University of Cambridge - hacking /taxonomy/subjects/hacking en Honour among thieves: the study of a cybercrime marketplace in action /research/news/honour-among-thieves-the-study-of-a-cybercrime-marketplace-in-action <div class="field field-name-field-news-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item even"><img class="cam-scale-with-grid" src="/sites/default/files/styles/content-580x288/public/news/research/news/crop_208.jpg?itok=QwBTRxOF" alt="Someone programming a website in HTML" title="Someone programming a website in HTML, Credit: Mika Baumeister on Unsplash" /></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>Having seen a large rise in illegal transactions during the first national lockdown last spring, the researchers warned that the second lockdown is likely to result in another surge in cybercrime activities. But they also offer insights on how such activity can be disrupted.</p> <p>The researchers have been collecting the data on illicit trades from HackForums – the world’s largest and most popular online cybercrime community. Two years ago, it set up a market where contracts had to be logged for all transactions as an attempt to protect members of the community from scamming and frauds.</p> <p>The contract system was introduced in 2018, and then made mandatory in spring 2019, for all market users. It logged all the illicit buying and selling of – among other things – malicious software (malware), currencies including Bitcoin and gift vouchers, eWhoring ‘packs’ (e.g. of photos and videos with sexual content), hacking tutorials and tools that allow users illegally to access or control remote servers.</p> <p>Ironically, HackForums had introduced the contract logging system in response to its members’ concerns that trades were being abused and they were being scammed.
But in doing so, it unwittingly lifted the lid on the way such underground markets operate.</p> <p>The data the contract logging generated has been collected by researchers here. And after analysing it and using statistical modelling approaches, the researchers have been able to shed important new light on the way a cybercrime market operates, hopefully to the benefit of the security community.</p> <p>The researchers watched the market initially function as a forum where many individual users conducted one-off transactions. Then it changed. As the contract system became mandatory, within a few months, the market was becoming concentrated around a small group of ‘power-users’ offering goods and services that were attractive to many.</p> <p>“This small group of users – representing about 5 per cent of all users – are involved in around 70 per cent of all the transactions,” said Anh Vu, a research assistant in the Cambridge Cybercrime Centre and co-author of the paper the Centre has just produced, <a href="https://www.cl.cam.ac.uk/~vv301/papers/imc20.pdf">‘<em>Turning Up the Dial: the Evolution of a Cybercrime Market through Set-up, Stable, and Covid-19 Eras’</em></a>.</p> <p>And then came the global declaration of the coronavirus pandemic in March 2020. The research team saw the virus and the resulting lockdowns that were introduced significantly “turn up the dial” on the number of market transactions.</p> <p>“There was a big rise in transactions in what we call the ‘Covid-19 era’,” said Anh. “Looking at the discussion forums, we could see that a period of mass boredom and economic change – when presumably some members were not able to go to school and others had lost their jobs – really stimulated the market.</p> <p>“Members needed to make money online and they had a lot of time on their hands, and so we saw a rise in trading activity.
We expect to see another rise during the second lockdown, but we don’t think it will be as large as during the first.”</p> <p>The increase in business during the pandemic also meant that contracts for transactions were concluded much faster. Where in the early months of the market, the completion time for contracts was around 70 hours, during the pandemic it dropped to less than 10 hours.</p> <p>Online underground forums like HackForums are communities used for trading in illicit material and sharing knowledge. The forums support a plethora of cybercrimes, allowing members to learn about and engage in criminal activities such as trading virtual items obtained by illicit means, launching denial of service attacks, or obtaining and using malware. They facilitate a variety of illicit businesses aiming at making easy money.</p> <p>The Cambridge Cybercrime Centre researchers have done some previous work looking at underground forums. “But this is the first dataset we are aware of that provides insights about the contracts made in these forums,” says Anh. Previously, while traders might meet online in a forum, they would likely trade offline via private messaging. But the introduction of the contract system means all trades are now logged – and can therefore be tracked.</p> <p>Using the data, the researchers looked at a variety of trading activities taking place in the market. The largest activities were currency exchanges and payments – for example, exchanging Bitcoin (a very popular currency in illicit trading because people believe that it leaves no trace) for PayPal funds.</p> <p>This activity was followed by trades in gift cards (including Amazon gift cards) and software licences. “When you install a software package like Windows,” Anh said. “You have to input a key to activate it.
