What is Cyber Crime

Cybersecurity, University, Web. Posted November 21, 2014. 2116 words.

Here are notes from a group presentation from my very first semester studying at Southampton University. It’s rough, uncited, and a bit of a mess. But I thought it worth sharing.


What is Cyber Crime?

In order to discuss Online Crime and Cyber Security, it is first important to understand what the phrase even means. According to Techopedia's definition of Online Crime, “Internet crime is any crime or illegal online activity committed on the Internet, through the Internet or using the Internet.”

The term is rather broad, as it covers both crimes that require a computer and use the internet to take place and crimes that are simply conceived or completed over the internet, regardless of whether the internet was required at all.

The internet doesn’t have borders and just by visiting one web page you could be interacting with several different countries. Without borders the domain name, hosting, load balancer, embedded widgets, comments and company responsible for the page could each be situated anywhere on the planet.

With criminal activity located all over the planet, combatting Online Crime is expensive, time consuming and requires international cooperation. As a result, organisations and people have turned to Cyber Security in order to combat this threat.

The First Hack

While Online Crime is a relatively new issue, Computer hacking may be older than you think.

Over a century ago in 1903, the magician Nevil Maskelyne interrupted a demonstration of Guglielmo Marconi’s (shown on the left) wireless telegraphy, a system of sending Morse code wirelessly. What Marconi claimed to be a secure system was clearly anything but secure.

Maskelyne sent rude and insulting messages which were shown on a projector, disrupting and embarrassing both the absent Marconi and John Ambrose Fleming who was demonstrating the technology.

In the past century, technological advances such as public-key cryptography have made secure communication possible. However, with more and more people using computers daily, the stakes have never been higher. Cyber security is becoming increasingly important to the modern world.

History

Nevil Maskelyne (magician) hacked a demonstration and sent abusive Morse code messages to make the idea of secure wireless seem foolish. In 1943, a French genius hacked the punched cards which were used by the Nazis to track down Jews. In 1982, the US government set up the first laws pertaining to cyber security after 60 computers were compromised. In 1990 came the first wire fraud, with money stolen over the internet and credit card data stolen. And the list goes on and on from here. In 2013, Burger King's Twitter was hacked to show a McDonald's image; the Twitter account of those responsible was suspended.

  • 1932 Enigma crack - “one of the most important breakthroughs in cryptologic history” - David Kahn 1991.
  • 1965 IBM vulnerability - Occurred when two people were editing at the same time, which swapped the temporary message-of-the-day and password files.
  • 1971 Phreaking - John Draper learns to make free calls on AT&T’s network by playing a certain tone (2600Hz) through the line, found from a free cereal-box whistle. Cap’n Crunch. Steve Wozniak and Jobs reportedly were phreakers.
  • 1988 First worm released - Released by son of NSA Chief Scientist on the government’s ARPAnet. Spreads to 6000 computers.
  • 1990 EFF founded - Due to what was perceived to be an uninformed response to cybercrime.
  • 1997 RIAA Piracy - $500,000 worth of counterfeit CDs seized.
  • 2000 ILOVEYOU - Worm that used a Visual Basic Script to overwrite image files and forward to all contacts. Infected over 45 million computers.
  • 2000 First DoS attack - Successfully launched by 15-year-old ‘mafiaboy’ against eCommerce sites such as eBay and Amazon.
  • 2011 PlayStation Network - 77 million accounts affected, $171 million in damages.

The Siberian Pipeline

In the middle of the Cold War, a 3 kiloton explosion from a ruptured pipeline shook the deserted Siberian wastes. As one of the largest non-nuclear explosions ever, it was detected by US early warning satellites causing NORAD to fear a missile launch.

The pipeline was complex and featured a sophisticated control system stolen from a Canadian company. Supposedly the CIA was tipped off to the theft and replaced the original plans and program with one of their own, designed to sabotage the pipeline and cause an explosion.

The incident was primarily reported by Thomas Reed in the book: At the Abyss: An Insider’s History of the Cold War. As there are few alternate sources and little evidence, doubt has been cast upon his tale. Moscow Times published a report by a KGB veteran confirming that while there was a major natural gas pipeline explosion in 1982, it happened to another pipeline and was the result of shoddy construction.

In 1996, the Farewell Dossier was declassified, revealing that the CIA had indeed fed Soviet Russia defective technology. It mentioned that “flawed turbines were installed on a gas pipeline”, but it did not mention a pipeline explosion.

As for the images, a stamp depicting the pipeline was circulated throughout the Soviet Union the next year, as seen on the right. Also, congratulations if you guessed the pipeline pictured wasn’t the one mentioned. Even with Flickr and Google Images both supporting license filtering, it’s still hard to find some images.

Extent
  • £70b worldwide cost: 42% from fraud. Survey was 2012, of 24 countries including Australia, China, Germany, Japan, Russia, UK, US.
  • 8% of UK businesses: Equates to 180,000 incidents, 75% of which were related to viruses. Survey was 2012, across sectors of accommodation and food; wholesale and retail; manufacturing; and transportation and storage.
  • 42% Businesses’ top risk: Second highest was traditional criminal activity at 17%. Survey was of 2,100 businesses across 27 countries.
  • 17% of Students: Survey was in US only.

