The new face of cybercrime

Phillip Hallam-Baker, VeriSign

In this issue of Industry Insider, computer scientist Phillip Hallam-Baker says the rise of the professional hacker means the IT world must unlearn old lessons.

You once could explain away Internet attacks as destruction for destruction's sake. But many of the juvenile delinquents of the 1990s have since graduated from mere vandalism to hacking for monetary gain.

One of the consequences of this change is spam. Who hasn't received dubious e-mail propositions from people purporting to be Nigerian merchants? Respond to them, and you risk joining a crowd of people who have lost huge sums in scams run by organised crime.

Most spammers do not intend to sell. All they want is to "phish" your credit card number. Messages now zip around the Internet purporting to come from trusted companies and asking you to "verify your account." The victim is taken to a Web site that looks genuine but is run by a fraud ring. Besides the direct loss from the stolen card numbers, this fraud damages confidence in Internet security.

This is the new face of cybercrime. Whereas hacker vandals once coveted bragging rights, professional hackers have profit in mind. What's more, they are considerably more determined and have better resources than vandals. A new approach is necessary, and we must unlearn some of the lessons drawn from hacker vandalism.

Conventional wisdom has it that a system is only as secure as its weakest link. Hacker vandals instead concentrated their efforts on compromising the parts of the system that were the most difficult to break. That's where the bragging rights were to be had.

But latter-day professional hackers are not too proud to attack the weakest link in the system. Why spend months beating your head against the ring of steel constructed by a top security architect working for a major bank? That method doesn't make sense, when you can find customers who will just tell you their account number and password if you ask in the right way.

E-mail provides the gap in the ring of steel. Even though practically every e-mail client is capable of sending and receiving secure e-mail, these features are rarely used. Why bother, when the hacker vandals consider e-mail forgery beneath them? Phishing fraud creates the need for secure e-mail, but we cannot simply wait for the world to agree on that point.

We must design e-mail security for everyday use by real users, not occasional use by experts. When a real letter comes from my bank, it is printed on letterhead with a prominent bank logo. We need an e-mail security solution that shows the difference between genuine and fake e-mails with equal simplicity.

The Internet Engineering Task Force's MARID working group is currently considering Sender-ID, a simple proposal for e-mail authentication. Computer security specialists have often dismissed schemes of this type, arguing that an expert user could in theory circumvent them. But a professional spammer has no use for a security vulnerability that only works for a limited time and allows a limited number of messages to be sent. Such a vulnerability is not profitable.
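The mechanism behind Sender-ID, and the related SPF proposal, is that a domain publishes which mail servers may send on its behalf and the receiving server compares the connecting address against that list. The following is an added example, not code from the column or from VeriSign: a simplified model of that check. The policy table stands in for the DNS lookup, the domains and addresses are constructed for illustration, and the real Sender-ID record syntax and its header-selection rules are not reproduced.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed stand-in for published sender policy records (real Sender-ID/SPF
# records live in DNS TXT records with their own syntax; this dict is an
# assumption for the example). domain -> CIDR blocks allowed to send its mail.
PUBLISHED_SENDER_POLICY: Dict[str, List[str]] = {
    "examplebank.test": ["192.0.2.0/24"],
    "mailservice.test": ["198.51.100.10/32", "198.51.100.11/32"],
}


def parse_from_domain(header_value: str) -> str:
    """Extract the domain from a From: header such as
    'Example Bank <alerts@examplebank.test>' or 'alerts@examplebank.test'."""
    addr = header_value
    if "<" in header_value and ">" in header_value:
        addr = header_value[header_value.index("<") + 1:header_value.index(">")]
    addr = addr.strip()
    if "@" not in addr:
        raise ValueError("no address in From: header: %r" % header_value)
    return addr.rsplit("@", 1)[1].lower()


def check_sender(connecting_ip: str, claimed_domain: str) -> str:
    """Return 'pass' if the connecting IP is authorised for the claimed domain,
    'fail' if the domain publishes a policy that excludes it, and 'none' if the
    domain publishes no policy at all (the receiver then cannot decide)."""
    blocks = PUBLISHED_SENDER_POLICY.get(claimed_domain.lower())
    if blocks is None:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for block in blocks:
        if ip in ipaddress.ip_network(block):
            return "pass"
    return "fail"


def evaluate_messages(messages: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Run the check over (connecting_ip, from_header) pairs; return (domain, result)."""
    results = []
    for connecting_ip, from_header in messages:
        domain = parse_from_domain(from_header)
        results.append((domain, check_sender(connecting_ip, domain)))
    return results


# Constructed sample: one genuine bank notice, one forgery claiming the bank's
# domain from an unrelated address, one message from a domain with no policy.
SAMPLE_MESSAGES = [
    ("192.0.2.25", "Example Bank <alerts@examplebank.test>"),
    ("203.0.113.77", "Example Bank Security <security@examplebank.test>"),
    ("203.0.113.77", "newsletter@unknown.test"),
]

if __name__ == "__main__":
    for domain, verdict in evaluate_messages(SAMPLE_MESSAGES):
        print(domain, verdict)
```

The second message is the phishing case the column describes: the logo and wording can be copied, but the sending address cannot be placed inside the bank's published range, so the receiver can mark it as failed rather than trusting its appearance.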

Another example of the different approach required is the reverse firewall. A traditional firewall is designed to stop attacks from the outside coming in; a reverse firewall stops an attack going out. This precaution reduces the value of recruiting your home computer as a member of a "botnet," a group of "zombie" machines hijacked to distribute huge amounts of fraudulent e-mail or launch denial-of-service attacks without being traced directly.

I would like to see reverse firewalls embedded in every cable modem and wireless access point for home users. Normal users have no need to send out floods of e-mail; a reverse firewall can stop such floods while still allowing a normal flow of e-mail.
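One way a cable modem or access point could enforce the policy described above is to count new outbound connections to the SMTP port per home host within a sliding window and drop, and flag, connections beyond a threshold. The following is an added example, not code from the column or from any product: a Python simulation of that egress rule run over constructed connection records. The threshold of 20 new SMTP connections per minute and the record format (timestamp, source, destination, destination port) are assumptions for illustration.

```python
from collections import defaultdict, deque
from typing import Dict, List, Tuple

SMTP_PORT = 25
WINDOW_SECONDS = 60.0
# Assumed policy: a home host may open at most this many new SMTP
# connections per window. A person sends a few messages a minute at most;
# a zombie relaying spam opens hundreds.
MAX_SMTP_CONNECTIONS_PER_WINDOW = 20


def parse_record(line: str) -> Tuple[float, str, str, int]:
    """Parse a constructed record: '<timestamp> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return float(ts), src, dst, int(dport)


class OutboundSmtpLimiter:
    """Sliding-window limiter on new outbound SMTP connections per source host."""

    def __init__(self, limit: int = MAX_SMTP_CONNECTIONS_PER_WINDOW,
                 window: float = WINDOW_SECONDS) -> None:
        self.limit = limit
        self.window = window
        self.recent: Dict[str, deque] = defaultdict(deque)  # src -> timestamps
        self.flagged = set()  # hosts that exceeded the limit at least once

    def decide(self, ts: float, src: str, dport: int) -> str:
        if dport != SMTP_PORT:
            return "allow"  # only outbound mail submission is rate limited
        q = self.recent[src]
        while q and ts - q[0] >= self.window:
            q.popleft()  # forget connections older than the window
        if len(q) >= self.limit:
            self.flagged.add(src)
            return "drop"
        q.append(ts)
        return "allow"


def run(lines: List[str]) -> Tuple[Dict[str, Dict[str, int]], List[str]]:
    """Apply the limiter to records in time order; return per-host counts
    of allowed/dropped connections and the sorted list of flagged hosts."""
    limiter = OutboundSmtpLimiter()
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"allow": 0, "drop": 0})
    for line in lines:
        ts, src, _dst, dport = parse_record(line)
        summary[src][limiter.decide(ts, src, dport)] += 1
    return dict(summary), sorted(limiter.flagged)


def constructed_log() -> List[str]:
    """Constructed sample: a normal host sends three messages in a minute and
    browses the web; a compromised host opens 50 SMTP connections in 10 seconds."""
    lines = [
        "0.0 192.168.1.10 198.51.100.5 25",
        "20.0 192.168.1.10 198.51.100.5 25",
        "30.0 192.168.1.10 203.0.113.8 443",
        "45.0 192.168.1.10 198.51.100.5 25",
    ]
    for i in range(50):
        lines.append("%.1f 192.168.1.20 203.0.113.%d 25" % (100.0 + i * 0.2, 1 + i % 200))
    return lines


if __name__ == "__main__":
    counts, flagged = run(constructed_log())
    for host, c in sorted(counts.items()):
        print(host, c)
    print("flagged:", flagged)
```

The normal host never touches the limit, so its mail flows untouched; the zombie gets its first 20 connections through and then loses the rest of the burst, which is what makes the machine less valuable to whoever recruited it. Flagging the host is as important as dropping the traffic, since the owner needs to learn that the machine is compromised.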

Part of the VeriSign Anti-Phishing Solution is a service that tracks down the sources of phishing attacks and asks the Internet service provider to shut them down. This is not the type of service that VeriSign would have considered offering five years ago.

Traditional law enforcement techniques are a poor match for hacker vandals seeking thrills. The result often feels like playing "whack a mole," the carnival game that requires the player to smack mechanical moles quickly and repetitively with a mallet.

The professional hacker rarely tires of doing the same thing until it stops making a profit, establishing an identifiable modus operandi. The tools used, the targets chosen, the zombies exploited and the language used all combine to provide a detailed profile of the perpetrator. One long-term aspiration is that by combining data from all the information sources we manage -- payment services, firewalls and DNS (domain name service) infrastructure -- we may uncover future attacks and their perpetrators before they occur.

The rise of the professional hacker is certainly a cause for concern, but it is also a challenge and an opportunity -- one that I and many other security professionals intend to rise to meet.

Biography
Phillip Hallam-Baker is principal scientist at VeriSign.


Talkback 12 comments

  1. Anonymous -- 21/07/04

    What nonsense! Who's to say how much outbound email is "normal" for a cable or DSL modem user to send? What right does *any* ISP have to dictate what kind of consensual, legal communications their users can have? Whatever happened to the end-to-end principle that made the Internet great in the first place?

    If firewalling were applied only after due process to proven spammers and spam relays, I wouldn't object. But experience shows that most ISPs would just rather assume we're all guilty.

    You don't have to be a spammer to strongly prefer your own email server over the often unreliable and overloaded (by spam?) mail relays provided by most ISPs. And with the recent court ruling that your ISP can freely rummage through your email while it sits on their servers, running your own email server becomes even more attractive.

    I guess I shouldn't be surprised to see such a misguided proposal from Verisign's chief scientist. After all, this is the same outfit that gave us Site Finder.

  2. Anonymous -- 21/07/04

    What an incredible idea!! This will stop normal users from sending out what they want to send out, and the criminals will start making their own routers. What will we do then? Make a law to stop people from making their own routers? Make sure that you only buy a "VeriSign"-approved router!

  3. Anonymous -- 21/07/04

    So the next ADSL router I receive with my Internet subscription is 'email rate limited'?

    I would agree to it IF the user himself is able to "uncap" any and all rate limiting and filtering.

    I purchase Internet access and am responsible for what happens to my computer; I do not want to 'outsource' this to another company with views and settings that do not align with my own.

    Internet suppliers can offer personal firewalls that the end-(l)users can install if they choose to, but do not try to force ALL users to be limited and restricted just because SOME users are clueless morons.

  4. Anonymous -- 21/07/04

    This is about dumb. 95% of clients on the net are 'Windows' based PCs. Before one starts arguing this idea: is it not true that the problem IS the operating platform? Whenever a virus hits, it's Windows machines infected. Whenever a spam trojan hits, it's Windows machines infected. Whenever a DoS attack happens, it's Windows machines causing it. It's TOO easy to send a trojan to someone's grandmother while she is using 'Outlook' and get her infected. All she has to do is click send-receive, and she has it. Then the cracker/spammer has control over her whole machine to do with what he/she wishes. However, let's say user X on Slackware, or FreeBSD, or MacOS for instance sees one of these in Sylpheed, Mail.app, or Pine. What do they do? Laugh, and hit the delete key. Shouldn't we be looking at the security of the software and the people who designed it, and blame them? Make them pay the liability of owning their commercial software that a 12 year old can gain access to? Reverse firewalls aren't the answer. Software that isn't vulnerable to these problems is the answer.

  5. Anonymous -- 21/07/04

    When will the focus ever get right? It is the spammers who are the offenders. The spammers, the spammers, the spammers. The way to deal with the offense is to go after the spammers, not other victims of the spammers. The "other victims" are the poor unfortunates whose systems get compromised.

    The worst aspect of this is the assumption that nothing need be done about the spammers: only the home victims need attention. That's a huge gift to the senders of the spew: they can (and do) commit their abuse with a full license from those who should be stopping them. That attitude has persisted for years and is one of the main reasons spam still exists.

    But then, of course, many times when I trace a spammer's IP registration I find that it is false - and is maintained by a subsidiary of what passes for an important security company. Registrars who allow false registrations are more at fault than home users who buy the only software available: incredibly vulnerable, ill-designed monstrosities. When will registrars be required to verify and vouch for the integrity of the registration data? I don't know about you, but when I see a phone number of 555-555-5555 I get suspicious right away. Is that really so hard for a registrar to see?

  6. Anonymous -- 22/07/04

    Is this guy serious? Firewalls operate on any directional flow of traffic today. I really can't believe this is getting such a large amount of coverage. He calls normal operating functionality a "reverse" firewall and people think he's come up with some revolutionary idea. I can't believe this guy is the principal scientist at VeriSign. This is a complete joke.

  7. Anonymous -- 22/07/04

    Good job genius... NOT! This is not a new concept! Say it with me... eeeeegreeeessss fiiiilteeerrrring! Otherwise known as an explicit allow out rule set. Geez you're almost as up to date as CNN when it comes to technology.

  8. Anonymous -- 22/07/04

    I've never before heard the term "reverse firewall". Firewalls can regulate traffic in, and traffic out, of a machine - making up new terminology and pretending it's a new idea doesn't make any sense to me.

    ZoneAlarm, and similar tools, can already do what the "reverse firewall" is supposed to do. ZoneAlarm can be downloaded for free.

  9. Anonymous -- 22/07/04

    I was hoping for a slightly different article. I WANT a reverse firewall. And, not because I'm afraid my machine is part of a botnet sending out spam. But, instead because I'm worried that some trojan keylogger may have gotten installed somewhere and my anti-virus anti-spyware software doesn't recognize it yet. That is truly scary to me.

    I want to use the internet to do my transactions with my bank and brokerage and checkfree and at the same time I want to use my machine to look for information and/or entertainment on the web. I don't want to have to worry that some professional hacker has

  10. Anonymous -- 22/07/04

    This is an amazingly stupid idea...

  11. Anonymous -- 22/07/04

    Please allow me to be skeptical about this idea.

    This is exactly in the same league as adequate virus defence. IT DOES NOT EXIST! All we do is fight with the consequences and not with the problems. If firewalls are configured in a way that limits the number of e-mail messages that can be sent out, spammers will just try to target more hosts to expand their zombie network and reduce the load, or spread it out over longer periods of time. Also it is naive to hope that this will happen overnight, so spammers will have plenty of time to invent ways to circumvent the protection.

    The real problem is not in the network infrastructure, it's in e-mail software and most notably Outlook. Drop Outlook and the number of virus incidents in your company drops by like 30-70%. The problem is that many security professionals are just too wuss to call Outlook and Internet Explorer by the names they well deserve. It's unfortunate to see that Mozilla is also stepping in the same direction with those one-click installable extensions. The only way to reduce viruses, worms and takeovers on end-user PCs is to make executing stuff that comes from the Internet more inconvenient, so that the user is forced to think before actually doing it. A dialog pop-up with Yes/No buttons is certainly not enough.

    As for e-mail forgery, the only solution is common sense and I do not see that changing in the long run. It is perfectly possible to forge a "real" letter sent by a bank by simply putting a logo on top that is usually freely available from the bank's web site. The only working idea to combat this is the use of hardware tokens. If someone steals your keys you can't get into your house yourself, so you must be aware that they were stolen. With weak electronic IDs like passwords and credit card numbers this is not the case.

    Here in Estonia we have very strict online banking security. You have PIN codes as well as a separate code card that includes 30 rotating passwords (the system prompts for them once in a while), and this is the weakest model possible, which only grants you transactions up to about 3000 USD per day. Anything over that and you must use a PIN calculator.

  12. Anonymous -- 22/07/04

    My Norton firewall/AV combo is already set up to block and flag anything dubious occurring. Doesn't everyone do this?

    Also if OSes were inherently more secure (as some of the, err, less populist ones already are) we wouldn't need to make routers and cable modems more complex and expensive, and it wouldn't matter how each computer was attached to the net. Network security should be as fundamental as memory protection, and then this kind of thing wouldn't be an issue.
