
Cybercrime: Why it's the new growth industry

Deb Shinder takes a closer look at cybercrime trends to explain why it is seeing double-digit growth and what is being done to counteract this expanding industry.

PCWorld reported earlier this month that in a struggling economy, one industry that has shown double-digit growth year after year is, like many other high-growth industries, an illicit one - in this case, cybercrime.

There was a time, as recently as the 1990s, when most of those who hacked into systems illegally or launched attacks on networks or websites were tech-savvy males in their teens or twenties. They did it for fun, for the challenge, as a learning experience, and/or to prove to their buddies that they could. Today's cybercriminals tend to be older, shrewder, and more often motivated by money. And they don't even need to be talented coders to make big profits. As the Panda Labs report referenced in this recent MSNBC.com article notes, anyone can buy (or download for free) malicious software that can be used to make big bucks stealing credit card numbers and other personal information.

Consequently, the cost of cybercrime -- to individuals, corporations, governments and society in general -- continues to climb. According to a study by Britain's Office of Cyber Security and Information Assurance, the total cost to the British economy is 27 billion pounds (or $43.5 billion U.S.D.) per year, with most of that being shouldered by business.

Evolving trends

As cybercrime has become more profit-driven, its "business model" has evolved and new types of criminal activities (as well as new twists on the old types) have emerged. According to a recent report by Steve Wexler over at NetworkComputing.com, Cisco's market intelligence manager identified one significant change as "a shift away from Windows-based PCs to other operating systems and platforms, including smart phones, tablet computers and mobile platforms in general." This fits right in with the findings of other companies. Trend Micro, for instance, predicted that the growing use of mobile devices would help make 2011 a very profitable year for cybercriminals.

It makes sense, of course. The increasing popularity of smart phones and tablets means more and more people are carrying miniature computers with them everywhere they go, and using them for more of their daily tasks - including financial transactions. Yet, many people who wouldn't think of running their desktop PCs without antivirus and anti-malware software neglect to protect their phones and tablets in a similar manner, despite the fact that there are many mobile security products now available for all the popular platforms.

McAfee's Fourth Quarter 2010 Threats Report said mobile malware increased by 46 percent from 2009 to 2010, with such threats as the SymbOS/Zitmo.A and Android/Geinimi Trojan.

Many of the new mobile threats are aimed at accessing personal information such as banking or credit card data to be used for highly profitable identity theft schemes. And because so many mobile devices (even "semi-smart" phones) now have access to the web, the incidence of web browser-based threats is also increasing. Those mobile devices are also frequently being used to access social networking services such as Facebook, so we can expect attacks targeting those sites to become a growing problem.

Convenience vs. security

It's long been an accepted truism that security and convenience tend to sit on opposite ends of a continuum, and in most cases, the more you have of one, the less you have of the other. One reason for the popularity of new mobile platforms is the convenience and ease of use that they offer. Downloading and installing an app to your phone or tablet, for instance, is generally a simpler matter than installing a new program on your computer. On the computer, you would probably have to click through one or more security warnings and confirm that yes, you really want to install this program, then walk through a wizard where you might select various configuration options. On the mobile device, you touch a couple of buttons and your app is installed and ready to go.

But what do you sacrifice in security for this convenience? A Sophos researcher recently held that the Android Market's instant-download feature presents a serious security threat, due to the "background" nature of the app installation process. An attacker who gains access to your Google password could even install software on your phone without you being aware of it.

How bad can it get?

An article published a few months ago in the Economic Times of India paints a dire picture, predicting that in 2011, viruses will become more like the ones in sci-fi movies, with attacks on critical infrastructure and industrial establishments, along with increasing incidence of cyber-espionage. In fact, a number of security analysts have warned that cybercriminals are likely to become more organized, with new groups forming and existing groups joining together to create more serious attacks, perhaps even escalating to the level of cyberterrorism and/or cyberwarfare.

This is the type of scenario that seems like something out of a fiction novel. And Mark Russinovich, co-founder of Winternals Software and well-known technical fellow at Microsoft, has just published his first novel, Zero Day, that deals with that very plotline. Unlike many previous technothrillers, this is coming from someone who is intimately familiar with how computers and networks work and what really is or isn't possible - and that makes it all the scarier.

Fiction aside, the U.S. government takes the threat of cyberterrorism, which could be considered the ultimate form of cybercrime, very seriously. The Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA) fund programs such as that of the Cyberterrorism Defense Analysis Center (CDAC).

On the international front, NATO's Cyber Defence Policy Advisor last month made headlines with the statement that the line between cybercrime and cyberwarfare is "very thin," noting that the same attack methods that are used to target individuals and businesses can also be used for military purposes.

The impact of the cloud

As more organizations consider entrusting some or all of their IT functions to public cloud providers, this raises the question of how cloud computing trends will impact cybercrime. Last summer, George Chang of Fortinet wrote that "cloud computing sets a perfect scene for the acts of cyber criminals." Certainly, concentrating huge amounts of data in a centralized location - whether a corporate datacenter or the datacenter of a cloud provider - gives criminals a bigger target, and everyone knows that the bigger the target is, the easier it is to hit it. Indeed, surveys have shown security concerns to be one of the biggest obstacles to adoption of cloud computing, although a plethora of security product vendors are rushing to fill that gap, and at this year's RSA Conference, RSA head Art Coviello said solutions already exist, through virtualization.

