Transcript of Cybercrime
Tallinn University of Technology
Aim of this session:
to give a general view of cybercrime and its place within the cyber security field, both from the legal point of view and as it plays out in practice
Historical and present impacts of cybercrime
Myths and recent developments
Concepts, typology, actors
Challenges and elements of solutions?
Use of ICT and dependence of societies
Some statistics - number of internet users
1990 – 3 million people use internet
2000 – 360 million
2011 – 2 billion
No longer revolution, but reality
Cybercrime acts come to the attention of law enforcement most often through reports by individual or corporate victims
However, the proportion of actual cybercrime victimization reported to police ranges upward from 1% (Source: UN)
Concern about potential cyber threats
Securitization of cyberspace
Roll back the clock or bear the costs to our modern way of life
Cybercrime and cybersecurity are issues that can hardly be separated in an interconnected environment.
Cybersecurity plays an important role in the ongoing development of information technology, as well as Internet services.
Historical and present impacts of cybercrime
1971 first virus "Creeper"
1988 Morris worm
1994 Citibank heist
1997 "Eligible receiver"
2000 first major DDoS attacks
2003 "Titan Rain" advanced persistent threat (APT) discovered
2007 nation state under attack - Estonia
2007 "Zeus" banking trojan
2008 "Ghostnet" discovered
2012 "Red October"
2013 Mandiant APT1 report confirms Chinese APT
...the ongoing corporate cyber espionage and theft of intellectual property is the greatest transfer of wealth in history and it costs $340 billion a year...
/Gen. Keith Alexander, NSA and US Cyber Command/
"Unlimited Operation" - the biggest bank heist in history, as the media called it - in 2013 a worldwide cybercrime organization managed to steal
from a bank.
Records are also being set one after another in the scale of DDoS attacks. In the 2013 attack on Spamhaus the bandwidth reached 300 Gbps, which was "beaten" in 2014 by the attack against CloudFlare with 400 Gbps. Both were reflection (amplification) attacks that abuse publicly reachable, misconfigured UDP services: the Spamhaus attack used DNS reflection via open resolvers, the 2014 CloudFlare attack NTP reflection via servers still answering the monlist query. In each case the attacker spoofs the victim's address as the source of small requests, and the reflectors send responses many times larger to the victim. These cases illustrate how breaches of internal rules, company policies and good practices and standards (running an open resolver, not filtering spoofed source addresses as BCP 38 recommends), if they occur in large numbers, create vulnerabilities that lead to increasingly serious cyber incidents.
There is near unanimity among states, international organizations, corporations, academia and industry on two basic issues:
must be employed and that
cooperation with the private sector
is essential in this field.
The comprehensive approach to cyber security has emerged in the last decade and has been adopted by several states, including the US, Estonia, Australia, Canada, etc.
This approach emphasizes that cyber security goals can be achieved by combining
expertise, experience, capabilities and resources of all levels
of cyber incident handling in aspects of
prevention, detection, response and recovery.
About some myths...
Some of the biggest obstacles come from
of cybersecurity and the policies that are based on them - we had wrong assumptions about the source of threats, the effects of private-sector responsibility, and the capability of self-governance on the internet
Cyberspace is not a commons
, and the internet is not borderless - it is a physical construct, it has an architecture, and it comprises devices subject to state control and sovereignty. The architecture of the internet may also be affected by growing state presence
About some myths ...(cont.)
Although the private sector owns 80-90% of
, it cannot take the lead in defence (market failure)
is hard, but not impossible, and it is getting easier - the main problems are not technical but legal and "practical"
Immediate problems are (organized) crime, economic espionage and the risk of offensive military action;
The primary malicious actors in cyberspace are national governments, state-sponsored groups and organized criminal organizations
Cybersecurity is a national security and law enforcement problem where primary responsibility falls upon governments
The comprehensive legal approach reflects the three inseparable dimensions of legal decision-making:
Technology - art of the possible
Policy - art of the preferable
Law - art of the permissible
Incident spectrum: breach of internal policies or regulations | breach of legal obligations | crime | terrorist activity | cyber warfare
Applicable legal regime: information society law | criminal law | national security law | law of armed conflict
Overall framework: law of cyber conflict
Source: NATO Cooperative Cyber Defence Centre of Excellence
Why is there a need for a coordinated legal approach?
1. Private sector performance and responsibilities largely determine law enforcement and response capabilities
2. Authority to respond may change swiftly
3. Little interaction between law, technology and policy produces gaps and inefficient responses = no deterrence
Elements of solutions and implementation?
Awareness raising and education
Balancing 5 dilemmas
The Pyramid
It is a conceptual structure that organizes the process of cyber security implementation
Layers reflect the levels of decision-making
Precise, unambiguous determinations
The Pyramid: Presumptions (bottom layer)
Automatic responses, black-and-white rules
Must be drawn very narrowly
Needs identification and notification after the immediate threat has been neutralized
Used in SCADA systems, for example, where the stakes are high
Real-life analogy: a sergeant orders the guards to shoot anyone who crosses the perimeter of a military base near enemy territory
The Pyramid: Algorithms (middle layer)
Also carried out by an automated system, but involves a logic tree to authorize further action
Requirement for additional information
Real-life analogy: a sergeant is required to obtain a recognition signal from potential intruders
The Pyramid: Law (top layer)
At the top of the pyramid, the law is the most nuanced and slowest
Humans must be involved; analysis is required
Traditional legal counsel
Quality product, including political judgment
Real-life analogy: a commander consults for hours with a legal advisor before responding to civilian protesters
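The three layers as an added illustration in code (this is not material from the lecture): a tiered response policy in which a narrow presumption fires automatically and notifies afterwards, the algorithm layer works through a logic tree and names the extra information it still needs, and everything else is escalated to a human. The event fields, zone names, thresholds and rule texts are assumptions made for the example.

```python
"""Tiered incident response modelled on the presumptions / algorithms / law
pyramid. Added example; events, zones, thresholds and rule texts are assumed."""
from dataclasses import dataclass, field
from typing import Collection, Optional


@dataclass
class Event:
    source: str        # originating host (assumed field)
    target: str        # "<zone>/<asset>", e.g. "scada/plc-3" or "web/portal"
    action: str        # e.g. "write_setpoint", "login_fail", "scan"
    count: int = 1     # how many times it was observed


@dataclass
class Decision:
    layer: str                     # "presumption" | "algorithm" | "law"
    response: str
    notify: bool = False           # presumption layer: notify after acting
    needs: list = field(default_factory=list)  # information still required


# Layer 1 - presumptions: narrow, unambiguous, automatic (assumed rule set).
# Keyed by (zone, action) so a rule can never match outside its zone.
PRESUMPTIONS = {
    ("scada", "write_setpoint"): "block source and isolate PLC network segment",
}


def algorithm_layer(ev: Event, known_hosts: Collection[str]) -> Optional[Decision]:
    """Layer 2 - a logic tree: automated, but it may stop and ask for more data."""
    if ev.action == "login_fail":
        if ev.count < 20:
            return None                       # not enough to act on automatically
        if ev.source in known_hosts:
            return Decision("algorithm", "lock account, open helpdesk ticket")
        return Decision("algorithm", "rate-limit source for 15 minutes",
                        needs=["ownership of source address", "geolocation"])
    return None


def decide(ev: Event, known_hosts: Collection[str] = frozenset()) -> Decision:
    """Walk the pyramid bottom-up; whatever no automated layer covers goes to people."""
    zone = ev.target.split("/", 1)[0]
    rule = PRESUMPTIONS.get((zone, ev.action))
    if rule:
        return Decision("presumption", rule, notify=True)
    d = algorithm_layer(ev, known_hosts)
    if d:
        return d
    return Decision("law", "escalate to human analyst; legal counsel before any active response")


if __name__ == "__main__":
    samples = [
        Event("10.0.0.5", "scada/plc-3", "write_setpoint"),
        Event("203.0.113.9", "web/portal", "login_fail", count=50),
        Event("10.0.0.5", "web/portal", "scan"),
    ]
    for ev in samples:
        d = decide(ev, known_hosts={"10.0.0.1"})
        print(f"{ev.target:12} {ev.action:15} -> [{d.layer}] {d.response} needs={d.needs}")
```

The presumption table is deliberately tiny and keyed on zone plus action: the lecture's point is that automatic rules are safe only when drawn very narrowly, and that after they fire someone still has to be told.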
Threat agents, their motivations, targets, tools
- creation of competitive advantages: collecting business intelligence, breaching IP rights, gathering confidential information on competitors, engaging in intelligence gathering connected to bids, etc.
- infiltrate all kinds of targets, both governmental and private, in order to achieve their objectives: target state secrets, military secrets and intelligence data, threaten the availability of infrastructure
- loosely and dynamically organized, ideologically motivated individuals: targets are selected so that media attention to a successful cyber attack creates visibility and public attention
- characteristic of this group is the indiscriminate use of violence in order to influence the decisions/actions of states towards their politically or relationally motivated objectives: activities of this group are mostly impact oriented and may affect or harm a large part of a society, just to generate the necessary pressure.
Cyber terrorists may use technology both as the means and the target of their attack, while critical infrastructures comprise one of the main targets. Information collection, reconnaissance and social engineering are methods that may belong to the key capabilities of this group.
- objective is to obtain profit from illegal/criminal activities in cyberspace: involved in fraud schemes regarding all kinds of e-finance and e-commerce, ransomware, cybercrime-as-a-service, delivery and development of malicious tools and infrastructures.
- cyber fighters are groups of nationally motivated citizens. Such groups might have strong feelings when their national, political or religious values seem to be threatened, and are capable of launching cyber attacks. They act in support of governments or groups; their activities involve conflicts with other groups and they may form a considerable striking power.
- technically novice, "wannabe hacker" individuals: limited knowledge and skills, use of ready-made tools and simple code, typically engaged in DDoS and code injection attacks. Susceptible to external influence from other groups.
Online Social Hackers
- increasing significance of social engineering as an element of the cyber attack pattern. Individuals skilled in social engineering, in analysing and understanding the behaviour and psychology of social targets and in creating a false trust relationship: identity theft, collection of confidential personal data and user credentials, cyber bullying.
- this group is behind the insider threat: staff, contractors, former employees, etc., with different reasons for acting (revenge, dissent, frustration, malicious intent, etc.). Technically low to medium skilled, but because of their access rights and knowledge of assets they may cause significant damage.
Trojans designed to steal banking data – credit card numbers, credentials, e-mails, etc.
2007 First banking Trojan "Zeus" - spread by drive-by download and phishing, used keylogging, web injects (HTML inserted into the bank's page inside the victim's browser), etc.
2008 Torpig – steals data, remote desktop, modifies data as the beneficiary bank account number is typed
2009 SpyEye – disables Zeus (note the competition for market share!)
2010 ZitMo (Zeus-in-the-mobile) – the mobile component of Zeus, with variants for several platforms including Android; runs as an ordinary (closeable) program and can intercept SMS authentication codes
2010 SpitMo (SpyEye-in-the-mobile) – the mobile component of SpyEye, not a Zeus variant; runs as a service, so it is hard to notice
2011 Zeus source code is leaked - wave of new developments
2011 Flashback – trojan for OS X users
2011 Shylock – performs its injection at the network level, so the manipulation is not visible as a change in the browser; it intercepts the network data directly
2012 Citadel – tracing is very hard because traffic bounces between nodes and it is difficult to distinguish "good" from "bad" nodes
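What a "web inject" actually does, as an added analysis example that is not part of the lecture: a parser for the webinjects.txt layout used by Zeus and its descendants (set_url mask plus data_before / data_inject / data_after blocks), a function that produces the page as the hooked browser would render it, and a defender-side check that lists form fields the bank never served. The config and the login page are constructed, the handling of data_after is a simplified reading of the format, and the domain bank.example is an assumption.

```python
"""Parse a Zeus-style web inject config and show what it adds to a banking page.
Added analysis example; config and page are constructed, format handling simplified."""
import fnmatch
import re

# Constructed sample in the webinjects.txt layout: 'set_url <mask> <flags>'
# (flags G/P select GET/POST requests) followed by data_before / data_inject /
# data_after blocks, each terminated by data_end.
SAMPLE_CONFIG = """\
set_url https://bank.example/login* GP
data_before
name="password"*>
data_end
data_inject
<label>ATM PIN <input type="text" name="atm_pin"></label>
data_end
data_after
data_end
"""


def parse_webinjects(text):
    """Return a list of rules: {'url', 'flags', 'before', 'inject', 'after'}."""
    rules, current, block, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            parts = line.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "before": "", "inject": "", "after": ""}
            rules.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            block, buf = line[len("data_"):], []
        elif line == "data_end" and block is not None:
            current[block] = "\n".join(buf)
            block = None
        elif block is not None:
            buf.append(line)
    return rules


def _mask_to_regex(mask):
    # '*' is the only wildcard in the config; everything else is literal text
    return ".*?".join(re.escape(part) for part in mask.split("*"))


def apply_injects(url, html, rules):
    """HTML as the hooked browser renders it: data_inject goes right after the
    data_before match; if data_after is set, the original content between the two
    anchors is replaced (simplified reading of the format)."""
    for rule in rules:
        if not fnmatch.fnmatchcase(url, rule["url"]) or not rule["before"]:
            continue
        m = re.compile(_mask_to_regex(rule["before"]), re.S).search(html)
        if not m:
            continue
        end = m.end()
        replaced_to = end
        if rule["after"]:
            a = re.compile(_mask_to_regex(rule["after"]), re.S).search(html, end)
            replaced_to = a.start() if a else end
        html = html[:end] + rule["inject"] + html[replaced_to:]
    return html


def unexpected_fields(served_html, rendered_html):
    """Defender-side check: input names present in the page the user sees but absent
    from the page the bank served (e.g. a DOM snapshot reported by a client-side
    integrity script, compared with the server's reference copy)."""
    names = lambda h: set(re.findall(r'<input[^>]*\bname="([^"]+)"', h))
    return names(rendered_html) - names(served_html)


if __name__ == "__main__":
    page = ('<form action="/login" method="post">'
            '<input type="text" name="user">'
            '<input type="password" name="password">'
            '<button>Log in</button></form>')
    rules = parse_webinjects(SAMPLE_CONFIG)
    seen = apply_injects("https://bank.example/login?lang=en", page, rules)
    print(seen)
    print("injected fields:", unexpected_fields(page, seen))
```

The server never sees the injected field, which is why web injects defeat checks that only look at what the bank sent: the comparison has to be made against what the browser rendered.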
CaaS - Crimeware-as-a-service
business model for illegal services: attacks, infections, money laundering, etc.
"crimevertisement" channels: underground forums and automated crimeware frameworks (botnets, exploit packs)
crimeware services: active bots as carrier agents (delivery mechanism for malware) or C&C panel rental
DDoS attack outlet: the buyer creates an account and provides the target IP addresses
bulletproof services: anti-DDoS protection, real IP masking, fast flux, domain protection, secure sockets layer (SSL) deployment, remote desktop protocol (RDP), virtual private networks and others
code obfuscation services
Cybercrime and cyber security
Deterring cybercrime is an integral component of a national cybersecurity and critical information infrastructure protection strategy. In particular, this includes the adoption of appropriate legislation against the misuse of ICTs for criminal or other purposes and activities intended to affect the integrity of national critical infrastructures.
At the national level, this is a shared responsibility requiring coordinated action related to
prevention, preparation, response and recovery
from incidents on the part of government authorities, the private sector and citizens.
At the regional and international level, this entails cooperation and coordination with relevant partners.
Drives and generations of cybercrime
Social drive - geographical distance, "clean", easy, does not require much skill
Legal drive - transborder nature, jurisdiction issues, hard to trace, no deterrence, anonymity
Economic drive - economic advantage, cheap compared to possible benefits
Changes in the scope of criminal opportunity online, by David S. Wall:
1st generation – use of computers for criminal activity
2nd generation – committed in networks
3rd generation – cybercrime is automated and mediated by internet technology
4th generation - ???
CoE Cybercrime Convention
The 2001 Council of Europe’s Convention on Cybercrime was a historic milestone in the fight against cybercrime.
It entered into force on 1 July 2004. So far forty-two states have ratified the Convention, while eleven states have signed but not yet ratified it.
The Convention aims at:
(1) harmonising the domestic criminal substantive law elements of offences and connected provisions in the area of cyber-crime
(2) providing for domestic criminal procedural law powers necessary for the investigation and prosecution of such offences as well as other offences committed by means of a computer system or evidence in relation to which is in electronic form
(3) setting up a fast and effective regime of international co-operation
Digital evidence and investigative powers
evidence of cybercrime is almost always in digital form - highly fragile; the main concern is integrity
issues in identification; collection and preservation; analysis; and presentation in court
traditional investigative powers of viewing, seizing or copying data, obtaining it from third parties (ISPs) or intercepting communications may need to be complemented by cyber-specific powers
cyber-specific investigative powers: search, seizure, order for subscriber data, order for content data, real-time traffic data, real-time content data, expedited preservation, remote forensics, trans-border access
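How the integrity concern is handled in practice, as an added example that is not from the lecture: every acquired item is hashed into a manifest with a custody log at collection time, the manifest itself is hashed so that later edits to the record are detectable, and the items are re-verified before analysis or presentation. The evidence items, examiner name and timestamp are constructed for the example.

```python
"""Integrity protection for digital evidence: hash each acquired item into a
manifest with a custody log, then re-verify before analysis or court.
Added example, not from the lecture; the evidence items are constructed bytes."""
import hashlib
import json
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(items: Dict[str, bytes], examiner: str, acquired_at: str) -> dict:
    """items maps an evidence label (disk image, log export, ...) to its raw bytes."""
    records = {label: {"size": len(data), "sha256": sha256_hex(data)}
               for label, data in items.items()}
    body = {"examiner": examiner, "acquired_at": acquired_at, "items": records}
    # Hash the record itself so that edits to the manifest are detectable too
    body_hash = sha256_hex(json.dumps(body, sort_keys=True).encode())
    return {**body, "manifest_sha256": body_hash,
            "custody": [{"event": "acquired", "by": examiner, "at": acquired_at}]}


def manifest_intact(manifest: dict) -> bool:
    """True if the examiner, timestamp and item records are unchanged since creation."""
    body = {k: manifest[k] for k in ("examiner", "acquired_at", "items")}
    return sha256_hex(json.dumps(body, sort_keys=True).encode()) == manifest["manifest_sha256"]


def verify(manifest: dict, items: Dict[str, bytes]) -> Dict[str, str]:
    """Status per label: 'ok', 'modified', 'missing' (recorded but not presented)
    or 'unexpected' (presented but never recorded)."""
    status = {}
    for label, rec in manifest["items"].items():
        if label not in items:
            status[label] = "missing"
        elif len(items[label]) != rec["size"] or sha256_hex(items[label]) != rec["sha256"]:
            status[label] = "modified"
        else:
            status[label] = "ok"
    for label in items:
        status.setdefault(label, "unexpected")
    return status


# Constructed sample evidence (not real data)
EVIDENCE = {
    "workstation-disk.img": b"\x00" * 512 + b"sample-image-payload",
    "auth.log": b"Mar  3 10:14:02 srv sshd[4112]: Failed password for root from 203.0.113.7\n",
}

if __name__ == "__main__":
    m = build_manifest(EVIDENCE, examiner="analyst-1", acquired_at="2014-03-03T10:20:00Z")
    print(json.dumps(m, indent=2))
    # Same length, one byte changed: size alone would not catch it, the hash does
    tampered = dict(EVIDENCE)
    tampered["auth.log"] = EVIDENCE["auth.log"].replace(b"203.0.113.7", b"203.0.113.8")
    print(verify(m, tampered))
```

Size is recorded alongside the hash only as a quick pre-check; the single-character change in the sample log keeps the size identical and is caught by the digest alone.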
Reliance on ICT
Number of users
Availability of devices and access
Availability of information
Missing mechanisms of control
Independence from location; no presence at the crime site required
Speed of data exchange
Speed of development
Failure of traditional investigation methods
1. Computer assisted crime
Credit card fraud
2. Computer content crime
3. Computer integrity crime
We would like to inform you, that your most recent Direct Deposit via ACH payment (#363603363841) was declined, because of your business software package being out of date.
Please visit the secure section of our web site to see the details:
Please contact your financial institution to get your updated version of the software needed.
ACH Network Rules Department
NACHA | The Electronic Payments Association
15338 Sunrise Valley Drive, Suite 914
Herndon, VA 23334
Phone: 703-857-5813 Fax: 703-826-0642
Defacement - changing the visual appearance of website
Categories and tools
David S. Wall identified 3 types of cybercrimes:
Computer assisted crime
Computer content crime
Computer integrity crime
CITADEL $2399 - INCLUDES BOT BUILDER + ADMIN PANEL, RENTAL PRICE $125/MONTH
ZEUS $3000, PLUGINS JABBER $500, BACK-CONNECT $1500
BULLETPROOF HOSTING - $500/MONTH, IP CHANGE $10
CREDIT CARD DATA:
10K BOTNET RENTAL - $10/H, $40/DAY
International legal standards
Council of Europe Convention on Cybercrime (the Budapest Convention)
European Union - Directive 2013/40, proposed NIS Directive
International Telecommunication Union - ITU Toolkit for Cybercrime legislation, etc.
technology neutral language
petty or insignificant misconduct can be excluded
intentional offences only (willfully and/or knowingly) - left to national interpretations
typology - overlapping categories
no provisions on the scope or aim of the Convention
includes definitions, substantive criminal law, criminal procedural rules and international cooperation
addressed to signatory states
Article 1 – Definitions
For the purposes of this Convention:
a) "computer system" means any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data;
b) "computer data" means any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function;
c) "service provider" means:
i. any public or private entity that provides to users of its service the ability to communicate by means of a computer system, and
ii. any other entity that processes or stores computer data on behalf of such communication service or users of such service.
d) "traffic data" means any computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service.
Confidentiality refers to protection of data and/or system from unauthorized disclosure;
Integrity means information or system is protected from unauthorized modification, it is accurate and complete;
Availability requirement refers to timely access to data and/or system.
Article 2 – Illegal access
the access to the whole or any part of a computer system without right
The mere unauthorised intrusion, i.e. "hacking", "cracking" or "computer trespass" should in principle be illegal in itself.
Access to any part of a system is covered, but merely sending an e-mail will not suffice.
Must be "without right" - access to freely accessible, publicly open systems is excluded, as is security testing with consent.
Article 3 – Illegal interception
the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data
The offence represents the same violation of the privacy of communications as traditional tapping and recording of oral telephone conversations between persons.
Applies to all forms of electronic data transfer, whether by telephone, fax, e-mail or file transfer
Content of 'non-public' communication is in focus.
Committed intentionally and "without right".
To gain access to sensitive information, some offenders set up access points close to locations where there is a high demand for wireless access (e.g. near bars and hotels). The station location is often named in such a way that users searching for an Internet access point are more likely to choose the fraudulent access point.
If users rely on the access provider to ensure the security of their communication without implementing their own security measures (end-to-end encryption such as TLS or a VPN), offenders can easily intercept communications. (Example tool: Wireshark)
Acts related to the term “hacking” also include
such as exploiting faulty hardware or software implementations to obtain a password illegally and enter a computer system, setting up "spoofing" websites to make users disclose their passwords, and installing hardware- or software-based keyloggers that record every keystroke – and consequently any password typed on the computer or device.
Article 4 – Data interference
the damaging, deletion, deterioration, alteration or suppression of computer data without right
The aim is a protection similar to that enjoyed by corporeal objects against intentional infliction of damage: the integrity and the proper functioning or use of stored computer data or computer programs.
Suppressing of computer data means any action that prevents or terminates the availability of the data to the person who has access to the computer or the data carrier on which it was stored.
Alteration = modification of data: malicious code, trojans, viruses, XSS, etc. are covered.
Article 5 – System interference
the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data
Hindering = interfering with the proper functioning of a system; the hindering must be "serious" in relation to the particular system
DoS (denial of service) attacks target specific computer systems and make their resources unavailable to the intended users.
By sending a computer system more requests than it can handle, offenders prevent users from accessing the system: checking e-mail, reading the news, booking a flight, downloading files, etc. In a DDoS the requests come from many compromised machines at once, which is what the botnet rentals priced above are sold for.
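Detecting the two patterns described above, the plain request flood here and the DNS/NTP reflection attacks from the Spamhaus and CloudFlare paragraph, as an added example that is not from the lecture. It runs over constructed NetFlow-like records that mimic both patterns: a destination receiving large UDP answers from many distinct hosts on reflector service ports is flagged as the victim of an amplification attack, and a destination whose inbound packet count in one time window exceeds a threshold is flagged as flooded. The record layout, the thresholds and the reflector port list are assumptions.

```python
"""Offline detection of volumetric flooding and of UDP reflection/amplification
(open DNS resolvers on 53, NTP monlist on 123). Added example; the flow records
are constructed to mimic both patterns and are not captured data."""
from collections import defaultdict

# Constructed NetFlow-like records:
# (second, src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
FLOWS = [
    # ordinary DNS answer from a resolver to one of its clients
    (0, "198.51.100.7", 53, "192.0.2.10", 41000, "udp", 120, 1),
    # reflected DNS: 40 open resolvers send large answers to the spoofed victim
    *[(t, f"203.0.113.{i}", 53, "192.0.2.50", 80, "udp", 3000 * 4, 4)
      for t, i in enumerate(range(1, 41))],
    # reflected NTP monlist answers (~482 bytes each) to the same victim
    *[(t, f"198.18.{i}.1", 123, "192.0.2.50", 80, "udp", 482 * 100, 100)
      for t, i in enumerate(range(1, 31))],
    # TCP request flood from 200 bots within one 5-second window
    *[(t % 5, f"100.64.{i // 256}.{i % 256}", 50000 + i, "192.0.2.80", 443, "tcp", 60 * 500, 500)
      for t, i in enumerate(range(1, 201))],
    # a normal web client
    (1, "192.0.2.99", 51234, "192.0.2.80", 443, "tcp", 4000, 20),
]

REFLECTOR_PORTS = {53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}


def reflection_targets(flows, min_sources=10, min_bytes_per_pkt=400):
    """Destinations receiving large UDP responses from many distinct hosts on
    reflector service ports: the signature of a reflection/amplification attack."""
    per_dst = defaultdict(lambda: {"sources": set(), "bytes": 0, "services": set()})
    for _, src, sport, dst, _, proto, nbytes, pkts in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS or pkts == 0:
            continue
        if nbytes / pkts < min_bytes_per_pkt:
            continue  # small answers are ordinary resolver / time-sync traffic
        rec = per_dst[dst]
        rec["sources"].add(src)
        rec["bytes"] += nbytes
        rec["services"].add(REFLECTOR_PORTS[sport])
    return {dst: {"sources": len(r["sources"]), "bytes": r["bytes"],
                  "services": sorted(r["services"])}
            for dst, r in per_dst.items() if len(r["sources"]) >= min_sources}


def flood_targets(flows, window=5, pkts_per_window=10000):
    """Destinations whose inbound packets in any time window exceed the threshold;
    returns the worst window per destination."""
    per_bucket = defaultdict(int)
    for sec, _, _, dst, _, _, _, pkts in flows:
        per_bucket[(dst, sec // window)] += pkts
    hits = {}
    for (dst, _), pkts in per_bucket.items():
        if pkts > pkts_per_window:
            hits[dst] = max(hits.get(dst, 0), pkts)
    return hits


def amplification_factor(request_bytes, response_bytes):
    """How much larger the reflected response is than the spoofed request."""
    return response_bytes / request_bytes


if __name__ == "__main__":
    print("reflection victims:", reflection_targets(FLOWS))
    print("flood victims:", flood_targets(FLOWS))
    print("64-byte DNS query -> 3000-byte answer: %.1fx" % amplification_factor(64, 3000))
```

The two detectors look at different things on purpose: the reflection victim in the sample receives only a few hundred packets per window and would never trip the packet-rate check, while the flooded server sees nothing on reflector ports. What makes reflection visible is the combination of source port, bytes per packet and the number of distinct responders.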
Article 6 – Misuse of devices
a/ the production, sale, procurement for use, import, distribution or otherwise making available of:
i) a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2 through 5;
ii) a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed,
with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and
b/ the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5.
Deals with hacking tools
Making available = includes hyperlinks
The Convention restricts its scope to cases where the devices are
designed or adapted primarily for the purpose of committing an offence. Dual-use devices (e.g. ordinary security testing tools) are usually excluded.
Implementation of this article has been a problem in many countries, because it also covers preparatory acts.
Article 7 – Computer-related forgery
Article 8 – Computer-related fraud
Article 9 – Offences related to child pornography
Article 10 – Offences related to infringements of copyright and related rights
Articles 7 – 10 relate to ordinary crimes that are frequently committed through the use of a computer system.
Most States have already criminalised these ordinary crimes, and their existing laws may or may not be broad enough to extend to situations involving computer networks (for example, the existing child pornography laws of some States may not extend to electronic images).
The Convention does not apply to terrorist use of the internet.
Scope of procedural provisions:
a) the criminal offences established in accordance with Articles 2 through 11 of this Convention;
b) other criminal offences committed by means of a computer system; and
c) the collection of evidence in electronic form of a criminal offence.
Expedited preservation of stored computer data
Search and seizure of stored computer data
Real-time collection of computer data
low number of ratifications
declarations and reservations made by state parties
scope of offences restricted - substantive loss, infringement of security measures
possibility not to criminalize certain offences
lack of coordination
general problems with cooperation
Challenges in drafting national laws
Adjustment of national law starts with the recognition of abuse of a new technology - specific departments within law enforcement qualified to investigate
Identification of gaps in the penal code - often existing law can cover certain cyber offences
Drafting new legislation - amendments are necessary only for those offences that are omitted or insufficiently covered
Transnational nature of cybercrime - international harmonization of cybercrime legislation is important
Continuous legal analysis of new and developing types of cybercrime to ensure effective criminalization (for example online games, virtual currencies, etc.)
Adequate investigative instruments
Procedures for digital evidence
Thank you for your attention!
1. stimulate the economy vs improve security
2. infrastructure modernization vs critical infrastructure protection
3. private vs public sector
4. data protection vs information sharing
5. freedom of expression vs political stability
Overall, the Budapest Convention allows governments to meet the positive obligation of protecting individuals against cybercrime and at the same time to respect the rights of individuals when taking action against cybercrime.
process of legislative reform worldwide
increased criminal justice measures
increased trust and cooperation between parties
global outreach, global impact - over 100 countries
catalyst for capacity building
increased legal certainty and trust by private sector
essential element of norms of behaviour in cyberspace
contribution to human rights and rule of law in cyberspace
LET'S DO THE MATH...
TROJAN RENT $125
E-MAIL DISTRIBUTION $1500
20 000 000 E-MAILS SENT
10% GETS THROUGH FILTERS (2 000 000)
PHISHING EFFICIENCY FACTOR: ~3% (60 000)
ONLINE CREDIT CARD USAGE: ~1% (600)
CREDIT CARD AVERAGE PRICE $5
= PROFIT $875 (600 cards x $5 = $3,000 revenue; the two costs listed here total $1,625, so the slide's $875 implies roughly $500 of further cost, e.g. the bulletproof hosting priced earlier, not shown on this slide)