
Predictive Crime Lab (PCL) All-IP

RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

As Switzerland is shutting down its TDM core networks and moving towards All-IP (Swisscom term), we run a tiny simulated private home with Smart Home components and an All-IP communications infrastructure to learn about predictive crime. In short: think about a family of father, mother and two kids, girl and boy. They all have smartphones, both Android and iOS, and integrate more and more all aspects of life towards digital. So the little ecosystem also contains three external hackers: father ebanking, mother Zalando ordering and teens WhatsApp. 7 players and about 15 digital devices. Important: No PCs, Laptops or Notebooks involved, as future crime is on Mobiles.

We now try to define a virtual risk landscape for the family. Not single risks but aggregated to bring-in the risk of Social Engineering.

The challenge is to imagine new forms of Social Engineered Crime (SEC) based on the social vulnerabilities of a family like different time schedules, different levels of technical skills and confused communication during a typical busy workday with little time budget to think, validate, doublecheck or meet and greet.

So it's about new - not old. Think outside the box.

What do you think we should take into consideration in our PCL?

What would you do with this little playground?

Be careful. Crime listens here - but still try to collaborate here please.

 
Posted : 11/05/2017 12:10 am
(@badgerau)
Posts: 96
Trusted Member
 

The risk falls into two categories:

Technical vs Behavioral. Yes technology can be used to limit risk, and although it is never perfect it is getting smarter. The challenge lies in changing the behaviour of the end user, who are almost always too willing to click on a link or fall for "flavour of the hour" scam.

The technology providers (hardware, ISP, Application) are very cautious in their approach as they don't want to scare off the end user with the reality but choose to take a softly, softly approach to the end user's detriment.

My opinion is we need to see the types of awareness campaigns similar to the drink driving, car seat belts, anti-smoking etc campaigns that have proven to be successful, brought over into the online/cyber domain in order to program the caution into the user's mindset when it comes to how to operate online.

The connected houses/offices with an ever increasing amount of IoT carry an immense risk in themselves, as the vendors of Lightbulbs, Fridges etc will almost always release a product with a flaw or backdoor that may end up compromising the building from within. Government spy agencies jumped on this early in turning smart TVs into listening devices or turning on the cameras on laptops to spy on the subject, and the hackers followed by infecting the home routers' firmware.

The challenge of PCL is with mobile devices that travel out of the house/building and are possibly compromised anywhere. The trusted device is then carried into the "safe" environment and connects to the wifi and infects other devices.

The mobile devices are the weakest point.

 
Posted : 11/05/2017 3:04 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

badgerau: Very sharp analysis and excellent post. Thank you!

From my point of view you are right in all aspects. The challenge in a highly dynamic environment is to structure the chaotic elements to get more transparency. In addition to the layers of Technical and Behavioral we added the Awareness and Risk layers. As four layers are too much, we defined the Awareness layer into High Risk if awareness is low and Low Risk if awareness is high.

Technical layer

Split into Hard- and Software and User Interaction: HW, SW and UI

Let's assume the HW layer as static and the SW layer as dynamic. Newly added IoT devices, e.g., are 'new static'. The SW layer is half a lost domain based on the Android devices, as Android is a three-player-domain: Google, Manufacturer and User. The Manufacturers do nothing to patch Android. In addition, Google Play apps are not properly reviewed before going online. So we estimate the Android devices as more vulnerable in general. iOS on the other side is a two-player-domain (app developers on both OS platforms excluded). In addition, HW and SW are built together. iOS devices SW-based are top in security, but the Apple ecosystem is highly synchronized inter-device related, which is a higher risk.

Android attack vector: SW and UI
iOS attack vector: UI

Behavioral layer

Split into Information Gathering, Order Processing, Social Interaction: IG, OP, SI

For a long time spearphishing by email-embedded links or docs was problem #1. As email declines and messaging rises we expect a shift of spearphishing into messaging in-chat links. Still, OP is based on order confirmation by email, but Over The Top (OTT) players like Facebook will force in-chat ads and in-chat OP including mobile payment. One for sure will also bring in the aspects of bots. As they are assistants for fully automated consume&pay they already are a huge problem. But in general: as the user gets out of his hand the decision making and visual observing potential (redirections, URLs, fake websites especially for bots), if bots are part of the situation they will increase the risk. The trend toward bots is looming so no chance to avoid.

