Friday, January 20, 2006
The FBI released its 2005 Computer Crime Survey on Jan. 18, 2006 (here). The Survey compiles the responses from over 2000 public and private organizations in four states, and contains the following "key findings":
- Frequency of attacks. Nearly nine out of 10 organizations experienced computer security incidents in a year's time; 20% of them indicated they had experienced 20 or more attacks.
- Types of attacks. Viruses (83.7%) and spyware (79.5%) headed the list. More than one in five organizations said they experienced port scans and network or data sabotage.
- Financial impact. Over 64% of the respondents incurred a loss. Viruses and worms cost the most, accounting for $12 million of the $32 million in total losses.
- Sources of the attacks. They came from 36 different countries. The U.S. (26.1%) and China (23.9%) were the source of over half of the intrusion attempts, though masking technologies make it difficult to get an accurate reading.
- Defenses. Most said they installed new security updates and software following incidents, but advanced security techniques such as biometrics (4%) and smart cards (7%) were used infrequently. In addition, 44% reported intrusions from within their own organizations, suggesting the need for strong internal controls.
- Reporting. Just 9% said they reported incidents to law enforcement, believing the infractions were not illegal or that there was little law enforcement could or would do. Of those reporting, however, 91% were satisfied with law enforcement's response. And 81% said they'd report future incidents to the FBI or other law enforcement agencies. Many also said they were unaware of InfraGard, a joint FBI/private sector initiative that battles computer crimes and other threats through information sharing.
(ph -- thanks to Vernon McCandlish for alerting me to the Survey)
Thursday, January 19, 2006
The United States Attorney's Office for the Eastern District of Michigan announced the first conviction under the CAN-SPAM [Controlling the Assault of Non-Solicited Pornography and Marketing] Act of 2003. The criminal provision, 18 U.S.C. Sec. 1037, prohibits anyone from knowingly doing the following:
(1) accesses a protected computer without authorization, and intentionally initiates the transmission of multiple commercial electronic mail messages from or through such computer,
(2) uses a protected computer to relay or retransmit multiple commercial electronic mail messages, with the intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages,
(3) materially falsifies header information in multiple commercial electronic mail messages and intentionally initiates the transmission of such messages,
(4) registers, using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names, or
(5) falsely represents oneself to be the registrant or the legitimate successor in interest to the registrant of 5 or more Internet Protocol addresses, and intentionally initiates the transmission of multiple commercial electronic mail messages from such addresses . . . .
A press release issued by the USAO (here) states:
The information presented to the court at the time of the plea showed that between January 2004 and August 2004, Daniel Lin and others developed a business to market and sell certain products, including weight loss patches, so called "generic" viagra and cialis pills, and other products through the use of "spam" or bulk commercial electronic mail. Lin caused hundreds of thousands of email messages advertising these products to be sent containing falsified header information, or by routing the messages through other computers without authorization. In carrying out this scheme, Lin and others caused the introduction into the United States of prescription medications from India, in packages that did not declare their true contents, and sold these drugs in the United States without a prescription as required by the Food and Drug Administration.
A small step, but at least it's a start. Now, if someone could figure out how to stop those e-mails soliciting my help in arranging the transfer of large amounts of money from overseas banks. (ph)
Tuesday, September 27, 2005
You may want to leave your camcorder at home if you plan on going to a movie. And if you do decide to bring it with you, well, think about keeping it off. And even if you do have it turned on, whatever you do - don't record the movie - and worse yet, don't sell it. And if you are employed by the movie theater then clearly you would be expected to know better than to record it and then sell it.
So it's not surprising to see a plea agreement when someone is accused of such conduct.
The United States Attorney's Office for the Northern District of California issued a press release here reporting on a plea being entered by a 19-year-old for "two charges under the recently enacted Family Entertainment Copyright Act." As part of "Operation Copycat" an employee of a movie theater who worked in the box office and as a cashier in the concessions decided to hook up a camcorder to obtain two movies being shown in St. Louis, Missouri. The press release states:
"The count relating to camcording in a movie theater involves one of the provisions of the ‘Family Entertainment and Copyright Act of 2005,’ which President Bush signed into law on April 27, 2005. The camcording activity concerns a violation of the ART Act (‘Artists’ Rights and Theft Prevention Act of 2005') provision, which criminalized the use of recording equipment to make copies of movies in movie theaters. The statute also prohibits making a commercially distributed movie available on a computer network accessible to members of the public, when the individual knew or should have known that the work was intended for commercial distribution. The prosecution represents the first use of these provisions of the ART Act by federal prosecutors."
