Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/30/2014
12:15 PM
TK Keanini
TK Keanini
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Welcome To My Cyber Security Nightmare

Happy Halloween. Here are three chilling scenarios that will keep even the most hardened infosec warrior awake all night.

This past year, we have seen some pretty scary stuff happen in cyber security. Since Halloween is almost here, I thought I would share some scenarios that keep me up at night. These are attacks that we are not ready to battle -- and are well beyond the horrific headlines we read on a daily basis. If you enjoy a good fright, read on.

Legions of citizen botnet armies
Most of the resources cyber criminals use to carry out their objectives are acquired through some method that results in compromised computers on the Internet. These resources remain available until the user or organization detects and remediates the incident. But what if the user participated willingly? Instead of bad guys having to compromise hosts, what if they instead cut other people such as corporate insiders in on the profits? Given crypto currency, the TOR network, and a few other factors, this could be a nightmare scenario, as we are not ready for this type of surge in distributed attacks.

The recruitment for this could be something like the "work from home" signs you see around your town. The work could be as easy as downloading and installing a package and could earn the host user as much as $10.00 per day. That is $300.00 a month for someone to simply leave his computer running and connected. The average citizen is not likely to know what type of activity his computer is involved in on a daily basis.

The end result would be a massive number of networked computers available for distributed denial-of-service, cryptographic brute forcing, or remote network sniffing. With the cooperation of the host, the capability list is endless, and because he's making money, the host will be motivated to help the cybercriminals persist. Service providers and law enforcement are not ready for this type of attack. This could lead to botnet armies with size and capabilities we have never seen before.

Crime and the sharing economy
Another horror story would be if cyber criminals expanded their marketplace networks to include citizen partners. Consider coordination networks like Uber, Instacart, Care.com, etc. These services are facilitators connecting a consumer who wants something delivered with a network of people who can deliver it.

Now think of applying this pattern to cybercrime. On one end there is a criminal who would like the login credentials of a Global 2000 executive. Via TOR networking, he can go to a site where he can place his request, submit his crypto currency, and a skilled global workforce accepts this objective and delivers it within the terms of the agreement. This lowers the coordination cost for cybercrime to near zero and connects the demand with the supply in ways that have never been seen to date. Worse, because so many people are motivated by money, a service like this could turn citizens into cyber criminals if they believe they cannot get caught and that they can easily make a few bucks on the side.

The last thing I will say about this type of participation and marketplace network is that it would fragment security events into small, seemingly disconnected pieces where one event might not look harmful. But when seen and evaluated as a whole, their impact would be significant.

Cybercrime-as-a-Service
Consider a SaaS service that helped people compute their cybercrimes. The power of big-data analytics and machine learning can compute amazing insight for businesses -- and it can do the same for criminals. Criminals could log in to a website, declare their objective, and the service would compute several alternative attack plans. This would work in the same way that travelers use GPS to reach a destination when getting directions online.

Cybercrime-as-a-Service would have social networks mapped, personal information on each individual, language analysis that yields a level of trust among individuals, mapping to various accounts (some of which may have been compromised), etc. All of this would be creating a corpus of data that can lead the criminal through a directed graph leading to the objective -- exfiltration of a file, ransomware, etc.

At the end of the day (Halloween or any other), cybercrime is a business, and profitable businesses only get smarter and more effective. It’s frightening to imagine how easily cyber criminals could execute these types of attacks and turn my worst nightmare into an even scarier reality.

TK Keanini brings nearly 25 years of network and security experience to the CTO role. He is responsible for leading Lancope's evolution toward integrating security solutions with private and public cloud-based computing platforms. TK is also responsible for developing the ...
View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Rook1
50%
50%
Rook1,
User Rank: Apprentice
11/5/2014 | 1:46:06 PM
Best original article I've read in a while.
A lot of original thoughts in here. Thank you.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/4/2014 | 5:07:10 PM
Re: Future result of a declining economy?
Many people would not willingly be duped into committing unlawful acts (though some definitely would). But I can conceive of a scenario where they would be tricked into doing someting seemingly harmless -- for instance we'll pay you $10 a day to download software that will monitor your YouTube preferences. As dad usefd to say, "If it seems to good to be true, it probably is." But, sadly, there are a lot of people who would take the money and run.
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
10/31/2014 | 3:03:06 PM
Future result of a declining economy?
I can see people being duped by the "work from home" offer, but I don't think people would willingly commit criminal acts, yet. Another aspect of this that seems to make it less likely is that the criminal will expose themselves more using this scheme. They will have to either email, call or meet with their new "employees". Seems like a big risk.


To address the willingness to commit criminal acts, I personally think that if people who wish to work continue to drop out of the work force, this may come to pass. Think about it, people who want to work but are unable to find a job, run across an offer like this, would they take it? I think many would, just to make the money. So, in short this nightmare scenario may be more plausible than you may think.


Happy Halloween
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/31/2014 | 1:17:15 PM
Re: Hard to believe... and yet?
@Marilyn  It really is just way too believable, isn't it? Pyramid schemes work all the time, and they're miserable. Why shouldn't this? 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/30/2014 | 3:41:40 PM
Hard to believe... and yet?
Would people really be duped into downloading a software package in exchange for $10 a day. But then again, I'm sure the "recruiter" would be very slick and convincing. And how hard would it be to set up a web site with a seemingly legitimate purpose. Not that improbable, really.

Great timely, fun and frightening blog, TK. Thx for writing it for us.  

 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Data Loss Spikes Under COVID-19 Lockdowns
Seth Rosenblatt, Contributing Writer,  5/28/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10548
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10549
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10546
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10547
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-11094
PUBLISHED: 2020-06-04
The October CMS debugbar plugin before version 3.1.0 contains a feature where it will log all requests (and all information pertaining to each request including session data) whenever it is enabled. This presents a problem if the plugin is ever enabled on a system that is open to untrusted users as ...