February 24th, 2006 by dm (Forensics, Law & Policy)

FBI Director Robert Mueller is asking for private businesses’ help to fight cybercrime. It is clear that an agency overwhelmed with terrorism investigations gives cybercrime a lower priority in terms of both resources and importance, and this is why the FBI is turning to private organizations and asking for help.

Those of you in the private sector are our first line of defense. We recognize that in certain areas we lack the expertise that you possess. We lack the specific knowledge of threats that affect individual businesses every day.

The FBI hopes that the private sector and the government can work hand-in-hand to stay on top of the technological advancements that are often used by criminals. The FBI also has several initiatives to work with private businesses, such as its InfraGard program, which has about 3,000 members. These efforts have helped identify new attacks and track down attackers, Mueller said. For example, in collaboration with Microsoft, the FBI found the alleged creators of the Mytob and Zotob worms.

[Via CNET News.com]

February 16th, 2006 by dm (Identity Theft)

A recent opinion by Judge Kyle held that a company was not negligent because it failed to encrypt a database of customer information stored on a laptop that was stolen. Guin v. Brazos Higher Educ. Service Corp., Inc., 2006 WL 288483 (D. Minn., Feb. 7, 2006).

Plaintiff Stacy Guin, a customer of Brazos Higher Education Service, sued the company for negligence for not encrypting customers’ personal information, arguing that encryption should have been a routine security precaution that a reasonable student-loan provider would put in place. The information was stored on a laptop that was stolen during a burglary at the Silver Spring, Md., home of a Brazos financial analyst who worked remotely and analyzed loan portfolios.

As a result of the breach, Brazos hired a private investigator to recover the laptop but was unsuccessful. There has been no evidence of identity theft against any of the 550,000 customers whose information was compromised, and the company took steps to notify its customers in a reasonable time.

Even though Guin had not suffered any harm as a result of the breach, she argued that Brazos was required by the Gramm-Leach-Bliley Act to encrypt personal information and limit its disclosure. Under the statute, financial service companies are required "to protect the security and confidentiality of customers’ nonpublic personal information," 15 U.S.C. 6801.

Judge Kyle disagreed and held that the law does not specifically mandate encryption.

Despite Guin’s persistent argument that any nonpublic personal information stored on a laptop computer should be encrypted, the GLB Act does not contain any such requirement.
...
While it appears that the FTC routinely cautions businesses to "[p]rovide for secure data transmission" when collecting customer information by encrypting such information "in transit," there is nothing in the GLB Act about this standard, and the FTC does not provide regulations regarding whether data should be encrypted when stored on the hard drive of a computer.

Judge Kyle is correct that the statute on its face does not require financial companies to encrypt data. But under a different set of circumstances, encrypting data could well be the reasonable thing to do, and a company might be held negligent for not doing so.

February 16th, 2006 by dm (Hacking)

Dubbed by the press as the ‘NASA hacker,’ Gary McKinnon, the British hacker accused of illegally accessing US government computers, faces a tough extradition hearing in his home country to decide whether he should be extradited for prosecution in the U.S. McKinnon was charged with computer fraud and with hacking into 97 US government computers, causing $700,000 worth of damages.

McKinnon has said that his actions were prompted by an interest in the U.S. space program and the search for extraterrestrial life. He is "terrified" by the prospect of facing a US court and possibly spending time in a US jail, so the extradition hearing in his home country is of crucial importance.

The seven-count indictment in United States of America v. Gary McKinnon can be found here. Most of the counts allege illegally accessing US government computers under 18 U.S.C. §1030.

Update:
District Judge Nicholas Evans ruled that he would deny the US extradition request unless the US could guarantee that it would not prosecute McKinnon as a terrorist. The defendant’s attorney argued that if his client were treated as a terrorist, the U.S. would have the authority to detain him indefinitely. The case will resume on March 14, 2006.

February 15th, 2006 by dm (Privacy)

A law criminalizing the fraudulent acquisition and resale of phone records is pending in Congress.

Anyone who "fraudulently" acquires and resells records of calls made by a telephone subscriber could face fines of up to $500,000 and prison sentences of up to 20 years, under a bill proposed Wednesday in the U.S. House of Representatives.

In light of increased congressional scrutiny of firms reselling phone records, lawsuits by phone companies, and public outrage, the bill, dubbed the "Law Enforcement and Privacy Act of 2006," was proposed by five Republicans and four Democrats from the House Judiciary Committee.

[Via CNET News.com]

February 7th, 2006 by dm (Law & Policy)

The Bush administration has proposed an increase of $14 million to cybersecurity projects as part of the FY’07 budget. This is an increase of 17% but many still consider the proposed financing for the National Cyber Security Division inadequate. Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA) and one of the developers of the President’s National Strategy to Secure Cyberspace has said that while any increase in cybersecurity funding is welcome, "we are starting deep in the hole for R&D" and "well behind" in the cybersecurity work for which the NCSD is responsible.

In addition to the inadequate budget, the Department of Homeland Security still has not filled the assistant secretary for cybersecurity and telecommunications position, despite a July 2005 statement by Homeland Security Secretary Chertoff that filling the position is a key component of his DHS reorganization plan.

February 4th, 2006 by dm (Spam)

Verizon Wireless, the #2 US mobile carrier, has won a permanent injunction against Passport Holidays, a Florida company, to stop it from sending unsolicited text messages to Verizon subscribers. The lawsuit was the result of 98,000 messages being sent to Verizon customers in October. At an average rate of 5¢ per text message, this makes for approximately $5,000 in fees that Verizon charged its customers because of the spam. Verizon also received a $10,000 judgment against Passport Holidays.

Text-messaging spam has different economics than ordinary email spam. In addition to the annoyance of receiving an ad on the cell phone, many mobile subscribers are charged for each incoming text message (in fairness, many plans include a number of free incoming and outgoing text messages, while other plans have free incoming messages). Thus, mobile phone spam presents a more serious economic threat than email spam, and it is good to see providers become active in prosecuting this type of threat.

How effective is text-messaging spam anyway? Users receive a short message on their mobile phones that tries to sell them a vacation cruise and lists a call-back number to dial. How many people actually go to the trouble of dialing that number despite the (possible) annoyance and the (hopefully) suspicion?

February 3rd, 2006 by dm (Hacking, Vulnerabilities)

How much is a major Windows exploit worth? Market says $4,000.

Competing hacker groups in Russia were peddling the exploit code responsible for the Windows Meta File attacks last December for $4,000, according to security company Kaspersky Lab.

Competing hacker groups? Imagine how much the exploit code would have cost had there been no competition among the hacker groups in Russia. Thank god for the market economy in Russia.

[Via CNET News.com]

February 3rd, 2006 by dm (Identity Theft)

Maybe identity theft is not such a big problem after all?

U.S. consumers lost nearly $57 billion last year to criminals who stole their identities, but online fraud was the culprit in just one in 10 cases, according to a survey released on Tuesday.

The study, released by the Council of Better Business Bureaus, showed that identity theft costs rose by 4% in 2005 compared to 2004. What is interesting is that the number of people who learned that they were victims of identity theft decreased by 4% in 2005, to 8.9 million. The survey said a typical fraud costs $422 and takes 40 hours to fix. While fraud takes an average of 84 days to detect, 40 percent of cases are resolved within one week.

These are interesting results. In light of the high-profile massive thefts of personal information from banks, universities, and stores, among others, it is strange that the number of reported (or experienced) identity theft cases has decreased. This suggests two possible conclusions. First, the amount of stolen personal information has stayed the same, and it was just more widely publicized over the past year or so. Or, second, the amount of stolen data has increased, but either thieves have been unsuccessful in using it to steal identities, or banks and other institutions holding personal information have better safeguards to prevent identity theft.

[Via CNET News.com]

February 1st, 2006 by dm (Law & Policy, Spyware)

If you are in the vicinity of Washington, DC on February 9th, you might want to check out the Anti-Spyware Coalition Public Workshop: Defining the Problem, Developing Solutions. The folks at the Anti-Spyware Coalition have a great lineup of topics and presenters.

Registration is free for government, education, non-profit, and press attendees. All others can register for $250. I will be attending, and I hope to see many of our readers there. Feel free to drop me a note if you plan on attending.

February 1st, 2006 by dm (Hacking, Law & Policy)

What is an easy way to get a number of plain-clothes FBI agents to storm your home and confiscate your computer equipment? Uncapping your cable modem’s bandwidth limit is one way. DSL Reports has a story from Ohio where local ISPs enlisted the FBI’s assistance in going after customers who had hacked their cable modems to obtain higher broadband speeds.

Many broadband cable modem users do not know that the limit on their speed is actually enforced in the modem itself. Hacking the cable modem to unlock a higher speed is illegal, and while it is easy to do, it is also likely to be detected by the service provider.

Here’s the Ohio story. Paul Shryock, VP for information technology at Buckeye Cablesystem, found out that 23 of his subscribers were getting more bandwidth than they had paid for. Shryock is quoted as saying that one subscriber had "altered his modem to handle 100 megabits per second, up and downstream," though the company could never realistically even deliver such speeds. So, instead of disconnecting the 23 users who had violated their terms of service by uncapping their modems, Buckeye decided to call the local branch of the FBI. Of the 23, 17 actually received visits from the FBI and local law enforcement. Seven were indicted by a local grand jury and currently face fifth-degree felony charges.

Does the punishment fit the crime? Hacking is a serious offense. Bandwidth theft has economic consequences. Damages were incurred by the service provider (although the precise amount is unclear). And similar conduct should be deterred. But employing the powerful arm of the FBI to prosecute a handful of home users in need of a faster connection may be overkill. [Also, a Toledo Blade article on this story.]