All posts by Richard Clayton

Inaugural Cybercrime Conference

The Cambridge Cloud Cybercrime Centre is organising an inaugural one day conference on cybercrime on Thursday, 14th July 2016.

In future years we intend to focus on research that has been carried out using datasets provided by the Cybercrime Centre, but for this first year we have a stellar group of invited speakers who are at the forefront of their fields:

  • Adam Bossler, Associate Professor, Department of Criminal Justice and Criminology, Georgia Southern University, USA
  • Alice Hutchings, Post-doc Criminologist, Computer Laboratory, University of Cambridge, UK
  • David S. Wall, Professor of Criminology, University of Leeds, UK
  • Maciej Korczynski Post-Doctoral Researcher, Delft University of Technology, The Netherlands
  • Michael Levi, Professor of Criminology, Cardiff University, UK
  • Mike Hulett, Head of Operations, National Cyber Crime Unit, National Crime Agency, UK
  • Nicolas Christin, Assistant Research Professor of Electrical and Computer Engineering, Carnegie Mellon University, USA
  • Richard Clayton, Director, Cambridge Cloud Cybercrime Centre, University of Cambridge, UK
  • Ross Anderson, Professor of Security Engineering, Computer Laboratory, University of Cambridge, UK
  • Tyler Moore, Tandy Assistant Professor of Cyber Security & Information Assurance, University of Tulsa, USA

They will present various aspects of cybercrime from the point of view of criminology, security economics, cybersecurity governance and policing.

This one day event, to be held in the Faculty of Law, University of Cambridge will follow immediately after (and will be in the same venue as) the “Ninth International Conference on Evidence Based Policing” organised by the Institute of Criminology which runs on the 12th and 13th July 2016.

For more details see here.

A dubious cyber security conference

I’ve written before about dubious “academic” journals… and today I’m going to discuss a dubious “academic” conference (which is associated with some dubious journals, but it’s the conference that’s my focus today).

Fordham University has been running the “International Conference on Cyber Security” since 2009 and ICCS 2016 (labelled “Sixth” because they skipped 2011 and 2014) will take place in New York in July. This conference has an extremely reputable program committee and is run by Fordham and the Federal Bureau of Investigation (I expect you’ve heard of them … they investigate cybercrime in the USA…).

There’s also another “International Conference on Cyber Security (ICCS 2016)” running this year as well … it will take place in Zurich in July and is run by WASET (the World Academy of Science, Engineering and Technology). The program committee for this one is somewhat less prestigious (I sorry to say that I have not heard of any of them … and to my mind the most reputable looking person is “Wei Yan of Trend Micro” … except he’s currently on his fourth job since he left Trend Micro in 2010, so that makes me wonder how many of the people on the list know that they’re mentioned ?

There’s other reasons for feeling this conference might be a little dubious, not least that this is apparently the “Eighteenth ICCS”. That might lead you to believe that there have been seventeen previous ICCS events … but I did a lot of searches and failed to find any of them !

My searches did turn up the “2nd International Conference on Cyber Security (ICCS) 2016” which will take place at the Rajasthan Technical University, India — this one looks pretty respectable, with PC members from India and the USA.

So if you fancy going to Cyber Security Conference in 2016 then you are spoilt for choice, but I would not myself recommend travelling to Zurich. A key reason is that you may find that the Dorint Airport-Hotel, where ICCS 2016 is to be held may turn out to be a little crowded… the same hotel is hosting no fewer than 160 other International conferences at exactly the same time: click here for the full list!

Alternatively, if you can’t make it this year, put a note in your diary. The “31st International Conference on Cyber Security (ICCS 2029)” is planned to take place in Zurich on July 21–22 2029… Wei Jan is on the PC for that one too … and the submission deadline is as soon as March 31, 2029, so best to get a move on with finishing that paper!

As a final note, invited papers from ICCS 2016 (the Zurich version) are to be published in a special issue of “Advances in Cyber Security”. Now you might cynically think that this was an open access journal from WASEC, but no they have no journal with that title (and in fact neither does anyone else)… but what do you know, “Advances in Cyber Security” is a fine looking book published in December 2012 by none other than Fordham University Press. Small world, isn’t it!

More Jobs in the Cloud Cybercrime Centre

The Cambridge Cloud Cybercrime Centre (more information about our vision for this initiative are in this earlier article) has up to three Research Associate / Research Assistant positions to fill.

