Getting A Grip On Cybercrime

Nov 1, 2007 12:00 PM, By Sandra Kay Miller



Telecom worker William Bryant was asked to leave Cox Communications, the third largest cable provider in the country with more than 6 million residential and commercial customers. Little did his employer know that Bryant would retaliate with a cyber-attack that would crash significant portions of their extensive network, cutting off service to customers in Texas, Nevada and Louisiana, including critical 911 emergency services for several hours.


In early October, Bryant pleaded guilty in federal court and now faces a maximum sentence of 10 years in prison and a $250,000 fine.

Only a week earlier, Yung-Hsun Lin, a former systems administrator for Medco Health Solutions, also pleaded guilty in federal court to writing and planting a “logic bomb.” The malicious code was designed to cripple Medco's network, which handled billing, corporate financial and employee payroll information, as well as the Drug Utilization Review, a database of patient-specific information on conflicting drug interactions. Lin's actions were precipitated by the possibility that he would be laid off from his job during corporate restructuring. Similar to Bryant, Lin's crime could cost him up to 10 years behind bars and a stiff fine.

Lin escaped the lay-offs, but not the watchful eye of a fellow administrator who spotted the malicious code prior to its “detonation.” Had the logic bomb gone off, pharmacists would have had no way to determine if a patient's new prescription would adversely react with existing medications.

“It's not just a financial crime. It could have damaged life and limb. It shows the impact of cybercrime,” says Assistant U.S. Attorney Erez Liebermann.

Still, Lin's and Bryant's cybercrimes resulted in financial damages exceeding $100,000 for both companies.

“Hacking - introducing into and causing damage to a computer system - is a serious crime,” says U.S. Attorney David E. Nahmias. “Such electronic attacks threaten our nation's technological infrastructure, and we will aggressively investigate and prosecute them.”

The Justice Department has also racked up a number of high-profile convictions on external attacks. Most recently, convicted hacker Robert Moore began serving his two-year sentence for stealing voice-over-IP services from 15 telecom companies and hundreds of businesses.

According to Liebermann, a smaller telecom company folded due to having to pay their larger service provider for the services stolen by Moore. “They had to eat the bill and were unable to remain in business.”

Bryant and Lin represent only a fraction of cybercrimes that are actively being prosecuted by the Department of Justice. Currently, there are approximately 30 types of unlawful online conduct defined by the Computer Crime and Intellectual Property division, including denial-of-service attacks, Web site substitution and redirection, phishing, cyber-stalking, spoofing an e-mail address and spam.

Organizations must deal with cyber-threats on two fronts — the inside and outside. External attacks have made up the bulk of security issues, resulting in the extensive development and deployment of preventative technologies, such as firewalls, intrusion prevention and detection systems, malware scanners, anti-spam products and Web filters, that appear to be making a dent in the number of external attacks.

CSO Magazine's third annual E-Crime Watch Survey conducted in conjunction with Carnegie Mellon University's CERT Coordination Center, the United States Secret Service and Microsoft Corp. found companies are gaining ground against corporate cybercrime with 69 percent of respondents stating that the average number of security events had declined over the last two years.

While those numbers might paint a rosy picture for some, the reality is that digital attacks are becoming increasingly complex and continue to cause billions of dollars in damage annually to organizations throughout the world. The U.S. Treasury Department puts cybercrime annual net profits at an estimated $105 billion.

Computer security giant McAfee's CEO David DeWalt points out that cybercrime has surpassed the value of the international illegal drug trade. “Worldwide data losses now represent $40 billion in losses to affected companies and individuals each year,” DeWalt says. “If you rob a 7-Eleven store, you'll get a much harsher punishment than if you stole millions online. The cross-border sophistication in tracking and arresting cybercriminals is just not there.”

Besides the challenges of prosecuting criminals that operate in an international arena as well as a virtual realm, cybercrime has shifted from the lone hacker trying to attain bragging rights to digital scams for profit operated by organized crime syndicates.

In an interview with Reuters, Christopher Painter, deputy chief of the computer crimes and intellectual property section at the Department of Justice, explained, “There has been a change in the people who attack computer networks, away from the ‘bragging hacker’ toward those driven by monetary motives. There are still instances of these ‘lone-gunman’ hackers but more and more we are seeing organized criminal groups, groups that are often organized online targeting victims via the Internet.”

Initially, organizations that fell victim to cybercriminals often failed to report the crime for fear of negative publicity. But with the growing demands of regulatory compliance combined with mounting financial losses, many companies have no choice but to report cyber-attacks to the proper authorities.

