Information Security News mailing list archives

New rules cut hackers less slack


From: InfoSec News <isn () c4i org>
Date: Tue, 4 Nov 2003 04:40:55 -0600 (CST)

http://www.denverpost.com/Stories/0,1413,36~33~1739529,00.html

By Jennifer Beauprez
Denver Post Business Writer
November 03, 2003 

As attacks on computers get more sophisticated, more dangerous and
more costly, the bad guys responsible rarely do hard time.

Most people convicted of unleashing malicious code or hacking into
computers receive sentences of one to three years, or they get
probation and a warning to stay away from computers.

"It's frustrating," said Eric Smith, who chased down cybercriminals
for three years as an investigator for the Air Force.

"There were cases that lasted two to three years and nothing ever
happened to these people," Smith said. "It seems like it's always
probation. They always slap their wrists."

New federal rules might change that.

On Saturday, federal rules took effect that beef up penalties for
computer crimes. A person who uses computers to cause death or bodily
harm - by taking down a power grid or air traffic control towers, for
instance - could get 20 years to life in prison, under a section of
the 2002 Homeland Security Act.

"These are for the cyberterrorist, not for the teen hackers," said
Mark Allenbaugh, former staff attorney for the U.S. Sentencing
Commission, which makes sentencing rules.

What might make a bigger impact on cybercrime punishment, he said, is
another law passed in April that may limit a judge's ability to
"depart," or hand down sentences that are lower than federal
guidelines.

"It's going to be much harder for hackers to get less serious
sentences," Allenbaugh said. "Probation may not be an option."

For instance, Allenbaugh said he expects a harsher penalty for the
author of one of the Blaster worms if he is convicted, instead of
simply probation or a short jail sentence.

Jeffrey Lee Parsons, 18, is accused of unleashing a version of the
Blaster computer worm, which spread around the world in six minutes
using network connections, slowed Internet activity dramatically and
disrupted business for numerous companies.

"Now, because of the amendment, he is going to get a rather
significant additional bump, which probably will translate into an
extra few years," Allenbaugh said.

Many computer crime cases never even make it to a jury, Smith said. In
some cases, foreign authorities won't extradite suspects, and in others
the technology is too complex for prosecutors to win a conviction.

"Prosecutors, they don't always understand the case and don't think
they could convince a jury and judge it was a significant crime,"
Smith said.

Smith said he thinks judges give more leniency to younger people with
hopes they can put their computer skills and brains toward something
good.

"They think, well, it's some misguided kid," he said. "It doesn't
always work. The kid thinks, 'Wow, I got off.'"

Since 2000, 11 people convicted of breaking into computers or
unleashing malicious code got probation.

Nineteen were sentenced to one to three years in prison. And just four
were sentenced to more than four years in prison, according to the
Department of Justice.

Some of the ex-cons, such as notorious hacker Kevin Mitnick, became
security consultants upon release or got jobs hacking into companies'
computers and alerting them to vulnerabilities.

"The fact that you can break the law and then capitalize on it -
that's the norm, unfortunately, in the computer security field," said
Drew Fahey, a computer security expert who works with Smith at
E-Fense, an Alexandria, Va.-based computer security consulting firm
with offices in Englewood.

Meanwhile, consumers, businesses and government agencies are losing
out.

Identity theft - sometimes the result of personal information stolen
from computer databases - is the nation's fastest growing crime.

And corporations are spending billions of dollars fighting off a
growing number of computer attacks. Each day, five new malicious code
attacks are unleashed, according to the FBI.

One market research firm, Computer Economics Inc., estimates that the
recent SoBig virus cost businesses $1 billion. The firm estimates all
viruses this year have cost companies $13 billion.

As a result, the computer crime caseload at the FBI has grown
significantly, said Ken McGuire, a computer crimes investigator for
the FBI.

"Over the past five years, we've gone from 10 to 20 complaints a month
to 10 to 20 a week," he said.

Yet not everyone believes stiffer prison sentences will reduce
cybercrime.

"For every bad guy we get rid of, there will be more bad guys," said
Rick Dakin, president of Coalfire Systems Inc., a Superior computer
security consulting firm.

Dakin said companies must be more diligent about protecting their
systems, deploying network monitoring tools, regularly changing
passwords and performing risk-assessment tests.

A federal bill could force that to happen.

The bill, introduced this summer by Sen. Dianne Feinstein, D-Calif.,
requires businesses or government agencies to notify individuals if a
database has been broken into and personal data has been compromised,
including Social Security numbers, driver's licenses and credit cards.

A hearing on the legislation will be held Tuesday in a Senate
judiciary subcommittee.

Under the proposed federal law, the Federal Trade Commission could
impose fines of up to $5,000 per violation or up to $25,000 per day
while the violation persists. State attorneys general also may file
suit to enforce the statute.

A similar California law makes it a criminal offense to not disclose
such security breaches.

"Over the past year, there have been more cases in which hackers have
broken into databases," said Scott Gerber, spokesman for Feinstein.
"This is a fair and tough enforcement giving Americans more control
and confidence about the safety of their personal information."

Even if the law passes, businesses may be reluctant to tell anyone
they've been hacked. Business executives don't want the bad press,
which can affect their stock prices, their customers' trust or their
ability to attract employees.

Just one-third of companies hacked last year reported the attacks to
law enforcement, according to a survey by the Computer Security
Institute.

"This law says 'you protect it or you tell us,'" said Dakin of
Coalfire. "What a wicked responsibility. But I don't know another way
you will force change without going that way."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
