
This Week in Cybercrime: You Can Be Convicted of Hacking Even If You’re Not a Hacker

Plus: Critical infrastructure left unguarded, and cyberthieves hunt from up close

Hacking the Meaning of Hacking

It’s happened before: someone is convicted for robbery who never set foot inside the store that was held up, or serves a long prison stretch for murder, but is later exonerated when DNA evidence reveals that they and the perpetrator are not one and the same. But you rarely associate computer crimes with such miscarriages of justice. Nevertheless, in a California courtroom this week, David Nosal was convicted of six counts, including violating the federal Computer Fraud and Abuse Act—which went on the books in 1984 as part of an effort to make it easier for prosecutors to take down hackers bent on stealing data or in some way vandalizing the machines they infiltrate. The problem: There is no question about the fact that he did not hack into the system from which he acquired proprietary information. The jury came back with a guilty verdict despite having heard evidence that Nosal managed to convince—mostly through bribery—his former colleagues who were still employed at Korn/Ferry International, an executive search firm, to access the company’s database and turn over trade secrets. And get this: Those folks, who actually accessed the Korn/Ferry database with malicious intent, were not charged with any criminal wrongdoing.

But Nosal likely won’t don prison stripes anytime soon. If the pattern of this case holds, the verdict is, for the accused, merely a setback in a long and winding journey. The judges of the Ninth Circuit Court of Appeals in San Francisco have banged their gavels on this case on two separate occasions, and legal observers say they’re likely to see it again. Last year, the Ninth Circuit jurists decided that bringing charges against an employee for what amounts to a violation of his or her employer’s computer use policy is a bridge too far. That saved the bacon of Nosal’s aforementioned accomplices and got some charges against him related to data thefts back when he was still a Korn/Ferry employee dropped. Furthermore, chances are good that a final decision on Nosal’s fate won’t be made until the Supreme Court weighs in. Stay tuned.

Your Friendly Neighborhood C&C Server

Though it would immediately strike me as odd if I, a U.S. resident, had a random message in my inbox from a sender in, say, Croatia, it might not raise an eyebrow for someone in neighboring Slovenia. It’s that thinking that underlies the ratcheting up of cybercriminals’ efforts to evade detection by dispersing their command and control servers so that they are in the same country as the machines they are set up to target. That’s one of the takeaways from a new FireEye report, “The Advanced Cyber Attack Landscape,” released on Tuesday. The report, based on analysis of roughly 12 million messages transmitted between compromised machines and command and control servers, revealed that C&C servers are now located in 184 countries, up from 130 in 2010. But the attackers and victims mostly remained the same. Eleven countries—China, South Korea, India, Japan, Hong Kong, Russia, Romania, Poland, Ukraine, Kazakhstan, and Latvia—are home bases for the machines that conduct 46 percent of cybercrimes. A nearly equal share of C&C servers (44 percent) are located in North America—all the better to take advantage of the fact that, as Kaspersky Lab’s Threatpost puts it, “the U.S. corporate landscape, particularly its wealth of high technology firms, is densely packed with valuable intellectual property, and therefore attackers continue targeting companies based there.”

Servers Give Everyone Network Access

According to a Computerworld article, security firm Rapid7 found more than 114 000 separate instances of network access servers configured in a way that leaves computer systems used to manage critical infrastructure such as traffic lights and fuel pumps vulnerable to tampering. Rapid7 says that most of the vulnerable servers are connected to the Internet with cellular wireless connections and 3G network cards, links that are difficult to shore up. In more than 13 000 cases, “the terminal servers provided a way for anyone on the Internet to gain some form of administrative control of the attached device,” H.D. Moore, Rapid7’s chief research officer, told Computerworld. Moore, who is the author of the study, called “Serial Offenders: Widespread Flaws in Serial Port Servers,” says poorly configured network access servers compromised the security of corporate VPNs, payment information systems, and even a system responsible for monitoring humidity and temperature in oil pipelines.

In Other Cybercrime News…

Oracle is reportedly delaying the release of Java 8 so it can make the fixes needed to rub the tarnish off the software’s reputation and win back the trust of users whom security experts have told to disable the vulnerability-plagued code. On his personal blog, Mark Reinhold, chief architect of the Java Platform Group, said: “Looking ahead, Oracle is committed to continue fixing security issues at an accelerated pace, to enhance the Java security model, and to introduce new security features. This work will require more engineer hours than we can free up by dropping features from Java 8 or otherwise reducing the scope of the release at this stage.”

The American Civil Liberties Union has asked the U.S. Federal Trade Commission to light a fire under wireless service providers. The ACLU is upset that Android phone users are unnecessarily left vulnerable to attack from hackers because the wireless companies are lax when it comes to distributing fixes for known security flaws.

Photo: Andrejs Zemdega/iStockphoto
