IAC 2024 - IA Fast Track to Search Focused AI Solutions
Ii congresso de crimes eletrônicos e formas de proteção – 27 09-2010 – apresentação de fernando pinguelo
1. www.eLLblog.com
info@eLLblog.com
Where law, technology, and human error collide
Fernando M. Pinguelo, Esq.
Norris McLaughlin & Marcus, P.A.
New York | New Jersey | Pennsylvania
fmp@nmmlaw.com
Virtual Crimes – Real Damages
Challenges Posed By Electronic
Crimes In The United States
5. www.eLLblog.com
info@eLLblog.com
A brief history
1967 “number-cropping operation” by a
New York bank employee.
1970s rare and isolated:
MIT student used university computer to
generate tones needed to access phone service.
John Draper discovers whistle in Cap'n Crunch
cereal boxes and reproduces a 2600Hz tone.
6. www.eLLblog.com
info@eLLblog.com
A brief history
1980s computer crimes grow:
Ian “Captain Zap” Murphy - first felon convicted of
computer crime. Murphy hacked AT&T’s
computers and changed billing clock so as to
provide discounted rates during business hours.
U.S. Comprehensive Crime Control Act gives
Secret Service jurisdiction over computer fraud.
War Games introduces public to the phenomenon
of hacking (i.e., war-dialing).
7. www.eLLblog.com
info@eLLblog.com
A brief history
After break-ins into gov’t and corporate
computers, Congress passes Computer Fraud
and Abuse Act, making it a crime. The law does
not cover juveniles.
Computer Emergency Response Team (CERT)
created.
First large-scale computer extortion case is
investigated (under the pretence of a quiz on
the AIDS virus, users download program which
threatens to destroy all their computer data
unless they pay $500 into a foreign account).
8. www.eLLblog.com
info@eLLblog.com
A brief history
1990s
16-year-old student (“Data Stream”) arrested by UK
police for penetrating computers at the Korean
Atomic Research Institute, NASA and several U.S.
government agencies.
CIA Director John Deutsh testifies foreign organized
crime groups behind hacker attacks against U.S.
private sector.
U.S. Communications Decency Act makes it illegal to
transmit indecent/obscene material over Internet.
9. www.eLLblog.com
info@eLLblog.com
A brief history
2000s:
Hackers break into Microsoft's corporate network and
access source code for the latest versions of
Windows and Office software.
Cyberattacks have grown more frequent and
destructive in recent years.
TODAY (Literally): September 27, 2010
“U.S. Wants to Make It Easier to Wiretap Internet”
Federal law enforcement and national security officials are
preparing to seek sweeping new regulations for the Internet.
10. www.eLLblog.com
info@eLLblog.com
Traditional Investigations
• Fingerprints
• Blood
• Fibers
• DNA
• Soil, fluids, debris
• Etc.
Digital Investigations
• Emails
• Documents, spreadsheets, data
bases, images, etc.
• File attributes (i.e., metadata)
• Internet activity
• File transfer and copying
• More…
Forensics
23. www.eLLblog.com
info@eLLblog.com
Malicious Insiders
Proactive:
Watch historical patterns, which may help
catch employee who, for example, regularly
accessed sensitive corporate information
when others within the company did not
Train employees so as to raise staff
awareness about insider threats
Implement effective security policies
24. www.eLLblog.com
info@eLLblog.com
Email Extraction & Spamming
Sending email to thousands of people in
effort to sell a product or for data
collection purposes.
According to the U.S. Attorney’s Office,
nearly every college and university in the
U.S. was impacted by this scheme. Schools
spent significant funds to repair damage
and implement preventive measures.
25. www.eLLblog.com
info@eLLblog.com
Hacking
Hackers break into government or
business networks for profit, for the pure
thrill, or for bragging rights.
While off-site hacking once required
expertise in computer programming,
hackers can now retrieve attack scripts
and protocols from the Internet and use
them against victim websites.
26. www.eLLblog.com
info@eLLblog.com
Hacking
Some of our U.S.’s most popular
websites are vulnerable to hacking.
September 21, 2010 Twitter ravaged
with posts that took advantage of a
programming weakness to play pranks,
distribute pornography, and spread
worms to victim-users.
29. www.eLLblog.com
info@eLLblog.com
U.S. Federal & State Action to
Combat Cybercrime
What are federal & state governments doing
to protect the U.S. from cyber attacks?
