Dr. Gail Joon Ahn
Modeling the Diversity of Cyberattacks
In this talk, we discuss a multi-dimensional approach to (a) understand net-centric attacks including malware investigation with on and off-line assessment, reverse engineering, and dynamic analysis, (b) discover distribution chain based on computer mediated communications (CMCs) that not only allows adversaries to identify easy-to-use or high quality tools, but also obfuscates the creation of malware by taking credit for a tool that was created by someone else, the diverse range of social communications platforms available on-line make it exceedingly difficult to understand and identify the resources used and abused by deviant groups on-line, and (c) correlate attack attributions from malware investigation and social dynamics to produce a comprehensive and effective intelligence. Our goal is to develop a comprehensive and effective intelligence and this vision is a complex and highly sophisticated one that requires ongoing research and analysis to continue concurrently with the changing role and face of digital information creation and usage in CMCs.
Gail-Joon Ahn, Ph.D, CISSP is a Professor of Computer Science and Engineering Program in the School of Computing, Informatics and Decision Systems Engineering (CIDSE) at Arizona State University and Director of Laboratory of Security Engineering for Future Computing (SEFCOM: sefcom.asu.edu). Prior to ASU, he was the Founding Director of Center for Digital Identity and Cyber Defense Research (DICyDER <http://dicyder.uncc.edu/>) at UNC Charlotte. His research foci include security analytics and big data driven security intelligence, vulnerability and risk management, access control and security architecture for distributed systems, identity and privacy management, cybercrime analysis, security-enhanced computing platforms, and formal models for computer security device. His research has been supported by NSF, NSA, DoD, ONR, DoE, DoJ, Bank of America, CISCO, GoDaddy, Hewlett Packard, Google, Microsoft and Robert Wood Johnson Foundation. He is currently the information director of ACM Special Interest Group on Security, Audit and Control (SIGSAC) and he is a recipient of US Department of Energy Early Career Principal Investigator Award, Educator of the Year Award from Federal Information Systems Security Educators¹ Association (FISSEA) and Best Researcher Award from CIDSE. Also, he serves as Associate Editor-in-Chief of IEEE Transactions on Dependable and Secure Computing, Associate Editor of ACM Transactions on Information and Systems Security and Editorial Board of Computers & Security. He is also the Steering Committee Chair of ACM Symposium on Access Control Models and Technologies.
Dr. Adam M. Bossler
Thunderdome II: Internet usage data vs. survey data
At the 2014 MSU Interdisciplinary Conference on Cybercrime, Bossler noted that criminologists are making a modest impact in shaping cybercrime policy and this can partially be attributed to the lack of cybercrime publications in top tier journals. Bossler suggested a proverbial Thunderdome approach – “Two will enter, one will leave” – may provide a foundation for moving the field ahead. In this presentation, Bossler summarizes strengths of using real Internet usage data in comparison to survey data to explain cybercrime offending as well as how internet usage data has been used in the field of criminology. Preliminary analyses will provide insight into which type of data may eventually leave the Thunderdome.
Dr. Adam Bossler is an Associate Professor in the Department of Criminal Justice and Criminology at Georgia Southern University. He earned his doctorate in criminology and criminal justice from the University of Missouri – St. Louis. His current research primarily focuses on examining the application of traditional criminological theories to cybercrime offending and victimization and how law enforcement responds to cybercrime. He is also currently completing a BJA grant exploring innovative correctional programs and a BJA Smart Policing grant in Evans County, GA evaluating the implementation of technology in rural law enforcement agencies. Finally, he is also currently working with collaborators on a NSF funded grant using real Internet usage data to examine computer deviance in a college sample.
