Cyber-crime: Evolutionary End or A New Beginning?

At times it can be very difficult to focus on the facts in a world where one is barraged by information in ways that the greatest of science fiction writers could never have dreamed. Media figures along with industry pundits tend to spout facts and figures, often in the absence of knowledge and authority. Many times this leads to outcries amongst the information security intelligentsia, who seek to ensure that as little flawed logic and FUD (fear, uncertainty, and doubt) is interjected on a daily basis as possible. Opposition from within the ranks of the intelligentsia is a good thing, though many might suggest it is elitist and at times breaks from the tradition of all things ‘hacker’ in the sense that it establishes a clear ‘us’ and ‘them’. The truth, however, is that not all members of this informal fraternity are “experts” on cyber-crime, nor do they all have more than a working knowledge of it as it relates to their day-to-day roles and responsibilities. No. In fact, many if not most are engaged in other noteworthy endeavors, with the hope being that those who do possess an acute understanding of this subject matter shall use it to the benefit of us all. For many the overt goal is the sanctity of fact, the preservation of information and its dissemination for the common good. There is not one thing wrong with this attitude, and in fact I would go so far as to suggest that we not only wish it to be the case but need it to be so. The IC3 released its Annual 2009 report on cyber-crime late last week, and with it came a number of things:

The IC3 stated that the total dollar loss from all referred cases (that is, cases which were referred to and studied by their team) was approximately $559.7 million dollars (US), with a median or average dollar loss per instance being reported. The significance is quite noteworthy in that it demonstrates that from the year 2008 (which saw a total of $264.8 million dollars (US) in losses) to 2009, the IC3 saw an increase in losses of approximately $295.1 million dollars (US). This growth represents a little more than two times what had occurred in the previous year. One need not look much further in order to see patterns emerging, if one ever doubted they existed. That statistic alone should alleviate any doubt that cyber-crime is swiftly becoming (and will likely supersede) the most sought-after element of modern criminal activity.

For many years, empirical evidence has been amassed and studied in order that trends could be determined via the careful application of analytics. Through deep analysis an analyst begins to note trends and pattern development. Similarly, an analyst would begin to note points of adaptation, deviation and evolution as they relate to the trends and patterns. Many factors influence these patterns of development. In the past I’ve found it both necessary and helpful to create impact lists of items that either influence or aid my topic of study. The following list, though detailed, is by no means complete. It demonstrates some of the more prominent elements at work (some of which the sub-economic environment shares with the traditional economic environment):

Who’s To Blame?

We could easily begin finger pointing and assigning blame to corporations and individuals alike; however, it is my assessment that this was not and will not be necessary. Would it be convenient to blame Microsoft for every bad piece of code written using their .Net framework? Of course it would. It would be just as convenient, and likely every bit as easy, to blame IBM for its Rational framework and in the same breath begin addressing the failures of individuals’ and organizations’ internal code development. It would also be intellectually dishonest and morally suspect. I believe there is plenty of blame to go around and it is not entirely any one organization’s, or discipline’s, fault. It is all of our faults in the sense that we failed to communicate the value proposition of the importance of securing properly to avoid securing dangerously. We speak of evolution, adaptation and sophistication as though they were the norm, part of the meme (if you will) of our industry, though the evidence shows that there is significant disparity between idealistic states and those anchored in reality. We talk of sophistication in attacks and exploits, yet in many cases ‘sophistication’ isn’t even a consideration, as many recent ones occur using unsophisticated means (GhostNet). We use terminology such as ‘elegance’ to describe the state that is arrived at upon being owned (and being made aware of said owning) by those with questionable or nefarious intent, if a level of sophistication was demonstrated. In reality, some of the more notable attacks of the last 18 months were not terribly sophisticated yet still quite effective.

First Steps

So who is to blame? My answer is that we all have an ownership stake in this, as I mentioned earlier. We live in a world driven by deadlines and meeting/exceeding customer expectations. There is nothing wrong with that. Managing against deadlines is both noteworthy and sensible from a business management perspective. I do, however, believe that sacrificing quality in order to meet deadlines introduces problems sooner or later. As my father is fond of saying, you can’t cheat death, and I think (at least in spirit) the same sentiment can be echoed with respect to doing poor work: you can’t cheat quality. Often in my career I’ve worked with clients who simply could not afford to not meet deadlines (internal or external customer-facing deadlines).

