cybercrime threats and future
play

Cybercrime Threats and Future Dark Musings from a Professional - PowerPoint PPT Presentation

Jan 16, 2023 •305 likes •754 views

Cybercrime Threats and Future Dark Musings from a Professional Paranoid Alex Stamos, Partner March 31 st , 2009 https://www.isecpartners.com Our Discussion Today Where are we today? Notes from the security front Recent incidents

  1. Cybercrime Threats and Future Dark Musings from a Professional Paranoid Alex Stamos, Partner March 31 st , 2009 https://www.isecpartners.com

  2. Our Discussion Today  Where are we today?  Notes from the security front  Recent incidents  Interesting security research  What needs to change?  Predictions  Discussion and Q&A 2

  3. Who am I?  Co-Founder and Partner at iSEC Partners, Inc.  Application security researcher  Fortunate(??) to experience these issues from many angles  Work on prominent commercial software  Work on open-source  Incident response 3

  4. Where are we today? The Good The Bad The Ugly Truth

  5. Need a baseline  Let’s be Base -10-centric and pick 1998 CIH Virus = 8,643.12 5

  6. The Good  Some software is getting better  More parties are taking responsibility for security  The basic knowledge for building more secure systems is out there 6

  7. Some software is getting better  Companies and products with a security process 7

  8. Security Knowledge  Engineers have many more resources at their fingertips 8

  9. The Bad  The software that’s getting better only reflects a small fraction of the ecosystem  Computer crime has become professionalized  Law enforcement is doing better, but not good enough 9

  10. Professionalization Remember these? http://www.flashback.se/hack/1998/11/25/1/ 10

  11. Professionalization Technical Crimeware Phish Kit Kingpin Author Author International IT IT IT IT Volume Aggregators Volume Aggregators Support Support Support Support Recruiters / Recruiters / Recruiters / Recruiters / Recruiters / Recruiters / Launders Launders Launders Launders Launders Launders US Based Mule Mule Mule Mule Mule Mule Mule Mule Mule Mule Mule Mule 11

  12. Cyber Crime P&L Gross Revenues $250M Strategy 1 Strategy 2 Strategy 3 Business Areas - $75M - $100M - $75M Credential Collection $5M $10M $7M Expenses Monetization $10M $20M $15M Expenses Operating Expenses $7M $15M $8M Net Profit $63M $55M $45M 12

  13. Professionalization  Online markets  Iceman takes control of market, gets busted  Great story on DarkMarket FBI sting  Semi-automated identity theft  Cross-border collaboration  Immunity from local prosecution 13

  14. International Issue is Key  It’s pretty easy to hide your identity while hacking on the Internet  If you live in .cn, .ru, or .ro it might not be necessary  USSS and FBI have improved their contacts in these countries, but…  For the most part, prosecution or evidence gathering in many places is impossible, giving criminals free reign 14

  15. Mixture has changed http://www.ic3.gov/media/annualreports.aspx 15

  16. The Ugly Truth  The Internet cannot be safely used by most users  Technological improvements have diminishing returns  The security industry is failing you (sorry) 16

  17. News from the security front Incidents Research

  18. Recent Incidents  Many important incidents are still not reported  Those you have heard of… 94M Credit Cards 80K LEO Identities 100M+ Credit Cards 18

  19. Heartland Payment Systems  Processes CCs for 200K businesses, 100M transactions per month  Announced on Inauguration Day. That’s PR strategy!  Liability outcomes will be interesting, Heartland is probably toast  What can we learn? 19

  20. Heartland and PCI  Heartland has raised questions about the most important private regulatory framework  Had a valid PCI DSS certification from Trustwave  Now being sued by victims, ala Arthur Andersen  Perhaps the “Audit Model” doesn’t really work for InfoSec? 20

  21. Future of Payments  Maybe the credit card model is dead, we just don’t know it  What does a credit card hold?  CCN  Name  Exp Date  Billing Zip  CVV2  Where’s the secret? Where’s the crypto? 21

  22. Recent Research  Security researchers have been tearing down basic Internet infrastructure  First, this man ruined your DNS cache 22

  23. Recent Research Then, these guys: Made this: 23

  24. Other important research  Heap manipulation with JavaScript (Sortirov)  Flash hybrid exploit code (Dowd)  Cold (really cold) boot attacks (Halderman et. al)  Clickjacking (Grossman and Hansen) 24

  25. Recent Research  What trends do we see?  Most interesting research is either:  Making the unexploitable exploitable  Breaking down basic building blocks from the 70s and 80s  Lessons: Never say “that can’t be exploited” 1. If it’s older than you, don’t trust it 2. 25

