Monday, April 26, 2010

Recomendations


A report, entitled "Unsecured Economies: Protecting Vital Information" which was released January 21, 2009 at the World Economic Forum annual meeting in Davos, Switzerland; found that “developing countries spend more money on protecting intellectual property than companies in Western countries.” Why is that?
To achieve a more secure environment for computers there should be some type of true regulation established that holds companies accountable for “polluting” the Internet with vulnerable computer systems that can be compromised. Software companies should be forced to produce more secure programs and there should be regulation that encourages software companies to write more secure code and receive in turn financial incentives. It might even be good practice to make software companies libel for vulnerabilities in their software. Even with the few bills currently in place here in the US the private sector is still basically self regulated. According to a Washington post article dated February 24, 2010 (Nakashima, Ellen Federal Regulation urged on cybersecurity) “The federal government must become more aggressive in getting industry to protect computer networks because self-regulation is not working, leading cybersecurity experts told Congress.” Also from that article: said James A. Lewis, a technology expert at the Center for Strategic and International Studies said: "The government needs to give the market a kick.'' He noted that “cars were not made safe until government pressure changed automakers' behavior.” I agree with this line of thinking. Self regulation never seems to work unless it is profitable for the "self-regulator"................

 Nakashima, Ellen (2010, February) Federal Regulation Urged on Cybersecurity. Washingtonpost.com Retrieved on April 26,2010 http://www.washingtonpost.com/wp-dyn/content/article/2010/02/23/AR2010022305033.html

Unsecured Economies: Protecting Vital Information, McAfee

Sunday, April 25, 2010

Conclusion


The easier computer technology is to use the greater the threats companies and governments face. In the report by Steve Kroft for 60 minutes he reports SATCOM being hacked. SATCOM is linked to this countries defense grid. Our stock markets and banking system have been robbed for over $100 million dollars in recent years and there has been an actual attack on a countries power grid. This countries power grid is constantly being probed. These are all critical points of interest for our government. And they are currently not being properly secured. The source of income for future attacks for criminals might be as hired guns for smaller countries or terrorist organizations, and without some oversight by the government on vital industries to ensure national security we may very well see in the near future an cyberattack that causes major disruption to a countries way of life (most likely ours). The realization of this eminent threat should have caused governments to intervene and regulatecybercrime. For a country like the United States this will be considered taboo but computer security may soon be looked at like an environmental concern, or how our food and drugs are processed. We may soon have a new department that enforces security standards for industries whose services keep that country running. This would be another plus for the ever growing security industry, because it would guarantee a demand for new security solutions and professionals to apply them. But, legislation like this would be met with a lot of resistance; at least in countries where companies and people have a right to civil discourse. This would change the way many companies do business, and would open the door to a new type of lobbyist in Washington D.C. In the United States there have already been attempts made to legislate security requirements for some industries. There are few federal cyber-security regulations, and the ones that exist focus on specific industries. The three main cyber-security regulations are the 1996 Health Insurance Portability and Accountability Act, the 1999 Gramm-Leach-Bliley Act and the 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA). These three regulations mandate that health care organizations, financial institutions and federal agencies protect their systems and information. For example, FISMA, which applies to every government agency, “requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security.” But, these regulations do not address numerous computer related industries, such as Internet Service Providers (ISPs) and software companies. Furthermore, these regulations do not specify what cyber-security measures must be implemented and require only a “reasonable” level of security. The vague language of these regulations leaves plenty of room for interpretation. Bruce Schneier, founder of Cupertino’s Counterpane Internet Security, argues that companies will not make sufficient investments in cyber-security unless government forces them to do so. He also states that successful cyber-attacks on government systems still occur despite government efforts (Wikipedia). If the government cannot stop the attacks how can it mandate requirements to secure the systems of the industries they wish to regulate? In 2003 the federal government tried to improve cyber-security by assigning more resources to research and collaborating with the private-sector to write standards. In 2003, President Bush’s “National Strategy to Secure Cyberspace” made the Department of Homeland Security (DHS) responsible for security recommendations and researching national solutions. The plan calls for joint efforts between government and industry “to create an emergency response system to cyber-attacks and to reduce the nation’s vulnerability to such threats.”In 2004, Congress allocated $4.7 billion toward cyber-security and reaching the goals stated in the President’s National Strategy to Secure Cyberspace. Some industry security experts stated that President Bush’s National Strategy to Secure Cyberspace was a good first step but was still insufficient. Bruce Schneier stated that “The National Strategy to Secure Cyberspace hasn’t secured anything yet.” However, the President’s National Strategy clearly states that the purpose is to provide a framework for the owners of computer systems to improve their security rather than the government taking over and solving the problem. Companies that participate in the collaborative efforts outlined in the strategy are not required to adopt the discovered security solutions (Wikipedia.org). Once again legislation for cyber-security which only suggests good practice but did not mandate.


