September 17 2012

The BKA, Cybercrime and Propaganda

Everywhere today we are being treated to the headline

“BKA: Threat from Internet crime is growing”

Even Heise and Deutschlandradio let themselves be carried away into adopting this misleading headline, which probably originates from dpa. If one takes a look at the figures, which were taken from the already questionable police crime statistics (Polizeiliche Kriminalstatistik), one first notes a decline in offences by a few hundred cases. No trace of an increase. So how does the BKA arrive at this rather questionable thesis? Supposedly the damage, estimated of course, rose by 16 percent compared to the previous year. Is there, at least on the factual side, a sufficient basis for such an estimate? The BKA's paper explains:

The fact that statistical recording of damage takes place for only two categories of offence does not permit any robust statements about the actual monetary damage in the area of cybercrime, but in our assessment it is sufficient to depict at least development trends in the medium and long term.

That, I think, speaks for itself and needs no further comment.

What we really have in this area is a massive problem with reporting that uncritically adopts statements coloured by the BKA.

To put it very clearly: in the area of cybercrime, neither an increase in the number of offences nor an increase in damages can be established. At any rate, on closer inspection neither follows from the “Cybercrime Bundeslagebericht 2011” presented by the BKA. Every year the BKA stirs up sentiment again, and the quality media play along as usual.

April 27 2012

Passage of CISPA in the U.S. House highlights need for viable cybersecurity legislation

To paraphrase Ben Franklin, he who sacrifices online freedom for the sake of cybersecurity deserves neither. Last night, the Cyber Intelligence Sharing and Protection Act (CISPA) (H.R. 3523) was sent to a vote in the United States House of Representatives a day earlier than scheduled. CISPA passed the House by a vote of 250-180, defying a threatened veto from the White House. The passage of CISPA now sets up a fierce debate in the Senate, where Senate Majority Leader Harry Reid (D-NV) has indicated that he wishes to bring cybersecurity legislation forward for a vote in May.

The votes on H.R. 3523 broke down along largely partisan lines, although dozens of both Democrats and Republicans voted for or against CISPA in the final tally. CISPA was introduced last November and approved by the House Intelligence Committee by a 17-1 vote before the end of 2011, which meant that the public has had months to view and comment upon the bill. The bill has 112 cosponsors and received no significant opposition from major U.S. corporations, including the social networking giants and telecommunications companies who would be subject to its contents.

In fact, as an analysis of campaign donations by Maplight showed, over the past two years interest groups that support CISPA have outspent those that oppose it by 12 to 1, ranging from defense contractors, cable and satellite TV providers, software makers, cellular companies and online computer services.

While the version of CISPA that passed shifted before the final vote, ProPublica's explainer on CISPA remains a useful resource for people who wish to understand its contents. Declan McCullagh, CNET's tech policy reporter, has also been following the bill closely since it was introduced and he has published an excellent FAQ explaining how CISPA would affect you.

As TechDirt observed last night, the final version of CISPA (available as a PDF from docs.house.gov) contained more scope on the information types collected in the name of security. Specifically, CISPA now would allow the federal government to use information for the purpose of investigation and prosecution of cybersecurity crimes, protection of individuals, and the protection of children. In this context, a "cybersecurity crime" would be defined as any crime that involves network disruption or "hacking."

Civil libertarians, from the Electronic Frontier Foundation (EFF) to the American Civil Liberties Union, have been fiercely resisting CISPA for months. "CISPA goes too far for little reason," said Michelle Richardson, the ACLU legislative counsel, in a statement on Thursday. "Cybersecurity does not have to mean abdication of Americans' online privacy. As we've seen repeatedly, once the government gets expansive national security authorities, there's no going back. We encourage the Senate to let this horrible bill fade into obscurity."

Today, there is widespread alarm online over the passage of CISPA, from David Gewirtz calling it heinous at ZDNet to Alexander Furnas exploring its troubling aspects to it being called a direct threat to Internet privacy over at WebProNews.

