Skip to main content

tv   Lectures in History  CSPAN  September 1, 2016 7:04pm-8:01pm EDT

7:04 pm
that was the most important thing to hunter. family was -- was secondary, for sure. >> also this weekend as part of our c-span cities tour, some history of denver, colorado, on american history tv. cindy souders, national fish and wildlife service ranger on the rocky flats nuclear site's transition into a national wildlife refuge. >> so we do have elk that use this area. they use the drainages for calving. we also have mill deer. so there may be some mill deer fawns out here. coyotes are other common mammals. occasionally, there's a bear in this area. >> and then kimberly fields, author of the book "the denver mint, 100 years of gangsters, gold, and ghosts" talked about how the mint changed the city. >> by the 1880s, denver itself had gotten rich from mining. and it wanted to become the queen city of the plains. the center of commerce, the leader in the western united
7:05 pm
states. and the city fathers at that point decided that a mint they could be proud of was going to be part of that process. >> the c-span cities tour of denver, colorado, saturday at noon eastern on c-span2's book tv and sunday afternoon at 2:00 on "american history tv" on c-span3, working with our cable affiliates and visiting cities across the country. now a look at how cyber criminals and hackers operate. an information systems analyst at the rand corporation discusses black markets on the internet, the organization of online criminal networks and the challenges facing law enforcement. this is just under an hour. [ applause ] >> thank you.
7:06 pm
we live in a digital age. our world is becoming more hyper connects, on demand, smart and public. some of our most sensitive personal, financial and health information resides online with companies and entities who are increasingly victims of cyberattacks. by now we're all familiar with the news stories. data breaches have become common place from retail to banking to health care to the government. no sector is immune. and these entities are often victims of cyberattacks, which are increasingly linked to markets where participants can both buy and sell the tools to carry out cyber crime attacks as well as buy and sell the take, the stolen data from those
7:07 pm
attacks. and the stolen data often appears within days on the black market sites. we conducted a study at rand to understand the character and the landscape of these black markets. so today i'm going to give you a lay of the land, a map, if you will, of what these markets look like now, how we got to where we are, and where we're going into the future. a bit on our moth dolling, rand is big on methodology. we interviewed experts with involvement in these black markets from a variety of angles. academics, security researchers, reporters, security vendors and law enforcement personnel. about a quarter of which agreed to speak to us only on condition of anonymity. we also researched the literature, the reports out there. and because i'm a hands on keyboard type of a person, i
7:08 pm
like to touch the data that i'm examining, i went into some of these forums. if you're interested at the end, i have screen shots in my backups and i'd be more than happy to show you some of them. one thing that became clear as we started to do the research is although there are people, each of these people is an expert in their do main, it was only one piece of the market, no comprehensive understanding. there were people who knew a lot about the markets where things are bought and sold on twitter or folks extremely knowledgeable about what chinese hackers were doing. others who knew about the vulnerabilities or the sale of bot anytimes. but no one had the comprehensive overview. understanding these are black markets so things are going to try to be hidden from us. to make sure we're on the same page in terms of terminology, when we say cyber crime markets,
7:09 pm
we mean the collection of skilled, unskilled, suppliers, vendors, potential buyers for goods and services to facilitate digitally based crimes. and digitally based crimes are things like stealing e commerce accounts, theft of intellectual property, blueprints or marketing plans as well as takedowns of sites. spoiler alert. what we found is that these markets for cyber crime tools and stolen data were rapidly growing, maturing and continuously innovating, full of increasingly sophisticated people, products and methods for communicating and conducting business transactions. resilient to takedowns by law enforcement and constantly adapting to security vendors and security events personnel. it's truly a cat and mouse game. and easy for almost anyone to get involved in, at least at the
7:10 pm
most basic level. this is a pretty sobering fact of the world that we live in. how did we get here? well, we can think about the growth of these markets, like the growth of a small city. to going back in time, ten to 15 years ago, cyber crime or hacking consisted of ad hoc networks of individuals largely motivated by ego and notoriety. they wanted to show off to their friends. they wanted to have a resume boost. they wanted to prove to themselves and their friends that they could do this kind of thing. this is the age of the lone wolf hacker. as time went on, as more digital native and technologically savvy individuals entered the world, as more computing components got connected, more people recognized the opportunity that
7:11 pm
there was by hacking for financial profit, especially criminal enterprises recognized the low risk for potential high reward. such motivation shifted from ego and notoriety to making money and financial gain. today we can liken these market to a thriving metropolis, where there are methods for conducting business transactions, specialized roles. and often cyber crime is solely connected with sophisticated traditional crime organizations. let me pause here and just note that we're talking about cyber crime and cyber criminals. this is only one type of cyber threat actors. there are many different types of cyber threat actors. we generally break it down into four groups, cyber criminals,
7:12 pm
state sponsored members, cyber terrorists which we can debate whether or not they exist and hackivist. here i'm just talking about cyber criminals. and if everyone -- if anyone has watched the abc show "shark tank" and you know mr. wonderful, all he cares about is making money. well all cyber criminals care about is making money. my impression could be better, i know. so we're just talking about people who care about making money. this's different cyber threat actors out there. what do the markets look like? we broke them down into four different components, participants, business conduits, products an pricing. i'm going to go through each one of those. but in addition to looking at the four different components, we also wanted to compare these markets to traditional markets to look at the economics of them and to see how mature these cyber crime black markets were.