  26. What needs to change? Security Industry Software Engineering Safety and Choices Patching

  27. Security as an industry is failing  20 some years of security “professionals” and things are even worse  Why?  Still more rewards for breaking things  Every solution gets turned into an over-priced, marketing driven $500K product  Industry is tiny rudder on huge ship of software engineering 27

  28. Software Engineering  Still not really engineering  Important time is first 2-3 years of professional experience  Knowledge is available, just not being used  Why are people using unsafe languages and constructs? 28

  29. Safety versus security  Time to stop asking users to make decisions they are not qualified to make: 29

  30. Let me fix that 30

  31. Patching  The old vulnerability disclosure cycle is failing Research Patching Disclosure Exploitation Development Announcement and Testing 31

  32. Patching  Patching has been the most important end-user security step  Users fail to do it all the time. Again, time to stop asking questions  Look at your screen, do you see these? 32

  33. Desktop user model  The standard OS user model is also failing  Based upon Unix multi-user model  Most desktops only have one user anyway, making most OS protections useless  Leadership from the mobile space: 33

  34. The Future

  35. Predictions  Now for the key part of my talk, totally unfounded predictions…  So, In the Year 2000…. 35

  36. Basic Infrastructure Failure What’s next?  BGP is terrifying  DNS is still scary  Mixed HTTP/HTTPS web sites are toast  SHA-1 is in rapid decline  MD5 Collision attacks will be useful elsewhere 36

  37. Social Network Madness  Social network sites are already great for stalkers  Location awareness fad will end with a horrible tragedy  Social networks are ruining “two factor authentication”. Breaking into my bank account?  Hmm, go to Facebook, pull the photos, and guess: 37

  38. Mobile Devices  Lots of challenges here, see C. Clark at RSA  Still, it’s a chance to reboot how security is done  Screen Real Estate makes security UI difficult: iPhish. Yuan Niu, Francis Hsu, and Hao Chen @ UC Davis 38

  39. Web Security  Repeat after me...  There is no browser security model.  There is no browser security model.  There is no browser security model.  Browser continues to be the most important attack surface on the computer  W3C is making things worse, by putting security at the end of the standards process 39

  40. Rich Internet Applications  We did a whole talk on this last year…  Fun with:  Client side SQL injection!  Theft of offline data!  Web XSS turning into control of the desktop!  Cross platform malware!  Yeah! Totally necessary! 40

  41. Rich Internet Applications  Get ready for this prompt: 41

  42. Real Human Impact  Next 20 years will show the impact from lack of law enforcement in some developing countries  Companies are already blacklisting certain ASes  Double-digit percentage of users in some countries are fraudsters  Will this generation of young Internet users be willing to collaborate with entrepreneurs from high-fraud countries? 42

  43. Conclusion  It’s a good time to be paranoid. They ARE out to get you!  Security industry needs a good look at itself  Prepare for a post-privacy post-security society 43

  44. Thank you for coming Q & A alex@isecpartners.com 44

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Future Threats to Future Trust Sotiris Ioannidis Institute of Computer Science (ICS) Foundation

Future Threats to Future Trust Sotiris Ioannidis Institute of Computer Science (ICS) Foundation

Emerging Risks http://www.ics.forth.gr/dcs Future Threats to Future Trust Sotiris Ioannidis Institute of Computer Science (ICS) Foundation for Research and Technology Hellas (FORTH) Crete, Greece Future Threats to Future Trust

367 views • 25 slides
The Underground Economy and Ecosystem of SMS Based Cybercrime Denis Maslennikov, Senior Malware

The Underground Economy and Ecosystem of SMS Based Cybercrime Denis Maslennikov, Senior Malware

The Underground Economy and Ecosystem of SMS Based Cybercrime Denis Maslennikov, Senior Malware Analyst, Kaspersky Lab 15.06.2011, 23 rd Annual FIRST Conference, Vienna, Austria Agenda SMS based threats Ransomware SMS Trojans The

1.39k views • 76 slides
Economics of Cybercrime The Influence of Perceived Cybercrime Risk on Online Service Adoption of

Economics of Cybercrime The Influence of Perceived Cybercrime Risk on Online Service Adoption of

W ESTFLISCHE W ILHELMS -U NIVERSITT M NSTER Economics of Cybercrime The Influence of Perceived Cybercrime Risk on Online Service Adoption of European Internet Users living knowledge WWU Mnster Markus Riek, June 23, 2014 Rainer

571 views • 40 slides
Measuring security and cybercrime Daniel R. Thomas Cambridge Cybercrime Centre, Department of

Measuring security and cybercrime Daniel R. Thomas Cambridge Cybercrime Centre, Department of