The press release notes that "Operation Copycat is the local and largest part of the coordinated international law enforcement action known as Operation Site Down, which is targeting online piracy."
Friday, September 16, 2005
William Shea was a program manager for a debt collection company who was having some problems at work. Shortly after being placed on a "performance improvement plan" -- a sure sign of potential trouble -- Shea reacted by using his computer skills to wreak havoc on the company's financial records. Shea was convicted for violating the federal computer crime statute, 18 U.S.C. Sec. 1030, as described in a press release (here) issued by the U.S. Attorney's Office for the Northern District of California:
Evidence presented at the six-day trial showed that Mr. Shea was hired around August 2001 as a programmer and manager of the company’s specialized financial software computer network. In this position, Mr. Shea had administrative level access to and familiarity with the company’s computer systems, including the database server. After Mr. Shea was advised of adverse employment issues near the end of 2002, he was placed on a performance improvement plan on January 6, 2003. The evidence showed that a “time bomb” was placed onto the company’s network around that time. When the defendant failed to show up at work without any prior notice on January 17, 2003, he was terminated. Company officials did not know at the time that he had placed malicious code on the computer network that was set to delete and modify data at the end of the month.
Friday, August 26, 2005
DOJ has decided to stop individuals who are spamming - especially ones that send out unwanted pornographic emails. In a press release here DOJ tells of its recent indictment of three individuals for a violation of the CAN-SPAM Act of 2003 and "[a] fourth defendant involved in the conspiracy outlined in the indictment has pleaded guilty to related charges, marking the first conviction related to the transmission of obscene spam e-mails."
Prosecuting cases related to computers and the internet poses unusual difficulties for law enforcement. One of the major issues often faced by law enforcement is discerning who in fact committed the crime. This appears to be an issue in this case as well, as the DOJ press release states that:
"the spam e-mails were sent in a manner that would impair the ability of recipients, Internet service providers processing the e-mails on behalf of recipients, and law enforcement agencies to identify, locate, or respond to the senders. This deception was accomplished in a number of ways, including the following: sending the spam e-mails from Internet Protocol addresses registered in the Netherlands and domain names registered in Mauritius; falsifying the “From:” line in the e-mails; installing the computers sending the e-mails and related equipment in the Netherlands; and remotely controlling these computers from the United States."
Monday, August 1, 2005
The U.S. Attorney for the District of Colorado announced in a press release here that an individual from "Caracas, Venezuela, pled guilty before U.S. District Court Judge Walker D. Miller to intentionally damaging a protected Department of Defense computer." The press release states that the individual pleading guilty "was a member of 'World of Hell,' a group of people who assisted each other with, and communicated regarding intrusions they made into government, business and corporate computers." What was particularly frightening about this case is that according to the DOJ press release:
"On or about June 10, 2001, the defendant caused the transmission of a code or command to a protected computer that was exclusively used by the United States Department of Defense, Defense Information Systems Agency (“DISA”), which is responsible for computer based training for the United States Air Force and other military personnel. The defendant perpetrated a web-page defacement on DISA web-based computers by altering the web-page to display a World of Hell message. The defendant also deleted logging information from the DISA computers to intentionally impair the availability of computer logging data."
Sunday, July 31, 2005
DOJ reports in a press release here that the first indictments have been issued in "Operations FastLink and Site Down - the two largest and most aggressive international enforcement actions against criminal organizations involved in the illegal online distribution of copyrighted material."
The press release, in part, states:
"Operations FastLink and Site Down resulted in a total of more than 200 search warrants executed in 15 countries; the confiscation of hundreds of computers and illegal online distribution hubs; and the removal of more than 100 million dollars worth of illegally-copied copyrighted software, games, movies, and music from illicit distribution channels. Countries participating in these U.S.-led operations included: France, Canada, Sweden, Denmark, the Netherlands, the United Kingdom, Portugal, Hungary, Israel, Spain, Australia, Singapore, Belgium, and Germany. . . .
