DOCSLIB.ORG

Detection of Web Vulnerabilities Via Model Inference Assisted Evolutionary Fuzzing Fabien Duchene

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Detection of Web Vulnerabilities Via Model Inference Assisted Evolutionary Fuzzing Fabien Duchene Detection of Web Vulnerabilities via Model Inference assisted Evolutionary Fuzzing Fabien Duchene To cite this version: Fabien Duchene. Detection of Web Vulnerabilities via Model Inference assisted Evolutionary Fuzzing. Computation and Language [cs.CL]. Grenoble University, 2014. English. tel-01102325 HAL Id: tel-01102325 https://hal.archives-ouvertes.fr/tel-01102325 Submitted on 12 Jan 2015 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. THESE` Pour obtenir le grade de DOCTEUR DE L’UNIVERSITE´ DE GRENOBLE Specialit´ e´ : Informatique Arretˆ e´ ministerial´ : 7 Aoutˆ 2006 Present´ ee´ par Fabien Duchene` These` dirigee´ par Professeur Roland Groz et co-encadree´ par Docteur Jean-Luc Richier prepar´ ee´ au sein Laboratoire d’Informatique de Grenoble et de Ecole´ Doctorale Mathematiques,´ Sciences et Technologies de l’Information, Informatique Detection of Web Vulnerabilities via Model Inference assisted Evo- lutionary Fuzzing These` soutenue publiquement le 2 Juin, 2014, devant le jury compose´ de : M. Jean-Luc RICHIER Charge´ de Recherche, CNRS, France, Co-encadrant de these` M. Roland GROZ Professeur, Grenoble INP, France, Directeur de these` M. Bruno LEGEARD Professeur, Universite´ de Franche-Comte,´ France, Rapporteur M. Herbert BOS Professeur, VU Amsterdam, Pays-Bas, Rapporteur M. Mario HEIDERICH Docteur, Ruhr-Universitat¨ Bochum, Allemagne, Examinateur M. Yves DENNEULIN Professeur, Grenoble INP, France, Examinateur 2 Dedication 3 4 Acknowledgements 5 6 Detection´ de Vulnerabilit´ es´ Web par Frelatage Evolutionniste et Inference´ de Modele` Resum´ e:´ Le test est une approche efficace pour detecter´ des bogues d’implemen-´ tation ayant un impact sur la securit´ e,´ c.-a-d.` des vulnerabilit´ es.´ Lorsque le code source n’est pas disponible, il est necessaire´ d’utiliser des techniques de test en boˆıte noire. Nous nous interessons´ au probleme` de detection´ automatique d’une classe de vulnerabilit´ es´ (Cross Site Scripting alias XSS) dans les applications web dans un contexte de test en boˆıte noire. Nous proposons une approche pour inferer´ des modeles` de telles applications et frelatons des sequences´ d’entrees´ gen´ er´ ees´ a` partir de ces modeles` et d’une grammaire d’attaque. Nous inferons´ des automates de controleˆ et de teinte, dont nous extrayons des sous-modeles` afin de reduire´ l’espace de recherche de l’etape´ de frelatage. Nous utilisons des algorithmes gen´ etiques´ pour guider la production d’entrees´ malicieuses envoyees´ a` l’application. Nous produisons un verdict de test graceˆ a` une double inference´ de teinte sur l’arbre d’analyse grammaticale d’un navigateur et a` l’utilisation de mo- tifs de vulnerabilit´ es´ comportant des annotations de teinte. Nos implementations´ LigRE et KameleonFuzz obtiennent de meilleurs resultats´ que les scanneurs boˆıte noire open-source. Nous avons decouvert´ des XSS “0-day” (c.-a-d.` des vulnerabilit´ es´ jusque lors inconnues publiquement) dans des applications web utilisees´ par des millions d’utilisateurs. Keywords: Securit´ e,´ Frelatage, XSS, Algorithme Evolutionniste, Inference,´ Intelligence Artificielle, Applications Web Detection of Web Vulnerabilities via Model Inference assisted Evolutionary Fuzzing Abstract: Testing is a viable approach for detecting implementation bugs which have a security impact, a.k.a. vulnerabilities. When the source code is not available, it is necessary to use black-box testing techniques. We address the problem of automatically detecting a certain class of vulnerabilities (Cross Site Scripting a.k.a. XSS) in web applications in a black-box test context. We propose an approach for inferring models of web applications and fuzzing from such models and an attack grammar. We infer control plus taint flow automata, from which we produce slices, which narrow the fuzzing search space. Genetic algorithms are then used to schedule the malicious inputs which are sent to the application. We incorporate a test verdict by performing a double taint inference on the browser parse tree and combining this with taint aware vulnerability patterns. Our implementations LigRE and KameleonFuzz outperform current open-source black-box scanners. We discovered 0-day XSS (i.e., previously unknown vulnerabilities) in web applications used by millions of users. Keywords: Security, Fuzzing, XSS, Evolutionary Algorithm, Inference, Artificial Intelligence, Web Applications Contents 1 Introduction 11 1.1 Context............................... 11 1.2 Vulnerabilities............................ 13 1.3 Objectives.............................. 15 1.4 Contributions............................ 