Professor Susan Brenner
Threat Morphing in Cyberspace: Crime, Terrorism and War
To survive and prosper, societies must maintain a baseline level of order; as failed states demonstrate, when order erodes it becomes increasingly difficult for the members of a society to carry out the tasks that are essential to their survival and that of the society. Threats to order fall into two categories: internal (crime and terrorism) and external (warfare). The categories differ in terms of origin (internal versus external) and in terms of the source of the threat (individuals commit crime and terrorism, sovereigns commit warfare). Over the millennia, societies have developed strategies for controlling each type of threat: law enforcement deals with crime and terrorism; the military deals with warfare. This threat control model assumes (i) stable national boundaries and (ii) that threats fall into the categories noted above. Cyberspace erodes the validity of these assumptions and, in so doing, erodes the efficacy of the current threat control model. Cybercriminals can attack targets in other countries with essential impunity; transnational attacks are no longer the exclusive province of sovereigns. And a state’s military hackers can commit what would be transnational cybercrime if it was carried out by and on behalf of civilians . . . but is something else, something that may not be encompassed by the current threat classification and control model. The threat control model’s viability is further eroded by the difficulties that can arise with regard to identifying the point of origin of an attack and the person(s) responsible for it. The model assumes activity in the physical world and, as a result, assumes that point of attack origination and certain “markers” of the attack will explicitly or inferentially indicate the motive (personal gain versus political goal) and the perpetrator(s) (individual(s) or sovereign state), which will determine the appropriate response (law enforcement versus military). These assumptions are to an increasing extent inapplicable to threat activity mediated through cyberspace, which means the current threat control model is increasingly irrelevant in this context. States, therefore, must either modify the current threat control model so it can deal effectively with cyberthreats or devise a new, cyber-specific model of threat control, which would supplement the current model. The presentation will explore how such a model could be constructed.
Susan W. Brenner is a Professor and the Samuel A. McCray Chair in Law at the University Of Dayton School Of Law in Dayton, Ohio. She has spoken at numerous events, including Interpol Cybercrime Conferences, the Middle East IT Security Conference, the American Bar Association’s National Cybercrime Conference and the Yale Law School Conference on Cybercrime. She spoke at the Department of Homeland Security’s Global Cyber Security Conference and at a meeting on cyberthreats organized by the U.S. Department of State Bureau of Intelligence and at a NATO Workshop on Cyberterrorism in Bulgaria. Professor Brenner has published a number of articles dealing with cybercrime, including Cybercrime Metrics, University of Virginia Journal of Law & Technology (2004), Cyber-Threats and the Limits of Bureaucratic Control, 14 Minnesota Journal of Law Science and Technology 137(2013) and Offensive Economic Espionage, 54 Harvard International Law Journal 92 (2013). She has also published books dealing with law and technology, which Cyber Threats: Emerging Fault Lines of the Nation-States (Oxford University Press 2009) and Cybercrime: Criminal Threats from Cyberspace (Praeger 2010). In fall of 2012 the University Press of New England published Cybercrime and the Law: Challenges, Issues and
Joshua M. Dalman
Joshua M. Dalman is a second generation digital forensic examiner. Mr. Dalman has nearly a decade of digital forensics experience and has worked in a number of different roles. Mr. Dalman is an accomplished instructor who has designed classroom material and taught members of the Federal Law Enforcement and Department of Defense community. Mr. Dalman earned recognition for going to great lengths to support student achievement. In addition, Mr. Dalman has managed a digital forensics lab at a fortune 100 company and is currently serving as a cyber-security specialist within a highly regarded incident response team. Mr. Dalman has Master of Science degree in Digital Forensics from the University of Central Florida, and earned his Bachelor of Arts degree from Michigan State University. Mr. Dalman maintains a number of industry certifications such as the AccessData Certified Examiner (ACE), EnCase certified examiner (EnCE), Certified Computer Examiner (CCE), Certified Forensic Computer Examiner (CFCE), and the Department of Defense Forensic Examiner (DFE).
Dr. Thomas Holt
Discerning Signal From Noise in Cybercrime Markets and Cybercrime Research
Researchers from both the social and technical sciences are increasingly examining the market for stolen data, where hackers and cybercriminals dispose of information acquired through phishing, mass data breaches, and hacking attempts. These studies demonstrate that markets are influenced by seller reputation based on positive and negative feedback provided by customers, and the influence of social connectivity on a seller’s reputation in the market. Few of these studies have considered the relationship between the feedback sellers receive from customers and the market dynamics of a forum, such as the language of its users, the payment methods they accept, and the customer service resources sellers provide to prospective buyers. Thus, this study will attempt to address this issue through an analysis of threads from 13 active Russian and English language forums involved in the sale of stolen data. The relationships between the social and market practices of the forums will be considered relative to the positive or negative feedback individuals selling dumps and eBay and PayPal credentials receive. The implications of this study for law enforcement and criminological theory will be considered in detail.
