TED2013

James Lyne: Everyday cybercrime -- and what you can do about it

February 28, 2013

How do you pick up a malicious online virus, the kind of malware that snoops on your data and taps your bank account? Often, it's through simple things you do each day without thinking twice. James Lyne reminds us that it's not only the NSA that's watching us, but ever-more-sophisticated cybercriminals, who exploit both weak code and trusting human nature.

James Lyne - Cybersecurity specialist
Whether he’s taking on insecure hotspots, inept passwords, or lax OS designers, James Lyne exposes technology’s vulnerabilities while elevating the security awareness of everyday users.

I'm going to be showing some of the cybercriminals'
00:12
latest and nastiest creations.
00:14
So basically, please don't go and download
00:16
any of the viruses that I show you.
00:19
Some of you might be wondering what a cybersecurity specialist looks like,
00:22
and I thought I'd give you a quick insight
00:25
into my career so far.
00:27
It's a pretty accurate description.
00:30
This is what someone that specializes
00:32
in malware and hacking looks like.
00:34
So today, computer viruses and trojans,
00:36
designed to do everything from stealing data
00:40
to watching you in your webcam
00:42
to the theft of billions of dollars.
00:45
Some malicious code today goes as far
00:47
as targeting power, utilities and infrastructure.
00:49
Let me give you a quick snapshot
00:54
of what malicious code is capable of today.
00:56
Right now, every second, eight new users
00:58
are joining the Internet.
01:01
Today, we will see 250,000 individual new computer viruses.
01:03
We will see 30,000 new infected websites.
01:11
And, just to kind of tear down a myth here,
01:17
lots of people think that when you get infected
01:19
with a computer virus, it's because you went to a porn site.
01:21
Right? Well, actually, statistically speaking,
01:25
if you only visit porn sites, you're safer.
01:27
People normally write that down, by the way. (Laughter)
01:30
Actually, about 80 percent of these
01:33
are small business websites getting infected.
01:35
Today's cybercriminal, what do they look like?
01:38
Well, many of you have the image, don't you,
01:40
of the spotty teenager sitting in a basement,
01:43
hacking away for notoriety.
01:45
But actually today, cybercriminals
01:47
are wonderfully professional and organized.
01:49
In fact, they have product adverts.
01:52
You can go online and buy a hacking service
01:55
to knock your business competitor offline.
01:57
Check out this one I found.
02:00
(Video) Man: So you're here for one reason,
02:01
and that reason is
02:03
because you need your business competitors,
02:04
rivals, haters, or whatever the reason is, or who,
02:06
they are to go down.
02:10
Well you, my friend, you've came to the right place.
02:12
If you want your business competitors to go down,
02:15
well, they can.
02:17
If you want your rivals to go offline, well, they will.
02:19
Not only that, we are providing a short-term-to-long-term
02:22
DDOS service or scheduled attack,
02:25
starting five dollars per hour for small personal websites
02:27
to 10 to 50 dollars per hour.
02:31
James Lyne: Now, I did actually pay
02:34
one of these cybercriminals to attack my own website.
02:35
Things got a bit tricky when I tried to expense it at the company.
02:38
Turns out that's not cool.
02:42
But regardless, it's amazing how many products
02:43
and services are available now to cybercriminals.
02:46
For example, this testing platform,
02:50
which enables the cybercriminals
02:52
to test the quality of their viruses
02:54
before they release them on the world.
02:56
For a small fee, they can upload it
02:59
and make sure everything is good.
03:01
But it goes further.
03:02
Cybercriminals now have crime packs
03:04
with business intelligence reporting dashboards
03:06
to manage the distribution of their malicious code.
03:09
This is the market leader in malware distribution,
03:13
the Black Hole Exploit Pack,
03:16
responsible for nearly one third of malware distribution
03:18
in the last couple of quarters.
03:22
It comes with technical installation guides,
03:23
video setup routines,
03:26
and get this, technical support.
03:28
You can email the cybercriminals and they'll tell you
03:31
how to set up your illegal hacking server.
03:34
So let me show you what malicious code looks like today.
03:38
What I've got here is two systems,
03:42
an attacker, which I've made look all Matrix-y and scary,
03:44
and a victim, which you might recognize from home or work.
03:48
Now normally, these would be on different sides
03:51
of the planet or of the Internet,
03:54
but I've put them side by side
03:56
because it makes things much more interesting.
03:58
Now, there are many ways you can get infected.
04:00
You will have come in contact with some of them.
04:02
Maybe some of you have received an email
04:05
that says something like, "Hi, I'm a Nigerian banker,
04:07
and I'd like to give you 53 billion dollars
04:11
because I like your face."
04:14
Or funnycats.exe, which rumor has it
04:16
was quite successful in China's recent campaign against America.
04:20
Now there are many ways you can get infected.
04:24
I want to show you a couple of my favorites.
04:26
This is a little USB key.
04:28
Now how do you get a USB key to run in a business?
04:31
Well, you could try looking really cute.
04:33
Awww.
04:37
Or, in my case, awkward and pathetic.
04:39
So imagine this scenario: I walk into one of your businesses,
04:41
looking very awkward and pathetic, with a copy of my C.V.
04:45
which I've covered in coffee,
04:48
and I ask the receptionist to plug in this USB key
04:50
and print me a new one.
04:54
So let's have a look here on my victim computer.
04:56
What I'm going to do is plug in the USB key.
04:59
After a couple of seconds,
05:02
things start to happen on the computer on their own,
05:04
usually a bad sign.
05:06
This would, of course, normally happen
05:08
in a couple of seconds, really, really quickly,
05:10
but I've kind of slowed it down
05:13
so you can actually see the attack occurring.
05:14
Malware is very boring otherwise.
05:17
So this is writing out the malicious code,
05:20
and a few seconds later, on the left-hand side,
05:22
you'll see the attacker's screen get some interesting new text.
05:26
Now if I place the mouse cursor over it,
05:30
this is what we call a command prompt,
05:32
and using this we can navigate around the computer.
05:35
We can access your documents, your data.
05:38
You can turn on the webcam.
05:41
That can be very embarrassing.
05:42
Or just to really prove a point,
05:44
we can launch programs like my personal favorite,
05:45
the Windows Calculator.
05:49
So isn't it amazing how much control
05:51
the attackers can get with such a simple operation?
05:54
Let me show you how most malware
05:57
is now distributed today.
05:58
What I'm going to do is open up a website
06:01
that I wrote.
06:03
It's a terrible website. It's got really awful graphics.
06:04
And it's got a comments section here
06:09
where we can submit comments to the website.
06:11
Many of you will have used something a bit like this before.
06:15
Unfortunately, when this was implemented,
06:18
the developer was slightly inebriated
06:20
and managed to forget
06:22
all of the secure coding practices he had learned.
06:23
So let's imagine that our attacker,
06:26
called Evil Hacker just for comedy value,
06:29
inserts something a little nasty.
06:33
This is a script.
06:35
It's code which will be interpreted on the webpage.
06:36
So I'm going to submit this post,
06:41
and then, on my victim computer,
06:43
I'm going to open up the web browser
06:45
and browse to my website,
06:47
www.incrediblyhacked.com.
06:50
Notice that after a couple of seconds,
06:53
I get redirected.
06:55
That website address at the top there,
06:57
which you can just about see, microshaft.com,
06:59
the browser crashes as it hits one of these exploit packs,
07:02
and up pops fake antivirus.
07:05
This is a virus pretending to look like antivirus software,
07:09
and it will go through and it will scan the system,
07:15
have a look at what it's popping up here.
07:17
It creates some very serious alerts.
07:18
Oh look, a child porn proxy server.
07:20
We really should clean that up.
07:22
What's really insulting about this is
07:25
not only does it provide the attackers with access to your data,
07:26
but when the scan finishes, they tell you
07:31
in order to clean up the fake viruses,
07:34
you have to register the product.
07:37
Now I liked it better when viruses were free.
07:39
(Laughter)
07:43
People now pay cybercriminals money
07:45
to run viruses,
07:48
which I find utterly bizarre.
07:50
So anyway, let me change pace a little bit.
07:53
Chasing 250,000 pieces of malware a day
07:56
is a massive challenge,
08:00
and those numbers are only growing
08:02
directly in proportion to the length of my stress line, you'll note here.
08:04
So I want to talk to you briefly
08:07
about a group of hackers we tracked for a year
08:09
and actually found --
08:12
and this is a rare treat in our job.
08:14
Now this was a cross-industry collaboration,
08:17
people from Facebook, independent researchers,
08:19
guys from Sophos.
08:22
So here we have a couple of documents
08:24
which our cybercriminals had uploaded
08:27
to a cloud service, kind of like Dropbox or SkyDrive,
08:29
like many of you might use.
08:34
At the top, you'll notice a section of source code.
08:36
What this would do is send the cybercriminals
08:39
a text message every day telling them how much money
08:42
they'd made that day,
08:47
so a kind of cybercriminal billings report, if you will.
08:49
If you look closely, you'll notice a series
08:52
of what are Russian telephone numbers.
08:55
Now that's obviously interesting,
08:58
because that gives us a way of finding our cybercriminals.
09:00
Down below, highlighted in red,
09:03
in the other section of source code,
09:05
is this bit "leded:leded."
09:07
That's a username,
09:09
kind of like you might have on Twitter.
09:11
So let's take this a little further.
09:14
There are a few other interesting pieces
09:15
the cybercriminals had uploaded.
09:17
Lots of you here will use smartphones
09:19
to take photos and post them from the conference.
09:22
An interesting feature of lots of modern smartphones
09:25
is that when you take a photo,
09:27
it embeds GPS data about where that photo was taken.
09:29
In fact, I've been spending a lot of time
09:33
on Internet dating sites recently,
09:36
obviously for research purposes,
09:38
and I've noticed that about 60 percent
09:40
of the profile pictures on Internet dating sites
09:44
contain the GPS coordinates of where the photo was taken,
09:47
which is kind of scary
09:51
because you wouldn't give out your home address
09:52
to lots of strangers,
09:55
but we're happy to give away our GPS coordinates
09:56
to plus or minus 15 meters.
09:58
And our cybercriminals had done the same thing.
10:02
So here's a photo which resolves to St. Petersburg.
10:06
We then deploy the incredibly advanced hacking tool.
10:09
We used Google.
10:12
Using the email address, the telephone number
10:15
and the GPS data, on the left you see an advert
10:17
for a BMW that one of our cybercriminals is selling,
10:21
on the other side an advert for the sale of sphynx kittens.
10:24
One of these was more stereotypical for me.
10:30
A little more searching, and here's our cybercriminal.
10:33
Imagine, these are hardened cybercriminals
10:37
sharing information scarcely.
10:40
Imagine what you could find
10:42
about each of the people in this room.
10:43
A bit more searching through the profile
10:45
and there's a photo of their office.
10:47
They were working on the third floor.
10:49
And you can also see some photos
10:51
from his business companion
10:53
where he has a taste in a certain kind of image.
10:54
It turns out he's a member of the Russian Adult Webmasters Federation.
10:59
But this is where our investigation starts to slow down.
11:03
The cybercriminals have locked down their profiles quite well.
11:06
And herein is the greatest lesson
11:10
of social media and mobile devices for all of us right now.
11:12
Our friends, our families and our colleagues
11:16
can break our security even when we do the right things.
11:20
This is MobSoft, one of the companies
11:25
that this cybercriminal gang owned,
11:28
and an interesting thing about MobSoft
11:30
is the 50-percent owner of this
11:31
posted a job advert,
11:34
and this job advert matched one of the telephone numbers
11:36
from the code earlier.
11:40
This woman was Maria,
11:42
and Maria is the wife of one of our cybercriminals.
11:44
And it's kind of like she went into her social media settings
11:47
and clicked on every option imaginable
11:50
to make herself really, really insecure.
11:53
By the end of the investigation,
11:57
where you can read the full 27-page report at that link,
11:58
we had photos of the cybercriminals,
12:02
even the office Christmas party
12:04
when they were out on an outing.
12:07
That's right, cybercriminals do have Christmas parties,
12:09
as it turns out.
12:12
Now you're probably wondering what happened to these guys.
12:14
Let me come back to that in just a minute.
12:16
I want to change pace to one last little demonstration,
12:19
a technique that is wonderfully simple and basic,
12:21
but is interesting in exposing how much information
12:25
we're all giving away,
12:29
and it's relevant because it applies to us as a TED audience.
12:30
This is normally when people start kind of shuffling in their pockets
12:35
trying to turn their phones onto airplane mode desperately.
12:37
Many of you all know about the concept
12:41
of scanning for wireless networks.
12:43
You do it every time you take out your iPhone or your Blackberry
12:45
and connect to something like TEDAttendees.
12:49
But what you might not know
12:53
is that you're also beaming out a list of networks
12:54
you've previously connected to,
12:59
even when you're not using wireless actively.
13:02
So I ran a little scan.
13:06
I was relatively inhibited compared to the cybercriminals,
13:07
who wouldn't be so concerned by law,
13:10
and here you can see my mobile device.
13:13
Okay? So you can see a list of wireless networks.
13:16
TEDAttendees, HyattLB. Where do you think I'm staying?
13:18
My home network, PrettyFlyForAWifi,
13:23
which I think is a great name.
13:26
Sophos_Visitors, SANSEMEA, companies I work with.
13:28
Loganwifi, that's in Boston. HiltonLondon.
13:31
CIASurveillanceVan.
13:34
We called it that at one of our conferences
13:37
because we thought that would freak people out,
13:38
which is quite fun.
13:40
This is how geeks party.
13:42
So let's make this a little bit more interesting.
13:47
Let's talk about you.
13:49
Twenty-three percent of you have been to Starbucks
13:51
recently and used the wireless network.
13:53
Things get more interesting.
13:57
Forty-six percent of you I could link to a business,
13:58
XYZ Employee network.
14:00
This isn't an exact science, but it gets pretty accurate.
14:03
Seven hundred and sixty-one of you I could identify a hotel you'd been to recently,
14:07
absolutely with pinpoint precision somewhere on the globe.
14:12
Two hundred and thirty-four of you, well, I know where you live.
14:16
Your wireless network name is so unique
14:19
that I was able to pinpoint it
14:22
using data available openly on the Internet
14:23
with no hacking or clever, clever tricks.
14:26
And I should mention as well that
14:30
some of you do use your names,
14:32
"James Lyne's iPhone," for example.
14:34
And two percent of you have a tendency to extreme profanity.
14:36
So something for you to think about:
14:41
As we adopt these new applications and mobile devices,
14:43
as we play with these shiny new toys,
14:46
how much are we trading off convenience
14:49
for privacy and security?
14:53
Next time you install something,
14:56
look at the settings and ask yourself,
14:58
"Is this information that I want to share?
15:00
Would someone be able to abuse it?"
15:03
We also need to think very carefully
15:06
about how we develop our future talent pool.
15:08
You see, technology's changing at a staggering rate,
15:13
and that 250,000 pieces of malware
15:16
won't stay the same for long.
15:19
There's a very concerning trend
15:22
that whilst many people coming out of schools now
15:24
are much more technology-savvy, they know how to use technology,
15:27
fewer and fewer people are following the feeder subjects
15:31
to know how that technology works under the covers.
15:35
In the U.K., a 60 percent reduction since 2003,
15:39
and there are similar statistics all over the world.
15:44
We also need to think about the legal issues in this area.
15:47
The cybercriminals I talked about,
15:52
despite theft of millions of dollars,
15:53
actually still haven't been arrested,
15:55
and at this point possibly never will.
15:57
Most laws are national in their implementation,
16:01
despite cybercrime conventions, where the Internet
16:04
is borderless and international by definition.
16:08
Countries do not agree, which makes this area
16:11
exceptionally challenging from a legal perspective.
16:14
But my biggest ask is this:
16:18
You see, you're going to leave here
16:22
and you're going to see some astonishing stories in the news.
16:24
You're going to read about malware doing incredible
16:28
and terrifying, scary things.
16:30
However, 99 percent of it works
16:33
because people fail to do the basics.
16:37
So my ask is this: Go online,
16:41
find these simple best practices,
16:44
find out how to update and patch your computer.
16:47
Get a secure password.
16:49
Make sure you use a different password
16:51
on each of your sites and services online.
16:52
Find these resources. Apply them.
16:56
The Internet is a fantastic resource
16:59
for business, for political expression,
17:02
for art and for learning.
17:04
Help me and the security community
17:06
make life much, much more difficult
17:09
for cybercriminals.
17:13
Thank you.
17:15
(Applause)
17:16

Why you should listen

In an ever-expanding world of networked mobile devices, security threats -- and our ignorance of them -- are more widespread than ever. James Lyne of security firm Sophos believes that if we continue to ignore basic best practices, security is on a trajectory of failure.
 
A self-described geek, Lyne spends time ripping apart the latest gadgets and software, builds true random number generators out of tinfoil and smoke alarm parts, among other unlikely objects. But his gift lies in his ability to explain complicated concepts and abstract threats to diverse audiences around the world.

Data provided by TED.
