The Hidden Problem with Easy Cybercrime
There was nothing shocking in a recent Computer Weekly article on the top UK cyber threats: Banking malware, DDoS, ransomware and CEO fraud. One quote did catch my eye. Mike Hulett, head of operations for the National Cyber Crime Unit was talking about how people get started in cybercrime.
“For just $10 of software, teens who would not otherwise commit a crime can set up a DDoS for hire business..."
Turn-Key Crime Online
Think about that for a moment.
Someone who would not otherwise be interested in committing a crime can easily start an online illegal enterprise that can target victims all over the globe. With next to nothing, they can begin down this path. The subsequent rewards are significant enough to keep them motivated to continue. Thieves don’t quit when they are making money. It all goes back to the Greed Principle.
In fact, we are seeing similarly low entry points for Ransomware-as-a-Service (RaaS), where culprits are basically using an established ransomware infrastructure and simply trying to get people to install a file or visit a malicious site. No technical or programming skills are needed. They just need to post or send emails with a malicious link or infected file. If they can lure unwary victims to click a URL or open a file, they have an opportunity to make money. The ransomware developer, which hosts all the back-end infrastructure, takes a percentage of the profits. The recently discovered Satan ransomware redirects 30% of the profits to the developer, while the criminal keeps the rest.
The Emerging Problem
This is a growing nuisance today, but you may not be seeing the long-term picture. Imagine 2 billion more people joining the Internet in the next few years. Many of the newcomers will be economically underprivileged. They will be hungry for ways to make a living, even if it is just a few dollars a day. With ransomware extortions in the hundreds of dollars, they don’t need to be successful very often.
Do you see an emerging threat now? Millions more people turning to crime when they are connected to the Internet. This will create a flood of attacks that target people all over the globe in creative ways. This problem is going to get worse for all of us. Much worse. The economics are just too compelling.
Interested in more? Follow me on Twitter (@Matt_Rosenquist), Steemit, and LinkedIn to hear insights and what is going on in cybersecurity.
This brings up anonymity.
These cyber-criminals will use anonymity tools to commit the crimes, launder the proceeds, and to get way with it.
Yet anonymity is one way for the individual to protect himself from tyrannical government.
Another consideration is that terrorists can also use these methods to communicate and conduct operations.
To make this more interesting, TOR was created for the specific purpose of protecting the anonymity of US intelligence assets; the more people that use TOR, the more anonymous the user.
So there is this dance of government vs citizen, government vs criminal, government vs terrorist, and criminal vs citizen.
I have posted and removed material from my reference library several times because I wanted the material available to privacy seekers, and yet was afraid it would be used for malfeasancant acts.
The best solution is for everyone that does not want to be victimized by cybercriminals is to learn the basics of cyber security, and to protect themselves.
Due to the dance of the anonymity influences, government solutions to the problem may be hard to come by, or even counter productive.
Technology, including those which promote privacy, are simply tools. Tools can be used for good or harm. We must understand and accept this fact as we create them. You cannot control others or how they may misuse tech. It is a difficult dilemma in some cases. Let critical thinking guide and your conscience decide (my 2 cents anyways). I am a huge fan of tech and firmly believe it will continue to revolutionize mankinds existence, but am also a realist in the risks it brings at the same time.
What are your thoughts on illicit autonomous agents? These can be developed today.
My thoughts: autonomous agents are just tools. They can be used for good or bad. Illicit ones are obviously for malicious acts, therefore they undermine the benefits of technology. They represent a threat, potentially an agile and capable one.
However, the fact they are autonomous does not inherently make them good or bad. It is the people that configure and use them that represent the core of the problem.
All attacks can be traced back to a person, the "threat-agent". Knowing your enemy is vitally important. Sun Tsu said it in the Art of War tome many years ago and it is still true. This is what we focus on in our think-tank when discussion threat agent risk assessments.
Cyber criminals have no additional abilities which haven't existed prior to cyberspace. Hawala has existed for a while.
The issue today is automation of crime in my opinion. A lot of criminal activities such as ransom or extortion can be automated in ways we cannot deal with politically, socially, legally or professionally.
