Techy Things lawyers need to know

Post on 29-Oct-2014


A very general introductory presentation for the Law Society of NSW on the Internet, technology and their relationship to current criminal and civil law. Looks at the fraud ecosystem and the players that make money: from malware, keylogging, phishing, trojans, carders (folks who sell stolen identities) and fraud through to copyright issues and new business models for selling songs, finishing up with workplace policies and acceptable behaviour on social networks.

Transcript of Techy Things lawyers need to know

Hamish Fraser - Partner, Truman Hoyle

David Jones – CTO & Founder, ThreatMetrix

Did You Know

Techy things that lawyers need to know

If you think that was fast…

Hacking and Cybercrime is a war of countermeasures

Cybercrime Foodchain (organised, cellular, distributed, technically skilled)

ThreatMetrix Confidential

Credit: Verisign

Cybercrime is mostly dealt with “in the trenches”


When credit cards, logins and identities are stolen and traded, verifying or forensically investigating is time consuming and flawed.

Mostly prevention rather than remedy:
- Local criminals pretending to be overseas
- Overseas criminals pretending to be local

Step 1: Get some stolen ID/Card

Step 2: Bad Guys hide location with proxies and anonymisers

UTC+2

Countermeasure: Reveal True IP and Location

| Transaction Time | ThreatMetrix Device ID | Account Email | Browser Lang. | Masked IP Add. | Masked IP City |
|---|---|---|---|---|---|
| 8/25/2008 17:24 | cf3fad94727611dd800000167e5d5632 | wenthappy05@yahoo.com | zh-cn | 66.79.172.10 | New York |
| 8/25/2008 18:17 | cf3fad94727611dd800000167e5d5632 | songlolvesky@aol.com | zh-cn | 208.77.47.109 | New York |
| 8/27/2008 12:57 | cf3fad94727611dd800000167e5d5632 | fasterfeel148@yahoo.com | zh-cn | 78.129.235.30 | Brussels |
| 8/28/2008 12:25 | cf3fad94727611dd800000167e5d5632 | leafsummer@decmail.com | zh-cn | 208.77.43.80 | New York |
| 8/28/2008 19:09 | cf3fad94727611dd800000167e5d5632 | digtreejob3@yahoo.com | zh-cn | 204.16.192.197 | Los Angeles |
| 9/3/2008 13:33 | cf3fad94727611dd800000167e5d5632 | bardeep@usa-11.com | zh-cn | 64.32.7.84 | Kalispell |
| 9/5/2008 12:24 | cf3fad94727611dd800000167e5d5632 | brightsun20@gmail.com | zh-cn | 66.79.172.10 | New York |
| 9/12/2008 13:08 | cf3fad94727611dd800000167e5d5632 | believelove@scotlandmail.com | zh-cn | 78.129.235.35 | Brussels |
| 9/12/2008 13:20 | cf3fad94727611dd800000167e5d5632 | clickworldnow@verizonmail.com | zh-cn | 205.209.175.5 | Los Angeles |
| 9/12/2008 16:48 | cf3fad94727611dd800000167e5d5632 | melanie.shiken@hotmail.com | zh-cn | 66.79.172.100 | New York |
| 9/16/2008 14:33 | cf3fad94727611dd800000167e5d5632 | luckysmile@fastmail.net | zh-cn | 204.16.195.71 | New York |
| 9/17/2008 14:19 | cf3fad94727611dd800000167e5d5632 | playgamehappy@hotmail.com | zh-cn | 75.126.8.13 | New York |
| 9/18/2008 11:59 | cf3fad94727611dd800000167e5d5632 | everybeatens@yahoo.com | zh-cn | 75.126.8.13 | New York |
| 9/18/2008 12:56 | cf3fad94727611dd800000167e5d5632 | rightfair@veryspeedy.net | zh-cn | 208.101.53.226 | New York |
| 9/18/2008 15:02 | cf3fad94727611dd800000167e5d5632 | oscarwanhe7095@hotmail.com | zh-cn | 75.126.8.10 | New York |
| 9/19/2008 12:38 | cf3fad94727611dd800000167e5d5632 | harrytop211@gmail.com | zh-cn | 208.101.53.230 | New York |
| 9/19/2008 13:25 | cf3fad94727611dd800000167e5d5632 | yellowroad@sammimail.com | zh-cn | 78.129.235.34 | Brussels |
| 9/19/2008 18:40 | cf3fad94727611dd800000167e5d5632 | eddylan3346@hotmail.com | zh-cn | 208.98.30.90 | Kalispell |
| 9/22/2008 16:51 | cf3fad94727611dd800000167e5d5632 | oceanwideheart@catholic.org | zh-cn | 208.101.53.227 | New York |
| 9/22/2008 17:35 | cf3fad94727611dd800000167e5d5632 | taylorzhu8911@hotmail.com | zh-cn | 75.126.8.13 | New York |
| 9/22/2008 19:13 | cf3fad94727611dd800000167e5d5632 | heatteamfans@yahoo.com | zh-cn | 75.126.8.13 | New York |
| 9/24/2008 17:29 | cf3fad94727611dd800000167e5d5632 | morgantong5198@hotmail.com | zh-cn | 66.2228.113.2 | New York |
| 9/25/2008 12:45 | cf3fad94727611dd800000167e5d5632 | moomrising@rushpost.com | zh-cn | 64.32.7.97 | Kalispell |

One Month Same Device 23 User Names In China Pretending to be in…

Synthetic Identities generated by Fraudster spoofing IP

Botnets: Ultimate Anonymity

Botnet: DDOS impact (Distributed Denial of Service, rentable by the hour!)

Faking Emails

Faking Emails (manual and 5 mins work)

Faking Emails (or send millions with a Botnet)

Why merchants need “some” info

| Created | Account Login | IP Address | IP Geo | Cookies Enabled | Javascript Enabled | Payment Dollars | Payment Currency | Payment Response |
|---|---|---|---|---|---|---|---|---|
| 12/9/2008 5:28 | lehung | 216.127.92.39 | US | no | no | 20 | usd | Reject |
| 12/9/2008 5:26 | truyen2 | 216.127.92.39 | US | no | no | 20 | usd | Accept |
| 12/9/2008 5:24 | truyen4 | 216.127.92.39 | US | no | no | 20 | usd | Accept |
| 12/9/2008 5:22 | hungkt16 | 216.127.92.39 | US | no | no | 20 | usd | Accept |
| 12/9/2008 5:19 | jtungss | 216.127.92.39 | US | no | no | 20 | usd | Accept |

| Created | Account Login | Device ID | Proxy IP | Proxy IP Geo | Proxy Type | True IP | True IP Geo |
|---|---|---|---|---|---|---|---|
| 12/9/2008 5:28 | lehung | cc4fa496c54511dd800000163e119596 | 216.127.92.39 | US | hidden | 58.187.21.118 | VN |
| 12/9/2008 5:26 | truyen2 | cc4fa496c54511dd800000163e119596 | 216.127.92.39 | US | hidden | 58.187.21.118 | VN |
| 12/9/2008 5:24 | truyen4 | cc4fa496c54511dd800000163e119596 | 216.127.92.39 | US | hidden | 58.187.21.118 | VN |
| 12/9/2008 5:22 | hungkt16 | cc4fa496c54511dd800000163e119596 | 216.127.92.39 | US | hidden | 58.187.21.118 | VN |
| 12/9/2008 5:19 | jtungss | cc4fa496c54511dd800000163e119596 | 216.127.92.39 | US | hidden | 58.187.21.118 | VN |

With ThreatMetrix [Fraud Stopped 1st time]

Using old-school “velocity” detection [Fraud stopped on 5th try]

Stops Fraud First Time


Stop fraud first time by detecting and piercing proxies to discover true location of device
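
The comparison on these slides, as an added example (not ThreatMetrix code): the five December 2008 rows from the table are replayed through a per-IP velocity rule and through a check on the proxy-type and true-IP fields. The velocity threshold (more than 4 distinct logins from one IP in 10 minutes) and the function names are assumptions; the slides give only the outcome. The true-IP and device-ID fields are taken as given, since the slides do not say how they are derived.

```python
from datetime import datetime, timedelta

# Rows from the slide's table (oldest first). Every row shares these fields.
SHARED = {"device": "cc4fa496c54511dd800000163e119596",
          "proxy_ip": "216.127.92.39", "proxy_geo": "US", "proxy_type": "hidden",
          "true_ip": "58.187.21.118", "true_geo": "VN"}
ROWS = [("12/9/2008 5:19", "jtungss"), ("12/9/2008 5:22", "hungkt16"),
        ("12/9/2008 5:24", "truyen4"), ("12/9/2008 5:26", "truyen2"),
        ("12/9/2008 5:28", "lehung")]
EVENTS = [dict(SHARED, time=datetime.strptime(t, "%m/%d/%Y %H:%M"), login=login)
          for t, login in ROWS]


def velocity_rule(events, max_logins=4, window=timedelta(minutes=10)):
    """1-based index of the first event rejected by a per-IP velocity rule.

    Assumed rule (the slides give no threshold): reject once more than
    max_logins distinct logins arrive from one visible IP inside the window.
    """
    recent = {}  # visible IP -> [(time, login), ...] still inside the window
    for n, e in enumerate(events, 1):
        hits = [(t, l) for t, l in recent.get(e["proxy_ip"], [])
                if e["time"] - t <= window]
        hits.append((e["time"], e["login"]))
        recent[e["proxy_ip"]] = hits
        if len({l for _, l in hits}) > max_logins:
            return n
    return None


def proxy_rule(events):
    """1-based index of the first event whose true-IP country differs from
    the country of the IP the merchant sees while a hidden proxy is reported."""
    for n, e in enumerate(events, 1):
        if e["proxy_type"] == "hidden" and e["true_geo"] != e["proxy_geo"]:
            return n
    return None


def logins_per_device(events):
    """Map each device ID to the set of account logins seen from it."""
    seen = {}
    for e in events:
        seen.setdefault(e["device"], set()).add(e["login"])
    return seen


if __name__ == "__main__":
    print("velocity rule rejects attempt", velocity_rule(EVENTS))
    print("proxy rule rejects attempt", proxy_rule(EVENTS))
    print({d: sorted(l) for d, l in logins_per_device(EVENTS).items()})
```

With these assumptions the velocity rule lets four payments through before it fires, while the proxy check has everything it needs on the first row.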

Cloud Computing Security

• PCI – Visa/Mastercard
• TJ Maxx, Heartland Breaches
• PII – Personally Identifiable Information (SSN, DOB, Drivers License, combinations)

Problem for data owners:
• Quite often they are not competent
• Outsourced Development has risks
• Zero-day flaws = It's easier to hack than protect (?)

Privacy and ALRC

• Australian Law Reform Commission (ALRC) report in Aug 2008 (after 2 ½ yrs)
• 2,700 page report making 295 recommendations
• 2 parts, the easy (18 months) and the hard (no likely time frame)
• Nothing yet!

Not much better in USA

• CA SB1386 (PII)
• “(e) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver's license number or California Identification Card number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.”
• Or not
• email address?
• Combinations?
• EU?

• Play Channel 7 Video seven.mp4

Google Buzz: What's wrong with this picture?

BTW, why can “I” see this?


Other ways to offend other laws

• Twitter
• Blogs
• Gaming
• Web 2.0 (UGC)

• Defamation
• Vilification
• TPA

What issues arise here?

Copyright

• Filesharing
• iiNet wasn't authorising
• Lily Allen was offended, but still got it wrong!
• Google images misconception. Google Books
• YouTube content
• General confusion
• JK Wedding

Chris Brown - Forever

• Song was released in May 2008
• JK Wedding in July 2009 (43M views – 16M in first 10 days)
• Got to #6 in iTunes Downloads in July 2009
• What happened?

Chasing Copyrighted content is tough

• Digital Checksums/Fingerprints
• Watermarks
• Steganography
• Media manipulation is easy (Shenzhen image touchup sweatshop)
• Photoshop in dating and outsourcing market (faked DLs, passports and avatars)

Questions? (Slides at: http://www.slideshare.net/djinoz)

David @djinoz

http://djinoz.com

http://www.google.com/profiles/david.jones

Hamish

http://www.trumanhoyle.com.au/people.htm

http://twitter.com/hkbf

http://au.linkedin.com/pub/hamish-fraser/4/9a5/306