Future Crimes (CH 1-11)
Alexander Do, Josh Doman, Xinran Han, Tommy Kumpf, Stephanie Shi
Chapter 1: Connected, Dependent, and Vulnerable
How would you rob a bank?
Bank robbery in the 21st century
Crime today is global and reaches a huge scale
Challenges facing law enforcement
● Normal bank robbery has clear jurisdiction
  ○ NYPD and FBI jointly investigate the matter
  ○ Suspect is physically located in the same jurisdiction
  ○ Physical evidence left behind (fingerprints, DNA, surveillance, etc.)
  ○ Crime physically limited in scope (can only carry so many dollar bills)
● Cyber-crime
  ○ Multiple jurisdictions across the world
    ■ Crime victim is in New York
    ■ Suspect is in Russia
    ■ Money routed through banks in multiple countries
  ○ Lack of physical evidence
    ■ Borderless world makes tracking very difficult; criminals can hop from country to country via virtual networks
Protection is lacking
● Anti-virus software is failing to keep up
  ○ Symantec, McAfee, and others are trusted by the public but detected only 5% of new malware
  ○ Systems are months behind criminals
  ○ Only block known malicious code, do not proactively search for zero-day vulnerabilities
    ■ “Zero-day”: a previously unknown vulnerability in a live computer system
● Corporate security isn’t much better
  ○ Study found 62% of intrusions took at least 2 months to detect
  ○ Rarely caught by actual security professionals or software developers
  ○ Usually only noticed after law enforcement or a customer notifies the company of the problem (already too late)
Chapter 2: System Crash
Putting the real world at risk
● With infrastructure coming online, cyber attacks can have real consequences
  ○ 14-year-old boy caused train derailment in 2014 by hacking switches
  ○ More nefarious actors include:
    ■ Russian hacking of water treatment facility (2011)
    ■ Terrorist attacks by al-Qaeda, ISIS on electric grid
    ■ Organized crime in Brazil extorting money from utility companies and local governments
    ■ Nation states such as China, Russia, and the United States
● Other targets include credit cards, identity info, and source code from companies like Adobe and Symantec
● Criminal and terrorist organizations enabled by online forums, how-to videos, and illegal marketplaces on the dark web
Chapter 3: Moore’s Outlaws
Crime benefits from Moore’s law too
● Technology has enabled exponential growth in the scale and impact of criminal organizations
  ○ Only so many people can be robbed in a back alley
  ○ The rise of trains suddenly allowed criminals to rob hundreds of people at once (Jesse James, Butch Cassidy, and others)
● Exponential growth in the number of people connected online over the last few decades
  ○ 2007: TJ Maxx hacked, financial data stolen from 45 million customers
  ○ 2013: 110 million credit cards stolen from Target
  ○ 2014: Russian group stole 1.2B usernames, passwords, and other confidential data from 420,000 websites
● Growing complexity of computer software results in more bugs and less security
  ○ Carnegie Mellon study found 20 - 30 bugs for every 1,000 lines of code
Chapter 4: You’re Not the Customer, You’re the Product
Our Growing Digital World
● By 2013, Americans were spending more than five hours a day online with their digital devices
● 80% of people check their mobile phones for messages within 15 minutes after waking up
● Why exactly are sites like Google, Facebook, and Twitter free?
● Take Google as an example
  ○ In 2000, began the selling of ad keywords for products
  ○ Introduced many services that became commonly used (e.g. Google Maps, Google Calendar)
  ○ Products providing a good service or extracting more personal data?
