- FANCY BEAR GOES PHISHING: The Dark History of the Information Age, in Five Extraordinary Hacks (Farrar, Straus & Giroux, 432 pp., $30)
For a guy who teaches law and philosophy at Yale, Scott J. Shapiro has a mighty strong computer science background—and a highly humanistic view of hacking, based on his personal experience.
He was a coder for 10 years. He had his own computer business. He published in the journal Theoretical Computer Science. But when he decided he wanted to learn about hacking, he found it virtually impossible. It took him years to learn how to do it.
His new book, Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks, is written for people like him, who wondered how hacking works and why the internet is so insecure.
His book couldn’t come at a more significant time, given the onslaught of cybercrime being waged against enterprises today by nation-states, rogue cyber gangs, disgruntled employees, and disaffected teenagers alike.
Despite the gravity of today’s cyber news, Shapiro wanted to write a book that presents threats in a realistic way but in a manner that’s lighthearted and, at times, almost comical. The history of hacking, he notes, is riddled with more goofs and gaffes than you might think. (Note to enterprise owners: It’s never too late to invest in threat hunts, cyber risk scoring, employee training programs, and other forms of smart cyber hygiene.)
Fancy Bear Goes Phishing takes you on a journey into the world and minds of the hackers behind five infamous cyberattacks:
- The Morris Worm—The world’s first major cybersecurity incident, which struck in 1988 and unfolds here like a mystery novel. A Cornell grad student whose father is a senior computer-security scientist at the National Security Agency (NSA) knocks a large share of the internet’s hosts offline because of one mistake in his code: a faulty reinfection check that let the worm hit machines it had already compromised, over and over.
- The Bulgarian Virus Factory—In the 1990s, Bulgaria became the world’s center of virus writing, and for the first time the world saw the impact of attacks born of self-spreading computer viruses.
- The Paris Hilton Phone Hack—How can you see the contents of someone’s phone when you never had it in your possession? Cloud computing was a new concept in 2005 when a Massachusetts teen attacked the socialite’s cellphone address book and exposed contact info for celebrities like Eminem and Anna Kournikova. Shapiro introduces new information surrounding that hack.
- Fancy Bear’s Hack of the DNC—The spearphishing campaign by Fancy Bear, the Russian military intelligence (GRU) hacking unit also tracked as APT28, led to the publication of roughly 20,000 emails stolen from the Democratic National Committee (DNC) in 2016.
- Mirai Botnet—Beginning with an obsession with the game Minecraft, two groups of teenagers flaunted their skills by building an army of hijacked internet-connected devices (home routers, IP cameras, DVRs), or botnet, whose 2016 distributed denial-of-service attacks made some of the most famous and vital websites inaccessible at will.
In an exclusive interview, Focal Point connected with Shapiro to get the low-down on “upcode,” which he cites as the prime driver of cyberattacks like these. Ultimately, he says, we need to think of hacking (and hackers) in a whole new way.
(This interview has been edited for clarity.)
You’re the director of Yale’s Cybersecurity Lab, but you have a Ph.D. in philosophy and you teach law. How does your background impact or direct your approach to cybersecurity?
We always think of cybersecurity as though it is a technical problem that requires primarily a technical solution. But research shows how the law changes people’s incentives in their behaviors, why they act in appropriate or inappropriate ways. The natural thought process is, shouldn’t we be thinking about cybersecurity as a human problem?
Cybersecurity is about following rules—rules that are created by human beings that affect human behavior. I call those rules “upcode.” Upcode is all about the code above your fingertips on the keyboard, while downcode is the computer code generated below your fingertips. What I try to show in the book is that the technical vulnerabilities that are exploited in all these hacks really have their origin in political, legal, social, and psychological vulnerabilities in the upcode.
A key point you make is that upcode shapes production of downcode. How do you get the people who are creating the technology being hacked to understand that?
You don’t. You have to get buy-in from companies, C-suites, Congress, government agencies. We need those people to start thinking about what they can do to change the incentives that developers face to address cybersecurity.
The exciting part of this approach is that there are so many ways to approach rethinking cybersecurity and hacking. You can do it directly by training developers differently. You can increase the liability on software companies to encourage them to give directives to their employees to code in a certain way. If they are held responsible, they will do things differently.
With your strong technical background, even being a coder for 10 years, it still took you a long time to learn how to hack. Why was it such a struggle to learn something that teenagers—at least the ones in this book—picked up so easily?
I didn’t know where to look to learn. When I started getting into it, the most natural thing I did was look at books, read dissertations, read articles. I would hunt for information, not realizing that’s where to find it. You learn how to hack online, through YouTube, in hacker forums. When I was learning, hacking was not a mature field.
You chose five cyber events to highlight in this book. Why those particular hacks?
I had wanted to do 25 hacks, but my agent said 25 was too many, so we narrowed it to five. But the rationale behind the five I chose is this: They are all well-known in the cybersecurity community and are understood to be representative of different styles of hacks.
The Morris worm, which is self-replicating, is the first hack, happening in the late 1980s, and there was a real element of mystery to it. I added the Bulgarian virus factory because I wanted to understand why Bulgaria was the virus capital of the world in the 1990s. The Paris Hilton story is to show how you can get so close to the phone of one of the most famous people in the world in the early 2000s, demonstrating risks in the cloud.
Fancy Bear isn’t so much a study of how they did it but how they managed to get away with it and why it took the FBI so long to tell the DNC the Russians were in their network. And finally, how can you not be interested in the Mirai botnet story, with three American teenagers having a fight with three Israeli teenagers?
The stories are presented chronologically, but they are also just good stories.
The book highlights a general misunderstanding of cybersecurity and hacking. What do you want people to take away from this book?
I think people have the wrong understanding of hackers, that they’re lone wolves, have mental health issues, are geniuses who can’t be controlled. Actually, I think hackers are like you and me but are going through some challenges.
The vast majority of hacking involves cybercrime, which is financially motivated. The hackers don’t care about you. But your job is to make sure you don’t make it easy for them, because the harder they have to work for a hack, the less money they’ll make. They want your credit card; they don’t want to watch you make dinner through your webcam.