Recently my friend Josh Corman and I were discussing the basis for what became the Rugged Software initiative. During that conversation we discussed many of the arguments, pro and con (most of which are quite old, it should be noted), related to SDLC (software design life cycle) and the challenges which seem to manifest into reality all too often in development houses. My belief is that until SDLC is communicated in a manner which demonstrates the value of the bits to the boardroom, it will be an uphill battle. That doesn’t mean it isn’t worth fighting, but rather that until it resonates with the stakeholders, the business unit owners who set and oversee (and who are overseen by the board, for example), it will likely fall on deaf ears.

My suggestion is that organizations, and those within them charged with managing risk, should begin by evaluating the organizational risk posture. In doing so, provided the exercises are followed through upon, it will become clear what level of exposure the organization is incurring, what has been defined (formally or informally) as an acceptable level of risk, and whether or not that needs to be re-addressed in order to align with the expectations set forth by the risk management team in preparing the organization for cyber threats such as those associated with ‘cyber-crime’.

There is A LOT of press regarding Google and the Chinese exfiltrating data from many corporations. The Wall Street Journal has a pretty good write-up; if you have not had a chance to read it, I would encourage it: http://bit.ly/92Q1CI . Honestly, it does not matter if the attack vector was going through Google or any other medium for that matter. It’s important to understand that any open Internet connection, combined with the financial backing of a State or Non-State Sponsored cyber hit, has and will continue to exploit any target of value. First, APTs have been around for a long time. Furthermore, the technologies required for uncovering these “Subversive Multi-Vector Threats (SMT)”, as my close colleague and friend Will Gragido describes in a recent blog posting (http://bit.ly/8TlP6d), are typically not core infrastructure security devices. What are core infrastructure security devices? FW/UTM/NGFW, IPS, Web & Mail security, A/V, HIPS and some form of DLP, to name a few. Those that I listed are great for detecting, stopping and mitigating about 80 – 90% of the attack surface, according to an article in which the NSA was quoted. Keep in mind that people, process and a select few technologies and vendors bridge that 10 – 20% gap.

APTs, or SMTs as we here at Cassandra refer to them, are typically a topic that not a lot of security professionals are qualified to speak about, and because the threats are so stealthy it’s not talked about. Will and I recently gave a talk on APTs at ToorCon this past fall. Our ToorCon presentation can be found here: http://bit.ly/73tuYA . We are passionate about and very experienced in dealing with this subject matter, as we’ve had to deal with this specific attack vector for the past 15 years. It’s not surprising that it’s starting to get coverage and, unfortunately, it’s probably the best vector for obtaining any type of data almost undetected. Now, with that said, the sky is not falling, but corporations are going to have to make investments in key technologies and people if they really want to know what’s going on within their network. Correlated event data from multiple threat feeds is a great thing, but it’s not as powerful as having full session-based data. SMTs are like bread crumbs that fall through the cracks, and the type of technologies that can catch the breadcrumbs are those developed by Netwitness and Palantir, to name a few. Not plugging them, but these types of technologies are needed in uncovering the stealthy threats that go bump in the night and in broad daylight. Additionally, the time to protection is constantly shrinking, and reactive point products that provide retroactive assurance can’t scale with the current threat landscape. The paradigm of a siloed data feed model needs to change. A vendor that’s leading this model is McAfee. Again, at Cassandra we remain technology vendor agnostic; however, when it comes to the severity of the threats, the industry needs to change and follow the example of the vendors that are leading the battle in combating SMTs, formerly referred to as APTs. More to come on this topic.

01.11.2010

It’s 2010, people. Happy New Year! Where did 2009 go? Last year was a very busy year for Cassandra Security. A lot has occurred since we launched, and we as individuals and as a team have learned a great deal in the process. 2010 promises to be a very exciting year and, if my estimations are sound, we will show no signs of slowing. This is a good thing. My first 2010 prediction is that in the not too distant future you will see our site change. The evolution has begun and it is only a matter of time before it is complete. I am personally looking forward to this and other changes; however, I will refrain from commenting until the appropriate time. I will say, however, that our goal remains the same: to provide the most comprehensive, thought-provoking content we can related to our passionate study, devotion and understanding of our discipline. Expect to see more in the way of malicious code and content analysis, threat analysis, reversing, trending and a whole host of other technological and philosophical endeavors related to our work. It is an exciting time to be in our space; it is a time that calls for leaders to lead, followers to follow and those who are confused to kindly step out of the way. Before I get into the heart of this post, I would like to say thank you to those who have shown their love, appreciation and support to us thus far, believing in our work and in us and rallying behind us regularly. Thank you. You know who you are and so do we. We are honored by your allegiance and support and hope that in achieving our goals we will also aid you in accomplishing your own, whether in business or personal contexts.

