The objective is to look for
- Total amount spend on computer security in USA and or globally
- Total revenues of the major providers of anti-virus software
- Information on the number of hackers
- Estimated damages caused by hacking, viruses annual
- Current laws against violations of computer security and spreading of viruses.
- Current practice enforcing those laws and examples of who and how many are prosecuted and what penalties are given.
- Product liability of software companies such as Microsoft for virus and security vulnerabilities created by their products
- Largest product liability cases in the computer software industry
- Computer theft - stealing of credit card, bank account account information, and related matters - estimated value and examples of recent instances.
- Computer/Internet fraud - summary of different types that occur and information about the magnitude of the problem.
Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security
A long-overdue wake up call for the information security community.
by Noam Eppel
[Note: An update to this article has been posted.]
Boiling Frog Syndrome
They say if you drop a frog in a pot of boiling water, it will, of course, frantically try to scramble out. But if you place it gently in a pot of tepid water and turn the heat on low, it will float there quite complacently. As you turn up the heat, the frog will sink into a tranquil stupor and before long, with a smile on its face, it will unresistingly allow itself to be boiled to death. The security industry is much like that frog; completely and uncontrollably in disarray - yet we tolerate it since we are used to it.
It is time to admit what many security professionals already know: We, as security professionals, are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate,first and foremost, to protect.
The ramifications of our failure are immense. The success of the Internet and the global economy relies on trust and security. Billions of dollars of ecommerce opportunities are being lost due to inadequate security. A recent survey of U.S. adults revealed that three times the number of respondents believed they were more likely to be victimized in an online attack than a physical crime. A recent Gartner survey that indicated that 14% of those who had banked online had stopped because of security concerns, and 30% had altered their usage. People are simply losing trust in the Internet.
The security community is not just failing in one specific way, it is failing across multiple categories. It is being out innovated.
It is losing the digital battle over cyberspace.
Failing? Says Who?
Today we have fourth and fifth generation firewalls, behavior-based anti-malware software, host and network intrusion detection systems, intrusion prevention system, one-time password tokens, automatic vulnerability scanners, personal firewalls, etc., all working to keep us secure. Is this keeping us secure? According to USA Today, 2005 was the worst year ever for security breaches of computer systems. The US Treasury Department's Office of Technical Assistance estimates cybercrime proceeds in 2004 were $105 billion, greater than those of illegal drug sales. According to the recently released 2005 FBI Computer Crime Survey, nearly nine out of 10 U.S. businesses suffered from a computer virus, spyware or other online attack in 2004 or 2005 despite widespread use of security software. According to a Federal Trade Survey, approximately 9.9 million were victims of identity theft in 2003 alone - which is approximately 27,000 victims of ID theft per day! And companies like IBM are putting out warning calls about more targeted, more sophisticated and more damaging attacks in 2006. Something is seriously wrong. One only has to open a newspaper and view current headlines documenting the almost constant loss of personal and financial data due to carelessness and hacking. It isn't just careless individuals that are leaking confidential information - it is large, multinational corporations with smart, capable I.T. departments with dedicated security professionals and huge security budgets. Credit Card Breach Exposes 40 Million Accounts
Just How Bad Is It?
In some cases, even our best recommended security practices are failing. In a recent experiment, AvanteGarde deployed half a dozen systems in honeypot style, using default security settings. It then analyzed the machines' performance by tallying the attacks, counting the number of compromises, and timing how long it took an attack to successfully hijack a computer once it was connected to the Internet. The average time until a successful compromise was just four minutes! A person can go to his/her local computer store and purchase an expensive new computer, plug it in, turn it on and go get a coffee. When he/she returns the computer could already be infected with a trojan and being used in a botnet to send out spam, participate in phishing attacks, virus propagation, and denial-of-service attacks, etc. The first thing most consumers do with a new computer is surf the Internet, play games, send emails - not install patches. However, even if a person was security-aware and even if the person followed SANS Incident Response Center's recommendations for Surviving the First Day of Windows XP, they will still be left vulnerable as the process of downloading and installing the latest Microsoft patches which may be as small as 70 megabytes (MB) or as large as 260 MB, takes longer than the time it takes for an unpatched computer to be compromised. "In some instances, someone had taken complete control of the machine in as little as 30 seconds," said Marcus Colombano, a partner with AvanteGarde.
The Failures Are Everywhere
The effects of our failure can be seen everywhere. SPYWARE
The average user's computer is absolutely crawling with spyware and popups. According to the National Cyber Security Alliance a staggering 91 percent in the study have spyware on their computers. According to a report from EarthLink and Webroot Software, a scans of over 1 million Internet-connected computers found there's an average of almost 28 spyware programs running on each computer. Spyware can cause extremely slow performance, excessive and unsolicited pop-up advertisements, hijacked home pages, theft of personal information (including financial information such as credit card numbers), monitoring of Web-browsing activity for marketing purposes, routing of HTTP requests to advertising sites, etc. Sometimes Spyware can cross the line when it expose adult pornography to children.
Eric Howes, a renowned security researcher at the University of Illinois at Urbana-Champaign, found that many of the best-performing anti-spyware scanner "fail miserably" when it comes to removing spyware from infected computers, with some missing up to 25% percent of the critical files and registry entries installed by the malicious programs. Recovering from malware is becoming impossible, according to Microsoft.
Phishing scams now exceed 40 million attempts per week. Phishing attacks started as poorly written email messages in broken English that only the most gullible would fall for. Today Phishing attacks are sophisticated operations with emails and fake websites that appear almost identical to the real thing. In June 2004, the Gartner Group reported that online bank accounts had been looted of $2.4 billion just in the previous 12 months. It estimated that 1.98 million adults in America had suffered losses with Phishing attacks which usually impersonate well known brands such as eBay, PayPal, Visa, SouthTrust Bank, KeyBank, AOL, Comcast, Earthlink, Citizen Bank, Verizon, etc.
George Ou revealed that many large American financial institutions are not using SSL to verify their identity to the customer. This makes it more easy for a phishing attacker to intercept and spoof a financial web site. Financial institutions that were identified as not using SSL properly include: American Express, Bank of America, Chase, Countrywide, DCU, Georgia Telco Credit Union, Keybank, NationalCity, NAVY Federal, PSECU, US Bank, Wachovia, and Washington Mutual.
TROJANS & VIRUSES & WORMS
There are literally thousands of new trojans, viruses and worms created each and every month. In the past, where as malware-creation was done mostly out of curiosity, entertainment or in search of notoriety, today they are being driven by financial returns and profits. Previously, the greatest potential danger was the deletion of computer files. Nowadays, your money and confidential information is at risk. The U.S. Federal Bureau of Investigation (FBI) estimates that computer crime costs American companies a staggering $62 billion a year—with computer viruses, worms or Trojan horses plaguing 84 percent of the 2,066 respondents to the agency’s 2005 security survey. Microsoft has had over two billion downloads of its malicious software removal tool in the last year, which tells us something about the overall size of the malicious software problem. While Bitdefender and Malwarebytes are now considered the top malware tools, there are plenty of malware guides online to help users. Malware is becoming ever more dangerous and sophisticated. A new class of cyrpto-viruses such as Ransom.A.Trojan and Zippo.A, infects a computer and encrypt documents on the hard drive. These viruses then demands the user to send money via paypal or Western Union to a designated account in order to reveal the password needed to decrypt the files. These "ransomware" viruses usually demand a relatively small amount of money (From 10.99 to a few hundred dollars) in exchange for the password which increases the likelihood that the ransom will be paid.
New generation of rootkits are becoming increasingly difficult to detect. Microsoft Research labs created the first proof-of-concept prototype for virtual machine-based rootkits called SubVirt. VM Rootkits drops a virtual machine monitor underneath an operating system, which makes the rootkit virtually impossible to detect from the host operating system because its state cannot be accessed by security software running on the target system. Today's malware propagation strategies are overwhelming and exploiting the weakness in the industry-standard, signature-based detection method of most anti-virus software.
The conventional signature-based approach, which involves maintaining a library of characteristics of each and every malicious attack, is fast falling behind. It is completely reactive. The speed of attack and propagation is such that patches simply cannot be issued quickly enough. In 2001, the infamous Code Red Worm was infecting a remarkable 2,000 new hosts each minute. Nick Weaver at UC Berkeley proposed the possibility of a "Flash Worm" which could spread across the Internet and infect all vulnerable servers in less than 15 minutes. A well engineered flash worm could spread worldwide in a matter of seconds. Another method to bypass signature-detection methods is custom-designed trojans such as Trojan.Mdropper.B and Trojan.Riler.C that are being created to target a specific company or industry. On June 16, the United Kingdom's incident response team, the National Infrastructure Security Co-ordination Centre, warned that stealthy Trojan-horse attacks were targeting specific U.K. companies and government agencies. "I think it would be very, very naive for any company to ignore these attacks. The lack of instances makes this more insidious, because it's likely that that no one is detecting the attacks. People may only notice it months later--by then, it is too late." said Mark Sunner, chief technology officer, MessageLabs. SPAM
Bill Gates, the co-founder and chief software architect of Microsoft predicted the Death of Spam by 2006. Spam activity has increased 65% since January 2002 according to Postini. And as of April 2006 they report that 70% of all emails - or 10 out of 14 emails - are spam which includes unsolicited commercial advertisements, stock scams, adult content, financial hoaxes, etc. Not surprisingly, spam is predicted to get much worse. At the 2006 European Institute for Computer Anti-Virus Research conference in Hamburg, John Aycock and Nathan Friess from the University of Calgary presented a paper on how spam can bypass even the best spam filters and trick experienced computer users who would normally delete suspicious email messages. The new technique relies on a new generation of spam zombies that monitor and mine email they find on infected machines, using this data to automatically forge and send improved, convincing spam to others. The next generation of spam could be sent from your friends' and colleagues' email addresses – and even mimic patterns that mark their messages as their own (such as common abbreviations, misspellings, capitalization, and personal signatures) – making you more likely to click on a Web link or open an attachment. BOTNETS
When the U.S. Justice Department stepped up its investigation of cybercrime, it found spam originating from an unexpected source: hundreds of powerful computers at the Department of Defense and the U.S. Senate. The machines were "zombies" that had been compromised by hackers and integrated into bot networks that can be remotely controlled to send spam or launch distributed denial of service attacks. Botnets consisting of 100,000 and 200,000 nodes are not uncommon. There's even a case where a real botnet was found with about 1.5 million machines under one person's control.
According to data from PandaLabs, in 2005 more than 10,000 examples of bots were detected, representing an increase of more than 175 percent with respect to the previous year. Bots represented more than 20 percent of all malware detected in 2005. The number of variants of each bot could stretch into the thousands, a figure far too high for signature-based protection to cope with. For example, in the prolific Gaobot family, more than 6000 new variants were found in 2005 alone. WEB APPLICATION VULNERABILITIES
Mercedes Benz, Fuji Film, Panasonic, US Navy, US Army, Greenpeace, Coldwell Banker, Microsoft, Google, Standford Electric, the National Oceanic & Atmospheric Administration, The SCO Group, the National Weather Service, Stanford University, SANS Institute, Symantec, Mcdonalds, Sandia National Laboratories, the U.S. Geological Survey, Bottom Line Technology, Association of Chief Police Officers, Midwest Express Airlines, the Space and Naval Warfare Systems Command, the Office of Secretary Defense, the Defense Logistics Agency, NASA Jet Propulsion Laboratories.... what do all these have in common? Their web site were recently defaced.
Zone-h.org keeps a digital archive of web site defacements, documenting hundreds of new defacements every day of corporations, organizations, and governments around the world. The majority of these compromises were compromised using an admin configuration mistake (19.4%) or a known vulnerability to which a patch is available (15.3%) or other programming errors. In other words - entirely avoidable. The same insecure programming methods and same programming mistakes are being used over and over - even in web applications developed by tech-savvy corporations such as Google, Yahoo, Hotmail, eBay, Etc.
- October 2005 - A vulnerability in Google's Gmail's authentication and session management discovered allowed a cybercriminal the ability to potentially take complete control of a victim's Gmail account without requiring any involvement of the victim.
- February 2006 - A Hotmail vulnerability allowed cross-site-scripting attacks.
- February 2006 - An Ebay vulnerability was being actively exploited.
- April 2006 - An vulnerability in Yahoo Mail was actively exploited for targeted phishing.
- April 2006 - Phishers were using a Ebay vulnerability discovered April 2006 to trick victims.
- April 2006 - A Myspace vulnerability allowed malicious scripts to be inserted anywhere on the site.
DISTRIBUTED DENIAL OF SERVICE ATTACKS
A Distributed Denial Of Service attack is one in which a multitude of compromised systems flood a single target with data which drains computational resources, such as bandwidth, disk space, or CPU time, thereby causing denial of service for valid users of the targeted system. The attacking computer hosts are often zombie computers with broadband connections to the Internet that have been compromised by viruses or Trojan horse programs that allow the perpetrator to remotely control the machine and direct the attack. With enough such slave hosts, the services of even the largest and most well-connected websites can be denied.
Gaming sites, blogs, payment gateways, gambling sites, domain registrars advertising services, media organizations, large software companies, security vendors, security professionals and researchers, regularly face intimidation, extortion attempts and downtime caused by DDoS attacks. The extortion works by an attacker shutting down a site using a DDoS attack, and then follow-ups with an email saying, "Pay us or else we will shut down your site again."
"It's happening enough that it doesn't even raise an eyebrow anymore." says Ed Amoroso, chief information security officer at AT&T. Paying an extortionist a few thousand dollars to leave your network alone might make bottom-line business sense if the alternative is enduring a distributed denial-of-service attack that could cost your company millions in lost revenue and public relations damage. And many companies do pay.
"Six or seven thousand organizations are paying online extortion demands. The epidemic of cybercrime is growing. You don't hear much about it because it's extortion and people feel embarrassed to talk about it." said Alan Paller, director of research for security organization SANS. "Every online gambling site is paying extortion." Paller claimed.
The security weaknesses of Active-X controls have long been known. Yet they are still highly popular. And its about to get worse. Research by Richard M. Smith, suggests that as much as 50 percent of all Windows computers might contain one or more flawed Active-X control that could allow remote compromises. Smith used a tool to checks for "buffer overflows" in common Active-X controls. Smith found dangerous security problems in Active-X controls distributed by dozens of other major companies, including PC manufacturers and even some of the nation's largest Internet service providers. In some cases, these insecure Active-X controls come pre-installed on Windows PC from the factory.
