Cyber Crime – Cyber Terrorism

What do you really know about it?

In a time of uncertainty, one may often wonder what our future may hold. We hear so much today about virus attacks, spam, bot networks, identity theft, and even horrid stories of predatory child practices and extortion, but what does this all mean? To answer some of these questions, Hakin9 had the pleasure to talk with Professor Tom Holton about the attributes of Cyber Crime and Cyber Terrorism.


hakin9 team: Can you tell me a little bit about yourself and what you do?

Professor Tom Holton: Sure. My name is Tom Holton. I’m an assistant professor in the Department of Criminal Justice at the University of North Carolina at Charlotte. I have a Ph.D. in Criminology. My research focuses on computer crime, and the ways that the Internet facilitates all kinds of deviance.

h9: So in terms of computer crime and cyber crime why is there a difference?

TH: Well, some people say that they are interchangeable, but technically they do have two distinct definitions. Some would say that a cyber crime is any kind of crime that utilizes the Internet as a vehicle. So, say a virus, which can only be distributed through virtual means. Now you might be able to put something onto a floppy and transfer it that way, but it only works through a computerized medium and it has to be transferred through computer systems. So some would say that is a cyber crime, based on those parameters. There are others who say that there are computer crimes. Computer crimes are any sort of behavior that can be done without a computer, but they’re just made simpler using computer technology. Fraud, for example, is something that you can do without a computer, however, it is easier to target many people all at once by sending out spam emails saying you are some Nigerian prince and so contact me that way. So there is computer crime, and there is cyber crime, they are used interchangeably. Different agencies may call it computer-assisted versus computer-focused crime. But that’s really not all that important. What is important is just knowing that there are two different areas.

h9: What types of cyber crime are you aware of?

TH: The distribution of viruses and malware is huge. I mean that can’t be understated. There are so many variances of different pieces of Trojans or viruses or worms or bots that are circulating that are being used for everything from sending out spam to checking to see if stolen credit card data is valid. So malware is a huge problem on the cyber crime front.

h9: What types of cyber terrorism are you aware of?

TH: Cyber terrorism is a very tricky thing. I don’t have that strong skill set in terms of the foreign languages like Arabic, Farsi, Hindi, all those iterations. What we do know is that there are a number of groups that are using the Internet as a vehicle to recruit others or to engage in what some might refer to as psychological operations. This type of activity can be considered information warfare against the U.S. using things like – sort of like a YouTube-type device where you can post your own videos or you can make your own news magazine and send it out through the Web. These are ways to provide misinformation to the public or spread your general message out to anyone who’s willing to listen, what some people refer to as the e-jihad. That’s pretty significant and that’s something that is going to garner a lot more attention in the coming months and years as we continue to deal with issues in the Middle East, Al Qaeda and various other problems.

h9: What types of tools are you using to analyze this type of activity?

TH: Well, I’m part of the UNC-Charlotte Honeynet Project, which is run out of the Department of Software and Information Systems. So, myself and three other professors from that department run this team where we have an open honeynet system to run and analyze malware that we collect through different sources. We can actually see where, say, a bot connects to for command and control, how they take their commands and what it does, say what IPs it will scan. We try to observe traffic in that way. We also use the honeynet as a means to test some of the tools that we obtain from various malware and stolen data markets. In fact, people do provide access to the tools for free. They may say, “I have this version of a bot so I’m going to provide you with the binary. You can do whatever you want with it.” We’ll try to download those binaries and we’ll run them through the honeynet to see what it does or how to make it function as per the description that’s provided. The other main tool that we use is the Internet. A lot of the places we visit online are publicly open web forums, where you control or ghost or however you like to refer to it. You don’t actually have to register, you can just scan everything and see what you want. This is important, especially with malware and stolen data since many of them are open. We also investigate closed IRC boards and web forums that require registration. Our main method of assistance is to examine public sources. We use Google Translator, we use Babel Fish, and we use many machine translation programs to translate any foreign language into English. This is something we are experimenting a little bit with to see how we can examine cyber terrorism, or any of the various facets of government-sponsored or terrorist-sponsored behavior. We are having some success with this but our primary mechanism is to just use the Internet with various proxies to protect ourselves on the back end.

h9: What is the most serious threat that you’ve ever come across?

