POLICING BITCOIN: INVESTIGATING, EVIDENCING AND PROSECUTING CRIMES INVOLVING CRYPTOCURRENCY
Cryptocurrencies have increasingly become a common method of value exchange in a number of types of criminal activity; notably in May 2017 the NHS was crippled by a global cyber-attack whereby Ransomware was utilized to demand payment for the decryption of encrypted files in bitcoin. This collaborative project has brought together a variety of experts from different disciplines and practices to explore the challenges posed by criminal use of cryptocurrency with regard to the investigation, production of conclusive evidence of wrongdoing, and prosecution of offenders.
2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2021
This article contributes to the growing debate about the increasing importance of 'data' in modern cybercrime offending. In so doing, it illustrates the linkages between cyber-dependent and cyber-enabled crime bringing into focus the inability of current cybercrime legal categories to reflect such linkages which ultimately reflects how practitioners interpret them. Drawing upon data from court cases the article models the cybercrime cascade effect that results from data crimes. We argue that cybercrime is not a single action, but a process of interconnected social and technical actions in which data from 'upstream' cyber-dependent data crimes cascades 'downstream' to enable additional cyber-enabled crimes, such as scams, frauds and deceptions. By modelling the various tipping points at which stolen data cascades downstream we increase knowledge about the cybercrime ecosystem to highlight points at which interventions can be more effectively targeted. The 'cascade effect' is modelled by using mixed methods from law and criminology which include the "intermediate-N" configurational comparative method. By refining the tipping points of the cascade into decision trees, additional hypotheses, and the identification of the means to test them can be formulated. The article suggests that tipping points occur at each stage of the cascade model, however, the cascade into more crime is not found to be an automatic outcome as more social factors may be involved. Moreover, there exist layers of victimisation, which highlights the need to further research ways to incentivize early-offender interventions. Finally, the article illustrates the complexities of online offending, which include the presence of diverse, distributed and even disorganized actors within organised groups which do not easily fit into the traditional organized crime narrative.
The implications of economic cybercrime for policing is published by the City of London Corporation. The lead author of this report is Cardiff University. This report is intended as a basis for discussion only. While every effort has been made to ensure the accuracy and completeness of the material in this report, the lead author, Cardiff University, and the City of London Corporation give no warranty in that regard and accept no liability for any loss or damage incurred through the use of, or reliance upon, this report or the information contained herein.
Human Aspects of Information Security, Privacy and Trust, 2017
Crime scripts are becoming an increasingly popular method for understanding crime by turning a crime from a static event into a process, whereby every phase of the crime is scripted. It is based on the work relating to cognitive scripts and rational-choice theory. With the exponential growth of cyber-crime, and more specifically cloud-crime, policing/law enforcement agencies are struggling with the amount of reported cyber-crime. This paper argues that crime scripts are the most effective way forward in terms of helping understand the behaviour of the criminal during the crime itself. They act as a common language between different stakeholders, focusing attention and resources on the key phases of a crime. More importantly, they shine a light on the psychological element of a crime over the more technical cyber-related elements. The paper concludes with an example of what a cloud-crime script might look like, asking future research to better understand: (i) cloud criminal fantasy development; (ii) the online cultures around cloud crime; (iii) how the idea of digital-drift affects crime scripts, and; (iv) to improve on the work by Ekblom and Gill in improving crime scripts.
Coronavirus & Infectious Disease Research eJournal, 2021
The sudden disruption of work, recreation and leisure practices caused by the COVID-19 lockdown caught many organisations and their employees unaware, especially during the move towards working from home. This led adaptive cybercriminals to shift their own focus towards home workers as a way into organisational networks. The upshot was a massive acceleration in major cyberattacks upon organisations and a noticeable shift in offender tactics which scale up levels of fear in victims to encourage payment of the ransom. Such tactics include a shift towards naming and shaming victims, the theft of commercially sensitive data and attacks targeting organisations which provide services to other organisations. These developments have also led to changes in the organisation of offenders online. Such attacks negatively impact upon national and international economies as they try to recover from lockdown. Drawing upon an analysis of 4000+ cases of ransomware attacks collected for the EPSRC EMPH...
