Niloofar Howe: Good morning and thank you. I think my role here today is to take all the hope that you might’ve had after that session away as we head into lunch. So, Niloo Razi Howe, Chief Strategy Officer at RSA. And what I wanted to talk about today is the hacker industrial complex. At RSA we have this incredible fraud team that for the past ten years has basically gone underground and infiltrated a lot of the criminal networks and really tried to study the latest tools, techniques, as well as some very interesting social patterns which are beyond the scope of the talk today.

But I wanted to start by just setting the context here, and why all this matters, and to try and understand some of the craziness that’s going on. Everyone in this room really knows what 2016 was all about. It was some of the biggest attacks we’ve had. And from my perspective it was just a window into possibilities for the future. I don’t actually think we understand the full ramifications of what we saw in 2016.

So whether you look at the Mirai botnet, the largest DDoS attack in history which showed that your refrigerator can take down Twitter. You look at Yahoo! and the unending sort of news stories that seem to be coming from that breach. One billion accounts hacked. There’s three billion Internet users, so the impact there is pretty huge.

Of course the DNC hack—you know, a country with the eleventh largest economy in the world has repeatedly shown how it can cause us to lose faith in our systems, in our government, in our most fundamental processes, despite the fact that they don’t have the economic power that we do. And despite the fact that every demographic trend is working against them, they’ve been incredibly effective in cyberspace. 1.2 million pieces of malware released every day. And it all has very interesting implications for what we call the hacker industrial complex. Or the Wild Wild West of the Internet.

So why is this all happening? It used to be the case that it was pretty hard to break into systems and actually extract valuable information. Rob Joyce, who is the new White House cybersecurity adviser, former head of TAO, gave a talk at the Enigma USENIX Conference in February 2016 where he— On YouTube, you can watch the guy who ran offensive cyber for the NSA talk about how he broke into systems with the hope, by the way, of showing people what they had to do to defend their networks.

And basically it’s a six-step process. Reconnaissance; you learn what systems are being used. You can use scanning tools. You can use email attachments, removable media, etc. You exploit those systems; you find a way in. You figure out how to persist. Install your tools so you can move laterally. And all with the goal of collecting, exfiltrating, and exploiting.

Now, this entire attack chain used to actually be pretty hard to deploy successfully. The problem is it really isn’t that hard anymore. Not just because the tools are readily accessible, but what’s happening out there is there’s a crowdsourcing of the attack chain that’s going on. So you only have to know one piece of this attack chain, and you can get together—through social media—with people who are experts in other pieces of the attack chain, and you can actually conduct an entire operation—impossible to have attribution because it’s different groups doing it.

And all of this makes of course our life on the defense side pretty hard. Because their goal of course is to get to know your networks better than you do, which isn’t that hard. The only way you can actually defend your network is to actually know what’s going on.

And it brings me to a couple of ground truths. We have basically lost control over our network. All of the advances that have made our lives more productive, more accessible, more connected, have fundamentally disintermediated our ability to protect our environments. The democratization of information, of technology, of goods and services, of banking, of financial transactions with blockchain etc., means every aspect of our lives has become accessible and therefore vulnerable.

We’ve moved from a world where you had to be invited in and trust was presumed in our networks to a world where trust is presumed not to exist. And when you look at the combination of unmanaged devices, unmanaged digital identities, the sheer number of applications that are being created… And importantly the changing nature of the workforce, which today is demanding to be able to access any application from any device at any time from anywhere in the world, means that without vigilant dedication to security, knowing our networks let alone protecting them has become very very hard.

Now, even when you have best practices in place, right— (network segmentation, dual-factor authentication) there are some headwinds that those of us who are on the defensive side have to face. First of all it’s asymmetric. An attacker only has to be right once to get into our systems, whereas the defenders have to be right every single time to stop them. The ROI on attack tools is continuous and basically unending. The same tools can be used over and over and over again. And when attribution is difficult, retribution is almost impossible.

Layer on top of that the fact that attackers have increasing access to more and more sophisticated tools—tools that nation-states only had access to a few years ago are in the wild and being used by them. And the fact that we have a global Internet but no global norms of behavior that we’ve all agreed to. Or, frankly, standards as an industry that we’re going to build our products to. You kinda get to the Wild West.

Now, the weakest link in all of this is us. It’s humans. Even with everything else in place, we kinda keep messing it up over and over again. And so there’s kind of an identity crisis going on. You have the world population over 7 billion, 3.2 billion Internet users, 60 billion digital identities. And the reason I say digital identities is because it’s not just human identities, it’s not just you and me. All the applications and devices also have their own identity. So it’s not just the Internet of things we’re talking about, it’s the identity of things that we’re talking about.

