cybercrime
Latest
EU toughens penalties for internet-based crimes
Virtual crime can lead to very real damage, and the European Parliament knows this well enough to have just issued a draft directive toughening up the EU's penalties for internet-based violations. Get caught running a botnet and you'll face a minimum of three years in prison; dare to attack critical infrastructure and you may spend five years behind bars. Don't think of hiring someone for corporate espionage, either -- the directive makes whole companies liable for online offenses committed in their name. EU nations will have two years to adopt the directive as law, although an existing, unofficial agreement suggests that at least some countries won't wait that long to enforce the new rules.
US military will spend $23 billion on cyber defense, create its own secure 4G network
The US Department of Defense told a Washington thinktank yesterday that it would spend $23 billion in the next four years to kick its cyber defenses up a gear. That'll include building out a "secure 4G wireless network that will get iPads, iPhones and Android devices online by mid-2014," according to Joint Chiefs of Staff Chairman Martin Dempsey. The DoD recently approved Blackberry 10, iOS and Samsung Galaxy devices with Knox, and General Dempsey himself was packing a smartphone he said would "make Batman and James Bond jealous." While there were no details about how such a mobile network would be locked down, he did say that all 15,000 of the Department's computer networks would be consolidated into an enterprise cloud system to increase security. All that is to combat a "17-fold" cyber warfare increase in just over two years -- no doubt including recent Chinese hacking that the White House took the rare step of recently highlighting.
Pentagon report: Chinese hackers accessed F-35B and other advanced US weapons systems
Many of the Pentagon's most advanced weapon systems -- including the F-35 Joint Strike Fighter and PAC-3 Patriot missile system -- were compromised by Chinese hackers, according to a classified document obtained by the Washington Post. The list of weapons was part of an earlier DoD report condemning Chinese cyber-espionage activities, but had been confidential until now. Other systems hacked are said to include the Terminal High Altitude Area Defense (THAAD), the Navy's Aegis ballistic-missile defense system, the F/A-18 fighter, V-22 Osprey and the Littoral Combat Ship used for shore patrol. Many of these form the foundation of defense systems from Europe to the Persian Gulf -- and their breach goes a long way toward explaining Washington's unprecedented dressing-down of China.
Pentagon report marks first direct accusations of Chinese cyber-espionage
The US Department of Defense has taken the unusual step of singling out China's cyber-spying activities in its annual report. Though the government has tacitly chided such deeds before and even threatened sanctions, yesterday's document marks the DoD's first direct allegation of Chinese espionage. It said that hacks directed toward government and business "appear to be attributable directly to the Chinese government and military" for the purpose of "exfiltrating information" to benefit its defense and industry. The paper also highlighted China's "lack of transparency" with regard to its military, saying that expenditures on cyber-military operations and other defense spending were likely far in excess of the $114 billion it reported. Meanwhile, China denied the accusations, saying it was equally the victim of similar breaches, and suggested that the two nations work together to resolve the problem.
AMD, Intel and RSA team up, form the Cyber Security Research Alliance
Sure, it's not the first elite cybercrime-fighting team we've heard of, it's also not everyday you hear the likes of Intel, Lockheed Martin and AMD buddying up on research. The companies are looking to address the "complex problems" in cyber security, with the private, non-profit group (which also includes Honeywell and RSA/EMC) aiming to work somewhere between government-funded security research and commercial products already out there. The Cyber Security Research Alliance is already in talks with NIST, and plans to launch a security research symposium early next year. The CSRA will also start tracking cyber security R&D, "prioritize" those aforementioned challenges, and hopefully come together for the greater good.
Google searches for criminals in bid to reduce global crime
Google's pretty much aced searching for your latest whim, so now it's turning its efforts to criminals. Working with the Council on Foreign Relations, the internet giant has been exploring ways of using its technology for the greater good. Yahoo reports that Google Ideas will meet with the CFR (and other groups) this week to develop global crime fighting strategies. Other attendees include Juan Pablo Escobar (son of Pablo,) assistant US defense secretary Andrew Weber and the DEA director of counter-terrorism Brian Dodd. Look out for the Google+ most wanted hangouts coming soon.
Hacker spites Symantec, puts pcAnywhere's source code out in the open
Symantec said that folks running its pcAnywhere utility were at an "increased risk" when it revealed that the company had been hacked and its source codes pilfered, and advised customers to stop using pcAnywhere for the time being. Sage advice, as a hacker with the handle YamaTough -- who's affiliated with Anonymous -- helped do the deed and has now published the code for all the world to see. Apparently, the hacker and hackee had attempted to broker a deal for $50,000 to keep the code private, but neither side negotiated in good faith -- YamaTough always intended to release the code, and law enforcement was doing the talking for Symantec to catch him and his hacking cohorts. The good news is, Symantec has released several patches to protect pcAnywhere users going forward. As for the stolen code for Norton Antivirus, Internet Security and other Symantec software? Well, the company's expecting it to be disclosed, too, but because the code is from 2006, customers with current versions can rest easy.
