Niloofar Howe: Good morning and thank you. I think my role here today is to take all the hope that you might’ve had after that session away as we head into lunch. So, Niloo Razi Howe, Chief Strategy Officer at RSA. And what I wanted to talk about today is the hacker industrial complex. At RSA we have this incredible fraud team that for the past ten years has basically gone underground and infiltrated a lot of the criminal networks and really tried to study the latest tools, techniques, as well as some very interesting social patterns which are beyond the scope of the talk today.

But I wanted to start by just setting the context here, and why all this matters, and to try and understand some of the craziness that’s going on. Everyone in this room really knows what 2016 was all about. It was some of the biggest attacks we’ve had. And from my perspective it was just a window into possibilities for the future. I don’t actually think we understand the full ramifications of what we saw in 2016.

So whether you look at the Mirai botnet, the largest DDoS attack in history which showed that your refrigerator can take down Twitter. You look at Yahoo! and the unending sort of news stories that seem to be coming from that breach. One billion accounts hacked. There’s three billion Internet users, so the impact there is pretty huge.

Of course the DNC hack—you know, a country with the eleventh largest economy in the world has repeatedly shown how it can cause us to lose faith in our systems, in our government, in our most fundamental processes, despite the fact that they don’t have the economic power that we do. And despite the fact that every demographic trend is working against them, they’ve been incredibly effective in cyberspace. 1.2 million pieces of malware released every day. And it all has very interesting implications to what we call the hacker industrial complex. Or the Wild Wild West of the Internet.

So why is this all happening? It used to be the case that it was pretty hard to break into systems and actually extract valuable information. Rob Joyce, who is the new White House cybersecurity adviser, former head of TAO, gave a talk at the Enigma USENIX Conference in February 2016 where he— On YouTube, you can watch the guy who ran offensive cyber for the NSA talk about how he broke into systems with the hope, by the way, of showing people what they had to do to defend their networks.

And basically it’s a six-step process. Reconnaissance; you learn what systems are being used. You can use scanning tools. You can use email attachments, removable media, etc. You exploit those systems; you find a way in. You figure out how to persist. Install your tools so you can move laterally. And all with the goal of collecting, exfiltrating, and exploiting.

Now, this entire attack chain used to actually be pretty hard to deploy successfully. The problem is it really isn’t that hard anymore. Not just because the tools are readily accessible, but what’s happening out there is there’s a crowdsourcing of the attack chain that’s going on. So you only have to know one piece of this attack chain, and you can get together—through social media—with people who are experts in other pieces of the attack chain, and you can actually conduct an entire operation—impossible to have attribution because it’s different groups doing it.

And all of this makes of course our life on the defense side pretty hard. Because their goal of course is to get to know your networks better than you do, which isn’t that hard. The only way you can actually defend your network is to actually know what’s going on.

And it brings me to a couple of ground truths. We have basically lost control over our network. All of the advances that have made our lives more productive, more accessible, more connected, have fundamentally disintermediated our ability to protect our environments. The democratization of information, of technology, of goods and services, of banking, of financial transactions with blockchain etc., means every aspect of our lives has become accessible and therefore vulnerable.

We’ve moved from a world where you had to be invited in and trust was presumed in our networks to a world where trust is presumed not to exist. And when you look at the combination of unmanaged devices, unmanaged digital identities, the sheer number of applications that are being created… And importantly the changing nature of the workforce, which today is demanding to be able to access any application from any device at any time from anywhere in the world, means that without vigilant dedication to security, knowing our networks let alone protecting them has become very very hard.

Now, even when you have best practices in place, right— (network segmentation, dual-factor authentication) there are some headwinds that those of us who are on the defensive side have to face. First of all it’s asymmetric. An attacker only has to be right once to get into our systems, whereas the defenders have to be right every single time to stop them. The ROI on attack tools is continuous and basically unending. The same tools can be used over and over and over again. And when attribution is difficult, retribution is almost impossible.

Layer on top of that the fact that attackers have increasing access to more and more sophisticated tools—tools that nation-states only had access to a few years ago are in the wild and being used by them. And the fact that we have a global Internet but no global norms of behavior that we’ve all agreed to. Or, frankly, standards as an industry that we’re going to build our products to. You kinda get to the Wild West.

Now, the weakest link in all of this is us. It’s humans. Even with everything else in place, we kinda keep messing it up over and over again. And so there’s kind of an identity crisis going on. You have the world population over 7 billion, 3.2 billion Internet users, 60 billion digital identities. And the reason I say digital identities is because it’s not just human identities, it’s not just you and me. It’s all the applications and devices also have their own identity. So it’s not just the Internet of things we’re talking about, it’s the identity of things that we’re talking about.

