Cybercrime | Article by Chas Foster
Cybercrime - un crime sans frontières
Have you heard these terms:
- TOR (The Onion Router): an anonymous dark web access browser
- Silk Road 2: a website to enable the purchase of drugs, guns, women
- The Slur market: allows anonymous trading of confidential information
- The Dark (or Deep) Web: first developed by the US military to keep messages encrypted and hence secret
If not, good, you are unlikely to be a hacker.
A little bit of history
Since the 1980s we have seen a consistent rise in globalisation, which has significantly increased the potential for trade and entrepreneurial opportunity. Combined with this, November 1989 saw the fall of communism, and not only did communism collapse but many States collapsed with it. This situation also gave criminal cartels the opportunity to gain considerable power and assets, and a base from which to expand their empires. We have since seen a World recession, but the one area that has grown through this period is organised crime. It is opportunistic and has only one rule: there are no rules. It is estimated that organised crime now accounts for 15% of the World’s GDP, with fraud, counterfeiting and the fastest growing area, cybercrime, being the market leaders. The western desire to consume, regardless of recession, is the primary driver of organised crime. This is assisted by corruption, which acts as an accelerator to crime as it facilitates access and enables speedy progress in areas that would otherwise be difficult for the criminal to access. We are all impacted by organised crime: through our credit cards, our bank accounts, our investments, our pension schemes, even the food we eat (horse meat sold as beef). There is no romanticism to modern day organised crime; it is not a Bonnie and Clyde story. It is a faceless, violent force and needs to be taken very, very seriously.
Let’s consider the fastest growing area: CYBERCRIME. The key to cybercrime is social engineering or, to give it its technical name, “there’s one born every minute”. People’s natural carelessness, naivety, greed or desire for illicit goods such as drugs is at the bottom of many successful cybercrimes. We all live in a World of interconnected systems; we are dependent on computers. There are many examples of computers being of considerable benefit to mankind, but the IT environment also leaves us vulnerable, and we will become more and more reliant on computers. I am told by colleagues that the two “next big things” in the IT world are “Big Data”, the control of access to vast banks of data using, in particular, super Apps which monitor the efficiency and running of business Apps, and “The Internet of Things”, which is the connecting of machines/men to the internet. This is the future. Stephen Hawking has predicted that the development of full artificial intelligence could spell the end of the human race: “It would take off on its own, and re-design itself at an ever increasing rate”. But let’s assume there is a little way to go before we get to that point.
Therefore, concentrating on today, our level of awareness, both in business and in our personal lives, of the risk that access to computers presents has to be heightened. We are at the beginning of a mighty struggle worldwide for control of the internet. More public services are going online, gathering more and more information about you and your company, and soon you may have no choice but to use the internet, increasing the opportunity for crime. Very soon the internet will control our lives, but do we ever question how well the organisations that ask for information on us keep the data?
The complexity is vast, with multiple influences: politics, civil liberties, power, press freedom and now criminals, which includes terrorists, who are much more sophisticated and whose techniques are developing. During the recession, when other natural outlets for criminals (e.g. selling drugs) became less lucrative and outlets closed down, credit card fraud grew, even to the extent that criminal websites were developed to overcome the problem of mutual mistrust, where an “honest broker” would act as an intermediary between criminals to aid them in selling credit card lists. Internet fraud is a low-risk, high-return industry facilitated by the internet.
A quote from The Times of 2nd September 2014 sums this up:
“Police cannot cope with cybercrime. The scale of on line crime is so enormous that police cannot stop it and the public must do more to protect itself says Ian Leppard, the City of London Police Commissioner”.
The internet was not developed by one person; it was a concept, started over 50 years ago, which has grown. Tim Berners-Lee, a British scientist at CERN, invented the World Wide Web (WWW) in 1989. The web was originally conceived and developed to meet the demand for automatic information-sharing between scientists in universities and institutes around the world, facilitated by the internet. The genius of the internet is its interconnectedness, which in turn presents huge risks. Whatever the good intentions behind these developments, they have proven an invaluable tool to people, and even States, pursuing harmful or even criminal intentions.
We have all heard of the Sony Pictures Entertainment cyber hack, a release of confidential data belonging to Sony Pictures Entertainment on November 24, 2014. The data included personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries, copies of unreleased Sony films, and other information. The hackers called themselves the "Guardians of Peace" or "GOP" and demanded the cancellation of the planned release of the film The Interview, a comedy about a plot to assassinate North Korean leader Kim Jong-un. United States intelligence officials, evaluating the software, techniques, and network sources used in the hack, allege that the attack was sponsored by North Korea, which denied all responsibility.
In 2014, there were 43,000,000 cyberattacks registered on businesses worldwide; that’s 117,379 per day, and this is growing.
Stuxnet, discovered in June 2010, was a virus designed to attack industrial sites and reportedly ruined almost 1/5th of Iran’s nuclear centrifuges. It was designed to attack industrial programmable logic controllers (PLCs). PLCs allow the automation of electromechanical processes such as those used to control machinery on factory assembly lines, amusement rides, or centrifuges for separating nuclear material. Stuxnet functions by targeting machines and networks using the Microsoft Windows operating system, then seeking out Siemens Step7 software. Stuxnet reportedly compromised Iranian PLCs, causing the fast-spinning centrifuges to tear themselves apart. It could be tailored as a platform for attacking modern PLC systems (e.g. in the automobile or power plant industries).
