To discuss this subject, we’ll answer the standard questions… [click] We’ll start with when. It’s an easy one. [click] It’s happening right now. And it’s been happening right now since there were enough computers on the internet to make it worthwhile.
The first known botnet was launched in 1996.
As of January, the largest known botnet is composed of nearly 10 million infected computers (zombies).
The vast majority of all major botnets are controlled by organized criminal groups.
Cybercriminals aren’t just nerdy guys hacking away in their moms’ basements anymore. [click] The hacker who is motivated by reputation alone (whether for good deeds or malicious ones) is a dying breed. Hacking for profit: there is lots of money to be made, legally and illegally. [click] Malicious hackers are beginning to form organized groups, and many are very profitable. Traditional organized crime has taken notice and expanded operations.
In short, everyone who has a computer or other device that is connected to the internet is a stakeholder. For the most part, “everyone” can be divided into [click] the bad guys and [click] the good guys.
The bad guys include [click] malicious programmers and hackers, some of whom are in it for the money, some of whom are in it for the fun. When I talk about this group, I’m mostly referring to those who are working mostly independently. They might sell their warez or contract their services, but they don’t consider themselves to be part of any larger community other than perhaps the community of like-minded hackers in general. Hackers who work in or for more coordinated groups I consider to be part of [click] organized crime. This can include online communities of hackers, programmers, bot herders, spammers… It also includes your more traditional types of organized crime that exist in meatspace. Rogue and/or totalitarian governments may also be considered bad guys in this structure. They may deploy spyware and malware against their own citizens for purposes of information gathering and control, or they may utilize other methods to extort money, aid or concessions from other governments.
As far as the “good guys” go, you have [click] the typical user, who wants nothing more than to have a computer free of viruses, spyware, malware, worms, bots… and pretty much problems in general. Usually they’re just the neutral victims in all of this, but they want to do good by their computers, and it’s not like they’re going out and infecting their computers on purpose… I don’t think… Then you have [click] security professionals and law enforcement. Let’s face it: for the most part, actual law enforcement can’t do anything about a DDoS attack or a slew of infected computers unless they know who’s responsible. And even then… well, we’ve talked about that before.
This leaves things up to security professionals to “serve and protect” users and their computers. Finally, you have what I’m calling [click] “us.” It’s a bit of a play on words, as it can mean the United States and its allies’ cybersecurity initiatives, or it can literally mean “us,” the security-aware power users. We’re a little better off than the typical user, and we’re better equipped to protect ourselves and educate our friends and family.
One of the first things we need to do is get on the same page as to who we think the organized criminals I’m talking about are. [click] When most people hear “organized crime,” they think of people like Al Capone, Tony Soprano, the Godfather… When organized crime pops up in pop culture, it’s always about the American gangsters of Prohibition, the Italian mafia, the Russian Mob… That’s not to say that some long-established criminal organizations aren’t involved in cybercrime. [click] Thinking about the Russian Mob isn’t terribly far off when it comes to thinking about organized cybercrime. It’s widely believed that Russian organized crime was significantly involved in cyberwarfare attacks against the Republic of Georgia, Estonia, Lithuania, and possibly Kyrgyzstan. When organized crime turns to violent tactics, [click] they’re typically referred to as terrorist groups. Al Qaeda is particularly noted for its use of the internet for recruiting, organizing and planning. Some analysts believe that it is only a matter of time before Al Qaeda uses the internet as a primary means of attack. [click] Goodwell is the founder of Green Army, a very nationalistic organization of Chinese hackers. It is uncertain whether the organization had any affiliation or acquiescent relationship with the Chinese government, but it is one of the best illustrations of how the lines between organized crime and governments can be blurred, and also a very good example of the new kind of organized criminal group that has spawned from the rise of the internet.
There are a vast number of agencies, groups, organizations and entities that work to prevent, combat and respond to cybercrime. [click] The first ones most people think of are government and military agencies. The ones up here are just a few, and they’re mostly American- and Euro-centric. IMPACT, or the International Multilateral Partnership Against Cyber-Terrorism, is a 26-country coalition founded in 2008 for the purpose of enhancing the global community’s capacity for prevention of, defense from and response to cyberterrorism. The Cooperative Cyber Defence Centre of Excellence is NATO’s cybersecurity organization. The Air Force Cyber Command is a provisional and now rather pared-down cybersecurity force for the US military. Much of the original plans for the command were re-absorbed into the US Strategic Command’s cybersecurity and cyber warfare initiatives. The Department of Homeland Security, the NSA, the FBI and the Department of Justice all have cybercrime or cybersecurity divisions with overlapping responsibilities involving preventing, detecting, researching and responding to various cyber threats.
In addition to government agencies and initiatives proper, there are private and semi-private organizations such as GTISC and the SANS Internet Storm Center that work toward improving security on the internet through research, identification and neutralization of threats.
And of course, there are the users. Users are often the first line of defense when it comes to prevention and response. In home environments, the user and his or her usage habits are the first, last and only line of defense against any sort of threat or attack. In larger networks, where there is an administrator sitting between the user and the things he or she cannot or should not do, there is an additional layer of safeguards, but it still often comes down to the user’s actions or responses.
Now, I’m going to make a bit of an aside here for a moment to talk about some nomenclature. It’s a bit of a pet peeve of mine when someone starts talking about hackers like they’re all criminals. Some people have tried to remedy this by attempting to introduce the word “cracker” into the vernacular to refer to malicious hackers. It never really caught on, and I don’t like using it because it feels a bit contrived. For the most part, when I talk about hackers in this presentation, I am talking about the bad ones. But I want to be clear that I know, you know, and you know that I know that not all hackers are evil. I also realize that the diagram really oversimplifies things, but at the same time, I feel that it helps to explain a lot about what I’m talking about. Moving along…
Now we know the who. The who is everyone. We also already know the when. This is happening right now.
So what kinds of threats are posed by organized cybercriminal groups? Perhaps not surprisingly, a lot of the same threats that were posed by traditional organized crime, just newer, shinier, faster and easier. The internet makes data so easy to find or steal that crimes such as identity theft and financial fraud have become the bread and butter of many criminal organizations. Criminals use the internet to traffic in illicit goods and services such as drugs, child pornography, prostitution, counterfeit goods and stolen goods. It’s faster and makes it harder to trace back to any one entity. Some organized criminal groups on the internet have shown a particular knack for using computers as tools of extortion by stealing access to resources (such as a database or a server) and holding it for ransom.
Other than identity theft, probably the most high-profile of the threats posed by organized crime on the internet is cyberterrorism. Broadly defined, cyberterrorism differs from other types of cybercrime in that its goal is more to cause panic and fear than it is to make a profit. As a result, it is probably the most potentially destructive of all of these threats. Of the greatest concern to most analysts is the possibility that infrastructures such as power, water, communications or finance could be compromised or utterly destroyed given the right tactics. The Russian DDoS attacks on servers in the Republic of Georgia brought down the country’s financial infrastructure for several days. Proof-of-concept demonstrations have illustrated that given the right access and the right commands, an entire power plant could be shut down or even blown up. Cyberterrorism nearly always runs a risk of provoking retaliation and escalation from the attacked. Most retaliation occurs in cyberspace, but occasionally the escalation might move directly to an armed, military response.
Bots are how a lot of the internet’s dirty work gets done. Just like in meatspace, bots are created to do menial, repetitive, or overly time-consuming tasks, though some are created just for fun. Just like in the movies, most bots are evil. But not all bots are bad. The original bots were IRC bots, created to monitor and log activity in internet relay chats and act as an automated moderator. Many IRC bots today are evil cousins of mod-bots, but the good ones still do exist. Spider bots are what make search engines work. They crawl the web (like a spider, get it?) and index websites for search engines so that you can just go to Google, type in a search, and find a whole list of useful things. However, spider bots do also have malicious uses, like crawling for and mining e-mail addresses for spammers. Chatterbots and game bots are two types of bots that are mostly just for fun. An example of a chatterbot would be SmarterChild on AIM. A user can type messages to the bot and it will reply with a response that (hopefully) would make sense in a normal conversation. Some are intended simply for entertainment; others are meant to provide useful information by answering questions posed in natural language such as “What movies are showing at the theater in Atlantic Station?” Game bots are of a more dubious nature, as they are often intended to exploit or beat a system within an online game. For tasks where using a bot doesn’t give the user an unfair advantage, their use is generally tolerated. More blatant exploits of a game’s system, like using a bot to farm gold in World of Warcraft, are generally not OK.
Botnets are the primary means by which cybercriminals carry out the tasks that I identified earlier as threats. Botnets are networks of thousands, and sometimes millions, of computers that are quietly running a bot application, usually without the computer owner’s knowledge. As a side note about botnets, as you may have gathered from the description, botnets have some legitimate uses, such as in distributed computing projects like SETI@home. Whether a botnet is good or bad depends on whether the user intentionally installed the bot and what the bot is doing.
For organized cybercriminal groups, the primary use for botnets is launching DDoS attacks. All of the zombie computers in a botnet are instructed to access a single internet system or service in such a manner that it overloads the capacity of the system. The result is that while the attack is going on, and usually for some time after, the service or system is inaccessible to legitimate users. This tactic has many applications, from creating a mere nuisance, to suppressing speech or a specific activity, to actually causing failure in a system, set of systems or infrastructure. Similar to a DDoS attack is an access number replacement attack, where a bot infects a number of dial-up systems, replaces the access number with the number of a target, and instructs the systems to attempt to connect to the internet. The victim is then bombarded by calls from these computers. This sort of attack is more of a nuisance than anything else, but it can have some dangerous implications depending on the target, and it is notoriously hard to defend against.
Cybercriminals use spyware to gather information for purposes of fraud or gaining unauthorized access to other systems and accounts. Spam and adware, while not exactly a signature of organized crime, are also spread by botnets. Some estimates blame botnets for upwards of 90 percent of all spam. Likewise, click fraud is not typically an activity of organized cybercriminals, but its distant cousin fast flux uses a DNS technique to hide phishing activities and malware delivery behind legitimate, but compromised, hosts. Organized cybercriminal organizations also rely on [click] discussion communities in order to communicate, sell information and sell access. Cybercrime has its own economic underworld that trades in illicit goods and services, data, access, and better botnets. The manufacture and sale of botnets is complex enough to be considered a full-fledged industry.
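Fast flux hides a phishing or malware site behind a pool of compromised hosts by answering DNS lookups with a short TTL and a different, constantly rotating set of addresses. The defender’s signal is the churn itself. The following is an added example, not code from the talk: it scores repeated lookups of a name using a “fluxiness” ratio (distinct addresses seen over time divided by addresses returned per answer) together with the TTL and the number of distinct /16 networks the answers span. The domain names and RFC 5737 addresses in the sample observations are constructed, and the thresholds are assumptions chosen for illustration. The CDN-like entry is included deliberately: a short TTL alone also describes a legitimate content delivery network, so it should not be flagged.

```python
"""Fast-flux indicator scoring over a small set of constructed DNS observations."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: (domain, TTL in seconds, A records returned) for successive
# lookups of the same name. Names and addresses are hypothetical (RFC 5737 ranges).
OBSERVATIONS = [
    ("pharmacy-deals.example", 300, ["198.51.100.14", "203.0.113.77", "192.0.2.201"]),
    ("pharmacy-deals.example", 300, ["198.51.100.90", "203.0.113.8", "192.0.2.33"]),
    ("pharmacy-deals.example", 300, ["203.0.113.150", "198.51.100.201", "192.0.2.99"]),
    ("static-site.example", 86400, ["192.0.2.10"]),
    ("static-site.example", 86400, ["192.0.2.10"]),
    ("static-site.example", 86400, ["192.0.2.10"]),
    ("cdn-hosted.example", 60, ["192.0.2.50", "192.0.2.51"]),   # short TTL, but one network
    ("cdn-hosted.example", 60, ["192.0.2.52", "192.0.2.50"]),
    ("cdn-hosted.example", 60, ["192.0.2.51", "192.0.2.52"]),
]

# Assumed thresholds: TTL at or below ten minutes, at least twice as many distinct
# addresses as a single answer carries, and answers spread over three or more /16s.
MAX_TTL = 600
MIN_FLUXINESS = 2.0
MIN_NETWORKS = 3


def summarize(observations):
    """Aggregate per-domain metrics across all lookups of that domain."""
    lookups = defaultdict(int)
    answers = defaultdict(int)
    unique_ips = defaultdict(set)
    networks = defaultdict(set)
    min_ttl = {}
    for domain, ttl, records in observations:
        lookups[domain] += 1
        answers[domain] += len(records)
        unique_ips[domain].update(records)
        for ip in records:
            # Collapse each address to its /16 so hosts on one provider count once.
            networks[domain].add(ip_network(f"{ip}/16", strict=False))
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))

    metrics = {}
    for domain in lookups:
        avg_per_answer = answers[domain] / lookups[domain]
        metrics[domain] = {
            "ttl": min_ttl[domain],
            "unique_ips": len(unique_ips[domain]),
            "networks": len(networks[domain]),
            # Fluxiness: how many distinct addresses accumulate relative to one answer.
            "fluxiness": len(unique_ips[domain]) / avg_per_answer,
        }
    return metrics


def is_fast_flux(m):
    """All three indicators must agree; a short TTL by itself is not enough."""
    return (m["ttl"] <= MAX_TTL
            and m["fluxiness"] >= MIN_FLUXINESS
            and m["networks"] >= MIN_NETWORKS)


def flagged_domains(observations):
    """Return the domains whose lookup history matches the fast-flux pattern."""
    return sorted(d for d, m in summarize(observations).items() if is_fast_flux(m))


if __name__ == "__main__":
    for domain, m in summarize(OBSERVATIONS).items():
        print(f"{domain:24} ttl={m['ttl']:>6} ips={m['unique_ips']} "
              f"nets={m['networks']} fluxiness={m['fluxiness']:.1f} "
              f"{'FAST FLUX' if is_fast_flux(m) else 'ok'}")
```

In practice the observations would come from passive DNS or from re-resolving suspicious names over several TTL intervals; the scoring logic does not change. The network-diversity check is what separates a fast-flux pool of compromised home machines, scattered across many providers, from a CDN rotating addresses within its own prefixes.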
Now we’ve established that what we’re talking about here is a robot takeover of sorts. Everyone is affected, and it’s happening right now.
Even though we’ve already briefly touched on all of these things, I’m going to talk a little more in detail about why computer crime seems to be the activity of choice for organized crime these days. At no time in the past was it so quick and easy to get money, move money, hide money and launder money. And despite all of the security measures that are supposedly in place in the banking system, as long as criminals work within the bounds of non-detection, their activities are practically invisible. Cybercrime is generally a low-risk, high-reward venture. Fraud and identity theft in particular have a very high return on investment with little risk posed in obtaining the data. The market for stolen credit card numbers is booming, and depending on where one falls on the supply chain and how the numbers are initially obtained, the payout usually settles at around $20 per card in the U.S. and anywhere between a nickel and $5 per card in the former Soviet states, depending on the completeness of the information. Another advantage computer crime has is that it doesn’t matter whether the members of a criminal organization live in the same city or on opposite sides of the world. While most traditional crime organizations have remained “local” while branching out operations to the internet, criminal organizations that were born into the internet and cybercrime are more geographically dispersed.
Many of the reasons that computer crime is attractive are also the reasons why it is a problem. It’s quick, cheap and easy to steal information, move money, or launch a DDoS attack. However, it’s time-consuming, expensive and difficult to effectively combat these crimes. The borderless nature of organized cybercrime and the decentralized nature of their attacks make it difficult to trace back to a specific source, making any kind of legal remedy to the problem nearly impossible to determine.
Now we know why organized crime has taken up residence on the internet. Computer crimes are generally cheap and effective. The robots might still be in league with the bad guys, but they’re taking over. Everyone is affected. And it’s happening right now.
So where do all of these criminal organizations have their secret, evil lair? [click] Yeah, another one of those catch-all, cop-out answers. But because of the decentralized, post-geographic nature of internet-based organized cybercrime, hackers with ties to organized crime really are everywhere. However, most of them are still concentrated in certain areas. [click] Pretty much anywhere with a depressed economy or a government in transition is going to be a hotbed for organized crime in general. Organized cybercrime is particularly prevalent in Eastern Europe, though it is gaining significant traction in parts of Africa. Oppressive and repressive regimes such as those in China, North Korea and Iran tend to spawn more nationalistic cybercriminal organizations that often border on cyberterrorism and espionage in their activities. Non-geographic organized criminal groups tend to reside in dark corners of the internet that can’t be located by a simple search. To find them, you generally have to have really good sleuthing skills, get really lucky, or have someone tell you where to find the communities.
Any number of things can spawn organized criminal activity on the internet. For traditional organized crime, expansion into internet-based activities was a business decision. Some organized criminal activity arises as a result of political unrest, inter- or intra-nation conflict, or extreme nationalism. As is the case in many Eastern European and African nations, involvement with organized crime rises in the absence of better, more legitimate economic opportunities. And while greed plays at least some part in all of this, it occasionally takes a leading role.
Now we know that organized computer crime can happen anywhere, but civil and economic unrest really catalyze it. These groups have taken to cybercrime because it’s cheap and effective, but they’re inadvertently building Skynet. This affects everyone, and it’s happening right now.
The people who program bots rarely ever control botnets. Bot programmers may write a bot and sell the code to someone who will see to its distribution and the creation of a botnet. Some bot programmers will distribute the code themselves and sell a seedling botnet to a bot herder. Bot herders are generally non-technical, entrepreneurial individuals who will rent access to a botnet they control. The majority of bot herders have ties to organized crime. Access to a botnet is surprisingly inexpensive, considering the impact one can cause. One bot herder quoted a cost of five cents per bot, which works out to $500 for an attack using 10,000 bots, which is enough for a fairly effective DDoS attack or a substantial volley of spam.
Between the nearly pure profit of renting out botnets, the fringe benefits of having them around to use, and the fairly stable market for credit card information and personal data, major criminal organizations operating on the internet have no trouble paying the bills. Minor organizations, which are primarily internet-based, have little overhead.
But what seems to be the biggest boon for cybercriminals is the complacency of most governments and individuals with regard to their actions. If more people were aware of the scale and scope of the threats some of these organizations pose and of what they’ve already done, there would be outrage over why nothing has been done. To that end, though, governments are complacent mostly because, well, what can they do? They’re aware of the threats; they’re aware of the incidents, but their protections are perpetually a few steps behind the hackers, and there just isn’t the international cooperation necessary to have many effective legal solutions. So when incidents occur that would warrant a response had something comparable happened in meatspace, governments often just shrug their shoulders and say, “there’s nothing we can do.”
Vigilance: don’t click on sketchy things. Install anti-virus. Install a firewall. Scan for malware regularly.
Honeypots: lure the hackers and the bots in, then study them.
Proactive response: use forensic information from attacks on other systems to try to find the bad guys before they find you.
The most common way of dealing with a DDoS attack is to take all of the traffic and route it into a black hole. That is to say, route it to someplace that doesn’t exist. This is sort of the equivalent of trying to kill a fly with a sledgehammer: while it protects the rest of a network or a service, the end result is that the target still winds up being taken offline until the attack ends. A slightly more targeted approach is to trace the traffic back to the botnet server, the place where the commands operating the botnets are coming from, and block it. This would work better if it weren’t so hard to actually trace the traffic back to the botnet server. Most traces wind up at dead ends or decoys. In the worst case, you could trace the botnet to someone who has absolutely nothing to do with it. If you just block them, that might disrupt service quality for the user or users for a while, but blocking is relatively harmless. If you decide to escalate, however, you’d better be really sure you’ve got the right guy.
In any case, the next step, cleaning and patching, is just kind of common sense. If you discover that your computer is a zombie, then you take steps to clean off the offending malware and bot applications. Whether you’ve just de-zombified your machine or defended it against an attack, you still want to scan for threats and patch and make sure everything is up to date. This won’t protect against a DDoS attack in the future, but it’s a reasonable precaution in case anything was illicitly installed.
Once you’ve mostly recovered from an incident, the question becomes whether or not to escalate. It’s a delicate balance, and sometimes even recovering and putting yourself back online with better protections is viewed as escalation and an invitation to the attacker to try harder. This is what happened to a website called Blue Security. [talk about Sixapart, changing hosts and eventually shutting down]
Launching counter-attacks is a controversial tactic. You have to make sure that you got the right guy, and if you’re about as successful as your attacker was, he’ll be back, bigger and stronger, in a few days. Active escalation is always riskier for the “good guys,” as researchers have found that the security sector is perpetually 2 or 3 generations behind the kinds of technology the bad guys are using. Internet warfare is their game, and they have all of the good cards.
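The two responses described above, the destination black hole that takes the victim offline along with the attack and the more targeted per-source block, can both be expressed as null routes; the difference is what gets null-routed. The following is an added example, not code from the talk, covering the DDoS mechanics from the botnet section (many sources hammering one service) and the black-hole/block/“make sure you’ve got the right guy” discussion here. It parses constructed web-server access-log lines, counts requests per source in fixed ten-second windows, flags sources over a threshold, and emits Linux `ip route add blackhole` statements for them. A constructed allowlist stands in for the caveat in the talk: one high-rate source is a legitimate uptime probe, and blocking it would be exactly the collateral damage the text warns about. All addresses are RFC 5737 documentation ranges and the threshold and window size are assumptions.

```python
"""Rate-based flood detection over constructed access-log lines, producing
null-route statements for offending sources while honouring an allowlist."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Enough of an Apache/nginx "combined" log line to recover source IP and timestamp.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed detection parameters: more than 20 requests from one source in 10 s.
THRESHOLD = 20
WINDOW_SECONDS = 10

# Constructed allowlist: a monitoring probe that legitimately polls at a high rate.
KNOWN_GOOD = {"192.0.2.200"}


def _build_sample_log():
    """Constructed sample: three hypothetical zombies hammering /, two ordinary
    visitors, and one high-rate but legitimate uptime probe."""
    start = datetime(2009, 10, 22, 14, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, offset_s, path="/"):
        ts = (start + timedelta(seconds=offset_s)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512')

    for ip in ("198.51.100.7", "198.51.100.23", "203.0.113.41"):  # zombies
        for i in range(60):
            add(ip, i / 6)            # 60 requests inside ten seconds
    for ip in ("192.0.2.10", "192.0.2.11"):                        # ordinary visitors
        for i in range(3):
            add(ip, i * 3, "/about.html")
    for i in range(40):                                            # uptime probe
        add("192.0.2.200", i / 4, "/healthz")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Return (source_ip, timestamp) for a recognised log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def flood_sources(lines, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Source IPs that exceed `threshold` requests in any fixed time window."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        bucket = int(ts.timestamp()) // window_seconds
        counts[(ip, bucket)] += 1
    return sorted({ip for (ip, _), n in counts.items() if n > threshold})


def victim_blackhole(victim_ip):
    """Sledgehammer: null-route the victim address itself (iproute2 syntax).
    Upstream routers drop everything for it, attack and legitimate traffic alike."""
    return f"ip route add blackhole {victim_ip}/32"


def source_blocks(lines, allowlist=KNOWN_GOOD):
    """Targeted response: one null route per flooding source, skipping sources
    on the allowlist so a legitimate high-rate peer is not cut off by mistake.
    Returns (routes_to_apply, flagged_but_skipped)."""
    flagged = flood_sources(lines)
    routes = [f"ip route add blackhole {ip}/32" for ip in flagged if ip not in allowlist]
    skipped = [ip for ip in flagged if ip in allowlist]
    return routes, skipped


if __name__ == "__main__":
    print("# victim-side black hole (takes the target offline too):")
    print(victim_blackhole("192.0.2.1"))            # constructed victim address
    routes, skipped = source_blocks(SAMPLE_LOG)
    print("# per-source blocks:")
    for r in routes:
        print(r)
    print(f"# flagged but allowlisted, review by hand: {skipped}")
```

The block only recommends routes; applying them needs root and, for a real flood, belongs upstream of the saturated link rather than on the victim host. The skipped list is the point of the caveat: a source that trips the rate threshold is a candidate, not a verdict, and the talk’s advice about being sure you have the right guy applies before any route is installed.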
So now we’ve mostly answered the questions we set out to answer. Everyone is affected by the robot takeover that was brought about because botnet use is cheap and effective. It’s happening now, and if we knew exactly how the latest technologies and tactics worked, none of us would be here, looking to figure it out.
Questions? Comments? Here’s a little editorial cartoon that I feel is pretty relevant to this talk that you can look at instead of giving me a blank stare.
Evil Geniuses: How organized cybercriminals could take over the world
Evil Geniuses
How organized cybercriminals could take over the world
Hillary Lipko, 1st-year MSPP
CS 6725 – Information Security Policies and Practices
22 October 2009

What’s going on? Who are these guys?
The profile of the “typical” cybercriminal has changed.
The motivation behind criminal activity on the internet has changed.
Malicious hackers are getting organized and “The Mob” wants in.

Who are the stakeholders?
Everyone.
The “bad guys”
Malicious programmers/hackers
Organized crime
Rogue governments
The “good guys”
Typical users
Security professionals/law enforcement
“Us”

What are the threats?
Identity theft
Fraud
Trafficking
Extortion
Cyberterrorism
Compromised infrastructures
Warfare

So about those bots…
(a.k.a. “internet bots” or “web robots”)
Software applications that run automated tasks over the internet
Not all bots are bad
Spiders
IRC bots
Chatterbots
Game bots

What are the means?
Botnets
DDoS, access number replacement
Spyware
Spam, adware
Click fraud, fast flux
Discussion communities
Communication
Marketplace

How does organized cybercrime work?
Malware and botnet marketplace
Financing
Complacency

How do we protect against these threats?
User vigilance
Honeypots
Proactive threat response

How can we respond to incidents?
Black holes
Tracing
Blocking
Clean & patch
Escalation?
Questions to answer
Who? Everyone
What? Robot takeover
When? Now!
Where? Everywhere
Why? Cheap + effective
How? If we knew, we wouldn’t be here
LOLcats
Listen to the bunny