High-tech crimes: not too “high” after all

High-tech crime sounds impressive, but actually the tools are the only somewhat high-tech part, the goals almost never are.

High-tech crime. A popular term used in mass media, by law enforcement agencies, and occasionally elsewhere to describe crimes committed via electronic devices – computers, Web, etc. However, the only thing that makes most of these crimes “hi-tech,” is the tool used to commit them. Sometimes the level of sophistication renders these crimes high-tech as well. However, the goals are almost never high-tech, but are mostly the same – to steal something and get away with it, preferably undetected.

A few weeks ago The Verge ran an article on how MIT researchers were able to reconstruct speech through soundproof glass by watching plants. Since sound waves propagate with air, they incite minuscule wobbles on the plants’ leaves; by using a highly sensitive camera, scientists could “eavesdrop” on people behind the soundproof barrier, without actually seeing or hearing the people themselves.

That definitely makes plants in a sound-insulated room an information security problem. Sort of.

Well, isn’t it a balderdash – a chatty geranium giving out your secrets? You bet. But in fact, someone with highly sensitive hardware can truly read what you speak, watching the flowers on your windowsill. The question is only how difficult would it be to exploit this “vulnerability” and is there not any other, more mundane, and simple-to-execute way to eavesdrop on you? For example, wire tapping.

Interestingly, “watching the flowers” would be really hi-tech (of sorts, again), while wiretapping is considered “not so high-tech.” So, what is the difference? The answer is, wiretapping is just not exotic enough.

wide2

Let us recall Stuxnet, Flame and other high-tech “weapons.” High-tech? Definitely. The people that wrote Stuxnet were almost geniuses; almost, because they made a mistake that eventually exposed Stuxnet to the world. Had they not made that mistake, this worm would have stayed “behind the scenes” for good and the Pandora’s box that Stuxnet opened would have stayed closed for a short while more.

Then there was Flame, Miniflame, Duqu, Miniduke, and – well, you name them. Kaspersky Lab and other security vendors discover new APT campaigns on a disturbingly ad

regular basis. Some of them even appear to precede Stuxnet by a few years.

Their initial authors are really good at what they do, even though what they do is plain evil. More and more often, researchers detect modules, which have already been used by someone else, in the “newer” APT malware. Therefore, these new cyber-espionage tools prove to be not built from scratch at all, but rather, largely assembled from pre-existing parts.

wide1

Should we call the crimes committed with that malware “high-tech” then? Probably yes, but only because these tools require some intellectual effort to be used, as opposed to purely running off of malice, greed, and pathologic cunning (and the knowledge of where to download your next Miniduke-like Trojan).

Ultimately, criminals using high-tech tools usually pursue extremely “non-high-tech” goals: to steal. To rob. To eavesdrop. In rare occasions – to kill someone or sabotage something. Though the Earth spins in the same way for millennia, crime does not change much. It’s all about picking locks, sneaking in, stealing troves, and getting away unseen and unheard. How mundane.

The picklock used may be neutron-magnetic, with exchangeable multidimensional heads – utterly sophisticated. But let’s face it: the locks it is used against are, in most cases, not five-dimensional cross-phasing labyrinths, therefore, hardly presenting much of a challenge. Even today’s most mature software is riddledwith vulnerabilities, even if it is built from the ground up on a security-in-mind paradigm; its defenses are mostly very penetrable. Furthermore, there are errors in “human hardware” too: a cybercriminal doesn’t actually need to be much of a “cyber” to “social-engineer” some average user into releasing sensitive information. Kevin Mitnick’s old “achievements” prove it.

Even if the tools are very sophisticated, you should not overestimate their operators. Thieves may show a huge prowess in using sci-fi-like picklocks, but ultimately, they are still mere thieves, and their goals are as ordinary as they have been throughout human history.

A good example here is a derogatory term, “script-kiddie,” which became popular a few years ago, most likely because it is exceedingly accurate—think of a ‘kid’ that uses a downloaded malware written by someone else in order to wreak havoc at some weak, vulnerable server. The server’s owners then may complain of “cyber-terrorism,” but actually that “terrorist” has merely picked up a stone and thrown it through a glass window.  Later, though, that “stone” may grow its own thin spidery legs and hop behind the lockers. However, it is not the ‘kid’ who has constructed it that way. He merely picked it up somewhere.

The moral of the story? Businesses, watch out. The first thing your cybersecurity should start with is the following questions:

  • What might criminals be interested in? (hint: money and any sensitive data).
  • How can they access it? (hint: via digital software and “human hardware” vulnerabilities).
  • The way to kick them off? – Use data protection tools that would close the vulnerabilities and make all picklocks useless—even the most “multidimensional” ones.
Tips