The new face of cybercrime

Most spammers do not intend to sell. All they want is to "phish" your credit card number. Messages now zip around the Internet purporting to come from trusted companies and asking you to "verify your account." The victim is taken to a Web site that looks genuine but is run by a fraud ring. Besides the direct loss from the stolen card numbers, this fraud damages confidence in Internet security.

This is the new face of cybercrime. Whereas hacker vandals once coveted bragging rights, professional hackers have profit in mind. What's more, they are considerably more determined and have better resources than vandals. A new approach is necessary, and we must unlearn some of the lessons drawn from hacker vandalism.

Conventional wisdom has it that a system is only as secure as its weakest link. Hacker vandals instead concentrated their efforts on compromising the parts of the system that were the most difficult to break. That's where the bragging rights were to be had.

But latter-day professional hackers are not too proud to attack the weakest link in the system. Why spend months beating your head against the ring of steel constructed by a top security architect working for a major bank? That method doesn't make sense, when you can find customers who will just tell you their account number and password if you ask in the right way.

E-mail provides the gap in the ring of steel. Even though practically every e-mail client is capable of sending and receiving secure e-mail, these features are rarely used. Why bother, when the hacker vandals consider e-mail forgery beneath them? Phishing fraud creates the need for secure e-mail, but we cannot simply wait for the world to agree on that point.

We must design e-mail security for everyday use by real users, not occasional use by experts. When a real letter comes from my bank, it is printed on letterhead with a prominent bank logo. We need an e-mail security solution that shows the difference between genuine and fake e-mails with equal simplicity.

The Internet Engineering Task Force's MARID working group is currently considering Sender-ID, a simple proposal for e-mail authentication. Computer security specialists have often dismissed schemes of this type, arguing that an expert user could in theory circumvent them. But a professional spammer has no use for a security vulnerability that only works for a limited time and allows a limited number of messages to be sent. Such a vulnerability is not profitable.

Another example of the different approach required is the reverse firewall. A traditional firewall is designed to stop attacks from the outside coming in; a reverse firewall stops an attack going out. This precaution reduces the value of recruiting your home computer as a member of a "botnet," a group of "zombie" machines hijacked to distribute huge amounts of fraudulent e-mail or launch denial-of-service attacks without being traced directly.

I would like to see reverse firewalls embedded in every cable modem and wireless access point for home users. Normal users have no need to send out floods of e-mail, which reverse firewalls can stop, but they do allow a normal flow of e-mail.

Part of the VeriSign Anti-Phishing Solution is a service that tracks down the sources of phishing attacks and asks the Internet service provider to shut them down. This is not the type of service that VeriSign would have considered offering five years ago.

Traditional law enforcement techniques are a poor match for hacker vandals seeking thrills. The result often feels like playing "whack a mole," the carnival game that requires the player to smack mechanical moles quickly and repetitively with a mallet.

The professional hacker rarely tires of doing the same thing until it stops making a profit, establishing an identifiable modus operandi. The tools used, the targets chosen, the zombies exploited and the language used all combine to provide a detailed profile of the perpetrator. One long-term aspiration is that by combining data from all the information sources we manage -- payment services, firewalls and DNS (domain name service) infrastructure -- we may uncover future attacks and their perpetrators before they occur.

The rise of the professional hacker is certainly a cause for concern, but it is also a challenge and an opportunity -- one that I and many other security professionals intend to rise to meet.

biography
Phillip Hallam-Baker is principal scientist at VeriSign.