FC: Update on Echelon, cybercrime treaty, FBI's Operation Cyber Loss

[Declan McCullagh <declan () well com>]

**********

From: "Phil Cain" <phil () headstar com>
To: <declan () well com>
Subject: FYI: E-Legality Bulletin, June 2001
Date: Mon, 4 Jun 2001 17:51:46 +0100

Hi Declan

I though you and your list might be interested
to hear of E-Legality Bulletin.

The analysis piece on Echelon may be of particular
interest.

Kind regards

Phil Cain
editor, E-Legality Bulletin
t: +44 1273 231 291

-------------------------------
To subscribe email subs () e-legality org
To unsubscribe email unsubs () e-legality org

Searchable archive of old issues available at:
http://www.e-legality.org
This issue will be archived at the end of the month

E-Legality Bulletin
-Tracking law makers and breakers

Issue 3, June 2001

*CONTENTS

News:
     90 Charged in FBI operation
     CoE to table cybercrime treaty
     US to rethink IT security plan
     Peekabooty poised to launch
     EC launches safety site

Resources
Conference diary

In-depth:
     Analysis: US frustrates EU Echelon investigation
     Feature: Hackers waive the rules

*NEWS:

News: 90 CHARGED IN FBI OPERATION

An FBI crackdown on online crime called 'Operation Cyber Loss' has led to
charges being brought against 90 people who are alleged to have cost 56,000
victims over $117m.

Some of the schemes were uncovered thanks to the Internet Fraud Complaint
Centre (http://www.ifccfbi.gov), a partnership between the FBI and the
National White Collar Crime Centre.

The partners said, "The accomplishments of this operation are a direct
result of the close working relationship law enforcement has developed with
the private sector and e-commerce companies." E-Money company Pay Pal
(http://www.paypal.com) and financial information provider Motley Fool
(http://www.fool.com) were picked as useful informants.

The charges brought include wire fraud, mail fraud, bank fraud, money
laundering and intellectual property violations resulting from evidence of
online auction fraud, non-delivery of items, credit card fraud, bank fraud
and pyramid schemes.

*An Internet Fraud Complaint Centre report released in parallel with the
announcement of the results of Operation Cyber Loss said that Internet
auctions accounted for 64% of all Internet fraud reported.
See: http://www.ifccfbi.gov/strategy/AuctionFraudReport.pdf

News: CoE TO TABLE CYBERCRIME TREATY

A draft convention on cybercrime is due to be handed on to the European
Committee on Crime Problems in mid-June, the final stage before being
submitted to the Council of Ministers for adoption.

The proposed convention, now in its 27th draft, is said to be the first
document of its kind. Signatories agree to a list of undertakings meant to
ensure they meet minimum and compatible standards of cybercrime law
enforcement.

Among the draft's proposals are that signatory countries agree to adopt
legislative measures to allow its authorities to: search and seize stored
computer data, collect or force service providers to collect data in real
time; and agree to assist one another.

Critics are concerned that there is no equivalent treaty to counterbalance
enforcement undertakings with human rights and privacy undertakings.

The draft report can be downloaded from:
http://conventions.coe.int/treaty/EN/cadreprojets.htm

News: US TO RETHINK IT SECURTY PLAN

President George W Bush announced plans to rethink the National Plan for
Cyberspace Security on 9 May, shortly after the publication of a damning
108-page General Accounting Office report.

The GAO report, entitled 'Critical Infrastructure Protection: Significant
Challenges in Developing National Capabilities' [ref: see below], took a
particularly dim view of the FBI's National Infrastructure Protection Centre
(NIPC), recipient of $60m since it was established in 1998.

Among the criticisms were: that the definition of what constitutes a cyber
attack threatening national security is ill-defined; that NIPC hacker
warnings have come too late to prevent significant damage; that there is a
lack of communication between it and other relevant departments; and that
there is insufficient private sector involvement.

The presidential statement indicated that the new cybersecurity plan will
have a greater input from the private sector input and from other government
departments. The planning is being coordinated by the Department of
Commerce's Critical Infrastructure Assurance Office (http://www.ciao.gov).

*The GAO report (ref: GAO-01-323) was released on 25 April and came into the
public domain on 22 May. It can be downloaded from: http://www.gao.gov

News: PEEKABOOTY POISED TO LAUNCH

In July, high-profile hacking fraternity Cult of the Dead Cow will launch
Peekabooty, a browser that allows users to download encrypted files from a
peer-to-peer network similar to Napster's.

According to Cult of the Dead Cow (CDC), Peekabooty will protect users from
political persecution, but the browser could also be used by criminals to
escape detection.

Security company Baltimore was quick to seize the opportunity to promote its
products.
Jonathan Tait said Peekabooty downloads can be prevented because, "The
browser has to point at a server or URL to work, and these addresses will be
listed somewhere."

