If your credit card number has been stolen recently, that may not be the work of a petty criminal. It could be a terrorist cell, according to cybersecurity consultant Tom Kellermann. Increasingly, Kellermann says, terrorist groups and organized crime syndicates are resorting to cybercrime to finance their activities.

From 1999 to 2005, Kellermann was a member of the Treasury Security Team at the World Bank, where he advised central banks on monitoring illicit online activity. He’s currently vice president of security awareness at Core Security Technologies, in Boston. Robert N. Charette, IEEE Spectrum contributing editor, spoke with Kellermann in August.
SPECTRUM: Can you tell us how terrorists and others are using the Internet to coordinate activities, to learn, or to recruit?
KELLERMANN: Nonstate actors like al-Qaeda use the Internet as a means to acquire funds and lines of credit so they can support their physical initiatives. The most notorious al-Qaeda hacker and user of the Internet was Imam Samudra, the Bali bomber. He funded that attack, which cost more than [US] $150 000, by hacking American bank accounts and credit lines. In addition, he wrote a book on hacking, to teach his followers how to get the resources they needed. The traditional “silk road” avenues of getting money weren’t working because of the squeeze by Western governments on money-laundering activities.
In the last five years it has been well documented that organized crime syndicates and nonstate actors alike have realized the importance of utilizing the Internet, particularly alternative payment outlets like E-gold, to move money outside the financial sector. They also have been using the Internet to create lines of credit through identity theft. What you’re seeing is the financing of terrorists and other nonstate actors through the use of cybercrime.
The underground economy is going through a real metamorphosis. There is a complete community now where you essentially can hire mercenaries to build code to attack a targeted system and to data mine that system for your own use.
These cybercriminals have moved away from using Internet relay chat rooms, because they are so heavily monitored. Now they’re using Skype and voice-over-IP chat rooms. They’ve also moved away from conducting widespread attacks, because those generate signatures and thus can be thwarted. So the attacks have become largely targeted at individual systems. Oftentimes they are attacking remote users so they can tunnel into their VPN [virtual private network], which can lead to the very bowels of the network.
Usually they work in crews. So you get one person who creates the exploit code, one person who launches the code, one person who mines the data, one person who launders the funds or sells what was found and, lastly, one person who organizes the group and reaps the benefits. These groups never really meet; they just interact on various chat rooms or through encrypted channels. They may come from different backgrounds and ideologies. They are merely trading in services.
Nonstate actors are actually watching us as we watch them. If they don’t have the technical capacity, they hire it in the various underground chat rooms. The malicious code being developed today is highly targeted. The Trojan horses of today are not keystroke loggers; they are session-based so they can defeat most of the multifactor authentication mechanisms that the various organizations are using. They’re using automated penetration testing tools, like Metasploit, or password-recovery programs, like Cain & Abel, to break into systems.
They know it is far better to keep a system alive and suck any of the valuable information out of it than it is to take it down. This is a huge paradigm shift. The digital Pearl Harbor that Richard Clarke [the former White House counterterrorism advisor] referred to is a myth. The reality is that we have more of a cyber-Fallujah going on—a war of attrition where the sniping and the IEDs are virtual, and the nature of the attack is simplistic. The Robin Hood mentality exists: steal and take what you can or barter what you find so that you can support your efforts in the real world.
SPECTRUM: Sounds like a parasitic approach. How quickly do nonstate actors learn and react to countermeasures taken against them?
KELLERMANN: They react very quickly. They are more intelligent than we are, because we are not playing a real game of chess with them. What we are doing is being reactive.
The information sharing in the underground community is 10 times better than the information sharing by the domain name and various entities that control the networks of today.
Their tactics of attack are far more insidious and devious than our defenses. We are far too reliant on perimeter-based defenses and far too reliant on scanner-based technology and encryption. They know full well that they don’t need to break the firewalls anymore. Instead, they can ride the application that’s moving through the open port. They know full well they no longer need to defeat the encryption, because they can compromise the private key by compromising the client machine on either end. And they know full well that they shouldn’t be breaking into systems using malicious code that has their signature.
Once they’re inside the system, the first thing they do is egress as much information as possible, including the keys for authentication—the keys to the castle. Then they set up as many back doors as possible by setting up rootkits. As most people will tell you, once they have penetrated in that deep, you basically have to rebuild the system to get rid of them.
SPECTRUM: So what can people do to protect themselves?
KELLERMANN: Fundamentally we need to appreciate the sophistication, the organization, and the capabilities of our adversaries. The only way to do that, and most organizations don’t, is to scrimmage our defenses and to play those games like our adversaries do. We currently do not conduct penetration tests or perform risk assessments with the latest attack vectors, with the latest exploit codes, with the latest configuration-based or phased attacks that we see today. We need to attack ourselves like they attack us so we can understand how we are weak and how we can develop better responses.
For more on how terrorist and insurgent groups are leveraging information technology to organize, recruit, and learn, see Open-Source Warfare.