Cool. Everyone can hear me? Can see the screen? All right. Excellent. Cool. All right. Let's get started. All right. So we left off talking about ransomware. Somebody remind me, what are the key components of ransomware? Yeah, there's definitely an urgent component. How is that urgent component created? How is the attacker creating urgency? Yeah, loss of your data, there. And they've actually encrypted your program. So it encrypts your files. So it uses the cryptography that we know and love, but it does it in such a way that you can't get those files back. So yeah, kind of, you know, really interesting type of attack here. Some interesting fun facts. It used to be that your encrypted files or some of the early ransomware would actually implement the crypto incorrectly. So people were actually able to make programs that could get your files back. So they'd be like, oh, if you've hit this ransomware, just run this program and it will decrypt all your files for you. And so, yeah, this is, you know, super interesting. You can see all this infrastructure. We talked about how they're sending Bitcoin here and how this actually, you know, helped lead to the rise of ransomware because it's a way for criminals to get paid very easily. That's non-refundable or reversible. So that's really interesting here.

And the other, another crypto-related type of cybercrime is called cryptojacking. So does anybody know what this term means? So yeah, we can go back. Thanks for that question. So somebody's, Caleb's asking in the chat about protecting from ransomware. Yeah, honestly, the best type of protection is to have a backup, right? Because if you have a backup of your files, then you can recover your files. It's, you know, there's also other ways you can do it. You can try to look for signatures of programs that look like ransomware, right? How many programs probably iterate through every file on your system and then encrypt it and then overwrite those files?
So there's probably a few, very limited number of those types of files. So you may be able to try to detect this behavior. But, you know, other types of things like backup software probably does that or Dropbox does that, right? It scans through all my files in my Dropbox folder and even can update those. So it actually may look like ransomware if you just use that. So yeah, it's kind of tricky. Like ransomware is one of those really tricky things where it's very difficult to protect against. And if you think of like, okay, yeah, I'll just use backup. Well, you really, part of the problem that some companies have is their backups are connected to each of their employees' machines through a network drive. So the ransomware can see that network drive and actually encrypts the backups. And then at that point, you are really in a bad spot. And there's other types.

Yeah, so anyways, then let's go to cryptojacking. So cryptojacking is, it could be malware that's either running on your machine or oftentimes actually what used to be really popular is running on a website. So you would visit a website, it would download some JavaScript code that would be running a Bitcoin miner or some type of cryptocurrency miner so that the person running that would get paid for running that miner as part of a pool. And this used to be a thing. So if you hijacked either a popular site or you hijacked a JavaScript library that was used in a popular site, now millions and potentially billions of people around the world would be running your JavaScript code, running cryptocurrency mining. And this is a really interesting example from 2017 where cryptojacking JavaScript code was found on Starbucks Wi-Fi networks. And what happened was it wasn't all Starbucks Wi-Fis, it was I believe only in Argentina that this actually happened.
And what somebody realized is that because all of your traffic at the Starbucks Wi-Fi network was going through a central point and I believe on non-http pages they would be injecting JavaScript code that would start mining cryptocurrency as you were browsing the network. So this was a huge issue that had to get brought up to Starbucks' attention. And the interesting thing when you, I think what came out of this is Starbucks has many different corporate entities and like the foreign ones are different from the US ones. So you know, it wasn't, this wasn't a problem at any US things, but there were all kinds of crazy cases where people would use cryptocurrency miners inside your browser to force your browser to mine cryptocurrency.

So let's think about this: what about this makes this malicious or cybercrime? Using other people and using their resources? Yeah, I think that's the key thing. Thanks. So people in the chat are talking about without permission or without consent, right? So you could imagine a website that said, hey, you want to browse this website for free without ads. If you agree to do this, then you agree to let us use your CPU to mine Bitcoin, let's say, right? And yeah, so that's the key is using it without permission or consent, right? So it's not necessarily that cryptocurrency mining is in itself cybercrime, but doing it, you know, doing such a thing without the user's notice or authorization, you are stealing basically resources from them and stealing power from them. So how do you detect something like this? So you're the browser, you say, ah, cryptojacking is a huge problem. How can we stop that? Yeah, you maybe know as a user that your fans of your laptop or whatever start to start up. Yeah, the browser itself could check is any JavaScript code using 100% of the CPU, right? And locking the CPU. But the question is how do you tell that versus a really crappy website?
What if the JavaScript code of a website is eating up your CPU? Or if you've ever browsed a page filled with ads, oftentimes those ads are using a lot of CPU to do different things. And so it's not actually that it's malicious, it could be poorly written. We may try to detect algorithms, algorithms can be obfuscated, they can be a little bit difficult to detect. So yeah, anyways, this is just a kind of a get you thinking about this, that it's actually a very difficult problem of how to detect cryptojacking. So it's completely, it's not a solved problem at all. Although I think attackers have basically shifted to ransomware as a way to gain money. And I don't think cryptojacking is quite as popular as it once was, but it's an interesting footnote that very much unlike what we talked about with ransomware, where they're actively encrypting your files and holding it ransom, that is very clearly criminal. Other things, viruses that infect your computer, spyware that's spying on what you do, all these things are inherently malicious. But the act of cryptocurrency mining is not itself malicious. So I think that's the interesting wrinkle here of this challenge.

