Sunday, March 29, 2020

Crime in the time of coronavirus: be wary of windfalls and refunds, even those that don't look pandemic-related

URGENT: Please click this link to claim your refund. 

Don't worry, that's not an actual link, but you will probably be seeing emails and texts with links like that in the coming weeks. At a time when many people could use a little extra cash, the temptation to click those links can be strong.

In this screenshot you can see one such message that came to my iPhone today, supposedly from the UK government office that handles driving licenses, the DVLA.

The links in these messages take you to forms where, in order to get your refund—or other promised payment—you type in your bank account or credit card details.

Sadly, some people will click those links and supply those account details. (The form you see when you click on that link looks quite realistic - see below). Some time later those people will discover that criminals are helping themselves to the account, transferring funds out of bank accounts, running up charges on credit cards.

And criminals are betting that more people are more likely to click those links today than they were just a few months ago, in the time we now know as B.C. (Before Coronavirus). Why? Because right now people are worried about running short of money and thus more susceptible to scams like these. It's all part of a well-tested criminal strategy, one that has been used to generate ill-gotten gains for decades: exploit the times in which we live.

For example, back during the Great Recession of 2007-2009 I got several calls from otherwise sensible friends asking if some scam or other might just be real. They were hoping that a sudden windfall might really come their way, wishing that an unexpected source of funds might actually materialize. Criminals know these hopes and wishes and exploit them.

Tough times breed twisted crimes!

Of course, when the coronavirus first started to be a hot topic, criminals tried to exploit our eagerness for information as a hook to deceive and defraud. Then they shifted to fake coronavirus cures or deals on medical products in short supply. You may have noticed that security experts were quick to raise red flags about these tactics. That's because there is a well-established body of cybersecurity knowledge which predicts that these types of crimes will be attempted around any attention-grabbing event.

Criminals know this too; they realize that there is a relatively small window of opportunity to leverage a timely hook before everyone hears the hook-specific warnings. So the next play in this particular chapter of the cybercrime playbook is to use deceptive messaging that is not linked to the current crisis, but still taps the desperate hopes and needs that the crisis has generated.

What to do? 

Be wary of any message or email that you receive if it offers you money or other benefits, particularly if you were not expecting them.

If you have any doubts, just use your phone or computer to search for a few words from the message, maybe adding the word scam for good measure.

As you can see from the screenshot on the right, when I did that on my iPhone the search results immediately provided me with enough information to know that this was a fraudulent message, containing a link that I definitely should not click, regardless of how much I wanted the money.

Remember: Think before you click!

Coronavirus and cybercrime: please say criminals, NOT hackers

Not all criminals wear hoodies.
Not all hackers are criminals.
Photo by Luis Villasmil on Unsplash
This BBC headline is both a sad sign of the times and also a sad reminder of how sloppy the media can be:

"Coronavirus: How hackers are preying on fears of Covid-19"

I bet the title was not chosen by the writer of the article.

The article itself, by Joe Tidy, is good stuff, and I encourage you to read it because everyone needs to be aware that—as he writes in the opening sentence—at this point in time, "Cyber-criminals are targeting individuals as well as industries, including aerospace, transport, manufacturing, hospitality, healthcare and insurance." And they are using the public's fear of coronavirus to advance a criminal agenda: infiltrate systems and compromise them. This is despicable behavior and people who engage in it should be ashamed of themselves.

But it is wrong to call the people who are doing this hackers. These are criminal hackers; or, if space is limited: criminals. To be clear: people who hack for criminal purposes are criminals, not hackers. There are many people who hack for non-criminal purposes, some of them very noble and unselfish. For example, right now there are people "hacking" solutions to the shortage of medical equipment, and apps to help capture and track data that could be critical to tackling coronavirus (see "Good use of Hacker" below).

Editors who gloss over this extremely important distinction do the world a disservice. As someone who has spent the better part of three decades trying to explain why the world needs to do more to shut down the criminal abuse of information technology, I can assure you that confusion over the word "hacker" has been a serious distraction if not an outright impediment.

One of the main strategies for assessing the security of a computer network or digital device is to hire someone to try and defeat it, i.e. to hack it. That someone is an ethical hacker, but they are in short supply, due in part—in my opinion—to the stigma that the media has attached to the word hacker. The dynamics of the confusion over hacker are too complex to unravel here, but this article provides a simplified overview of the good/bad hacker landscape, and this one helps explain good hacking. You might also want to check out a session at a hacker convention (DEF CON III, 1995) in which I explored arguments for and against hacking with some of the earliest practitioners.


A postdigital perspective


Having done several stints as a writer and editor as well as publisher, I realize that it's a pain to have to constantly distinguish between good hackers and bad hackers, white hats and black hats, ethical and criminal—not to mention the hits to your word counts and screen space. On the other hand, think how good it is to educate your readers about this increasingly common aspect of daily life, the constant struggle between criminal hackers and the ethical hackers who work so hard to thwart them.

Furthermore, it is suitably postdigital to just say criminals. To use the word hackers when talking about criminals suggests you can't see how modern life has evolved. Allow me to quote Professor Gary Hall, Director of the Centre for Postdigital Cultures at Coventry University:
the ‘digital’ can no longer be understood as a separate domain of culture. Today digital information processing is present in every aspect of our lives. This includes our global communication, entertainment, education, energy, banking, health, transport, manufacturing, food, and water-supply systems. Attention therefore needs to turn from the digital understood as a separate sphere, and toward the various overlapping processes and infrastructures that shape and organise the digital and that the digital helps to shape and organise in turn.
For good or ill, hacking shapes and organizes the digital. The word for people who commit crimes in our postdigital world is criminal, not hacker. Crimes committed in cyberspace are crimes, not hacking. Bearing these things in mind will help us better understand the fact that we are way behind in our efforts to get a handle on crime (something that I have documented in depth).

Last year I was honored to be part of a much-needed international, vendor-neutral project to address the challenges of cyber-deterrence. The output of the project is freely available here. But even that project started out with a less-than-helpful headline: "To Catch a Hacker." I urged scaling back on that phrase as the project evolved, and I am now trying to be upfront with interviewers and editors: please don't quote me if your headline is going to imply—as the BBC's does—that all hackers are criminals.

Finally, to help out editors who like to learn by example—and to demonstrate that I am not singling out the BBC—here are some bad use cases and some good use cases:

Bad use of hacker:
Good use of Hacker:

Monday, February 24, 2020

Crime metrics matter: two charts of the big mess we're in, even if we're not sure how big it is

[Update: Advancing Accurate and Objective Cybercrime Metrics, my article in the Journal of National Security Law & Policy is now available online.]

We are now about 50 years into the information age, so let me ask you: How secure is your personal information? If you're like most adults in America, the answer is probably: "not as secure as it used to be."
Chart linked to original report.

That is what the social scientists at Pew Research Center found last year when they carried out the survey behind the chart on the right (click to access the full report).

As you can see, 70% of folks said that they felt their personal information was less secure than it was five years ago; furthermore, they were more likely to think that way if they were 50 or older, more educated, or in a higher income bracket.

My take on these numbers is that they reflect the relentless increase in cybercrime, or what my good friend, the gifted security researcher Cameron Camp, calls cyberbadness: the apparently never-ending litany of technology-enabled scams, frauds, thefts, losses, and disruptions that seem to be victimizing more and more people and organizations. Note that I used the word "seem" intentionally because some observers will point out that public perception of criminal activity is not always in sync with reality. At times that may be true, but before we can determine whether people are over- or under-reacting to cybercrime, we need to ask: what is the true scale and impact of cybercrime? And quite frankly, nobody has a good answer at the moment.

Why? Well, I've said it before, years ago, and again last year: "the importance of metrics to crime deterrence would appear to be both critical and obvious, but despite this there is a persistent cybercrime metrics gap." As far as I am concerned, that is a problem, one that I addressed at some length in a recent law journal article that is currently available online. The following quote may help to put the problem in perspective:

“[u]ntil there are accepted measures and benchmarks for the incidence and damage caused by computer-related crime, it will remain a guess whether we are spending enough resources to investigate or protect against such crimes… In short, metrics matter.”

Those words were spoken 16 years ago by an FBI agent, Edward J. Appel, someone who knew a thing or two about metrics (his father, Charles A. Appel, founded the FBI's Technical Laboratory).

Unfortunately, casual use of Google gives the impression that we have an abundance of metrics about cybercrime, with search results like "300+ Terrifying Cybercrime & Cybersecurity Statistics" and "110 Must-Know Cybersecurity Statistics for 2020." The problem is, the sources for such numbers are often suspect in terms of methodology and/or confirmation bias.

I addressed these issues in the Journal of National Security Law & Policy article mentioned above (Advancing Accurate and Objective Cybercrime Metrics, publication pending but currently available online). And I had spoken at length about the problem at the 2015 Virus Bulletin security conference (you can find my paper, a video of my talk, and my slides here: Sizing Cybercrime: incidents and accidents, hints and allegations). The sad reality is that, when it comes to timely and objective official statistics about crimes committed in cyberspace, they are in short supply.

Even sadder is the fact that the metrics we do have, such as the annual Internet Crime Report issued by the FBI's Internet Crime Complaint Center (IC3), make for depressing reading, not to mention depressing charts like the one on the right. This documents the rise in total annual crime losses reported to IC3 from 2003 through 2019.

As you can see, the year-on-year increase has become quite acute. Yes, I know the chart is somewhat compressed to fit this page layout, but you would have to spread it quite wide to get rid of the "hockey stick" that is the last five years. I certainly wouldn't bet against it blowing through $4 billion in the next report.

And yes, there are issues with using the IC3 numbers as crime metrics. They are not collected as an exercise in crime metrics, but rather as part of just one avenue of attack against the crimes they represent. However, I have studied each annual report and am satisfied that collectively they provide solid evidence of a real world cybercrime impact trend that looks very much like the line shown here.

My law review article was one of several generated by a range of independent subject matter experts as part of the Third Way Cyber Enforcement Initiative. The initiative was an impressive multi-stage effort to coordinate inter-disciplinary input on efforts to tackle the cybercrime problem. When commissioned papers reached draft stage, authors attended a day-long, mid-summer workshop at New York University School of Law for live peer review. By October, this Third Way initiative had already produced results, including an excellent summary of the metrics issue in The Need for Better Metrics on Cybercrime, from Third Way Policy Advisor, Ishan Mehta.

As papers continue to appear, check the website of the Journal of National Security Law & Policy. For example, right now you can access this important contribution from Amy Jordan and Allison Peters on Countering the Cyber Enforcement Gap: Strengthening Global Capacity on Cybercrime, and this excellent review of the use of criminal charges as a response to nation-state hacking from Tim Maurer.

(Acknowledgement: I am deeply grateful to all who participated in this project, for their input, insight, enthusiasm, and support.)

Monday, January 20, 2020

Happy New Year? Decade? 2020?

Greetings! I am happy you're here, reading this page, because now that I'm no longer writing for We Live Security, this blog is one of the ways I will continue to share what I hope is useful research and analysis. (There's more on the big changes I made in 2019 here.)

I really do hope that you have a happy and safe and satisfying 2020, and a fulfilling decade, but I put those question marks up there in the title because right now I see serious challenges ahead. Frankly, I'm not sure the world is ready, or able, or even willing, to meet them.

But gloomy as that may sound, I do see some bright spots; I mean, the 2020 puns are bound to wear out soon, right? And people will eventually stop saying things like "I can see clearly now that 2020 is here." Which reminds me of the 2015 TEDx event in San Diego that was actually called 20/20 Vision.

I had the honor of speaking at that event. My topic was cybersecurity, cybercrime, and the need for more women and minorities in technology leadership. I framed these remarks (yes there's a pun there if you like), as a choice between two futures.

The first future that I sketch out is one in which technology enables humans to tackle existential risks like climate change and make life on the planet better for everyone. The second future turns out to be a dismal one because we failed to get to grips with core problems facing technology. Well, now that 2020 is here I have to say that the world pretty much went with Future #2, and we are no nearer to the bright and shining Future #1 now than we were in 2015.

And of course, that means I have a lot more work ahead of me - explaining what we're doing wrong, why we're doing it wrong, and how critical it is that we change. But just for the record, here's that 2015 talk. Happy 2020?

Wednesday, November 13, 2019

Cybercrime deterrence begins with metrics


The importance of metrics to crime deterrence would appear to be both critical and obvious and yet there is clearly a large cybercrime metrics gap: official statistics about crimes committed in cyberspace seem scarce relative to those documenting the incidence and impact of traditional or “meatspace” crimes. 

I have been talking about the cybercrime metrics problem for many years, notably at Virus Bulletin in 2015 (you can find my paper, a video of my talk, and my slides here: Sizing cybercrime: incidents and accidents, hints and allegations). 

More recently, namely Q3 of 2019, I wrote a law review article titled Advancing Accurate and Objective Cybercrime Metrics (publication pending). I did this as part of the Third Way Cyber Enforcement Initiative, an impressive effort to bring together an inter-disciplinary group of experts to develop ways forward on the cybercrime problem. This has already produced results, an excellent summary of input on The Need for Better Metrics on Cybercrime, from Third Way Policy Advisor, Ishan Mehta.

My paper for this project situates the efforts needed to obtain accurate and objective cybercrime metrics within the broader work of reforming traditional crime reporting which currently fails to meet the needs of information-based criminal policy. With a case study of identity theft, the paper illustrates disparities between current government and private-sector metrics while highlighting the importance of timely metrics to the work of countering rapidly evolving cybercrimes. After reviewing promising ways forward already developed by a range of experts, the paper concludes that meaningful action to improve crime metrics is possible; however, this will take more political will than has so far been mustered and so suggestions for how this might be generated are provided.

I will be giving a flashtalk on the paper at the upcoming symposium at New York University: Catching the Cybercriminal: Reforming Global Law Enforcement. Then I will report back here.

Friday, August 30, 2019

Potentially malicious use of QR codes and NFC chips

Like any technology, QR codes and NFC chips can be abused and misused for selfish or criminal purposes. I was reminded of this by a recent Dark Reading article by Chris Franklin, Jr. titled "9 Things That Don't Worry You Today (But Should)."

One of the things that Chris highlighted was QR codes and when I saw this particular page it reminded me that I had written about the abuse of these codes myself (seven years ago). In fact, I not only wrote about them, I did some research on them and an adjacent technology, the NFC chip (both can be used to trigger events in an information system, and they are cheap to implement, easy to program, and also very thin). 

I made a very short video to demonstrate one potential type of abuse - tricking people into visiting a malicious website. Here is the video, with thanks to my former employer, ESET, for giving me the time and resources to make this demo:


As you can see, there is plenty of potential for hijacking or misdirecting people's interests via both QR and NFC technology, and I am indebted to my former ESET colleague, Cameron Camp, for pointing some of these out, way back in early 2012.

(Funny story: about that time, Cameron was in Hong Kong to speak at a security conference and noticed the extensive use of QR codes in public transportation vehicles. He pointed this out to a company exec who was there and said, "How about I write a blog post showing how someone could print their own codes on sticky labels and just plaster them over these legit codes?" Apparently, this produced a lot of head-shaking. ESET decided to go with the more low key demo you see here.)
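The refund-scam texts described in the March post and the QR/NFC misdirection in this demo come down to the same thing: an untrusted URL that the victim is invited to open, delivered by a channel (SMS, a printed code, a tag) that shows little or nothing of the destination. Below is an added example, written for this page and not code from the original posts or from ESET, that vets such a link before it is opened. It decodes an NFC Forum URI record (the one-byte identifier-code prefix followed by the rest of the URI) and then applies the checks a practitioner would run on any QR or SMS link: web scheme only, no embedded credentials, no bare IP host, no punycode labels, no shortener, and a host that belongs to an expected domain rather than merely containing its name. The expected domain list and all sample payloads are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption for this example: the only legitimate source of a DVLA refund
# notice is a host under dvla.gov.uk. A real deployment would hold its own list.
EXPECTED_DOMAINS = {"dvla.gov.uk"}

# Common link shorteners; a shortener hides the real destination from the reader.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}

# Identifier-code prefixes from the NFC Forum URI Record Type Definition.
# Only the codes used by typical web/telephony tags are listed here.
NDEF_URI_PREFIX = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
}


def decode_ndef_uri(record):
    """Expand the payload of an NDEF URI record (prefix byte + UTF-8 remainder)."""
    if not record:
        raise ValueError("empty URI record")
    code = record[0]
    if code not in NDEF_URI_PREFIX:
        raise ValueError(f"unsupported URI identifier code 0x{code:02x}")
    return NDEF_URI_PREFIX[code] + record[1:].decode("utf-8")


def _under_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def vet_link(url, expected=EXPECTED_DOMAINS):
    """Return (verdict, reasons) for a URL taken from an SMS, QR code or NFC tag.

    verdict is "allow" (expected host, no concerns), "warn" (expected host but
    something odd, e.g. plain http) or "block" (not an expected host, or not a
    web link at all).
    """
    reasons = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return "block", [f"non-web scheme {scheme!r}"]

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "block", ["no host in URL"]

    if scheme == "http":
        reasons.append("plain http")
    if parts.username or parts.password:
        # https://dvla.gov.uk@evil.example/ shows the trusted name before the '@'
        reasons.append("credentials embedded in URL")
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP address as host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) label in host")
    if host in KNOWN_SHORTENERS:
        reasons.append("URL shortener hides destination")

    matched = [d for d in expected if _under_domain(host, d)]
    if not matched:
        # A trusted name appearing inside the host, but not as its suffix,
        # is the classic look-alike (dvla.gov.uk.refund-claim.example).
        lookalike = [d for d in expected if d.split(".")[0] in host]
        if lookalike:
            reasons.append(f"host {host!r} imitates {lookalike[0]!r}")
        else:
            reasons.append(f"host {host!r} not under an expected domain")
        return "block", reasons

    return ("warn" if reasons else "allow"), reasons


if __name__ == "__main__":
    # Constructed sample payloads: a sticker-over-the-real-code tag and SMS links.
    tag = bytes([0x04]) + b"dvla.gov.uk.refund-claim.example/form"
    for link in (decode_ndef_uri(tag),
                 "https://www.dvla.gov.uk/refund",
                 "https://dvla.gov.uk@198.51.100.7/claim",
                 "tel:+441632960000"):
        print(link, "->", vet_link(link))
```

The look-alike check is deliberately crude (it only looks for the first label of a trusted name inside the host); its purpose is to catch the cheap sticker-over-the-real-code trick, not to replace a reputation service.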

Back then I wrote a couple of related articles on this blog:
Enjoy!

Thursday, August 08, 2019

DEFCON III flashback: why hacking sucks


My session at DEFCON III back in 1995 has lived on as an audio recording (.m4b). Just scroll down this page: DEFCON III Archive. The title was intentionally provocative:

The Party's Over: Why Hacking Sucks

The idea was to generate dialogue about the ethics of hacking, and I think I succeeded. In fact, the audio captures that quite well.

(Bear in mind that this was 1995, and I've been to events in 2019 where organizers seemed incapable of capturing audio this well.)

As someone who had been working on the computer security problem since the 1980s, I have to say I learned a lot from this session and really appreciated everyone's input.

I was invited back the next year and I will post a link to that DEFCON IV session when I find it again. My topic was how to go from hacker to infosec professional, but like many early DEFCON talks it went in several other directions as well (steam trains?).

Here is a link to initiate the audio file download for the DEFCON III talk, and yes, it is safe to do so. The audio is about 49 minutes long and while the sound starts out rough, it gets better quickly. The file is 18.2MB and the filename is: DEF CON 3 Hacking Conference Presentation By Stephen Cobb - Why Hacking Sucks - Audio.m4b

Monday, August 05, 2019

Experienced vendor-neutral panelist available to talk cybersecurity, cybercrime, data privacy, and more

Has this happened to you? You have this great idea for a panel at a conference, but you need to find great panelists, preferably people who are subject matter experts, but are not employed by a vendor, yet they do have experience as a panelist.

Well, I am one such person: a completely independent researcher specializing in cybersecurity and data privacy who is also an award-winning technologist with 30 years of industry experience. And yes, I have a track record of well-received panel appearances.

So, if you're putting together a panel proposal, or your proposed panel was accepted but now you need panelists, take a look at my areas of expertise. If you think I might be right for your panel, let's discuss - you can reach me on LinkedIn and DMs are open on Twitter.

Here are some of my areas of expertise and interest:
  • Cybercrime and cybercrime metrics
  • Cybersecurity education, skills gap, and workforce issues
  • Cyber-war and cyber-conflict
  • Data privacy and data abuse
  • New technology = risks and attacks (e.g. AI, IoT)
  • Public-interest technology and public policy related to the above
Here is me on video:

Friday, July 12, 2019

The big news from where I am, which will soon be somewhere else

Dateline San Diego, California, July 12:
Today is my last day at ESET, the company that I have worked for since 2011, and from which I am now retiring.

But wait, there's more news! In early September, Chey and I will be relocating to the city of Coventry, England, birthplace of the pedal-chain bicycle, Jaguar cars, the turbojet, my parents, my brother, and me.

I will be writing more about this move as time permits, with the latest developments signposted on this blog (scobb.net).

If you want to stay in touch, and I hope you do, you can use email to reach me (use scobb at scobb dot net). You can also find me on Twitter, where I am @zcobb. I'm on LinkedIn as well and you may even spot me on Facebook - where my profile is stcobb - but I don't go there very often. In the past I have published on Medium and I may write some more articles there in the future.

So, that's the news of the day from where I am. What follows are a few random thoughts on the occasion of my departure, retirement, and relocation.

For the record, we will be flying to England, not sailing. I say this because I have twice moved from North America to England on ships. Once when I was six, and again in 1975 on the TSS Stefan Batory.

Postcard of TSS Stefan Batory from the collection of VMF at http://vmf-cruiseshipsandliners.blogspot.com/

Also for the record, I am leaving ESET with very positive feelings. I have never worked this long for anyone other than myself. In my opinion, ESET continues to set the standard for technical excellence, customer support, and dedication to helping the world enjoy safer technology. It was a privilege to work with such a great team of security researchers and I know that they will carry on the mission with courage, integrity, reliability, and passion. (Disclaimer: nobody's paying me to say this, I don't own stock or have any other financial stake in ESET.)

My relationship with ESET began exactly eight years ago this week, with a phone call about a job. The company wanted someone to do vendor neutral security research and education, which was great for me because that's been a passion of mine since the late 1980s. Adding to the appeal: the company wanted me to be based in California, my favorite state. (Chey and I met in California over 30 years ago, but left in the late 1980s to live in Scotland.)

As for my future, who knows? I do know I will keep researching and opining, mainly about technology. I will continue to blog, and there is a book I want to write. Coventry is home to a pair of excellent universities and there are more in the surrounding area - often referred to as "The Midlands" - including my alma mater, the University of Leicester. Doing some form of teaching is a possibility.

So, when Chey and I get properly settled into our new home, it is possible that I will reemerge, maybe as something like a part-time, semi-retired, independent researcher and public-interest technologist. (I have been watching fellow security veteran Bruce Schneier move in this direction.)

At this point, and if this was a press conference, I would take questions. But I only have time for one right now, so I will answer the one I've been asked many times in recent weeks: Do you think you will miss San Diego?

Yes, I will miss San Diego, and not just because of the weather and the views. We have met so many wonderful people here, many of whom I have worked with in a business climate that is unique in my experience: San Diego has to be the Capital of Collaboration. This is great place to work on technology projects that benefit the community, the nation, and the world. I have often said that cybersecurity is the healthcare of IT, and San Diego is a center of excellence in both meatspace healthcare and cyberspace security. (The cuisine is pretty awesome too.)

On that note, I thank you for reading this far and wish you all the best. As the saying goes:

So long, and thanks for all the fish tacos!

Stephen

(Note: Image of ESET/Coventry combines a photo that I took plus photography by Si Chun Lam. Some rights reserved. This image is licensed under the Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) Licence.)

Monday, April 15, 2019

Dark markets, threat cumulativity, siegeware, and a cybercrime barometer

This is an update on five parts of my research and writing so far this year. The first part built on a suggestion from ESET PR Manager Anna Keeve: help people better understand the cybercrime threat by showing them the "dark markets" that are used to sell stolen information and buy the tools with which to steal it. So I decided to highlight their “evolution” into mainstream online services for enabling cybercrime.

1. Next Generation Dark Markets? Think Amazon or eBay for the criminally-inclined
In addition, Anna set up a session with the wonderful folks at Marketplace on NPR. So, if you want to hear more about the dark web, close your eyes and take this audio tour: Exploring the dark web with Kai Ryssdal on Marketplace


A reflection on how, by acknowledging the cumulative nature of cyber-threats and understanding its implications, we can improve our approach to digital security.

I presented my analysis of the data from a large survey, paid for by ESET and designed to uncover attitudes to cybercrime and cybersecurity in North America. This confirmed that the majority of Americans fear the misuse of personal data they supply to websites, and view cybercrime as a threat to their country.

Recent news articles show that a vital part of the IT ecosystem - MSPs - are now being targeted by criminals for a variety of nefarious reasons. I wrote about why this is happening, and what MSPs should do about it.



Siegeware is what you get when cybercriminals mix the concept of ransomware with building automation systems: abuse of equipment control software to threaten access to physical facilities. It is real and it needs to be openly addressed.