cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Caute_cautim
Community Champion

How do we combat this, if the illicit bad community are making more money than legal companies?

According to a new report coming out of the RSA Conference 2018: 

 

https://www.darkreading.com/vulnerabilities---threats/cybercrime-economy-generates-$15-trillion-a-ye...

 

"The $1.5 trillion that cybercriminals generate each year includes $860 billion in illicit online markets, $500B in theft of trade secrets and intellectual property, $160B in data trading, $1.6B in crimeware-as-a-service, and $1B in ransomware. Evidence indicates cybercrime often generates more revenue than legitimate companies: large multi-national operations can earn more than $1B; smaller ones typically make between $30k-$50K."

 

How do we combat this?

 

 

22 Replies
Baechle
Advocate I

(@vt100) Vladimir,

 

I respectfully disagree! 

 

There was a time in recent history that certain types computer network “packets” were actually listed as munitions under United States laws (the International Traffic in Arms Regulations or ITAR).  Other than the hilarity of the guy that tattooed the code for RSA on himself (https://www.wired.com/1996/04/strong-arm/) leading to this concept being declared Unconstitutional, this creates all kinds of legal problems.

 

For example, when you use TOR or another anonymizer and your traffic flows through another country.  In this context literally and legally (by definition, not legally as in authorization) fired a weapon through that country’s critical infrastructure.  Think about the political, military, and legal issues that brings up.

 

Sincerely,

 

Eric B.

vt100
Community Champion

@Baechle Sorry, there is no way in this forum to see the replies in the context of the previous posts, which makes it difficult to determine what post you are disagreeing with. If it is the one where I compare exploits to the chemical and biological weapons, then the parallel you are drawing with certain crypto tech being listed as "munition" is, in my opinion, not apt. Nor is the use of anonymizers.

 

Yes, use of anonymizers may violate some country laws and, tangentially used for other illicit activities, but it is not destructive in nature.

 

Stockpiled and undisclosed 0 day exploits, on the other hand, outside of the generally accepted grace periods given by finders to the vendors, have no other use but as a weapon.

 

Weather someone extorts money from you by holding a gun to your head or encrypting data necessary to provide life-saving treatment, the outcome of not complying with with perpetrator's demands may well be the same. Similarly, if it is used to cripple vital infrastructure services (as was the case in Saudi Arabia, Ukraine and Atlanta).

 

The added scare factor is that every time those tools are used, the opposing side is automatically getting their hands on it. It may take some time to reverse engineer, modify the payload and repurpose, but so long as the original is kept secret, the blowback may be worth than the original intended use case.

 

Given the numbers of people affected by this, how could we not treat these threats as WMDs?

Baechle
Advocate I

(@vt100) Vladimir,

 

I apologize.  I did set my reading settings to be “Thread based” so I can see the replies in the context of the message it replies to.  I’ll try to use quotes more judiciously.  You are correct, I’m replying to your suggestion to place exploits on a munitions list.

 


Stockpiled and undisclosed 0 day exploits, on the other hand, outside of the generally accepted grace periods given by finders to the vendors, have no other use but as a weapon.

 

Weather someone extorts money from you by holding a gun to your head or encrypting data necessary to provide life-saving treatment, the outcome of not complying with with perpetrator's demands may well be the same. Similarly, if it is used to cripple vital infrastructure services (as was the case in Saudi Arabia, Ukraine and Atlanta).

 

The added scare factor is that every time those tools are used, the opposing side is automatically getting their hands on it. It may take some time to reverse engineer, modify the payload and repurpose, but so long as the original is kept secret, the blowback may be worth than the original intended use case.

 

Given the numbers of people affected by this, how could we not treat these threats as WMDs? 

I believe I understand the distinction that you are trying to make here in the word use of exploit vs a vulnerability.  Specifically, you are looking to make it illegal to possess the generic definition of a (here’s my best whack at this) “payload consisting of instructions, signals, or program code; that takes advantage of a vulnerability in the software or hardware running on a computer or telecommunication system; that would either (1) render it inaccessible to a legitimate user; or (2) allow an unauthorized person to obtain or alter information stored therein.”  Correct?