"The defendants charged today were leading members in the illegal software, game, movie, and music trade online, commonly referred to as the 'warez scene.' They acted as leaders, crackers, suppliers, distribution site hosts or site administrators. All were affiliated with organized warez groups that acted as 'first-providers' of copyrighted works to the Internet - the so-called “release” groups that are the original sources for a majority of the pirated works distributed and downloaded via the Internet. Once a warez release group prepares a stolen work for distribution, the material is distributed in minutes to secure, top-level warez servers throughout the world. From there, within a matter of hours, the pirated works are distributed globally, filtering down to peer-to-peer and other public file sharing networks accessible to anyone with Internet access."
The cases that come from this investigation are important to follow as they may assist in interpreting statutes in this new techno world.
Saturday, July 16, 2005
Eric Carlson was angry about how poorly the Phillies were playing -- no great shock with Larry Bowa as the manager. While Carlson no doubt acted like other fans by booing vociferously at games (including Santa Claus and the Easter Bunny), he also decided to hack into computers to send a large volume of e-mails protesting the team's dismal performance. Earlier this year he was convicted on 79 counts of computer fraud and identity theft, and received a four-year term of imprisonment. According to a press release issued by the U.S. Attorney's Office for the Eastern District of Pennsylvania (here):
Carlson was a dissatisfied Philadelphia Phillies fan and to convey his dissatisfaction to the world, hacked into computers belonging to many individuals and from them launched hundreds of thousands of spam e-mails complaining about the Phillies. When he launched these e-mails, he faked, or “spoofed,” the “From” line of the e-mail, using the e-mail addresses of writers at the Philadelphia Daily News and the Philadelphia Inquirer. He also used e-mail addresses belonging to the Philadelphia Phillies and writers at The Sporting News, Fox Sports, ESPN, and officials at Knight Ridder, the parent company of the Inquirer and Daily News. This made it appear as if the e-mails had come from these writers. The testimony at the trial showed that because many of the e-mail addresses that Carlson sent his messages to were no longer valid, tens of thousands of e-mails were “returned” to the e-mail boxes of the persons whose addresses were spoofed.
Four years is a substantial sentence for a white collar crime. Carlson might be able to take some small solace in the fact that the Phillies have been playing better lately, although any true fan will tell you that it won't last. Just ask Gene Mauch. (ph)
Wednesday, June 15, 2005
A University of Texas student was convicted of hacking into his school's computer system. A press release from the U.S. Attorney's Office for the Western District of Texas states:
"After deliberating for approximately five hours beginning this afternoon, the jury found that in January, February and April 2002, Phillips attempted to breach the security of hundreds of computer systems including the University of Texas’ web-based computer system. University officials and others detected Phillips’ actions and University officials subsequently warned him not to further attempt to breach any computer security system. On January 30, 2003, Phillips created a new computer program to breach the security of or "hack into" a protected University of Texas computer system that he did not have authorized access to in order to discover the names and social security numbers of individuals in the UT computer system. He subsequently used this computer program to steal over 37,000 names and social security numbers of individuals in the University of Texas computers via the TXCLASS system. In doing this, he caused massive failures that shut down the TXCLASS computer system as well as the UT system’s web-based server and all of its applications. Previously, in 2002, Phillips was successful in stealing approximately 8,000 names and Social Security numbers from the University’s system. As a result of these damages, the University suffered losses of approximately $122,000 and another $60,000 in losses was incurred by UT to warn individuals whose names and social security numbers were stolen by Phillips about potential identity theft."
An article in the Chronicle of Higher Education here (subscription required) paints a somewhat different picture in noting that the student stated,
"It just wasn't in my mind-set that this kind of thing was going to have this sweeping effect. I was just doing my programming."
Mens rea was also an issue in the first reported appellate computer crimes case. Although not a hacking case, United States v. Morris raised the issue of whether the intent element was met when the accused did not intend to cause damage. The Second Circuit interpreted the statute, finding the defendant criminally liable.
Students need to be made aware of the ramifications of using their computer skills in ways that violate the law. Perhaps the best punishment that could be issued here would be to have this individual lecture on college campuses on what can happen when you fail to follow the law in using your computer.
Thursday, June 2, 2005
A Press Release here of the Department of Justice (DOJ) tells of the final defendant pleading guilty in what has been called Operation Gridlock. This investigation "targeted illegal file-sharing of copyrighted materials over Direct Connect peer-to-peer networks that belonged to an online group of hubs known as The Underground Network. These networks required their users to share large quantities of computer files with other network users, all of whom could download each others’ shared files." The press release notes that "[t]hese pleas constituted the first federal felony convictions for copyright piracy using peer-to-peer networks..."
