
Cybercrime: from Russia with love

Protecting TU Delft against cyberattacks in the form of malware, phish and hacking is all part of a day’s work for the university’s information security team.

In a wide-ranging interview, Alf Moens, the TU’s information security manager, discusses international cybercriminals, the fake emails regularly sent to the university’s students and staff, and the present danger posed by the incredibly malicious Conficker worm.

Protecting our computers and networks from cybercriminals is big business: a recent report estimates that the global Internet security market will be worth 58.1 billion by 2010. The man responsible for protecting TU Delft from these relentless cyberattacks is Alf Moens (50), together with his information security team, which includes an ICT Operations Control Center that investigates daily security incidents and a ‘Computer Emergency Response Team’ that is on-call 24/7.

What’s a working day in the life of an information security manager like? “I’m responsible for setting up and stimulating policies for information security, and reviewing whether they’re efficient and everyone follows the rules. I mainly look at trends, in order to prevent possible harm to TU Delft, and there are always several projects running aimed at improving our information security.” 

Given that TU Delft is continuously under cyberattack, your job must be rather stressful. “It can indeed be stressful, but it’s also fun. Once you realize that you can’t prevent everything from happening, you can start to enjoy it. And I don’t believe it’s possible to stop everything they fire at us, but I can still sleep at night, because I know we’re working hard to prevent things from happening.”

What are some Internet security threats the TU regularly faces? “The two most common threats are infected computers and spreading copyright-protected materials. Each month there are about 150 information security incidents: 70% copyright related, and 20% infected computers. The threat of infected computers is growing, however, and these machines are mainly infected with botnet software, which means they’re controlled by cybercriminals.”

Are there any Internet security issues unique to a university of technology? “Since we have a mixed environment, with student houses on the same university network, we also have lots of ‘private’ traffic on the network. Unique compared to non-academic use are our quarantine facilities: TU Delft PCs that are infected or have been distributing copyright-protected materials are put in quarantine until the problem is fixed.”  

Do you regard the people sending phishing emails and trying to hack into the TU’s system as ‘terrorists’? “They’re criminals for sure. Until about two years ago, all this could be labeled as ‘vandalism’, but nowadays big money is involved. Organized crime has taken over. The general opinion among my colleagues internationally is that terrorists are not yet using cybercrime as a weapon, although terrorists are definitely heavy Internet users.”

The fake emails that TU Delft email account holders receive, asking for our login names and passwords, do seem pretty authentic. “Indeed, some really do look legitimate and use ‘real’ TU Delft terms like NetID, which is the name of our email account system. The messages also seem to be coming from TU Delft addresses, like info

When cybercriminals gain access to a TU Delft email account, what do they do? “The account is used for sending spam, and sometimes dedicated spam messages to everyone in your address book, asking them to send some money. If others have your password/login, they can take over your digital identity and steal personal information from your files.”

Have any TU Delft students been tricked and given their passwords to cybercriminals? “Unfortunately, some people have fallen for these scams, and their accounts were taken over.”

Will this ever end, or rather just keep evolving into new and improved methods of attack and deception? “The abuse of e-mail will continue and increase. Future threats will be those that combine multiple methods; for example, you’ll receive a phone call from a real person or automated voice-messenger saying they’ll be sending you an important email.”

Other than fake emails, what are some other ‘tricks’ of this cybercriminal trade? “The most frightening is a new ‘attack vector’, in which malware – a small virus – is inserted into legitimate websites. If you visit that site, you’re infected. Another scary trick is malicious middleware software that spies on your telebanking and tries to alter transactions.”

How else do hackers attempt to get into the TU’s computer network? “Hackers try to do their ‘job’ in several ways. Some is just by brute force, guessing passwords, and some involves testing our systems for vulnerabilities. Clever hackers also exploit the naivety of users, trying to persuade them to click on malicious links.”

Are TU Delft’s systems especially attractive to hackers? “Our systems aren’t as interesting for hackers as they used to be, when the hacker’s purpose was to gain access to huge storage and large bandwidth. Today’s business model for hackers is based on controlling lots of computers via botnets, for spreading spam or organizing paid attacks on high-profile institutions like banks, the Microsofts of this world, and governments. There’s also an entire industry in which money is paid for developing new viruses, harvesting computers for botnets, and harvesting financial information on these computers, like credit card and bank account numbers. And some hackers simply earn money by making toolkits for other hackers.”