15 1.5 Dissertation Structure........................ 16 2 Problem Statement 17 2.1 Cross Site Scripting (XSS)..................... 18 2.2 Definitions.............................. 22 2.3 Fuzzing............................... 31 2.4 Other WCI............................. 32 2.5 Black-Box XSS Detection..................... 32 3 Our Proposal 35 3.1 Model Inference........................... 35 3.2 Evolutionary XSS Fuzzing..................... 38 4 Inference for XSS 43 4.1 Our Approach............................ 43 4.2 Control Flow Inference....................... 44 4.3 Taint Flow Inference........................ 61 4.4 Flow-Aware Input Gen........................ 65 4.5 Implementation........................... 67 4.6 Related Work............................ 69 5 GA XSS Fuzzing 73 5.1 Introduction............................. 73 5.2 Evolutionary XSS Fuzzing..................... 74 5.3 Implementation........................... 86 5.4 Related Work............................ 88 6 XSS Experiments 91 6.1 Evaluation methodology...................... 91 6.2 LigRE evaluation.......................... 92 6.3 KameleonFuzz evaluation...................... 97 6.4 Discussion.............................. 101 9 CONTENTS CONTENTS 7 Other Approches 105 7.1 White & GreyBox.......................... 105 7.2 Black-Box Approaches....................... 106 8 Discussion & Conclusion 109 8.1 Discussion.............................. 109 8.2 Conclusion............................. 114 References 117 List of Figures............................... 132 List of Tables............................... 133 List of Algorithms............................. 135 List of Listings.............................. 137 List of Acronyms............................. 139 A Web Scanners Configuration 141 B KameleonFuzz: List of Taint Aware tree Patterns 153 C 0-day Found XSS Vulnerabilities 155 Two of the 0-days XSS discovered by KameleonFuzz.......... 155 Examples of Vulnerabilities that KameleonFuzz is unable to detect... 158 Appendices 131 10 CHAPTER 1 Introduction Why did I rob banks? Because I enjoyed it. I loved it. Go where the money is...and go there often. [Sutton & Linn 2004] The world is a dangerous place to live ; not because of those who do evil, but because of those of the people who don’t do anything about it. [Einstein 1955] Computer security is the cancer of the software industry. There is no money to prevent it. Only sick persons care about it, but it is generally already too late. However, everybody will have to face it someday. [Ruff 2013b] Do not underestimate the importance of cyber-attack capabilities. I do not know how to defend a system if you are unaware of how to attack it. [Filiol 2013b] 1.1 Context Actors and Threats The Internet is a connected network of billions of devices. For the simplicity of administrating them, we plugged into this network of net- works devices having an impact on the physical world: traffic control, power plants, gas stations, etc. Corporations and governments have data-stores connected to the Internet [Duwell 2013]. Banks and trading systems offer an interface with the In- ternet. If not secured, those systems make the Internet a playground for hack- ers with varying motivations (e.g., enemy governments, army, individuals paid by Mafia, etc.). As security researchers, it is our duty to develop new techniques to protect bet- ter national assets such as: energy, money, communication and information. More 11 1.1. CONTEXT CHAPTER 1. INTRODUCTION specifically, in this cyber war, we want to protect computer assets from attacks exploiting vulnerabilities (flaws in the system). A way to achieve such goal is to detect vulnerabilities, and more precisely to detect them as soon as possible. If they are present in our systems, we need to patch them to prevent exploitation (defen- sive security). If they are present in enemy systems, attackers may want to exploit them to gain additional privileges (offensive security). The source code of appli- cations may not be available (e.g., when testing integrated or remote components). In such cases, we need to rely on black-box testing techniques. This thesis focuses on detecting certain classes of vulnerabilities in a black-box test context. Security and Vulnerabilities Figure 1.1 shows a dependability tree according to the [Avizienisˇ et al. 2004] taxonomy. We mark in bold our focus for this thesis. We detect errors and failures that affect availability
Load more

Recommended publications
  • The Underground Economy.Pdf
