
Developing a cybersecurity culture to influence employee behavior


Jean-Loup Richet, IAE de Paris (Sorbonne Business School)

 

In our increasingly connected world, cybersecurity has become a critical concern for individuals, businesses, and governments alike. With the ever-growing threat of cyberattacks, it is more important than ever to raise awareness of cybersecurity risks and best practices. By promoting cybersecurity awareness, we can help protect ourselves and our data from malicious actors (Richet, 2021). Cybersecurity awareness helps to educate individuals about the dangers of cybercrime and the importance of taking steps to protect themselves online, but it also encourages them to comply with organizational rules and deters them from deviant behaviors!

When it comes to deterring employee deviant behavior in information security, sanctions are one of the most commonly used methods. Organizations have long used sanctions as a way to deter employees from committing fraud. Sanctions can range from financial penalties to termination of employment.

However, research on this topic has been mixed, with some studies showing that sanctions are effective and others indicating that they are not. Trang & Brendel (2019) take a closer look at the role of sanctions in deterring employee deviant behavior and explore how contextual and methodological moderators can impact this deterrence approach. Their findings suggest that while sanctions have an overall effect on deviant behavior, their effectiveness depends on the context in which they are implemented and the methodology used to study them. In particular, they find that deterrence theory is more likely to predict deviant behavior in malicious contexts, cultures with a high degree of power distance, and cultures with high uncertainty avoidance. By understanding the moderating effect of these contextual and methodological factors, organizations can better design sanction mechanisms that are tailored to their specific needs and objectives.

There is a growing body of evidence that suggests organizations with strong cybersecurity cultures are better equipped to manage cyber risks, to protect their data and systems, but also to manage employee deviant behaviors. Practitioner research (IBM, 2021) found that organizations with a security-conscious culture are three times more likely to have comprehensive security programs in place and four times less likely to experience a data breach originating from an insider.

While the benefits of a strong cybersecurity culture are clear, developing such a culture is no easy task. Alshaikh (2020) identifies and explains five key initiatives that three Australian organizations have implemented to improve their respective cyber security cultures. The five key initiatives are: identifying key cyber security behaviors, establishing a ‘cyber security champion’ network, developing a brand for the cyber team, building a cyber security hub, and aligning security awareness activities with internal and external campaigns. These key initiatives have helped organizations exceed minimal standards-compliance to create functional cyber security cultures. Organizations looking to improve their cybersecurity culture should consider implementing some or all of these five key initiatives. By doing so, they will be better positioned to manage cyber risks and protect their data and systems. It will also help them to create a culture of security within organizations, making it more likely that employees will report suspicious activity, take precautions to prevent attacks, and comply with information security policy. In addition, raising awareness of cybersecurity issues can help to better inform policymakers as they work to enact laws and regulations to promote cybersecurity and protect our interconnected world.

References:

Alshaikh, M. (2020). Developing cybersecurity culture to influence employee behavior: A practice perspective. Computers & Security, 98, 102003.

IBM. (2021). Cyber Resilient Organization Study 2021. Retrieved from: https://www.ibm.com/resources/guides/cyber-resilient-organization-study/

Richet, J.L. (2021). Trends in Cybercrime: Cases the Banking Sector. BPI France, Jun 2021, Paris, France. 2021.

Trang, S., & Brendel, B. (2019). A meta-analysis of deterrence theory in information security policy compliance research. Information Systems Frontiers, 21(6), 1265-1284.


Cybercrime Trends: an Exploration of Ad-Fraudsters Communities


Jean-Loup Richet, IAE de Paris (Sorbonne Business School)

Abstract/ highlights of the paper

• This is one of the first studies documenting the way ad-fraud communities innovate and create value for their criminal customers.
• A multimethod approach was applied for data collection, integrating qualitative and quantitative assessment of six cybercriminal communities.
• Specialized ad-fraud communities provided a wealth of knowledge and incremental innovations in ad-frauds.
• General and customer-oriented ad-fraud communities showcased the most internal interactions, as well as exhibiting better performance and growth.
• General and customer-oriented ad-fraud communities have developed specific capabilities, focusing on innovation through artificial intelligence, which fuels customer engagement and fosters (criminal) attractiveness.

