In early July, users of AlphaBay, one of the largest darknet marketplaces, panicked when their go-to supplier of illegal drugs, weapons, and other illicit items unexpectedly vanished from the internet. As is often the case when darknet marketplaces go down, many were wary that the moderators may have purposefully closed the site and made off with shoppers’ money. Though AlphaBay’s moderators quickly took to Reddit to assure users that they were working to restore the site, the internet panic left many wondering more about the mysterious “dark web” and its contents. What is this hidden side of the internet really about? And can any good be found in the dark? Read on to find out.

Deep Web vs. Dark Web

When you go online to browse social media, read the news, or look up directions, you’re using what’s called the “surface web.” While most of us stick to the surface web for our daily use, the truth is that it’s just a sliver of what’s available on the internet.

The deep web, which experts estimate makes up about 90 percent of the internet’s content, is comprised of all the web pages that aren’t accessible through public search engines. Library search engines, government databases, and your personal email account are all examples of pages on the deep web.

Many internet users confuse the deep web with the dark web, but the dark web is actually a tiny subsection of the deep web. It is comprised of all the hidden content existing on darknets, or encrypted networks that require use of specific software or tools to access. Darknets are specially designed to provide anonymity to users, making user presence on the dark web undetectable.

The dark web is best known to the public as a safe haven for salacious and criminal enterprises–the drug and weapons trades, child pornography, and the sale of stolen personal information, like bank accounts. But there are individuals on the dark web with nobler intentions, like whistleblowing. Wikileaks, for example, is a notorious dark web site that allows whistleblowers to anonymously upload classified information to the site. Civilians may also use darknet software to access social media in countries where sites like Facebook and Twitter are banned, or to spread news in times of censorship and political unrest.

How to Use the Dark Web

The most common way to access the dark web is using a free software called Tor, originally short for “The Onion Router,” which allows users to anonymize their web pages and their presence on the internet.

Tor was originally created by U.S. Naval Research Laboratory employees in the mid 1990s, and receives 60 percent of its funding from the U.S. government. It hides users’ IP addresses (the unique code that attaches your internet activity to your computer) by sending traffic from their computer and server to other, random points, “like anonymous bagmen trading briefcases in a parking garage,” according to Wired.

Users of Tor can access the surface web as normal, but can also browse websites that run Tor themselves–that’s where the hidden side of the internet exists. Tor websites don’t have a normal URL like Facebook.com, but instead consist of a jumble of seemingly random letters followed by “.onion,” like wlupld3ptjvsgwqw.onion for Wikileaks. This means that to access a Tor website, you most often need to know the exact web address.

Tor is working on developing its anonymity capabilities even further, Wired reported in January. Tor Project co-founder Nick Mathewson told the tech magazine that software released later this year will allow users to keep their sites completely secret, even from other Tor users.

“Someone can create a hidden service just for you that only you would know about, and the presence of that particular hidden service would be non-discoverable,” Mathewson told Wired. “As a building block, that would provide a much stronger basis for relatively secure and private systems than we’ve had before.”

Who Uses the Dark Web?

Criminals

The anonymous sale and exchange of illegal substances is responsible for most of the dark web’s notoriety. One of the most famous darknet marketplaces is the Silk Road, which was shut down in 2013, only to re-appear in various iterations. Most sites use bitcoin, rather than PayPal or credit cards, for transactions, since the e-currency allows customers to maintain their anonymity.

In June, Interpol launched a digital forensics course for wildlife crime investigators, to crack down on use of the dark web for the illegal trade of ivory and exotic animals.

Hackers have also been known to sell personal information, like login details for bank accounts or email accounts. In March 2015, thousands of active Uber account usernames and passwords were being sold for as little as $1-$5 on darknet marketplaces AlphaBay and ThinkingForward.

Dozens of hitmen are also available for hire on the dark web, but many sites, like BesaMafia, have been proven to be scams, or set up by law enforcement to catch people plotting murder.

“Normal” People

If you are unfamiliar with the dark web, you may be surprised to learn that many of its users are “Average Joes” (i.e. not internet-based arms dealers), who are interested in maintaining their internet privacy for less malicious reasons.

Politicians conducting secret deals, internet stalking victims wishing to keep their location private, and law enforcement officials investigating crimes are a large portion of the dark web’s user population. In a 2016 post on TurboFuture, blogger Dean Walsh noted the absurdity of these various populations interacting with terrorists, cybercriminals, and hackers.

“The fact that so many of the dark web’s users are enemies also leads to a strange dynamic,” Walsh writes. “I was tickled to see website security experts and criminal hackers sharing the same forums to discuss their common interests in computer security whilst hardly recognizing that they are nemeses.”

Activists and Journalists

The anonymity provided by dark web sites can also be a force for justice. Activists have been able to shed light on dire situations while avoiding detection in countries where oppressive regimes prevent civilians from using social media, or otherwise censor content posted on the internet.

