Schneier on Security
A blog covering security and security technology.
September 19, 2006
Cybercrime is getting organized:
Cyberscams are increasingly being committed by organized crime syndicates out to profit from sophisticated ruses rather than hackers keen to make an online name for themselves, according to a top U.S. official.
Christopher Painter, deputy chief of the computer crimes and intellectual property section at the Department of Justice, said there had been a distinct shift in recent years in the type of cybercriminals that online detectives now encounter.
"There has been a change in the people who attack computer networks, away from the 'bragging hacker' toward those driven by monetary motives," Painter told Reuters in an interview this week.
Although media reports often focus on stories about teenage hackers tracked down in their bedroom, the greater danger lies in the more anonymous virtual interlopers.
"There are still instances of these 'lone-gunman' hackers but more and more we are seeing organized criminal groups, groups that are often organized online targeting victims via the internet," said Painter, in London for a cybercrime conference.
I've been saying this sort of thing for years, and have long complained that cyberterrorism gets all the press while cybercrime is the real threat. I don't think this article is fear and hype; it's a real problem.
Posted on September 19, 2006 at 7:16 AM
• 21 Comments
Regardless of who is doing the cybercrime, whether it be a "bragging hacker" or an organized criminal group, there are ways to protect yourself from most dangers.
Unique enough passwords work well to a certain extent; however, it is specific files you are trying to protect. Cyber criminals are going to get in somehow, but in reality it is how you protect yourself once they get in that could save you an identity.
Yes, it is a very real and urgent problem.
However, like identity theft of the individual and corporate organisations, it does not get the attention it deserves from either the law makers or law enforcement agencies, often as it does not appear to involve physical harm to the individual.
In the UK it took something like ten years to get "cybercrime" legislation, however some 15 years later most police are not aware of the implications of it or how to go about investigating it (I suspect this is true of the U.S. as well as many other countries).
Even when cybercrime legislation comes along it is usually heavily biased at protecting the entertainment industries (content protection), not at individuals or small organisations (fraud prevention).
What we need is legislation that applies to the protection of the individual that can be used also to protect organisations. That can be used across national boundaries and be used to also get restitution against companies that by their own negligence make cybercrime against the individual possible.
We also need to stop governments and other large organisations accruing information on the individual that can be used to their deficit.
For instance, why oh why are organisations (corporate / educational / governmental) allowed to carry on using Social Security Numbers as a means of identification when at one point the U.S. Gov quite happily made them available online to anybody and everybody who wanted to look?
Sometimes I get the feeling the only way the individual is going to be protected is when enough victims get together and start their own lobbying campaigns.
These sorts of techniques are well and good for the individual, but won't help much against extortionists utilising DDoS attacks.
Botnets controlled by quite ruthless criminals are a far more serious problem than the typical 'breaking and entering' type attack.
It's hardly a *new* trend - for several years already, most of the worms we've seen have been constructed with the goal of dropping malware for profit on victimized machines (adware, spyware, and botnet software, mostly).
Anyone got tips on starting a cybercrime investigation business? I think I'd be good at it.
Actually, I'm really just interested in breaking spammers kneecaps, anyone got tips on that?
The article quotes estimated annual losses at $400 billion. This works out at roughly $1,400 per head of the USA population. Personally, I'd like to know where these numbers come from. I could not find any recent figures for credit card losses but $1 billion to $2 billion seems like a decent guess based on figures for 2001.
Where did the other $398 billion go?
I imagine that fighting computerised fraud must be quite technical sometimes; how many police are knowledgeable enough about this sort of thing? Not nearly enough I bet - especially when so many resources are being used to watch out for terrorism.
"some organizations prefer to keep quiet rather than publicize that their networks have been successfully attacked." If a listed company does this then it is covering up mistakes that cost the shareholders. I thought there were rules against that sort of thing.
"some organizations prefer to keep quiet rather than publicize that their networks have been successfully attacked." If a listed company does this then it is covering up mistakes that cost the shareholders. I thought there were rules against that sort of thing."
Once upon a time the directors were responsible for not releasing information that might be detrimental to the company's well-being / share values unless legally required to do otherwise.
So the old directors' viewpoint used to be "if we reveal this" it will not benefit the shareholders, only harm the company share price, therefore we have an obligation to keep the information confidential.
But as a number of well known companies showed, it is very very easy for company directors to deliberately engineer a situation where they can rely on that viewpoint to cover up their deficiencies...
"A growing worry is that cybercrooks could target emergency services for extortion purposes or that terrorists may be tempted to attack critical utility networks like water and electricity."
