This week, the world was introduced to its newest hacker! Authorities apprehended the vicious criminal and she now faces possible time in prison. Her name is Hayastan Shakarian and she is responsible for single-handedly taking down 90% of the internet access for the entire country of Armenia. The service was down for about 12 hours before it could be restored.
Reader, when I read this, I thought “Good, let Hayastan rot in prison for a while.” I, along with most victims of web attacks, harbor a strong distaste for spammers, people who create/spread viruses, identity thieves, and other cybercriminals! So, when I heard about this incident, I hoped for the worst of punishments.
Now, before we all agree to stone our dastardly hacker, Mrs. Shakarian, I think I should tell you that she is a 75-year-old Georgian (the country, not the US state) who had never heard of the internet until her inaugural introduction into the world of “hacking”. While many modern hackers would recommend using a protected home computer for their work, Shakarian used a gardening spade. That’s right! The woman severed the internet connection to Armenia while searching for underground copper.
When provided with the latter information, it seems kind of harsh to send this woman to prison. However, it got me wondering what the punishments for common cybercrimes are. After some research, it appears that the common cybercriminal does not normally get more than 5 years in the clink. In some cases a 10 year sentence can be issued. At the end of this blog you can review a quick summary detailing these kinds of laws and punishments, procured from www.spamlaws.com.
I think this is a joke! These kinds of punishments are not effective. How do we put a stop to this kind of activity? Would harsher penalties help? I see ads that advise against pirating data such as music and movies, and these crimes have significant penalties. Still it has not stopped people from downloading illegal media. Maybe cyber crime is an activity that cannot be contained. Maybe we as users will be subject to their threats forever.
On a brighter and final note… a HUGE bust just took place in the global cyber criminal world. It is referred to as the restock botnet takedown. It is a large ring of botnet systems that were sending information to criminals to enable them to steal information and steal money from several US companies. Hundreds of thousands of dollars were stolen. 1.8 million computers were infected. 13 people who were associated with the criminal activity were apprehended and are looking at a “civil complaint” for engaging in wire fraud, bank fraud and illegal interception of electronic communications. What punishment will these people receive? What should they receive? Please see http://www.foxnews.com/scitech/2011/04/13/government-targets-ring-infecting-23-million-computers/ for more information and review the information below on cyber crime. Thanks for reading.
-MJ
http://www.spamlaws.com reports the following:
The penalty for illegally accessing a computer system ranges from 6 months to 5 years. The penalty for the unofficial modification on a computer ranges from 5 to 10 years. Other penalties are listed below:
Telecommunication service theft: The theft of telecommunication services is a very common theft and is punished with a heavy fine and imprisonment.
Communications intercept crime: This is a Class-D crime which is followed by a severe punishment of 1 to 5 years of imprisonment with a fine. Other cyber crimes like telecommunication piracy, offensive material dissemination, and other cyber frauds also belong to this category.
Information Technology Act-2000: According to this act, different penalties are available for different crimes. Some of the penalties are as follows:
Computer source document tampering: The person who changes the source code on the website or any computer program will get a punishment up to 3 years of imprisonment or fine.
Computer hacking: The individual who hacks the computer or computer devices will get an imprisonment up to 3 years or a fine.
Government protected system: An act of trying to gain access to a system which is a protected system by the government, will result in imprisonment for 10 years and a heavy fine.
The introduction of such penalties has led to a drastic reduction in the cybercrime rates as more and more criminals are becoming aware of the penalties related to them. Spreading the word about the penalties of cybercrime can serve as a deterrent against such crime.
Penalties relating to cybercrime will vary depending on the country and legislation in place.
Summarized websites
http://www.spamlaws.com/cyber-crime-punishment.html
http://www.bbc.co.uk/news/business-13158351
http://www.foxnews.com/scitech/2011/04/13/government-targets-ring-infecting-23-million-computers/
These blogs will pertain to the course curriculum of my CIS 608 Information Security Mgmt class. Weekly posts will be available as I attempt to "take the pulse" of the information security world. I will do my best not to bore the living daylights out of you. Enjoy.
Sunday, April 24, 2011
Sunday, April 17, 2011
CIS 608 Content Coincides with CISSP
I am taking classes through Bellevue University to further my career in Information Security. I have also been working toward certifications that I know will make me more marketable in this field. I recently read an article on ClearanceJobs.com that listed the top 10 certifications held by Cleared Professionals. The top 5 of that list were Security+, Network+, A+, ITIL, and CISSP. This list got me thinking about what I need to do to make myself more marketable and what others can do as well.