Nima Fatemi, an Iranian activist and contributor to the Tor Project, taught friends and family how to use the service during a series of riots and protests in Tehran in 2009. Fatemi told Rolling Stone that Tor allowed him and others to post information about what was actually happening, while state television was “just showing photos of flowers and stuff.” “I found Tor and thought, ‘This is the tool.’ It was peace of mind,” Fatemi told Rolling Stone. “I felt it a duty because so many people outside of Iran had no idea that we were protesting.”

Organizations like the Electronic Frontier Foundation encourage protesters and journalists to use Tor networks to protect their identity. The non-profit news organization ProPublica recently launched a Tor version of its website, which means readers can safely read the publication’s articles undetected. A ProPublica spokesman told Wired that the development will make the website safe for users in locations like China, where heavy government censorship can affect internet content. Facebook also has a Tor version, which it says many of its users access on the regular.

“Wikileaks” Courtesy of Sean MacEntee : License (CC BY 2.0)

Terrorists?

While there is some evidence of ISIS militants and supporters using the dark web and other Tor-protected services to recruit and fund their efforts, researchers at King’s College London found relatively “little militant, extremist presence” on the dark web. Thomas Rid, one of the researchers who co-authored the paper Cryptopolitik and the Darknet, told Quartz that dark web sites are not very useful for quickly and effectively spreading propaganda.

“Hidden services are sometimes slow, and not as stable as you might hope,” Rid said. “So ease of use is not as great as it could be. There are better alternatives.”

Conclusion

When dark web activities make headlines, it’s usually for something nefarious. This criminal side will continue to be newsworthy as the NSA and FBI crack down on illegal darknet marketplaces like the Silk Road, and stolen consumer data on dark web sites. But beyond the child pornography, drug sales, and hitmen for hire, there are activists, journalists, and everyday internet users making use of the dark web. As sites like ProPublica and Facebook turn to Tor for security purposes, the lighter side of the dark web could have its moment in the sun.

Avery Anapol

Avery Anapol is a blogger and freelancer for Law Street Media. She holds a BA in journalism and mass communication from the George Washington University. When she’s not writing, Avery enjoys traveling, reading fiction, cooking, and waking up early. Contact Avery at Staff@LawStreetMedia.com.

The post Unraveling the Dark Web appeared first on Law Street.

Hacking attacks are estimated to cost the global economy a whopping $400 billion each year. With recent attacks on Sony and U.S. Central Command, it seems like nothing online is completely safe. The United States is scrambling to improve cybersecurity and prevent attacks that could otherwise have major impacts on national security, the economy, and personal safety. Here’s what you need to know about cybersecurity policy, government efforts, and what to expect in the future.

What is cybersecurity?

In the increasingly digital world with an ever-growing e-commerce sector, cybersecurity is of vital importance. Cybersecurity is a broad concept that resists a precise definition; it involves protecting computers, networks, programs, and data from cyber threats. Cybersecurity can help protect privacy and prevent unauthorized surveillance and use of electronic data. Examples of cyberattacks include worms, viruses, Trojan horses, phishing, stealing confidential information, and control system attacks. Because of it loose definition, it is hard for the government to regulate how businesses should protect their systems and information. A number of different measures are used to ensure at least a basic level of cybersecurity.

How does cybersecurity work?

Cybersecurity helps to prevent against the risks associated with any cyber attack, which depend on three factors:

1. Removing the threat source. Determining who is attacking can indicate what kind of information or advantage they are seeking to gain. Cyberattacks may be carried out by criminals, spies, hackers, or terrorists, all of whom may do it for different reasons.
2. Addressing vulnerabilities through improving software and employee training. How people are attacking is important in trying to set up the best cybersecurity possible. This can be likened to an arms race between the attackers and defenders. Both try to outsmart the other as the attackers probe for weaknesses in their target. Examples of vulnerabilities include intentional malicious acts by company insiders or supply chain vulnerabilities that can insert malicious software. Previously unknown, “zero day” vulnerabilities are particularly worrisome because they are unknown to the victim. Since they have no known fix and are exploited before the vendor even becomes aware of the problem, they can be very difficult to defend against.
3. Mitigating the damage of an attack. A successful attack may compromise confidentiality, integrity, and even the availability of a system. Cybertheft and cyberespionage might result in the loss of financial or personal information. Often the victims will not even be aware the attack has happened or that  their information has been compromised. Denial-of-service attacks can prevent legitimate users from accessing a server or network resource by interrupting the services. Other attacks such as those on industrial control systems can result in destruction of the equipment they control, such as pumps or generators.

Examples of common cybersecurity features include:

• Firewall: a network security system to control incoming and outgoing network traffic. It acts as a wall or barrier between trusted networks and other untrusted networks.
• Anti-virus software: used to detect and prevent computer threats from malicious software.
• Intrusion Prevention System: examines network traffic flows to prevent vulnerability exploits. It sits behind the firewall to provide a complementary layer of analysis.
• Encryption: involves coding information in such a way that only authorized viewers can read it. This involves encrypting a message using a somewhat random algorithm to generate text that can only be read if decrypted. Encryption is still seen as the best defense to protect data. Specifically, multi-factor authentication involving a two-step verification, used by Gmail and other services, is most secure. These measures (at least for the time being) are near impossible to crack, even for the NSA.