Is there one particularly egregious hacker attack on TU Delft you can tell us about? “In one incident, three different hackers used a compromised TU Delft computer; they probably ‘sold’ the computer to each other. The first one was clever, hacked into the computer, but we couldn’t find a trace of how he did it. The second one gained control over this computer and installed malicious software for controlling it remotely, but he wasn’t so clever and left lots of traces, though none that we could use to nail him. The third one used this controlled computer for attacking and trying to break into other computers, outside TU Delft.”

In what country are most cybercriminals based? “The common opinion among the security community is that 90% of spam, phishing, etc, is controlled by two or three criminal rings, of which at least one is based in Russia. But it’s a highly multinational ‘industry’, and the brains of the organizations are based in countries that have limited legislation or limited investigative capabilities.”

Do you think some national governments are directly involved in cybercrime? “Not actively, although some governments might use these facilities for their own purposes. But I don’t think governments are the key players.”

‘Don’t take cookies from strangers!’

To win any war you must know your enemy, yet it seems we know very little about these cybercriminal organizations.
“I don’t personally see it as a war. The criminal gangs that now control most hacking will be replaced by others. We know our enemy and know it will be someone else tomorrow. Information security isn’t warfare, but rather simply using common sense to protect what is of value to you.”

But enemy agents do launch relentless attacks on our money.
“Indeed, it’s a form of economic warfare. The Internet started on a basis of mutual interest and openness. The Internet is now evolving into a collection of mutually trusting private networks. The openness will disappear.”

What’s the profile of a guy working for a cybercrime ring? Is it just some computer geek sitting around in his underwear at home firing off zillions of spam mails and hacking around? “Sure, there are lots of geeks in underwear involved. Hacking is still high tech, so you need lots of nerds pulling all-nighters to get the job done.”

So they’re not highly educated, super computer geniuses, as Hollywood likes to portray them? “No, fortunately, the highly educated people work on our side, finding vulnerabilities in information systems and smart cards and helping to fix them. But of course, just as in other branches of crime, there are really clever people involved. Cybercrime has quickly evolved from idealism to profiteering.”

Are legitimate companies involved in cybercrime? “Not here in Western Europe. But in Eastern Europe and Asia there are probably legitimate businesses involved for laundering money.”

So cybercrime is a very profitable, mafia-controlled business? “Yes, it’s organized crime and very profitable if you steal enough credit card numbers. A botnet is worth money, and a piece of malicious software is worth money. People in this ‘business’ specialize.”

Assuming you caught someone, are there laws in place for prosecuting these criminals internationally? “Internationally it’s a problem. The EU, USA, Australia and others have pretty good cybercrime laws, but many other countries do not. There have been convictions for setting up and controlling botnets, however.”

It seems that institutions, like TU Delft, are so passive, just erecting defensive walls, reacting to attacks, rather than proactively fighting the ‘evil doers’? Would you agree? “It’s a bit of both. As a single institution, you can’t do very much, but we contribute, through SURFnet and other ways. On the national level, several organizations are trying to make a difference: OPTA is the number one spam fighter, while NICC – the National Infrastructure to Combat CyberCrime – tries to organize various sectors, like banking. This results in efficient reactive powers, but also in pressure, internationally, for cooperation.”

If offense is the best form of defense, why doesn’t TU Delft go on the attack to better protect itself? “There is some research going on in these fields, but the bottom-line is that the technology for making this a better world is already there, but we just don’t use it, because it’s very expensive and useless unless everyone else is also using it. Discipline and hygiene are other reasons why we’re not doing better. There are just a few simple security things to remember, but we always forget. The most important is: Don’t take cookies from strangers!”

But surely if these cybercriminals are no match for TU Delft’s brightest IT minds, why not lob some dirty, computer-crashing bombs back at them?
“I wouldn’t want to do that. We’re bright, but not that bright. Such action would immediately backfire. First, you don’t always know who to throw a bomb at, so the collateral damage would be enormous. Second, we’re a legitimate business and therefore restricted by law. Thirdly, we’d draw fire from every hacker worldwide. A good defense is to keep a low profile, at least lower than your neighbors. When ABN-AMRO bank was in the news recently with their merger with Fortis bank, they immediately drew several new phishing attacks; they were under heavy fire because at the time they were very high profile.”