Reference

Richet, J.-L. 2022. “How Cybercriminal Communities Grow and Change: An Investigation of Ad-Fraud Communities,” Technological Forecasting and Social Change (174), p. 121282. (https://doi.org/10.1016/j.techfore.2021.121282)


Using Escape Room to Gamify Cybersecurity Learning

Serious games are particularly popular in Business Schools and universities: we are used to running business simulations, marketing games, project management role-playing games, etc.

I have always been fond of gamification and engaging alternatives for learning complex topics (cybersecurity is one of them) and was always pushing the boundaries (how to teach technical and engineering topics to managers?). Hence, I developed at the Sorbonne an escape room for cybersecurity – a live action team game, where players are hackers/industrial thieves and have to exploit cybersecurity vulnerabilities in order to steal confidential and strategic business data.

 

The game was designed for MBA and master students and comprised multiple activities … and even a lockpicking test! This is the kind of lockpicking game one could encounter at the Black Hat Conference or Defcon for instance, so it wasn’t complex (all the teams succeeded).

Of course, this game would not have been possible without the talented project team at the Sorbonne Business School that made the project come alive! Congrats again to this highly motivated team of students for their hard work (Simone, Charline, Alice, Emma, Florine and Guillaume).
And thanks to Melodia and Antoine @ NTT for their technical support for this event 🙂

The game has been conceived and played in French, but it is currently being translated into English. I intend to publish it here in the coming months.

Updated FOTN report… and newly hired at the Sorbonne

Two pieces of great news before the end of December:

(1) The release of the latest Freedom on the Net report, featuring the rise of fake news and governments’ increasing attempts to tighten control over netizens’ data. I have worked with Freedom House since 2015 on the section related to Internet Freedom in France.

Key developments in France from June 1, 2017 to May 31, 2018 were the following:

  • A hotly debated legislative proposal presented at the end of March would enable candidates to require judges to swiftly decide whether to stop the dissemination of allegedly false information online during electoral periods (see Media, Diversity, and Content Manipulation section of the report).
  • For the second time in 2017, the Constitutional Council struck down a provision that criminalized the regular consultation of websites deemed to incite or glorify terrorism. On the other hand, users continued to be sentenced for inciting or glorifying terrorism online (see Legal Environment and Prosecutions and Detentions for Online Activities section of the report).
  • While the prolonged state of emergency officially ended in November 2017, certain emergency measures were enshrined into ordinary law through the “Act to reinforce internal security and the fight against terrorism.” A provision obliging suspects to provide all their electronic identifiers to authorities was omitted from the final text (see Legal Environment section of the report).

(2) I have been recently hired by the Sorbonne Business School (IAE de Paris) as an Associate Professor in Information Systems. I will develop my research on cybersecurity, cybercrime (of course!), and Information Systems governance. Feel free to drop me an email at this updated address.

Freedom on the Net 2017: online manipulation and disinformation tactics on the rise

Since June 2016, 32 of the 65 countries assessed in Freedom on the Net saw internet freedom deteriorate. (1) Empowered restriction laws (Etat d’Urgence) and (2) fake news and disinformation both during and after the presidential election contributed to a score decline in France’s otherwise generally free environment.
I am glad to have participated in the drafting of this latest Freedom on the Net report.

Key Findings (global overview)

  • Governments manipulated social media to undermine democracy: Governments in 30 countries of the 65 countries assessed attempted to control online discussions. The practice has become significantly more widespread and technically sophisticated over the last few years.
  • State censors targeted mobile connectivity: An increasing number of governments have restricted mobile internet service for political or security reasons. Half of all internet shutdowns in the past year were specific to mobile connectivity, with most others affecting mobile and fixed-line service simultaneously. Most mobile shutdowns occurred in areas populated with ethnic or religious minorities such as Tibetan areas in China and Oromo areas in Ethiopia.
  • More governments restricted live video: As live video gained popularity with the emergence of platforms like Facebook Live and Snapchat’s Live Stories, internet users faced restrictions or attacks for live streaming in at least nine countries, often to prevent streaming of antigovernment protests. Countries like Belarus disrupted mobile connectivity to prevent livestreamed images from reaching a mass audience.
  • Technical attacks against news outlets, opposition, and rights defenders increased: Cyberattacks against government critics were documented in 34 out of 65 countries. Many governments took additional steps to restrict encryption, leaving citizens further exposed.
  • New restrictions on virtual private networks (VPNs): 14 countries now restrict tools used to circumvent censorship in some form and six countries introduced new restrictions, either legal bans or technical blocks on VPN websites or network traffic.
  • Physical attacks against netizens and online journalists expanded dramatically: The number of countries that featured physical reprisals for online speech increased by 50 percent over the past year—from 20 to 30 of the countries assessed. In eight countries, people were murdered for their online expression. In Jordan, a Christian cartoonist was murdered for mocking Islamist militants’ vision of heaven, while in Myanmar, a journalist was murdered after posting on Facebook notes that alleged corruption.

