Raoul Chiesa – from cybercrime to state-sponsored hacking

Raoul Chiesa gives us his view on the current cyber threat landscape, from Snowden’s case to the links between cyber crime and state-sponsored hacking.

Next week the fourth Cybercrime Conference will be held in Rome (http://www.tecnaeditrice.com/eventi/cyber_crime_conference_2014/presentazione), two days in which top experts in the field will analyze high-profile cyber attacks, also discussing legal issues, privacy, and the cyber strategies implemented by different kinds of attackers.

I took the opportunity to interview one of the foremost experts in the world of cyber security, Raoul Chiesa. Finding a definition for Raoul is impossible: some call him a hacker, others an expert, but my only certainty is that Raoul is one of those characters who “makes security”.

Here follows my short interview with Raoul:

What is the impact of Snowden‘s case on state-sponsored hacking? Starting from the consideration that the international law framework on hacking must be reviewed, do you think that governments will be more interested in promoting regulation of hacking campaigns, or will they try to improve their cyber capabilities and continue to conduct even more complex cyber operations?

Raoul Chiesa : Snowden‘s revelations definitely had a huge impact on the Intelligence world. My feeling is that we still have to wait in order to fully realize how much those leaks will impact the whole world. Also, I don’t really think we will have a legal framework on hacking, since right now each country is acting in its own way (see USA, India, UK, and the Netherlands, from different perspectives, i.e. Intelligence VS Law Enforcement).
On the other hand, just as you said, each Government will improve its own cyber capabilities. It’s much like the time of the Cold War, don’t you think so?

Mikko Hypponen, during the recent TrustyCon conference, declared that there is a risk that Government-built malware and cyber weapons will run out of control. What’s your opinion on the topic? What is the most feasible scenario in the next couple of years?

Raoul Chiesa : Well, this already happened, if you think about Stuxnet: it ran out of control, infecting targets in different countries, not just the target one. Cyberweapons – while not regulated at this time by anyone – are an extremely critical asset to deal with.
Often, when speaking at public and private events, or training different MoDs, I highlight something which is very important in my opinion: those tools, techniques and approaches used in the Information Warfare and Black Ops scenarios basically come from Cybercrime, more or less. This means that, just as it happens with Cybercrime tools, the infection vectors (i.e. Malware) will impact a target which will be different from the one originally planned.
The most feasible scenario I do see in the next couple of years is a “Far West” one. The only way we can avoid this is through regulations and international agreements. Here I think the United Nations should play a strong role, and NATO as well, just as it happens when dealing with “standard” peacekeeping and weapons proliferation control.
What I think is kind of weird, though, is that just a few security experts, such as Mikko, Marcus Ranum, myself and a few others, are speaking publicly about this. And the silence of the EU is definitely embarrassing.

Is the availability of Government-built malware in the wild impacting the offering in the underground? (e.g. cyber criminal gangs that are able to reverse engineer malicious code and resell it to other governments)

Raoul Chiesa : Here we are speaking about something which is really weird as well. The main customers of Cybercrime, when speaking e.g. about 0-days, C&C centers, malware writing, are Governments. No matter if it’s about Intelligence agencies or MoDs, that’s a true fact. Once again, this is something which is already happening. It happened with Stuxnet, as far as I know: I learned from different colleagues that two different Ukraine-based malware factories were behind the coding of Stuxnet, acting just like “sub-contractors” for the US and Israel Governments.
Also, whenever we’re speaking about “State-Trojans” and Lawful Interception, well… Governments (Intelligence Agencies, MoDs, and Law Enforcement Agencies) are doing business with private companies – think about the “Spy Files” leak – which are buying 0days and vulnerabilities from the so-called hacking underground and, sometimes, from the Cybercrime market itself. Even if they will never admit this last point.

Is a convergence between cybercrime and state-sponsored hacking possible? Which scenarios do you consider most plausible?

Raoul Chiesa : Just as I mentioned above, this scenario is already ongoing. Well, we should then also give a better definition, and insights, about what you name under the umbrella of “cybercrime”.
Today’s hacking world is composed of a plethora of different actors (think about the Hacker’s Profiling Project I started along with great colleagues at UNICRI back in 2004), which interact in different ways, while “coming from” and “belonging” to very different worlds. Also, think about what happened – and is still happening – in Ukraine, from a state-sponsored hacking perspective, plus what happened back in Estonia and Georgia. Gleb from UISG (Ukraine Information Security Group) released a great presentation, with very critical insights, at an APWG.EU event a few weeks ago: Governments should read that presentation, analyze those facts and data, and learn from the lesson.

Do you consider the possibility of a major cyber attack against a western critical infrastructure in the medium term realistic? What would be the means and motivations?

Raoul Chiesa : I do consider this possible: from a technical perspective, it can already be done, now. The means would be standard vulnerabilities, both public and private ones. Entry points and attack scenarios could vary, depending on the target itself, and on the resources of the attackers (time, budget).
Speaking about motivations, what I see right now are economic ones. I don’t believe that much in what the media and propaganda are telling us about the so-called cyberterrorism and so on. What I mean is that, luckily, the very bad guys (terrorists) haven’t yet well understood the possibilities and plausible attack scenarios that IT and TLC would allow them to abuse. This is a good thing, though, and it’s up to the security communities to be able to speak with, educate, make aware, and teach the decision makers in different areas what the real status is nowadays, and what may happen.

Do common people have concrete means to protect their own privacy? In the name of security, is it really necessary to give up privacy?

Raoul Chiesa : First of all, the concept of “privacy” varies a lot among countries and areas of the world. All of us know that the concept of privacy is much different between the US and the EU, for example.
I’ve really enjoyed Mikko Hypponen’s talk at TED Bruxelles some months ago, especially the last part. He said that privacy is one of the basics when speaking about democracy, while referring to the NSA affair. People are users, and users look like they really don’t understand yet what privacy is all about. They post personal information and data on social media, they connect to every kind of “free” access point and wifi hotspot, they do not encrypt critical data such as their PIN and credit card number when storing them on their PCs and Smartphones.
We need the people to get educated. I think that, on this topic, we do have a lot of associations and projects which are doing a great job: I think about APWG, ENISA, CLUSIT in Italy (and CLUSIF in France, CLUSIS in Switzerland, etc), many EU-funded research projects such as ACDC and Cyberoad, and a lot of so-called “underground” conferences, such as Hack in the Box AMS, CONFidence, St.Hack, ATHCon, just to mention some of the biggest and smallest we have in Europe.
On the other hand, security needs sacrifices; it isn’t an easy mission to accomplish. We must give up on something, if we want to raise the security level around us. But it should be different from, let me say, the justification of “terrorism”: in the name of that threat, indeed, we gave up a lot of privacy, possibly too much. This approach is not working, all of us have been able to see this. We should rethink a better approach, and Governments must be more transparent when dealing with our personal data, behaviors, likes, ideas, and dreams.

Pierluigi Paganini

(Security Affairs – Cyber security, Raoul Chiesa)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field, and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