If not offensively, then how will Internet security defense evolve? “We’ll probably see a separation in Internet networking, with a trusted part, with trusted e-mail, and an untrusted, or not yet trusted, part.”

When attacked, does the TU actively investigate to try to find out who is behind the attack? “For the more serious attacks, we start an investigation to discover the source, the way we were attacked, and who did it. Depending on the information found, we’ll then go through security incident channels, through SURFnet-CERT, or to the police. But these are very time-consuming investigations with limited results.”

Experts thought the Conficker worm would start a new, devastating phase on April 1 – April Fools’ Day. Was that an especially tense day for you? “April 1 was pretty much like all other days, although we did keep an eye open for jokers among us. The Conficker case did make me monitor news sources an extra time. Fortunately, not much happened.”

What makes Conficker so infamous and potentially destructive? “Conficker is a computer virus in the form of a backdoor; it can control the infected PC, and collects PCs into a botnet. The botnet controller then can update ‘his’ machines – which was scheduled to happen on April 1 – and he has command and control capabilities and can therefore have these machines perform tasks at will. Conficker uses a vulnerability in Microsoft that has been known for some time. A fix was created for this security hole, the bug, that Conficker uses, and this fix was applied on TU Delft computers last year, so we’re pretty confident we won’t have too much trouble on our TU Delft PCs.”

But student PCs in student houses and laptops remain vulnerable to Conficker attack? “Yes, student house PCs and laptops also use the TU’s ICT network, but they’re not managed by TU Delft. We’ve seen an increasing number of student systems infected with botnet stuff, like Conficker and others. These systems are primarily infected because they’re ill maintained, they’re behind with software patches and don’t run up-to-date virus scanners. And there is absolutely no reason for this, since TU Delft provides all such software and updates free of charge. If infected with a botnet, a computer is isolated and must be completely reconfigured. If you haven’t backed up your files, bad luck for you.”

As an information security expert, do you have access to classified Internet security information? “The information security community has an extensive ‘network’ for sharing information – some is public, some not. The April 1st Conficker alert didn’t come as a surprise. Conficker has been extensively researched, although they haven’t found the owner, the author, yet, and hackers have stopped signing their work.”

Which isn’t surprising, since Microsoft is offering a $250,000 reward for the Conficker creator’s head. “Indeed, Microsoft’s reward is proof that the legitimate world is joining forces to address these threats. By explicitly stating it is illegal, criminal, they’re sending a message to all those who are somehow related to organised cybercrime to step back; it’s a message that big organisations and governments are taking cybercrime seriously and working together to mitigate it.”

Edward Hulsbergen will probably spend the last year before his retirement mainly serving as the ‘memory of the chair’ of spatial planning and strategy.

“I had 35 metres of books, which were freely accessible to students. Everything is gone. So is the archive of the chair, of which I myself was acting chair for two and a half years. My research files and personal archives have also burned. I don’t intend to go and gather everything together again. I’m retiring in a year.
I was on the eighth floor when the fire broke out; I was already teaching. Luckily I took my bag with me, and a USB stick. Apart from some documents that colleagues still had of mine, that’s all I have left.
Since the fire, the logistics have been very complicated. Giving lectures, holding talks, doing research: for all of that I have to go back and forth a lot. It’s all manageable, mind you, but it doesn’t make me happy. I just don’t feel like whining about it.
What I do find difficult is keeping an overview. I’m working at home today. My little stacks of paper are lying on the floor. Those stacks give me an overview; I can see exactly what needs to be done. But I have to clear everything away every day, at the TU as well. There I’d rather sit in tent four than at the IRI. I want to be close to the students.
So now the overview exists only in my head, and that costs a great deal of energy. By the end of the week I’m worn out. The advantage is that I no longer have to worry about where my things should go after my retirement.
Incidentally, I offered to retire earlier to make way for renewal. But colleagues urged me not to. According to them I am the memory of the chair. I’ve been at Architecture since 1972. The only risk is that what’s in your head isn’t correct. Financial matters are difficult to settle. Sometimes it makes me a little sad, but I’ve never found looking back very forward-looking.
I think my role in the coming year is to be flexible, so that I can support the new professor. That will probably come at the expense of my plan to write a research proposal with which I want to build a bridge between the concept of network cities and archaeology.”


Editor Redactie