Watch the video for a basic overview of cybersecurity.

What is the role of the federal government in cybersecurity?

Most agree the federal role should include protecting federal cyber systems and assisting in protecting non-federal systems. Most civilians want to know online shopping and banking is secure, and the government has tried to help create a secure cyber environment. According to the Congressional Research Service, federal agencies on average spend more than 10 percent of their annual IT budget on cybersecurity measures.

There are more than 50 statutes that address various issues of cybersecurity. While much legislation has been debated in recent years, no bills have been enacted. The most recent and significant cybersecurity legislation came in 2002 with the passage of the Federal Information Security Management Act (FISMA), which requires each federal agency to implement and report on cybersecurity policies.

Over the past several years, experts and policymakers have shown increasing concern over protecting systems from cyberattacks, which are expected to increase in both severity and frequency in the coming years. Most proposed legislation and executive branch action with regard to cybersecurity focus on immediate needs, such as preventing espionage and reducing the impact of successful attacks. Historically there has been an imbalance between the development of offensive versus defensive capabilities. Coupled with slow adoption of encryption technologies, many programs were vulnerable to attack. While the cybersecurity landscape has improved, needs still exist with regard to long-term challenges relating to design, incentives, and the environment. Overcoming these obstacles in cybersecurity remains a challenge.

Design

Developers of software or networks are typically more focused on features than the security of their product. Focusing primarily on the product’s features makes sense from an economic standpoint; however, shifting the focus away from security makes these products more vulnerable to cyberattacks.

Incentives

The distorted incentives of cybercrime make it hard to prevent. Cybercrime is typically cheap, profitable, and relatively safe for criminals. In contrast, cybersecurity is expensive, often imperfect, and companies can never be certain of the returns on the investments they make in cybersecurity.

Environment

Cybersecurity is a fast-growing technology. Constantly-emerging properties and new threats complicate the cybersecurity environment. It is very difficult for the government or private companies to keep up with the pace of changing technology used in cyberattacks. What laws and policies do exist are almost always out of date given the rapid pace of change in cybersecurity.

Watch the video below for an overview of the difficulties of cybersecurity policy.

Has President Obama taken any action on cybersecurity?

With recent attacks and data breaches at Sony, Target, Home Depot, and the Pentagon’s Central Command, the need for toughened cybersecurity laws has been highlighted. Cybersecurity is an issue where both sides of the political aisle see the need to work together. It is clear that a comprehensive policy playbook is needed to guide the government’s response to such serious cyberattacks.

On January 13, 2015, President Obama announced a new cybersecurity legislative proposal, which consists of three parts:

1. Enabling cybersecurity information sharing: The proposal enhances collaboration and cybersecurity information within the private sector and between the private sector and the government. The proposal calls for the private sector to share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). Sharing information about cyber threats with the NCCIC would shield companies from liability. The bill would require the Department of Homeland Security to share threat information as quickly as possible with other agencies like the FBI or NSA. The proposal would also require private entities to comply with privacy restrictions like removing unnecessary personal information and taking measures to protect any personal information that must be shared.
2. Modernizing law enforcement authorities to fight cybercrime: This ensures that law enforcement has the proper tools to investigate and prosecute cybercrime. These provisions would criminalize the sale of stolen U.S. financial data, expand authority to deter selling of spyware, and shutdown programs engaged in denial-of-service attacks. Other components criminalize various cybercrimes.
3. National data breach reporting: Many state laws require businesses that have suffered from breaches of consumer information to notify consumers. The proposed legislation would simplify and standardize these existing state laws. The proposal would also put in place a timely notice requirement to ensure companies notify their customers about security breaches.

Watch the following video for an outline of President Obama’s plan.

On January 16, 2015, President Obama and British Prime Minister David Cameron promised to cooperate with regard to cybersecurity. Cameron expressed concerns about encryption technologies that might make it easier for would-be terrorists to avoid detection. Cameron hopes to outlaw certain forms of encryption. President Obama did not as easily dismiss privacy concerns, but did state that he believes the government can do a better job of balancing both privacy and security.

Why is it hard to implement effective cybersecurity policy?

Congress has tried for years to pass legislation encouraging companies to share information from cyberattacks with the government and with each other; however, liability issues and privacy concerns stopped such laws from passing. Many privacy advocates are speaking out against President Obama’s proposed legislation for the same reasons. They fear that such information-sharing legislation could further the government’s surveillance powers. Some groups caution that substantial National Security Agency reform should come before considering any information-sharing bill. Privacy concerns such as these have made it difficult to pass cybersecurity packages in Congress in the past; however, the recent Sony attack may prove to be a game changer in passing new cybersecurity bills.

Even if President Obama and Congress can implement the above changes, it will still be difficult for the government to enact more effective policy changes. Technology can easily mask the identity or location of those organizing cyberattacks. This can make identifying and prosecuting those responsible near impossible. Justifying an appropriate response to attacks is even harder.