TH: It depends probably on what you define as a threat. Some people would probably be very concerned about their children and pedophiles and things like that. We are looking at pedophilia right now. In terms of financial and, say, private sector harm, there are concerns of attacks on government targets and critical infrastructure issues. Some of the most significant things that we’ve seen are bots and other pieces of malware that track back to either organized crime groups or Eastern European groups that seem to be highly sophisticated. Many groups are making tools that seem to be only designed to steal data or to act as a key logger to obtain information, be it customer-based or otherwise, just even scanning networks. So that seems to be a pretty significant threat based on the types of information they could obtain. If it’s millions of customer accounts, if it’s a fast-flux network that is being used to phish hundreds and hundreds of thousands of people, that’s a pretty significant concern, not only for a bank or financial institution, but for the customer on the bank end who will wonder, “Well, when is my account going to be compromised?”

h9: Do you think that both corporate and government sectors are doing enough to combat these types of issues?

TH: I think that they are. I think there are some very good efforts on both fronts in terms of not only understanding how the groups that are operating different pieces of malware, how the individuals are selling stolen data and providing access to bot networks and other things. There’s an effort underway both in the private and public spheres to understand how these groups operate, how are they connected with one another? What can we do to, in some ways, either disrupt the flow of traffic or disrupt the groups themselves? That’s a very important issue. The second portion, in terms of say, law enforcement and interdiction efforts, that’s something that’s grown significantly. It’s now the third tier of the FBI’s mission to deal with computer crime and cyber terrorism. So the emphasis on this problem has definitely grown, and I think the resources are being shifted in such a way as to better combat the problem.

The real difficulty, from a personal point of view, lies in the sophistication of these groups. If you have nothing else to do but sit and figure out, “How do I find the next exploit? What can I do to figure out a flaw in this specific system or piece of hardware or software?” and that’s your entire reason for being, then there’s no end to what you’re going to find next. So whatever people come up with to secure a system, they are going to find ways to get around it, whether it’s three-factor or four-factor or multi-factor authentication. You know, if the system uses keys and various other ways to protect you, someone will figure out a way to get that data eventually. Like what’s happened with virtual keypads, which were designed to be a way to disrupt or at least resolve the problem of key loggers.

So no longer are you typing in your password, you use your mouse to punch it into a virtual keypad. Now there are tools out there that will do screen captures every so many seconds or even picoseconds to capture every click. So there’s always somebody who’s going to be creative enough to get around your security protection. So I think that’s the real hard part.

h9: What do you foresee for the future?

TH: With the invention and distribution of fast-flux networks for phishing purposes, it seems like that’s only going to continue to be a problem. We’re going to continue to see spam and even those penny stock messages and things like that going out where people are making money by simply preying on others in a very low-level fashion. So that’s something that I don’t think is ever going to go away. I think another thing that really hit this year that’s important to know is the Russian-Estonian conflict that occurred late April and early May where, because the Estonian government removed a Russian monument from a memorial garden, there were protests in the street in both Russia and Estonia as well as online where groups were attacking one another. They were attacking government websites and financial institution sites. In fact, one of the major banks in Estonia had a denial-of-service attack that took it offline for a long time. That’s the kind of thing that really points to the significance of the Internet as what people call a force multiplier, where you can be one person but you can make a staggering impact on someone else, on a government or a business, leveraging the power of your computer to do something, whether it’s a denial-of-service attack, whether it’s spamming the Estonian Embassy or something like that.

So individuals are using the Internet as a means of political expression and generally promoting a message. The same thing is true with Al Qaeda and other terrorist organizations throughout the world. So that’s another thing that’s probably going to become even more significant in the next few years.

h9: In conclusion, how can people help? How can they get involved to stop some of this kind of stuff? I mean, just the common person like myself?

TH: Well, the good thing is that because it is all open source, this is information that is just floating around and it is publicly accessible. If you stumble onto it, or if you go out looking for it in the course of your day-to-day job, say if you were a pen tester who likes to see what the black hat groups are up to or whatever it is that you may be looking at, law enforcement usually is always happy to take a tip or take some advice so that information can be communicated directly to federal agencies that may be in your area. If you have a branch of the FBI or the Secret Service, they may like to see what it is that you have found. In my case, since we have an intelligence team that I run, we have students that are looking at this as well as myself. We are always happy to take an email or we take whatever advice people have.

The good news is that there are so many different eyes that can look at these issues. This can really be useful, because it is more than something that 5 or 10 or 15 people are going to be able to handle on their own. If you’ve got, even just a rough guess, many individuals that are involved in the sale and distribution of malware and stolen data, then that is more than myself or even 20 or 30 people could manage in the course of a week or a month or a year. So in terms of assistance, contacting law enforcement, contacting researchers, is always something helpful. You can also subscribe and contribute to some of the malware.org lists, those kinds of things, private groups, public platforms – always a good outlet.


by Terron Williams