Android attack vector: OP and SI
iOS attack vector: OP and SI

Conclusion: OS not decisive.

Risk layer
High Risk sublayer
Low Risk sublayer

Risk is always related to damage and loss. We defined risk as negative and business related
potential in a positive way (e.g. uncertain but early innovation related to market and demand).

So how to predict the risk of UI? We discussed internally whether it is important to divide the location related to risk. Is mobile always more risky than home? It's a matter of time-budget. Normally mobile brings a tiny time-budget. This is more risky as the user has no time to 'think twice' and to double-check. Fast consuming is in general a high risk (eating too much, not taking into consideration relevant details). A good campaign years ago in the U.S. was called:

Stop-Think-Connect

But today it's more about Stop-Think-DoNotTouch. We here are uncertain how to value risk and especially which attack vector is vulnerable by high risk. Is it important to take gender differences into the game? Is it important to take the level of distraction into the platform?

Let's continue with: How can you make the user more aware of distraction? Visual Distraction VD, Acoustic Distraction AD and Emotional Distraction ED. If you like you can add Brain Distraction BD.

What do you think?

 
Posted : 11/05/2017 3:27 pm
(@c-r-s)
Posts: 170
Estimable Member
 

Is it important to take gender differences into the game?

From my experience: Yes, and there is some research out there, e.g. http://lorrie.cranor.org/pubs/pap1162-sheng.pdf

As an attacker who has got the choice, you mostly pick the woman. Women are easier to trick in user interaction and, which I find more relevant, are more tolerant towards technical malfunction.

If your exploit is invoked by systems interaction (which should be preferred over social engineering), but may cause some unwanted behaviour (error message, application hang, reboot etc.), your chances, that the user neither digs into it by herself nor asks anyone to investigate, are much better with women.

 
Posted : 11/05/2017 5:40 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

To reduce complexity: What are the next crime attack vectors digitally looming up?

Train Your Brain!

 
Posted : 11/05/2017 11:28 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Thank you C.R.S. - will drop (SEC) Social Engineering Crime towards System Interaction Crime (SIC).

Let's look at women, splitting into 3 age segments: Y Young 2-19, M Mid 20-67, W Wise 68-x.

Y

This segment often has the highest level of activity day and night. Speed and distraction combined bring a high level of Fast Moving Consuming (like the term out of marketing, Fast Moving Consumer Goods FMCG; think about a bottle of coke filled in the shelf and minutes later already sold). But this segment is socially best connected, there is no lack of friends, help or advice. As genders are mixed, the technical issues are assisted by boys highly affine digitally.

We found that in this segment both genders are vulnerable by malicious apps, infected downloads or Peer-to-Peer acid. Music and Clips are top on wishlist, Youtube to MP3… Not to forget the layer of education in this segment like schools and unis.

M

Combined experience in our team brought out that this segment is very heterogeneous. Job, Partnership, Friends and Holidays have a high level of influence. But there must be a common ground of vulnerability in this segment, as financial crime is high here. Holidays is on top of the list and not just by Credit Card Theft. Flights, Lodging and Activities of both genders contribute highly.

W

Actually not a high level of digital crime, as low adaption. But what will be the next generation of W, which is digitally affine but tired of new trends? For sure this segment will be the top runner of digital crime, as more money to steal at end of life.

But again: What are your predictive digital crime trends for 2020? Where and Why?
Besides: Who runs a PCL in law enforcement somewhere globally?

 
Posted : 12/05/2017 12:03 am
(@c-r-s)
Posts: 170
Estimable Member
 

Thank you C.R.S. - will drop (SEC) Social Engineering Crime towards System Interaction Crime (SIC).

