II Congresso de Crimes Eletrônicos e Formas de Proteção – 27-09-2010 – presentation by Fernando Pinguelo


Upload: fecomerciosp

Post on 05-Dec-2014


Page 1: II Congresso de Crimes Eletrônicos e Formas de Proteção – 27-09-2010 – presentation by Fernando Pinguelo

[email protected]

Where law, technology, and human error collide

Fernando M. Pinguelo, Esq.

Norris McLaughlin & Marcus, P.A.

New York | New Jersey | Pennsylvania

[email protected]

Virtual Crimes – Real Damages

Challenges Posed By Electronic Crimes In The United States

Page 4

“Cybercrime”

Criminal activity conducted through the Internet

Page 5

A brief history

1967: “number-cropping operation” by a New York bank employee.

1970s: rare and isolated:

MIT student used a university computer to generate the tones needed to access phone service.

John Draper discovers the whistle in Cap'n Crunch cereal boxes and reproduces a 2600 Hz tone with it.

Page 6

A brief history

1980s: computer crimes grow:

Ian “Captain Zap” Murphy - first felon convicted of a computer crime. Murphy hacked AT&T’s computers and changed the billing clock so as to provide discounted rates during business hours.

U.S. Comprehensive Crime Control Act gives the Secret Service jurisdiction over computer fraud.

War Games introduces the public to the phenomenon of hacking (i.e., war-dialing).

Page 7

A brief history

After break-ins into gov’t and corporate computers, Congress passes the Computer Fraud and Abuse Act, making such intrusions a crime. The law does not cover juveniles.

Computer Emergency Response Team (CERT) created.

First large-scale computer extortion case is investigated (under the pretense of a quiz on the AIDS virus, users download a program that threatens to destroy all their computer data unless they pay $500 into a foreign account).

Page 8

A brief history

1990s: 16-year-old student (“Data Stream”) arrested by UK police for penetrating computers at the Korean Atomic Research Institute, NASA and several U.S. government agencies.

CIA Director John Deutch testifies that foreign organized crime groups are behind hacker attacks against the U.S. private sector.

U.S. Communications Decency Act makes it illegal to transmit indecent/obscene material over the Internet.

Page 9

A brief history

2000s: Hackers break into Microsoft's corporate network and access source code for the latest versions of Windows and Office software.

Cyberattacks have grown more frequent and destructive in recent years.

TODAY (literally): September 27, 2010

“U.S. Wants to Make It Easier to Wiretap Internet”: Federal law enforcement and national security officials are preparing to seek sweeping new regulations for the Internet.

Page 10

Forensics

Traditional Investigations

• Fingerprints

• Blood

• Fibers

• DNA

• Soil, fluids, debris

• Etc.

Digital Investigations

• Emails

• Documents, spreadsheets, databases, images, etc.

• File attributes (i.e., metadata)

• Internet activity

• File transfer and copying

• More…

Page 11

Electronically Stored Information – EVERYWHERE

• Laptops/Desktops

• Servers

• Phone Systems (VoIP)

• Printers & Copiers

• PDAs/Cell phones

• CDs/DVDs

• USB thumb drives

Page 13

Statistics

Internet Crime Complaint Center, 2009:

• Received 336,655 complaints (a 22.3% increase from 2008)

• Total dollar loss: $559.7M USD (in 2008 the amount was $264.6M USD)

• Companies pay $3.8M USD annually

Page 14

Statistics

Most Popular Cybercrime Targets

Financial sector

Hospitality industry

Page 15

Statistics

Most Common Complaints

• FBI scam

• Non-delivery of merchandise/payment

• Advance fee fraud

• Identity theft

• Overpayment fraud

• Miscellaneous scam & fraud

• Credit card fraud

• Auction fraud

Page 17

Cybercriminal Profile

Male from the United States

Page 18

Data Security Risk

Type of Data:

• Credit Card #

• Social Security #

• “Secret Sauce”

• Personal Information X

• D.O.B. X

• Drivers License X

• Customer Information

Page 20

Cybercrimes causing concern

U.S. government and businesses:

1. Corporate or Foreign Espionage

2. Malicious Insiders

3. E-mail Extraction Programs & Spamming

4. Hacking

Page 21

Cyber Insurance Protection

Protection for Internet and network exposures:

1. Liability: privacy and confidentiality

2. Copyright, trademark, defamation

3. Malicious code and viruses

4. Business interruption: network outages, computer failures

5. Attacks, unauthorized access, theft, website defacement and cyber extortion

6. Technology errors & omissions

7. Intellectual property infringement

Marsh: http://global.marsh.com/risk/ecommerce/

Chubb: http://www.chubb.com/businesses/csi/chubb822.html

Page 22

Corporate or Foreign Espionage

Regardless of how large a cyber defense budget is, it is difficult to protect against the covert activity of cyber spies.

Page 23

Malicious Insiders

Proactive:

Watch historical patterns, which may help catch an employee who, for example, regularly accessed sensitive corporate information when others within the company did not

Train employees so as to raise staff awareness about insider threats

Implement effective security policies
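The historical-pattern check described above, as an added example that is not part of the presentation: a peer-group comparison over constructed access-log lines that flags a user whose sensitive-data accesses far exceed the median of their department peers. The log layout, department names and the "sensitive" tag are assumptions made for the demonstration.

```python
"""Flag users whose access to sensitive data stands out from their peers.

Added example (not from the presentation). The five-field log layout, the
department names and the "sensitive" tag are assumptions for the demo.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log: timestamp, user, department, resource, sensitivity tag
SAMPLE_LOG = """\
2010-09-20T09:01:10 alice finance /fin/q3-forecast.xlsx sensitive
2010-09-20T09:05:42 bob finance /fin/expense-policy.pdf public
2010-09-20T09:12:03 alice finance /fin/merger-memo.docx sensitive
2010-09-20T10:30:11 carol finance /fin/q3-forecast.xlsx sensitive
2010-09-20T11:02:55 alice finance /hr/salary-bands.xlsx sensitive
2010-09-20T11:45:00 dave finance /fin/expense-policy.pdf public
2010-09-20T13:20:17 alice finance /fin/board-minutes.pdf sensitive
2010-09-20T14:00:09 bob finance /fin/q3-forecast.xlsx sensitive
2010-09-20T15:10:33 alice finance /fin/customer-list.csv sensitive
2010-09-20T15:40:21 erin eng /eng/build.log public
2010-09-20T16:05:47 frank eng /eng/build.log public
"""


def parse_log(text):
    """Yield (user, dept, resource, is_sensitive) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, user, dept, resource, tag = parts
        yield user, dept, resource, tag == "sensitive"


def sensitive_counts(records):
    """Count sensitive accesses per user, grouped by department.

    Users with only public accesses are still recorded (at zero) so that they
    count as peers when the baseline is computed.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for user, dept, _resource, is_sensitive in records:
        counts[dept][user] += 1 if is_sensitive else 0
    return counts


def flag_outliers(counts, ratio=3.0, minimum=3):
    """Return {user: (dept, count, peer_median)} for users whose sensitive
    access count is at least `minimum` and more than `ratio` times the median
    of their department peers (the median guards against one heavy peer)."""
    flagged = {}
    for dept, per_user in counts.items():
        for user, n in per_user.items():
            peers = [v for u, v in per_user.items() if u != user]
            if not peers:
                continue  # no peer group to compare against
            baseline = median(peers)
            if n >= minimum and n > ratio * max(baseline, 1):
                flagged[user] = (dept, n, baseline)
    return flagged


if __name__ == "__main__":
    for user, (dept, n, base) in flag_outliers(sensitive_counts(parse_log(SAMPLE_LOG))).items():
        print(f"{user} ({dept}): {n} sensitive accesses vs. peer median {base}")
```

A hit is a lead for review, not a finding: the baseline should be built over a longer window and account for role changes before anyone acts on it.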

Page 24

Email Extraction & Spamming

Sending email to thousands of people in an effort to sell a product or for data collection purposes.

According to the U.S. Attorney’s Office, nearly every college and university in the U.S. was impacted by this scheme. Schools spent significant funds to repair damage and implement preventive measures.

Page 25

Hacking

Hackers break into government or business networks for profit, for the pure thrill, or for bragging rights.

While off-site hacking once required expertise in computer programming, hackers can now retrieve attack scripts and protocols from the Internet and use them against victim websites.

Page 26

Hacking

Some of the U.S.’s most popular websites are vulnerable to hacking.

September 21, 2010: Twitter was ravaged by posts that took advantage of a programming weakness to play pranks, distribute pornography, and spread worms to victim users.

Page 27

Hacking

One of the victims was the wife of former British Prime Minister Gordon Brown, as a link on her Twitter page sent visitors to a hard-core porn site.

Page 28

GoDaddy sites hacked: myblindstudioinfoonline.com and Hilary Kneber (posted on September 17, 2010)

Page 29

U.S. Federal & State Action to Combat Cybercrime

What are federal & state governments doing to protect the U.S. from cyber attacks?

Federal: Executive, Legislative & Judicial Action

State: Most proactive states – VA & FL

Page 31

U.S. Federal Government – Executive Branch

Executive Action

January 2008

President Bush issues Presidential Directive establishing the Comprehensive National Cybersecurity Initiative (CNCI)

Page 32

U.S. Federal Government – Executive Branch

CNCI directive established twelve cyber defense projects, identifying a lead agency for each.

Department of Homeland Security (DHS) becomes lead agency to protect U.S. computer-reliant critical infrastructure.

Report reveals deficiencies in key responsibilities since 2005: cyber analysis and warning capabilities, cybersecurity infrastructure, recovery from Internet disruption, secure internal information systems, organizational inefficiencies.

Page 33

U.S. Federal Government – Executive Branch

President Obama

February 2009 - Orders review of cybersecurity plans and programs throughout the federal government (May 2009 report & recommendations)

April 2009 - Creates high-level Federal CIO to coordinate efforts to combat hackers and cybercriminals

June 2010 - Proposes National Cyber Identity law

September 2010 - Seeks sweeping new regulations for the Internet

Page 34

U.S. Federal Government – Executive Branch

2009 Report

Significant weaknesses and vulnerabilities in security controls

23 of the 24 major federal agencies report problems

Problems include reauthentication of users, encryption, and monitoring for security-related events

Page 35

U.S. Federal Government – Executive Branch

Projects include:

• Trusted Internet Connections

• Einstein 2, Einstein 3

• Research & Development Efforts

• Cyber Counterintelligence Plan

• Security of Classified Networks

• Expand Education

• Leap-Ahead Technology

• Deterrence Strategies and Programs

• Global Supply Chain Risk Management

• Public/Private Partnerships

Page 36

U.S. Federal Government – Executive Branch

Despite these efforts, the executive branch fell victim to a successful cyber attack in July 2009, when a coordinated assault over several days targeted the websites of several government agencies, causing major disruptions.

Much work still to be undertaken, but proactive measures are being employed and progress continues to be made.

Recent attacks led to proposed legislation to empower the President to disconnect any federal or U.S. critical infrastructure information system or network for national security reasons.

Page 37

U.S. Federal Government Agencies with Cyber Crime Efforts

Department of Justice and FBI lead the effort to investigate and prosecute

Secret Service

Immigration & Customs Enforcement Agency

Postal Inspection Service

Bureau of Alcohol, Tobacco & Firearms

Page 38

FBI Mission on Cyber Crime

The FBI's cyber mission is four-fold:

• Stop those behind the most serious computer intrusions and the spread of malicious code.

• Identify & thwart online sexual predators who exploit children & circulate child pornography.

• Counteract operations that target U.S. intellectual property, endangering national security and competitiveness.

• Dismantle national and transnational organized criminal enterprises engaging in Internet fraud.

Page 39

U.S. Federal Government Legislative Cyber Crime Efforts

February 2010: the House of Representatives passed (still pending) the Cybersecurity Enhancement Act of 2010. It would:

• Assist federal government efforts in developing skilled personnel for its cybersecurity team

• Organize and prioritize various aspects of the government’s cybersecurity research and development

• Improve the transfer of cybersecurity technologies to the marketplace, and

• Strengthen the role of the National Institute of Standards & Technology in developing and implementing cybersecurity public awareness and education programs to promote best practices.

Page 40

U.S. Federal Government Legislative Cyber Crime Efforts

The Senate’s proposed cybersecurity legislation (March 2010): Cybersecurity Act of 2009

• Authorize grants to enhance cybersecurity through research and workforce development

• Impose intergovernmental and private sector mandates on owners/operators of information systems designated by the President as U.S.-critical infrastructure (e.g., financial networks, electric providers, the petroleum industry)

• U.S.-critical infrastructure “threat alerts”

• Expands DHS authority

Page 41

U.S. Federal Government Legislative Cyber Crime Efforts

The Senate’s proposed cybersecurity legislation (March 2010): Cybersecurity Act of 2009

Problems:

Industry opposition

Upcoming election makes it unlikely that comprehensive reform will pass this year

Estimated cost of approximately $1.4 billion from 2011 to 2015

Page 42

U.S. Federal Government Legislative Efforts

Computer Fraud and Abuse Act (CFAA): Fraud and related activity in connection with computers

Internet Fraud: Unfair or deceptive acts or practices; false advertising; mail, wire, and bank fraud

Internet Sale of Alcohol or Firearms: Firearms; liquor traffic; shipments into states for possession or sale

Online Child Pornography, Child Luring, and Related Activities: Sexual exploitation and other abuse of children; transportation for illegal sexual activity

CAN-SPAM Act 2003: Delineates between unlawful spam and legal commercial email; preempts states

Page 43

Commonly Applied Federal Laws

Software Piracy and Intellectual Property Theft: Criminal copyright infringement; frauds and swindles; protection of trade secrets

Internet Sale of Prescription Drugs and Controlled Substances: Unfair or deceptive acts or practices; false advertising; smuggling goods into the United States; mail, wire, and bank fraud; Federal Food, Drug, and Cosmetic Act; Drug Abuse Prevention and Control

Page 44

U.S. Federal Government Existing Legislative Efforts

• SOX – Sarbanes-Oxley Act

• HIPAA – Health Insurance Portability & Accountability Act

• FACTA – Fair and Accurate Credit Transactions Act of 2003

• GLB – Gramm-Leach-Bliley Act

• FCRA – Fair Credit Reporting Act

• RFR – “Red Flags Rule”

• FRCP – Amended Federal Rules of Civil Procedure (“eDiscovery”)

• Related industry regulations

Page 45

State Government – Legislative Efforts

Play key role in security

Suffer from problems experienced by federal and private sectors

Budget crisis

Delicate balance between security and constitutional rights

Faulty & Conflicting laws

Page 46

State Government – Virginia Model

Legislative Efforts

Virginia Computer Crimes Act (“VCCA”)

Takes a multifaceted approach to cybersecurity that includes:

Virginia anti-spam statute

Virginia Cyber Strike Force works with the U.S. Attorney’s Office, State Police, and FBI to fight cybercrime

Page 47

State Government – Virginia Model

Legislative Efforts

VCCA criminalizes use of a computer or computer network with intent to falsify or forge electronic mail transmission information or other routing information in any manner in connection with the transmission of spam through or into the computer network of an electronic mail service provider or its subscribers.

Page 48

State Government – Virginia Model

Enforcement Efforts

Virginia Computer Crimes Unit

Formed July 1999

Works in cooperation with the U.S. Attorney’s Office, State Police, and FBI

Investigates & Prosecutes under VCCA

Illegal spamming

Child pornography: production, distribution & possession

Online enticement of children

Identity theft

Page 49

State Government – Virginia Model

Enforcement Efforts

VCCA penalties: Violation of a portion of the statute is a misdemeanor, but it may be upgraded to a felony if either the volume of spam transmitted exceeds a set number of recipients or the revenue generated from a specific transmission of spam exceeds a set amount.

Makes it a misdemeanor to knowingly sell, give, or otherwise distribute, or possess with the intent to sell, give, or distribute, software that is primarily designed for the purpose of facilitating the falsification of transmission information or other routing information of spam; has only limited commercially significant purpose or use; or is marketed for facilitating or enabling the falsification of the transmission information or other routing information of spam.

Page 50

Conclusion

Crime is a problem that is impossible to solve.

Statutes and law enforcement measures have been one step behind the criminals in the cyber realm.

Nevertheless, our government and the nation’s businesses must take whatever steps possible to combat cybercrime.

Tools for deterrence: Awareness & Education

Cybercrime is NOT a technology issue, it’s a business issue

Page 51

Thank You for your attention!

Any Questions?

Page 52

Contact Information

Fernando M. Pinguelo, Esq.

[email protected]

@ellblog_dot_com

www.eLLblog.com

721 Route 202-206

Bridgewater, NJ 08807-5933

908-252-4128