I’m at the Cambridge Cybercrime Centre’s Third Annual Cybercrime Conference. I will try to liveblog the event in followups to this post.
Dave Jevans started the cybercrime conference with a talk on his work on cryptocurrencies. He started tracking cryptocurrency valuation against security incidents in 2011, and until 2016 every price dip was associated with an incident, typically an exchange hack. By the beginning of 2018 there were 1500 coins listed on exchanges, of which he tracks several hundred. Even at £5000 per BTC it’s been a good investment over the past year and there’s plenty of liquidity; there’s been $4bn invested in cryptocurrency startups, quite apart from money raised by ICOs. The first unicorn was Coinbase; Binance is the second biggest, having started on June 6 2017, and was worth $1bn within nine months; now it’s at $4bn and moving to Malta. In 2016 he started working on ransomware, finding 10,000 victims and tracing their ransom payments. (They all went to BTC-e.) The Locky ransomware looked Russian anyway, using much the same code as bank trojans; the guy arrested last year had laundered $4bn from various scams. Bitcoin is used to pay for the criminal infrastructure, though Monero is catching up. In addition to high-yield investment programs, the scammers are now running “mining operations” that pay 1–3% return per day out of the next investors’ money. The SEC says there’s a thousand or more, and Dave is working on a case where investors lost $50m. The next crime pattern is guys going after startups who’ve taken lots of money via ICOs: Tether, parity wallet, veritasem and coincheck are among the victims, with coincheck losing $534m; attacks include spear phishing, phone forwarding and the other usual tricks. MyEtherWallet was hacked when their DNS got phished. The fake MyEtherWallet was app no. 3 on the iPhone app store for a while. And then there’s the cryptominers that take over gazillions of computers to mine Monero.
Another issue is the 260 people selling second-hand Trezor wallets on eBay; it’s open-source, so it’s a one-line code change to compromise the private keys of all subsequent owners. One trojan had 600,000 bitcoin addresses and substituted the one closest to the address you really wanted to pay. And Google lets coinmixer.se pay for money laundering ads! The serious money launderers might use shapeshift, which lets you swap one cryptocurrency for another with no KYC.
In questions, where are the launderers going now that BTC-e is gone? Some to Binance, while some had guys just use a lot of accounts in different countries. Where’s the fiat money coming from? – investors, from mom and pop to Goldman Sachs. Maybe $100bn of real cash has gone into the system.
Gareth Tyson was next, talking about movie copyright infringement. Ten years ago people used bittorrent; now people use cyberlockers such as clips.com connected via streaming links to indexing sites such as putlocker.is, watchseries.gs and vodly.cr. Gareth collected 800,000 unique URLs and found that live links lasted longer for old films, presumably as enforcement people care less about them. There’s a lot of website churn, so who’s setting up the sites? Looking at website design and shared google analytics IDs, there appear to be three or four clusters using seven hosting providers, and the sites are full of ads; a third have coinhive cryptomining too, which often stalls the video. Two network providers (M247 and Cogent) account for most of it and there are geo hot spots with Romania having 44% of links. gorillavid.in is the most popular with users and gets the most complaints of infringement; it plus two similar sites daclips.in and movpod.in get half the complaints, while openload is the up-and-coming contestant. (It acts on all complaints while others don’t.)
Weulen Kranenbarg has been comparing cyber-dependent offenders with the traditional variety, wondering whether the crime patterns were similarly dependent on stage of life, other personal and situational factors, social network correlations, and so on. She compared 870 cybercrime suspects with over a million traditional suspects over 2000–12 in the Netherlands; the stats have education, employment and family status; as with traditional offences, cyber offences were more likely when the suspect was living alone with few social ties. They were more likely to offend when working in IT, unlike traditional offenders, who are less prolific when employed. A large part of the population, victim-offenders, were risk-takers with some IT skills but low self-control; they are like traditional offenders, while the sophisticated operators are less so. There is a significant connection in deviance across social networks, but it’s weaker; mentorship among hackers matters, with crimes in clusters sharing modus operandi and skillset. Offenders said that intrinsic motives such as curiosity or “spreading the word” were more important than money. She suggests that prevention might focus on satisfying youngsters’ curiosity in legitimate ways, with mentorship from older ethical hackers and teaching ethics and skills at the same time. She also thinks about vulnerability disclosure; the risk of being prosecuted may be less if you exploit a vulnerability than if you report it. Hackers driven by curiosity might tend to exploit while those seeking peer esteem might disclose, so long as this isn’t just lost in a large faceless bug bounty programme. In short, the behavioural context is important.
