Cybercrooks: Captains of Industry?
The idea that cybercrimes are the work of miscreants or gangs of hackers picking targets at random is outmoded. Analysts now see a mature industry with an underground economy based on the development and distribution of ever more sophisticated tools for theft or wreaking havoc. That is the takeaway from a report released on Wednesday by researchers at 41st Parameter, a maker of device recognition and intelligence solutions.
According to the report,
Cybercrime is on the rise: large-scale fraud attacks, consumer data breaches, and politically-motivated Distrbuted Denial of Service (DDoS) attacks on financial institutions and others are costing businesses billions of dollars every year…Much of this growth stems from the maturation of the criminal digital underground and its 'industrial' approach to cybercrime.
Of the trends in cybercrime identified by 41st Parameter, a Network World article about the research summarizes the top five as: data breaches, which the report calls “the fuel that drives the industrial fraud complex,” becoming an inevitability even for large businesses; smartphone hacking, driven by the new business opportunity presented by the 700 million smartphones sold in 2012 alone; better cloaking techniques that allow malware to keep itself hidden from human users and antivirus scans; and automation of cybercrime, which allows crooks to multiply their efforts. “Automation allows fraudsters to trade a large number of smaller transactions for fewer, larger transactions,” says the Network World article. “This makes anomaly detection systems less effective while introducing greater requirements to identify, document and reset compromised accounts.”
Two-thirds of Internet Users Have Been Cybercrime Victims
“Cyber security is something that should be taken seriously. No Internet user is safe. If you are online, you may be exposed to different kinds of cyber threats without even realizing it.” So says the Washington Times’ summary of the recently released 2012 Norton Cybercrime Report. It makes sense when you consider the report’s conclusions: over 1.5 million people become cybercrime victims every day; two out of three adult Internet users have been the victims of cybercrime at some point; and global damages due to consumer cybercrime, from 2011 to 2012, totaled US $110 billion.
And things are likely to get worse, says the report, because Internet users are increasingly likely to become ensnared by malware on legitimate and trusted websites. Social network users are being targeted at an ever-greater rate. As of the end of 2012, 1 in 5 adult Internet users had seen their mobile phones or social network accounts used against them.
EU Cybercrime Penalties Counterproductive
The European Union recently proposed new laws that present stiffer penalties for cybercrime, but fail to carve out a clear exception for so-called white hat hackers who, by spotting vulnerabilities in networks and reporting them, prevent an untold number of losses. The oversight, says a Techdirt.com article, did not make as much of a splash as it normally would have because the revelation came at roughly the same time that Edward Snowden’s revelations about NSA surveillance became the top story worldwide. Speaking of leaks, Techdirt says the thinking behind the EU’s flawed approach to cybersecurity—punitive instead of preventative or prescriptive—is revealed in a "group briefing’ document from the EU Parliament team that came up with the latest cybercrime directive,” that Techdirt posted on its site after it was given to one of its reporters.
The article notes that flaws in this early document, which was created a year ago, were not fixed in subsequent iterations and remain in the directive that came out. That turn of events was displeasing to Jan Philipp Albrecht, a German member of the group that put together the directive. "The legislation confirms the trend towards ever stronger criminal sanctions despite evidence, confirmed by Europol and IT security experts, that these sanctions have had no real effect in reducing malicious cyber attacks,” Albrecht told Techdirt. He added that the current focus on harsher penalties—despite the fact that most cybercriminals know they will not get caught—will “leave hardware and software manufacturers wholly responsible for product defects and security threats, with no incentive to invest in safer systems."
U.S. Military Drafts New Cybercrime Response Procedures
The U.S. Department of Defense has come out on the, well, the defensive, with new emergency procedures meant to direct its agencies’ responses to cyberattacks. Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, made the announcement, noting that the first update of the rules in seven years was undertaken because intrusions to the Defense Department’s critical infrastructure have increased dramatically. Along with the revision of operating procedures and changes in the command and control structure for cyberforces, the military will add 4000 cybersecurity experts to its ranks over the next four years. And because the DoD does nothing on the cheap, it plans to devote US $23 billion to shoring up its online defenses. Dempsey added that although the Pentagon has a guidebook for cooperating with the Department of Homeland Security and the FBI to get to the bottom of attacks on civilian networks, protecting private sector networks is a tough challenge because few companies have invested adequately in cybersecurity.
And in Other Cybercrime News…
Cybersecurity startup FatSkunk hopes to halt mobile cybercrime using a technique known as software-based attestation. Instead of scanning each program being downloaded and comparing it to the malware researchers have catalogued, a bit of embedded software installed in a handset during manufacturing would “clear the RAM and scan the memory in a way that requires the device to execute a precisely timed set of instructions,” Mark Grandcolas, FatSkunk’s CEO, told Xconomy.com. “If the computation takes too long, the only explanation is that unauthorized malware is taking up space in the memory. The beauty of the concept is that it uses physics instead of heuristics to detect malware,” Grandcolas said.
Best cyber-understatement of the week: "Obviously the people who configured these print servers skipped firewall 101 class."
Photo: Randy Faris/Corbis