The Yankee Group is quite clear about their opinion on Active-X when they say "Retire Active-X—now."
One-factor authentications using passwords is still the most common form of authentication. New password cracking tools based on Faster Time-Memory Trade-Off Technique which uses pre-generated hash tables can crack complex passwords in a matter of days. While many employees and even executives are still using passwords such as "password" and "12345", a very respectable password (by today's standards) of "Aq42WBp" can be cracked easily using free, downloadable tools. Ophcrack can recover 99.9% of alphanumeric passwords in a Windows SAM database in SECONDS. Two-factor authentication would do a lot to improve user security (such as prevent some forms of phishing attacks) and the industry would benefit to see greater adoption, yet some of the most popular email sites such as Hotmail and Gmail don't support it leaving users with no option. And while two-factor authentication does have benefits, Bruce Schneier is correct to state that, "Two-factor authentication isn't our savior." In response to the increased adoption of stronger authentication, cybercriminals are already proactively changing their tactics. Recent bank-stealing Trojans wait until the victim has actually logged in to their bank and then it just transfers the money out completely bypassing any authentication controls.
Too often, software vendors are slow releasing patches to fix critical flaws in their products, leaving their customers exposed. Oracle, which likes to claim its software is "Unbreakable", took an astonishing 800 days to fix two flaws, and last year took more than 650 days to publish a fix for another security flaw. Perhaps a good indication of the poor state of information security; the day Oracle announced the Unbreakable campaign, David and Mark Litchfield discovered 24 holes in Oracle products. Often critical patches released by Microsoft which are intended to protect their customers, instead causes system hangs and crashes.
The security company Scanit recently conducted a survey which tracked three web browsers (MSIE, Firefox, Opera) in 2004 and counted which days they were "known unsafe." Their definition of "known unsafe": a remotely exploitable security vulnerability had been publicly announced and no patch was yet available. Microsoft Internet Explorer, which is the most popular browser in use today and installed by default on most Windows-based computers, was 98% unsafe. Astonishingly, there were only 7 days in 2004 without an unpatched publicly disclosed security hole. Read that last sentence again if you have to.
"There were only 7 days in 2004 without an unpatched publicly disclosed security hole." -- According to a survey by security company Scanit
On Dec. 27, 2005 a Windows Metafile (.WMF) flaw was discovered affecting fully patched versions of XP and Windows 2003 Web Server. Simply by viewing an image on a web site or in an email or sent via instant messenger, code can be injected and run on the target computer. The vulnerability was in the Windows Graphics Rendering Engine which handles WMF files, so all programs such as Internet Explorer, Outlook and Windows Picture and Fax viewer which process this type of file were affected.
Within hours, hundred of sites start to take advantage of the vulnerability to distribute malware. Four days later, the first Internet messenger worm exploiting the .wmf vulnerability was found. Six days later, Panda Software discovers WMFMaker, an easy-to-use tool which allows anyone to easily create a malicious WMF file which exploits the vulnerability.
While it took mere hours for cybercriminals to take advantage of the vulnerability, it took Microsoft nine days to release an out-of-cycle patch to fix the vulnerability. For nine entire days the general public was left with no valid defenses. The WMF Flaw was a security nightmare and a cybercriminal dream. It was a vulnerability which (a) affected the large majority of Windows computers (b) was easy to exploit as the victim simply had to view an image contained on a web site or in an email, and (c) was a true zero-day with no patch available for nine days. During those nine days, the majority of the general population had no idea how vulnerable they were. Most disturbingly, the WMF vulnerability was auctioned off to the highest bidder, and reportedly was sold for $4,000 more than a month before Microsoft issued a patch and two weeks before virus hunters started noticing the potential flaw.
Yes, Zero-day exploits are now a reality. If you aren't scared yet about your online security, you should be.
WIRELESS ACCESS POINTS
Millions of wireless access points are spread across the US and the world. According to a FBI presentation at a 2005 Information Systems Security Association (ISSA) meeting in Los Angeles, about 70% percent of these access points are unprotected and left wide open to access by anyone near that location. The rest are protected by Wired Equivalent Privacy (WEP) defined as a security protocol in the IEEE 802.11 standard. Only a small portion are using the new, more secure, WPA standard.
The problem is that the WEP standard is completely broken. Today, easily accessible tools can crack a 128 bit WEP key in minutes. One reason for the low adoption of the new WPA standard is that product manufactures and computer stores continue to make and sell devices which only support the insecure WEP protocol. So even if the average consumer takes the unusual step of attempting to enable security protection, he/she is still left highly vulnerable.
Internal attacks cost U.S. business $400 billion per year, according to a national fraud survey conducted by The Association of Certified Fraud Examiners, and of that, $348 billion can be tied directly to privileged users. And according to the 2005 Global Security Survey, internal attacks on information technology systems are surpassing external attacks at the world’s largest financial institutions.
VULNERABILITIES IN SECURITY SOFTWARE
Rather than just focus on operating systems, cybercriminals are now also targeting and exploiting anti-virus and security software - the very security software that's supposed to protect PCs. According to a Yankee Group research paper, in a 15-month period ending March 31 2005, 77 separate vulnerabilities have been discovered in products from security vendors Symantec, F-Secure and CheckPoint Software Technologies and others.
For example, in May 2004 a critical remote vulnerability affected almost the entire line of Symantec firewall product line (including versions of Symantec Norton Internet Security, Symantec Norton Personal Firewall,Symantec Client Firewall, and Symantec Norton AntiSpam) which allowed remote kernel access to the system - even with all ports filtered, and all intrusion rules set. In March 2004 the W32/Witty.worm damaged tens of thousands of computers by exploiting computer systems and appliances running security gateway software from network protection firm Internet Security Systems causing an unstable system and corrupted files.
We are discovering that no technology is immune from cybercriminals looking for ways to exploit it. Simply by using a cell phone, or personal digital assistant people can be a walking, talking security risk. There are currently dozens of viruses which target the popular Symbian phone operating system, however many of these are low-risk. While the problem is not yet widespread, it is only a matter of time before malware writers start to write more destructive mobile viruses. From a virus that will dial 1-900 numbers all day long, to the one that automatically buys a hundred ring tones that get added to your phone bill, there is money to be made and therefore there will be cybercriminals looking to exploit the technology.
THREATS EVERYWHERE - EVEN IN MUSIC CDS
Seemingly innocuous objects such as music CDs are now attack vectors which can leave you vulnerable. On Oct. 31, 2005 Mark Russinovich of Sysinternals discovered that Sony distributed a copy-protection DRM with music CDs that secretly installed a rootkit on computers. Once a CD is placed in the computer, the software tool is run without your knowledge or consent. The Sony code modifies Windows so you can't tell it's there - a process called cloaking which is a tactic usually used by virus writers - and It acts as spyware, surreptitiously sending information about you to Sony. And trying to remove it can damage Windows. Virus writers begin to take advantage of the Sony rootkit’s cloaking features, making their viruses undetectable by anti-virus software.
Under intense pressure by the media, Sony created an uninstaller program. However, the uninstaller didn't remove the rootkit - it only removed the cloaking features. It was then discovered that the uninstaller had a vulnerability which allowed any web page you visit to download, install, and run any code it likes on your computer. More than half a million networks, including military and government sites run were infected. The rootkit has even been found on computers run by the US Department of Defense.
There has been significant advances and cryptography research against security algorithms. In 1999, a group of cryptographers built a DES cracker, effectively killing off the Data Encryption Standard. It was able to perform 2^56 DES operations in 56 hours. The machine cost $250K to build, although duplicates could be made in the $50K-$75K range. A similar machine built today could perform 2^60 calculations in 56 hours, and 2^69 calculations in three and a quarter years. Or, a machine that cost $25M-$38M could do 2^69 calculations in the same 56 hours. In 2004 Eli Biham and Rafi Chen, of the Israeli Institute of Technology and separately Antoine Joux, announced some pretty impressive cryptographic results against MD5 and SHA. Collisions were also demonstrated in SHA. In February 2005, Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu from Shandong University in China showed that SHA-1 is not collision-free by developing an algorithm for finding collisions faster than brute force.
What does this mean for the average person? While these developments are big news for cryptographers, they present little real-world risks to the average user at the moment. However, what these developments make clear is that its time for a new standard.
Jon Callas, PGP's CTO, said it best: "It's time to walk, but not run, to the fire exits. You don't see smoke, but the fire alarms have gone off."
Come On In... The Water's Fine!
This is no doubt an information security pandemic occurring. We are passed rising temperatures and hot waters - the pot is boiling! Yet, SANS's Internet Storm Center's Infocon Threat Level is rarely at any level other than a consistent Green; the lowest threat-level rating. While the pot is boiling, the Infocon Threat Level is telling us, "Everything is normal. No significant new threat known." Symantec's ThreatCon is most often at l, which is the lowest threat-level rating. Panda's Software Virusometer is usually at Green - "Normal".
|Description||Status||What is Means|
|SANS's Internet Storm Center's Infocon Threat Level (at time of writing, May 1st 2006.)||The intent of the 'Infocon' is to reflect changes in malicious traffic and the possibility of disrupted connectivity.||"Everything is normal. No significant new threat known."|
|Symantec ThreatCon (at time of writing, May 1st 2006.)||"The Symantec ThreatCon rating is a measurement of the global threat exposure, delivered as part of Symantec DeepSight Threat Management System."||"This condition applies when there is no discernible network incident activity and no malicious code activity with a moderate or severe risk rating. Under these conditions, only a routine security posture, designed to defeat normal network threats, is warranted."|
|Panda Virusometer (at time of writing, May 1st 2006.)||"The Panda Virusometer measures the probability of users being affected by a virus at any given time."||"There are no signs of viruses or hoaxes that represent a threat. Low risk of being infected by a virus or malicious code, as long as the usual precautions are taken."|
To steal a line from Arthur Dent in The Hitchhiker's Guide to the Galaxy: "Ah, this is obviously some strange use of the word "safe" that I wasn't previously aware of." It is as if many in the information security community are so used to zero-days, 100,000-node botnets, daily virus threats, spam-clogged email boxes, organized-crime-funded aware, massive identity thefts, etc, that they look at this situation and believe this is "normal." Business as usual. This attitude is dangerous. And it must change.
Why Are We Failing?
We operate in a hostile environment. Cyberspace's digital battlefield heavily favors the cyber criminal. A cyber-criminal only needs to identify a single vulnerability in a system's defenses in order to breach its security. However, information security professionals need to identify every single vulnerability and potential risk and come up with suitable and practical fix or mitigation strategy. Furthermore, the freedom, privacy and anonymity cyberspace offers, gives cybercriminals the opportunity and confidence to target victims around the world with little chance of being caught.
Cybercriminals are simply out innovating us. The technology and information security landscape is in a constant state of change and security is a digital arms race with both exploits and defenses continuously improving. While the cyber criminals have adapted and modified their attack and exploit techniques, the security community struggles to modify and adapt not simply their defenses, but their mind set.
For example, when Microsoft wanted to limit Windows Updates to registered copies of Windows, they developed their "Genuine Advantage" system. In less than 24 hours, the it was cracked. Sony spent millions developing a DRM technology called key2audio for their music CDs to prevent unauthorized music duplication, track ripping and piracy. Shortly after CDs with key2audio started hitting store shelves, it was discovered that the DRM technology could be defeated - by a $0.99 cent pen by simply scribbling around the rim of a CD! Tsutomu Matsumoto, a Japanese cryptographer, recently discovered that many advanced biometric fingerprint scanners used for authentication can be bypassed 4 out of 5 times using Gummi Bears and $10 worth of equipment!
Cybercrime no longer requires exceptional technical skills. This perfectly innocuous device is actually a hardware keyboard logger which silently and undetectably captures key strokes! They can be bought online for less than $100 US
Computer users attempting to sign up for an email account or blog are now faced with a mishmash of letters and numbers that they have to try to decode. This system is called CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) - the security community's answer to bot impersonating humans to register for computer services (such as free email accounts used to send spam) which is now in use on sites like Yahoo, Paypal, and Hotmail. However, computer software devoted to circumventing CAPTCHA is becoming so effective, sites have been forced to generate CAPTCHAS that are even difficult for humans to solve! And spammers have already engineered methods to bypass CAPTCHA. This system only serves to frustrate legitimate users and does little to hamper illegitimate bots.
Computer users attempting to sign up for an email account or blog are now faced with a mishmash of letters and numbers that they have to try to decode. This system is called CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) - the security community's answer to bot impersonating humans to register for computer services (such as free email accounts used to send spam) which is now in use on sites like Yahoo, Paypal, and Hotmail. However, computer software devoted to circumventing CAPTCHA is becoming so effective, sites have been forced to generate CAPTCHAS that are even difficult for humans to solve! And spammers have already engineered methods to bypass CAPTCHA. This system only serves to frustrate legitimate users and does little to hamper illegitimate bots.
Cybercrime is accessible to anyone. Whereas once one had to possess extraordinary computer skill to become a cybercriminal, today you don't need special skills or knowledge to become a successful cybercriminal. Exploits and detailed vulnerability information are available to anyone on the Internet. Point-and-click wizards, virus generators, and hacking tools dramatically reduce the skill level required to attack a target. For $15 to $20, hackers can buy a "Web Attacker Toolkit" from a Russian web site which sniffs for seven unpatched vulnerabilities in Internet Explorer and Firefox, then attacks the easiest-to-exploit weakness. The toolkit then places a trojan on the victims computer which can be used log keystrokes, download additional code, or open backdoors. You don't even have to participate - armies of coders are available to code custom spyware for money, or perform denial of service attacks for hire such as the one a CEO of a web-based satellite T.V. retailer ordered against his competitors which caused outages as long as two weeks at a time and $2 million in losses.
The "Biggest Bank Heist in History" did not involve technological geniuses breaking encryption algorithms and cracking firewall defenses. In fact, the heist was so simple only the most basic of technological skills were required. Thieves masquerading as cleaning staff installed hardware keystroke loggers on computers within the London branch of Sumitomo Mitsui. Hardware keystroke loggers are tiny devices which are physically installed on the back of a computer between the keyboard and CPU which silently and undetectably records every single key typed on the computer. They can be bought online for less than $100 US. They then attempted to transfer more that $440 million to various accounts in other countries but the plan was foiled by the UK National High Tech Crime Unit.
The number of PC users is expected to hit or exceed 1 billion by 2010, up from around 660 million to 670 million today. As the internet expands, it increases the number of opportunities and potential targets of cybercriminals.
