NIPC worried about DoS

news

Cybercrime laws need overhaul Less than one in five countries has amended its laws to include even half of the cybercrimes which must be addressed, says a report by McConnell International. The study, Cybercrime... And Punishment? Archaic Laws Threaten Global Information, covers 52 countries worldwide and analyses the efficiency of the legislation that they have, or are changing, to cover computer crime. It criticises the approach of reliance upon “standard terrestrial law to prosecute cybercrime”. Most countries “do not clearly prohibit cybercrime”, as was discovered by Philippine authorities when they tried to prosecute the author of the May 2000 Love Bug. The report also highlights confusion within countries. It cites the example of the state of South Australia, which was criticised by the Australian Democratic Party for failing to update its laws to keep up with national policy, causing it to become a crime haven.

The patchwork effect of all the different types of legislation today makes things still more complicated. “In the networked world, an island is not an island,” because cybercrime can be committed without physically being in the country in question. Even when laws are enforced, the penalties imposed may not be sufficient. “Mauritius, the Philippines and the US have stronger penalties than many other countries.” But even so, “The weak penalties in most updated criminal statutes provide limited deterrence for crimes that have large scale economic and social effects.” While the 33 countries — see Figure 1 — who have not updated at all are getting their act together, the report recommends the drawing up of a model criminal code because “few have the legal and technical resources necessary to address the complexities of adapting terrestrial criminal statutes to cyberspace.” For the moment, the main plan of action is to protect oneself with appropriate security technologies and management practices.

Figure 1

Fully updated: Australia, Canada, Estonia, India, Japan, Mauritius, Peru, Philippines, Turkey, US

Partially updated: Brazil, Chile, China, Czech Republic, Denmark, Malaysia, Poland, Spain, UK

Figure 1: Above are the countries who have changed, or are in the process of changing, their laws. There are a further 33 countries who have not updated their laws to deal with cybercrime. (Source: www.McConnellInternational.com.)

See www.mcconnellinternational.com for the report and excerpts from relevant statutes.

GOVERNMENT NEWS

NIPC worried about DoS Fears of a frenzied series of denial-of-service attacks over the festive season seem to have been unfounded. However, the highest echelons of power in the US were worried enough to issue a warning on 28 December 2000. The National Infrastructure Protection Centre (NIPC) issued the New Year’s DDOS Advisory, which was “based on FBI investigations and other information”. It outlined steps to minimize the risk of a network being used in a distributed denial-of-service attack. These included checking for Trojans such as SubSeven, “Trin00, Tribal Flood Net, TFN2K, Mstream, Stacheldraht and Trinity v3”. Also mentioned were checking firewall configuration, applying patches and ensuring anti-virus programs were up-to-date. All of this is good practice anyway, but the report warns darkly that “Companies should also consider having a contingency plan (including a point of contact with the Internet service provider) and a response team prepared in case of attack.” Analyst Matt Tomlinson of MIS Corporate Defence Solutions said that the risk was “hyped and has not come to fruition.” Even so, just because zombies have not yet been activated, this does not mean that they do not exist. However, whether spurious or not, the denial-of-service hype is certainly not as bad as last year’s effort with Y2K… The advisory is available at www.npic.gov/warnings/advisories/2000/00-063.htm.

In Brief

• Korean hacking has increased by almost 300%, from 572 cases during 1999 to around 2000 last year, say figures from the Korea Information Security Agency.

• A Norwegian railway was finally hit by the Y2K bug on 31 December 2000. All of the new trains refused to start until their clocks were reset. The problem was easily rectified. However, the Y2K analysts who cleared the trains as compliant must not have anticipated a problem with the last day of 2000.

• The first virus warning of 2001 from Computer Associates concerns an Outlook worm called VBS/Tqll-A. The E-mail has the subject “New Year” and the body “Wow Happy New Year!”.

• Janet Reno wrote a Christmas Day letter regarding the threat posed to civilisation by intellectual property (IP) theft. The letter is in response to December's interagency International Crime Threat Assessment report. Read Reno's comments at www.cybercrime.gov/AGdigitaltheft.htm.

• eBay has issued a warning to its customers after finding out about a bogus E-mail, supposedly from eBay, requesting credit card data and other personal information. It is not known how many clients got the mailshot, or whether any gave out the information.

