PCWorld reported earlier this month that in a struggling economy, one industry that has shown double digit growth year after year is, like many other high growth industries, an illicit one – in this case, cybercrime.
There was a time, as recently as the 1990s, when most of those who hacked into systems illegally or launched attacks on networks or websites were tech savvy males in their teens or twenties. They did it for fun, for the challenge, as a learning experience, and/or to prove to their buddies that they could. Today’s cybercriminals tend to be older, shrewder, and more often motivated by money. And they don’t even need to be talented coders to make big profits. As the Panda Labs report referenced in this recent MSNBC.com article notes, anyone can buy (or download for free) malicious software that can be used to make big bucks stealing credit card numbers and other personal information.
Consequently, the cost of cybercrime — to individuals, corporations, governments and society in general — continues to climb. According to a study by Britain’s Office of Cyber Security and Information Assurance, the total cost to the British economy is 27 billion pounds (or $43.5 billion U.S.D.) per year, with most of that being shouldered by business.
As cybercrime has become more profit-driven, its “business model” has evolved and new types of criminal activities (as well as new twists on the old types) have emerged. According to a recent report by Steve Wexler over at NetworkComputing.com, Cisco’s market intelligence manager identified one significant change as “a shift away from Windows-based PCs to other operating systems and platforms, including smart phones, tablet computers and mobile platforms in general.” This fits right in with the findings of other companies. Trend Micro, for instance, predicted that the growing use of mobile devices would help make 2011 a very profitable year for cybercriminals.
It makes sense, of course. The increasing popularity of smart phones and tablets means more and more people are carrying miniature computers with them everywhere they go, and using them for more of their daily tasks – including financial transactions. Yet, many people who wouldn’t think of running their desktop PCs without antivirus and anti-malware software neglect to protect their phones and tablets in a similar manner, despite the fact that there are many mobile security products now available for all the popular platforms.
McAfee’s Fourth Quarter 2010 Threats Report said mobile malware increased by 46 percent from 2009 to 2010, with such threats as the SymbOS/Zitmo.A and Android/Geinimi Trojan.
Many of the new mobile threats are aimed at accessing personal information such as banking or credit card data to be used for highly profitable identity theft schemes. And because so many mobile devices (even “semi-smart” phones) now have access to the web, the incidence of web browser-based threats is also increasing. Those mobile devices are also frequently being used to access social networking services such as Facebook, so we can expect attacks targeting those sites to become a growing problem.
Convenience vs. security
It’s long been an accepted truism that security and convenience tend to sit on opposite ends of a continuum, and in most cases, the more you have of one, the less you have of the other. One reason for the popularity of new mobile platforms is the convenience and ease of use that they offer. Downloading and installing an app to your phone or tablet, for instance, is generally a simpler matter than installing a new program on your computer. On the computer, you would probably have to click through one or more security warnings and confirm that yes, you really want to install this program, then walk through a wizard where you might select various configuration options. On the mobile device, you touch a couple of buttons and your app is installed and ready to go.
But what do you sacrifice in security for this convenience? A Sophos researcher recently held that the Android Market’s instant-download feature presents a serious security threat, due to the “background” nature of the app installation process. An attacker who gains access to your Google password could even install software on your phone without you being aware of it.
How bad can it get?
An article published a few months ago in the Economic Times of India paints a dire picture, predicting that in 2011, viruses will become more like the ones in sci-fi movies, with attacks on critical infrastructure and industrial establishments, along with increasing incidence of cyber-espionage. In fact, a number of security analysts have warned that cybercriminals are likely to become more organized, with new groups forming and existing groups joining together to create more serious attacks, perhaps even escalating to the level of cyberterrorism and/or cyberwarfare.
This is the type of scenario that seems like something out of a fiction novel. And Mark Russinovich, co-founder of Winternals Software and well-known technical fellow at Microsoft, has just published his first novel, Zero Day, that deals with that very plotline. Unlike many previous technothrillers, this is coming from someone who is intimately familiar with how computers and networks work and what really is or isn’t possible – and that makes it all the scarier.
Fiction aside, the U.S. government takes the threat of cyberterrorism, which could be considered the ultimate form of cybercrime, very seriously. The Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA) fund programs such as that of the Cyberterrorism Defense Analysis Center (CDAC).
On the international front, NATO’s Cyber Defence Policy Advisor last month made headlines with the statement that the line between cybercrime and cyberwarfare is “very thin,” noting that the same attack methods that are used to target individuals and businesses can also be used for military purposes.
The impact of the cloud
As more organizations consider entrusting some or all of their IT functions to public cloud providers, this raises the question of how cloud computing trends will impact cybercrime. Last summer, George Chang of Fortinet wrote that “cloud computing sets a perfect scene for the acts of cyber criminals.” Certainly, concentrating huge amounts of data in a centralized location – whether a corporate datacenter or the datacenter of a cloud provider – gives criminals a bigger target, and everyone knows that the bigger the target is, the easier it is to hit it. Indeed, surveys have shown security concerns to be one of the biggest obstacles to adoption of cloud computing, although a plethora of security product vendors are rushing to fill that gap, and at this year’s RSA Conference, RSA head Art Coviello said solutions already exist, through virtualization.
And just as cloud technologies can be used by cybercriminals to their advantage, cloud based fraud detection can also be used against them. By collecting and sharing information about millions of devices across the world, these cloud services can pick up on patterns of criminal activity that wouldn’t otherwise be obvious, as ThreatMetrix CEO Reed Taussig pointed out in a recent interview with Sue Marquette Poremba for IT Business Edge.
A perfect trifecta
It’s a basic tenet in criminal justice theory that in order to commit a crime, a criminal must have the motive, the means and the opportunity. Today’s cybercriminals have a compelling motive: the ability to make big money, with far less risk than is involved in committing the same types of crime in the “real world.” They have the means, thanks to readily available malware packages they can download for a fee or for free, so that they don’t even need to possess the technical skills themselves. And the opportunity is there and growing all the time, with more people conducting more transactions – both business and personal – online, using new technologies such as mobile devices and cloud computing that in many cases, haven’t yet matured in terms of security and protective mechanisms.
Despite governmental efforts to crack down on cybercrime, laws haven’t yet completely caught up with the technology, and it’s still dauntingly difficult to enforce the laws we do have because of jurisdictional and other issues that I discussed last month. That means those considering a career as cybercriminals could be looking at a much more positive outlook than those of us engaged in legitimate work.
What can be done about it?
It was just reported that the U.K. is planning to spend 63 million pounds (to be taken from a 650 million pound cyber security fund) to build up its resources for fighting cybercrime.
In the U.S., congressional legislators have expressed concern that the recent attempts to hack the NASDAQ stock exchange may raise questions about the Security and Exchange Commission’s ability to protect against cybercriminal activities directed at the stock market.
The U.S. government is also planning a diplomatic effort to convince more countries to join in cybercrime investigations, since international cooperation is really the key to being able to enforce cybercrime laws when so many online criminals are based overseas.
It’s not just government agencies that are trying to do something about it. Large companies such as Microsoft, with its Digital Crimes Unit (DCU), are also investing their resources in efforts aimed at tracking down and prosecuting cybercriminals.
Meanwhile, a number of leading technology companies, including Microsoft, Cisco, IBM and Boeing, have teamed up with NASA and the U.S. Department of Defense to develop international standards for making IT equipment more secure.
And despite the difficulties, there have been a number of important successes in the battle against cybercrime in the past year. Some high profile arrests included members of the Zeus Trojan gang and the mastermind behind the Mega-D Trojan, as well as the shutdown of the Mariposa botnet.