 

If that law were enacted, I would be guilty simply by having a keyboard.  Because I possess an “&” I therefore have the code to perform URI parameter tampering.

 

Do you see the problem? 

 

Therefore we have to criminalize the act of use of an exploit rather than it's possession..  Even further, we have to restrict that criminalization to intentional use to avoid someone just being sloppy or having fat fingers when they’re typing.  Or the code being illegitimate in one place, but legitimate in another.

 

Sincerely,

 

Eric B.

 

vt100
Community Champion

Wording of definitions is of paramount importance, as it defines grounds for legal interpretations.

 

I would prepend the " “payload consisting of instructions, signals, or program code; that takes advantage of a vulnerability in the software or hardware running on a computer or telecommunication system; that would either (1) render it inaccessible to a legitimate user; or (2) allow an unauthorized person to obtain or alter information stored therein.”  with Stockpiled and undisclosed 0 day resulting in:

 

"Stockpiled and undisclosed, previously unknown payload consisting of instructions, signals, or program code; that takes advantage of a vulnerability in the software or hardware running on a computer or telecommunication system; that would either (1) render it inaccessible to a legitimate user; or (2) allow an unauthorized person to obtain or alter information stored therein. When the attribution of the use for the above mentioned purposes is conclusive.”

 

Caute_cautim
Community Champion

I think the recent RSA Conference 2018, indicates the same direction - hardening and getting down to some really hard work with honesty to resolve the current situation.

Baechle
Advocate I

@vt100

 

I appreciate you trying to work through this.  You should have the law named after you if you figure it out!  😄

 

You hit the nail on the head ... we’re not writing the law for IT pro’s… we’re writing it for lawyers.

 


@vt100wrote:

 

 

"Stockpiled and undisclosed, previously unknown payload consisting of instructions, signals, or program code; that takes advantage of a vulnerability in the software or hardware running on a computer or telecommunication system; that would either (1) render it inaccessible to a legitimate user; or (2) allow an unauthorized person to obtain or alter information stored therein. When the attribution of the use for the above mentioned purposes is conclusive.”

 


 

How do you define what stockpiled is?  Who must it be disclosed to?  Leaving the term previously unknown hanging means that if the “hacker” has it, then they obviously know about it and therefore the law is self negating.

 

Sincerely,

 

Eric B.

vt100
Community Champion

Thanks 🙂 But I am afraid that being security specialist with self-evident Russian descent is not in vogue at the moment, so the likelihood of that is slim. 

Shannon
Community Champion

Perceiving a threat is one thing, but how you can act on it largely depends on what you're empowered to do.

 

Vladimir's question was How do we combat this, if the illicit bad community are making more money than legal companies? 

 

Before answering that, pose the counter-question Who / what does 'we' refer to here?

 

Let's divide those under the scope of 'we' into two categories: Potential Victims and Potential Combatants, and then sub-divide these into Individuals, Organizations and Governments, to see just what they can do: -

 

  • Individuals: Ensure you are well aware of things, & have properly protected yourself & assets you own / are responsible for. Try to imbibe security awareness into others & promote good measures. If you detect threats, report them to your organization / government, and attempt to counter them if you're authorized to.
  • Organizations: Set & enforce policies to ensure your assets are properly protected, & your people kept aware & trained to respond / react to IT threats properly. Report threats and comply with regulations of the government.
  • Governments: Set & enforce regulations to ensure that all entities (individuals & organizations) keep themselves aware of IT threats, properly protect themselves, and report these. Respond to reports, & control threats and threat vectors as required.

(There's also a third main category: Spectators --- those smart enough not to be victimized, but not keen on combating or reporting threats, particularly if there's little support from a higher level)

 

For combined efforts to be effective, everyone has to play their part properly. 

 

 

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Shannon
Community Champion

Correction to my earlier post :   John's question.

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Caute_cautim
Community Champion

Yes, the whole community needs to be involved.   It also needs to be a collaboration, or team work i.e. organisations working together to combat these issues.