Hii! This is Pc Hackers Guru Know Many about Hacking
Though law enforcement has come a long way in fighting e-crime, its efforts are still only scratching the surface and businesses are learning they must build cases against culprits themselves, says Ron Condon.
One big attraction for anyone getting into cyber crime is the slim chance of getting caught or punished. Many big companies that fall victim, notably the banks, often choose to sweep the event under the carpet rather than face the shame of admitting they have been hacked.
If they catch the culprit, they are likely to let him go free in exchange for keeping his mouth shut. If crimes are reported to the police, they have little chance of being successfully prosecuted. Law enforcement has much higher priorities, and its resources for chasing computer crime are limited.
John Lyons, formerly of the UK's National Hi-Tech Crime Unit, and now a security consultant, says: "Law enforcement is only able to take on the top three per cent or four per cent of the most serious crimes." And with jurisdiction limited by national borders, their ability to pursue overseas criminals often depends on personal contacts in foreign police forces, rather than any formalised system for sharing information.
But with organised criminal gangs making greater use of the internet to commit offences and launder the proceeds, there is a growing recognition that if we do not take action against them, they will make the internet unusable for legitimate users.
In a paper delivered in March last year to the United Nations Congress on Crime Prevention and Criminal Justice, Scott Charney, Microsoft's head of trustworthy computing, outlined the argument for a joint response from law enforcement and private industry.
The problem for traditional law enforcement in tackling cyber crime is, Charney said, the sheer scale and international nature of the task. "The government cannot be primarily responsible for defending against attacks in the virtual world," he said. "The potential avenues for abuse and the number of potential attackers are simply too many and too hard to identify."
On the other hand, private companies do not have the authority to act alone. He therefore proposed a joint approach with both sides playing an active role and co-operating at a number of levels.
The Botnet Task Force, which held its fourth meeting in Lyon, France, this month is a good example of the joint approach. Initiated by Microsoft in 2004, it now has the support of Interpol and acts as a means of building awareness and providing training for law enforcement.
The private-public approach to law enforcement is already taking hold at grassroots levels too, as companies realise they must take prime responsibility for gathering evidence.
Dave Jevans, who heads the US-based Anti-Phishing Working Group, says: "The main glimmer of hope is that the banks have realised they need to do something. Most successful prosecutions result from a large company putting in its own resources - for instance, a team of lawyers and IT guys and investigators - who liaise with law enforcement to make it happen. They find the names and addresses, and they track where the money goes, and they present the evidence to make a case. But there is only a handful of companies that can afford to do something like that."
Lyons says any company suspecting it is the victim of cyber crime should contact the police and work with them to agree a way forward. The police can advise on what evidence to gather and then the company can use its own investigators. "In this way, the police take an advisory role and you do the legwork yourself," he says.
Private investigation companies have the advantage of working across national boundaries, which can be useful, for instance, when following money stolen in phishing scams.
Alan Brill, managing director of Kroll Technology Services, says his agents work closely with local law enforcement and follow the same standards of evidence as the police themselves. "The police do a great job with limited resources and budget but they can only handle the really serious criminal activity," he says. "But with the FBI, state and local police involved, it can take weeks or months before they can handle the evidence you've assembled."
He counsels getting trained forensic investigators involved immediately, so they can take an image of infected machines. "You don't get a second chance to take a first look," says Brill, adding that he has had cases of lawyers powering up a machine and losing vital evidence. "You need to get the data imaged, and then you can start making decisions, and give yourself more options."
In another current case being handled by Verisign Security services on behalf of a UK bank, the company had to investigate fraudulent transactions carried out by workers at the bank's offshore call centre. A company spokesperson explains: "We did the forensics, all the process diagrams and put together the case material. We showed what went wrong, we got the money back and changed processes to make sure it didn't happen again." The evidence is now with local police for prosecution.
And yet, despite this activity, we still seem to be scratching the surface of internet crime. Earlier this month, the US Federal Trade Commission joined forces with 30 other countries in the OECD to propose international efforts to combat spam. This advocates greater co-operation between countries in investigations and prosecution.
How they hope to make that work is less clear. The US CAN-Spam Act has been roundly condemned as being ineffective and even encouraging the growth of spam, while EU legislation requires consumers to opt-in before they can receive direct email.
