CYBER-SOCIETY-LIVE@JISCMAIL.AC.UK


Subject: [CSL]: Law enforcement losing the war on cybercrime
From: John Armitage <[log in to unmask]>
Reply-To: The Cyber-Society-Live mailing list is a moderated discussion list for those interested <[log in to unmask]>
Date: Wed, 15 May 2002 10:04:13 +0100


--------------------------------------------------------------
This story was printed from ZDNet UK,
located at http://news.zdnet.co.uk/
--------------------------------------------------------------
Location: http://news.zdnet.co.uk/story/0,,t269-s2110168,00.html
Law enforcement losing the war on cybercrime
Greg Sandoval, CNET News.com <mailto:[log in to unmask]>
The nightmare for Ecount, an online gift certificate service, began last
year when a hacker broke in to the company's system and stole personal
information belonging to its customers.

Nine months later, the criminal is still at large. The thief has brazenly
taunted executives with repeated emails while staying ahead of
investigators, deftly wiping away his electronic fingerprints and
covering his tracks at every turn.

"We're sick to death of hearing from him," Ecount chief executive Matt
Gillin said of the intruder, who has offered to return the information
for a fee.

Although law enforcement agencies are quick to trumpet their occasional
victories against cybercriminals, they are rarely able to track down
hackers sophisticated enough to pull off such complicated heists. Few
hackers of this caliber are arrested, and fewer still spend time behind
bars.

The resulting frustration for investigators, companies and consumer
victims raises a question that has persisted for years: why are hackers
able to elude capture so easily? The answer, according to security
analysts and fraud investigators, is that the Internet has bred an elite
class of criminals who are organised, well funded and far more
technologically sophisticated than most law enforcement officials.

"It's a world-class business," said Richard Power, editorial director of
the Computer Security Institute, a private research firm that tracks
electronic crime. "Al-Qaida and serious narcotic terrorists are using
credit card fraud to finance their groups."

Fraud cost e-tailers $700m in lost merchandise last year, says Avivah
Litan, a financial analyst for research firm Gartner. Some large Internet
retailers have software that screens transactions and refuses to sell to
customers who appear suspicious. Litan estimates that this costs Web
stores between 5 percent and 8 percent of sales.

A Gartner study also shows that 5.2 percent of online shoppers have been
victimised by credit card fraud and 1.9 percent by identity theft.

"These are huge numbers. This is scary stuff," Litan said. "The Internet
has got an albatross around its neck."

Skilled hackers shake off investigators by shuttling between multiple
servers before launching an attack. After fleeing a targeted site with
credit card numbers or other bounty, the intruders immediately begin
deleting the log files of each server they have passed through,
eliminating any record that they were there.

It is the equivalent of "vacuuming up the crime scene," said independent
fraud investigator Dan Clements, who runs a Web site devoted to catching
hackers called CardCops.com. Only about 10 percent of active hackers are
savvy enough to work this way consistently, he said, but they are almost
always successful.

Having grown up with the breakneck pace of "Internet time," hackers of
this digital generation use speed as a primary weapon. As with all
criminal investigations, pursuing online suspects means time-consuming
records searches that often require subpoenas -- a process that can give
hackers an insurmountable advantage.

FBI agents can swiftly get subpoenas from the courts but often lose
critical time trying to serve them. Agents can spend days sorting through
digital smoke screens created by multiple servers, requiring agents to
obtain and serve multiple subpoenas.

In the meantime, valuable evidence is often lost, and by then, hackers
are long gone.

The federal government is taking steps to improve its fight against
criminal activity online. FBI director Robert S. Mueller created a new
cybercrime unit in December, and the Bush administration has added 50 new
federal prosecutors to address the problem nationwide.

Unsolved hacks

Still, few believe that these measures will eradicate a problem that's
become so deeply entrenched. The FBI confirmed, for example, that no
arrests have been made in any of six recent high-profile cases:

* Playboy.com: An intruder slipped past the Web site security systems of
the adult entertainment company last November and obtained the personal
information of an undisclosed number of customers of the site's
e-commerce store. The hacker notified customers that he or she had
pilfered the information and, as proof, gave them their credit card
numbers.

* Ecount: Last summer, a hacker circumvented the Internet defences of the
Philadelphia-based company's gift certificate service and notified
customers of the breach in an email that included their home addresses.
The hacker then demanded $45,000 from the company to keep him from
exposing the personal information of 350,000 customers.

