The biggest and most profitable criminals are not breaking into banks, stealing passwords, or stuff like that. They rather just abuse the features that already exist on sites, such as posting thousands of spam pill or porn links to Facebook or Twitter using thousands of accounts, or using paid shills on Amazon. Very repetitious, but it scales well, is profitable, and is very hard to stop because it is not exploiting or hacking anything. You cannot really patch features in the same way you can patch bugs.
I've noticed it before but never thought too deeply about it. Where did this 'stereotypical hacker' image stem from anyway? Computer 'nerds' are often cast with pressed button-up shirts, pocket protectors, and thick glasses. But if they are a 'bad nerd', they suddenly don a mysterious hoodie that covers their face as they work in a cave-like room like some kind of new-age techno-troglodyte?
The hoodie is already used to typecast criminals, drug dealers in rough neighborhoods, etc. It's also a sign of relative youth (<40 years old). Dark places are an uninventive way to say they're doing something "bad".
What's funny is that while they are depicted as being smart/dangerous, they're also depicted as being white and male, which is also a usual stereotype and conveniently forgets the proportion of extremely knowledgeable people of various origins and genders out there.
I think it comes from recent popular media, like the Watch_Dogs games and the TV show Mr. Robot. Hoodies are a way to prevent people from seeing or identifying you, so media people use it as a visual shorthand for "this person wishes to conceal their identity". Back in the 90s, hackers were all cybergoth ravers; this image is more in line with the $CURRENT_YEAR zeitgeist in which pervasive surveillance is a top issue.
It’s not “media people”, I can assure you that most modern street criminals wear hoodies. It’s a cheap and easy way to switch to “incognito mode” at will. In places like London and Manchester, most crime-related CCTV will feature hooded thugs. There have been arguments about forbidding hoodies in public areas and shopping malls all the way back to the ‘90s.
To be honest it’s as old as capes; we’ve just lost the cape.
Images and ideas have entered the mythos over the years, I doubt there is a "source" but more of a collective myth which has grown and evolved with some sources in reality and some of reality fashioning themselves after the myth.
But also, I have just known lots of computer people that liked to work on their interests late into the night in a dark room.
They're symbolic, not realistic. The only reason they wear a black hoodie is that a striped black and white shirt with a black masquerade mask would be too silly.
Yes, cybercrime is boring, just like security is boring, or app development. The article is focusing on the mundane parts of the business side of certain enterprises (cybercrime-as-a-service), not the individual thrill of discovering something new & exploiting it or selling it to be exploited. Obviously being an article literally written by the opposition would mean it is going to paint their adversaries' life choice as one of a bored drone...
The way the media presents “cybercrime” makes it exciting. According to them, “hackers” are able to crack into any system and do whatever they want. Banks, ATMs, power grids, etc.
The reality of course is much more mundane and the majority of cybercrime is lots of grunt work and a major dose of luck. There is no “silver bullet” skill or hack that will allow you to breach into any system and do anything; it all depends on how lucky you get with unpatched hosts or users being stupid. For every high-profile hack being reported there are hundreds of thousands more “hackers” banging their heads against the wall, not being able to make any progress beyond basic spamming.
People in general think that crime in general is exciting. It’s just that cybercrime, in particular, is probably less thrilling than robbing banks in the same way that internet piracy is probably less thrilling than violently boarding and pillaging merchant ships on the high seas.
"Internet of Things is devices communicating over the network. Your printer, your fridge...". So, like... the internet?
"Digital Marketing is the hot new thing. It allows people to buy and sell through the internet". Have you been asleep for last twenty years?
Jesting aside, I think these terms are added to differentiate from things occurring in other spaces or channels. Fraud exists, sure, but it is varied. Email fraud might share some patterns with mail fraud, but I suppose there are differences dictated by the vectors being different, even for cases like email/mail where one word signifies the other nowadays.
It's largely arguing that most of the cybercrime jobs basically are desk jobs. It principally says two things.
First, that most jobs in cybercrime involve selling services to end users and whenever you sell services you not only have to provide customer support which sucks but your customers will have reliability and usability expectations which become annoying to fulfill when you have to maintain your infrastructure in a clandestine way.