The Center for Democracy and Technology issued a statement that it was:

"... disappointed that House leadership chose to block amendments on two core issues we had long identified — the flow of information from the private sector directly to NSA and the use of that information for national security purposes unrelated to cybersecurity. Reps. Thompson, Schakowsky, and Lofgren wrote amendments to address those issues, but the leadership did not allow votes on those amendments. Such momentous issues deserved a vote of the full House. We intend to press these issues when the Senate takes up its cybersecurity legislation."

Alexander Furnas included a warning in his nuanced exploration of the bill at The Atlantic:

"CISPA supporters — a list that surprisingly includes SOPA opponent Congressman Darrell Issa — are quick to point out that the bill does not obligate disclosure of any kind. Participation is 'totally voluntary.' They are right, of course, there is no obligation for a private company to participate in CISPA information sharing. However, this misses the point. The cost of this information sharing — in terms of privacy lost and civil liberties violated — is borne by individual customers and Internet users. For them, nothing about CISPA is voluntary and for them there is no recourse. CISPA leaves the protection of peoples' privacy in the hands of companies who don't have a strong incentive to care. Sure, transparency might lead to market pressure on these companies to act in good conscience; but CISPA ensures that no such transparency exists. Without correctly aligned incentives, where control over the data being gathered and shared (or at least knowledge of that sharing) is subject to public accountability and respectful of individual right to privacy, CISPA will inevitably lead to an eco-system that tends towards disclosure and abuse."

The context that already exists around digital technology, civil rights and national security must also be acknowledged for the purposes of public debate. As the EFF's Trevor Timm emphasized earlier this week, once national security is invoked, both civilian and law enforcement agencies wield enormous powers to track and log information about citizens' lives without their knowledge or any practical ability to gain access to the records involved.

On that count, CISPA provoked significant concerns from the open government community, with the Sunlight Foundation's John Wonderlich calling the bill terrible for transparency because it proposes to limit public oversight of the work of information collection and sharing within the federal government.

"The FOIA is, in many ways, the fundamental safeguard for public oversight of government's activities," wrote Wonderlich. "CISPA dismisses it entirely, for the core activities of the newly proposed powers under the bill. If this level of disregard for public accountability exists throughout the other provisions, then CISPA is a mess. Even if it isn't, creating a whole new FOIA exemption for information that is poorly defined and doesn't even exist yet is irresponsible, and should be opposed."

What's the way forward?

The good news, for those concerned about what passage of the bill will mean for the Internet and online privacy, is that now the legislative process turns to the Senate. The open government community's triumphalism around the passage of the DATA Act and the gathering gloom and doom around CISPA all meet the same reality in this respect: checks and balances in the other chamber of Congress and a threatened veto from the White House.

Well done, founding fathers.

On the latter count, the White House has made it clear that the administration views CISPA as a huge overreach on privacy, driving a truck through existing privacy protections. The Obama administration has stated (PDF) that CISPA:

"... effectively treats domestic cybersecurity as an intelligence activity and thus, significantly departs from longstanding efforts to treat the Internet and cyberspace as civilian spheres. The Administration believes that a civilian agency — the Department of Homeland Security — must have a central role in domestic cybersecurity, including for conducting and overseeing the exchange of cybersecurity information with the private sector and with sector-specific Federal agencies."

At a news conference yesterday in Washington, the Republican leadership of the House characterized the administration's position differently. "The White House believes the government ought to control the Internet, government ought to set standards, and government ought to take care of everything that's needed for cybersecurity," said Speaker of the House John Boehner (R-Ohio), who voted for CISPA. "They're in a camp all by themselves."

Representative Mike Rogers (R-Michigan) -- the primary sponsor of the bill, along with Representative Dutch Ruppersberger (D-Maryland) -- accused opponents of "obfuscation" on the House floor yesterday.

While there are people who are not comfortable with the Department of Homeland Security (DHS) holding the keys to the nation's "cyberdefense" — particularly given the expertise and capabilities that rest in the military and intelligence communities — the prospect of military surveillance of citizens within the domestic United States is not likely to be one that the founding fathers would support, particularly without significant oversight from the Congress.