    THE THE The seeds of cybercrime grow in the anonymized depths of the dark web – underground websites where the criminally minded meet to traffic in illegal products and services, develop contacts for jobs and commerce, and even socialize with friends. To better understand how cybercriminals operate today and what they might do in the future, Trustwave SpiderLabs researchers maintain a presence in some of the more prominent recesses of the online criminal underground. There, the team takes advantage of the very anonymity that makes the dark web unique, which allows them to discretely observe the habits of cyber swindlers. Some of the information the team has gathered revolves around the dark web’s intricate code of honor, reputation systems, job market, and techniques used by cybercriminals to hide their tracks from law enforcement. We’ve previously highlighted these findings in an extensive three-part series featured on the Trustwave SpiderLabs blog. But we’ve decided to consolidate and package this information in an informative e-book that gleans the most important information from that series, illustrating how the online criminal underground works. Knowledge is power in cybersecurity, and this serves as a weapon in the fight against cybercrime. THE Where Criminals Congregate Much like your everyday social individual, cyber swindlers convene on online forums and discussion platforms tailored to their interests. Most of the criminal activity conducted occurs on the dark web, a network of anonymized websites that uses services such as Tor to disguise the locations of servers and mask the identities of site operators and visitors. The most popular destination is the now-defunct Silk Road, which operated from 2011 until the arrest of its founder, Ross Ulbricht, in 2013.
    [Show full text]
  • Beware of These Common Scams
    Beware of these common scams Nigerian Scams People claiming to be officials, businessmen or surviving relatives of former government officials in countries around the world send countless offers via e-mail, attempting to convince consumers that they will transfer thousands of dollars into your bank account if you will just pay a fee or "taxes" to help them access their money. If you respond to the initial offer, you may receive documents that look "official." Unfortunately, you will get more e-mails asking you to send more money to cover transaction and transfer costs, attorney's fees, blank letterhead and your bank account numbers and other sensitive, personal information. Tech Support Scams A tech support person may call or email you and claim that they are from Windows, Microsoft or another software company. The person says your computer is running slow or has a virus and it’s sending out error messages. Scammers will ask you to visit a website that gives them remote access to your computer. If the caller obtains access they can steal personal information, usernames and passwords to commit identity theft or send spam messages. In some cases, the caller may even be asked for a wired payment or credit card information. Lottery Scams In foreign lottery scams, you receive an email claiming that you are the winner of a foreign lottery. All you need to do to claim your prize is send money to pay the taxes, insurance, or processing or customs fees. Sometimes, you will be asked to provide a bank account number so the funds can be deposited.
    [Show full text]
  • Shadowcrew Organization Called 'One-Stop Online Marketplace for Identity Theft'
    October 28, 2004 Department Of Justice CRM (202) 514-2007 TDD (202) 514-1888 WWW.USDOJ.GOV Nineteen Individuals Indicted in Internet 'Carding' Conspiracy Shadowcrew Organization Called 'One-Stop Online Marketplace for Identity Theft' WASHINGTON, D.C. - Attorney General John Ashcroft, Assistant Attorney General Christopher A. Wray of the Criminal Division, U.S. Attorney Christopher Christie of the District of New Jersey and United States Secret Service Director W. Ralph Basham today announced the indictment of 19 individuals who are alleged to have founded, moderated and operated "www.shadowcrew.com" -- one of the largest illegal online centers for trafficking in stolen identity information and documents, as well as stolen credit and debit card numbers. The 62-count indictment, returned by a federal grand jury in Newark, New Jersey today, alleges that the 19 individuals from across the United States and in several foreign countries conspired with others to operate "Shadowcrew," a website with approximately 4,000 members that was dedicated to facilitating malicious computer hacking and the dissemination of stolen credit card, debit card and bank account numbers and counterfeit identification documents, such as drivers' licenses, passports and Social Security cards. The indictment alleges a conspiracy to commit activity often referred to as "carding" -- the use of account numbers and counterfeit identity documents to complete identity theft and defraud banks and retailers. The indictment is a result of a year-long investigation undertaken by the United States Secret Service, working in cooperation with the U.S. Attorney's Office for the District of New Jersey, the Computer Crime and Intellectual Property Section of the Criminal Division of the Department of Justice, and other U.S.