And just as cloud technologies can be used by cybercriminals to their advantage, cloud-based fraud detection can also be used against them. By collecting and sharing information about millions of devices across the world, these cloud services can pick up on patterns of criminal activity that wouldn't otherwise be obvious, as ThreatMetrix CEO Reed Taussig pointed out in a recent interview with Sue Marquette Poremba for IT Business Edge.

A perfect trifecta

It's a basic tenet in criminal justice theory that in order to commit a crime, a criminal must have the motive, the means and the opportunity. Today's cybercriminals have a compelling motive: the ability to make big money, with far less risk than is involved in committing the same types of crime in the "real world." They have the means, thanks to readily available malware packages they can download for a fee or for free, so that they don't even need to possess the technical skills themselves. And the opportunity is there and growing all the time, with more people conducting more transactions - both business and personal - online, using new technologies such as mobile devices and cloud computing that, in many cases, haven't yet matured in terms of security and protective mechanisms.

Despite governmental efforts to crack down on cybercrime, laws haven't yet completely caught up with the technology, and it's still dauntingly difficult to enforce the laws we do have because of jurisdictional and other issues that I discussed last month. That means those considering a career as cybercriminals could be looking at a much more positive outlook than those of us engaged in legitimate work.

What can be done about it?

It was just reported that the U.K. is planning to spend 63 million pounds (to be taken from a 650 million pound cyber security fund) to build up its resources for fighting cybercrime.

In the U.S., congressional legislators have expressed concern that the recent attempts to hack the NASDAQ stock exchange may raise questions about the Securities and Exchange Commission's ability to protect against cybercriminal activities directed at the stock market.

The U.S. government is also planning a diplomatic effort to convince more countries to join in cybercrime investigations, since international cooperation is really the key to being able to enforce cybercrime laws when so many online criminals are based overseas.

It's not just government agencies that are trying to do something about it. Large companies such as Microsoft, with its Digital Crimes Unit (DCU), are also investing their resources in efforts aimed at tracking down and prosecuting cybercriminals.

Meanwhile, a number of leading technology companies, including Microsoft, Cisco, IBM and Boeing, have teamed up with NASA and the U.S. Department of Defense to develop international standards for making IT equipment more secure.

And despite the difficulties, there have been a number of important successes in the battle against cybercrime in the past year. Some high-profile arrests included members of the Zeus Trojan gang and the mastermind behind the Mega-D Trojan, as well as the shutdown of the Mariposa botnet.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

7 comments
ap90033

Ok so the world is coming to an end and there is nothing we can do about it? Oh wait the GOVERNMENT is going to save the day? LOL if you believe that I have some unicorns for sale...

ibnanouk

As with most things in life, cybercrime is a trade-off between convenience and security. The most secure device in the world is one that is turned off, but it is also the least convenient. When people realize that they trade their security for instant gratification, it may change. However, as long as we believe that it only happens to others, the perpetrators will continue to thrive especially in this target-rich environment: smart phones, droids, iPhones, iPads, tablets, etc. The wireless world simply makes catching cybercriminals at least an order of magnitude more difficult. Check your mobile devices often and adequately -- or pay the price for convenience. Take care, Nanouk (cyber-chaser)

VytautasB

It is a given that cyber crime is a problem; however, there is very little proof of terrorists planning a cyber attack. For now they appear to be using it more for communications and propaganda purposes. An issue that merits more attention is the potential for conflict among the world's super "cyber powers". There is some evidence that governments are seeking to create offensive capabilities with the intent not only to disrupt but destroy critical infrastructure. They use the same tools as cyber criminals but the application of them by Governments will result in damage on a far different scale. Last year an ISP with links to Government caused a significant percentage of the world's internet traffic to be diverted. Many said that this was an accident; however, it could also have been a test.

douglas.gernat

I find this an intriguing topic, not just because of the ramifications in IT management, but to see the evolution of the electronic ecosystem. It is interesting, given the internet's history, to see that it is now directly parallel to a busy city, or travelling. One knows the bad spots, and knows assumed risks when travelling abroad, and now the same is true for conducting one's business daily (in the busy city) or going out to international destinations electronically, and the differences in what is legal/illegal, and what is the norm. I digress...

apotheon

The Pollyanna perspective of people who believe government will save them gets a bit old after a while.

awgiedawgie

If the line between cyber crime and cyber warfare is thin, the line between cyber terrorism and cyber warfare is even thinner. At exactly what point does an act of terror become an act of war? There have been governments who have engaged in terrorist activities, and non-government groups who have started wars, most times by overthrowing an existing government, and then going from there. And governments can get away with more questionable and borderline activities, since about the only way to prosecute another government is to go to war, and nobody's going to declare war based on questionable or borderline activities. And it's doubtful there will be much proof of planning for a cyber terror attack. Anything that does show up on the radar would often be called an accident, like the one you mentioned, or maybe even a demonstration to show that such an attack is possible, and then they (assuming they're not already a known terrorist group) could claim that they are working on ways to prevent such an attack from being made by a terrorist. Of course, if something shows up and they ARE a known terrorist group, well then they just unzipped their fly, showed their hand, or any other way you want to say their ball game is over. It could also become the onset of a cyber cold-war. Except back in the cold war, detecting an enemy attack could give the opposing side enough time to launch a counter-attack, which is why it stayed a cold war. In a cyber-offensive, it takes seconds for the attack to reach its destination, instead of hours, and a well-placed cyber-offensive could prevent a counter-offensive altogether. A little unnerving when you think of it that way.

apotheon

The difference between war and terrorism is that acts of war target political entities (i.e., governments) for political purposes, while acts of terror target nonpolitical entities (i.e., civilians) for political purposes. Yes, the lines do blur quite easily.