Security isn't accessible. Security is a full time job which requires hiring skillful and dedicated security professionals and purchasing a deluge of costly technology systems and devices. For example, purchasing anti-DDoS services to protect against the costly distributed denial-of-service attacks can cost around $12,000 per month from carriers such as AT&T and MCI, according to John Pescatore, Gartner security analyst.
Individuals and most companies simply do not have the time, money, skill and resources required to effectively manage all of today's risks and threats. Complexity is the enemy of security. As technology becomes more powerful and advanced, the complexity often increases too which only serves to benefit cybercriminals. Today, simple office printers now come equipped with built-in services like Telnet and SMTP, SNMP, Bluetooth, etc. The security of an entire network can be compromised by a printer with a remotely exploitable vulnerability.
How can we fix this?
Solving the security absurdity is a daunting challenge and there is no simple, easy fix. It requires creativity, insight, persistence, adaptation, co-operation, action and support across the entire Internet industry and community. This document is not intended to contain all the answers. Instead it is written to raise awareness of the problem which too many people seem to not want to acknowledge. Through increased awareness can there be new dialogs and discussions on solutions. Because what is clearly missing is more dialog to come up with solutions to today's security challenges.
No one can deny the Internet's immeasurable benefits to our lives. This only heightens the need to confront and stop the overwhelming security threats. These threats are putting at risk the very benefit and value of the Internet. While the Internet opened up new means of communication and data sharing, security threats are closing doors and preventing opportunities. The pot is at a boiling point and action must be taken!
A DCI score of 57 (out of a 100) shows that neither government nor industry has made any headway in putting consumers at ease about network security.
In May of 2005, CSIA first conducted a survey that tested public attitudes regarding information systems such as the Internet. While the survey revealed a high level of anxiety on issues like consumer privacy and identity theft, the turbulence was still too small and too far out to sea to predict an imminent effect on the American political landscape.
However, CSIA’s recently completed national survey reveals that the waves of network insecurity detected a year ago are not only having an already profound economic impact, but are also giving politicians reason to act. For example, the still prevalent but previously vague fear of identity theft has become the top consumer complaint filed at the Federal Trade Commission. In responding to their constituent concerns – only 18 percent of whom think that existing laws are enough to protect consumer privacy – the federal and state legislatures are rushing to consider data breach bills.
Battle lines are being drawn, with companies fearful of burdensome regulation on one side and consumer advocates on the other. The survey demonstrates that when voters recognize that legislation is being considered that helps safeguard their personal information, their voting decisions may well be impacted by their representative’s vote on the issue in Congress.
In 2006, government’s response to network insecurity will not only drive the willingness of consumers to spend billions of dollars on-line, but it may also become an issue that candidates will debate in November’s election.
By every measure, Americans are not experiencing a gain in confidence when it comes to the computers and other machines that bind them. In November of 2005, CSIA first used the Digital Confidence Index. The DCI is a measure of the public’s perception of the effectiveness and safety of 6 major networks, like the Internet and the power grid, on a scale from 10 to 100.
With a DCI score of 58 in November, Americans were conveying their unease with the networks. However, all that has happened in the 6 months since is that their unease has grown marginally, as evinced by an April 2006 DCI score of 57.
Previous surveys revealed that Americans did not believe that government was doing enough to protect our information systems and networks; the current survey shows that the public believes that private industry does even less. While almost two thirds of Americans (66 percent) needs to make protecting our information systems and networks a higher priority (up 1 point from November), fully 72 percent believe that business needs to be doing more.
In May of 2005, CSIA discovered that voters were nearly unanimous in their fear of identity theft, with 97 percent ranking the issue a serious problem. The call to action could have not been any more clear, with only 17 percent of voters expressing a belief that existing laws were enough to protect consumer privacy over the Internet.
The plea for help transcended the usual divisions in American politics: 79 percent of Democrats thought that new laws needed to be written, as did 64 percent of Republicans. Yet the call has gone largely unheeded.
Today, 95 percent of voters consider identity theft a serious problem (down 2 points in a year). Less than 1 out of every 5 4 voters (19 percent) believe today that existing laws are enough to protect their privacy.
Especially around the holiday season, the big story in the press is the amount of money getting spent in on-line retail. The current survey reinforces the point that the much bigger story is the amount of money that is not getting spent. As stories of identity theft become more common, Internet users are becoming less rather than more confident about making purchases on-line.
Today, a majority (50 percent) of Internet users avoid making purchases on the Internet because they are afraid their financial information may get stolen, an increase of 2 percent from November. Almost half (49 percent) of Internet users who are worried about their financial information getting stolen say they do not make purchases on the Internet. Meanwhile, 91 percent of Internet users who are confident make purchases. These Internet users report spending an average of 116 dollars a month on-line.
While extrapolating from a survey by definition cannot give precise figures, it does provide a sense of the scale of the problem.
The adult population of the United States is approximately 200 million people. According to the survey, 79 percent – or 158 5 million adults – use the Internet.
Forty-four percent of Internet users – 70 million people – are confident that their financial information is safe when they make purchases on the Internet.
At $116 per month each, they report making over 8 billion dollars in purchases each month.
However, 50 percent are worried about their financial information being safe and just under half of them (24 percent) don’t make on-line purchases as a result. If these 38 million people were given reason to believe that their financial information was safe and made purchases at the same rate as the other Internet users who currently have that belief, 3.8 billion dollars would be injected into the American economy per month.
Another finding from the survey is that it is not only on-line shopping that is suffering as a result of government and industry inaction, but on-line banking as well. Barely a third of American adults believe that banking on-line is as safe as banking in person. Sixty-four percent believe that banking on-line is putting one’s financial information at risk.
The Rise of a Political Issue
In 2004, California – always at the regulatory vanguard – passed a data breach law. In 2005, the law got national attention when ChoicePoint was compelled by the California law to disclose that the personal financial records in the company’s database had been compromised, resulting in hundreds of cases of identity theft. Since ChoicePoint, the media has been filled with reports of more examples of data breach, resulting in the finding that half of American adults have heard such news stories. However, these facts on their own do not explain the potential that data security has to become the first network security issue of political consequence.
The key circumstance arises from the fact that strong interests are lining up on both sides of the issue – corporations afraid of burdensome disclosure requirements on one side and consumer activists on the other. The survey shows that the electorate is ready to take sides as well. Americans choose California-strength disclosure even when presented with the caveats that they will be bombarded with worthless notices and that prices will rise as companies pass along the cost of compliance. Seventy-one percent of respondents agree that Congress should pass a law like California’s compared to only 21 percent who think that California’s is too strict.
While Democrats are the most likely to support stronger data security (78 percent), 68 percent of Republicans favor a law like California’s while only 25 percent think it’s too strict. Voters who support stronger data security are prepared to hold candidates accountable.
Among those likely to vote in the 2006 elections, 46 percent say that a candidate’s opposition to a law like California’s would give them serious doubts.
While this does not rise to the level of the silver bullet a challenger would use to take out an incumbent, it is nonetheless a number that suggests that the issue will get more than a passing mention on the campaign trail. If a Member of Congress votes against a strong data security bill this session, the survey suggests that the Member’s opponents will bring up the issue in the fall campaign.
Holding Business and Government Accountable
Three surveys over the course of a year has shown that the public’s concern regarding cybersecurity issues is not only enduring but consequential. An issue like data security is showing potential for elevating the salience of protecting America’s information systems in a way that issues like spam never could. Not only is identity theft perceived by the public as more serious problem, but there are legitimate interests opposed to legislation like California’s. The most recent survey clearly shows that voters will care very much how government responds to the challenge of protecting sensitive personal information.
A Digital Confidence Index score of 57 (out of a 100) shows that neither government nor industry has made any headway in the past 6 months when it comes to putting consumers at ease when it comes to network security. For industry, the consequence has been billions of dollars lost in on-line revenue even as the growth in on-line sales has grown. For government, the open question is how will voters respond if decisive action is not taken on the data security legislation coursing through Congress.
From April 20 to April 27, 2006, Pineda Consulting conducted a national telephone survey of drawn from a random digit sample of telephone numbers selected from telephone exchanges in the United States. Of the 1,150 respondents who completed the survey, 926 are likely voters and 906 are Internet users. The total margin of error for the survey is plus or minus 2.89 percent. The margin of error for the various demographic subgroups is higher.
Calculating the Digital Confidence Index Score
The answers of each respondent on the battery of 6 network effectiveness questions and the battery of 6 network safety questions were added together. Both batteries employed a scale between 1 and 10, so the value of the respondent’s answer was added to the total. If the respondent did not know enough to assess or refused to answer, 5.5 (the midpoint between 1 and 10) was added to the total. Once each question from the two batteries was considered, each respondent had a total between 10 and 120. The total was then divided by 12, giving each respondent’s average response to the two batteries (a number between 1 and 10). Finally, the average was multiplied by 10, removing the decimal point and resulting in a number between 10 and 100 — the Digital Confidence Index Score.
About Pineda Consulting
Pineda Consulting is a strategic research and communications firm located in Pasadena, California. The firm’s principal is André Pineda, the former Deputy Commissioner of Corporations for the State of California. Pineda’s polling experience includes Peter D. Hart Research Associates, where he worked on the NBC/Wall Street Journal Poll, and Greenberg Research, conducting polls for Fortune 500 clients like BP. Pineda’s current clients include the California Chamber of Commerce and SmartPower, a nationwide clean energy marketing campaign. More information about Pineda Consulting can be found at www.pinedaconsulting.com.
TOTAL REVENUES OF MAJOR PROVIDERS OF ANTI-VIRUS SOFTWARE
F-Secure delivers steady growth 2006 total revenues 80.7m€ with 31% growth Operating profit for 2006 without a non-recurring write-off was 13.7m (7.4m) resulting in 17% operating profit. , , IND, 2007-01-30 16:08:04 (IndiaPRwire.com) Steady and profitable growth continued across all business segments in anti-virus and intrusion prevention. In 2006 total revenues were 80.7m (61.8m), representing 31% growth. Operating profit for 2006 without a non-recurring write-off was 13.7m (7.4m) resulting in 17% operating profit. During the fourth quarter the company's revenues grew 22% and reached a record level of 22.1 m. Profitability for the fourth quarter was according to expectations (excluding non-recurring write-off).
F-Secure's Security as a Service offering has been very successful with Internet Service Providers. F-Secure is leading the market in Europe in this business area with a market share of 34%, and has gained a strong position in the North-American market with a 10% market share. The total number of ISP partners was 136 operating in 34 countries at the end of the year, an increase of 11 partners from Q3. Service Provider revenue growth accelerated towards the end of the year.
F-Secure's consumer-focused flagship product, F-Secure Internet Security 2007 received a number of favourable nominations in product comparison reviews. For example the product received the 'Best i Test' nomination in PC World in Norway and it was 'editors choice' in the Window News publication in France. F-Secure also introduced next-generation messaging security solutions, protecting against spam and viruses already at the gateway level. Mobile security markets are gradually developing with F-Secure in the leadership position. F-Secure continued close cooperation with Nokia and other key players in the mobile market. F-Secure Mobile Anti-Virus was the first antivirus software for the S60 3rd Edition smartphone software and it will be available for the majority of the currently shipping or upcoming Nokia S60 3rd Edition devices, including Nokia Nseries and Eseries devices. The number of known mobile malware targeting open operating systems has now exceeded 340.
'We are pleased to report solid growth in revenues and operating profit in alignment with our projections', said Kimmo Alkio, President and CEO of F-Secure Corporation. 'We have ensured steady and profitable growth at group level and kept our leading market position in the Service Provider business. We start the year 2007 with full thrust and spirit to continue our growth faster than the overall market'.
The interim reports of 2007 will be made public on April 24th (Q1), July 31st (Q2) and October 24th, (Q3). On those days, a public press release will be sent at 9:00 Finnish time to the Helsinki Exchanges while a meeting for the press and analysts will be held at 11:00 Finnish time in Helsinki.
An international phone conference will also be arranged in the afternoon. More detailed information will be announced on the corporation's public website.
About F-Secure Corporation
India PRwire disclaims any content contained in press releases published on IndiaPRwire.com. Issuers of press releases are solely responsible for the accuracy of their content.
F-Secure Corporation protects consumers and businesses against computer viruses and other threats from the Internet and mobile networks. We want to be the most reliable provider of security services in the market. One way to demonstrate this is the speed of our response. According to independent studies in 2004, 2005 and 2006 our response time to new threats is significantly faster than our major competitors. Our award-winning solutions are available for workstations, gateways, servers and mobile phones. They include antivirus and desktop firewall with intrusion prevention, antispam and antispyware solutions, as well as network control solutions for Internet Service Providers. Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since 1999, and has been consistently growing faster than all its publicly listed competitors. F-Secure headquarters are in Helsinki, Finland, and we have regional offices around the world. F-Secure protection is also available as a service through major ISPs, such as France Telecom, TeliaSonera, PCCW and Charter Communications. F-Secure is the global market leader in mobile phone protection provided through mobile operators, such as T-Mobile and Swisscom and mobile handset manufacturers such as Nokia. The latest real-time virus threat scenario news are available at the F-Secure Data Security
NUMBER OF HACKERS ATTACKING BANKS JUMPS 81%
Hackers no longer need to be technical wizards to set up an operation to steal people's banking information and then rob their accounts. By Sharon Gaudin InformationWeek August 2, 2007 01:11 PM
The number of hackers attacking banks worldwide jumped 81% from last year, according to figures released at the BlackHat security conference Thursday. Researchers from SecureWorks also reported that hackers going after the company's credit-union clients increased by 62% from last year.
So why are there so many more hackers this year than last? Joe Stewart, a senior security researcher at SecureWorks, told InformationWeek that highly technical and savvy hackers are no longer the only ones in the game. Hackers no longer need to be technical wizards to set up an operation to steal people's banking information and then rob their accounts or sell their identifying information to an even bigger cybercriminal. Hacking toolkits and malware are for sale in the online underground. All hackers need are basic technical skills and the knowledge of where to go to buy what they can't build themselves.
"You go to a Web site and pay a $100 to several hundred dollars, and you can buy a turnkey exploit package," said Stewart. "You can buy the malware too, and then you're in business You put these components up on a Web site and immediately start infecting people. All you really need to know how to do at this point is set up a Web site."
This new ease-of-use is evident in the numbers. SecureWorks reported that between June 2006 and December 2006, they blocked attacks from about 808 hackers per bank per month. From the beginning of this year through June, there's been an average of 1,462 hackers launching attacks at each of the company's bank clients. As for the credit unions, SecureWorks reported blocking attacks from 1,110 hackers per credit union per month. That number rose to 1,799 this year.
