Crime and Cyber-crime

Post on 22-Feb-2016

Distributed and Embedded Systems (DIES)

Crime and Cyber-crime
Pieter Hartel

Notes: Focus on targets and routine activity

Cyber-crime Science

Slide 2: Crime
Acts or omissions forbidden by law that can be punished [], against:
- persons (e.g. rape, assault, murder, suicide)
- property (e.g. fraud, arson, theft, vandalism)
- the state (e.g. riot, treason, sabotage, terrorism)
- morality (e.g. gambling, drugs, obscenity)
Disorder is broader than crime, e.g. littering, graffiti, loitering, etc.

[Wil98] J. Q. Wilson and R. J. Herrnstein. Crime & Human Nature: The Definitive Study of the Causes of Crime. Free Press, Jan 1998.

Slide 3: Example

http://www.oregonlive.com/clackamascounty/index.ssf/2010/03/burglars_steal_destroy_molalla.html

Notes: Problem: no backup

Slide 4: Cyber-crime
Crime where computers are used as a tool, target or place:
- Computer assisted crime (e.g. advance fee fraud)
- Computer integrity crime (e.g. DDoS attack)
- Computer content crime (e.g. software piracy)

[New09] G. R. Newman. Cybercrime. In M. D. Krohn, et al., editors, Handbook on Crime and Deviance. Springer, Nov 2009. http://dx.doi.org/10.1007/978-1-4419-0245-0_25

Notes:
- Technology mediated crime is old, especially weapons
- Advance fee fraud with letters
- http://en.wikipedia.org/wiki/Alan_Ralsky
- DDoS attack with mail order catalogs etc
- Software piracy: see Dickens

Slide 5: Technology and crime
Which of these are virtual?
Which of these promote anonymity?

| Technology | Problem | Solution | When |
|---|---|---|---|
| Sailing ships | Privateering | Treaties | 1856 |
| Paper money | Counterfeiting | Laws, Technology | 17th-20th |
| Revolver | Genocide | ? | ? |
| Cars | Theft | Locks | 20th |
| Phone | Nuisance calls | Caller-ID | 20th |
| Internet | Fraud, Theft | ? | ? |

Notes:
- http://en.wikipedia.org/wiki/Piracy
  US constitution authorised Congress to issue letters of marque in 1787. Ended by the Treaty of Paris 1856.
- http://en.wikipedia.org/wiki/Banknote
  Watermark & thread technology
- http://www.ecb.europa.eu/euro/html/security_features.en.html
- http://en.wikipedia.org/wiki/Revolver
  Invented 1836
- http://en.wikipedia.org/wiki/Motor_vehicle_theft
- http://en.wikipedia.org/wiki/Caller_ID
  Invented 1968
- http://www.dnb.nl/echt_of_vals/echt_of_vals.html

- Virtual: Paper money, Phone, Internet
- These also promote anonymity

Slide 6: Cyber space vs meat space
- Virtual, but that's nothing new (why?)
- More easily automated (why?)
- Harder to police (why?)

Notes:
- Money is equally virtual
- Computers
- Global issues, anonymity

Slide 7: Some examples

Slide 8: Computer assisted crime
- Murder
  - 13-year old US girl bullied into suicide in 2006
  - 3-month old Korean child dies from neglect in 2010
- Extortion
  - Virginia DHP ransom demand 10 M $ in 2009
  - BetCris hacker sentenced to 8 years in 2006 (New business http://www.prolexic.com/ )

Notes:
- http://en.wikipedia.org/wiki/Suicide_of_Megan_Meier
  Lori Drew, mother of friend, invented Josh on social network
- http://edition.cnn.com/2010/WORLD/asiapcf/04/01/korea.parents.starved.baby/index.html?hpt=T2
  Baby lost pound since birth because of neglect, parents went to PC Bang
- http://voices.washingtonpost.com/securityfix/2009/05/hackers_break_into_virginia_he.html
- http://www.csoonline.com/article/215921/online-extortionists-get-eight-years
  Offender in Balakovo (RU) tracked down by Barrett Lyon, who founded Prolexic
- Zombie hunters: http://www.newyorker.com/archive/2005/10/10/051010fa_fact

Slide 9: Computer integrity crime
- Distributed denial of service (DDoS)
  - Estonian Cyber war in 2007
  - Operation Payback end 2010 - mid 2011
- Hacking
  - Comcast hackers sentenced to 18 months in 2008
  - Sarah Palin email hacker sentenced to 1 year in 2010

Notes:
- http://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia
  began April 2007
- http://en.wikipedia.org/wiki/Bronze_Soldier_of_Tallinn
  relocated in April 2007
- DDoS
- http://en.wikipedia.org/wiki/Operation_Payback
  War between proponents and opponents of online piracy; Bollywood hired Aiplex to take out sites. Retaliation too late, deflected to IFPI, MPAA etc
- http://www.computerworld.com/s/article/9187978/Comcast_hackers_get_18_months_in_prison
  Social engineering of Comcast staff, access to DNS servers, routed traffic of Comcast customers to hacker sites
- http://en.wikipedia.org/wiki/Sarah_Palin_email_hack
  David Kernell, son of Memphis Senator, used account recovery of Yahoo to gain access to Palin's mail
- http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Slide 10: Computer content crime
- Piracy
  - Pirate Bay four sentenced to 1 year in 2009
  - US Software pirate sentenced to 2 years in 2011
- Data base theft
  - Sony Play station network hack in 2011 exposed 77M accounts, cost 171M$
  - Sonypictures.com exposed 1M passwords
  - TJX Hacker sentenced to 20 years in 2011

Notes:
- http://en.wikipedia.org/wiki/The_Pirate_Bay_trial
  Three Swedes who ran the site and a business partner sentenced, appeal refused in 2012. Damages claimed to be $6.8M
- http://torrentfreak.com/pirate-bay-witness-wife-overwhelmed-with-flowers-090227/
  DDoS with flowers for the wife of an expert witness for the defense
- http://www.forbes.com/sites/billsinger/2011/08/17/software-pirate-sentenced-to-prison/
  Jacinda Jones made $400,000 from selling pirated software
- http://en.wikipedia.org/wiki/PlayStation_Network_outage
- http://newyork.ibtimes.com/articles/158414/20110606/sony-hack-playstation-network-password-analysis.htm
  Plain text passwords: seinfeld, password, 123456, winner
- http://www.wired.com/threatlevel/2010/03/tjx-sentencing/
  Alberto Gonzalez conducted war driving against TJX stores, stole magstripe info, sold this via Ukrainian national Yastremskiy to carders. Yastremskiy sentenced in 2007 to 30 years in prison in Turkey. Gonzalez hired by secret service at $75,000 a year and continued his criminal career

Slide 11: Certificate
Signed binding of a public key and an identity

Notes:
- http://en.wikipedia.org/wiki/Certificate_authority
- http://en.wikipedia.org/wiki/DigiNotar
- http://www.pcworld.com/businesscenter/article/239607/diginotar_certificates_are_pulled_but_not_on_smartphones.html
- http://www.diginotar.nl/Portals/7/Persberichten/Operation%20Black%20Tulip%20v1.0a.pdf
- http://spectrum.ieee.org/riskfactor/telecom/security/diginotar-certificate-authority-breach-crashes-egovernment-in-the-netherlands
- http://www.enisa.europa.eu/media/news-items/operation-black-tulip

Slide 12: How does a certificate work?
Server
- Generates key pair and keeps private key secret
- Sends public key to CA
- Encrypt message with private key
CA
- CA signs & publishes public key
User
- Obtain certificate
- Check CA signature
- Check revocation list
- Decrypt message with public key
User knows that it is talking to the server.
Operation Black Tulip: http://www.youtube.com/watch?v=wZsWoSxxwVY

Slide 13: Certificate fraud
- 2001 Verisign
  - Offender claimed to be from Microsoft
  - 2 rogue certificates
  - Discovered by Verisign
- 2011 DigiNotar
  - Offender(s) hacked the server, no anti virus and weak passwords
  - Hundreds of rogue certificates
  - Discovered by Iranian Gmail user
- 2011 Comodo

Notes:
- http://www.sans.org/reading_room/whitepapers/certificates/security-alert-fraudulent-digital-certificates_679
- http://www.computerworld.com/s/article/9215360/Comodo_hacker_claims_another_certificate_authority

Slide 14: Additional problems
- DigiNotar had been hacked before (2009)
- Microsoft delayed patches for NL by week to prevent blackout
- No backup certificates
- There are hundreds of companies like Diginotar
- False certificates still accepted by older browsers that have not been patched...
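Added example (not from the original slides): the server, CA and user steps of the "How does a certificate work?" slide in Python, using textbook RSA on constructed toy primes; all function names, the `mail.example` identity and the serial numbers are assumptions. It also shows the point behind the DigiNotar slides: a rogue certificate signed with the CA's own key passes the signature check and is stopped only by the revocation list.

```python
import hashlib

def keypair(p, q, e=65537):
    """Textbook RSA from two primes; returns (public, private)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):         # the slide's "encrypt with private key"
    n, d = private
    return pow(_digest(data, n), d, n)

def verify(public, data, sig):   # the slide's "decrypt with public key"
    n, e = public
    return pow(sig, e, n) == _digest(data, n)

def binding(cert):
    """The bytes the CA signs: serial, identity and public key together."""
    return repr((cert["serial"], cert["identity"], cert["public"])).encode()

def issue(ca_private, serial, identity, public):
    cert = {"serial": serial, "identity": identity, "public": public}
    cert["sig"] = sign(ca_private, binding(cert))
    return cert

def user_check(cert, ca_public, revoked, challenge, response):
    """The user's steps from the slide, in order; returns the first failure."""
    if not verify(ca_public, binding(cert), cert["sig"]):
        return "bad CA signature"
    if cert["serial"] in revoked:
        return "revoked"
    if not verify(cert["public"], challenge, response):
        return "peer does not hold the private key"
    return "ok"

def mersenne(k):                 # constructed toy primes, far too weak for real use
    return 2**k - 1

CA_PUB, CA_PRIV = keypair(mersenne(107), mersenne(127))
SRV_PUB, SRV_PRIV = keypair(mersenne(61), mersenne(89))
ROGUE_PUB, ROGUE_PRIV = keypair(mersenne(19), mersenne(31))
NONCE = b"constructed challenge"
GOOD = issue(CA_PRIV, 1, "mail.example", SRV_PUB)
# Rogue certificate: issued with the CA's own key for someone else's key pair,
# so its signature is valid and only the revocation list can stop it.
ROGUE = issue(CA_PRIV, 2, "mail.example", ROGUE_PUB)
SELF_SIGNED = issue(ROGUE_PRIV, 3, "mail.example", ROGUE_PUB)
```

`user_check(ROGUE, CA_PUB, set(), NONCE, sign(ROGUE_PRIV, NONCE))` returns `"ok"` until serial 2 is in the revoked set, which is why a client that never receives the revocation keeps accepting the rogue certificate.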

Slide 15: Differences
Old Crime
- Serial
- Labour intensive
- Local
- Geographical place
Cyber-crime
- Can be simultaneous
- Can be automated
- Global
- Effort?
- Requires conversion to meat space

Slide 16: Similarities
- Most Cyber-crime a variant of old crime
  - Advance fee fraud via email vs letters
  - Click fraud vs replying to junk mail with bricks
- Technology used for new crime before
  - Printing press for counterfeiting
  - Telegraph for books by Charles Dickens

Notes:
- Click fraud by fraudulent web masters who host pay per click adverts
- http://en.wikipedia.org/wiki/Copyright_Act_of_1790
  Until 1891 only copyright for US citizens

Slide 17: Social cost cyber crime

| Social cost cyber crime | Estimate (B$) | Year |
|---|---|---|
| Anti-virus | 3.4 | 2012 |
| Patching | 1 | 2010 |
| ISP clean-up | 0.04 | 2010 |
| User clean-up | 10 | 2012 |
| Defence firms | 10 | 2010 |
| Law enforcement | 0.4 | 2010 |

[And12] R. Anderson, C. Barton, R. Böhme, R. Clayton, M. J. G. van Eeten, M. Levi, T. Moore, and S. Savage. Measuring the cost of cybercrime. In 11th Workshop on the Economics of Information Security (WEIS), Berlin, Germany, Jun 2012. http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf

Slide 18: Cyber-crime triangle
A motivated offender attacks a suitable target in the absence of a capable guardian:
- Attacks via vulnerabilities of the users
- Attacks via vulnerabilities of the systems
- Propagating attacks
- Exploiting attacks

Slide 19: Attack vulnerable user
- Social engineer a user
  - 2001 SPAM with AnnaKournikova.jpg.vbs
  - Phishing (More later)
- Hacking into server
  - Password cracker
  - Intelligence from OSN as in the Palin email hack

Notes:
- http://en.wikipedia.org/wiki/Anna_Kournikova_(computer_virus)
  Jan de Wit from Sneek created the virus in a few hours and turned himself in when he realised what he had done
- http://en.wikipedia.org/wiki/L0phtCrack of Jack the Ripper
- http://newyork.ibtimes.com/articles/158414/20110606/sony-hack-playstation-network-password-analysis.htm
- http://en.wikipedia.org/wiki/Sarah_Palin_email_hack

Slide 20: Attack vulnerable system
- Exploit known vulnerability and install malware on a client
  - Trojan like Zeus for key logging
  - Physical access via USB sticks and autorun
- Find & exploit vulnerable system
  - Vulnerability scanner like Acunetix
  - SQL injection

Notes:
- http://en.wikipedia.org/wiki/Zeus_(trojan_horse)
- http://en.wikipedia.org/wiki/Acunetix
- http://en.wikipedia.org/wiki/SQL_injection

Slide 21: Propagating attacks
- Change the web site on the server
- Create a drive by download to infect a client
- Create a botnet out of infected clients to:
  - Send spam
  - Perpetrate a DDoS attack
  - Evade detecti