Analyst: Cybercrime Is 'Spiraling Out Of Control'
Nicolas Christin makes a living out of cybercrime. As the Associate Director for the Information Networking Institute (INI), and a professor at CyLab, Carnegie Mellon University's cybersecurity education and research center, Christin is on the front lines of academic research into how cybercrooks thrive and what can be done to stop them.
Christin spoke with SecurityNewsDaily, offering candid insight into the challenges of investigating the nefarious dark markets of spam networks, why average computer users make his life difficult, and what kinds of threats can be expected in 2011.
Hi, Mr. Christin, do you find that people aren’t as concerned with their online security as they should be?
They’re oblivious to it, and it’s quite disturbing. We did a study where we wanted to find out how much effort we could ask users to exert to secure their computers. We offered people between one cent and one dollar to run a piece of code on their machine. We didn’t tell them what the code was, and they didn’t know we were a university or anything. Most people said 'It sounds really fishy, but I’ll take the money.'
And a lot of them said, 'Well, my computer’s running antivirus software, so I assumed it was safe.'
That seems to be a typical response among most computer users when it comes to security.
It is, but it’s like saying that because you have an expensive alarm system, you would give the key to anyone on the street asking for it. People who wear helmets on motorcycles tend to be riskier, and people driving with seat belts tend to drive more dangerously. We see the same thing in computer security -- people doing boneheaded things because they feel secure. A false sense of security is actually very dangerous.
How then can the security community convince people to take more precautions?
We need to ensure that security measures come at zero cost or that the cost is negligible, because even if it costs a little, people are not going to use it.
Stepping back a little from your research, I want to know what brought you into this field, and what keeps you interested.
I trained as a computer scientist, and I got incredibly frustrated with average Joes not doing what they should do and what we as engineers wanted them to do. Why are people so reticent to engage in safe practices?
When I started looking at why people aren’t investing in and deploying the security measures that they should, I started to realize maybe the security products are not protecting them against attacks. Then I wanted to explore what is making the attackers want to carry out these attacks.
What are some frustrations and challenges with studying security?
In two words: negative externalities. I can explain. I’m running a very secure computer myself, because I’m in the security profession. But it doesn’t matter. I still get spam, because other people are not securing their machines. In the time we’ve been talking, I’ve received 20 pieces of spam.
The frustrating thing is that people who want to invest in security still remain at the mercy of those who don’t. As long as you have vulnerabilities in the network, it affects everyone.
What can you do about that? How can you get the average Joes to do their part?
Right now, if you’re an aspiring criminal, if you’re deciding, 'Should I sell drugs, or deal weapons or get into online crime,' it makes sense to choose the third option. There is a lot of money to be made and the risks are very low.
We need to make security as painless and cheap as possible, and make it very expensive for attackers to carry out attacks.
How does the academic study of security differ from the work done by security vendors?
In my research, we can only observe public data or data that we can reverse engineer. There are some limitations. But the main advantage is we’re not trying to sell a product. If tomorrow I see a specific domain name that is really bad, I don’t have any agreement or contract with them and I can report it.
Security makers don’t have the time to understand the attackers because it’s hard to monetize that. They are for-profit companies; they are out to make money, not necessarily to secure the world. But they can help us because they have access to very large data sets. I think collaboration between the two entities can really help.
Is this a good time to be in your industry?
It is, because there’s a lot of work to do. In 2000, there was virtually no online crime, and now 10 years later, it’s probably a billion-dollar industry. It’s really spiraling out of control. We’re seeing people say, 'For all the conveniences with online shopping, I’m scared, and I don’t wanna do this.' We’re seeing a change in attitude. People don’t really feel safe going online. That’s a pity. I really want to get it under control before people say the Internet is useless.
What’s your forecast for online safety in 2011?
From the criminal standpoint, I think that spam is starting to be a little bit passé. Google, Yahoo, Microsoft and all the open-source programs are doing a pretty good job at figuring out spam. I think criminals see that, and they’re looking for better ways to monetize their businesses. I wouldn’t predict we won’t have any spam in 2011, but I think spam will be less of a pressing issue than new forms like poisoned search results and social network malware.
So what are you currently working on?
What I’m doing is I’m trying to get a better sense of the motivations of the guys behind most security attacks. There are basically two different types of attacks: there are nation-states and extremists, and then there’s basically all the rest. I’m trying to understand what is driving all the rest.
How are you approaching understanding the motives of attackers?
The starting point for my research is economics. We’ve always tried to defend against the most powerful attacker we can. But the world has changed, the game has changed. And many more people are taking part in security attacks. They’re not all Doctor Evil -- they just want to make a profit.
I’m trying to understand the economic motivations and incentives of the attackers by looking at the economic structure of the underground markets, spam markets, pharmacy markets, etc. I’m looking at how the whole underground economy is built.
It seems like a very complex system.
It’s still pretty murky, because only now we’re getting a little bit of a glimpse into the financial transactions these guys are taking part in. I always get a chuckle when I read in the news about a 'Spam King.' The whole thing with the 'Mega-D' spam king?
He was king of spam for the month of November. He’s awaiting trial, and there will be another guy who will take over.