I saw this this morning – have a great weekend:
Roger
Starting tomorrow, UNODC has invited participants to an Open-Ended Expert Group on Cybercrime in Vienna. I am really interested in seeing how these discussions will go. If – by any chance – you are there as well, please ping me and we will have a chat.
Otherwise, I will see what I can blog about. But at least it is a great and interesting “get together” of cybercrime experts from the public and private sector!
Roger
I just read this blog post by ESET laboratories: Inside a phishing attack: 35 credit cards in 5 hours.
They analyzed a very poorly designed phishing attack and found that:
- The first access to the site was on January 20 at 10:01 pm (as seen in picture). The latest registered access was on the same date at 15:24 pm. Therefore, the attack actively lasted just over five hours.
- During those hours, 164 people accessed the phishing site, which indicates an average of about 30 people per hour; therefore, there is a potential victim every two minutes.
- Out of the 164 participants, 35 entered valid credit card data, which indicates an effectiveness of 21%: one out of every five people who accessed the web site provided their sensitive data.
This shows that there is still a long way to go with consumer education and technology like phishing filters.
Roger
Often, when governments look into Critical Infrastructure Protection, they start to build a CERT (Computer Emergency Response Team) or a CSIRT (Computer Security and Incident Response Team). The question then always comes up: How do you do that?
ENISA (European Network and Information Security Agency) just published a step-by-step guide on how to do this – something worth considering: Setting-up Guide - A step-by-step approach on how to setup a CSIRT
Roger
It is not really surprising that the criminals will leverage the economy of Cloud Computing for their illegal purposes. In particular, activities that consume a lot of processor power will be moved to the Cloud – like in any other business.
Some time back, there were discussions on how to leverage GPUs to crack passwords: Graphics Cards – The Next Big Thing for Password Cracking? – that was back in 2007. Then in 2009 there were discussions on how to misuse Amazon EC2 to crack passwords: Using Cloud Computing To Crack Passwords – Amazon’s EC2. Now, there are announcements that it will become public knowledge how to use Amazon’s EC2 GPU to combine both – announced at BlackHat DC: Cloud-Based Crypto-Cracking Tool To Be Unleashed At Black Hat DC.
This development cannot be surprising. Crime is a business - illegal but following the same rules as any other business. If somebody is conducting illegal activities on a Cloud infrastructure, I expect every cloud provider to do their best to fight that. But it is close to impossible. Let’s assume you are a mathematician at a University doing crypto research. Part of your job is trying to understand how vulnerable the mathematical models for crypto are and how you can improve them. So, cracking crypto is a legitimate part of your job. Putting such work in the Cloud might make sense. How can you distinguish such use of a Cloud infrastructure from an illegal activity? Even worse: In Amazon EC2, you just rent an infrastructure, without Amazon knowing what is going on in the virtual machine. As a customer of Amazon, I would definitely not want them to look into my VMs – that’s my business.
How can we now make sure that the criminals are not misusing a Cloud infrastructure while still retaining confidentiality? This will be a huge challenge.
Roger