● You are the product
The Social Network and Its Inventory - You
● Google is not alone in its selling of your personal information to advertisers
● Facebook gets people to divulge pretty much everything about themselves
● Using this information, advertisers can market to individuals with extreme precision
● Even something as seemingly innocuous as clicking the like button generates data that is sold to markets and data brokers around the world
● Twitter, Instagram, Pinterest, etc. all do the same thing
You’re Leaking - How They Do It
● Websites place digital marking files known as cookies on your computer/phone
● All digital devices also have unique identifiers (e.g. IP addresses, MAC addresses)
● This data is tracked, unified, and exploited to give companies and advertisers a look into you and your activities
● Even your friends and family leak data about you
● This even occurs when people you know use services you don’t
  ○ Gmail sued for reading email chains involving a Gmail user
● Sites for children install more tracking technologies than those for adults
  ○ Children’s Online Privacy Protection Act
The Most Expensive Things In Life Are Free
● You are not receiving online services like Google for free - you are paying with your privacy and data
● Wall Street Journal did a study on the value of aspects of Facebook to the company
  ○ Long-term user: $80.95
  ○ One user friendship: $0.62
  ○ Profile page: $1800
  ○ Business web page and ad revenue: $3.1 million
● Google “shared endorsements”
● Facebook “sponsored stories”
  ○ Earned $230 million in 18 mo., settled lawsuit for $20 million
Chapter 5: The Surveillance Economy
Meet the Data Brokers
● Acxiom, Epsilon, DataLogix, etc. all part of a data surveillance industry worth $156 billion a year
  ○ Twice the size of the U.S. govt.’s intelligence budget
● Data brokers get information from internet service providers, credit card issuers, banks, etc., and increasingly our online activities
● Acxiom operates over 23000 computer servers that collect and analyze more than 50 TRILLION unique data transactions per year
● Has profiles on 96% of Americans, and over 700 million people worldwide
● Provide “behavioral targeting” to 12/15 top credit card issuers, 7/10 top retail banks, 8/10 top telecommunications companies, 9/10 top insurers
● Surveillance is the business model of the internet
Analyzing You
● Each of us leaves a trail of digital transactions throughout the day that will live on forever
● Google Now provides consumers with convenient information such as traffic alerts, when friends are nearby, when you need to buy milk, etc. at the cost of your entire digital footprint
● Analysis of locational data and that of the phones around you can approximate strengths and bonds of personal and professional networks
● Analysis of social network can even be used to determine sexual orientation
  ○ MIT study “Gaydar” able to predict sexual orientation of students with 78% accuracy
But I’ve Got Nothing to Hide
● “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” - Google CEO Eric Schmidt, 2009
● “Privacy is no longer the social norm.” - Mark Zuckerberg
● Idea that the assertion of privacy rights is in contrast with “true authenticity”
● This is the wrong way to think of our dataveillance society
● Fallacy that either we have nothing to hide or we are criminals worthy of suspicion
Knowledge is Power, Code is King, and Orwell Was Right
● Orwell depicts an omnipotent government surveillance state controlled by privileged elite in 1984
● We have allowed ourselves to be monetized and productized
● Code is, in effect, law
● Perhaps you can close your accounts/never make new ones?
● Facebook keeps your data even after you delete your account
● Friends will tag you in pictures, GPS in car will track your location, Target will track your purchases
● We are no longer in control of our data, and hackers are hard at work stealing the social data you have given up
Chapter 6: Big Data, Big Risk
Data is the new oil
● Every 10 minutes, we created as much information as did the first ten thousand generations of human beings
● “The more data you produce and store, the more organized crime is happy to consume”.
● Facebook’s security department acknowledged that over 600,000 accounts are compromised every day.
  ○ These data can be used for identity theft, criminal impersonation, tax fraud, health insurance scams
  ○ 75% of people use the same password for multiple Internet sites; 30% use the same login information for all sites
● Social media attack tools have become streamlined and one need not even be a master hacker to steal information. E.g. Firesheep.
Identity Theft and More Issues
● The explosion of data has led to creation of a brand-new industry for transnational organized crime groups and mass identity theft.
  ○ Identity fraud cost Americans nearly $21 billion in 2012
  ○ More than 13.1 million Americans are reportedly victims of identity fraud annually
  ○ Children are the fastest-growing group of victims
● Cyber bullying. According to the National Crime Prevention Council, nearly half of all teenagers are affected by cyber bullying.
