<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>TED Blog &#187; cybersecurity</title>
	<atom:link href="http://blog.ted.com/tag/cybersecurity/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.ted.com</link>
	<description>The TED Blog shares interesting news about TED, TEDTalks video, the TED Prize and more.</description>
	<lastBuildDate>Wed, 22 May 2013 05:58:18 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='blog.ted.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://1.gravatar.com/blavatar/909a50edb567d0e7b04dd0bcb5f58306?s=96&#038;d=http%3A%2F%2Fs2.wp.com%2Fi%2Fbuttonw-com.png</url>
		<title>TED Blog &#187; cybersecurity</title>
		<link>http://blog.ted.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://blog.ted.com/osd.xml" title="TED Blog" />
	<atom:link rel='hub' href='http://blog.ted.com/?pushpress=hub'/>
		<item>
		<title>How to spy on hackers: James Lyne at TED2013</title>
		<link>http://blog.ted.com/2013/02/28/how-to-spy-on-hackers-james-lyne-at-ted2013/</link>
		<comments>http://blog.ted.com/2013/02/28/how-to-spy-on-hackers-james-lyne-at-ted2013/#comments</comments>
		<pubDate>Thu, 28 Feb 2013 22:19:14 +0000</pubDate>
		<dc:creator>Kate Torgovnick</dc:creator>
				<category><![CDATA[Live from TED2013]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[James Lyne]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[online security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[TED2013]]></category>

