The Future of High Tech Crime
CJUS 453 - Dr. William Tafoya Governor State University Cynthia Hetherington, MLS
Overview
• Past
• Present
• Future
The Past
• Tri-corder = Palm Pilots
• Communications Badge = GPS Location + Cell Phone
• Multi Quadrant Communications Channels = Internet
– "Secure Channel LT." Capt. J. T. Kirk
• Multimedia viewing = Video Phones
• More?
The Present
• Pros vs. Cons
• Fruitcakes
Pros vs. Cons
• The Pro’fessors
– Gene Spafford
• Purdue CERIAS (Center for Education and Research in Information Assurance and Security)
– Dorothy Denning
• Computer Science at Georgetown University (Cryptography & Information Warfare)
Pros vs. Cons
• The Pro’fessionals
– Donn Parker
• Automated Crime
– Fred Cohen
• Cyberforensics
– Dan Farmer
• SATAN
– Phil Zimmermann
• PGP
Pros vs. Cons
• The Pro’tectors
– Winn Schwartau
• Infowar was not falling
– High Tech Crime Investigation Association
– Cybercops
– Robert Steele and other defectors
CONS
• Disgruntled Employees
• Malicious Crackers
• Ethical Hackers
• Newbies
• Terrorists
• Criminals
Cons & Contacts
• Kevin Mitnick - www.freekevin.com
• http://www.defcon.org/
• http://www.zdnet.com/zdtv/cybercrime/
• http://www.lopht.com/
• http://www.hackernews.com/
• http://www.astalavista.box.sk
• http://www.antionline.com
Cons…. Who is a hacker?
• An informal idea:
– A talented and persistent individual with a knowledge of computer systems.
– A system administrator or programmer.
– A nuisance or genius.
– Wannabe
– Not all deviant computer users are hackers, not all hackers are deviant.
– A GOOD hacker talks about code, not dress code.
Some Famous Hackers
• Bill Cheswick, Bell Labs
– Firewalls and Fixes
• http://www.wavelet.org/cm/cs/who/ches/index.html
• Cult of the Dead Cow
– Back Orifice and BO2K
• L0pht and Mudge
– L0pht’s tools, AntiSniff
• More: http://www.antionline.com/features/WhoRU/
The Future
• Information Security Magazine, November 1999
• That pain in the neck librarian requesting information.
BILL CHESWICK
• More denial of service attacks.
• Worse viruses that spread further.
• Attacks on the Internet infrastructure.
• Infowar will be:
– Real
– Noticeable
– Soon
– Especially during wars and military police actions.
• Smart criminals will continue to remain almost uncatchable on the net, hidden by anonymity.
• People will realize the Internet isn’t as reliable as their telephone service.
A. PADGETT PETERSON
• The increasing population of telecommuters leads to further social and cultural polarization. Attempts by cities to attract affluent residents will fail. Like-minded people will tend to cluster in self-sufficient residences.
• Technological anarchy is exacerbated by the continuing lack of skilled security professionals. Salaries lag behind until demand reaches a critical stage.
BRUCE SCHNEIER
• As systems get more complex and interconnected, security will get worse.
• Unless manufacturers are held liable for security failures, security will get worse.
• In the short term, the best course of action for enterprises is to outsource security to companies that have the expertise to understand the systems being secured.
WILLIAM H. MURRAY
• The end of PC-based computing and the emergence of appliance-based, network-centric computing are in sight.
• We will not secure the ’Net by patching UNIX. We will have to add structure and use strong authentication and end-to-end encryption.
E. EUGENE SCHULTZ
• Denial-of-service attacks will escalate in comparison to other types of attacks, resulting in several widespread incidents.
• Intrusion detection will become more sophisticated. Incident response methods that are less reliant on human intervention will emerge.
HARRY DeMAIO
• "Set and forget" integrated security suites will remain more desire than fact.
• Telecommuting for some portion of the workweek will be normal for most information workers, resulting in longer work weeks.
• Reliable and wider-band wireless communication will take "telecomputing" to a higher level of mobility, making strong, easy-to-use authentication a critical factor.
SARAH GORDON
• Advances will include an increasingly large selection of network-aware viruses.
• There will be a sharp increase in the prevalence of worms.
• Without significant changes in antivirus protection, a virus will bring down large portions of cyberspace without warning.
PETER TIPPETT
• Designed-in security isn’t…
• Best practices aren’t…
• Firewalls don’t…
• 1024-bit crypto won’t…
• Antivirus never was…
• Risk analysis almost never is…
ALAN PALLER
• Virtual private networks will offer a new feature that requires minimum acceptable security before allowing a new user to connect—and the check will be completely automated.
• Some corporations will refuse to do business with suppliers that do not demonstrate they have achieved minimum acceptable levels of security.
DONN B. PARKER
• Those who abuse and misuse information will continue to benefit from our inept information security folk art unless we achieve a new and complete information security business and engineering discipline.
• Complete and perfect automated crimes packaged in single computer programs will be the next challenge we must defeat using completely automated security.