To view the report, see www.freedomonthenet.org.

About the Journal of Strategic Threat Intelligence


 

I would like to pay a special tribute to the team in charge of the Journal of Strategic Threat Intelligence (JSTI). The journal celebrates today its first anniversary!  I am very glad to collaborate with Harvard toward the success and growth of this journal.

Journal of Strategic Threat Intelligence (ISSN 2476-1990) publishes one issue per year and is already widely indexed and abstracted. It has been established as part of a joint academic project with ESSEC Business School on Cybersecurity awareness.

Journal of Strategic Threat Intelligence publishes research reports informed by a wide array of theoretical perspectives (from Sociology to Computer Science, through Criminal Law), innovative in form and content, and focused on both traditional and emerging topics in the fields of Cybercrime, Cyberwarfare and Cybersecurity. It welcomes articles concerned with managerial and strategic issues.

Recent reports:
ISIS Cyberstrategy; A strategic Approach to the Tor Network; Ethical and Societal Challenges of Privacy; Blockchain Regulatory Framework

Cybercrime and Law Enforcement Training

abstract:

In this article, we discuss law enforcement initiatives to respond to cybercrime and the issues undermining them (fear, dependencies, culture). This paper highlights the need for a set of globally ratified cybercrime regulations through which the retribution of cybercriminals can be more heavily enforced.

Keywords:
Cybercrime, transnational, collaboration, prevention, law enforcement, education, user awareness, regulations

***

Recently a new bill was announced by Representative Katherine Clark in order to train more federal enforcement in dealing with cybercrime. This Cybercrime Enforcement Training Assistance Act would provide 20 million dollars for law enforcement to get a grip on an area of crime which is evolving faster than anyone can keep up with it. As David Wall (2007) wrote, before we have completely understood a certain criminal technique involving the internet, the information we have already seems to be outdated. How then can we truly train a group of people to deal with this type of crime whose nature is ever-changing?

Fear of Technology

Although the type of crime is continuously changing, there is nothing new to the idea that technology is something harmful and to be feared: a certain fear of technology has always been part of our lives. It is this fear that is at least partly responsible for the decision of a company like AT&T to not invest in the cell phone market in the early 1980s. “Using mathematical forecasts, the consultants anticipated cell phones being a niche market and not one AT&T should waste its time with,” wrote Ryan Stelzer, co-founder of Strategy of Mind.

But what is this fear based on? Technology is to be understood as a mechanism of understanding the world around us; its need to impose order belongs specifically to this epoch that we live in (Edwards, 2006, pp. 61-62). Technology is that mechanism which frames our reactions and our lives. Interestingly enough, our fear of the internet and new technologies taking over our lives is already part of this technological outlook on life itself. Technology is no longer limited to a specific gadget; it is a total mechanism within which life takes place.

Increasing dependency

But as technology takes an ever-increasing role in our lives, the way to control and limit its negative uses is underdeveloped. A group of researchers at Team Cymru (2006) already showed how “insufficient training, limited resources (personnel, equipment, budget), barriers to cooperation, outdated or non-existent legal remedies, a paucity of cross-border cooperation, high-latency cross-border cooperation processes, and individual organizations’ cultural paradigms create a fertile ground for success in cybercrime.” And this seems to not even consider our increasing dependency, the global aspects involved and the sheer amount of money and people that are affected by technology nowadays.

But should we reread science fiction novels like ‘Neuromancer’ by William Gibson (1984), so as to get an understanding of the direction we are heading when we let cybercriminals become the powerful leading sources of information and money? Or are powerful AI’s going to take over, limiting our options for us?

Limiting freedom

Perhaps thinking in these terms that science fiction writers started to introduce us to in the 60s and 70s does not bring us any closer to finding a way to handle the ever-increasing and changing cybercrime. Yet it does put a sore finger on what is stopping us from solving it. When in 2001 a convention on cybercrime was signed by the European States, and the United States, Japan, Canada and South-Africa, people started to question whether the US should actually ratify such an agreement. Fighting crime is one thing, but the more important question in these debates seems to be how individuals’ rights are protected.

This is a difficult question in a country where it is in many places deemed legal and even necessary for individuals to arm themselves in public places. Limiting the individual, and thus the hacker, is an infringement of one’s own personal rights to enter a door that one is allowed to enter. The recent debate as to whether large companies such as Apple and Google should open up their encryption to law enforcement so that criminals can be traced, tracked, spied upon, seems to take on the same form. Protecting the individual freedom is more important than protecting the individual. Or are we only dealing with this fear of technology taking over our lives, and limiting our lives, instead of really talking about the issues at hand?

The need for law to enforce

In order to deal with the vast area of cybercrime, from the manner in which big data is used by corporations to the network of money mules and individual hackers, we don’t just need to train law enforcement. We need to give them the laws they need in order to stop crime from taking place. The basis would require the harmonization of international law (Calderoni, 2010), which is better able than national laws to meet the global and changing demands that cybercrime imposes. And it is questionable whether the convention on cybercrime from 2001 goes far enough to deal with this (Gercke, 2006). Because the growing dependency, together with the human fear of change, makes technology much more than simply a possible criminal means when it comes into the hands of the wrong people. Our technological lives are no longer distinguishable from the technology itself; the Internet of Things is not something out there, it is already in the personal, private space of individuals. And when we want to make sure this technology does not limit our personal freedoms, we need to let international law limit our freedoms – unless we want to live the future science fiction has shown us.

References:

Calderoni, F. (2010). The European legal framework on cybercrime: striving for an effective implementation. In: Crime, Law and Social Change 54.

Edwards, J.C. (2006). Concepts of Technology and Their Role in Moral Reflection. In: Surgically Shaping Children, Technology, Ethics, and the Pursuit of Normalcy. Parens, E. (eds.) Johns Hopkins University Press, Baltimore.

Gercke, M. (2006). The slow wake of a global approach against cybercrime: The potential of the Council of Europe Convention on Cybercrime as international model law. Computer Law Review International.

Gibson, W. (1984). Neuromancer. Penguin New York.

Team Cymru (2006). Cybercrime: An Epidemic. ACM Queue Magazine, Volume 4 Issue 9, November 2006.

Wall, D. S. (2007). Cybercrime, The Transformation of Crime in the Information Age. Polity Cambridge.

Download this article: “Cybercrime and Law Enforcement Training”

Extortion on the Internet : the Rise of Crypto-Ransomware

abstract:
This article highlights the transition from traditional ransomware threats (ransomware 1.0) to new and more complex attacks (crypto-ransomware) targeting desktop computers. The article suggests that cybercriminals will capitalize on malicious codes and target emerging and less-secured areas: mobile devices, M2M and the Internet of Things

Keywords:
Crypto-ransomware, Cybercrime, Malware, Internet of Things, M2M.

***

We all know the ransom mechanics: a hacker threatens an online business to flood its website with requests, thus resulting in a Denial of Service—which means the website will become unavailable and the online business will not be able to sell its products. Kshetri (2013) describes the story of an online CD and DVD retailer that “paid a ransom of US$40,000 to a hacker based in Balakov, Russia […] the fund was wired to 10 accounts in Latvia. [Money] mules then rewired the money to St. Petersburg and Moscow. Another set of mules brought the money to Balakov. The computer server used to launch the attacks was in Houston” (p.9).
However, this case involves what we could term as a ‘manual,’ ‘targeted’ and ‘dedicated’ attack and management: the attack is focused on one target, involves a specific threatening action and a relationship with the target (exchange, negotiation, etc.).
What we will discuss today is ransomware and its evolution: malicious software spread en masse and ‘industrialized’ (Richet, 2013). The hacker just needs to spread the malware, and all the other processes will be automated (fund reception through bitcoin, automated delivery of the decryption key through email, etc.).

There is a lot of ‘basic’ ransomware on the internet; spread through drive-by downloads, torrent, scams, etc., these common pieces of ransomware aim to scare users. Some are just scams and fear appeals, with no impact on data—for instance, fake antivirus warnings showing annoying pop-ups everywhere with messages like “you have been infected by a dangerous malware, we are currently protecting your files, but sooner or later they will be deleted by the virus if you don’t act. Click here to buy our antivirus and solve all your issues.” Other ransomware can restrict computer use, preventing access to some programs or files—for instance, fake US government messages, again, through annoying pop-ups, with messages like “you have downloaded copyright-protected content. We have restricted the use of your computer. Click here to pay your fine.” In 2006-2007, ransomware attack processes were quite straightforward—it simply stored selected files in a compressed archive, then password-protected these archives (Luo & Liao, 2007).

Gazet (2010) studied the wave of ransomware spread in the summer of 2007, and made the following conclusion: “Code is most often quite basic, no armoring, no pure jewel of low level assembly or nothing of this kind. […] The kind of ransomware we have analyzed for this study is clearly intended for mass propagation and we should not forget that ransomwares’ strength comes from the fear they generate into lambda-user mind, not from their technical skills. […] The ransomware phenomenon is a reality that has to be monitored but in some ways it is not a mature and complex enough activity that deserves such communication around it. Ransomwares as a mass extortion means is certainly doomed to failure. Their extinction […] means that criminals have evolved to something else and other sources of income.”

However, should we review this conclusion in the light of current trends in the cybercrime underworld?

 

In their report, Fossi & al. (2015) highlight this emerging issue: ransomware attacks more than doubled in 2014, from 4.1 million in 2013, up to 8.8 million. While describing eHealth security in the context of Australia, Foster and Lejins (2013) outlined the threat of ransomware targeting small Australian health organizations.


Image description: Crimeware-as-a-service and ransomware: Tox is a ransomware construction kit that allows cybercriminals to create crypto-ransomware in a few clicks.

Moreover, ransomware code has become more sophisticated and shifted from basic programs to well-designed crypto-ransomware. I define crypto-ransomware as the following: “A crypto-ransomware is a type of malware that encrypts a user’s data. Data access is restricted until a ransom is paid to decrypt it.” Virlock is a good example of current ransomware sophistication; this crypto-ransomware locks its victims’ screens and encrypts specific files (such as images, documents, music, executables and so on), but also has self-spreading capabilities. What makes it stand out is the fact that this malware is polymorphic (meaning the code changes each time it runs and is different for each infected host).

According to Fossi & al. (2015), crypto-ransomware expanded from 8,274 in 2013 to 373,342 in 2014.

What would be new areas of expansion for crypto-ransomware and their ‘basic’ counterparts?

My best guess is that cybercriminals will be taking advantage of the security loopholes of smartphones, as well as emerging IT trends such as M2M & the Internet of Things.

The number of mobile malware threats exploded in 2013, and multiple mutated ransomware variants appeared in the Android application ecosystem (Apvrille, 2014)—what works on desktop computers could be easily mimicked in a mobile environment (Becher et al., 2011). According to Oberheide and Jahanian (2010), ransomware attacks have already targeted mobile users en masse in China.

As vehicles become increasingly connected in this Internet of Things era, they will also face the threat of ransomware in the years to come. Zhang, Antunes and Aggarwal (2014) highlighted this security challenge: “ransomware could allow an attacker to remotely disable selected vehicle functions (e.g., lock the doors or the in-car radio, immobilize the engine) in a way that the vehicle owner’s car keys can no longer activate them. The attackers can then demand ransom to be paid before reenabling these functions” (p.14).

To sum up, we are experiencing the transition from traditional ransomware threats (ransomware 1.0) to new and more complex attacks (crypto-ransomware) targeting desktop computers.
However, I believe cybercriminals will capitalize on malicious codes and target emerging and less-secured areas: mobile devices, M2M and the Internet of Things.