News: EC LAUNCHES SAFETY SITE

Saferinternet, an European Commission funded web site, went online this
month with the aim of providing a forum to exchange awareness about illegal
and harmful Internet content.

The site (http://www.saferinternet.org) contains links to Internet safety
news, debate and resources for the consumer and information about the
commission's Internet Action Plan, of which the site is a part. The site
also gives organisations a way to solicit partnerships and details of EC
grants to develop filtering software.

The Eu210,000 a year platform was built by Brussels-based ECOTEC which was
formed in December last year following the takeover of NEI Kolpron, based in
Rotterdam, by Birmingham-based ECOTEC Research & Consulting.

Resources:
NET INVESTIGATION: The Coalition for the Prevention of Economic Crime (CPEC)
has published a new guide to using the Internet in investigation and
research.
http://www.ncpec.org/whats_new/cpec_datasheet.pdf
INFORMATION WARFARE: An Australian-based team is calling for papers on
information warfare for a journal due out in September 2001.
http://www.mindsystems.com.au/autt.nsf/pages/infowarfare
MONEY LAUNDERING DATABASE: Moneylaundering.com, launched a searchable
archive of money laundering articles dating back to 1993. To try it out
visit:
http://www.moneylaundering.com/MLAdatabase.htm

Conference diary:
5-6 June - INET 2001: The Internet Society's annual conference covering the
technology, uses, and governance of the Internet. Topics include
intellectual property, peer-to-peer networks and censorship.
See: http://www.isoc.org/inet2001/
6 June - GREEN/EFA RESEARCH FORUM: European Parliament. Preliminary
programme includes a presentation on Infowar by R. Bendrath of Free
University of Berlin and T. Bunyan of Statewatch (UK).
Contact: lvandewalle () europarl eu int
19-20 June: THE INFORMATION SOCIETY: Review of regulatory and public policy
aspects of information society.
See: http://www.emf.be/regul/regul_presentation.htm
2-6 July - CYBERLAW 'SUMMER CAMP': The Berkman Center for Internet and
Society is hosting Internet Law Program covering copyright protection, the
digital distribution of music, free speech and privacy online.
See: http://cyber.law.harvard.edu/ilaw


*IN-DEPTH

Analysis: US FRUSTRATES EU ECHELON INVESTIGATION
By Phil Cain  philcain () e-legality org

The EU team investigating Echelon, an international electronic communication
interception system headed by the US National Security Agency, cut short its
visit to the US this month because it was denied planned meetings with
representatives of the US Advocacy Centre.

The Advocacy Centre was set up by the Department of Commerce in 1993 to help
US firms to win foreign public contracts. Some believe the centre could have
helped pass on economic information picked up by the Echelon network to US
corporations. Proving such exchanges took place is crucial to proving the EU
's contention that Echelon may have significantly damaged EU economies.

Denial of access to the Advocacy Centre meant the investigation team, led by
'rapporteur' Gerhard Schmidt, was unable to verify or discount documents
which suggested the CIA is involved in the Centre's work. Nor could it find
out the identity of five of the 19 agencies the Centre says it works with
but does not name.

US intelligence officials admit to state-sponsored industrial espionage
justifying it by saying it is simply a way to uncover foreign corruption
which put US companies at an unfair disadvantage. In answer reports
published by the EU investigative team this month (see below) say: "It
should be pointed out to the Americans that all EU Member States have
properly functioning criminal justice systems. If there is evidence that
crimes have been committed, the US must leave the task of law enforcement to
the host countries."

The reports, released shortly after the investigation team's untimely return
from the US, said the balance of evidence suggests that the Echelon system
does exist. But it also did not rule out the possibility that France and
Russia may operate similar global surveillance operations but concluded that
there was "insufficient evidence to draw a firm conclusion".

The new documents emphasise the limits technology imposes on the capacity of
any such signal interception system. In particular they pointed out the way
the Internet transmits data means: "Echelon states have access to only a
very limited proportion of Internet communication transmitted by cable."
Satellite and radio transmissions were reckoned to be more likely sources of
Echelon's raw material.

Whatever the medium monitored by the system, the reports conclude the
restricted capacity of computer keyword-matching and the limited number of
intelligence analysts meant the number of messages that could be scanned by
the system would by no means be comprehensive. By way of example the report
pointed out that a comparable German signals intelligence system monitors
only 10% of messages.

The reports also note that a filtering system would be put under significant
extra strain if required to pick up economic key words as well as ones
relating to national security.

The EU reports suggests that participants in the putative Echelon
surveillance network - the US, UK, Canada, Australia and New Zealand - may
have contravened certain international laws, including EC law. Though the EC
Treaty, which sets out the ground rules for the EU, does not cover state
security operations and law and order it does not allow members to spy on
other member's companies.

