Adam B. Turner, Stephen McCombie and Allon J. Uhlmann
Abstract
Purpose
This paper aims to demonstrate the utility of a target-centric approach to intelligence collection and analysis in the prevention and investigation of ransomware attacks that involve cryptocurrencies. The paper uses the May 2017 WannaCry ransomware usage of the Bitcoin ecosystem as a case study. The approach proves particularly beneficial in facilitating information sharing and an integrated analysis across intelligence domains.
Design/methodology/approach
This study conducted data collection and analysis of the component Bitcoin elements of the WannaCry ransomware attack. A note of both technicalities of Bitcoin operations and current models for sharing cyber intelligence was made. Our analysis builds on and further develops current definitions and strategies for sharing cyber threat intelligence. It uses the problem definition model (PDM) and generic target network model (TNM) to create an analytic framework for the WannaCry ransomware attack scenario, allowing analysts the ability to test their hypotheses and integrate and share data for collaborative investigation.
Findings
Using a target-centric intelligence approach to WannaCry 2.0 shows that it is possible to model the intelligence problem of collecting and analysing data related to inflows and outflows of Bitcoin-related ransomware transactions. Bitcoin transactions form graph networks and allow a target network model to be built for collecting, analysing and sharing intelligence with multiple stakeholders. Although attribution and anonymity prevail under cryptocurrency usage, there is a means for developing transaction walks using this method to target nefarious cryptocurrency exchanges where criminals are inclined to cash out their proceeds of crime.
Originality/value
The application of a target-centric intelligence approach to the cryptocurrency components of a ransomware attack provides a framework for intelligence units to break down the problem in the financial domain and model the network behaviour of illicit Bitcoin transactions relating to ransomware.
Angela S.M. Irwin and Adam B. Turner
Abstract
Purpose
The purpose of this paper is to highlight the intelligence and investigatory challenges experienced by law enforcement agencies in discovering the identity of illicit Bitcoin users and the transactions that they perform. This paper proposes solutions to assist law enforcement agencies in piecing together the disparate and complex technical, behavioural and criminological elements that make up cybercriminal offending.
Design/methodology/approach
A literature review was conducted to highlight the main law enforcement challenges and discussions and examine current discourse in the areas of anonymity and attribution. The paper also looked at other research and projects that aim to identify illicit transactions involving cryptocurrencies and the darknet.
Findings
An optimal solution would be one which has a predictive capability and a machine learning architecture which automatically collects and analyses data from the Bitcoin blockchain and other external data sources and applies search criteria matching, indexing and clustering to identify suspicious behaviours. The implementation of a machine learning architecture would help improve results over time and would be less manpower intensive. Cyber investigators would also receive intelligence in a format and language that they understand and it would allow for intelligence-led and predictive policing rather than reactive policing. The optimal solution would be one which allows for intelligence-led, predictive policing and enables and encourages information sharing between multiple stakeholders from the law enforcement, financial intelligence units, cyber security organisations and fintech industry. This would enable the creation of red flags and behaviour models and the provision of up-to-date intelligence on the threat landscape to form a viable intelligence product for law enforcement agencies so that they can more easily get to the who, what, when and where.
Originality/value
The development of a functional software architecture that, in theory, could be used to detect suspicious illicit transactions on the Bitcoin network.
Adam B. Turner, Stephen McCombie and Allon J. Uhlmann
Abstract
Purpose
The purpose of this paper is to investigate available forensic data on the Bitcoin blockchain to identify typical transaction patterns of ransomware attacks. Specifically, the authors explore how distinct these patterns are and their potential value for intelligence exploitation in support of countering ransomware attacks.
Design/methodology/approach
The authors created an analytic framework – the Ransomware–Bitcoin Intelligence–Forensic Continuum framework – to search for transaction patterns in the blockchain records from actual ransomware attacks. Data of a number of different ransomware Bitcoin addresses was extracted to populate the framework, via the WalletExplorer.com programming interface. This data was then assembled in a representation of the target network for pattern analysis on the input (cash-in) and output (cash-out) side of the ransomware seed addresses. Different graph algorithms were applied to these networks. The results were compared to a “control” network derived from a Bitcoin charity.
Findings
The findings show discernible patterns in the network relating to the input and output side of the ransomware graphs. However, these patterns are not easily distinguishable from those associated with the charity Bitcoin address on the input side. Nonetheless, the collection profile over time is more volatile than with the charity Bitcoin address. On the other hand, ransomware output patterns differ from those associated with charity addresses, as the attacker cash-out tactics are quite different from the way charities mobilise their donations. We further argue that an application of graph machine learning provides a basis for future analysis and data refinement possibilities.
Research limitations/implications
Limitations are evident in the sample size of data taken on ransomware campaigns and the “control” subject. Further analysis of additional ransomware campaigns and “control” subjects over time would help refine and validate the preliminary observations in this paper. Future research will also benefit from the application of more powerful computing resources and analytics platforms that scale with the amount of data being collected.
Originality/value
This research contributes to the maturity of the field by analysing ransomware-Bitcoin behaviour using the Ransomware–Bitcoin Intelligence–Forensic Continuum. By combining several different techniques for discerning patterns of ransomware activity on the Bitcoin network, it provides insight into whether a ransomware attack is occurring and could be used to trigger alerts to seek additional evidence of attack, or could corroborate other information in the system.
Nancy Adam-Turner, Dana Burnett and Gail Dickinson
Abstract
Technology is integral to contemporary life; where the digital transformation to virtual information accessibility impacts instruction, it alters the skills of learning and comprehension (Gonzalez-Patino & Esteban-Guitart, 2014; Lloyd, 2010). Although librarians/media specialists provide orientation, instruction, and research methods face-to-face and electronically, they recognize that digital learning instruction is not a linear process, and digital literacy (DL) is multi-disciplinary (Belshaw, 2012). Policy and public research findings indicate that higher education must be prepared to adapt to rapid changes in digital technology (Maybee, Bruce, Lupton, & Rebmann, 2017). Digital learning undergoes frequent transformations, with new disruptive innovation and research attempts at redefinition (Palfrey, 2015). Research often overlooks junior/community colleges. We are all learners and we need to understand the digital learning challenges that incorporating DL includes in the new digital ecology (Adams Becker et al., 2017). This study provides real faculty/librarian commentaries regarding the understanding needed to develop digital learning and contemporary digital library resources. The authors investigate faculties’ and librarians’ degree of DL perceptions with instruction at junior/community colleges. Survey data analysis uses the mean of digital self-efficacy of variables collected, revealing that participants surpassed Rogers’s (2003) chasm of 20% inclusion. Findings provided data to develop the Dimensions of Digital Learning rubric, a new evaluation tool that encourages faculty DL cross-training, librarians’ digital learning collaboration, and effective digital learning spaces.
Abstract
In this chapter, I discuss the artistic representation of the musical illustration of funeral rites and ceremonies in contemporary Poland. The death of a person in many cultures is perceived as an important point in the life of a given community, especially a family; hence, people tend to express feelings stemming from these circumstances through art. Songs sung at funerals and during the mourning period have been used for centuries as a way for the living to express their grief for the person who has died. From an anthropological point of view, the main function of music accompanying funeral rites is to help family and friends of the deceased recover from their loss.
To illustrate my argument, I analyse the recording of folk songs by Adam Strug and Kwadrofonik: ‘Requiem Ludowe’ (‘The Folk Requiem’), released on CD in 2013. The musical motifs and lyrical themes are based on original folk tunes of Eastern Poland (Podlasie and Lubelszczyzna regions) that are still used in the villages during the bereavement period. The songs on the CD, which are: ‘Czemu tak rychło, Panie’ (‘Why is it So Soon, my Lord’); ‘Żegnam cię mój świecie wesoły’ (‘Goodbye my Merry World’); ‘Żegnam was mitry i korony’ (‘Goodbye to you Mithra and Crowns’); ‘Żegnam was wszystkie elementa’ (‘Goodbye to you all the Elements’); ‘Powiem prawdę świecie tobie’ (‘I Shall Tell you the Truth, my World’); ‘Piekło’ (‘The Hell’); ‘Czyściec’ (‘The Purgatory’); ‘Niebo’ (‘The Heaven’); and ‘Wieczność’ (‘The Eternity’) are rooted in Christian funeral traditions and they are supplemented by elements of Slavic folklore.
The lyrics of the mourning songs published on the recording display a specific attitude to the mythology of death and bereavement present in the culture of Polish peasants. The main themes of these folk songs, namely, the praise of the deceased, the grief of the remaining family, the preparation of the dead one for eternal life or the attempts to cross the threshold of life and death, are presented by the artists as the soul’s journey from the Earth to the Underworld, and through Purgatory to Eternal life as a final stage of a person’s destination. They show how the rural people imagine death itself and express their feelings of loss and grief in art to overcome the fear of the unknown.
Adam Turner and Angela Samantha Maitland Irwin
Abstract
Purpose
The purpose of this paper is to determine if Bitcoin transactions could be de-anonymised by analysing the Bitcoin blockchain and transactions conducted through the blockchain. In addition, graph analysis and the use of modern social media technology were examined to determine how they may help reveal the identity of Bitcoin users. A review of machine learning techniques and heuristics was carried out to learn how certain behaviours from the Bitcoin network could be augmented with social media technology and other data to identify illicit transactions.
Design/methodology/approach
A number of experiments were conducted and time was spent observing the network to ascertain how Bitcoin transactions work, how the Bitcoin protocol operates over the network and what Bitcoin artefacts can be examined from a digital forensics perspective. Packet sniffing software, Wireshark, was used to see whether the identity of a user is revealed when they set up a wallet via an online wallet service. In addition, a block parser was used to analyse the Bitcoin client synchronisation and reveal information on the behaviour of a Bitcoin node when it joins the network and synchronises to the latest blockchain. The final experiment involved setting up and witnessing a transaction using the Bitcoin Client API. These experiments and observations were then used to design a proof of concept and functional software architecture for searching, indexing and analyzing publicly available data flowing from the blockchain and other big data sources.
Findings
Using heuristics and graph analysis techniques shows us that it is possible to build up a picture of the behaviour of Bitcoin addresses and transactions, then utilise existing typologies of illicit behaviour to collect, process and exploit potential red flag indicators. Augmenting Bitcoin data, big data and social media may be used to reveal potentially illicit financial transactions going through the Bitcoin blockchain and machine learning applied to the data sets to rank and cluster suspicious transactions.
Originality/value
The development of a functional software architecture that, in theory, could be used to detect suspicious illicit transactions on the Bitcoin network.
Mohammed Rahman and Adam Lynes
Abstract
Purpose
The purpose of this paper is to discuss the nature and extent of violent practice in the motorcycle underworld. It does this by considering the murder of Gerry Tobin, and then uses the biography of the founding member of the Hell’s Angels motorcycle club (HAMC) for a critical analysis. The authors are interested in understanding the role of masculine honour and collective identity, and its influences in relation to violence – namely, fatal violence in the motorcycle underworld. The authors argue that motorcycle gangs are extreme examples of what Hall (2012) considers “criminal undertakers” – individuals who take “special liberties” often as a last resort.
Design/methodology/approach
The methodological approach seeks to analyse the paradigm of “masculine honour”, and how the Outlaws MC (OMC) applied this notion when executing the seemingly senseless murder of Gerry Tobin. So too, the authors triangulate these findings by critically analysing the biography of the founding member of the Californian chapter of the HAMC – Sonny Barger. Further to this, a case study inevitably offers “constraints and opportunities” (Easton, 2010, p. 119). Through the process of triangulation, which is a method that utilises “multiple sources of data”, the researcher can be confident that the truth is being “conveyed as truthfully as possible” (Merriam, 1995, p. 54).
Findings
What is clear within the OB worldview is that it can only be a male dominant ideology, with no allowance for female interference (Wolf, 2008). Thus, Messerschmidt’s (1993) notion of “hegemonic masculinity” fits the male dominated subcultures of the HAMC and OMC, which therefore provides the clubs with “exclusive” masculine identities (Wolf, 2008). For organisations like the HAMC, retaliation is perceived as an alternative form of criminal justice that is compulsory to undertake in order to defend their status of honour and masculinity.
Originality/value
Based on our understanding, this is the first critical think piece that explores a UK case of homicide within the context of the motorcycle underworld. It also provides a comprehensive understanding of violent practice with the motorcycle underworld from criminological and sociological perspectives. This paper will inform readers about an overlooked and under-researched underworld culture.