We are looking for enthusiastic researchers to work with the substantial amounts of cybercrime data that we will be collecting. The people we appoint will have the chance to define their own goals and objectives and pursue them independently or as part of a team. We will also expect everyone to assist with automating the processing of our incoming data feeds and adding value to them.

We are not necessarily looking for existing experience in researching cybercrime, although this would be a bonus. However, we are looking for strong programming skills — and experience with scripting languages and databases would be much preferred. Good knowledge of English and communication skills are important.

Please follow this link to the advert to read the formal advertisement for the details about exactly who and what we’re looking for and how to apply — and please pay attention to our request that in the covering letter you create as part of the application you should explain which particular aspects of cybercrime research are of interest to you.

Ongoing badness in the RIPE database

A month ago I wrote about the presence of route objects for undelegated IPv4 address space within the RIPE database (strictly I should say RIPE NCC — the body who looks after this database).

The folks at RIPE NCC removed a number of these dubious route objects which had been entered by AS204224.

And they were put straight back again!

This continues to this day — it looks to me as if once the RIPE NCC staff go home for the evening the route objects are resurrected.

So for AS204224 (CJSC Mashzavod-Marketing-Servis) you can (at the moment of writing) find route objects for four /19s and two /21s which have a creation times between 17:53 and 17:55 this evening (2 November). This afternoon (in RIPE NCC working hours) there were no such route objects.

As an aside: as well as AS204224 I see route objects for undelegated space (these are all more recent than my original blog article) from:

    AS200439 LLC Stadis, Ekaterinburg, Russia
    AS204135 LLC Transmir, Blagoveshensk, Russia
    AS204211 LLC Aspect, Novgorod, Russia

I’d like to give a detailed account of the creation and deletion of the AS204224 route objects, but I don’t believe that there’s a public archive of RIPE database snapshots (you can find the latest snapshot taken at about 03:45 each morning at ftp://ftp.ripe.net/ripe/dbase, but if you don’t download it that day then it’s gone!).

However, I have been collecting copies of the database for the past few days and the creation times for the route objects are:

    Thu 2015-10-29  18:03
    Fri 2015-10-30  15:01
    Sat 2015-10-31  17:54
    Sun 2015-11-01  18:31
    Mon 2015-11-02  17:53

There are two conclusions to draw from this: perhaps the AS204224 people only come out at night and dutifully delete their route objects when the sun rises before repeating the activity the following night (sounds like one of Grimm’s fairy tales doesn’t it?).

The alternative, less magical explanation, is that the staff at RIPE NCC are playing “whack-a-mole” INSIDE THEIR OWN DATABASE! (and although they work weekends, they go home early on Friday afternoons!)

Badness in the RIPE Database

The Cambridge Cloud Cybercrime Centre formally started work this week … but rather than writing about that I thought I’d document some publicly visible artefacts of improper behaviour (much of which, my experience tells me, is very likely to do with the sending of email spam).

RIPE is one of the five Regional Internet Registries (RIRs) and they have the responsibility of making allocations of IP address space to entities in Europe and the Middle East (ARIN deals with North America, APNIC with Asia and Australasia, LACNIC with Latin America and the Caribbean and AfriNIC with Africa).

Their public “WHOIS” databases documents these allocations and there are web interfaces to access them (for RIPE use https://apps.db.ripe.net/search/query.html).

The RIPE Database also holds a number of other sets of data including a set of “routes”. Unfortunately some of those routes are prima facie evidence of people behaving badly.
Continue reading Badness in the RIPE Database

Job Ads: Cloud Cybercrime Centre

The Cambridge Cloud Cybercrime Centre (more information about our vision for this brand new initiative are in this earlier article) now has a number of Research Associate / Research Assistant positions to fill:

  • A person to take responsibility for improving the automated processing of our incoming data feeds. They will help develop new sources of data, add new value to existing data and develop new ways of understanding and measuring cybercrime: full details are here.
  • A person with a legal background to carry out research into the legal and policy aspects of cybercrime data sharing. Besides contributing to the academic literature and to the active policy debates in this area they will assist in negotiating relevant arrangements with data suppliers and users: full details are here.

and with special thanks for the generosity of ThreatSTOP, who have funded this extra position:

  • We also seek someone to work on distributed denial-of-service (DDoS) measurement. We have been gathering data on reflected UDP DDoS events for many months and we want to extend our coverage and develop a much more detailed analysis of the location of perpetrators and victims along with real-time datafeeds of relevant information to assist in reducing harm. Full details are here.

