Cybersecurity Legislation Fails: Persistence is Key; Ignorance is Bliss
Most people are familiar with the news surrounding the major FBI raid on file-sharing site Megaupload. It was probably one of the biggest take-down stories of the year, as the site had over one hundred and eighty million (180,000,000) registered members who visited over fifty million (50,000,000) times per day before it was shut down on January 19, 2012.
The site's founder, Kim Dotcom, dubbed a file-sharing kingpin, was indicted and charged with criminal copyright fraud and racketeering by the U.S. Department of Justice.
The case against Dotcom, a resident of New Zealand, has been the subject of significant controversy over its legality and could even be dismissed entirely, as Megaupload, a Hong Kong corporation, had no physical presence in the United States. Defense attorneys claim that, as such, it should be subject only to the laws of its own jurisdiction.
Footage of the actual raid, taken by helicopter, has been released by New Zealand news agency 3News and is below. The video shows the seriousness and aggressiveness of the action taken by authorities in apprehending Dotcom, as well as statements from the court hearings and Kim Dotcom's deposition, along with that of one of the police officers who was on the scene.
In retaliation for the raid, the arrest and the destruction of the service, Anonymous hackers posted a message in which the group claimed responsibility for attacking numerous web sites, including those of the DOJ, Universal Music, MPAA, RIAA and others. Anonymous doesn't seem to be finished with its fight either. The torrent site Demonoid was shut down last week by authorities, and the hacker organization wants to take revenge on those responsible for that incident as well. The organization launched serious Distributed Denial of Service (DDoS) attacks against several websites operated on behalf of the Ukrainian government. Anonymous has vowed to revive Demonoid, in an effort codenamed #OpDemonoid, by asking members to host limitless mirror sites around the web.
Given the number of serious security problems so far this year, many organizations haven't caught up with technology yet; even security firms themselves have been hacked and made examples of. February's leaked phone conversation between the FBI and Scotland Yard also became widely read news and serves as an additional case in point.
Unfortunately, these issues create difficult situations when policymakers (individuals in power who often misunderstand technology) try to fix things by scrambling to pass new, quickly thrown-together laws, in what is mostly a genuine effort to protect consumers. This is what happened with both the SOPA and PIPA debacles, where legislation was quickly crafted only to be struck down when major forces from the Internet community like Google and Facebook wouldn't openly support the bills because they failed to protect the fundamental principles that keep the Internet free, fair and open; SOPA and PIPA both failed to attract the support needed for passage. Most recently, on August 2, 2012, Congress failed again to reach a consensus on the "Cybersecurity Act of 2012", which the administration called "a profound disappointment."
However, support for other evolving laws seems likely, as there will be no shortage of hacks and no shortage of media attention to them until something that gives more control to ISPs and authorities is finally passed. For instance, "cyber weapons" are becoming a very hot topic. A search for Flame (malware identified in May 2012), Stuxnet (computer worm discovered in June 2010), Gauss (malware discovered in August 2012) and Duqu (computer worm discovered in September 2011) will return thousands upon thousands of results. Controversy and buzz are heating up over these issues in the mainstream media. Even general news outlets are starting to carry these stories, as such reports are no longer confined to technology-related media. No matter how many times legislation is killed, it will keep coming back. The only difference will be that threats will get louder and louder until enough support is obtained. Persistence is key.
But Is It All for Good Reason?
Some say yes, it is. A computer worm called Ramnit (first detected in 2010) was developed specifically to infect Microsoft Windows computers and steal your log-in credentials. Security researchers from Seculert, an Israeli security company, found a botnet command-and-control server that apparently had 45,000 individual sets of Facebook credentials. In July they had said on their blog that "Up to now Seculert has identified more than 70,000 Facebook users that are infected with the Facebook worm". Over 800,000 Windows PCs were estimated to be affected with some form of Ramnit between September and December 2011.
With legislation failing time and time again, the majority of security breaches don't have powerful enough political ramifications; there has, however, been no shortage of news on these incidents this year. Hackers struck Zappos.com in January and collected information on not thousands but millions of customers, as many as 24 million. The organization saw email addresses, billing and shipping addresses, phone numbers and the last four digits of credit cards swiped, but said entire credit card numbers were not obtained. Naturally, the popular shopping site automatically updated customers' passwords and warned that similar passwords shouldn't be shared from site to site across the web.
In February, a hacker group called Swagg Security broke into Foxconn's servers. Located in Taiwan, Foxconn manufactures hardware for Apple, Dell, Microsoft, Cisco, Hewlett-Packard, Samsung, Sony, IBM, Nokia, Panasonic, Motorola and others. Swagg posted log-in credentials that would permit individuals to place fraudulent orders under the names of well-known technology companies. This was said to be in response to the media outrage over the reportedly horrific working conditions at Foxconn, but the hacking group denied that in a somewhat unusual-looking post. Swagg Security also went after Warner Bros for what they called "its ignorance" of security vulnerabilities.
Also in February, the University of Florida announced that there were over 700 Social Security numbers improperly stored on a state website server. The University of North Carolina at Charlotte released a statement with proactive measures after it discovered that approximately 350,000 Social Security numbers were included in a data breach that left files containing sensitive data "stored in a manner that left them open to the Internet" between 1997 and February 2012.
The above examples are just a few of this year's security nightmares. There are plenty more, as vulnerabilities and breaches are becoming more common and frequent, with attacks now aimed at multiple browsers. For years, Microsoft Internet Explorer was the most used browser in the world, claiming a peak usage of about 95% of the browser market share during 2002 and 2003. This resulted in the majority of viruses and phishing attempts being targeted at Internet Explorer users alone. Lately, new and even more sinister financial scammers are targeting users of all browsers, including Internet Explorer, Mozilla Firefox, Google Chrome and others, leaving no browser immune. In the past, avoiding trouble meant not using IE, having Norton Internet Security or McAfee Anti-Virus, or installing other firewalls and virus protection software, but today's hackers are developing clever ways not only to get hold of your computer but also to avoid detection once inside.
Regardless of what responses these attacks cause, one thing is for sure: the best way to stop being a victim of cybercrime is to secure your individual machine as best you can and to follow announcements of data breaches as they become available. Users can do a lot to plug up their own security holes by knowing what to look for and staying informed. While most are powerless to some extent, you can at least try to take precautions. By keeping yourself in the loop about what's out there, you can help prevent those who are trying to get access to you or your bank account from getting the best of you, and your money.