* Egghead.com: A hacker infiltrated the e-tailer's system in December
2000. After three weeks of investigation, the company said the intruder
did not obtain the personal information of its 3.7 million customers, but
many banks said they spent millions of dollars to issue new credit cards
in the meantime.

* Creditcards.com: Also in December 2000, a hacker broke in to systems
maintained by the company, which enables merchants to accept payments
online, and made off with about 55,000 credit card numbers. The hacker
tried to extort the company and, when executives refused to pay, exposed
the numbers by posting them on the Web.

* Western Union: In September 2000, a hacker exploited an opening in the
Web site of the financial services company and got away with more than
15,000 credit card numbers. Human error left "performance management
files" open on the site during routine maintenance, allowing the hacker
access.

* CD Universe: About 350,000 credit card numbers were stolen from the
online music company in January 2000, one of the first large-scale
hackings of its kind. The thief, identified only as "Maxus," held the
card numbers hostage and demanded a $100,000 ransom. When the company
refused, the hacker posted the numbers on a Web site.

Without commenting on these specific cases, law enforcement officials say
many online merchants may be partly to blame for the lack of arrests
because they do not devote enough resources to prevent intrusion or
facilitate investigations in the event of a crime.

"If there is any message to get out there, it would be for companies to
upkeep their antivirus and firewall software," said Laura Bosley, a
spokeswoman for the FBI's Los Angeles field headquarters.

Jennifer Granick, litigation director at the Stanford Law School Center
for Internet and Society, said security is often neglected by companies
more interested in making a quick buck.

E-commerce companies "rushed online during the dot-com boom, and they saw
the money that was to be had and didn't give a thought to security," she
said. "They were too busy trying to capture eyeballs to secure their
sites."

Even if they have fortified their Web sites against attack, many
companies are still unaware of the importance of preserving evidence if a
crime occurs -- ignorance that can kill any hope of catching a
perpetrator, said Bruce Smith, an investigator for Pinkerton Consulting &
Investigations and a former FBI agent who worked on computer crime cases
for six years.

Frequently, Smith said, agents will scan the Web logs of a hacked company
only to find a blank record that leaves the intruder's trail stone cold.
Sometimes, he said, the shopkeeper accidentally destroys the logs,
covering the hacker's tracks with other records. More often, the online
store never turns on the logging feature to begin with because it could
slow a Web site's performance.

"You cross your fingers when you start looking at the logs," Smith said.
"Sometimes you get lucky, sometimes not."

Moreover, precious time can be lost when companies hesitate to contact
authorities immediately after an intrusion. The reason for the delay is
often rooted in business, not justice.

"Fear," Smith said. "They're reluctant to admit that they've been
victimised. You can imagine the bad press. Here's someone who's telling
clients their information is safe at the same time their site is getting
hacked."

Security experts blasted Egghead for taking weeks to investigate whether
the personal information of its customers had been compromised. A company
with good logging capability should have been able to determine the
extent of the intrusion within a few days, security specialists said,
perhaps saving banks a cost of between $5 and $25 for each new credit
card issued out of precaution.

"I think there was some things that we wished we did before the attack,"
said Jeff Sheahan, the former chief executive of Egghead. "We thought we
had a tight oversight system. We asked ourselves how we missed this. It
was just focusing on other things and not sensing that there was a big
enough risk."

The investigation was expensive for Egghead, but the intrusion exacted a
much higher price in the form of lost confidence among its customers.
"When you're an e-commerce business, trust is important. I don't think
there is any doubt that trust level took a hit to some degree," Sheahan
said.

Other online merchants would do well to learn from Egghead's mistakes,
for the number of hackings is growing. To gauge this trend, CardCops'
Clements posted fake credit card numbers on the Web and then spread the
word at sites popular with "carders" -- those who traffic in stolen
credit cards -- that a Web site had accidentally divulged the
information.

In less than a half-hour, the site had 74 visitors from 31 countries.
Within a couple of days, the number of visitors had grown to 1,600. No
one can say how many came to the site with criminal intent, but Clements
believes most did.

"There's a war raging online," he said, "and the bottom line is that law
enforcement is losing."

------------------------------------------------------------------------

************************************************************************************
Distributed through Cyber-Society-Live [CSL]: CSL is a moderated discussion
list made up of people who are interested in the interdisciplinary academic
study of Cyber Society in all its manifestations. To join the list please visit:
http://www.jiscmail.ac.uk/lists/cyber-society-live.html
*************************************************************************************