● Cyber stalking.
● Social media profile may also make you vulnerable to hate crime based on race, religion, gender …
● 78% of convicted burglars admitted monitoring Facebook, Twitter to pinpoint specific home to rob. Also use Google’s Street View to plan escape routes.
Chapter 7: I.T. Phones Home
Mobile Phone Insecurity
● Malicious apps are common:
  ○ By 2013, more than 42,000 apps in Google’s store had been found to contain spyware and information-stealing programs
  ○ Even more rampant in third-party app stores
● Growing hacker attention targeting mobile payments
● Your location becomes the scene of the crime:
  ○ used to ill effect in relationship discord and domestic violence
  ○ In 2012, the U.S. Department of Justice revealed that there were 3.4 million victims of stalking annually, among those hundreds of thousands were tracked by spyware and GPS hacks
● Retailers use Wi-Fi signals and MAC addresses on smartphones to follow you in stores
Big Data Risks and Surveillance
● All the major cloud service providers have already been remotely targeted by criminal attacks, including Dropbox, Google, Microsoft.
● Rights reserved in ToS mean that companies bear little or no liability when data breaches occur.
● Government’s aggressive pursuit of big data
  ○ NSA’s PRISM program
  ○ Mass data surveillance can be used for the common good or to the common detriment
Major threat to Big Data: Theft and Leakage
Potential danger in the future: unauthorized alteration?
Chapter 8: In Screen We Trust
“In Screens We Trust”
⬡ Motto of our age
⬡ Life is characterized by screens
  ∙ Internet Search
  ∙ Social Media
  ∙ GPS
⬡ Screens are intermediaries, proxies for reality
Stuxnet Worm
Social Media
⬡ Too much information to parse - Social Media companies do it for us
⬡ Facebook, Google, Instagram, all edit what posts, results, and photos you see
  ∙ “Abortion” returns Planned Parenthood for some and Catholic.com for others
⬡ They use very proprietary algorithms for this, which make it very difficult to know how your feeds are affected
⬡ Not necessarily malicious, but opaque and indecipherable
Chapter 9: Mo’ Screens, Mo’ Problems
Screens are Integral to Society
⬡ Screens are present in much of a country’s “Critical Information infrastructure”:
  ∙ “Those core elements of a modern society whose destruction or incapacity would have a debilitating impact on national security, the economy, public health or community safety”
⬡ Our nation is entirely reliant on technology for much of this
  ∙ Air Traffic
  ∙ GPS
  ∙ Medical Records
  ∙ Energy Companies
Robin Sage
Swatting
Chapter 10: Crime, Inc.
The Cyber Sopranos
● Organized crime is believed to account for 15-20% of global GDP
● Traditional crime groups like the Cosa Nostra (Italian Mafia), Japanese Yakuza, and Chinese Triads all have opened cyber-crime divisions
  ○ Cyber crime is borderless and offers great anonymity, and prosecutions are exceedingly rare, perhaps occurring in less than one one-thousandth of 1 percent of all cases.
● According to a 2014 study by the Rand Corporation, a full 80 percent of hackers are now working with or as part of an organized crime group.
  ○ Today, more than 40% of organized cyber criminals are 35+
● Criminals adapt technology quickly to stay ahead of law enforcement
The Org Chart
Similar to traditional technology companies:
● CEO
● CFO
● CIO
● CMO
● middle management
● worker bees/infantry
● research and development
● coders, engineers, and developers
● quality assurance
The Org Chart (cont.)