This time of year resolutions are the norm, and in our space so are predictions. I am not a resolution kind of guy, so I will jump squarely into the predictions. Predictions are tricky. In our space you often encounter a regurgitation of ideas or, worse yet, a pilfering of them, with the net effect being that they end up on someone’s prediction list. This entry is going to be different. I hope you’ll enjoy it and appreciate it for what it is, as opposed to yet another broadcast of what may or may not be the next big threat to hit (I will mention some things which fall into this category; as you will see, it will be done in a manner different from what one would traditionally expect in a piece such as this). Predictions come in two varieties. They are either related to or associated with the divine, the supernatural, or the result of anticipatory science (the type of predictions which lead to the formulation of a hypothesis, for example). As we neared the close of 2009, I read no one’s predictions for 2010. In fact, I still have not read anyone else’s, to avoid muddying the waters of my own thought process. When I was a child, a very wise person told me that the true test of a prophet, or of one who makes predictions, lies in his or her accuracy with respect to the prophecy or prediction coming true. I took that to mean (and still do) that there are many things which must fall into place either by divine design or by the design of man (some may argue the latter is influenced by the former; however, that is not the purpose of this piece, so let’s table that for another time). I never took it to mean that we as intelligent, informed human beings, perhaps lacking ‘divine’ insight, could not arrive at conclusions after conducting enough individual and collaborative analysis to make educated guesses or predictions. In fact, that is where I believe most predictions fall categorically: into the realm of those driven by anticipatory science.
Does this mean that I am ruling out, in terms of absolutes, the possibility of one’s “gut” or “instincts” playing a role in this process? Certainly not. However, what it does not mean is that what we conceive as predictions in our space are akin to and on par with messages delivered from on high, carved in stone and presented to a body of people.

Preface:

I feel that it is important to write and speak honestly about the world in which we live and work: the good and the bad; the sacred and the profane; the beautiful and the ugly. I believe that in doing so we remain in balance and present a realistic view of the world, as opposed to one seen through tinted glasses. I believe that there are threats, very real threats, which are at work in the world, some more noticeable than others and some operating quietly in remote locations, readying themselves for their opportunity to strike. However, I do not believe it to be a healthy or intellectually honest position to speak only of those threats in an unbalanced light. This, I fear, leads us away from sound thinking and directly into the land of those who inappropriately talk of fear, uncertainty and doubt. We do not need to lead anyone down a road to perdition; people do that for themselves. Our role is to identify the patterns, trends, activity, threats, vulnerabilities and risks that may be exploited in order to achieve the goals set forth by those who seek to do harm, in whatever form harm “means” to them. Furthermore, I believe we as professionals have a responsibility to avoid, when possible, sensationalism being entered into. Sensationalism is fine for the circus or cinema, however terribly inappropriate in other contexts, namely those within which we operate. I find that behavior to be distasteful and amateurish, and so should you if you are a professional seeking to improve your skills and understanding of that which we do.

Prediction #1: Evolution by Definition Will Fuel the Revolution

I do not believe that we will see a plateau or a peak with respect to illicit activity, regardless of the form it takes: cyber crime, cyber espionage, cyber warfare or cyber terrorism. I believe we will see continued growth and likely greater degrees of interconnectivity between organizations around the world (in addition to individual operators), as there is no shortage of demand for what is being supplied, nor is there a shortage of innovation taking place. I write often about cyber crime, cyber espionage, cyber warfare and cyber terror, as they are passions of mine (in addition to being areas in which I have professional experience), along with psychology. I often quip that there is an ‘Evolution Revolution’ in full swing with respect to those factors that drive the creation, support and growth of sub-economic ecosystems (sometimes referred to as shadow economies). Put plainly, there are simply too many opportunities and too many parties ready, willing and able, for a plethora of reasons (recall that agendas drive action), for this not to be the case.

Evolution occurs without the aid or impetus of a third party. It simply does not require it; it is not necessary for its manifestation. Revolution, on the contrary, requires an evolution of thought, ideals and action. So long as this evolution remains present (which, based on my understanding of Darwin’s and others’ writings, I believe it will), revolution will be made possible and continue unfettered. In our field, in our discipline, I believe that we have seen examples of this over time and will no doubt see much more in 2010 and beyond. The world is not enough, to quote Ian Fleming, and it is an intellectually dishonest position to suggest that everything that can be monetized on the Internet (in other words, given monetary value) already has been. Assertions such as this boggle the mind and suggest that human innovation and creativity have reached their apex (which we know has not occurred) and that, as a result, markets will dwindle. Do you see that happening? I don’t. In fact, I would argue the opposite completely and passionately. So long as there is evolution pushing revolution within cyber criminal ecosystems (shadow economies), state-sponsored cyber warfare and espionage, not to mention sub-nationally sponsored cyber terrorism, there will continue to be opportunities upon which to capitalize. We need now, more so than ever before, to remain diligent and prepare ourselves for what is coming, even if we cannot (in an unequivocal sense) “predict” exactly what will occur.