References
The base motivation of threat-agents don't change (ex. greed, lust, financial gain, revenge, etc.). In fact, they likely have not changed since the dawn of time. Crime has occurred since then as well, but has largely been limited to availability of targets and objectives. A pickpocket is limited to the number of people in his area. Home burglars, the same. Then there is the element of time. It takes time to rob a home, therefore only so many people can be victimized in one night.
Modern technology changes the game. One attacker is not limited to his/her community, rather they can reach out to billions of potential victims. Same for the speed of attacks. Many attacks can occur simultaneously across a vast number of potential victims. So the scale has changed with tech. Now there are other factors as well (impact, positive-reinforcement, deterrence, etc.) that we can talk about later.
I think the risk you have with autonomous agents is that states can now sponsor it in such a way as to facilitate funding for their own purposes or to spy on others. I see no current defense against state sponsored autonomous agents which facilitate illicit activity.
Nation states are already well funded. They don't need to expose their work in such ways. They tend to focus on achieving an objective which is identified by higher-ups.
There are 29 known governments (as of 2016) that have offensive cyber operations. But this is really no different than the intelligence agencies which operated during and after WWII. They were well funded too. There is a difference between what a group 'can' technically do and if they 'will' do it.
For the most part, and I know most of the conspiracy theorist don't want to hear this (go ahead and flame me for it), but they simply don't matter enough to even be considered, to be monitored. The average citizen, assuming they are basically law abiding, are boring to these spy groups. They would rather watch sea otters mate on the Discovery channel, than conduct surveillance on boring people.
Yes, they could bug your cereal box, but would literally laugh if someone proposed it. ...and yes I know a few people in those agencies as well. Have shared beers, meals, and met their families. They too are just people trying to protect the country and our citizens. They don't have secret societies or malicious agendas, other than their kids soccer team strategy. They don't hold secret meetings unless you count poker-night with the guys. ...and when they do play poker, they talk trash about other government agencies (just like non-government folks do).
They watch the news in horror just like us, when something bad happens. Then they think "could we have somehow stopped that" (just like the rest of us). Then they go to work and focus on making sure bad things don't happen again. Bug average-Joe? Nope. (laughter) They have real threats to try and understand, track, and prevent them from hurting our citizens anywhere in the world.
Nation states are well funded but their deniable operations require funding which comes from illicit sources. Of course I'm basing this on assumptions and expectations on what states will do based on what they've done previously.
Some states particularly are under sanctions so they can't get as much funding from taxes as others. Other states are doing covert or clandestine warfare and don't want their citizens to follow the money. Cyberspace introduces an area where state sponsored individuals can operate with impunity. I don't think there is a need for conspiracy theories either because if they can do something and there is no deterrent it is most likely that they will.
So what could happen? It could be indiscriminate such as the case here: http://www.computing.co.uk/ctg/news/2416521/did-hacking-team-sell-software-to-plant-child-porn-on-suspects-pcs
I think the mistake you are making is assuming every intelligence agency and every intelligence agent is on your side. Some inevitably must see you as the enemy if there is warfare happening in the world. The intelligence agencies which are foreign, which see US citizens are targets, have no reason to have the restraint you speak of.
I would agree with you if you're talking about for instance NSA/CIA/FBI or other American agents. In this case there are laws specifically to forbid them from spying on American citizens. There is no law and no way to enforce as far as I know to prevent North Korea, Russia, China, Iran, or a whole range of foreign agencies from spying on US citizens. So depending on where in the world you happen to be at a particular point in time then you have to worry about different agencies targeting you but this doesn't mean they aren't. Cyberspace in particular changes things because hackers can be located anywhere on the planet and so the borders are pretty much meaningless.
