Post on 17-Dec-2015
transcript
Botnets beget
• Spam
  – Adverts for criminal / defective products
  – Phishing
  – Advance Fee Frauds
• Denial of Service Extortion
• All Things ‘Cyber-bad’
Cyber-Bad for Hire
• Hacking tools (commodity 0-day exploits)
• Stolen credentials
• Crime as Service
  – Spam
  – Botnets
• Unwitting Accomplices (mules)
  – Receiving stolen goods
  – Money laundering
Criminals extend reach
• Compromise systems during manufacture
  – PIN Entry Devices compromised during manufacture
    • Phone home with PIN data to Pakistan
• Criminal insiders
  – Blackmailed or bought prior to hire
  – US-CERT: 41% of incidents involve insiders
• Société Générale demonstrates €bn potential
Internet = Research
• Open Sources
  – AQ manual claims 80% of information is available
• Criminal Expert Sources
  – Who can tell me X for $100?
• Espionage
  – Find an honest expert, penetrate their machine
What is the problem?
• Banks
  – Cost of Internet crime
    • Direct Losses
    • Customer Service
    • Opportunity Losses
• National Security
  – Potential criminal profits
  – Potential sabotage damage
Are there solutions?
• Chip and PIN
  – Eliminated Card Present Fraud in Europe
    • Remaining attacks exploit legacy channels
• Why not in the US?
  – Different market structure
  – Anti-trust used to block changes
Anti-Crime Solutions
• Email Authentication
  – SPF, DKIM, Secure Internet Letterhead
• Web Authentication
  – Extended Validation, Secure Internet Letterhead
• Secure Identity
  – SAML, WS-*, OpenID, OATH, Identity 3.0
• Data Level Security
  – CRM Infrastructure, Open CRM
• Network Security
  – Reverse Firewalls, DNSSEC, BGP Security
  – Domain Centric Administration, Default Deny Infrastructure
Conclusions
• The threats are real
  – They are not necessarily Internet threats
  – But the Internet changes the game
• The threats are serious
  – They may not be “terrorism” as we know it
  – But they are worth caring about
• Criminal infrastructure is an ongoing threat
  – Some states are playing the privateer game
  – We cannot rely on international cooperation