Cyber crime aftermath: Beyond the indictmentData breaches that expose more than a million records used to be headline stories, but sadly they are now so commonplace they no longer make the evening news. However, they can still generate headlines in trade papers, like the recent news from Subject: Poker that personal information belonging to 3.5 million members of the poker website Ultimate Bet (UB) had been made public, “after the dormant site suffered a data breach this past weekend.” (Exposed data included full name, phone number, email and postal addresses, date of birth and IP address.)
You may remember Ultimate Bet from another cyber crime story involving its parent company Absolute Poker. As my colleague Aryeh Goretsky put it in his article Online Poker, Real Fraud: “The United States Attorney Office for the Southern District of New York received a flurry of attention in April, 2011 when they unsealed an indictment against the three largest internet poker companies in the United States – Absolute Poker, Full Tilt Poker and PokerStars – for fraud, gambling and money laundering.”
The charges were based, in part, on the Illegal Gambling Business Act of 1955 and the Unlawful internet Gambling Enforcement Act of 2006. The indictment was a big deal in many ways, and not just because it sought at least $3 billion, yes that's three billion, “in civil money laundering penalties and forfeiture from various defendants.” These included several parties who processed payment transactions for the poker sites. The District Court also issued an order “restraining approximately 76 bank accounts in 14 countries containing the proceeds of the charged offenses” and seized five internet domain names “used by the Poker Companies to operate their illegal online businesses in the United States.” (See this poker news site and the indictment itself for more details.)
Which brings us back to the aftermath. Today, you won't find a website at ultimatebet.com or ub.com, but someone found their data, which suggests the data was not well protected, which could be a consequence of the company hosting the data being involved in very expensive legal proceedings. However, an artful attorney might argue that the protection of that data became the responsibility of the courts the day that the indictment was unsealed.
Which brings us to what is potentially an even trickier aftermath issue: What should I, one of the good guys, do about all the zombie computers in a botnet if, in the course of my fight against cyber crime, I take over a botnet's command-and-control center? That has not happened too many times yet, but what has been happening with increasing frequency is internet service providers and anti-malware software vendors discovering that a customer's computer is part of a botnet. All of these scenarios raise the question: What is the right thing to do? Do we remotely remove the botnet software from the infected system, which might cause the system to crash. If we simply tell the system owner, will we have to help them remediate their machine? If we tell them we know they are infected, will we have to disclose how we know?
Fortunately, all of these questions are being discussed by the good guys, and you can get involved in the discussion. A good place to start is the “Comments received in Response to Federal Register Notice 110829543–1541–01,” which are posted under this illustrious title: Models To Advance Voluntary Corporate Notification to Consumers Regarding the Illicit Use of Computer Equipment by Botnets and Related Malware. You will find thoughtful input from entities as diverse as SANS, Symantec, Verizon, Microsoft, MAAWG, NCSA, AT&T, Microsoft, and the Electronic Frontier Foundation.
As you work your way through that material, you might also give some thought to the aftermath issue of domain name blocking and DNS. As you may recall, the FBI scored a major cyber crime victory last month when it took down an internet fraud ring that had infected some 4 million computers around the world with DNSChanger malware. The FBI took over the fraudulent DNS servers that were part of this criminal operation, but judged it best not to take them down because that could potentially disrupt internet access on millions of computers. But that's not the only reason law enforcement's powers to change the DNS for websites alleged to be engaged in illegal activity has been in the news lately.
Proposed legislation, known as SOPA and PIPA, envisions changing DNS to hide websites thought to be distributing pirated music, movies, books and software. After recent hearings in D.C., a rising tide of anti-SOPA sentiment has been washing over Silicon Valley where the legislation is perceived as both risky (to the operation of DNS) and ineffective. The latter point might get some support from the fact that Ultimate Bet's ub.com was apparently taken down, but ub.net still seems to be working. And those compromised betting customer records? Apparently they live on in Google Cache. It looks like solving crimes and charging criminals is only part of the cyber crime-fighting story.