• A new version of the Navidad virus, 32/Navidad-B, with the attachment EMMANUEL.EXE, has been reported by Sophos. The original accounted for 15% of infections in November according to Sophos' helpdesk statistics.

Indian teens to police Net India’s National Cyber Cop Committee has chosen to be advised by 19 hackers aged between 14 and 19. Dewang Mehta, President of the National Association of Software and Service Companies, told a New Delhi news conference, “If you want to catch a hacker, you need the brains of a hacker.” He boasted that the teenagers had told him they could crack the Indian defence ministry website in a matter of five minutes. “They will tell us where our soft spots are — where Government and industry websites are most vulnerable, thus helping us strengthen our E-security,” said Mehta. Although too young to have a thorough grounding in engineering, the teenagers are said to be technically adept, bright and creative individuals. None of them has a criminal record. The youths will advise the panel, which will in turn teach police and the authorities how to differentiate between various forms of cyber-attack. The committee will also devise ways of protecting government websites from hackers. Mehta said, “Hacking, spreading viruses are much bigger criminal offenses in cyber-terrorism than pornography.” The youths were recruited after several of them came forward to report security holes in Government systems. They will not be paid for their services, but will be recommended for security jobs when they have finished their education. The youngest, 14, is still at school.

STANDARDS NEWS

Security on scale of 1 to 10 A new security group, the Center for Internet Security (CIS), is starting out by developing a benchmarking system to rate systems security on a scale of one to ten. A rating of ten means your servers are impermeable, while a rating of one means they are an open invitation to the unscrupulous. Alan Paller from CIS — as well as director of research at SANS — explained, “Our members are just saying that they would like to see global benchmarks.” The ratings are due out in March 2001 and will cover Windows 2000, Linux and Solaris. But there has been early criticism from some pundits. Weld Pond from @stake warns, “It finds only well known problems in the most mainstream of software”. He explains that the idea is analogous to that used for assessing the security of safes — a number representing the hours it would take an expert cracker to break in — but is unsuitable for the complexities of computer security. However, Weld Pond believes that the consciousness raising resulting from the standard can only be a good thing. Paller commented that the government and banks are keen to adopt such a benchmarking system and so, “The centre’s work is a guide that people will use.” Applications for the CIS ratings include governments prescribing standards to financial institutions, or insurance firms’ assessments when providing insurance against cybercrime. The CIS was formed on 1 November, and its membership of 71 institutions is very impressive. They include the Department of Defense, National Institute of Standards and Technology, AT&T, Visa and Intel. System vendors have not been invited to become involved because of fears that they might “hijack the process,” according to Paller. Visit the CIS website at www.cisecurity.org.

FTC investigates wireless privacy Wireless devices are under the spotlight as the Federal Trade Commission (FTC) is now trying to determine the personal privacy implications of the technology. The FTC held a workshop in December with the aim of learning about the privacy, security and consumer protection issues raised by M-commerce. A major bone of contention is the ability of wireless devices to gather location-specific information in great detail. “There are huge, looming privacy issues in the wireless space because of the collection and aggregation of new information,” said Alan Davidson of privacy group the Center for Democracy and Technology.

There is wrangling over whether disclosure of location information should be ‘opt-in’ — you must specify that you want the information to be given out — or ‘opt-out’, where data will be given out unless you say otherwise. A spokesman from privacy group the Electronic Privacy Information Center said, “We seem to be moving toward an agreement...that the standard should be ‘opt-in’.” This seems to be in the public interest. The FTC agrees that there should be some standard, but Joel Winston from the FTC’s consumer protection arm made it clear that they “are very big fans of self-regulation...it makes our lives easier.” Sobel argued that in the past self-regulation has not “worked all that well”, and that there should be imposed standards. On the other hand, marketers raised the point that if users choose to utilize a personalized, targeted service they should be able to do so. They warned that without appropriate information, there is a risk of spamming. The newly formed Wireless Location Industry Association said, “A consumer simply isn’t going to use a system or a service that they can’t trust.” They argue that this gives businesses the incentive to protect privacy. Consumers do, however, tend to use services without weighing up the privacy implications. Interestingly, federal law now requires 95% of handsets to be capable of broadcasting location by December 2005. This rule is to enable ‘911’ callers to be easily found by the emergency services.