Again while I don't have any specifics and most of my opinions are based on assumptions, I would assume that the governments mentioned will do anything they can get away with.
excellent point in bringing up Hawala; however, those are trust systems that require an "in" with the group.
privacy tools allow the cybercriminal to be anonymous in attack and transference of funds; they allow the cybercriminal to make attacks to the level of his own ability w/o needing to collaborate with other criminals or to join criminal networks. Even when the cybercriminal needs access to the black market to buy his tools, privacy tools can keep his identity secret.
don't get me wrong. I am all in favor of the average man having access to privacy tools; the ability to keep your own actions protected against potentially oppressive State actions...or even to go Galt...is a pro that outweighs the dangers presented by cybercriminals.
but it makes it all the more important for the average man to know how to protect any assets that can be reached via the net
Believe it or not, these cryptocurrencies are also trust systems. You still trust the developers, the compiler for instance may not be verified to compile the code for something even as important as Steem yet people put complete trust in compilers they did not compile themselves, run code they did not compile themselves, trust source code they cannot read themselves.
So this is still a trust based network. The point is people who use Bitcoins are willing to trust the cypherpunks more than they trust the federal reserve. The people who use Hawala trust their people more than the officially stamped process.
very true, but the difference in the Hawala system is that you have to know somebody in the network for access, while TOR is a download away ;)
Hawala is much more impervious to signals intercept, though. Neither LE or any intel agency is going to bust a transfer via Hawala, unless there is some HUMINT, or unless the Hawala operators havent set up decent comm security. Most crypto transactions can be tracked, especially BTC, IF the BTC user doesn't take some additional steps.
Crime in general has always been easy because the resources of law enforcement are finite. Also to increase the resources can actually create new risks which can express itself in tyrannical fashion depending on the checks and balances in place.
Agreed. But also consider there are other ways to control crime. Consider deterrence, strong cultural standards for ethical behavior, and the ability to dissuade. All can be done with or without law enforcement. The people I know (and support) in law enforcement are good people. I know many and their families. Although there are some bad ones out there, almost all the ones I have met were people trying to protect their community. Nothing more. They do play a crucial part of keeping crime down, but we as the citizens of the community also have a role. It would be very poor of us just to sit back and expect them to do all the work. The very word community means we should all be working together to make society a better place.
I agree with most of what you said. I think what civilians not in law enforcement can do is in the area of deterrence by the developing strong cultural standards, and in the case of blockchain technology it's captured in the ability to track reputation. In my opinion a lot of people care about honor, reputation, status, prestige, and this is a common element of human psychology where a human wants to be respected or loved among their peers is what really sets social rules in place.
On the topic of law enforcement, of course if you're closer to law enforcement due to your job you are going to form friendships. This in some ways can give you insights onto the current sentiment and thinking of law enforcement but at the same time it can bias you in favor of law enforcement if you're in a position where you have to be neutral. So my personal stance is it doesn't matter what a person's profession is, but what does matter is whether or not they are a friend to me.
The technology we have here with cryptography, blockchains, smart contracts, can reduce the load on law enforcement by providing an enhanced technological means of producing security. The common goals are the same, in that many people who develop blockchain technology want people to be safe or to protect rights by the software or social mechanism of doing so. In the case of cryptography and blockchain technology this is produced by mathematics, by logic, by algorithms, etc.
On the topic of cyber crime in specific we have a more complex problem because not every criminal is part of the same community. The Internet is global and cyberspace has barely developed the mechanisms to support a truly global community. There are efforts to bring this about in the form of virtual governance, or blockchain governance, or even technologies such as Steemit, but not everybody is on Steemit.
The issue in my opinion will be that there are more ways to attack than to defend technologically speaking. Traditional law enforcement is helpless to protect people from the sophisticated cyber attacks or even the unsophisticated stuff. The attackers might not be in the same country, speak the same language, or have the same culture, in which case the main mechanisms which deter people in a certain community might not actually work.
Do you have any specific ideas for what ordinary people can do to protect themselves and each other from the simple yet hard to prevent cyber extortion plots? The fact that there are these anonymous cryptocurrencies actually may facilitate these sorts of plots and I don't see any obvious way a community can defend itself from it.
My short answer (because I am crazy busy today, but I do love this topic and we should definitely continue it later!):
I believe technology is great. It can connect and enrich the lives of everyone on the planet. It can drive efficiencies which free up resources to push society, business, and innovation forward. But it also brings risk. Tech is just a tool.
For citizens, I think we can/should do 3 things: