
Tuesday, May 29, 2012

New malware invokes label "cyber weapon"

A report from the BBC News online technology section ( http://www.bbc.com/news/technology-18238326 ) highlighted the discovery by Kaspersky Lab of new malware called 'Flame', said to be a highly complex virus.

Of particular interest to me was the following taxonomy of attackers set out in the comments of Kaspersky's chief malware expert Vitaly Kamluk: "Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states."

Back in 1998 I ran a series of reports published in FEN (Forensic Expert News) into Smart Card Hacking, which was before the successful 1998 attack on GSM SIM Cards ( http://trewmte.blogspot.co.uk/2007/08/cloning-gsm-sim-card-report.html ).

In the FEN Report Part 1 (images of original below) I referred to the following taxonomy of attackers with reference to its source:

"One of the few recent articles that discuss the subject describes the design of the current range of IBM products and proposes the following taxonomy of attackers [ADD+91]:

" Class I (clever outsiders):
They are often very intelligent but may have insufficient knowledge of the system. They may have access to only moderately sophisticated equipment. They often try to take advantage of an existing weakness in the system, rather than try to create one.
 
" Class II (knowledgeable insiders):
They have substantial specialised technical education and experience. They have varying degrees of understanding of parts of the system but potential access to most of it. They often have highly sophisticated tools and instruments for analysis.
 
" Class III (funded organisations):
They are able to assemble teams of specialists with related and complementary skills backed by great funding resources. They are capable of in-depth analysis of the system, designing sophisticated attacks, and using the most advanced analysis tools. They may use Class II adversaries as part of the attack team."

[ADD+91] DG Abraham, GM Dolan, GP Double, JV Stevens, "Transaction Security System", IBM Systems Journal, vol. 30, no. 2 (1991), pp. 206-229

I thought I would comment on this taxonomy of attackers, first published in 1991, so that researchers can have traceability back to information that tends to get airbrushed from history in the course of re-inventing newly labelled threats.
  
Background material
A copy of FEN Index ref: UPD 5/1-Vol1-FEN98 is available upon request (trewmte@gmail.com).
Previous discussions about Cybercrime:
http://trewmte.blogspot.co.uk/2011/10/cybercrime-really-its-ict-crime-by-any.html
http://trewmte.blogspot.co.uk/2011/09/cybercrime-procedures-deterrent-and.html
http://trewmte.blogspot.co.uk/2011/08/research-critiques-of-author.html
http://trewmte.blogspot.co.uk/2010/11/cyberbullying-report.html
http://trewmte.blogspot.co.uk/2010/10/cyber-what.html

Sunday, September 11, 2011

Cybercrime: procedures, deterrent and investigation

The title 'cybercrime', as in the Convention on Cybercrime, is not new and has had numerous airings going back to the late 1990s and early 2000s. It largely languished there, though, until it became the economic follow-up to the war on terrorism, given that there has been a significant shift towards electronic attacks, or at least a growing perception of the potential for crimes to be committed using technology.

Cybercrime isn't actually a qualification in itself of the 'actual crime' that has been or is about to be perpetrated. Rather, on the one hand, it provides a global statement under which prevention, deterrent and investigation can be defined for crimes where technology is or can be used as a conduit for a criminal or terrorist event. The technologies that are perceived to be relevant and 'usable' for cybercrime are set out in:

Proposal for a COUNCIL FRAMEWORK DECISION on attacks against information systems

Article 2
Definitions
For the purposes of this Framework Decision, the following definitions shall apply:
(a) "Electronic communications network" means transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable TV networks, irrespective of the type of information conveyed

So this represents a broad range of identified technologies (whether used in natural sciences or man-made systems) that are recognised avenues for 'cybercrime' procedures, deterrent and investigation. Furthermore, and on the other hand, cybercrime equally requires the 'type' of crime (substantive or inchoate) to be identified that has operated, or could operate, 'through' a single technology or a combination of technologies. For instance:

- a virus that is inserted into the electronic communication messages sent via Broadband over Power Lines (BPL) and that takes down or attempts to take down a power station, causing a blackout, might be indicted in criminal law under a range of headings, e.g. criminal damage, economic damage, computer misuse, terrorism etc.
- a message misrepresenting a genuine individual that allows funds to be removed from the individual's account using the wireless network may be indicted in criminal proceedings as a fraud etc.