Please follow the links to read the relevant formal advertisement for the details about exactly who and what we’re looking for and how to apply.

Cambridge Cloud Cybercrime Centre

We have recently won a major grant (around £2 million over 5 years) under the EPSRC Contrails call which we will be using to set up the “Cambridge Cloud Cybercrime Centre”:

https://www.cambridgecybercrime.uk/

The will be a multi-disciplinary initiative combining expertise from the University of Cambridge’s Computer Laboratory, Institute of Criminology and Faculty of Law. We will be operational from 1 October 2015.

Our approach will be data driven. We have already negotiated access to some very substantial datasets relating to cybercrime and we aim to leverage our neutral academic status to obtain more data and build one of the largest and most diverse data sets that any organisation holds.

We will mine and correlate these datasets to extract information about criminal activity. Our analysis will enhance understanding of crime ‘in the cloud’, enable us to devise identifiers of such criminality, allow us to build systems to detect this type of crime when it occurs, and aid us in showing how it is possible to collect extremely reliable evidence of wrongdoing. When it is appropriate, we will work closely with law enforcement so that interventions can be undertaken.

Our overall objective is to create a sustainable and internationally competitive centre for academic research into cybercrime.

Importantly, we will not be keeping all this data to ourselves… a key aim of our Centre is to make data available to other academics for them to apply their own skills to address cybercrime issues.

Academics currently face considerable difficulties in researching cybercrime. It is difficult, and time consuming, to negotiate access to real data on actual abuse and then it is necessary to build and deploy data collection tools before the real work can even be started.

We intend to drive a step change in the amount of cybercrime research by making datasets available, not just of URLs but content as well, so that other academics can concentrate on their particular areas of expertise and start being productive immediately. These datasets will be both ‘historic’ and, where appropriate ‘real-time’.

We will maintain high ethical standards in everything we do and will develop a strong legal framework for our operations. In particular we will always ensure that the data we handle is treated fully in accord with the spirit, and not just the letter, of the agreements we enter into.

We will shortly be hiring for the first few research positions … pointers to the job adverts will appear on this blog.

Phishing that looks like another risk altogether

I came across an unusual DHL branded phish recently…

The user receives an email with the Subject of “DHL delivery to [ xxx ]June ©2015” where xxx is their valid email address. The From is forged as “DHLexpress<noreply@delivery.net>” (the criminal will have used this domain since delivery.net hasn’t yet adopted DMARC whereas dhl.com has a p=reject policy which would have prevented this type of forgery altogether).

The email looks like this (I’ve blacked out the valid email address):
DHL email body
and so, although we would all wish otherwise, it is predictable that many recipients will have opened the attachment.

BTW: if the image looks in the least bit fuzzy in your browser then click on the image to see the full-size PNG file and appreciate how realistic the email looks.

I expect many now expect me to explain about some complex 0-day within the PDF that infects the machine with malware, because after all, that’s the main risk from opening unexpected attachments isn’t it ?

But no!
Continue reading Phishing that looks like another risk altogether

Which Malware Lures Work Best?

Last week at the APWG eCrime Conference in Barcelona I presented some new results about an old Instant Messaging (IM) worm from a paper written by Tyler Moore and myself.

In late April 2010 users of the Yahoo and Microsoft IM systems started to get messages from their buddies which said, for example:
foto ☺ http://www.example.com/image.php?user@email.example.com
where the email address was theirs and the URL was for some malware.

Naturally, since the message was from their buddy a lot of folks clicked on the link and when the Windows warning pop-up said “you cannot see this photo until you press OK” they pressed OK and (since the Windows message was in fact a warning about executing unknown programs downloaded from the Internet) they too became infected with the malware. Hence they sent foto ☺ messages to all their buddies and the worm spread at increasing speed.

By late May 2010 I had determined how the malware was controlled (it resolved hostnames to locate IRC servers then joined particular channels where the topic was the message to be sent to buddies) and built a Perl program to join in and monitor what was going on. I also determined that the criminals were often hosting their malware on hosting sites with world-readable Apache weblogs so we could get exact counts of malware downloads (how many people clicked on the links).

