Many of our readers know that the principal cybercrime statute in the United States is the Computer Fraud and Abuse Act, 18 U.S.C. 1030. It has served well over the years since enaction but some prosecutors (and civil plaintiffs to which it also applies) have complained that it does not keep up with newer types of cybercrime. Possibly in response to these critics, Senators Hatch (UT), Biden (DE), and Cochran (MS) have introduced an amendment to Section 1030.
The new bill, "Cyber-Crime Act of 2007" (S. 2213) (Thomas tracker) would make three substantial amendments:
First, it would prohibit "conspiracy to commit an offense" as well as the offenses actually committed. Currently Section 1030 does not explicitly cover "conspiracy" to commit any of its prohibited offenses, although prosecution was possible under other "conspiracy" provisions of Title 18. The bill now makes this explicit.
Second, the bill seeks to expand the required damage to protected computers threshold from $5,000 in a one-year period to "damage affecting 10 or more protected computers during any one-year period." Currently, in order to be able to prosecute a cybercriminal under some provisions of 1030, there must have been a minimum threshold of $5,000 in damages caused by the alleged cybercrime. In many cases this was not an issue, for example where the cybercrime had a direct financial loss of $5,000. However, other cases may not be so clear-cut. For example, if a small company’s computer is breached and the company expends some time and effort to investigate and fix the problem, the question becomes whether the expenses that the company incurred meet the $5,000 threshold. Should full-time employees’ time be calculated on a per-hour basis to determine damages? How should loss of good will be calculated if the breach becomes public? In some cases these have proven to be difficult questions.
Other reasons to introduce the "damage to 10 computers" requirement are a couple of relatively new types of crime: Distributed Denial of Service (DDoS) and botnets. Both are very closely interrelated in that the cybercriminal obtains control of a high number of computers (sometimes called ‘zombies’ and almost always substantially more than 10) which they use to disable Internet resources, send spam or phishing emails, or use the substantial aggregate computing and network power of these botnets for other evil purposes. Because by definition the owners of the zombie computers would not know that they are part of the botnet, they would not be able to assert damages and meet the $5,000 threshold. Creating a "10 or more damaged computers" provision would allow prosecution of botnet operators under Section 1030 without having to show monetary damages to a particular zombie machine.
The reality is that botnet operators can possibly be targeted under Section 1030 for the damages they do as a result of using the botnet to commit a specific act (e.g. spam, phish, DDoS); however, the new proposed provision would allow prosecution before the cybercriminals strike, not after. Kudos for giving tools for proactive legal measures against such acts.
The third of the proposed substantial amendments adds cyber-extortion and threats to reveal confidential information illegally obtained from a computer to the definition of computer damage, making them eligible for prosecution under 1030. This provision also aims to deal with a frequent type of cybercrime where there is no verifiable damage. Cyber-extortion can take many forms, but most often the cybercriminals seek to obtain money or something of value in exchange for either i) not attacking or disabling a certain computer or network resource or ii) not releasing confidential information obtained in an illegal way. The new provision covers these and similar situations.
The proposed amendments to Section 1030 are a good step towards catching up with cybercriminals. Senator Biden’s statement in connection with the proposed bill says that the "[c]urrent law hasn’t kept up with the fast pace of new criminal technologies–right now there are holes in the law that cyber-criminals can readily exploit. The Cyber-Crime Act will fix this, update the law and put us one step ahead of the cyber-criminals, instead of one step behind."
The Wall Street Journal reports on a troubling new vector of cyber attacks: emails carrying Trojan-infected Microsoft Word attachments directed to senior executives in major corporations. The emails purported to be from an employment service and offered attachments supposedly containing information on potential job candidates. Luckily for these executives, the emails were captured by MessageLabs, an email security company, which monitors the incoming email traffic of its clients for spam and viruses.
According to MessageLabs, during a two-hour period on June 24, 514 messages tailored to senior executives were captured. On Sep. 12 and 13, the company captured 1,100 messages in a 16-hour period. Although email security experts are well acquainted with phishing, this form of attack goes beyond mass-scale fraudulent emailing sent in the hope that even a very low response rate would yield some personal information. The new email attack has been seen in the past, but in smaller numbers and mainly directed at sensitive personnel in government or the military. The new attacks suggest that a fairly low-tech attack can yield open-door access to a major executive’s computer and all the information stored on it. This potentially places high-value information, such as incoming deals or regulatory or other action, in the hands of criminals who can abuse it directly or profit from it by trading securities before the news reaches the public.
This happened to me very recently. I applied to join a certain credit union. The credit union has a wonderful website and, as it should, it has an online application which seems secure enough. I filled out the necessary personal information and submitted my application over the SSL connection. Among the standard questions were few security questions such as mother’s maiden name, favorite teacher, and others. In response to my completed application, I received an email which also seemed to meet adequate financial institution information security and privacy requirements (e.g. no account numbers, login names, passwords, etc. being sent in plain text over email.)
Everything seemed fine. Until the next day when I received a phone call from an "unknown name/unknown number" phone. The lady on the other end identified herself very politely as X from the credit union, welcomed me to the union, and asked me whether I would be willing to talk with her briefly about my financial needs and how the credit union may be able to help. This was nice customer service, I thought, and agreed to talk with her for a "couple of minutes." The next thing she asked me was whether I could verify the security information on my account, and she proceeded to ask me about my mother’s maiden name. The call ended shortly after this question and after I calmly tried to explain to X that asking such questions during an outbound phone call is not a good idea because anybody could, in theory, make this phone call and obtain my security information.
I went to the credit union’s website and was impressed by the thorough explanations they have on Internet security and by the effort they make to "teach" their customers not to respond to phishing emails asking for personal login or financial information. I am sure the credit union has a policy prohibiting outgoing emails from soliciting customers’ security information. But did anyone at the credit union think to put in place the same security policy for outgoing phone calls to customers? Apparently not.
There is another recent case of a person getting in hot water for using freely available wireless Internet. We reported on similar cases in the past.
This time it is in the little town of Sparta, Michigan. Each day, around lunch time, Sam Peterson would drive to the Union Street Cafe, park his car, and browse the Internet from the convenience of his car and without entering the coffee shop. His daily routine became suspicious to Police Chief Andrew Milanowski who approached him and asked what he was doing. Peterson, not realizing that his response may get him in trouble, admitted that he was using the coffee shop’s Internet access.
Milanowski didn’t immediately cite or arrest Peterson because he wasn’t certain that a crime had been committed. However, after doing some research, he found out that under Michigan’s “Fraudulent access to computers, computer systems, and computer networks” law, Peterson’s conduct is a felony punishable by five years in prison and a $10,000 fine.
The prosecution of Peterson under the Michigan law, originally enacted in 1979 and modified in 2000 to cover wireless networks, is the first time that such conduct has been charged, according to Kent County Assistant Prosecutor Lynn Hopkins.
The good news for Peterson is that he won’t be going to prison for freeloading. Because he has no prior record, Peterson will have to pay a $400 fine, do 40 hours of community service and enroll in the county’s diversion program.
I now have the complaint. Thanks JP.
Symantec has released its annual Internet Security Threat Report. Its coverage of Internet attacks, vulnerabilities, malware, phishing, spam, and trend in the Internet security area is a must read for security and legal professionals. Here are some of the highlights.
Phishing, Spam, and Security Risks
Attack Trend Highlights
Read the full report (120 pages).
Personal Information Theft Case Du Jour: McAfee employees are now vulnerable to ID theft after McAfee’s auditor, Deloitte & Touche USA lost a disk with McAfee employee information.
The disc contained personal details on all current U.S. and Canadian McAfee workers hired prior to April 2005 and on about 6,000 former employees in the same region, (McAfee spokeswoman Siobhan) MacDermott said. (The security company currently has approximately 3,290 employees worldwide.) The information wasn’t encrypted and potentially includes names, Social Security numbers and stock holdings in McAfee.
Deloitte & Touche confirmed the incident. “A Deloitte & Touche employee left an unlabelled backup CD in an airline seat pocket,” a representative for the professional services firm said. “We are not aware of any unauthorized access to this data in the two months since the CD was lost.”
Source: ZDNet
How ironic. Of course, this is not McAfee’s fault (or at least the article and the facts on their face do not suggest so) but the story shows how even the most-protected or vigilant organizations are not immune to theft of important personal data.
The rise in phishing websites has been attributed to the increasing use of so-called "phishing kits". The Anti-Phishing Working Group has revealed in a December 2005 report that although the absolute number of phishing emails sent has decreased, the number of sites hosting phishing "action" pages has increased from 4,630 to 7,197 (over a 50% increase). Readily available "phishing kits" are circulating on underworld websites. These "phishing kits" allow even non-technical people to create and manage a multitude of phishing sites. Although the sophistication of such "amateur" phishing sites is usually likely to be low and subject to easy detection, the 50+ percent increase in such sites shows an alarming trend.
Joel Camissar, country manager for Australia and New Zealand at Websense, has told ZDNet that the situation is similar to what happened when virus-making kits started appearing a few years ago.
The commercialisation of these phishing tools is what we saw in the antivirus industry… when toolkits to create mass-mailing worms started becoming increasingly popular. We are seeing the same parallel in the phishing world, whereby these techniques are becoming mainstream.
[Via ZDNet UK]
A Massachusetts man has been charged (and will be indicted on Jan. 18 at Suffolk Superior Court) with hacking into dozens of eBay customer accounts and incurring up to $32,000 of fraudulent charges. Sean Galvez of Boston has been indicted on one count of larceny and 10 counts of unauthorized access to a computer and identity fraud committed during 2003.
According to the prosecution, Galvez is believed to have illegally accessed and taken over more than 40 eBay accounts, then used them to buy gift certificates for eBay’s half.com merchant site. While it is not clear how Galvez obtained control over these 40 accounts, it is believed to be either via phishing or by purchasing them from another party. According to sources close to the Massachusetts AG’s office, the prosecution strongly believes that the source of the eBay accounts is a phishing scam. eBay reported the incident to the United States Postal Service after the affected users reported being locked out of their accounts.
It is nice to see that eBay and law enforcement are working together to prosecute crimes which lately have stolen the headlines. What is somewhat bothersome is that the incident occurred in 2003 and yet Galvez is only being indicted in 2006. Also, considering that only 40 eBay accounts were affected (a relatively minor case compared to thousands of records), it raises the question of how long a major (multi-thousand) scam would take to investigate and prosecute.
According to a new study by AOL and NCSA,
roughly one in four U.S. Internet users are targets of phishing attacks–phony e-mails seeking personal financial data–according to a study conducted by Time Warner’s Internet unit AOL and the National Cyber Security Alliance.
Only 1 in 4? Considering that 100% (or close to it, anyway) of Net users receive spam, it is surprising that only 25% have been identified as recipients of phishing attacks. After all, it is often the same people who fill our inboxes with medication offers or mortgage deals-of-a-lifetime who graduate to sending phishing email attacks.
The study showed that 81 percent of home PCs lack either updated computer software, spyware protection or a secure firewall.
And this explains why home networked PCs are the #1 source of spam, phish, or other Internet garbage.
[Via CNET News.com]