Cybercrime

Vol. 4 No. 9 – November 2006

Cybercrime

Interviews

A Conversation with Douglas W. Jones and Peter G. Neumann

Douglas W. Jones and Peter G. Neumann have long been active participants in promoting integrity in the election process, with special emphasis on the dependable use of information technology, as well as on the weak-link nature of the entire process, from beginning to end.

A Conversation with Douglas W. Jones and Peter G. Neumann

Does technology help or hinder election integrity?

Douglas W. Jones and Peter G. Neumann have long been active participants in promoting integrity in the election process, with special emphasis on the dependable use of information technology, as well as on the weak-link nature of the entire process, from beginning to end.

Elections form the fundamental basis of all democracies. In light of many past problems with the integrity of election processes around the world, ongoing efforts have sought to increase the use of computers and communications in elections to help automate the process. Unfortunately, many existing computer-related processes are poorly conceived and implemented, introducing new problems related to such issues as voter confidentiality and privacy, computer system integrity, accountability and resolution of irregularities, ease of administration by election officials, and ease of use by voters—with many special problems for those with various handicaps. Overall, the issues relating to computer security provide a representative cross-section of the difficulties inherent in attempting to develop and operate trustworthy systems for other applications. These issues, of course, have relevance internationally and are increasingly timely.

Opinion

Better Health Care Through Technology

Leveraging technology to support aging relatives in their homes is a cost-efficient way to maintain health and happiness and extend life. As the technology expert for my extended family, it has fallen to me to architect the infrastructure that will support my family’s aging loved ones in their homes as long as possible. Over the years, I have assisted four different senior households in achieving this goal, and although things have been bumpy at times, I have refined technical solutions and methodologies that seem to work well.

Better Health Care Through Technology

What can you do for aging loved ones?

Mache Creeger, Emergent Technology Associates

Leveraging technology to support aging relatives in their homes is a cost-efficient way to maintain health and happiness and extend life. As the technology expert for my extended family, it has fallen to me to architect the infrastructure that will support my family’s aging loved ones in their homes as long as possible. Over the years, I have assisted four different senior households in achieving this goal, and although things have been bumpy at times, I have refined technical solutions and methodologies that seem to work well.

There are two major elements involved here: the prompt response to a medical emergency and the consolidation and timely dissemination of current medical information. Here is some of what I have learned.

by Mache Creeger

Articles

Criminal Code: The Making of a Cybercriminal

NOTE: This is a fictional account of malware creators and their experiences. Although the characters are made up, the techniques and events are patterned on real activities of many different groups developing malicious software.

Criminal Code: The Making of a Cybercriminal

THOMAS WADLOW, INDEPENDENT CONSULTANT
VLAD GORELIK, SANA SECURITY

NOTE: This is a fictional account of malware creators and their experiences. Although the characters are made up, the techniques and events are patterned on real activities of many different groups developing malicious software.

“Make some money!” Misha’s father shouted. “You spent all that time for a stupid contest and where did it get you? Nowhere! You have no job and you didn’t even win! You need to stop playing silly computer games and earn some money!”

by Thomas Wadlow, Vlad Gorelik

Cybercrime: An Epidemic

Painted in the broadest of strokes, cybercrime essentially is the leveraging of information systems and technology to commit larceny, extortion, identity theft, fraud, and, in some cases, corporate espionage. Who are the miscreants who commit these crimes, and what are their motivations? One might imagine they are not the same individuals committing crimes in the physical world. Bank robbers and scam artists garner a certain public notoriety after only a few occurrences of their crimes, yet cybercriminals largely remain invisible and unheralded. Based on sketchy news accounts and a few public arrests, such as Mafiaboy, accused of paralyzing Amazon, CNN, and other Web sites, the public may infer these miscreants are merely a subculture of teenagers. In this article we provide insight into the root causes of cybercrime, its participants and their motivations, and we identify some of the issues inherent in dealing with this crime wave.

Cybercrime—An Epidemic

Can we protect ourselves from the hazards of an online world?

TEAM CYMRU

Painted in the broadest of strokes, cybercrime essentially is the leveraging of information systems and technology to commit larceny, extortion, identity theft, fraud, and, in some cases, corporate espionage. Who are the miscreants who commit these crimes, and what are their motivations? One might imagine they are not the same individuals committing crimes in the physical world. Bank robbers and scam artists garner a certain public notoriety after only a few occurrences of their crimes, yet cybercriminals largely remain invisible and unheralded. Based on sketchy news accounts and a few public arrests, such as Mafiaboy, accused of paralyzing Amazon, CNN, and other Web sites, the public may infer these miscreants are merely a subculture of teenagers. In this article we provide insight into the root causes of cybercrime, its participants and their motivations, and we identify some of the issues inherent in dealing with this crime wave.