Full details, and the story of a number of related worms that spread over the next two years can be found in the academic paper (and are summarised in the slides I used for a very short talk in Barcelona and a longer version I presented a week earlier in Luxembourg).

The key results are:

  • Thanks to some sloppiness by the criminals we had some brief snapshots of activity from an IRC channel used when the spreading phase was complete and infected machines were being forced to download new malware — this showed that 95% of people had clicked OK to dismiss the Microsoft warning message.
  • We had sufficient download data to estimate that around 3 million users were infected by the initial worm and we have records of over 14 million distinct downloads over all of the different worms (having ignored events caused by security monitoring, multiple clicks by the same user, etc.). That is — this was a large scale event.
  • We were able to compare the number of clicks during periods where the criminals vacillated between using URL shorteners in their URLs and when they used hostnames that (vaguely resembled) brands such as Facebook, MySpace, Orkut and so on. We found that when shorteners were used this reduced the number of clicks by almost half — presumably because it made users more cautious.
  • From early 2011 the worms were mainly affecting Brazil — and the simple “foto ☺” had long been replaced by other textual lures. We found that when the criminals used lures in Portuguese (e.g. “eu acho que é você na”, which has, I was told in Barcelona, a distinctive Brazilian feel to it) they were far more successful in getting people to click than when they used ‘language independent’ lures such as “hahha foto”

There’s nothing here which is super-surprising, but it is useful to see our preconceptions borne out not in a laboratory experiment (where it is hard to ensure that the experimental subjects are behaving quite the way that they would ‘in the wild’) but by large scale measurements from real events.

A dubious article for a dubious journal

This morning I received a request to review a manuscript for the “Journal of Internet and Information Systems“. That’s standard for academics — you regularly get requests to do some work for the community for free!

However this was a little out of the ordinary in that the title of the manuscript was “THE ASSESSING CYBER CRIME AND IT IMPACT ON INFORMATION TECHNOLOGY IN NIGERIA” which is not, I feel, particularly grammatical English. I’d expect an editor to have done something about that before I was sent the manuscript…

I stared hard at the email headers (after all I’d just been sent some .docx files out of the blue) and it seems that the Journals Review Department of academicjournals.org uses Microsoft’s platform for their email (so no smoking gun from a spear-fishing point of view). So I took some appropriate precautions and opened the manuscript file.

It was dreadful … and read like it had been copied from somewhere else and patched together — indeed one page appeared twice! However, closer examination suggested it had been scanned rather than copy-typed.

For example:

The primary maturation of malicious agents attacking information system has changed over time from pride and prestige to financial again.

Which, some searches will show you comes from page 22 of Policing Cyber Crime written by Petter Gottschalk in 2010 — a book I haven’t read so I’ve no idea how good it is. Clearly “maturation” should be “motivation”, “system” should “systems” and “again” should be “gain”.

Much of the rest of the material (I didn’t spend a long time on it) was from the same source. Since the book is widely available for download in PDF format (though I do wonder how many versions were authorised), it’s pretty odd to have scanned it.

I then looked harder at the Journal itself — which is one of a group of 107 open-access journals. According to this report they were at one time misleadingly indicating an association with Elsevier, although they didn’t do that on the email they sent me.

The journals appear on “Beall’s list“: a compendium of questionable, scholarly open-access publishers and journals. That is, publishing your article in one of these venues is likely to make your CV look worse rather than better.

In traditional academic publishing the author gets their paper published for free and libraries pay (quite substantial amounts) to receive the journal, which the library users can then read for free, but the article may not be available to non-library users. The business model of “open-access” is that the author pays for having their paper published, and then it is freely available to everyone. There is now much pressure to ensure that academic work is widely available and so open-access is very much in vogue.

There are lots of entirely legitimate open-access journals with exceedingly high standards — but also some very dubious journals which are perceived of as accepting most anything and just collecting the money to keep the publisher in the style to which they have become accustomed (as an indication of the money involved, the fee charged by the Journal of Internet and Information Systems is $550).

I sent back an email to the Journal saying “Even a journal with your reputation should not accept this item“.

What does puzzle me is why anyone would submit a plagiarised article to an open-access journal with a poor reputation. Paying money to get your ripped-off material published in a dubious journal doesn’t seem to be good tactics for anyone. Perhaps it’s just that the journal wants to list me (enrolling my reputation) as one of their reviewers? Or perhaps I was spear-phished after all? Time will tell!