Kroft, Steven (2009, November) Sabotaging the System. CBSNEWS.com
Retrieved on April 23,2010  http://www.cbsnews.com/stories/2009/11/06/60minutes/main5555565.shtml

http://en.wikipedia.org/wiki/Cyber-security_regulation

Saturday, April 24, 2010

Discussion


The affect that cybercrime has had on the corporate world is that of cost and scrutiny. But it seems that the cost has come in more so in the form of losses as opposed to investment in prevention. That lack of prevention is the cause of scrutiny. The world of cybercrime has become more exotic and easier to participate in. One can decide tomorrow if they wish to be a cyber criminal. With the use of their computer and a small investment of approximately three thousand dollars (US) they can purchase user-friendly tools and an army of zombie computers to pull off various attacks and wreak havoc on companies and government; with their level of threat to companies commensurate with their skill. But it is extremely plausible that the less skilled can possibly be the most dangerous. It’s like buying weapons of mass destruction on the black market and learning how to use them as you go. We saw earlier that the first documented worm was allegedly an accident. In the videos posted below a tech news show from BBC world news called Click demonstrates how easy it can be to purchase a Botnet and how simple it is to launch two types of attacks A huge spam mailing and a Distributed Denial of Service attack.


Part 1





Part 2














Stefan Hammond, (2005,November) Busting the Botnet-herders. Techworld.com

Retrieved on April 22, 2010 http://features.techworld.com/security/1926/busting-the-botnet-herders/

Friday, April 23, 2010

Analysis


       In our previous post we saw that over time we have had a steady increase of in the occurrence of cybercrime. The impact of these attacks has costs companies worldwide an estimated 1 trillion dollars (US) in damages. On the other side this epidemic has spawned new departments in government devoted to security, new companies who produce counter measures for cybercrime, and an army of specialist to develop and practice strategies to help protect companies and government. There are now whole fields of study that utilize what we have learned from the hacking community. In actuality the “hackers” are the front line for detecting vulnerabilities in software and proprietary hardware. Although it is commonly believed that some vulnerability are not made public until they have enjoyed them for some time. Good security professionals make it their business to attend at least 1 major hacker convention a year, to stay abreast of the latest techniques and targets of the hacker community. The hacker culture has always been one of experimentation to test the boundaries of the technologies they had access to. William H. Gates III in his youth was a “hacker”. But as the possibility for profit and less need for actual skill to be a “hacker” (Script Kiddies) became more popular, cybercrime inevitably exploded. Now in our present day security professionals have a virtual war to fight with two fronts. They have to defend against criminals who would extort and steal from companies and they have to defend against enemy governments who would attack another countries infrastructure. Take for example the video below from a sixty minutes episode on cyberterrorism. In it Steve Kroft describes a possible attack on Brazil in 2007 which brought down their power grid and had a few cities without power for 2 days. There is also mention of an attack on the US defense department where several terabytes of data was stolen and even our most “secure” computer system SATCOM was hacked by a foreign country in 2007. The video below summarizes the dangers faced by cyberattack and how unprepared we currently are.



Judging from this report it seems that our infrastructure which is for the most part under the control of private companies are targets for foreign countries. Private companies are driven by profit and if setting up proper protections will affect profitability it is less likely to be done. Although these potential targets are under the control of private companies their vulnerability pose a threat to national security. The diverging interests of the two entities seem to have put them into conflict over security. The power industry was recently caught lying to congress about steps taken to secure the power grid. 
 