7:13 pm
so we came up with five elements of maturity and i'm tick through them now. and as i go through the different components keep these in the back of your mind. the first is sophistication where the markets change and adapt to the current needs. next is resilience where external events do not affect the markets and if they do the markets bounce back. they can be man made or nonman made events. a man made event for example may be the arrest of the alleged creator of silk road, which is a black market website where there was illicit drugs and bond sold. a nonman made event, a natural event might be a tsunami in the world where a lot of hackers operate out of. accessibility, where there's low barrier to entry and it's easy for almost anyone to get involved. this is true at the most basic levels of these markets.
7:14 pm
reliability where people and products are what they say they are and do what they say they do. this is actually quite surprising for us. there truly is honor among thieves. you will get what you pay for and you will kind of be dealing with who you think you're going to be dealing with. you might get a little extra feature along with what you pay for but for the most part you're going to get what you pay for. and then finally specialization where there are distinct and customized roles, places for communicating and conducting business transactions as well as ways to communicate. so now on to these four different components. we'll start with participants and we'll stick with this theme of cyber crime markets being like a thriving metropolis. so participants, it's like any other corporate organization. they're all kind of connected in some way and there's
7:15 pm
hierarchies. up at the top are the administrators of forums as well as the subject matter experts. folks who might be skilled in one particular thing, like writing exploit kits or making or breaking crip to, crip top fi or encryption, setting up infrastructure or vetting participants. in the middle realm are the vendors, buyers, intermediaries, the general membership. if you or i were to participate in these markets, this is where we would find ourselves. ultimately there needs to be a cashout. it doesn't do us good if we're holding on to a bunch of stolen data if we can't make money. and this is where the mules come into play. these are folks that essentially turn the stolen data into cash or into money that can be used for financial gain. reputation matters a great deal in these markets.