    [Show full text]
  • Online Money Laundering Operations to Take Place
    Laundering Money Online: a review of cybercriminals’ methods Jean-Loup Richet Tools and Resources for Anti-Corruption Knowledge – June, 01, 2013 - United Nations Office on Drugs and Crime (UNODC). Executive Summary Money laundering is a critical step in the cyber crime process which is experiencing some changes as hackers and their criminal colleagues continually alter and optimize payment mechanisms. Conducting quantitative research on underground laundering activity poses an inherent challenge: Bad guys and their banks don’t share information on criminal pursuits. However, by analyzing forums, we have identified two growth areas in money laundering: Online gaming—Online role playing games provide an easy way for criminals to launder money. This frequently involves the opening of numerous different accounts on various online games to move money. Micro laundering—Cyber criminals are increasingly looking at micro laundering via sites like PayPal or, interestingly, using job advertising sites, to avoid detection. Moreover, as online and mobile micro-payment are interconnected with traditional payment services, funds can now be moved to or from a variety of payment methods, increasing the difficulty to apprehend money launderers. Micro laundering makes it possible to launder a large amount of money in small amounts through thousands of electronic transactions. One growing scenario: using virtual credit cards as an alternative to prepaid mobile cards; they could be funded with a scammed bank account – with instant transaction – and used as a foundation of a PayPal account that would be laundered through a micro-laundering scheme. Laundering Money Online: a review of cybercriminals’ methods Millions of transactions take place over the internet each day, and criminal organizations are taking advantage of this fact to launder illegally acquired funds through covert, anonymous online transactions.
    [Show full text]
  • Issues Confronting US Law Enforcement
    The Interplay of Borders, Turf, Cyberspace, and Jurisdiction: Issues Confronting U.S. Law Enforcement Updated January 17, 2013 Congressional Research Service https://crsreports.congress.gov R41927 The Interplay of Borders, Turf, Cyberspace, and Jurisdiction Summary Savvy criminals constantly develop new techniques to target U.S. persons, businesses, and interests. Individual criminals as well as broad criminal networks exploit geographic borders, criminal turf, cyberspace, and law enforcement jurisdiction to dodge law enforcement countermeasures. Further, the interplay of these realities can potentially encumber policing measures. In light of these interwoven realities, policy makers may question how to best design policies to help law enforcement combat ever-evolving criminal threats. Criminals routinely take advantage of geographic borders. They thrive on their ability to illicitly cross borders, subvert border security regimens, and provide illegal products or services. Many crimes—particularly those of a cyber nature—have become increasingly transnational. While criminals may operate across geographic borders and jurisdictional boundaries, law enforcement may not be able to do so with the same ease. Moreover, obstacles such as disparities between the legal regimens of nations (what is considered a crime in one country may not be in another) and differences in willingness to extradite suspected criminals can hamper prosecutions. The law enforcement community has, however, expanded its working relationships with both domestic and international agencies. Globalization and technological innovation have fostered the expansion of both legitimate and criminal operations across physical borders as well as throughout cyberspace. Advanced, rapid communication systems have made it easier for criminals to carry out their operations remotely from their victims and members of their illicit networks.
    [Show full text]
  • Understanding Online Carding Forums
    All Your Cards Are Belong To Us: Understanding Online Carding Forums Andreas Haslebacher, Jeremiah Onaolapo, and Gianluca Stringhini University College London [email protected] fj.onaolapo,[email protected] Abstract—Underground online forums are platforms that The sales volumes thus generated appear to be substantial. enable trades of illicit services and stolen goods. Carding forums, It is estimated, for example, that the closure of several credit in particular, are known for being focused on trading financial card related forums in 2012 prevented international fraud to the information. However, little evidence exists about the sellers that tune of £500 million [2]. It is therefore important to understand are present on active carding forums, the precise types of products the characteristics of these online forums and the activity of they advertise, and the prices that buyers pay. Existing literature cybercriminals using them. focuses mainly on the organisation and structure of the forums. Furthermore, studies on carding forums are usually based on literature review, expert interviews, or data from forums that The body of research into underground forums is growing have already been shut down. This paper provides first-of-its-kind but still limited. In particular, there are only a few studies avail- empirical evidence on active forums where stolen financial data is able about credit card related forums. These studies mainly traded. We monitored five out of 25 discovered forums, collected focus on the organisation and the structure of the forums posts from the forums over a three-month period, and analysed but less on the content itself, that is, the products traded them quantitatively and qualitatively.