CHARLES CRESSON WOOD
• Security Officers will be called upon to act as traffic cops and mediators, and to make sense of what is quickly becoming an information-overloaded workplace.
• Job titles will change to reflect significantly higher-level management positions.
• Salaries will increase at least 20 percent in the next year to attract more high-caliber people to the field.
RUSS COOPER
• As their connection to the ’Net becomes more threatened than the deadbolt on their front doors, consumers will demand action.
• If consumers were to demand greater security, together with more realistic software licenses, vendors would, inevitably, supply this demand by providing what consumers want.
FRED COHEN
• Digital forensics will adopt a marketing model to gather more in-depth criminal evidence.
• Massive data collection and analysis capabilities will become available to law enforcement to combat cybercrime.
• In the cyber-realm, individual privacy rights will wither and die on the vine.
• Same ol’ crimes, new venue.
WINN SCHWARTAU
• The United Nations will examine cyberwar issues as a distinct aspect of the international law of war, preemption and escalation.
• Frustrated by the inability and unwillingness of law enforcement to protect them, companies will strike back at online attackers, and will be prosecuted by an aspiring U.S. attorney for their actions. Congress will rewrite the laws so that companies can protect themselves.
IRA WINKLER
• Industry and government will continue to underfund their administration staffs. As a result, both will continue to suffer very preventable losses.
• There will be some very noticeable and preventable attacks against key government systems.
• Government efforts to obtain voluntary industry cooperation in securing the infrastructure will fail.
• Insurance companies will establish computer security requirements.
• Computer security budgets will eventually increase.
PETER NEUMANN
• Commercial developments will continue to be very slow in providing truly robust systems and networks in the face of realistic adversities.
• Systems will continue to fall apart on their own, without attacks. In addition, willful misuse will accelerate, including seriously malicious activities.
• Moreover, in the absence of that massive Y2K hype, it is likely that there would have been serious disasters.
DOROTHY DENNING
• The administration will open up exports to all forms of encryption software, including source code and toolkits, of unlimited key sizes and with or without key recovery.
• Although most encryption products will be exportable everywhere other than to the seven countries that support terrorism, the export regime will not be eliminated. Products will still need to undergo a one-time technical review. Business will still be required to report exports.
• Americans will remain free to use any encryption of their choice.
LANCE HOFFMAN
• The market for personal information will grow, as half-a-million people or more sell their personal information to marketers.
• Armed with your personal data, new portal tools will be able to seamlessly integrate details about your life and habits.
• Two-thirds of computer users will choose utility and ease-of-use over security, but a vocal minority will complain, forcing Web sites to slim down their data requirements.
RICHARD THIEME
• Fully computerized homes will be as hackable as Web sites.
• With the network always "on," there will be no way to unplug.
• Embedded systems, such as spoken languages, will become filters for primary experience.
JOHN GILMORE
• Every light bulb, stereo and parking meter will be on the ’Net.
• Programmers will need to design code for at least 10 million simultaneous connections.
• Neither manual administration, nor rebuilding infrastructure later, will save us if we default to lousy encryption now.
EUGENE SPAFFORD
• As network perimeters disappear, security will become more and more focused on hosts.
• Computer crime will explode, as theft of proprietary data, sabotage of competitors and attacks against law enforcement systems become major problems.
• Consumers and end-users will take more responsibility for host security, while security practitioners will become more specialized.
Pro’tectors Speak
• From Australia - We are going to have a better generation of hackers and crackers.
• From US - The future of high tech crime is in the movement of traditional organized crime syndicates to use this medium.
• "Weaker" organizations (third world countries, terrorist cells) using the computer and Internet to gain power.
Pro’tectors Speak
• Financial crimes will rise significantly.
• Traditional crimes (i.e., narcotics) will benefit from strong keyless encryption.
• Denial of Service attacks will be used routinely for corporate espionage.
• Employee damage will increase as computer literacy increases.
• Voice over IP without adequate encryption will be a nightmare.
Law Enforcement’s Future
• Local L.E. will have to take a far greater role. Federal LE cannot handle the problem, nor should they be considered the primary contact. Some type of structure needs to be created to allow local and state agencies to more easily investigate cases that cross state lines. LE must change its hiring practices and recruit computer science majors.
Common Sense Approach
• The lack of loyalty displayed in the workplace is going to cripple the integrity of internal security measures over the next 5 years.
• CI analysts are finding it easier to interview new hires.
• Deja.com!
• Shortages create desperate hiring practices.
• It is easy to break in, but terribly difficult to protect.
Cyber-Futuristic
• All that is needed to create the product is the desire.
• An intelligent individual has no boundaries to create whatever they wish.
• Use your imagination. There will be virtual crime, on another dimension. There will be "persona defenses."
• Think ahead.
Summary
• Legislation will need a major overhaul in order to meet the speed and flexibility of digital crimes. Jurisdiction needs definition.
• Cybercops need money and support.
• System administrators need money and support.
• Software vendors need to be held responsible.
• Hiring practices need drastic improvement.
Questions?