7:16 pm
and one gets reputation by proving oneself to others, getting vetted by members who are good stand in the community. it's really like if you go to ebay or amazon or paypal or any of these places, these ecommerce accounts where you to rate the buyer and the buyer rates you and there's a number of thumbs-up or a number of stars, you get rated reviews. same thing with these markets where you want to have the highest numb boar of thumbs-up or stars or ratings and if you don't have that, then people won't buy and sell from you. you want to have a good reputation. but these are black markets and there are people called rippers who don't provide the goods and services they say they will. because a forum administrator wants everyone to come to their site and buy from their vendors, if someone gets reported as a
7:17 pm
vendor, they get reported and kicked out quickly. one common ripper scheme is to provide or say that you'll provide say 100 credit cards and so you'll give away ten for free and then if someone pays them money, they'll get the money from someone and then they'll ask duds, closed out by the bank, the bank accounts have been emptied by someone else or they've been sold to someone else. if that kind of ripper gets found out, they'll get kicked off. so this is a world economy and different groups tend to focus on different areas. so for example, there were reports of hackers in vietnam who focus on e commerce accounts. and it's believed that a majority of hackers tend to focus on attacking financial institutions. many believe that those in china who are hackers are focused on
7:18 pm
the theft of intellectual property. one of the interesting things that we heard from one of the experts that we spoke to was that groups that would traditionally never work together are working together now. so a couple of examples, vietnamese and nigerians were working tot on an ecommerce fraud. it's not just the nigerian prince scam. there's another story of columbians setting up villages to operate out of. there are other groups that go after other things as well. are you wondering about the u.s. participants? well ten years ago the majority of participants were from russia. fast forward to twro2013, and russians were no longer in the top third of participants. number one was ukraine, number
7:19 pm
two was china and number three with 19% of market participants was the u.s. there's a lot of u.s. pride maybe we'll go for the gold and go for number one pretty soon here. our second component, our business conduits. how do people community and conduct their business. well there's multiple access tiers and different channels for communicating. things like online stores, something akin to an ebay or an amazon, bulletin board style web forums where you can post information and post queries, e-mails, instant messages communication to allow for private one-on-one communications or open chat channels. some of these are easy to find. you can easy by google for them. others are hidden on the deep web or dark nets and either you to figure out the access, figure out the site to go to or you actually have to get vetted in so you'll have to be a member in
7:20 pm
good standing with good reputation in order to get access into some of these sites or these channels. any computer lit rate person can get involved in these. there are tools to teach you how to become a malicious attacker and cyber criminal. we saw google videos on how to buy and sale credit cards. i watched a youtube video on how to use e plait kids. i'm waiting on a yelp on which sites are the best to go to. so while english is the universal language of our commerce, it's not necessarily the universal language of this commerce. most of the sites tend to be in russian or ukrainian. there are certainly other language specific websites or websites in all different
7:21 pm
languages. all of that said, the majority of fishing, spear fishing and spam campaigns are done in english because the majority of victims know that particular language or are familiar with that language. something interesting about a lot of the sites being in russian or ukrainian, a piece of advice that i got from a researcher that i spoke to about this was if i wanted to go into some of the sites to be really careful about how i communicated because being a nonnative russian speaker, they can tell that right away and basically kick you off or not want to do any business with you. not that i was doing any business but if i wanted to communicate. and and interesting thing he brought up was google translate is really poor for translating into russian. but there are a couple of other sites that might be a little better. there's some hints of how to better communicate with cyber criminals on these different sites. i can tell you when we're not
7:22 pm
filming what those translation sites were. so now the third component are products which are goods and services which facilitate the entire life cycle of an attack. let me pause here. i gave this talk once and someone came up to me afterwards and say, you know, lily, all of your stick figures were men and i wanted to remember the lady hackers in the room. so goods and services they facilitate the full life cycle of attack, everything from initial attack tools, payloads and parts and features of the payloads, might be a piece of malware or something to make the malware change shape so it won't be caught by anti-virus system. services to enable the attack. support tools, for example setting up infrastructure or breaking crypto or caption.
7:23 pm
and consideration of what to do with the goods, the cyber laundering if you will when once you receive the goods at home. now i mentioned that any computer lit rate person can get involved but that's a lie. any computer illiterate person can get involved. all you need is cash to pay someone. you can hire a hacker to do whatever you would want. there are also -- we're seeing trends with more creative offerings with more capabilities. so there's more use of things going over vpns being harder to find, trends to use more of the dark nets tour which is one of the dark nets is very popular, as well as a shift towards other types of dark nets. and vendors can guarantee their product life span or value. so for example, they can guarantee that a particular piece of malware is good for ten