Dr. Thomas Holt is an Associate Professor in the School of Criminal Justice at Michigan State University specializing in cybercrime, policing, and policy. He received his Ph. D. in Criminology and Criminal Justice from the University of Missouri-Saint Louis in 2005. He has published extensively on cybercrime and cyberterror in outlets such as Crime and Delinquency, Sexual Abuse, the Journal of Criminal Justice, Terrorism and Political Violence, and Deviant Behavior. He has also received multiple grants from the National Institute of Justice and the National Science Foundation to examine the social and technical drivers of Russian malware writers, data thieves, and hackers using on-line data.
Lance James, Allison Nixon, and J.B. O’kane
The chaotic adolescent actor: Pay attention, and change the channel
Currently, a great deal of attention is paid to nation sponsored actors and criminal actors, while the chaotic actor is discounted as too unskilled and unfocused to inflict much harm. Despite this prevailing attitude, our experience in researching online groups and advising the business community suggests that chaotic actors do in fact inflict significant damage to unsuspecting business targets. For this presentation, we focus on chaotic actors undergoing an intriguing transitional stage of physical and psychological human development – adolescence. Our applied research follows a dual approach. On a group level, we seek to understand delinquent online peer group formation. On an individual level, we target a specific form of impulsivity, sensation seeking – a behavior that rises dramatically during adolescence and increases risks to healthy development. We present a few recent case studies in order to frame and explore some of the observed behaviors, motives and typical backgrounds of the “chaotic adolescent” actor(s). On the solution side, we reference recent findings from developmental neuroscience that suggest lack of experience with novel adult behavior poses a much greater risk to adolescents than structural deficits in brain maturation (Romer, 2010). This view of adolescent risk taking helps to explain why educational interventions designed to change adolescents’ knowledge, beliefs, or attitudes have been largely ineffective, and suggests that changing the contexts in which risky behavior occurs may be more successful than changing the way adolescents think about risk (Steinberg, 2007). Consistent with this reasoning, we propose ideas for handling incidents involving such actors and offer a few context-changing strategies that could be piloted in order to serve and protect such at-risk youth as they transition to adulthood.
Rat-plague in Europe or: how to combat criminals with high tech IT skills?
A real rat-plague seems to take over Europe. Or at least European computers. What does it take to locate these rats and what do we do with them? Is the legal system capable of handling this form of crime? Is the police force, as we know it, fitted for this task? Floor Jansen will present the latest trends and challenges for law enforcement in combating cybercrime. She’ll argue that the police needs close cooperation with scientific researchers and that combining IT knowledge and criminology is crucial in understanding cybercriminals.
Floor Jansen is a criminologist who has been working for the Dutch police for seven years. After working on the combat of drug smuggling and human trafficking she swopped pills and powders for bits and bytes and THC for THTC. For two years now she works as a strategic advisor for the Team High Tech Crime. She’s an ambassador for applied criminology within the police and tries to connect the team with academia and universities where and whenever possible.
Keith J. Jones
Keith J. Jones has been called the “expert’s expert” by numerous domestic and international clients. Mr. Jones provides Computer Forensics, Litigation Support, Expert Witness Services and Training to commercial and government clients. Mr. Jones is very well known for tackling the hard problems and getting them done on or under time and budget, tackling the hard issues in litigation and demonstrating to the judge and jury in layman terms the truth, and generally being able to take on any forensic case involving computers that his deep hardware and software
development experience has given him. Mr. Jones is an internationally industry-recognized expert in computer security with two decades of experience in computer forensics and incident response. He is a co-chair of the American Bar Association’s Litigation Section’s Expert Witness Committee on Computer forensics and he has also served as the President of The Consortium of Digital Forensic Specialists (CDFS). His expertise also includes information security consulting, application security, software analysis/design and image/video/audio analysis. Mr. Jones has been an expert witness on behalf of the federal government on several high-profile criminal cases, such as US v Duronio, US v Raisley, and US v Zhu. Mr. Jones is an accomplished instructor and has trained computer forensics and security to thousands of students including the FBI, Secret Service, NSA, RCMP, Assistant U.S. Attorneys, private classes for clients, and public classes to the masses. Not only does Mr. Jones train, but he also develops the material for his and other trainers’ classes.