This academic research synthesis seeks to identify common research themes and areas of interest among the eleven projects funded by the Partnership for Conflict, Crime and Security Research (PaCCS)/ ESRC/ AHRC, Transnational Organised Crime (TNOC) call 1. The call commissioned cross-disciplinary and innovative research projects that extend societal understanding of how transnational organised crime has evolved over time and in different cultural contexts. Projects that look at why TNOC extends across borders, identify the impact it has upon populations and sustainable international development and also identify effective ways of preventing and mitigating its impact. The debate over TNOC is distinguished from previous debates over organised crime largely because it crosses national boundaries, but it will also be argued here that it is also evolving in scope with developments in communications and transactional technologies. The themes explored in this synthesis research include overlapping research questions, themes, arguments and academic outputs. By drawing upon an analysis of the TNOC applications and the research integrators' interviews with principal investigators, the report explores a TNOC (Meta) narrative and proposes a thematic framework for organising and understanding TNOC academic activity. The report then proposes a means for integrating academic outputs to ensure that their reach and impact are maximised. It was revised in the light of discussions and comments following an initial presentation at the TNOC Workshop (28-29 March 2017) and subsequently the PaCCS strategic advisory group meeting on 31st May 2017.
I must thank Dr Gabriela Nava, Senior Research Portfolio Manager in the Society and Global Security team at the ESRC for her detailed comments on an earlier draft, and also Dr Tristram Riley-Smith, the TNOC Research Integrator for his enthusiastic inspiration and allowing me to use the notes made from his introductory interviews with the various researchers. Following a summary of the report, the first part of this document is a 'think piece' that identifies the evolution of organised crime into transnational organised crime groups to try to create a framework for understanding the relationship between organised crime and transnational organised crime which could be applied to the different types of TNOC outlined later. The second part of the report overviews the eleven research projects funded under the PaCCS TNOC call and their aims and objectives. The third part identifies synergies, future connections and themes and then offers some ideas for disseminating the project findings. The appendix is a matrix outlining the eleven projects.
2020 IEEE International Conference on Big Data (Big Data), 2020
As cybercriminals scale up their operations to increase their profits or inflict greater harm, we argue that there is an equal need to respond to their threats by scaling up cyber-security. To achieve this goal, we have to develop a co-productive approach towards data collection and sharing by overcoming the cybersecurity data sharing paradox. This is where we all agree on the definition of the problem and end goal (improving cybersecurity and getting rid of cybercrime), but we disagree about how to achieve it and fail to work together efficiently. At the core of this paradox is the observation that public interests differ from private interests. As a result, industry and law enforcement take different approaches to the cybersecurity problem as they seek to resolve incidents in their own interests, which manifests in different data sharing practices between both and also other interested parties, such as cybersecurity researchers. The big question we ask is can these interests be re...
This study looks at the experiences of organizations that have fallen victim to ransomware attacks. Using quantitative and qualitative data of 55 ransomware cases drawn from 50 organizations in the UK and North America, we assessed the severity of the crypto-ransomware attacks experienced and looked at various factors to test if they had an influence on the degree of severity. An organization’s size was found to have no effect on the degree of severity of the attack, but the sector was found to be relevant, with private sector organizations feeling the pain much more severely than those in the public sector. Moreover, an organization’s security posture influences the degree of severity of a ransomware attack. We did not find that the attack target (i.e. human or machine) or the crypto-ransomware propagation class had any significant bearing on the severity of the outcome, but attacks that were purposefully directed at specific victims wreaked more damage than opportunistic ones.
Successful Cybersecurity depends on the processing of vast quantities of data from a diverse range of sources such as police reports, blogs, intelligence reports, security bulletins, and news sources. This results in large volumes of unstructured text data that is difficult to manage or investigate manually. In this paper we introduce a tool that summarises, categorises and models these data sets along with a search engine to query the model. The search engine can be used to find links between different documents in a way beyond the common-style search approach. The tool is based on the probabilistic topic modelling technique which goes further than the lexical analysis of documents to model the subtle relationships between words, documents, and abstract topics. It will assist researchers to query models and tap into the repository of documents and order them thematically.
European Journal on Criminal Policy and Research, 2019
The policy and practice of confiscating criminal assets to control crime and recover illicit wealth has come to occupy a central position in national and international policing and security agendas. However, this practice has raised many questions about agencies’ abilities to measure success and also the social impacts of asset confiscation. This article contributes to the crime control debates by exploring contemporary literature and drawing upon a subset of data from the Joint Asset Recovery Database (JARD). The first part of the article briefly outlines the key legislative provisions of asset recovery in the UK. The second part explores what the JARD data tells us about the performance of the confiscation of proceeds of crime approach and it will argue that seizing illicit wealth has not been the main priority for government. It will argue instead that the proceeds of crime approach, originally designed to target the most serious and organised crime, has effectively become a disc...
This study explores how aspects of perceived national culture affect the information security attitudes and behavior of employees. Data was collected using 19 semi-structured interviews in Ireland and the United States of America (US). The main findings are that US employees in the observed organizations are more inclined to adopt formalized information security policies and procedures than Irish employees, and are also more likely to have higher levels of compliance and lower levels of non-compliance.
Year in and year out the increasing adaptivity of offenders has maintained ransomware's position as a major cybersecurity threat. The cybersecurity industry has responded with a similar degree of adaptiveness, but has focussed more upon technical (science) than 'non-technical' (social science) factors. This article explores empirically how organisations and investigators have reacted to the shift in the ransomware landscape from scareware and locker attacks to the almost exclusive use of crypto-ransomware. We outline how, for various reasons, victims and investigators struggle to respond effectively to this form of threat. By drawing upon in-depth interviews with victims and law enforcement officers involved in twenty-six crypto-ransomware attacks between 2014 and 2018 and using an inductive content analysis method, we develop a data-driven taxonomy of crypto-ransomware countermeasures. The findings of the research indicate that responses to crypto-ransomware are made more complex by the nuanced relationship between the technical (malware which encrypts) and the human (social engineering which still instigates most infections) aspects of an attack. As a consequence, there is no simple technological 'silver bullet' that will wipe out the crypto-ransomware threat. Rather, a multi-layered approach is needed which consists of socio-technical measures, zealous front-line managers and active support from senior management.
Human Aspects of Information Security, Privacy and Trust, 2017
Successful Cybersecurity depends on the processing of vast quantities of data from a diverse range of sources such as police reports, blogs, intelligence reports, security bulletins, and news sources. This results in large volumes of unstructured text data that is difficult to manage or investigate manually. In this paper we introduce a tool that summarises, categorises and models such data sets along with a search engine to query the model produced from the data. The search engine can be used to find links, similarities and differences between different documents in a way beyond the current search approaches. The tool is based on the probabilistic topic modelling technique which goes further than the lexical analysis of documents to model the subtle relationships between words, documents, and abstract topics. It will assist researchers to query the underlying models latent in the documents and tap into the repository of documents allowing them to be ordered thematically.
The critical importance of electronic information exchanges in the daily operation of most large modern organizations is causing them to broaden their security provision to include the custodians of exchanged data: the insiders. The prevailing data loss threat model mainly focuses upon the criminal outsider and mainly regards the insider threat as 'outsiders by proxy', thus shaping the relationship between the worker and workplace in information security policy. A policy that increasingly takes the form of social policy for the information age as it acquires the power to include and exclude sections of society and potentially to re-stratify it? This article draws upon empirical sources to critically explore the insider threat in organizations. It looks at the prevailing threat model before deconstructing 'the insider' into various risk profiles, including the well-meaning insider, before drawing conclusions about what the building blocks of information security policy around the insider might be.
2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2019
Big data and cybercrime are creating 'upstream', big data related cyber-dependent crimes such as data breaches. They are essential components in a cybercrime chain which forms a cybercrime ecosystem that cascades 'downstream' to give rise to further crimes, such as fraud, extortion, etc., where the data is subsequently monetized. These downstream crimes have a massive impact upon victims and data subjects. The upstream and downstream crimes are often committed by entirely different offending actors against different victim groups, which complicates and frustrates the reporting, recording, investigative and prosecution processes. Taken together the crime stream's cascade effect creates unprecedented societal challenges that need addressing in the face of the advances of AI and the IoT. This phenomenon is explored here by unpacking the TalkTalk case study to conceptualize how big data and cloud computing are creating cascading effects of disorganized, distributed and escalating data crime. As part of the larger CRITiCal project, the paper also hypothesizes key factors triggering the cascade effect and suggests a methodology to further investigate and understand it.
J. Wirel. Mob. Networks Ubiquitous Comput. Dependable Appl., 2015
The insider threat problem is a significant and ever present issue faced by any organisation. While security mechanisms can be put in place to reduce the chances of external agents gaining access to a system, either to steal assets or alter records, the issue is more complex in tackling insider threat. If an employee already has legitimate access rights to a system, it is much more difficult to prevent them from carrying out inappropriate acts, as it is hard to determine whether the acts are part of their official work or indeed malicious. We present in this paper the concept of “Ben-ware”: a beneficial software system that uses low-level data collection from employees’ computers, along with Artificial Intelligence, to identify anomalous behaviour of an employee. By comparing each employee’s activities against their own ‘normal’ profile, as well as against the organisation’s norm, we can detect those that are significantly divergent, which might indicate malicious activities. Deal...
Papers by David S. Wall