Federal: Executive, Legislative & Judicial
Action
State: Most proactive states - VA & FL
32. www.eLLblog.com
info@eLLblog.com
U.S. Federal Government –
Executive Branch
CNCI directive established twelve cyber defense
projects, identifying lead agencies for each.
Department of Homeland Security (DHS) becomes lead
agency to protect U.S. computer-reliant critical
infrastructure.
Report reveals deficiencies in key responsibilities since
2005:
Cyber analysis and warning capabilities, cybersecurity
infrastructure, recovery from internet disruption, secure
internal information systems, organizational inefficiencies.
33. www.eLLblog.com
info@eLLblog.com
U.S. Federal Government –
Executive Branch
President Obama
February 2009 - Orders review of cybersecurity
plans and programs throughout federal
government (May 2009 report &
recommendations)
April 2009 - Creates high-level Federal CIO
Coordinate efforts to combat hackers and
cybercriminals
June 2010 - Proposes National Cyber Identity law
September 2010 - Seeks sweeping new regulations
for the Internet
34. www.eLLblog.com
info@eLLblog.com
U.S. Federal Government –
Executive Branch
2009 Report
Significant weakness and
vulnerability in security controls
23 of the 24 major federal agencies
report problems
Problems include reauthentication of
users, encryption, monitor for
security-related events
35. www.eLLblog.com
info@eLLblog.com
U.S. Federal Government –
Executive Branch
Projects include
Trusted Internet Connections
Einstein 2, Einstein 3
Research & Development Efforts
Cyber Counterintelligence Plan
Security of Classified Networks
Expand Education
Leap-Ahead Technology
Deterrence Strategies and Programs
Global Supply Chain Risk Management, and
Public/Private Partnerships
36. www.eLLblog.com
info@eLLblog.com
U.S. Federal Government –
Executive Branch
Despite these efforts, executive branch fell victim to
successful cyber attack in July 2009, when
coordinated assault over several days targeted
websites of several government agencies, causing
major disruptions.
Much work still to be undertaken, but proactive
measures are being employed and progress
continues to be made.
Recent attacks led to proposed legislation to
empower President to disconnect any federal or U.S.
critical infrastructure info system or network for
national security.
37. www.eLLblog.com
info@eLLblog.com
U.S. Federal Government
Agencies with Cyber Crime Efforts
Department of Justice and FBI lead
the effort to investigate and prosecute
Secret Service
Immigration & Customs Enforcement
Agency
Postal Inspection Service
Bureau of Alcohol Tobacco &
Firearms
38. www.eLLblog.com
info@eLLblog.com
FBI Mission on Cyber Crime
o The FBI's cyber mission is four-fold:
o Stop those behind the most serious computer
intrusions and the spread of malicious code.
o Identify & thwart online sexual predators who
exploit children & circulate child pornography.
o Counteract operations that target U.S.
intellectual property, endangering national
security and competitiveness.
o Dismantle national and transnational organized
criminal enterprises engaging in Internet fraud.
39. www.eLLblog.com
info@eLLblog.com
U.S. Federal Government
Legislative Cyber Crime Efforts
February 2010 House of Representatives passed
(pending) the Cybersecurity Enhancement Act of 2010.
Assist federal government efforts in developing skilled
personnel for its cybersecurity team
Organize and prioritize various aspects of government’s
cybersecurity research and development
Improve the shifting of cybersecurity technologies to the
marketplace, and
Strengthen role of the National Institute of Standards &
Technology in developing and implementing cybersecurity
public awareness and education programs to promote best
practices.
