CAUCE and cyber crime


Joseph Menn recently wrote a follow-up article to his book Fatal System Error.  The book tells the story of an individual in the security industry who made the mistake of working with the local police, investigating cyber crime over in Russia.  In response, the individual’s daughter was kidnapped and the investigator was told that if he dropped the case, his other children might be alright.

Recently, because of the publicity generated by the book, the man’s daughter, who had been imprisoned in Kazakhstan, was returned to him on the condition that he agree not to look into certain of the gang’s activities.  The girl had been sexually assaulted and fed narcotics for several years.  The point Menn is making is that cyber crime is not just about spamming and making money; some of the individuals behind these criminal gangs are absolutely ruthless and will resort to very unethical and immoral acts to send messages to others.  We usually think of this type of activity as reserved for drug trafficking, organized fraud and racketeering, but cyber crime is crossing that boundary and doing the same.

Neil Schwartzman and J.D. Falk, over at CAUCE, have posted an article asserting that cyber crime does not get the attention it deserves even though it is a conduit for other types of crime like kidnapping and sexual assault.  While many in law enforcement see spamming as “just getting annoying email in your inbox” and a low priority for investigation, the reality is that spamming, malware, etc., is big money.  The people behind it will go to extreme measures to protect their businesses, just as other organized crime families use the same tactics.  Thus, the excuse “it’s just annoying email” is a naive point of view because when the money gets big, it becomes more difficult to stop.  Better to nip it in the bud now because sooner or later, it will get out of hand and become nearly impossible to contain.

From their article:

When someone is mugged, harassed, kidnapped or raped on a sidewalk, we don’t call it "sidewalk crime" and call for new laws to regulate sidewalks. It is crime, and those who commit crimes are subject to the full force of the law.

For too long, people have referred to spam in dismissive terms: just hit delete, some say, or let the filters take care of it. Others — most of us, in fact — refer to phishing, which is the first step in theft of real money from real people and institutions, as "cyber crime." It’s time for that to stop…  It is high time that governments and law enforcement stop thinking of computer crime as that perpetrated by teenagers in their parent’s basement. It is the Russian Mob and other organized criminals that are doing this.

David Black, manager of the RCMP’s cyber infrastructure protection section recently said to CAUCE Executive Director Neil Schwartzman “we don’t do spam”. OK, but why not? Spam is no longer, and hasn’t been for some time, about simply sending unwanted emails. Spam is now a delivery mechanism for malware, which in turn threatens infrastructure, and facilitates theft. We have seen precious few cases filed using existing Federal computer intrusions laws in Canada, and none, to our knowledge have been filed under the renovated anti-phishing law, S-4, passed in September 2009.

Governments and law enforcement agencies need to begin to treat online theft with the same seriousness as they do other physical crimes. It is time to bring this up to the diplomatic level, or seriously consider refusing packets from places that treat the Internet, and innocent victims, as their personal ATM.

Cyber criminals consider cyber crime to be a virtually riskless offense; they’re unlikely to be identified; if identified, they’re unlikely to be investigated; if investigated, they’re unlikely to be charged and prosecuted; if prosecuted, they’re unlikely to be convicted; if convicted, they’re unlikely to do jail time.

The courts need to make it clear that that’s wrong in all respects. If you commit cyber crimes, you will be identified, investigated, charged, prosecuted, convicted and sentenced to serious time and we will seize your assets.

This will not happen so long as crime, which involves the Internet, is dismissed as "cybercrime" and either scoffed at, or used to justify ever-increasing cyberwarfare budgets.

I think that Menn’s book is a good starting point for raising awareness in law enforcement and government that cyber crime is not new; it is another avenue of breaking the law.  If someone steals from you at your bank at gunpoint, it is armed robbery.  If someone phishes your account and steals from you, it is still robbery and needs to be prosecuted as such.

Part of the problem, as I see it, is that the perception of cyber crime is still hanging over from the 1980s and 1990s: curious teenagers breaking into companies and wreaking some havoc although not causing any damage.  While this is still true, it is not representative of the trends that have been taking place during the past decade.  Malware is big business and some of the people who organize this stuff, particularly in the former eastern bloc in Europe, have taken over and will resort to extreme measures to protect their business, as Menn’s article points out.

On the flip side, I also think that the reason the perception of cyber crime is not as important as other types of crime is because it is difficult to draw the link between spam and kidnapping.  Spammers hide behind proxies, have affiliate marketers, purchase spam kits from malware writers or rent out botnets, host their sites on a wide array of international sites, and then send money to themselves using money mules.  It is difficult to tie all of these ends together.  It requires a certain degree of technical expertise.  This means that law enforcement must either recruit people who have extensive experience fighting cyber crime (and most of us are in private industry building solutions for spam filtering or anti-malware engines), or they must train people to become investigators.  This means that the cyber investigators must be good at general police work and have advanced computer knowledge.  Prosecutors must have the same.  These types of skills are not easy to come by.

Still, that’s why we have experts in the industry to provide expert testimony.  Indeed, Microsoft has shown with its Waledac takedown that private enterprise can collaborate with the legal system to take action against malicious actors.  Perhaps more public/private partnership is required in this regard.

Comments (1)

  1. Benjamin Wright says:

    Terry: On the SANS Institute's forensics blog, I have published new methods for preserving and authenticating evidence in a cyber investigation. http://goo.gl/ramnu  What is your opinion?  –Ben