Mr. Jones is an accomplished author, and his works include Real Digital Forensics: Computer Security and Incident Response, Addison-Wesley, published in March 2005 and The Anti-Hacker Toolkit, McGraw-Hill, published in 2002, recognized in the security industry as a definitive reference on critical applications for security practitioners. Mr. Jones is often called for quotes by journalists and audio interviews by radio stations to share his expertise when needed. Mr. Jones holds two Bachelor of Science degrees. One is in Electrical Engineering and the other is in Computer Engineering. Mr. Jones also earned a Master of Science degree in Electrical Engineering from Michigan State University. Mr. Jones maintains the Certified Information Systems Security Professional (CISSP) certification, is a Certified Computer Examiner (CCE), served on the Board of Directors of The Consortium of Digital Forensic Specialists (CDFS) as President, is an IEEE member and peer reviewer, and is an associate member of the American Bar Association (ABA) serving as a Co-Chair of the Litigation Section, Expert Witness Committee, Computer Forensics Subcommittee. He also holds several lifetime memberships in the engineering, electrical engineering, and mathematical honor societies.
Dr. Alex X. Liu
TCAM Based Deep Packet Inspection
Regular expression (RegEx) matching is a core component of deep packet inspection in modern networking and security devices. Prior RegEx matching algorithms are either software-based or FPGA-based. Software-based solutions have to be implemented in customized ASIC chips to achieve high-speed, the limitations of which include high deployment cost and being hard-wired to a specific solution and thus limited ability to adapt to new RegEx matching solutions. Although FPGA-based solutions can be modified, resynthesizing and updating FPGA circuitry in a deployed system to handle RegEx updates is slow and difficult. In this talk, we present the first hardware-based RegEx matching solution that uses Ternary Content Addressable Memories (TCAMs), which are off-the-shelf chips and have been widely deployed in modern networking devices for packet classification. There are three main reasons why TCAM-based RegEx matching works well. First, a small TCAM is capable of encoding a large Deterministic Finite Automata (DFA) with carefully designed algorithms leveraging the ternary nature and first-match semantics of TCAMs. Second, TCAMs facilitate high-speed RegEx matching because TCAMs are essentially high-performance parallel lookup systems: any lookup takes constant time (i.e, a few CPU cycles) regardless of the number of occupied entries. Third, because TCAMs are off-the-shelf chips that are widely deployed in modern networking devices, it is easy to design networking devices that include our TCAM based RegEx matching solution.
Alex X. Liu received the Ph.D. degree in computer science from The University of Texas at Austin, Austin, TX, USA, in 2006. His research interests focus on networking and security. He is an Editor of the IEEE/ACM TRANSACTIONS ON NETWORKING and the Journal of Computer Communications. He is the TPC Co-Chair of ICNP 2014. Dr. Liu received the IEEE & IFIP William C. Carter Award in 2004, an NSF CAREER Award in 2009, and the Michigan State University Withrow Distinguished Scholar Award in 2011. He received Best Paper Awards from ICNP 2012, SRDS 2012, LISA 2010, and TSP 2009.
Dr. David Maimon
Surveillance Banner and its’ Influence on Risk-Averse and Risk-Seeking Hackers’ Behaviors During theProgression of System Trespassing Events
Extensive psychological and criminological research indicates that individuals are ‘ambiguity adverse’ (i.e. prefer to gamble with known risks as opposed to uncertain ones), and as a consequence, tend to comply with the law in the presence of ambiguous low-certainty sanction threats. Unfortunately, only scant research has examined this principle in the context of online deviant behaviors. We attempt to bridge this empirical gap by examining how the presence of a surveillance banner in an attacked computer system influences the online behaviors of risk-averse and risk-seeking system trespassers during the progression of system trespassing events. To assist in this investigation, we designed a randomized controlled trial and deployed a series of virtual target computers with known vulnerabilities into the computer network of a large public university in the U.S. The target computers were set to either display or not display a surveillance banner once system trespassers infiltrated them. Results indicate that risk-aversive system trespassers were less likely to enter ‘clean’ and ‘reconnaissance’ commands in attacked computer-systems that had surveillance banner installed on. Risk-seeking system trespassers, on the other hand, were more likely to enter ‘make new directories’ and ‘change password’ commands in attacked computer-systems that had surveillance banner installed on. These findings offer further support for the integration of psychological and criminological concepts in the study of system trespassing.