    [Show full text]
  • Inside Online Carding Courses Designed for Cybercriminals
    Inside Online Carding Courses Designed for Cybercriminals Card fraud more sophisticated than ever, and what you can do about it Executive Summary Payment card fraud costs banks and merchants billions every year. As consumers spend more and more money online, the opportunities for fraud increase; experts project a loss of $24 billion to payment card fraud by the end of 2018.1 Payment card fraudsters do not operate in a vacuum, instead relying on a sophisticated ecosystem and support network that provides a wide range of credit card details, fraud tools and online tutorials. This paper looks at one recent online course designed for bad actors in order to shed light on the latest fraud tactics and tools, allowing consumers, merchants and credit card companies to better understand the threat and make it harder for the fraudsters. Table of Contents Executive Summary................................................................................................... 2 Payment card fraud is big business – and it’s getting even bigger....................... 3 Fraudsters are only one part of a broader ecosystem........................................... 4 Stage 1: Learn the latest techniques......................................................................... 6 Stage 2: Buy payment cards from a reputable site.................................................. 8 Stage 3: Commit payment card fraud and cash out................................................ 10 Fraudsters score big...............................................................................................
    [Show full text]
  • The President's Identity Theft Task Force
    The President’s Identity Theft Task Force Combating IDENTITY THEFT A Strategic Plan April 2007 COMBATING IDENTITY THEFT A Strategic Plan Table of Contents Glossary of Acronyms .................................................................v Identity Theft Task Force Members ............................................... vii Letter to the President .............................................................. viii I. Executive Summary .............................................................. 1 A. Introduction .................................................................................. 1 B. The Strategy .................................................................................. 2 II. The Contours of the Identity Theft Problem ............................. 10 A. Prevalence and Costs of Identity Theft ......................................... 11 B. Identity Thieves: Who They Are .................................................. 12 C. How Identity Theft Happens: The Tools of the Trade ................... 13 D. What Identity Thieves Do With the Information They Steal: The Different Forms of Identity Theft ........................ 18 III. A Strategy to Combat Identity Theft ....................................... 22 A. Prevention: Keeping Consumer Data out of the Hands of Criminals ..................................................................... 22 1. Decreasing the Unnecessary Use of Social Security Numbers ........................................................ 23 2. Data Security in the Public Sector .........................................
    [Show full text]
  • Learn the Slang and Operational Techniques of Online Payment Fraudsters
    Fraudster Dictionary Learn the slang and operational techniques of online payment fraudsters 1 Table of Contents Intro 3 Real darknet stories - Wall Street Exit Scam 15 Step 1: Learn the language. Fullz 16 Dictionary. 4 MMN 16 MSCS 16 English Language Sphere Ripper 16 Spoofing 17 Altcoins 6 TOR 17 Anonymity Checker 6 VBV 17 Automatic Vending Cart (AVC) 6 AVS 7 Russian Language Sphere BIN 7 Bulletproof hosting 7 Вбив 19 Real darknet stories - Hosting servers Вещевой/Вещевуха 19 inside a military bunker 8 Дроп 19 Carding 9 Дропоwод 19 Cashout 9 Энрол 20 Cardable websites 9 Закладка 20 Credit card checkers 10 Кладсмен 20 Criminal forums 10 Pазогревать Шопa 20 Cryptocurrency mixer 11 Реролл 21 Darknet 11 Фулка 21 Darknet market (DNM) 11 чернухи 21 Darkweb 12 Dead fullz 12 Step 2: Learn techniques. DOB 13 Profiler. 22 Drop 13 Dump 13 Profiler Technology 23 Escrow service 14 Main Profiling Attributes 24 Exit scam 14 Intro Going up against online fraudsters is a tough battle. There isn’t one rule that can help you win it all, but there are certainly some crucial steps each fraud specialist should undertake. Anti-fraud tools are a “must-have’’, but a more sophisticated approach is to understand the behaviour and language of your opponent. However, 75% of fraud analysts admit that they do not research and collect evidence from the darkweb. We totally understand that. Digging through the darknet is a time-consuming job, and it’s hard to keep up with evolving criminal threats and technological advances. It’s also a risky activity.