And when you look at the attack vectors and why these identities are so important, web application attacks, which were the most common form of attack, 95% of them last year used stolen credentials. There were over three billion account credentials that were compromised. And so it’s no surprise that phishing attacks are on the rise. What we saw between 2015 and 2016 was a three-fold increase in phishing attacks, and they continue to be incredibly successful. And the tools that are being used for ransomware and all of that are really starting to become available to the bottom-feeders of the criminal community. By that I mean the least sophisticated folks in there.

So this brings me to basically the third ground truth. Which is criminals no longer need to hide in the dark. What we have seen is an absolute rise in a new industrial complex of hackers actually working in plain sight to conduct all of their criminal activity.

So today, you can buy cybercrime as a service. You want a Point of Service malware tool. You don’t know how to make it, that’s okay. You can go to a website and buy it. And here’s what’s amazing. You don’t just get the malware, you get all of the resources. All of the tools that you need to conduct your attack are available to you through these websites. By the way, a lot of them also have call centers and service level guarantees.

You want to buy call center services. Pick your language, pick your gender, pick your accent. They’re all available. Credit card troves, and we get to this in a second. But the Internet is littered now with stolen credit card information. And what’s interesting is in some geographies like Brazil, they actually take advertising and trying to differentiate themselves through marketing very seriously. So they’re using movie posters to advertise the services that they sell.

Let’s say you want to launch a DDoS attack but you don’t exactly know how. Totally okay. You can buy a spot on the Mirai botnet. Fifty thousand bots for $4600. That’s about ten cents a bot. Kind of affordable. And they will launch the attack for you.

So what’s really fascinating as we look at what’s going on in this criminal industrial complex is the use of social media as the platform for conducting criminal activity. So, outside of the US, where there [are] still some laws in existence, around the world the need to go into the dark web is becoming less and less required. Because prosecution rates are less than 1%. So the criminals have actually moved to these social media platforms, and I want to show you really quickly what the new dark web looks like.

[The next several paragraphs narrate a demonstration running approximately 10:38–13:48 of the recording, but the text and included screenshots should generally suffice.]

So this is my Facebook page. Let’s just make sure it’s working. This is my son getting a hockey award. That’s my daughter, my son’s putting on her goalie pads. So just showing you this is real.

So let’s say I got fired from RSA and I really really needed to buy shoes and can’t afford them, so I kinda need someone else’s credit card to do that. So, you guys all know what CVVs are, right? The credit card verification value. It’s what you need in order to use someone else’s credit card. So let’s just run a search on CVVs.

Here we go, first post. There’s the credit card number, and the expiration date is April 2015, I don’t think I can use that one. Let’s keep going. Some advertisements for some places we can go. Let’s look at this one. He’s just advertising his wares. You need to actually contact him. Here’s a good one. Peter Bingham; does anyone know Peter Bingham in Australia? Because his credit card is right there, with the CVV information as well as from the Commonwealth Bank of Australia.

And you can keep going down. Here’s a good one from JPMorgan Chase, Michael Lynch. I even have his address. And a ZIP code and his phone number. All right there for me to use, right on Facebook.

Now let’s go on Twitter for a second. So here’s what’s fun on Twitter. (By the way, before the election when you put in “dump,” really it wasn’t that that came up.) So here’s a Twitter feed that basically scrapes the Internet for all sorts of dumps of personal information.

And here’s what’s really cool. I went on this this morning just to make sure that we could do this fast. They post emails and passwords. This just got posted early this morning. This is 68 million hacked Dropbox accounts. And they’ve listed the email address as well as the hashed password for you to access. So they’re just giving you a taste of what’s in that trove. If you want to actually access all those accounts they give you the URL to go to. Which is awesome.

There were a few other places that I liked this morning. So here’s a more common one that you find. This is actually just another dump. But it’s got all the user names and passwords for these emails. So if anyone knows ben_warhammer, for example in Germany, user name and password is up here.

So in less than thirty seconds I can either go find a credit card on Facebook that I can use… By the way, I was looking at Facebook last night just to see what was there, and there was a post on exactly how to use—step by step instructions—a stolen credit card on Amazon. How to set up the account, the minimum purchase that would let you not get caught by their fraud team, and what dollar values you should use as you made your purchases with these stolen credit card accounts.

[End of narrated portion.]

Now interestingly, that post got taken down within a few hours of being put up there. And so these social media sites really do try and scrape for content, and the reason I liked a bunch of the feeds on Twitter is because they do get pulled every once in a while. But not before they can cause a fair amount of damage.

So again, the whole reason that I wanted to show this to you is it’s all out there. I mean, the amount of information that you can access online is fairly crazy. So as we look at what’s going on out there, over the past six months we have seen a 300% growth rate in the use of social media online. It varies by geography. In China, Baidu and QQ tend to be the most common platforms that are used, for example. They’re actually really good about scraping criminal activity off of those platforms. But the criminals have figured out how to use evasive techniques, use characters that don’t get caught within those systems.

