I’ve written about the growth of cyber-crime over the past few years and the vulnerability not just of financial institutions and related financial infrastructure but of corporates, from multinationals all the way down to SMEs. For example, I heard last week of one small provincial business which suffered a ransom attack. The criminals demanded a 500 GBP payment in Bitcoin or Bitcoin equivalent to unfreeze their network. These pernicious attacks are small, frequent and, given their size, below the radar of law enforcement. Further up the corporate ladder, annual losses are very substantial indeed. Rio, for example, are alleged to have lost $800m after being hacked by the Chinese, allowing them to gain an advantage in the annual iron ore negotiations. The threat is very real at all levels and is growing to uncontrollable proportions. The police are way behind the curve.
The defence team is moving quickly, just not as quickly as the bad guys. The government is making it clear that companies have to up their game and take responsibility for their own protection. Certainly, an 'it'll be all right on the night' approach or an 'it's an IT thing' attitude is taking a disproportionate risk for the company, one that would be unacceptable in any other part of a company's operations.
Down in the Dark Web (which forms part of the Deep Web, that part of the web not indexed by search engines), there are active and growing communities of cyber criminals. We learn from the excellent Krebs on Security blog that there are active markets in cyber specialists and in data about corporations, including their systems and resources. Think of it as an eBay for data breach targets. An example above, Enigma (shut down when the administrators feared they had been penetrated), shows requests from March to June for information pertaining to HSBC, Citi, Air Berlin and Bank of America.
The bids for information come at many levels, from access to specific servers to internal corporate passwords. They also include names of insiders who might be vulnerable to recruitment by criminals. Obviously, some sellers of information will be disenchanted insiders (80% of breaches are caused purposely or inadvertently by insiders). In the screenshot above you can see requests for information on more companies: Cisco, William Hill, Wells Fargo and Bank of America again.
The piece above appeared on a forum called ‘Gentlemans Club’ in June, asking for ‘data and service’ just three weeks before tens of millions of accounts were compromised. (My theory is it wasn’t a criminal but a driven husband or wife bent on destroying the cause of their marital breakdown!)
These forums are tightly controlled. New entrants require vetting and non-refundable deposits paid in Bitcoin or a similar virtual currency. Inactive members, i.e. individuals who do not engage in active illicit trade, are thinned out. The problem for law enforcement is that these forums allow aspirant hackers to test and/or augment their skills and get a few rungs up the naughty boy ladder with ease and anonymity. The pool of bad guys is therefore a fast growing one. They are also geographically agnostic. That is, an attack could be planned in the US, initiated by for-hire criminals in Eastern Europe against a UK company, for the end benefit of a South African paymaster. The bad guys range from sovereign players and criminal gangs, through the spotty dislocated teenager, all the way to the disgruntled current or former employee.
The full range of attacks that you will have read about are available, but there has also been a steep rise in requests for information about individuals. These range from huge databases right down to single individuals in companies and organisations. Some of the large data grabs may be scrubbed, repackaged and reformatted and then resold as legitimate market research data. The problem for the ordinary decent public here is that they may be scored by credit / insurance / medical companies using flawed data. The requests for data on individuals, meanwhile, could lead to blackmail attacks, recruitment attempts or a straight attack to embarrass and discredit for whatever nefarious reason you can imagine, because that is in fact the scope and scale of what is out there. Moreover, social media often provides an easy entry point into companies through the profiles of corporate officers.
The world is changing very quickly indeed; we all need to catch up in our awareness. It’s not just a ‘thing for the IT guys’.
Of course, there is an answer to all this.
I did not note the name, but a top computer expert at one of the defence agencies in the US (about 15 years ago) had the following advice to avoid cyber-crime:
1) Do not own a computer.
2) If you own a computer, do not turn it on.
3) If you turn it on, do not use it.
My preferred option, though, is this: the Harwell Dekatron (renamed WITCH) computer, which is in fact the world's oldest digital computer, and I bet the smart arsed Tesla driving geeks in Silicon Valley don't have one. Let the buggers try and hack this puppy; made in the days when Made in Birmingham meant more than just spanners and car exhausts.