The Future of High Tech Crime

Download Report

Transcript The Future of High Tech Crime 

The Future of
High Tech Crime
CJUS 453 - Dr. William Tafoya
Governor State University
Cynthia Hetherington, MLS
Overview
• Past
• Present
• Future
The Past
• Tri-corder = Palm Pilots
• Communications Badge = GPS Location
+ Cell Phone
• Multi Quadrant Communications
Channels = Internet
– “Secure Channel LT.” Capt. J. T. Kirk
• Multimedia viewing = Video Phones
• More?
The Present
• Pros vs. Cons
• Fruitcakes
Pros vs. Cons
• The Pro’fessors
– Gene Spafford
• Purdue CERIAS (Center for Education and
Research in Information Assurance and
Security)
– Dorothy Denning
• Computer Science at Georgetown University
(Cryptography & Information Warfare)
Pros vs. Cons
• The Pro’fessionals
– Donn Parker
• Automated Crime
– Fred Cohen
• Cyberforensics
– Dan Farmer
• Satan
– Phil Zimmerman
• PGP
Pros vs. Cons
• The Pro’tectors
– Winn Schwartau
• Infowar was not falling
– High Tech Crime Investigation Association
– Cybercops
– Robert Steele and other defectors
CONS
•
•
•
•
•
•
Disgruntled Employees
Malicious Crackers
Ethical Hackers
Newbies
Terrorists
Criminals
Cons & Contacts
•
•
•
•
•
•
•
Kevin Mitnick - www.freekevin.com
http://www.defcon.org/
http://www.zdnet.com/zdtv/cybercrime/
http://www.lopht.com/
http://www.hackernews.com/
http://www.astalavista.box.sk
http://www.antionline.com
Cons…. Who is a hacker?
• An informal idea:
– A talented and persistent individual with a
knowledge of computer systems.
– A system administrator or programmer.
– A nuisance or genius.
– Wannabe
– Not all deviant computer users are hackers, not all
hackers are deviant.
– A GOOD hacker talks about code, not dress code.
Some Famous Hackers
• Bill Cheswick, Bell Labs
– Firewalls and Fixes
• http://www.wavelet.org/cm/cs/who/ches/index.html
• Cult of the Dead Cow
– Back Orifice and BO2K
• Lopht and Mudge
– Lopht’s tools, Antisniff
• More.. http://www.antionline.com/features/WhoRU/
The Future
• Information Security Magazine,
November 1999
• That pain in the neck librarian
requesting information.
BILL CHESWICK
•
•
•
•
More denial of service attacks.
Worse viruses that spread further.
Attacks on the Internet infrastructure
Infowar will be:
– Real
– Noticeable
– Soon
– Especially during wars and military police actions.
• Smart criminals will continue to remain almost uncatchable on the net, hidden by anonymity.
• People will realize the Internet isn’t as reliable as
their telephone service.
A. PADGETT PETERSON
• The increasing population of telecommuters leads to
further social and cultural polarization. Attempts by
cities to attract affluent residents will fail. Likeminded people will tend to cluster in self-sufficient
residences.
• Technological anarchy is exacerbated by the
continuing lack of skilled security professionals.
Salaries lag behind until demand reaches a critical
stage.
BRUCE SCHNEIER
• As systems get more complex and
interconnected, security will get worse.
• Unless manufacturers are held liable for
security failures, security will get worse.
• In the short term, the best course of action
for enterprises is to outsource security to
companies that have the expertise to
understand the systems being secured.
WILLIAM H. MURRAY
• The end of PC-based computing and the
emergence of appliance-based, networkcentric computing are in sight.
• We will not secure the ’Net by patching UNIX.
We will have to add structure and use strongauthentication and end-to-end encryption.
E. EUGENE SCHULTZ
• Denial-of-service attacks will escalate in
comparison to other types of attacks,
resulting in several widespread incidents.
• Intrusion detection will become more
sophisticated. Incident response methods
that are less reliant on human intervention
will emerge.
HARRY DeMAIO
• "Set and forget" integrated security suites will
remain more desire than fact.
• Telecommuting for some portion of the
workweek will be normal for most information
workers, resulting in longer work weeks.
• Reliable and wider-band wireless
communication will take "telecomputing" to a
higher level of mobility, making strong, easyto-use authentication a critical factor.
SARAH GORDON
• Advances will include an increasingly large
selection of network-aware viruses.
• There will be a sharp increase in the
prevalence of worms.
• Without significant changes in antivirus
protection, a virus will bring down large
portions of cyberspace without warning.
PETER TIPPETT
•
•
•
•
•
•
Designed-in security isn’t…
Best practices aren’t…
Firewalls don’t…
1024-bit crypto won’t…
Antivirus never was…
Risk analysis almost never is…
ALAN PALLER
• Virtual private networks will offer a new
feature that requires minimum acceptable
security before allowing a new user to
connect—and the check will be completely
automated.
• Some corporations will refuse to do business
with suppliers that do not demonstrate they
have achieved minimum acceptable levels of
security.
DONN B. PARKER
• Those who abuse and misuse information will
continue to benefit from our inept information
security folk art unless we achieve a new and
complete information security business and
engineering discipline.
• Complete and perfect automated crimes
packaged in single computer programs will be
the next challenge we must defeat using
completely automated security.
CHARLES CRESSON WOOD
• Security Officers will be called upon to act as
traffic cops and mediators, and to make
sense of what is quickly becoming an
information-overloaded workplace.
• Job titles will change to reflect significantly
higher-level management positions.
• Salaries will increase at least 20 percent in
the next year to attract more high-caliber
people to the field.
RUSS COOPER
• As their connection to the ’Net becomes more
threatened than the deadbolt on their front