40. www.eLLblog.com
info@eLLblog.com
U.S. Federal Government
Legislative Cyber Crime Efforts
The Senate’s cybersecurity proposed legislation
(March 2010): Cybersecurity Act of 2009
Authorize grants to enhance cybersecurity
through research and workforce development
Impose intergovernmental and private sector
mandates on owner/operator of info systems
designated by president as U.S.-critical
infrastructure
i.e., financial networks, electric providers, petro
industry
U.S.-critical infrastructure “threat alerts”
Expands DHS authority
41. www.eLLblog.com
info@eLLblog.com
U.S. Federal Government
Legislative Cyber Crime Efforts
The Senate’s cybersecurity proposed legislation
(March 2010): Cybersecurity Act of 2009
Problems:
Industry opposition
Upcoming election makes it unlikely that
comprehensive reform will pass this year
Cost approximately $1.4 billion from 2011 to
2015
42. www.eLLblog.com
info@eLLblog.com
U.S. Federal Government
Legislative Efforts
Computer Fraud and Abuse Act (CFAA):
Fraud and related activity in connection with computers
Internet Fraud:
Unfair or deceptive acts or practices; false advertising
Mail, wire, and bank fraud
Internet Sale of Alcohol or Firearms:
Firearms, Liquor traffic, and Shipments into states for
possession or sale
Online Child Pornography, Child Luring, and
Related Activities:
Sexual exploitation and other abuse of children; Transportation
for illegal sexual activity
CAN-SPAM Act 2003:
Delineates between unlawful spam and legal commercial email;
preempts states
43. www.eLLblog.com
info@eLLblog.com
Software Piracy and Intellectual Property
Theft:
Criminal copyright infringement
Frauds and swindles
Protection of trade secrets
Internet Sale of Prescription Drugs and Controlled Substances :
Unfair or deceptive acts or practices; false advertising
Smuggling goods into the United States
Mail, wire, and bank fraud
Federal Food, Drug, and Cosmetic Act
Drug Abuse Prevention and Control
Commonly Applied Federal
Laws
44. www.eLLblog.com
info@eLLblog.com
U.S. Federal Government
Existing Legislative Efforts
•SOX - Sarbanes Oxley Act
•HIPAA – Health Insurance Portability &
Accountability Act
•FACTA - Fair and Accurate Credit
Transaction Act of 2003
•GLB – Gramm-Leach-Bliley Act
•FCRA – Fair Credit Reporting Act
•RFR - “Red Flags Rule”
•FRCP – Amended Federal Rules of Civil
Procedure “eDiscovery”
•Related Industry Regulations
45. www.eLLblog.com
info@eLLblog.com
State Government –
Legislative Efforts
Play key role in security
Suffer from problems experienced
by federal and private sectors
Budget crisis
Delicate balance between security
and constitutional rights
Faulty & Conflicting laws
46. www.eLLblog.com
info@eLLblog.com
State Government – Virginia Model
Legislative Efforts
Virginia Computer Crimes Act
(“VCCA”)
Takes a multifaceted approach to
cybersecurity that includes:
Virginia anti-spam statute
Virginia Cyber Strike Force works with
the U.S. Attorney’s Office, State Police,
and FBI to fight cybercrime
47. www.eLLblog.com
info@eLLblog.com
State Government – Virginia Model
Legislative Efforts
VCCA criminalizes use of
computer/computer network
with intent to falsify/forge electronic mail
transmission info or other routing info
in any manner in connection with
transmission of spam through or into
computer network of an electronic mail
service provider or its subscribers.
48. www.eLLblog.com
info@eLLblog.com
State Government – Virginia Model
Enforcement Efforts
Virginia Computer Crimes Unit
Formed July 1999
Works in cooperation with the U.S.
Attorney’s Office, State Police, and FBI
Investigates & Prosecutes under VCCA
Illegal spamming
Child pornography: production,
distribution & possession
Online enticement of children
Identity theft
49. www.eLLblog.com
info@eLLblog.com
State Government – Virginia Model
Enforcement Efforts
VCCA penalties
Violation of a portion of the statute is a misdemeanor, but it
may be upgraded to a felony if either
the volume of spam transmitted exceeds a number of
recipients or revenue generated from a specific transmission
of spam exceeds an amount.
Makes it a misdemeanor to knowingly sell, give, or otherwise
distribute or possess with the intent to sell, give, or distribute
software that
primarily designed for purpose of facilitating falsification of
transmission info or other routing info of spam;
has only limited commercially significant purpose or use; or
is marketed in facilitating or enabling the falsification of the
transmission information or other routing information of spam
50. www.eLLblog.com
info@eLLblog.com
Conclusion
Crime is a problem that is impossible to solve.
Statutes and law enforcement measures have been one
step behind the criminals in the cyber realm.
Nevertheless, our government and the nation’s
businesses must take whatever steps possible to
combat cybercrime.
Tools for deterrence: Awareness & Education
Cybercrime is NOT a technology issue, it’s a
business issue