I’m sitting in the Inaugural Cybercrime Conference of the Cambridge Cloud Cybercrime Centre, and will attempt to liveblog the talks in followups to this post.
The first speaker was Mike Hulett, who heads operations at the National Cyber Crime Unit at the NCA; although the unit only has 5% of their budget (and 220 people out of 4000+), cybercrime is now 53% of the total. Most of the time and effort goes into dealing with banking Trojans; DDoS is moving up the agenda as the banks find it harder to deal with; then there’s ransomware, facilitated at scale by bitcoin; then there’s network intrusion, some of it linked to espionage. Dark markets enable the emergence of virtual crime groups whose members don’t know each other in the real world, which makes policing harder. Things to worry about in the future range from Scada to the Internet of Things more generally. The main difference from traditional policing is the range of people the NCCU must work with. What might academia add? The NCA wants to be seen as a graduate employer of choice. Research questions include the cost of cybercrime, pathways into cybercrime, links to mental illness, and means for suppressing the marketplace. Future operations might include mitigation at scale, such as by helping clean up botnets.
Alice Hutchings described the database she’s been compiling of reported cybercrime offences in the UK. There were 456 entries from 1 Jan 2010 to 30 June 2016, of which 286 are finalised (sentenced or awaiting sentence) and 16 dropped or acquitted. 85.8% of offenders are male, where sex is known; 57% of offences used technical methods; fraud was 32.2%, 27.25% were breaches and 24.5% malware; there was an age correlation, with teens doing DDoS while fraudsters tended to be in their early 30s; only 18.8% of offences were related to the workplace. Police offenders are disproportionately represented as it’s policy to prosecute them. 82.5% of prosecuted cases had no international aspect, which may also reflect bias by investigators and/or prosecutors. 37% were sole offenders, with the proportion increasing over time (to 51% in 2016). 64.2% of convicted offenders got a custodial sentence, averaging 3.5 years.
David Wall surveyed academic cybercrime research. The actual policing is in a confused state; every officer gives you a different story. But we’re starting to challenge the weather reports from umbrella manufacturers. Above all there’s a reassurance gap: the threat talk creates expectations that the police can’t meet, and there have been only 400 prosecutions under CMA in 25 years. The high-profile consumer organisations are driving policing to Internet bad behaviour rather than computer misuse. A growing problem is crime aggravated by social media abuse, such as online breaches of restraint orders by former partners, auction frauds and dating scams. These are adding to local police workloads, and we don’t understand the dynamics yet. And then there’s sexting! Closing the reassurance gap is hard (vetting, senior-middle management expectations gap, staff turnover, incompatible data systems, varying interpretations of counting and prosecution …). It’s hard to turn tactical data into information that can be used strategically or for social science research.
Mike Levy discussed the definition of crime. Why was Volkswagen not prosecuted for international organised crime? And what about the large-scale mis-selling scandals? There seems to be a principle of “de maximis non curat lex” (the biggest crooks go unpunished). One of his jobs is trying to improve fraud and e-crime data; the NFIB figures are mostly plastic crime, and are the reported ones. There’s a long tail of diverse fraud types with varying degrees of cyber involvement. The political question vexing the Home Office and the Office of National Statistics is the worry that the fall in crime over recent years is actually just a move online, which calls into question the legitimacy of the crime statistics. What about mass-marketing frauds, of which there were 800,000 victims in 2012? Who’s going to do something about this – the police? The Met’s priorities are the DCPCU which deals with payment fraud, and the Falcon mission to reduce the harm caused by fraud and cybercrime in London. But feeling safer and being safer are different; do we end up with reassurance policing? What’s the criterion for success – it seems to be visiting a website once! And is the DCPCU model of getting the private sector to pay for specialist police units the right one? The politics of international opportunity reduction are hard. The Met commissioner’s comment that banks should stop refunding victims of fraud was, to put it mildly, controversial.
Adam Bossler has been studying police perceptions of cybercrime in England and Wales. In the USA, local police forces try to push cyber up to state or federal levels; there’s little outcry compared with violent crime, it’s hard to maintain a capability, and people get their money back from the credit card company. It’s also at or near the bottom of their priorities compared with being a first responder. Adam emailed sergeants, constables and CSOs in 36 UK forces and got 2,834 to complete a web survey. The model respondent was 25–34 with 10 years’ experience. Officers largely see online crime as different, rather than traditional crime with a computer, but that traditional offline crime now often has a digital element; they agree that digital evidence can be a feature of all crime types; a large majority (85.6%) agree that online crime is serious, and 70.7% that online harassment is more serious than the traditional variety. 66.8% see stealing £100 online as the equivalent of pickpocketing £100, but bigger majorities agree that the community doesn’t recognise the threats or the risks and slightly fewer that victims are careless. Most had heard of spam, spyware and phishing, but most hadn’t heard of DDoS. Only 41% were fairly or very confident in their ability to respond to online fraud; 56.4% said that online crimes should be dealt with by a specialist unit.
Nicolas Christin’s topic was Beyond Silk Road. Anonymous online marketplaces based on Tor hidden services and bitcoin were pioneered by Silk Road but have proliferated since it was taken down. Nicolas has been monitoring them since late 2011 when he started crawling the Silk Road website; quite a lot of information is available, such as the buyer feedback which is typically mandatory and world-readable. Between February and July 2012 over 20,000 items were offered (over 90% of them drugs) and over 180,000 feedback comments posted. About half of the items vanished within 19 days, suggesting most sellers don’t have much stock; but the number of active sellers doubled to about 600 in that period, their lifespan being a bit over three months. Daily turnover grew from just over $20k to about $50k; so the revenue in the first year was maybe $15m and the operator’s revenue about $1m (it took 7% and offered escrow and hedging services). This was basically an insurance and financial services company, selling risk management. After the operator Ross Ulbricht was arrested on September 23 2013 (by which time he was turning over $300k a day), a number of competitors emerged. From 2013–15 he’s been trying to scrape multiple dynamic marketplaces, and that’s harder; for the details, see his publications. For example, Operation Onymous didn’t make a huge difference to overall volume. A good three-quarters of the goods sold are recreational drugs, mostly weed and ecstasy. Validation of their analysis comes, inter alia, from cross-validating their estimates of volumes and values against trial proceedings. It’s still less than the $150m of prescription drugs that Canadian pharmacies sell every year.
I then spoke on “The Fraud Telescope”: fraud victims find our publications and come to us with their tales of woe. Many of our publications on card fraud and online crime over the past ten years have been at least inspired by this constant flow of intelligence about the latest tools and methods.
Tyler Moore’s topic was a scientific approach to fighting web-based cybercrime. He started with web redirection attacks. A common modus operandi is to compromise a website and inject code that will redirect visitors interested in (say) drugs to an illegal sales site, while responding to crawlers by returning the original content. He searched for pharmaceuticals and then visited the sites directly to see if he got redirected. Almost 40% of the results were actively redirecting to other websites. The various search ranking changes by Google, and search encryption, had at most small transient effects. The median time to clean up compromised websites has reduced from about four weeks to about two, but as cleanup became quicker, the number of hacked websites went up. What about mitigation? They found that malware URL notifications basically worked only if they were full and detailed. They also did a case-control study of which websites got hacked; their search redirection dataset plus data from PhishTank and APWG showed that the content management system matters; WordPress and Joomla sites were much more likely to be compromised, and, curiously, more up-to-date versions were more likely to be hacked, and the same went for plugins.
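The measurement method Tyler described (fetch each search result once as a crawler would see it, once as a visitor would, and flag the ones whose destinations differ) can be written down as a small classifier. The code below is an added illustration, not Tyler’s or the conference’s own tooling; the fetch records, hostnames and the `detect_cloaked_redirects` helper are constructed here, and the fetching itself is assumed to have been done already.

```python
import re
from urllib.parse import urlparse

# Constructed sample fetch records (hostnames are made up, .test TLD).
# Each URL was fetched twice: once with a search-engine crawler identity,
# once as a browser arriving from a search result page.
SAMPLE_FETCHES = [
    {"url": "http://gardening-blog.test/cheap-meds",
     "crawler": {"final_url": "http://gardening-blog.test/cheap-meds",
                 "body": "<html>Our blog about gardening</html>"},
     "visitor": {"final_url": "http://illegal-shop.test/order",   # HTTP 302 followed
                 "body": ""}},
    {"url": "http://honest-pharmacy.test/catalogue",
     "crawler": {"final_url": "http://honest-pharmacy.test/catalogue",
                 "body": "<html>Catalogue</html>"},
     "visitor": {"final_url": "http://honest-pharmacy.test/catalogue",
                 "body": "<html>Catalogue</html>"}},
    {"url": "http://parish-news.test/archive",
     "crawler": {"final_url": "http://parish-news.test/archive",
                 "body": "<html>Parish newsletter archive</html>"},
     "visitor": {"final_url": "http://parish-news.test/archive",   # no HTTP redirect,
                 "body": "<script>window.location='http://illegal-shop.test/x'</script>"}},
]

# Client-side redirects injected into the page body are caught here; HTTP-level
# redirects are already reflected in final_url by the (assumed) fetcher.
JS_REDIRECT = re.compile(
    r"""(?:window\.location|location\.href|location\.replace)\s*(?:=|\()\s*['"]([^'"]+)['"]""")

def registered_domain(url):
    """Crude eTLD+1: last two labels of the hostname (good enough for a survey)."""
    host = urlparse(url).hostname or ""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def destination(fetch):
    """Where a client ends up: a JS redirect target if present, else the final URL."""
    m = JS_REDIRECT.search(fetch["body"])
    return m.group(1) if m else fetch["final_url"]

def classify(record):
    """'cloaked-redirect' when the visitor lands on a different domain than the crawler."""
    crawler_dest = registered_domain(destination(record["crawler"]))
    visitor_dest = registered_domain(destination(record["visitor"]))
    return ("cloaked-redirect" if visitor_dest != crawler_dest else "clean", visitor_dest)

def detect_cloaked_redirects(records):
    """Map each surveyed URL to its verdict and the domain a visitor would reach."""
    return {r["url"]: classify(r) for r in records}
```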
Maciej Korczynski described the “Clean Netherlands” project whose goal is to rid .nl of child sexual abuse websites and cyber-criminality generally; currently it has about 3% of the total. He’s been analysing AS badness against the observed IP space in passive DNS, against the number of unique second-level domains, and also measuring the uptime and recurrence of bad domains of child abuse material in particular. Hosting providers suggested that he look more deeply at the aggregators and resellers further down the food chain. Further work will be on which measures work best: client screening, automated abuse handling and subscription to abuse feeds.
The last speaker of the event was Richard Clayton, the new Cambridge cybercrime centre’s director. In 2007, he and Tyler Moore analysed the Rockphish gang’s fastflux system which forced defenders to remove domains rather than individual machines. This taught that banks underestimated average takedown times as they didn’t share data with each other. It also taught that datasets are bigger than you think, biased, proprietary and full of errors. If you don’t understand scale then you’ll be swamped. It also taught that cybercrime wasn’t repeatable. Hence the new cybercrime centre will aggregate cybercrime data and make it available to other academics, subject to a number of licensing and confidentiality conditions: data suppliers don’t want us giving data to customers who currently pay for it; many data sets are contaminated with personal information; and nobody wants the bad guys to be able to reverse engineer where the sensors are. So the data cannot be open data. However sharing it within a closed community will enable researchers to get started much more quickly, and it will also enable the work to become scientific in the sense of being open to others repeating, refining and challenging it. The outcome should be that a lot more of us work on cybercrime.