7:24 pm
hours before detection from an anti-virus entity or anti-virus system. or they can guarantee the amount of account balance of a credit card. they can also track what you're doing with their product. so remember how i said products will do what they say they do and people are what they say they are and then some. this is kind of that example where vendors might, for example, sell you the capability to have a bot that infects 1,000 machines. and if you steal data, they can steal the data to. if you find a way to infect 10,000 machines they can detect that as well and they're demand more money or ask you to tailor it back to the original thousand machines. it seems that vendors prefer to go below the noise and prefer
7:25 pm
for someone to be infecting less or what they paid for rather than getting more money. pricing ranges wildly depending on hardness of target, freshness of data, if it's do it yourself or as a service. a few examples, hack into e-mails accounts ranging from $16 to a couple hundred dollars. credit cards can go for pennies or up to a couple hundred dollars. and that really ranging on freshness of data. that's a big component. so, for example, after target got breached, the data that went on to the black markets, some credit cards were worth about $145. but now that the data has become steal and likely the cards have been shut down or no longer valid, they're on sale for pennies on the dollar. another difference for credit cards could be a european versus
7:26 pm
a u.s. -- or a nonu.s. versus a u.s. credit card. less so now but especially in the past when nonu.s. card were chip and pin whereas u.s. credit cards were signature and pin. chip and p.i.n. are worth a lot more because they're thought to be more secure. and exploit kits range if you're renting before the week, the month or the year or buying it outright. in terms of payment, typically anonymous crip to currencies or digitally based currencies like bitcoin are preferred for making transactions. that was a little overview of what the markets look like. where are we going in the future and what does that mean? well, there are more digital natives and technologically savvy individuals in the world. in the words of one of the folks that we spoke to, when it comes to hacking, it's like little league. everyone starts out early and
7:27 pm
spends a lot of time doing it. on the one hand this is good if you're a hacker and you want to decide to be a white hat hacker and do good. on the other hand it means there could be more digitally savvy, technologically savvy folk who are cyber criminals. with insulin pumps now enabled with bluetooth, pacemakers that have a network component, fridges, light bulbs, front door locks that can be controlled with a smartphone and vehicles that essentially computers on a set of wheels, more of the world has a digital component. by the year 2020 the number of connected devices will outnumber the number of connected people by a ratio of 6 to 1. that means that there will be six devices communicating and connecting with each other for every one person connecting or communicating with a device. and actually that statistic i've been using for a couple of years
7:28 pm
and it's crazy that we're in the middle of 2016. so 2020 is not that far away. so with more of the world with a digital component, we can expect there are more attack paths or the attack landscape for the cyber criminal to go after expands greatly. therefore enabling more crime to have a digital component. this means that there will be more successes as well as challenges for law enforcement. and when this happens, we tend to hear about it. there tend to be media stories about how, for example, the owner of silk road got taken down and arrested, or some other operation, which is exciting for us to read about, but it also means that participants in the markets learn how law enforcement are conducting their investigations and so they adapt their tactics and their techniques. similarly, people who were previously unaware of these
7:29 pm
black markets and all of the wonderful things that it could afford them are now away and they might want to jump in and participate. so really what we're seeing is the ability to attack is outpacing the ability to defend. where do we go from here? if we think about what we can do kind of in our world as it is, as individuals we can certainly redouble or online security efforts, things like making sure that when we're entering our personal or financial information it's on a site that we are reasonably sure is secure. we can be more aware of spear fishes or phishing campaigns. the use of password managers is real big. the combination of a user name and password is worth more on the black markets than a credit card because that password, it's
7:30 pm
often thought that password reuse is so common that sure you might not care about your instagram password but maybe that or a version of that with an explanation or a one on it is what you use for your financial institution which would reap great rewards. we can also patch immediately. and what i mean by that is upgrading or updating your systems or your computers. so for example, if you're on your computer and you get an alert from microsoft that patches or updates are available, that means that they've found some sort of vulnerability that malicious actors could use to get on your system and they have a patch for it that that's no longer an open hole. companies certainly can do more. things like employ saferer
7:31 pm