		<guid isPermaLink="false">http://blog.ted.com/?p=70428</guid>
		<description><![CDATA[Cybersecurity specialist James Lyne takes the TED2013 stage to show us some of the newest and nastiest creations that cybercriminals have designed to steal data, make off with billions of dollars, watch people through their webcams and target power and utility companies. Every day, he says, about 250,000 new pieces of malware are created and 30,000 websites infected. &#8220;People think [&#8230;]]]></description>
				<content:encoded><![CDATA[<div id="attachment_71855" class="wp-caption aligncenter" style="width: 910px"><img class="size-full wp-image-71855" alt="Photos: James Duncan Davidson" src="http://tedconfblog.files.wordpress.com/2013/02/ted2013_0062788_dsc_8243.jpg?w=900&#038;h=590" width="900" height="590" /><p class="wp-caption-text">Photos: James Duncan Davidson</p></div>
<p>Cybersecurity specialist James Lyne takes the TED2013 stage to show us some of the newest and nastiest creations that cybercriminals have designed to steal data, make off with billions of dollars, watch people through their webcams and target power and utility companies. Every day, he says, about 250,000 new pieces of malware are created and 30,000 websites infected.</p>
<p>&#8220;People think that, if you get a computer virus, you&#8217;ve been on a porn site,&#8221; says Lyne, of the security firm <a href="http://sophos.com/" target="_blank">Sophos</a>. &#8220;Actually, statistically speaking, if you only visit porn sites you&#8217;re safer.&#8221; Shockingly, 80% of infecting sites are actually small businesses or other legitimate enterprises that have themselves been infected.</p>
<p>The world of malware is becoming commercialized. Cybercriminals now advertise online, offering their services for $10 to $50 per hour. Lyne shows this video as an example.</p>
<p><span class='embed-youtube' style='text-align:center; display: block;'><iframe class='youtube-player' type='text/html' width='586' height='360' src='http://www.youtube.com/embed/c9MuuW0HfSA?version=3&#038;rel=1&#038;fs=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' frameborder='0'></iframe></span></p>
<p>There are sites where you can test a virus to make sure it works before unleashing it on the world, and sophisticated services for tracking your malware. Some of these services even offer customer support.</p>
<p>So what are some ways to infect a computer with malware? In addition to the old &#8220;Hello, I&#8217;m a Nigerian banker,&#8221; you could, perhaps, walk into a corporate lobby with a copy of your resume soaked in coffee, and make a sad face and ask the receptionist to plug in a USB key and print you a new copy. Or perhaps you can target a website that has an insecure comments section; anyone who visits the page will then be infected. And there&#8217;s a new tactic that Lyne has noticed &#8212; creating a virus that pops open a fake anti-virus protection software window on a person&#8217;s screen. By clicking the button, not only does a person give a hacker access to their computer, but might even pay for the .</p>
<p>So many stories about cybercrime are terrifying. But Lyne has a success story to share &#8212; a time he was able to track the group of cybercriminals behind the <a href="http://nakedsecurity.sophos.com/koobface/">Koobface malware</a>. This group didn&#8217;t protect their malicious code, which was written to send each of them a text message daily to show them how much money they&#8217;d accumulated. In other words, Lyne&#8217;s team had their phone numbers. From there, he could tell they were located in Russia.</p>
<p>Because many smartphones embed GPS data about where a photo is taken, Lyne was able to find the hackers&#8217; exact location through photos they uploaded to Flickr. From there, Lyne&#8217;s team generated a 27-page report filled with information about this group — including an ad one of them had posted for the sale of kittens, shots from a fishing trip, a photo of their office on the third floor of a building and images from the office Christmas party. He eventually even found their bank accounts.</p>
<p>Sadly, Lyne reveals that this report wasn&#8217;t enough to bring these hackers to justice. Most laws pertaining to cybercrime are national, and because there is no common definition between countries, this group is still at large.</p>
<p>Lyne stresses that, for the time being, the onus is on individuals to protect themselves by creating different passwords for different websites and using basic internet safety protocols. For example, don&#8217;t upload smartphone photos to an online dating site &#8211; Lyne has found that 60% of photos there contain location data. But vulnerabilities can be even more subtle than that. As you move through the world, using your phone to connect to wireless networks, Lyne warns that you are &#8220;beaming a list of the wireless networks you&#8217;ve previously connected to.&#8221;</p>
<p><img class="size-full wp-image-71854 aligncenter" alt="TED2013_0063217_D41_2030" src="http://tedconfblog.files.wordpress.com/2013/02/ted2013_0063217_d41_2030.jpg?w=900&#038;h=576" width="900" height="576" />Lyne collected data on the TED2013 audience by tracing these signals:</p>
<ul>
<li>23% had been to Starbucks recently</li>
<li>46% could be linked to a specific business</li>
<li>761 could be traced to a specific hotel</li>
<li>And 234 could be traced to coordinates of their homes</li>
</ul>
<p>&#8220;As we play with these shiny new toys, how much are we trading off convenience over privacy and security?&#8221; asks Lyne. &#8220;The internet is a fantastic resource for business, art and learning. Help me and the security community make life much more difficult for cybercriminals.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ted.com/2013/02/28/how-to-spy-on-hackers-james-lyne-at-ted2013/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
	
		<media:thumbnail url="http://tedconfblog.files.wordpress.com/2013/02/ted2013_0062788_dsc_8243.jpg?w=150" />
		<media:content url="http://tedconfblog.files.wordpress.com/2013/02/ted2013_0062788_dsc_8243.jpg?w=150" medium="image">
			<media:title type="html">TED2013_0062788_DSC_8243</media:title>
		</media:content>

		<media:content url="http://1.gravatar.com/avatar/18f19d9bd6d357472e7314863c44a08e?s=96&#38;d=http%3A%2F%2F1.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D96&#38;r=G" medium="image">
			<media:title type="html">kateted</media:title>
		</media:content>

		<media:content url="http://tedconfblog.files.wordpress.com/2013/02/ted2013_0062788_dsc_8243.jpg" medium="image">
			<media:title type="html">Photos: James Duncan Davidson</media:title>
		</media:content>