Second, most of the positions in criminal orgs involve low skill bitch work because if you had the skills to do the real programming / security / ops work required to do more creative cybercrime then you could easily go get a legitimate job with great pay or go do your own thing.
I am really glad that I took the cyber security 101 course in college and the professor beat the idea of it being interesting or exciting right out of me. Steered me clear of a less engaging path (for me at least).
Most corporate security is about compliance, audits, regulation and balancing the need for security with the needs of the (often stupid) users. Very little of it is actually tech. There is pentesting and malware analysis for the actual "tech" stuff but it is quite a small market to be honest.
I get that impression too. I do some cybersecurity type stuff as a hobby and was hoping to make a business out of it somehow, but it doesn't seem to be an easy market to crack.
> somehow but it doesn't seem to be a easy market to crack
There are 2600 companies in the space and they almost all do one small thing (and lots of them don't do it terribly well).
It turns out what every company wants is more of a comprehensive turnkey solution than exists, or at least a highly modular framework that can accept modules from other vendors. Companies generally don't understand that security is an attribute of everything, it isn't an end product. Hence executives would rather pay for a blinky box than remember to incorporate security planning into every other expense. Also most companies aren't willing to pay much to a cybersecurity vendor because cybersecurity is largely seen as a cost center and not a profit center (because that's accurate most of the time).
I got into bug bounties for a little while, but the work is tough. Selecting a program which pays out enough and doesn't have all of the low-hanging fruit picked is difficult. It's the kind of work where very well organized bounty hunters will take the lion's share of the winnings, which doesn't lend itself well to developers who can make a healthy salary elsewhere.
What’s military cyber security like and how does it compare with consumer or enterprise security? I’d wager the appeal of cyber security is mostly in the domain of the military. Think Stuxnet or the NSA.
Nah, having been on active duty being involved in cyber warfare and later joining the corporate world, the latter is so much more advanced and interesting, with generally a lot better people.
My impression as well. I was thinking getting a career shift into pentesting (rumor has it that it's remote-friendly as well) but after a few job searches I came to see that the job market is tiny.
In many cases you set up something like Alienvault or Cygilant and then it never gets looked at again... huge waste of time and $ in the name of compliance.
Like anything, it's usually the payoff that is exciting and glamorous. I know the old hacker mantra: 'boredom and drudgery are evil' hence why we automate everything, but I don't think the mantra holds true for most hackers. The best hackers know that programming essentially works against you when you do it, because there's no instant gratification. You have to constantly bang your head against the wall (even because of simple syntax mistakes that make you feel like a n00b all over again).
The payoff is always fantastic though. Whitehat or blackhat, knowing that all that hard work and grunt pays off is a wonderful feeling. I tend to veer towards whitehat stuff though because of the old saying: 'If you can't do the time, don't do the crime'.
This article missed a great opportunity to post that hacking scene from Swordfish as a counterexample of what hacking does NOT look like:
https://www.youtube.com/watch?v=u1Ds9CeG-VY
The thing that sealed the deal for me to never go back was meeting all the old mafia dumbasses that actually went to jail for so-called ‘cybercrime’. These guys could hardly read. Before computers they were shaking down hot dog vendors and smuggling drug money through hair salons. They drove expensive cars, wore lots of jewelry, and had a bunch of drug addict women falling all over them.
No thanks. I met a girl from Harvard and discovered that I actually liked talking to a smart human about real things. There was no comparison.
> But new research suggests that as cybercrime has become dominated by pay-for-service offerings, the vast majority of day-to-day activity needed to support these enterprises is in fact mind-numbingly boring and tedious
Fighting cybercrime must also be mostly boring then, as it is also done through pay-for-service offerings.
Uh, funnily enough, the "boring" stuff they've mentioned in the article doesn't seem THAT bad to me. But maybe that's because I haven't been forced to do that sort of administrative work often enough for the novelty to wear off.
What do you mean by defense? Covering your tracks? In this case I'd argue it's the opposite - in pentesting the worst that can happen if you get spotted is a failed test, while in real crime this could be the difference between freedom and jail.
