Modernizing Authentication — What It Takes to Transform Secure Access
Progressive criminals saw the evolution of technology as a means for upgrading their own malicious activities. Hackers, crackers, phishers, pharmers and social engineers used their knowledge stores to one-up the average individual in a vicious game of 'you are you but I also can be you'.
Identity theft was buoyed by the black market's supply and demand. Yet even criminal consumers are a fickle lot, and what was valuable last year is not so lucrative by this year's standards. According to Bindview's RAZOR research team -- a group of people focused on incorporating the latest up-to-date changes in the threat, vulnerability, and regulatory landscape into Bindview's products -- credit card numbers were worth approximately $25 each wholesale and $100 each retail in 2002. Fast forward to 2005 and they've dropped to $1 to $5 wholesale and $10 to $25 retail.
Yet 'products' such as email addresses weren't on the map in 2002 but are currently worth $.01 to $.05 each. A well-programmed bot could find many hundreds of valid emails a day, turning a tidy profit for black marketeers.
''The ease with which data can be stolen depends on the tools being used and the thief's level of sophistication in traversing through the network,'' says Jim Hurley, senior director of RAZOR Research, for Houston, Texas-based Bindview. ''Creating a breach ranges in difficulty from being intimately familiar with the innards of OS design, construction and network protocols to having absolutely no knowledge -- because you don't need it with the vast availability of pre-built tools. Sniffers, keyloggers, rootkits, loaders, Trojans and virus kits are but a few of the many offerings on thousands of accessible sites.''
In the recent past, online theft and criminal activity poured forth from highly advanced or severely disadvantaged nations. But today's online crime is far from being country specific. If you know how to compile a program, you can make changes to the source code of an application and make it do something else.
Just as online auctions launched a flurry of overnight entrepreneurs, so has the prevalence of online crime kits. You don't need a long list of contacts to get started on the dark side. Once a would-be criminal has found themselves some interesting information, it's not that hard to find a buyer using Web sites, bulletin boards, IM, email, cell phones and of course, the very lucrative Web auction ring.
Make no mistake, though the hierarchy has shifted from organized crime families, it is very much alive in the form of organized Web auction rings -- well-oiled machines that include many layers of people performing very specific roles and functions. From the top down they include the inner ring, evaluators, inspectors, enforcers/contacts, trusted fences and the buyer and seller.
Web auction rings, otherwise known as Web Mobs, have proved to be a very nasty problem for Federal investigators due to their cross-country logistics. Once sufficient evidence has been gathered to crack an auction ring, authorities must work within international boundaries, time zones and with foreign legal statutes.
''What's not well known is they're not in the business of stealing things and theyre not hackers,'' says Hurley. ''It's best to think of them as a fence between the buyer and the seller. They're not technologists and they don't care to be, they just want to make sure that their activities are not traceable and these are the organizations that are operating around the world.''
So what's for sale in this more accessible market? Falsified deeds, birth and death records, letters of credit, health insurance cards, source code, diplomas and even people are available for the right price. The anonymity and relative ease of criminal activity is gaining in attractiveness to the barely skilled programmers looking to cash in.
The modus operandi of today's cyber criminal includes commonly known tricks of the trade, starting with the path of least resistance, i.e., social engineering. According to Hurley, criminals go after their victims using a predictable set of steps: reconnaissance, target, evaluate the environment, install new service or backdoor, cover your tracks, hit pay dirt and run or decide to hang around to exploit and reuse the target, keep ownership of the device, or not, and then move on to the next victim.
With so much information so relatively easy to get to, it's a feast of sorts for the would-be Web Mobber. Using established channels spanning international date lines, and employing thousands of zombie machines, it's more difficult than ever to locate these extensive criminal networks but easier than expected to join one.
So what can be done to protect our organizations from this type of infiltration?
''There's what I'll call best practices and then there's reality,'' says Hurley. ''Based on our research over the past two to three years, there are significant differences in performance results that companies are experiencing with their security programs. There are some common things that are done very well among the best-class enterprises suffering the least amount of breaches and damages. But even having said that, there's probably no way to defeat a serious security threat today and it wouldn't matter what the tool is. The only way to do that would be to unplug the computers.''
According to Hurley, the firms that have a good chance of avoiding victimization are the ones with a very active risk management program in place. ''An executive team devoted to solving security issues, where the IT security function isn't buried in a hole somewhere in IT but rather implemented as a risk management function, cross-company and cross-functional.''
Although the U.S. government has been working in concert with international authorities to painstakingly dismember online Web Mobs, our indictments are but a grain of sand in the vast amount of criminal collectives forming and disbanding in a constant game of hide and seek. Individually, the indictments are a win, but with the ease and prevalence of online hacking tools and the lucrative nature of buying and selling through organized Web Mobs, many more will don the black hats as they continue to cross-over.
The reality of it is that weve only just scratched the surface.