The October 2022 issue of IEEE Spectrum is here!

Close bar

This Week in Cybercrime: You Can Be Convicted of Hacking Even If You’re Not a Hacker

Plus: Critical infrastructure left unguarded, and cyberthieves hunt from up close

3 min read
This Week in Cybercrime: You Can Be Convicted of Hacking Even If You’re Not a Hacker

Hacking the Meaning of Hacking

It’s happened before: someone is convicted for robbery who never set foot inside the store that was held up, or serves a long prison stretch for murder, but is later exonerated when DNA evidence reveals that they and the perpetrator are not one and the same. But you rarely associate computer crimes with such miscarriages of justice. Nevertheless, in a California courtroom this week, David Nosal was convicted of six counts, including violating the federal Computer Fraud and Abuse Act—which went on the books in 1984 as part of an effort to make it easier for prosecutors to take down hackers bent on stealing data or in some way vandalizing the machines they infiltrate. The problem: There is no question about the fact that he did not hack into the system from which he acquired proprietary information. The jury came back with a guilty verdict despite having heard evidence that Nosal managed to convince—mostly through bribery—his former colleagues who were still employed at Korn/Ferry International, an executive search firm, to access the company’s database and turn over trade secrets. And get this: Those folks, who actually accessed the Korn/Ferry database with malicious intent, were not charged with any criminal wrongdoing.

But Nosal likely won’t don prison stripes anytime soon. If the pattern of this case holds, the verdict is, for the accused, merely a setback in a long and winding journey. The judges of the Ninth Circuit Court of Appeals in San Francisco have banged their gavels on this case on two separate occasions, and legal observers say they’re likely to see it again. Last year, the Ninth Circuit jurists decided that bringing charges against an employee for what amounts to a violation of his or her employer’s computer use policy is a bridge too far. That saved the bacon of Nosal’s aforementioned accomplices and got some charges against him related to data thefts back when he was a still a Korn/Ferry employee dropped. Furthermore, chances are good that a final decision on Nosal’s fate won’t be made until the Supreme Court weighs in. Stay tuned.

Your Friendly Neighborhood C&C Server

Though it would immediately strike me as odd if I, a U.S. resident, had a random message in my inbox from a sender in, say, Croatia, it might not raise an eyebrow for someone in neighboring Slovenia. It’s that thinking that underlies the ratcheting up of cybercriminals’ efforts to evade detection by dispersing their command and control servers so that they are in the same country as the machines they are set up to target. That’s one of the takeaways from a new FireEye report, “The Advanced Cyber Attack Landscape,” released on Tuesday. The report, based on analysis of roughly 12 million messages transmitted between compromised machines and command and control servers, revealed that C&C servers are now located in 184 countries, up from 130 in 2010. But the attackers and victims mostly remained the same. Eleven countries—China, South Korea, India, Japan, Hong Kong, Russia, Romania, Poland, Ukraine, Kazakhstan, and Latvia—are home bases for the machines that conduct 46 percent of cybercrimes. A nearly equal share of C&C servers (44 percent) are located in North America—all the better to take advantage of the fact that, as Kaspersky Lab’s Threatpost puts it, “the U.S. corporate landscape, particularly its wealth of high technology firms, is densely packed with valuable intellectual property, and therefore attackers continue targeting companies based there.”

Servers Give Everyone Network Access

According to a Computerworld article, security firm Rapid7 found more than 114 000 separate instances of network access servers configured in a way that leaves computer systems used to manage critical infrastructure such as traffic lights and fuel pumps vulnerable to tampering. Rapid7 says that most of the vulnerable servers are connected to the Internet with cellular wireless connections and 3G network cards, links that are difficult to shore up. In more than 13 000 cases, “the terminal servers provided a way for anyone on the Internet to gain some form of administrative control of the attached device,” H.D. Moore, Rapid7’s chief research officer, told Computerworld. Moore, who is the author of the study, called “Serial Offenders: Widespread Flaws in Serial Port Servers,” says poorly configured network access servers compromised the security of corporate VPNs, payment information systems, and even a system responsible for monitoring humidity and temperature in oil pipelines.

In Other Cybercrime News…

Oracle is reportedly delaying the release of Java 8 so it can make the fixes needed to rub the tarnish off the software’s reputation and get people told by security experts to disable the vulnerability-plagued code to trust it again. On his personal blog, Mark Reinhold, chief architect of the Java Platform Group, said: “Looking ahead, Oracle is committed to continue fixing security issues at an accelerated pace, to enhance the Java security model, and to introduce new security features. This work will require more engineer hours than we can free up by dropping features from Java 8 or otherwise reducing the scope of the release at this stage.”

The American Civil Liberties Union has asked the U.S. Federal Trade Commission to light a fire under wireless service providers. The ACLU is upset that Android phone users are unnecessarily left vulnerable to attack from hackers because the wireless companies are lax when it comes to distributing fixes for known security flaws.

Photo: Andrejs Zemdega/iStockphoto

The Conversation (0)

Metamaterials Could Solve One of 6G’s Big Problems

There’s plenty of bandwidth available if we use reconfigurable intelligent surfaces

12 min read
An illustration depicting cellphone users at street level in a city, with wireless signals reaching them via reflecting surfaces.

Ground level in a typical urban canyon, shielded by tall buildings, will be inaccessible to some 6G frequencies. Deft placement of reconfigurable intelligent surfaces [yellow] will enable the signals to pervade these areas.

Chris Philpot

For all the tumultuous revolution in wireless technology over the past several decades, there have been a couple of constants. One is the overcrowding of radio bands, and the other is the move to escape that congestion by exploiting higher and higher frequencies. And today, as engineers roll out 5G and plan for 6G wireless, they find themselves at a crossroads: After years of designing superefficient transmitters and receivers, and of compensating for the signal losses at the end points of a radio channel, they’re beginning to realize that they are approaching the practical limits of transmitter and receiver efficiency. From now on, to get high performance as we go to higher frequencies, we will need to engineer the wireless channel itself. But how can we possibly engineer and control a wireless environment, which is determined by a host of factors, many of them random and therefore unpredictable?

Perhaps the most promising solution, right now, is to use reconfigurable intelligent surfaces. These are planar structures typically ranging in size from about 100 square centimeters to about 5 square meters or more, depending on the frequency and other factors. These surfaces use advanced substances called metamaterials to reflect and refract electromagnetic waves. Thin two-dimensional metamaterials, known as metasurfaces, can be designed to sense the local electromagnetic environment and tune the wave’s key properties, such as its amplitude, phase, and polarization, as the wave is reflected or refracted by the surface. So as the waves fall on such a surface, it can alter the incident waves’ direction so as to strengthen the channel. In fact, these metasurfaces can be programmed to make these changes dynamically, reconfiguring the signal in real time in response to changes in the wireless channel. Think of reconfigurable intelligent surfaces as the next evolution of the repeater concept.

Keep Reading ↓Show less