[ISN] New rules cut hackers less slack

From: InfoSec News (isn@private)
Date: Tue Nov 04 2003 - 02:40:55 PST

    http://www.denverpost.com/Stories/0,1413,36~33~1739529,00.html
    
    By Jennifer Beauprez
    Denver Post Business Writer
    November 03, 2003 
    
    As attacks on computers get more sophisticated, more dangerous and
    more costly, the bad guys responsible rarely do hard time.
    
    Most people convicted of unleashing malicious code or hacking into
    computers receive sentences of one to three years, or they get
    probation and a warning to stay away from computers.
    
    "It's frustrating," said Eric Smith, who chased down cybercriminals
    for three years as an investigator for the Air Force.
    
    "There were cases that lasted two to three years and nothing ever
    happened to these people," Smith said. "It seems like it's always
    probation. They always slap their wrists."
    
    New federal rules might change that.
    
    On Saturday, federal rules took effect that beef up penalties for
    computer crimes. A person who uses computers to cause death or bodily
    harm - by taking down a power grid or air traffic control towers, for
    instance - could get 20 years to life in prison, under a section of
    the 2002 Homeland Security Act.
    
    "These are for the cyberterrorist, not for the teen hackers," said
    Mark Allenbaugh, former staff attorney for the U.S. Sentencing
    Commission, which makes sentencing rules.
    
    What might make a bigger impact on cybercrime punishment, he said, is
    another law passed in April that may limit a judge's ability to
    "depart," or hand down sentences that are lower than federal
    guidelines.
    
    "It's going to be much harder for hackers to get less serious
    sentences," Allenbaugh said. "Probation may not be an option."
    
    For instance, Allenbaugh said he expects a harsher penalty for the
    author of one of the Blaster worms if he is convicted, instead of
    simply probation or a short jail sentence.
    
    Jeffrey Lee Parsons, 18, is accused of unleashing a version of the
    Blaster computer worm, which spread around the world in six minutes
    using network connections, slowed Internet activity dramatically and
    disrupted business for numerous companies.
    
    "Now, because of the amendment, he is going to get a rather
    significant additional bump, which probably will translate into an
    extra few years," Allenbaugh said.
    
    Many computer crime cases never even make it to a jury, Smith said. In
    some cases, foreign authorities won't extradite suspects, and in others
    the technology is too complex for prosecutors to win.
    
    "Prosecutors, they don't always understand the case and don't think
    they could convince a jury and judge it was a significant crime,"  
    Smith said.
    
    Smith said he thinks judges give more leniency to younger people with
    hopes they can put their computer skills and brains toward something
    good.
    
    "They think, well, it's some misguided kid," he said. "It doesn't
    always work. The kid thinks, 'Wow, I got off.'"
    
    Since 2000, 11 people convicted of breaking into computers or
    unleashing malicious code got probation.
    
    Nineteen were sentenced to one to three years in prison. And just four
    were sentenced to more than four years in prison, according to the
    Department of Justice.
    
    Some of the ex-cons, such as notorious hacker Kevin Mitnick, became
    security consultants upon release or got jobs hacking into companies'
    computers and alerting them to vulnerabilities.
    
    "The fact that you can break the law and then capitalize on it -
    that's the norm, unfortunately, in the computer security field," said
    Drew Fahey, a computer security expert who works with Smith at
    E-Fense, an Alexandria, Va.-based computer security consulting firm
    with offices in Englewood.
    
    Meanwhile, consumers, businesses and government agencies are losing
    out.
    
    Identity theft - sometimes the result of personal information stolen
    from computer databases - is the nation's fastest growing crime.
    
    And corporations are spending billions of dollars fighting off a
    growing number of computer attacks. Each day, five new malicious code
    attacks are unleashed, according to the FBI.
    
    One market research firm, Computer Economics Inc., estimates that the
    recent SoBig virus cost businesses $1 billion. The firm estimates all
    viruses this year have cost companies $13 billion.
    
    As a result, the computer crime caseload at the FBI has grown
    significantly, said Ken McGuire, a computer crimes investigator for
    the FBI.
    
    "Over the past five years, we've gone from 10 to 20 complaints a month
    to 10 to 20 a week," he said.
    
    Yet not everyone believes stiffer prison sentences will ease
    cybercrime.
    
    "For every bad guy we get rid of, there will be more bad guys," said
    Rick Dakin, president of Coalfire Systems Inc., a Superior-based
    computer security consulting firm.
    
    Dakin said companies must be more diligent about protecting their
    systems, deploying network monitoring tools, regularly changing
    passwords and performing risk-assessment tests.
    
    A federal bill could force that to happen.
    
    The bill, introduced this summer by Sen. Dianne Feinstein, D-Calif.,
    requires businesses or government agencies to notify individuals if a
    database has been broken into and personal data has been compromised,
    including Social Security numbers, driver's licenses and credit cards.
    
    A hearing on the legislation will be held Tuesday in a Senate
    judiciary subcommittee.
    
    Under the proposed federal law, the Federal Trade Commission could
    impose fines of up to $5,000 per violation or up to $25,000 per day
    while the violation persists. State attorneys general also may file
    suit to enforce the statute.
    
    A similar California law makes it a criminal offense to not disclose
    such security breaches.
    
    "Over the past year, there have been more cases in which hackers have
    broken into databases," said Scott Gerber, spokesman for Feinstein.  
    "This is a fair and tough enforcement giving Americans more control
    and confidence about the safety of their personal information."
    
    Even if the law passes, businesses may be reluctant to tell anyone
    they've been hacked. Business executives don't want the bad press,
    which can affect their stock prices, their customers' trust or their
    ability to attract employees.
    
    Just one-third of companies hacked last year reported the attacks to
    law enforcement, according to a survey by the Computer Security
    Institute.
    
    "This law says 'you protect it or you tell us,'" said Dakin of
    Coalfire. "What a wicked responsibility. But I don't know another way
    you will force change without going that way."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.