References:

Apvrille, A. (2014). The evolution of mobile malware. Computer Fraud & Security, 2014(8), 18-20.
Becher, M., Freiling, F. C., Hoffmann, J., Holz, T., Uellenbeck, S., & Wolf, C. (2011). Mobile security catching up? revealing the nuts and bolts of the security of mobile devices. In Security and Privacy (SP), 2011 IEEE Symposium on (pp. 96-111). IEEE.
Fossi, M., Egan, G., Haley, K., Johnson, E., Mack, T., Adams, T., & Wood, P. (2011). Symantec internet security threat report trends for 2015. Volume XX.
Foster, B., & Lejins, Y. (2013). Ehealth security Australia: The solution lies with frameworks and standards. Proceedings of the 2nd Australian eHealth Informatics and Security Conference, 2-4 December 2013, Edith Cowan University, Perth, Western Australia.
Gazet, A. (2010). Comparative analysis of various ransomware virii. Journal in computer virology, 6(1), 77-90.
Kshetri, N. (2013). Cybercrimes in the Former Soviet Union and Central and Eastern Europe: current status and key drivers. Crime, law and social change, 60(1), 39-65.
Luo, X., & Liao, Q. (2007). Awareness education as the key to Ransomware prevention. Information Systems Security, 16(4), 195-202.
Oberheide, J., & Jahanian, F. (2010). When mobile is harder than fixed (and vice versa): demystifying security challenges in mobile environments. In Proceedings of the Eleventh Workshop on Mobile Computing Systems & Applications (pp. 43-48). ACM.
Richet, J. L. (2013). From Young Hackers to Crackers. International Journal of Technology and Human Interaction (IJTHI), 9(3), 53-62.
Zhang, T., Antunes, H., & Aggarwal, S. (2014). Defending connected vehicles against malware: Challenges and a solution framework. IEEE Internet of Things Journal, 1(1), 10-21.

***
Download this article: ”Extortion on the Internet: the Rise of Crypto Ransomware”

Decentralized Cryptographic Information Black Market

Abstract:
This article highlights a new business that has appeared in the cybercrime underworld: a decentralized and anonymous black-market in which one can sell any confidential and valuable information. What is promoted as a platform for whistleblowers is in fact a place where one could sell stolen credit cards data, 0 day exploits and software vulnerabilities, child porn, stolen databases, and so on and so forth. We describe the mechanisms of this platform for cybercriminals, explain its fallacy, and argue for the need of protection for real ‘moral heroes’ – individuals protecting our human rights and pushing back against corruption and state powers.

Keywords:
whistleblower, cybercrime, bitcoin, cryptographic, black-market, information marketplace.

Buy and Sell data leaks anonymously

I have recently discovered Darkleaks, a decentralized and anonymous black-market in which you can sell any confidential and valuable information.

The service is advertised all over the internet with a sales pitch like this:
Do you want to be a whistleblower – or do you want to make a few bucks out of data leaks? Have you ever dreamed of distributing an encrypted data leak to the world, let people bid on this dark secret, and earn money anonymously through bitcoin?

The project’s developers promote it as:

the best tool to trade any kind of media, information, video, data and documents that have value.
> Hollywood movie
> Trade secrets
> Government secrets
> Proprietary source code
> Industrial designs like medicine or defense
> Zero day exploits
> Stolen databases
> Proof of tax evasion
> Military intelligence
> Celebrity sex pictures
> Corruption

How does it work?

When the leaker selects a document, it is broken up into segments. Each of the segments is hashed, and a Bitcoin address is generated using the hash as the secret key. From this public key, a new key is generated to encrypt the segments. The encrypted segments are released for public download with the list of Bitcoin addresses.

To prove the authenticity of the document, the system uses a trustless provably fair mechanism. When announcing the leak, the leaker chooses a date and number of the chunks to be released. Based on the Bitcoin block hash at that time, some provably fair random numbers are chosen to select segments to be unlocked. This allows the community to verify the veracity of the file and decide whether they want to pay for the remaining encrypted segments.

The buyers then send Bitcoins to these addresses. When the leaker decides to claim the Bitcoins from the private key, due to how Bitcoin is designed he must release the public key which allows the buyers to decrypt the document.