Prediction #2: The Sky is not falling, but it is Getting Gray

“All the leaves are brown and the skies are gray”. I love that lyric; it speaks a lot in few words; it evokes a visceral response that the listener can easily identify with, should he or she have experienced winter and its realities. Ironically, it is winter and I am writing this less formal but still serious post about predictions. Often people make assumptions, broadcasting them in the absence of fact with respect to what is real and what is not within our industry. It does not require an advanced degree to recognize that this is foolish at best and quite dangerous at worst. Take innovation, for example. I believe that innovation, both good and bad, will continue, and that in some respects the innovation we perceive and recognize as being bad in our industry will supersede the readiness of the tools and tactics we have at our disposal should we become complacent and jaded. Cyber criminals, for example, are extremely innovative and recognize, at times more readily than we would like to admit, the challenges and inability of industry to address all that they have to offer and more. We must ready ourselves in all seasons, in particular the winter of our development, in order to address this, as we know that cyber criminals do not sleep but often our industry does. Sound analysis and integrity-driven research, along with our desire and ability to enable ourselves and our clients to meet these challenges, is what is needed, not sensationalistic ramblings or debates having to do with the validity of a new enablement technology or regulatory standard. Preparedness is key, and the failure to plan is the equivalent of preparing to fail. Last year there were ample examples identified and noted which influenced the industry’s belief that the sky is falling; however, there was little to lead us to believe that utter destruction was upon us.
This is not to say that there were not very serious occurrences which wreaked havoc upon the cyber world and beyond (to suggest otherwise would be madness). No, some truly BAD things did happen and will continue to happen. Will the skies remain gray? I believe they will; I maintain that they will be cloudy and at times become more ominous than at others. Trends change; they evolve and mature. It is because they do that, in my mind, it is better to expect the worst, hope for the best, and always be prepared. Very rarely (if ever) are people penalized for preparedness. Should you find yourself being penalized for being prepared, you can blame me or the Boy Scouts, whichever you would like ;) but take solace in the fact that you were prepared.

Prediction #3: The Threat Landscape Will Remain Unpredictable

If I have learned anything in life, it is that life is unpredictable, and perhaps that is what we need to focus on. Unpredictability is what enables us to formulate strategy and tactics for dealing with everything we experience, whether it is our car not starting or our enterprises and our information, personal or otherwise, being placed at risk. Our goal for 2010 should be to remain vigilant and, where appropriate, become more so. This requires a reconsideration of risk and its management, as opposed to the mindless adoption of the latest new-fangled technology or audit requirement. We need to treat information security and risk management in 2010 as though they are living entities: sentient and in need of nurturing. Should we fail to do so, then perhaps some of the more ‘sensational’ predictions made by others will come to a head.

On December 23, 2009, the United States Department of Justice released a statement concerning Stephen Watt. Stephen Watt is likely not a name rolling off the tongues in households across America; however, his participation in what has been called to date the “largest identity theft in our nation’s history” is likely quite familiar. You see, Watt, Stephen as I like to call him, or soon-to-be federal prisoner Stephen Watt, was an integral member of the team assembled by Albert Gonzalez (you remember Albert, right?) for the express purpose of stealing as many credit and debit card numbers as possible without being detected or ultimately prosecuted. The case in question is the now infamous TJX data breach. However, though not new news, the sentencing and pathology is something which few, if any, are addressing.

In the statement released by the U.S. DOJ, Watt was sentenced on December 22, 2009, for his role in the TJX breach, specifically for the creation of a sniffing (siphoning) application used to monitor and capture data, including customer credit card and debit card information, as it traversed corporate computer networks. Watt, who pled guilty to conspiracy charges on October 28, 2008, was sentenced to two years’ imprisonment, to be followed immediately by three years of supervised release, a condition of which was electronic monitoring of any computer use. Additionally, he was ordered to pay restitution of $171.5 million dollars US. For five years Watt unlawfully gained electronic access to corporate computer networks and in doing so downloaded customers’ credit and debit card information, which he later trafficked, sold and used for personal fraudulent gain. The United States Secret Service, along with third-party digital forensics firms, investigated the case. Assistant U.S. Attorney Stephen Heymann, who is active Chief of the Computer Crime Unit of the Secret Service which spearheaded this case, prosecuted it.