passwords. if you're not familiar with fult tack tore awe then occasion, that means you have multiple things that you can authenticate. when i log into gmail i not only have my password but i get a number texed to my cell phone, i have that number as well as the password and those are two factors i use to authenticate myself. companies should also encrypt data at rest and in transit, mandate security awareness training for all employees, enact a patch management process for all devices and tighten access controls. interestingly enough, we did a follow up research after this study -- this study was looking at the landscape of the attackers. we looked at what do the defenders do and how the defenders, how they view the cybersecurity landscape. for that we interviewed chief information security officers at a number of international companies and we found that they
7:32 pm
cared more about their reputation than anything else. they cared more than any ahack had occurred rather than what the actual data was that was taken. we also found there was no comprehensive understanding of how to conduct a risk assessment and there were other issues where we really felt that the defenders were in dilemma. it's what we named our report. but i think all of these things are kind of no duhs in the security world. things we probably already know and shouldn't necessarily be surprising, especially if you're an information security official. how can we shift t. all companies, organizations an governments should, rather than slapping on a band aid or bolting on security after an incident has occurred, really
7:33 pm
think about baking it in from the start. this might mean a rehaul of infrastructure and designing the infrastructure from the ground up. it also means to place liability with responsible parties. right now vendors are not held liable for bad code and this becomes a big deal especially with the internet of things, all of the new connected devices where a crash with that is no longer a crash on your computer or a crash of code, but a crash of a car or something that has a physical component. companies and organizations in governments could consider moving away from a defensive only reactionary position. there is certainly a lot of discussion about hacking back and the legalities of that. but that's something to consider even more. and then we really should consider or assume that we're going to be breached. it's -- the saying is it's not a matter of if, but a matter of when. it's not possible to be 100%
7:34 pm
secure. the best we can do is make it difficult for an attacker in terms of time, resources, personnel and effort that they have to put into it. and then perhaps one could use the black markets to their advantage. from a government perspective, harness these product to protect their own highly sensitive tools. and in thinking about how we actually take down the black markets, one of the main reasons they're so successful is due to confidence. participants are confident that they won't get detected, that there's low attribution. participants are confident that they're going to be able to carry out the attacks and use the tools in a way where they know they're going -- they know how they're going to work. and they're confident that they're going to make money and get away with it. if there's a way to reduce the confidence, that can significantly tarnish the
7:35 pm
reputation and make a dent in these black markets. so with that i'd love to open it up for questions or discussion, be more than happy to show you my screen shots. over to you. [ applause ] >> we'll start back here. >> say for example i don't have tv and i want to watch the dodgers game so i'm streaming the dodgers came. am i the mark or the cyber criminal in that setup? i suppose i mean multiple popups come up, it looks like a shady site but you close down the popups as quickly as you can in order to watch the dodger's game. kershaw is pitching and it's crucial you watch that. what's the type of malware that might be coming after me on those sites and is closing the
7:36 pm
popups enough to protect myself? >> the types of things that can -- no. i think there's still a chance of getting infected no matter how quickly you close down a popup. and the type of stuff that could be running, it actually could be benign malware in which someone wants to use your computing resources or they could be trying to take over different processes on your system. >> lily, we have a question here. >> the market seems to be recognizing that there's a certain level of threat that's tolerated. if you make 100 nld in sales and there's 5% theft, there's a level that merchants are happy because cutting back means only $90 million in sales which is a loss to them. and secondly, if you look at the
7:37 pm
music colder, people are downloading the music which means the price of cds go up. are you a fool for buying a cd or do they actually expect you to be downloading the cd. the market seems to be accepting a certain level of theft open bidding that into their processes and revenue stream. how do the companies justify what they're doing and how do they crack down under that scenario? >> that's absolutely true that companies seem to be okay with a level of fraud or a level of theft. unfortunately it's not necessarily clear that that trickles down to us as the consumer. so take target, or take, i don't know, any data breach. it might go on to the bank that has to deal with the kind of
7:38 pm
fraud. but then there are higher transaction fees that us as the consumer gets. we actually just finished a study examining consumer attitudes toward data breaches and towards the companies who they received notifications from. and this is exactly what we found. consumers are forgetful that breaches happen, they're forgiving of companies and they really don't see a lot of inconvenience to themselves. so consumer, we as consumers don't seem to be up in arms that data breaches are happening. companies are putting the pain on consumers without us really noticing it a lot. so there really isn't a lot of incentive or a lot of -- yeah, i guess incentive for us to make -- for the world to make big changes. just a couple of statistics because they're in my head.