		<media:content url="http://tedconfblog.files.wordpress.com/2013/02/ted2013_0063217_d41_2030.jpg" medium="image">
			<media:title type="html">TED2013_0063217_D41_2030</media:title>
		</media:content>
	</item>
		<item>
		<title>The Wild West of the Internet: Reflections on The New York Times hack</title>
		<link>http://blog.ted.com/2013/01/31/the-wild-west-of-the-internet-reflections-on-the-new-york-times-hack/</link>
		<comments>http://blog.ted.com/2013/01/31/the-wild-west-of-the-internet-reflections-on-the-new-york-times-hack/#comments</comments>
		<pubDate>Thu, 31 Jan 2013 21:21:49 +0000</pubDate>
		<dc:creator>tedblogguest</dc:creator>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Dalai Lama]]></category>
		<category><![CDATA[Gabe Rosen]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[Palantir]]></category>
		<category><![CDATA[Shyam Sankar]]></category>
		<category><![CDATA[TEDTalks]]></category>
		<category><![CDATA[The New York Times]]></category>

		<guid isPermaLink="false">http://blog.ted.com/?p=68436</guid>
		<description><![CDATA[By Shyam Sankar and Gabe Rosen The Internet is the new Wild West, a frontier big enough for every pioneer and outlaw to roam free. Today, The New York Times revealed that hackers in China had spent the last four months infiltrating its computer systems and pilfering employee passwords. As in the old West, it’s [&#8230;]]]></description>
				<content:encoded><![CDATA[<p><strong><img class="size-full wp-image-68438 aligncenter" alt="Hacked--The-New-York-Times-and-Dalai-Lama" src="http://tedconfblog.files.wordpress.com/2013/01/hacked-the-new-york-times-and-dalai-lama.jpg?w=900"   /></strong></p>
<p><strong>By Shyam Sankar and Gabe Rosen</strong></p>
<p>The Internet is the new Wild West, a frontier big enough for every pioneer and outlaw to roam free. Today, <i><a href="http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=1&amp;_r=2&amp;hp&amp;">The New York Times </a></i><a href="http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=1&amp;_r=2&amp;hp&amp;">revealed that hackers in China</a> had spent the last four months infiltrating its computer systems and pilfering employee passwords. As in the old West, it’s not a question of <i>if</i> you’ll be hit &#8212; but when and how. Online, primitive DDOS attacks rain down like arrows, while artful hackers can steal the data equivalent of 5,000 head of cattle before any breach is detected. There’s no choice but to defend the homestead as best you can – and retreating to civilization is no longer an option.</p>
<p>According to Mandiant, the infosec firm that conducted the investigation, the <i>Times</i> was first compromised on September 13. The attackers established at least three backdoors and installed 45 pieces of malware, only one of which was detected by Symantec security software. After two weeks, the attackers found the domain controller that contained all staff passwords. <i>Times</i> executive editor Jill Abramson maintains there is “no evidence that sensitive emails or files” were accessed, yet the investigation found that the attackers “created custom software that allowed them to search for and grab [<i>Times</i> journalists] Mr. Barboza’s and Mr. Yardley’s e-mails and documents.&#8221;</p>
<p>As the TED Blog <a href="http://blog.ted.com/2012/09/06/how-a-human-computer-collaboration-uncovered-who-hacked-the-dalai-lamas-email/">recently recounted</a>, we know a bit about this sort of thing at <a href="http://www.palantir.com/" target="_blank">Palantir</a>. Our platform was used to investigate “<a href="http://www.nytimes.com/2009/03/29/technology/29spy.html?pagewanted=all&amp;_r=0">GhostNet</a>”, a Chinese cyber espionage network. In 2008, an unnamed country received an email from China warning them not to host the Dalai Lama for a scheduled visit. The email was startling because this visit was not public knowledge. The country sought to find out how this sensitive information had been leaked. Not only had the Dalai Lama’s personal computer been hacked, but 1,300 computers across the globe had been infected in the same way. This network had been operating for two years without notice.</p>