Legislatures and citizens also tend to be kept in the dark due to extreme security regarding a country’s cyber capabilities. Edward Snowden’s revelations about the NSA sparked public interest in cybersecurity and in the extent of the government’s capabilities. But still, information regarding the U.S.’ cyber policies remains classified and not open to general discussion. Without transparency, it is hard to exercise oversight or explain to the public the government’s cybersecurity activities.

Critics also contend that President Obama’s proposal leaves large gaps in cybersecurity policy. The policy fails to establish ground rules for responding to cyber attacks once they have occurred and it remains unclear how the United States might respond to cyberattacks against government networks or even private sector entities like Sony. While attacks may be criminalized, prosecuting these cases with limited evidence is difficult.

A recently uncovered 2009 U.S. cybersecurity report warned that the government was being left vulnerable to online attacks because encryption technologies were not being implemented fast enough. While the country has come a long way since 2009 there is still much room for improvement. A 2015 review of the Department of Homeland Security stated that:

DHS spends more than $700 million annually to lead the federal government’s efforts on cybersecurity, but struggles to protect itself and cannot protect federal and civilian networks from the most serious cyber attacks.

Conclusion

More needs to be done in the realm of cybersecurity to prevent against cyberattacks. While less legislation may have worked in the past, the scale of recent cyberattacks shows the vast potential for damage to the government, companies, and individuals. President Obama’s recent proposal may be a good start, but more long-term policies are needed to protect citizens from serious cyberattacks. No cybersecurity solution is permanent, so public policy must constantly evolve to suit the needs of its citizens in the cyber realm.

Resources

Primary

Department of Homeland Security: Federal Information Security Management Act

White House: Securing Our Cyberspace: President Obama’s New Steps

Homeland Security and Governmental Affairs Committee: A Review of Missions and Performance

Additional

Congressional Research Service: Cybersecurity Issues and Challenges

National Journal: Obama’s New Cybersecurity Proposal Facing Skepticism

UMUC: Cybersecurity Primer

Forbes: Why a Global Security Playbook is Critical Post-Sony

Guardian: Secret U.S. Cybersecurity Report

Reuters: Obama Seeks Enhanced Cybersecurity Laws to Fight Hackers

NPR: Obama, Cameron Promise to Cooperate on Cybersecurity

Yahoo: Obama Says Hacks Show Need for Cybersecurity Law

Huffington Post: What’s Wrong with America’s Cybersecurity Policy?

Alexandra Stembaugh

Alexandra Stembaugh graduated from the University of Notre Dame studying Economics and English. She plans to go on to law school in the future. Her interests include economic policy, criminal justice, and political dramas. Contact Alexandra at staff@LawStreetMedia.com.

The post Cybersecurity: Will We Ever Be Safe? appeared first on Law Street.

An international operation led by the United States caught a group of cyber criminals spearheading the largest cyber crime ring yet, one that infected approximately 500,000 to one million PCs globally. The group of cyber criminals, allegedly led by Russian national Evgeniy Mikhaylovich Bogachev who went by the aliases “lucky12345” and “slavic,” stole approximately $100 million from individuals and businesses worldwide starting in 2007. The botnet, which is a group of infected computers under the control of someone other than their owners, went by the name GOZ, short for Gameover Zeus, and mainly targeted bank accounts and credentials. A couple of notable targeted by GOZ are Bank of Georgetown and Capital One.

Their main goal was to monetize the investment they made into getting into your machine, they were absolutely after dollars, pounds and euros.

-Dell Employee Don Smith

How did Gameover Zeus do it?

Generally, the GOZ hackers ensnared targets and obtained secure information by using infected emails via a process known as “phishing.” Computer users would receive legitimate-looking email messages claiming to be from a trusted bank stating that there was a problem with one of their prior financial transactions. Once the computer owner unknowingly downloaded the malware after opening the email and clicking a link, it began a targeted search for financial information stored on the machine. The Gameover Zeus virus was initially spread by one of the largest botnets known called Cutwail, which popped up on the cybercrime scene in 2007 and is mostly involved with sending email messages containing viruses. In 2009, the Cutwail botnet contained the largest known number of infected machines.

The cyber crime ring also distributed malware called CryptoLocker, a form of what is known as ransomware, which makes data of a computer inaccessible to its user, claiming to only unlock their machine after receiving payment of as much as $700. The GOZ botnet in particular was so tricky to take down due to various components- namely, its advanced ability to hide the location of its servers via data encryption.

The Demise of the Crime Ring

Members of several organizations worldwide including the U.S. Department of Homeland Security, Intel Corp, Carnegie Mellon University and Microsoft Corp had been tracking the activity of GOZ since it first appeared on the scene in 2007, well before they were able to take action and put an end to their criminal operations. The monitoring of the cybercrime ring was completely secretive until they commenced “Operation Tovar,” which shut down the operations of the computers involved in spreading the viruses. United States organizations, mainly the FBI and the aforementioned companies, collaborated with Europol and the UK’s National Crime Agency to initiate a virtual ambush on Gameover Zeus. Authorities ended the cybercrime ring’s operations by shutting down the servers they were using to control the computers infected with its viruses.

