Tag Archives: CRISPR

Dark Web and Other Scary Cyber Trends

We have all heard the continued drum beat regarding hacking. Anthem, Sony, Target, Home Depot, Experian and various government and military branches have all been hacked and have received their fair share of negative press. In each case, people were harmed, leaders were fired, brands were damaged and no one was really surprised.

I am not a singularly focused cybersecurity expert, but I have been up to my neck in tech for 30 years and have a knack for seeing emerging patterns and macro trends and stitching those together to synthesize consequences and outcomes. In the case of the Dark Web, none of that is good news; the emerging patterns should worry us all. As English historian Thomas Fuller (1608-1661) wrote, “Security is the mother of danger and the grandmother of destruction.”


Below is my list of the “Top 10 Scary Macro Cyberthreat Trends” – and this is still early days for them.

1. The Dark Web Pareto 

Over the last decade, the hacker population has gone from 80% aficionados/hacktivists/deep-end-of-the-pool techies and 20% professional criminals to 80% professional criminals and 20% “other.” To be clear, by “professional criminal” I mean organized criminals who are there for the money, not just someone who broke the law.

2. “Lego-ization” of the Dark Web

Over the last few years, the Dark Web has changed from a place of intricate, end-to-end hacks to one where a buyer merely assembles “legos” that are commercially available (albeit inside an anonymized criminal environment). People can buy not just tool kits with instructions but also “lego-ized” services, like illicit call center agent time, for more complex criminal activities such as getting access to someone’s bank account. Parts of the Dark Web look like IKEA without the assembly difficulty or the inevitable leftover parts.

3. The Dark Web embraces the capital-lite approach

Of course, the Dark Web has embraced the cloud-computing model for the reasons we see in the enterprise world. What this means to the criminal hacker or, more likely, hacker organization, is that they can now go asset-free and rent the assets they need when they need them.

For example, there are services for running a few hundred million password permutations in less than an hour for a few hundred dollars. Hackers no longer need to infect a massive number of computers to fire up a denial-of-service hack; they can simply rent time on a botnet, a massive number of “hijacked” computers up for sale in the Dark Web. Most companies still do not have a botwall to deflect bots.

Gameover ZeuS is a massive example of a botnet with one variant able to generate 10,000 domains a day with more than three million zombie computers — just in the U.S. Botnets are sometimes referred to as “zombie armies” (surely there’s a TV series in there somewhere). The Bredolab botnet may have had as many as 30 million zombie computers.


4. Clandestine versus brazen 

The bragging rights for revealing a hacking “accomplishment” were once a hallmark of this space. Over the past decade or so, that factor has greatly diminished. The criminal enterprise would like nothing more than to go unnoticed. The recent massive Experian hack only came to light after the Secret Service let Experian know some of its stuff had been found for sale in the Dark Web. Focusing on avoiding detection by adopting smarter methods, targets, distribution models and revenue capture is better business and is in line with a longer, sustainable view of profit. None of the criminal organizations have boards of directors that pressure them to hit the quarterly sales and operating income figures. A hack is not a moment in time; if a hacker can go undetected, he or she can milk the hack for years. This is worrisome.

5. The total available market has grown and is target-rich 

The target space for crime connected to an IP node has grown tremendously, and so has the value of the content. The massive increase in mobile IP addresses, the online transactions we do and IP-related things like stored value cards or mileage points make a rich target for crime. It is 100x bigger than what it was just 10 to 15 years ago.

The target space’s growth is accelerating. After banking regulations on the minimum size of banks were relaxed in 1900, 2,000 banks were added in two years along with growth in the relatively new credit union sector. This increase in “target space” spawned bank robbers. The target space for Dark Web crime loves the increase in the target area and doesn’t mind that the “banks” are smaller. The number of people using the Web and the average amount of time spent on the Web continue to increase. I think with the advent of things like the Internet of Things, 5G, Li-Fi and a quantum leap in cloud computing capacity per unit cost, this increase will accelerate.

6. Small many versus big few 

Over the past decade, the trend in conjunction with the above items moved toward smaller “heists” but a lot more of them. Someone in Venezuela took $2 a month off my credit card for 18 months before it stopped. How many people would miss a dollar or two off a stored value card/account that has an auto-refill function like my Skype account does?

What sort of statistical controls would you put on your revenue flows (as a business) to even recognize that leakage? Of course, there are still big hacks going on, but a lot of those are just the front end of a B2B transaction that then sells off that big pool of hacked data to buyers in the criminal bazaar. Small, often and dispersed is harder to catch and more clandestine by nature.

7. Automation of the Dark Web

Timing is everything. As the Dark Web evolved into a scale-based, organized criminal environment, it leveraged modern automation from provisioning to tool sets to communications and even to billing.

Blackshades creepware is a great example of automation extending into the consumer product end. Available for $50, it has a point-and-click interface and has internalized all of the complexity and has automated hacking even for actors with very low-level tech skills. It allows the bad actor to browse files, steal data/passwords and use the camera (often relating to extortion). Blackshades infected more than 500,000 computers in more than 100 nations. A lot of the people who bought this did not have the skills to do any hacking without this kind of automation.

8. Tech getting better, faster, cheaper while talent improves

Late last year, TalkTalk, an ISP quad-play provider in the U.K., got hacked and held for ransom by four teenagers. The company estimates $90 million of cost tied to this hack, and no one really knows what the cost of the brand damage has been. There’s also a third of the company’s market cap gone, and it lost 95,000 customers. In all fairness, TalkTalk’s security was poor. The point here is that the technology in the Dark Web is getting faster, better and cheaper. At the same time, the average talent level is rising, which may not be the case in the non-criminal tech world.

There are three factors at play:

  1. Communities of collaboration and learning are becoming commonplace. Blackshades is a great example of a malicious tool with a super-low point of entry (price and tech skills) backed up by great online help and a community site.
  2. The likes of the Metropolitan Police Cyber Unit (London), the FBI, Interpol, etc. are all very effective and are continually improving organizations that stop crime and lock up cyber criminals. In some ways, this is a culling of the herd that also serves to create a positive Darwinian push on the average talent in the Dark Web.
  3. The giant upside financial opportunity to using tech skills for nefarious purposes creates a big gravitational pull that is only enhanced by recent economic and national turmoil, especially in places like Eastern Europe, Russia and Ukraine. In addition to that, state-sponsored or affiliated hackers with military-like rigor in their training can often make money moonlighting in the criminal world.

The combination of forces raising the talent level and the continued improvement of technology make for a bad combo. The Dark Web is also embracing open sourcing. Peer-to-peer bitcoin-based plays may become the next dark commerce platform.

9. The Dark Web itself

The Dark Web has evolved over the past decade or so from a foggy, barely penetrable space to a labyrinth of loosely connected actors and now to a massive, modernized bazaar thriving with commercial activity with a huge neon sign on the front door saying “Open for Business.” It is not just a bazaar, it is a huge B2B marketplace where the best criminals can resell their wares whole or in “lego-ized” pieces. Some of these criminals even offer testimonials and performance guarantees!

The Dark Web has moved from what economists call “perfect competition” to a more imperfect model trending toward oligopoly. In simpler terms, it is not a sea of malevolent individuals but, rather, the domain of organized businesses that happen to be largely illegal. These are organizations of scale that must be run like a business. This new structure will evolve, adapt and grow so much faster than the prior structure because these organizations have mission-focus and cash-flow pressures. Of course, the market forces common in a bazaar will winnow out low-value and defective products quickly, simply because word travels fast and customers vote with their wallets. 

10. The truly ugly “What’s next?” section

Like many thriving businesses, there is a tendency to move into adjacencies and nearby markets. This has already happened.

There is a lot of money in fiddling with clickstreams and online advertising flows. Bots account for about 50% of the traffic on the Internet; of those, about 60% are bad bots.

There is money to be made in transportation. One can buy fake waybills on the Dark Web to ship a crate to, say, Kiev at a fraction of the price FedEx or UPS would charge, even though the package will travel through FedEx or UPS.

Here are four emerging and even more worrisome areas that could be leveraged (in a bad way) by sophisticated, tech-savvy commercial criminal enterprises that are alive and thriving today in the Dark Web.

  • Internet of Things – It is just the beginning for the IoT. The available talent who know how to secure devices, sensors and tags from hacks and stop those hacks from jumping five hops up a network are few and far between, and they don’t normally work in the consumer and industrial spaces that make stuff and that have decided to make an IP-enabled model. Few boards in the Fortune 500 can have an intelligent conversation about cybersecurity at any level of detail that matters. In short, over the next few years, IoT may be a giant hunting ground. For instance, what if a hacker goes through the air conditioning control system to point-of-sale devices and steals credit card info? That is a target with a big bull’s eye on it. (That is what happened to Target.)
  • Robotics – This is a little further out, and the criminal cash flow is a little harder to predict, but IP-connected robots is a space that will grow exponentially over the next decade and be at key points in manufacturing, military and medical process flows. What is the ransom for holding a bottling plant hostage? The Samsung SGR-1 (no, not a new phone) is a thermal imaging, video-sensing robot with a highly accurate laser targeting gun that can kill someone from 3,000 yards out. The Oerlikon GDF005 is a less-sophisticated antiaircraft “gunbot” that is, in part, designed to be turned on and left to shoot down drones. These things are both hackable.
  • Biochem – What if some of the above Dark Web trends extend into this area, renting assets and expertise, point-and-click front-end designs? The bad news is that this seems to have started. 
  • The over-the-horizon worries – Nanotech, Li-Fi, AI, synthetic biology, brain computer interface (BCI) and genomics are all areas that, at some point in their evolution, will draw a critical mass of criminal Dark Web interest. The advances in these areas are at an astounding pace. They are parts of the near future, not the distant future. If you have not looked at CRISPR, google it. Things like CRISPR, coupled with progressively better economics, are going to supercharge this space. Li-Fi, coupled with 5G and the IoT (including accelerated growth in soft sensors), will create a large target space. The Open BCI maker community is growing quickly and holds enormous promise. Take a look at the Open BCI online shop and see what you could put together for $2,000 or $10,000. The Ultracortex Mark IV is mind-blowing (not literally) and only $299.

All of this is going to get worse before it gets better. This is clearly not a fair fight. This is a target-rich environment that is growing faster than almost anyone anticipated. The bad actors are progressively getting better organized, smarter and better built for “success.” Interpol, the FBI and other law enforcement agencies do great work, but a lot of it is after-the-fact.

Enterprises need new approaches to network-centric compartmentalized security. New thinking about upstream behavioral preventative design is needed for robustly secure IoT plays.

National organizations in law enforcement and intelligence need to think through fighting a borderless, adaptive, well-funded, loosely coupled, highly motivated force like those under the Dark Web umbrella. Those national organizations probably need to play as much offense as defense. Multiple siloed police and intelligence units that are bounded geographically, organizationally, financially and culturally probably will start out with a disadvantage.

This article was originally published on SandHill.com.

The Questions That Aren’t Being Asked

In Aldous Huxley’s 1931 novel Brave New World, many original ideas were posited about a futuristic society. Two of those ideas, appearing in our present, involve eugenics and an ever-increasing reliance on technology.

Techniques like CRISPR (clustered regularly interspaced short palindromic repeats) to genetically engineer a human embryo, and technological advances like self-driving vehicles, could be said to represent some of Huxley’s notions. However, professional liability underwriters, especially those underwriting cyber liability and tech E&O, are out of phase with this “brave new world,” and this fact creates a dangerous situation for both those underwriters and an economic world dependent on them. To be responsible and successful in the present and into the future, the professional liability insurance sector must look backward to look forward and, in so doing, create a breed of underwriters who are every bit as creative as the future will be.

Being out of sync with present-day reality is clearly represented in questions not asked on cyber liability and tech E&O applications. For instance, one current cyber liability application does not ask what type of firewall an applicant is using. A company can use a simple device with a firewall feature and claim to have a firewall in place, but that device will not come close to equaling the protection offered by a hardware-based NGFW, or Next Generation Firewall. The same application also does not ask if multiple hardware and software ecosystems are used, even though the answer to that question, especially for a medium-sized and large business, offers significant insight into the company’s cyber security approach. Additionally, this particular application does not ask whether an applicant is using the services of a cyber security firm. Those kinds of questions, and the answers to them, convey an enormous amount of information about the cyber security posture of an applicant and, in turn, provide significant insight into whether a risk is worth underwriting and at what cost. For such questions to be missing from an application is dangerous for insurance companies and the clients of those companies.


The current situation with technology E&O applications is equally worrisome. For example, in the exclusions list on one recently updated technology E&O policy there is no exclusion for computer languages known to be highly prone to cyber breaches. Theoretically, an insured software company could be writing code in Adobe Flash or JavaScript, languages that should be avoided. By not excluding those languages, the insurer is exposed to adverse results of claims and lawsuits caused by an insured using hazardous script. Perhaps even worse, this insurer does not exclude wireless products that do not include proper encryption. Thus, if a company that produces baby monitors creates a product that broadcasts the signal in an unencrypted format, claims could arise from a concerned consumer of that product. After all, what reasonable parent would allow anyone to spy on her child?

This issue is likely even worse because, time and again, successful lawsuits have already been brought against manufacturers of products that lack proper wireless encryption. The absence of such exclusions to protect itself and to encourage better behavior from its insureds calls into question whether a technology E&O insurer is in sync both with technology and the current legal environment. With underwriters being out of step in the present, one must wonder how they will be able to help drive the world forward in the future.

There are other parts of the professional insurance sphere that are not poised well to be in harmony with the future. In the near future, robots will be introduced into social environments like nursing homes. If a robot injects medication into a patient, prescribes a medication or lifts a patient from a wheelchair to a bed, then that takes an already risky situation into an unexplored legal realm. If a patient suffers an adverse reaction to a drug that was injected by a robot, then how will the nursing home be protected by any of its insurance policies? Or, what if a robot is provided by the nursing home to a patient who needs companionship? If the robot malfunctioned and could not be replaced and the patient withdrew into a depressed state and died, then how would insurance cover a wrongful death suit by the patient’s family? A general liability policy certainly would not cover such an event, and an allied health policy is not currently worded to handle such a risk. What about the manufacturer of that robot? Would a technology E&O policy step forward and indemnify the manufacturer of the robot?

Most countries, especially those like China, Japan and the U.S., have populations that possess far more elderly people than younger ones, and there are simply not enough people entering the field of senior care to handle the influx of those who need care in their golden years. This means that robotic companies are going to be filling that void and, in so doing, will create an unprecedented situation that will require the professional insurance sector to provide guidance and protection to the rapidly aging world. To provide that guidance and protection, however, will require professional underwriters to understand the intersection of technology, human care and the law, an intersection with which underwriters are currently less than conversant.

So how do insurance companies offering cyber liability, technology E&O and other professional insurance get into sync with the evolving world they are underwriting? There was once an international competition that encouraged students in the seventh through twelfth grades to form groups of two or three people and build educational websites. The competition was known as ThinkQuest. It was supported by both governmental and private organizations, had strong support from educators in more than thirty countries and rewarded the most successful competitors with scholarships of as much as $25,000. A similar approach must now be embraced and championed by the insurance industry. The brilliance of ThinkQuest was that it brought together young people who could appreciate and understand a multitude of ideas, numerous bodies of knowledge and people who were willing to learn and teach at the same time and who could convey their ideas both by the written word and binary. The spectrum of ideas that the groups put forth ranged from examining a social phenomenon like Harry Potter to examining how music affects people’s mental and physical health.

To be able to fully appreciate and understand nearly every cyber liability and technology E&O risk requires people who have an uncommon breadth and depth of knowledge that extends from simple areas like grammar to complex areas like quantum mechanics. When an underwriter tries to underwrite a risk like SSA (space situational awareness), to underwrite a risk in which a company produces electronic-photopic chips or to understand memory-resident malware, that requires a degree of understanding that is clearly not being demonstrated by the majority of the current breed of underwriters. However, the degree of wide-ranging creativity needed here was what the ThinkQuest competitions were created to foster in young people. The insurance industry needs people who can draw from a wide range of knowledge, and it also needs people who can write binary code with exactitude. Insurance companies must employ cyber forensic engineers who can pinpoint where a security breach happened, how an intruder gained access to additional computers and how to remedy the situation.

Being able to work individually or in a team, being able to backtrack to the point of intrusion and being able to view the world in tangible and non-tangible ways requires more than someone who can simply write one line of code after another. Currently, insurance companies depend on other companies to investigate data breaches, but this will not work out in the long run. In the 20th century, numerous insurance companies owned law firms to litigate claims economically. The 21st century will require cyber liability insurers to employ cyber forensic engineers to investigate claims based on network breaches. Moreover, in the very near future insurers will need to create an organization that tests routers, switches, servers, smart phones, robots and other technology devices to determine how secure or how capable those devices are. As has already been argued on the PLUS Blog in November 2015, not all technology devices are created with the same expertise, and figuring out which devices are least and most secure will greatly facilitate insurers’ ability to price policies correctly. However, to find young people who can view the computer realm in multiple dimensions, and to find those who can function in a cross-disciplinary environment and approach a risk from a multitude of angles can only be successfully accomplished on a large scale through an instructional competition.

People who have a broad and deep appreciation for multiple disciplines and cyber forensic engineers are uncommon, and insurance companies are not the only ones who need such thinkers. Cyber security companies, law firms, private and public educational organizations, research organizations, think tanks and governments are just a few sectors that need those types of people. This means that, as difficult as it is already to find thoughtful insurance people knowledgeable about the cyber world, the future is only going to be exponentially more troublesome.

When the 20-year-old who is going into her senior year at college thinks about the past and future, what will she strongly consider for a career? Will she remember the competitions that the insurance industry hosted that allowed her to cultivate friends from all over the world, and allowed her to gain the needed assurance in her skills as a programmer or a writer to pursue a major in computer science or history? Will she remember the competitions that helped fund her time at college, and in doing all of that proved that being a cyber liability underwriter is a fulfilling career opportunity? Or will that 20-year-old have nothing to remember where the insurance sector is concerned?

The Cyber Security Challenge is one competition that currently aims to increase the pool of cyber forensic engineers; however, it is not an international competition and focuses only on people who are capable of becoming cyber forensic engineers. Professional liability insurers need thinkers and tinkerers, and locating both on a large scale can only be accomplished through a competition like ThinkQuest. Nano-technology, advanced robotics, augmented reality and memory-resident malware are elements of a brave new world that cyber liability and tech E&O insurers are going to come face-to-face with in the short term. In three to five years, insurers are going to encounter robots where none have been before. If insurers do not create and enthusiastically support a competition like ThinkQuest, then insurers will not be acknowledged or remembered by those in college. Consequently, insurers will find themselves without a breed of underwriters who can thrive and understand the brave future. This must not be so!