I picked up the ever-ubiquitous USA Today sitting in front of my hotel room door this morning and noticed an interesting article by Jon Swartz and Byron Acohido on cybercrime markets. (Full disclosure: I’ve served as a source for Jon in the past on other security articles.) Stiennon over at Threat Chaos is also writing on it, as are a few others. About 2-3 years ago I started talking about the transition from experimentation to true cybercrime. It’s just one of those unfortunate natural evolutions: bad guys follow the money, then it takes them a little time to refine their techniques and understand new technologies. I can guarantee that before banks started buying safes and storing cash in them, the only safecrackers were bored, pimply-faced 13 year old boys trying to impress girls. Or the guys who make the safes and spend all their time breaking the other guy’s stuff. Trust me, I have a history degree.
We all know financial cybercrime is growing and increasingly organized. Unlike most of the FUD out there, the USA Today article discusses specific examples of operating criminal enterprises. Calling themselves “carders” or “credit card resellers,” these organizations run the equivalent of an eBay for bad guys, a marketplace where stolen card data is bought and sold. And this is only one of the different kinds of criminal operations running on the web.
We, as an industry, need to start dealing with these threats more proactively. We can’t win if all we do is play defense. I used to teach martial arts, and we’d sometimes run an exercise with our students where they’d pair off for sparring, but one person was only allowed to defend. No attacks, no counterattacks, blocking only. The only way you can win is if the other guy gets so tired he passes out. Not the best strategy.
This is essentially how we treat security today. As businesses, government, and individuals we pile on layers and layers of defenses but we’re the ones who eventually collapse. We have to get it right every time. The bad guys only have to get it right once.
Now I’m not advocating “active defenses” that take down bad guys when they attack. That’s vigilantism, and it isn’t the kind of thing regular citizens or businesses should be getting into. Something like a tar pit, which just slows an attacker’s connections down without touching his systems, might not be bad, but counterattacking is more than a little risky. The attack is very likely coming through a compromised intermediary, and we might be knocking grandma’s computer offline by mistake.
One of the best tools we have today is intelligence. We in the private sector can pass on all sorts of information to those in law enforcement and intelligence who can take more direct action. Sure, we provide some intelligence today, but we’re poorly organized with few established relationships. The New York Electronic Crimes Task Force is a great example of how this can work. One of the problems those of us on the private side often have with official channels is that those channels are a black hole: we never know if they’re doing anything with the info we pass on. If we think they’re ignoring us we might try to take down a site ourselves, not knowing we’re compromising an investigation in the process. Basically, none of this works if we don’t develop good, trusted relationships between governments and the private sector.
When it comes to intelligence gathering, we in the security community can also play a more active role, like those guys on Dateline tracking pedophiles and working directly with police to build cases and get the sickos off the street. Those of you on the vulnerability research side are especially suited for this kind of work: you have the skills and technical knowledge to dig deep into these organizations and sites, identify the channels they use, and provide the information needed to shut them down.
We just can’t win if all we do is block. While we’re always somewhat handcuffed by staying within the law, we can do a heck of a lot more than we do today. It’s time to get active.
But I want to know what you think…
2 Replies to “Cybercrime- You Can’t Win Only With Defense”
Another example of law enforcement and private sector working together to combat cybercrime is the High Technology Crime Investigator’s Association (HTCIA). HTCIA is celebrating its 20th anniversary of being a non-profit professional organization devoted to the prevention, investigation, and prosecution of high tech crime. We have over 3,000 members throughout the world.
We come together on a regular basis through local chapter meetings and our listserv. Once a year we also have a three-day annual training conference where major networking takes place and we receive quality training through lectures and hands-on computer labs. Additionally, the biggest and best vendors will be there to demonstrate their newest products.
This year’s conference is being held in Cleveland, Ohio, October 30, 2006 through November 1, 2006. Attendees are registering from all over the world for this important training event and space is filling up.
This year we have Keynote/Lunch Speakers from MySpace, U.S. Dept of Justice, and the Brazilian Forensic Computer Crime Unit. We also have numerous lectures and labs during the conference (five rooms devoted to breakout sessions and seven rooms devoted to hands on computer labs). Here is just a sample of the topics and classes:
Artifacts of Deletion Utilities
Cell Phone Forensics
Network Crime and Network Intrusions
Internet Browser Forensics
Linux/SMART Enterprise forensics
ProDiscover Basic
AccessData FTK 2.0 Technology
Encase Tools
Investigating the Usenet: Tips and Tricks
Mac Forensics
Google as an Investigative tool
Forensics on “Live” Running Networks and Systems
Wireless hacking and Cell Phone Forensics
Inside the Illegal World of WAREZ
Tool Shootout for Cell Phone Forensics
AOL Forensics
Detecting and Collecting Whole Disk Encryption Media
Access Protected Registry Forensics
Ultimate Boot Disk CD for Windows
Investigating Wireless Devices
Steganography Investigations
The Handheld – The next hacker workstation
Tripping over Borders in Cyberspace – Legal Issues
Introduction to Malicious Software Analysis (Windows)
AccessData Rainbow Tables
Guide For Handling Cyber-Terrorism And Information Warfare
Advanced Unicode and Code Page Keyword Searching
Mobile IP, Secure Portable Metro Networks
Digital Crime Scene Forensics
Cyber Laundering: Informal Value Transfer Systems
Electronic Operations Traceability: A Challenge for IT Managers
Dissecting The Stream, IP forensics
Cell/Mobile Phones: The Good, the Bad, the GSM
Volatile Data collection from Running Windows Machines
Bypassing the Best Laid Plans: How They Steal Proprietary Information
Fuzzy Hashing: Matching Similar Documents
Proactive Forensics: The Data Before it Goes Bad
Advanced Unicode and Code Page Keyword Searching
Instant Message Forensics
Detecting and Extracting Steganography
Using BackTrack to Compromise a Network
CyberCrime in Brazil
Anti-forensics
Using Google Desktop in Forensic Investigation
Handheld Forensics: Cell Phones, PDAs, and Hybrids
Google Hello, AccessData Password Cracking
The Turtle Tool: Peer-to-Peer Investigations
Maresware Tools
Legal Discovery and Redaction Issues
Benefits and Risks of Undercover Internet Investigations
Moving from LE into the private sector
Legal Issues in Civil Trials
Network Forensics in the Digital World
Benefits and Risks of Undercover Internet Investigations
Proactive Online Investigation
Artifacts of Deletion Utilities
Malicious Software and Steganography Investigations
TCP/IP Protocol Analysis
Hacking with iPods and Forensic Analyst
Victims of Internet Crimes
Dissecting The Stream, IP forensics
This is an important training event for those serious about learning how to combat cybercrime (both law enforcement and private sector folks). The cost is very reasonable too. See http://ohiohtcia.org/conf_main.html for more details.
Respectfully,
Art Bowker
HTCIA International Secretary
Conference Chairperson
Today I found a very nice article at securosis.com (which is a really great site, btw), Cybercrime- You Can’t Win Only With Defense. From the article there: We just can’t win if all we do is block. While we’re always somewhat handcuffed by playing legal, we can do a heck of a lot more than we do today. It’s time to get active.