The report said US privacy law and the EU Charter of Human Rights could not
be used against Echelon, but it noted Article 8 of the European Court of
Human Rights (ECHR) could offer redress to parties injured by Echelon. The
article requires signatory governments to monitor foreign intelligence
services on their territory. The report raises the question about how
diligently the UK and Germany have monitored US intelligence activities on
their territory in the past.

Consequently, the reports states that there is good reason "to call on
Germany and the UK to take their obligations under the ECHR seriously and to
make the authorisation of further intelligence activities by the National
Security Agency on their territory contingent on compliance with the ECHR."

*Sources:
Shortly after the EU investigative team's return a document said to be a
92-page draft report on Echelon written before the US visit was posted on
the Internet.
See: http://cryptome.org/Echelon-ep.htm
And, not long after that an updated 113-page draft was officially released.
See: http://www.fas.org/irp/program/process/prEchelon_en.pdf


Feature: HACKERS WAIVE THE RULES
By Derek Parkinson  derek () e-legality org

Although hacking activity predated the Internet, it is the emergence of the
Internet as a mass-market technology that pumped up the profile of hackers
as a new social menace. But according to some they are certainly not all
bad.

Jeff Taylor, for example, who worked for GEC Marconi on the flight control
software of the Boeing 777 and on UBS Warburg's Microsoft SMS system, says:
"The hacking community is a much needed part of the Internet world. Without
these individuals continually probing the edges of our security, we'd never
know there were holes open to the nastier parts of the community."

Broadly, hackers fall into three groups: so-called 'white hats', the sort
that gain qualified respect from IT professionals; 'black hats' or 'crackers
', who aim not just to identify security holes but to exploit them for a
variety of reasons, among the most common being politics, status, or for
financial gain. The last, largest, and least respected group are the 'script
kiddie', who rely on kits published on the web to build their viruses and
tools.

"There's been an explosion of website defacements, due mainly to script
kiddies picking things up from bulletin boards. They don't know what they're
doing, they're looking for kudos," says Gunter Ollman, principal security
analyst with Internet Security Systems.
In Ollman's view, it's difficult to gauge how much hacking activity has a
criminal purpose: "There's very little information on this but it's clearly
the intent in many attacks such as theft of information, credit card
details, for example."

Despite the lack of hard data, there is growing apprehension that tools and
expertise developed by crackers, published on bulletin boards and eagerly
grabbed by script kiddies, can just as easily fall into the hands of
organized crime. Rumours of well funded and trained East European and
Russian cracker gangs continue to swirl around the Internet.

---New technologies create more targets---

Hackers will have a greater variety of targets to pick from. We can expect
to see more attacks on wireless LANs, often touted as a convenient
alternative to cable networks: "Drive-by hacking is possible now - all you
need is a laptop with a wireless LAN card, which costs you about £80," says
Ollman.

He also picks out home PCs as a likely new target: "The home PC is becoming
a more valuable target because applications like home banking mean that
confidential information like passwords are stored on the hard disk," he
says. Home PCs will also be used by hackers to store 'warez' - pirated
software - without being caught in possession. According to Ollman, trojans
and scanners that seek vulnerable programming interfaces have already been
developed for home PCs, and with the spread of DSL 'always on' connections,
attacks are certain to follow.

Mass attacks are also likely to increase according to Ollman, with
intelligent agents developed to deface sites and multiply, searching for and
installing themselves on vulnerable servers.

Taylor agrees: "Hackers will start to employ artificial intelligence in
their attempts at breaking in. Bots will become the modern version of the
war-dialler of old. They'll be programmed to target specific sites, knocking
continuously to find a way in," he says.

It seems likely that as software agents like bots become more sophisticated,
so they will become more difficult to detect. The signs aren't promising -
according to Chris Roberts, head of IT security at Imperial College London,
we are already losing ground in the fight against viruses: "Traditional
anti-viral software has two stages - fingerprinting and deletion, but
viruses can outsmart fingerprinting by being modified slightly. The only way
of dealing with this is fuzzy matching, but that's not very well developed
at the moment," he says.

---Counter measures---

Whether over-hyped or under-reported, hacking is an issue that cannot be
ignored, but security and law - the two most obvious countermeasures - are
woefully unprepared. According to Professor Roger Needham, MD Microsoft
Research, it is partly a question of attitude: "When people are developing
software, security is not the thing you first think of. Security is a
nuisance - you want to have it but you don't want to pay for it," he says.

Richard Boothroyd, a security consultant with ICL, claims current laws fail
to offer adequate protection: "For example, in the UK, hacking does not
carry strong enough penalties - it's still seen as white-collar crime," he
says. Boothroyd was also downbeat on the prospects for international
collaboration: "Apparently, getting an international law of the sea took 40
years of negotiation."

It is an uncomfortable analogy for those who imagine hackers will one day be
eliminated: The seas were plagued by pirates fore hundreds of years before
maritime law was established, and are certainly not absent from shipping
lanes even today.




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------