doors, consumers will demand action.
• If consumers were to demand greater
security, together with more realistic software
licenses, vendors would, inevitably, supply
this demand by providing what consumers
want.
FRED COHEN
• Digital forensics will adopt a marketing model
to gather more in-depth criminal evidence.
• Massive data collection and analysis
capabilities will become available to law
enforcement to combat cybercrime.
• In the cyber-realm, individual privacy rights
will whither and die on the vine.
• Same ol’ crimes, new venue.
WINN SCHWARTAU
• The United Nations will examine cyberwar issues as a
distinct aspect of the international law of war, preemption and escalation.
• Frustrated by the inability and unwillingness of law
enforcement to protect them, companies will strike
back at online attackers, and will be prosecuted by
an aspiring U.S. attorney for their actions. Congress
will rewrite the laws so that companies can protect
themselves.
IRA WINKLER
• Industry and government will continue to under fund
their administration staffs. As a result, both will
continue to suffer very preventable losses.
• There will be some very noticeable and preventable
attacks against key government systems.
• Government efforts to obtain voluntary industry
cooperation in securing the infrastructure will fail.
• Insurance companies will establish computer security
requirements.
• Computer security budgets will eventually increase.
PETER NEUMANN
• Commercial developments will continue to be very
slow in providing truly robust systems and networks
in the face of realistic adversities.
• Systems will continue to fall apart on their own,
without attacks. In addition, willful misuse will
accelerate, including seriously malicious activities.
• Moreover, in the absence of that massive Y2K hype, it
is likely that there would have been serious disasters.
DOROTHY DENNING
• The administration will open up exports to all forms
of encryption software, including source code and
toolkits, of unlimited key sizes and with or without
key recovery.
• Although most encryption products will be exportable
everywhere other than to the seven countries that
support terrorism, the export regime will not be
eliminated. Products will still need to undergo a onetime technical review. Business will still be required
to report exports.
• Americans will remain free to use any encryption of
their choice.
LANCE HOFFMAN
• The market for personal information will grow, as
half-a-million people or more sell their personal
information to marketers.
• Armed with your personal data, new portal tools will
be able to seamlessly integrate details about your life
and habits.
• Two-thirds of computer users will choose utility and
ease-of-use over security, but a vocal minority will
complain, forcing Web sites to slim down their data
requirements.
RICHARD THIEME
• Fully computerized homes will be as
hackable as Web sites.
• With the network always "on," there will
no way to unplug.
• Embedded systems, such as spoken
languages, will become filters for
primary experience.
JOHN GILMORE
• Every light bulb, stereo and parking meter
will be on the ’Net.
• Programmers will need to design code for at
least 10 million simultaneous connections.
• Neither manual administration, nor rebuilding
infrastructure later, will save us if we default
to lousy encryption now.
EUGENE SPAFFORD
• As network perimeters disappear, security will
become more and more focused on hosts.
• Computer crime will explode, as theft of
proprietary data, sabotage of competitors and
attacks against law enforcement systems
become major problems.
• Consumers and end-users will take more
responsibility for host security, while security
practitioners will become more specialized.
Pro’tectors Speak
• From Australia - We are going to have a
better generation of hackers and crackers.
• From US - The future of high tech crime is in
the movement of traditional organized crime
syndicates to use this medium.
• “Weaker" organizations (third world countries,
terrorist cells) using the computer and
Internet to gain power.
Pro’tectors Speak
• Financial crimes will rise significantly.
• Traditional crimes(i.e..Narcotics) will benefit
from strong keyless encryption.
• Denial of Service attacks will be used
routinely for corporate espionage.
• Employee damage will increase as computer
literacy increases.
• Voice over IP without adequate encryption
will be a nightmare.
Law Enforcement’s Future
• Local L.E. will have to take a far greater role.
Federal LE can not handle the problem nor
should they be considered the primary
contact. Some type of structure needs to be
created to allow local and state agencies to
investigate cases easier that cross state lines.
LE must change it's hiring practices and
recruit computer science majors.
Common Sense Approach
• The lack of loyalty displayed in the workplace is going
to cripple the integrity of internal security measures
over the next 5 years.
• CI analysts are finding it easier to interview new
hires.
• Deja.com!
• Shortages create desperate hiring practices.
• It is easy to break in, but terribly difficult to protect.
Cyber-Futuristic
• All that is needed to create the product is
the desire.
• An intelligent individual has no boundaries
to create whatever they wish.
• Use your imagination. There will be virtual
crime, on another dimension. There will be
“persona defenses.”
• Think ahead.
Summary
• Legislation will need a major overhaul in
order to meet the speed and flexibility of
digital crimes. Jurisdiction needs definition.
• Cybercops need money and support.
• System Administrations need money and
support.
• Software vendors need to be held
responsible.
• Hiring practices need drastic improvement.
Questions?