Privacy and Security Cyber crime, Cyber weapons and Cyber Wars

Privacy and Security Cyber crime, Cyber weapons and Cyber Wars

Privacy and Security Cyber crime, Cyber weapons and Cyber Wars

Permalink: ‎

Criminals are open-minded when it comes to new ways of stealing money. They learn fast. The biggest change in the business of cybercrime occurred when the most advanced groups moved from selling goods (stolen data or computer viruses) to the establish- ment of the criminal cyber services (stealing data, providing access to in- fected computers, or writing tools to steal data).

This transition in criminal business models was good for risk-averse cyber- criminals.3,4 It gave them stable cash flow and reduced their risks. It allowed them to interact with their customers (other criminals) without ever getting physically close to them. This approach attracted much less attention from law enforcement and old-style criminals— those carrying guns instead of laptops. Computer crime became an industry comparable in size to weapons traffick- ing and drug trafficking. Various sourc- es put individual monetary losses from cybercrime as more than $100 billion. Symantec in the 2012 Norton Cyber-

I n thE past the media focused on cyber criminals. For the last two years, whenever I see a news report related to un- scrupulous developments in

cyberspace, there is almost always a mention of weapons, the military, or an intelligence service. Nowadays, even when criminals are blamed for performing a major cyber heist, ven- dors call it “Operation Blitzkrieg” and the mass media announce, “Russian Hackers Declare War on USA.” A New York Times article attributed an attack by “Izz ad-Din al-Qassam Cyber Fight- ers” against U.S. banks to the state of Iran without any evidence other than “a level of sophistication far beyond that of criminals.”2

Has the world really changed that much in two years? I don’t think so. Even the most complex cyber attacks are within the reach of cyber criminal enterprises.

Criminals have always raced ahead of the pack, figuring out how to steal from somewhere before the rest of the

population realized there was money to be had. Cyber criminals have sites where they sell and buy things. In the early 2000s, criminals were selling credit card numbers.6 Then banks went online, and criminals invented phishing. As losses grew, the financial institutions responded by improving their security technologies. But cyber- crime had already moved on to the next best fraud.

DOI:10.1145/2461256.2461266 Stas Filshtinskiy

even the most complex cyber attacks are within the reach of cyber criminal enterprises.

viewpoints

june 2013 | vol. 56 | no. 6 | CoMMuniCATionS of The ACM 29

V I

l l

u S

t R

a t

I o

N b

y m

a R

I o

W a

g N

e R

crime report estimated an annual cost of up to $110 billion.8 Such reports might or might not be accurate, but even 1% of the perceived losses is a lot of money.

How can such money be made? Garden-variety criminals cannot pull off such expensive heists. That money comes from sophisticated, interlinked services that criminals have on offer. Here the some of the services available on cybercriminal trade portals:

˲ Sending unsolicited messages of all sorts—this now includes not only email messages, but also Twitter and social network messaging.

˲ Writing malware on-order, which includes online support and regular updates for additional licensing fees.

˲ Bulletproof—or as it is often termed, “abuse resistant”—hosting, for those criminals who need to have Web presence.

˲ Botnet access. ˲ Anonymous access to the Internet. ˲ Getting your video to the top of

YouTube. ˲ Hacking in general.

These services are on the market for anyone who wants to buy them—gov- ernments, activists of all persuasions, terrorists, and criminals. These ser- vices facilitate other criminal activities and are available for anyone who can pay. According to an interview with a provider,1 a denial-of-service attack is priced between $50 and $500 per day,a depending on the site and deployed defenses. This provider estimated the price of shutting down the popular blogging site LiveJournal.com at $250 to $400 per day.

Criminals have advertised: ˲ The price for hacking a private

email address is between $30 and $50. ˲ A forged copy of an identity docu-

ment of virtually any country in the world costs less than $30.

˲ Custom-made software to auto- matically register new accounts on pop- ular Web sites and bypass CAPTCHA protection costs less than $500.

˲ Custom-built malware costs $1,500

a All prices are in U.S. dollars

plus monthly support and consulta- tion fees.

Cybercrime services allow busi- nesses (for example, street gangs with soldiers on the ground) to buy a supply line of stolen credit card data or bank credentials belonging to individuals or companies local to their area. Once they pay for the service, these “busi- nesses” can exploit this information at their own risk. The suppliers are not there if the exploiters of the data are caught. They are jurisdictionally and logically far away from the crime and out of law enforcement’s way. Success- ful arrests of providers of cybercrimi- nal services are rare and require a long- term sting operation or entrapment like Operation Card Shop, which was a two-year undercover effort by the FBI that concluded in mid-2012.

Cyber criminals’ capabilities are impressive. Now consider some at- tacks that have been attributed to intelligence services, often with lan- guage about cyberweapons. Accord- ing to media reports, the proverbial

30 CoMMuniCATionS of The ACM | june 2013 | vol. 56 | no. 6

viewpoints

Georgia while the online capabilities of Georgia were severely degraded by a massive denial-of-service attack. Georgian official and private web- sites were also defaced.

