4/30/2014
10:55 AM

European Police Seek Cybercrime Triage

Many organized cybercrime gangs operate beyond European and US borders -- and beyond European and US jurisdiction -- which makes eradicating online crime impossible.


Should European cybercrime investigators triage more cybercrime cases and pursue fewer low-level cases while devoting greater resources to taking down the biggest organized crime gangs?

That suggestion was voiced in the opening keynote presentation delivered at this week's Infosecurity Europe conference in London by Troels Oerting, head of the European Cybercrime Centre (EC3) and assistant director for the operations department at Europol, which is the EU's law enforcement agency.

Troels Oerting, head of the European Cybercrime Centre and assistant director for operations at Europol

"We might also have to say no to some cases, like we do with bicycle theft," said Oerting. "There might be some cases that police do not prioritize, simply because we prioritize where the greatest harm is."

As anyone who's ever been the victim of bicycle theft knows, the police hardly launch an investigation every time someone files a complaint. But Oerting suggested that, with the quantity and severity of online attacks increasing, cybercrime cops should more purposefully allocate their scarce policing resources for maximum effect. Still, with so much online crime being -- by its very definition -- borderless, and increasingly disguised via anonymizing networks, would resource reallocation really take a big bite out of crime?

"Criminals can attack anyone, anytime, anywhere," said Oerting. "I'm getting gray hairs, because most of the criminal activity is being done via the darknet... which not even the NSA can penetrate."


According to Europol, Europe loses about €1.3 billion annually to credit card fraud alone.

Furthermore, online attacks against European targets continue to rise. According to a report issued this week by security firm FireEye, based on the 40,000 unique attacks and 22 million pieces of malware command-and-control communications the company saw at customers' sites in 2013, the four most malware-targeted European countries were Great Britain, Switzerland, Germany, and France -- accounting for 71% of all infected European systems.

Meanwhile, the advanced persistent threat (APT) attacks seen by FireEye primarily targeted Germany and the United Kingdom, with federal government agencies, energy firms, and financial services businesses the primary targets in what is typically a long-running operation. "Each APT event is an element in a long-term campaign against an organization in an industry -- try, try, try," said Simon Mullis, European systems integration technical lead at FireEye, in an interview at Infosecurity Europe. "You want to be careful, because when the APTs stop, they're already in."

According to data released earlier this month by Mandiant's FireEye, the average breach goes undetected for 229 days -- if it gets detected at all. In 67% of cases where breaches were detected, it was thanks to a third party, such as the FBI or Europol.

Europol's Oerting said his organization has been helping the 28 EU member countries bolster their information security investigation capabilities. "We've built up a heavy forensic capability to help the member states by assisting them in evidence-gathering."

Might better tools help, too? While acknowledging discussions in Britain, where elements of the coalition government would like to distance the country politically from the EU, Oerting lauded the EU for helping countries work together, not least when it comes to combatting crime and making related research and development funds available. "The EU has allotted €80 billion for research and development, and I intend to grab some of this money in order to ask the 28 member states: What types of tools do you need? Then we use the money, and give the tools back to the member states."

Then again, the origin of so many of today's online attacks won't be tough to trace. "My department works with Russian language speakers in about 75% to 80% of all our cases," Oerting said. But one long-standing challenge is that neither Russia nor Ukraine, which many security experts see as the biggest safe havens for criminals who launch online attacks, has an extradition treaty with either Europe or the United States.

It's still tough for European or US police to catch criminals whom foreign governments won't extradite. In computer crime cases involving Russian-language speakers, for example, Europol sometimes shares case information with its Russian counterparts and hopes local police follow it up. "Or we do it in the good old-fashioned police way -- we wait until they leave, and then we capture them," Oerting said.

But trying to arrest cybercriminals goes only so far. "We will not prosecute our way out of cybercrime," Lee Miles, deputy head of the UK National Cyber Crime Unit, which is part of the country's recently formed National Crime Agency, said Wednesday at an Infosecurity Europe panel discussion. "Many of the issues are jurisdictional," he noted, referring to the difficulty of prosecuting people in countries such as Russia. "Many of them are the sheer volume and anonymity, and many are the low-level individual crimes that don't really rise into organized criminality."

Accordingly, given limited time and resources, don't expect police to be able to pursue -- or prosecute -- every criminal who targets people online.


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comments

Robert McDougal, 5/1/2014 | 10:15:59 AM
The problem is too big.
In my opinion, the issue of investigating and prosecuting cybercriminals shouldn't fall completely on the government. The problem itself is far too large for law enforcement to handle on its own. Corporations should take ownership of this problem as well.

For example, corporations should have the minimum responsibility of securing their networks. Many corporations leave their networks poorly defended, which makes it extremely easy for attackers to infiltrate. To use an analogy, this would be like leaving your corporate building unlocked without security guards or cameras and then being surprised that someone robbed you blind.

This shouldn't fall completely on governments as the problem itself is exacerbated by poor security practices by corporations.