With all due respect, making statements like the above without providing any detailed facts is just spreading more FUD around, IMHO. Especially if you use words like "could" and/or "may" as in:
"Digital Pearl Harbors MAY/COULD be happening every day."
To quote Jack Webb "Just the facts Sir, please!"
> Anyone got tips on starting a
> cybercrime investigation business?
> I think I'd be good at it.
Quack, I have my doubts.
"With all due respect, making statements like the above without providing any detailed facts is just spreading more FUD around"
If you have a look at SCADA systems (industrial control systems) that are connected directly or indirectly to the internet you have a very real problem. Invariably they are connected as a cost saving measure to allow staff to access them from home (ie "on call" is a lot cheaper than "at work on site").
I posted to this blog just a short while ago about it,
Also have a look at this PDF from 2003,
or a blog aimed at SCADA security,
To say that this is FUD is to put it a little bluntly a bit like having your head in the sand...
It is not a question of IF but WHEN. The U.S. Military amongst others are known to have done considerable research into just this as a method of prosecuting war against another nation. The only question is who will do it first, a "Legitimate Government" or a "Terrorist Organisation"...
Yes, the SCADA scare has been going on for quite some time. More recently the quality (integrity) is becoming as important as the availability. But to Bruce's point, I've noticed when a water source is polluted in the course of "doing business" then there seems to be little concern expressed by authorities. Say the word terrorism, however, and your water district apparently will be endowed with funding for monitoring and protecting.
lol @ quack
"Actually, I'm really just interested in breaking spammers kneecaps, anyone got tips on that?"
Interesting article, the impact this type of cyber-blackmail could have on ordinary businesses seems very realistic and possible. I doubt the average business would have the technical and PR skills to fight back, let alone prevent such a situation.
Interesting article, the organization of cyber-crime seems very realistic to me. I believe the average business would be very hard pressed to not give in to this type of situation. They do not have the technical or PR skills to handle, defend, and prevent this type of cyber-blackmail.
Yes, and what do organized criminals do to individuals and businesses who complain about their activities?
Just ask folks in the UK, where people who complain about spammers have occasionally been tracked down and threatened with violence, for some years now.
Which opens the question of how the spammers found out who these people are... "secure" government databases, anyone?
"To say that this is FUD is to put it a little bluntly a bit like having your head in the sand..."
Well I don't know about in the sand but I've been told by others that I have my head stuck up someplace else! ;-)
Anyway since I work with SCADA systems I am very aware of the REAL threats that are out there but the point I was trying to make is that if Bruce, and others, who all should know better, are going to make these kind of statements they need to provide the data to back them up.
I think in a past life I was born in Missouri AKA the "Show Me" state!
Cyberterrorism certainly exists but the incidence is orders of magnitude less than organised cybercrime. There has been an ongoing hacker battle between Israeli and Palestinian hackers for six years.
What should probably be a much greater concern is the risk that ordinary terrorists use cybercrime for fundraising. Consider the history of the Red Army Faction (Baader-Meinhof gang) which did not amount to anything much until Meinhof helped spring Baader from jail and the group went to Jordan for training by the PLO. When they came back they robbed five banks before they got round to writing a manifesto.
Without the money from the bank robberies the RAF would never have amounted to anything.
Every political movement of any consequence realizes that the Internet is the tool they must learn to promote their ideas. This is even more critical for fringe groups.
The probability that these groups will turn to cybercrime for fundraising is very high. And it is also likely that over time the opportunist cyber criminals will be displaced by more organized gangs. Groups like Shadowcrew are essentially unstable, it only takes one or two defections and the whole group is in jail. A political group with a common ideological goal is much more likely to stay together. Moreover political groups generally adopt precautions against infiltration and are more disciplined in their handling of information.
Though I agree on the topic, I think one should not hype things up. Things must be seen in perspective. The cyberworld as they call it is not better than the actual 'organic' or real world we live in. And like in this world we will make mistakes like we do in the real world. And a basic fact is that the internet was not built to be secure in the first place. It was architected to transmit text, and hypertext only. The flaw of the internet is really when they thought about letting users interact with the internet, by using clientside code and serverside code. So in my opinion I think that we will learn quickly about these problems, like we did in the real world, and take action upon it. But still one has to trust, just like in real life. If you cannot trust, you have no life anymore. Life comes with dangers, and so does the cyberlife, or cyberworld.
The only way for one to stop this cybercrime from happening to them is to never give out any information that could possibly lead to identity theft. Most people that are victims don't understand that and/or don't want to believe that. It's also risky to give out this information on paper, but computers are so much worse.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.