These certifications listed are important and I think many companies and contractors like to see these certifications. The process for these certifications can be quite involved and it takes a lot of work to achieve these certifications and stay on top in the Information Security world. I am currently certified in Security+, Network+, and ITIL. The next big certification I would like to get is CISSP (Certified Information Systems Security Professional). This certification is a long and involved process. You must have five years of professional experience to be considered for the certification. There is also a code of ethics and ongoing education that you must adhere to in order to stay “in good standing” and keep the certification current. The most difficult part of the certification process is obviously the test itself.
The test covers ten main points. These main points include:
1. Access Control
2. Application Development Security
3. Business Continuity and Disaster Recovery Planning
4. Cryptography
5. Information Security Governance and Risk Management
6. Legal, Regulations, Investigations and Compliance
7. Operations Security
8. Physical (Environmental) Security
9. Security Architecture and Design
10. Telecommunications and Network Security
For six hours you are rigorously questioned with a 250-question test on your knowledge of the above-mentioned topics. Even after passing the exam you must maintain the certification by accruing 120 credits toward continuing education every three years and also pay a maintenance fee yearly.
As you can see, CISSP requires you to jump through a lot of hoops. Not only must you prove your knowledge on the test and show that you have a working knowledge of the information by your work experience; you must maintain the certification through continuing education. I think that this is a good time for me to try to obtain the CISSP certification. The topics on the test are also being covered in the classes that I am currently enrolled in at Bellevue University. In Information Security Management 608, we have already discussed disaster recovery plans and security policies that are covered in the CISSP under topic bullets 3 and 6. Ahead in the book will be developing the security program and risk management and analysis. I think that these classes will really help me to prepare for the certification and have other resources for the studying process. I am also hoping that the classes I am enrolled in will count toward the continuing education credits that you must attain. The website is not very specific about the requirements for this. The website states that after certification, you will receive information about the maintenance of the certification.
To others who are also in pursuit of advancing their career in information security, I hope that you have found this information helpful. Thanks for reading and good luck on the tasks ahead!
References:
ClearanceJobs.com
https://www.isc2.org/cissp/Default.aspx
Sunday, April 3, 2011
Government ignores Government mandates
April 15th is just around the corner, and many of you will go to IRS.gov to e-file your taxes this year. You see that if you made less than 58,000 dollars in 2010, you can e-file for free from a website of your choice that is listed on the IRS website. You choose one, follow the link, and begin to enter all of your personal information. You complete the form online and submit. Another year of taxes complete, right? As it turns out, this year you did not really file taxes; what you did was give all of your personal information to a hacker. You were redirected to a fake website during your search on IRS.com. This cache poisoning attack, or Kaminsky-style attack, is not new. In fact, in 2008 it was mandated that by December 31st, 2009 all .gov websites deploy security against just such an attack. DNS Security Extensions, or DNSSEC, prevents the redirecting of web users to other spoof websites. However, as of January 2011, only 51% of government websites have deployed such standards of protection. (Marsan, 2011)
Of the tested .gov websites, the State Department leads, being 100% up to date, with the Department of Labor on its heels at 90%. So, kudos to those departments for meeting the new standard; however, the rest of the story does not look good. The Treasury Department only signs one of its subdomains. The good news is there usually isn’t any important information that is entered into the Treasury Department. No one enters important information into the Treasury Department website to see if they qualify for loans, grants or other financial aid. It makes me wonder what the government is doing with the large portion of my paycheck that it keeps each month. You would think that the US government with all of its departments, resources, and officials would at least be able to run a secure website.
The private sector is not ahead of the government on this either. Many .com, .org, and .edu sites are now just starting to support DNSSEC in their domain. VeriSign has signed on to incorporate DNSSEC in their operations. This is huge, since VeriSign is the Internet’s largest .com domain. This .com leader is spending $100 Million to support DNSSEC and upgrade to IPv6. Many other domains do not know of, or are just learning of, DNSSEC. Another issue that goes with this security is that it takes up a lot of resources. It slows the server and can take a lot of financial resources to update. I think that these companies, however, owe it to their clients to ensure that their websites are secure and that client information will be secure and remain at that company’s official site.
I know that many of us who utilize the web for its resources and convenience have adopted this sense of security when dealing with our personal sites. Sites like the one we use for online banking, or the site run by our educational institution, or even one operated by the government. This is wrong. Nobody is ever 100% safe. These are the same people who encounter several attacks every year. What can a person do to ensure that this does not happen to you, you wonder. I will attempt to address that in future blogs. For now, knowing what we got ourselves into is the first step. Thanks for reading.
Reference:
Marsan, Carolyn Duffy. (January 27, 2011). Half of federal Web sites fail DNS security test. http://www.networkworld.com/news/2011/012711-dns-security-test.html?page=1