The main shared feature of each of these stories is that those attacks used nothing more than was avail- able in the criminal markets at the time. Some of the example attacks may have been the work of govern- ment agencies,b but they are also within reach of determined criminal groups. Similar attacks can be easily designed from building blocks avail- able on the market. Sophisticated malware can be ordered online. Un- known (so-called zero-day) vulnera- bilities can be purchased and turned into exploits. Computing power equivalent of multiple, top-of-the- range supercomputers is on offer. Da- tabases of already-hacked passwords are available.

An attack sponsor need not be a hacker or social engineer to profit from the theft of valuable data. A decent project manager capable of understanding what items are in demand can identify particular in- formation as marketable and build and execute a project plan using purchased components and ser- vices. Custom exploits can deliver the payload into a protected perim- eter, unique malware can search and eventually reach valuable data, and individually crafted software can ex- filtrate the loot. The sponsor of the at- tack can then sell the data wholesale or piece by piece to any party able to pay, whether a criminal organization,

b The Stuxnet attack was attributed to the U.S. government according to David Sanger.7

crown jewels of the well-known secu- rity vendor RSA were stolen and alleg- edly used to attack multiple targets, including financial organizations and weapons manufacturers. The attack was not very advanced—it started with a known exploit, continued for some time, and ended with exfiltration of the data through a typical channel.

The Stuxnet attack occurred when a uranium enrichment plant in the Islamic Republic of Iran was sabo- taged. The attack allegedly used spe- cially crafted malware, delivered to the target by uncontrolled USB de- vices. The attack exploited previously known and unknown vulnerabilities in industrial control systems to dam- age centrifuges.

Georgia, a small nation in the Caucasus Mountains, got into the bad books of its bigger neighbor Rus- sia over the future of two pro-Russian separatist regions. It resulted in military conflict. Separatists’ online news agencies were allegedly com- promised by hackers associated with

An attack sponsor need not be a hacker or social engineer to profit from the theft of valuable data.

intelligence service, or terrorists. The scariest thing of all is that most of these recent attacks could be the work of a criminal.

According to security vendors, poli- cymakers, and media, the world is rife with secret services, intelligence opera- tives, and military commands engaged in cybercrime. This perception is par- tially based on truth: intelligence agen- cies and military do operate in cyber- space. But this perception leads to bad decisions. Business leaders are not sure how best to invest in protection. Politi- cal leaders pass laws that reduce free- dom of information on the Internet and empower counterintelligence services. Society is exposed because defenses ap- propriate to the threat are not built.

Most attacks, regardless of who is paying for them, are perpetrated by cyber criminals. We need to oppose them through better international en- forcement efforts, even though this has been difficult to achieve. We must also disrupt their business models by tak- ing down their ability to offer and de- liver their services. This has been done somewhat successfully by U.K. banks.5 Most important, we must recognize that most attacks are executed by crim- inal enterprises, and not by nation- states. These attacks can be defended against if we put in the tools to do so.

References 1. aif 2011 in Russian. Interview with the hacker about

ddoS attacks; http://www.aif.ru/techno/article/42414. 2. bank hacking was the work of Iranians, officials

say. The New York Times (Jan. 8, 2013); http:// www.nytimes.com/2013/01/09/technology/online- banking-attacks-were-work-of-iran-us-officials-say. html?_r=0&pagewanted=print

3. chiesa, R.N. cybercrime and underground economy: operating and business model; http://www. flarenetwork.org/report/enquiries/article/cybercrime_ and_underground_economy_operating_and_business_ model.htm.

4. filshtinskiy, S. cyber criminal economy. In Proceedings of the AusCERT 2007 Conference.

5. financial fraud action u.k. 2011. fraud, the facts; http:// www.financialfraudaction.org.uk/Publications/#/52/.

6. kabay, m.e. a brief history of computer crime; http:// www.mekabay.com/overviews/history.pdf

7. Sanger, d. Confront and Conceal. crown Publishers, 2012, 197–203.

8. Symantec. 2012 Norton cybercrime report. 2012 Norton cybercrime Report. http://now-static. norton.com/now/en/pu/images/Promotions/2012/ cybercrimeReport/2012_Norton_cybercrime_Report_ master_fINal_050912.pdf.

Stas Filshtinskiy (Stas.filshtinskiy@baesystemsdetica. com) is a principal consultant with bae Systems detica in melbourne, australia.

the views expressed in this column are those of the author and do not necessarily represent the views of the author’s employer or any organization with whom the author might be associated.

copyright held by author.

Computational

Epidemiology

The Information

Distance between

What I Said

and What I Mean

Cutting Cake Is

Not Just Child’s Play

Plus all the latest news about cooling computers from the inside, 3D printing of personal electronics, and when governments and makerspaces collide.

c om

in g

n ex

t m

on th

in C

O M

M U

N IC

A TI

O N

S

Copyright of Communications of the ACM is the property of Association for Computing Machinery and its

content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder’s

express written permission. However, users may print, download, or email articles for individual use.