Because the leaker cannot pre-choose which segments are released, the buyers can verify the addresses are correct, and the segments can be decrypted. This makes for an authenticable and trustless mechanism for selling information on the decentralized black market.

We need to protect ‘moral heroes’… not another cybercriminal underground marketplace

Of course, we need individuals to protect our human rights and push back against corruption and state powers – and we need to protect these individuals.
After the whistle, most leakers of government secrets have their lives changed. Sentencing in media leak cases has historically been relatively light from 1973 to 2005, with only 24 months of prison time for the three whistleblowers prosecuted. Yet, ACLU observed that Obama has “secured 526 months of prison time for national security leakers,” with the vast majority given to Chelsea Manning, who was sentenced to 35 years.
Edward Snowden, former NSA employee who released classified documents on U.S. monitoring plans, is now in Russia, with his destiny at stake. The Justice Department declared in mid-2013 that it won’t seek the death penalty in prosecuting him, but he is still charged with thievery and espionage.

However, in the case of Darkleaks, I fear that this platform will also be a place where one could sell stolen credit card data, 0-day exploits and software vulnerabilities, child porn, stolen databases, and so on. Indeed, there is a huge market for personal data, from US SSNs to email addresses to credit card data (Acquisti, Taylor, & Wagman, 2014). This black market will soon be overcrowded with scammers: no crystal ball is required to predict that it will become a future playground for cybercriminals…

Could we compare the Darkleaks market model with software vulnerability markets?
On this very topic, I really liked Kannan & Telang's (2005) research on software vulnerability disclosure markets. The authors demonstrate that an active unregulated market-based mechanism for vulnerabilities almost always underperforms a passive infomediary-type mechanism.
To sum up, a movement toward a market-based mechanism might not lead to a better social outcome…

The issue of anonymity remains. Whistleblower Protection Acts are a false hope. According to Martin (2003), they are just an appearance of protection: remarkably inefficient, flawed and unhelpful.
How to protect ‘moral heroes’ (Malin, 1982)?

Syta, Michael and Ford (2014) might have the solution – their convincing research pitch is as follows:

“In privacy-sensitive communications, one user sometimes needs to prove to be a member of some explicit, well-defined group, without revealing his individual identity.

Consider for example a whistleblower who wishes to leak evidence of corporate or government wrongdoing to a journalist, via an anonymous electronic “drop box”.

The journalist needs to validate the source’s trustworthiness, but the whistleblower is reluctant to reveal his identity for fear their communications might be compromised, or that the journalist will be coerced into testifying against the source.

The whistleblower thus wishes to authenticate anonymously as a member of some authoritative circle who plausibly has knowledge of and access to the leaked information, such as a corporate board member or executive, or a government official of a given rank.

Even if the whistleblower convinces the journalist of his authority, the journalist may also require corroboration: e.g., confirmation by one or more other members of this authoritative circle that the leaked information is genuine. Other members of this authoritative circle may be just as reluctant to communicate with the journalist, however. If a potential corroborator also demands anonymity, how can the journalist (or the public) know that the corroborator is indeed a second independent source, and not just the original source wearing a second guise?

In general, if the journalist knows k pseudonymous group members, how can he know that these pseudonyms proportionally represent k real, distinct group members, and are not just k Sybil identities?

Finally, the whistleblower is concerned that once the leak becomes public, he may be placed under suspicion and any of his computing devices may be confiscated or compromised along with his private keys.

Even if his keys are compromised, the whistleblower needs his anonymity forward protected, against both the journalist and any third-parties who might have observed their communications. Further, the whistleblower wishes to be able to deny having even participated in any sensitive communication, including the fact of having authenticated at all (even anonymously) to the journalist.”

The protocol of Syta, Michael and Ford (2014) satisfies the above requirements (anonymity, proportionality, forward anonymity, and deniability). Their research paper might be interesting reading for journalists and would-be moral heroes waiting to uncover corruption and wrongdoing.

References:

Acquisti, A., Taylor, C., & Wagman, L. (2014). The economics of privacy. Journal of Economic Literature.

Kannan, K., & Telang, R. (2005). Market for software vulnerabilities? Think again. Management Science, 51(5), 726-740.

