Entries Tagged "cybercrime"

Page 9 of 15

Cybercrime as a Tragedy of the Commons

Two very interesting points in this essay on cybercrime. The first is that cybercrime isn’t as big a problem as conventional wisdom makes it out to be.

We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority. Spamming, stealing passwords or pillaging bank accounts might appear a perfect business. Cybercriminals can be thousands of miles from the scene of the crime, they can download everything they need online, and there’s little training or capital outlay required. Almost anyone can do it.

Well, not really. Structurally, the economics of cybercrimes like spam and password-stealing are the same as those of fishing. Economics long ago established that common-access resources make for bad business opportunities. No matter how large the original opportunity, new entrants continue to arrive, driving the average return ever downward. Just as unregulated fish stocks are driven to exhaustion, there is never enough “easy money” to go around.

The second is that exaggerating the effects of cybercrime is a direct result of how the estimates are generated.

For one thing, in numeric surveys, errors are almost always upward: since the amounts of estimated losses must be positive, there’s no limit on the upside, but zero is a hard limit on the downside. As a consequence, respondent errors—or outright lies—cannot be canceled out. Even worse, errors get amplified when researchers scale between the survey group and the overall population.

Suppose we asked 5,000 people to report their cybercrime losses, which we will then extrapolate over a population of 200 million. Every dollar claimed gets multiplied by 40,000. A single individual who falsely claims $25,000 in losses adds a spurious $1 billion to the estimate. And since no one can claim negative losses, the error can’t be canceled.

[…]

A cybercrime where profits are slim and competition is ruthless also offers simple explanations of facts that are otherwise puzzling. Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren’t any. Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply.

Posted on May 2, 2012 at 7:10 AM

How Changing Technology Affects Security

Security is a tradeoff, a balancing act between attacker and defender. Unfortunately, that balance is never static. Changes in technology affect both sides. Society uses new technologies to decrease what I call the scope of defection—what attackers can get away with—and attackers use new technologies to increase it. What’s interesting is the difference between how the two groups incorporate new technologies.

Changes in security systems can be slow. Society has to implement any new security technology as a group, which implies agreement and coordination and—in some instances—a lengthy bureaucratic procurement process. Meanwhile, an attacker can just use the new technology. For example, at the end of the horse-and-buggy era, it was easier for a bank robber to use his new motorcar as a getaway vehicle than it was for a town’s police department to decide it needed a police car, get the budget to buy one, choose which one to buy, buy it, and then develop training and policies for it. And if only one police department did this, the bank robber could just move to another town. Defectors are more agile and adaptable, making them much better at being early adopters of new technology.

We saw it in law enforcement’s initial inability to deal with Internet crime. Criminals were simply more flexible. Traditional criminal organizations like the Mafia didn’t immediately move onto the Internet; instead, new Internet-savvy criminals sprung up. They set up websites like CardersMarket and DarkMarket, and established new organized crime groups within a decade or so of the Internet’s commercialization. Meanwhile, law enforcement simply didn’t have the organizational fluidity to adapt as quickly. Cities couldn’t fire their old-school detectives and replace them with people who understood the Internet. The detectives’ natural inertia and tendency to sweep problems under the rug slowed things even more. They spent the better part of a decade playing catch-up.

There’s one more problem: defenders are in what military strategist Carl von Clausewitz calls “the position of the interior.” They have to defend against every possible attack, while the defector only has to find one flaw that allows one way through the defenses. As systems get more complicated due to technology, more attacks become possible. This means defectors have a first-mover advantage; they get to try the new attack first. Consequently, society is constantly responding: shoe scanners in response to the shoe bomber, harder-to-counterfeit money in response to better counterfeiting technologies, better antivirus software to combat new computer viruses, and so on. The attacker’s clear advantage increases the scope of defection even further.

Of course, there are exceptions. There are technologies that immediately benefit the defender and are of no use at all to the attacker—for example, fingerprint technology allowed police to identify suspects after they left the crime scene and didn’t provide any corresponding benefit to criminals. The same thing happened with immobilizing technology for cars, alarm systems for houses, and computer authentication technologies. Some technologies benefit both but still give more advantage to the defenders. The radio allowed street policemen to communicate remotely, which increased our level of safety more than the corresponding downside of criminals communicating remotely endangers us.

Still, we tend to be reactive in security, and only implement new measures in response to an increased scope of defection. We’re slow about doing it and even slower about getting it right.

This essay originally appeared in IEEE Security & Privacy. It was adapted from Chapter 16 of Liars and Outliers.

Posted on March 7, 2012 at 6:14 AM

Man-in-the-Middle Attack Against SSL 3.0/TLS 1.0

It’s the Browser Exploit Against SSL/TLS Tool, or BEAST:

The tool is based on a blockwise-adaptive chosen-plaintext attack, a man-in-the-middle approach that injects segments of plain text sent by the target’s browser into the encrypted request stream to determine the shared key. The code can be injected into the user’s browser through JavaScript associated with a malicious advertisement distributed through a Web ad service or an IFRAME in a linkjacked site, ad, or other scripted elements on a webpage.

Using the known text blocks, BEAST can then use information collected to decrypt the target’s AES-encrypted requests, including encrypted cookies, and then hijack the no-longer secure connection. That decryption happens slowly, however; BEAST currently needs sessions of at least a half-hour to break cookies using keys over 1,000 characters long.

The attack, according to Duong, is capable of intercepting sessions with PayPal and other services that still use TLS 1.0, which would be most secure sites, since follow-on versions of TLS aren’t yet supported in most browsers or Web server implementations.

While Rizzo and Duong believe BEAST is the first attack against SSL 3.0 that decrypts HTTPS requests, the vulnerability that BEAST exploits is well-known; BT chief security technology officer Bruce Schneier and UC Berkeley’s David Wagner pointed out in a 1999 analysis of SSL 3.0 that “SSL will provide a lot of known plain-text to the eavesdropper, but there seems to be no better alternative.” And TLS’s vulnerability to man-in-the-middle attacks was made public in 2009. The IETF’s TLS Working Group published a fix for the problem, but the fix is unsupported by SSL.

Another article.

EDITED TO ADD: Good analysis.

Posted on September 23, 2011 at 1:37 PM

Complex Electronic Banking Fraud in Malaysia

The interesting thing about this attack is how it abuses a variety of different security systems.

Investigations revealed that the syndicate members had managed to retrieve personal particulars including the usernames, passwords from an online banking kiosk at a bank in Petaling Jaya and even obtained the transaction authorisation code (TAC) which is sent out by the bank to the registered handphones of online banking users to execute cash transfers from their victims’ accounts.

Federal CCID director, Commissioner Datuk Syed Ismail Syed Azizan told a press conference today that the syndicate had skimmed the personal online details of those who had used the kiosk by secretly attaching a thumbdrive with spy software which downloaded and stored the usernames and passwords when the bank customers logged into their online accounts.

He said the syndicate members would discreetly remove the thumbdrive and later download the confidential information into their computer, from where they logged on to user accounts to find out the registered handphone numbers of the bank customers.

Then, using fake MyKad, police reports or authorisation letters from the target customers, the crooks would report the handphones lost and apply for new SIM cards from the unsuspecting telecommunications companies.

“This new tactic is a combination of phishing and hijacking SIM cards. Obviously when a new SIM card is issued, the one used by the victim will be cancelled and this will raise their suspicions,” Syed Ismail said.

“To counter this, a syndicate member, on the pretext of being a telco staff member, will call up their victims a day ahead to inform them that they will face interruptions in their mobile phone services for about two hours.

“It is during these two hours that the syndicate would get the new SIM card and obtain the TAC numbers with which they can transfer all available cash in the victims’ accounts to another account of an accomplice. The biggest single loss was RM50,000,” he said.

MyKad is the Malaysian national ID card.

The criminals use a fake card to get a new cell phone SIM, which they then use to authenticate a fraudulent bank transfer made with stolen credentials.

Posted on September 20, 2011 at 6:36 AM

The Problem with Using the Cold War Metaphor to Describe Cyberspace Risks

Nice essay on the problems with talking about cyberspace risks using “Cold War” metaphors:

The problem with threat inflation and misapplied history is that there are extremely serious risks, but also manageable responses, from which they steer us away. Massive, simultaneous, all-encompassing cyberattacks on the power grid, the banking system, transportation networks, etc. along the lines of a Cold War first strike or what Defense Secretary Leon Panetta has called the “next Pearl Harbor” (another overused and ill-suited analogy) would certainly have major consequences, but they also remain completely theoretical, and the nation would recover. In the meantime, a real national security danger is being ignored: the combination of online crime and espionage that’s gradually undermining our finances, our know-how and our entrepreneurial edge. While would-be cyber Cold Warriors stare at the sky and wait for it to fall, they’re getting their wallets stolen and their offices robbed.

[…]

If the most apt parallel is not the Cold War, then what are some alternatives we could turn to for guidance, especially when it comes to the problem of building up international cooperation in this space? Cybersecurity’s parallels, and some of its solutions, lie more in the 1840s and ’50s than they do in the 1940s and ’50s.

Much like the Internet is becoming today, in centuries past the sea was a primary domain of commerce and communication upon which no one single actor could claim complete control. What is notable is that the actors that related to maritime security and war at sea back then parallel many of the situations on our networks today. They scaled from individual pirates to state fleets with a global presence like the British Navy. In between were state-sanctioned pirates, or privateers. Much like today’s “patriotic hackers” (or NSA contractors), these forces were used both to augment traditional military forces and to add challenges of attribution to those trying to defend far-flung maritime assets. In the Golden Age of privateering, an attacker could quickly shift identity and locale, often taking advantage of third-party harbors with loose local laws. The actions that attacker might take ranged from trade blockades (akin to a denial of service) to theft and hijacking to actual assaults on military assets or underlying economic infrastructure to great effect.

Ross Anderson is the first person I heard comparing today’s cybercrime threats to global piracy in the 19th century.

Posted on August 26, 2011 at 1:58 PM

The Problem with Cyber-crime Surveys

Good paper: “Sex, Lies and Cyber-crime Surveys,” Dinei Florêncio and Cormac Herley, Microsoft Research.

Abstract: Much of the information we have on cyber-crime losses is derived from surveys. We examine some of the difficulties of forming an accurate estimate by survey. First, losses are extremely concentrated, so that representative sampling of the population does not give representative sampling of the losses. Second, losses are based on unverified self-reported numbers. Not only is it possible for a single outlier to distort the result, we find evidence that most surveys are dominated by a minority of responses in the upper tail (i.e., a majority of the estimate is coming from as few as one or two responses). Finally, the fact that losses are confined to a small segment of the population magnifies the difficulties of refusal rate and small sample sizes. Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population. A single individual who claims $50,000 losses, in an N=1000 person survey, is all it takes to generate a $10 billion loss over the population. One unverified claim of $7,500 in phishing losses translates into $1.5 billion.

I’ve been complaining about our reliance on self-reported statistics for cyber-crime.
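The extrapolation arithmetic behind both the essay quoted in the May 2012 post above and this abstract, as an added example (not code from either paper or from this blog): a survey of 5,000 respondents scaled to a population of 200 million, with constructed per-respondent loss figures, showing how one false $25,000 claim adds exactly $1 billion and how few responses carry most of the estimate.

```python
"""Why one self-reported outlier dominates a survey-based cyber-crime loss estimate.

Added example. The respondent figures are constructed; the survey size (5,000),
the population (200 million) and the dollar amounts match the page's text.
"""

POPULATION = 200_000_000  # population the survey is scaled to (from the page)

# Constructed survey: 5,000 respondents, 50 of whom report a genuine $200 loss.
SAMPLE_LOSSES = [0] * 4_950 + [200] * 50


def extrapolate(losses, population=POPULATION):
    """The surveys' method: mean per-respondent loss times the population."""
    return sum(losses) / len(losses) * population


def with_false_claim(losses, claim):
    """Copy of `losses` in which one zero-loss respondent instead reports `claim`."""
    out = list(losses)
    out[out.index(0)] = claim  # ValueError if nobody reported zero
    return out


def false_claim_error(losses, claim, population=POPULATION):
    """Dollars added to the population estimate by a single fabricated claim.

    Because a loss cannot be negative, nothing in the rest of the survey can
    cancel this out; it is claim * (population / len(losses)).
    """
    return extrapolate(with_false_claim(losses, claim), population) - extrapolate(losses, population)


def responses_for_majority(losses):
    """Smallest number of (largest) responses that account for over half the total."""
    total = sum(losses)
    if total == 0:
        return 0
    running = 0
    for k, value in enumerate(sorted(losses, reverse=True), start=1):
        running += value
        if running * 2 > total:
            return k
    return len(losses)


if __name__ == "__main__":
    inflated = with_false_claim(SAMPLE_LOSSES, 25_000)
    print(f"honest estimate:   ${extrapolate(SAMPLE_LOSSES):,.0f}")
    print(f"with one $25k lie: ${extrapolate(inflated):,.0f}")
    print(f"error introduced:  ${false_claim_error(SAMPLE_LOSSES, 25_000):,.0f}")
    print(f"responses making up a majority: {responses_for_majority(inflated)}")
```

The same function reproduces the abstract's N=1000 figures: one $50,000 claim among 999 zeros extrapolates to $10 billion, and one $7,500 claim to $1.5 billion.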

Posted on June 21, 2011 at 5:58 AM

Tennessee Makes Password Sharing Illegal

Here’s a new law that won’t work:

State lawmakers in country music’s capital have passed a groundbreaking measure that would make it a crime to use a friend’s login—even with permission—to listen to songs or watch movies from services such as Netflix or Rhapsody.

[…]

The legislation was aimed at hackers and thieves who sell passwords in bulk, but its sponsors acknowledge it could be employed against people who use a friend’s or relative’s subscription.

While those who share their subscriptions with a spouse or other family members under the same roof almost certainly have nothing to fear, blatant offenders—say, college students who give their logins to everyone on their dormitory floor—could get in trouble.

Posted on June 7, 2011 at 5:32 AM
