{"id":2393,"date":"2014-08-18T18:18:49","date_gmt":"2014-08-18T18:18:49","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2393"},"modified":"2020-02-26T10:54:42","modified_gmt":"2020-02-26T15:54:42","slug":"high-tech-crimes-not-too-high-after-all","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/high-tech-crimes-not-too-high-after-all\/2393\/","title":{"rendered":"High-tech crimes: not too “high” after all"},"content":{"rendered":"

High-tech crime. A popular term used in mass media, by law enforcement agencies, and occasionally elsewhere to describe crimes committed via electronic devices \u2013 computers, Web, etc. However, the only thing that makes most of these crimes \u201chi-tech,\u201d is the tool used to commit them. Sometimes the level of sophistication renders these crimes high-tech as well. However, the goals are almost never high-tech, but are mostly the same \u2013 to steal something and get away with it, preferably undetected.<\/p>\n

A few weeks ago The Verge ran an article<\/a> on how MIT researchers were able to reconstruct speech through soundproof glass by watching plants. Since sound waves propagate with air, they incite minuscule wobbles on the plants\u2019 leaves; by using a highly sensitive camera, scientists could \u201ceavesdrop\u201d on people behind the soundproof barrier, without actually seeing or hearing the people themselves.<\/p>\n

That definitely makes plants in a sound-insulated room an information security problem<\/em>. Sort of.<\/p>\n

#High-tech crimes: not too \u201chigh\u201d after all #security, #protectmybiz, #enterprisesec, #cybercrime<\/p>Tweet<\/a><\/blockquote>\n

Well, isn\u2019t it a balderdash \u2013 a chatty geranium giving out your secrets? You bet. But in fact, someone with highly sensitive hardware can truly read what you speak, watching the flowers on your windowsill. The question is only how difficult would it be to exploit this \u201cvulnerability\u201d and is there not any other, more mundane, and simple-to-execute way to eavesdrop on you? For example, wire tapping.<\/p>\n

Interestingly, \u201cwatching the flowers\u201d would be really hi-tech (of sorts, again), while wiretapping is considered \u201cnot so high-tech.\u201d So, what is the difference? The answer is, wiretapping is just not exotic enough.<\/p>\n

\"wide2\"<\/a><\/p>\n

Let us recall Stuxnet<\/a>, Flame<\/a> and other high-tech \u201cweapons.\u201d High-tech? Definitely. The people that wrote Stuxnet were almost<\/em> geniuses; almost, because they made a mistake that eventually exposed Stuxnet to the world. Had they not made that mistake, this worm would have stayed \u201cbehind the scenes\u201d for good and the Pandora\u2019s box that Stuxnet opened would have stayed closed for a short while more.<\/p>\n

Stuxnet authors were geniuses. Well, almost. #cybersecurity, #protectmybiz, #stuxnet<\/p>Tweet<\/a><\/blockquote>\n

Then there was Flame, Miniflame, Duqu, Miniduke, and \u2013 well, you name them. Kaspersky Lab and other security vendors discover new APT campaigns on a disturbingly ad<\/p>\n

regular basis. Some of them even appear to precede Stuxnet by a few years.<\/p>\n

Their initial authors are really good<\/em> at what they do, even though what <\/em>they do is plain evil<\/em>. More and more often, researchers detect modules, which have already been used by someone else, in the \u201cnewer\u201d APT malware. Therefore, these new cyber-espionage tools prove to be not built from scratch at all, but rather, largely assembled from pre-existing parts.<\/p>\n

\"wide1\"<\/p>\n

Should we call the crimes committed with that malware \u201chigh-tech\u201d then? Probably yes, but only because these tools require some intellectual effort to be used, as opposed to purely running off of malice, greed, and pathologic cunning (and the knowledge of where to download your next Miniduke-like Trojan).<\/p>\n

Ultimately, criminals using high-tech tools usually pursue extremely \u201cnon-high-tech\u201d goals: to steal. To rob. To eavesdrop. In rare occasions \u2013 to kill someone or sabotage something. Though the Earth spins in the same way for millennia, crime does not change much. It\u2019s all about picking locks, sneaking in, stealing troves, and getting away unseen and unheard. How mundane.<\/p>\n

The picklock used may be neutron-magnetic, with exchangeable multidimensional heads \u2013 utterly sophisticated. But let\u2019s face it: the locks it is used against are, in most cases, not<\/em> five-dimensional cross-phasing labyrinths, therefore, hardly presenting much of a challenge. Even today\u2019s most mature software is riddledwith vulnerabilities, even if it is built from the ground up on a security-in-mind paradigm; its defenses are mostly very penetrable. Furthermore, there are errors in \u201chuman hardware\u201d<\/a> too: a cybercriminal doesn\u2019t actually need to be much of a \u201ccyber\u201d to \u201csocial-engineer\u201d some average user into releasing sensitive information. Kevin Mitnick\u2019s old \u201cachievements\u201d prove it.<\/a><\/p>\n

Even if the tools are very sophisticated, you should not overestimate their operators. Thieves may show a huge prowess in using sci-fi-like picklocks, but ultimately, they are still mere thieves, and their goals are as ordinary as they have been throughout human history.<\/p>\n

A good example here is a derogatory term, \u201cscript-kiddie,\u201d which became popular a few years ago, most likely because it is exceedingly accurate\u2014think of a \u2018kid\u2019 that uses a downloaded malware written by someone else in order to wreak havoc at some weak, vulnerable server. The server\u2019s owners then may complain of \u201ccyber-terrorism,\u201d but actually that \u201cterrorist\u201d has merely picked up a stone and thrown it through a glass window. \u00a0Later, though, that \u201cstone\u201d may grow its own thin spidery legs and hop behind the lockers. However, it is not the \u2018kid\u2019 who has constructed it that way. He merely picked it up somewhere.<\/p>\n

The moral of the story? Businesses, watch out. The first thing your cybersecurity should start with is the following questions:<\/p>\n