Bogachev, believed to be the ringleader of the GOZ operation, is thought to be residing in Russia and has been added to the FBI’s Cyber Most Wanted List. Various publications including the International Business Times warned residents of the UK that despite the ending of the operations of the cybercrime ring, they may be able to regroup within two weeks and begin infecting machines once again. To keep their machines safe from future cyber attacks, experts urge computer users to install or update their security software and change passwords on important accounts.

—

Marisa Mostek (@MarisaJ44) loves globetrotting and writing, so she is living the dream by writing while living abroad in Japan and working as an English teacher. Marisa received her undergraduate degree from the University of Colorado in Boulder and a certificate in journalism from UCLA. Contact Marisa at staff@LawStreetMedia.com.

Featured Image Courtesy of [geralt via Pixabay]

Marisa Mostek

Marisa Mostek loves globetrotting and writing, so she is living the dream by writing while living abroad in Japan and working as an English teacher. Marisa received her undergraduate degree from the University of Colorado in Boulder and a certificate in journalism from UCLA. Contact Marisa at staff@LawStreetMedia.com.

The post World’s Largest Cyber Crime Ring Disbanded appeared first on Law Street.

The Internet Crime Complaint Center (IC3) recently released a report with a stunning conclusion: people are losing more money to internet scammers than ever before. In its 14th year of operation, the IC3 released the 2013 Internet Crime Report, which shows a “48.8 percent increase in reported losses since 2012.”

What are these crimes, who are they targeting, and what is causing the sudden surge in reported losses?

What is the IC3?

The IC3 is a partnership between the  Federal Bureau of Investigation and the National White Collar Crime Center (NWC3). It acts as a reporting mechanism for victims of online crime as well as a resource for law enforcement at many levels. Each year it releases a detailed annual report on cybercrime.

In the 2013 report the IC3 stated, “criminals continue to use a variety of scams to defraud Internet users,” making it clear that the online crime picture is a diverse one. It’s important to analyze precisely for this reason. There were 262,813 complaints received, of which roughly half of the victims reported financial loss. These losses totaled almost $800 million.

What are the Cybercrimes?

The 2013 report breaks down the different types and methods of cybercrimes. Vehicle fraud, for example, is one of the most prevalent forms. Trying to buy cars from scammers has cost over 1,400 people an average of $3,640 per incident. Perpetrators who pose as FBI agents have cost victims $6,348,881 in total. Cybercriminals can also defraud victims by pretending to sell real estate, producing ransomware or scareware, and even threatening to carry out jobs as hit men.

Surprisingly, romance scamming has caused the highest average losses for its victims. These scams involve a falsified online romantic relationship and cost the average victim about $12,756. By professing love and enticing victims to send financial assistance, romance scammers generally target “people aged 40 years and older, divorced, widowed, disabled, and often elderly,” the report said.

The targets of cybercrimes are primarily middle-aged. For years now the largest demographic has been the 40-59 year old age group, consistently making up over 40 percent of victims of online crime. The extreme age demographics, those under 20 and over 60, are both affected much less, as they make up just over 3 percent and just over 15 percent of victims, respectively. One possible explanation is that those who have grown up with the internet navigate its criminal spaces more carefully, while many of the elderly are simply not online.

What has been happening with Cybercrime?

Although each demographics’ share of cybercrime victims has remained relatively stable, the reported losses have been far from static. An increase of almost 50 percent from 2012 to 2013 demonstrates a wildly changing environment for online crime. While this spike may suggest that the IC3 has been receiving more complaints, its reports indicate otherwise. Each listed demographic actually reported fewer complaints in the previous year. Financial losses per complaint must be rising.

While there was nearly a 22 percent decrease from the number of complaints in 2009 to 2013, the IC3’s reported losses rose from $559.7 million in 2009 to over $781.8 million in 2013. Among those who reported any financial loss, the average loss increased from about $5,500 to well over $6,000 between 2009 and 2013. It seems as though the increased reported losses do not reflect a greater public knowledge of the IC3 and an increased number of reports. Instead, the decrease in actual complaints coupled with the increase in average reported losses suggests that internet scamming may be more lucrative than it has ever been.

As are all sources of criminal information, the IC3 is limited. It relies on the victim filing a complaint through the IC3, and as with all crimes, many cases will go unreported. Unfortunately, it stands alone in its domain. Other data collection systems like the Uniform Crime Reports aggregate data from law enforcement agencies, not from the victims themselves. The National Crime Victimization Survey (NCVS) uses surveys to determine victimization, but does not focus on internet crime. It asks young people about cyber bullying and has compiled a report specifically on identity theft. Aside from these questions, it appears that the NCVS fails to collect information about cybercrime. However if, cybercrime is paying more, then the IC3 and similar programs should be supported as much as possible.

