CS 2550 - Foundations of Cybersecurity
Essay 2: Cybercrime
Description and Deliverables
As we have discussed in class, and as you have read in Spam Nation, there are dozens of ways that cybercriminals make money. We have discussed (or will discuss in the future) several of these methods in depth, including pharmaceutical spam, fake anti-virus, Distributed Denial of Service (DDoS), and Pay Per Install (PPI). Sadly, we won't have time to cover any others, which is where this assignment comes in: your job is to research a specific form of cybercrime that is either widespread or emerging, describe how the attack functions, how the criminals monetize the attack, and design mitigations for the threat.
To receive full credit for this project, you will turn in a single document:
- A file named report.pdf that includes your report in PDF format.
Options
For this assignment, you may choose which type of crime you would like to research from the list below:
- Ransomware: ransomware is an increasingly prevalent type of malicious software that infects people's computers, encrypts their files, and then demands a ransom payment to unlock the files.
- IoT Botnets: botnets have existed for many years, but a new phenomenon has been the rise of IoT botnets, where criminals compromise and enslave large numbers of internet connected "things" like security cameras and DVRs.
- Click-fraud Botnets: click fraud is a very general type of crime where a criminal sets up low-quality websites full of ads, then somehow drives visits and clicks to these websites in order to make money from the advertisements. One way to drive this traffic is to leverage botnets.
- Coinhive Abuse: Coinhive is a JavaScript library that can mine the Monero cryptocurrency inside a web browser. Although the library was not developed to be malicious, it has been appropriated by cybercriminals who use a variety of tactics to slip it into people's browsers, in order to steal their CPU cycles.
Your Goal
In this assignment, you are again assuming the role of a cybersecurity consultant. However, rather than focusing on a specific company, your goal is to write a report for a broad audience that describes an emerging threat in the cybersecurity space. This is the kind of report that your consulting firm might post on their website to inform potential clients and drive business; alternatively, perhaps it's the kind of report that you would present to the executives at your firm to help explain a new threat and highlight the potential for your company to develop and sell novel mitigations.
Regardless of which topic you choose to research, or which perspective you use when drafting your report, there are specific areas that you must cover (these should look very familiar):
- Describe a complete and comprehensive threat model. What are the goals and capabilities of the attacker? Are there specific vulnerabilities (technical or otherwise) that the attacker is leveraging to implement their attacks? Clearly describe how attackers are monetizing the attack.
- Explain specific examples of the attack you have chosen. What happened, and how was the attack stopped (if it was stopped at all)? Is there any indication of how much the criminals profited? Was anyone ever arrested or convicted?
- Present a variety of potential mitigations to address the attack you have chosen. These mitigations may be technical, social, legal, or all of the above. If there are existing countermeasures that are used in practice, you should discuss them. Feel free to critique existing mitigations if you feel they can be improved or are ineffective. Regardless of whether you discuss existing mitigations, you should also propose several novel mitigations of your own design.
- Compare the tradeoffs between different mitigations and their associated costs. You should consider things like monetary costs, feasibility of deployment, adverse impact on other systems, and ethical and legal issues when characterizing mitigations. In your opinion, what mitigation(s) represent the most effective overall solution to the given problem?
The above outline is not meant to be strict. You may organize your report as you see fit. You may embellish your document as you see fit with citations, images, diagrams, etc.
Also note that this report will rely much more heavily on research than Essay 1. Thus, we expect a larger number of citations to support your research. Citations to sources of questionable quality, like Wikipedia, are forbidden.
The document should be at most 2,500 words, which is roughly 4 pages of single-spaced, size 10 font text. Shorter documents are acceptable, so long as they are complete and thorough.
Bootstrapping Your Research
Several of the topics have been studied by academic security researchers. These papers are all by top academics in the field, and may provide useful information for your own work.
- Ransomware:
- Click-fraud botnets:
- IoT Botnets:
Also, as far as I know, Coinhive-based attacks are so new that they have yet to be studied academically.
Submitting Your Project
Before turning in the project, you must register yourself for our grading system using the following command:
$ /course/cs2550/bin/register-student [NUID]
NUID is your Northeastern ID number, including any leading zeroes. This command is available on all of the Khoury College lab machines.
To turn-in your project, you must submit exactly one file:
- report.pdf
$ /course/cs2550/bin/turnin essay2 <project directory>
where <project directory> is the name of the directory with your submission. The script will print out every file that you are submitting, so make sure that it prints out all of the files you wish to submit! The turn-in script will not accept submissions that are missing a report.pdf file. You may submit as many times as you wish; only the last submission will be graded, and the time of the last submission will determine whether your assignment is late.
At any time, you can run the following command to see all of your current grades for projects, essays, quizzes, and tests.
$ /course/cs2550/bin/gradesheet
Grading
This project is worth 9% of your final grade, broken down as follows (out of 100):
- 15 points - Threat model that clearly defines the attacker's goals, capabilities, and monetization strategy.
- 15 points - Real-world examples of the attack, including technical details and any information about the criminals behind the attack (and their ultimate fate).
- 40 points - Proposed mitigations. Each mitigation should be clearly explained, including how it works, what threat(s) it addresses, and any shortcomings.
- 20 points - Concise discussion of costs and tradeoffs between different mitigations, especially in relation to the costs associated with successful attacks. Provide overall guidance about which mitigations you believe are most effective.
- 10 points - Quality of writing, including spelling, grammar, and appropriate use of citations.