Computer Crime Research Center


The changed face of cybercrime

Date: February 22, 2008
By: Richard Kirk

The past few years have seen a major change in the world of cybercrime. The sheer number of crimes has increased substantially, but that’s not the whole story. Merely increasing the amount of money and people that your company throws at the problem is no longer enough to keep pace with the changes. Cybercrimes, and the cybercriminals that perpetrate them, have evolved. To protect your company from the new wave, your methods and attitudes must evolve too.

Just 4 or 5 years ago, cybercriminals were mostly young male nerds who did it for fun or experimentation. They weren’t out to profit from their endeavours. They simply wanted to impress their peers (or girls, in a small number of cases). They didn’t want to steal money or cause major disruption, but introducing some minor irritations was a legitimate part of the game. Changing the company logo on a web site was acceptable. Crashing the entire system and demanding money to return it to normal was never an option. Hacking was done to earn bragging rights and to boost egos. It was a couple of notches up the intellectual ladder from trainspotting. Crack a system, enter the details into your well-thumbed notebook, then move on.

But the golden age of hackers and cybercriminals has passed. Today, e-crime is the domain of organised gangs, often from eastern Europe or China. They have just one motive. Gone is any desire to embarrass website owners or cause mindless e-vandalism. Now it’s all about making money.

The main targets of today’s hackers are e-commerce web sites and the customer databases behind them. Databases that hold credit card numbers, expiry dates, PINs, addresses, and everything else that’s needed to empty a victim’s bank account. Their operations are so slick that stolen data is exploited within seconds of it being submitted by unwitting victims.

A total of 143,757,645 database records have been reported to have been compromised since 2005, yet many incidents go unreported and unnoticed. Some 40 per cent of those involved in IT security can’t put a figure on the number of incidents that their company has experienced.

The big growth area in e-commerce right now is in the use of web-based applications to replace traditional over-the-counter or telephone-based transactions. Hackers have, understandably, latched onto this. According to Gartner, 75 per cent of security breaches are due to flaws in software, primarily because those applications have been put together as quickly as possible in order to get a working system out there, without due regard being given to the security implications.

As the hackers continually attempt to up their game, the securities and futures industry in the US recorded, in 2007, a 150% annual increase in the amount of suspicious activity detected on its systems. During the same period, research carried out at the University of Maryland found that a computer system connected to the internet was typically subjected to an attempted hack every 39 seconds.

“Today's cybercriminals are highly sophisticated”, says Roger Thornton of Fortify, an IT security company. “Their technical expertise is extremely good, as is their knowledge of the systems they're trying to break into. They know the thresholds at which an online ordering system will seek additional verification of a customer's identity, and take care to stay below it when placing fake orders.

“They also have at their disposal the resources of large organised crime gangs who are fully aware that the world's police forces are woefully under-resourced for tracking down internet fraudsters.”

According to Gartner, 90 per cent of IT security spend is on perimeter security such as firewalls. But maybe we’re doing it all wrong. After all, conservative estimates put the total annual IT security spend in the US at some $50 billion. Those same estimates suggest that losses due to e-crime are running at around $100 billion. We're spending 50 billion to lose 100 billion. As ROIs go, it’s not a particularly good one.

A firewall will happily let someone access an insecure Web application if they meet all the criteria for being allowed in. Surely this can’t be allowed to continue. We need to focus our efforts into building secure applications in the first place, which can't be compromised. Perhaps the decision on whether someone should be allowed to use an application should be based on whether that app is secure, not on the user’s IP address or the port they’re trying to connect to.

As the move to online applications expands beyond online shopping, the need for secure applications will become even more important. If an e-voting application allows someone to vote twice if they enter a couple of thousand random characters as their surname, a firewall isn’t going to help.

So how can we make our web-based applications more secure? Historically, software developers have been so immersed in trying to make the software bug-proof and resilient that they have overlooked the security side. It is now time to change this approach.

We need to put more effort into designing secure applications, and to use proper procedures (as well as automatic software solutions) to help test them. This means tackling the developers, and readjusting their attitudes.

In the past, software developers have concentrated too much on availability. If their system appears to work most of the time, they're happy. They're fully aware that their code isn't perfect but they don't see a need to do anything about it. “If someone wants to enter a credit card expiry date of -1 and crash the application, that's not our problem”, they say. It is, and someone has to tell them.
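The two failure cases mentioned above (an expiry date of -1 and a surname of a couple of thousand characters) come down to server-side input validation. The following sketch is an added example, not code from the original article; the function names, the 64-character surname limit and the 20-year expiry horizon are assumptions chosen for illustration.

```python
import datetime
import re

MAX_SURNAME_LEN = 64  # assumed limit for this example
# Letters only, with single space, apostrophe or hyphen separators.
SURNAME_RE = re.compile(r"[^\W\d_]+(?:[ '\-][^\W\d_]+)*")


def naive_expiry(month, year):
    """Unvalidated parse: raises ValueError on input such as month "-1"."""
    return datetime.date(int(year), int(month), 1)


def validate_expiry(month, year, today):
    """Return (ok, reason); never raises on hostile input."""
    if not (isinstance(month, str) and isinstance(year, str)):
        return False, "expiry must be text fields"
    # ASCII digits only: rejects signs, whitespace and Unicode digits.
    if not (re.fullmatch(r"[0-9]{1,2}", month) and re.fullmatch(r"[0-9]{4}", year)):
        return False, "expiry must be digits only (MM / YYYY)"
    m, y = int(month), int(year)
    if not 1 <= m <= 12:
        return False, "month out of range"
    if (y, m) < (today.year, today.month):
        return False, "card expired"
    if y > today.year + 20:
        return False, "expiry implausibly far in the future"
    return True, "ok"


def validate_surname(surname):
    """Return (ok, reason); length is checked before any pattern matching."""
    if not isinstance(surname, str):
        return False, "surname must be text"
    if not 1 <= len(surname) <= MAX_SURNAME_LEN:
        return False, "surname length out of range"
    if not SURNAME_RE.fullmatch(surname):
        return False, "surname contains unexpected characters"
    return True, "ok"


if __name__ == "__main__":
    today = datetime.date(2008, 2, 22)  # constructed sample date
    for mm, yyyy in [("-1", "2009"), ("13", "2009"), ("03", "2009")]:
        print(mm, yyyy, validate_expiry(mm, yyyy, today))
    print(validate_surname("x" * 2000))
```
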