I'm a pentester, you generally don't fix the issues you find so much as provide guidance and references on how it might be done. The defenders/app developers are in a much better position to fix most issues, they generally either weren't aware of that class of vulnerability or unaware of a specific method of exploiting the issue. Most web devs, if you tell them you found an XSS, would know what you meant and basic prevention, but maybe not the specific way you exploited it. But I don't go tweak their whitelist or implement better output encoding for them.
That said, you do have to know the defensive side well, even if you don't implement it yourself.
The main problem with cyber crime for profit is you have to get the money at some point. So no matter what, at some point you have to either trust someone (bad idea) or have the cojones to walk into a bank and withdraw the cash. Even then you have to explain how you got the money if it's over like $10,000, or people start asking questions.
Yeah dumb people will focus on hacking but once you think it through you see there isn't a good exit strategy.
If your bank questions you for withdrawing $10,000 or more, I would use a different bank.
I withdrew about $13,000 a few months ago, and my (national) credit union didn't hesitate or ask me anything (except for an additional piece of identification).
Yes, they don't ask you anything. However, banks/car dealerships/etc have to file CTRs (Currency Transaction Reports). It is good that you withdrew $13K in one shot. Structured withdrawals (4k one day, 5k three days later, another 4k ten days later) will be flagged by the AML software of any financial institution. And folks in the compliance team will file a SAR (Suspicious Activity Report).
Lesson: when you legitimately need $30K cash, just withdraw it in one transaction. Never ever withdraw $5K every week for six weeks. For every SAR, there are 100 CTRs filed.
Thank you, it sounds like you have some insight about the process.
I'm aware of structuring, but I don't think most people are. I've heard about it only once in the news where a store owner had his money seized because he was trying to avoid depositing more than $10,000 at a time, over a long time period.
That doesn't change anything about the comment I replied to or my comment though. I don't need to withdraw more cash, and I'm not going to do so based on a command from a random person.
In the US any cash withdrawal that large triggers a legal requirement for the bank to file a transaction report with the government. If the teller didn't ask you anything and you don't regularly make withdrawals like that then somebody messed up.
As far as I can tell, they are only required by law to ask for identification; no requirement about asking why. The report they make goes to the IRS where the IRS might ask a question.
Not only that, even if you manage to get decent profits uncaught, you'd still have to launder it to buy any large purchases like cars / houses etc without raising suspicion from the tax authorities.
Presumably those 'analog' crimes tend to pay in cash (which you may not be able to bank, but at least flies below the radar if you don't). But your botnet haul needs to be converted from BTC to USD in a bank account, and then when you try to buy anything bigger than a pair of shoes it may catch the attention of the authorities.
I've also heard that long distance prepaid calling cards had the same fungibility + market.
I'm not sure if either are still viable as it seems like money laundering is a treadmill where the older techniques become liabilities and require constant refreshing of tactics.
Can be traced. Monero is another option but I've heard it can be traced too. I certainly wouldn't bet my life on it. But in either case you still have to convert it into cash at some point.
I believe that if someone uses something that's private by default, then it's okay. However, if someone uses something that isn't private by default, but goes through efforts to try to hide the source of the funds, then it's suspicious.
I agree that a long-lived distributed ledger is problematic. However it sounds like you're implying that Monero can currently be traced. If you have any links to any recent/relevant research, I'm interested in hearing about it. I'm not interested in speculation or rumors like the other comment wrote.
This isn't something I made up. Criminals have been using MMO's in-game currency to launder money for over a decade. The trick is to launder slowly over a long period of time. Very hard to catch.
I used Second Life (I believe, but may have been something else) years ago (a decade ago?) because it was one of the easiest ways to put money into anonymous paypal accounts (anonymous credit cards that get accepted by paypal weren't really a thing here back then). I bought crypto, used it to buy their in game currency, then cashed out their currency to the paypal account.
You pay a few percents of fees, and it's not "the NSA will not be able to find you", but it was more than good enough for my mildly paranoid ass.