7:39 pm
consumers actually after a breach occurred after they were notified of a breach, they found that 77% of consumers were highly satisfied with how companies responded. only 11% reported that they stopped doing business with the company. and we found that in the past year, a quarter of americans had received data breach notificati notification. 64 million americans received a breach notification in the last year. over half of those received two notifications. we're getting notified of being breached more and more. discount opm out of that. and consumers can kind of continue to do business as normal and forgive the companies. >> office of -- >> opm is office of personnel management. right. >> hi, lily. okay. so you talked about how efficient these markets are becoming, how advanced they are
7:40 pm
and especially one key word is how resilient they are, even though there's a lot of effort to try to shut them down by law enforcement. so what can business, and especially government and critical infrastructure learn from building systems from these markets and these actors? what takeaways can we learn noshd to build more resilient systems in the private and government sectors? >> i think there's two aspects of resilience here. governments and critical infrastructure organization should definitely be more resilient in the sense that we should have backup systems, redundant server, should be the normal security things like encryption. and things like that will help to prevent ransom ware attacks and we can talk about that in a second. what i mean by resilience of the markets is that even if an
7:41 pm
individual site or individual tool developer gets taken down or arrested, they're not necessarily resilient but the market is in the sense that there's this market share available once something has been taken down for everyone else to take over. so it's not necessarily a lesson -- the analogy would be once a big company gets taken down that there would be other companies to take other that market share or other companies to take over the critical infrastructure rather than actually going back up. so actually in 2013 the biggest exploit kit developer was arrested and he had, i don't know, 60% of the market share or something huge. he got arrested and all of the sudden it's not as though exploit kits were not available. but the hundreds of others of exploit kits jumped on that market share and made themselves
7:42 pm
available. it's simply that the market was resilient, that anyone could get an exploit kit if they really wanted. an unsatisfying answer. i apologize. >> we have a question here. >> okay. >> hi. so when you attend defcon you'll walk in the vendor room and everybody is like we have zero day, which in hacker speak is a day too late, as we know, because it's already happened. that's the preday. and when we ask all of these companies who are building these boxes and these defenses and all of that, you say, well this is great, you got everything that's already out there but what are you doing to create anything new? do you have your program heres working on or developing -- in the military we call it a red
7:43 pm
zone event, do you have anybody acting like a terrorist or a bad guy to build new technologies to get ahead of zero day. negative one day would be a good idea. and every single one of these companies from the tiniest guy to all of the big guys who have the latest in technology that they charge hundreds of thousands of dollars for their box because it's the best say no. so how can you use this information or encourage these people to kind of, you know, wake up and start to apply these kinds of measures? you're giving them the data? when is that overcome? and is it just an institutional mediocrity or is it just nobody cares or is it the value proposition? >> people definitely care. i mean so -- one of the things we noted is it's a cat and mouse game. as soon as there's a defense created, a new counter measure or a new measure by defenders were attackers have a counter
7:44 pm
measure or they figure out a way to get around it. it's a constant back and forth. and i think vendors or cybersecurity vendors are at a loss because they have to -- defenders in general have to try to protect every single hole or every vulnerability where attackers only have to be right once. they have to figure out how to get around a mitigation or endoesn'ter once. i think the computer vendors really care about it. of course if you go in the halls at the conferences, it's beautiful marketing fluff. there's not always a lot of substance. and one of the unfortunate things is that a lot of times tools for defensive measures are kind of a lemon market. it's all about how well you can sell it and there's not a lot of metrics or reliability measures that they can go up against. in fact, you know, ma calf fi and semantic aren't thought to
7:45 pm
be the very best anti-virus systems but they happen to fin out with their marketing. what are companies doing these days? a big shift is toward behavioral analytics on machine learning. there's a lot of people trying to throw math behind figuring out different types of malware. so malware can be -- can shift -- it can have a lot of different forms. so if you have a signature trying to detect one piece of malware, if it's just looking for that particular signature of that malware and that malware changes, then it can go past it. well there are companies trying to figure out what are the fundamental characteristics of a piece of malware so even if you don't have a signature you can understand the behavior and characteristics and stop the malware. although how much of that is true mathematics and how much of it is good algorithms or
7:46 pm
marketing fluff. but more than anything it's a cat and mouse game where you're going to go back and forth. we're going to go back and forth until the end of time. >> i have a question here. >> so given the pessimistic view that this is just going to be this ongoing cat and mouse game, i'm wondering about, okay, in that case, how do individuals, especially as their digital identities are number one brking bigger and bigger parts of our lives, number two, becoming more consolidated, google and youtube integrating, for example. it's almost to me that there's a digital monopoly. if that's the case and the hacking game is going to keep going on and on, what can individuals do? can they be incentivized to take different measures, use different passwords across different sites. people don't cothat but there's good reason to and it's almost