[IC3 Report]

—

Jake Ephros (@JakeEphros)

Featured image courtesy of [EP Technology via Flickr]

Jake Ephros

Jake Ephros is a native of Montclair, New Jersey where he volunteered for political campaigns from a young age. He studies Political Science, Economics, and Philosophy at American University and looks forward to a career built around political activism, through journalism, organizing, or the government. Contact Jake at staff@LawStreetMedia.com.

The post Who Said (Cyber)crime Doesn’t Pay? appeared first on Law Street.

The recent attack on the New York Times by a group of Chinese Hackers has once again brought the issue of cybercrimes to the forefront of the nation’s consciousness, serving as a forceful reminder to the United States Government that computer-based crime is something that they can no longer afford to ignore.

Just last year, the Internet Crime Complaint Center (IC3) received 262,813 complaints from consumers who collectively lost more than $781 million in losses. This number represents a 48.8 percent increase in losses from 2012, and while the data is not yet available for 2014, it seems apparent that cybercrime is a very real problem for thousands of Americans, and it is not going anywhere anytime soon.

In fact, the United States leads the world in the number of complaints related to internet crime, monopolizing a whopping 90.63 percent of all complaints worldwide. Despite this not-so-prestigious position, legislation has not been able to keep pace alongside the rapid advance of technology, and there is a great deal of ambiguity on just how the perpetrators of cybercrimes should be punished.

Some people argue that the sentences for cybercrimes are far too lenient, often allowing for criminals to profit from their crimes and failing to deter other criminals from committing similar offenses. For example, Albert Gonzalez, the perpetrator of the infamous hacking of TJX Companies, was only sentenced to serve two concurrent 20 year sentences in prison. This means that despite the fact that he had stolen credit and debit card numbers from approximately 45.6 million people, he could be out of prison by 2025 if he is on his best behavior.

Had Gonzalez committed the equivalent of this crime in the real world (for example, robbing a bank for the money he stole, or physically stealing 45.6 million credit/debit cards from their rightful owners) he would most likely be in prison for the rest of his life. Yet despite the fact that the damage done inestimably larger than if he had committed his crime in the real world, the punishment is somehow less severe even though his actions quite literally affected the lives of millions.

Perhaps these discrepancies are what led the push for harsher maximum sentences for cybercrimes, or maybe it was a direct response to a flawed report released from  MacAfee stating that cybercrime costs the United States economy about $1 trillion a year (though that number was later amended to somewhere around $140 billion). Whatever the reason, there is now the fear that the government has gone too far in light of recent reforms meant to intimidate cybercriminals.

The Electronic Frontier Foundation (EFF) is a San-Francisco based group that believes that legislation such as the Computer Fraud and Abuse Act (CFAA) is too broad and vague to be fair, imposing harsh maximums on relatively harmless crimes. They advocate for changes in the legislation, stating that more precise language is needed in order to protect relatively harmless offenders from harsh and lengthy prison sentences and fines.

For example, the recently deceased Aaron Swartz faced 13 felony counts of hacking and wire fraud at the age of 26 simply because he used MIT’S computer network to download millions of articles from JSTOR without permission. Despite the fact that the crime was non-violent and relatively harmless, Swartz faced both the possibility of decades of jail time and backbreaking fines for those illegal downloads, a sharp contrast to violent crimes that carry much lighter sentences.

It seems inherently illogical that in today’s society that illegal downloads should carry a higher maximum sentence than violent crimes such as rape. Yet it also seems impractical that someone who steals millions of dollars from credit and debit cards should be in jail for less time than if they had gone through the trouble to physically rob a bank.

To say the least, cybercrime sentencing is an issue that needs a lot more exploration than it has currently been given. Current laws may even require new sentencing guidelines made specifically to accommodate internet crime. Cybercrimes fail to be contained within traditional modes of sentencing and punishment, and often the sentences given seem to be too harsh or too lenient to fit the crime.

Donald R. Mason, a professor at the University Of Mississippi School Of Law, suggests that more attention needs to be focused on post-conviction matters such as sentencing and victim impact, as well as alternative resolutions that are tailored to meet the complex issues raised by the complex nature of these crimes.

For example, if the motivations for cybercriminals are radically different from the motivations of traditional criminals, the existing models may no longer serve as effective deterrents to crime. Along those same lines, if the scope of internet victimization is hard to measure or not detectable until long after the incident occurs, traditional models of measuring harm may no longer be applicable or effective either.

Though much attention has been given up to this point on the subject of detecting, apprehending, and prosecuting cybercriminals, more attention needs to be paid to what happens next. Doing so is the only way to ensure that the punishment truly does fit the cybercrime, and that the victims of these offenses receive the justice they deserve.

Nicole Roberts

Nicole Roberts a student at American University majoring in Justice, Law, and Society with a minor in Mandarin Chinese. She has a strong interest in law and policymaking, and is active in homeless rights advocacy as well as several other social justice movements. Contact Nicole at staff@LawStreetMedia.com.

The post Cybercrimes: Does the Punishment Actually Fit the Crime? appeared first on Law Street.