Kroft, Steven (2009, November) Sabotaging the System. CBSNEWS.com
Retrieved on April 23,2010  http://www.cbsnews.com/stories/2009/11/06/60minutes/main5555565.shtml

Monday, April 19, 2010

Research findings

The Impact of all these threats





             According to the Microsoft & National Broadcasting Corporation (MSNBC) article from March 2005, Cyber Attacks on Corporations are Rising; Despite Stronger Defenses, Companies are Still Vulnerable. The article states, “The threat to corporate computer systems from worms, viruses and cyber­borne attacks is getting worse, despite stronger corporate defenses. The data shows that while corporate America isn’t losing the war against computer hackers, it certainly isn’t winning it” (MSNBC March, 2005). It explains that, the United States corporate world has the need to create and implement more aggressive and evolving security tools and mechanisms to be able to prevent and respond to incidents of computer attacks.
          The private sector, along with the United States government, is facing big challenges in trying to fulfill the duties of protecting the nation’s computer system infrastructure. To further illustrate the magnitude of the problem, I have conducted a review of existing available literature to analyze the computer crime problem in the United States.
            According to the Internet Crime complaint Center (IC3) 2009 Annual Report, the agency received 336,655 complaints from January 1, 2009 to December 31, 2009. This was a 22.3% increase as compared to 2008 when 275,284 complaints were received. ( Internet Crime Complaint Center Report, 2009). This upward trend of attack poses a special concern for any business organization’s web based economic activities. The vast majority of referred cases contained elements of fraud and involved a financial loss by the complainant. The total dollar loss from all referred cases was $559.7 million with a median dollar loss of $575. This is up from $264.6 million in total reported losses in 2008.
   In the In the year 2000 it was stated by John Serabian (CIA), in his report to the Joint Economic Committee, “a major challenge in the next decade will be to defend the computer infrastructure and protect our commerce while maintaining an open society” (Cyber Threats and the U.S. Economy, CIA Website, 2000). Serabian further points out on the same report that, “many of the countries whose cyber warfare programs we follow are the same ones that realize that, in a conventional military confrontation with the United States, they will not prevail. These countries perceive that cyber attacks, launched from within or outside the U.S., against public and private computer systems in the U.S., represent the kind of asymmetric option they will need to level the playing field during an armed crisis against the United States” (Cyber Threats and the U.S. Economy, CIA Website, 2000). This report explains how other countries do not abide by the same rules as the United States’ system, and consider many techniques as fair game regardless of the status of the target they intend to attack, whether a civilian or military target. It also reinforces the theory that any effort must be jointly accomplished by the state and non­state stakeholders to achieve the maximum benefit from any computer security effort.  
As we can see by the two graphs below that for this decade his statement accurate. It has been a major challenge defending our computer infrastructure and we have seen a steady rise in cybercrime even with the public and private sectors best efforts to fight. There was a slight drop off in 2006 and 2007 but this data is only based on reported incidents.












            In a Cable News Network (CNN) online article named, Experts: Cyber­ crime Bigger Threat than Cyber-terror, David Perry (interviewee and director of education for the international computer security company Trend Micro) says, “although the threat of cyber­terrorism exists, the greatest risk to Internet communication, commerce and security is from cyber­crime motivated by profit” (Technology, CNN Website). The Internet as a global connecting tool serves an important purpose in the realm of Corporate America and its global commercial activities. This article, in particular, that
addresses the original perceptions after the September 11 , 2001 attacks when most people believed cyber­terror (attack with a terrorist purpose) was our main threat, but recent incidents have prompted many experts in the matter to reconsider their position in favor of cyber crime for profit.
          To defend against attacks companies have developed security policies to harden their computer systems against cyber attacks. Although computer crime is on a steady rise the majority of companies in the US have a security budget that makes up only 5-10 percent of the companies IT budget. 
         The computer security industry has flourished because of the increased rate of computer crimes against corporations and government. Antivirus software, network security tools, Intrusion detection hardware and software, penetration testing tools, and computer forensic tools are being sold by startup companies that are becoming fortune 500 corporations. Security professionals are in high demand. In larger companies it is common to have whole departments dedicated to information security. Some companies outsource their security support or hire consultants. There is now a gambit of different types of security certifications. All of these are by-products of the dramatic rise of our dependence on computers and the surge of crimes committed against companies who depend on computer systems. 