7:47 pm
as if they feel like a large part of their identity is so out of their hands that anything they do, they're just helpless to do anything long term preventive about it. >> sure. well, for most aspects of people's lives, functionality trumps security. and until security is as big of a deal as functionality, we're likely going to have the same mind-set of password reuse. it's a mind-set change and perhaps with everything getting connected, there may be a culture shift there, or perhaps because everyone is so used to everything being online there won't be. in terms of all of our information being out there, there may be a shift in the concept of hiding is no longer not being online or rather hide in the noise. what that actually looks like is up for debate but there can be
7:48 pm
shifts of how we think about the same things like hiding or keeping our information private. yes. oh, wait for the microphonemicr >> here we are. >> thank you for that. i have a question for you. so you said that your -- during your introduction my understanding is that you have quite a bit of experience in social engineering. a lot of the stuff that you're discussing in your presentation have a lot to do with the more technical aspects. can you please tell us more about the trends that you see in the social hacking space? >> sure. so absolutely. two of the most -- two of the biggest things that make us vulnerable are software vulnerabilities but also the human element. more people are connected, whether or not they want to be, whether or not they're aware of it. in 2014 five out of every six
7:49 pm
companies had been attacked with a spear phishing attack. spear phishing is on the rise -- social engineering is essentially using the human element to convince someone to do something that they don't necessarily know that they should or should not be doing. things like giving your their password or giving technical information away, or convincing them to do something for you like click on a link or plug in the thumb drive or something to that effect. i think all of that? general is on the increase. people are more active online and so it's easy to think about phishing or spear phishing or influencing humans. i'd be happy to show my screenshots too if anyone is interested in that. >> can i ask, is there a sense of the size of these markets,
7:50 pm
like total size, how many people are employed? how does it rank with other illicit markets? >> that is a great question. and in the course of our research that was one question we asked almost every asked almost every single person there is no concrete answer. and answers ranged from over, it's similar to the size of a small country to i have no idea to an example of one of the bigger hacking forms or carding forums where credit cards were sold that got taken down over ten years ago had 70 to 80,000 people registered on it. one of the reasons it is difficult sits so tied or connected with traditional crime. so separating cybercrime from traditional crime for elicit drugs or ilyse it is activity is really difficult. getting the size is a question we really wanted to know but couldn't get. >> we'll have one final question and we'll let lilly show some of
7:51 pm
the screen shots. >> lilly, in 1960s, '70s, '80s, '90s, we had police officers that patrolled the streets. they did foot beats. they might have even been in our high schools. they were kind of everywhere the crime was. i'm wondering in your research, since you have spoken to law enforcement, i'm assuming extensively, when we look at the amounts of calls for service, whether it was my car has been stolen, somebody broke into my house, i'm being raped, in those years, versus the number of calls for service today of my credit card has been stolen, my identity has been stolen, i've been hacked, et cetera, how do you -- are there any statistics that provide any evidence that law enforcement has responded in any measurable way to understanding their responsibility in this space? because it seems that if you knock on the door of the lapd or
7:52 pm
l.a. county sheriff or nypd or d.c. metro, the number of police officers that we might call cybercops seems to be a very, very small number compared to a tremendously large number of victims. >> so i can't speak for the fbi or law enforcement, but i do though there certainly are growing organizations of people who focus on cybercrime. and so there is certainly people in all realms of law enforcement who care about cybercrime, who are trying to respond to cybercrime attacks. i think one of the difficult things is the scale of cybercrime compared to the scale of traditional crime is vastly different. and so trying to respond to all the digitally based crimes, especially when tracking down who actually did it can be difficult, or what actually is happening or what is still happening can be difficult. and so law enforcement certainly
7:53 pm
is available to respond to hacks and breaches. what we're seeing is an increase in vendors, commercial companies who have taken on kind of a symbiotic relationship with law enforcement where law enforcement can only go so far in a sense of perhaps there is only so much they can say about an attack because there might be sensitive pieces of information or they need to go to respond to other victims. but now commercial companies can take over and start to help the remediation process or incident response or forensics on a particular breach. so i think law enforcement certainly is getting better and getting more involved. they certainly have had their challenges in the sense that traditionally they're not -- there haven't been as many digital natives in the ranks. but they're certainly getting better and getting more involved. all right. a few screen shots.
