Cyberbad: Where Spam is leading to. Phillip Hallam-Baker, hallam@dotcrimemanifesto.com


Cyberbad: Where Spam is leading to

Phillip Hallam-Baker, hallam@dotcrimemanifesto.com

Spam is Criminal Infrastructure

Botnets beget

• Spam
– Adverts for criminal / defective products
– Phishing
– Advance Fee Frauds

• Denial of Service Extortion

• All Things ‘Cyber-bad’

What is Cyber-Terror?

Cyber-Bad

Lowering the barriers

Cyber-Bad for Hire

• Hacking tools (commodity 0-day exploits)
• Stolen credentials
• Crime as a Service
– Spam
– Botnets

• Unwitting accomplices (mules)
– Receiving stolen goods
– Money laundering

Cyber-bad Purposes

Vandalism
Vigilantism
Fraud
Terrorism
Warfare

Criminals extend reach

• Compromise systems during manufacture
– PIN Entry Devices compromised during manufacture
– Phone home with PIN data to Pakistan

• Criminal insiders
– Blackmailed or bought prior to hire
– US-CERT: 41% of incidents involve insiders

• Société Générale demonstrates €bn potential

Internet Crime Isn’t

The banks are still where the money is

Russian Business Network

Cyber Crime to Cyber Terror?

• RBN ‘customer’ 1488.ru

It’s not a new game…

Internet Terrorism Today

Internet = Outreach

Internet = Praxis

Realistic Future Scenarios

Internet = Research

• Open sources
– AQ manual claims 80% of information is available

• Criminal expert sources
– Who can tell me X for $100?

• Espionage
– Find an honest expert, penetrate their machine

Internet Crime = Funding

Internet Crime = Money Laundry

Internet Sabotage = Force Multiplier

Is a Hollywood Scenario likely?

Past Performance is no guarantee…

Security through obscurity works…

… until it fails

Fixing the Problem

What is the problem?

• Banks
– Cost of Internet crime
  • Direct losses
  • Customer service
  • Opportunity losses

• National security
– Potential criminal profits
– Potential sabotage damage

Are there solutions?

• Chip and PIN
– Eliminated card-present fraud in Europe
  • Remaining attacks exploit legacy channels

• Why not in the US?
– Different market structure
– Anti-trust used to block changes

Anti-Crime Solutions

• Email authentication
– SPF, DKIM, Secure Internet Letterhead

• Web authentication
– Extended Validation, Secure Internet Letterhead

• Secure identity
– SAML, WS-*, OpenID, OATH, Identity 3.0

• Data level security
– CRM infrastructure, Open CRM

• Network security
– Reverse firewalls, DNSSEC, BGP security
– Domain-centric administration, default-deny infrastructure
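As an added illustration of what "email authentication" with SPF means in practice (this is example code written for this page, not code from the talk or its author), the following evaluator decides whether a given connecting IP is authorised to send mail for a domain by walking the domain's `v=spf1` record. It assumes a constructed in-memory table of TXT records in place of live DNS, and implements only the `ip4`, `ip6`, `include` and `all` mechanisms; any other mechanism or a malformed record yields `permerror`, and include recursion is capped at the RFC 7208 limit of 10.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: no live DNS here; a
# production checker would query a resolver and also enforce the 10-lookup cap).
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

# SPF qualifier prefixes and the result they yield when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

MAX_INCLUDE_DEPTH = 10  # RFC 7208 limit on DNS-causing mechanisms


def check_spf(domain, client_ip, txt=FAKE_TXT, _depth=0):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none'
    or 'permerror') for client_ip claiming to send mail from domain.

    Only ip4, ip6, include and all are implemented (assumption for this
    example); a, mx, ptr, exists and the redirect modifier are not.
    """
    if _depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = txt.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":", 1)[0]:
            return "permerror"  # modifiers such as redirect= are unsupported here
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(arg, client_ip, txt, _depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # a broken include is a permanent error
            # fail/softfail/neutral inside an include: simply no match, continue
        else:
            return "permerror"  # mechanism not implemented in this example
    return "neutral"  # no mechanism matched and no 'all' term present


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.55"),
                    ("example.com", "198.51.100.10"),
                    ("example.com", "203.0.113.9"),
                    ("loop.example", "203.0.113.9")]:
        print(dom, ip, check_spf(dom, ip))
```

Note that a pass result only says the IP may send for the envelope sender's domain; it says nothing about the From: header the user sees, which is why the slide lists DKIM and letterhead-style mechanisms alongside SPF.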

Conclusions

• The threats are real
– They are not necessarily Internet threats
– But the Internet changes the game

• The threats are serious
– They may not be "terrorism" as we know it
– But they are worth caring about

• Criminal infrastructure is an ongoing threat
– Some states are playing the privateer game
– We cannot rely on international cooperation