Daily Archives: 2015-06-01

Crime-as-a-Service, the new emerging model of a $300+ billion business?

In its 2014 Internet Organised Crime Threat Assessment report, Europol highlighted the rise of a new business model in the cybercrime community: CaaS, Crime-as-a-Service. More and more hackers provide “services”, available through the darknet (like Tor), that let customers rent thousands of infected computers, undetected payloads for viruses, lists of passwords, and so on. For a few years now, it has even been possible to pay anonymously using virtual currencies (like bitcoin). They often provide very good customer service and sometimes even a money-back guarantee.

We often underestimate the size and importance of the cybercrime market. In its 2013 report on the economic impact of cybercrime, McAfee estimated the global revenue of cybercrime activities worldwide at between $300 billion and $1 trillion.

1.000.000.000.000 $/Year

 

With numbers this huge, it is difficult to picture the magnitude of this market. By comparison, the yearly worldwide drug market generates between $300 and $600 billion of revenue, and the cybercrime figure is bigger than the GDP of some European countries.

CaaS is increasingly offered and used by more traditional criminal organizations to support their activities. The Europol report mentions a quite interesting figure: a Russian underground forum dedicated to hacking has 13,000 members and 4,000 daily visitors. It is hard to find a security professional nowadays, but on the dark side there are legions of hackers (when you see the profit they can make, you may understand why there are so many).

Additionally, the “dark side” also offers other services mirroring the “legit” community, such as IaaS (Infrastructure-as-a-Service), Data-as-a-Service, hacking, or money laundering. The hacker world has developed its own ecosystem. As it interacts more and more with the other “worlds”, it may soon be possible (if it is not already) for anybody to use and pay anonymously for illegal services.

After online drug dealers like Silk Road (see Wikipedia), we might soon see services to remove your speeding ticket or to give you a preview of exam questions. Not to mention that, in a more and more digital world, with eGovernment and the Internet of Things growing in size, we might soon be able to ask for a new identity, a genuine diploma we never studied for, or even worse, the death of our worst enemy in a car crash (assuming he drives one of the new connected cars).

Some forms of cybercrime are already well established and already cost a lot of money as well as carrying a huge human cost (even more if we talk about child pornography, one of the big beneficiaries of the darknet). We could think about hunting down the tools and protocols used to create the darknet, but they are also used by thousands of honest people wanting to protect their anonymity or their privacy, or to “speak freely” under oppressive regimes. Moreover, should you try to suppress it, new technologies would quickly be invented or developed to create even deeper, even darker networks. With such a large amount of money at stake, the means to create a dark zone on the Internet would be nearly unlimited. They could even create a parallel network hiding in plain sight if they one day achieve a higher level of organization at a global level.

As always, in the end, our only weapons are the skills and means of the people fighting them, people able to tell right from wrong and bad from good. Unfortunately, we don’t have enough skilled professionals yet. We certainly already have a lot of very talented security professionals (coders, hackers, network specialists, governance specialists, auditors), but the fight remains unequal, as they have to find only one failure to succeed and we need to close them all to win. So we definitely need better training, better information exchange, better research, higher standards for IT professionals and better preparation of our future professionals.

Clearly, we also need to make security more understandable and more user-friendly. As Bruce Schneier advocated a few years ago, security must become a convenience like any household appliance: easy to use, easy to sell, easy and efficient. That may be where the dark side is winning the competition at this stage.