[ISN] Brazil Becomes a Cybercrime Lab

From: InfoSec News (isn@private)
Date: Sun Oct 26 2003 - 23:55:39 PST

  • Next message: InfoSec News: "[ISN] NSA Buys License for Certicom's Encryption Technology"

    Forwarded from: William Knowles <wk@private>
    October 27, 2003
    SÃO PAULO, Brazil, Oct. 26 - With a told-you-so grin, Marcos Flávio 
    Assunção reads out four digits - an Internet banking password - that 
    he has just intercepted as a reporter communicates via laptop with a 
    bank's supposedly secure Web site. 
    "It wouldn't matter if you were on the other side of the world in 
    Malaysia," said Mr. Assunção, a confident 22-year-old. "I could still 
    steal your password."
    While impressive, Mr. Assunção's hacking talents are hardly unique in 
    Brazil, where organized crime is rife and laws to prevent digital 
    crime are few and largely ineffective. The country is becoming a 
    laboratory for cybercrime, with hackers - able to collaborate with 
    relative impunity - specializing in identity and data theft, credit 
    card fraud and piracy, as well as online vandalism.
    "Most of us are hackers, not crackers; good guys just doing it for the 
    challenge, not criminals," Mr. Assunção said. He insisted that he had 
    never put his talents to criminal use, although he acknowledged that 
    at age 14 he once took down an Internet service provider for a weekend 
    after arguing with its owner.
    Across the globe, hackers like to classify themselves as white hats 
    (the good guys) or black hats (the bad guys), said one Brazilian 
    expert, Alessio Fon Melozo, the editorial director of Digerati, which 
    publishes a hacker magazine, H4ck3r: The Magazine of the Digital 
    Underworld. "Here in Brazil, though, there are just various shades of 
    gray," Mr. Melozo said.
    Mr. Assunção has created a security software program for his employer, 
    Defnet, a small Internet consultant in São Paulo.
    The software uses a honey-pot system that can lure and monitor 
    intruders in real time. It also uses techniques to foil "man in the 
    middle" imposters who try to disguise their computers as those of 
    banks or other secure sites. So far, Mr. Assunção has been unable to 
    get an appointment with his target customers: security executives at 
    major banks.
    "They say they have their own security and prefer to turn a blind 
    eye," he said. "But Brazilian hackers are known for our creativity. If 
    things go on like this, there'll be no more bank holdups with guns. 
    All robberies will be done over the Net."
    For the last two years at least, Brazil has been the most active base 
    for Internet ne'er-do-wells, according to mi2g Intelligence Unit, a 
    digital risk consulting firm in London. 
    Last year, the world's 10 most active groups of Internet vandals and 
    criminals were Brazilian, according to mi2g, and included syndicates 
    with names like Breaking Your Security, Virtual Hell and Rooting Your 
    Admin. So far this year, nearly 96,000 overt Internet attacks - ones 
    that are reported, validated or witnessed - have been traced to 
    Brazil. That was more than six times the number of attacks traced to 
    the runner-up, Turkey, mi2g reported last month. 
    Already overburdened in their fight to contain violent crime in cities 
    like São Paulo, Rio de Janeiro and Brasília, police officials are 
    finding it difficult to keep pace with hacker syndicates.
    The 20 officers working for the electronic crime division of the São 
    Paulo police catch about 40 cybercrooks a month. But those criminals 
    account for but a fraction of the "notorious and ever increasing" 
    number of cybercrimes in São Paulo, Brazil's economic capital, said 
    Ronaldo Tossunian, the department's deputy commissioner.
    The São Paulo department's effort is not helped by vague legislation 
    dating back to 1988, well before most Brazilians had even heard of the 
    Internet. Under that law, police officers cannot arrest a hacker 
    merely for breaking into a site, or even distributing a software 
    virus, unless they can prove the action resulted in the commission of 
    a crime. 
    So even after police investigators identified an 18-year-old hacker in 
    Rio de Janeiro, they had to track him for seven months and find 
    evidence that he had actually stolen money from several credit card 
    companies before they could pounce.
    "We don't have the specific legislation for these crimes like they do 
    in America and Europe," Mr. Tossunian said. "Just breaking in isn't 
    enough to make an arrest, which means there's no deterrent."
    In addition, analysts say many businesses, including banks, have been 
    slow to grasp, or refuse to acknowledge, how serious the problem is. 
    Banco Itaú, one of Brazil's largest private banks and the institution 
    from whose site Mr. Assunção filched the password during his 
    demonstration, declined to make someone available to comment. 
    Fabrício Martins, the chief security officer at Nexxy Capital Group, a 
    top provider of Web sites for e-commerce companies, said, "Most 
    businesses here don't take precautions until something bad happens 
    that obliges them to take action."
    Mr. Martins, for example, first reinforced Nexxy's security software 
    after e-mail addresses of online clients were stolen two years ago. 
    Now his is one of 20 software programs for credit card clearing 
    approved by Visa International in Brazil.
    Why are Brazil's hackers so strong and resourceful? Because they have 
    little to fear legally, Mr. Assunção said, adding that hackers here 
    are sociable and share more information than hackers in developed 
    countries. "It's a cultural thing," he said. "I don't see American 
    hackers as willing to share information among themselves."
    Though the expense of owning a computer is prohibitive for most people 
    in this country, where the average wage is less than $300 a month, 
    getting information about hacking is simple. H4ck3r magazine, 
    available at newsstands across the country, sells about 20,000 copies 
    a month.
    Mr. Melozo, the editorial director, rejects any suggestion that H4ck3r 
    teaches Brazilians to commit cybercrime.
    "It is a very fine line, I know," he said. "But what guides us is the 
    principle of informing, educating our readers in a responsible way."
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Oct 27 2003 - 03:05:21 PST