Growth of Online Crime

Online crime is on the rise, with more people being affected by it in some form each year. Malware is increasingly preying on the less secure smartphones that we choose to carry around with us every day and store extremely personal information on. Whilst most phones run applications inside sandboxes, many phones are not running or are unable to run the latest version of their operating system, allowing malware a way in. 79% of all mobile malware targets Android phones, which isn’t really that surprising considering that Android has 85% of the global market share and is considered by some to be fragmented.

Cyber Criminals

It’s 2014 and it’s still pretty common to see scary looking pictures of code, a guy in a balaclava hunched over a computer or a graphic straight out of the 90s.

Classifications of Cybercrime

Cybercrime can be categorized into three main sections: Privacy and Data, Financial and Property, and Harassment.

When someone gains unauthorised access to other people’s data, regardless of whether it was created by them or is about them, that person can cause immense damage and grief. Digital information about a specific person can be duplicated near instantly and shared across the entire planet; once it has been released it cannot be redacted. By simply attempting to remove data from the internet, you can fall victim to the Streisand Effect and end up drawing far more attention to the data than it would have attracted on its own.

Cybercrime has the potential not only to extract information but also to cause monetary and physical damage to an individual or organisation.

Harassment is nothing new, but the proliferation of technology allows bullies to interact with their targets on an unprecedented level. A presence in social media gives the bully a huge attack vector. Most sites allow a user to create a new account and start communicating with nothing more than an email address, making blocking accounts rather pointless. Unfortunately, on most platforms, disconnecting yourself from the social web is often the best and only plan of action.

Examples
  • Privacy and Data: Apple Masque Attack allows malware to replace an iOS app.
  • Financial and Property: Stuxnet targeted industrial programmable logic controllers, which allow for automation in electromechanical processes. Could affect things from fairground rides to nuclear centrifuges. Reportedly ruined a fifth of Iran’s centrifuges for separating nuclear material by forcing them to tear themselves apart.
  • Harassment: Can range from repeated posting of rude comments on someone’s profile, to stalking, death threats and Doxxing. In its most extreme form, it has tragically driven some people to suicide, such as in the case of Amanda Todd.

Anti-malware products are pretty commonplace. You could argue about the effectiveness of anti-malware products bundled with most computers, but at the very least, nearly every computer bought in the UK has some form of protection. In most larger organisations every computer will not only be running genuine and licensed software, but will also have up-to-date anti-malware deployed across the entire computer fleet. As a result, unless you are an expert in discovering zero-day exploits or have the money to purchase premade software that will quickly be added to anti-malware blacklists, attacking a computer is hard.

Often, it will be much easier to simply exploit the people instead of the machine. Usernames and passwords are numerous and people often have issues remembering them, so they simply use one username and password for every account they have. This, combined with writing the passwords down, a website using terrible security and being subject to a huge database leak, or the user falling for phishing, can allow a person’s online presence to be completely hijacked.

Social Engineering can horribly affect large organisations; often, if you act confident and persistently ask for something, you will eventually get it.

Future Threats

Technology and online crime are constantly evolving.

Cybersecurity is…

“Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies cybersecurity. According to a December 2010 analysis of U.S. spending plans, the federal government has allotted over $13 billion annually to cybersecurity over the next five years.” - Full Quotation.

Solutions

While an extreme solution, disconnecting devices from the internet and not connecting them to other devices makes a computer safe from pretty much any attack; if a device cannot contact another, it cannot deliver a malicious payload. If you have a machine running Windows 95 which you cannot upgrade, it definitely should be disconnected from the internet and should not come into contact with any other device or media that could contain malicious data.

  • Heuristics malware detection involves observing the behaviour of software to detect whether it is malicious.
  • MailScanner - Open source (GNU) system to filter emails for spam or viruses. Made in ECS, 5 billion emails filtered per week.

Catching up to Cyber Crime

Over the last few decades, the law has started to catch up with computer crime, on and offline.

Legislation

Computer Misuse Act

  • Stems from when Robert Schifreen and Stephen Gold accessed the BT Prestel service using an over-the-shoulder password. Found Prince Philip’s personal inbox.
  • Three new crimes:
    • unauthorised access to computer material
    • unauthorised access with intent to commit other offenses
    • unauthorised modification of computer material
  • punishable by 6 months prison and a £5000 fine or 6 months / maximum fine respectively

Data Protection Act

  • Concerns sensitive personal data and its processing.
  • Says that personal data should be…
    • Obtained and processed lawfully and for lawful purposes and in accordance with the rights of individuals.
    • Accurate, Relevant and not excessive.
    • Not kept beyond its usefulness to the original purpose.

Digital Economy Act

  • Concerns digital media including broadcasting and networks but most notably Copyright infringement.
  • Grants the ability of the government to request that ISPs block certain websites, as well as take other measures against infringing subscribers such as suspending or throttling of service.
  • Controversial, seen by some as rushed - Came into force two months after being introduced to Parliament, whilst some parts were effective immediately.

Nothing to Hide, Nothing to Fear

“If you’ve got nothing to hide, you’ve got nothing to fear”, once used to quell fears related to the nationwide rollout of CCTV, now central in the argument about privacy from mass surveillance.

One side argues that mass surveillance infringes on the privacy of the person and that, while the majority of people will not be affected, minorities can be singled out and what you or I view as normal could be twisted in such a way as to make you look like a monster.

Others feel immune to surveillance and genuinely believe that they are hiding nothing.