CISPA does not, however, formally grant either the National Security Agency or DHS any more powers than they already hold under existing legislation, such as the Patriot Act. It would, however, enable more information sharing between private companies and government agencies, including threat information pertinent to legitimate national security concerns.

It's crucial to recognize that cybersecurity legislation has been percolating in the Senate for years now without passage. Civilian oversight is a key issue in that Senate wrangling, which has seen major bills circulating for years: proposals from Senator Lieberman's office on cybersecurity, the ICE Act from Senator Carper, and Senator McCain's proposals.

If the fight over CISPA is "just beginning", as Andy Greenberg wrote in Forbes today, it's important that everyone who is getting involved because of concerns over civil liberties or privacy recognizes that CISPA is not like SOPA, as Brian Fung wrote in the American Prospect, particularly after provisions regarding intellectual property were dropped:

"At some point, privacy groups will have to come to an agreement with Congress over Internet legislation or risk being tarred as obstructionists. That, combined with the fact that most ordinary Americans lack the means to distinguish among the vagaries of different bills, suggests that Congress is likely to win out over the objections of EFF and the ACLU sooner rather than later. Thinking of CISPA as just another SOPA not only prolongs the inevitable — it's a poor analogy that obscures more than it reveals."

That doesn't mean that those objections aren't important or necessary. It does mean, however, that anyone who wishes to join the debate must recognize that genuine security threats do exist, even though massive hype about a potential "Cyber 9/11" perpetuated by contractors that stand to benefit from spending continues to pervade the media. There are legitimate concerns regarding the theft of industrial secrets, "crimesourcing" by organized crime and the reality of digital agents from the Chinese, Iranian and Russian governments — along with non-state actors — exploring the IT infrastructure of the United States.

The simple reality is that in Washington, national security trumps everything. It's not like intellectual property or energy or education or healthcare. What anyone who wishes to get involved in this debate will need to do is to support an affirmative vision for what roles the federal government and the private sector should play in securing the nation's critical infrastructure against electronic attacks. And the relationship of business and government complicates cybersecurity quite a bit, as "Inside Cyber Warfare" author Jeffrey Carr explained here at Radar in February:

"Due to the dependence of the U.S. government upon private contractors, the insecurity of one impacts the security of the other. The fact is that there are an unlimited number of ways that an attacker can compromise a person, organization or government agency due to the interdependencies and connectedness that exist between both."

The good news today is that increased awareness of the issue will drive more public debate about what's to be done. During the week the Web changed Washington in January, the world saw how the Internet can act as a platform for collective action against a bill.

Civil liberties groups have vowed to continue advocating against the passage of any vaguely drafted bill in the Senate.

On Monday, more than 60 distinguished IT security professionals, academics and engineers published an open letter to Congress urging opposition to any "'cybersecurity' initiative that does not explicitly include appropriate methods to ensure the protection of users’ civil liberties."

The open question now, as with intellectual property, is whether major broadcast and print media outlets in the United States will take their role of educating citizens seriously enough for the nation to meaningfully participate in legislative action.

This is a debate that will balance the freedoms that the nation has fought hard to achieve and defend throughout its history against the dangers we collectively face in a century when digital technologies have become interwoven into the everyday lives of citizens. We live in a networked age, with new attendant risks and rewards.

Citizens should hold their legislators accountable for supporting bills that balance civil liberties, public oversight and privacy protections with improvements to how the public and private sector monitors, mitigates and shares information about network security threats in the 21st century.

December 19 2011

Big crime meets big data

Marc Goodman (@futurecrimes) is a former Los Angeles police officer who started that department's first Internet crime unit in the mid-1990s. After two decades spent working with Interpol, the United Nations, and NATO, Goodman founded the Future Crimes Institute to track how criminals use technology.

Malicious types of software, like viruses, worms, and trojans, are the main tools used to harvest personal data. Cyber criminals also use social engineering techniques, such as phishing emails populated with data gleaned from social networks, to trick people into providing further details. In the interview below, Goodman outlines some of the other ways organized criminals and terrorists are harnessing data for nefarious ends.