Similar to traditional technology companies:
● affiliates
  ○ many of the very best are located in Russia
  ○ Partnerkas
● technical support
● director of human resources
● money mules
  ○ move cash to legitimate assets
  ○ face of cyber crime and operate in true name → short shelf life
  ○ According to one money-mule expert, the lack of available mules is the key bottleneck facing Crime, Inc. today
Other Parallels
● Criminal “startups” tend to be lean and nimble, self-assembling swarms
● Organizations are very sophisticated: CRM software, bulk discounts, technical support, track competition, and law enforcement
● Some Crime, Inc. organizations use CRM software
● Crime U: online tutorials, prison
  ○ Corrections officials in San Quentin maximum-security prison created a start-up incubator for prisoners
● Crowdsourcing and crowdfunding
Chapter 11: Inside the Digital Underground
Tor: Passport to the Dark Web
● Originally created and funded as a project of the U.S. Naval Research Laboratory in 2004
● Tor (The Onion Router) routes web connections through 5K+ computer servers to hide source and destination of your connection
  ○ Some websites only receive inbound connections through Tor network
  ○ All hidden services have own domain names that end in an "onion" suffix
● As of early 2014, downloaded nearly 150 million times and used by two million people daily
Deep Web
● Like a mirror of the normal web
● Deep Web contains seventy-five hundred terabytes of information (Googleable universe contains 19 terabytes)
  ○ Dark Net (Dark Web) is nested within Deep Web
● In mid-2014, one highly innovative hacker created the Dark Web's first distributed search engine (Grams)
What is in the Dark Web?
● Pirated Content
● Drugs
● Counterfeit Currency
● Stolen Luxury Goods / Electronics
● Cards / Accounts
● Identity Theft
● Documents
● Weapons, Ammunition, and Explosives
● Hit Men
● Child Sexual Abuse Images
● Human Trafficking
● Human Organ Trafficking
● Live Child Rape
Dark Coins
● Encryption techniques and relative anonymity of cryptocurrency make it strongly attractive to criminals
  ○ Estimated nearly $10 billion in virtual currencies were transacted in 2013 alone
● Hackers have been able to steal millions and millions of dollars in virtual money from one another, with the largest attack to date directed against Mt. Gox, a Tokyo-based Bitcoin exchange that had $470 million pilfered from its digital coffers in early 2014
● Darkcoin (ultrasecret shadowy cousin of Bitcoin) was created specifically to obfuscate users’ purchases by combining any single transaction with those of other users so that payments cannot be tied to any particular individual
● Darkwallet: created by an org referring to itself as unSYSTEM
  ○ tries to bring Bitcoin back to its libertarian roots by enabling "hyper-anonymized" transactions
Crime as a Service (CaaS)
● One of the most purchased services is IT infrastructure (due to special emphasis on privacy and anonymity)
● By using reputable firms to host their crimeware, hackers are much less likely to have their traffic blocked or detected by third parties.
  ○ 2013 study suggested that 16 percent of the world’s malware distribution channels were hosted in the Amazon Cloud while another 14 percent emanated from GoDaddy’s servers.
● Cloud computing gives tremendous computing power at the disposal of legitimate users and hackers alike
  ○ Using cloud computing and tools such as CloudCracker, you can try 300 million variations of your potential password in about twenty minutes at a cost of about $17.
Crimeazon.com
● Like Amazon.com but for Crime
● Can get repackaged tools for phishing, spam, fraud, DDoS, and data theft
  ○ Zeus Builder
  ○ Bugat
  ○ SpyEye
● Crimeazon Prime
The Malware-Industrial Complex
● Professional firms whose sole business model is the trafficking in computer malware exploits to governments
  ○ e.g. Vupen in France, Netragard in Massachusetts, Endgame of Georgia, Exodus Intelligence in Texas, ReVuln in Malta
Botnets
● botnet: a robot network of infected computers under the remote control of the hacker
● Infected machines can be used for criminal services like spreading malware, perpetrating DDoS attacks, etc.
  ○ e.g. Mariposa, Conficker, Koobface
  ○ As of mid-2014, largest botnet known to be in existence was called ZeroAccess (up to 2 million zombie computers under its complete control)
Crime Automation
● As of 2011, an estimated 61 percent of all online attacks were launched by fully automated crime tool kits
  ○ Ransomware
  ○ CryptoLocker
  ○ Trojan that encrypts all the files on a victim's computer so that they can no longer be read or accessed
Thanks!