Oh yes, Hollywood...
As in Swordfish, Sneakers, Firewall...
Assumptions about cyber-criminals are all wrong, according to a study that argues many fraudsters are middle aged and possess only rudimentary IT skills - contrary to the elite bedroom teen hackers portrayed in movies. The research, led by criminologist Dr Michael McGuire of The John Grieve Centre for Policing and Security at …
For me, the "hacker films" (_Sneakers_ et al.) aren't even the worst. What really gets me is the lazy use of the magic computer in procedurals and the like. Every time the writers find they've put themselves in a corner, or can't be bothered to come up with a real bit of cleverness for their characters, they resort to the magic box. We all know the cliches - "cracking" the encrypted data, "enhancing" low-resolution photos, and so on - but writers still lean on them in nearly every story.
And sometimes they try to introduce some computer-related plot element, and that's nearly always a disaster. The "programmer fingerprint" embarrassment in a recent episode of _Out of Sight_ (US drama about the Witness Protection Program) is just one example.
On the other hand, Hollywood has given us some fine portrayals of high-powered hacking, like the infamous _NCIS_ "two hackers to a keyboard" scene:
This is exactly how XP "pair programming" works, I believe.
I suspect that the El Reg readership are not representative. The story headline really ought to have said "everything *most lay-people* ever assumed about...". With that borne in mind, it does sound like it would be useful if the general public (and politicians) were better informed about who is behind cyber-crime.
Perhaps we could start by not calling it "cyber-crime". Most cases depend on persuading the victim to do something unwise, rather than the perpetrator being really skillful at breaking into the system. Therefore it is "fraud" or "confidence trickery" rather than "cyber-" anything.
... it's taken quite a bit of bitching before the gratuitous "hacker" labeling of anything criminal with the vaguest of computer connotations got toned down just a bit. There are quite a few industry rags that still are completely stuck in the relevant hollywoodisms, and as such the supposed informers of the mainstream can't be expected to do any better. Even here you see people believing that crims-with-computers are necessarily ten feet tall. The proliferation of "cyber-" lots-of-things merely means that awareness is slowly seeping into politicians' minds, helped of course by biggening up the threat by various agencies hard-pressed for moar budget.
So, while we like to think of ourselves as knowledgeable, are we? We already knew plenty of cops are not. As such, reports that don't obviously misrepresent the criminal demographic will be useful for quite a while to come.
As to what we're calling it, well, for now I'll settle for identical reporting compared to "the real world" with a simple prefix, even "cyber-", over what is currently still common practice. Take a close look about how such reporting is structured and you'll see what I mean. But yes, maybe we do need the reporting to focus more on what happened rather than the medium it happened in.
> many fraudsters ... possess only rudimentary IT skills
At least if cyber criminals (or, more correctly: criminals) were evil masterminds with a brain the size of a planet there would be some, not totally lame, excuse for the number of attacks, break-ins, hacks and pwns. But if they turn out to be only as bright as the average Joe, that doesn't put their nemesises (memesii?): the IT "experts" employed to keep them out, in a very good light.
The few times the police actually DO anything about cyber crime, we often hear that the perpetrator was highly-skilled, elite, an expert or genius. That obviously bigs up the skills of the person (a policeman 'natch) who caught them and puts them on a par with Sherlock Holmes fighting his (fictional) arch-adversaries. Now we're being asked to believe that isn't the case - so presumably the police's "experts" are at a similar level of rudimentary-ness in their IT skills: just a bit luckier in their "collars".
...the success of an exploit against a victim depends more on the gullibility and/or greed of the individual and the success of the criminal in making the offer plausible and attractive. Criminals have always known how to craft an 'offer' so that it is irresistible to a certain group of people.
The technical aspect just allows more people to be targeted with less effort and doesn't need IT genius. Eg: Nigerian 419'ers could use snail mail, but bulk email is much more efficient.
I'm sure the reason we only read about the 'elite' hacking cases is that those are the only ones that have any news interest. 'Police nab stupid bloke for trying to sell fraudulent stuff on eBay' isn't likely to make the front pages.
There is also the issue of readily available attack tools. As an analogy, a gun criminal doesn't need a PhD in ballistics - they just need an IQ large enough to know which end is the 'shooty' bit. But on the law enforcement side, you need a highly qualified forensics team to prove that a particular bullet came from a particular gun fired by a particular person if you want to prosecute a case. I don't see why cyber-crime shouldn't be subject to the same asymmetry of expertise.
Agreed, with the amendment that it doesn't apply to people actually talking about cybernetics, as defined by Wiener. A perfectly good coinage now nearly ruined by a horde of idiotic portmanteaux. I hold Clynes & Kline partly to blame for coining "cyborg", though they at least had cybernetics in mind; and more so Gibson, for the utterly vapid and unnecessary "cyberspace".
So if you can subvert the Windows Ecosystem (and that includes the likes of Adobe Flash and Acrobat Reader) by purchasing ready-made viruses, that means Windows security is indeed piss-poor.
Microsoft could do much more to improve *real* security, such as installing Admin and normal users and requiring sandboxing from all applications (and of course providing the sandbox infrastructure).
Instead, they suggest a virus scanner and otherwise let the average joe PC user be royally screwed. After all, only new features drive M$ sales. So fu$k security !
A box is as secure as its owner keeps it. Doesn't matter if it's Windows or Linux or Apple.
And if you'll recall MS /has/ done more to increase security. Although I disliked the OS with a passion there's no denying that they raised the bar quite high in Vista. However, /that/ resulted in people getting pissed off by all the UAC pop up messages ("Do you want to...").
Worse yet; some people simply disabled the whole thing to make things easier on them again.
UAC was/is the wrong approach. The assumption behind UAC is that privilege elevation can be made easy so there is no need to question why end-users are asking to raise privilege every five minutes. Psychologically, this simply trains users to click-through.
Privilege escalation carries risks. Therefore, it should not be easy. Separate accounts is probably the only safe solution on Windows.
Life on planet Linux is slightly easier. The "sudo" command can be given a fine-grained list of users and applications that are permitted, so if you have some particular use-cases that cause most of the elevation requests you can allow them. This wouldn't work on Windows because lazy third-party applications would simply add themselves to the list and lazy end-users would never review the list. Sad, but true. On planet Windows, both end-users AND third-party developers are the enemy. Microsoft don't stand a chance.
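As an added illustration of the fine-grained sudo list described in the comment above (this is an example written for this page, not the commenter's own configuration), here is a drop-in file of the kind that would live under /etc/sudoers.d/. The user names "alice" and "bob", the file name, and the choice of commands are assumptions; the blanket %sudo rule that ships on many distributions is shown commented out as the loose setting the targeted rules replace.

```sudoers
# Added example, not from the original thread. Assumed file: /etc/sudoers.d/ops
# Assumed users: alice, bob. Commands are standard Debian/Ubuntu paths.

# Loose setting found on many default installs: any member of the "sudo"
# group may run anything as root. Every elevation prompts, which is the
# "click-through" habit discussed in the thread.
# %sudo ALL=(ALL:ALL) ALL

# Name the handful of tasks that generate most of the elevation requests.
# Full absolute paths, no wildcards in arguments: a wildcard such as
# "apt-get *" would let the caller pass arbitrary extra arguments.
Cmnd_Alias PKG_MGMT    = /usr/bin/apt-get update, /usr/bin/apt-get upgrade
Cmnd_Alias SVC_RESTART = /usr/bin/systemctl restart nginx.service

# alice may only refresh and upgrade packages (password still required).
alice ALL=(root) PKG_MGMT

# bob may only restart one service, and may do so without a password
# because it is non-interactive and runs a fixed command line.
bob   ALL=(root) NOPASSWD: SVC_RESTART

# Anything not listed here is refused; it goes through a separate
# administrative account instead.
```

Check the file with `visudo -c -f /etc/sudoers.d/ops` before relying on it (a syntax error in sudoers can lock everyone out of sudo), and have each user run `sudo -l` to see exactly which commands they have been granted. The thread's point about third-party software quietly adding itself to the list is the reason the drop-in directory should stay root-owned with mode 0440 and be reviewed like any other privilege grant.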
Separate accounts won't work because at setup time you can usually only set up "for me" or "for everyone". Even in the UNIX world, it's a bit nontrivial to set everything up properly "for someone else" since each program does things differently.
As for UAC, you're looking at it the wrong way. The idea is to separate the ones you expect from the ones you don't. If you weren't expecting the UAC prompt, then you need to reconsider. Because even the most secure setup in the world won't stop a user running malware disguised as an installer (one of the few times privilege escalation is necessary, desired, and expected). Even Ubuntu packages and Android apps can be tainted (and no, you can't train everyone). Only iOS seems to stay clean, and THAT'S only because they take the "Big Brother" approach (think of the irony: the "1984" Mac commercial way back when).
I disagree with the notion that Windows is basically as secure as Linux. Only if you are an IT professional will you know about these issues and make sure they don't exist. Then, and only then, Windows might be as secure as Linux or MacOS X.
I really think that MacOS X and Ubuntu prove that an operating system can be made both user-friendly and secure. Microsoft will always value user convenience higher than security - that's what I infer from their practice regarding Admin accounts.
UAC is a pain in the a§§, as it requests the password way too often. Which is neither ergonomic nor fosters secure practices.
The lack of sandboxing and the lack of an appstore/repository are indeed a major security risk which have been created by Microsoft negligence. How much malware has been installed by users googling for "Skype" and then downloading the latest Skype+malware from Russia ??
The Windows Ecosystem is Windows plus all the programs typically used on that platform. Acrobat Reader, Flash Player, Photoshop, MS Office and so on. From a security perspective they must be seen as a whole, as almost all attacks first come in as a document for these programs.
Also, Adobe products are especially bug-ridden and therefore insecure. If you can come up with a better term, please post here.
Microsoft already offer these things, but it is convenient for end-users to bypass them.
They could try some arm-twisting (say, a system that locked the "Administrators" group out of %ProgramFiles%), but users would simply go onto the web and download a "handy utility" that "fixed the problem" and installed a botnet.
No operating system can be made secure if the local administrator wants to blow it wide open.
The problem is not Microsoft. The problem is millions of people who prefer to run a botnet on their machine rather than occasionally log in under a separate Administrator account. (I mean "prefer", by the way. Most botnets are sufficiently benign for the infected PC that its owner is *not* penalised for being infected and therefore *any* inconvenience involved in keeping the botnet out counts as a "net cost" for the lazy end-user.)
Damn, I loathe Windows, but sad to say from an objective viewpoint Windows is actually starting to look pretty good on the security front and I truly dislike this type of unthinking post.
Vista and above *do* have admin / normal users, and arguably the sandboxing / separation is actually better than in the Linux GUI. For example, it's possible for a user-level process with X authority to send input events to a sudo'ed process - UAC in Windows, though incredibly annoying and badly implemented, prevents that attack.
Arguably, the *nix philosophy of "protect the operating environment" is obsolete because the stuff that matters now isn't the machine, it's the data... and the data is owned by the user, not by root. If some Evil Person manages to trash my OS, I'm really not that bothered (it's a mild inconvenience). But if they get hold of my personal info then I am. The problem is that the former requires root / admin and is heavily guarded against by Linux (somewhat by Windows these days), whereas the latter is the true problem and neither OS has a robust answer.
Ironically, the best true security design I've seen is actually Android aka Linux - it's just perceived as insecure because it relies upon the end user to make important decisions, and most of them can't. But, at the end of the day, as soon as there's a buffer overflow etc. it falls.
All the IT people unable to get jobs as HMG keeps offshoring them, even if only the "new" ones.
Once your own country starts stiffing you, the moral barriers to white collar crime get just that bit weaker.
Yeah, but the smart ones aren't going to answer honestly in any case -- it's like asking in a room full of college freshmen whether anyone has ever used marijuana or BitTorrent. Sure, probably no one is listening and likely no one would do anything about it even if they were, but better safe than sorry, right?
In that these stats are formed from known criminals, the ones that get caught, so it's hardly surprising they suggest tech crims are IT bozos that purchased an exploit kit.
I'd assume that the creators of those kits tend to be younger, smarter and very capable hackers. I'd also suggest that before these exploits become widely known and make it into these kits they're used in anger by a criminal tier the cops rarely see. Basically, the cops are nicking users of a secondhand exploit market and drawing the incorrect conclusion that cybercrime is rife with old duffers. I expect that's good news for crime clean-up stats, but it's not even making a dent in the real problem.
Your assumptions --founded, apparently, entirely on what was previously generally accepted-- lack a certain, je ne sais quoi, supporting research perhaps?
I think those assumptions stem more from sensationalistic hack writing than from reality. As an "elite teenage h4xx0r" you might find holes and exploit them, but to leverage the stolen identities, take and launder the money, and all that, requires a bit more effort and staying power. It requires teamwork, and organizing that isn't something that teenagers fixated on finding holes in computer systems tend to be good at.
The computer crime kit writers may or may not be younger and maybe they're smarter than what makes up the bulk of the field, perhaps enough so to stay out of sight, but that really doesn't matter. Even your "get them before they leak or sell exploits" doesn't hold. A little bit of really basic math tells you it's a losing proposition, for the same reason that "due diligence" exploit finding is mostly an effort in futility. There are parallels with ever more expensive and invasive but curiously blind airport security scanners and other such security theatre.
What matters is that it's become an industry made up out of, well, average joe criminals, with the occasional outlier. Cunning, no respect for the law or other people's stuff, and so on. But it's not a field made up out of the vaunted brain-the-size-of-the-planet high-tech fixated "elite teen". We already could've inferred this from the simple fact that entire "production lines" became visible in "the underground digital economy". But it's nice to see presumably knowledgeable people catching on.
The real problem, though, indeed won't really be dented, but not because this report is somehow wrong. It's because our systems too often drop their pants for no reason, because privacy still is nothing more than a polite request to care for the other people's data you're sitting on, in short, because our existing infrastructure isn't up to snuff to "the digital age".
Even if we fix all that it won't make crime go away entirely, and that is because criminals really aren't that different from far too many other people. Look at the stereotypical advance fee fraud ("Nigerian 419") scammer. Poorly educated, barely literate, and still manages to take in suckers for sometimes hundreds of thousands of pounds or dollars or euros. As long as people can be conned, they will be, regardless of whether or not it's over the internet.
But the really smart people usually can get less stressful and better paying jobs elsewhere, perhaps start their own company and sell exploits legally to governments the world over for rather more than the underground economy would ever afford. It isn't smart to get stuck in a criminality quagmire, so smart people tend to not do that.
I'm not going to lie to you, I didn't make it through your epic reply, but I just wanted to clear up that when I said biased, I was inferring selection bias, not a personal one.
Regardless, it stands to reason that if these cybercrims are buying exploit kits, someone else must be creating said kits. We can further assert that these kits must be tested before they are sold, on the grounds that if they don't work, the 'customers' aren't going to be able to break the law with them and become statistics for this report.
I'd bet cash money that those real hackers tend to be younger and more tech savvy than the duffers this report documents.