"The amount of stolen financial data we have found since the first of the year has been daunting," said Don Jackson, a security researcher with SecureWorks and the discoverer of the Gozi and Prg Trojans. "With the Gozi, Prg, and BBB Trojans alone, we found millions of dollars of data sitting in their stolen repositories. These data caches contained thousands of bank-account and credit-card numbers, Social Security numbers, online payment accounts, and user names and passwords, and we're finding new caches of stolen data every day -- evidence that more and more criminals are getting into the game."
RSA, the security arm of EMC (NYSE: EMC), reported earlier this year finding a new and more dangerous phishing toolkit that made online fraud a point-and-click process. Researchers said it was a bad omen for consumers. The kit, which RSA dubbed "Universal Man-in-the-Middle Phishing Kit," was being sold for about $1,000 on various hacker sites, according to RSA executive Marc Gaffan.
Estimated Damages Caused By Hacking
New estimate puts viruses/hacking at $1.6 TRILLION
Rob Rosenberger, Vmyths co-founder Tuesday, 29 August 2000
ANTIVIRUS EXPERTS RACED last week to find copies of a supposedly "new" version of the Pokémon Pikachu worm. (Gesundheit.) Instead, they sent each other a byte-for-byte clone of a virus first seen in May. At any rate, the media's momentary uproar seems out of place if you study this threat report.
This $1.6 trillion estimate leads to one overwhelming conclusion. We must dismantle the Internet as an abject failure. Pimply schoolkids really do qualify as national security threats!
Pikachu hasn't done a peekaboo, if you know what I mean. But hey, forget about Pokémon for a moment. Did you know viruses & hacking now exceed $1.6 trillion dollars? My cries about "billions of dollars" remain unanswered; now I gotta start attacking "trillions." These figures appeared in the August edition of Information Security magazine:
- $1.6 trillion: estimated worldwide loss last year due to downtime resulting from security breaches and virus attacks. [Source: InformationWeek]
- $266 billion: estimate cost of damages caused by viruses and computer cracking in U.S. firms last year, representing 2.5 percent of the nation's Gross Domestic Product (GDP). [Source: InformationWeek]
(A plug for Vmyths.com appeared in the same issue. I love irony.) The numbers come from a "global survey" conducted by InformationWeek, fielded by PriceWaterhouseCoopers LLP, and researched by Reality Research & Consulting. I quote from a highbrow press release:
In total, the bill to U.S. firms this year for viruses and computer hacking will amount to $266 billion, or more than 2.5% of the nation's Gross Domestic Product (GDP). The price tag worldwide soars to $1.6 trillion. "These estimates are based on the broadest sampling ever achieved in the security industry," noted Rusty Weston, Editor of InformationWeek Research and informationweek.com. "The findings indicate that viruses are far more disruptive to organizations than most people realize. Lost productivity will undoubtedly force many IT organizations to reassess their network defenses and security policies."
According to John DiStefano, principal researcher on the study at Reality Research & Consulting, which assisted InformationWeek Research on the project, the $266 billion figure represents the impact of viruses on U.S. businesses with more than 1,000 employees, or about 50,000 firms. "These are companies with infrastructures of IT professionals who, because of the dollar impact, are increasingly tracking the problem and can provide an accurate assessment of the scope of the issue. In reality, the true impact of viruses on U.S. business, including medium-sized companies and small businesses, is much greater," DiStefano explained. Think of it this way: if you live in the U.S. and spend $40 at the bijou, then $1 went to repair computers damaged by a hacker or virus. (Probably damaged by the kid running the movie projector, I'll bet.) DiStefano actually believes he made a conservative estimate.
I can't find a security vendor who touts "trillions" in a press release. What gives? "Billions" seems like bus fare these days... Oddly, PriceWaterhouseCoopers doesn't seem to agree with the kahunas at Reality Research & Consulting and InformationWeek. ("Reality Research." I love irony.) PWC's ad in the same issue of Information Security magazine says "last year, computer hackers cost businesses 45 billion dollars."
A paltry $45 billion? Man, that's bus fare. So what gives? I've yet to find a security vendor who touts "trillions" in a press release.
Associated Press technology writer Cliff Edwards went on to distill it for the world: "A study ... estimated businesses worldwide will lose more than $1.5 trillion this year because of computer viruses spread through the Internet." Amazingly, his very next paragraph claims ILoveYou "affected about 45 million computer files at a cost to companies of $2.61 billion."
Pull out your solar calculators, folks. Time for some quick math. The U.S. federal government spent roughly $142 billion per month in fiscal year 1999, compared to hackers & viruses which siphon roughly $107 billion per month worldwide. America could wipe out its national debt in seven years if they could tap into the RR&C/InformationWeek estimate. The $266 billion U.S. estimate for hacking & viruses almost equals the $276 billion spent on U.S. defense in fiscal year 1999.
AP's Edwards would report 575 ILoveYou catastrophes in 465 days just to match the RR&C/InformationWeek estimate. If every single human being on the planet owned a computer, they'd all get infected four times each in 15 months. (Hmmm, I'm definitely not doing my part. Who's picking up my slack?) If we instead use the Lloyd's of London estimate of $15 billion for ILoveYou, then we'd only see three Internet catastrophes every two weeks.
Such is the damage caused by hackers & viruses according to RR&C/InformationWeek. Now let's compare their estimate to Hurricane Andrew, the worst natural disaster in U.S. history. It temporarily wiped Miami off the map at a cost of roughly $26 billion. Andrew must slam into Florida almost once a week to equal the impact of viruses & hackers. Every hurricane to hit the U.S. since Camille, combined, doesn't match what hackers & viruses did worldwide in the last 15 months.
Now let's compare the RR&C/InformationWeek estimate to the ultra-rich. According to Forbes, you can buy out every one of the world's billionaires. All of them! And you'll have enough coins left to purchase General Electric. The U.S. estimate alone for hacking & viruses rivals the entire U.S. defense budget -- if you believe the fearmongers. Simple math, folks.
THE RR&C/INFORMATIONWEEK ESTIMATE leads to one overwhelming conclusion. We must dismantle the Internet as an abject failure. A different company's press release, for example, claims the entire worldwide e-commerce market will generate $160 billion this year. Translation: hackers & viruses cost $10 for every $1 of sales on the Internet.
These "sobering" statistics prove the PC and the web indeed qualify as national security threats. We should nationalize AOL/Time-Warner in an effort to eliminate computer networking. And we obviously should take computers out of the classroom. Pimply e-terrorists shouldn't carry automatic laptop weapons to school. I say we bring back the #2 pencil. "But Rob," you moan, "you're comparing apples to oranges again. We only measure monetary damage in a hurricane. This RR&C/InformationWeek study counts up lost productivity." Okay then, who's at fault here? Me? Bah. I didn't compare lost productivity to the U.S. GDP. "Lost productivity" seems relevant here, so let's talk. How many trillions of productivity dollars did United Air Lines steal from Americans in the last few weeks alone? Why doesn't the FBI raid some UAL cockpits? You should see the recent LaptopLane bills I racked up just at O'Hare airport. I want my lost productivity back!
Speaking of lost productivity... I might as well moan about a company named Cobalt. Their stock trades publicly and they sell a "slim server" known as the Qube2. I purchased one for my network early this year — and I've suffered for it ever since. My problems began almost immediately. The Linux kernel crashed at least once a week. It stopped supporting DHCP in mid-March. In late June the Qube2 stopped supporting DNS. In July it bit the dust after I installed Cobalt's buggy OS upgrade. I spent $149 for a spare-in-the-air — a refurb which crashed two hours after I opened the package. (Yes yes yes, that's when I learned my lesson about the buggy OS upgrade.)The refurb crashes when it tries to restore backups containing my critical business files. This Qube2 had the gall to crash during a Cobalt technician's telnet session. If a million Cobalt users worldwide over the last 15 months suffered like I did, it would amount to a whopping $1.6 trillion. Coincidence?
So I spent another $114 for an OS restore CD (only sold separately). I just wanted to roll back to a more stable version of Linux so I could restore critical business files. Sadly, it doesn't work. The technicians believe I received bad media, yet they won't send me a new one. (Cobalt doesn't replace CDs as a policy.) In hindsight, I should've bought another refurb instead of the CD. I remain unable to restore the OS on a refurbished Qube2 replacement box which crashes regularly. How much money have I lost so far in terms of productivity? Let's see, $50 an hour times 1.21 crashes per week, times 6 months, divided by the frustration factor, plus $149+33, plus $99+15... for a grand total of $1,608,007.53. I view it as a conservative estimate, of course. In reality, the true impact of Cobalt on my business is much greater.
Wow! If a million Cobalt users worldwide over the last 15 months suffered like I did, it would amount to a whopping $1.6 trillion. Coincidence?
Responsibility for Computer Crimes Provided by CIS and Baltic countries’ Criminal Law
Ukraine’s Criminal Code
Section XVI. Crimes committed by using electronic computers, their systems or networks.
Article 36. Illegal interference with the work of electronic computers, their systems or networks.
- Illegal interference with the work of automated electronic computers, their systems or networks resulted in distorting, erasing computer information or destroying its carriers, as well as spreading computer viruses by using software and hardware designed for illegal penetration into these machines, systems or networks and capable of distorting, erasing computer information or destroying its carriers are punished with fine up to seventy people’s free of tax minimum incomes or refinery works within up to two years, or freedom limitation within the same term.
- The same actions caused considerable damage, performed again or by a group of persons in prior agreement are punished with freedom limitation within up to five years or imprisonment within the same term
Article 362. Theft, misappropriation, extortion of computer information or its capture by swindling or abusing official position
- Theft, misappropriation, extortion of computer information or its capture by swindling or abusing official position are punished with fine from fifty to two hundred people’s free of tax minimum incomes or refinery works within up to two years.
- The same actions performed again or by a group of persons in prior agreement are punished with fine from one hundred to four hundred people’s free of tax minimum incomes, freedom limitation within up to three years or imprisonment within the same term.
- Actions provided by Parts 1 or 2 and caused considerable damage are punished with imprisonment within the term from two to five years.
Article 363. Violation of automated electronic computer operating rules
- Violation of automated electronic computer, system or network operating rules on the part of a person answering for their operation resulted in stealing, distorting, erasing computer information or destroying its protecting means, or copying illegally computer data, disturbing considerably the work of these machines, their systems or networks is punished with fine up to fifty people’s free of tax minimum incomes or denial of particular position or activity privileges within up to five years, or refinery works within up to two years.
- The same action inflicted considerable damage is punished with fine up to one hundred people’s free of tax minimum incomes, refinery works within two years or freedom limitation within up to five years with denial of particular position or activity privileges within up to three years or without it.
The Russian Federation’s Criminal Code
Chapter 28. Computer information crimes
Article 272. Unauthorized access to computer information
- Unauthorized access to law protected computer information in the electronic computers, their systems or networks or on the machine carriers resulted in erasing, blocking or copying computer information, disturbing the work of electronic computers, their systems or networks is punished with fine from two hundred to five hundred minimum wages, condemned person’s wages or another income within the term from two to five months, refinery works within the term from six months to one year, or imprisonment within up to two years.
- The same action carried out by a group of persons in prior agreement or an organized group or a person abusing his official position and having equally an access to electronic computers, their systems or networks is punished with fine from five hundred to eight hundred minimum wages, condemned person’s wages or another income within the term from five to eight months, refinery works within the term from one to two years, arrest within the term from three to six months or imprisonment within up to five years.
Article 273. Production, use and spread of detrimental electronic computer programs
- Production of electronic computer programs or introduction of changes into current programs resulted in erasing, blocking, modifying or copying information, disturbing the work of electronic computers, their systems or networks and use or spread of these programs are punished with imprisonment within up to three years with fine from two hundred to five hundred minimum wages or condemned person’s wages or another income within the term from two to five months.
- The same actions entailed serious consequences through imprudence are punished with imprisonment within the term from three to seven years.
Article 274. Violation of electronic computer, system or network operating rules
- Violation of electronic computer, system or network operating rules on the part of a person having an access to electronic computers, their systems or networks resulted in erasing, blocking or modifying law protested information and caused a considerable damage is punished with denial of particular position or activity privileges within up to five years, obligatory works within the term from one hundred and eighty to two hundred hours or freedom limitation within up to two years.
- The same action entailed serious consequences through imprudence is punished with imprisonment within up to four years.
Azerbaijan’s Criminal Code
Chapter 30. Computer information crimes
Article 271. Unauthorized access to computer information
- Unauthorized access to law protected computer information in the electronic computers, their systems or networks or on the machine carriers resulted in erasing, blocking, modifying or copying data, disturbing the work of electronic computers, their systems or networks is punished with fine from five hundred to one thousand minimum wages, refinery works within up to one year or imprisonment within up to one year.
- The same action performed by:
- a group of persons in prior agreement;
- an official person abusing his official position and having equally an access to electronic computers, their systems or networks;
- or caused great damage is punished with fine from one to two thousand minimum wages, refinery works within up to two years or imprisonment within up to three years.
Article 272. Production, use and spread of detrimental electronic computer programs
- Production of electronic computer programs or introduction of changes into current programs resulted in erasing, blocking, modifying or copying information, disturbing the work of electronic computers, their systems or networks and use or spread of these programs or machine carriers with them are punished with imprisonment within up to two years with fine from five hundred to one thousand minimum wages.
- The same action entailed serious consequences through imprudence are punished with imprisonment within the term from two to five years.
Article 273. Violation of electronic computer, system or network operating rules
- Violation of electronic computer, system or network operating rules on the part of a person having an access to electronic computers, their systems or networks resulted in erasing, blocking or modifying law protected computer information and caused a considerable damage is punished with denial of particular position or activity privileges within up to three years, or social works within the term from one hundred and sixty to two hundred hours, refinery works within up to one year or freedom limitation within up to two years.
- The same action entailed serious consequences through imprudence is punished wit refinery works within up to two years or imprisonment within up to three years.
Byelorussia’s Criminal Code
Section XII. Chapter 31. Crimes against information security
Article 349. Unauthorized access to computer information
- Unauthorized access to information in the computer system, network or on the machine carriers accompanied with breaking their protecting means and resulted in imprudently erasing, blocking, modifying information or putting computer equipment out of action, or caused another considerable damage is punished with fine or arrest within up to six months.
- The same action carried out for mercenary purpose, either by a group of persons in prior agreement or a person having an access to computer system or network is punished with fine, denial of particular position or activity privileges, arrest within the term from three to six months, freedom limitation within up to two years or imprisonment within the same term.