Cybercrime is pervasive, nondiscriminatory, and dramatically on the increase. Countless dollars are being siphoned from innocent individuals and large corporate entities alike. With minimal risk, people are turning to cybercrime in ever-escalating numbers because of its low-skill entry requirements and promise of extremely high rates of financial return.

by Team Cymru

E-mail Authentication: What, Why, How?

Internet e-mail was conceived in a different world than we live in today. It was a small, tightly knit community, and we didn’t really have to worry too much about miscreants. Generally, if someone did something wrong, the problem could be dealt with through social means; “shunning” is very effective in small communities.

E-mail Authentication what, why how?

ERIC ALLMAN, SENDMAIL

Internet e-mail was conceived in a different world than we live in today. It was a small, tightly knit community, and we didn’t really have to worry too much about miscreants. Generally, if someone did something wrong, the problem could be dealt with through social means; “shunning” is very effective in small communities.

Perhaps we should have figured out what was going to happen when Usenet started to go bad. Usenet (aka Netnews) was based on an inexpensive network called UUCP (quaintly standing for Unix to Unix copy program), which was fairly easy to join, so it gave us a taste of what happens when the community becomes larger and more distributed—and harder to manage. Even the worst flame wars seemed fairly innocuous in the grand scheme of things, and kill files were really enough, but there was a seed of something ominous that was going to germinate all too soon.

by Eric Allman

Playing for Keeps

Inflection points come at you without warning and quickly recede out of reach. We may be nearing one now. If so, we are now about to play for keeps, and “we” doesn’t mean just us security geeks. If anything, it’s because we security geeks have not worked the necessary miracles already that an inflection point seems to be approaching at high velocity.

Playing for Keeps

Will security threats bring an end to general-purpose computing?

DANIEL E. GEER, VERDASYS

Inflection points come at you without warning and quickly recede out of reach. We may be nearing one now. If so, we are now about to play for keeps, and “we” doesn’t mean just us security geeks. If anything, it’s because we security geeks have not worked the necessary miracles already that an inflection point seems to be approaching at high velocity.

Many of us believe and many more of us say that complexity and security are antipodal. This complexity vs. security dichotomy is real but not exact; yet it is to some degree measurable, and news from that front is not good. The software industry sells a product that does not naturally wear out and that retains complete fidelity when copied—two characteristics, among others, that separate the digital world from the physical world. To continue to make money from existing customers, a software supplier must sell upgrades, maintenance, or both. Maintenance sells best when a product is unstable or hard to use—the very need for maintenance is an admission of complexity. New features, if they are to compel otherwise happy users to effectively repurchase a product they already have, tend to be at least linear (10 new features) if not geometric (10% new features). Absent perfection, each new feature comes with new failure modes, and features can sometimes interact; therefore, the potential number of failure modes quite naturally can grow faster than the feature count.

by Daniel E. Geer

Curmudgeon

The Joy of Spam

Not a day goes by that a large amount of spam doesn’t get past the two filters that I have in place (one on the server and one on my mail client). Most of this e-mail is annoying and some of it dangerous. But I have finally come to peace with spam and it no longer bothers me. How did I do that, you ask? I have learned to respect, even love, spam’s malicious beauty. I want to share my journey to inner peace, hopeful that you will find happiness too.

The Joy of Spam

Embracing e-mail’s dark side

Phillip A. Laplante, Penn State University

Not a day goes by that a large amount of spam doesn’t get past the two filters that I have in place (one on the server and one on my mail client). Most of this e-mail is annoying and some of it dangerous. But I have finally come to peace with spam and it no longer bothers me. How did I do that, you ask? I have learned to respect, even love, spam’s malicious beauty. I want to share my journey to inner peace, hopeful that you will find happiness too.

Why spam, why now?

I had been growing more agitated with the escalating intensity and elusiveness of spam for several years. At any given point in time my junk e-mail box featured hundreds of pieces of spam in more than 30 languages. This junk included phishing attacks disguised as e-mail from dozens of banks and credit unions, both real and imaginary; from PayPal and eBay (which I never use); from Internet lotteries; and every other form of confidence scam. I have been offered countless products for sale: discount drugs, computer supplies, sexual enhancement products, financial opportunities, and flattering offers of dates, marriage, and more.

by Phillip A. Laplante

Kode Vicious

Understanding the Problem

Is there any data showing that Java projects are any more or less successful than those using older languages?

I've done a one-day intro class and read a book on Java but never had to write any serious code in it. As an admin, however, I've been up close and personal with a number of Java server projects, which seem to share a number of problems.

by George Neville-Neil