he fight against cyber-crime Kevin A O'Brien Copyright 2000 Jane's Information Group Limited,All Rights Reserved Jane's Intelligence Review December 1, 2000 While governments and international bodies attempt to confront the problems of cyber-crime through new legislation and techniques, they are fighting a losing battle. The Internet has made transactions across frontiers alarmingly easy and governments have been unable to keep up with the technological advances that allow criminals to abuse the system. CYBER-CRIME is criminal activity that requires a certain knowledge of computers, allowing criminals to hack (or 'crack') into a computer to alter or destroy files or to gain information for personal benefit, or to use the Internet to conduct illegal activities. This is distinct from other types of computer and networking criminal activity, such as computer-related crime, where computers are used as tools but knowledge of them is not necessary for success. Overall, the US Federal Bureau of Investigation (FBI) estimates worldwide cyber-crime losses to be up to US$10 billion a year. Online attacks such as the August Egg.com bank fraud are not 'computer crimes', but rather more traditional crimes carried out using computing and networking technology. In both categories, however, traditional criminal concepts, such as trespassing, theft and destruction of property are relevant. Both types of criminal activity are of equal concern and can be classified as cyber-crime. Crime and cyber-crime The majority of cyber-crimes are carried out by internal sources, including company employees. Some estimates suggest that up to 90% of cyber-crime is attributable to insiders. Other actors include hackers/crackers, virus-writers, narcotics traffickers, paedophiles, fraudsters, organised criminal groups, terrorists and foreign intelligence services. A recent report by the Center for Strategic and International Studies stated that 'a new breed of transnational criminals with high-tech methodologies has made its debut. They are recruiting top- drawer computer skills for their global operations that know no borders. Law enforcement, on the other hand, is stymied by frontiers that are not even lines on the map in cyberspace'. Law-enforcement agencies, according to the study, are five to 10 years behind the cyber-criminals in acquiring technology. Transnational organised crime is becoming more involved in cyber- theft every month. In September 1999 the 'Phonemaster', an international group of criminals which penetrated the computer systems of MCI, Sprint, AT&T, Equifax and even the US National Crime Information Center, was convicted of theft, possession of unauthorised access devices and unauthorised access to a federal computer. Even a number of transnational terrorist groups, such as the Peruvian Sendero Luminoso, are becoming more involved in cyber-crime to fund their activities and, like the Russian mafiya, are moving away from drugs into the more profitable business of computers. Types of cyber-crime There is a wide variety of cyber-crimes; most mirror similar activities in the 'real' world. Computer and networking crimes The US National White Collar Crime Center has divided these into computer network break-ins, industrial espionage, software piracy, child pornography, distributed denial of service (DDOS) attacks, password sniffers, spoofing and credit card fraud. With about 80% of a company's intellectual property now in digital form, spending on Internet security software has increased markedly. Last year companies in the USA spent $4.4 billion on such purchases. This is not surprising, given that the 'I Love You' virus that crashed millions of computers worldwide in May this year caused an estimated $10 billion in damage; similarly, the Melissa virus in March 1999 caused an estimated $80 million in damage. Perhaps one of the most debilitating recent 'attacks' was the cracking on 25 October of Microsoft's internal data-sharing networks. Over a 12-day period, cyber-intruders used a Trojan virus sent by e-mail to plant a common cracker's tool called QAZ Trojan onto an employee's computer, which then transmitted employee- passwords back to an e-mail account based in St Petersburg, Russia. Crackers then used these passwords to enter the internal Microsoft network, posing as employees working from home, and downloaded Windows code. Microsoft had already taken legal action in August against 7,500 websites based in 33 countries for selling counterfeit copies of its programmes. DDOS attacks are particularly concerning as they are not technically illegal in most countries. This was shown when 'Yahoo!' was taken down on 6 February, followed by retailers Buy.com, eBay, Amazon.com, E*Trade and CNN. The software to conduct these attacks is simple to use and readily available at underground hacker sites throughout the Internet, with an estimated 1,900 websites offering digital tools to crash computers, hijack control of a machine or retrieve a copy of every keystroke. Cyber-fraud and e-crime As e-commerce continues to grow, the Internet provides a seemingly helpful tool for investors due to its convenience and the inexpensive cost of researching investment opportunities. Unfortunately, it has also become an excellent tool for perpetrators of fraud. Attempts at cracking stock market and banking financial assets have increased. For example, Russian organised criminals tried to use crackers to steal $10 million from Citibank. Online investment fraud is also increasing. In the USA, the Securities and Exchange Commission (SEC) receives around 250 complaints per day of suspected cyber-fraud, totalling over 54,000 a year. Attempts to apprehend violators is difficult, with few obvious results. This may partly be because