- Unauthorized access to computer information or use of electronic computers, their system or network entailed imprudently wreck, breakdown, disaster, accidents, negative environmental changes or other grave consequences are punished with freedom limitation within up to five years or imprisonment within up to seven years.
Article 350. Modification of computer information
- Alteration of data in the computer system, network or on the machine carriers, or introduction of obviously false information caused a considerable damage when there are no signs of a crime against property (computer data modification) are punished with fine, denial of particular position or activity privileges, arrest within the term from three to six months, freedom limitation within up to three years or imprisonment within the same term.
- Modification of computer information connected with an unauthorized access to computer system or network, or entailed imprudently consequences stated in Part 3, Article 349, current Criminal Code is punished with freedom limitation within up to five years, imprisonment within up to seven years with denial of particular position or activity privileges or without it.
Article 351. Computer sabotage
- Intentional deletion, blocking, destruction of computer information or programs and damage of computers, their systems, networks or machine carriers (computer sabotage) are punished with fine, denial of particular position or activity privileges, arrest within the term from three to six months, freedom limitation within up to five years or imprisonment within the term from one to five years.
- Computer sabotage connected with unauthorized access to computer system or network entailed grave consequences is punished with imprisonment within the term from three to ten years.
Article 352. Unauthorized capture of computer information
Unofficial copying or another illegal capture of information stored in the computer system or on the machine carriers, as well as interception of data transmitted by means of computer connection, or caused considerable damage are punished with social works, fine, arrest within up to six months, freedom limitation within up to two years or imprisonment within the same term. Article 353. Production or marketing of special means designed to obtain unauthorized access to computer systems or networks
Production and marketing of special software or hardware designed to obtain unauthorized access to protected computer system or network are punished with fine, arrest within the term from three to six months or freedom limitation within up to two years.
Article 354. Development, use or spread of detrimental computer programs
- The development of computer programs or introduction of changes into current ones to delete, block, modify or copy information stored in the computer system, network or on the machine carriers, or engineering of special virus programs, their obvious use or spread of carriers with those programs are punished with fine, arrest within the term from three to six months, freedom limitation within up to two years or imprisonment within the same term.
- The same actions entailed grave consequences are punished with imprisonment within the term from three to ten years.
Article 355. Violation of computer system or network operating rules
- Intentional violation of computer system or network operating rules on the part of a person having an access to this system or network entailed imprudently the deletion, blocking, modification of computer information, disturbance of the computer work or other considerable damage are punished with fine, denial of particular position or activity privileges, refinery works within up to two years or freedom limitation within the same term.
- The same action fulfilled when operating computer system or network with information of special value is punished with denial of particular position or activity privileges, freedom limitation within up to three years or imprisonment within the same term.
- Actions provided by Parts 1 or 2 entailed imprudently consequences stated in Part 3, Article 349, current Criminal Code are punished with freedom limitation within up to five years or imprisonment within up to seven years with denial of particular position or activity privileges or without it.
Georgia’s Criminal Code
Chapter 35. Computer crimes
Article 284. Unauthorized access to computer information
- Unauthorized access to law protected computer information in the electronic computers, their systems or networks or on the machine carriers resulted in erasing, blocking, modifying or obtaining data, or disturbing the work of electronic computers, their systems or networks is punished with fine, refinery works within up to two years or imprisonment within the same term.
- The same action performed by:
- a) Group of persons in prior agreement;
- b) Abusing official position;
- c) Person having an access to electronic computers, their systems or networks is punished with fine, refinery works within up to four months or imprisonment within up to five years.
- The action provided by Parts 1 or 2, current article and entailed grave consequences is punished with imprisonment within up to five years.
Article 285. Production, use or spread of electronic computer detrimental programs
- Production of electronic computer detrimental programs or introduction of changes into current ones resulted in erasing, blocking, modifying, copying information or disturbing the work of electronic computers, their systems or networks, as well as use or spread of such programs or machine carriers with them are punished with fine, refinery works within up to three years or imprisonment within the same term.
- The same actions entailed grave consequences are punished with imprisonment within the term from three to five years.
- Article 286. Violation of electronic computer, system or network operating rules
- 1. Violation of electronic computer, system or network operating rules on the part of a person having an access to electronic computers, their systems or networks resulted in deleting, blocking, modifying or copying law protected computer information or caused a considerable damage is punished with fine, socially useful works within the term from one hundred and eighty to two hundred hours or freedom limitation within up to two years with denial of particular position or activity privileges within up to three years or without it.
- 2. The same action entailed grave consequences is punished with imprisonment within up to four years.
- Kazakhstan’s Criminal Code
- Chapter 7. Economic activity crimes
- Article 227. Unauthorized access to computer information, as well as production, use or spread of electronic computer detrimental programs
- 1. Unauthorized access to law protected computer information in the electronic computers, their systems, networks or on the machine carriers resulted in erasing, blocking, modifying, copying data or disturbing the work of electronic computers, their systems or networks is punished with fine from two hundred to five hundred monthly wages, condemned person’s wages or another income within the term from two to five months, socially useful works within the term from one hundred and twenty to one hundred and eighty hours, refinery works within up to one year or imprisonment within the same term.
- 2. The same action performed by a group of persons in prior agreement, organized group or a person abusing his official position and having equally an access to electronic computers, their systems or networks is punished with fine from five hundred to eight hundred monthly wages, condemned person’s wages or another income within the term from five to eight months, refinery works within the term from one to two years or imprisonment within up to three years.
- 3. Production of electronic computer programs or introduction of changes into current ones resulted in illegally deleting, blocking, modifying, copying data or disturbing the work of electronic computers, their system, network, as well as use or spread of such programs or machine carrier with them are punished with fine from five hundred to one thousand monthly wages, condemned person’s wages or another income within the term from five months to one year, refinery works within up to two years or imprisonment within the same term.
- 4. Actions provided by Part 3, current article and entailed grave consequences through imprudence are punished with imprisonment within up to five years.
- Kirghizstan’s Criminal Code
- Chapter 28. Computer information crimes
- Article 289. Unauthorized access to computer information
- 1. Unauthorized access to law protected computer information in the electronic computers, their systems, networks or on the machine carriers resulted in erasing, blocking, modifying, copying information or disturbing the work of electronic computers, their system or network is punished with fine from one hundred to three hundred minimum monthly wages or imprisonment within up to two years.
- 2. The same action performed by a group of persons in prior agreement, organized group or a person abusing his official position and equally having an access to electronic computers, their systems or networks is punished with fine from two hundred to five hundred minimum monthly wages, arrest within the term from three to six months or imprisonment within up to three years.
- Article 290. Production, use and spread of detrimental electronic computer programs
- 1. Production of electronic computer programs or introduction of changes into current ones resulted in illegally deleting, blocking, modifying, copying data or disturbing the work of electronic computers, their systems or networks, as well as use or spread of such programs or machine carriers with them are punished with imprisonment within up to three years and fine from two hundred to five hundred minimum monthly wages.
- 2. The same actions entailed grave consequences through imprudence are punished with imprisonment within the term from three to seven years.
- Article 291. Violation of electronic computer, system or network operating rules
- 1. Violation of electronic computer, system or network operating rules on the part of a person having an access to electronic computers, their systems or networks resulted in erasing, blocking or modifying law protected computer information and caused considerable damage is punished with denial of particular position or activity privileges within up to five years.
- 2. The same action entailed imprudently grave consequences is punished with imprisonment within up to four years.
- Tajikistan’s Criminal Code
- Section XII. Crimes against information security
- Chapter 28. Crimes against information security
- Article 298. Unauthorized access to computer information
- 1. Unauthorized access to information in the computer system, network or on the machine carriers accompanied with breaking their protecting means is punished with fine from two hundred to four hundred minimum wages or freedom limitation within up to two years.
- 2. The same action entailed imprudently the deletion or blocking of information, failure of computer equipment or considerable damage are punished with fine from three hundred to five hundred minimum wages, refinery works within up to two years or imprisonment within the same term.
- 3. Actions provided by Parts 1 or 2, current article and entailed grave consequences through imprudence are punished with fine from four hundred to seven hundred minimum wages or imprisonment within up to three years.
- Article 299. Modification of computer information
- 1. Change of information in the computer system, network or on the machine carriers and introduction of obviously false information (when there are no signs of stolen property) caused considerable damage or threatening with it are punished with fine from three hundred to five hundred minimum wages, refinery works within up to two years or imprisonment within the same term.
- 2. The same action connected with unauthorized access to computer system or network and entailed grave consequences through imprudence is punished with fine from five hundred to one thousand minimum wages or imprisonment within up to three years.
- Article 300. Computer sabotage
- 1. Deletion, blocking, destruction of computer information or programs, damage of electronic computers, their systems, networks or machine carriers are punished with fine from two hundred to five hundred minimum wages, freedom limitation within up to two years or arrest within up to four months.
- 2. The same actions connected with unauthorized access to computer system or network and entailed grave consequences through imprudence are punished with fine from five hundred to one thousand minimum wages or imprisonment within up to three years.
- Article 301. Illegal capture of computer information
- 1. Illegal copying or another unauthorized capture of computer information stored in the computer system, network or on the machine carriers and interception of data transmitted by means of computer connection are punished with fine from two hundred to five hundred minimum wages or imprisonment within up to two years.
- 2. Compulsion to deliver information stored in the computer system, network or on the machine carriers under threat of divulging discreditable data on à person or his relatives, using violence against a person or his relatives, as well as damaging or destroying property of a person, his relatives or other persons controlling this information is punished with freedom limitation within up to five years or imprisonment within the term from two to four years.
- 3. Actions provided by Parts 1 or 2, current article:
- a) Connected with using brute force against a person or his relatives;
- b) Performed by a group of persons in prior agreement;
- c) Caused considerable damage to a victim;
- d) Carried out to obtain information of special value are punished with imprisonment within the term from five to seven years.
- 4. Actions provided by Parts 1, 2, or 3, current article:
- a) Performed again;
- b) Fulfilled by an organized group;
- c) Entailed imprudently human death or other grave consequences are punished with imprisonment within the term from seven to ten years.
- Article 302. Production and marketing of special means designed to obtain unauthorized access to computer system or network
- Production and marketing of special software and hardware designed to obtain unauthorized access to protected computer systems or networks are punished with fine from two hundred to five hundred minimum wages, freedom limitation within up to two years or arrest within the term from two to six months.
- Article 303. Development, use and spread of detrimental software
- 1. Development of computer programs or introduction of changes into current ones to delete, block, modify or copy data stored in the computer system, network or on the machine carriers in an illegal way, as well as development of special virus programs, their use and spread of carriers with such software are punished with fine from three hundred to five hundred minimum wages or freedom limitation within up to two years.
- 2. The same action entailed grave consequences through imprudence is punished with fine from five hundred to one thousand minimum wages or imprisonment within up to three years.
- Article 304. Violation of computer system or network operating rules
- 1. Violation of computer system or network operating rules on the part of a person having an access to this system or network entailed imprudently a deleting, blocking, modifying of computer information, disturbing of the computer work or caused another considerable damage is punished with fine up to three minimum wages or freedom limitation within up to two years.
- 2. The same action performed when operating computer system or network with information of especial value is punished with fine from three hundred to five hundred minimum wages, refinery works within up to two years or imprisonment within the same term.
- 3. Actions provided by Parts 1 or 2, current article and entailed grave consequences through imprudence are punished with fine from five hundred to one thousand minimum wages or imprisonment within up to three years.
- Turkmenistan’s Criminal Code
- Chapter 33. Computer information crimes
- Article 333. Breach of algorithm, electronic computer software, databases and integral microcircuit topology legal protection
- Production of other’s algorithms, electronic computer software, databases and integral microcircuit topologies under one’s name, as well as illegal reproduction or spread of those products are punished with fine from twenty to forty average monthly wages or refinery works within up to one year.
- Article334. Unauthorized access to computer information
- 1. Unauthorized access to law protected computer information in the electronic computers, their systems, networks or on the machine carriers resulted in erasing, blocking, modifying, copying information or disturbing the work of electronic computers, their system or network is punished with fine from fifteen to thirty average monthly wages or refinery works within up to one years.
- 2. The same action performed by a group of persons in prior agreement or a person abusing his official position and having an access to electronic computers, their system or network is punished with fine from twenty-five to seventy-five average monthly wages or refinery works within up to two years.
- Article 335. Production, use and spread of detrimental electronic computer software
- 1. Production of detrimental electronic computer programs or introduction of changes into current ones resulted in erasing, blocking, modifying, copying information or disturbing the work of electronic computers, their system or network, as well as use or spread of such programs are punished with fine from twenty-five to seventy-five average monthly wages, refinery works within up to two years or imprisonment up to one year.
- 2. The same actions entailed grave consequences through imprudence are punished with refinery works within up to two years or imprisonment within up to two years.
- Uzbekistan’s Criminal Code
- Section III. Economic crimes
- Chapter 10. Theft of other’s property
- Article 174. Violation of informatization rules
- Violation of informatization rules that is unauthorized access to information networks or authorized access to such networks without taking necessary steps of protection, or illegal data acquisition from these networks, as well as illegal change, loss, withdrawal or deletion of information at the authorized work with information system inflicted considerable damage is punished with fine up to fifty minimum wages, refinery works within up to three years or arrest within up to three months.
- Production of computer viruses or programs, their spread without appropriate sanctions to change data or programs stored in the computer systems or unauthorized access to the information system resulted in distorting, withdrawing, deleting information or interrupting the system operation are punished with fine from fifty to one hundred minimum wages, arrest within the term from three to six months or imprisonment within up to three years with denial of particular privileges.
- Estonia’s Criminal Code
- Computer information crimes
- Article 268. Computer Fraud
- Acquisition of other’s property or deriving of benefits through introduction of computer programs or data, as well as their modification, deletion, blocking or another kind of interference with the procedure of processing information that influences its results and causes direct property or another damage to a person are punished with fine, arrest or imprisonment within the term from one to six years.
- Article 269. Deletion of computer information or software
- Illegal deletion, damage, violation or blocking of computer information or software are punished with fine or arrest.
- The same actions:
- a) Caused a great property loss;
- b) Directed against main State registers;
- c) Performed by a group of persons in prior agreement are punished with arrest or imprisonment within up to two years.
- Article 270. Computer sabotage
- 1. Introduction of data or programs, their modification, deletion or blocking to create disturbance interferences in the work of computer or telecommunication system are punished with fine, arrest or imprisonment within up to two years.