People often buy software keys illegally in a market like this because it is cheaper for them than purchasing it officially from Microsoft – and sometimes they can obtain it for free in exchange for other items.”</p> <p>Other products and services they found being traded in the underground market were hacking tutorials, remote access tools and eWhoring materials – photos and videos with sexual content that are sold to a third party, who pays for them believing that they are paying for an online sexual encounter.</p> <p>They used several methods to try and estimate the values of trades taking place via HackForums and concluded that taking both public and private transactions into account and extrapolating by each contract type, the lower bound total of trades was in excess of $6 million.</p> <p>What the researchers learned about the operation of an underground cybercrime market is valuable, they believe, to the security community. The logging of contracts when goods were traded has allowed users to build up a form of trust and reputation and this in turn led to the rise of the ‘power-users’ in the market.</p> <p>“And now we know a small group of power-users are responsible for a large number of transactions, it would make sense to focus interventions on them,” Anh said. “As that will have a much bigger impact than going after a large number of individuals.”</p> <p>In their paper they suggest interventions to undermine the perceived reputations and trustworthiness of the big players – for example by posting false negative reviews of them and using other methods, known as Sybil attacks, that disrupt the market’s reputation systems.</p> <p>And the researchers are continuing to watch the market. “We’re interested to know how the marketplace evolves during this second lockdown and afterwards,” said Anh.
“And will be looking to see whether any new trading activities emerge.”</p> <p><strong><em>Reference: </em></strong><br /> <a href="https://www.cl.cam.ac.uk/~vv301/papers/imc20.pdf">‘<em>Turning Up the Dial: the Evolution of a Cybercrime Market through Set-up, Stable, and Covid-19 Eras’</em></a><em> was presented at a seminar series of the 2020 Internet Measurement Conference. It was also presented at the <a href="https://www.cst.cam.ac.uk/seminars/list/152692">Workshop on Security and Human Behaviour</a> taking place on Thursday 5 November 2020</em>.</p> </div></div></div><div class="field field-name-field-content-summary field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><p>Researchers at the Cambridge Cybercrime Centre have revealed what they’ve learned from analysing hundreds of thousands of illicit trades that took place in an underground cybercrime forum over the last two years.</p> </p></div></div></div><div class="field field-name-field-content-quote field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even">We’re interested to know how the marketplace evolves during this second lockdown and afterwards, and will be looking to see whether any new trading activities emerge</div></div></div><div class="field field-name-field-content-quote-name field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Anh Vu</div></div></div><div class="field field-name-field-image-credit field-type-link-field field-label-hidden"><div class="field-items"><div class="field-item even"><a href="https://unsplash.com/photos/flat-screen-computer-monitor-displaying-white-and-black-screen-J5yoGZLdpSI" target="_blank">Mika Baumeister on Unsplash</a></div></div></div><div class="field field-name-field-image-desctiprion field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Someone programming a website in
HTML</div></div></div><div class="field field-name-field-cc-attribute-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"><p><a href="http://creativecommons.org/licenses/by/4.0/" rel="license"><img alt="Creative Commons License" src="https://i.creativecommons.org/l/by/4.0/88x31.png" style="border-width:0" /></a><br /> The text in this work is licensed under a <a href="http://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 International License</a>. Images, including our videos, are Copyright © University of Cambridge and licensors/contributors as identified. All rights reserved. We make our image and video content available in a number of ways – as here, on our <a href="/">main website</a> under its <a href="/about-this-site/terms-and-conditions">Terms and conditions</a>, and on a <a href="/about-this-site/connect-with-us">range of channels including social media</a> that permit your use and sharing of our content under their respective Terms.