This Week in Cybercrime: U.S. House Passes Bill Allowing Firms to Share Customer Info With the Government

Plus: Small companies under attack; sophisticated UK malware; phishy IRS e-mails

4 min read

Willie Jones covers transportation for IEEE Spectrum, and the history of technology for The Institute.

This Week in Cybercrime: U.S. House Passes Bill Allowing Firms to Share Customer Info With the Government

U.S. House Votes to Immunize Companies Against Privacy Lawsuits

The U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA) on Thursday by a margin of 288 to 127, despite warnings that President Barack Obama would likely veto the controversial bill if passes the Senate and makes it to his desk. The bill, which was reintroduced in February after being voted down last year, would make it impossible for consumers to sue the government or businesses for breaching the consumer's privacy by sharing data with each other.

The legal shield that CISPA provides would cover the entity divulging the information as long as the company or agency says that doing so was part of its effort to help fight cyber threats. During a House floor debate on the measure on Wednesday, Dutch Ruppersberger (D-Md.), one of the bill’s co-authors, focused on dollars and cents, claiming that trade secrets worth US $400 billion to U.S. companies are stolen each year. Opponents of the bill acknowledged the economic toll that cybercrime takes on U.S. businesses and consumers, but argued that the bill, though modified from a version that passed the House last year, still doesn’t, in the words of House Minority leader Nancy Pelosi (D-Calif.), strike a “crucial balance between security and liberty.” Pelosi added that, “Unfortunately, it offers no policies and did not allow any amendments or real solution that upholds Americans' right to privacy.”

A coalition of critics lined up against the bill. Among them was online advocacy group Fight For the Future, whose co-founder, Holmes Wilson, told the UK Guardian that, "It would have been so easy to fix this bill and require sites to strip out personal information before passing them to the government." Kurt Opsahl, senior staff attorney for The Electronic Frontier Foundation, which also came out against CISPA, had urged the House to include an amendment allowing companies to enter into privacy contracts with their customers. The legislators’ decision not to add the change to the bill’s language leaves a “gaping exception to bedrock privacy law,” Opsahl told The Guardian.

Several influential industry groups, including the wireless group CTIA, the U.S. Chamber of Commerce and TechNet, which represents large internet and technology companies, have lobbied for the measure.

Small Companies in Cyberattackers’ Crosshairs

According to a report from Symantec released on Tuesday, companies with 250 or fewer employees were the targets of 31 percent of reported cyberattacks in 2012. The report notes that the number of attacks visited upon small businesses, whose online defenses are often less sophisticated than those of their larger counterparts, rose dramatically, from 18 percent in 2011. “While it can be argued that the rewards of attacking a small business are less than what can be gained from a large enterprise, this is more than compensated by the fact that many small companies are typically less careful in their cyberdefenses," says the report. In other words, there’s less fruit available, but it hangs much lower. Firms with more than 2500 employees still faced the greatest share of attacks—50 percent in 2012. Small companies, which, more often than not, go out of business after a serious attack, find themselves in increasing peril because, according to the Internet Security Threat Report 2013, the overall number of cyberattacks in 2012 was 42 percent greater than in 2011.

“Magic” Espionage Malware Attacks Computers in UK

Thousands of computers in the UK have been infected by malware that uses a novel method for communicating with its command and control servers, says Israeli security company Seculert. The malicious program always opens up communication with the string, “some_magic_code1,” which serves as an authenticator. After that initial connection, a custom protocol comes into play, sending additional instructions to infected machines. Seculert CTO Aviv Raff told Kaspersky Lab’s Threatpost that in one case, the malware was told to open a backdoor on an infected machine by adding a new user—with login and password information supplied by the attacker. The program also conducts espionage in the form of stealing data and hijacking Web browsing sessions, Raff told Threatpost. Raff noted that what security experts have seen so far might be just the tip of the iceberg. “We have seen several indications of features which are not yet implemented,” Raff said. Among them is the ability to open a browser on a compromised machine via an remote desktop protocol session. Worst still from a security standpoint: Experts still don’t know how the virus is transmitted. “This ‘magic malware’—as we’ve dubbed it—is active, persistent and had remained undetected on the targeted machines for the past 11 months,” Raff wrote in a blog post on Seculert’s website.

The Tax Man Cometh, With the Spammer Not Far Behind

That e-mail purporting to be from the U.S. Internal Revenue Service, was likely as genuine as any of the ones you’ve received from a member of the Abacha family. According to an online traffic survey conducted by messaging security firm Agari, 95 percent of messages supposedly coming from are simply scams aimed at gleaning the information necessary to reroute refund proceeds to bank accounts controlled by organized crime rings or to steal taxpayers’ identities for future fraudulent filings. "Like the sun rises in east and sets in the west, every year, come April, phishers who specialize in tax fraud come out to try to get you," Agari CEO Patrick Peterson told USA Today. Security experts warn that official-looking e-mail messages will continue to hit inboxes right through May and June. “They'll send e-mail confirming they've received your tax return and need more information,” Limor Kessem, cybercrime and online fraud specialist at RSA's anti-fraud command center in Tel Aviv, Israel, told USA Today. “That's an e-mail you should delete immediately.” The e-mail messages usually ask the target to fill out a form requiring login information. In other cases, the targets become victims after opening attachments laced with malware or clicking on links to Web pages that inject machines with malicious code.

Also of interest…

Local police at a loss when it comes to investigating cybercrimes

U.S. Army weak on mobile devices security

The Conversation (0)