This is not a situation of one or two movies being improperly downloaded. The press release states that the defendant:
"owned, maintained, operated, and moderated a Direct Connect hub named "Silent Echoes." According to court documents, the defendant’s hub offered movies, computer software, computer games, and music in digital format. During the investigation, government agents downloaded numerous copyrighted works worth approximately $7,371 from Tanner’s hub. Agents estimated that on any one day, Tanner’s hub shared an average of 6.72 terabytes of files, which is roughly equivalent in storage space to well over 6,000 movies in digital format."
Thursday, May 19, 2005
When it comes to computer crimes such as theft of computer data, one question that can be presented to prosecutors is - where to charge a computer crime? A second issue likely to arise is - what happens when the accused is not aware that what they were doing was really illegal?
The Washington Post reports here the latest on the investigation into an alleged theft of data from LexisNexis, Inc. Federal agents executed search warrants of computers across the country. Exactly what, if anything, they found remains to be seen.
But if they did find evidence that implicates individuals, it is likely that these two issues will arise.
1. Do you charge a computer crime where the keystroke occurs, where the theft of a password may have occurred, the place where the computer message was sent through, the location of the Internet Service Provider (ISP), or the location of the ultimate harm? Oftentimes, prosecutors will have their choice, a choice that may not be present except in cases such as conspiracy or RICO.
2. And what happens when the government seizes a computer and the individual says they had no clue that what they were doing was illegal? Is ignorance of the law an excuse when the crime is a complicated computer offense?
It will be interesting to follow the investigation surrounding LexisNexis to see if these two issues become the hot issues of any potential cases that might come from this investigation.
Monday, May 9, 2005
The U.S. Attorney's Office for the Eastern District of Virginia (Alexandria) announced that Raymond Steigerwalt, a 21-year-old former member of an international hacking group, received a 21-month sentence for conspiracy to commit computer fraud and possession of child pornography. According to a press release (here), Steigerwalt engaged in the following conduct:
Between October 2002 to March 2003 Steigerwalt was a member of the Thr34t Krew (TK), an Internet group devoted to hacking. TK conspirators created a computer worm to spread across the Internet and install Trojan software, i.e. software that masqueraded as legitimate software, but allowed Steigerwalt and other co-conspirators to remotely control infected computers. The TK created the worm to self-propagate and would use computers connected to the Internet to command and control the computers infected by the worm with the Trojan software. At least two computers belonging to the Department of Defense were infected and damaged by the worm. Between October 2002 and March 7, 2003, the TK commanded computers infected by the worm to disconnect other computers that were connected to the Internet. Furthermore, Steigerwalt was found in knowing possession of computer image files which contained a visual depiction of a minor engaging in sexually explicit conduct.
Friday, April 8, 2005
The headline is correct! A court just sentenced a spammer to nine years in "the U.S.'s first felony prosecution for sending junk e-mail." But the defendant is not quite headed off to jail. The court is allowing him to stay outside the prison system pending the appeal. See more in the Wall Street Journal here and the New York Times here (both AP stories).
Wednesday, March 23, 2005
Anthony Greco, who is 18, entered a guilty plea today in Los Angeles to making extortionate threats against an internet instant messaging company, MySpace.com, if it did not give him "exclusive" rights to send commercial e-mails to users of the company's instant messaging service. According to a press release issued by the U.S. Attorney for the Central District of California, Greco made his demand after sending spam e-mail to accounts at the company:
* * * Greco admitted that he wrote a computer program that was later used to create thousands of fraudulent accounts at instant messaging service MySpace.com in October and November 2004. The program automatically sent more than 1.5 million spam messages containing advertising for mortgage refinancing and pornography to MySpace.com users. MySpace.com is an online community with instant messaging services. MySpace.com spent more than $20,000 to delete nearly 1.5 million unopened "spam" messages from its servers and to take protective measures against additional attacks.