Water pump reportedly destroyed by SCADA hackers
The FBI and DHS are investigating damage to a public water system in Springfield, Illinois, which may have been the target of a foreign cyber attack. There's no threat to public safety and criminal interference has not been officially confirmed, but a security researcher called Joe Weiss has reported evidence that hackers based in Russia are to blame. He claims they accessed the water plant's SCADA online control system and used it to repeatedly switch a pump on and off, eventually causing it to burn out. Coincidentally, a water treatment facility was publicly hacked at the Black Hat conference back in August, precisely to highlight this type of vulnerability. If there are any SCADA administrators out there who haven't already replaced their '1234' and 'admin' passwords, then they might consider this a reminder.
NC State researchers team with IBM to keep cloud-stored data away from prying eyes
The man on your left is Dr. Peng Ning -- a computer science professor at NC State whose team, along with researchers from IBM, has developed an experimental new method for safely securing cloud-stored data. Their approach, known as a "Strongly Isolated Computing Environment" (SICE), would essentially allow engineers to isolate, store and process sensitive information away from a computing system's hypervisors -- programs that allow networked operating systems to operate independently of one another, but are also vulnerable to hackers. With the Trusted Computing Base (TCB) as its software foundation, Ping's technique also allows programmers to devote specific CPU cores to handling sensitive data, thereby freeing up the other cores to execute normal functions. And, because TCB consists of just 300 lines of code, it leaves a smaller "surface" for cybercriminals to attack. When put to the test, the SICE architecture used only three percent of overhead performance for workloads that didn't require direct network access -- an amount that Ping describes as a "fairly modest price to pay for the enhanced security." He acknowledges, however, that he and his team still need to find a way to speed up processes for workloads that do depend on network access, and it remains to be seen whether or not their technique will make it to the mainstream anytime soon. For now, though, you can float past the break for more details in the full PR.
Don't bring your computer viruses to Japan, because they're illegal now
Tired of getting swamped with spam and malware? Just pack your things and catch the next flight to Japan, where computer viruses are now considered illegal. Under the country's new legislation, anyone convicted of creating or distributing viruses could face up to three years in prison, or a maximum fine of ¥500,000 (about $6,200). It's all part of Japan's efforts to comply with the Convention on Cybercrime -- an international treaty that requires member governments to criminalize hacking, child pornography, and other terrible things. Privacy advocates, however, have already raised concerns over some stipulations that would allow investigators to seize data from PCs hooked up to allegedly criminal networks, and to retain any suspicious e-mail logs for up to 60 days. In an attempt to quell these fears, the Judicial Affairs Committee tacked a resolution on to the bill calling for police to exercise these powers only when they really, really need to.
Activision playing 'good cop' with Call of Duty: Black Ops pirates
When you have one of the year's most anticipated games, you'll also have people who want to get their hands on it as soon as possible -- at any price or, in some cases, any risk. Such was the case with Call of Duty: Modern Warfare 2 last year, and it's happening this year with Call of Duty: Black Ops, which is already making the rounds in bootlegged form. Contrary to its approach to Modern Warfare 2's piracy, which was to seek arrests for anyone found selling illegal copies of the game, Activision is simply asking Black Ops pirates to cut it out, and quite politely it seems. VentureBeat has posted the story of one bootleg buyer who has uploaded a series of videos detailing being tracked down by the publisher's private investigators, IP Cybercrime, on YouTube. According to the article, rather than report individuals such as him to the police, IP the firm is requesting that they "stop selling and to tell them where they got their wares," adding that "Most of the pirates were scared, surrendered their game copies and cooperated." That's not to say the investigators aren't willing to employ more serious methods in dealing with people who don't give in to the "good cop" approach. "One young pirate was being a 'wise ass' and adamantly refused to cooperate," VentureBeat reported. "So the investigators called his mother."
Symantec mobilizes Snoop Dogg's cybercrime unit
You know what? Snoop has really done more than any technology company has to bring products to new audiences. Back in fifth grade we had no idea what indo was or why anyone would ever want to combine gin and juice; 3 weeks after "Doggystyle" came out we were hooked on both. At the beginning of last year we couldn't fathom our Grandpas asking Snoop for directions in the Caddy...but it happened. So why not make the leap to, you know, hawking desktop and internet security to urban markets? Symantec's Hack is Wack campaign aims to "bring the attention level up...just try to make people aware that these [cyber] crimes are happening." Snoop invites you to "raise awareness by making a rap song about cyber crimes" and uploading a video for judgment on "originality, creativity and message." The winner gets a pair of tickets to see Snoop, a chance to meet his "mgmt/agent" and a Toshiba laptop. It's been a while since we hit the mic or had any antivirus software installed, but he's got us thinking pretty hard about throwing down some rhymes and our credit cards for a copy of Norton 360 v4.0.
