Vulnerabilities / Threats // Advanced Threats
7/16/2014 03:30 PM

Senate Hearing Calls For Changes To Cybercrime Law

In the wake of Microsoft's seizure of No-IP servers and domains, private and public sector representatives met to discuss what can be done to address the problem of botnets.

Panelists at a Senate Judiciary Committee hearing yesterday called for changes to the Computer Fraud and Abuse Act (CFAA) and other legislation that addresses cybercrime. The hearing, titled "Taking Down Botnets: Public and Private Efforts to Disrupt and Dismantle Cybercriminal Networks," was organized in the wake of Microsoft's botnet takedown, which also took down some non-criminal customers of No-IP.

The conversation was about fighting botnets in general -- No-IP itself was never mentioned by name. It was, however, briefly implied by panelist Craig D. Spiezle, executive director and founder of the Online Trust Alliance:

Botnet take-downs and related efforts need to be taken with care and respect to three major considerations: the risk of collateral damage to innocent third parties, errors in identifying targets for mitigation, and respecting users’ privacy. For example, taking down an entire web hoster because they have a handful of bad customers may be an example of unacceptable collateral damage. At the same time hosters and ISPs cannot hide behind bad actors and must take reasonable steps to help prevent the harboring of criminals and enabling cybercrime activity.

The panel also included Richard Domingues Boscovich, assistant general counsel of Microsoft's Digital Crimes Unit, which led the seizure of No-IP servers and domains.

"Microsoft’s philosophy to fighting botnets is simple. We aim for their wallets," he said. "We disrupt botnets by undermining cyber criminals’ ability to profit from malicious attacks."

However, going after "their wallets" is not always easy. Security professionals (in tandem with law enforcement) can use technological means to disrupt criminal infrastructure, but when it comes to prosecuting the perpetrators at the center of that black market, the law can fall short.

Therefore, Domingues Boscovich expressed support for some of the law amendments proposed by panelist Leslie Caldwell, assistant attorney general of the US Department of Justice's Criminal Division.

One of Caldwell's suggestions: Add a piece to the CFAA -- which has not been amended since 2008 -- that directly criminalizes the trafficking of botnets. That way the people selling the botnets for other people to use could also be held accountable for their role in the criminal infrastructure.

Another suggestion was to amend the Access Device Fraud statute. The statute currently allows prosecutors to bring charges against the perpetrators of phishing and credit card fraud schemes if they're based in the United States, but does not apply to offenders in foreign countries. Caldwell recommends that the overseas sale of stolen US financial information be criminalized.

Another suggestion is to amend the CFAA to eliminate the requirement to prove intent to defraud. As Caldwell explained, "Such intent is often difficult -- if not impossible -- to prove because the traffickers of unauthorized access to computers often have a wrongful purpose other than the commission of fraud. Indeed, sometimes they may not know or care why their customers are seeking unauthorized access to other people’s computers."

Any suggestion to remove the need to prove intent, however, gets tricky.

Other elements of the CFAA do not require the prosecution to prove a defendant's intent to do harm. This is particularly dangerous for security researchers -- web researchers in particular -- because some of their work can be considered criminal, punishable by jail time, if they don't have consent to access the property (the servers) of others.

That raises another question: What does "access" mean? The panelists discussed this as well. Common law that defines words like "access" and "trespass" was created centuries ago, far before the Internet or botnets were thought of. The panelists said that common law needs to be updated for the 21st century so that it can prosecute (or not prosecute, as the case may be) those people who break cybercrime laws.

Another snag: The Internet is borderless, but laws have many borders. This is one reason international cooperation among law enforcement agencies is so essential to taking down botnets and other cyber criminals.

"One factor has harmed our relationships with foreign law enforcement agencies, however," said Caldwell, "our inability to rapidly respond to foreign requests for electronic evidence located in the United States. Our capacity to do so simply has not kept up with the demand."

She said the DoJ needs more staff and more training to adequately keep up with that demand.

US Senator Sheldon Whitehouse (D-RI) led the panel. He asked the panel of private sector representatives whether or not private sector litigators could use civil measures to complement the government's efforts to bring criminal suits against perpetrators. The panelists were not enthusiastic about the idea.

Yet there are other measures the private sector can take to address cybercrime -- ones that don't require the law at all.