Cobb, Jerry (2005, March) Cyber attacks on corporations are rising. MSNBC.com
Retrieved on April 18, 2010 http://www.msnbc.msn.com/id/7257289/

internet Crime Complaint center annual report 2009

Coren, Micheal (2005, January) Cyber-crime bigger threat than cyber-terror CNN.com

Thursday, April 15, 2010

Key Research Issues/ Questions


  For this research project, the main goal is examine cybercrime and its impact on the corporate world. The question we want to answer is how does cybercrime effect a company fiscally and how does this crime against corporations affect corporate culture. We also will see how cybercrimes has created new industries. While discussing this objective we present data that proves the thesis that cybercrime is on an upward trend in the United States’ business environment, despite the current measures taken by the law enforcement community. We will see data and video that substantiates and gives example to the claims of the effects of cybercrime. We will explore and better understand the evolution of the concept of Internet as it relates to the issues of Cyber-terrorism and computer crime and its possible affects on the United States economy.

Wednesday, April 14, 2010

Survey of Issues

Where did it all begin?
The first recorded cyber crime took place in the year 1820! That is not surprising considering the fact that the abacus, which is thought to be the earliest form of a computer, has been around since 3500 B.C. in India, Japan and China. The era of modern computers, however, began with the analytical engine of Charles Babbage."
    " In 1820, Joseph-Marie Jacquard, a textile manufacturer in France, produced the loom. This device allowed the repetition of a series of steps in the weaving of special fabrics. This resulted in a fear amongst Jacquard's employees that their traditional employment and livelihood were being threatened. They committed acts of sabotage to discourage Jacquard from further use of the new technology. This is the first recorded cyber crime!


   In actuality the first modern Cybercrime recorded was a SPAM e-mail (definition www.wikipedia.org)sent in 1978 over the ARPAnet, which was the Defense Department network that was precursor to what we now know as the Internet, by a Digital Equipment Corp. marketing executive named Gary Thuerk to advertise a new computer. Although spamming was not illegal at the time the reaction from recipients on ARPAnet were negative. The sender received many responses of annoyance and was reminded of the proper use of ARPAnet which did not include advertising. Currently Spamming can be illegal, for example in 2005 the first spammer convicted for felony spamming Jeremy Jaynes was sentenced to 9 years in jail.
 
    During the late 1970’s/ early 80’s “hackers” started developing Rootkits to hide traces of intruders on networked computers. Then there was the creation and release of various computer viruses. One of the first viruses documented was the Elk Cloner virus written for the Apple 2 computers by a high school student by the name of Rich Skrenta. It spread when users used an infected disk to boot up their system. It had a poem that appeared every 50 boot attempts. This was vandalism, but there were many more malicious viruses’ that soon followed.
    The next progression was Breaking and entering: The first Major intrusion occurred in 1982 when a hacker group known as the 414’s broke into systems at several institutions including Sloan-Kettering Cancer Center. Those intrusions provoked the US government to pass several laws regarding computer security.

   The first Computer Worm was created in 1988 a graduate student at Cornell University created software that would automatically reproduce itself on computers connected to the government's ARPAnet. His name is Robert T Moris Jr. and he is now a professor at MIT. He claimed he was attempting to measure the size of the Internet. The worm he created quite possibly infected thousands of government computers and caused anywhere from $10-$100 million in damage, according to the U.S. General Accounting Office. He was convicted of violating the 1986 Computer Fraud and Abuse Act and was sentenced to three years' probation, 400 hours of community service, and a fine of $10,050.
    The Trojan-horse. In 1989, a diskette proclaiming to be a database of AIDS information was mailed to thousands of AIDS researchers and subscribers to a U.K. computer magazine. The disk contained Trojan software that rendered the computers useless and demanded that a payment of $378 be sent to PC Cyborg Corporation at a post office box in Panama. Here we see a progression from malicious attacks to the pursuit of money
   The Man In the Middle Attack. First recognized as an attack in 1998 by the National Security Agency, the most well-known attacks occurred in October 2005 and July 2006, when large European and U.S. banks with one time password (OTP) scratch cards and tokens were targeted with man-in-the-middle attacks. Subsequently, Amazon.com was also attacked, according to a report by security vendor Tricipher. Security experts believe that criminal software developers now have created the equivalent of Microsoft Office for man-in-the-middle exploits: a software package for sale on the Internet that even non-experienced computer users commonly referred to as “Script Kiddies” can set up to carry out attacks.
Denial of service
   February, 2000. In the first documented and one of the biggest Denial Of Service attacks recorded, a Canadian hacker named MafiaBoy launched a Distributed Denial-of-Service attack that took down several high-profile Web sites, including Amazon, CNN and Yahoo!. DDoS attacks are commonly used for extortion, in which a criminal will threaten an attack unless a website owner pays him. It is common for the site owners to pay because the ransom is usually a fraction of a percentage of what they would lose for their site being down for a few hours.
  It is estimated that today one million PCs are under the control of hackers worldwide, according to Trend Micro. In early 2005, German security analysts at Aachen University reported that they identified more than 100 Botnets in a three-month period. The Botnets comprised of a few hundred compromised PCs to 50,000 machines. A Botnet is a networked group of compromised computers—or “zombies”—that are controlled by people known as "Botherders". Using an assortment of Internet communications methods, most popularly Internet Relay Chat, hackers can "wake up" tens of thousands of compromised computers (zombies) and direct them to deliver crimeware, phishing attacks and sometimes spam.