Next was Daniel Thomas discussing ethical issues around research using datasets of illicit origin. He had to tackle this issue when using honeypots to measure DDoS traffic and cross-checking his results against leaked booter databases. Similar issues arise with botnet data, password dumps, classified data such as the Snowden and Manning leaks, and financial data such as the Panama papers. Using such material requires ethical review; his paper discusses the wide range of issues that need to be explored in order to justify research, and the things you need to think of in advance if you might inadvertently be exposed to national security material, indecent images of children and so on. He also analyses the justifications cited by security researchers in the past to justify using illicit material; the potential harms caused by such use; and the safeguards it’s reasonable or prudent to use.
The morning’s last speaker was Giacomo Persi Paoli who has been studying the role of the dark web in the illegal arms trade. He showed a video of what was involved in registering for an underground marketplace which has since been taken down. He’s done a series of studies of what’s available online, and for a study of illegal weapons he used Datacrypto software to scrape markets in late fall 2016 from 12 of the 15 markets allowing firearm sales. 42% of the items for sale were firearms with prices below UK street prices, where $1000 will get you an old revolver; online you can get a Glock. He estimates 136 sales per month for a total of $80,000; this will include scammers and law-enforcement purchases, but many real vendors (of whom 35 were arrested recently). The monthly value of drug sales is $12-16m per month. Looking at English-language markets, self-reported country of origin was almost 60% US, 25% Europe and 15% not disclosed. However over 90% of arms dealers are prepared to ship worldwide, while drug sellers usually ship locally. The scale thus isn’t big enough to fuel civil wars but is certainly enough to arm street gangs and worth trying to disrupt.
David Wall had the post-lunch slot talking about three projects: Critical on cloud cybercrime, Emphasis on ransomware and Takedown on terrorism. He’s been studying the complex cascades involved in offences with complex supply and support chains, and the second-order effects downstream. The word “ransomware” is starting to disappear as it’s seen as just another kind of hacking; there is no NFIB code for it, and it’s recorded as just another type of hacking. We are starting to see the emergence of narratives about “mafias”, and perhaps given the sums of money now being laundered there might be a niche for organised crime; however most cybercrime seems still amateur, and the underground forums are more Amazon than mafia. As for the crime / terror nexus, there still seems to be more talk than reality.
Jair Santanna was next talking about DDoS, tracing its evolution from early hobbyist days through script kiddies, the arrival of 4chan in 2003, booters by 2013, smart attacks against key facilities such as DynDNS in 2016, to real scale in 2018. He’s been investigating the booter ecosystem by recording relevant DNS queries on Surfnet, the Dutch academic network, and analysing 15 booters whose files fell into his hands. The top ones were earning $8000, $5000 and $2000 a month; the rest were much less. He paid 15 booters a total of €58 to do attacks; five did nothing, six used several thousand machines and the rest much less. Booter business perked up when they moved from PayPal to Bitcoin. He has a database of DDoS attacks to which researchers can request access.
Maria Bada works on profiling cybercriminals. There’s a lack of research applying theories of crime to cybercrime; and the stereotype of the nerd in his bedroom is wrong. Attacks are becoming more aggressive and organised, using extortion, instilling fear in victims. Modern profiling started at the FBI in the 60s/70s and started becoming more scientific 20 years later. Typically this involves demographics, the big five, the dark triad, psychological state, social interests and habits, linguistics, attitudes towards work, skillset and opportunity. Her model of insider threat follows Nurse et al; she discussed a number of case studies of what motivated specific offenders. Kids who drift in and out of various online and offline delinquent activities may not have a stable profile at all.
Sergio Pastrana has created CrimeBB, a database of messages posted on seven large underground cybercrime forums; this is available under NDA to bona fide researchers together with the crawler he created, CrimeBot. Linguistic analysis has been led by Andrew Caines, whose goals are to identify entities, classify posts and topics, and analyse sentiment. This is complex as the posts are in slang. Anyway, he uses unigrams for topic analysis, and has now applied this to over 10m posts, a quarter of the total. Sergio has started from 49 identified actors (mostly arrested) and done social network analysis outwards to correlate them and their colleagues with RATs, booters etc. In total, 249,000 users have been active since 2009. Key actors are clustered, having been spotted by h-index and logistic regression: over 300 are probably involved in cybercrime. There are 20 prolific market traders with lots of cryptocurrency transactions; there are 24 into hacking, who have little social impact.
And finally, Richard Clayton gave a plug for the Cambridge Cybercrime Centre, which curates a large and growing number of datasets on cybercrime and makes them available to researchers, so that data can be shared, results reproduced and research become more scientific. There are seven research groups signed up and a further six in the pipeline. We have five staff and are recruiting three more. We will be judged not by the number of papers we write but by the number of papers other people write using our data. To get access to our data, see here.