the number of investors trading online grew to over 5.2 million in 1999, with over 25% of all stock trading occurring over the Internet. Many of these individuals are new to online trading and thus prone to such frauds. The case of PairGain, believed to be the first instance of Internet- based stock manipulation, demonstrates this point. A former employee of PairGain Technologies directed bulletin board visitors to a false Bloomberg story that said the company was a takeover target. PairGain stock soared by 31% before dropping back down. Another recent cyber-fraud took in $6.3 million before the SEC was able to stop it. A 2000 FBI/Computer Security Institute survey noted that, of the 520 companies and institutions surveyed, over 60% reported unauthorised use of computer systems throughout 1999, up from 50% in 1997; 57% of all break-ins involved the Internet, up from 45% in 1998. Less than 15% of these cases were reported to the authorities. Information theft and financial fraud caused the most severe financial losses, at $68 million and $56 million respectively. Losses traced to DOS attacks were $77,000 in 1998, and by 1999 had risen to just $116,250. It is thought that annually $7.5 billion worth of software is illegally copied and distributed worldwide. All this may be contributing to a decreasing confidence in e- commerce. A poll conducted this year by the Information Technology Association found 61% of those surveyed said rising cyber-crime made them less likely to do business over the Internet; 62% said they did not believe enough was being done to protect consumers against cyber-crime. Cyber-violence Cyber-stalking is also a growing concern, with the majority of victims being female. Evidence can be found in Internet chat-rooms and newsgroups, as well as through e-mail. The Internet provides anonymity, enabling perpetrators to be more vicious and threatening than might be the case in person. Child pornography is even more difficult to constrain, especially with the growth of cyber-paedophilia rings. While some hacking groups have 'informally' assisted law enforcement with technical training and evidence gathering, federal law-enforcement agencies such as the FBI and customs services have established undercover units to combat child pornography on the Internet. Most cyber-crimes appear to go unpunished. In 1998, of 419 computer crime cases referred to US federal prosecutors, only 83 were prosecuted. The remainder were dismissed for lack of evidence. Up to 40% were turned down 'for lack of evidence of criminal intent, weak or insufficient evidence or no apparent violation of law'. Only 47 convictions resulted. International efforts Most Western countries have initiated some kind of anti-cyber-crime capability or legislation, but this is slow to develop. In 1997 the UK established the Internet Crime Forum, bringing together police, government, prosecutors, Internet industry officials and lawyers to discuss issues of mutual concern. Canada looks likely to follow suit in light of the May 2000 G8 meeting on cyber-crime. Also in the UK, the Department for Trade and Industry announced in October a Pds4.5 million (US$6.5 million) increase in funding to tackle cyber-crime, particularly in the retail trade, the detection of insurance fraud and the use of digital certificates in e- commerce. Many other computer crime units are being established around the world. The FBI, for example, established its C-37 unit in 1996; the Russian Federal Security Service has established a system to monitor e-mail codenamed SORM (System of Operational and Investigative Measures); and India recently proposed an Information Technology Bill, which will set up a cyber-regulations advisory committee, a controller, and adjudicating officers to regulate cyber-laws. The G8 currently has a high-tech crime group developing best practices for investigating online crime. The Council of Europe has drafted a convention on cyber-crime, which aims to enhance powers to investigate and prosecute cyber-crimes. More than 100 countries do not have the laws to deal with computer- related crime, including at least 60% of Interpol members. This has a huge impact on a country's own ability to combat cyber-crime and on its ability to assist other countries with their investigations. The hampering of the US-Philippine hunt for the perpetrator of the 'I Love You' virus was a prime example of this. Senior law-enforcement officials from around the world believe there is a clear need to establish special communication channels that should always be open to process urgent and critical cases, as well as to enhance intelligence co-operation and co-ordination worldwide. Total frauds 1996 689 1999 10,660 Type of fraud Auctions 87% (1998 - 68%, (1999) 1997 - 26%) General merchandising frauds 7% Internet access service frauds 2% Company equipment and software 1.3% frauds Work-at-home frauds 0.9% Advance-fee loans, magazines, 0.1-0.2% each adult services, travel/vacations, pyramid scheme frauds Total losses Total sales losses $3.2 million (1999) Average loss per consumer for $580 on-line purchases of computer equipment or software Average loss per consumer for $465 general merchandise sales Average loss per consumer for $293 on-line auction sales Cyber-fraud Information theft $68 million (1999) Financial fraud $56 million Losses traced to DoS attacks $116,250 (1998-$77,000) Software illegally copied and $7.5 billion distributed annually worldwide -- archive: http://theMezz.com/cybercrime/archive unsubscribe: [EMAIL PROTECTED] subscribe: [EMAIL PROTECTED] url: http://theMezz.com/alerts ___________________________________________________________ T O P I C A http://www.topica.com/t/17 Newsletters, Tips and Discussions on Your Favorite Topics