In the UK, legislation covers crimes such as 'abstraction of electricity', 'obtaining a telecommunication service with the intention of avoiding payment', 'computer misuse', 'unlawful interception' etc. To re-write all the relevant Statutes to identify crimes like these and others as 'cybercrime' would not seem practical at all. Cybercrime, then, may well be best described for use as a 'global title' to identify a state of 'events' generated through the use of various technologies.

The International Telecommunication Union (ITU) recognises the need for cybercrime procedures, deterrent and investigation and has published two highly informative draft guides of the kind one would expect from such an experienced and authoritative organisation:

D010B0000073301PDFE.pdf

ITU toolkit cybercrime legislation.pdf

As these documents are drafts, it is clear that evolving documents will continue to refine and define 'cybercrime', but they may remain unable to avoid identifying the actual technologies used in a crime. One possible consequence of this is that forensic examiners and experts in their specific fields will continue to provide their services, but an adjustment to a report or opinion may be required, e.g. one that starts with:

"Cybercrime Report/Opinion: The use of X-technology in such and such an alleged crime...."

Tuesday, October 19, 2010

Cyber What?

We had a short discussion recently about "cyber" labels and their meanings. The wave that has been engulfing society for the last decade, driven by Psychology "with everything" NNNOOOOWWWW!!!! and the use of the 'label-ism' phenomenon to influence us that we need/must have/do something, is now causing much confusion.

Cybering was discussed, done and dusted, in the late 1990s and early 2000s, so cybering has not just occurred as a new phenomenon. Label-ism, in the case of cybering, isn't helping its cause either when cyber threats to the UK or the World (for that matter) are announced with publicly stated mistakes in the use of definitions. It won't help the security services to do their job - protect the Realm - if society doesn't understand what the heck is being discussed. There must be a drive from top Government (David Cameron top table people) to make a substantive effort to clarify label-ism when publicly discussing threats we are led to believe are imminent.

Discussing cyber definitions with Simon "Si" Biles, the security specialist at Thinking-Security dot com, he offered these descriptions assigned to their labels identifying possible security threats that might be engineered from within cyber space:

"There seems to have been a general mixing of the terms : cyber-warfare, cyber-terrorism & cyber-crime : the news, as is oft the way with things they don't/can't/won't understand, interchanges them without consideration.

"cyber-crime is no better or worse than it has ever been, phishing, cracking etc. are much the same as always - there are highs and lows, but nothing particularly extreme. Of course these figures are always exaggerated by the number of crimes that are committed that have a computer used in their research/planning/execution - but this isn't cyber-crime any more than stealing a knife is "knife crime".

"cyber-terrorism, to take the traditional use of the word "terrorism" ( or arguably "freedom fighting" depending on where you are standing ) is the "guerrilla warfare" of the computer world - denial of service, defacements etc. For example the "Anonymous" attacks on the Copyright crowd. Where this "terrorism" impacts on the general public is few and far between - a denial of service against a particularly greedy bank might impact on a few, but in real terms, this doesn't, and is unlikely to, create problems on the scale or magnitude of a traditional terrorist attack. And again, this has been going on, much of a muchness for some time - highs and lows - usually associated with world events - but predominantly from individuals or insignificant groups.

"cyber-warfare is a bit different, and, really hasn't been seen except in Georgia - and even then, although that was suspected to be from Russia, that was never really proved - it could as well have been from a reasonable size hacker group just stretching in a country where there was little chance of prosecution or repercussion. I guess what Greg is suggesting above is probably the worst case scenario where the internet is compromised in some way that means that businesses can't communicate funds transfers - e.g. PoS - in reality though, as "the internet" is built on a wide variety of technologies ( from many and varied manufacturers ) and is designed to be resilient in the case of nuclear war ( or not ... http://en.wikipedia.org/wiki/Arpanet#The_ARPANET_under_nuclear_attack ) the chances of "taking out the internet" for a given country are fairly limited in a cyber-warfare scenario. In fact you'd stand a better chance of taking out the internet in the UK with some more traditional arson against certain backbone sites ...

"It is this, final, threat that is both having its bandwagon jumped on and is being blown out of proportion. Like most things - it's exciting, so it gets a lot of press - you are more likely to be burgled, have your car stolen, be involved in a hit & run or have your pocket picked than you are to be a victim of cyber-crime. Even Identity Theft ( which is portrayed as cyber-crime ) is considerably easier to achieve through a dust-bin sift than a computer. Cyber-terrorism? I'd be delighted to sell "cyber-terrorism" insurance to anyone who wants it!"

The term 'Cyber' has been discussed above in the context of the types of threat that could be generated using it. The discussion above does not rule out, or suggest otherwise, that cyber is or could be put to good use too.