Archive for September, 2009

Cybercrime Trends

Cybercrime goes on year after year, but the way it manifests itself continually changes. I’ve been putting together a presentation on global security threats for an upcoming meeting and have had to do quite a bit of research on the types of cybercriminal activity currently occurring. After analyzing a fairly wide range of sources, I’ve concluded that viruses and worms, then laptop theft, then insider attacks, then denial of service (DoS), then network break-ins, and then data security breaches are currently the most prevalent types of attacks.

I remember when I started in the information security arena nearly 25 years ago how unauthorized access, insider tampering with systems, and viruses such as the Brain and Lehigh viruses constituted the overwhelming majority of types of cybercrime activity. Attacks in those days were incredibly crude by today’s standards, as was malware.

In 2000 I gave a presentation with the same title (“Global threat update”) as the one I am currently preparing; cybercrime statistics were quite different then. At that time, denial of service attacks were most prevalent, followed by man-in-the-middle attacks, spam and mail bomb attacks, attacks exploiting vulnerabilities in services, exploitation of cgi-bin vulnerabilities in Web servers, buffer overflow attacks, exploitation of misconfigured FTP servers, and relay host attacks.

In 2006 I made another “global threat update” presentation. This time virus infections were most prevalent, followed by spyware infections, port scans, laptop theft, denial of service, and network break-ins. Interestingly, in 2006 wireless network abuse made the top ten for the very first time.

Looking at the trends over the years, viruses (and also worms), insider attacks, network break-ins and DoS attacks have had the greatest longevity. Some of you may remember when not all that long ago I proclaimed that virus and worm infections were on the decline. I believe that I was right at that particular time. Cybercriminals had by then turned to other attack methods that were more likely to produce monetary gain; virus and worm infections are not conducive to monetary gain because they are so highly detectable. But then came the Conficker worm. No one is sure how many Windows systems Conficker has infected, but an estimate of 15 million or more systems so far would not be unreasonable. Conficker alone is largely responsible for the huge increase in malware infections over the last ten months. And I now believe that perpetrators have probably already designed a new “son of Conficker” that builds on Conficker’s base features but also introduces new ones. Given all the highly vulnerable Windows systems out there, it is reasonable to expect viruses and worms to remain at the top of the list of cyberattack types for some time to come.

In preparing for my upcoming presentation, I’ve done a trend analysis that spans only the last few years. The following types of attacks are becoming proportionately more prevalent: virus and worm incidents, data security breaches, financial fraud, DNS-related incidents, and targeted attacks. I’ve already discussed virus and worm infections, so I’ll turn to data security breaches. To put it simply, most organizations are not exercising due diligence in protecting information assets. As such, expect the proportion of data security breaches to continue to grow at a disproportionate pace. Financial fraud is always a problem, but the overwhelming majority of it over the last decade has been perpetrated by insiders. Insiders still perpetrate a large proportion of financial fraud, but organized crime and “hackers for hire” are becoming more and more prevalent with respect to this type of crime. DNS attacks, especially DNS poisoning and exploitation of Berkeley Internet name daemon (BIND) vulnerabilities, are growing so fast because they are so useful in perpetrating other types of computer crime, rather than as an end in themselves. Targeted attacks are becoming increasingly frequent because they have such a high probability of succeeding in gaining access to restricted information. If you don’t believe me, just ask the US State Department, the UK Home Department, and the US Department of Defense!

According to available statistics, phishing, DoS attacks, and bots and botnets are all on the wane. (This is not to say that they do not pose very serious risks, however.) The combination of anti-phishing features in Web browsers and quick action by law enforcement to take down phishing sites has much to do with phishing becoming less prevalent. But the reason for the decrease in the relative prevalence of DoS attacks, which just nine years ago constituted over 40 percent of all reported attacks, is a bit of a mystery. A possible reason is that there is less money to be made from DoS attacks compared to other types. Finally, the decrease in bots and botnets may be due to the greater efficiency of law enforcement in finding and bringing to prosecution botnet owners and operators.

A final caveat—everything I have said is based on statistics. In most cases, little or no detail about the methodologies used to gather these statistics has been available. Always take statistics with a grain of salt. But I would rather have some statistics that are only partially valid than none at all.


Legal Intrigue in the Cybersecurity Arena

Legal rulings in the cybersecurity arena keep getting more interesting. A federal appeals court just recently ruled that electronic searches are excluded from the “plain view doctrine.” This doctrine is based on a legal precedent in which evidence that is in plain view may be seized and used as evidence if a legally permissible search is being conducted. The ruling was in response to a case in which the US government had obtained a court warrant to find records potentially relevant to a drug testing company that is suspected of having provided illegal steroids to professional baseball players. The government investigators scoured through the company’s computers and found evidence related to baseball players other than the ten named in the warrant. Chief Judge Alex Kozinski ruled that the government overlooked constraints specified in the warrant and thus should not be allowed to “benefit from its own wrongdoing.” Additionally, Kozinski stated that the government should not be allowed to access data for which there is no probable cause.

Purely and simply, what happened in this case is that government investigators screwed up, and yet the government, in its zeal to crack down on suppliers of illegal steroids to baseball players, tried to get away with what the investigators did anyway. At a deeper level of analysis, this ruling realistically reflects the difference between searching for evidence in a computing system versus in the physical world. In a computing system, once someone, such as an investigator, has root or Administrator privileges on that system, that person can access virtually every file and directory on that machine. An investigator in the proverbial heat of battle might very well be tempted to “take a shortcut,” so to speak, by accessing files that are not specified in a warrant. I suspect that a fair proportion of investigators feel that because they are in “cyberspace,” they will somehow not get caught.

In contrast, in physical investigations numerous physical barriers, many of which occlude physical objects from view, let alone prevent physical access, are almost always present. Suppose, for example, that law enforcement has obtained a search warrant that allows investigators to enter an apartment of a suspected criminal. After entering that apartment, investigators are not likely to see certain things in the apartment—hard-to-find trap doors that lead to vaults or other rooms, ventilation and heating ducts in which contraband or evidence may be hidden, and so on. Furthermore, the search warrant used for access to this apartment will not allow access to the apartment next door after clues about the use of the next-door apartment in a crime are discovered in the first apartment. The negative consequences of law enforcement entering the second apartment without a warrant serve as a strong deterrent to doing so.

Alex Stamos of iSEC Partners Inc. has added even more intrigue to the legal issues surrounding electronic searches by arguing that the recent ruling in the case of the drug testing company is not likely to apply to information stored as part of software as a service (SaaS), as opposed to information stored on a company computer, because there are fewer legal obstacles to accessing the former. I fail to comprehend Stamos’ reasoning. Just because information owned by a variety of organizations happens to reside on a single computer does not allow someone with a warrant to obtain information belonging to company A to access company B’s information, any more than it did the investigators in the case of the drug testing company’s computer. But who knows—Stamos could possibly turn out to be right. In a common-law country such as the US, laws are passed, but their meaning is defined by court rulings. So let’s wait for the first ruling concerning a law enforcement search of a SaaS-related database to occur. Whatever the outcome is, rest assured it will again be intriguing.