David Maimon is an Assistant Professor in the department of Criminology and Criminal Justice at the University of Maryland. He received his Ph.D. in Sociology from the Ohio State University in 2009. David’s research interests include theories of human behaviors, computer crimes and communities and crime. His current research focuses on computer hacking and the progression of system trespassing events, computer networks vulnerabilities to cyber attacks, susceptibility to malware victimization, and decision-making process in cyber space.
Brian McManus is currently a Supervisor in the Computer Crimes Section with NW3C, the National White Collar Crime Center. He has 30 plus years of experience in law enforcement and 10 years in computer forensic investigations. He is a Certified Forensic Computer Examiner (CFCE) through the International Association of Computer Investigative Specialists (IACIS). Prior to NW3C, Brian worked as a police officer with Lansing Community College in Lansing, Michigan, and was assigned to the Michigan Internet Crimes Against Children Task Force investigating crimes against children. He continued as a contract forensic examiner for the Michigan State Police on a federally funded grant before to joining NW3C as an instructor in 2013.
Dr. Stefan Savage
Demonetizing Advertising-Based eCrime
Advertising-based e-crime monetizes a vector (e.g., spam, search, OSN abuse, adware) by convincing consumers to pay for some good or service (eg., pharmaceuticals, pirated software, FakeAV, counterfeit consumer goods etc.) Ultimately it is these payments, typically via popular card brands such as Visa and Mastercard, that monetize the resulting ecosystem, including bots, bullet-proof hosting, domain sales, malware and so on. In this talk, I will briefly explain how this works, the role of ISOs, PSPs and acquiring banks, and how why the financial component is uniquely vulnerable to disruption. In particular, I will report on two years of activity in which key brandholders, working with financial services, have focused on shutting down fraudulent merchant accounts and the effective this has had on the associated criminal ecosystems. I will describe what is necessary to use this tool most effectively and finally, I’ll describe the operational challenges required to map the relationships between affiliate programs and payment networks and how this conflict is likely to evolve.
Stefan Savage is a professor of Computer Science and Engineering at the University of California, San Diego. He received his Ph.D. in Computer Science and Engineering from the University of Washington and a B.S. in Applied History from Carnegie Mellon University. Savage’s research interests lie at the intersection of distributed systems, networking, and computer security, with a current focus on embedded security and the economics of cybercrime. He currently serves as director of UCSD’s Center for Network Systems (CNS) and as co-director for the Center for Evidence based Security Research (CESR), a joint effort between UCSD and the International Computer Science Institute. Savage is a Sloan Fellow and an ACM Fellow, but is fairly down-to-earth guy and only writes about himself in the third person when asked.
Dr. Johan Van Wilsem
Moving targets: cybercrime victimization and routine activities in a dynamic perspective
Cybercrime victimization for hacking, fraud and harassment is related to people’s routine activities on the Internet, due to the fact that these activities unintendedly lead to exposure to offenders. However, most empirical research in the routine activity domain offers a static picture, with cross-sectional tests of the relation between criminal opportunities and victimization. This situation has ignored the fact that people can respond to victimization by changing their routine activities–either in ways to prevent future victimization, or, in contrast, in risk-seeking ways due to maladaptive coping. These changes may subsequently affect risks for future victimization. This presentation will focus on the relation between victimization and re-victimization for several types of cybercrime, and the dynamics of online routine activities in between. For this purpose, a representative Dutch victimization survey (the LISS panel) will be used, covering the behavior of approximately 4,000 respondents between 2008 and 2010.
Dr Johan van Wilsem is an associate professor of Criminology at Leiden University and an expert in cybercrime victimization. He has published on a diverse range of topics, such as receiving online threats, experiencing Internet consumer fraud and being hacked, in international journals such as the European Sociological Review, European Journal of Criminology and Journal of Contemporary Criminal Justice. He has received grants to collect large-scale, representative, longitudinal data on these subjects among the Dutch population. Currently, he is principal investigator in a research project on identity fraud victimization, which has been granted by the Dutch national police.