</p> </div></div></div><div class="field field-name-field-show-cc-text field-type-list-boolean field-label-hidden"><div class="field-items"><div class="field-item even">Yes</div></div></div> Fri, 06 Nov 2020 16:19:06 +0000 Anonymous 219481 at Most laptops vulnerable to attack via peripheral devices, say researchers /research/news/most-laptops-vulnerable-to-attack-via-peripheral-devices-say-researchers <div class="field field-name-field-news-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item even"><img class="cam-scale-with-grid" src="/sites/default/files/styles/content-580x288/public/news/research/news/crop_105.jpg?itok=AQRZmGmd" alt="Macbook pro with dongle" title="Macbook pro with dongle, Credit: Theo Markettos" /></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>The research, presented at the <a
href="https://www.ndss-symposium.org/ndss2019/">Network and Distributed Systems Security Symposium</a> in San Diego, USA, shows that attackers can compromise an unattended machine in a matter of seconds through devices such as chargers and docking stations.</p> <p>Vulnerabilities were found in computers with Thunderbolt ports running Windows, macOS, Linux and FreeBSD. Many modern laptops and an increasing number of desktops are susceptible.</p> <p>The researchers, from the University of Cambridge and Rice University, exposed the vulnerabilities through Thunderclap, an open-source platform they have created to study the security of computer peripherals and their interactions with operating systems. It can be plugged into computers using a USB-C port that supports the Thunderbolt interface and allows the researchers to investigate techniques available to attackers. They found that potential attacks could take complete control of the target computer.</p> <p>The researchers, led by Dr Theodore Markettos from Cambridge’s Department of Computer Science and Technology, say that in addition to plug-in devices like network and graphics cards, attacks can also be carried out by seemingly innocuous peripherals like chargers and projectors that correctly charge or project video but simultaneously compromise the host machine.</p> <p>Computer peripherals such as network cards and graphics processing units have direct memory access (DMA), which allows them to bypass operating system security policies. DMA attacks abusing this access have been widely employed to take control of and extract sensitive data from target machines.</p> <p>Current systems feature input-output memory management units (IOMMUs) which can protect against DMA attacks by restricting memory access to peripherals that perform legitimate functions and only allowing access to non-sensitive regions of memory.
However, IOMMU protection is frequently turned off in many systems and the new research shows that, even when the protection is enabled, it can be compromised.</p> <p>“We have demonstrated that current IOMMU usage does not offer full protection and that there is still the potential for sophisticated attackers to do serious harm,” said Brett Gutstein, a Gates Cambridge Scholar, who is one of the research team.</p> <p>The vulnerabilities were discovered in 2016 and the researchers have been working with technology companies such as Apple, Intel and Microsoft to address the security risks. Companies have begun to implement fixes that address some of the vulnerabilities that the researchers uncovered; several vendors have released security updates in the last two years.</p> <p>However, the Cambridge research shows that solving the general problem remains elusive and that recent developments, such as the rise of hardware interconnects like Thunderbolt 3 that combine power input, video output and peripheral device DMA over the same port, have greatly increased the threat from malicious devices, charging stations and projectors that take control of connected machines. The researchers want to see technology companies taking further action, but also stress the need for individuals to be aware of the risks.</p> <p>“It is essential that users install security updates provided by Apple, Microsoft and others to be protected against the specific vulnerabilities we have reported,” said Markettos. “However, platforms remain insufficiently defended from malicious peripheral devices over Thunderbolt and users should not connect devices they do not know the origin of or do not trust.”</p> <p>More information is available at <a href="https://thunderclap.io/">thunderclap.io</a>.</p> <p><strong><em>Reference:</em></strong><br /> <em>A. Theodore Markettos, Colin Rothwell, Brett F. Gutstein, Allison Pearce, Peter G.