Unfortunately, many companies don't know where to turn when they fall victim to cybercrimes and muddle through various law enforcement agencies until they find the correct investigating authority.

Currently, the primary federal law enforcement agencies that handle domestic cybercrimes are the Federal Bureau of Investigation (www.fbi.gov), the United States Secret Service (www.secretservice.gov), the United States Immigration and Customs Enforcement (www.ice.gov), the United States Postal Inspection Service (postalinspectors.uspis.gov) and the Bureau of Alcohol, Tobacco and Firearms (www.atf.gov). Crimes should be reported to the Duty Complaint Agent of the state office, depending on the nature of the crime. The FBI handles intakes on all types of cybercrimes; if a complaint involves the sale of illegal firearms, for example, the ATF would also be notified.

From the state level, the case can be elevated to agency headquarters in Washington, D.C., where there are specialized divisions for specific cybercrimes, such as online child pornography, extortion, hacking, etc.

There are a number of other collaborative cybercrime reporting resources that augment the federal agencies' ability to track cybercrime.

The Internet Crime Complaint Center (www.IC3.gov) is a joint venture between the FBI and the National White Collar Crime Center (www.nw3c.org). When organizations do not know where to turn, IC3 offers a convenient and easy-to-use reporting mechanism for alerting authorities about possible Internet-related crimes.

The Department of Homeland Security (www.dhs.gov) also investigates cybercrime activities that have the potential to damage national infrastructure, such as communication systems. DHS also works with a number of public and private organizations on the U.S. Computer Emergency Response Team (www.us-cert.gov) to protect the nation's Internet infrastructure.

The National Association of Attorneys General has a cybercrime division that has developed training for state prosecutors to deal with technology-crime-related subjects, such as the psychology of the online predator, computer hacking, intrusion and viruses, digital evidence, online auction fraud, identity theft and search and seizure of evidence.

Theft of trade secrets (also referred to as “economic espionage”) also falls under the umbrella of cybercrimes. In September 2007, two Bay Area men, Lan Lee and Yuefei Ge, were indicted on charges of conspiracy to commit economic espionage and to steal trade secrets from their employer, NetLogic Microsystems, and from a competitor, Taiwan Semiconductor Manufacturing Corp. The two defendants created their own company solely for the purpose of developing and marketing products manufactured using the stolen trade secrets. The twist to this particular cybercrime included the element of international intrigue, as one of the defendants was a Chinese national who attempted to obtain venture capital from the Chinese government. Despite the international implications, the Department of Justice has proceeded with the case.

“The vigorous enforcement of intellectual property statutes increases the economic vitality of this region and adds to the security of our nation as a whole,” says U.S. Attorney Scott N. Schools. “This office is committed to the prosecution of individuals who seek to benefit foreign governments or instrumentalities with stolen trade secrets.”

As the amount of business conducted online continues to grow, so will the opportunity for criminals to commit an assortment of cybercrimes. Even with the strictest of vigilance and security technologies in place, there is no guarantee that nefarious attempts against networks and information can be effectively thwarted. Fortunately, law enforcement has recognized the growing problem and has responded with comprehensive laws under which they can effectively prosecute cybercriminals.

No Additional Investment Needed For Security Threats

IT managers trying to figure out how much money to budget for information security purposes each year might want to take note of some recent advice from Gartner Inc., a technology research and advisory firm in Stamford, Conn. Despite the growth in targeted attacks and the continuing discovery of new vulnerabilities, almost 90 percent of the threats companies face today can be handled without any extra investment in security.

Instead, companies need to reduce some of the money they have spent over the past few years protecting against mass attacks - redirecting those freed-up resources to confront more narrowly directed emerging threats.

A lot of companies spend too much money on security controls such as firewalls, antivirus software and other desktop protection tools designed to defend against traditional mass attacks, Gartner analyst John Pescatore told ComputerWorld. Pescatore says that over the years such products have become highly commoditized and can be deployed for far less than many companies currently shell out for protection.

“A lot of it is just inertia,” he says. For instance, companies that signed up with one vendor years ago simply continue to do business with that vendor without exploring any of the cheaper and equally functional options available for desktop protection. Those who might be inclined to make the switch to cheaper technologies often mistakenly assume that such migrations are either prohibitively expensive or too complex.

The same is true for the multitude of remote access technologies that companies continue to support with very little reason to do so.

According to Pescatore, such inefficiencies have resulted in average organizations spending more than 5 percent of their IT security budget on security, and close to 12 percent if disaster recovery is included.

© 2008 Penton Media Inc.