Measuring security and cybercrime Daniel R. Thomas Cambridge Cybercrime Centre, Department of Computer Science and Technology, University of Cambridge, UK SecHuman 2018 GPG: 5017 A1EC 0B29 08E3 CF64 7CCD 5514 35D5 D749 33D9

479 views • 37 slides
Measuring security and cybercrime Daniel R. Thomas Cambridge Cybercrime Centre, Department of

Measuring security and cybercrime Daniel R. Thomas Cambridge Cybercrime Centre, Department of

Measuring security and cybercrime Daniel R. Thomas Cambridge Cybercrime Centre, Department of Computer Science and Technology, University of Cambridge, UK SecHuman 2018 GPG: 5017 A1EC 0B29 08E3 CF64 7CCD 5514 35D5 D749 33D9

672 views • 40 slides
An Analysis of Cybercrime Activity within an Underground Gaming Forum Jack Hughes Cambridge

An Analysis of Cybercrime Activity within an Underground Gaming Forum Jack Hughes Cambridge

An Analysis of Cybercrime Activity within an Underground Gaming Forum Jack Hughes Cambridge Cybercrime Conference joh32@cam.ac.uk 11th July 2019 Background Research into the role of gaming as an entry point into cybercrime is growing

851 views • 29 slides
STOPPING CYBERCRIME A presentation by the Financial Cybercrime Task Force of Kentucky KY Dept.

STOPPING CYBERCRIME A presentation by the Financial Cybercrime Task Force of Kentucky KY Dept.

STOPPING CYBERCRIME A presentation by the Financial Cybercrime Task Force of Kentucky KY Dept. of Financial Institutions DISCLAIMER The views expressed in this presentation are solely the presenters and are not binding upon any state

773 views • 20 slides
Ecosystem Threats: Ecosystem Threats: What the fishing community can do to ensure a sustainable

Ecosystem Threats: Ecosystem Threats: What the fishing community can do to ensure a sustainable

Ecosystem Threats: Ecosystem Threats: What the fishing community can do to ensure a sustainable future do to ensure a sustainable future Val Brown JIMAR Coral Reef Ecologist JIMAR Coral Reef Ecologist NOAA Fisheries Pacific Islands Regional

497 views • 16 slides
The Rule of Law in Cyberspace What it means for business GERONIMO L. SY Assistant Secretary /

The Rule of Law in Cyberspace What it means for business GERONIMO L. SY Assistant Secretary /

The Rule of Law in Cyberspace What it means for business GERONIMO L. SY Assistant Secretary / Head, Office of Cybercrime Department of Justice Outline Legal Framework on Cybercrime Updates on Cybercrime Priorities How we can work

79 views • 6 slides
TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats

TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats

TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats Explosive ad incendiary Threats Bio Hazardous Powder Threats 3 Improvised mechanical Devices TR15 Smart Scan Can easily detect the component

192 views • 16 slides
From behind the keyboard to behind bars: Cybercrime arrests and prosecu6ons in the UK Dr Alice

From behind the keyboard to behind bars: Cybercrime arrests and prosecu6ons in the UK Dr Alice

From behind the keyboard to behind bars: Cybercrime arrests and prosecu6ons in the UK Dr Alice Hutchings Computer Laboratory, University of Cambridge Presenta>on for the Inaugural Cybercrime Conference, 14 July 2016 Cambridge Computer

535 views • 32 slides
The not so Dark Side of the Darknet Dr. Victoria Wang (BSc; PhD) Senior Lecturer on Security and

The not so Dark Side of the Darknet Dr. Victoria Wang (BSc; PhD) Senior Lecturer on Security and

Cambridge Cybercrime Centre: Fourth Annual Cybercrime Conference The not so Dark Side of the Darknet Dr. Victoria Wang (BSc; PhD) Senior Lecturer on Security and Cybercrime Institute for Criminal Justice Studies (ICJS) University of Portsmouth

780 views • 24 slides
How Can We Collect Meaningful, Reliable Cybercrime Statistics? Thomas Holt (Michigan State)

How Can We Collect Meaningful, Reliable Cybercrime Statistics? Thomas Holt (Michigan State)

How Can We Collect Meaningful, Reliable Cybercrime Statistics? Thomas Holt (Michigan State) Tyler Moore (Tulsa) Background and Motivation Cybercrime scholars have called for better reporting mechanisms since 90s There remains no

177 views • 4 slides
Offline and Local: The Hidden Face of Cybercrime Jonathan Lusthaus & Federico Varese

Offline and Local: The Hidden Face of Cybercrime Jonathan Lusthaus & Federico Varese

Offline and Local: The Hidden Face of Cybercrime Jonathan Lusthaus & Federico Varese Jonathan Lusthaus Commonwealth Bank Fellow Director of the Human Cybercriminal Project University of Oxford Background Cybercrime is a largely