Neumann, Simon W. Moore, Robert N. M. Watson</em><em>. ‘Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via DMA from Untrustworthy Peripherals.’ Paper presented at <a href="https://www.ndss-symposium.org/ndss2019/accepted-papers/">Network and Distributed Systems Security Symposium 2019</a>. San Diego, California. </em></p> <p> </p> </div></div></div><div class="field field-name-field-content-summary field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><p>Many modern laptops and an increasing number of desktop computers are much more vulnerable to hacking through common plug-in devices than previously thought, according to new research.</p> </p></div></div></div><div class="field field-name-field-content-quote field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even">It is essential that users install security updates to be protected against the specific vulnerabilities we have reported</div></div></div><div class="field field-name-field-content-quote-name field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Theodore Markettos</div></div></div><div class="field field-name-field-image-credit field-type-link-field field-label-hidden"><div class="field-items"><div class="field-item even"><a href="/" target="_blank">Theo Markettos</a></div></div></div><div class="field field-name-field-image-desctiprion field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Macbook pro with dongle</div></div></div><div class="field field-name-field-cc-attribute-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"><p><a href="http://creativecommons.org/licenses/by/4.0/" rel="license"><img alt="Creative Commons License" src="https://i.creativecommons.org/l/by/4.0/88x31.png" style="border-width:0" /></a><br /> The text in this work
is licensed under a <a href="http://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 International License</a>. Images, including our videos, are Copyright © University of Cambridge and licensors/contributors as identified. All rights reserved. We make our image and video content available in a number of ways – as here, on our <a href="/">main website</a> under its <a href="/about-this-site/terms-and-conditions">Terms and conditions</a>, and on a <a href="/about-this-site/connect-with-us">range of channels including social media</a> that permit your use and sharing of our content under their respective Terms.</p> </div></div></div><div class="field field-name-field-show-cc-text field-type-list-boolean field-label-hidden"><div class="field-items"><div class="field-item even">Yes</div></div></div> Tue, 26 Feb 2019 00:01:28 +0000 sc604 203542 at Cambridge to host transatlantic cyber security competition /news/cambridge-to-host-transatlantic-cyber-security-competition <div class="field field-name-field-news-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item even"><img class="cam-scale-with-grid" src="/sites/default/files/styles/content-580x288/public/news/news/crop_11.jpg?itok=7ttNuLzq" alt="Inter-ACE Cyber Challenge 2017" title="Inter-ACE Cyber Challenge 2017, Credit: Frank Stajano" /></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>The “Cambridge2Cambridge” cyber security competition, backed by government and industry, is the brainchild of the University of Cambridge and the Massachusetts Institute of Technology (MIT) in the US, and will see talented students pitted against each other in a three-day showdown.</p> <p>In total, 110 students from 25 universities from the UK and USA will form mixed transatlantic teams and battle against a fictional rogue state in the life-like cyber security competition
backed by the National Cyber Security Centre (NCSC) and Cabinet Office.</p> <p>The annual event is now in its second year with prize money up for grabs for the winners. It will be held from 24-26 July at Trinity College, Cambridge.</p> <p>With <a href="https://www.computerweekly.com/news">major cyber-attacks on the increase,</a> according to the NCSC, the need for cyber security experts is more important than ever before.</p> <p>Professor Frank Stajano, Head of the Academic Centre of Excellence in Cyber Security Research at Cambridge’s Computer Laboratory and the co-founder of Cambridge2Cambridge, said that the competition has been designed to promote greater cyber security collaboration between the UK and USA, and to give students the platform to explore creative ways to combat global cyber-attacks.</p> <p>“The aim of the competition is also to bring together different individuals in a fun and inclusive environment, where they can apply their cyber security abilities in a collaborative and competitive setting, allowing students to implement the skills they have been taught, while learning new ones in the process,” he said.</p> <p>It also gives budding cyber enthusiasts the opportunity to meet like-minded individuals, and learn more about careers in the sector by introducing them to key players in the industry and government.</p> <p><a href="https://cambridge2cambridge.csail.mit.edu/">https://cambridge2cambridge.csail.mit.edu/</a></p> </div></div></div><div class="field field-name-field-content-summary field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><p>A major cyber security challenge, aimed at educating and inspiring the next generation of cyber defenders from across the UK and US, will be held at the University of Cambridge next week.
</p> </p></div></div></div><div class="field field-name-field-content-quote field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even">The aim of the competition is to bring together different individuals in a fun and inclusive environment, where they can apply their cyber security abilities in a collaborative and competitive setting.</div></div></div><div class="field field-name-field-content-quote-name field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Frank Stajano</div></div></div><div class="field field-name-field-image-credit field-type-link-field field-label-hidden"><div class="field-items"><div class="field-item even"><a href="/" target="_blank">Frank Stajano</a></div></div></div><div class="field field-name-field-image-desctiprion field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Inter-ACE Cyber Challenge 2017</div></div></div><div class="field field-name-field-cc-attribute-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"><p><a href="http://creativecommons.org/licenses/by/4.0/" rel="license"><img alt="Creative Commons License" src="https://i.creativecommons.org/l/by/4.0/88x31.png" style="border-width:0" /></a><br /> The text in this work is licensed under a <a href="http://creativecommons.org/licenses/by/4.0/" rel="license">Creative Commons Attribution 4.0 International License</a>. For image use please see separate credits above.</p> </div></div></div><div class="field field-name-field-show-cc-text field-type-list-boolean field-label-hidden"><div class="field-items"><div class="field-item even">Yes</div></div></div> Thu, 20 Jul 2017 08:55:49 +0000 Anonymous 190532 at