So other things that we can now look to more modern threats is mobile malware. So why do I care about mobile malware? Like why is it even interesting to talk about malware on your phone versus malware on your desktop in what we talked about? Yeah, so very connected devices always have a 5G. You probably have apps on your phone that have access to your bank accounts, phones. That's an interesting, interesting comment in chat: phones probably see more activity than PCs. Yeah, what else? Phone is usually where you get your two factor authentication. So this can be where your SMS message is sent, or it could be a, it could be your phone could have an app on it that has a pop up. Yeah, so these are definitely rich targets. What about, you know, are your text message communications probably on your phone?
I mean, definitely on your phone. What about your pictures on your phone? What about your email, right? Everyone talked about that, but email, right? We talked about it way back in the beginning of the class, if you can even remember, you were all fresh-faced, enthusiastic students 15 weeks ago, or roughly, yeah, 15 weeks ago, man. Second to last class, right? That is right, right? This is the last week. Chat's not saying yes or no, so I don't think they know. They want one more week. Oh, they're chanting. One more week. One more week. I don't know. I think you guys should focus on your finals next week. So, okay, last week. Yeah, so anyways, the point here is that your email, access to your email really gives you access to almost every single site that you have an account on, right? Through the forgot password functionality. So you go there, you say you forgot your password, they email you a new one. So once you get access to somebody's email, you get access to everything.

Now, what's the key difference in mobile devices and their operating systems and how applications work compared to the desktop environments that you're used to? Simpler in what sense? Questions. Definitely harder to diagnose and fix problems on mobile devices, that I would certainly agree with. And why is that, though? Dig a little deeper. Why is it more difficult to diagnose and fix problems on mobile devices? I'd say limited hardware, but more about they like the operating system doesn't let you have full access to things. Yeah. And I think this is the real key. So one of the biggest differences that we've seen in the move to mobile devices. And I think this is deliberate. And it's something that you should be thinking about when you think about how secure software and operating system security and things have evolved over time, right?
Our current models of like desktop or laptop computation, like PC software, we assume that we're running as a user and we're running a bunch of applications that all run, you know, technically as our user and they have access to all the data that we have access to. And this can become the problem in terms of ransomware, right? I run one executable. It has access to all the data that my user has, which is me. And then it can go and encrypt all those files. And so that's clearly not a great model, right? And so what's interesting is we're stuck in those models in the PC environments in laptops and desktops because we're kind of locked in based on legacy, right? We have all this history of decades of applications written that we want to actually work. But if you look at how mobile devices were created, they actually had an opportunity to recreate the ecosystem from the ground up. And essentially what they realized is, hey, this is a really bad model for all applications to have access to everything, right? And it comes down to those fundamentals of what we learned about how Linux and Unix works is everyone on, you know, think of Mac or Windows or Linux, you know, all the applications you run are running as your user. And so they have access to all files you have access to. And the key technical difference in both Android and iOS is that every application runs as a different user. So you think, and this is why we have things like, so now app A and app B rather than have access to all your data only have access to their own data. And this is enforced at the operating system level. And similarly, they don't just have let's say raw file system access, there's a bunch of APIs where they have to ask the operating system, hey, can I do this, can I do this? And that's where we get also this permission model, where you can give applications different permissions. 
And so by default, right, what's really cool is an application could be allowed, you know, by default doesn't use the internet, right? This is a very powerful idea, especially compared to desktop software, there's no real limit on what desktop software can do. But on the mobile applications, they're built from the ground up to not require that, of course, what actually happens in terms of permissions. So how many of you when you install an application, read all the permissions that the app requires, especially I'm thinking of Android users. Yeah, somebody's claiming me in the chat, so I won't call you out in the recording, but so do you ever not install an app because of the permissions that it requires? Good. Okay, okay, thanks. Yeah, so right, so sometimes you can choose which to allow and which to deny. And some people are conscious about if what it's asked for versus what it's required. But the question then of course is, you know, who actually, the app itself is the one that's telling you it's required. So somebody is mentioning in chat a calculator application that needs access to your microphone. In what world does a calculator app need access to your microphone? And so that's an interesting problem. And so oftentimes the key problem is when we put these security decisions on the users, right, and we give them a big box that says would you like to do this yes or no, like 99% of them will always say yes. And so anyways, this is and think about the control you have over applications on your mobile device versus on your desktop or and it's, they're trending together, but we can see that applications have started to be more and more on the desktop, more and more like phone applications in this way that they're restricted. Yeah, and even if it needs it, right, it could be using it maliciously, it could be doing all sorts of stuff, right, we'll never, we'll never necessarily know. So anyways, this is why there's a whole and so.
So we talked about some targets of mobile malware, right, so like email, that's really bad writing email. We talked about texts, pics. And what else is on the phone? Anyone ever call a 900 number either as an adult or maybe as a child? What's a 900 number? Nobody, nobody wants to admit. Yeah, like 1-900. 1,965 answers. I should create that. Yeah, it's a toll. It means you are paying for the call. And so oftentimes actually malware will use tricks like this and call 900 numbers that end up on your bill. They also have other ways and tricks that they can do to actually charge you directly and make money. They can, there's actually malicious software that will actually use your device as a VPN. So it allows other attackers to route traffic through your phone, which bypasses IP restrictions and all kinds of things.

We actually didn't talk about this, but have you heard the term before, click fraud? So click fraud is, everyone's seen a webpage that has ads, right? And so the one metric on internet ads that you can do that you can't do in physical ads is a cost per click. So that's what CPC means. It means the advertiser or the person that's posting the ad only gets paid when somebody clicks on it, right? Because a click means that somebody is redirected to your site. It's an indication that they're interested in things. And so click fraud is when people fraudulently create fake clicks onto ads so that the publisher buys them. So this website's actually controlled by the attacker. Nobody ever really visits that website, but they've created malware that clicks, fake clicks on these ads by sending, excuse me, web requests. So these are the types of things that mobile malware can do on your phone and there've actually been examples of this. And there's actually what I find fascinating. So there's things that are clearly malicious. And then there's an entirely other category of things specifically around mobile devices.
What's called, it has two terms, PUA, potentially unwanted application, or potentially unwanted program. So let's say there's an application that sends every text message on your phone to an email address. Is that malware? Where's a case that it would not be malware? We can't just say potentially, it's on the slide. So that's clearly involved in the answer somehow, right? So what would be a case where you'd want something like this? Yeah, maybe it's backup. So maybe it's a text message backup. So you forward all your texts to your email so I can see it on my computer. What if I'm a parent who wants to keep extra tabs on my kids? Maybe I've given a 10-year-old a phone. And so maybe they don't have any expectation of privacy. So I install it on their phone so I can see all their text messages to make sure they're not setting meetups with criminals or anything like that. So you can, especially I think this is probably the actual case that most of them would say. And the key is, again, it comes back to consent. Who's actually installing this? And of course, if you're installing this maliciously on somebody else's phone, this is clearly unwanted. So it's kind of in the similar category of spyware. Right? And spyware is a little bit older term, but this potentially unwanted application is super interesting because there's this really interesting area here of like, is this really malware? Is it a bad thing? Is it a good thing? I mean, it can be used for harm, but maybe it can be used for good and how do you decide between them? And similarly, there's basically tons of mobile spyware out there. So applications that will, so some things they'll do is they'll look at all the applications that are installed on your phone and send them back to them so that they can either create a fingerprint of you, they can understand what apps are installed. There's other types of ways they can spy on you.
It's all kinds of, you know, in a lot of advertising libraries will do similar concepts to this because they want to understand how well their ads are doing. So this is a whole category of potentially unwanted apps on mobile devices. And the other category that I want to talk about was stalkerware. So this is again, similar to that text message backup, right? So it's a really nice name to convey this notion and this idea that the software may enable stalking to the level of that somebody wouldn't expect. So you can create an application that gives you remote access to a phone and shows you everything that that phone is seeing, right? You could actually easily create that application. The APIs are there with accessibility APIs, you can do that. And of course, the problem is, and that may be something you want to do to remote into your system, but if somebody else installs it and uses it to stalk somebody, that's clearly a problem. You know, other examples like we're seeing here, reading emails, all these kinds of things. This is a, well, a really kind of a, and the sad thing is it took people pointing it out that, hey, this software is not just potentially unwanted, but it's actually mostly used in stalking people. And so we should really think about ways to limit this, right? And so things you can do is the operating system can maybe show you an indicator that says, hey, your screen's being recorded, because if you know it, then fine. But the point is, if this can do this without the user's knowledge or consent, and that is the major problem. And these are kind of things that have come up more and more in, on mobile devices. So this is why I wanted to mention it. I think it's pretty cool. Yeah. And so we are at the end of cybercrime. Does anybody have any questions on cybercrime? It's a very vast area. I tried to kind of pick and choose different topics and show you a historical timeline. 
So at this point, I'd like to open up to questions specifically on different aspects of cybercrime. Somebody is asking in the chat, the Prince of Nigeria emailed me asking for help. Do I click the link to send this person money? The answer is clearly no. So, yeah, you can Google a lot on Nigerian Prince scams. The other question is, do those really work? And I think the question you should be asking is, if they're happening, they're probably working. Somebody's falling for it. So this is kind of the sad thing is that, and I think I mentioned this before, but what they've, the hypothesis is that they make those scams seem so scammy that only really susceptible people fall victim to them. And this actually helps the attacker in their return on investment. They send out, if they send out a million emails and then they get a thousand people that contact them back, they have to follow up with every 1,000 of them manually to try to scam money out of them. But actually, I'm going to stop sharing my screen. But if, but if you send out a million emails and only 10 people respond to you, but those 10 people, like 90% of them are going to fall for your scam, then that's actually great for you. Cool. Yeah. Okay.

So how effective are more closed operating systems at shooting down malware? Interesting question. So the, the really interesting thing, so it used to be the case in the like late 90s, early 2000s, for instance, that Apple and iOS was considered more secure than Windows. And the actual fact is like, it's not that it's more secure. It was just that Windows had a 90 to 95% market share. So as a malware author, if you're going to write something, you want it to run on Windows. You actually don't care about the 5 to 10% of the market. So there is some benefit in being the small person. And so Windows kept getting hit over and over with virus, virus, virus, worm, worm, worm. And they actually significantly improved their security.
And then finally, when Mac became more popular, there've been instances of malware for the Mac. And the Mac wasn't quite as ready for that. So I think it's not really a closed versus open. It's more like how much attention the developers have put into this problem. So for instance, and that's one of the really nice things about, let's say, mobile devices is because the operating system so tightly controls applications, they have kill lists. So there's a list in the operating system of both Google and Microsoft, Android and iOS that says, okay, kill any application that has this name. And that way, if they find something malicious, they can make sure it's actually removed from devices.

Okay, somebody asks, we're not going to talk about dark net markets or any crime that happens in that sphere of this course. No, that's a whole other concept and discussion point. So I think we're okay there. Okay, what's a good resource for keeping up to date on the landscape of cybercrimes? Good question. The news honestly is pretty good. Like there's good news sources about various data breaches that happened. And those are good places to keep up to date. Honestly, there's a lot going on on the research space. That's how you can find the kind of cutting edge research there. Yeah, after the section of class, I'm afraid to use the internet. You should have been afraid before this after everything you learned about software insecurity and how easy it is to make bugs that allow somebody to completely control your system. So right now we're just tying that into the human ambition of, okay, I found something. What do I do? So don't be afraid to use it, but just be knowledgeable. It's just like going back to that house example. If you don't think about the possible threats, you won't think of ways to mitigate them and work around them. So it's really important to be aware of what's out there so that you can safely use the internet and just be aware. That stuff exists.
It's not like Bigfoot. That stuff exists whether you believe it or not. So it's better to be aware of what's out there and know the landscape so you can manage that. Anything else? Well, it's actually a similar, there's a similar corollary between why we teach about all these security vulnerabilities is because we want you to understand, even if you don't go into security, I think knowledge of cybercrime is important. And similarly, even if you don't go into security, when you're out there building software, you want to be aware of what are potential pitfalls and how a bug can turn into a security vulnerability, which allows complete exploitation of your system. And so even if you're not an expert in security, that's fine. But as you're developing, as long as you're aware and you can go, ah, okay, I know we should, you know, we're using buffers, we should be really careful. How can we make sure that we don't have a buffer overflow, for instance? And that type of even being aware of the problem itself is super important. There's the famous line about, you know, the most dangerous things are unknown unknowns, right? If you don't know about any security bugs or vulnerabilities, then you're probably going to write code that has those because you're not aware of those problems. All right, at that point, I will stop this for