Is someone who uses the Internet or network to destroy or damage computers for political reasons?

Understanding the People on the Scene

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

Political Motives

Politically motivated cybercriminals include members of extremist and radical groups at both ends of the political spectrum who use the Internet to spread propaganda, attack the Web sites and networks of their political enemies, steal money to fund their militant activities, or plan and coordinate their “real-world” crimes. Examples include:

The 1996 case in which “hacktivists” infiltrated the U.S. DOJ through its Web site, deleted the DOJ's Web files, and replaced them with their own pages protesting the recently passed Communications Decency Act

The rash of Web site defacements that included the message “Free Kevin” (in reference to Kevin Mitnick, who was arrested for computer crimes) in 1998

The “cyberwars” between U.S. and Chinese hackers in summer 2000, following international disputes over the landing of a U.S. spy plane in China

The use of botnets (which we'll discuss in Chapter 10) in 2007, which Russian hackers used to orchestrate DoS attacks against Estonian commercial and government sites

Cybercriminals with political motivations range from relatively benign hackers who just want to make a political statement, to organized terrorist groups such as Hezbollah, Hamas, and Al-Qaeda. Cyberterrorism refers to using the Internet and computer skills to disrupt or shut down the critical infrastructure and government services of a country. Although no such large-scale attacks have thus far been implemented, security experts warn that such attacks are or will be within the capabilities of some terrorist organizations and could pose a huge threat to government and business operations.

The politically motivated cybercriminal usually devotes a good deal of time to his or her cause and often (though by no means always) has a prior criminal record for offenses such as criminal trespass, rioting, and similar activities. True terrorists are especially dangerous because they are willing to die for their cause. They also often have large networks of likeminded people they can call on to help them carry out their missions and to hide them from law enforcement.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492768000030

Cybercrime

John Sammons, Michael Cross, in The Basics of Cyber Safety, 2017

What Is a Cybercriminal?

A cybercriminal is a person who conducts some form of illegal activity using computers or other digital technology such as the Internet. The criminal may use computer expertise, knowledge of human behavior, and a variety of tools and services to achieve his or her goal. The kinds of crimes a cybercriminal may be involved in can include hacking, identity theft, online scams and fraud, creating and disseminating malware, or attacks on computer systems and sites. The core factor of what makes a crime a cybercrime is that it’s directed at a computer or other devices and/or these technologies are used to commit the crime.

Cybercrime is prevalent because the Internet has become a major part of people’s lives. In 2014, the FBI’s Internet Crime Complaint Center (IC3) reported they received 269,422 complaints from people with an adjusted dollar loss of $800,492,073 (Internet Crime Complaint Center, 2014). These numbers of course only reflect reported crimes, and not the numerous others who fall victim but never report it because they’re too embarrassed or for other reasons.

How Criminals Choose Their Targets

The way that cybercriminals choose a target depends on their motivation. As we’ll see later in this chapter, hackers will attack systems for a wide variety of reasons, ranging from altruistic intentions, personal glory, revenge, espionage, and/or financial gain. As we’ll see in this chapter, the major reasons online crimes are committed are for money, sex, or power.

Cybercriminals often don’t choose a particular person. The victim may be selected because they responded to an ad or email, or came in contact with the criminal through some other means. Perhaps you chatted with the wrong person, visited a site and inadvertently downloaded malware, or crossed the path of the criminal in some other way. In this scenario they didn’t choose you personally, and didn’t care if it was you or someone else who’d be the victim.

Criminals are drawn to where their targets are. If a pedophile wants to meet a child, it makes sense that he or she would be drawn to a site that caters to children. Similarly, if you wanted to get people’s credit card numbers, you might hack a site where people enter that information. Just as you or your children are drawn to a site for a particular service or functionality, a cybercriminal will follow because it has the data or people they’re looking for.

In some cases, a target is selected for very specific reasons. If you had a past relationship with someone, they might upload inappropriate pictures to a site. They may stalk you online, bully you, or threaten or coerce you in some way. In the same way, a company may be directly targeted because it is an inviting target, or the cybercriminal had a particular ax to grind, such as being a disgruntled employee or seeking revenge for some reason. As you can see from this, a cybercriminal isn’t always the creepy nerd living in a creepy apartment that’s often depicted in TV and movies. They very well may be someone you know and would never expect.


URL: https://www.sciencedirect.com/science/article/pii/B978012416650900005X

Some Things Will Become Easier, Others Not So Much

Brett Shavers, in Placing the Suspect Behind the Keyboard, 2013

The suspect will make it easier

For basic computer use, cybercriminals use computers just like everyone else. Passwords are still written down and taped to the bottom of the keyboard, by everyday computer users and cybercriminals alike, as seen in Figure 9.5. Weak passwords are used for logins, and communicating online is conducted as if no one will ever read the chats or comments made on social networking websites. Cybercriminals will still continue to brag about their crimes in online public forums and chats as if immune to detection.


Figure 9.5. Commonly used methods by all computer users are used by cybercriminals, such as writing passwords for reminders.

Cybercriminals also back up their systems, using the same programs that everyone else uses. Some cybercriminals are unaware of the evidence they create as they commit crimes, such as illegally accessing a network from their home computer and IP address. Harassing emails and text messages are sent and deleted without a thought of investigators tracing each email and message.

Basic human nature has always helped investigators in all criminal investigations, not just cybercrime investigations. In many cases, breaks in an investigation are solely due to a mistake or laziness on the part of the cybercriminal, which most likely will never change. These mistakes by cybercriminals turn a seemingly impossible case into an easy, open-and-shut case.


URL: https://www.sciencedirect.com/science/article/pii/B9781597499859000095

Execution

Will Gragido, ... Daniel Molina, in Blackhatonomics, 2013

Identifying the Target Audience

Assuming that the cybercriminal has identified the market and produced, procured, and packaged his or her goods and/or services, the cybercriminal then takes steps to identify the target audience. You may be wondering how this occurs within underground, black market economies. In many respects, target audience identification and acquisition among cybercriminals occurs in ways very similar to those in legitimate business. Amateurs and professionals alike rely on online advertising, but in well-controlled, vetted forums and underground criminal ecosystems. Figure 5.1 is an example of a simple yet effective form of underground forum-driven advertisement. You’ll note that this cybercriminal offers three options. The first option offers prospective clients the following features for $1,000:


Figure 5.1. Ad for ZeuS Binaries in Underground Forum

ZeuS 2.0.8.9 binary

VNC (virtual network connection) remote connectivity tool.

A month’s worth of hosting.

Back connection.

A domain with Web injects.

Three cryptographic packs.

Test installs.

The second option is much less mature and feature rich. This retails for $600 and consists simply of the ZeuS 2.0.8.9 binary sold with default Web injection technology. The third offering this individual is marketing retails for $2,500 and consists of access to Bank of America Automated Transmission Systems (ATSs) available via the ZeuS Trojan or botnet.

This ad, though simple in nature, is effective as it demonstrates a then-current version of the ZeuS Trojan/botnet binaries available in a variety of configurations. It’s important to note that this example was captured in November 2011, more than a year after the now infamous rivalry between the architects of the ZeuS Trojan and the SpyEye Trojan.[1] The significance of this ad lies not entirely in the availability of the binaries, Web injects, or ATSs, but rather, that it appeared approximately a year after the feud began (which, as Brian Krebs noted, is an uncommon affair; rare though not entirely without precedent[2]).

Furthermore, this example also illustrates that the alleged truce and surrender by the original author and steward of ZeuS, Slavik (a.k.a. Monstr), to the SpyEye crew (led by Harderman/Gribodemon) in March 2011 was a ruse. Most malware and botnet researchers believe the alleged surrender was nothing more than a false flag operation initiated to convince the SpyEye authors that their aggressive tactics (the demand for the surrender of the ZeuS source code by Slavik and agreement that he would not pursue another version of the botnet or perpetuate his struggle against them) had worked and that Slavik had in fact conceded defeat. The truth, evidenced by the ad shown in Figure 5.1, suggests otherwise, as we know Slavik released his code for a price, thus ensuring that ZeuS would continue on despite the efforts of a rival organization[3] (this version of ZeuS would also become the base for Ice IX[4]).

Figure 5.2 highlights a number of features that malware authors often advertise within the criminal underground. Some of the features that appeal to cybercriminals include the Bank of America Grabber (for user credential capture) and the CC grabber (useful to cybercriminals who either traffic in such commodities or retain them for their own use and illicit gain). In Figure 5.3, the purveyor[5] of this variant of SpyEye is selling it for a remarkably low price ($150). The ad goes on to demonstrate the latest features associated with this version of the Trojan:


Figure 5.2. SpyEye Version 1.3 Control Panel


Figure 5.3. Ad for SpyEye Version 1.3

Newest software features (associated with this variant):

Admin panel.

Formgrabber panel.

Gate installer.

Back connect.

Collector.

Anti-Rapport (Anti-Thrusteer).

Web injects (USA, UK, Germany, Spain, and PayPal).

Built-in PE Loader.

SpyEye original complete setup manual from the author.

Injection types:

Internet Explorer.

Firefox.

Google Chrome.

Opera.

Plug-ins:

Custom Connector.

Webfakes.

RDP (Remote Desktop, untested).

DDOS.

Block.

Billinghammer.

USB-Spread.

Socks5 Back Connect.

FTP Back Connect.

Bugreport.

CC-Grabber or Creditgrabber.

FFcertificate grabber.

SpySpread.

Three months of free hosting ($15/month thereafter).

The seller goes on to offer his e-mail address and encourages interested potential customers to contact him via MSN for a chat. In Figures 5.1 and 5.3, respectively, you can see that the sellers (suppliers) are keenly aware of what their target audience seeks in an illicit malware package such as the ZeuS Trojan or SpyEye. Figure 5.4 shows another (albeit simple) example of a seller’s understanding of target audience and what drives their decision-making (purchasing) processes. This image was captured in October 2010. Notice the detail the seller provided and the language he used to describe this Trojan/botnet kit:


Figure 5.4. Underground Ad for the ICE IX Botnet

Similar to ZeuS and in fact based on Version 2 of ZeuS.

Core redesigned and enhanced to evade detection and threat mitigation technologies.

Compatible with Internet Explorer and Firefox.

Main functionality:

Key logging.

Form grabbing.

FTP client grabbing.

Windows Mail, Live Mail, and Outlook grabbing.

Socksv5 back connect.

False certificates.

Lateral movement capability.

Support for diverse C2 on an infected host.

Main advantages of the kit:

Tracker protection.

Higher response, longer vitality.

Updates and support.

Customization capabilities.

Design goals:

Tracker evasion.

Higher response.

Increased stealth.

Longer vitality.

In development:

HTTP fakes for Firefox.

Blocking/bypassing of SpyEye.

Dynamic algorithms for encryption.

Pricing:

$600 for version that binds to the host (bot, bot builder).

$1,800 for builder license without limitations.

The ad in Figure 5.4 provides a degree of detail that goes above and beyond the earlier examples; however, it still represents a relatively simple yet effective message crafted to provide crisp examples of feature functionality, efficacy, and cost in addition to value added attributes such as upgrades and support. Examples such as these represent only the tip of the iceberg that exists within cybercriminal underground markets.

Figure 5.5 depicts a slightly more professional-looking front end for an online professional distributed denial of service (DDoS) attack product. The sellers operating this site stress their value proposition (their cost and efficacy) throughout the site. Note the attributes they have cited: their trustworthiness, their efficacy and expedience, the diversity of their offerings (from one hour to one month), and of course, their price point, which by many accounts makes this a rather inexpensive (though not the least expensive) DDoS product available (see Figure 5.6).


Figure 5.5. Example of an Illegal DDoS Service


Figure 5.6. A Robust Russian DDoS Tool, Darkness X


URL: https://www.sciencedirect.com/science/article/pii/B9781597497404000058

Building the Cybercrime Case

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

Level of Jurisdiction

Levels of jurisdiction correspond to the levels of law. Jurisdiction of enforcement agencies and courts can be local (city or county), statewide, federal, or international. Jurisdictional levels can overlap. Most U.S. citizens are familiar with the concept of double jeopardy. Based on the Sixth Amendment to the U.S. Constitution, this principle states that no one can be subject to being tried twice for the same offense. What many people don't understand is that a person can indeed be charged and tried twice for the same act if those charges are brought at different jurisdictional levels. This is what occurred when Sgt. Stacey Koon and other Los Angeles Police Department officers were tried and acquitted at the state level for police brutality in the Rodney King case in the 1990s, and were then tried again and convicted at the federal level. This is not considered to be double jeopardy.

Likewise, a cybercriminal could be charged with unauthorized network access under a state's computer crimes laws and also be charged at the federal level for the same act if the offense involved matters that come under federal jurisdiction (for example, if the computer belongs to a financial institution).

On the Scene

Multijurisdictional Task Forces

One way that enforcement agencies at different jurisdictional levels can cooperate to address special crime problems such as cybercrime is through a multijurisdictional task force. The U.S. Secret Service has assisted agencies by forming these types of task forces composed of members from local, state, and federal law enforcement agencies. The model for this type of task force was the New York Electronic Crimes Task Force (NYECTF) that was located in the World Trade Center in New York City prior to the September 11, 2001 terrorist attack that destroyed the Trade Center buildings.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492768000169

Pawns and Mules

Will Gragido, ... Daniel Molina, in Blackhatonomics, 2013

Avoiding Detection

Today’s sophisticated cybercriminal will avoid being detected at all costs, and will utilize multiple evasion techniques to ensure the target data is successfully moved outside the corporate environment. Here are some examples of typical evasion techniques:

Password-protected compressed/encrypted files: One way to evade a data leakage solution is to password-protect a compressed file, as most DLP vendors will not be able to scan the contents of a file that is PGP-encrypted.

Commonly known open ports and protocols: As we mentioned earlier, there are typically four ports that have to be allowed in order for any business to conduct Internet operations and receive e-mail. These are typically the only digital transportation vehicles out of a network other than printing it out and walking out the front door with it, or placing the information on a USB device.

Applications not supported by corporate policy: Since most corporate environments are not monitoring for the use of TOR, anonymous proxies, Skype, or other Web-based applications, these provide an unwatched channel out of the network.

As you can see, it is very easy for cybercriminals to utilize common applications, ports, and protocols that are legitimate conduits out of a network, but in reality are being used to exfiltrate data. However, with the proper detection capabilities put in place you can actually provide more visibility and awareness of what is exiting your infrastructure.
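The first evasion technique above works because a DLP scanner cannot read inside a password-protected archive or a PGP-encrypted file, but the container itself still leaves a visible mark. The following added example (not from the book) screens an outbound payload for three such marks: a ZIP member whose general-purpose flag bit 0 (encryption) is set, a PGP ASCII-armor header, and a payload whose byte entropy is close to 8 bits per byte, which is what encrypted data looks like. All sample payloads are constructed inline; the encrypted-flag archive is produced by patching the flag bit of a plain archive because Python's zipfile cannot write encrypted entries.

```python
"""Outbound-file screening for the encrypted-container evasion described above."""
import hashlib
import io
import math
import zipfile
from collections import Counter

PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"
ENTROPY_THRESHOLD = 7.2   # bits per byte; encrypted/compressed data sits close to 8.0
MIN_ENTROPY_SAMPLE = 256  # entropy estimates on tiny payloads are noise, skip them


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def encrypted_zip_members(data: bytes) -> list[str]:
    """Names of ZIP members whose general-purpose flag bit 0 (encrypted entry) is set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [zi.filename for zi in zf.infolist() if zi.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []          # not a ZIP container at all


def classify_outbound(data: bytes) -> list[str]:
    """Reasons an outbound payload should be held for review; an empty list means clean."""
    findings = [f"zip-encrypted-member:{name}" for name in encrypted_zip_members(data)]
    if data.lstrip().startswith(PGP_ARMOR):
        findings.append("pgp-armored-message")
    if len(data) >= MIN_ENTROPY_SAMPLE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        findings.append("high-entropy-payload")
    return findings


# --- constructed sample payloads (not real captures) ---

def build_zip(member: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def mark_members_encrypted(zip_bytes: bytes) -> bytes:
    """Set flag bit 0 in every local-file and central-directory header of a plain ZIP.
    A real archiver sets this bit when it writes a password-protected entry; here it is
    patched in only to produce test input, since zipfile cannot write encrypted entries."""
    out = bytearray(zip_bytes)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(signature)
        while pos != -1:
            out[pos + flag_offset] |= 0x01
            pos = out.find(signature, pos + 4)
    return bytes(out)


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 chain has near-8.0 entropy."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


REPORT = b"Quarterly report: nothing unusual to see here.\n" * 10
PLAIN_ZIP = build_zip("report.txt", REPORT)
ENCRYPTED_FLAG_ZIP = mark_members_encrypted(PLAIN_ZIP)
PGP_SAMPLE = PGP_ARMOR + b"\n\nhQEMA3constructedBody==\n-----END PGP MESSAGE-----\n"
OPAQUE_BLOB = pseudo_random_bytes(4096)   # PGP-encrypted file without ASCII armor

if __name__ == "__main__":
    for label, payload in (("plain zip", PLAIN_ZIP), ("encrypted-flag zip", ENCRYPTED_FLAG_ZIP),
                           ("pgp armor", PGP_SAMPLE), ("opaque blob", OPAQUE_BLOB)):
        print(f"{label:20s} -> {classify_outbound(payload) or 'clean'}")
```

The entropy check is the one that catches an encrypted file with no recognisable header, at the cost of also flagging ordinary compressed media, so in practice it is a triage signal rather than a block rule.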


URL: https://www.sciencedirect.com/science/article/pii/B9781597497404000083

Collecting and Preserving Digital Evidence

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

Deleted Files

Many computer users—including cybercriminals—think that when they delete a file, it is erased from the hard disk. Even so-called computer experts have been heard to say on television and radio that once the Windows “trash” has been emptied, the files there are gone from the disk. As we saw in Chapter 7, this simply isn't true. Deleting a file does not remove the contents of the file; it merely removes the pointer to that file from the File Allocation Table (FAT), Master File Table (MFT), or other scheme that the operating system uses to pinpoint the location of a particular file on the disk. Data is stored on the disk in clusters, which are units consisting of a set number of bits. Because parts of a file are not always stored in contiguous clusters on the physical disk, but instead parts of it could be spread across the disk in separate locations, removing the pointer makes it difficult for the file to be reconstructed—but difficult does not equal impossible.

When the file is deleted, the disk location in which it is stored is marked as unallocated space, which means that it is available when new data needs to be written. However, on a large disk it might be a long time before that particular part of the disk is used to write new data. In the meantime, the old data is still there and can be recovered if the investigator has the proper tools.

A brand-new disk is thought of as being “clean,” or completely empty, but in reality it is full of format characters, which are repeated characters that are made by the test machine at the factory. When files and directories are created and saved to disk, they overwrite the format characters. When the files or directories are deleted, the clusters in which they are stored are not reallocated until new data is written there. Formatting the disk does not remove this data. Even if the disk is repartitioned, the data is still there until those clusters are overwritten.

Supposedly erased data can be located in many places on a computer. For example, when a disk is repartitioned, it is possible for data from the previously configured partitions to end up in the space between partitions, called the partition gap. Disk search tools can locate this hidden data, which can then become a potential source of evidence for investigators.
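The mechanism described above, as an added example that is not from the book: a toy cluster-based disk whose allocation table and directory stand in for FAT/MFT bookkeeping (the real on-disk layouts are not modelled). Deleting a file removes only the directory pointer and frees the chain; the clusters keep their bytes, so a signature carve over unallocated space recovers the file until a later write reuses those clusters. The file contents and signatures are constructed.

```python
"""Toy cluster-based disk showing why "deleted" data survives until it is overwritten."""
from dataclasses import dataclass, field
from typing import Optional

CLUSTER_SIZE = 16        # bytes per cluster, tiny so the demo stays readable
FORMAT_FILL = b"\xF6"    # stand-in for the factory "format characters" on a new disk
END_OF_CHAIN = -1        # allocation-table marker for the last cluster of a file


@dataclass
class ToyDisk:
    n_clusters: int
    clusters: list[bytes] = field(init=False)
    table: list[Optional[int]] = field(init=False)  # next cluster, END_OF_CHAIN, or None = free
    directory: dict[str, int] = field(init=False)   # file name -> first cluster (the "pointer")

    def __post_init__(self) -> None:
        self.clusters = [FORMAT_FILL * CLUSTER_SIZE for _ in range(self.n_clusters)]
        self.table = [None] * self.n_clusters
        self.directory = {}

    def unallocated(self) -> list[int]:
        return [i for i, nxt in enumerate(self.table) if nxt is None]

    def write(self, name: str, data: bytes) -> list[int]:
        chunks = [data[i:i + CLUSTER_SIZE] for i in range(0, len(data), CLUSTER_SIZE)] or [b""]
        chain = self.unallocated()[:len(chunks)]   # first free clusters, not necessarily adjacent
        if len(chain) < len(chunks):
            raise OSError("disk full")
        for pos, (c, chunk) in enumerate(zip(chain, chunks)):
            self.clusters[c] = chunk.ljust(CLUSTER_SIZE, b"\x00")
            self.table[c] = chain[pos + 1] if pos + 1 < len(chain) else END_OF_CHAIN
        self.directory[name] = chain[0]
        return chain

    def read(self, name: str) -> bytes:
        c, out = self.directory[name], b""
        while c != END_OF_CHAIN:
            out += self.clusters[c]
            c = self.table[c]
        return out.rstrip(b"\x00")

    def delete(self, name: str) -> None:
        # Only the pointer and the chain bookkeeping go away; cluster contents are untouched.
        c = self.directory.pop(name)
        while c != END_OF_CHAIN:
            nxt = self.table[c]
            self.table[c] = None
            c = nxt


def carve_unallocated(disk: ToyDisk, header: bytes, footer: bytes) -> list[bytes]:
    """Signature carving over unallocated clusters only, as a recovery tool would do it.
    Free clusters are joined in index order, so a fragmented file interleaved with live
    data may come back garbled: difficult, as the text says, but not impossible."""
    raw = b"".join(disk.clusters[i] for i in disk.unallocated())
    found, start = [], raw.find(header)
    while start != -1:
        end = raw.find(footer, start)
        if end == -1:
            break
        found.append(raw[start:end + len(footer)])
        start = raw.find(header, end + len(footer))
    return found


def delete_then_carve() -> tuple[bool, list[bytes], list[bytes]]:
    """Returns (directory entry gone, carved before reuse, carved after reuse)."""
    disk = ToyDisk(n_clusters=8)
    secret = b"<<BEGIN>>account 4242 password hunter2<<END>>"   # constructed, spans 3 clusters
    disk.write("secret.txt", secret)
    disk.write("notes.txt", b"nothing to see")
    disk.delete("secret.txt")
    gone = "secret.txt" not in disk.directory
    before = carve_unallocated(disk, b"<<BEGIN>>", b"<<END>>")
    disk.write("new.txt", b"X" * 40)   # reuses the freed clusters and destroys the old bytes
    after = carve_unallocated(disk, b"<<BEGIN>>", b"<<END>>")
    return gone, before, after


if __name__ == "__main__":
    gone, before, after = delete_then_carve()
    print("directory entry removed:", gone)
    print("carved before reuse:", before)
    print("carved after reuse:", after)
```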


URL: https://www.sciencedirect.com/science/article/pii/B9781597492768000157

The Blockchain Technology for Secure and Smart Applications across Industry Verticals

Shubhani Aggarwal, Neeraj Kumar, in Advances in Computers, 2021

4.3 Cyber security and healthcare IoT

The healthcare system is also a target for cybercriminals, especially when they can lock up the whole database for money exchanges [10]. Data theft is also a severe issue where cybercriminals steal medical data and sell it in the market. In this context, Patientory is a distributed application that builds a blockchain-powered health information exchange which is compliant with the Health Insurance Portability and Accountability Act (HIPAA). It will enhance cybersecurity protocols and electronic medical records interoperability to secure important medical data. The scenario of cyber security and healthcare IoT using blockchain is shown in Fig. 4.


Fig. 4. Healthcare IoT using blockchain.


URL: https://www.sciencedirect.com/science/article/pii/S0065245820300796

The Evolution of Cybercrime

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

The Problem with Mobile Computing

Remember that every point of access on the network creates one more vulnerability. A remote access server provides a point of access, as does a VPN server.

Of course, mobile computing also provides an additional security consideration: the possibility that the entire computer will be stolen. You might think this isn't a security problem if you don't store sensitive information on the portable's hard disk—but what about your VPN or remote access software configuration, which would allow anyone in possession of the computer to connect to the company network? Although a password may be required for network logon, many users set up their systems to “remember” their passwords so that they won't have to take the time to type them in each time they connect, thus defeating the purpose of password security if someone else takes possession of the computer.

Mobile computing presents some special security concerns. User authentication is one of the biggest. Unlike the corporate environment, where there are security guards, surveillance cameras, and fellow employees to physically recognize the presence of suspicious strangers around the computer systems, a user connecting remotely to the network offers no assurance that he or she really is the person whose credentials are being used.

Oh, and there's one more reason cybercriminals love today's powerful, low-cost mobile computers: Now they can take it with them. Lightweight, compact computers are much easier to transport to a “secure” location such as a pay phone, from which a hacker can initiate a hard-to-trace online session, or to take on “drive-by hacking” expeditions to find wireless LANs to which they can connect surreptitiously.

On the Scene

Allowing Individuals to Use Their Own Equipment

Although many companies will provide laptops and other mobile devices to employees, some will take advantage of employees using their own computers and devices to get the job done. Unfortunately, when this is done, there is very little the company can do to enforce security policies on the employee's personally owned computer. From personal experience, a coworker had her laptop stolen, which contained work-related information and provided VPN access to the internal network. The computer wasn't locked down with startup passwords, so anyone who started the machine was able to access information on the machine.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492768000029

Cyber Security Countermeasures to Combat Cyber Terrorism

Lachlan MacKinnon, ... Dimitrios Frangiskatos, in Strategic Intelligence Management, 2013

So, What Is the Difference between Cybercrime and Cyber Terrorism?

The majority of cyber attacks are launched by cybercriminal gangs determined to steal money, credit card information, bank accounts, or personal information. The intent is to make money. A general description of the dark side of the Internet can be found in the paper by Kim et al. (2009). On the other hand, not all hackers are cybercriminals. Many hackers are computer enthusiasts who take pleasure in gaining access to computers and networks just to leave their “calling card.” Defacing a Web site for political motives or simply to gain acclaim among their peers is their objective.

Attack patterns seen in criminal operations differ from incidents involving cyber terrorists. Cybercriminals typically use numerous targets and do not maintain prolonged control over servers, as the risk of detection increases proportionally (Krekel et al., 2012). However, the motives for a cyber attack are to some extent irrelevant. A criminal trying to steal money or a cyber terrorist trying to cause disruption, destruction, or steal secrets (cyber espionage), will both use the same methods. The main difference lies in the purpose of the covertness: the criminal stealing money or information would not want anyone to know what they were doing, to evade capture and prosecution; whereas, cyber espionage tries not to do damage to the attacked system so that information can continue to flow out (Saalbach, 2012).

As described previously, cyber terrorists would have a different agenda and their targets are likely to be a lot less secure. Currently, banks and credit card companies go to a lot of effort to secure customer information, but these are of limited interest to a cyber terrorist. In general, they are looking for softer targets with maximum public impact. The U.S. government is increasingly aware of government-run and -controlled cybergroups originating in China and Russia. It is not too far a step, and would seem to be only a matter of time, for a terrorist group to follow suit.

The main difference between cybercrime and cyber terrorism lies in the objective of the attack. Cybercriminals are predominantly out to make money, while cyber terrorists may have a range of motives and will often seek to have a destructive impact, particularly on critical infrastructure. Cyber terrorists also want to have maximum impact with the greatest stealth. Greengard (2010) identified a range of cyber attack methods that can be deployed by cyber terrorists, including “vandalism, spreading propaganda, gathering classified data, using distributed denial-of-service attacks to shut down systems, destroying equipment, attacking critical infrastructure, and planting malicious software.”

Cyber weapons are software tools used by cyber terrorists. These tools can manipulate computers, intrude into systems, and perform espionage. They are essentially the same as those used by cybercriminals (Saalbach, 2012). There is currently no evidence to suggest that terrorists are using malware or hacking into systems. However, it seems unrealistic to think that they have not identified the potential for doing so. They may even be developing a Stuxnet equivalent (described later in the chapter) for military targets at this time.


URL: https://www.sciencedirect.com/science/article/pii/B978012407191900020X

What is the term for someone who accesses a computer or network illegally?

A hacker is an individual who uses computer, networking or other skills to overcome a technical problem. The term also may refer to anyone who uses their abilities to gain unauthorized access to systems or networks in order to commit crimes.

What attacker accesses a computer illegally but has the intent of destroying data, stealing information, or taking other malicious actions?

Black hat hackers are criminals who break into computer networks with malicious intent. They may also release malware that destroys files, holds computers hostage, or steals passwords, credit card numbers, and other personal information.

What is a software program that destroys or damages processing?

Malware, short for “malicious software,” refers to any intrusive software developed by cybercriminals (often called “hackers”) to steal data and damage or destroy computers and computer systems.

What is any event or action that could cause a loss of or damage to a computer system, network, data and information, or processing capability?

A computer security risk is any event or action that could cause a loss of or damage to computer hardware, software, data, information, or processing capability.