A new war is being waged: a war that is not fought with guns, missiles, or human
soldiers, but with code in cyberspace, using computers and the Internet. It's
a war on all fronts by governments against governments, governments against
corporations, organized crime and insiders against both, and even individuals
against other individuals (which is more often dubbed cybercrime, but that's
not a necessary distinction for our purposes).

The point is that this war is pervasive, and we are all vulnerable to attack.

About three years ago, Heartland Payment Systems discovered that hackers had
penetrated their systems for a period "longer than weeks" in late
2008, and were eavesdropping on the majority of transactions the company
processed. In all, more than 100 million credit cards were compromised,
resulting in the largest known case of credit card fraud in history. So far
(through December 31, 2010), the company has had to pay out about $115
million in settlements of claims with banks and VISA, along with more than
$30 million in legal fees.

More recently we've had the China/Google fiasco, a situation that culminated in
Google all but accusing the Chinese government of at least abetting a
coordinated and sophisticated attack aimed at cracking the email accounts of
known political dissidents within the country. Google was forced to admit that
the attackers were successful to an extent, in that they managed to steal the
source code for the company's password system that protects all accounts. But
apparently no accounts were compromised in the attack, according to Google.

The weapons being used to fight this war are becoming more sophisticated and
harder to protect against, while at the same time often becoming easier for
foes with little technical experience to wield.

In 2005, a Russian hacker group known as UpLevel
developed Zeus, a point-and-click program for creating and controlling a
network of compromised computer systems, also known as a botnet. By 2010, the
most recent version of the basic Zeus software could be downloaded for free
and required almost no technical skill to operate. It's now become one of the
most popular botnet platforms for spammers and criminals who deal in stolen
personal information.
UpLevel consisted of just four or five
developers who started working on Zeus in 2005. The next year they released
the first version of the program, a basic Trojan designed to hide on an
infected system and steal information. Soon thereafter, the team came out
with a more modular version, which allowed other hackers to add functionality
by creating plug-ins. Now the Zeus platform allows users to easily build
custom malware to infect target systems and manage a vast network of zombie
machines, i.e., the botnet. In fact, a whole cottage industry has cropped up
around creating add-ons for Zeus, satisfying the needs of the most novice
cybercriminal up to the most sophisticated organized-crime users.

(Note: "Botnet" is short for robotic network and the general term used to
denote a collection of compromised computers that are running under a common
command-and-control (C&C) infrastructure. Thus one person can have a
large number of "zombie" computers at his fingertips. How many?
Well, the Mariposa botnet, busted by Spanish authorities in March 2010, was
found to have nearly 13 million computers under control.)

And just as Trojans, like Zeus, are evolving, so, too, are the botnets
themselves.

Conventional botnets are controlled by a few central computers. Take down those machines
and you'll disable the whole network. But a recent article by Kurt Kleiner in Technology Review (published by MIT)
warns that this weakness does not exist in botnets that use peer-to-peer
communications protocols and pass messages from machine to machine instead of
coming from a central command.

Using these peer-to-peer communications protocols, Stephan Eidenbenz
and his team at Los Alamos National Laboratory designed and simulated a
botnet that would be much harder to kill than the traditional centrally
controlled variety.

According to the aforementioned article by Kleiner:

Their hypothetical botnet would randomly configure itself into a hierarchy, with
peers accepting commands only from computers higher up in the hierarchy. Any
computer taken over by an outsider would thus be less likely to be able to
disrupt the network. The botnet would reconfigure its hierarchy every day, so
outsiders would have scant time to track down the highest-level computers
that could do the most damage.

The technique, together with strong encryption, would make such botnets hard to
analyze and attack.

Experts expect that these stronger peer-to-peer botnets are only a matter of time.
"Once someone writes ways to strengthen a botnet's security into
easy-to-implement code, this type of botnet will quickly spread," says
Cliff Zou, network security researcher at the
University of Central Florida.

Now, the point of all this is not to scare you into throwing your computer out of
the window; it's to highlight the fact that as the weapons in this cyber-war
evolve, so, too, must defenses against them. And that's big business.

As Intel CEO Paul Otellini recently said, "We
have concluded that security has now become the third pillar of computing,
joining energy-efficient performance and Internet connectivity in
importance."

I have to agree with Mr. Otellini. And investors are
already capitalizing on the huge growth that will come in this area over the
next few years. Though estimates of its size vary broadly because of
differing definitions, even the most conservative valuations peg pure
security hardware and software expenditures at well above $15 billion
annually. And steady, double-digit growth is projected for years to come.

As just one example of the gains that can be had by investing in this space, Casey
Extraordinary Technology subscribers were rewarded with a one-week
return of nearly 50% last August when we recommended buying ArcSight Inc. (a company that develops monitoring
software to seek out nefarious code or malicious insiders that have breached
the firewall). Just seven days after our recommendation, news of a potential
buyout of the company by HP at a 50% premium caused the shares to pop and we
exited with a huge gain.

Another example: One of our core portfolio holdings that operates
in the network security space is up nearly 200% since we bought in just one
year ago.

Obviously, not all the computer and network security firms out there are gems, but given
all the money that's necessarily going to be pumped into these industries in
the coming years, it might behoove you as an investor to investigate the
options.
Doug Casey