Paul Vixie, CEO of Farsight Security (and Internet pioneer), was also on the panel, and he took aim at the technology industry's practice of pushing products out to market before they're truly ready.

"We would need to somehow address the lack of testing," he said. "We have got to test the way the bad guys do." Vixie also recommended retiring the use of some outdated programming languages and possibly using underwriters to enforce testing standards; he does not see underwriting as a government role.

Despite discussions of expanding the ability of both public and private sector entities to take down criminals, No-IP's CEO and founder, Dan Durrer, was pleased with yesterday's hearing:

The legislative process around these issues has been in discussion for months, and it was never meant to be about No-IP getting its name in the lights. We feel the hearing went extremely well, and we believe our customers’ pain from the recent experience was well understood by the influencers present. Our hope is that the government, law enforcement, and private companies can work together in a collaborative manner to develop new legislation and processes for dealing with cybercrime, with protections that limit the potential collateral damage to innocent Internet users. Many of the laws governing this area were, literally, written before the invention of electricity. It is clearly time for an update.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Robert McDougal, User Rank: Ninja
7/22/2014 | 9:28:35 AM
Re: Obama
I tend to agree with this sentiment. I am seeing many foreign companies balk at hosting their data on cloud servers hosted within the United States as a direct result of the Snowden leaks. While the US government may not actually be snooping on every file in the cloud, the perception is that they can. Until that changes we will have a hard time being the information security leaders of the world.
Sara Peters, User Rank: Author
7/21/2014 | 10:00:57 AM
Re: Going after bad guys
@Dr. T  Great point. No matter how secure our software is, the bad guys will always come up with new ways to compromise it. On the other hand, there are certain things that we should be able to get right; certain kinds of hacks that are 5 or 10 years old and we should be able to keep those vulnerabilities out of our code.
Sara Peters, User Rank: Author
7/21/2014 | 9:46:56 AM
Re: New World, New Laws.....Congress Get With IT
@Technocrati  Well hopefully this won't be one of those things that becomes a divisive issue that the two parties refuse to agree upon. Maybe that would give it a better chance of being reformed.
Dr.T, User Rank: Ninja
7/18/2014 | 9:25:05 AM
Re: Obama
Obviously all the countries are doing wiretapping. However, it does hurt US companies providing solutions overseas more than the other way around, in my view.
Dr.T, User Rank: Ninja
7/18/2014 | 9:21:59 AM
Re: New World, New Laws.....Congress Get With IT
Most likely not much progress; as the article mentioned, it actually goes beyond the US Congress. It is a borderless environment.
Dr.T, User Rank: Ninja
7/18/2014 | 9:19:12 AM
Going after bad guys

Good article, enjoyed reading it. Going after bad guys is the problem. Obviously bad guys always succeed; the question has to be what we do so we are ahead of them. That is actually practically possible; we simply need to be smarter than them. Also, it is less about testing and more about innovating new ways of hacking.
Technocrati, User Rank: Black Belt
7/17/2014 | 8:49:44 PM
Re: Obama
For the record, wiretapping was going on long before he ever entered office. Did you have a problem with it then? Considering most of these botnets are formed outside of the U.S., those hosting these botnets might have some ethical standards to consider as well.

Oh, this is not happening? No surprise, and neither is wiretapping.
Technocrati, User Rank: Black Belt
7/17/2014 | 8:41:22 PM
New World, New Laws.....Congress Get With IT
Now I understand who No-IP is, but I agree with their aim of updating legislation to address the new world we have been living in for quite some time now. I am not sure how much progress will be made in Congress though; they don't seem to be too intent on passing any meaningful legislation. Citizens should make this a topic for their congressman or woman to remember.

It is painful to write this as I know my words are sadly true.
Whoopty, User Rank: Moderator
7/17/2014 | 10:07:48 AM
Obama
I think if President Obama didn't insist on continuing to support warrantless phone and wire tapping of its citizens and foreigners, then the world at large would be much more keen to help US companies crack down on botnets.

As it stands, sharing any information with the US can cause real problems with your customers' confidence in you. 
David F. Carr, User Rank: Apprentice
7/16/2014 | 8:51:56 PM
How was Microsoft able to take down this service?
I thought I understood DNS, sort of, but I'm not following how Microsoft was able to take out this site in the first place. Was Microsoft hosting the infrastructure as an upstream provider or reselling domains through No-IP?