What motivates data criminals?

Marc Goodman: Anything that would motivate someone to join a startup would motivate a criminal. They want money, shares in the business, a challenge. They don't want a 9-to-5 environment. They also want the respect of their peers. They have an us-against-them attitude; they're highly innovative and adaptive, and they never take the head-on approach. They always find clever and imaginative ways to go about something that a good person would never have considered.

What type of personal data is most valuable to criminals?

Marc Goodman: The best value is a bank account takeover. A standard credit card might cost a criminal only $10, but for $700 they could buy details of a bank account with $50,000 in it, money that could be stolen in just one transaction.

European credit cards tend to cost more than American credit cards since Europeans are much better at guarding their data. There's also a universal identifier for Americans — the social security number — but the same thing doesn't exist from a pan-European perspective.

How is data crime more scalable than traditional crime?

Marc Goodman: Data crime can be scripted and automated. If you were to take a gun or a knife and stand on a street corner, there are only so many people you can rob. You have to do the crime, run away from the scene, worry about the police, etc. You can't walk into Wembley Stadium with a gun and say, "Everybody, put your hands up," but you can do the equivalent from a cyber-crime perspective.

One of the reasons why cyber crime thrives is that it's totally international whereas law enforcement is totally national. Now, the person attacking you can be sitting in New York or Tokyo or Botswana. The ability to conduct business without getting on a plane is an awesome advantage for international organized crime.

How has cyber crime evolved?

Marc Goodman: In the 1970s, you had to be a clever hacker and create your own scripts. Now all of that stuff can be bought off the shelf. You can buy a package of crimeware and put in the email addresses or the domain that you want to attack via a nice user interface. It's really plug-and-play criminality.

You claim that the 2008 Mumbai attackers used real-time data gathering from social networks and other media. How do terrorists use data?

Marc Goodman: Since the Internet arrived, terrorists have been advertising, doing PR, recruiting, and fundraising, all online. But this was the first time that we had seen terrorists use technology to the full extent that this group did during the incident. They had mobile phones and satellite phones. The terrorist war room they set up to monitor the media and feed back information in real time to the attackers was a really significant innovation.

They re-engineered the attack mid-incident to kill more people. They were constantly looking for new hostages. Organizations like the BBC and CNN were tweeting to ask people on the ground in Mumbai to contact a producer. People trapped in hotels called the TV stations. All of that information was being tracked by the terrorist war room. There was an Indian minister who was doing a live interview on the Indian Broadcast Network (IBN) while hiding in the kitchen of the ballroom of the Taj Mahal hotel. The war room picked this up and directed the attackers to that part of the hotel where they could find the minister.

What can be done to combat cyber crime?

Marc Goodman: The terrorism problem is very different from the cyber crime problem. Most terrorism tends to have a basis in the real world whereas cyber crime tends to be purely online. Governments are pretty good at tracking the terrorists in their own countries, and there is decent international cooperation on terrorism.

What is making things more difficult for governments is that, in the old days, if you tapped somebody's home phone, you had a good picture of what was going on. Now you don't know where to look. Are they communicating on Facebook, on Twitter, or having a meeting in World of Warcraft?

Law enforcement needs to develop better systems to deal with the madness of social media in terrorist attacks. The public is getting involved in ways that are, frankly, unhealthy. There was a hostage situation in the U.S. a couple of months ago where a man took a hostage and was sexually assaulting her. He was trapped in a hotel room with guns and was posting live on Facebook and Twitter. Then the public started to interact with the hostage-taker, tweeting things like, "You wouldn't kill her. You are not brave enough to do it." In the past, police could close off several blocks, put up yellow crime scene tape, close the airspace over the scene, and bring in a trained negotiator. How does law enforcement intervene when there can be a completely disintermediated conversation between the criminal or terrorist and the general public?

Marc Goodman discussed the business of illegal data at Strata New York 2011. His full presentation is available in the following video:

This interview was edited and condensed.