Citizens of the UK have just two weeks to protect themselves from a dangerous computer virus that could potentially give hackers access to their personal information and cost the country billions of pounds. The National Crime Agency (NCA) said in a statement that they urge citizens to protect themselves from any malicious software by updating their anti-virus software and running frequent scans on their computers. UK based internet awareness group Get Safe Online said, “This warning is not intended to give you panic, but we cannot over-stress the importance of taking these steps immediately.”

The announcement comes after the FBI successfully stopped a group of hackers who were holding peoples personal information hostage, but the disruption is only temporary. The viruses are known as GOZeuS and CryptoLocker, and each is incredibly harmful and can invade your email, bank accounts, and other personal information.

GOZeuS hides itself within email attachments, and when opened can give hackers access to your computer. CryptoLocker is a secondary virus that activates if no valuable information is detected. This virus locks the computer from the user and does not give back access until a ransom is paid. If the victims do not pay on time, they lose the ability to do so and risk having their data permanently encrypted.

Hackers usually demand $300 to $700, typically requested in bitcoins. Andy Archibald, Deputy Director of the NCA’s National Cyber Crime Unit, said: “Nobody wants their personal financial details, business information or photographs of loved ones to be stolen or held to ransom by criminals. By making use of this two-week window, huge numbers of people in the UK can stop that from happening to them.”

Cybercrime is often overlooked and seen as a laughable crime to be affected by, but its seriousness is very real. According to the Internet Crime Complaint Center (IC3) there were 262,813 reports of cybercrime last year, resulting in the losses over $781 million.

The IC3 became aware of the malicious CryptoLock in October of 2013 and have since become more knowledgeable of the malware and how it operates. The virus is so intricately designed that it is nearly impossible to completely wipe out.

Whether you find online security complicated, boring, or useless, now is the time to take action as cybercrimes are prevalent and could cost you immensely. There are numerous places where you can find cyber security help if you don’t know where to start.

Get Safe Online is a UK based website that focuses on providing information on online safety. According to its website it is “a unique resource providing practical advice on how to protect yourself, your computers, and mobile devices against fraud, identity theft, viruses and many other problems encountered online.” There are plenty of similar resources like Get Safe Online in America as well. US-Cert stands for United States Computer Emergency Readiness Team, which deals with major incidents, analyze threats, and exchange critical cyber security information with other trusted outlets.

The criminals committing cybercrimes are much smarter than your average criminal and are highly skilled in the art of staying anonymous. To keep you and your personal information safe, it is vital that you update your security software as often as possible and think twice before clicking on links or attachments from strange emails.

[Get Safe Online]

—

Trevor Smith

Featured image courtesy of [Don Hankins via Flickr]

Trevor Smith

Trevor Smith is a homegrown DMVer studying Journalism and Graphic Design at American University. Upon graduating he has hopes to work for the US State Department so that he can travel, learn, and make money at the same time. Contact Trevor at staff@LawStreetMedia.com.

The post UK Citizens Face Massive Online Threat appeared first on Law Street.

Security breaches among major companies such as Target, eBay, and Neiman Marcus dominated news headlines this past year and led many to wonder about the safety of the information stored with organizations throughout the United States. The statistics from the May 2014 US State of Cybercrime Survey are far from reassuring.

The survey, a combined effort of PwC, CSO magazine, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the US Secret Service, states that the number of cybercrime incidents and the fiscal losses they incur are rapidly rising. The findings reveal that this is mainly because the companies could not adequately defend themselves from cyber-attacks. According to the 2014 survey, the top five methods for cyber-attacks involve malware, phishing (the attempt to acquire sensitive information such as usernames or passwords), network interruption, spyware, and denial-of-services attacks.

The report covered information from 500 different corporations and government agencies, including law enforcement, and stated that “three out of four had had some kind of security breach just in the last year, and the average number of incidents per organization was 135.”

Fourteen percent of those surveyed reported that monetary losses attributed to cybercrime have increased in the past year. The actual costs are generally not known, as the majority of those who reported a cyber attack were unable to estimate the associated financial costs. Of the few survey respondents that could, the average yearly loss was around $415,000. Businesses are beginning to feel that cyber security is an issue that is out of their control and that cyber attacks are costing them an increasing amount of money.

 Why the Rising Rate?

One of the major problems associated with the rising rate of cybercrime is that few companies, only 38% according to the survey, are adequately prepared to combat cybercrime. These rising rates are not simply due to inadequate defenses, but also increasingly sophisticated techniques used by cyber criminals. According to an article on Time.com, the most pertinent threats to cyber security in the United States come from Syria, Iran, China and Russia.

There are two kinds of big companies in the United States: those who’ve been hacked by the Chinese and those who don’t yet know that they’ve been hacked by the Chinese.

-FBI Director James Comey

The 2014 report lists major reasons why these attacks are on the rise. It claims that a few reasons are that most organizations do not spend enough on cybersecurity and do not properly understand cyber security risks. According to the survey, there is also a lack of collaboration among companies that have experienced a breach or other form of cyber attack, specifically that “82% of companies with strong protection against cybercrime collaborate with others to strengthen their defenses.” Other pertinent issues leading to increased cybercrime are insufficient security of mobile devices and lack of proper evaluation of attacks within organizations.