- 2. The same actions:
- a) Inflicted great property loss;
- b) Directed at creating disturbance interferences in the work of main State registers are punished with imprisonment up to four years.
- Article 271. Illegal use of computers, their systems or networks
- 1. Illegal use of computers, their systems or networks through elimination of their protecting means (codes, passwords and so on) is punished with fine or arrest.
- 2. The same action:
- a) Committed again;
- b) Inflicted considerable damage;
- c) Performed by using computers, their systems or networks containing information of State secret or official application is punished with fine, arrest or imprisonment within up to two years.
- Article 272. Illegal interruption or blocking of the computer system connection
- Illegal interruption or blocking of computer system connection with the help of technical means are punished with fine, arrest or imprisonment within up to two years.
- Article 273. Obvious spread of computer viruses
- 1. Obvious spread of computer viruses is punished with fine.
- 2. The same action performed again, caused considerable damage, directed against State computer system or a network of universal application is punished with fine, arrest or imprisonment within the term from one to four years.
- Article 274. Transfer of protecting codes
- 1. Transfer of protecting codes for computers, their systems or networks is punished with fine or arrest.
- 2. The same crime if transferred protecting codes allow penetrating into computers or data banks with personal information of delicate character, State secret or official application is punished with arrest or imprisonment within up to two years.
- 3. The same action carried out to derive benefits or caused considerable damage is punished with arrest or imprisonment within up to four years.
- URL :http://www.security absurdity.com, http://www.information week.com, http://www.vmyths.com http://www.crime search.com http://www.indiaprwire.com
[ISN] Should Microsoft be Liable for Bugs?
PRODUCT LIABILITIES OF SOFTWARE COMPANIES
A defect is found in one of the world's most popular products. Less than a month later, its consequences emerge -- idling workers around the globe, causing huge losses for businesses and generally inconveniencing hundreds of thousands of people. Under different circumstances, this scenario might be a class-action lawyer's dream. But the product in question is software, and the companies that make it claim special protections from liability through the licensing deals that come as a condition of using their programs. Those protections help shield Microsoft Corp. and other software companies from paying what could conceivably amount to billions of dollars in damages. But they're coming under increased scrutiny amid a rising tide of computer viruses, many of which exploit known flaws in popular Microsoft programs. Consumer advocates and some computer users argue that the protections should be ended or diminished to let businesses and people try to hold software makers at least partially liable for the effects of product flaws. Doing so, they say, would make companies such as Microsoft more accountable, resulting in programs with fewer defects.
"It's crazy that Firestone can produce this tire with a systemic flaw and they're liable, whereas Microsoft produces an operating system with two systemic flaws per week and they're not liable," said Bruce Schneier, chief technical officer at Counterpane Internet Security Inc. and a longtime advocate of changing the software-liability rules. Add to the debate the profits Microsoft earns from its lucrative Windows and Office programs, and some users question why the company doesn't spend more to make its products more secure. Microsoft last week reported $8.4 billion in fiscal 2003 operating profit for its desktop Windows division alone. "My sense is that they could do a lot more than they are doing to protect people," said Doug Schuler, a professor who teaches courses on computers and society at The Evergreen State College. "As a consumer, I would like them to be more on the hot seat for quality of product. ... They've got the best programmers on the planet, so why does it seem to be so buggy?"
That issue was underscored this week, when Microsoft released another security alert -- its 39th this year -- about a "critical" Windows flaw that could allow a computer to be infiltrated, and urged users to download a patch to fix the problem. Who's to blame?
But the software industry and some legal experts contend that to go after companies such as Microsoft over their product flaws would be to misplace the blame. After all, it's a criminal act -- the unleashing of a virus -- that turns the flaw into such a problem for computer users. For that reason, some want the government to make an example of the teenager arrested for allegedly unleashing one variant of the Blaster worm, which infiltrated computers around the world last month by exploiting a flaw in Microsoft's Windows operating system.
"We're all hoping he just gets pounded. The consequences should be very, very high," said Jim Denison, owner and president of Seattle Micro, a computer support and sales company. "That's where I would lay the blame, more so than on Microsoft for writing an imperfect product." Some experts point out that opening software companies to liability would increase the prices charged to consumers and keep them from enjoying the benefits of software features that Microsoft, under threat of litigation, might deem too risky to release. They also say lawsuits wouldn't stop or stem the flow of viruses and worms.
"No matter how careful a software code writer and a manufacturer might be, there is likely to be a more crafty criminal element out there," said lawyer Christopher Wolf, partner in the Washington, D.C., office of law firm Proskauer Rose. "There is no such thing as an absolutely secure piece of software."
Even if lawsuits were allowed, it isn't clear that there would be overwhelming public sentiment to sue software companies. Although many consumers question why the company isn't liable, some people whose computers were infected by the latest wave of viruses aren't eager to point the finger at Microsoft. "It was a pain in the rear, don't get me wrong, but I don't blame Microsoft as much as I blame the individual" behind the worm, said Eric Vennes, 36, of Snohomish, whose home computer was infected by Blaster. "Maybe Microsoft should have been more diligent, but I still go back to the guy that's sitting in the room 14 hours a day trying to create havoc."
Others aren't so sure. True, the man accused of hacking may be getting what he deserves, but Microsoft's role shouldn't be forgotten, said Maggie Sullivan, 41, a Glenside, Pa., resident who experienced the latest wave of viruses at the law firm where she works as a Web content coordinator. "I don't hate Microsoft; I don't begrudge them their huge marketplace dominance," Sullivan said. "It just seems to me they have more of a responsibility to test before they send (their software) out into the world." In a report last year, the Computer Science and Telecommunications Board of the National Research Council recommended that legislators consider increasing the exposure of software makers and others to liability for security breaches. There has been an even greater push overseas to hold Microsoft accountable. Taiwan's Consumers Foundation is urging Microsoft to compensate consumers for losses resulting from viruses that attack software flaws. A South Korean civic group has reportedly sued Microsoft over the effects of the Slammer worm, which earlier this year targeted computers running Microsoft's SQL Server software. The fine print
At the center of the liability debate are the so-called end-user license agreements, also known as shrink-wrap agreements, that come with every piece of computer software. Taken as written, they would prevent businesses and individuals from collecting damages from software makers for the ill effects of any product flaw, even if the flaw results from negligence. Critics point out that consumers don't have any choice but to consent to such an agreement if they want to use a particular software program. Often consumers don't even see the agreements until they've actually made the purchase. As a result, some lawyers say, the deals could be challenged and possibly negated as so-called contracts of adhesion, agreements in which one party doesn't truly have any bargaining power. "That's an issue that all software vendors face, and I think Microsoft has a potentially larger challenge there than other parties might have because of its market strength," said Jeff Harmes, managing partner in the Seattle office of law firm Gray Cary Ware & Freidenrich. But since the mid-1990s, a string of court decisions has upheld the validity of using license agreements to limit a software maker's liability. Such decisions are premised in part on the concept that a person or business that buys software doesn't buy a product, but rather acquires a right, or a license, to use the software.
"A license is an intangible, and so all of the consumer protection laws that were written to cover every sale of goods become inapplicable," said Cem Kaner, a lawyer and professor of computer sciences at the Florida Institute of Technology and an expert on the subject of flawed software. That's why software makers aren't held to the same standards of liability as are manufacturers of other products, such as automobile tires.
Yet the comparison between tires and software isn't entirely fair, some experts point out. For one thing, software problems don't generally result in death or bodily harm. For another, while it's possible to create a safe tire, no one has figured out yet how to create completely secure software in an open, complex and ever-changing system like the Internet.
"We're not living in a stagnant environment, where the tools of cyber-criminals remain constant," said Microsoft spokesman Sean Sundwall. "If that were the case, software companies would have this thing licked." In a January 2002 memo, Microsoft Chairman Bill Gates launched what the company calls its Trustworthy Computing initiative, declaring security and related issues Microsoft's top priority.
Microsoft takes issue with the presumption behind the call for the ability to sue over product flaws -- that the company isn't doing enough about security, and that there needs to be some kind of economic or legal incentive for security to be improved.
"The premise is just flat-out incorrect," Sundwall said. "We're taking drastic measures to make sure that our software is secure." A maturing industry Despite Microsoft's efforts to prevent flaws and to issue patches when flaws are found, legal experts said the company may find itself facing increased resistance to the blanket protection from liability it asserts in its licensing agreements. A mature industry "has to take its rightful place and follow the rules that everybody else does," said Frances Zollers, professor of law and public policy at Syracuse University's Whitman School of Management. The law will clamp down, she said, "if software companies keep writing what I believe are unconscionable clauses in their contracts such that their obligations are none and the other side's obligations are many."
Kaner, the expert in flawed software, said he would like to see the software industry and computer users find a middle ground. "I think it's unreasonable that software customers have no rights," he said. "I think it would be unreasonable, as well, to put software companies at a risk of damages for every defect their product carries because we don't know how to make perfect products, and we could easily destroy the industry by holding it to too high a standard."
But even if courts or legislators limited the protective effects of software licenses, it wouldn't mean certain victory for consumers seeking to hold software companies liable for flaws exploited by viruses. On the contrary, legal experts said, consumers would face the daunting task of proving that a company was negligent in allowing the flaw to exist. "If you have somebody who's intent on a criminal activity, I can't imagine how you would blame the person who created the weakness unless it was negligent and it was completely foreseeable," said Hwan Kim, co-chair of technology and telecommunications practice in the Washington, D.C., office of law firm Chadbourne & Parke. That means, for the time being, the best way for consumers to protect themselves may be to watch for security alerts and download patches. But even that isn't a perfect solution. It has been difficult for Microsoft to persuade some individual consumers to take the time to download and install patches. At the same time, hackers have demonstrated the ability to unleash a virus within a few weeks of a flaw's discovery, which is too quick for some companies. "Most organizations will tell you, if they're honest, that it takes them six to eight weeks to deploy a given patch across a large organization without making it an emergency," said Steve Larsen, CEO of BigFix Inc., an Emeryville, Calif., patch management company.
"If they drop everything else, they can probably do it a little faster."
- URL ;http://www.landfield.com
Product liability claims and their attendant financial impact and public relations consequences present increasingly serious challenges for product manufacturers and sellers. To effectively manage these risks, companies partner with outside counsel who can provide effective and efficient legal services. We are committed to delivering creative and candid product liability advice and prompt service As a result, we build strong, long-lasting relationships with clients. Why Holland & Knight?
Our in-depth knowledge and experience in product liability and toxic tort law allow us to handle any size or group of matters. The broad geographic reach of our team’s talent means that, on both a national and local basis, your questions and concerns can be addressed with a combination of local understanding and national, often international, perspective. Add to that the wealth of talent available through the Regional Trial Counsel Network, of which we are a member. The product liability lawyers in this network have defended major companies on national product liability claims. Holland & Knight provides truly integrated service to clients and has formed many strong, long-standing relationships. Our track record validates that we have partnered effectively and on many fronts with our major clients. We have worked in the courts for both the specific needs of our clients and the general needs of this practice area (through amicus work with the Product Liability Advisory Council, for example). We have loaned staff, provided training, constructive criticism and case management, and developed personal relationships and many other intangibles.
Clients and Industries We Serve
We serve clients across all industries and in multiple jurisdictions. Our lawyers are proficient in highly specialized areas such as science, engineering, medicine and technology. We study the industries we serve, and we stay abreast of current issues and trends that may impact your business. In addition, we are sensitive to the particular regulatory and public relations concerns that may arise during times of crisis.
Among the product groups we have defended:
- aircraft and components
- alcoholic beverages
- automotive equipment
- aviation equipment
- electrical and pneumatic tools and equipment
- electronic devices
- elevators and escalators
- food products
- glass and bottles
- home appliances
- HVAC equipment
- industrial machinery
- marine equipment
- medical equipment
- power tools
- printing presses
- rail equipment
- rolling stock
- valves and controls
In addition, we are an active leader in the exceedingly complex field of medical device and pharmaceutical litigation, including cases involving silicone gel breast implants, blood products, vaccines and an array of pharmaceutical products.
We believe in using personnel with only the seniority appropriate to each task. This includes the appropriate use of legal assistants in product liability work and maximizes their use in a professionally responsible manner. Many of our legal assistants have extensive product liability experience. Fact-intensive product liability cases often require superior investigative skills. Our affiliate, Corporate Integrity Services, provides highly trained investigative professionals to assist our lawyers and clients. A majority of the investigators have federal agency backgrounds from the FBI, DEA or CIA.
Of particular importance to many of our clients is our role in advising both foreign and domestic manufacturers about their exposure under applicable product liability law and governmental regulations. Our advice also routinely covers contractual matters involving warranties, indemnities, insurance needs, disclaimers and limitations of liabilities and remedies, hold harmless provisions, as well as issues such as labeling, warnings, record retention and the particulars of sales and distribution contracts.
We counsel clients regarding compliance with the U.S. government agencies’ regulations, such as those of the Consumer Product Safety Commission, the National Highway Traffic Safety Administration, the Federal Aviation Administration, and the Environmental Protection Agency, as well as state and local regulatory authorities. Sometimes our most important role is to give advice regarding proper labeling and warnings and the preparation of manuals and instructions for the operation of machinery, equipment, aircraft, computer software and other consumer products. Of particular importance is our handling of the due diligence portion of acquisitions of businesses whose current and potential product liabilities need to be surveyed, evaluated and addressed in the acquisition agreements.
Recognizing that the product liability laws of the United States place increased emphasis on intangible and difficult-to-prove factors relating to product design, we also counsel manufacturers regarding the manner in which they should keep records — to show how their designers have dealt with the intricate technical and economic aspects that must be balanced in each new or revised design and to show that their laboratories and testing procedures comply with federal and state standards.
We present interactive seminars and multimedia presentations to our clients that include lively discussions, hypothetical situations tailored to the situation, video clips, documentaries and real world experience. We counsel manufacturers about the consequences of inappropriate document control management, about how decisions need to be approached and about how to solicit and use feedback effectively both internally and “in the field.”
Holland & Knight’s Litigation Section is one of the largest in the U.S. Our Product Liability Team provides international, national, regional and local counsel involving product liability suits and product line litigation, including multidistrict litigation and class action defense. We stay current not only on issues affecting our clients’ industries, but also new trends and tactics in the legal profession, including mass tort litigation, federal and state consolidated litigation, preemption, toxic torts, successor liability and corporate veil piercing. We have tried countless product liability cases to verdict and, as frequently, have resolved such cases by motions based on such defenses as statute of repose, intervening cause, product identification and spoliation.
