UPDATED 14:11 EDT / JANUARY 31 2019

As security flaws explode, consumers lose trust in the tech industry

If the current state of the cybersecurity world could be captured as a weather forecast it would be cloudy with occasional periods of crankiness and despair.

Loss of data privacy is a foregone conclusion. The rise of digital currencies has opened huge holes for theft. And cybercriminals are getting smarter, better-organized and well-funded.

Although this week’s Usenix Enigma security gathering in South San Francisco was not three wall-to-wall days of doom and gloom, beleaguered security researchers from around the world offered plenty of evidence that the technology industry as a whole is losing the confidence of its users in being able to keep our connected world safe, especially when it comes to personal data.

“We took users and stopped making products for them and made their data the product,” said Denelle Dixon, chief operating officer at Mozilla Corp. “Consumers are angry and they’re losing trust. This industry is unrecognizable from where we started.”

Criminals as corporations

Dixon’s comments, which came at the end of the conference’s first day on Monday, echoed a common refrain throughout the event. Users are losing trust because a steady drumbeat of bad news over the past year has highlighted security vulnerabilities that neither industry nor the government appears capable of fixing.

Theft of personal data has created a robust underground marketplace in the cybercriminal world where groups of hackers know each other on a personal basis and conduct operations much like a traditional business. This was documented through seven years of field research conducted by Jonathan Lusthaus, director of the Human Cybercriminal Project at the University of Oxford.

Lusthaus conducted more than 230 interviews with law enforcement and former cybercriminals to piece together a more complete picture of how the hacking underground is currently doing business. His work was recently published in “Industry of Anonymity: Inside the Business of Cybercrime.”

What the Oxford professor found was a sophisticated organizational structure among many groups. Liberty Reserve, a digital currency firm which laundered money for other criminals, operated with its own corporate logo. It had offices in a Costa Rica commercial park that also included company branches of Procter & Gamble Co., Western Union Co. and Hewlett-Packard Co.

“The state is allowing criminal activity to become legitimized in some ways,” Lusthaus said during his presentation on Tuesday. “These are very skilled, intelligent, highly educated people. Many of the offenders know each other in person and they come from the same trusted groups.”

Robust underground marketplace

As cybercrime becomes more of a business, it’s also creating its own marketplace on the dark web, a shady part of the internet accessible with special software, where stolen data has value and hackers operate as enterprising entrepreneurs, complete with customer reviews and star ratings.

Denelle Dixon of Mozilla (Photo: Liz Farina Markel/Usenix)

A recent cache of 100 stolen credit card numbers could have high value if the seller can guarantee a 98 percent validity rate. “I think about the dark web as a really big, weird flea market,” said Munish Walther-Puri, principal consultant with Presearch Strategy. “Cybercriminals value freshness, reputation and customer service. There’s a real sense of marketing here.”

Stolen credit cards are not the only items of real value to be found in the underground marketplace these days. A report published in January documented how location data, gathered routinely by cell carriers from millions of smartphones, is beginning to find its way into the hands of black market entrepreneurs.

This data has value because it provides a rich trove of information which could be used by bounty hunters or bail bondsmen for monetary gain. People are willing to pay for information to locate people who might not want to be found.

Cryptocurrency flaws revealed

Although current cybersecurity systems may fail to prevent the loss of personal, location or purchasing data, the weaknesses now extend to digital currency as well, according to one security expert. Nicholas Weaver, a researcher with the International Computer Science Institute, presented a case at Enigma this week that highlighted significant security flaws in the world of blockchain and cryptocurrencies.

According to Weaver, attackers can install malware inside the automated functionality that controls bitcoin. He tested this with a graduate student who created a bitcoin wallet, only to see his coins stolen within two months.

Another concern is that the rise of various cryptocurrencies has spawned a cottage industry of new tools to rob them. Several altcoins have been targeted with what’s become known as the “51 percent attack,” in which an attacker gains more than half of a cryptocurrency network’s computing power and can thereby control which transactions are confirmed.

As documented in a Forbes story in January, on-the-market services such as NiceHash allow criminals to rent enough computing power for a mining setup to wreak damage on many crypto tokens.

“Public blockchains based on proof of work are inefficient or insecure,” Weaver said. “The amount of criminality in this space is simply off the hook.”

Potential protection

The security community is mounting its own offensive against the rising tide of vulnerabilities. Conference attendees were provided with one encouraging option from Google Chrome this week as a Google LLC engineer indicated that the search giant was testing a warning system for domain names.

Use of deceptive URLs has been an issue for years in the online world, since users often access websites they believe are authentic, only to discover they’ve been sidetracked into a domain that can steal credentials. Google is trying to address this by adding a drop-down panel that double-checks that the user really wants to venture to a site the company believes might be fraudulent.

Amazon Web Services Inc. is also pursuing an intriguing approach that applies mathematical logic to detect misconfigurations that could expose valuable data. The process, called “provable security,” is designed to provide absolute assurance for cloud users through sophisticated math algorithms and automated reasoning technology.

“This is turning security from an obligation to an advantage,” said Neha Rungta, principal engineer in the automated reasoning group at AWS. “I want a secure cloud environment and I can mathematically prove it is secure.”

Despite the best efforts by dedicated security researchers, market dynamics and a lack of urgency continue to raise the danger meter in a highly vulnerable connected world. When a 14-year-old iPhone user discovered a serious security issue with the FaceTime feature of the Apple iPhone on Jan. 19, it took the company more than a week to patch the eavesdropping audio bug.

And that’s a bug that was caught and disclosed. As recently documented in The New York Times, weaponized bug code which allows governments or cybercriminals to monitor user data can fetch millions of dollars from brokers who have created a lucrative market in the technology space.

“We kind of lost sight of the good that we can do and bring,” Mozilla’s Dixon warned. “If consumers don’t trust us, then none of this really matters.”

Photo: typographyimages/Pixabay
