Cybercrime is out of control. It's everywhere. We hear about it every single day. This year, over two billion records lost or stolen. And last year, 100 million of us, mostly Americans, lost our health insurance data to thieves -- myself included. What's particularly concerning about this is that in most cases, it was months before anyone even reported that these records were stolen.
So if you watch the evening news, you would think that most of this is espionage or nation-state activity. And, well, some of it is. Espionage, you see, is an accepted international practice. But in this case, it is only a small portion of the problem that we're dealing with. How often do we hear about a breach followed by, "... it was the result of a sophisticated nation-state attack?" Well, often that is companies not being willing to own up to their own lackluster security practices. There is also a widely held belief that by blaming an attack on a nation-state, you are putting regulators at bay -- at least for a period of time.
So where is all of this coming from? The United Nations estimates that 80 percent of it is from highly organized and ultrasophisticated criminal gangs. To date, this represents one of the largest illegal economies in the world, topping out at, now get this, 445 billion dollars. Let me put that in perspective for all of you: 445 billion dollars is larger than the GDP of 160 nations, including Ireland, Finland, Denmark and Portugal, to name a few.
So how does this work? How do these criminals operate? Well, let me tell you a little story. About a year ago, our security researchers were tracking a somewhat ordinary but sophisticated banking Trojan called the Dyre Wolf. The Dyre Wolf would get on your computer via you clicking on a link in a phishing email that you probably shouldn't have. It would then sit and wait. It would wait until you logged into your bank account. And when you did, the bad guys would reach in, steal your credentials, and then use that to steal your money. This sounds terrible, but the reality is, in the security industry, this form of attack is somewhat commonplace. However, the Dyre Wolf had two distinctly different personalities -- one for these small transactions, but it took on an entirely different persona if you were in the business of moving large-scale wire transfers.
Here's what would happen. You start the process of issuing a wire transfer, and up in your browser would pop a screen from your bank, indicating that there's a problem with your account, and that you need to call the bank immediately, along with the number to the bank's fraud department. So you pick up the phone and you call. And after going through the normal voice prompts, you're met with an English-speaking operator. "Hello, Altoro Mutual Bank. How can I help you?" And you go through the process like you do every time you call your bank, of giving them your name and your account number, going through the security checks to verify you are who you said you are. Most of us may not know this, but in many large-scale wire transfers, it requires two people to sign off on the wire transfer, so the operator then asks you to get the second person on the line, and goes through the same set of verifications and checks.
Sounds normal, right? Only one problem: you're not talking to the bank. You're talking to the criminals. They had built an English-speaking help desk, fake overlays to the banking website. And this was so flawlessly executed that they were moving between a half a million and a million and a half dollars per attempt into their criminal coffers.
These criminal organizations operate like highly regimented, legitimate businesses. Their employees work Monday through Friday. They take the weekends off. How do we know this? We know this because our security researchers see repeated spikes of malware on a Friday afternoon. The bad guys, after a long weekend with the wife and kids, come back in to see how well things went.
The Dark Web is where they spend their time. That is a term used to describe the anonymous underbelly of the internet, where thieves can operate with anonymity and without detection. Here they peddle their attack software and share information on new attack techniques. You can buy everything there, from a base-level attack to a much more advanced version. In fact, in many cases, you even see gold, silver and bronze levels of service. You can check references. You can even buy attacks that come with a money-back guarantee --
(Laughter)
if you're not successful. Now, these environments, these marketplaces -- they look like an Amazon or an eBay. You see products, prices, ratings and reviews. Of course, if you're going to buy an attack, you're going to buy from a reputable criminal with good ratings, right?
(Laughter)
This isn't any different than checking on Yelp or TripAdvisor before going to a new restaurant. So, here is an example. This is an actual screenshot of a vendor selling malware. Notice they're a vendor level four, they have a trust level of six. They've had 400 positive reviews in the last year, and only two negative reviews in the last month. We even see things like licensing terms. Here's an example of a site you can go to if you want to change your identity. They will sell you a fake ID, fake passports. But note the legally binding terms for purchasing your fake ID. Give me a break. What are they going to do -- sue you if you violate them?
(Laughter)
This occurred a couple of months ago. One of our security researchers was looking at a new Android malware application that we had discovered. It was called Bilal Bot. In a blog post, she positioned Bilal Bot as a new, inexpensive and beta alternative to the much more advanced GM Bot that was commonplace in the criminal underground.
This review did not sit well with the authors of Bilal Bot. So they wrote her this very email, pleading their case and making the argument that they felt she had evaluated an older version. They asked her to please update her blog with more accurate information and even offered to do an interview to describe to her in detail how their attack software was now far better than the competition.
So look, you don't have to like what they do, but you do have to respect the entrepreneurial nature of their endeavors.
(Laughter)
So how are we going to stop this? It's not like we're going to be able to identify who's responsible -- remember, they operate with anonymity and outside the reach of the law. We're certainly not going to be able to prosecute the offenders. I would propose that we need a completely new approach. And that approach needs to be centered on the idea that we need to change the economics for the bad guys.
And to give you a perspective on how this can work, let's think of the response we see to a healthcare pandemic: SARS, Ebola, bird flu, Zika. What is the top priority? It's knowing who is infected and how the disease is spreading. Now, governments, private institutions, hospitals, physicians -- everyone responds openly and quickly. This is a collective and altruistic effort to stop the spread in its tracks and to inform anyone not infected how to protect or inoculate themselves.
Unfortunately, this is not at all what we see in response to a cyber attack. Organizations are far more likely to keep information on that attack to themselves. Why? Because they're worried about competitive advantage, litigation or regulation. We need to effectively democratize threat intelligence data. We need to get all of these organizations to open up and share what is in their private arsenal of information. The bad guys are moving fast; we've got to move faster. And the best way to do that is to open up and share data on what's happening.
Let's think about this in the construct of security professionals. Remember, they're programmed right into their DNA to keep secrets. We've got to turn that thinking on its head. We've got to get governments, private institutions and security companies willing to share information at speed. And here's why: because if you share the information, it's equivalent to inoculation. And if you're not sharing, you're actually part of the problem, because you're increasing the odds that other people could be impacted by the same attack techniques.
But there's an even bigger benefit. By destroying criminals' devices closer to real time, we break their plans. We inform the people they aim to hurt far sooner than they had ever anticipated. We ruin their reputations, we crush their ratings and reviews. We make cybercrime not pay. We change the economics for the bad guys. But to do this, a first mover was required -- someone to change the thinking in the security industry overall.
About a year ago, my colleagues and I had a radical idea. What if IBM were to take our data -- we had one of the largest threat intelligence databases in the world -- and open it up? It had information not just on what had happened in the past, but what was happening in near-real time. What if we were to publish it all openly on the internet? As you can imagine, this got quite a reaction. First came the lawyers: What are the legal implications of doing that? Then came the business: What are the business implications of doing that? And this was also met with a good dose of a lot of people just asking if we were completely crazy.
But there was one conversation that kept floating to the surface in every dialogue that we would have: the realization that if we didn't do this, then we were part of the problem. So we did something unheard of in the security industry. We started publishing. Over 700 terabytes of actionable threat intelligence data, including information on real-time attacks that can be used to stop cybercrime in its tracks. And to date, over 4,000 organizations are leveraging this data, including half of the Fortune 100. And our hope as a next step is to get all of those organizations to join us in the fight, and do the same thing and share their information on when and how they're being attacked as well.
We all have the opportunity to stop it, and we already all know how. All we have to do is look to the response that we see in the world of health care, and how they respond to a pandemic. Simply put, we need to be open and collaborative.
Thank you.
(Applause)