Without more agreement by the legislators, it looks as if the private efforts of organisations such as Spamhaus and the legal muscle of big ISPs are more likely to make a dent in the activities of the cyber criminals than the work of law enforcement.
Though law enforcement has come a long way in fighting e-crime, its efforts are still only scratching the surface and businesses are learning they must build cases against culprits themselves, says Ron Condon.
One big attraction for anyone getting into cyber crime is the slim chance of getting caught or punished. Many big companies that fall victim, notably the banks, often choose to sweep the event under the carpet rather than face the shame of admitting they have been hacked.
If they catch the culprit, they are likely to let him go free in exchange for keeping his mouth shut. If crimes are reported to the police, they have little chance of being successfully prosecuted. Law enforcement has much higher priorities, and its resources for chasing computer crime are limited.
Most successful prosecutions result from a large company putting in its own resources.
But with organised criminal gangs making greater use of the internet to commit offences and launder the proceeds, there is a growing recognition that if we do not take action against them, they will make the internet unusable for legitimate users.
In a paper delivered in March last year to the United Nations Congress on Crime Prevention and Criminal Justice, Scott Charney, Microsoft's head of trustworthy computing, outlined the argument for a joint response from law enforcement and private industry.
The problem for traditional law enforcement in tackling cyber crime is, Charney said, the sheer scale and international nature of the task. "The government cannot be primarily responsible for defending against attacks in the virtual world," he said. "The potential avenues for abuse and the number of potential attackers are simply too many and too hard to identify."
On the other hand, private companies do not have the authority to act alone. He therefore proposed a joint approach with both sides playing an active role and co-operating at a number of levels.
The Botnet Task Force, which held its fourth meeting in Lyon, France, this month is a good example of the joint approach. Initiated by Microsoft in 2004, it now has the support of Interpol and acts as a means of building awareness and providing training for law enforcement.
The private-public approach to law enforcement is already taking hold at grassroots levels too, as companies realise they must take prime responsibility for gathering evidence.
Dave Jevans, who heads the US-based Anti-Phishing Working Group, says: "The main glimmer of hope is that the banks have realised they need to do something. Most successful prosecutions result from a large company putting in its own resources - for instance, a team of lawyers and IT guys and investigators - who liaise with law enforcement to make it happen. They find the names and addresses, and they track where the money goes, and they present the evidence to make a case. But there is only a handful of companies that can afford to do something like that."
Lyons says any company suspecting it is the victim of cyber crime should contact the police and work with them to agree a way forward. The police can advise on what evidence to gather and then the company can use its own investigators. "In this way, the police take an advisory role and you do the legwork yourself," he says.
Private investigation companies have the advantage of working across national boundaries, which can be useful, for instance, when following money stolen in phishing scams.
Alan Brill, managing director of Kroll Technology Services, says his agents work closely with local law enforcement and follow the same standards of evidence as the police themselves. "The police do a great job with limited resources and budget but they can only handle the really serious criminal activity," he says. "But with the FBI, state and local police involved, it can take weeks or months before they can handle the evidence you've assembled."
He counsels getting trained forensic investigators involved immediately, so they can take an image of infected machines. "You don't get a second chance to take a first look," says Brill, adding that he has had cases of lawyers powering up a machine and losing vital evidence. "You need to get the data imaged, and then you can start making decisions, and give yourself more options."
In another current case being handled by Verisign Security services on behalf of a UK bank, the company had to investigate fraudulent transactions carried out by workers at the bank's offshore call centre. A company spokesperson explains: "We did the forensics, all the process diagrams and put together the case material. We showed what went wrong, we got the money back and changed processes to make sure it didn't happen again." The evidence is now with local police for prosecution.
And yet, despite this activity, we still seem to be scratching the surface of internet crime. Earlier this month, the US Federal Trade Commission joined forces with 30 other countries in the OECD to propose international efforts to combat spam. This advocates greater co-operation between countries in investigations and prosecution.
How they hope to make that work is less clear. The US CAN-Spam Act has been roundly condemned as being ineffective and even encouraging the growth of spam, while EU legislation requires consumers to opt-in before they can receive direct email.
Without more agreement by the legislators, it looks as if the private efforts of organisations such as Spamhaus and the legal muscle of big ISPs are more likely to make a dent in the activities of the cyber criminals than the work of law enforcement.
0 comments:
Post a Comment