  The various attacks listed above showcase the historical progression of the tools used to commit cybercrimes. There some more exotic types of attacks and variations of those listed. In modern times these tools are combined to attack companies and even government networks to either steal information to sell or block information to extort. Sometimes the motivation is perceived to be politically motivated. In the most recent years we have seen an increase in politically driven attacks. Where governments have hired or even trained teams of hackers to attack foreign government infrastructure.

Koch, Christopher. (2007, June). A Brief History of Malware and Cybercrime. CIO.Com. Retrieved on April 9, 2010 from http://www.cio.com/article/116250/A_Brief_History_of_Malware_and_Cybercrime_?page=1&taxonomyId=3089


Quote: "the first CyberCrime"
http://cybercrime.planetindia.net/intro.htm
 


Chance, Mathew (2009, June) Cybercrime in Russia. CNN.com. Retrieved on April 9, 2010
http://www.cnn.com/video/#/video/crime/2009/06/24/chance.russia.cyber.crimes.cnn

Sunday, April 11, 2010

Introduction


    Crime has always been a part of society from as long as there have been written words there have been rules or laws that exist in that society; and there have been people who broke those laws. Some say that crimes are committed just because people want to, but a more conventional train of thought believes that the reason for crime include, economic gain, power, greed, anger, jealousy, passion, boredom, opportunity, vandalism, or even politics and these can all be found as reasons given for committing a cyber crime.
Computers have become interwoven into the fabric of modern society. They manage our communications, our power grid, and our financial markets and are a part of almost every aspect of our lives. As the technology of computers becomes more advanced so have the crimes. The two entities that have borne the brunt of these crimes are corporations and govt. The purpose of this blog is to examine the impact of cybercrime on corporations both financially and culturally. According to a study from McAfee, in 2008 data theft and breaches from cyber crime may have cost businesses as much as $1 trillion globally. McAfee made the projection based on responses to a survey of more than 800 chief information officers in the U.S., United Kingdom, Germany, Japan, China, India, Brazil, and Dubai.
The respondents estimated that they lost data worth a total of $4.6 billion and spent about $600 million cleaning up after breaches, McAfee said.
The Purpose of this blog is to look at the industry that is cybercrime and analyze its impact on the corporate world. Although it is a negative action, I would dare to say it actually a necessity of our global economy. Many innovations and a whole business industry has been born out of it. The side affect of cybercrime is the generating of money, both illegally and illegally. We will look at this. I will also like to demonstrate how the complexity of cybercrimes directly reflects the advances in computer technology. I believe that Moore’s law can be applied to cybercrime conceptually. There has yet to be an advance in the computer world that hasn’t had the potential to be exploited for misuse and criminal activity.
I plan to look at several cases of cybercrime ranging from the inception of the Internet all the way to the present day and to explore how the corporate world reacted to those attacks. I will also look at the proactive measures were and will potentially be taken as well as the new technologies that have been created in response.

Gonzales, Randy () A Classical View - Why Do People Commit Crimes? ezineArticles.com
Retrieved oon march 29, 2010 from http://EzineArticles.com/?expert=Randy_Gonzalez 

Mills, Eleanor. (2009, January). Study: Cybercrime cost firms $1 trillion globally. CNet News.Com.