Brazil Becomes a Cybercrime Lab

[Dave Farber <dave () farber net>]

Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Mon, 27 Oct 2003 12:33:03 -0800
From: Dewayne Hendricks <dewayne () warpspeed com>

[Note:  I think the statement below about U.S. hackers not being disposed 
to share information is a bit off the mark.  That being said, here is yet 
another good example as to how developing countries are racing of the 
developed world in one of the oldest professions, crime!  DLH]

Brazil Becomes a Cybercrime Lab
By TONY SMITH
<<http://www.nytimes.com/2003/10/27/technology/27hack.html>http://www.nytimes.com/2003/10/27/technology/27hack.html>

SAN PAULO, Brazil, Oct. 26 - With a told-you-so grin, Marcos Flvio Assuno
reads out four digits - an Internet banking password - that he has just
intercepted as a reporter communicates via laptop with a bank's supposedly
secure Web site.

"It wouldn't matter if you were on the other side of the world in
Malaysia," said Mr. Assuno, a confident 22-year-old. "I could still steal
your password."

While impressive, Mr. Assuno's hacking talents are hardly unique in
Brazil, where organized crime is rife and laws to prevent digital crime
are few and largely ineffective. The country is becoming a laboratory for
cybercrime, with hackers - able to collaborate with relative impunity -
specializing in identity and data theft, credit card fraud and piracy, as
well as online vandalism.

"Most of us are hackers, not crackers; good guys just doing it for the
challenge, not criminals," Mr. Assuno said. He insisted that he had never
put his talents to criminal use, although he acknowledged that at age 14
he once took down an Internet service provider for a weekend after arguing
with its owner.

Across the globe, hackers like to classify themselves as white hats (the
good guys) or black hats (the bad guys), said one Brazilian expert,
Alessio Fon Melozo, the editorial director of Digerati, which publishes a
hacker magazine, H4ck3r: The Magazine of the Digital Underworld. "Here in
Brazil, though, there are just various shades of gray," Mr. Melozo said.

Mr. Assuno has created a security software program for his employer,
Defnet, a small Internet consultant in So Paulo.

The software uses a honey-pot system that can lure and monitor intruders
in real time. It also uses techniques to foil "man in the middle"
imposters who try to disguise their computers as those of banks or other
secure sites. So far, Mr. Assuno has been unable to get an appointment
with his target customers: security executives at major banks.

"They say they have their own security and prefer to turn a blind eye," he
said. "But Brazilian hackers are known for our creativity. If things go on
like this, there'll be no more bank holdups with guns. All robberies will
be done over the Net."

For the last two years at least, Brazil has been the most active base for
Internet ne'er-do-wells, according to mi2g Intelligence Unit, a digital
risk consulting firm in London.

Last year, the world's 10 most active groups of Internet vandals and
criminals were Brazilian, according to mi2g, and included syndicates with
names like Breaking Your Security, Virtual Hell and Rooting Your Admin. So
far this year, nearly 96,000 overt Internet attacks - ones that are
reported, validated or witnessed - have been traced to Brazil. That was
more than six times the number of attacks traced to the runner-up, Turkey,
mi2g reported last month.

Already overburdened in their fight to contain violent crime in cities
like So Paulo, Rio de Janeiro and Braslia, police officials are finding it
difficult to keep pace with hacker syndicates.

The 20 officers working for the electronic crime division of the So Paulo
police catch about 40 cybercrooks a month. But those criminals account for
but a fraction of the "notorious and ever increasing" number of
cybercrimes in So Paulo, Brazil's economic capital, said Ronaldo
Tossunian, the department's deputy commissioner.

The So Paulo department's effort is not helped by vague legislation dating
back to 1988, well before most Brazilians had even heard of the Internet.
Under that law, police officers cannot arrest a hacker merely for breaking
into a site, or even distributing a software virus, unless they can prove
the action resulted in the commission of a crime.

So even after police investigators identified an 18-year-old hacker in Rio
de Janeiro, they had to track him for seven months and find evidence that
he had actually stolen money from several credit card companies before
they could pounce.

"We don't have the specific legislation for these crimes like they do in
America and Europe," Mr. Tossunian said. "Just breaking in isn't enough to
make an arrest, which means there's no deterrent."

In addition, analysts say many businesses, including banks, have been slow
to grasp, or refuse to acknowledge, how serious the problem is. Banco Ita,
one of Brazil's largest private banks and the institution from whose site
Mr. Assuno filched the password during his demonstration, declined to make
someone available to comment.

Fabrcio Martins, the chief security officer at Nexxy Capital Group, a top
provider of Web sites for e-commerce companies, said, "Most businesses
here don't take precautions until something bad happens that obliges them
to take action."

Mr. Martins, for example, first reinforced Nexxy's security software after
e-mail addresses of online clients were stolen two years ago. Now his is
one of 20 software programs for credit card clearing approved by Visa
International in Brazil.

Why are Brazil's hackers so strong and resourceful? Because they have
little to fear legally, Mr. Assuno said, adding that hackers here are
sociable and share more information than hackers in developed countries.
"It's a cultural thing," he said. "I don't see American hackers as willing
to share information among themselves."

Though the expense of owning a computer is prohibitive for most people in
this country, where the average wage is less than $300 a month, getting
information about hacking is simple. H4ck3r magazine, available at
newsstands across the country, sells about 20,000 copies a month.

Mr. Melozo, the editorial director, rejects any suggestion that H4ck3r
teaches Brazilians to commit cybercrime.

"It is a very fine line, I know," he said. "But what guides us is the
principle of informing, educating our readers in a responsible way."

Archives at: <http://Wireless.Com/Dewayne-Net>
Weblog at: <http://weblog.warpspeed.com>

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/