ID Guardian

Reflections from a Black Hat Hackers’ Conference (Part Two)

Posted by: Michael Stanfield on February 22, 2010

The following special blog post is the conclusion of a note from Intersections VP of Information Security, Tim Rohrbaugh.

The second day of briefings was honestly a blur. I couldn’t help but focus on the ancillary details that each presenter offered. Each presenter – I managed to attend only one out of three tracks – did have main goals that were clear and relevant, but all I heard were hidden details sprinkled throughout their talks that my shiny new perspective forced me to see. What were these details? Well, before I turn my keyboard to those, let’s recap: US-sourced Internet crime is for a large part orchestrated by Russian organized crime personalities. Those amazing facts that Joseph Menn discussed in his talk (and book) at the end of day one sat in my stomach all night. Upon wakening for day two, I recalled a momentary thought at the beginning of the event where it felt natural to stick my head in the sand like the proverbial ostrich. That natural instinct to focus on the details versus the big negative picture was broken the second I asked one of my peers what “pay-per-install” meant. This term was part of a presentation title I was thumbing through – my two decades of military, government and commercial jargon did little to aid in deciphering the subject of this technical talk. Unfortunately, the meaning of the term would signify that yesterday’s realization, brought on by Menn’s book talk, was truly just the start of the fear that we are losing the war on Internet safety in a big way.

Crime is a business. Who said that? Please, someone tell me because I truly missed this fact and want to give credit to the right person. Before yesterday, I couldn’t get my mind to accept that a criminal could be a good business person or that the mob could be run by highly technical people – square pegs are only supposed to go in square holes – or so I thought. It seemed like the demarcation between business, criminal, and technical acumen was very clear. And, while some crossed that line in all directions, and ended on the front page of newspapers, we security professionals could rely on the opposing goals of each area to hinder the melding of true thought leaders in these areas. What am I trying to say and what is bothering me? Criminals are using modern business practices without fear, kids born into technology have grown up to be skilled criminals, and highly trained foreign agents have left government work and are unchallenged as mob leaders.

Now the details: the owners of shrink-wrapped malicious code generators are providing customers 24/7 support. [Yes, never fear... your malicious code is supported 24/7 and phone queues are serviced by level 3 support around the clock.] If a customer’s malicious code is found by anti-virus vendors, the code will be regenerated and packed so the signature changes. Oh, and if you don’t pay your bill on time the signatures of your malicious code will be provided to the anti-virus vendors!

What about this “pay-per-install” term? Let’s cut to the chase… people are being paid to get others to install spyware, bots and key-loggers through any means possible… email scams, rogue web sites, piggy-backing malicious code onto legit software. They will only get paid if the source computer is located in certain countries, though. Think affiliate networks for organized crime… no, they will not pay you for installing spyware onto Russian computers. Why not? I’ll let you guess that one.

Maybe it’s just me, but reading between the lines I recognized the feeling that we are getting owned, used and manipulated by Eastern European criminaaaa… oh, I mean business people.

DatalossDB, which tracks breach notifications for loss of sensitive data including credit card numbers, has recorded a reduction in breaches over the last year. Is that good? Seems like it. But could that also mean that crime is happening still at the same rate but discovery did not occur at the same rate? Well, crime is still profitable, organized criminals have gone relatively untouched, technology is just as complex, AND, generally, people’s behavior has not changed. Also, since a highly technical criminal is not rewarded for releasing a vulnerability, and yet we know they still exist, we have to assume that theft of data is happening at the same rate because we have not changed the greatest weaknesses (underlying technology of the Internet and people’s behavior). My newfound paranoia leads me to one conclusion: We need to provide the tools that educate the consumers to identify that their identity IS being misused and focus on changing behavior that more than likely caused the breach in the first place. How do we get through to people to make them understand that literally one mouse click or one web page can start a chain reaction that leads to hours on the phone with their bank; loss of bank funds; higher taxes; well-fed mobsters (who then have more money for hit men and weapons which then leads to higher under-the-table pay for underpaid foreign civil servants); and finally more revenue for struggling foreign local economies? I say, let’s cut out the middle man (organized crime) and just get our US banks to donate to small Eastern European cities.