To avoid misconceptions: I used systems interaction complementarily to user interaction. Exploitation purely based on systems interaction (with data) is preferable, since it does not rely on tricking a user and does not raise suspicion (if it works). E.g. you send an email with an exploit against AV software to the victim, it gets scanned by the victim's AV software, you own the system. A relatively small portion of criminal actors is able to conduct these attacks. I "predict" that this will not change in the future, since digital crime is a numbers game. There is no incentive to gain the required abilities, as long as tricking users is still profitable.

What are your predictive digital crime trends for 2020? Where and Why?

Regarding IoT, a recent article from ENDGAME asks:

So, are we all about to be subjected to a wave of ransomware that prevents you from flushing your toilet? Will ransomware disable your thermostat? Will ransomware burn your toast?

In an internal discussion some time ago about automotive ransomware we did not figure out how this could be effectively monetized. The issue with IoT-controlled assets is that they are either low priced or (in contradiction to generic computers and software) locked down against the user's misbehaviour, and the vendor's liability actually works. You would not pay ransom to unlock your car or to switch on the microwave oven, but ask the vendor to fix it for you, and they probably will have to do it for free. This could be a way to gain market shares against a competitor, but will not pay out immediately.

 
Posted : 12/05/2017 3:46 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

It's all about money only. Pressing out money with ransomware or stealing money in any other forms. Crime - differentiated from spying (which is a different form of crime) - will directly or indirectly focus on money. So the question is: Where first is the money in our PCL? Indirect by ransomware is not so effective.

Inter-app mobile payment stealing is what we here think will rise. A new trend we found out is that some users order more and more from China directly online. As the prices are competitive they sometimes order many pieces. But as 'free delivery' for one piece still exists some webshops change this to 'shipment cost' if ordering more than one piece. To avoid this users order multiple times the same part in high numbers. Some sub-enterprises of bigger platforms used this to over-charge this number by one or two parts.

Make it tiny - the user will not recognize it.

In the area of mobile payment we recognized that the Y segment makes use of Micro Granular Multi Payments (MGMP) and loses the ability to double-check at the end of the month.

Ransomware combined with mistakes or failures in job and family will rise. People running illegal activities should be aware that oppression in general and picture and video material of surveillance of illegal activities will hit them.

How to avoid, stay clean.

 
Posted : 12/05/2017 5:10 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

In an internal discussion some time ago about automotive ransomware we did not figure out how this could be effectively monetized. The issue with IoT-controlled assets is that they are either low priced or (in contradiction to generic computers and software) locked down against the user's misbehaviour, and the vendor's liability actually works. You would not pay ransom to unlock your car or to switch on the microwave oven, but ask the vendor to fix it for you, and they probably will have to do it for free. This could be a way to gain market shares against a competitor, but will not pay out immediately.

Well, you seem to overlook two facts (that only apply partially to "good, solid" brands or well established manufacturers):
1) a large part (I would say nearly all) of IoT devices are either el-cheapo things or "smart VC financed bright startups" ideas (both - though possibly for different reasons - either poorly implemented security wise or over-engineered)
2) people are mostly good, but a few people are either bad or stupid (or both).

Re #1: good luck having the Chinese no-name manufacturer or the startup that just closed honour your warranty or provide support for your bricked *whatever* IoT.

Re #2: we have more than a few examples of computer related crimes committed either "for the fun of it" or "just for some spite against humanity" or "to give an example".

And then, again, good luck in having the manufacturer take care of the effects.

I still remember pretty well when the Chernobyl virus struck
https://en.wikipedia.org/wiki/CIH_(computer_virus)

At the time I rescued (via BIOS chip swapping or hot-swapping) tens of motherboards which the manufacturer of the systems (mainly HP, at the time not exactly a "marginal" brand) refused to repair/replace (and, for the record, that our internal "IT guy" also deemed unrecoverable).

jaclaz

 
Posted : 12/05/2017 5:38 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Your comments drift from the subject: It's about the future. Not the past.

What do you mean by over-engineered? Can you give an example of an over-engineered IoT device?
Are there secure IoT devices as examples for best-of-class security? Can small-priced products ever be secure without proper IMPLEMENTATION of encryption and security principles? Is convenience the killer in general, as strict security never is automated and super-fast?

 
Posted : 12/05/2017 7:30 pm