The damages analysis aspect of product liability and any mass/toxic tort case is a critical part of the defense. We have a broad base of experience in cases involving the full range of injuries, including catastrophic medical conditions and systemic illnesses allegedly associated with products and mass tort claims. Our team includes trial and appellate lawyers who have extensive experience handling asbestos/toxic torts and mass torts. We have very recent experience handling “bet the company” litigation and have saved clients a significant amount of time and money by resolving disputes en masse rather than on a case-by-case basis.
As part of our ongoing Commitment to Corporate Counsel™, we have developed and implemented a Settlement Counsel Program to help you reach earlier, more cost-efficient settlements. Our program is based on a “dual track” system, in which an experienced lawyer, knowledgeable about the client, its product lines and the industry, works independent of trial counsel to formulate and execute settlement strategy. In this dual track system, the trial lawyer’s role is to prepare the case for trial. The settlement counsel’s role is to prepare the case, in a manner of speaking, for settlement. Clients have discovered a number of advantages to using outside lawyers as settlement counsel, particularly in the context of product liability litigation.
These advantages include:
- an independent sounding board for in-house counsel in analyzing settlement strategy
- an advocate dedicated to cost-effective resolution
- an authorized substitute for in-house counsel at mediations and settlement conferences
- consistency in and coordination of approach to settlement strategy across the entire litigation docket
- earlier resolution where appropriate and desired, and consequent savings of outside lawyer fees and costs
We have achieved significant cost and docket reductions through our Settlement Counsel Program, particularly in connection with our work for Bridgestone/Firestone. In fact, the Bridgestone/Firestone National Settlement Counsel program that we helped design and implement was awarded the CPR Center for Dispute Resolution’s 2003 Outstanding Practical Achievement Award in the area of dispute resolution.
We advise foreign and domestic manufacturers, lessors, and distributors of various kinds of products regarding product safety and potential legal problems arising out of product design, testing, manufacturing, inspection, marketing, previously purchased products, contracts, sales brochures, promotional materials, manuals and instructions, and warning labels for those products. We also provide educational forums for international clients regarding issues of U.S. product liability laws and issues.
Our product liability lawyers have worked extensively with non-U.S. manufacturers on litigation issues including parent-subsidiary liability, “forum-shopping” non-U.S. cases to the U.S., choice of law questions and other related international issues.
We are experienced in product recalls and the execution of voluntary and mandatory product notification campaigns. Our lawyers are well-known among federal, state and local regulatory agencies and industry groups that are involved in product safety.
Introduction to Cyber Crime
The first recorded cyber crime took place in the year 1820! That is not surprising considering the fact that the abacus, which is thought to be the earliest form of a computer, has been around since 3500 B.C. in India, Japan and China. The era of modern computers, however, began with the analytical engine of Charles Babbage. Cyber crime is an evil having its origin in the growing dependence on computers in modern life. In a day and age when everything from microwave ovens and refrigerators to nuclear power plants is being run on computers, cyber crime has assumed rather sinister implications. Major cyber crimes in the recent past include the Citibank rip off. US $ 10 million were fraudulently transferred out of the bank and into a bank account in Switzerland. A Russian hacker group led by Vladimir Kevin, a renowned hacker, perpetrated the attack. The group compromised the bank's security systems. Vladimir was allegedly using his office computer at AO Saturn, a computer firm in St. Petersburg, Russia, to break into Citibank computers. He was finally arrested on Heathrow airport on his way to Switzerland.
What is a Computer Crime?
Criminals Can Operate Anonymously Over the Computer Networks.
- Be careful about talking to "strangers" on a computer network. Who are these people anyway? Remember that people online may not be who they seem at first. Never respond to messages or bulletin board items that are: Suggestive of something improper or indecent; Obscene, filthy, or offensive to accepted standards of decency; Belligerent, hostile, combative, very aggressive; and Threaten to do harm or danger towards you or another
- Tell a grown-up right away if you come across any information that makes you feel uncomfortable.
- Do not give out any sensitive or personal information about you or your family in an Internet "chat room." Be sure that you are dealing with someone you and your parents know and trust before giving out any personal information about yourself via e-mail.
- Never arrange a face-to-face meeting without telling your parents or guardians. If your parent or guardian agrees to the meeting, you should meet in a public place and have a parent or guardian go with you.
Hackers Invade Privacy'
- Define a hacker - A hacker is someone who breaks into computers sometimes to read private e-mails and other files.
- What is your privacy worth?
- What information about you or your parents do you think should be considered private? For example, medical information, a diary, your grades, how much money your parents owe, how much money your family has in a savings account or in a home safe, and your letters to a friend.
- Would this kind of invasion of your privacy be any different than someone breaking into your school locker or your house to get this information about you and your family?
Hackers Destroy "Property" in the Form of Computer Files or Records.
- Hackers delete or alter files.
- When you write something, like a term paper or report, how important is it to be able to find it again? Would this be different if someone broke into your locker and stole your term paper?
- How important is it that data in computers like your term paper, a letter, your bank records, and medical records, not be altered? How important is it for a drug company or a pharmacy to not have its computer files altered or deleted by hackers? What would happen if a hacker altered the chemical formulas for prescription drugs, or the flight patterns and other data in air traffic control computers? What does the term "tamper" mean? To interfere in a harmful way or to alter improperly.Is tampering with computer files different from tampering that occurs on paper files or records?
Hackers Injure Other Computer Users by Destroying Information Systems
- Hackers cause victims to spend time and money checking and re-securing systems after break-in. They also cause them to interrupt service. They think it's fine to break-in and snoop in other people's files as long as they don't alter anything. They think that no harm has been done.
- Hackers steal telephone and computer time and share unauthorized access codes and passwords. Much of the stealing is very low-tech. "Social engineering" is a term used among crackers for cracking techniques that rely on weaknesses in human beings rather than on software. "Dumpster diving" is the practice of sifting refuse from an office or technical installation to extract confidential data, especially security compromising information. Who do you think pays for this? How much stealing of computer time do you think there is? For example, there is $2 billion annually in telephone toll fraud alone. Would you want someone going through your garbage? Have you ever thrown away private papers or personal notes?
- Hackers crash systems that cause them to malfunction and not work. How do we use computer information systems in our daily lives? What could happen if computers suddenly stopped working? For example, would public health and safety be disrupted and lives be endangered if computers went down?
Computer "Pirates" Steal Intellectual Property
- Intellectual property is the physical expression of ideas contained in books, music, plays, movies, and computer software. Computer pirates steal valuable property when they copy software, music, graphics/pictures, movies, books (all available on the Internet).
- How is the person who produced or developed these forms of entertainment harmed? Is this different from stealing a product (computer hardware) which someone has invented and manufactured? Who pays for this theft?
- It may seem simple and safe to copy recordings, movies and computer programs by installing a peer-to-peer (P2P) file sharing software program. However, most material that you may want to copy is protected by copyright which means that you are restricted from making copies unless you have permission to do so. Making copies of intellectual propertyincluding music, movies and software--without the right to do so is illegal. P2P software and the files traded on the P2P networks may also harm your computer by installing viruses or spy ware, or allow others to access the files contained on your hard drive beyond those you intend to share.
Copyright violations have civil and criminal remedies.
- Civil remedy: copyright holder can sue infringer for money to cover loss of sales or other loss caused by infringement.
- Criminal remedy: jail or fine paid to the government (not copyright holder) where person infringes a copyright for commercial advantage or private gain. For example, a person who makes multiple copies of a video, and sell the copies.
Defining Cyber Crime
Defining cyber crimes, as "acts that are punishable by the Information Technology Act" would be unsuitable as the Indian Penal Code also covers many cyber crimes, such as email spoofing and cyber defamation, sending threatening emails etc. A simple yet sturdy definition of cyber crime would be "unlawful acts wherein the computer is either a tool or a target or both".
This would include cheating, credit card frauds, money laundering etc. To cite a recent case, a website offered to sell Alphonso mangoes at a throwaway price. Distrusting such a transaction, very few people responded to or supplied the website with their credit card numbers. These people were actually sent the Alphonso mangoes. The word about this website now spread like wildfire. Thousands of people from all over the country responded and ordered mangoes by providing their credit card numbers. The owners of what was later proven to be a bogus website then fled taking the numerous credit card numbers and proceeded to spend huge amounts of money much to the chagrin of the card owners.
This would include pornographic websites; pornographic magazines produced using computers (to publish and print the material) and the Internet (to download and transmit pornographic pictures, photos, writings etc). Recent Indian incidents revolving around cyber pornography include the Air Force Balbharati School case. A student of the Air Force Balbharati School, Delhi, was teased by all his classmates for having a pockmarked face. Tired of the cruel jokes, he decided to get back at his tormentors. He scanned photographs of his classmates and teachers, morphed them with nude photographs and put them up on a website that he uploaded on to a free web hosting service. It was only after the father of one of the class girls featured on the website objected and lodged a complaint with the police that any action was taken.
In another incident, in Mumbai a Swiss couple would gather slum children and then would force them to appear for obscene photographs. They would then upload these photographs to websites specially designed for paedophiles. The Mumbai police arrested the couple for pornography.
Sale of illegal articles
This would include sale of narcotics, weapons and wildlife etc., by posting information on websites, auction websites, and bulletin boards or 167 simply by using email communication. E.g. many of the auction sites even in India are believed to be selling cocaine in the name of 'honey'.
There are millions of websites; all hosted on servers abroad, that offer online gambling. In fact, it is believed that many of these websites are actually fronts for money laundering.
Intellectual Property crimes
These include software piracy, copyright infringement, trademarks violations, theft of computer source code etc.
A spoofed email is one that appears to originate from one source but actually has been sent from another source. E.g. Pooja has an e-mail address email@example.com. Her enemy, Sameer spoofs her e-mail and sends obscene messages to all her acquaintances. Since the e-mails appear to have originated from Pooja, her friends could take offence and relationships could be spoiled for life. Email spoofing can also cause monetary damage. In an American case, a teenager made millions of dollars by spreading false information about certain companies whose shares he had short sold. This misinformation was spread by sending spoofed emails, purportedly from news agencies like Reuters, to share brokers and investors who were informed that the companies were doing very badly. Even after the truth came out the values of the shares did not go back to the earlier levels and thousandsof investors lost a lot of money.
Counterfeit currency notes, postage and revenue stamps, mark sheets etc can be forged using sophisticated computers, printers and scanners. Outside many colleges across India, one finds touts soliciting the sale of fake mark sheets or even certificates. These are made using computers, and high quality scanners and printers. In fact, this has becoming a booming business involving thousands of Rupees being given to student gangs in exchange for these bogus but authentic looking certificates.
This occurs when defamation takes place with the help of computers and / or the Internet. E.g. someone publishes defamatory matter about someone on a website or sends e-mails containing defamatory information to all of that person's friends. In a recent occurrence, Surekha (names of people have been changed), a young girl was about to be married to Suraj. She was really pleased because despite it being an arranged marriage, she had liked the boy. He had seemed to be open-minded and pleasant. Then, one day when she met Suraj, he looked worried and even a little upset. He was not really interested in talking to her. When asked he told her that, members of his family had been receiving e-mails that contained malicious things about Surekha's character. Some of them spoke of affairs, which she had had in the past. He told her 168 that, his parents were justifiably very upset and were also considering breaking off the engagement. Fortunately, Suraj was able to prevail upon his parents and the other elders of his house to approach the police instead of blindly believing what was contained in the mails. During investigation, it was revealed that the person sending those e-mails was none other than Surekha's stepfather. He had sent these e-mails so as to break up the marriage. The girl's marriage would have caused him to lose control of her property of which he was the guardian till she got married. Another famous case of cyber defamation occurred in America. All friends and relatives of a lady were beset with obscene e-mail messages appearing to originate from her account. These mails were giving the lady in question a bad name among her friends. The lady was an activist against pornography. In reality, a group of people displeased with her views and angry with her for opposing they had decided to get back at her by using such underhanded methods. In addition to sending spoofed obscene e-mails they also put up websites about her, that basically maligned her character and sent e-mails to her family and friends containing matter defaming her.
The Oxford dictionary defines stalking as "pursuing stealthily". Cyber stalking involves following a person's movements across the Internet by posting messages (sometimes threatening) on the bulletin boards frequented by the victim, entering the chat-rooms frequented by the victim, constantly bombarding the victim with emails etc.
Frequently Used Cyber Crimes
Unauthorized access to computer systems or networks
This activity is commonly referred to as hacking. The Indian law has however given a different connotation to the term hacking, so we will not use the term "unauthorized access" interchangeably with the term "hacking". Theft of information contained in electronic form
This includes information stored in computer hard disks, removable storage media etc
Email bombing refers to sending a large number of emails to the victim resulting in the victim's email account (in case of an individual) or mail servers (in case of a company or an email service provider) crashing. Some of the major email related crimes are:
- Email spoofing
- Sending malicious codes through email
- Email bombing4. Sending threatening emails
- Defamatory emails6. Email frauds
This kind of an attack involves altering raw data just before it is processed by a computer and then changing it back after the processing is completed. Electricity Boards in India have been victims to data diddling programs inserted when private parties were computerizing their systems.
These attacks are used for the commission of financial crimes. The key here is to make the alteration so insignificant that in a single case it would go completely unnoticed.
Denial of Service attack
This involves flooding a computer resource with more requests than it can handle. This causes the resource (e.g. a web server) to crash thereby denying authorized users the service offered by the resource. Another variation to a typical denial of service attack is known as a Distributed Denial of Service (DDoS) attack wherein the perpetrators are many and are geographically widespread. It is very difficult to control such attacks. The attack is initiated by sending excessive demands to the victim's computer(s), exceeding the limit that the victim's servers can support and making the servers crash.
Virus / worm attacks
Viruses are programs that attach themselves to a computer or a file and then circulate themselves to other files and to other computers on a network. They usually affect the data on a computer, either by altering or deleting it. Worms, unlike viruses do not need the host to attach themselves to. They merely make functional copies of themselves and do this repeatedly till they eat up all the available space on a computer's memory
These are event dependent programs. This implies that these programs are created to do something only when a certain event (known as a trigger event) occurs. E.g. even some viruses may be termed logic bombs because they lie dormant all through the year and become active only on a particular date
A Trojan as this program is aptly called, is an unauthorized program which functions from inside what seems to be an authorized program, thereby concealing what it is actually doing.