    [Show full text]
  • I Was a Cybercrook for The
    I Was a Cybercrook for the FBI For 18 tense months, a computer-savvy grifter named David Thomas runs a thriving online crime hub for bank heists, identity theft and counterfeiting, with the FBI paying the bills. By Kim Zetter 02:00 AM Jan, 30, 2007 By the time David Thomas eased his Cadillac into the parking lot of an office complex in Issaquah, Washington, he already suspected the police were on to him. An empty Crown Victoria in one of the parking spaces confirmed it. "That's heat right there," he told his two passengers -- 29-year-old girlfriend Bridget Trevino, and his crime partner Kim Marvin Taylor, a balding, middle-aged master of fake identities he'd met on the internet. It was November 2002, and Thomas, then a 44-year-old Texan, was in Washington to collect more than $30,000 in merchandise that a Ukrainian known as "Big Buyer" ordered from Outpost.com with stolen credit card numbers. His job was to collect the goods from a mail drop, fence them on eBay and wire the money to Russia, pocketing 40 percent of the take before moving to another city to repeat the scam. But things didn't go as planned. Ignoring Thomas' suspicions, Taylor walked into the Meadow Creek Professional Center to collect the Outpost shipment, and found the cops waiting for him. Thomas and his girlfriend tried to escape in the Cadillac but were caught half a mile away. An ID badge that Taylor wore when he was arrested indicated that he worked for Microsoft.
    [Show full text]
  • Site Isolation: Process Separation for Web Sites Within the Browser
    Site Isolation: Process Separation for Web Sites within the Browser Charles Reis, Alexander Moshchuk, and Nasko Oskov, Google https://www.usenix.org/conference/usenixsecurity19/presentation/reis This paper is included in the Proceedings of the 28th USENIX Security Symposium. August 14–16, 2019 • Santa Clara, CA, USA 978-1-939133-06-9 Open access to the Proceedings of the 28th USENIX Security Symposium is sponsored by USENIX. Site Isolation: Process Separation for Web Sites within the Browser Charles Reis Alexander Moshchuk Nasko Oskov Google Google Google [email protected] [email protected] [email protected] Abstract ploitable targets of older browsers are disappearing from the web (e.g., Java Applets [64], Flash [1], NPAPI plugins [55]). Current production web browsers are multi-process but place As others have argued, it is clear that we need stronger iso- different web sites in the same renderer process, which is lation between security principals in the browser [23, 33, 53, not sufficient to mitigate threats present on the web today. 62, 63, 68], just as operating systems offer stronger isolation With the prevalence of private user data stored on web sites, between their own principals. We achieve this in a produc- the risk posed by compromised renderer processes, and the tion setting using Site Isolation in Google Chrome, introduc- advent of transient execution attacks like Spectre and Melt- ing OS process boundaries between web site principals. down that can leak data via microarchitectural state, it is no While Site Isolation was originally envisioned to mitigate longer safe to render documents from different web sites in exploits of bugs in the renderer process, the recent discov- the same process.
    [Show full text]
  • Carding” Reveals
    DATA BREACHES: WHAT THE UNDERGROUND WORLD OF “CARDING” REVEALS Kimberly Kiefer Peretti U.S. Department of Justice Computer Crime and Intellectual Property Section Forthcoming in Volume 25 of the Santa Clara Computer and High Technology Journal Data Breaches: What the Underground World of “Carding” Reveals Kimberly Kiefer Peretti1 “Cyber-crime has evolved significantly over the last two years, from dumpster diving and credit card skimming to full-fledged online bazaars full of stolen personal and financial information.”2 Brian Nagel, Assistant Director, U.S. Secret Service Individuals have been at risk of having their personal information stolen and used to commit identity-related crimes long before the emergence of the Internet. What the Information Age has changed, however, is the method by which identity thieves can access and exploit the personal information of others. One method in particular leaves hundreds of thousands, and in some cases tens of millions, of individuals at risk for identity theft: large scale data breaches by skilled hackers. In this method, criminals remotely access the computer systems of government agencies, universities, merchants, financial institutions, credit card companies, and data processors, and steal large volumes of personal information on individuals. Such large scale data breaches have revolutionized the identity theft landscape, in particular as it relates to fraud on existing accounts by use of compromised credit and debit card account information. Large scale data breaches would be of no more concern than small scale identity thefts if criminals were unable to quickly and widely distribute the stolen information for subsequent fraudulent use (assuming, of course, that the breach would be quickly detected).
    [Show full text]