Future trends in Cybercrime & Countermeasures

From CyberSecurity
Revision as of 08:01, 4 December 2005 by Fleizach (talk | contribs)


The Future of Cybercrime

I. Introduction

During an eight-day period in August of 2003, three separate worms cost the U.S. economy close to two billion dollars in lost production. Later that summer, the east coast of the United States experienced a massive blackout that might have been exacerbated by a worm called Blaster.i Robert Cringley believed that same year that “the cost to society of identity theft is in the range of $4-5 billion per year and may be even higher.”ii With the convergence of organized crime and technically savvy cybercriminals, the growing fear of cyberterrorism, major software vendors' failure to understand security and the slow-footedness of the government, the future seems to point to an Internet that is not only vulnerable to major attacks, but also infested with scams, thieves, and ever increasing opportunities for exploitation. Although trends within the field of technology are inherently difficult to predict, some eventualities seem certain, such as the growth of extortion and fraud through the Internet. These difficulties will of course produce new responses that better protect customers and force criminals into new realms. Although it is a hackneyed saying, the Internet is still in its Wild West stage. It is important to remember, though, that the Wild West turned into suburbia and ranches once successful methods were found to control, police and make life extremely difficult for those choosing to exploit the populace. An examination of some of the potentialities will help to illustrate how the Internet and cybercrime can be envisioned, at least in the near-term future.

II. Future Trends in Cybercrime

The pace at which cybercrime is growing is one of the most disturbing trends. Valerie McNiven, a U.S. Treasury Advisor, has proclaimed “Last year was the first year that proceeds from cybercrime were greater than proceeds from the sale of illegal drugs, and that was, I believe, over $105 billion." She further added that "cybercrime is moving at such a high speed that law enforcement cannot catch up with it.”iii It seems clear that the issue will only become worse in the next few years, now that professionals have realized the potential windfalls if exploited properly.

Recently, there has been significant discussion over the amalgamation of organized criminals and cybercrime. Such a pairing indeed forebodes an ill omen for the near term future. With most of the criminal groups operating out of eastern Europe, Russia and Asia, where laws and enforcement are scanty, there seems little hope in containing and neutralizing the threat through traditional means. Phil Williams, a visiting scientist at CERT, summarized the issue succinctly. “The Internet provides both channels and targets for crime and enables them to be exploited for considerable gain with a very low level of risk. For organized crime it is difficult to ask for more.”iv

The expected result is an increase in sophisticated phishing attacks and other means of identity theft, some of them two-pronged: for example, using call centers to notify “customers” ahead of time of some issue, and then following up with emails that request personal information. The aggregation of personal information in many third-party data centers will make them valuable targets to infiltrate. It is not hard to imagine criminals using data mining techniques to find the most gullible consumers, or tailoring phishing emails to specific people based on their medical, financial or personal history. Identity theft will also move in more automated directions. For example, botnets will become vehicles not just for denial of service attacks and spam, but also giant search platforms for finding personal information, such as credit card and social security numbers. Controllers of the botnets will then receive payment to run queries on their “database.”

With professional criminals managing the money laundering and organization of such schemes, the question arises of where the technical know-how needed to perform cybercrime will come from. Unfortunately, there are growing numbers of intelligent black-hats with university degrees spread around the globe, many of them operating in countries where legal employment does not pay as well and the chances of being caught are slim. More troublesome is that it has become easier than ever before to be a hacker capable of inflicting great harm on networks and committing cybercrime. The Internet has created a repository of knowledge where anyone is able to learn the fundamentals of subverting computer systems, with numerous tutorials available that spell out in nearly layman's terms how to perform a buffer overflow or a man-in-the-middle attack. Interestingly, the greatest problem is not those who will take the time to learn and find new exploits. That group will probably remain a small, highly intelligent network of researchers and security groups focused solely on finding holes in software, because even for someone motivated to learn how exploits work, finding a new one takes a degree of investigation, skill and diligence that most are not willing to invest. The real threat comes from the profound ease with which anyone can run a program like Metasploit, a framework for running exploits against targets that allows new modules to be imported and run automatically. The attacker literally needs to know nothing about how computers work, besides how to operate one. In fact, for almost all attacks, the hard work is done by a small group of people and then released into the public domain, allowing almost anyone to just run the attack. Botnets are no longer hand-crafted software made by one group that truly understood the fundamentals, but are instead open-source collaborative efforts that aim to make it as easy as possible to control remote computers, such as BotNET, eggheads and CSharpBot, all available from SourceForge.

Thus, the barrier to entry is so low that almost anyone can experiment and join the swelling ranks of cybercriminals. With the learning curve so shallow, there should be discussion of the need for a new paradigm of thought in how to preempt and deal with criminals, one no longer tied to traditional methods. For someone to break into a house, for example, not only do they need to plan the opportune moment, but they may also have to know lock picking and security system evasion and possess a degree of gumption to overcome moral thresholds. By contrast, cybercrime is easy out of all proportion to the gains it yields, and these trends show signs of accelerating.

Beyond the “who” and the “why” of future cyberattacks, the “how” will also change as operating systems become more secure and harder to exploit. With the damage that comes with each new security hole released, Microsoft, Apple and open source vendors have finally begun to focus seriously on security. Of course that hasn't stemmed the flow of vulnerabilities discovered, but techniques such as address space randomization to stop buffer overflows, advanced and automatic code reviews and more training will reduce the ability to compromise a machine through operating system protocols over time. The real danger in the future lies with user applications, which are created by individuals or small groups without the knowledge or training required to implement security correctly. Especially dangerous are web applications that can be installed on web servers. The traditional problem with these types of security vulnerabilities was finding susceptible hosts. But with Google, a program can automatically search for sites with a specific version of a program installed and then launch an attack. If remote code can be executed, the program may not be able to take over the whole system, but it can run programs as the user, which may be enough to install bots and replicate automatically. The first instance of such an attack occurred in December of 2004 with the Santy worm, which attacked a popular bulletin board system by searching through Google to find hosts with a specific vulnerable file.v Such attacks aim their weapons at the least secure and least vetted software created. Although the installed base of such systems may be small, with “Google Hacking” they can still be quickly located and exploited.

Another avenue of attack that will open up will be through embedded systems, such as cell phones, mobile devices and other electronics that may connect to the Internet for the most mundane of purposes. Software is usually recreated for each iteration of a device as it is specifically designed for the hardware. This allows for security problems to creep back in over time that may have been eliminated before. As these devices start to allow consumers to make purchases, while storing valuable information, they will become more attractive for criminals. The incentives now to do so are low, so security researchers have only seen “proof-of-concept” viruses, like the one that infected cellphones running a version of the Symbian OS that could spread automatically.vi It appears organized crime has not moved into this area due to the lack of research and understanding of how such attacks can be made profitable, but as with the Internet itself, it took time to exploit successfully.

In the same vein, eventually automobiles, home electronics, refrigerators and almost all devices can and will use the Internet in order to perform maintenance, download upgrades or monitor performance. These will present opportunities for maliciousness and blackmail that have no equivalent in the purely virtual environment of the Internet. If someone enters their car and finds it controlled by a foreign agent who demands a wire transfer or else the car will be crashed at high speed, a situation arises that people will no longer accept. Whether such a scenario will occur is debatable, but the possibility will certainly exist.

III. Mitigating Cybercrime

Although it is inevitable that cybercrime will increase and continue to explore new vectors for undermining privacy, authentication and law enforcement, there will also be valid and useful attempts at mitigating the abilities of criminals, as well as the effects of cybercrime. These solutions will take the form of better software, anti-spyware and anti-virus software integrated into operating systems and more user education regarding phishing and identity theft. These solutions will come primarily from software vendors themselves. On the other side, legislators will work with banks to reduce and prevent fraud, putting some of the liability with those most able to prevent it. Finally, advanced solutions coming out of research and academia will try to curb the inherently anonymous and insecure nature of the Internet.

With Microsoft's upcoming release of Vista, the latest version of their operating system, they'll have a new chance to focus on not only improving the general security of the system through fundamental changes, but also in providing methods for eliminating common problems, such as botnets, spyware and phishing attacks. In October of 2005, Microsoft began working together with the FTC to educate customers about botnets and the danger of allowing a computer to turn into a zombie.vii To deal with the problem of phishing, Microsoft released a program in July of 2005 called the “Microsoft Phishing Filter,” which aims to invalidate the ability of phishers to reach Microsoft customers by dynamically notifying them when there is a high chance that what is being viewed is a phishing attack.viii Finally, Microsoft released their “AntiSpyware” program in January of 2005, to be included with Vista as well, that automatically scans your computer for programs that match spyware signatures or that try to perform suspicious actions, like modifying system functionality or trying to run upon computer start up.

If cybercrime continues to grow to epidemic proportions, as all indications seem to point to, legislation will invariably step in, but more importantly, those with the most to lose will become more involved. This includes credit card companies, banks, lending operations and other organizations dealing with monetary transactions. Paypal.com has quickly come to dominate the online payment industry, while also serving as a bank in many capacities. With only an email address and a password required to send money, this low hanging fruit has been one of the most heavily exploited realms for phishing attacks. In response, Paypal has offered at least a thousand dollars of purchase protection and a supposed one hundred percent protection against unauthorized payments sent from an account. A fraud investigation team responds to queries and according to their website, they have software that automatically monitors every transaction for inconsistencies.

This last measure used by Paypal has also become fertile ground for credit card companies, as their systems have become powerful at identifying fraudulent purchases through the use of neural networks, a type of software emerging out of the field of artificial intelligence. In some cases, this software has been able to reduce fraud by thirty percent or more.ix It's important to remember that these systems are not perfect solutions, but they do address a large portion of illegal activity. Combined with other efforts, the goal is to reduce the effect of fraud while making it more difficult to achieve.

Legislation will attempt to do its part as well, even though it has moved notoriously slowly when dealing with cyberthreats. The past few years have seen laws specifically crafted for spam and for attacks that threaten the integrity of the infrastructure of the Internet. If the botnet problem continues to grow, coupled with identity theft, surely more action will be taken. It is still unclear, though, how effective it will be without a significant contribution to cyberforensic development and funding for the various governmental enforcement agencies responsible for handling cybercrime matters. Another issue discussed in the Legal Policies section is the need for more international cooperation in locating, extraditing and prosecuting foreign criminals when possible, as the current system leaves much to be desired.

Finally, as with any dangerous and difficult problem, there will be new and inventive ways to handle security issues coming out of research. One contribution that has limited, but not eliminated, many commonly exploited security flaws is the use of randomization in the handling of code, data and other programmatic necessities. By introducing a factor of unpredictability, it makes the work of a hacker much more difficult and prone to error, limiting those who do not possess the skill to effect a novel attack. Other interesting proposals have included traceback systems that can remove the anonymity of data traveling through the Internet,x devising a system for fast and accurate discovery of the source of even one packet of data. Detecting worms and stopping distributed denial of service attacks have also been proposed as tasks that can be automated and integrated into the backbone of the Internet, its high speed routers. By analyzing similar patterns coming from separate locations, such detectors can recognize an attack while it is in its infancy and isolate infected hosts.xi

There is also still room for ISPs to actively monitor and discourage botnets, spam and DDoS attacks. As the first link in the chain for many zombie hosts, as well as attackers, they are in a prime position for stopping spam, either by blocking outgoing mail, which most users have no need for, or by identifying when one host is sending out a large amount of data that does not match expected behavior. Additionally, if they noticed that a number of hosts were acting in concert with regard to the data being disseminated from those machines, they could reasonably assume that those hosts are being controlled remotely. Consequently, the ISPs can examine logs to find who is sending the commands and initiate a complaint with the F.B.I. The problem holding back this kind of proactive approach has not been technical in nature, but rather legal, as it can be considered an invasion of privacy. Furthermore, such methods are being used to track down minor copyright violations, instead of focusing on more substantial problems, such as cybercrime and identity theft.
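The two ISP-side checks just described (one host sending far more mail than expected, and several hosts acting in concert toward the same destination) as an added Python example that is not part of the original page; the flow-record layout, the sample records and the thresholds are constructed assumptions.

```python
"""Added example (not from the original page): toy ISP-side detection over
NetFlow-style records. Flags (a) hosts whose outbound SMTP (port 25) volume
far exceeds a per-host baseline and (b) groups of hosts that all contact the
same remote destination within a short window, the "acting in concert" signal
that points at a likely command channel worth examining in the logs."""
from collections import defaultdict

# Constructed sample flow records: (timestamp_s, src_host, dst_ip, dst_port, bytes)
FLOWS = [
    (100, "10.0.0.5", "198.51.100.7", 6667, 300),     # three hosts check in to
    (101, "10.0.0.9", "198.51.100.7", 6667, 280),     # the same remote host
    (102, "10.0.0.12", "198.51.100.7", 6667, 310),    # within seconds
    (103, "10.0.0.5", "203.0.113.20", 25, 52000),     # 10.0.0.5 then sends bulk mail
    (104, "10.0.0.5", "203.0.113.21", 25, 51000),
    (105, "10.0.0.9", "203.0.113.22", 25, 49000),     # just under the threshold
    (150, "10.0.0.40", "192.0.2.10", 443, 2000),      # ordinary web traffic:
    (160, "10.0.0.41", "192.0.2.10", 443, 1500),      # only two hosts, not flagged
    (900, "10.0.0.42", "198.51.100.7", 6667, 290),    # same destination, but too late
]


def smtp_heavy_hosts(flows, baseline_bytes=5000, factor=10):
    """Hosts whose total outbound port-25 bytes exceed factor * baseline (assumed
    baseline: what a typical residential host sends in the observed period)."""
    totals = defaultdict(int)
    for _ts, src, _dst, port, nbytes in flows:
        if port == 25:
            totals[src] += nbytes
    return sorted(h for h, b in totals.items() if b > baseline_bytes * factor)


def hosts_in_concert(flows, window=60, min_hosts=3):
    """Return {(dst_ip, dst_port): sorted source hosts} for every destination that
    at least min_hosts distinct local hosts contacted within `window` seconds."""
    by_dst = defaultdict(list)
    for ts, src, dst, port, _b in flows:
        by_dst[(dst, port)].append((ts, src))
    flagged = {}
    for key, events in by_dst.items():
        events.sort()
        for i, (t0, _src) in enumerate(events):
            hosts = {s for t, s in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[key] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    print("SMTP-heavy hosts:", smtp_heavy_hosts(FLOWS))
    print("Hosts acting in concert:", hosts_in_concert(FLOWS))
```

Both checks rely only on flow metadata (who talked to whom, when, how much), which is the kind of data an ISP already retains; the privacy objection the paragraph raises applies to how that data is used, not to the technique itself.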

IV. Conclusion

The future of the Internet is still up for grabs between criminals and normal users. Fears of a cyberapocalypse still abound, while the potential extent of damage that can be caused by wide-scale fraud is nearly unbounded. These anxieties should be rationally tempered with the knowledge that the problems are being addressed, although perhaps not fast enough. The usefulness of the Internet has proved itself in numerous ways that will hopefully be enough to ensure it does not become a wasteland of criminal activity and a bastion for the malicious. The government still has an important role to play, but most of the prevention needs to be done by commercial entities producing software and those with the ability to stop fraud. Relying on consumer education programs will only reach a percentage of possible victims. The others need to be protected automatically, through measures that do not burden them or require considerable participation. Security needs to be easy and effective if it is to work. Whether cybercrime is still a pertinent issue ten years from now is unknowable in a sense, but if the Internet is to continue to grow, the problem must be solved so that the realities of cybercrime become proportional to real-world crime, if not better.