch denial-of-service attacks by clogging up the Internet.
The Mariposa botnet was involved in collecting passwords, banking and credit card information and could also hijack a computer-user's Internet search results. Financial data on more than 800,000 people was collected by the malicious program.
Thanks to Murphy and the FBI, eventually three hackers in Spain were arrested for their involvement in Mariposa; all three are currently out on bail and awaiting trial.
After the arrests were made and the hackers' computers were seized, Murphy was responsible for taking the computers apart and searching the hard drives to see what kind of information was stored on them. Murphy found that the Mariposa botnet had infected Canadian computers, and the criminals had stolen financial information from Canadians.
"[There were] thousands of people's credentials from Canadian banks [on the hackers' computer]," said Murphy.
Because Murphy and his company were involved in the investigation, the Mariposa creators wanted to get even. The hackers launched an attack on Defence Intelligence.
"They found out we were investigating them and they launched an attack on us and tried to take us down," he said, although the Internet assault didn't just impact Murphy and his team. "They took out our Internet provider from Ottawa to Cornwall for an afternoon."
To make matters worse, not only was Murphy attacked by the hackers, he was also blacklisted by some Canadian corporations for making the security breach public.
"We've lost almost two million dollars in business," he said, although Murphy has never disclosed which specific companies were infected.
Murphy said there is no way of knowing if money was stolen as a result of the Mariposa botnet because the underground hacking world is so complex. He maintains that complexity is preventing police forces from properly investigating cyber crime.
"They (the police) understand somebody breaking into your home but they don't understand somebody breaking into your computer."