And when you look at the attack vectors and why these identities are so important, web application attacks, which were the most common form of attack, 95% of them last year used stolen credentials. There were over three billion account credentials that were compromised. And so it’s no surprise that phishing attacks are on the rise. What we saw between 2015 and 2016 was a three-fold increase in phishing attacks, and they continue to be incredibly successful. And the tools that are being used for ransomware and all of that are really starting to become available to the bottom-feeders of the criminal community. By that I mean the least sophisticated folks in there.

So this brings me to basically the third ground truth. Which is criminals no longer need to hide in the dark. What we have seen is an absolute rise in a new industrial complex of hackers actually working in plain sight to conduct all of their criminal activity.

So today, you can buy cybercrime as a service. You want a Point of Service malware tool. You don’t know how to make it, that’s okay. You can go to a website and buy it. And here’s what’s amazing. You don’t just get the malware, you get all of the resources. All of the tools that you need to conduct your attack are available to you through these web sites. By the way, a lot of them also have call centers and service level guarantees.

You want to buy call center services. Pick your language, pick your gender, pick your accent. They’re all available. Credit card troves, and we get to this in a second. But the Internet is littered now with stolen credit card information. And what’s interesting is in some geographies like Brazil, they actually take advertising and trying to differentiate themselves through marketing very seriously. So they’re using movie posters to advertise the services that they sell.

Let’s say you want to launch a DDoS attack but you don’t exactly know how. Totally okay. You can buy a spot on the Mirai botnet. Fifty thousand bots for $4600. That’s about ten cents a bot. Kind of affordable. And they will launch the attack for you.

So what’s really fascinating as we look at what’s going on in this criminal industrial complex is the use of social media as the platform for conducting criminal activity. So, outside of the US, where there [are] still some laws in existence, around the world the need to go into the dark web is becoming less and less required. Because prosecution rates are less than 1%. So the criminals have actually moved to these social media platforms, and I want to show you really quickly what the new dark web looks like.

[The next several paragraphs narrate a demonstration running approximately 10:38–13:48 of the recording, but the text and included screenshots should generally suffice.]

So this is my Facebook page. Let’s just make sure it’s working. This is my son getting a hockey award. That’s my daughter, my son’s putting on her goalie pads. So just showing you this is real.

So let’s say I got fired from RSA and I really really needed to buy some shoes and can’t afford them, so I kinda need someone else’s credit card to do that. So, you guys all know what CVVs are, right? The credit card verification value. It’s what you need in order to use someone else’s credit card. So let’s just run a search on CVVs.

Here we go, first post. There’s the credit card number, and the expiration date is April 2015, I don’t think I can use that one. Let’s keep going. Some advertisements for some places we can go. Let’s look at this one. He’s just advertising his wares. You need to actually contact him. Here’s a good one. Peter Bingham; does anyone know Peter Bingham in Australia? Because his credit card is right there, with the CVV information as well as from the Commonwealth Bank of Australia.

And you can keep going down. Here’s a good one from JPMorgan Chase, Michael Lynch. I even have his address. And a ZIP code and his phone number. All right there for me to use, right on Facebook.

Now let’s go on Twitter for a second. So here’s what’s fun on Twitter. (By the way, before the election when you put in “dump,” really it wasn’t that that came up.) So here’s a Twitter feed that basically scrapes the Internet for all sorts of dumps of personal information.

And here’s what’s really cool. I went on this this morning just to make sure that we could do this fast. They post emails and passwords. This just got posted early this morning. This is 68 million hacked Dropbox accounts. And they’ve listed the email address as well as the hashed password for you to access. So they’re just giving you a taste of what’s in that trove. If you want to actually access all those accounts they give you the URL to go to. Which is awesome.

There were a few other places that I liked this morning. So here’s a more common one that you find. This is actually just another dump. But it’s got all the user names and passwords for these emails. So if anyone knows ben_warhammer, for example in Germany, user name and password is up here.

So in less than thirty seconds I can either go find a credit card on Facebook that I can use… By the way, I was looking at Facebook last night just to see what was there, and there was a post on exactly how to use—step by step instructions—a stolen credit card on Amazon. How to set up the account, the minimum purchase that would let you not get caught by their fraud team, and what dollar values you should use as you made your purchases with these stolen credit card accounts.

[End of narrated portion.]

Now interestingly, that post got taken down within a few hours of being put up there. And so these social media sites really do try and scrape for content, and the reason I liked a bunch of the feeds on Twitter is because they do get pulled every once in a while. But not before they can cause a fair amount of damage.

So again, the whole reason that I wanted to show this to you is it’s all out there. I mean, the amount of information that you can access online is fairly crazy. So as we look at what’s going on out there, over the past six months we have seen a 300% growth rate in the use of social media online. It varies by geography. In China, Baidu and QQ tend to be the most common platforms that are used, for example. They’re actually really good about scraping criminal activity off of those platforms. But the criminals have figured out how to use evasive techniques, use characters that don’t get caught within those systems.