What can be Done to Lower the Rate of Cyber Attacks?

According to the 2014 survey, one major way for corporations and agencies to prevent cybercrime is through company-wide employee training which has been shown to be effective but is no currently used frequently enough. According to an article on CSO’s website, many organizations aren’t running information security training programs that are up to date. The 2014 survey recommends that the main focus of companies should be protecting the private financial information of their consumers. Perhaps as companies continue to strengthen the efforts of their cybersecurities, the rate of attacks from online adversaries will begin to lower, causing the 2015 report to reflect a decrease in cybercrime.

—

Marisa Mostek (@MarisaJ44) loves globetrotting and writing, so she is living the dream by writing while living abroad in Japan and working as an English teacher. Marisa received her undergraduate degree from the University of Colorado in Boulder and a certificate in journalism from UCLA. Contact Marisa at staff@LawStreetMedia.com.

Featured image courtesy of [geralt via Pixabay]

Marisa Mostek

Marisa Mostek loves globetrotting and writing, so she is living the dream by writing while living abroad in Japan and working as an English teacher. Marisa received her undergraduate degree from the University of Colorado in Boulder and a certificate in journalism from UCLA. Contact Marisa at staff@LawStreetMedia.com.

The post Criminals Availing in Cyberspace appeared first on Law Street.

In the 21st century, many people do not consider how vulnerable their high-tech gadgets are to outside hackers. Information can be stolen at the swipe of a password, and it will take some time before you notice anything is wrong. The same can be said for governments fighting to stay on top of the latest technologies — especially the type that can help defend them against various enemies. These enemies, however, are no longer those we traditionally think of (‘evil’ governments and terrorists), at least not for our elected officials. In fact, the challenge of our time according to many top feds and military officers, is defending against cybercrime.

Following the hacking onslaught against retail giant Target, the Federal Bureau of Investigation (FBI) warned that more attacks are on the way, considering the attraction for additional cyber criminals to score easy money off of unsuspecting businesses. According to a paper released by the Ponemon Institute in 2012, cybercrimes cost businesses at least $8.9 million annually , and if they do not modernize security practices soon, hackers may get away with a lot more than just someone’s credit card information.

The National Institute of Standards and Technology (NIST), a federal technology agency, released a 39-page report on Wednesday to set industry standards implementing adequate protections so that businesses do not continue to get hit with hacking attacks from all over the globe. The report itself focuses on three main points:

1. Framework Core: “A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors…that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.”
2. Framework Implementation Tiers: “Provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which a organization’s cybersecurity risk management practices exhibit the characteristics defined in the framework.”
   
3. Framework Profile: “The alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity.” 

Even though the goals are well-intentioned, the fact the report comes out of an executive order from the President could throw a wrench into the implementation within Congress, as the members are already at odds as to whether or not the President should have more freedom interpreting legislation. However, there may still be a shot at cooperation between the two branches on this front, as business executives continue to pressure lawmakers at cybercrime hearings.

And they may not have a choice but to work together, as Joint Chiefs of Staff Chairman Martin Dempsey explained at a speech in June 2013 that “strengthening our cyber defenses on military systems is critically important, but it’s not enough in order to defend the nation.” Citing an investment of $23 billion into cyberdefense, four thousand new Cyber Command recruits, and three new teams focusing on defense of the nation, battlefield commands, and global military networks, Chairman Dempsey indicated that the United States is mounting intimidating offenses but that the country has a lot of catching up to do. In another hearing in February 2012, Senator Lindsey Graham inquired of Dempsey about cyberattack threats from China, often an alleged source of hacking. In response, the Joint Chiefs Chairman replied that China’s hacking seems to target intellectual property and trade secrets more than anything else, but if they were to attack the United States’ infrastructure, they should expect a similar response.

As major nations all around the globe come to grips over the rising tide of cybercrime, the United States is most certainly ramping up its defenses. While military leaders warn that what we have in store is not enough, federal officials continue to release new indicators that they’re serious about tackling the issue. Despite all of the rhetoric, business leaders in the nation continue to experience cyber crimes, having their secrets stolen and clientele information hacked. There is still a lot of work to be done if the United States is going to be ready for a future of relentless cybercrime.

—

Dennis Futoryan (@dfutoryan) is an undergrad with an eye on a bright future in the federal government. Living in New York, he seeks to understand how to solve the problematic issues plaguing Gothamites, as well as educating the youngest generations on the most important issues of the day.

Featured image courtesy of [elhombredenegro via Flickr]

Dennis Futoryan

Dennis Futoryan is a 23-year old New York Law School student who has his sights set on constitutional and public interest law. Whenever he gets a chance to breathe from his law school work, Dennis can be found scouring social media and examining current events to educate others about what’s going on in our world. Contact Dennis at staff@LawStreetMedia.com.

The post Is America Ready to Fight Cybercrime? appeared first on Law Street.