For those who think I’m a little paranoid on the subject of cybersecurity, I share this story – a nightmare made in China for a small US businessman. Brian Milburn’s parental control software was pirated and used in a China’s infamous Green Dam software.
For three years, a group of hackers from China waged a relentless campaign of cyber harassment against Solid Oak Software Inc., Milburn’s family-owned, eight-person firm in Santa Barbara, California. The attack began less than two weeks after Milburn publicly accused China of appropriating his company’s parental filtering software, CYBERsitter, for a national Internet censoring project. And it ended shortly after he settled a $2.2 billion lawsuit against the Chinese government and a string of computer companies last April.
In between, the hackers assailed Solid Oak’s computer systems, shutting down web and e-mail servers, spying on an employee with her webcam, and gaining access to sensitive files in a battle that caused company revenues to tumble and brought it within a hair’s breadth of collapse.
There are two particularly interesting, and troubling, aspects of the story. First, the hackers immediately attacked Milburn’s law firm as well as his company. This tactic is now part of the standard playbook for China’s hackers, but US law firms have not fully adapted to the threat. Second, I’ve long wondered when the Chinese hackers would go from stealing information to sabotaging networks. According to Milburn, that’s exactly what they did here:
While bulk sales and orders over the phone were up, 60 percent of Solid Oak’s business depended on users buying the $39.95 program directly from the website. As the network problems continued, so did the fall in sales. Milburn wouldn’t provide month-to-month sales figures, saying it could aid competitors, but he says the normally profitable company dipped into the red after a big drop in web sales the month the lawsuit was filed. Net losses averaged $58,000 a month after that, even as Milburn slashed expenses, he says.
Tracing the drop, he could see that customers were coming to the website to buy the software like always. They’d type in credit card numbers and click submit, but most of the orders — on some days 98 percent — weren’t going through, Milburn says. He replaced servers and tried other fixes. Nothing worked.
He went without pay, and DiPasquale agreed to forego her salary for a few months too. She and her husband, a professional chef, drew down their savings, but by the summer of 2010, the money was running out.
Examining the script that controlled the payment processing function in November that year, he noticed that a single character was missing from the string — an apostrophe. That was enough to cause the page to time out, rather than to complete the credit card transaction. Customers were leaving in frustration.
The apostrophe was sometimes there and sometimes not, so some payments went through. There may have been other ways that the hackers were sabotaging his sales, but Milburn was sure he had found at least one.
“A hacker could certainly edit the script and break it so it wouldn’t work,” says Stewart, the DellSecureWorks threat expert. “That would be a great way to do it without calling attention to the fact that they were in the system.”
If this is a harbinger of future Chinese conduct, the silent cybersecurity crisis is going to become very public, and very ugly.