A decision from the U.S. District Court for the Northern District of California held that the costs associated with the tracking and discovery of the identity of the person who stole proprietary information from a company does constitute "loss" for the purposes of calculation of damages under the Computer Fraud and Abuse Act (CFAA).

The dispute in the case was between a company and its competitor.  Plaintiff alleged that the defendant competitor company accessed privileged parts of plaintiff’s computer information system to, among other things, create a disparaging PowerPoint slide show.  Plaintiff based its claim under CFAA which prohibits unauthorized access to a protected computer and any person who suffers damage or loss in excess of $5,000 due to another’s misuse may maintain a civil action. 

Plaintiff relied on CFAA and its $5,000 threshold by arguing that the costs to identify that it was the competitor company who broke into its systems should be counted towards the $5,000 threshold. Defendant disagreed and moved for summary judgment, in reliance of Tyco Int’l v. Does, which holds that CFAA allows recovery for losses beyond mere physical damage to property but additional types of damages have generally been limited to accessing the damage caused to the system or to resecure the system following the attack.

The court distinguished the Tyco case on the facts and held that the costs of "responding to [the] offense" should include the costs, as in this case, of determining that defendant was one of the hackers who did access the computer system without authorization.

 

The challenge in the information security field today does not usually lie in the transmission; instead, it lies in securing the end points. There is a lot of mainstream press about Switzerland’s approach to securing their electronic elections by using quantum cryptography.  Most of the press touts the Swiss’ decision to "use ‘unbreakable’ encryption method in upcoming elections" as the solution to all of the recent woes in securing electronic elections.  The Swiss will use individual particles of light — or quantum technology — to encrypt election results as they are sent for central processing.

That sounds great, and many of the news stories seem to suggest that the Swiss have found the silver bullet to having secure elections. This cannot be further from the truth and many of the news accounts are misleading at best.  What the Swiss did was to find another (fancy-sounding) way of transmitting data securely. But this is not what bothers security researchers and governments wishing to conduct electronic elections. It is not the transmission, it is the endpoints that are causing the most security breaches. There are various (and pretty decent) solutions for securing traffic - PGP, SSL, SSH, VPN - but few good solutions of securing the actual voting machine. In fact, by writing about the ‘unbreakable’ security of the Swiss voting, the press does a disservice to anybody but the folks who are trying (and maybe succeed) to penetrate a voting machine.

The Swiss should be given credit for trying to strengthen the transmission security. But the press should tell the whole story.

All major news sources this morning are running the story of Jammie Thomas, the Minnesota woman who was the first to take the RIAA illegal file sharing accusations to court, and the jury judgment of $220,000 against her and in favor of the recording industry. [WaPo]

I will not comment on the merits of this lawsuit. Instead, I will mention one of Ms. Thomas’ defenses and its merits. During trial, Thomas defended on the ground that someone else was using her Internet connection. Her lawyer suggested in his questioning that someone other than Thomas — someone outside her window, or a neighbor — could have been responsible if she used a wireless router. That could have allowed anyone nearby to utilize her Internet connection, using the same IP address that led the record companies to Thomas.

If the jury had believed this possibility, they would not have found against Thomas. And this may be because of the specifics of this case - Thomas used the same login name in her P2P file sharing software as she used to login to her computer and myspace. If you are a neighbor stealing bandwidth, would you still use your neighbor’s unique login name to connect to file sharing services? Would you even know what the login name is? In theory, this information should be easily obtainable but I cannot think of a good motive to use such login name except maybe malice.

Seems like the "open wireless" defense becomes a staple for all cybercrime defense lawyers - it casts a shadow of a doubt on whether the defendant was the one actually using the connection at the time of the alleged wrongdoing. Almost every home now has a wireless router and there are statistics out there suggesting that a large portion of them have no or weak protection at all. (See more on wireless protection here.) But the Minnesota case shows that not every case is appropriate for this defense. In addition, at some point courts and juries may decide that if it is your wireless access point, you are responsible for what goes through it, with or without your knowledge. Currently the state of law is such that we are far from wireless point strict liability, but after a sufficient number of cases where such this defense is rejected, its usefulness may be zero.

Many businesses run their own wireless infrastructures and many know well to protect it. But how do you know when it is time to use a stronger encryption algorithm to protect the data sent wirelessly?

Generally, there are two possibilities. One is to wait until hackers break into your network by exploiting the easy-to-break WEP encryption you have on your wireless network and as a result steak millions of customers’ credit card numbers and personal data. Example: the TJX story.

The second, and the better possibility, is to do it before your (or your client’s) organization is prominently featured in the Wall Street Journal. Example: the TJX story.

Here’s a short excerpt of what should make every IT director to think about switching from WEP to WPA or better.

Investigators found that TJX was using a weak encryption protocol to protect its consumer data in July 2005, when hackers first broke into its computer system. The protocol, known as Wired Equivalent Privacy, or WEP, isn’t recommended by securities experts even for wireless home networks because it is so vulnerable to hackers.

TJX decided to upgrade to a more secure Wi-Fi Protected Access encryption protocol at the end of September 2005, Canadian officials said. By then, however, hackers had been able to access the company’s internal transaction database. They did so initially from outside two stores in Miami, the probe found.

- TJX’s Security System Faulted in Canada Probe, Wall Street Journal, September 26, 2007.

There is another recent case of a person getting in hot water for using freely available wireless Internet. We reported on similar cases in the past.

This time it is in the little town of Sparta, Michigan. Each day, around lunch time, Sam Peterson would drive to the Union Street Cafe, park his car, and browse the Internet from the convenience of his car and without entering the coffee shop. His daily routine became suspicious to Police Chief Andrew Milanowski who approached him and asked what he was doing. Peterson, not realizing that his response may get him in trouble, admitted that he was using the coffee shop’s Internet access.

Milanowski didn’t immediately cite or arrest Peterson because he wasn’t certain that a crime had been committed. However, after doing some research, he found out that under Michigan’s “Fraudulent access to computers, computer systems, and computer networks” law, Peterson’s conduct is a felony punishable by five years in prison and a $10,000 fine.

The prosecution of Peterson under the Michigan law, originally enacted in 1979 and modified in 2000 to cover wireless networks, is the first time that such conduct has been charged, according to Kent County Assistant Prosecutor Lynn Hopkins.

The good news for Peterson is that he won’t be going to prison for freeloading. Because he has no prior record, Peterson will have to pay a $400 fine, do 40 hours of community service and enroll in the county’s diversion program.

It is not often when the Securities and Exchange Commission is involved in prosecution of cybercrimes. But in this case the SEC has successfully prosecuted cybercriminals for allegedly hacking into protected systems containing nonpublic information about publicly traded companies and then using the information to make trades for profit.

According to the SEC complaint, Blue Bottle Limited, a Hong Kong chartered company and Matthew Charles Stokes of Guernsey “fraudulently gained access to material nonpublic information through fraudulent devices, schemes, or artifices, which may include, but are not limited to, hacking into computer networks or otherwise improperly obtaining electronic access to systems that contain information about imminent news releases.” As a result, the defendants used the information to trade and make a profit of $2,707,177.

The SEC claims are under Section 17(a) of the Securities Act of 1933, Section 10(b) of the Securities Exchange Act of 1934 (Exchange Act), and Exchange Act Rule 10b-5. The complaint sought permanent injunctions, disgorgement of illegal profits plus prejudgment interest, and civil money penalties and on March 7, 2007, a United States District Court for the Southern District of New York entered a preliminary injunction order against the defendants.

It is interesting that it is the SEC bringing this action and not the Department of Justice. The Computer Fraud and Abuse Act would seemingly provide a better deterrent for criminals as it provides for jail time. However, the DOJ may not have been able to successfully prosecute the defendants as they may not be under the US jurisdiction. The SEC, on the other hand, can impose asset freeze and provide a relief when jurisdictional and other issues prevent successful criminal prosecution.

An interesting story floats around many NBC stations and other major news outlets about a site that protects you from identity theft. It goes along the lines of, "Do you want to make sure your social security and credit card numbers are not stolen? Then come to this website, enter your social security number or your credit card number and we will check for you."

I will not name the site because in my opinion it does not deserve any additional traffic. The point is that although it may seem a great idea and would seem very appealing to the mainstream media in times of heightened sensitivity of identity theft, this kind of services pose more dangers than benefits. It may be also somewhat ironic - by trying to prevent your social security number from appearing on the Internet, you go on the Internet and you voluntarily type it into a search engine, which, in turn, searches some portion of the Internet to figure out whether there is a match. This just sounds wrong.

The site owners make a statement in their defense (and in attempt to appease people like me who feel this is not right),

Your credit card number or social security number alone has little value. These numbers can only be used to commit fraud when they are attached to an address, name, date of birth, expiration date, CVV2, etc. We never know any of this information; therefore, searching for a number with StolenID Search carries little risk of harming you, even in the worst case scenario.

Although true, this statement doesn’t tell the entire story. Having somebody’s social security or credit card by itself may not be enough, but it is the most essential piece of information in attempting to steal one’s identity or money. If criminals had the social security number and IP address of a person who searched for this social security they can easily either social engineer or IP-lookup the name and address of the user at a particular IP address. In many cases this will not work, but in many cases it would. In addition, motivated hackers can penetrate the machine at the originating IP and obtain the necessary name and address needed to steal somebody’s identity.

I hope that I am wrong and that this site provides more help than damage. But as of now I don’t feel right about it.

The Computer Fraud and Abuse Act (18 U.S.C. 1030) was intended to criminalize criminal hacking into protected computers. However, one of its effects (unintended -?) was to create a private cause of action which is very easy to bring in today’s business environment. Essentially, in almost any commercial dispute where a computer is or has been involved to store or process relevant (and important) information, a litigant may raise a CFAA claim merely arguing that the opposing party "exceeded authorization" when accessing information  stored on a computer and can therefore be liable under CFAA for damages if the damages exceed $5,000.

In the past, courts have struggled to decide what exactly constitutes damages under CFAA. For example, we have discussed cases  holding that lost productivity constitutes damages while lost profits does not. A recent case from the Fifth Circuit fleshes the damages argument a little bit further. In Fiber Systems Intl v. Roehrs, the Fifth Circuit held that hiring a data loss consultant for a cost of $26,000 to analyze potential loss of information after defendants allegedly copied information on their way out of the company does constitute damages under CFAA and satisfies the $5,000 minimum.

Fiber Sys. Int’l v. Roehrs, 470 F.3d. 1150. Full opinion.

It it is connected to a computer - then it can be hacked. Two L.A. city employees are charged with hacking traffic lights over labor dispute. The two men, Gabriel Murillo and Kartik Patel, are charged by the L.A. district attorney’s alleging that the men illegally accessed the city’s Automated Traffic Surveillance Center last August and disconnected four signal control boxes at key intersections. Traffic engineers in the center operate a sophisticated computerized network that monitors road conditions. The engineers can react to traffic jams by adjusting signal timing to improve the flow of vehicles through intersections.

According to the DA’s office, the disruption took place shortly before a job action by members of the Engineers and Architects Association, a union representing employees, such as Murillo and Patel, that run the city’s traffic center.

Murillo is charged with one count each of unauthorized access of a city computer and identity theft. Patel is charged with one count of unauthorized access of a computer and four counts of unauthorized disruption or denial of computer services.

In the Seventh Circuit, damages attributed to lost productivity can be counted against the $5,000 requirement which allows prosecution under the Computer Fraud and Abuse Act.

The Facts

The defendant appealed his sentence following a guilty plea to accessing a computer without authorization and recklessly causing damage of at least $5,000, contrary to 18 U.S.C. §1030(a)(5)(A)(ii). The record indicated that the defendant, who had been recently terminated from his job as a computer technician, made unauthorized access on several occasions to the victim’s wireless Internet access account–conduct that had the effect of preventing the victim, a small business, from accessing the Internet at the same time. The trial court determined that the victim had suffered $6,014 in losses for "lost productivity" due to conduct by the defendant that "adversely affected" their productivity.

The Court’s Holding

In an opinion by Judge Bauer, the Seventh Circuit upheld that a trial court’s consideration of lost productivity is proper, however, expenses incurred by the victim assisting the government should be excluded from this calculation. The court stressed that costs incurred by victims primarily to aid the government in the prosecution and criminal investigation of an offense should be excluded. United States v. Schuster, 7th Cir., No. 05-4244, 10/27/06

Commentary

Note that the trial court found $6,041 in losses. This is not much beyond the $5,000 statutory requirement. And, based on the court’s holding, most of it probably comes from lost productivity. It is not hard to reach the statutory minimum of damages when you include lost productivity. Imagine you send spam to a CEO’s computer. The CEO loses 2 hours trying to contact the IT helpdesk, have the spam cleaned, and the computer restored. This all counts as lost productivity and at the high billing rate of a high-level executive, the $5,000 damages cap can be reached very quickly.

My point, after all of this, is that the statutory requirement of $5,000 is too low. Or the prosecutors should exercise more discretion in prosecuting cases that really strike at what the Computer Fraud and Abuse Act was aimed - hacking and unauthorized access to computers, as opposed to acts that affect computers and cause some incidental damage.

« Previous entries