Nobody expects the white hats of the IT world to be able to eliminate cyber crime entirely. But, according to McAfee Labs’ Threats Report for the fourth quarter of 2013, the good guys are having a tough time even making life difficult for the bad guys.
According to the report, what was most notable during the quarter was not the stream of headlines about massive credit card data breaches affecting retailers like Target, Neiman Marcus, White Lodging, Harbor Freight Tools, Easton-Bell Sports and Michaels Stores. Instead it was, “how well the malware industry served its customers,” who don’t need much technical expertise to launch their attacks.
The Target malware was a customized version of BlackPOS, which McAfee described as, “far from ‘advanced.’ The BlackPOS malware family is an ‘off-the-shelf’ exploit kit for sale that can easily be modified and redistributed with little programming skill or knowledge of malware functionality,” the report said.
In short, all the attackers needed was criminal intent and a safe place to work, which is provided by the so-called “Dark Web.” As Security Week put it, “cybercriminals are settling into a comfortable place in the ‘Dark Web’ where they test, refine and distribute malware for online thievery.”
Vincent Weafer, senior vice president for McAfee Labs, said in a statement that the attacks "represent a coming of age for both Cybercrime-as-a-Service and the 'Dark Web' overall,” which allows criminals to operate as easily as any other legitimate online business.
Indeed, experts agree that there is little hope that law enforcement can disrupt criminals on the Dark Web in any major way. Even the highly publicized shutdown last October of the online narcotics black market Silk Road came after it had been operating for two and a half years. And that was, by the FBI’s own admission, because the alleged administrator of Silk Road, Ross William Ulbricht, made a “simple mistake.”
The bust didn’t do much to curb the market either. A month later, Silk Road 2.0 made its debut, with a similar line of illegal products.
In an interview last December, IDTheftSecurity CEO Robert Siciliano said the Dark Web is, “exponentially larger than what everyday consumers have access to. The tools to search and navigate via Tor (The Onion Router) are getting better every day.”
Raj Samani, EMEA CTO at McAfee agreed, saying that a combination of better tools and better service means that it no longer takes special skills to get into the business. The attacks, “are enabled through cybercrime-as-a-service. In other words the ability to outsource products, tools and services to enable a cyberattack means the number of persons capable of conducting an attack is increasing,” he said.
Ironically, Tor was “originally designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory … for the primary purpose of protecting government communications,” according to the Tor Project website.
It is favored by privacy advocates, who point to a number of legitimate uses: journalists can communicate anonymously with whistleblowers and dissidents; employees of non-governmental organizations (NGOs) can connect to their home website from abroad without alerting the host government to their activities; corporations use it to keep sensitive information away from competitors; and it is generally seen as a way to protect domestic online civil liberties from government surveillance.
But, as has been widely reported – increasingly in mainstream media as well as the IT trade press – it is a haven for criminals.
While Tor, “piggybacks over the same Internet as everybody else, it has its own little secret handshakes and requires end-to-end encryption to each site,” said Kevin McAleavey, a malware expert and cofounder of the KNOS Project.
He said there have been a few attempts to index Tor sites, “but by and large they change with the wind direction. The really dodgy ones probably change their onion URLs multiple times per day.”
McAleavey noted that Tor has been around for more than a decade (the first version was announced in 2002), but the scale of the criminal activity has spiked. “The only thing that's changed since 2006 – even the malware has barely changed – is that there's big money in hitting big places, so the kids are better financed now,” he said. “The criminals are willing to pay far bigger rewards for zero-day attacks than the software companies. It's free enterprise – pure supply and demand financing.”
Still, while the McAfee report described the illicit activities on the Dark Web as “healthy and growing,” enterprises are not entirely defenseless. Mario de Boer, research director, Security and Risk Management Strategies at Gartner for Technical Professionals, offered three recommendations.
Enterprises should not, “overspend on new technologies without understanding their efficacy and before optimizing their current security controls. Next, assess risks that are not addressed by your current technology stack. Then, balance additional protection with deeper monitoring capabilities and incident response,” he said.
Samani said organizations have to move beyond the traditional approaches to capturing malware. “There are multiple ways that organizations can defend themselves – whitelisting, sandboxing, etc.,” he said. “So the innovation within the security industry is equally healthy and growing.”
McAleavey said the notion that the Dark Web is, “some immutable, impenetrable wall of doom … is nonsense. Tor connections are suspicious to authorities simply because of the ports used and the encryption standing out like a lighthouse in the middle of the Pacific,” he said.
But he agrees it is far more difficult to track down criminals using it, “because of the randomness, anonymity and most of all, the encryption.”
To do that, he said, requires HUMINT (Human Intelligence). “It's just a matter of wasting a lot of time hanging out where the criminals or the Lulzboat people and ‘carders’ (people buying and selling credit card information) do.”
Beyond that, he said an enterprise’s anti-virus (AV) software should be able to monitor all attempts at incoming and outgoing connections. “If it ain't on the list of known and safe, then don't let it communicate. How hard a concept is that?”
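The default-deny egress control McAleavey describes, and the port-based hint he mentions earlier, can be shown concretely. The following is an added example written for this page; it is not code from McAfee, the KNOS Project or the article's author. The log format, process names, addresses and allowlist are constructed for illustration, and the set of Tor default ports (ORPort 9001, DirPort 9030, SOCKS 9050 and 9150) is an assumption about typical configurations, not a reliable signature, since relays can be configured to listen on 443.

```python
"""Default-deny egress allowlist evaluated over outbound connection records.

Added example illustrating "if it isn't on the list of known and safe, don't
let it communicate". Not code from McAfee, KNOS or the article. All log
lines, processes, addresses and allowlist entries below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample log: timestamp, process, direction, destination ip:port.
SAMPLE_LOG = """\
2014-03-01T10:00:01 proc=pos_agent.exe dir=out dst=10.0.5.20:8443
2014-03-01T10:00:02 proc=outlook.exe dir=out dst=203.0.113.10:443
2014-03-01T10:00:03 proc=svchost.exe dir=out dst=198.51.100.7:9001
2014-03-01T10:00:04 proc=pos_agent.exe dir=out dst=198.51.100.9:443
2014-03-01T10:00:05 proc=explorer.exe dir=out dst=192.0.2.33:9050
"""

# Allowlist: process -> list of (destination network, port).
# Anything not listed here is denied, whatever it is.
ALLOWLIST = {
    "pos_agent.exe": [("10.0.5.0/24", 8443)],   # constructed: internal POS backend
    "outlook.exe": [("203.0.113.0/24", 443)],   # constructed: mail provider range
}

# Ports Tor listens on by default (assumption for this example: a relay may
# also be configured on 443, so a miss here proves nothing about Tor).
TOR_DEFAULT_PORTS = {9001, 9030, 9050, 9150}


@dataclass(frozen=True)
class Verdict:
    process: str
    dst_ip: str
    dst_port: int
    allowed: bool
    reason: str


def parse_line(line):
    """Split one 'key=value' log line into (process, dst_ip, dst_port)."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    ip, port = fields["dst"].rsplit(":", 1)
    return fields["proc"], ip, int(port)


def evaluate(process, dst_ip, dst_port, allowlist=ALLOWLIST):
    """Allow only (process, network, port) tuples on the allowlist; deny the rest."""
    addr = ip_address(dst_ip)
    for net, port in allowlist.get(process, []):
        if addr in ip_network(net) and port == dst_port:
            return Verdict(process, dst_ip, dst_port, True, "allowlisted")
    # Default deny. Add a hint when the port matches a Tor default so an
    # analyst can prioritise the record, but the verdict does not depend on it.
    reason = "not on allowlist"
    if dst_port in TOR_DEFAULT_PORTS:
        reason += " (Tor default port)"
    return Verdict(process, dst_ip, dst_port, False, reason)


def evaluate_log(text, allowlist=ALLOWLIST):
    """Return a Verdict for every non-empty line of the log text."""
    return [
        evaluate(*parse_line(line), allowlist=allowlist)
        for line in text.splitlines()
        if line.strip()
    ]


if __name__ == "__main__":
    for v in evaluate_log(SAMPLE_LOG):
        action = "ALLOW" if v.allowed else "DENY "
        print(action, v.process, f"{v.dst_ip}:{v.dst_port}", v.reason)
```

Note that the Tor port hint only decorates the reason string: the decision is made by the allowlist alone, so a connection to 443 from an unlisted process is denied just as the one to 9001 is. That is the point of default deny; port-based Tor detection is a triage aid, not the control.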
But he and others agree that it may get worse before it gets better, and that the high-profile breaches at the end of last year may indeed just be the “tip of the iceberg.”
“As long as consumers are able to pay by merely showing a sequence of numbers, and as long as that information is aggregated in POS terminals or, even better, in online transaction systems, these will be attacked,” de Boer said.
“As long as security is a fight between convenience and lockdown, then it's not going to get any better,” McAleavey added. “Especially now with all those abandoned XP machines out there or older. And same goes for those stuck with old versions of OSX that can't be upgraded because the hardware is obsolete.”