TIME women

A Million Peeping Toms: When Hacking Is Also a Hate Crime

"Serena" Premiere - 58th BFI London Film Festival
Jennifer Lawrence attends the premiere for "Serena" during the 58th BFI London Film Festival at Vue West End on October 13, 2014 in London, England. Stuart C. Wilson—2014 Getty Images

Soraya Chemaly is a media critic and activist.

Technology isn’t just mirroring offline crimes but amplifying them in ways that qualitatively change their impact

In her first public statements about the theft and distribution of her private nude photographs, Jennifer Lawrence called the act “a sex crime.” There are differences of opinion about using those words to characterize what happened. What is not debatable, however, is that, of the reportedly more than 100 celebrities targeted in this episode involving Lawrence, the overwhelming majority have been women. So, why aren’t we seriously discussing this in terms of gender-based hate? That’s also a serious charge.

The nonconsensual distribution of intimate photos is similar to offline voyeurism in many ways. We call these voyeurs Peeping Toms, a classic linguistic minimization of a sex crime that, like revenge porn, is gendered. Peeping Thomasinas aren’t really a thing. (The crime is treated differently state by state. In some states, but not all, voyeurs must register as sex offenders. Revenge porn is a non-registry offense.)

“There is no principled way to argue that this is any less serious than voyeurism,” explains Mary Anne Franks, Associate Professor of Law at the University of Miami School of Law and Vice-President of the Cyber Civil Rights Initiative. “There is no denying the blunt truth of [Lawrence’s] words: she alone has the right to control access to her naked body, and anyone who violates that right has committed a profound and inexcusable wrong. That means that laws against hacking are insufficient to address this violation.” Danielle Citron, author of Hate Crimes in Cyber Space, has also argued that these crimes clearly infringe on women’s civil rights.

However, what happens when there are millions of Peeping Toms? Given the scope and number of people who participated, and the time and effort the hackers took to gather the photographs and carefully plan their release, it’s clear that technology isn’t just mirroring offline crimes but amplifying them in ways that qualitatively change their impact and should prompt serious debate about gender-based hatred and bias crimes.

Federal hate crime legislation does not actually require that perpetrators of crimes express explicit hatred for the people they target. Instead, the salient information is that hate crimes are those in which a person is targeted because of, in this case, his or her gender. In addition, a “prominent characteristic of a violent crime motivated by bias is that it devastates not just the actual victim and the family and friends of the victim, but frequently savages the community sharing the traits that caused the victim to be selected.” While men are also the victims of revenge porn, as with the threat that a serial rapist of women poses to a community, how can anyone doubt that girls and women experienced the theft and sharing of these photos, which overwhelmingly involved women, in ways that men did not?

This wasn’t a privately executed sex crime, but a public one infused with gender bias. As the systematic theft, accumulation and mass sharing of these photos shows, we live in a culture in which violations of women’s privacy are normalized, where harms to women are routinely trivialized, where our sexual objectification is the norm and where society resists legitimate and reasonable consideration of the role gender and status play in what happened. (There have been at least four waves of photo releases, the last of which included the first man.)

It’s not just that photographs like Lawrence’s violated women’s rights to privacy and constituted theft, or that they might be considered pornographic or offensive. It’s that the perpetrators sought to attack the women, humiliate them, assault their dignity, and interfere with their lives and well being because they are women. Revenge porn is overwhelmingly perpetrated against women by men, and is rooted in displaying male dominance. There is nothing new in this type of female dehumanization. What’s new is its digitized and scalable industrialization. The attack on female celebrities sends a clear message that even the most admired and powerful women can be treated this way.

We have a national predisposition to downplay gender as consequential. This November marks the fifth anniversary of the Matthew Shepard & James Byrd Jr. Hate Crimes Prevention Act, in which sexual orientation, gender, gender identity and disability were finally added to federal hate crimes law.

The purpose of the 2009 act was largely to ensure that people have the chance to pursue justice if they feel that their state courts have failed. Only some states have hate crime statutes and, of those, a sub-segment include gender as a category for consideration. The battle to include gender at the federal level was long and hard fought. Either way, social recognition of gender-based hate, as the public discussions following Elliot Rodger showed, remains controversial.

Bias and hate crime laws exist so that members of groups that were historically discriminated against know that the societies they live in support their equal right to live their lives, raise their children, travel in public, and pursue their work, free of fear and discrimination. They are a challenge to social norms that would perpetuate violence and subjugation, an old-fashioned word no one likes to use in the United States, on the basis of immutable characteristics. Like being female.

If there is one silver lining in this, it’s that the women who were targeted are not being stigmatized or punished and that the trajectory of traditional shame seems to be reversing in a way that accrues to the perpetrator, and not the victims, of these assaults.

TIME Ideas hosts the world's leading voices, providing commentary and expertise on the most compelling events in news, society, and culture. We welcome outside contributions. To submit a piece, email ideas@time.com.

TIME Security

Snapchat Says Leak of Nude Photos Isn’t Its Fault

The logo of mobile app "Snapchat" is displayed on a tablet on January 2, 2014 in Paris.
Lionel Bonavent—Getty Images

Company says third-party applications were responsible for the breach of as many as 200,000 user accounts

Images from tens of thousands of Snapchat user accounts, many explicit, were leaked onto the internet late Thursday — but the messaging app said the hack wasn’t its fault.

Snapchat said that third-party applications were responsible for the breach of as many as 200,000 user accounts, and that their own servers were never compromised.

A 13GB database of Snapchat photographs taken over a number of years was leaked to online messageboards Thursday. It reportedly includes a large amount of child pornography, from teenage users.

“Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security,” a statement read. “We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.”

The news comes just weeks after the release of nude photos of more than 100 celebrities in a massive hack of photos stored in Apple’s iCloud.

TIME Hong Kong

Hong Kong Democracy Protesters Are Being Targeted by Malicious Spyware

A father and son take a selfie with a mobile phone in front of a barricade in the Mong Kok district of Hong Kong on Sept. 30, 2014 Xaume Olleros—AFP/Getty Images

The culprit is "a very large organization or nation state," experts say

A computer virus that spies on Apple’s iPhone and iPad operating system is targeting pro-democracy protesters in Hong Kong, according to tech experts.

Known as Xsser, the malicious software is capable of harvesting data including text messages, photos, data logs and passwords from mobile devices, Lacoon Mobile Security said Tuesday.

The spyware is hosted on the same Command and Control domain as an existing fake program for the Android operating system that was disguised as a protest-organizing app and distributed around Hong Kong last week.

“Cross-platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organization or nation state,” said Lacoon in a statement.

Tens of thousands of people have paralyzed key areas of the city over the past few days in support of greater electoral freedom, much to the chagrin of the central government in Beijing.

TIME Opinion

Clicking on Jennifer Lawrence’s Nude Photo Is Sleazy, But Is It Really Sexual Assault?

Christian Dior : Frontrow - Paris Fashion Week : Haute-Couture Fall/Winter 2014-2015
Jennifer Lawrence attends the Christian Dior show as part of Paris Fashion Week in Paris, France. Dominique Charriau—WireImage

When we call every crime against a woman "sexual assault," we dilute the meaning of the phrase

Words are important, and lots of harsh ones have been thrown around after hackers stole nude and semi-nude photos of celebrities like Jennifer Lawrence from various personal accounts and published them online. Specifically, some commenters are saying that anyone who views the stolen pictures is guilty of sexual assault.

What happened to Jennifer Lawrence, Kate Upton, and others is horrible. It’s also a crime and should be prosecuted as such. But some outraged online commentators are calling the photo-hacking incident a sexual assault, and that’s a bandwagon I just can’t get on.

While the theft and humiliating distribution of these photos is an enormous violation of personal privacy and sexual autonomy, it is not the same thing as a physical sexual assault. It is not the same as being raped, or forced to perform oral sex, or molested as a child, or beaten. It’s not a question of “more or less awful,” because both scenarios are horrific examples of how women are treated in our society. But they’re different, and it’s especially important to be precise when we’re talking about violence.

“It’s a bad act, but I don’t know that it would meet a legal definition of sexual assault,” said Scott Berkowitz, president of the Rape, Abuse and Incest National Network (RAINN). Is it possible for a sexual assault to be completely non-physical? “Sexual assault is a very general and vague term to begin with, each state defines it a little differently, it’s sort of a catch-all category that can include harassment and verbal abuse,” he said. “The idea is that it’s usually based on some physical interaction.”

When fighting to end sexual assault on college campuses, we like to say “rape is rape”: this means that rape is not “nonconsensual sex,” it’s not a “misunderstanding,” it’s rape. If we insist on linguistic clarity when defining rape, then we should do the same for sexual assault. Cat-calling isn’t sexual assault. Viewing leaked photos online isn’t sexual assault. Even the horrific sexist comments made by online trolls don’t count as sexual assaults. Only sexual assault, which the Department of Justice describes as “forced sexual intercourse, forcible sodomy, child molestation, incest, fondling, and attempted rape,” is sexual assault.

What happened to Jennifer Lawrence, Rihanna, Kate Upton, and Aubrey Plaza was an enormous transgression, one that should be taken seriously as a criminal offense. And incidents like these remind us that we’re still experiencing a widespread degradation of women, and that helps enable sexual violence. But we should call things by their correct names, and this incident is most similar to revenge porn, which is when someone (often a former partner) distributes explicit photos without the subject’s consent. Revenge porn is now a felony in Arizona and against the law in nine other states, and 27 states currently have legislation in process.

When we are angry about something, especially something that happens to women, we tend to elevate it to the level of an atrocity. This is partly because of a widespread callousness towards issues affecting women: it’s hard to get people to pay attention to anything that isn’t a horrific rape. But when we dilute the specific meanings of our words, we leave them up to interpretation, and that is very dangerous for a movement working to fight the dangerous “he-said-she-said” narrative of sexual attacks. When we expand the definition of sexual assault to include every nasty thing that could happen to a woman, we risk making the term meaningless. If everything is sexual assault, then nothing really is.

Instead of painting the photo-hacking incident as sexual assault, let’s use it to have a real discussion about how we can stop this from happening again. And let’s start by getting that revenge porn legislation through in those 27 states.

 

TIME Opinion

Stop Blaming Jennifer Lawrence and Other Celebrities for Taking Nude Photos in the First Place

Jennifer Lawrence Mike Coppola—Getty Images

If your reaction to the hack attack on celebrities is to blame them for taking nude photos, you're pointing the finger at the wrong person.

There have been a lot of reactions to the massive leak of nude photos of some of Hollywood’s biggest celebrities, including actress Jennifer Lawrence and model Kate Upton, after an anonymous user posted stolen images to image-sharing website 4chan. But one of the most mind-boggling reactions has come from the people who say, “If you don’t take nude photos, they can’t be stolen.”

This is not a fringe reaction. From Ricky Gervais to rapper RZA to many people across the internet, there seems to be a common idea that the horrible and humiliating invasion of these women’s privacy and the theft of their property is in some way their own fault. When Mary Elizabeth Winstead, one of the actresses who had naked images stolen, tweeted, “To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves,” this was one of the responses she received: “‪@M_E_Winstead Stop posing nude on camera, dummy. Your husband not know what you look like nude? ‪#LessonLearned.”

Now, obviously, there is truth to this idea. A person can’t steal something that doesn’t exist. So if you don’t have nude photos, they can’t be stolen. Just like if you don’t have a car, it can’t be stolen. And if you don’t use a credit card, it can’t be compromised.

But that’s absurd, you might be saying. People need cars and they need to use credit cards, but no one needs to take nude photos of themselves. Despite the fact that neither cars, nor credit cards technically qualify as something we need, let’s parse this idea for a moment. In 2014, a huge part of our lives — working, shopping, socializing and dating — involves technology. From shopping history to credit card information to personal correspondence, digital devices store a stunning amount of personal and private information, making them an integral part of our culture. So it’s willfully naive to suggest that a person’s sex life should be kept wholly separate from that culture. Show me one person who can honestly say they’ve never taken or sent a suggestive photo, sext or email that they wouldn’t want splashed across the internet for millions to see, and I’ll show you someone who doesn’t use or understand modern technology.

Yet taking nude photos — or having a car or using a credit card — isn’t the problem here. The problem is the hacking and the stealing, in this case of something immensely private. And it’s not only a problem, it’s a crime. It’s true that posting naked photos of people without their consent is still largely a gray area, legally speaking, which is why so many revenge porn sites have exploded across the internet in recent years. But hacking and stealing photos is definitely a crime; just ask Christopher Chaney, the man currently serving a 10-year sentence for stealing and posting nude images of Scarlett Johansson and Mila Kunis, among others.

So why are people so quick to point the fingers of blame at the women who are victims of the hack? It’s likely because it’s easy — far easier than blaming a culture that nurtures this kind of misogynist attack — and also because it makes people feel safe. After all, if you’re not the kind of person who would take nude photos then you’re not the kind of person who has to worry about this kind of invasive crime, right? Yet that kind of thinking doesn’t get at the root of the problem (i.e. the hacker and protecting our devices from similar attacks) and it certainly won’t help you when it’s not celebrities who are being targeted and it’s not nude photos that are being stolen. And until people cut out the victim-blaming and focus on the real culprits, we’re all just a little bit more vulnerable.

TIME Security

How That Massive Celebrity Hack Might Have Happened

"The Other Woman" - Los Angeles Premiere
Kate Upton at the Los Angeles Premiere of "The Other Woman" at Regency Village Theatre on April 21, 2014 in Westwood, Calif. Jon Kopaloff—FilmMagic/Getty Images

Tech experts say hackers may have gained access to cellphone pictures of Jennifer Lawrence, Kate Upton and others in the iCloud via the "Find My iPhone" app

Correction appended

The leak of personal photos of more than 100 female celebrities, nude and otherwise, has tech observers questioning and debating potential vulnerabilities in Apple’s iCloud. But for those of us who don’t intuitively understand technology the questions remain: how could this happen and could it happen to me? Here are some answers:

Who was affected?

An anonymous user posted photos of celebrities like The Hunger Games star Jennifer Lawrence and model Kate Upton to the site 4Chan. The hacker claimed that there could be posts of more than 100 celebrities in total. Some celebrities, Lawrence and Upton included, confirmed the photos’ authenticity. Others, like Nickelodeon star Victoria Justice, claimed the photos were fakes.

How did the hackers do it?

The leading theory goes that hackers found a vulnerability in Apple iCloud’s “Find My iPhone” service, which helps users find lost or stolen phones via the cloud. Apple typically protects its products from so-called “brute force” programs that repeatedly guess random passwords for a given username until they get a match.

But for some reason, various tech blogs have reported, Apple failed to do this with its Find My iPhone service. Hackers identified this vulnerability, TheNextWeb reports, and allegedly used a brute force service called “iBrute” to gain access to celebrities’ passwords — and consequently, the photos stored in their iCloud accounts.

Some tech observers are skeptical of this explanation, though. Most hacks occur through more straightforward methods of collecting a user’s personal data — via a lost cellphone owned by one of the celebrities, for example. There’s also evidence that some photos came from other devices that wouldn’t back up to the iCloud, like Android phones.
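The reported gap was that guess limiting existed on some sign-in paths but not on one service. As an added illustration (not code from this article or from Apple), the sketch below shows the defensive pattern of counting failed sign-ins per account at a single choke point that every endpoint calls; the endpoint names `web_login` and `device_locator`, the thresholds, the class names and the sample account are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed policy values for illustration; tune to your own risk model.
MAX_FAILURES = 5          # failed attempts allowed before the first lock
BASE_LOCK_SECONDS = 60    # first lock duration; doubles on each further failure
MAX_LOCK_SECONDS = 3600   # upper bound on any single lock


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class _Failures:
    count: int = 0
    locked_until: float = 0.0


class AccountThrottle:
    """Failed-attempt counter keyed on the account, never on the endpoint."""

    def __init__(self):
        self._by_account = {}

    def is_locked(self, account: str, now: float) -> bool:
        state = self._by_account.get(account)
        return state is not None and now < state.locked_until

    def record_failure(self, account: str, now: float) -> None:
        state = self._by_account.setdefault(account, _Failures())
        state.count += 1
        if state.count >= MAX_FAILURES:
            doublings = state.count - MAX_FAILURES
            lock = min(BASE_LOCK_SECONDS * 2 ** doublings, MAX_LOCK_SECONDS)
            state.locked_until = now + lock

    def record_success(self, account: str) -> None:
        self._by_account.pop(account, None)


class AuthService:
    """Every sign-in path calls verify(), so no endpoint can skip the throttle."""

    def __init__(self):
        self.throttle = AccountThrottle()
        self.audit_log = []            # (time, endpoint, account, result)
        self._users = {}
        self._dummy_salt = os.urandom(16)

    def add_user(self, account: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[account] = (salt, _hash(password, salt))

    def verify(self, endpoint: str, account: str, password: str, now: float) -> str:
        if self.throttle.is_locked(account, now):
            result = "locked"          # rejected before the password is even checked
        else:
            # Unknown accounts still cost one hash, so timing does not reveal them.
            salt, stored = self._users.get(account, (self._dummy_salt, b""))
            candidate = _hash(password, salt)
            if stored and hmac.compare_digest(candidate, stored):
                self.throttle.record_success(account)
                result = "ok"
            else:
                self.throttle.record_failure(account, now)
                result = "denied"
        self.audit_log.append((now, endpoint, account, result))
        return result

    def failed_endpoints(self, account: str) -> list:
        """Endpoints that saw rejected attempts for an account (for alerting)."""
        return sorted({e for _, e, a, r in self.audit_log
                       if a == account and r != "ok"})


def demo() -> list:
    """Constructed scenario: failures spread over two endpoints share one counter."""
    svc = AuthService()
    user, good = "alice@example.test", "correct horse battery staple"
    svc.add_user(user, good)
    results = [svc.verify("web_login", user, "wrong", t) for t in (0, 1, 2)]
    results += [svc.verify("device_locator", user, "wrong", t) for t in (3, 4)]
    results.append(svc.verify("device_locator", user, good, 5))   # inside the lock
    results.append(svc.verify("web_login", user, good, 64))       # lock has expired
    return results


if __name__ == "__main__":
    print(demo())
```

Account-keyed locks can be abused to keep a legitimate user out, which is why the lock here is temporary and capped rather than permanent.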

What does Apple have to say about all of this?

An Apple spokesperson told Re/code that the company is “actively investigating” the issue, but provided few other details. The company also reportedly rolled out a security upgrade Monday, just hours after the first hack, to eliminate the possibility of a brute force service gaining access to passwords via Find My iPhone.

Could this happen to me?

If the hackers did indeed use a brute force method on the iCloud and Apple has yet to fix the problem, then, in short, yes it could happen to you. Brute force methods can be applied so long as the hacker has your username. That said, this method does not collect broad amounts of data for a lot of people. Hackers would need a reason to target you specifically.

How do I protect myself?

The only way to completely protect yourself on the internet is to stay off it. But if you want to continue living in the 21st century, use two-step verification. Apple’s iCloud is just one of many services where you can set your account so that it asks you two personalized questions before you can access it. This makes it much, much harder for hackers to get where you don’t want them. Also, maybe think twice before uploading those nude photos?

The original version of this article misidentified the alleged role of code-hosting site GitHub in the data theft. Hackers reportedly used a code that was posted to the site.

TIME Security

UPS: We’ve Been Hacked

The United Parcel Service logo on the side of a delivery truck on April 23, 2009 in New York City. Chris Hondros—Getty Images

Malware that impacted 51 franchises in 24 states may have compromised customers' credit and debit card information

The United Parcel Service announced Wednesday that customers’ credit and debit card information at 51 franchises in 24 states may have been compromised. There are 4,470 franchised center locations throughout the U.S., according to UPS.

The malware began to infiltrate the system as early as January 20, but the majority of the attacks began after March 26. UPS says the threat was eliminated as of August 11 and that customers can shop safely at all locations.

“The customer information that may have been exposed includes names, postal addresses, email addresses and payment card information,” wrote the company in a public statement. “Not all of this information may have been exposed for each customer. Based on the current assessment, The UPS Store has no evidence of fraud arising from this incident. The UPS Store is providing an information website, identity protection and credit monitoring services to customers whose information may have been compromised.”

A list of impacted franchises can be found here.

TIME Hacking

Hacking Traffic Lights Is Apparently Really Easy


Security researchers in Michigan reveal vulnerabilities in crucial roadway infrastructure

In the 1969 classic The Italian Job, Michael Caine and crew commit a major gold heist by hacking into the traffic light system of Turin, Italy, to cause a massive traffic jam, giving the robbers a perfectly synced path to escape through the gridlock.

As it turns out, this piece of high-action Hollywood theatrics is not merely screenwriter fantasy. According to cyber security researchers at the University of Michigan, pulling off a caper like that wouldn’t even be difficult today.

“Our attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage,” writes the research team led by computer scientist J. Alex Halderman.

“With the appropriate hardware and a little effort, [a hacker] can execute a denial of service attack to cripple the flow of traffic in a city, cause congestion at intersections by modifying light timings, or even take control of the lights and give herself clear passage through intersections,” according to the researchers’ findings.

The Michigan team identified three main weaknesses in traffic control systems in the U.S.: use of unencrypted wireless communication signals, default usernames and passwords, and the use of a traffic controller—the machine that interprets sensor data and controls lights and walk signs, etc.—that is vulnerable to known hacks.

Traffic signals that were at first isolated machines have evolved into the interconnected systems we have today, which facilitate big improvements in traffic flow and safety. Unfortunately, it also leaves traffic control systems vulnerable to a system-wide attack that would have been impossible in a pre-computerized era.

Researchers also identified some relatively easy fixes for the vulnerabilities they found, but added that “the real problem is not any individual vulnerability, but a lack of security consciousness in the field.”

Here’s a clip of the traffic hack scene from the 2003 remake of The Italian Job. Computers really have come a long way.

TIME technology

Why We Might Be Stuck With Passwords for a While


They certainly don't keep us safe from hackers—but none of the alternatives out there are free from their own host of problems yet either.

Why do we still have passwords? Everyone hates them. They’re hard to keep track of and hard to type in, especially on your mobile device. And they just don’t work, judging by the all-too-frequent news of bad guys busting into this site or that app.

Two reasons they haven’t gone away: First, it’s easy for programmers to deploy a standard username/password setup. They more or less just push a button in their app-building toolkit. Second, the alternatives…well, they’re not quite ready for prime time. Let’s look at a few.

Biometric sign-in

This is the term for signing in with your fingerprints or iris scan or another piece of yourself. For example, the iPhone 5s puts it to good use with a fingerprint reader. But there’s a big problem: If your password or your credit card is compromised by the bad guys, you can revoke it and get a new one. Your fingerprint? Not so much.

Federated sign-in

These are those “Sign in with Facebook” (or with Google or Twitter) buttons we’re starting to see all over the place. This is actually a pretty good idea; big Internet operators are very good at security stuff, and every app that does it is one less password to remember.

On the other hand, Facebook and Google are already very powerful, and you have to be a little nervous about putting still more of the ‘net in their hands. Work is under way on the problem: Other companies like Amazon and Paypal want a piece of the action, and maybe your alma mater or bank or the AARP could be your “identity provider,” reducing the Google/Facebook over-centralization worries. There’s real promise in Federation.

Two-factor sign-in

A 4-digit PIN and a piece of plastic are enough to get you cash from almost any bank in the world. Security experts call this “Something you know and something you have” and they like it a lot.

Similarly, most people who work for big companies carry around a physical doohickey that they have to use along with a password or PIN to access their corporate mail. Some of these display a number that you type in, others come as a USB, and so on. Another two-factor variation is sites that, when you log in, SMS you a numeric verification code.

The problem, and it’s a big one, is that you can’t really carry a different doohickey around for each of your passwords. The solution to that is obvious: just have one that works for lots of different apps. That will require some cooperation and infrastructure. There are smart people working on this idea, but we’re not there yet.

The whole notion of hardware assist is interesting. In Kenya, you can buy a lot of things with your mobile without being “online.” And in Japan, people use their phones to pay for small-ticket items like subway fares and items at vending machines. Why shouldn’t you be able to use your phone to prove who you are?

Email sign-in

Since you give most apps your address anyhow, why not just give up passwords and have the app email you a sign-in URL or magic code when you need to prove who you are? This can work pretty well, but then there’s the fact that not all email addresses are created equal. An app might be happy to rely on a Gmail address, but not one from your high school.

This whole do-away-with-passwords thing is a gold rush and there are a bunch of startups working away at it. A few of them out there are claiming to have simple solutions you can start using today and kiss passwords goodbye forever. Well, maybe. But I still sure see a lot of passwords.

If we can’t do away with passwords, at least we can make them less painful. Password managers like 1Password or KeePass or LastPass are gaining popularity (I recommend them), but mostly among engineers and other geeks.

Another good practice is just to ask for passwords less often. If you’re signing in every day from the same computer in your basement, you’ll notice that Google hardly ever asks you to prove who you are.

Yes, passwords are awful and don’t work. Yes, the experts know this. Yes, we’re working on the problem and making progress. No, we’re not there yet. Stay tuned.

Tim Bray has founded two software companies, helped write Internet standards, worked for big operators, including most recently Google, and written over a million words on his blog.

TIME technology

The World’s Top 5 Cybercrime Hotspots

"More cyber criminals are entering into the game at a quicker pace than quite honestly we can keep up with."

A Russian crime ring is suspected of obtaining access to a record 1.2 billion username and password combinations, shedding renewed light on how vulnerable online personal information can be. Cybersecurity firm Hold Security said the gang of hackers was based in a city in south central Russia and comprised roughly ten men in their twenties who were all personally acquainted with each other, the New York Times reported.

Cybersecurity experts say this enormous data breach is just the latest evidence that cybercrime has become a global business—one that, including all types of cybercrime, costs the world economy an estimated $400 billion a year. Complex malicious software, or malware, is finding its way into the hands of hackers not just in known cybercrime hubs like Russia and China but also in Nigeria and Brazil, while expanding Internet access around the world means that there are more potential cybercriminals who can easily acquire online the skills and know-how to join the craft.

“It appears more cybercriminals are entering into the game at a quicker pace than quite honestly we can keep up with [in the US] to defend our networks from these malicious hackers,” says JD Sherry, the vice president of technology and solutions at Trend Micro, a Tokyo-based cyber-security firm.

Here’s a look at the global hotspots for these cyber criminals:

Russia

Crime syndicates in Russia use some of the most technologically advanced tools in the trade, according to Sherry. “The Russians are at the top of the food chain when it comes to elite cyberskill hacking capabilities,” he says. Even before the latest revelations of stolen online records, the United States charged a Russian man, Evgeniy Bogachev, with participating in a large-scale operation to infect hundreds of thousands of computers around the world. The massive data breach of the retailer Target last year has also been traced to Eastern Europe.

But why Russia, and its smaller neighbors? Trained computer engineers and skilled techies in Russia and countries like Ukraine and Romania may be opting for lucrative underground work instead of the often low-paying I.T. jobs available there. But the Russian government has in the past also been less than helpful in helping U.S. authorities track down wanted cybercriminals. “The key really is the lack of law enforcement environment, the feeling that you can do almost anything and get away with it,” says Dmitri Alperovitch, a Russia-born U.S. citizen and co-founder and CTO of security firm CrowdStrike. “They were able to grow and evolve into organized enterprises.”

China

China is considered to be another stalwart hotbed for hackers, though the spotlight has primarily fallen not on gangs of criminals, but on the Chinese government, which has been linked to economic and political espionage against the U.S. In May, the Justice Department moved to charge five Chinese government officials with orchestrating cyberattacks against six major U.S. companies. Unaffiliated Chinese hackers have also posed a problem inside and outside the country, but according to Alperovitch there’s a surprisingly low presence relative to the size of the country. “We can speculate as to why, but the most likely reason is that the people that are identified doing this activity by the Chinese government get recruited to do this full time for the government,” he says.

Brazil

Sherry calls Brazil “an emerging cybercrime economy.” Cybercriminals there and across South America are increasingly learning from their counterparts in Eastern Europe via underground forums. They’ll also pay for Eastern European tools to use in their own attacks, using highly complex Russian-made software that Sherry says can include millions of lines of code. That black market has become so sophisticated that Eastern European hackers now provide I.T. support for customers buying their malware, according to Sherry. So far, most of the attacks that originate in Brazil target local individuals and firms, including the recently reported cybertheft of billions of dollars from an online payment system. “The question is, when will that change?” says Jim Lewis, a senior fellow at the Strategic Technologies Program at the Center for Strategic and International Studies.

Nigeria

The original home of low-tech scam emails remains a key player in underground cyber activity and has become a destination for international cybercrime syndicates, according to Sherry. Authorities in Nigeria and other African countries have been slow to crack down on scammers and hackers, even as more people connect to the Internet. “It’s proving to be a very comfortable environment for cybercriminals to set up shop, operate, and carry out their illegal activities,” Sherry says. Recent efforts by President Jonathan Goodluck to legislate cybercrime in Nigeria have served to push some of the activity into other countries in the region, such as Ghana.

Vietnam

Tech firms in Southeast Asia have a long history of working with Western software firms and other tech companies, Sherry says, meaning there is a broad base of tech expertise there. “People who are really good software engineers, those people are going to be naturals when it comes to taking off the ‘white hat’ and putting on the ‘black hat,’” Sherry says. In Vietnam, where the I.T. industry has expanded at a rapid rate in the last decade, a hacker allegedly masterminded the theft of up to 200 million personal records in the U.S. and Europe that included Social Security numbers, credit card data and bank account information. The communist government there has also been recruiting local hackers to spy on journalists, dissidents, and activists, according to the Electronic Frontier Foundation.