November 28 2011

Four short links: 28 November 2011

  1. Twine (Kickstarter) -- modular sensors with connectivity, programmable in If This Then That style. (via TechCrunch)
  2. Small Sample Sizes Lead to High Margins of Error -- a reminder that all the stats in the world won't help you when you don't have enough data to meaningfully analyse.
  3. Yahoo! Cocktails -- somehow I missed this announcement of a Javascript front-and-back-end dev environment from Yahoo!, which they say will be open sourced 1Q2012. Until then it's PRware, but I like that people are continuing to find new ways to improve the experience of building web applications. A Jobsian sense of elegance, ease, and perfection does not underlie the current web development experience.
  4. UK Govt To Help Businesses Fight Cybercrime (Guardian) -- I view this as a good thing, even though the conspiracy nut in me says that it's a step along the path that ends with the spy agency committing cybercrime to assist businesses.

December 11 2010

Are DDoS attacks a criminal offence?

In recent days, Wikileaks supporters have practised a new form of payback system. By means of so-called (distributed) denial of service attacks, a presumably loose and spontaneous association of activists calling themselves “Anonymous” has brought down, or attempted to bring down, the web servers of companies such as VISA, Mastercard, PayPal and Moneybookers. These companies had terminated their business relationships with Wikileaks without notice, apparently with the aim of blocking the flow of payments to Wikileaks. It seems likely that this happened under direct or indirect pressure from the US government.

In this context I have repeatedly been asked in recent days whether such DDoS attacks are actually a criminal offence. Until a few years ago this question was extremely contentious. In 2006 the OLG Frankfurt (Higher Regional Court of Frankfurt) then ruled that a public call to access the Lufthansa website at a specific time, with the aim of bringing down the server, does not constitute a criminal offence.

Whether that also applies to DDoS attacks carried out with software support was, however, not a question the OLG Frankfurt had to decide. Moreover, computer criminal law was tightened shortly afterwards. The provision of § 303b para. 1 no. 2 StGB, which entered into force in 2007, now also criminalises the mere entering or transmitting of data with the intent to cause disadvantage. According to the explanatory memorandum to the law, this was expressly intended to establish the criminal liability of DDoS attacks. However, it remains contentious whether this also covers manual data entry, especially since in cases of “online protest” the question of Art. 5 GG (the Basic Law's freedom-of-expression guarantee) always arises as well. The provision has also been criticised because its wording allows an enormous extension of criminal liability to possibly socially adequate behaviour. Since the norm implements Art. 5 of the Cybercrime Convention, comparable statutory provisions exist in other EU states.

November 13 2010

Do the police need the IP address as an investigative lead?

I have just taken part in a workshop at the Greens' Netzpolitischer Kongress (net policy congress) on the topic “Die dunkle Seite des Netzes” (the dark side of the net), which dealt with Internet crime.

The BKA representative gave a very vivid account of the kinds of cases he deals with in practice; in particular, he sketched the phenomenon of identity theft. His short talk ended with the pessimistic outlook that the lights would soon go out because the IP address as an investigative lead is no longer (or not at all) available to the police.

This met with clear opposition, among others from the data protection commissioner of the state of Mecklenburg-Vorpommern, Karsten Neumann, who also pointed out that he does not share the view of his colleague Schaar on data retention.

It may be that the police authorities can solve a few more fraud cases with the help of data retention. But the primary question should not be what is technically possible, but what we consider acceptable under the rule of law and in terms of legal policy. Is it justified to store the telecommunications data of all citizens on a precautionary basis, without any specific cause, just because one might be able to solve a fraud that lies three months in the past?

Now that data retention has been struck down by the Constitutional Court, the related questions arise anew. The political process has begun again. And it should not be dominated primarily by the wishes of investigators, but by civil-rights considerations. And the outcome need by no means be a new data retention law that just barely complies with the requirements of the Federal Constitutional Court. The moderator Jerzy Montag closed the workshop with the words that the lights are not going out yet.