Malin, M. H. (1982). Protecting the Whistleblower from Retaliatory Discharge. U. Mich. J.L. Reform, 16, 277.

Martin, B. (2003). Illusions of whistleblower protection. UTS L. Rev., 5, 119.

Syta, E., Michael, B. P. D. I. W., & Ford, F. B. (2014). Deniable Anonymous Group Authentication. Retrieved from cpsc.yale.edu

***
Download this article: “Decentralized Cryptographic Information Black Market”

A fraud with bitcoins? The Mycoin scandal has nothing to do with Bitcoin

Abstract:
Bitcoin is again drawing scrutiny: in February 2015, media from all over the world ran headlines about “a tremendous fraud with bitcoins”. In the wake of this scandal, Hong Kong’s central bank warned customers against acquiring virtual currencies. However, we argue that the Mycoin scandal has nothing to do with Bitcoin. It is just a bitcoin-based scam that could have been carried out with any other crypto, digital or physical currency.

Keywords:
Bitcoin, Mycoin, Ponzi scheme, scam, Hong Kong, currency exchange.

 

***

Last summer, local Chinese investors took a trip to Hong Kong for a bitcoin event financed by Mycoin, the Hong Kong company that has just suddenly closed shop, taking an estimated $390 million along with it.

Today, Mycoin’s business office is vacant, a managing director has supposedly transferred the firm’s financial assets to a British Virgin Islands account before leaving, and more and more people say that, in spite of promoting itself as a hub for currency exchange, Mycoin in fact had no bitcoin at all.

Bitcoin is again drawing scrutiny, and in the wake of this scandal, Hong Kong’s central bank warned customers against acquiring virtual currencies.

However, this has nothing to do with Bitcoin at all: MyCoin was basically running a Ponzi scheme based on Bitcoins.

This generates negative publicity for this cryptocurrency and contributes to its poor reputation as nearly anonymous (Reid & Harrigan, 2013), risky and insecure (Moore and Christin, 2013; Eyal and Sirer, 2014).

In 2012, the bitcoin trading platform Mt.Gox froze the accounts of users who possessed bitcoins that could be directly related to theft and fraud (Moser, Bohme, & Breuker, 2013). In spite of this, scamming people with bitcoin hasn’t ceased at all: it has even turned out to be a remarkably lucrative business for cybercriminals (Richet, 2013; Tropina, 2014).

In their empirical study of Bitcoin-based scams, Vasek and Moore (2015) identify 192 scams and classify them into four groups: Ponzi schemes, mining scams, scam wallets and fraudulent exchanges. In 21% of the cases, they found the associated Bitcoin addresses, which enables them to track money into and out of the scams. They find that at least $11 million has been contributed to the scams from 13 000 distinct victims. Indeed, the most successful scams depend on large contributions from a very small number of victims…

References:

Eyal, I., & Sirer, E. G. (2014). Majority is not enough: Bitcoin mining is vulnerable. In Financial Cryptography and Data Security (pp. 436-454). Springer Berlin Heidelberg.

Moore, T., & Christin, N. (2013). Beware the middleman: Empirical analysis of bitcoin-exchange risk. In Financial Cryptography and Data Security (pp. 25-33). Springer Berlin Heidelberg.

Moser, M., Bohme, R., & Breuker, D. (2013, September). An inquiry into money laundering tools in the Bitcoin ecosystem. In eCrime Researchers Summit (eCRS), 2013 (pp. 1-14). IEEE.

Reid, F., & Harrigan, M. (2013). An analysis of anonymity in the bitcoin system (pp. 197-223). Springer New York.

Richet, J. L. (2013). Laundering Money Online: a review of cybercriminals methods. arXiv preprint arXiv:1310.2368.

Tropina, T. (2014, June). Fighting money laundering in the age of online banking, virtual currencies and internet gambling. In ERA Forum (Vol. 15, No. 1, pp. 69-84). Springer Berlin Heidelberg.

Vasek, M., & Moore, T. (2015). There’s No Free Lunch, Even Using Bitcoin: Tracking the Popularity and Profits of Virtual Currency Scams. Financial Cryptography and Data Security 2015 Conference.

***

Download this article: “Bitcoins based-scams”