Every day potential risks arise. The Times reported on 18th February 2015: “Mohammed Ammer Ali, 31, from Liverpool, is accused of attempting to buy 500mg of ricin on the internet, using the dark web, in an alleged FBI sting operation.” An article in The Times of 19th February 2015 quoted Marillyn Hewson, the president and chief executive of Lockheed Martin, a leading provider of military and commercial cybersecurity services, who said that cyber adversaries had become as serious a threat to US military forces as the land, sea and undersea dangers they had faced for decades. Nobody was safe, she said: “Last year it is estimated that hackers accessed the personal information of almost half of all American adults.” In the face of constant attempts by hackers to steal sensitive intellectual property related to defence projects such as the F-35 fighter aircraft, which it is building with partners including BAE Systems and Northrop Grumman, Lockheed has developed a seven-step intelligence-based system called the “kill chain” to identify and neutralise threats.
This is scary stuff.
There are 3 pillars to the modern cyber world: warfare, industry and security. There is no international control and hence various groups with varying intent have sprung up. One is Anonymous, a scary hacktivist group who, among other targets, have attacked Fox News and PayPal. The feeling is there are two types of companies in the World: those that know they have been hacked and those that don’t. Anonymous would say they are providing a service to mankind, demonstrating how poor companies are at protecting our data, and that they are resisting the attempts of companies and countries to take over our lives through the internet. Whatever your feelings, one thing is true: the modern World’s dependency on IT represents an enormous risk, extending from carding (extracting details from credit cards) to cyber warfare.
Eugene Kaspersky, who advises the UK Government and Interpol on Cybercrime, is quoted as saying “terrorists will soon be able to launch advanced cyber-attacks on critical national infrastructure”. When asked what Governments feared the most, Mr Kaspersky said, “my advice is to watch Die Hard 4”, which shows criminals attacking air traffic control systems, stealing from banks and infiltrating FBI computers for the purposes of blackmail. The UK National Crime Agency has a Cybercrime Unit with a specific brief of defending national institutions such as the Bank of England. The UK Government have announced that in 2015 they will be testing the cyber defences of critical institutions to help improve defences against cyberwar.
Cybercrime is not just a problem for big organisations and countries; it impacts us all. We all know we have to take care with men or women knocking on our front door and purporting to be from the gas board, but the person knocking on your computer door and gaining access is potentially a much greater financial risk. To beat these issues we actually need the help of the hackers, as they are the people with the skill. We need to gain their trust, not put them in jail where they fall into the hands of criminals.
To successfully orchestrate a cybercrime you need one important ingredient: the hacker. What is the profile of a typical hacker? Starting age 13, obsessed with computer games and, although from very different social backgrounds, 95% are male. Invariably (60%) suffering from autism, Asperger syndrome or other related conditions, not in the first instance motivated by money, generally people that find it hard to relate to others, having poor social communication skills but with advanced ability in maths or more usually physics. This profile produces people with genius level IT skills. These people do not become hackers to start a life of crime; mischief maybe, but not crime. However, this is where many end up, because these organised criminal groups recruit them. Slowly our forces of law and order have realised that they need to recruit such skills, not punish them, if we are to successfully defeat the criminal.
Your role in helping to fight the risk
The list below is intended to highlight simple steps that everyone, in both a work and a home environment, should abide by. These points are very basic but we do not always follow them. They should be as natural to you as locking your front door when leaving the house. There are no surprises here, but please ask yourself how many of these steps you or your company actually implement.
- Do not allow anyone to use your computer as a host for their memory stick or CD. You cannot know if they have a virus encrypted therein.
- Do not use a memory stick unless you have bought it. Criminals have been leaving memory sticks lying around, particularly outside supermarkets, hoping people would pick them up and use them. It will enable them to gain access to your machine.
- Do not open or click on anything that looks suspect. Whatever you are promised it will not happen and the likelihood is your computer will download a virus. Likewise do not open email attachments unless you are sure you are expecting an attachment from someone you know. Look at them with caution and when in doubt, get in touch with the sender before you open the e-mail. All it takes is one act of complacency on your part to catch a dangerous virus.
- Do be vigilant as to what you or other members of your family or company say when using social sites such as Facebook. It is known that criminals trawl these sites to gain information particularly to give clues as to your possible passwords.
- Do not disclose personal information in an email. Spammers are getting better and better at masking themselves to look like legitimate businesses and at making their emails look very authentic. They may be fraudulent emails trying to get access to bank accounts and other information.
- Do install anti-virus software. Anti-virus programs prevent viruses and spyware from infiltrating your computer. It’s better to prevent than to treat. Install a good anti-virus software program and make sure that it has the automatic update feature enabled by default. You also need a firewall, and Windows has one automatically installed. You need to ensure you do not turn it off.
- Do not install or remove any files or programs you are not sure of. If you are prompted to install a program, make certain you know exactly what that program is. Don’t install anything that says your computer has been infected and that you need to download their program. This opens a backdoor to your computer that allows viruses in. In addition, deleting a file could cause irreparable damage to your computer. If you are going to change or delete a file make a copy first.
- Do not trade on websites you are unsure of. Generally, making online purchases is safe provided the company is reputable. If you are not sure, you can do a Google search of the site and read what other customers are saying.
- Do install automatic Windows updates, even though it ends up asking you to restart your computer, which is a pain. These updates are essential for your computer to keep up to date with the numerous security holes that are identified every day. Without these updates, your computer is like a car whose brakes never get checked and your computer will crash.
- Choose an effective password. Do not choose an obvious word, like “password” or your cat’s name. Do not use an actual word. It should be at least 8 characters long and contain at least one capital letter, one number and one special character (punctuation marks and symbols). This will considerably strengthen your level of security.
Chas Foster, Director, Helvetic Fund Administration Limited.