So WhatsApp continues to be the most common and favorite social media platform that’s being used. And when you go on to these social media platforms, the amount of activity that’s going on is fairly endless. The carding services I showed you [are] the easiest thing to access when you’re there. But everything from malware, hacking tools, muling services, phishing, botnet services, all of that is accessible with just a few clicks.

Now, as we look at how this activity takes place— And this is just a map of countries that are launching the targets and the countries that are the target—the red being the attackers and the blue being who’s being attacked—you can see that the US and UK are the target, and the attacks are coming from all over the world.

Now, you will notice, for anyone who knows much about cybercrime, that Brazil’s not on this map. The reason Brazil’s not on the map is because Brazilians tend to be very localized in what they do. So their fraud activities are pretty geographically limited. They don’t tend to go out of their geography. But we are absolutely the targets for most of these activities.

And the skill set for sure varies by geography that you look at. So for example, the Russians tend to be incredibly sophisticated, very business-oriented. Probably they’ve come up a few times today, and I assume they’ll be continuing to come up a few times. The Chinese are also very sophisticated. They focus a lot more on hardware and mobile. And then as you make your way to West Africa it tends to be very much about financial transactions and things that can generate money very very quickly.

So to highlight the complete absurdity of what’s going on online I thought I would show this website, this carding service website. I don’t know if you can tell, but it’s a very kind of professionally set up website. It has a cart, it has a place for billing questions. Tickets, if you have questions about what they do. And this particular group was subjected to a DDoS attack. And they were really upset that they were subjected to a DDoS attack. Now keep in mind, right, they’re selling stolen information. They’re selling stolen credit cards. Here was their reaction. This is from June 2015, and for anyone who cares this is a website set up in West Africa.

“Dear friends. We noticed that our site was under several attacks when a group of ‘hackers’…” (Because they’re not.) “…tried to blackmail us, intimidating us with DDoS attacks and abuse.” Right? How dare they. Let’s keep going. “…with our friends and customers…” Right? “With our friends and customers we overcame all the difficulties and saved our business.” How many criminals talk about it this way? “We always play fair, brothers, and we want you to play fair.”

So, what is beautiful about this, from my perspective, is just trying to understand the mindset of the people who are doing these activities. And their view of right and wrong is very very different from our view of right and wrong. And some believe it’s a legitimate business. Doesn’t really have victims. And it’s simply a way to make money in very difficult environments. And it kind of underscores the need for us to keep working and pushing, which is why all of the policy conversations are important. This is the global Internet, and we do not have norms of behavior that we’ve all agreed to. And clearly they vary so much by geography.

So I will end on that note. And hopefully it’s not completely hopeless as you guys head into lunch. But I’m happy to entertain a couple of questions as well, if anyone has them.


Discussion

Audience 1: [question inaudible]

Niloofar Howe: No, there's no need to be depressed. There's just a reality out there. I mean the good news, right, is credit cards are pretty well-protected. But if you're connected to the Internet, this is the world and the people that you're connected to, and it's just really important to understand that reality.

Audience 2: So just following up on that final point about norms of responsible behavior. In your research or as you looked at these different criminal actors, did you find that there were any attempts to establish kind of standards for responsible behavior among that crowd? And if not, is that something that you see coming?

Howe: So, the answer to that totally varies by region. I wouldn't say that there are necessarily standards of behavior. But there are folks who are invited in and folks who are not invited in. So if you take for example the Arab-speaking countries, if you can't interact with them using not just the language but also the way they greet each other and speak to each other and all the pleasantries that go around it, you will absolutely not become part of the community. So there are very well-defined norms in terms of communicating who's allowed in, who's not allowed in, where you conduct your activities. But there aren't really standards of behavior emerging, as far as we can see.

[To upcoming audience member:] Okay, I know you guys do this for a living, so go easy on me.

Audience 3: Don't worry. So, we track a lot of—in addition to Russian and Chinese cybercriminals—we look at a lot of American cybercriminals. And one thing that I was wondering is, within your team's research do you see similar sophistication in US-based cybercriminals? I know they tend to be kind of localized in their targeting. Do they run businesses in the same way? I'm just kind of curious what you guys are seeing.

Howe: So, most of our research has focused on the international communities, for a lot of reasons including— And my talk here— Because in the US we actually enforce our laws. So it is much more difficult to conduct business the way folks around the world are conducting business, where the laws may not be well-defined, prosecution simply doesn't happen in certain parts of the world. But it is a very different environment in the US.

Alright. Thank you.

Further Reference

Cybersecurity for a New America event page