Perfect Citizen: secret NSA surveillance program revealed by WSJ
Do you trust your government? Do you just support it like an obedient Britney Spears, steadfast to your faith that it will do the right thing? Your answer to those questions will almost certainly predict your response to a Wall Street Journal exposé of a classified US government program provocatively dubbed, "Perfect Citizen." Why not just call it "Big Brother," for crissake! Oh wait, according to an internal Raytheon email seen by the WSJ, "Perfect Citizen is Big Brother," adding, "The overall purpose of the [program] is our Government...feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security." Histrionics aside, according to the WSJ, the "expansive" program is meant to detect assaults on private companies and government agencies deemed critical to the national infrastructure. In other words, utilities like the electricity grid, air-traffic control networks, subway systems, nuclear power plants, and presumably MTV. A set of sensors deployed in computer networks will alert the NSA of a possible cyber attack, with Raytheon winning a classified, $100 million early stage contract for the surveillance effort. Now, before you start getting overly political, keep in mind that the program is being expanded under Obama with funding from the Bush-era Comprehensive National Cybersecurity Initiative. The WSJ also notes that companies won't be forced to install the sensors. Instead, companies might choose to opt-in because they find the additional monitoring helpful in the event of cyber attack -- think of Google's recent run-in with Chinese hackers as a potent example. Like most citizens, we have mixed emotions about this. On one hand, we cherish our civil liberties and prefer to keep the government out of our personal affairs. On the other, we can barely function when Twitter goes down, let alone the national power grid.
New privacy laws needed that entail GPS technology, hot-headed rogue cops
An expert testifying at a hearing of the House Subcommittee on the Constitution, Civil Rights and Civil Liberties said on Thursday that the government needs to update the Electronic Communications Privacy Act of 1986. Among the criticisms was the fact that it doesn't adequately address location-aware technologies. "With regard to this type of location data, ECPA's statutory framework is profoundly unsatisfying," said Marc Zwillinger of Zwillinger and Genetski, a Washington DC law firm that specializes in cybercrime. "[I]t fails to provide clear guidance for situations in which the government seeks to track an individual's precise movements, leaving the answer to the general application of Fourth Amendment principles and significant variation across jurisdictions." In other words, the wording of the law is extremely nebulous, a situation that can lead to confusion (and civil right violations). And if it weren't enough that courts and law enforcement are applying decades-old law to cutting edge technology, "the current law is overly secretive because warrants for wiretaps and other communications intercepts are often sealed for years after they are issued," writes Gautham Nagesh in The Hill. He cites U.S. Magistrate Stephen Smith of the Southern District of Texas as charging that "the brunt of that secrecy is borne by people who are never charged with a crime but have the misfortune to contact someone whose communications are being monitored." Well, we're glad that someone in Washington seems to think that the ECPA needs overhauled -- but we'll remain skeptical until we see something concrete. Regardless, we doubt that a simple change in law will keep McNulty from doing whatever he has to do to make his case. He's real police.
EU Written Declaration 29 wants you to think of the children, hand over all your search results
Oh boy, the EU's back on the crusade path again. This time, the Brussels brain trust has decided it will end pedophilia, child pornography, and other miscreant activities by simply and easily recording everyone's search results. Because, as we all know, Google searches are the central cog by which the seedy underworld operates. Here's how Declaration 29 sees it: Asks the Council and the Commission to implement Directive 2006/24/EC and extend it to search engines in order to tackle online child pornography and sex offending rapidly and effectively. Directive 2006/24/EC is also known as the Data Retention Directive, and permits (nay, compels) states to keep track of all electronic communications, including phone calls, emails and browsing sessions. Describing the stupefying invasion of privacy that its expansion represents as an "early warning system," the European Parliament is currently collecting signatures from MEPs and is nearing the majority it requires to adopt the Declaration. Guess when Google does it, it's a horrible infraction of human rights, but when the EU does it, it's some noble life-saving endeavor. Unsurprisingly, not everyone is convinced that sifting through people's search results will produce concrete crime-reducing results, and Swedish Pirate Party MEP Christian Engstrom puts together a very good explanation of what Written Declaration 29 entails and why it's such a bad idea. Give it a read, won't ya?
Microsoft gives cops COFEE: free computer forensic tools
Cops doing computer forensic work already have a ton of tools to choose from, but Microsoft is doing its part to help out as well -- the company just revealed that it's been distributing a special thumb drive to cops in 15 countries to help them identify and extract information from suspects' computers. The drive, called COFEE for Computer Online Forensic Evidence Extractor, is in use by more than 2,000 officers, including some in the States, and Microsoft is giving it away for free, saying that its doing it not for profit but to "help make ensure the Internet stays safe." COFEE contains more than 150 commands that can be used to collect information, decrypt passwords, and poke through network activity, which helps alleviate the problem of having to remove and transport a suspect's computer for evidence purposes -- officers can just plug in the drive. There's no word on when Microsoft will start widely distributing the drives, but we'd assume it'll be soon.[Thanks, Yoshi]
Virtual crucifixion punishes bad behaviour online
Punishment in virtual worlds is always a tricky topic; warning or banning players is all very well, but doesn't always get the message across. Second Life's virtual corn field gives naughty players the gift of boredom, but MMO Roma Victor has gone one further.A player convicted of ganking in this MMO, which aims for historical accuracy, will undergo the standard Roman punishment of crucifixion--he will be hung from a cross for a week in-game. The penalty also carries with it a ban. Hopefully this will dissuade other players from following suit--the public nature of the punishment serves to highlight the crime. If making an example of miscreants works well, perhaps other online games will try the idea.
