
US appeals court: Anti-hacking law applies to password sharing case

The 9th Circuit Court of Appeals ruling expands the scope of the already-broad Computer Fraud and Abuse Act.


A US appeals court on Tuesday ruled that the Computer Fraud and Abuse Act, a broad anti-hacking law passed in 1986, applies to a case in which a former executive gained access to his former employer’s confidential client data through a password that was voluntarily shared with him.

In a two-to-one ruling, a three-judge panel on the 9th Circuit Court of Appeals upheld the conviction of David Nosal, who used the information from his former employer — Korn/Ferry International — to start a new firm. He gained access to the data after his former secretary shared her password with him.

The ruling expands the already-sweeping scope of the CFAA, which imposes criminal penalties on anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.”

The Nosal case focused specifically on the question of whether he acted “without authorization”. The panel concluded that “‘without authorization’ is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission”.

The court panel also upheld Nosal’s conviction for trade secret theft under the Economic Espionage Act.

In his dissent, according to the court’s summary of the ruling, Judge Stephen Reinhardt “wrote that this case is about password sharing, and that in his view, the CFAA does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals”.

The practice of sharing passwords isn’t uncommon, according to a SailPoint survey released earlier this year. It polled 1,000 office workers across six nations and found nearly one in three are willing to share passwords with their co-workers.

The CFAA — opposed by the Electronic Frontier Foundation for its scope — was also used to convict former Reuters editor Matthew Keys of helping Anonymous to deface the LA Times in 2010. Keys, who denied the charges against him, was sentenced to two years in prison.

UPDATE: This article was corrected to note that Keys was sentenced to two years in prison; he is not serving two years in prison.




Henry Sapiecha


Cybercrime kingpins are winning the online security arms race

Cybercrime is getting larger and more team driven. It’s time to cast away the idea of the lone-wolf attacker.

[Image: a hooded figure at a computer]

Online attackers do not look like this anymore.

The cliché of the hacker-in-a-hoodie lone wolf is out of date. Cybercrime gangs are now almost as sophisticated as the big businesses they are trying to steal from, leading to a new security arms race that companies are losing.

The increasing threat from organized cyber-criminals and state-sponsored cyber espionage means companies need to forget about the idea of a lone hacker, think through the credible threats to their systems, and deal with them in order to disrupt their attackers’ business models.

“It’s time to think differently about cyber risk, ditching the talk of hackers, and recognising that our businesses are being targeted by ruthless criminal entrepreneurs with business plans and extensive resources — intent on fraud, extortion, or theft of hard-won intellectual property,” said Paul Taylor, UK head of cyber security at KPMG.

According to research by KPMG and BT, 97 percent of companies surveyed said they had been the victims of digital attacks, but only 22 percent were fully prepared to deal with future attacks.

Executives said they were hampered by regulation (49 percent), legacy IT systems (46 percent) and a lack of the right skills and people (45 percent).

“The industry is now in an arms race with professional criminal gangs and state entities with sophisticated tradecraft. The 21st century cyber criminal is a ruthless and efficient entrepreneur,” said Mark Hughes, CEO of BT’s security division.

“We’re up against quite sophisticated organized criminality. Well structured, real businesses, very efficient, very effective,” said David Ferbrache, technical director of cyber security at KPMG.

According to Ferbrache, the last two years have seen some shifts in the patterns of organized cyber criminality, with fraudsters targeting top executives and trying to trick them into making bogus transfers that can cost companies millions.

“CEO frauds now have become a massive issue across many of our clients,” he said.


“Organized crime is spending more time looking at targeting information available on social media. The phishing lures are much better crafted and tailored now, and they can pretend to be senior officers of the company when they know the chief executive is overseas at a conference,” Ferbrache warned.

According to the research, over 90 percent of companies said staff could be open to blackmail and bribery — but less than half have a strategy in place to deal with the threat.

“When you start moving into the big cash-outs, the longer-term operations — that’s the point you see insiders coming into the picture, because you want information on the fraud control measures. Sometimes the way the systems are configured helps the operation along,” said Ferbrache.

IT staff, as well as those with knowledge of finance, could be targeted: “Systems administrators, privileged users — anybody with access credentials, anybody able to initiate financial transactions, anyone who might have an understanding of the fraud control systems and the way they are configured too — they’re all useful,” he warned.

“We have traditionally thought of insiders and outsiders as two separate categories as you move up the tiers in organized crime. That’s not the case. It blurs.”

Crime groups tend to have a loose, federated business model. At the heart of each gang is the kingpin with the idea and the targets, but the organization around them is a loose collection of different skills. That might include people finding vulnerabilities and developing exploits, people renting out attack services such as DDoS by the hour, experts in recruiting money mules to launder the cash, or people who specialize in selling stolen information on the black market.

“The way you have to look at these organised crime groups is that most are running a portfolio of operations,” said Ferbrache.




Henry Sapiecha