<p><span class='embed-youtube' style='text-align:center; display: block;'><iframe class='youtube-player' type='text/html' width='586' height='360' src='http://www.youtube.com/embed/zE6xvQeMqqE?version=3&#038;rel=1&#038;fs=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' frameborder='0'></iframe></span></p>
<p>Naturally, when we heard about <i>The New York Times</i> hack today, we looked for parallels. The Dalai Lama’s office was infiltrated by “spear phishing” &#8212; where hackers research a person and create an email, with an attachment, that looks like it came from a confidant. Spear phishing is suspected, though not confirmed, in the <i>Times</i> attack. Like GhostNet, the <i>Times</i> attackers covered their tracks through intermediaries in numerous countries, and employed remote access tools (RATs) and malware. The attacks also appear related to Chinese political sensitivities, though the exact loyalties in play are murky.</p>
<p>While it’s important to resist easy conclusions, <a href="http://en.wikipedia.org/wiki/Occam's_razor">Occam’s razor</a> and common sense shouldn’t be ignored. The difficulty is that positive attribution is rare in cyber warfare, so when something <i>looks</i> like the work of someone who was never actually identified, it may not be exceptionally meaningful. As open-source sleuth <a href="http://jeffreycarr.blogspot.com/2013/01/the-new-york-times-china-hack-what.html">Jeff Carr</a> points out, there are several doubts. Beijing’s time zone includes numerous other cities. The attacks were ultimately traced to Chinese IPs, though their geo-locations encompass millions of people. The attackers used RATs, but these are widely available and hardly confined to China. According to Richard Bejtlich, Mandiant’s chief security officer, “When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction.” Given the vast spectrum of potentially interested parties, it’s a very general direction – but it’s a start nonetheless.</p>
<p>The lack of clear answers notwithstanding, Mr. Bejtlich is certainly correct that cyber defense “requires an internal vigilance model.” You have to sleep with one eye open, and preoccupation with one mode of attack leaves you vulnerable to others. As in the old West, it’s essential to make common cause with your neighbors, however distant. During the recent spate of suspected Iranian DDOS attacks, two global Top 20 banks shared threat data in real time with each other as well as US law enforcement, and collaboration across public/private lines is essential to countering the matrix of state and non-state combatants.</p>
<p>Above all, we need to adopt a Wild West approach of our own. The sheriff’s only hope is to become as swift, resourceful, and adaptive as the outlaws.</p>
<p><em>Shyam Sankar is the Director at <a href="http://www.palantir.com/">Palantir Technologies</a>. He gave the TED Talk “<a href="http://www.ted.com/talks/shyam_sankar_the_rise_of_human_computer_cooperation.html" target="_blank">The rise of human-computer collaboration</a>” at TEDGlobal 2012, as well as the talk embedded above at TED2010. Gabe Rosen works in Business Development at Palantir.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ted.com/2013/01/31/the-wild-west-of-the-internet-reflections-on-the-new-york-times-hack/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:thumbnail url="http://tedconfblog.files.wordpress.com/2013/01/hacked-the-new-york-times-and-dalai-lama.jpg?w=150" />
		<media:content url="http://tedconfblog.files.wordpress.com/2013/01/hacked-the-new-york-times-and-dalai-lama.jpg?w=150" medium="image">
			<media:title type="html">Hacked--The-New-York-Times-and-Dalai-Lama</media:title>
		</media:content>

		<media:content url="http://0.gravatar.com/avatar/9ee414a8db949e4eb3e67ef1ea0877df?s=96&#38;d=http%3A%2F%2F0.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D96&#38;r=G" medium="image">
			<media:title type="html">tedblogguest</media:title>
		</media:content>

		<media:content url="http://tedconfblog.files.wordpress.com/2013/01/hacked-the-new-york-times-and-dalai-lama.jpg" medium="image">
			<media:title type="html">Hacked--The-New-York-Times-and-Dalai-Lama</media:title>
		</media:content>
	</item>
	</channel>
</rss>
