Saturday, January 24, 2009

How to Catch a Cyber Criminal by Staging

The traditional village market has been replaced by the global digital market. The internet has transformed trading of goods, services and commodities fundamentally. Kenyans have swiftly embraced technology and once the national fiber and submarine cable infrastructure is in place, expect a boom in electronic commerce.

However, the same problems of fraud that were witnessed in the village market have crept into the digital realm. Fraudulent schemes continue unabated on the internet. Digital thugs are busy attempting to defraud online customers by misrepresentation and deception. These online criminals try to present goods and services that look, as much as possible, like those that legitimate e-commerce merchants offer.

Their access point is usually the website. The website is today’s bank counter, the first access point. An e-commerce trader has to be more vigilant than the brick and mortar bank manager, because a cyber criminal can easily breach an e-commerce website, commit fraud and leave undetected.

It is therefore vital to counter these web attacks by understanding and using various profiling techniques. One of the most effective is Staging (or posing). This is a profiling technique that can be used to obtain a profile of a financial intruder.

Staging is the manner of website defacement, or the way particular files or resources are left once the intruder has penetrated the system. The habit of leaving deliberate ‘calling cards’ is not common among cyber fraudsters. This is because their motive is to breach e-commerce websites and obtain the data, which can only be achieved by maintaining a sustained covert connection to the system.

They therefore go to great lengths to cover their tracks. The alteration of a crime scene to confuse or mislead is common and is a good example of staging. The forensic investigator looks for signs that not only indicate the presence of an online fraudster but also of cover-up signs.

Intruders attempt to hide or remove evidence of an intrusion by deleting logs, altering date-time stamps, and installing their own utilities to subvert the operating system. They also use strong encryption to cloak their activities by encrypting data before stealing it, encoding communications between compromised hosts and obfuscating executables.

It is therefore important to look for both the presence and the absence of the obvious tracks of an online financial intruder. The presence of encrypted packets within a network is evidence of an intrusion. The absence of router network logs is indicative of an intrusion.
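The two paragraphs above describe what an intruder removes (logs) and alters (date-time stamps), and why the investigator must look for the absence of the obvious. The script below is an added example, not code from the original post, showing two such "absence" checks a defender can run: a scan of syslog-style lines for silent periods that regular logging should never have, and a check for files whose modification time has been rewound while the inode change time still says "now". The log lines and files are constructed inline so it runs offline; the threshold values are assumptions, not figures from the post.

```python
"""Added example (not from the original post): two 'absence of the obvious'
checks for a host suspected of having its tracks covered.

1. find_log_gaps(): flags silent periods longer than max_gap in a log that is
   expected to be written regularly. Wholesale deletion of log lines leaves
   exactly this kind of hole behind.
2. find_backdated_files(): flags files whose modification time (mtime, which
   utime()/`touch -d` can rewrite) is far older than their inode change time
   (ctime, which the kernel sets on every metadata change and ordinary tools
   cannot set directly). Writing a file updates both, so a large mtime/ctime
   split is a mark of deliberate timestamp alteration.
"""
import os
import re
import tempfile
import time
from datetime import datetime, timedelta

# Constructed sample: an hourly cron heartbeat with a six-hour hole in it.
SAMPLE_LOG = """\
2009-01-24 00:00:01 web01 cron[1201]: (root) CMD (run-parts /etc/cron.hourly)
2009-01-24 01:00:01 web01 cron[1244]: (root) CMD (run-parts /etc/cron.hourly)
2009-01-24 02:00:01 web01 cron[1290]: (root) CMD (run-parts /etc/cron.hourly)
2009-01-24 08:00:01 web01 cron[1611]: (root) CMD (run-parts /etc/cron.hourly)
2009-01-24 09:00:01 web01 cron[1658]: (root) CMD (run-parts /etc/cron.hourly)
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def find_log_gaps(text, max_gap=timedelta(hours=2)):
    """Return (start, end, gap) tuples wherever consecutive timestamps are
    further apart than max_gap (assumed threshold: two hours for an hourly
    heartbeat)."""
    stamps = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            stamps.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    gaps = []
    for earlier, later in zip(stamps, stamps[1:]):
        if later - earlier > max_gap:
            gaps.append((earlier, later, later - earlier))
    return gaps


def find_backdated_files(paths, tolerance=60):
    """Return paths whose mtime precedes ctime by more than `tolerance`
    seconds (assumed: one minute of slack for slow copies and coarse
    filesystem clocks)."""
    suspicious = []
    for p in paths:
        st = os.stat(p)
        if st.st_ctime - st.st_mtime > tolerance:
            suspicious.append(p)
    return suspicious


def demo_backdated_file():
    """Create two files in a temp directory: one untouched and one with its
    mtime rewound by a year, the kind of alteration the post describes.
    Returns the base names that the check flags."""
    with tempfile.TemporaryDirectory() as d:
        honest = os.path.join(d, "index.html")
        tampered = os.path.join(d, "stray.php")
        for p in (honest, tampered):
            with open(p, "w") as f:
                f.write("<!-- constructed sample -->\n")
        a_year_ago = time.time() - 365 * 86400
        # utime rewrites atime and mtime only; ctime stays at the present.
        os.utime(tampered, (a_year_ago, a_year_ago))
        flagged = find_backdated_files([honest, tampered])
        return [os.path.basename(p) for p in flagged]


if __name__ == "__main__":
    for start, end, gap in find_log_gaps(SAMPLE_LOG):
        print(f"log silent for {gap} between {start} and {end}")
    print("backdated files:", demo_backdated_file())
```

Both checks are deliberately cheap: they compare the system against what it should look like (a heartbeat every hour, mtime and ctime in step) rather than searching for a known calling card, which is the point of looking for absence. In practice the log baseline should come from a known-good period, and the file check should be run over the web root and the directories an intruder would need to write to.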

Staging is, therefore, a useful profiling technique that can assist our budding local e-entrepreneurs.

1 comment:

john said...

Interesting concept but I feel it is not an effective method of catching cyber criminals, especially for local e-entrepreneurs.

It is one thing to find tell-tale signs of an intrusion but quite another to use that information to build an accurate profile of a cyber-criminal.

A number of challenges come to mind: the use of common tools and guidelines makes it difficult to distinguish between different intruders.

Secondly, without signature behaviors, i.e. calling cards, one would require a substantial amount of information to be able to build an accurate profile, so unless you are working for the CID you are better off plugging the hole and making your systems more secure.

I admit that there is a lot of promise in this field but it is still far from a precise science, and should only be used to supplement other investigative methods.