7:54 pm
so here is an example of a shop. and a couple of things. so basically you can click and point and drag into your shopping cart. here you can see there is u.s. versus european credit cards. and there is a difference in price. these are bitcoins. also down in the bottom there is paypal. some of those are verified. some of those are unverified accounts. here is an example of another store where they're semi-ing different kinds of ecommerce accounts. they really want to make surer that you know they have 80% guaranteed so they're reliable. and also, one of the reasons why it's difficult to find these types of sites is that a lot of them are what's called the tor hidden service. so they are websites that end
7:55 pm
in.onion, which tor stands for the onion router. it's a way to essentially an nonmize who you are and where you're going on the deep web. for this, another kind of example of that dot onion address. you can see it's a bunch of garble digook. there is a search on the dark web, but it's not that good. here is an example of different kinds of paypal accounts with different account balances for different bitcoins. this one they really are proud of the fact that their valid rates are 98%. so you definitely should shop at cc4all. here is an example of a bulletin board style web forum where you can get information.
7:56 pm
things like hack ebooks, guide to making money where. is the best place to get counterfeit usd. from stolen paypal to bank account. how? we have a site. this is one of the russian sites i went to. and you can see there is a protected forum. this is where i didn't have enough reputation points in order to get me access into this forum there is other information that you can get here. and then finally, this isn't as a service site. this is where you can rent a hacker. and he has many -- or she has -- he has many of his skills. i would love to say she. perhaps it's a she has many of the skills that you can hire. thank you so much for your time. [ applause ] for campaign 2016, c-span continues on the road to the white house. >> i will be a president for
7:57 pm
democrats, republicans, and independents. >> we're going win with education. we're going win with the second amendment. we're going to win. >> ahead, live coverage of the presidential and vice presidential debates on c-span. the c-span radio app, and c-span.org. monday, september 26th is the first presidential debate, live from hofstra university in new york. then on tuesday, october 4th, vice presidential candidates governor mike pence and senator tim kaine debate at longwood university in farmville, virginia. and on sunday, october 9th, washington university in st. louis hosts the second presidential debate. leading up to the third and final debate between hillary clinton and donald trump. taking place at the university of nevada las vegas on october 19th. live coverage of the presidential and vice presidential debates on c-span. listen live on the free c-span radio app. or watch live or any time on demand at c-span.org.
7:58 pm
this weekend, c-span cities tour, along with our comcast cable partners will explore the literary life and history of denver, colorado. on book tv, we visit the tattered cover bookstore, founded in 1971. it's considered the cornerstone of literary culture of denver. >> if you look at tattered cover, you'll see in the store green carpets and sometimes brass fixtures and the dark wood. the original barnes & noble superstores were modelled on. this. >> and author juan thompson talks about living with his father, journalist hunter s. thompson in his book "stories i tell myself." >> he was born in 1936. so when he is growing up, he didn't grow up in an era when fathers were, you know, typically heavily involved with raising the kids. so that was part of it. second, writing was always -- that was the most important thing. family was secondary for sure.
7:59 pm
>> also this weekend as part of our c-span cities tour, some history of denver, colorado on american history tv. cindy souters, national fish and wildlife ranger on the rocky flats nuclear site transition into a national wildlife refuge. >> so we do have elk that use this area. they use the drainages for calving. we also have mule deer. so there may be some mule deer farms out here. coyotes are other common mammals. occasionally there is a bear in this area. >> and then kimberly field, author of the book "the denver mint: 100 years of gangsters, gold, and ghosts" talks about how the mint changed the city. >> by the 1880s, denver itself had gotten rich from mining. and it wanted to become the queen city of the plains, the center of commerce, the leader in the western united states.
8:00 pm
and the city fathers at that point decided that a mint they could be proud of was going to be part of that process. >> the c-span cities tour of denver, colorado, saturday at 9:00 eastern on c-span2's book tv. and sunday afternoon at 2:00 on american history tv on c-span3. working with our cable affiliates and visiting cities across the country. u.s. air force academy professor chuck steele teaches a class on the role of sea power during world war i. he talks about the state of the british grand fleet and the activity of german submarines prior to the u.s. entering the war. he also argues that the actions of u.s. admiral william simms helped keep the allied naval forces united. his class just over 50 minutes.

42 Views

info Stream Only

Uploaded by TV Archive on