So WhatsApp continues to be the most common and favorite social media platform that’s being used. And when you go on to these social media platforms, the amount of activity that’s going on is fairly endless. The carding services I showed you [are] the easiest thing to access when you’re there. But everything from malware, hacking tools, muling services, phishing, botnet services, all of that is accessible with just a few clicks.

Now, as we look at how this activity takes place— And this is just a map of countries that are launching the targets and the countries that are the target—the red being the attackers and the blue being who’s being attacked—you can see that the US and UK are the target, and the attacks are coming from all over the world.

Now, you will notice, for anyone who knows much about cybercrime, that Brazil’s not on this map. The reason Brazil’s not on the map is because Brazilians tend to be very localized in what they do. So their fraud activities are pretty geographically limited. They don’t tend to go out of their geography. But we are absolutely the targets for most of these activities.

And the skill set for sure varies by geography that you look at. So for example, the Russians tend to be incredibly sophisticated, very business-oriented. Probably they’ve come up a few times today, and I assume they’ll be continuing to come up a few times. The Chinese are also very sophisticated. They focus a lot more on hardware and mobile. And then as you make your way to West Africa it tends to be very much about financial transactions and things that can generate money very very quickly.

So to highlight the complete absurdity of what’s going on online I thought I would show this website, this carding service web site. I don’t know if you can tell, but it’s a very kind of professionally set up web site. It has a cart, it has a place for billing questions. Tickets, if you have questions about what they do. And this particular group was subjected to a DDoS attack. And they were really upset that they were subjected to a DDoS attack. Now keep in mind, right, they’re selling stolen information. They’re selling stolen credit cards. Here was their reaction. This is from June 2015, and for anyone who cares this is a website set up in West Africa.

“Dear friends. We noticed that our site was under several attacks when a group of ‘hackers’…” (Because they’re not.) “…tried to blackmail us, intimidating us with DDoS attacks and abuse.” Right? How dare they. Let’s keep going. “…with our friends and customers…” Right? “With our friends and customers we overcame all the difficulties and saved our business.” How many criminals talk about it this way? “We always play fair, brothers, and we want you to play fair.”

So, what is beautiful about this, from my perspective, is just trying to understand the mindset of the people who are doing these activities. And their view of right and wrong is very very different from our view of right and wrong. And some believe it’s a legitimate business. Doesn’t really have victims. And it’s simply a way to make money in very difficult environments. And it kind of underscores the need for us to keep working and pushing, which is why all of the policy conversations are important. This is the global Internet, and we do not have norms of behavior that we’ve all agreed to. And clearly they vary so much by geography.

So I will end on that note. And hopefully it’s not completely hopeless as you guys head into lunch. But I’m happy to entertain a couple of questions as well, if anyone has them.

Audience 1: [question inaudible]

Niloofar Howe: No, there’s no need to be depressed. There’s just a reality out there. I mean the good news, right, is credit cards are pretty well-protected. But if you’re connected to the Internet, this is the world and the people that you’re connected to, and it’s just really important to understand that reality.

Audience 2: So just following up on that final point about norms of responsible behavior. In your research or as you looked at these different criminal actors, did you find that there were any attempts to establish kind of standards for responsible behavior among that crowd? And if not, is that something that you see coming?

Howe: So, the answer to that totally varies by region. I wouldn’t say that there’s necessarily standards of behavior. But there are folks who are invited in and folks who are not invited in. So if you take for example the Arab-speaking countries, if you can’t interact with them using not just the language but also the way they greet each other and speak to each other and all the pleasantries that go around it, you will absolutely not become part of the community. So there are very well-defined norms in terms of communicating who’s allowed in, who’s not allowed in, where you conduct your activities. But there aren’t really standards of behavior emerging, as far as we can see.

[To upcoming audience member:] Okay, I know you guys do this for a living, so go easy on me.

Audience 3: Don’t worry. So, we track a lot of—in addition to Russian and Chinese cybercriminals—we look at a lot of American cybercriminals. And one thing that I was wondering is, within your team’s research do you see similar sophistication in US-based cybercriminals? I know they tend to be kind of localized in their targeting. Do they run businesses in the same way? I’m just kind of curious what you guys are seeing.

Howe: So, most of our research has focused on the international communities, for a lot of reasons including— And my talk here— Because in the US we actually enforce our laws. So it is much more difficult to conduct business the way folks around the world are conducting business, where the laws may not be well-defined, prosecution simply doesn’t happen in certain parts of the world. But it is a very different environment in the US.

Alright. Thank you.

Further Reference

Cybersecurity for a New America event page