Internet time thefts
This connotes the usage by an unauthorized person of the Internet hours paid for by another person. In a case reported before the enactment of the Information Technology Act, 2000 Colonel Bajwa, a resident of New Delhi, asked a nearby net caf owner to come and set up his Internet connection. For this purpose, the net caf owner needed to know his username and password. After having set up the connection he went away with knowing the present username and password. He then sold this information to another net cafe. One week later Colonel Bajwa found that his Internet hours were almost over. Out of the 100 hours that he had bought, 94 hours had been used up within the span of that week. Surprised, he reported the incident to the Delhi police. The police could not believe that time could be stolen. They were not aware of the concept of time-theft at all. Colonel Bajwa's report was rejected. He decided to approach The Times of India, New Delhi. They, in turn carried a report about the inadequacy of the New Delhi Police in handling cyber crimes. The Commissioner of Police, Delhi then took the case into his own hands and the police under his directions raided and arrested the net cafe owner under the charge of theft as defined by the Indian Penal Code. The net caf owner spent several weeks locked up in Tihar jail before being granted bail.
This occurs when someone forcefully takes control of a website (by cracking the password and later changing it). The actual owner of the website does not have any more control over what appears on that website In a recent incident reported in the USA the owner of a hobby website for children received an e-mail informing her that a group of hackers had gained control over her website.
Theft of computer system
This type of offence involves the theft of a computer, some part's of a computer or a peripheral attached to the computer.
Physically damaging a computer system. This crime is committed by physically damaging a computer or its peripherals.
Kids (age group 9-16 etc.)
It seems really difficult to believe but it is true. Most amateur hackers and cyber criminals are teenagers. To them, who have just begun to understand what appears to be a lot about computers, it is a matter of pride to have hacked into a computer system or a website. There is also that little issue of appearing really smart among friends. These young rebels may also commit cyber crimes without really knowing that they are doing anything wrong.
Hacktivists are hackers with a particular (mostly political) motive. In other cases this reason can be social activism, religious activism, etc.The attacks on approximately 200 prominent Indian websites by a group of hackers known as Pakistani Cyber Warriors are a good example of political hacktivists at work.
One can hardly believe how spiteful displeased employees can become. Till now they had the option of going on strike against their bosses. Now, with the increase independence on computers and the automation of processes, it is easier for disgruntled employees to do more harm to their employers by committing computer related crimes, which can bring entire systems down.
Professional hackers (corporate espionage)
Extensive computerization has resulted in business organizations storing all their information in electronic form. Rival organizations employ hackers to steal industrial secrets and other information that could be beneficial to them. The temptation to use professional hackers for industrial espionage also stems from the fact that physical presence required to gain access to important documents is rendered needless if hacking can retrieve those.
The World's Most Famous Hackers
His claim to fame is that this mathematician who graduated from St. Petersburg Tekhnologichesky University was the brain behind the Russian hacker gang that cheated Citibank's computers into giving out $10 million. Although his first use of a computer is unknown Vladimir was allegedly using his office computer at AO Saturn, a computer firm in St.Petersburg, Russia, to break into Citibank computers. Vladimir Levin was arrested at the Heathrow airport in 1995. Tools used by him included computer, computer games and disks, a camcorder, music speakers and a TV set all of which were found by the Russian police at his apartment. During his trial, Levin alleged that one of his defence lawyers was actually an FBI agent.
He was known to run the world's most popular re-mailer programme called penet.fi. Surprisingly, this re-mailer, the busiest in the world, was run on an ordinary 486 with a 200-megabyte hard drive. His other idiosyncrasy was that he never tried to remain anonymous.The Finnish police raided Johan in 1995 due to a complaint by the Church of Scientology that a penet.fi customer was posting the "church's" secrets on the Net. At that time Johan had to abandon the re-mailer.
Kevin Mitnick alias on the Net was Condor. As a teenager Kevin Mitnick could not afford his own computer. He would therefore go to a Radio Shack store and use the models kept there for demonstration to dial into other computers.One of the unusual things about Mitnick was that he used the Internet Relay Chat (IRC) to send messages to his friends. A judge sentenced him to one year in a residential treatment center. There, Kevin enrolled in a 12-step program to rid him of what the judge also termed his "computer addiction". Mitnick was immortalized when he became the first hacker to have his face put on an FBI "most wanted" poster. His repeated offences - and an image of a teenage hacker who refused to grow up - made him The Lost Boy of Cyberspace.
He was known to the Internet community as "rtm". But he was distinguished by much more than his fame as a hacker. He was the son of the chief scientist at the National Computer Security Center -- part of the National Security Agency (NSA), USA. In addition, this graduate from Cornell University rocketed to fame because of the Internet worm, which he unleashed in 1988, practically maiming the fledgling Internet. Thousands of computers were infected and subsequently crashed. Suddenly, the term "hacker" became common in every household in America. Surprisingly, Robert's father is to be held responsible for introducing him to the world of computers. He brought the original Enigma cryptographic machines home from the NSA. Later, as a teenager, Morris was recognized as a star user at the Bell Labs network where he had an account. This recognition was due to his earlier forays into hacking.
Dennis Ritchie and Ken Thompson
He was also known as dmr and Ken were the legendary coders who designed the UNIX system for mini-computers in 1969. They were the creative geniuses behind Bell Labs' computer science operating group. UNIX really helped users and soon became a standard language. One of the tools used by them included Plan 9, the next-generation operating system, created after UNIX by Rob Pike, their colleague at bell Labs. Dennis also has the distinction of being the author of the C programming language.
Denial of Service Tools
Denial-of-service (or DoS) attacks are usually launched to make a particular service unavailable to someone who is authorized to use it. These attacks may be launched using one single computer or many computers across the world. In the latter scenario, the attack is known as a distributed denial of service attack. Usually these attacks do not necessitate the need to get access into anyone's system.
These attacks have been getting decidedly more popular as more and more people realize the amount and magnitude of loss, which can be caused through them. What are the reasons that a hacker may want to resort to a DoS attack? He may have installed a Trojan in the victim's computer but needed to have the computer restarted to activate the Trojan. The other good reason also may be that a business may want to harm a competitor by crashing his systems.
Denial-of-service attacks have had an impressive history having, in the past, blocked out websites like Amazon, CNN, Yahoo and eBay. The attack is initiated by sending excessive demands to the victim's computer's, exceeding the limit that the victim's servers can support and making the servers crash. Sometimes, many computers are entrenched in this process by installing a Trojan on them; taking control of them and then making them send numerous demands to the targeted computer. On the other side, the victim of such an attack may see many such demands (sometimes even numbering tens of thousands) coming from computers from around the world. Unfortunately, to be able to gain control over a malicious denial-of-service attack would require tracing all the computers involved in the attack and then informing the owners of those systems about the attack. The compromised system would need to be shut down or then cleaned. This process, which sounds fairly simple, may prove very difficult to achieve across national and later organizational borders.
Even when the source(s) of the attack are traced there are many problems, which the victim may be faced with. He will need to inform all the involved organizations in control of the attacking computers and ask them to either clean the systems or shut them down. Across international boundaries this may prove to be a titanic task. The staff of the organization may not understand the language. They may not be present if the attack were to be launched during the night or during weekends. The computers that may have to be shut down may be vital for their processes and the staff may not have the authority to shut them down. The staff may not understand the attack, system administration, network topology, or any number of things that may delay or halt shutting down the attacking computer's. Or, more simply, the organization may not have the desire to help.
If there are hundreds or even thousands of computers on the attack, with problems like the ones mentioned above, the victim may not be able to stop the attack for days by which time the damage would have been done. His servers would be completely incapacitated to administer to so many demands and consequently would crash. It is very simple for anyone to launch an attack because denial-of-service tools can easily be procured from the Net. The major versions of distributed denial of service attack tools are Trinoo (or trin00), TFN, TFN2K and Stacheldraht. Denial-of-Service tools allow the attackers to automate and preset the times and frequencies of such attacks so that the attack is launched and then stopped to be launched once again later. This makes it very difficult, in fact almost impossible, to trace the source of the attack.
These tools also provide another service by which the attacking computer can change its source address randomly thereby making it seem as if the attack is originating from many thousands of computers while in reality there may be only a few. Distributed denial-of-service attacks are a very perturbing problem for law enforcement agencies mainly because they are very difficult to trace. In addition, usually these attacks are directed towards very sensitive systems or networks sometimes even those that are vital to national security. Sometimes, even when the perpetrators can be traced, international extradition laws may prove to be a hitch in bringing them under the authority of the law.
How Can We Prevent Computer Crime?
a. By Educating Everyone.
For example, users and systems operators; people who hold personal data and the people about whom it is held; people who create intellectual property and those who buy it; and the criminals. We must educate people to:
- Understand how technology can be used to help or hurt others.
- Think about what it would be like to be the victim of a computer hacker or computer pirate.
b. By Practicing Safe Computing.
- Always ask: Who has or may have access to my log-in address?
- Remember: People such as computer hackers and pirates who hurt others through computer technology are not "cool." They are breaking the law.
Information Security News: Fighting cyber crime remains an elusive enterprise
Fighting cyber crime remains an elusive enterprise
By Husna Ali Karachi
April 15, 2007
The government has announced that it will install high technology mechanisms at the National Response Center of the Federal Investigation Agency (FIA) to counter cyber-terrorism but what cannot be ignored is that the existing Cyber Crime Wing of the FIA lacks not only the advanced technology, but is devoid of any infrastructure as well.
Launched on March 13, 2003, the Cyber Crime Wing was established after the murder of American journalist Daniel Pearl. In this case, Pakistani agencies had to rely on American investigators to trace the e-mails sent to the media by his abductors. That is when the need was felt for such a unit.
The Pakistan government was criticized at that time heavily by certain quarters of the Western media, as controversies kept on pouring from all corners over the circumstances in which the murder took place.
Born out of this need, the Cyber Crime Wing was launched with a bang-soliciting international coverage, as well as accolades for this initiative. However it never evolved completely as an independent unit and remained under the Crime Circle of FIA. Yes it is not a separate set up and is still in the offing, and working under crime circle, said Deputy Director FIA Immigration, Khalique-uz-Zaman.
Such programmes take time and investment, he said, admitting that the current Cyber Crime Wing, despite the huge publicity it received from the media, is not effective even after three years of its launch.
Khalique-uz-Zaman, who solved the first cyber crime case involving Western Union where Rs5 to 6 million were laundered, thinks that cyber crime is not a very common type of crime in Pakistan. This crime is still few and far between, but creating a separate facility will help us control and handle such crime effectively in the future, he disclosed.
However, another official belonging to the Personal Identification Secure Comparison and Evaluation System (PICES) department of FIA, contradicts this. He says that the problem is that of detection. He says that the problem of cyber crime is that it is disguised and people cannot distinguish between regular and internet based crime.
With its headquarters in Islamabad and zonal directorates in the provincial capitals, the current Cyber Crime Wing is in dire need of technical staff to carry out raids and solve complicated net crimes. It took more than three years for the government of Pakistan to finally allocate a budget of approximately Rs181.42 million to establish a separate and fully equipped facility. To tackle this fast growing crime in the country, many in the FIA hope for a speedy clearance of this budget to start building the facility soon.
Mehmud-ul-Hasan, the Deputy Director for National Response Center for Cyber Crime (NRSCC), talking to The News during his recent visit to Karachi from the capital, said that since its launch in 2003, no technical or additional staff has been hired for this wing and it stands in urgent need of trained manpower.
We used to function from the office of crime wing because we did not have either the set up or the manpower, he stated, adding there was no appointment as such except that of Ammar Hussain Jaffery, Director NRSCC and myself were assigned to handle crime related to the Internet, he said.
The new set up, as promised, will offer state of the art facilities including a forensic lab and a staff of 184 trained personnel. But this is still a dream
The current staff will also be imparted training. Currently the US Federal Bureau of Investigations (FBI) is providing training whenever needed, under an MOU signed between the two agencies in 2005. While cyber crime has evidently increased over the years, only 33 cases were registered in 2006 due to lack of public awareness about the existence of this wing.
Yes people do not know about cyber crime wing because there has been no proper publicity to acquaint the masses with the department, he said. A large chunk of the budget will now be allocated to educate citizens about the new facility of Cyber Crime Wing and its working. A mass awareness campaign would be launched to enlighten the public on the concept of cyber crime and the existence of a facility where they can lodge their complaints, said the enthusiastic Hasan.
However he feels that such awareness should not be limited to the media alone but should be included in school curricula as well.
The allocation of this huge budget is no surprise to anyone because right after the US invasion of Afghanistan, US officials had claimed that the next attack on its soil could be in the form of cyber terrorism. On account of being a close ally on War against terrorism, Pakistan had to focus its attention too towards this area.
Pakistan too is also a victim of cyber terror. Hacking of official government websites is also reported to have increased in Pakistan since September 11, 2001 attacks and later the invasion of Afghanistan and Iraq by American forces, making Pakistan also vulnerable to cyber terrorism.
Right after the US invasion of Afghanistan, some pro-Taliban Pakistani hackers entered the official websites of India and left threatening messages, reported a website. Hasan agreed that hacking of official websites was also a concern for developing this new facility, along with other Internet based crimes which ranged from financial crimes to criminal act of aggression, both against the state and against the citizens. He, however refrained from giving any more information regarding e-crimes committed against the Pakistani government.
As for how many Pakistani websites have been hacked since then, Hasan again refused to give details but agreed that some important websites have been hacked in the past. It is interesting to mention here that despite the immense growth that Pakistan has made in the IT sector, Pakistan government websites are not hosted locally.
Yes we are on foreign servers and have to rely on them in case of break down, Hasan accepted reluctantly, adding, we have been asking to host our websites locally but to no avail. While cyber crime was earlier limited to financial crimes which included credit card theft, illegal transactions through online banking and money laundering, it has now reached new heights and creates new concerns amongst the government and masses alike.
The new worries are pornography, email-spoofing and cyber defamation which has increased here over the years but have gone unpunished in absence of a separate facility and lack of awareness.
A recent addition to the cyber crime, which requires the attention of authorities here in Pakistan is the telecom sector through which crime has increased.
With the boom in the cell phone business, many consumers are complaining of their accounts being misused or their amount being unduly deducted by the phone companies. Such theft usually goes unreported because people do not know where to lodge complaints, he informed adding, and this is s very lucrative crime for some companies.
Hasan explained that even if 10 rupees, which a very small amount for a user, was illegally deducted from one subscriber, imagine the huge amount of money that would come in given the large number of users in the country. This is a big scam we are talking about.
The new facility promises to control this and many other Cyber Crime being committed everday. But all this depends on when the promised money will come through and whether it will be used for the purpose earmarked.