Eighteen years old and facing a term of imprisonment is no way to celebrate graduating from high school. (ph)
Saturday, March 19, 2005
The U.S. Attorney for New Jersey filed a criminal complaint alleging that Jason Arabo, who owns an online sportswear company specializing in throwback sports jerseys, hired a New Jersey juvenile (who was not identified by name) to undertake a computer attack on the websites of competitors. According to a press release issued by the USAO, the computer attack ended up affecting servers in both North America and Europe, disrupting internet service for banks and pharmaceutical companies in addition to the competitors Arabo targeted. The press release states:
From his Michigan home, Arabo ran two web-based companies, www.customleader.com and www.jerseydomain.com, that sold sports apparel, including historic sports uniform reproductions, popularly known as "retro" or "throwback" jerseys. The complaint alleges that Arabo recruited and paid the New Jersey juvenile to conduct computer attacks, known as distributed denial of service, or "DDOS for hire" attacks, on the computer servers supporting the websites and online sales operations of his competitors. According to the complaint, Arabo compensated the juvenile for the attacks with sports apparel, including designer sneakers.
The complaint identified one of Arabo's targets as a New Jersey company with the initials "J.J."; another targeted competitor was a Georgia company identified in the complaint by the initials "D.R." The juvenile was identified in the complaint only by the juvenile's initials, "J.S." and by his online usernames, "Jatt" and "Pherk," which the juvenile allegedly used when communicating with Arabo via online "instant messaging." Arabo allegedly used the online usernames "CLdotcom" and "Jaytheplaya."
Wednesday, March 2, 2005
If this case goes to trial, it is unlikely that the defense will be looking for dog lovers for the jury. In Atlanta an individual has been arrested for his alleged use of the internet to get pet owners, who lost their dogs, to send money for a pet carrier so he could send their pet home to them. The problem was that there was no pet, and the allegation is that this was all a scam. The result - a defendant sits in jail with charges pending for fraud and racketeering. (See the Atlanta Journal-Constitution for more).
Saturday, February 19, 2005
The U.S. Attorney's Office for the Northern District of California is prosecuting a case of alleged computer criminality. According to a press release of this office, the indictment charges:
"[F]ormer Information Technology Manager of Creative Explosions, Inc., a Silicon Valley software firm, was indicted today by a federal grand jury on charges that he gained unauthorized access to the computer system of his former employer, reading email of the company's president and damaging the company's computer network. Creative Explosions, Inc., is based in Scotts Valley, California."
Friday, February 4, 2005
In our post of December 22, 2004 we told of the refusal "to accept a plea agreement involving a former AOL employee who sold e-mail addresses in violation of the recently enacted Can-Spam law." But things seem to have changed. The Wall Street Journal has an article here telling about the judge's decision to now accept a plea in this case.
The case emanates from Operation Web Snare (see here). The DOJ reported that the defendant and another individual were charged initially with "conspiracy charges" "arising from their scheme to steal AOL’s entire subscriber list, and to use the list to send massive amounts of unsolicited commercial emails-- also known as "spam" -- to millions of AOL’s customers." Because it was considered "one of the first" cases under the Can-Spam law, it was closely watched.
Update: Criminal Information here (U.S. v. Smathers)
Tuesday, February 1, 2005
For everyone who has been afflicted by a computer virus, a bit of retribution was meted out to Jeffrey Parson for releasing a variant of the Blaster worm in August 2003. He was sentenced to an 18-month term of imprisonment and an as-yet undetermined amount of restitution for violating the computer crime statute (18 U.S.C. 1030). A press release issued by the U.S. Attorney's Office for the Western District of Washington states:
PARSON admitted that he created his worm by modifying the original MS Blaster worm and adding a mechanism that allowed him to have complete access to certain infected computers. PARSON then infected approximately fifty computers that he had previously hijacked with his worm. From those fifty computers, PARSON's worm spread to other individual computers. PARSON's worm then directed those infected computers to launch an attack against a Microsoft web site. Attorneys for the government calculate that more than 48,000 computers were infected by PARSON's worm.
Parson was only 18 at the time he released the worm, and likely never thought through the possible consequences of his action. (ph)
Thursday, January 20, 2005
An article in the Atlanta Journal-Constitution this morning, titled "If Perdue has way, spam will be felony," reports that Governor Perdue of Georgia is trying to push for a new law that would make it a felony "to send more than 10,000 misleading e-mails during a 24-hour period, make large sums of money off those e-mails, or use juveniles to transmit the bogus correspondence." The article notes that other states have moved in this direction. There is also 18 U.S.C. 1037, the relatively new "Fraud and related activity in connection with electronic mail" statute that provides federal legislation focused on some deceptive forms of spam activity. Finally, there have been civil actions that have also been focused on spam emails. The issue down the road may be whether to leave this for the civil arena or whether we want prosecutors to be spending time and resources in this area.