Watt’s attorney attempted to establish a scenario suggesting that he simply lacked sound judgment and was led to participate by his own intellectual curiosity and the bonds of friendship he had forged with Albert Gonzalez while the two were teenagers. I find this to be weak at best. Would I expect a defense attorney to suggest otherwise in a case such as this? No, I think that in a case such as this one, if I were a defense attorney, I would be looking for any plausible egress point possible in the hopes that one would lead to light. However, I would expect that those parties hearing and prosecuting the case would not fall prey to such delusional lines of thinking (I have no reason to believe, nor am I insinuating, that either Mr. Heymann or the Honorable Judge Nancy Gertner did fall prey to such vapid arguments, but rather that they arrived at a satisfactory judgment based on the facts and goals they were presented with and working toward).

The facts are clear: Stephen Watt willingly created ‘blaba’ for the express purpose of monitoring, collecting and siphoning credit and debit card information belonging to others. That this data resided on the TJX network and systems was but a technicality, as Watt and his co-conspirators were, after all, engaged for criminal profit. According to his defense, Watt had no idea his creation would be used for illegal activity (this is insulting to all who read it and to logic itself, given the design intent, nature and use of the code). This clearly suggests that he is either a liar or a lunatic, given the amount of evidence collected related to conversations and other salient details of the operation that he and Gonzalez led.

What I find interesting is the potential use of similar arguments of defense in cases such as Watt’s and others where the ability to distinguish right from wrong seems to be suspect. Let’s look a little more closely at Watt’s background. A highly intelligent software engineer with an impressive resume including, among others, Morgan Stanley and Imagine Software (a trading software manufacturer), Watt graduated high school at age 16 in Florida with a 4.37 grade point average. In 2004, he moved to New York to work for Morgan Stanley and began frequenting nightclubs and experimenting with drugs. In 2007, he took a role with Imagine Software, where he was working up to the time of his arrest. He cited his intellectual curiosity and, as mentioned earlier, friendship with Gonzalez as being the deciding factors in his participation; however, I believe (and so too did the prosecutors and judge involved) that the deciding factor was profit. Profit via criminal activity that did not seem to bother Watt or his accomplices in the slightest. Conventional thought suggests that they believed that the “banks” were insured by the FDIC and that the monies and profits acquired were reimbursable (never mind the damage they did to the reputations and credit ratings of countless thousands and the overt brand damage they brought to the doorstep of TJX). Watt was not the mastermind of the breach; that honor belongs to Albert Gonzalez, who is currently awaiting sentencing in Boston for up to seventeen years in federal prison. The two housed Watt’s code on a leased server located in Latvia and, with it, over 16.3 million stolen credit card numbers, while another 27.5 million stolen card numbers were located on a server in the Ukraine.

I worry that more will, upon being identified and caught, feign or claim ignorance or, worse yet, the inability to determine right from wrong as a plausible defense, making illegal activity of this sort and its prosecution akin to violent crime prosecution and the insanity plea. I feel there is danger in this and in other defenses being introduced into courts of law that suggest that a person guilty of (knowingly) committing a criminal act was unable to determine the legality of their actions due to some pre-existing circumstance or condition. Take the case of Gary McKinnon of the United Kingdom, for example. McKinnon was found guilty of penetrating and disrupting computer systems and networks belonging to NASA and the United States Department of Defense. McKinnon, who claims to have been on a quest for truth regarding UFOs, penetrated over 90 classified systems and networks in 2001 and 2002. He faces extradition to the United States, which was granted by the courts of the United Kingdom; however, he is currently fighting extradition based on his claims of suffering from Asperger’s Syndrome (a type of pervasive development disorder (PDD); PDDs are a group of conditions that involve delays in the development of many basic skills, most notably the ability to socialize with others, to communicate, and to use imagination). Based on the information gathered on it, it does not suggest a failure or inability to recognize wrong from right. In fact, there are many highly regarded, influential historical figures from all occupations who have been diagnosed with Asperger’s.

Personally, I feel that defenses such as those posed by Watt’s attorney and by McKinnon are both scandalous and shameful. They insult and mock those who do suffer from diagnosable developmental disorders while, at the same time, attempting to insult the intelligence of the masses. In order to prevent them from becoming the defense du jour, it is my hope that the courts begin laying down much more restrictive, severe sentencing for criminal acts such as these. Failure to do so in many respects encourages the risk-reward calculation used by criminals in order to justify their activities.