698 views • 16 slides
Introductory Training of Trainers Course on Cybercrime and Electronic Evidence for Judges,

Introductory Training of Trainers Course on Cybercrime and Electronic Evidence for Judges,

Introductory Training of Trainers Course on Cybercrime and Electronic Evidence for Judges, Magistrates and Prosecutors of the ASEAN Region Cambodian Cybercrime Legislations Case Study Hacking Facebook Account Case: A Facebook account was

207 views • 9 slides
A voice for cybercrime victims Kristin Judge CEO/President CYBERCRIMESUPPORT.ORG Guiding

A voice for cybercrime victims Kristin Judge CEO/President CYBERCRIMESUPPORT.ORG Guiding

A voice for cybercrime victims Kristin Judge CEO/President CYBERCRIMESUPPORT.ORG Guiding Principles (1) bringing a voice to and serving the victims of cybercrime; (2) ensuring victims are connected to local, state and federal law

802 views • 34 slides
Post COVID-19 A New Inclusive Economic Future for South Africa Delivering an Accelerated Economic

Post COVID-19 A New Inclusive Economic Future for South Africa Delivering an Accelerated Economic

Post COVID-19 A New Inclusive Economic Future for South Africa Delivering an Accelerated Economic Recovery Strategy 10 July 2020 1 A New Inclusive Economic Future: The COVID-19 crisis and the partnership created to respond, provides an

1.26k views • 111 slides
Diebold Solutions Corporate and ATM security Todays Agenda Consumer Sensitive 1)

Diebold Solutions Corporate and ATM security Todays Agenda Consumer Sensitive 1)

Diebold Solutions Corporate and ATM security Todays Agenda Consumer Sensitive 1) Information PCI DSS 2) Attacks on assets 3) 2 Diebold Confidential 2009 ATM Card Fraud Skimming: n Small read head designed to fit into ATM card

460 views • 25 slides
1 SE L MA UNIF IE D SCHOOL DIST RICT 2020- 21 BUDGE T Ma y 20, 2020 2 AGE NDA IT E M

1 SE L MA UNIF IE D SCHOOL DIST RICT 2020- 21 BUDGE T Ma y 20, 2020 2 AGE NDA IT E M

Califor nia Se nator s Califor nia State Asse mbly Dr . Joaquin Ar ambula Anna M. Caballe r o Ca pito l Offic e , Ro o m 5155 Sta te Ca pito l, Ro o m 5052 P.O. Bo x 942849 Sa c ra me nto , CA 95814-4900 (916)651-4012 Sa c ra me

329 views • 20 slides
AGENDA FOR TODAY

AGENDA FOR TODAY

AGENDA FOR TODAY

900 views • 22 slides
Memories of the Future S2S Presentation to the Foresight Synergy Network February 28, 2020

Memories of the Future S2S Presentation to the Foresight Synergy Network February 28, 2020

Memories of the Future S2S Presentation to the Foresight Synergy Network February 28, 2020 Ottawa ON The evolutionary race goes to the adaptable ... to those who can learn, not to those who know Kenneth Boulding Introduction to S2S

707 views • 60 slides
As an observer of the recent census debacle, what do you see as the key cause?: A. Technology

As an observer of the recent census debacle, what do you see as the key cause?: A. Technology

Poll 1 As an observer of the recent census debacle, what do you see as the key cause?: A. Technology failure B. Use of a third party service provider C. The threat landscape is too huge D. Ignorance / hubris A Revolution in Cyber Threats?

1.17k views • 78 slides
Professor Michael Woods Dr Jesse Heley Dr Laura Jones Dr Anthonia Onyeahialam Dr Marc Welsh

Professor Michael Woods Dr Jesse Heley Dr Laura Jones Dr Anthonia Onyeahialam Dr Marc Welsh

https://globalruralproject.wordpress.com Professor Michael Woods Dr Jesse Heley Dr Laura Jones Dr Anthonia Onyeahialam Dr Marc Welsh Background European Research Council Advanced Grant February 2014 January 2019 Understanding

523 views • 50 slides
Be In The Know 2019 Benefits Open Enrollment: October 29 November 9, 2018 Help Is at Your

Be In The Know 2019 Benefits Open Enrollment: October 29 November 9, 2018 Help Is at Your

Be In The Know 2019 Benefits Open Enrollment: October 29 November 9, 2018 Help Is at Your Fingertips Contact the Benefits Advocate Center (844) 632-2197 Monday through Friday, 7 a.m. to 5:30 p.m. PT champion@hubinternational.com For

306 views • 30 slides

More recommend