Cybersecurity: Event Recap
On Wednesday, December 7, Mark Lanterman, Chief Technology Officer at Computer Forensic Services, joined us for a night of Cybersecurity education at the Hopkins Center for the Arts. Mark showed us just how easy it is to buy stolen credit cards and passports, and reminded us all of the importance of understanding the relationship between convenience and security. Like your favorite horror movie, it was just as terrifying as it was entertaining. Let’s go over some of the things we learned.
The Dark Web
Mark gave us a first-hand introduction to “The Dark Web”. As he told the audience, “screenshots are lame”, so he brought us to the dark web in real time. Mark explained that the dark web essentially works the same as the rest of the internet. You can search for information, buy merchandise, read or watch content, and do just about anything else you can do on the web. The biggest difference, however, is anonymity: the main reason to use the dark web is to conceal online behavior, which appeals notably to criminals and government agencies.
Ironically, the dark web was invented by the U.S. Navy as a way to anonymize their internet activity, so other users didn’t know what they were up to. But as Mark pointed out, word of this anonymous internet leaked, and it was promptly taken over by cybercriminals.
People use the dark web for a myriad of reasons, but some of the most common illegal activities on the dark web include:
- Buying and selling stolen credit cards
- Buying and selling illegal firearms
- Buying and selling illegal drugs
- Buying and selling identities (passport, driver’s license, etc.)
- Human trafficking
You may be asking yourself, “How big is the dark web and is this really a problem?” Well, according to Mark, Google only indexes about 14% of the Internet. And as for the question, “is this really a problem?” — just ask one of the 41 million Americans who had their identity stolen in 2015.
Rescator. That’s the online alias for the person behind 80% of all illegal credit card sales on the dark web. Rescator not only created the software that criminals use to steal credit card data, but also operates the online marketplace where criminals can sell stolen credit cards. Rescator is so effective that cybercriminals are willing to pay a 40% commission because of the anonymity Rescator’s website and the dark web provide.
Mark brought us to Rescator’s website, where he searched credit cards based on company, city, state, and bank. There were credit cards from big banks and small banks; even the Pentagon and White House Federal Credit Unions were fair game. There is one place not listed, though: Russia, the same country in which Rescator resides.
As Mark was searching credit cards by location, he wanted to show us that this was not just a big-city problem, but an every-town problem. He searched the website for cards with billing addresses in Waite Park, MN – a town in Central Minnesota with a population of 7,000. The results were staggering: 1,980 stolen credit cards for their town alone.
Mark told us about one of his more recent cases in Minnesota. He got a call from the Hennepin County Sheriff’s Department regarding a person who was being held in the MSP airport. They had scanned his computer which resulted in them discovering illegal photos of children. When Mark started looking into his computer, he found that it was more than just photos. He found that this person was also in possession of a fake passport purchased on the dark web.
So why buy a fake passport? Mark made the point that having a new passport is like having a new life. You can get a job, flee a country, vote, open bank accounts, and more. In this particular case, it was a high-wealth individual who was planning on divorcing his wife. The individual in custody opened two trusts overseas with his fake identity and, over the course of several months, moved all of his assets into those accounts so that when he filed for divorce he wouldn’t have to give any money to his wife. Unfortunately for him, it didn’t work out how he had hoped.
Mark said cases like this, and bank fraud, are some of the more common cases he sees.
Internet of Things — Convenience vs Security
One of the recurring themes of the presentation was the balance between convenience and security. Mark illustrated this by showing us how easily he was able to access a water tower’s control function – allowing him to flip the valve and flood the town, if he so desired. This was only possible because the water tower operators wanted the ability to control and maintain the water tower via their computers, a very reasonable thing to want. The problem occurs when the user who wants the convenience doesn’t go through the necessary steps to ensure that the connection is secure. In this case, Mark had found that the water tower was not secure and called to notify the operators of the security risk and potential outcomes, then was brushed off and told it “wasn’t a problem.” They still haven’t addressed the problem, and by so doing, are endangering the lives and property of thousands.
This is important because everything from refrigerators to washing machines is being connected to the Internet. While all of this makes our lives easier, we need to be responsible as a society and make sure security and technology are being valued and advanced in a parallel manner, with technology not getting so far ahead of security that it’s leaving its users unprotected.
How to Protect Yourself
If you’re going to shop using a card, only use a credit card – not a debit card. The reason is this: if your credit card is stolen, it’s the bank’s money and the bank’s problem. Whereas if your debit card is stolen, it’s your money, and it’s your problem because it’s linked directly to your checking account. This means that while your bank’s fraud department is investigating your case, your money will be tied up and possibly not recovered.
Mark said that he believes Apple products are typically better protected than Windows or other brands because they have security measures built into their underlying operating systems. An example of this is that a new and very dangerous piece of malware, aptly named Zeus, doesn’t work on Apple computers; it can’t get through the default anti-virus. In contrast, you typically need to download anti-virus software for Windows computers.
Mark thinks the future of transactions will be one or all of the variations of Apple/Samsung pay. He says these are the most sophisticated forms of payments when it comes to security and that credit and debit cards will be obsolete within 10 years.
The most important takeaway is to simply be aware. As new technologies enter our lives as a means of convenience, understand that it’s a double-edged sword. Every time things become more convenient, your privacy becomes more vulnerable. This is not to say that these technologies are bad; rather, you should not use them without keeping protection top of mind.