CIO

The Good, the Bad & the Internet

Good guys versus bad guys: That's every crime reduced to its most elemental level. In the shadowy world of cybercrime, though, the rules and tools for both sides are evolving at a breakneck pace. The following two stories offer a glimpse at some leading electronic law enforcement groups - and their adversaries - in different parts of the world.

The Good Guys

Police agencies fighting cybercrime must find ways to collaborate across organizational charts and national boundaries

To prevent crime on the streets, you put more officers on the beat. To prevent cybercrime more effectively, you . . . well, what do you do? Without a beat for cyberofficers to patrol, law enforcement groups have initially responded in reactive mode, dealing with crimes that have already been committed. Deterrence and future crime prevention are still largely addressed by setting examples. That means catching the perpetrators sooner, and levying stiff penalties to show that the law has teeth.

Unfortunately, some countries have only in the past few years enacted any laws against electronic crime. Some have laws, but no effective law enforcement agencies. And many countries (think sub-Saharan Africa, and Asia's more impoverished nations) simply have other priorities. In the world's more violent cities, catching criminals who rob and kill at gunpoint or knifepoint is a higher priority than protecting Western corporations from hackers and malware coders.

But there is some good news; the tide is turning, slowly. Here we profile three organizations that exemplify what can be done to combat the perpetrators of cybercrime. The bottom line: The most effective tool in the fight against cybercriminals isn't fancy equipment or bloated budgets, but cooperation.

The Australian High Tech Crime Centre:

A national strategy in action

Until July 2003, Australia's high-tech crime investigators battled wrongdoers with one hand tied behind their backs, says Ajoy Ghosh, a consultant and lecturer in cybercrime at the law faculty of Sydney's University of Technology. The problem - unlike in many countries - wasn't the lack of laws. As electronic crime had evolved, Australian lawmakers had regularly enacted or amended legislation to reflect lawbreakers' changing modi operandi. Laws spread across several separate pieces of legislation dating from 1988, 1989 and 1995 were eventually combined in 2001 into the Cybercrime Act: a landmark piece of legislation that took effect at the beginning of 2002, enshrined within Australia's Criminal Code Act of 1995.

Instead, the problem was that - through accidents of history - the enforcement of high-tech crime laws was spread piecemeal throughout various government departments and agencies. Fraud against corporations, for example, fell to the corporate crime agencies of federal and state police. Denial-of-service attacks, viruses and hacking were dealt with by the Australian Federal Police's Computer Crime Unit. Consumer fraud was dealt with by a department in charge of consumer affairs, while spam (criminalized in early 2003) was dealt with by the Australian Communications Authority.

The laws were good, but doubts remained over whether they were being enforced as effectively as they could be, explains Ghosh. Consultation among federal and state police commissioners and lawmakers finally resulted in the Electronic Crime Strategy of 2001, which identified high-tech crime as a priority for Australia's law enforcement agencies, and created a separate organization to spearhead the work.

That organization, the Australian High Tech Crime Centre, came into being in July 2003, hosted by the Australian Federal Police in Australia's capital, Canberra. While the original agencies still "own" their respective offences and remain responsible for prosecuting wrongdoers, the creation of the new agency means that investigative power is pooled and used more efficiently. "For the first time, Australia has a coordinated ability to respond to cybercrime, in terms of people, dollars, resources and links with the security industry," says Ghosh.

At the launch of the new agency, South Australia police Commissioner Mal Hyde, who chairs its board of management, aimed squarely at reducing turf wars over jurisdiction, as well as at creating nationwide consistency when dealing with high-tech crimes, training investigators, disseminating intelligence and formulating policy. "It will significantly improve our ability to monitor and respond to high-tech crime trends as they emerge," he said.

Some months later, in October 2003, the new agency scored its first arrest under the new legislation, taking into custody a 17-year-old Brisbane youth for hacking into the system of an Australian ISP, Pacific Internet. According to the Australian High Tech Crime Centre, just 24 hours had elapsed between being notified by Pacific Internet that a breach had occurred and making the arrest in Brisbane.

London's Metropolitan Police:

Computer crime unit forges cooperative links

It's fitting that one of the world's oldest police forces should also be home to one of the first law enforcement agencies dedicated to computer crime. London's Metropolitan Police - colloquially known as Scotland Yard - established its Computer Crime Unit in 1984. Since then, working cooperatively with both national and international allies, it has dispatched a continual stream of wrongdoers to jail to repent at Her Majesty's pleasure. Or if not repent, at least stay safely behind bars.

For example: 22-year-old Welsh Web designer Simon Vallor was sentenced in January 2003 to two years in prison for infecting 33,000 computers in 42 countries with the Gokar, Admirer and Redesi viruses. The United Kingdom "has strong international links, good laws, and effective police who are aggressive at enforcing those laws", says James Lewis, director of the Technology and Public Policy Program at the Washington, DC-based Center for Strategic & International Studies. True to form, Vallor's conviction under Britain's 1990 Computer Misuse Act was aided by one of those strong international links: a tip-off from the FBI.

Another wrongdoer, 18-year-old Exeter University student Joseph McElroy, was lucky to receive a 200-hour community service sentence this February for hacking into 17 computer systems at the US Department of Energy's Fermi National Accelerator Laboratory. Once again, close cooperation between Department of Energy security officials and Computer Crime Unit police in Britain secured the conviction.

Based in an office block on Buckingham Gate, London (just a few hundred yards from Buckingham Palace), the unit is highly focused on specific categories of computer crime. Mostly, the cases referred to it involve hacking, virus writing and distributed denial-of-service attacks, says Detective Inspector Chris Simpson, who heads the unit. "We arrest a network hacker once a fortnight," he says. Nor are these "mild" network attacks: "If someone has considered it dangerous enough to report to us, it's usually pretty serious," Simpson adds, pointing to the unit's role in catching McElroy and Vallor. Simpson says that - as of last year - the unit was managing 18 ongoing cases, plus providing forensic investigation support to other specialist crime units in 60 other cases, with high-end cases involving as much as 500 gigabytes of data. Simpson explains that his unit is one of five computer-oriented groups within Scotland Yard's Specialist Operations Command and Specialist Crime Directorate; the others mainly supply forensic services to police investigating crimes involving vice, gaming, paedophilia and antiterrorism. "We're all part of the same overall team, and reinforce other units in times of high demand," says Simpson.

Even within its own national borders, the unit operates in an increasingly complex regulatory and organizational arena. For most crimes, the Metropolitan Police's jurisdiction normally extends only as far as London's borders; computer crime, however, is one of a small number of offences where the Met's reach is national and occasionally international. A growing number of local forces around the United Kingdom, though, are developing their own computer crime capabilities, and the Computer Crime Unit cooperates with these as well as with the United Kingdom's National Hi-Tech Crime Unit, created by the British government in April 2001 as an umbrella organization in the fight against electronic crime. For international cooperation, as in the above-cited cases involving US entities, Simpson's group uses whatever channel the case requires - fax, phone and e-mail, but also videoconferencing. The key conduit for connecting with the United States is the Legal Attache office in the US embassy in London.

Simpson notes that all the communication in the world wouldn't pay off without the necessary skills and dedication of his nine-strong team - many of whom have worked hard to gain qualifications in their own time and at their own expense. The government pays for technical coursework but not academic coursework. Yet Simpson's own degree in mathematics and computing, he adds, merely qualifies him as the tyro of the unit. "Most of the members of the unit either have a Master's degree in information technology security, or are completing one," he says. "In addition, nearly all are certified information systems security professionals, or are certified to CISSP instructor standard. We think we've probably got one of the highest technically qualified teams in Europe."

And the unit will need every ounce of that expertise to combat the efforts of a new generation of cybercriminals. Says Simpson: "We're increasingly seeing people who aren't looking at hacking as a leisure activity, or for the intellectual challenge it affords them, but are doing it because it provides them with an opportunity to make money. And to do so anonymously. But in that, they're mistaken. Every computer has an IP address, and leaves big clues about who has been using it, and for what." And as Simon Vallor and Joseph McElroy found to their cost, those clues lead to convictions.

The European Electronic Crimes Task Force:

Information-sharing across borders

Fighting cybercrime on a pan-European basis is quite a challenge - even without the criminals to contend with. Europe may be a single continent, but the European Union's 25 member countries rarely act as one. Even where a pan-European approach exists, some countries deliberately withhold particular powers from Brussels, while other activities and responsibilities remain national by design.

And in the absence of a single European police force, Europe's fighters against cybercrime have to wage their war from within their national police forces. There's cooperation, of course, but not yet full communication. For example, when Microsoft received information that it realized could lead to the author of the Sasser worm, the FBI and other US federal investigators had to liaise with police in northern Germany to apprehend an 18-year-old high school student known as Sven J in May 2004.

Enter the European Electronic Crimes Task Force (EECTF): a bold attempt to circumvent national strictures and put cybercrime investigators directly in touch with their international counterparts. The EECTF is, according to its Security Adviser Dario Forte, "a union of European law enforcement and academic forensic practitioners". Forte, a Milan-based former Italian police investigator who worked in the narcotics and organized crime sectors, is president of the European chapter of the Hi-Tech Crime Investigators' Association, and teaches classes on security and forensics on both sides of the Atlantic. In addition to currently teaching digital forensics at the University of Milan at Crema, Forte also recently served as an intrusion instructor for the US Department of Homeland Security's Internet forensics training program.

The task force is not an association or formal law enforcement organization, stresses Forte. Instead, it's an online "trusted community" (or Listserv), where duly accredited people from European law enforcement agencies, military forces and academic institutions can come together to pool knowledge and discuss cybercrime threats. Inside a secure portal, members can browse the library, locate contacts, chat, and contribute opinions and information on a series of topics stretching from hacking to network forensics.

Individuals from private industry can join too, as long as they are sponsored by an existing member. Disseminating commercial information is barred, as is discussing classified information. Riding herd on the group is a special agent of the US Secret Service's Milan office; the Secret Service supports the task force, explains Forte, and helps to provide a communication conduit for members to discuss sensitive or confidential information that's barred from online transmission.

The intention, he says, is that the task force should focus on helping its members do their jobs better, without getting tangled up in national - or even pan-European - bureaucracies. In theory, members could all board an aircraft and meet physically. Instead, in the spirit of the electronic age, they log in for virtual discussions from the convenience of their desktops. "Our members are very technically skilled. We don't talk about policy matters; we talk about technical news and real threats," he says. "We're a non-government initiative, and nor do we want to provide a substitute for any European Union initiatives."

As the Sasser worm case showed, Europe's cybercriminals are today still being apprehended by national police forces. The cybercriminals of tomorrow may still have their handcuffs put on by local police, but underpinning their arrests could be a chain of communication that stretches across Europe. Already, says Forte, cases are pending where the task force has played a part. While the EECTF isn't a law enforcement body per se, evidence is starting to mount that it provides an effective model for sharing information outside of formal, structured relationships.

The Bad Guys

Cybercriminals worldwide demonstrate a broad array of motives and methods in their search for thrills and profits

It is, they say, a wired world. And that being the case, you might imagine that cybercrime would be fairly ubiquitous, with viruses and intrusion attempts as likely to come from Bilbao as from Bangkok. But while it's true that there's hardly a country in the world that doesn't emanate some sort of electronic threat, certain parts of the world definitely tend to attract particular kinds of electronic crime.

Why? Some countries or regions have poor laws. Others have ample resources of talented criminals for whom a computer is today's tool of choice - just as their fathers might have favoured a jemmy. In some countries, cybercrime as it's defined in the United States turns out to be legal.

And that's before we get into the politics of cybercrime. Is a hacker who hacks into an oil company's network to create damage a cybercriminal or ecowarrior? A European Marxist launches distributed denial-of-service attacks on several major US financial institutions: cybercriminal or political zealot? And when do soft, blurred labels such as "ecowarrior" and "political zealot" become "terrorist"?

It's a heady mix. Roll it all together and it's no wonder that cybercrime - while pervasive - is unevenly spread around the globe. Throw in the wide disparities in access to computing resources and bandwidth, and significant language barriers, and the picture becomes even murkier. In a country where electronic hijinks either aren't illegal or law enforcement agencies don't care, someone who doesn't speak English and lacks bandwidth may be better off robbing banks the old-fashioned way.

So, here's a look at three places around the globe where cyberthreats originate, and how the motives and methods behind those crimes can differ greatly from location to location.

In the West:

Wealth, plenty of technology and variable laws

The world's richest countries also have more than their fair share of cybercriminals. For one thing, they are countries whose citizens are early (and lavish) adopters of new technology. And improvements in technology arguably make perpetrating a cybercrime easier, not more difficult, says Sarah Gordon, a senior research fellow for Symantec Security Response of Santa Monica, California, who has studied the psychology of virus writers for almost 20 years.

"As a more diverse population has access to information technology, and as that technology becomes more regularly adopted for use in everyday life, there are more opportunities for exploitation by folks who are not the traditional virus writer or hacker, but by those who are simply using technology to achieve some goal," she says. "They are operating from an external motivation - the tool just happens to be the computer."

And while the world's richest countries share at least one characteristic - wealth - their approach to lawmaking varies widely. Ask anyone who's driven on Germany's autobahns ("Speed limit? What speed limit?"), or bought freely available marijuana in Amsterdam's famous smoke houses. It's the same with cybercrime: One country's cybercrime is often another country's legitimate economic activity.

Take pornography. In some jurisdictions in Britain, for example, censorship laws prohibit photographs of actual sexual intercourse or erect male genitalia. So, the sort of images routinely found in adult magazines on news-stands across the United States (or in much of continental Europe, for that matter) are illegal in some parts of Britain. The same goes for many of the images found on adult Web sites. British police can't stop people from looking at such sites, but can possibly prosecute if they find evidence that the material has been downloaded onto computers in Britain, has been created in Britain, or might be evidence of offences either committed in Britain or by British citizens travelling abroad.

In reality, unless the images are of children or are otherwise objectionable, overstretched police forces often have bigger problems on their plate. "Pornography is a social issue, and is a social crime rather than a high-tech crime," concedes John Regnault, Ipswich, UK-based head of security technologies at BT, Britain's largest telco and the country's biggest ISP. In the strange world of cybercrime enforcement: "The high-tech crime is probably subverting hosts and using illegally obtained resources to send the e-mails that attract people to the pornography sites in the first place," says Regnault.

The world's richest countries are also home to a surprising number of dilettante hackers. "Sure, we see attacks coming from places like Brazil, Hong Kong and Taiwan, but we see more determined attacks from countries like Canada, France, Germany and Italy," says Ron Miller, CSO and cofounder of Austin, Texas-based Mirage Networks, and a former cybercrime consultant to the FBI and the Texas Rangers' Department of Public Safety.

Many countries pose "noise- and nuisance-level" threats, he says, but it's a list of countries that roughly corresponds to the G7, where the threats are most severe and most frequent. (The so-called G7 richest economies of the world - the G8 countries, minus Russia which joined the G7 in 1994 - are the United States, Canada, Britain, Japan, Germany, France and Italy.) It's not that Russian citizens are law-abiding saints; what makes it a G7 threat - and not a G8 threat - is that Russian cybercrime is characterized more by profit motive.

And it's the general absence of a profit motive, rather than the hackers' level of sophistication and training, that merits the "dilettante" tag. The cybercriminals in question range from teenage boys (think of the German teenager recently identified as the author of the Sasser worm, which closed down tens of thousands of computers worldwide when it emerged last May) to seasoned information security professionals who strayed from the straight and narrow.

While the news that serious hacking comes from just a handful of countries is welcome, there is a stinger in the tail. The G7 aren't just any old countries; their economies are highly developed, and their citizens have high levels of disposable incomes, affording them the leisure time as well as the fancy computers and bandwidth required for a successful hacking operation. Security experts have already identified Britain's 4 million broadband-connected computers - many of which are left on 24 hours a day - as a growing factor in virus propagation. Those same computers can almost as readily be harnessed to more harmful tasks. So if economic prosperity indicates a predisposition to posing a sophisticated threat, then don't forget that there's quite a queue of would-be economic powerhouses waiting in the wings.

Eastern Europe:

Criminal gangs with a distinct profit motive

According to Ajoy Ghosh, a consultant and lecturer in cybercrime at the law faculty of the University of Technology in Sydney, high-tech crime carried out for gain flourishes in places sharing three characteristics: good mathematical skills, good programming skills and a propensity for underemployment.

And catching high-tech criminals is especially difficult in countries or regions with weak or poorly drafted laws, says James Lewis, director of the Technology and Public Policy Program at the Washington, DC-based Center for Strategic & International Studies. Theft, extortion and malicious damage are pretty much illegal everywhere. But when the means of committing the crime are electronic, the technicalities of detecting, proving and framing the charge can make prosecution impossible.

The post-Soviet countries of Eastern Europe, especially Russia, fit these descriptions like a glove. Spotting an easy way to make money, organized criminals have joined forces with former intelligence officials and skilled computer programmers. Favourite tactics: defrauding consumers with fraudulent Internet purchases and corporate extortion following successful hacks.

Take Romania, where - according to a report from America's Internet Fraud Complaint Center, a body jointly run by the FBI and the National White Collar Crime Center - "some of the world's most talented computer students are exploiting their talents online, [having become] frustrated with the employment opportunities offered them". In a high-profile hack in 2003, Romanian criminals - operating from an Internet cafe in Romania's capital, Bucharest - demanded money from a South Pole research centre in Antarctica, having stolen scientific data and threatened to shut down life-support systems.

Following joint operations with the FBI, the Secret Service and a number of European police forces, over 60 Romanian criminals have been arrested in recent months. While Russia has so far set the pace, Romania, Bulgaria and Slovenia are catching up fast. And it remains to be seen whether Poland's entry into the European Union earlier this year will affect the ability of Polish law enforcement agencies to crack down on cybercrime.

Major Cities Everywhere:

Wardrivers exploit trusted connections

Wardrivers gain illicit network access by literally driving around, using a laptop with a wireless network card and an antenna to detect and enter unsecured wireless connections. It's a fast-growing phenomenon, and even has Web sites devoted to it (WarDriving.com, for example). And while it isn't tied to a particular geography, it threatens to mutate the way that cybercrime is predominantly executed. Companies sitting smugly behind a ring of Internet firewalls may find hackers more frequently attacking via trusted network connections that have been breached, wirelessly, overseas.

Wardriving's quick ramp-up is due in part to the fact that wireless networks are simple and inexpensive to install. And that means that the majority of wireless deployment is neither strategic nor carefully thought-out, says Ian Kilpatrick, chairman of Wick Hill Group, a British firm of security specialists. "Because people are used to doing it at home, they do it at work, without telling the IT department - who can't secure it, because they don't know about it," says Kilpatrick.

As a result, in major cities, and especially in the financial districts of major capital cities, there are dozens (or even hundreds) of unsecured access points. Sitting in a US airport recently, Kilpatrick accidentally found himself "hacking" the control tower. "It was openly broadcasting its address," he says. A survey by RSA Security in 2002 recorded 328 wireless access points in just seven areas in the financial district of London alone - only a third of which were operating special security technology for wireless networks. This August, three men in the United States received what's believed to be the first criminal conviction specifically on a wardriving charge, having cracked into the corporate network of Lowe's and attempted to pilfer credit card information.
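The survey Kilpatrick and RSA describe is exactly the exercise an IT department can run against itself: walk the building (or the block) with a scanner, then compare what is broadcasting against what the department actually deployed. The script below is an added example written for this page, not code from the article, RSA, Wick Hill or any wardriving tool. It takes a survey in a simple comma-separated form (the format, the access points, the "authorized" list and the corporate SSIDs are all constructed for the example), flags access points that are open, still on WEP, unknown to IT, or impersonating a corporate SSID, and reports the share of access points running any wireless encryption at all, which is the figure the RSA survey quoted.

```python
"""Triage a wireless survey for unsecured and rogue access points.

Added example for this page, not code from the article or any organization
it quotes. Survey format, addresses, SSIDs and authorized list are constructed.
"""
from dataclasses import dataclass

# Constructed survey lines: BSSID, SSID, channel, privacy seen in the beacon.
SURVEY = """\
00:11:22:33:44:01,CORP-WLAN,6,WPA2-PSK
00:11:22:33:44:02,CORP-GUEST,11,OPEN
00:11:22:33:44:03,linksys,1,OPEN
00:11:22:33:44:04,TradingFloor,6,WEP
00:11:22:33:44:05,CORP-WLAN,11,WPA2-PSK
aa:bb:cc:dd:ee:06,CORP-WLAN,6,OPEN
"""

# What the IT department says it deployed (constructed for the example).
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:05"}
CORPORATE_SSIDS = {"CORP-WLAN", "CORP-GUEST"}
# Factory-default SSIDs are a strong hint of an unmanaged, user-installed AP.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}
WEAK = {"OPEN", "WEP"}


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    ssid: str
    channel: int
    security: str  # OPEN, WEP, WPA-PSK, WPA2-PSK, ...


def parse_survey(text):
    """Parse the constructed comma-separated survey into AccessPoint records."""
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, security = (f.strip() for f in line.split(","))
        aps.append(AccessPoint(bssid.lower(), ssid, int(channel), security.upper()))
    return aps


def assess(ap, authorized_bssids=AUTHORIZED_BSSIDS, corporate_ssids=CORPORATE_SSIDS):
    """Return (severity, reason) for one AP; severity runs 0 (ok) to 3 (high)."""
    authorized = ap.bssid in authorized_bssids
    if not authorized and ap.ssid in corporate_ssids:
        # Same name as the corporate network but not our hardware: clients will
        # happily associate with it (evil twin), and it is invisible to IT.
        return 3, "unauthorized AP advertising a corporate SSID (possible evil twin)"
    if not authorized:
        hint = " with a factory-default SSID" if ap.ssid.lower() in DEFAULT_SSIDS else ""
        return 3, f"unauthorized AP ({ap.security}){hint}; IT does not know about it"
    if ap.security == "WEP":
        return 3, "authorized AP still on WEP, which is cryptographically broken"
    if ap.security == "OPEN":
        return 2, "authorized open AP; confirm it is isolated from the corporate LAN"
    return 0, "authorized and encrypted"


def triage(text, authorized_bssids=AUTHORIZED_BSSIDS, corporate_ssids=CORPORATE_SSIDS):
    """Return [(ap, severity, reason)] sorted with the worst findings first."""
    findings = [(ap, *assess(ap, authorized_bssids, corporate_ssids))
                for ap in parse_survey(text)]
    findings.sort(key=lambda f: -f[1])
    return findings


def fraction_protected(text):
    """Share of surveyed APs running any wireless encryption (the RSA-style figure)."""
    aps = parse_survey(text)
    return sum(ap.security not in WEAK for ap in aps) / len(aps)


if __name__ == "__main__":
    for ap, severity, reason in triage(SURVEY):
        print(f"[{severity}] {ap.bssid} {ap.ssid!r:16} ch{ap.channel:<3} {ap.security:9} {reason}")
    print(f"protected: {fraction_protected(SURVEY):.0%}")
```

Run against a real survey, the authorized list would come from the wireless controller or asset inventory, and the survey lines from whatever scanner is in use; the point of the comparison is that the access points IT cannot secure "because they don't know about it" are precisely the ones that fail the BSSID check.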

Not every wardriver has evil intentions upon your data. Instead, their objective may simply be bandwidth theft: piggybacking on a free high-speed Internet connection in order to browse the Web or send e-mail. Nevertheless, such actions create risks to the company beyond simply bogging down network performance. Suppose the bandwidth is being used for illicit purposes such as child pornography or hacking onto yet another system. To investigators, it's your business that seems culpable.

But the Lowe's case illustrates the greater potential dangers presented by wardrivers. An unsecured wireless network is hackers' heaven. Frustrated by intrusion sensors and firewalls, why should hackers waste their energies banging their heads against the front door when the back door (the wireless network) has obligingly been left open for them? Lowe's is headquartered in North Carolina; the attackers used an unsecured wireless network at a Michigan store to access the corporate network. Once inside, they moved across the network, installing a program on systems in several other stores, intent on capturing customers' financial data.

And so the more distributed a company's operations, the greater the risk. Loose management controls over wireless networking in a branch office in Jakarta or Johannesburg may result in security breaches on computer systems back at corporate headquarters in New York or Sydney. "Whether hackers are able to enter a company's wireless network through an unprotected access point or through a peer workstation, once they are associated with the network, they will be difficult to detect, because they may not be visible in or near the network site," warns John Pescatore, vice president and Gartner fellow. "A clever hacker will play it safe and use the company's resources quietly, and as a result, may never be found."