Tuesday, June 30, 2020

Taking down 'the Amazon of cybercrime' - a look inside a dark web story

Ads for websites that sell stolen payment card data and online accounts

Back in March, 2020, as the coronavirus pandemic began to dominate the news, one cybercrime story seemed to get washed aside by the rising tide of COVID-themed cybercrime attacks: the taking down of the 'Amazon.com of cybercrime.' I'm fairly sure that, in more normal times, more people would have paid more attention to this headline:
The FBI arrested the alleged hacker behind the 'Amazon.com of cybercrime,' which it says sold $17 million worth of stolen accounts for Gmail and other sites
For me, there were several reasons to smile when this headline appeared, not the least of which was the fact that it represents a very positive step forward for law enforcement in the ongoing effort to rein in cybercrime, an effort I have tried to support for many years.

On top of that, I happen to know Special Agent Brian Nielsen, whose very impressive work is cited in the article and in the criminal complaint filed in US District Court in San Diego. The complaint named Kirill Victorovich Firsov as "a Russian cyber hacker, and the administrator of the Deer.io cyberplatform."

Firsov was arrested on a Sunday night in March at JFK Airport and the complaint was unsealed the next day (a PDF of the complaint is here, and if you look at the timing it suggests there was some very fast and skillful footwork by the San Diego feds).

However, the aspect of this headline that really put a smile on my face was the term Amazon.com of cybercrime. This way of characterizing dark web crime markets—like those that Firsov enabled—is something that I came up with in 2018; for example, see this article: Next Generation Dark Markets? Think Amazon or eBay for criminals.

When journalist Jeff Elder from Business Insider called me about the Firsov arrest I used that same characterization. Jeff obviously found it helpful because the article began like this: "When the FBI arrested the alleged leader of an illegal online marketplace last week, they may have made a small dent in what one expert calls "the Amazon.com of cybercrime."

That expert was me. You can read the article here (apparently MSN has a "reprint" arrangement with Business Insider—the article is now pay-walled on the latter's site). This is the part that cites me directly:

"This is the Amazon.com of cybercrime, with easy-to-use, easy-to-access availability and participation – as a buyer or vendor," says independent threat researcher Stephen Cobb, who previously tracked illegal marketplace activity for Eset, a cybersecurity company.

Apart from Eset being ESET, Jeff was true to our conversation and the point I was trying to make. My efforts were undoubtedly bolstered by the fact that I had prior experience—from early 2019—covering this topic with another journalist, Kai Ryssdal from Marketplace on NPR. That meant I had quite a bit of "evidence" that I could share with Jeff. Like this screenshot of an online market, annotated here for educational purposes:

As you can see, markets like this make buying stolen payment card data as easy as buying something on eBay or Amazon. And of course, they provide an easy way for the criminals who do the data stealing to monetize their operations. Like any well-organized market there are incentives—like seller and product ratings—to ensure that shoppers get good products at competitive prices.

These Amazon-style mechanisms help to explain how a bunch of criminals can buy and sell things without ripping each other off, as does the use of digital currency and an escrow system. The marketplace provider withholds payment to the seller until the buyer gets the goods and approves them.

By charging a fee for escrow and other services, the marketplace provider stands to generate considerable revenue while maintaining a semblance of respectability as "merely enabling commerce." (That is just one of many ethical cop-outs that help to sustain cyber-criminal activity.)
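To make the escrow mechanism concrete, here is a small state-machine model of it. This is an added illustration, not code from the post or from any actual market; the fee rate (5%) and the integer unit of account are assumptions. The point it shows is where the counterparty risk goes: the seller cannot be paid before the buyer approves, the buyer gets the held funds back on a dispute, and the operator keeps a fee on every completed order.

```python
"""Toy model of a marketplace escrow, as an added example.

Not code from the post or from any real market. Prices are integers in
the market's unit of account (assumption); the 5% fee rate is assumed.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    OPEN = auto()        # order created, nothing paid yet
    FUNDED = auto()      # buyer's payment is held by the marketplace
    DELIVERED = auto()   # seller claims the goods were handed over
    RELEASED = auto()    # buyer approved; seller paid, fee kept
    REFUNDED = auto()    # dispute resolved in the buyer's favour


class EscrowError(Exception):
    """Raised on any transition the escrow rules do not allow."""


@dataclass
class EscrowOrder:
    price: int
    fee_rate: float = 0.05
    state: State = State.OPEN
    # Running balances of the three parties relative to the start of the order.
    ledger: dict = field(default_factory=lambda: {"buyer": 0, "seller": 0, "market": 0})

    def _require(self, *allowed):
        if self.state not in allowed:
            raise EscrowError(f"not allowed in state {self.state.name}")

    def fund(self):
        # Buyer pays the marketplace, not the seller.
        self._require(State.OPEN)
        self.ledger["buyer"] -= self.price
        self.ledger["market"] += self.price  # held, not yet earned
        self.state = State.FUNDED

    def deliver(self):
        self._require(State.FUNDED)
        self.state = State.DELIVERED

    def approve(self):
        # Only the buyer's approval releases funds; the operator keeps the fee.
        self._require(State.DELIVERED)
        fee = int(self.price * self.fee_rate)
        self.ledger["market"] -= self.price - fee
        self.ledger["seller"] += self.price - fee
        self.state = State.RELEASED
        return fee

    def dispute(self):
        # Buyer never approves: the held funds go back to the buyer.
        self._require(State.FUNDED, State.DELIVERED)
        self.ledger["market"] -= self.price
        self.ledger["buyer"] += self.price
        self.state = State.REFUNDED


def happy_path(price=100, fee_rate=0.05):
    """Buyer funds, seller delivers, buyer approves; returns final balances."""
    order = EscrowOrder(price, fee_rate)
    order.fund()
    order.deliver()
    order.approve()
    return order.ledger


def seller_never_delivers(price=100):
    """Buyer funds, then disputes; everyone ends where they started."""
    order = EscrowOrder(price)
    order.fund()
    order.dispute()
    return order.ledger


def seller_cannot_be_paid_early(price=100):
    """True if the model refuses to release funds before the buyer approves."""
    order = EscrowOrder(price)
    order.fund()
    try:
        order.approve()
    except EscrowError:
        return True
    return False


if __name__ == "__main__":
    print(happy_path())               # seller gets 95, operator keeps 5
    print(seller_never_delivers())    # all balances back to 0
    print(seller_cannot_be_paid_early())
```

Note what the model makes explicit: neither buyer nor seller has to trust the other, because all of the trust is concentrated in the operator who holds the funds and takes the fee.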

Flashback: Kai goes to the Amazon (of cybercrime)

So, how did I end up talking to journalists about dark markets like this? Journalists who cover breaking news like to talk to people who are considered experts in the field of human endeavor to which the news pertains. Some experts welcome such conversations as an opportunity to provide context and clarity to complex topics, thus helping to broaden understanding of such topics.

If the expert happens to be self-employed and short of funds for marketing and PR, this interaction can be mutually beneficial. It can also be helpful to companies who are interested in "educating the market" for their products, which is why ESET—a maker of security software—was happy for me to work on this when I worked there (disclaimer: I no longer work for ESET and have zero financial ties to the company; I think they make good products but I know I make no money if you buy them).

The radio piece that I did with Kai Ryssdal about the business of cybercrime and the online markets that support it was skillfully orchestrated by Maria Hollenhorst. A lot of preparation was needed to produce a segment that was relatively short, but full of information. I thoroughly enjoyed working on it and was very impressed with how quickly Kai saw what I was hoping he would see: that the dark web enables "crime as a business enterprise," complete with Amazon and eBay style marketing techniques. So please enjoy listening to: Ever wondered what the dark web is like?

Thursday, May 21, 2020

Only 7.6% of Brits say they trust tech firms with personal information, and that's a problem for all of us

So, it’s May, 2020, and we humans are struggling to cope with a global crisis of unprecedented scope and scale, despite having unprecedented levels of technology at our disposal. Why are we struggling? One factor could be this: less than 10% of adults in the US and UK trust tech firms to protect their personal information.

That's according to a survey I commissioned around the middle of the month, a full account of which can be found in this article on Medium.

To rein in COVID-19, and future pandemics, people need to be able to share their personal information without fear that it will be misused or abused.

I think this pie chart reflects that fear. It shows the US results but the corresponding UK pie chart looks very similar: very few people say Yes when you ask them this question: “Do you trust tech firms to protect your personal information?”

Respondents could answer Yes, No, or Not sure. Less than 1 in 10 respondents answered Yes (7.6% in the UK, 8.9% in the US). More than half said No (55%). Just over one third said Not sure (36%). Who were these people? Adults in the US (n=756) and the UK (n=514).

Why is there such a lack of trust? I think that the Malware Factor has a lot to do with this. People don't trust tech firms to protect personal information because of the massive scale at which malware has enabled such information to be compromised and abused. Companies and governments just don't seem to have the ability to prevent this, either because of a shortage of concern or funds or skills or understanding, or an overabundance of criminal activity, or all of the above.

Ok, but what can we do about this?

My own opinion is that the overabundance of criminal activity, while not the whole problem, is a huge part of the problem. Yes, it's true that many organizations could do better at cybersecurity, but it's also true that the governments of the world have massively failed their citizens when it comes to malware-enabled cybercrime. This failure is so huge that it's now compounding the problems created by a deadly pandemic. Maybe, now that lives are very clearly on the line, more people in positions of power and influence will begin to take the Malware Factor more seriously.

But what would that look like? How does taking the Malware Factor more seriously at the highest levels translate into action? I'm going to list three suggestions. You may not like them. You may even scoff at some or all of them. But I'm already used to that, as I said in this blog post and Medium article from 2017 (same story, two different places). FYI, I'm still fairly sure I'm right.

1. International cooperation and global treaties are the only way to make a serious dent in cybercrime and cyberconflict, and the citizens of the world should push their governments in this direction. I realize this is going to be hard while three of the biggest malware-making countries are still run by Trump, Putin, and Xi, respectively—but that is no reason not to try.

2. Cybersecurity products and services should be made available at lower or no cost.

As I've been saying for more than a decade now, information system security is the healthcare of IT/ICT. Just as profit-based healthcare is, in my opinion and practical experience, a bad idea, so is people making large fortunes from protecting the world's digital infrastructure—as opposed to a decent wage. Besides, a profit-based approach to securing ICT has thus far failed to make any lasting dents in the cybercrime growth curves (see chart of Internet crime losses, from this IEEE blog post by Chey Cobb and myself). 

3. We need to consider an end to broadcasting and bragging about new and interesting ways to gain illegal access to information systems. Justifying this as a way to improve security and reinforce the message that it needs to be taken more seriously might have been valid at some point in the past, but that validity has been seriously eroded. Fully open, freely accessible, in-depth research on things that enable ethically-challenged individuals or governments to seriously undermine our collective future is not, in my opinion, a good idea. (Think of someone making and distributing a version of COVID-19 that doesn't give victims a tell-tale cough—cool?)

I'm happy to hear more suggestions, or your thoughts on what's wrong with these. Also happy to hear about any moves in these three directions. (I am already familiar with the work of the Global Commission on the Stability of Cyberspace—still hoping they take up the idea of a Comprehensive Malware Test Ban Treaty.)

#cybercrime #dataprivacy #privacy #infosec #FTC #FCC #COVID_19 #Covid19UK $FB $AMZN $AAPL $GOOG $MSFT #technology #trust #survey 

Saturday, May 09, 2020

Defcon 2020 Cancelled: Can sad news also be good news?

Now with audio! You can now listen to the blog post.

Talk about mixed emotions! Large swathes of the hacking and information security world are feeling all kinds of sad-and-yet-glad right now. Why? Because, as of May 8, 2020, this year's Defcon is canceled. This was to have been the 28th consecutive Defcon, a very popular annual hacking conference that is traditionally held in Las Vegas around the start of August.

It was also going to be an anniversary event of sorts for me. The canceled Defcon was to have been the 25th anniversary of my first Defcon. That was in 1995 and was known as Def Con III as you can see from the t-shirt.

Looking on the bright side, Defcon 29 in 2021 is already scheduled, as a meatspace event, for August 5 to 8 (see WIRED article). But the main piece of good news is the very thing that many folks—myself included—are also sad about: we won't be seeing each other this August, at least not in person.

There is more good news: this year there will be a virtual conference. I know that not everyone enjoys this format, but I am pleased that this path was chosen. I am also grateful the hacking community has made a very difficult, yet also very sensible decision: let's not risk spreading COVID-19 by gathering in person in Las Vegas hotels in our tens of thousands to spend several days in packed talks and crowded corridors (estimated attendance last year was 30,000).

And there's even more good news, from way back in the 1990s. Back then, Jeff Moss—the founder of the event—had the wisdom and the foresight to insist that the talks delivered at Defcon be archived. That means anyone with spare time on their hands and an internet connection—maybe in a locked-down-shelter-in-place scenario—can binge on past events.

That also means people can still listen to what I said, 25 years ago, preserved as an audio (.m4b) file. Just scroll down this page: DEFCON III Archive. My talk was titled: The Party's Over: Why Hacking Sucks. My goal was to generate dialogue about the ethics of hacking, and I think I succeeded. In fact, the audio captures that quite well. (Bear in mind that this was 1995—I spoke at numerous events in the twenty-teens where organizers seemed incapable of capturing and curating audio this efficiently.) Click this link to listen in your browser; it's about 49 minutes long and while the sound starts out rough, it gets better quickly.

As someone who had been working on the computer security problem since the 1980s, I have to say that I learned a lot from that 1995 session and really appreciated everyone's input. I was invited back the next year and my talk was about how people might go about transitioning, from hacker to infosec professional. Of course, like many early DEFCON talks this one went in several other directions at first—there was even a steam train excursion—but you might still enjoy listening. Here is a link to that talk. Be warned that there is some swearing, but it is in a very polite voice.

Over time, the Defcon archives have evolved to become a quite amazing cornucopia of knowledge and history, a feast for eager minds, and a legacy for future generations.

Thanks Jeff! Thanks to your foresight, it's possible to find some good news in this sad news.

Friday, April 03, 2020

The Malware Factor: The biggest problem our postdigital world has refused to face, so far

Image for The Malware Factor, background based on screenshot of a frame in BBC documentary Hidden Life of the Cell

I believe that the misuse and abuse of information and communications technology (ICT) threatens to undermine all present and future human endeavors, from raising children to reining in pandemics.

[Update May 14, 2020: a longer version of this article is now available here, with narration. You can also find it on YouTube.]

I find it helpful to think of this phenomenon as “the malware factor,” mainly because it is enabled by, and embodied in, malicious software, or malware. The following is an attempt to explain this point of view.

A pandemic example

In one of his less empirical moments, the English philosopher Francis Bacon wrote that "prosperity doth best discover vice, but adversity doth best discover virtue." Clearly, this was said before the invention of email and its subsequent perversion by morally-challenged humans bent on leveraging adversity at scale.

As any information security professional will tell you, when people are stressed by the struggle to cope with a crisis—a global pandemic, for example—they are more likely to click links that lead to scams. Of course, COVID-19 has led to many examples of virtue, but it has also sparked a global surge in digitally-enabled vice, a.k.a. cybercrime, a.k.a. crime.

(As I have said elsewhere, in a postdigital world, the term cybercrime is of limited utility. While we cannot say—yet—that all crime is cybercrime, just about all crime has cyber elements.)

Fortunately, some of the fine folks working to keep at bay the surge in digitally-enabled COVID-19 vice have been documenting the situation. By March 12, Alex Guirakhoo, research analyst at Digital Shadows, had already catalogued a sickening array of technology abuse in a lengthy blog post titled How cybercriminals are taking advantage of covid-19: scams, fraud, and misinformation.

Guirakhoo opens with an observation that has been true since at least September of 2001: "In the wake of large-scale global events, cybercriminals are among the first to attempt to sow discord, spread disinformation, and seek financial gain." He goes on to explain the implications of this twenty-first century reality:
"While COVID-19 itself presents a significant global security risk to individuals and organizations across the world, cybercriminal activity around this global pandemic can result in financial damage and promote dangerous guidance, ultimately putting additional strain on efforts to contain the virus."
While I might have said immediately instead of ultimately, Guirakhoo accurately framed the problem, a problem that is far more serious than most people realize, with implications very few have been willing to face—although I am hopeful that this is about to change.

Factoring in Malware

The current reality is that large-scale global events—as well as many regional and even personal human endeavors—are negatively impacted by unwanted human activity in cyberspace, activity that is enabled, at a fundamental level, by malicious code.

This is true of events or endeavors that take place in meatspace, or cyberspace, or both. For example, the physical distribution of medicine and equipment to contain a pandemic is negatively impacted, as is the strategy of having people use computers and the Internet to work from home to contain a pandemic.

Before digging deeper into the definition and role of malicious code in this current reality, let me address why I think it is helpful to refer to this reality as postdigital. The easiest way to do this is to quote Professor Gary Hall, Director of the Centre for Postdigital Cultures at Coventry University:
the ‘digital’ can no longer be understood as a separate domain of culture. Today digital information processing is present in every aspect of our lives. This includes our global communication, entertainment, education, energy, banking, health, transport, manufacturing, food, and water-supply systems. Attention therefore needs to turn from the digital understood as a separate sphere, and toward the various overlapping processes and infrastructures that shape and organise the digital and that the digital helps to shape and organise in turn.
There is no need for me to restate what Hall says there; I agree that we need to acknowledge that "the digital" is now part of our lives and life on Earth, whether we like it or not (and to be clear, while "going off the grid" can minimize your interaction with the digital, it is still a part of your world—just check the night sky if you don't believe me).

Which brings me to these three assertions:

1. the misuse and abuse of information and communications technology (ICT) threatens to undermine all present and future human endeavor, from raising children to reining in pandemics; and,

2. it is helpful to refer to this as “the malware factor” because it is enabled by, and embodied in, malicious software, or malware, and embedded in the infrastructure of our postdigital world.

3. The use of malware by criminals and governments during the COVID-19 pandemic is prima facie evidence that our postdigital reality is based on code, abuse of which is impossible to prevent.

Virus components in a human cell (BBC)
I am going to end this piece right there, and leave it right here, with this coda: I'm not wedded to "The Malware Factor" as the name for this phenomenon, but before you discount it, please know that I have more to say on this, and it involves cells and viruses and infrastructure, and maybe a few passages from Genesis (the religious text, not the band).

In the meantime, it might be helpful to watch this BBC video: Secret Universe: The Hidden Life of the Cell (warning: contains scenes of simulated violence between a virus and a human cell; may be geo-fenced, so here is an alternative source and also here).

And finally, here's a friendly reminder that, if Earth's leaders continue their pathetic track record on reining in malware, it will become a problem on Mars too. That's assuming humans make it to Mars safely, which I think is unlikely given the #MalwareFactor.

Monday, March 30, 2020

Crime in the time of coronavirus: be wary of windfalls and refunds, even those that don't look pandemic-related

URGENT: Please click this link to claim your refund. 

Don't worry, that's not an actual link, but you will probably be seeing emails and texts with links like that in the coming weeks. At a time when many people could use a little extra cash, the temptation to click those links can be strong.

Here in this screenshot you can see one such message that came to my iPhone today, supposedly from the UK government office that handles driving licenses, the DVLA.

The links in these messages take you to forms where, in order to get your refund—or other promised payment—you type in your bank account or credit card details.

Sadly, some people will click those links and supply those account details. (The form you see when you click on that link looks quite realistic - see below). Some time later those people will discover that criminals are helping themselves to the account, transferring funds out of bank accounts, running up charges on credit cards.

And criminals are betting that more people are more likely to click those links today than they were just a few months ago, in the time we now know as B.C. (Before Coronavirus). Why? Because right now people are worried about running short of money and thus more susceptible to scams like these. It's all part of a well-tested criminal strategy, one that has been used to generate ill-gotten gains for decades: exploit the times in which we live.

For example, back during the Great Recession of 2007-2009 I got several calls from otherwise sensible friends asking if some scam or other might just be real. They were hoping that a sudden windfall might really come their way, wishing that an unexpected source of funds might actually materialize. Criminals know these hopes and wishes and exploit them.

Tough times breed twisted crimes!

Of course, when the coronavirus first started to be a hot topic, criminals tried to exploit our eagerness for information as a hook to deceive and defraud. Then they shifted to fake coronavirus cures or deals on medical products in short supply. You may have noticed that security experts were quick to raise red flags about these tactics. That's because there is a well-established body of cybersecurity knowledge which predicts that these types of crimes will be attempted around any attention-grabbing event.

Criminals know this too; they realize that there is a relatively small window of opportunity to leverage a timely hook before everyone hears the hook-specific warnings. So the next play in this particular chapter of the cybercrime playbook is to use deceptive messaging that is not linked to the current crisis, but still taps the desperate hopes and needs that the crisis has generated.

What to do? 

Be wary of any message or email that you receive if it offers you money or other benefits, particularly if you were not expecting them.

If you have any doubts, just use your phone or computer to search for a few words from the message, maybe adding the word scam for good measure.

As you can see from the screenshot on the right, when I did that on my iPhone the search results immediately provided me with enough information to know that this was a fraudulent message, containing a link that I definitely should not click, regardless of how much I wanted the money.
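The checks above can be partly automated for the messages you can't immediately place. The following is an added example, not from the post, that scores a text message on the red flags the post describes: an unsolicited offer of money, pressure to act now, and a link whose host is not under the organisation's real domain. The sample messages, the lookalike domain (under the reserved .example TLD) and the assumption that UK government services live under gov.uk are all constructed for illustration; the post's last step, searching a few words of the message plus "scam", still has to be done online.

```python
"""Offline triage of an unexpected 'refund' text message (added example).

Not code from the post. Sample messages and the official-domain table are
constructed for illustration; the lookalike host uses the reserved .example TLD.
"""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
MONEY_RE = re.compile(r"\b(refund|rebate|payment|compensation|claim|prize|owed)\b", re.I)
URGENT_RE = re.compile(
    r"\b(urgent|immediately|within \d+ (?:hours|days)|today|expire[sd]?|final notice)\b", re.I
)

# Assumption for the example: brand token -> domain the real organisation uses.
OFFICIAL = {"dvla": "gov.uk"}


def hosts_in(text):
    """Return the lowercased hostnames of every URL found in the message."""
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        if url.lower().startswith("www."):
            url = "http://" + url          # give urlsplit a scheme to parse
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def under(host, domain):
    """True only if host is domain itself or a real subdomain of it.

    Label-boundary matching matters: 'gov.uk.evil.example' and
    'notgov.uk' must not count as being under 'gov.uk'.
    """
    return host == domain or host.endswith("." + domain)


def triage(message):
    """Return the list of red flags found in a message (empty if none)."""
    flags = []
    if MONEY_RE.search(message):
        flags.append("offers money")
    if URGENT_RE.search(message):
        flags.append("urgency")
    for host in hosts_in(message):
        brand_hit = None
        for brand, domain in OFFICIAL.items():
            if brand in host and not under(host, domain):
                brand_hit = brand
                break
        if brand_hit:
            flags.append(f"link to {host} impersonates {brand_hit}")
        elif not any(under(host, d) for d in OFFICIAL.values()):
            flags.append(f"link to unknown host {host}")
    return flags


def safe_to_click(message):
    """Conservative decision: any suspicious link, or two or more flags, means no."""
    flags = triage(message)
    return not (len(flags) >= 2 or any(f.startswith("link to") for f in flags))


# Constructed sample messages (not real texts).
SAMPLES = {
    "scam": ("URGENT: DVLA owes you a refund of £32.60. Claim within 24 hours: "
             "http://dvla-refund.example/claim"),
    "legit": "Your DVLA vehicle tax reminder is available at https://www.gov.uk/",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, triage(text), "safe" if safe_to_click(text) else "DO NOT CLICK")
```

The host check is deliberately strict about label boundaries: a suffix test against ".gov.uk" is what stops a lookalike such as gov.uk.something.example from passing, which is the same trick the criminals rely on in the message itself.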

Remember: Think before you click!

Sunday, March 29, 2020

Coronavirus and cybercrime: please say criminals, NOT hackers

Not all criminals wear hoodies.
Not all hackers are criminals.
Photo by Luis Villasmil on Unsplash
This BBC headline is both a sad sign of the times and also a sad reminder of how sloppy the media can be:

"Coronavirus: How hackers are preying on fears of Covid-19"

I bet the title was not chosen by the writer of the article.

The article itself, by Joe Tidy, is good stuff, and I encourage you to read it because everyone needs to be aware that—as he writes in the opening sentence—at this point in time, "Cyber-criminals are targeting individuals as well as industries, including aerospace, transport, manufacturing, hospitality, healthcare and insurance." And they are using the public's fear of coronavirus to advance a criminal agenda: infiltrate systems and compromise them. This is despicable behavior and people who engage in it should be ashamed of themselves.

But it is wrong to call the people who are doing this hackers. These are criminal hackers; or, if space is limited: criminals. To be clear: people who hack for criminal purposes are criminals, not hackers. There are many people who hack for non-criminal purposes, some of them very noble and unselfish. For example, right now there are people "hacking" solutions to the shortage of medical equipment and apps to help capture and track data that could be critical to tackling coronavirus (see "Good use of Hacker" below).

Editors who gloss over this extremely important distinction do the world a disservice. As someone who has spent the better part of three decades trying to explain why the world needs to do more to shut down the criminal abuse of information technology, I can assure you that confusion over the word "hacker" has been a serious distraction if not an outright impediment.

One of the main strategies for assessing the security of a computer network or digital device is to hire someone to try and defeat it, i.e. to hack it. That someone is an ethical hacker, but they are in short supply, due in part—in my opinion—to the stigma that the media has attached to the word hacker. The dynamics of the confusion over hacker are too complex to unravel here, but this article provides a simplified overview of the good/bad hacker landscape, and this one helps explain good hacking. You might also want to check out a session at a hacker convention (DEF CON III, 1995) in which I explored arguments for and against hacking with some of the earliest practitioners.

A postdigital perspective

Having done several stints as a writer and editor as well as publisher, I realize that it's a pain to have to constantly distinguish between good hackers and bad hackers, white hats and black hats, ethical and criminal—not to mention the hits to your word counts and screen space. On the other hand, think how good it is to educate your readers about this increasingly common aspect of daily life, the constant struggle between criminal hackers and the ethical hackers who work so hard to thwart them.

Furthermore, it is suitably postdigital to just say criminals. To use the word hackers when talking about criminals suggests you can't see how modern life has evolved. Allow me to quote Professor Gary Hall, Director of the Centre for Postdigital Cultures at Coventry University:
the ‘digital’ can no longer be understood as a separate domain of culture. Today digital information processing is present in every aspect of our lives. This includes our global communication, entertainment, education, energy, banking, health, transport, manufacturing, food, and water-supply systems. Attention therefore needs to turn from the digital understood as a separate sphere, and toward the various overlapping processes and infrastructures that shape and organise the digital and that the digital helps to shape and organise in turn.
For good or ill, hacking shapes and organizes the digital. The word for people who commit crimes in our postdigital world is criminal, not hacker. Crimes committed in cyberspace are crimes, not hacking. Bearing these things in mind will help us better understand the fact that we are way behind in our efforts to get a handle on crime (something that I have documented in depth).

Last year I was honored to be part of a much-needed international, vendor-neutral project to address the challenges of cyber-deterrence. The output of the project is freely available here. But even that project started out with a less-than-helpful headline: "To Catch a Hacker." I urged scaling back on that phrase as the project evolved, and I am now trying to be upfront with interviewers and editors: please don't quote me if your headline is going to imply—as the BBC's does—that all hackers are criminals.

Finally, to help out editors who like to learn by example—and to demonstrate that I am not singling out the BBC—here are some bad use cases and some good use cases:

Bad use of hacker:
Good use of Hacker:

Monday, February 24, 2020

Crime metrics matter: two charts of the big mess we're in, even if we're not sure how big it is

[Update: Advancing Accurate and Objective Cybercrime Metrics, my article in the Journal of National Security Law & Policy is now available online.]

We are now about 50 years into the information age, so let me ask you: How secure is your personal information? If you're like most adults in America, the answer is probably: "not as secure as it used to be."
 Chart linked to original report.

That is what the social scientists at Pew Research Center found last year when they carried out the survey behind the chart on the right (click to access the full report).

As you can see, 70% of folks said that they felt their personal information was less secure than it was five years ago; furthermore, they were more likely to think that way if they were 50 or older, more educated, or in a higher income bracket.

My take on these numbers is that they reflect the relentless increase in cybercrime, or what my good friend, the gifted security researcher Cameron Camp, calls cyberbadness: the apparently never-ending litany of technology-enabled scams, frauds, thefts, losses, and disruptions that seem to be victimizing more and more people and organizations. Note that I used the word "seem" intentionally because some observers will point out that public perception of criminal activity is not always in sync with reality. At times that may be true, but before we can determine whether people are over- or under-reacting to cybercrime, we need to ask: what is the true scale and impact of cybercrime? And quite frankly, nobody has a good answer at the moment.

Why? Well, I've said it before, years ago, and again last year: "the importance of metrics to crime deterrence would appear to be both critical and obvious, but despite this there is a persistent cybercrime metrics gap." As far as I am concerned, that is a problem, one that I addressed at some length in a recent law journal article that is currently available online. The following quote may help to put the problem in perspective:

“[u]ntil there are accepted measures and benchmarks for the incidence and damage caused by computer-related crime, it will remain a guess whether we are spending enough resources to investigate or protect against such crimes… In short, metrics matter.”

Those words were spoken 16 years ago by an FBI agent, Edward J. Appel, someone who knew a thing or two about metrics (his father, Charles A. Appel, founded the FBI's Technical Laboratory).

Unfortunately, casual use of Google gives the impression that we have an abundance of metrics about cybercrime, with search results like "300+ Terrifying Cybercrime & Cybersecurity Statistics" and "110 Must-Know Cybersecurity Statistics for 2020." The problem is, the sources for such numbers are often suspect in terms of methodology and/or confirmation bias.

I addressed these issues in the Journal of National Security Law & Policy article mentioned above (Advancing Accurate and Objective Cybercrime Metrics, publication pending but currently available online). And I had spoken at length about the problem at the 2015 Virus Bulletin security conference (you can find my paper, a video of my talk, and my slides here: Sizing Cybercrime: incidents and accidents, hints and allegations). The sad reality is that, when it comes to timely and objective official statistics about crimes committed in cyberspace, they are in short supply.

Even sadder is the fact that the metrics we do have, such as the Internet Crime Reports issued by the FBI and IC3, make for depressing reading, not to mention depressing charts like the one on the right. This documents the rise in total annual crime losses reported to the Internet Crime Complaint Center or IC3 from 2003 through 2019.

As you can see, the year-on-year increase has become quite acute. Yes, I know the chart is somewhat compressed to fit this page layout, but you would have to spread it quite wide to get rid of the "hockey stick" that is the last five years. I certainly wouldn't bet against it blowing through $4 billion in the next report.

And yes, there are issues with using the IC3 numbers as crime metrics. They are not collected as an exercise in crime metrics, but rather as part of just one avenue of attack against the crimes they represent. However, I have studied each annual report and am satisfied that collectively they provide solid evidence of a real world cybercrime impact trend that looks very much like the line shown here.

My law review article was one of several generated by a range of independent subject matter experts as part of the Third Way Cyber Enforcement Initiative. The initiative was an impressive multi-stage effort to coordinate inter-disciplinary input on efforts to tackle the cybercrime problem. When commissioned papers reached draft stage, authors attended a day-long, mid-summer workshop at New York University School of Law for live peer review. By October, this Third Way initiative had already produced results, including an excellent summary of the metrics issue in The Need for Better Metrics on Cybercrime, from Third Way Policy Advisor, Ishan Mehta.

As papers continue to appear, check the website of the Journal of National Security Law & Policy. For example, right now you can access this important contribution from Amy Jordan and Allison Peters on Countering the Cyber Enforcement Gap: Strengthening Global Capacity on Cybercrime, and this excellent review of the use of criminal charges as a response to nation-state hacking from Tim Maurer.

(Acknowledgement: I am deeply grateful to all who participated in this project, for their input, insight, enthusiasm, and support.)

Monday, January 20, 2020

Happy New Year? Decade? 2020?

Greetings! I am happy you're here, reading this page, because now that I'm no longer writing for We Live Security, this blog is one of the ways I will continue to share what I hope is useful research and analysis. (There's more on the big changes I made in 2019 here.)

I really do hope that you have a happy and safe and satisfying 2020, and a fulfilling decade, but I put those question marks up there in the title because right now I see serious challenges ahead. Frankly, I'm not sure the world is ready, or able, or even willing, to meet them.

But gloomy as that may sound, I do see some bright spots; I mean, the 2020 puns are bound to wear out soon, right? And people will eventually stop saying things like "I can see clearly now that 2020 is here." Which reminds me of the 2015 TEDx event in San Diego that was actually called 20/20 Vision.

I had the honor of speaking at that event. My topic was cybersecurity, cybercrime, and the need for more women and minorities in technology leadership. I framed these remarks (yes there's a pun there if you like), as a choice between two futures.

The first future that I sketch out is one in which technology enables humans to tackle existential risks like climate change and make life on the planet better for everyone. The second future turns out to be a dismal one because we failed to get to grips with core problems facing technology. Well, now that 2020 is here I have to say that the world pretty much went with Future #2, and we are no nearer to the bright and shining Future #1 now than we were in 2015.

And of course, that means I have a lot more work ahead of me - explaining what we're doing wrong, why we're doing it wrong, and how critical it is that we change. But just for the record, here's that 2015 talk. Happy 2020?

Wednesday, November 13, 2019

Cybercrime deterrence begins with metrics

The importance of metrics to crime deterrence would appear to be both critical and obvious and yet there is clearly a large cybercrime metrics gap: official statistics about crimes committed in cyberspace seem scarce relative to those documenting the incidence and impact of traditional or “meatspace” crimes. 

I have been talking about the cybercrime metrics problem for many years, notably at Virus Bulletin in 2015 (you can find my paper, a video of my talk, and my slides here: Sizing cybercrime: incidents and accidents, hints and allegations). 

More recently, namely Q3 of 2019, I wrote a law review article titled Advancing Accurate and Objective Cybercrime Metrics (publication pending). I did this as part of the Third Way Cyber Enforcement Initiative, an impressive effort to bring together an inter-disciplinary group of experts to develop ways forward on the cybercrime problem. This has already produced results, an excellent summary of input on The Need for Better Metrics on Cybercrime, from Third Way Policy Advisor, Ishan Mehta.

My paper for this project situates the efforts needed to obtain accurate and objective cybercrime metrics within the broader work of reforming traditional crime reporting which currently fails to meet the needs of information-based criminal policy. With a case study of identity theft, the paper illustrates disparities between current government and private-sector metrics while highlighting the importance of timely metrics to the work of countering rapidly evolving cybercrimes. After reviewing promising ways forward already developed by a range of experts, the paper concludes that meaningful action to improve crime metrics is possible; however, this will take more political will than has so far been mustered and so suggestions for how this might be generated are provided.

I will be giving a flashtalk on the paper at the upcoming symposium at New York University: Catching the Cybercriminal: Reforming Global Law Enforcement. Then I will report back here.

Friday, August 30, 2019

Potentially malicious use of QR codes and NFC chips

Like any technology, QR codes and NFC chips can be abused and misused for selfish or criminal purposes. I was reminded of this by a recent Dark Reading article by Chris Franklin, Jr. titled "9 Things That Don't Worry You Today (But Should)."

One of the things that Chris highlighted was QR codes and when I saw this particular page it reminded me that I had written about the abuse of these codes myself (seven years ago). In fact, I not only wrote about them, I did some research on them and an adjacent technology, the NFC chip (both can be used to trigger events in an information system, and they are cheap to implement, easy to program, and also very thin). 

I made a very short video to demonstrate one potential type of abuse - tricking people into visiting a malicious website. Here is the video, with thanks to my former employer, ESET, for giving me the time and resources to make this demo:

As you can see, there is plenty of potential for hijacking or misdirecting people's interests via both QR and NFC technology, and I am indebted to my former ESET colleague, Cameron Camp, for pointing some of these out, way back in early 2012.

(Funny story: about that time, Cameron was in Hong Kong to speak at a security conference and noticed the extensive use of QR codes in public transportation vehicles. He pointed this out to a company exec who was there and said, "How about I write a blog post showing how someone could print their own codes on sticky labels and just plaster them over these legit codes?" Apparently, this produced a lot of head-shaking. ESET decided to go with the more low key demo you see here.)
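The defensive counterpart to the sticker-overlay trick is to inspect what a tag actually decodes to before acting on it. The following is an added example (my own code, not from the ESET demo or the articles mentioned here): it takes the text decoded from a QR code or NFC tag and lists the red flags a scanner app or a fleet operator's tag-audit script might check, using a constructed allowlist of hosts (`TRUSTED_HOSTS`) and constructed sample payloads.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: hosts an organisation expects its own QR/NFC tags to
# point at. Replace with the real set before using this for anything.
TRUSTED_HOSTS = {"example.org", "tickets.example.org"}


def inspect_payload(payload: str) -> list[str]:
    """Return the reasons a decoded QR/NFC payload looks suspicious.

    An empty list means no red flag was found, which is not proof of safety;
    it only means the cheap checks a scanner can do offline all passed.
    """
    reasons = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # tel:, sms:, mailto:, intent: and friends trigger an action rather
        # than a page view, so they deserve an explicit prompt, not auto-open.
        return [f"non-web scheme '{scheme or 'none'}'"]
    if scheme == "http":
        reasons.append("plain http (no TLS)")
    host = (parts.hostname or "").lower()
    if not host:
        return reasons + ["no host in URL"]
    if parts.username is not None:
        # "https://tickets.example.org@evil.test/" shows the trusted name first
        reasons.append("userinfo before host (look-alike trick)")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP-literal host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homograph)")
    if host not in TRUSTED_HOSTS and not any(
        host.endswith("." + t) for t in TRUSTED_HOSTS
    ):
        reasons.append(f"host '{host}' not in allowlist")
    return reasons


def triage(payloads: list[str]) -> dict[str, list[str]]:
    """Map each decoded payload to its list of red flags (audit-report shape)."""
    return {p: inspect_payload(p) for p in payloads}


# Constructed sample payloads, as a scanner might decode from printed tags.
SAMPLE_PAYLOADS = [
    "https://tickets.example.org/buy?id=42",
    "http://tickets.example.org@198.51.100.7/login",
    "tel:+15555550100",
]
```

Running `triage(SAMPLE_PAYLOADS)` flags the second and third payloads; a scanner should show the full decoded host, not just the page title, before it opens anything.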

Back then I wrote a couple of related articles on this blog: