Weblog Entries: Crime and Security

Email Bomber Faces Retrial

An anonymous reader writes "A UK teenager who was cleared last year of launching a denial-of-service attack now faces a retrial. Judges have ruled that crashing a server with five million emails probably isn't permitted under the law. With NASA hacker Gary McKinnon vowing to fight on after losing his extradition fight yesterday, it's been a busy few days for the UK courts."

Originally by CowboyNeal at Slashdot: Your Rights Online, 2:22 PM

3rd Circuit: Computer Fraud and Abuse Act Provides for Civil Remedies

In its first interpretation of remedies available under the federal Computer Fraud and Abuse Act, the 3rd Circuit ruled that civil claims are allowed. In the case, an employer alleged that former employees used information wrongfully obtained from the employer's computer system. The 3rd Circuit's decision is particularly significant to employers, who may now obtain federal court jurisdiction and assert a claim without meeting all of the requirements under traditional common law and trade secret claims.

Chilean Dictator Stripped of Immunity

Chile's Supreme Court has stripped former dictator Augusto Pinochet of his immunity in order to bring him to trial on charges of embezzling public funds. The prosecution case alleges that secret overseas bank accounts were established for his family members.

Originally by ABC News: Politics, 9:15 PM

Italian mozzarella crime syndicate foiled

According to this report, four Italian police officers have been arrested for allegedly accepting cheese as bribes from motorists they pulled over.

Cyberspace Battleground in Gaza

The Israeli Defence Force (IDF) has reportedly hacked into a Hamas television station as part of an ongoing war of information in Gaza. According to local media reports, the IDF took over the Al-Aqsa television station last weekend, and is using it to broadcast pro-Israeli military propaganda, including:

an animated clip of Hamas’ leadership being gunned down. “Time is running out,” the clip warned, in Arabic.

The day before, AFP reports, a “broadcast on Al-Aqsa television was interrupted with an image of a ringing phone that no one was answering. ‘Hamas leaders are hiding and they are leaving you on the front line,’” a voice in “Hebrew-accented Arabic” said. Similar messages were sent out on Al-Aqsa radio, as well.

The Al-Aqsa station was probably chosen because of its previous association with anti-Semitic children’s cartoons. The station itself was also targeted and destroyed during aerial strikes last week.

2008 Cybersecurity Year in Review -- Part I: Data Security

It should come as no surprise that 2008 was an eventful year for online security pundits. Record instances of data breaches, identity theft, vulnerability disclosures and hotfixes were seen throughout the year. Both state and non-state actors were involved — on the public side, cyberwar in Georgia and alleged Chinese cyber-espionage; in the private sector, new low-level DNS exploits, SSL flaws and routing bugs were uncovered.

In a series of posts, I summarise the eight top cybersecurity issues for 2008 and their likely outcome in 2009, beginning with data security.

  • Data breaches up 69 per cent in 2008
    In July 2008, researchers at the Identity Theft Resource Center reported 342 data breaches since January, up 69 per cent compared with 2007. Most breaches affected government or military entities, followed by the education and business sectors.

Facebook accidentally exposes members' dates of birth

During a public beta test of its new user interface, social networking website Facebook has accidentally exposed personal information — at this stage limited to the date of birth and age — of all its members.

According to Sophos, which created a YouTube video illustrating the flaw, as many as 80 million dates of birth have been disclosed, even of users who opted to keep it hidden. The flaw was probably caused by the new site template not adding the proper privacy hooks to the birthday field, causing it to be displayed regardless of a user’s privacy preferences.

Largest ever securities fraud rocks Indian outsourcing goliath

This week’s high-tech crime is a new twist on an old favourite: securities fraud. It recently emerged that one of India’s largest outsourcing firms, Satyam Computer, had ‘overestimated’ its cash reserves and asset values by around 50 billion rupees (AUD $1.38bn). According to the company founder and chairman, this was ‘purely on account of inflated profit over a period of several years’. The fraud came to light when a recent asset acquisition fell through, forcing the company to acknowledge the ‘attempt to fill fictitious assets with real ones.’ According to a taped confession to Indian police by the chief financial officer:

Srinivas said he suspected that something was wrong when the company was late with bills, but Satyam’s chairman and managing director forbade him from using fixed deposits to pay them. He was told to “manage” the bills with operational cash instead, he said. That situation occurred continuously for the past five or six years, he said. …

Srinivas said he believed the company’s fixed deposits were “unreal” and “managed” and that they were a result of an “understanding” between management and the “audit section.”

Price Waterhouse, the Indian division of PricewaterhouseCoopers, was the external auditor for Satyam. The firm has come under fire since the Satyam fraud came to light: India’s accounting board is investigating Price Waterhouse’s work on Satyam, and investors in the computer company are considering lawsuits against the auditor.

Corporate cyber-espionage alleged by petroleum software developer

The president of Platte River Associates, a United States software development company, has pleaded guilty to charges of hacking into a competitor’s website and copying commercially sensitive files. The company develops specialist petroleum exploration software, and the target of the cyber-espionage was Zetaware, one of its chief competitors. It all smells rather suspect: the executive, a Mr Leonard, admitted to accessing a password-protected area of Zetaware’s website using a password he had been given, and then copying the files from an anonymous wireless hotspot in a Houston airport. When he mentioned the files in a Platte River staff meeting the following week, word leaked back to Zetaware and subsequently to the police. Leonard was sentenced to 12 months’ probation and a fine of USD $100 000.

One has to wonder about this case. Why were ‘sensitive documents’ left in an unencrypted format on a corporate website, protected only by a simple and widely known password? How did Leonard happen upon the password? Perhaps there were information conduits on both sides — how else did word get back to Zetaware? Injury aside, is it possible Zetaware had a commercial motive of its own for ensuring Leonard was prosecuted? Although it’s unclear from the news reports whether the conviction was recorded under an anti-hacking or an unfair competition statute, either avenue was potentially available to prosecutors. This is interesting because it reflects a growing overlap between subject-specific cybercrime legislation and generic norms of criminal conduct. The case is a timely reminder to businesses of why private documents should never be entrusted to a public web server, whether or not they are protected by an .htaccess mechanism.

Melbourne game pirate convicted of commercial copyright infringement

According to The Age, a fellow University of Melbourne alumnus has been convicted of three counts of commercial copyright infringement and fined $20 000 for running a duplication lab in (wait for it) his mother’s basement:

Jeffrey Lim, 28, converted the ground floor of his parents’ Doncaster home into a work office that held six hard drives, a computer flat screen, three printers, three DVD burners, three computer towers, four scanners and various printer cartridges.

Hmm, sounds like my living room, sans the printers. Lim apparently sold various console games for $4 each using an online mail order website. Ms Tickey for the Crown relied on a tipoff from a PwC investigator and evidence from a police raid of the premises:

The man, who deposited $714 into Lim’s account, later found that none of the 138 Playstation2 games he received displayed any genuine features.

Gosh, how unexpected! $5 games turn out not to be originals. Unsurprisingly, Lim pleaded guilty. Mr Simpson for the defence argued in mitigation that the piracy business emerged after ‘repeated but failed attempts’ to gain employment in the computer industry. Guess a Melbourne BSc isn’t what it used to be.

Individual to be prosecuted for domain name 'theft'

A number of news agencies are reporting that Daniel Goncalves, a 25 year-old law firm technician, is being prosecuted for the ‘theft’ of domain name P2P.com:

Attorney Paul Keating told DNN that most cases of domain theft recovery that he has dealt with have been complicated at best. The real problem stems from the fact that domain names aren’t considered property. “The laws do not specifically identify domains as property. That has been the subject of various court decisions. Not all courts have issued consistent decisions. For example, bankruptcy courts have no difficulty treating domains as property. The IRS treats domains as a form of intellectual property and allows amortization along the lines of a trademark though over a shorter period,” Keating said. Further complications come into play when we look at the rulings in different states. “California is believed to treat them as property after the Sex.com case but that was a federal decision interpreting California law. The Eastern District of Virginia (where the Verisign registry is headquartered) clearly holds domains to be the subject of a license and thus not property. I have been involved in various state-level cases seeking recovery of stolen names or trying to specifically enforce a domain purchase agreement in California and the courts have always honored the claim.”

More hyperbolic warnings of Chinese 'cyber spies'

A report produced by the US–China Economic and Security Review Commission suggests that malicious attacks on United States military computer systems increased by 20 per cent in 2008, a figure that is projected to grow by 60 per cent in 2009. Experts attributed much of the increase to attacks originating in China:

“A large body of both circumstantial and forensic evidence strongly indicates Chinese state involvement in such activities,” the commission said in its 367-page report to Congress.

“China’s peacetime computer exploitation efforts are primarily focused on intelligence collection against US targets and Chinese dissident groups abroad.”

“China is changing the way that espionage is being done,” said Carolyn Bartholomew, who chaired the commission.

The report offers an alarming, though perhaps premature, conclusion:

China is likely using its maturing computer network exploitation capability to support intelligence collection against the US Government and industry by conducting a long term, sophisticated, computer network exploitation campaign. The problem is characterized by disciplined, standardized operations, sophisticated techniques, access to high-end software development resources, a deep knowledge of the targeted networks, and an ability to sustain activities inside targeted networks, sometimes over a period of months.

Illegal logging in an age of computer crime: lessons from Brazil

To combat deforestation of the Amazon rainforest, the Brazilian province of Pará has been using computer technology to administer a system of forestry permits. Unfortunately, the system has led to widespread abuse by logging companies that have allegedly hired hackers to issue fake permits:

Companies logging the rainforest for timber or charcoal production are only allowed to fell a certain amount of timber every year and this is controlled by the use of transport permits issued by the … computer system. … each shipment of timber requires one of these transport permits, and the volume of timber in each shipment is deducted from the total amount allowed under the company’s forest management plan. Once that amount is reduced to zero, no more transport permits are issued so there’s no profit in felling more trees.

At least, that’s what’s supposed to happen but today the public prosecutor will release details of how hackers employed by 107 logging and charcoal companies have compromised the system, falsifying the online records to increase the timber transport allocations for certain areas of the forest.

The government is seeking a US$833 million fine for the contraventions. A Greenpeace worker noted that “this method of controlling the transport of timber was subject to fraud,” and that “this is only the tip of the iceberg, because the same computer system is also used in two other Brazilian states.” It is unclear when the authorities plan to fix the security holes in this deeply flawed permit administration system.

Bulletproof hosting, cybercrime and botnets

The Register has an interesting piece analysing how cybercrime botnets are connected and why they seem impervious to outside attack. It seems that the botnets are programmed to reconfigure themselves if one upstream provider goes down, and are each strongly interconnected, which creates a whole lot of redundancy:

“What they’ve worked really hard to do for themselves is build a spiderweb of connections to the outer ring if the outer ring were the internet at large,” Sean Brady, manager of RSA’s identity protection and verification group, told The Register. “As you start picking off threads, they work to reroute, to crawl along different threads.”

Needless to say, this redundancy is pretty attractive to botnet controllers (who typically seem to buy or lease access from malware creators). What’s really interesting, though, is that it turns out all the major botnets rely on about nine commercial ISPs, which are legitimate businesses. Take those ISPs offline — or require them to block botnet communications — and it will be much harder for botnet operators to re-establish contact with infected computers once the command and control link is severed (as recently happened with the Zeus botnet). This raises a very interesting legal question about whether those ISPs are, or should be, liable to block access.

Iran launches cyberattack on human rights websites

According to Iranian news reports, Iranian intelligence forces have hacked into 29 human rights activism websites which they allege are a front for US espionage and intelligence agencies. The attack follows the finding of an Iranian domestic court that the websites were developed to spy on Iran’s nuclear programme, and for the purpose of ‘provoking sedition and illegal demonstrations and rallies through releasing unreal and unfounded news and reports after the June presidential elections … providing media and news support for the Jundollah terrorist group and the monarchist opposition groups.’ Apparently, the network also distributed American anti-censorship software.

Update: Following the attacks, Iranian security forces arrested dozens of people accused of being involved in the websites’ operation. However, Western media tells a very different story, with The Tech Herald now reporting that those arrested in the operation:

were tortured for their access to the various websites, and as such the sites were taken down by physical violence, and not hacking. They have 30 members of our group held hostage, including the sister of one of our members, who has nothing to do with this matter. Each of the 30 hostages is a human rights activist and nothing more. …

Botnet hosts strongly clustered around safe haven providers

Interesting survey of the connection between website hosts and botnet ‘command and control’ servers, which are used to direct networks of malware-infected clients:

For the first half of 2010, almost a quarter of botnet CnC servers were hosted by service providers in the US, with the top three countries (US - 23.9 per cent, Germany - 17.9 per cent and France - 8.6 per cent) hosting more than half of all CnC servers.

“Half of the servers used by cyber-criminals for the purpose of controlling their botnet empires are located in commercial hosting facilities within countries not traditionally associated with this kind of crime,” writes Gunter Ollmann, VP Research at Damballa.

Internet hosting firms 1&1 Internet AG in Germany and AT&T have unwittingly become favourite control points for cybercrooks, according to Damballa. 1&1 Internet alone accounts for more than one in 10 botnet command and control servers.

Fraudulent transfers of title and Nigerian scammers

It looks like the Nigerian 419 scammers are getting more sophisticated. A South African investor found his Australian property sold to third-party purchasers without his knowledge after having his email account hacked:

Fraudsters swiped Mildenhall’s email login credentials and obtained personal property documents before selling a house and sending funds to Chinese bank accounts. The scammers hoodwinked real estate agents, banks and local land registrars.

Mildenhall only learned of the scam, seemingly by chance, after he was contacted by a former neighbour last week, just in time to stop the finalisation of the sale of a house. Another house owned by Mildenhall was sold in June.

“They had a comprehensive understanding of how transactions take place and of the legal processes. If they are sophisticated as they seem to be, identity checks will not be enough — they can forge them.”

Here’s the property in question. Unfortunately for Mr Mildenhall, under Western Australian real property law, he’s unlikely to have a claim against the purchaser if the new interest was registered. However, he will probably be able to get compensation from the Torrens claim pool.

The Great Cyberheist: Inside the life of an identity thief

The New York Times has a fantastic writeup of the criminal activities and investigation of Albert Gonzalez, a black-hat hacker who masterminded the TJX and Heartland Payment Systems credit card data breaches and who was sentenced to 20 years’ imprisonment earlier this year. The story has a cinematic, but slightly tragic, quality:

At the same time that Gonzalez was stealing all this bank-card data, he was assembling an international syndicate. His favored fence was a Ukrainian, Maksym Yastremskiy, who would sell sets of card numbers to buyers across the Americas, Europe and Asia and split the proceeds with him. Gonzalez hired another EFnet friend, Jonathan Williams, to cash out at A.T.M.’s across the country, and a friend of Watt’s in New York would pick up the shipments of cash in bulk sent by Williams and Yastremskiy. Watt’s friend would then wire the money to Miami or send it to a post-office box there set up by James through a proxy. Gonzalez established dummy companies in Europe, and to collect payment and launder money he opened e-gold and WebMoney accounts, which were not strictly regulated (e-gold has since gone out of business). He also rented servers in Latvia, Ukraine, the Netherlands and elsewhere to store the card data and the software he was using for the breaches. Finally, he joined up with two Eastern European hackers who were onto something visionary. Known to him only by their screen names, Annex and Grig, they were colluding to break into American card-payment processors — the very cash arteries of the retail economy.

Facebook and the 2011 London riots

Be careful what you write. In R v Blackwell [2011] EWCA Crim 2312, Lord Judge CJ offers this blunt description of the role played by “modern technology” (principally Facebook, BlackBerry’s BBM protocol, Twitter and SMS messaging) in the recent London riots. Rejecting the appellants’ argument that incitement via Facebook was a less serious offence because it did not lead to criminal activity in the real world, his Lordship commented:

[73] We are unimpressed with the suggestion that in each case the appellant did no more than make the appropriate entry in his Facebook. Neither went from door to door looking for friends or like minded people to join up with him in the riot. All that is true. But modern technology has done away with the need for such direct personal communication. It can all be done through Facebook or other social media. In other words, the abuse of modern technology for criminal purposes extends to and includes incitement of very many people by a single step. Indeed it is a sinister feature of these cases that modern technology almost certainly assisted rioters in other places to organise the rapid movement and congregation of disorderly groups in new and unpoliced areas.