Nailing Net Nasties
Anyone who tries to create an Alsatia state would find themselves in breach of international law with the sanctions of the rest of the world ganged up against them bringing a sense of security to our domestic society for international electronic commerce. Justice David Baragwanath, 1999.[1]
The digital environment … is often referred to as “cyberspace” … It is a workplace, a business arena, a social sphere for meeting new people and developing relationships, and a place for entertainment. However, it is a place where perpetrators of electronic crime can victimise the unsuspecting, and an environment which can facilitate anti-social behaviour like bullying and harassment. Schools are fostering wonderful Internet learning skills in children but must also include in that education the practical skills needed to negotiate all aspects of cyberspace safely. Internet Safety Group report, 2003.[2]
In White Friars, England until the end of the 17th century, there was a ‘safe place’ known as Alsatia, where criminals and those seeking sanctuary could live outside the law. Many believed once unleashed from US military control, the Internet – outside of any one jurisdiction – became the embodiment of anarchy, a cyber version of Alsatia.
When the boffins and geeks ruled, the Internet was self-policing. Coteries of like-minded individuals gathered in specialist huddles, newsgroups, and chat rooms where their esoteric secrets were shared. Gamers, film buffs, sci-fi fans, musicologists, genealogists, and computer nerds felt safe sharing intimate details of their hobbies and habits. Among them were the coders who loved the challenge of proving they were smarter than the software developers, often exercising their prowess by cracking and hacking their way into allegedly safe systems, or liberating games and commercial software from the passwords and encoded protections their creators had put in place to ensure commercial success.
Advances in technology continued to outpace New Zealand’s legal framework for well over a decade after the country gained a direct feed into the international Internet backbone; its laws, more suited to the 1960s, were stretched to the limit grappling with hacking, cracking, piracy, privacy, copyright, trademark, and e-commerce-related issues. The legal fraternity and the politicians they depended on to keep the law current were ill-equipped to understand, let alone prepare for the digital tsunami ahead. One farsighted attempt to gear up for the inevitable on-line crime wave was the formulation of hacking provisions, as part of the proposed 1988 Crimes Act Amendment Bill, which provided for the criminalisation of computer vandalism. The Bill was shelved.
In the political mind there wasn’t sufficient evidence of a threat, and besides, this newfangled computing fad wasn’t likely to catch on outside serious business use or hobbyists. The cliched images of pimply teenage coders cracking into systems, or gamers determined to get to the next level, up for days on end in a zombie-like state, pizza boxes and Coke cans littering the room, seemed too surreal to take seriously. This wasn’t anything lawmakers or politicians need concern themselves with.
It takes all types to make a community and the Internet was no different, with its eccentrics, graffiti artists, scammers, spammers, digital downloaders, cyber pirates, and pornographers. Police precincts and jurisdictions became irrelevant when criminals engaged in cross-border activities. The old guard had been taken off guard; bobbies on the beat were not quick enough to apprehend cyber criminals. New tools, disciplines, and expertise were needed, and even then, unless the legal definitions were rapidly amended to cover cyber crime, the charges were unlikely to stick.
Within a decade though there was serious evidence that what had been unleashed was indeed a serious and pervasive threat, and at the same time a challenge that would transform government and industry and the way people communicated for the foreseeable future. You could legislate for three-dimensional objects made of atoms, but zeroes and ones zipping along our telephone lines were far too elusive. Certainly the archaic definitions in our laws that could barely cope with the era of photocopiers and fax machines needed a serious overhaul.
Laws lag computer crime
The fear was that without local and international legislation covering computer crime, a new breed of criminals could set up a base in New Zealand using the Internet to literally operate outside the law. Hacking, fraud, industrial espionage, the release of viruses, or cyber terrorism could bring down a business or a nation. In the United States more than US$10 billion worth of data was being stolen by thieves operating through computers every year. In 1995 alone banks and corporations lost US$800 million to hackers. New Zealand law was described as ‘grossly inadequate’ to cope with computer crime while international law was non-existent.
Shocking stories of what was happening around the world soon rallied the troops in New Zealand to try to plug the gaps in our digital defences. Paedophiles and pornographers using the Internet were the first group to be officially targeted by government agencies from 1996. The police, already stretched on terra firma, were perplexed in their efforts to patrol cyberspace and had to call in help from overseas experts.
Internal Affairs sought co-operation from ISPs in a sweep during 1997, which resulted in a heap of trashy sites and newsgroups being shut down. Between July 1996 and the end of 1997 the department had made 27 prosecutions relating directly to child pornography on the Internet. Internal Affairs national manager of censorship Steve O’Brien believed his department had been instrumental in helping clean up the Internet locally through monitoring Internet relay chat sites, such as ‘pre-teen sex pics’ and working closely with Interpol and the Australian Government. Specialised software had helped automate the process.
Other government agencies were keen to catch tax cheats and rip-off artists. For example it was logical some of the estimated $10 billion, cash-under-the-table black market the IRD was concerned about was being transacted over the Internet. It commissioned a report in 1997 on the implications of e-commerce on its tax-gathering abilities. The trouble was large portions of the report became redundant when reports from the OECD, the United States, and Australia were released. The IRD began rewriting those recommendations for New Zealand. In the meantime – unless the Internet was declared a tax-free zone – responsibility fell to vendors to figure out where their customers were and to pay the appropriate tax.
In October 1997 New Zealand participated in a 30-nation international crackdown, looking for get-rich-quick schemes. Over two days working the search engines 1000 web sites were found ‘that might be illegal.’ None were local. A standard letter was sent out and a follow-up showed 174 had ‘disappeared or changed.’ Ministry of Consumer Affairs general manager Keith Manch said the sting was really a test run. Now the 30 nations were confident they could quickly mount similar campaigns to look after each other’s interests.[3]
People like David Overend, who posted underskirt images from his shoe camera on the Internet, and the exploits of pornographers and paedophiles, had given the Internet a bad name. Many saw it as a den of iniquity, a place where the dark side of life was displayed for all to see. There was no way their kids were going on-line. The law, despite the difficulty with definitions, sent a warning to such characters. Overend had after all committed a crime by ‘distributing objectionable material.’ He was subsequently sentenced to 21 months in prison and banned from access to computers or cameras. In 1998 Dustin Arthur Barrett of Christchurch was sentenced to a year in prison on similar charges.
Between 1997 and mid-2000, Department of Internal Affairs inspectors successfully prosecuted 49 cases involving the distribution and possession of objectionable material via the Internet. Manager of the Internal Affairs Censorship Compliance Unit, Steve O’Brien, said the unit was catching a New Zealand offender every three to five days. There were 40 cases pending. “Our unit is unusual in that it proactively pursues offenders rather than acting on tip-offs or on information gained during other inquiries. We work closely with overseas enforcement agencies and have already provided over 100 suspects for their further investigation.” Most prosecuted offenders received large fines and suffered forfeiture of their computers and periodic detention. “The scary thing is that despite the publicity surrounding cases offenders are still willing to risk prosecution by trading this type of material,” said O’Brien.[4]
Early in 1998 the NZ Police imported a UK expert to help establish a unit to get a handle on computer crime. John Thackray, a renowned computer forensics specialist, was on secondment from the South Yorkshire Police. Thackray, who headed the New Zealand Electronic Crime Unit, returned home in June 1998 to receive the Churchill Fellowship Medallion from British Prime Minister John Major for his efforts in computer crime research. His worldwide research in 1996, including time with the Federal Bureau of Investigation (FBI) and secret service working on electronic evidence gathering, brought together conventional and electronic forensic techniques that were now being used around the world. It resulted in a global family of computer crime investigators able to track cross-border fraud, working together to similar standards, so evidence gathered in one country was acceptable in the other.
Thackray’s New Zealand electronic crime-fighting unit hugely improved the country’s ability to investigate electronic evidence, put cases before court, and relieve the stress on those who had been found innocent. Previously much of his caseload would have ended up in the too-difficult pile, as every electronic breach needed to relate back to the Computer Crimes Act 1989, which had been sitting in parliament waiting for an update for several years. Laws such as ‘theft as a servant’ or ‘use of a document’ had to apply. An electronic document, according to New Zealand law, was not a document. While the United Kingdom, United States, and Australia had generic laws that related to the misuse of computers, hacking was not against the law here.
Thackray discovered a group of technical university students in a suburban New Zealand town had staged a competition to see how many Unix servers they could shut down. They crashed more than a dozen businesses. Because nothing was stolen, little could be done under the Crimes Act. There wasn’t even an easy way to prosecute those who made ‘denial of service attacks’ by bombarding and blocking a mail server at an ISP or business. “What do you charge them with?” asked Thackray. The police still had to prove intent and use traditional methods regardless of whether it applied to computers, CDs, floppy disks, removable drives, or servers. The Telecommunications Act had, however, allowed Telecom to get successful prosecutions, including one case where a hacker had obtained $80,000 in fraud.
Electronic credit not real
In October 1998 the inadequacies of our laws were further exposed when charges were dropped against a North Shore businessman, who had been convicted of ten charges of obtaining credit by false pretences. A legal loophole saw the Court of Appeal overturn some of Wayne Wilkinson’s convictions, handed down by the Auckland District Court, because credit obtained by electronic transfer did not amount to property that could be stolen. The court’s decision included the statement that new laws to cover now common methods of financial transactions ‘may well be desirable.’[5]
Less than a month later another example of how the law wasn’t up to the crime was illustrated when an Auckland teenager, hacking into the offshore Web hosting server of Ihug, effectively destroyed more than 4500 web sites. Because local law didn’t recognise his crime, Ihug was looking for some legal precedent to have the youth sent to the United States to face charges. Ihug director Tim Wood said the Web server was based in San Francisco and New Zealand law was inadequate for dealing with cyber vandalism. It was described as the worst case of computer vandalism to hit the country.
A Mt Albert youth admitted the hacking and appeared on the Holmes Show with his face disguised and using the name Spazrat, claiming he was 15 years old. The NZ Herald, however, claimed it had evidence the boy was in fact 19 and had used the name Sharkdog. The youth claimed he had been targeting the ISP, not the people who lost their Web pages. His defence was that Ihug had cut off a number of his friends’ accounts ‘for no apparent reason’ and he was just showing them they were hackable and ‘should follow the rules and be nice.’
Ihug said the boy had been bragging about his exploits on chat groups, claiming he was too young to be charged. A Law Commission researcher said if he had done nothing illegal under New Zealand criminal law, it would be difficult to argue in an extradition hearing that he should be exported to the United States for punishment. The hacker had accessed the system via ‘a security hole in a CGI script’ – a small program on a Web page – and then damaged the disk drive and emergency back up on the computer server. “When basic services were restored we found we had lost a large proportion of customers’ directories; 4586 were unrecoverable,” said Ihug. About 500 commercial sites were affected.
The identity of the cyber vandal was later exposed on a web site. He was Morehu ‘Maxx’ Whyte, who called himself Sharkdogg. His actions added to growing calls for the government to increase security and tighten the law as it related to hacking and electronic vandalism. The news of the attack on Ihug’s site also forced disclosure of further acts against ISPs. Telecom for example was beefing up its safeguards against hackers who had compromised the security of its accounts. It learned a hacker had acquired passwords to hundreds of its customers using ‘sniffer’ software, which meant offenders could log on to a legitimate account and use their bandwidth, which at the time was an expensive commodity at around $3 an hour.
In a comment piece in the same issue of the NZ Herald, journalist Chris Barton warned that New Zealand’s laws were in dire need of an update to cope with electronic crime and vandalism. At best it seemed the hacker could only be charged with wilful damage to property under the Summary Offences Act, or for the offence of ‘disturbing’ use of a telephone under the Telecommunications Act, both of which had maximum penalties of $2000 fines or three months in prison. The latter was unlikely to proceed because there was no recipient of the phone call. A proposed change to the Crimes Act, which would have given provision for computer-related offences such as hacking, was still at the first reading stage and hadn’t been considered a high priority by successive governments.[6]
There remained considerable confusion over whether current laws were strong enough to achieve prosecutions for hacking, or as the Internet Society correctly defined it, ‘cracking.’ Minister of Justice Doug Graham considered section 298 (4) of the Crimes Act, which covered damage to ‘property not otherwise covered in the Crimes Act,’ should be used to prosecute ‘crackers.’ However according to ISOCNZ it had become clear over the previous decade that the Act was woefully short on sanctions against such activities. The society was consulting with the wider Internet community to establish the specifics needed for any new legislation. One suggestion was for the government to resurrect the ‘hacking’ provisions of the 1988 Crimes Act Amendment Bill. “Unfortunately the bill was shelved at the time and New Zealand was still without sanctions to protect the public against this type of activity,” said ISOC chairman, Jim Higgins.
He warned New Zealanders not to take a kneejerk reaction to the recent spate of cracking and vandalism and attacks on ISPs, which needed to be put into perspective. “While vandalism of computers is a serious problem, there is no reason for people to assume that there is a widespread problem with the Internet in New Zealand. It is possible for Internet site operators to provide a high level of security and to protect themselves by taking sensible backup.” And while it was true that no organisation could guarantee 100 percent invincible computer security, it was possible to make life difficult enough for crackers that the risk was greatly reduced.
“We must remember that no bank is immune from being robbed, but this doesn’t mean we should worry about using banks. In terms of electronic commerce we have never heard a report of credit card details being stolen from a secure Internet server – even if this should happen it is the credit card company, not the customer, who carries the risk and burden of proof of purchase. Any new laws must be robust enough to keep pace with the increasingly innovative technology we have, and a bad law can be worse than no law at all,” said Higgins.[7]
Amending Crimes Act
In April 1999 Higgins was more strident in welcoming the so-called e-crime bill, saying ISOCNZ had been asking for a law to protect Internet providers and everyday users. “The existing laws are quite inadequate to deal with the increasing number and complexity of computer crimes. The alleged creator of the Melissa virus had been charged in the US with offences which would probably carry a jail term of up to 40 years. In New Zealand he would probably get off scot-free because of our antiquated laws.” Despite his identity being known, no charges had been laid against the person responsible for deleting 4586 Web pages hosted by Ihug. Meanwhile the long-awaited Crimes Amendment Bill (No 6) introduced to parliament on 7 August would have to wait until after the 1999 elections when Labour took power.
Justice Minister Tony Ryall said the bill would redefine ‘property’ to clearly include the balance of a bank account and extend the definition of ‘document’ to include electronic files. “Our Court of Appeal demonstrated last October that New Zealand suffers because our law knows nothing about the theft of electronic credits,” said Law Commission President Justice David Baragwanath. A man who fraudulently obtained cash through direct transfer was let off the hook. While the Bill now in progress plugged that hole, there were still no real sanctions available to deter those who ‘abuse our systems.’ However the idea of New Zealand or any other nation becoming a territory where computer crime could go unpunished was abhorrent to the New Zealand Law Commission. Its members believed harmonising the laws of each nation to allow criminals to be charged under either local or international law would give new credibility to the evolving world of e-commerce.
New Zealand was working fast to ensure its laws met the challenges of the digital world, but the United Kingdom, Canada, Australia, and Singapore had already enacted legislation. Borders had become increasingly irrelevant and the main attention had been on civil law, which failed to deal with the fact “rogues, vagabonds, shysters and criminals were now using the latest technology,” said Justice Baragwanath. He was keen to see new mercantile and criminal law, spanning a borderless world to allow unhindered e-commerce, and opening the way for proper reciprocal extradition treaties. He wanted to see computer hacking as a crime transcending state systems. He quoted from an essay in the Criminal Law Review, which suggested the power of the International Criminal Court should ensure civil governments abide by international law, and the exercise of the whole range of economic, political, and military sanctions remain open to end ‘the culture of impunity.’ “Anyone who tries to create an Alsatia state would find themselves in breach of international law with the sanctions of the rest of the world ganged up against them, bringing a sense of security to our domestic society for international electronic commerce.”[8]
Meanwhile Telecom’s fraud management programme had alerted 10,000 customers to suspicious calling patterns since its establishment in June 1997. Programme manager Colin Yates said the Hewlett-Packard fraud detection system identified anomalies in the calling patterns of 300 businesses, which had since confirmed this, preventing them from suffering loss. The system, he said, had reduced annual fraud among its customers from $50,000–$80,000 to $700–$1000 a year. Telecom recorded $27 million in bad debt for the year ending 31 March 1999; around 60 percent of that came from telephone fraud. It was not unusual, he said, for some customers to receive bills with an extra $50,000–$80,000 for calls they had not made. In most cases these would be routed through an insecure PABX. While most of the high-cost fraud originated offshore, he said local fraudsters often opened phone accounts under false names. The Internet meant New Zealanders were now as vulnerable to telephone fraud as any country. Fraudsters here knew about new techniques from the United States in minutes.[9]
In July 1999 a computer ‘phreaker’ who made more than 21,000 phone calls received a 12-month suspended prison sentence and six months’ periodic detention, when he appeared in the Auckland District Court. Borislav Misic became the first phreaker or telephone network hacker to be convicted in this country. The 23-year-old had arrived in Auckland from Yugoslavia in April 1998, seeking refugee status. By late May he had made 21,192 calls to Spain and Tonga from five telephone lines in his central city apartment. After his lines were bugged, Telecom staff concluded he was using a ‘blue box’ computer program to send signals down the phone lines which prevented the calls from being billed.[10]
Computer crime had escalated from the domain of geeks proving how clever they were to their peer group, to an all-out crime spree and billions of dollars were being lost through virus invasion, industrial espionage, and hack attacks. At the core of the knowledge economy was intellectual property; important files and documents about businesses and their clients, confidential data, trade secrets, and transaction histories – often saved to computer disks, tapes, or storage silos. With the increasing sophistication of computer-based crime, companies had to rethink everything, and start with the assumption that their IT systems and information assets were vulnerable. Every step possible needed to be taken to establish ironclad security that could regularly be strengthened or updated, to cope with the latest threats.
According to the Internet Security Survey sponsored by eSolutions, Telecom, and Xtra, poor security put the reputation of New Zealand businesses seriously at risk. The survey found 58 percent of businesses considered the information held on their computer systems was extremely sensitive and confidential but 82 percent did not have intrusion detection tools in place. In other words they wouldn’t know whether they had been hacked into or not, resulting in the low number (8 percent) of known intrusions.
The Internet had become a riskier place for businesses since the terrorist attacks of September 11, and things weren’t likely to improve any time soon, according to Internet Security Systems (ISS) in its security incident report for the first quarter of 2002. It warned overall Internet security had been hampered by a steady tide of DoS attacks, as well as the rise of hybrid attacks, including the propagation of worms such as Code Red and Nimda, which spread through the Web and email via file sharing and instant messaging. “Attacks are now global in scope and round-the-clock in incidence. There’s no such thing as a low-level threat on the Internet. If you’re going to connect to it, you better have a suit of armor,” warned Dennis Treece, director of the X-Force Special Operations Group at ISS in Atlanta. The company compiled its data from more than 350 high-volume intrusion-detection sensors it managed around the world, saying the vast majority of attacks – nearly 70 percent – were being launched on server port 80, the same port that Web traffic flowed on.
Port scanning was a common activity before an attack was launched, and a way of discovering details and vulnerabilities about networks. Experts predicted there would be many more such worms and nasties released to attack corporate computer systems. The threat would grow for emerging areas of computing such as broadband, wireless, and instant messaging. Firewalls alone could not prevent this kind of unauthorised access; additional intrusion and defence technology was needed. Hackers and crackers were constantly on the look-out for security vulnerabilities in new or existing software, where the developer hadn’t yet come up with a patch, or where the company had failed to download a fix to eliminate vulnerabilities.
Infrastructure unit formed
The owners of storage and processing systems were being warned to take very specific steps to protect their assets and monitor their networks. Clear company policies were needed to state how information should be stored and protected, and who should have access to it. Without such policies, along with the now essential firewalls, antivirus scanners, and intrusion detectors, businesses might not even know their systems had been attacked and corporate secrets compromised.[11]
An important step in protecting the rapidly emerging electronic environment was put in place in August 2001, with the creation of a specialised government unit that would watch over the security of essential public and private sector infrastructure. Various governments had previously dismissed attempts to create an independent early warning system along the lines of the US-based Computer Emergency Response Team. Now Cabinet had approved the Centre for Critical Infrastructure Protection to be housed in the Government Communications Security Bureau (GCSB). It would essentially watch over infrastructure considered essential to maintaining the political, social, or economic life of the country, including energy and telecommunications systems, transport, finance, and law and order. While owners of infrastructure would remain responsible for the security of their own systems, the centre would provide co-ordination, support, and advice on the ways in which the country could maintain and improve its security. The centre would provide 24-hour ‘watch and warn’ advice about threats from viruses to hacking attempts.[12]
Cabinet papers obtained by the Weekend Herald, backgrounding the special unit, indicated one of the country’s most critical infrastructure companies had been under attack for months from cyber-terrorists. The briefing papers said the risks were increasing dramatically. The State Services Commission admitted a large telecommunications company had been under sustained attack for several months but no one would confirm who that was. The general view was that it was Telecom, which had shut down its Netgate international Internet link in January 2001 after intrusion problems.[13]
Amendments to the Crimes Bill were still being debated in September 2001 amidst claims that New Zealand had become a staging post for cyber criminals, including credit card thieves who stored their data locally, believing it would not be traced. There were also allegations of a high incidence of electronic fraud. The lack of specific laws making hacking and computer crime illegal didn’t help dispel the growing perception of New Zealand as a digital backwater. Some still wondered whether the proposed law changes went far enough while others were concerned they went too far. The Crimes Act drawn up in 1987 allowed police to tap voice messages only; the new one opened the way for scrutiny of email and other electronic messaging. It would make hacking and computer snooping illegal, except when carried out by police, the Security Intelligence Service (SIS) or the GCSB. Police would still, however, need to seek a warrant to gain access to a telecommunications network. Carriers would have to ensure their networks were compatible with official snooping requirements, and allow specialised hardware and software to be used.
The bill was attempting to strike a balance between individual privacy and the interests of state. InternetNZ and others believed the terminology was too broad. For example ISPs often had to deny service to customers if they themselves were facing a DoS attack. Would that make them liable under the proposed changes? The software, specialist tools, virus code, or data that could be used to commit a crime might also be used by those trying to prevent such a crime, or as a matter of course by a network manager, or IT specialist to administer or test security in a network. Would they be breaking the law by doing their job?
Concerns had also been raised that the law abiding or the simply curious might get caught in the e-crime net. Would you be breaking the law when researching cyber terrorism or if documents about hacking were found on your hard drive? Or if you had certain web sites bookmarked, making available or discussing programs that could be used for hacking? IT Minister Paul Swain reacted swiftly to detractors with a ‘let’s not be silly’ stance, saying the keywords were ‘intentionally and recklessly.’ Legal interpretation might, however, be required before deciding who was a criminal. He insisted the new law would not criminalise the legitimate use of IT security software. A salesperson marketing a package as being useful for committing crime could be committing an offence. However the law did not intend to trap those who innocently or accidentally sent out an infected email which replicated itself through email address books. “Criminal recklessness requires that someone deliberately and unreasonably takes a risk knowing the possible outcome.”
Certainly, the new law would make it much easier for the police to become involved. Maarten Kleintjes, head of the Police Electronic Crimes Unit, told the NZ Herald the bill would give police a much better handle on the new channels criminals used. “Currently it’s a bit like police only being allowed to breath-test people driving white cars, while people in coloured cars get away.”[14]
Meanwhile the long-delayed Electronic Transactions Bill was due to pass into law in October 2002, giving electronic transactions broadly the same status in law as transactions concluded on paper. While the Labour Party had been accused by the IT industry in particular of failing to give the Bill the priority it needed, it had the potential to open the way for growth in e-business, remove legislative barriers to on-line trade and reduce compliance and transaction costs. IT bodies such as ITANZ and InternetNZ insisted this and the Crimes Amendment No 6 Bill, which criminalised ‘hacking,’ were important for the progress of e-business.
The Crimes Amendment Bill at the time was still sitting at the number 37 position on the parliamentary order paper. While IT Minister Paul Swain applauded the passing of the Bill on 10 October, there was still some way to go. The Electronic Transactions Act 2002 was delayed by the need to pass regulations to clarify grey areas on how the act should affect other legislation. A discussion paper was released on 11 April 2003 and submissions on the proposed regulations closed on 1 May 2003. The Act finally came into force on 21 November 2003.[15]
Then the Crimes Amendment Bill passed into law on 4 July 2003, introducing the most significant changes to property related crimes since the Crimes Act was first enacted in 1961, according to Police National Crime Manager Detective Superintendent Rob Pope. “The changes are intended to bring property-related offences into the modern era in recognition of the use of advanced computer technology for criminal purposes.” Important changes were also made to police interception powers, expanding the coverage and nature of warrants in the fight to combat organised crime.
Theft-related crimes were now extended to cover intangible property, a series of new computer-related crimes were created to cover such events as hacking, the term ‘breaking and entering’ was replaced with ‘entering without authority’ for burglary, and fraud offences became ‘obtaining by deception.’ It was now illegal for unauthorised people to intercept emails and faxes not intended for them.
“Increasingly police are receiving complaints involving the use of computers to commit property related crimes, many of which are not addressed by the current law. These amendments will better equip police to respond more effectively to property related complaints,” said Pope. The new law came into effect on 1 October 2003.[16]
Specific offences included:
Penalties ranged from two years at the lower end, to ten years for cases where someone intentionally or recklessly destroyed, damaged, or altered a computer system, knowing that danger to life was likely to result.
Security becomes priority
A more holistic and manageable approach to network security was being demanded by businesses as they faced a plague of viruses, spam, and increasingly sophisticated attacks from hackers and crackers in 2004. The pressure was on for companies to review vulnerable code and security policies, and for vendors to move to intelligent, multi-layered security systems that tightly integrated with network management. “People are moving beyond simple firewall and antivirus applications to a solutions approach where hardware, software and management of security is viewed as a whole, often embracing areas outside IT, including surveillance,” said IDC New Zealand security research specialist Jane McPherson.
An annual survey of chief information officers in Australia and New Zealand saw IT security move from 17th position to number four. McPherson said many companies seemed to have a lax attitude towards policies and procedures, and little understanding about new government initiatives to protect consumer data, electronic transactions, and privacy law changes, for example, in the Crimes Amendment Bill. “Many companies are more liable than they realise if consumer data gets into the wrong hands. Once they become aware of the risk this will become a major driver of security spending.”
The proliferation of ‘malware’ – malicious software, ranging from unexpected code to viruses, Trojan horses, worms, and even spam – was a major contributor to increased security spending. According to TrendMicro, PC viruses cost businesses approximately US$55 billion in damages in 2003 – about double the damage of 2002, and more than four times that of 2001. The need to keep on top of not only antivirus updates but also operating system and software patches was made embarrassingly evident by the fact that, across all products, Microsoft released 51 security advisories in 2003, 30 of them affecting its Windows XP operating system.
A Gartner report in May 2004 suggested 90 percent of mobile devices lacked protection to ward off hackers and many users weren’t taking proper precautions. John Girard, research vice president at Gartner, said wireless mobility was the greatest change to occur in corporate data collection and distribution in the past decade, presenting new threats which required sound management policies to protect information assets and contain costs. Gartner recommended moving all PDAs and phones into the PC support group, installing PDA firewalls, implementing cost controls, and purchasing mobile management tools.
Peter Benson, managing director of Security-Assessment.com, believed securing badly written Web and system applications was becoming more important than securing the perimeter. “There is no such thing as a perimeter these days. It’s gone. Organisations connect to partners; they have remote dial-up and VPNs; they’ve become virtual enterprises.” He said security products were just products, not security. “If you build systems right in the first place firewalls, antivirus and intrusion detection should be the backstop not the first point of alert.” Penetration testing a couple of times a year was not enough. Continuous auditing was necessary as part of vulnerability management.
Leanne Buer, Telecom Advanced Services (TAS) security business manager, believed businesses should have a security audit, including penetration testing, before outsourcing, or moving into any major development. A first step might be securing the perimeter and consolidating all access points to the network, including wi-fi and remote access. “Every customer has a duty to understand their vulnerabilities before developing policies and figuring out what the acceptable levels of risk are.” She said security was about defence and depth. “Perimeter security is fine but you also need to secure remote technologies so the business can operate where and when it wants.”
Security was becoming a 24x7 concern. “The average IT department in New Zealand is two people – keeping up with vulnerabilities in hardware and software is difficult. That’s why you need a specialist, because that’s all they do. One of our customers, before they came onto our system, was getting any virus going and had a little hit squad of IT people going up and down the country rebuilding Web and file servers.”
ISPs were increasingly seen as business partners and needed to have high levels of security. Iconz, for example, had two permanent security officers and every quarter bought in a specialist to conduct a security audit of its Unix and Microsoft environment, right down to the IP level. Iconz CEO Sean Weekes believed it was important to have an independent audit, and for ISPs in particular to segregate the hosting and local environment. “If you stand still the environment goes backwards. You must keep proactive. Those companies that can’t afford to have someone monitor their networks should be outsourcing,” he advised.
While many vendors were integrating antivirus, firewall, and anti-spam products, the speed at which viruses proliferated left users wide open to attack. Vendors could typically release a patch file within two to four hours of a new threat being released into the wild; however, the Slammer worm was able to hit 5.5 million hosts in about 11 minutes.
“Two hours doesn’t cut it anymore. The whole approach of looking for a virus signature and then blocking it means someone has to get the virus first,” said Cisco systems engineer Arron Scott. Cisco had come up with the concept of the self-defending network which detected unacceptable behaviour. “Why would your SQL database try to probe thousands of hosts per second? Why would an application want to format its own hard drive?”[17]
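The behaviour-based idea behind Scott's question can be shown with a small detector that needs no virus signature. This is an added example, not part of the original text and not Cisco's implementation; the flow record layout, the threshold, and every address and port in the sample are constructed for illustration.

```python
from collections import Counter, defaultdict, deque
from typing import Iterable, List, NamedTuple


class Flow(NamedTuple):
    ts_ms: int   # when the connection attempt was seen, in milliseconds
    src: str     # internal host that initiated it
    dst: str     # destination address
    dport: int   # destination port


class Alert(NamedTuple):
    src: str
    peak_distinct: int  # most distinct destinations seen in any one window
    top_port: int       # destination port the host used most often


def find_fanout(flows: Iterable[Flow], window_ms: int = 1000,
                max_distinct: int = 200) -> List[Alert]:
    """Flag hosts that contact more than max_distinct different
    destinations inside any sliding window of window_ms milliseconds."""
    recent = defaultdict(deque)       # src -> (ts_ms, dst) pairs still in window
    in_window = defaultdict(Counter)  # src -> dst -> occurrences in window
    ports = defaultdict(Counter)      # src -> dport -> total occurrences
    peak = defaultdict(int)

    for flow in sorted(flows, key=lambda f: f.ts_ms):
        queue, seen = recent[flow.src], in_window[flow.src]
        queue.append((flow.ts_ms, flow.dst))
        seen[flow.dst] += 1
        ports[flow.src][flow.dport] += 1
        # Drop attempts that have aged out of the window ending at this flow.
        while flow.ts_ms - queue[0][0] >= window_ms:
            _, old_dst = queue.popleft()
            seen[old_dst] -= 1
            if seen[old_dst] == 0:
                del seen[old_dst]
        peak[flow.src] = max(peak[flow.src], len(seen))

    alerts = [Alert(src, n, ports[src].most_common(1)[0][0])
              for src, n in peak.items() if n > max_distinct]
    return sorted(alerts, key=lambda a: a.peak_distinct, reverse=True)


def build_sample_flows() -> List[Flow]:
    """Constructed traffic for three internal hosts (not real capture data)."""
    flows = []
    # Database server: 3000 different destinations on one port within a second.
    for i in range(3000):
        flows.append(Flow(i // 3, "10.0.0.5",
                          f"10.200.{i // 256}.{i % 256}", 1434))
    # Mail relay: 40 new destinations every second for ten seconds.
    for i in range(400):
        flows.append(Flow(i * 25, "10.0.0.9",
                          f"10.201.{i // 256}.{i % 256}", 25))
    # Workstation: 500 requests in a second, but only to three servers.
    for i in range(500):
        flows.append(Flow(i * 2, "10.0.0.23", f"10.0.1.{i % 3 + 1}", 443))
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for alert in find_fanout(SAMPLE_FLOWS):
        print(f"{alert.src}: {alert.peak_distinct} distinct destinations "
              f"in one second, mostly port {alert.top_port}")
```

The busy workstation is not flagged because the signal is the number of different destinations, not the volume of traffic, which is why the threshold has to be tuned against hosts such as mail relays that legitimately talk to many peers.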
Ken Low, senior security manager of 3Com Asia Pacific, claimed in March 2006 that an average of 33 dot.nz web sites were being hacked every month. From December 2000 to March 2006, 2123 dot.nz web sites were hacked. Of these, 1641 had a dot.co.nz address, but dot.net.nz, dot.org.nz, dot.govt.nz and others had also been hit. New Zealand had a mid- to low-level per-month hack rate compared with other OECD countries. Australia was much worse off, with nearly 200 government web sites hacked over a couple of years. In New Zealand it was closer to 15.
“Apart from the fact that Australia has a bigger population, there are also political and religious reasons behind a lot of attacks, whereas New Zealand in general was seen as a neutral country,” according to Low. Of the top ten hackers targeting New Zealand, four were most likely local. The rest were internationally known criminals. He warned the problem wasn’t going to go away any time soon and traditional intrusion solutions, including antivirus software and firewalls, were too slow. What was needed was intrusion prevention, not intrusion detection.[18]
Delicate digital evidence
Nabbing those responsible for e-crime was a complex business, fraught with technical and administrative issues. There was the risk of contaminating digital evidence through improper checking by police, which could cause problems with prosecutions. Auckland-based Crown prosecutor Marc Corlett, speaking at the NetSafe Cyber Security Symposium in July 2006, said evidence had to be carefully presented to 12 jurors who were variously ignorant of computers.
“All they hear is a policeman has come in and changed data; all the defence has to prove is reasonable doubt and if the jury is sufficiently confused by the information, there is reasonable doubt.” He said prosecutors needed to find ways to translate digital evidence into a presentation that juries would find interesting. The traditional oral testimony approach was unlikely to succeed where juries had limited understanding of technology.
Sheer volumes of digital evidence could also prove problematic. Corlett said he was prosecuting a case involving hacking into on-line bank accounts where there was a huge amount of material that needed to be carefully managed to avoid confusion. New Zealand had moved beyond the first, and second, generation of computer offending, where technically skilled people did it to show how clever they were, to the third generation of e-offending involving organised crime. “As prosecutors we’re increasingly seeing this more sinister involvement (of) increasingly sophisticated e-offending.”[19]
The harshest ever sentence for Internet fraud in New Zealand was handed down to 19-year-old Mark Hayes in May 2006, when he was sentenced to 2 years and 11 months after accessing TradeMe members’ bank accounts. Between Christmas and New Year 2004 the Auckland teenager hacked into bank accounts and email addresses, then used the email details to access those accounts and purchase items before the bank found out and began reversing payments. Seven people had their identities stolen and it was only when sellers began asking TradeMe why their payments were reversed that TradeMe began investigating. TradeMe spokesman Mike O’Donnell said fraudsters left deep footprints on the site and the company was committed to prosecuting them.[20]
Further evidence that Internet crime was escalating to a more serious level came from a report from Internet security firm McAfee in December 2006, which alleged gangs were adopting ‘KGB-style’ tactics to recruit accomplished computer students to help them commit on-line offences. In its annual report on cybercrime, McAfee claimed criminals were targeting universities, computer clubs and on-line forums to find suitable undergraduates. Some gangs had sponsored promising students from other disciplines to attend computer courses before planting them in businesses as ‘sleepers.’ The students would be asked to write viruses, commit identity theft, and launder money in a multi-billion dollar industry that was more lucrative than the drugs trade.
The report said the tactics were similar to those of Russian agents who sought out experts at trade conferences or universities during the Cold War. McAfee said its study was based partly on FBI and European intelligence which pinpointed Eastern Europe as a prime target for cyber crime recruits because of high unemployment and low wages. Hackers were paid to write viruses that could infect millions of machines, to obtain confidential information such as credit card information or send unwanted spam emails.[21]
The spectre of cracking was raised again in 2007 when the notorious Turkish hacker Iskorpitx got into a US-based server and defaced the web sites of about 600 New Zealand companies. The affected web site owners were former customers of Internet company Quik.co.nz, which Ihug had acquired in 2006. It took over a week for one of the victims, Auckland-based Just Hardwood Floors, to restore its site. It cost thousands of dollars to fix all the sites. Its operations manager Jonathon Cooke was concerned by claims each company needed to back up its own site. He was using an on-line program to upload text and pictures into a template designed and hosted by Quik, the former New Zealand franchise of US-based ISP Quik.com. However it didn’t allow the customer to make a back-up at their end.
The company lost Web development work hosted at the site which Quik had also failed to back up. Gillian Richardson from Automotive Security Systems said she’d lost 80 percent of her business through the company web site being offline. She relied on an Ihug competitor to help her get back on-line and changed ISPs after Ihug admitted there was nothing it could do and that it was working with the Web development side of Quik in the United States, which it did not own. Ihug offered a month of free Web hosting and promised to move all former Quik customers to its own secure servers where regular back-ups were done.
Outdated and insecure
Rival Web hosting company PrimeHost warned many ISPs were running insecure and outdated systems. Operations director Dale McIsaac said many companies were still using vastly outdated systems to host commercial customer web sites. “Many successful hacking attempts are due to Internet providers running outdated software on their servers, and customer-installed applications such as bulletin boards, forum software and mailing lists are commonly exploited by Internet hackers.”[22]
Nearly three months later another Turkish hacker, this time going by the name ‘crackers_child,’ struck around 20 sites hosted by Digital Network, attacking programs, files, and folders that had insecure permissions. The hacker overwrote existing content on the sites, leaving an obscene message taunting the owners about security. A URL leading to a Turkish language security forum was also posted by the hacker. According to security web site Zone-H, crackers_child was responsible for more than 20,000 attacks in April alone.
Digital Network manager Warren Sanders said the sites were restored from back-ups and the clients affected would be contacted. He claimed the hack “was a minor incident” and Digital Network had taken advice from security specialists in the United States on updating servers and improving security. There was a fine line around how far a Web hosting company could control users and offer standard Web hosting at the same time. In August 2006 another Turkish hacker hit Wellington Web hosting company iServe, causing widespread damage. ACT MP Rodney Hide was among those whose web site was defaced.[23]
In mid-July 2007 a split verdict was delivered in the long-running trial of computer hacker Andrew Garrett, who was found guilty on four charges of reproducing a document with intent to defraud and one count of threatening to damage property. The fraud charges related to Garrett’s obtaining Internet access passwords from computers remotely, using the Back Orifice Trojan virus. The final charge on which he was found guilty was threatening to damage property. This related to a message Garrett sent to an Xtra account holder telling the user to change their ISP or have information on their hard drive deleted.[24]
A report from security company Sophos in July 2007 said the number of infected Web pages had soared nearly six-fold since the beginning of the year, evidence of how widespread Web attacks had become. In June, it detected an average of almost 30,000 newly infected pages a day, a huge increase on the 5000 daily average recorded earlier in the year. About 80 percent of all Web-based malware was hosted on legitimate, innocent, but compromised sites. The June attacks, for example, were launched from more than 10,000 legitimate web sites mostly hosted in Italy.[25]
Armed with an exploit tool kit, attackers launched massive attacks in Europe from the compromised sites, with infections spreading worldwide. Analysts reported the large-scale attack was based on the multi-exploit hacker kit dubbed ‘Mpack,’ which redirected visitors to a server hosting the professional, Russian-made collection of exploits which then worked against that country’s domains. Infected computers were fed a diet of malicious code, largely keyloggers that obtain user names and passwords for valuable accounts such as on-line banking sites.[26]
In its second ‘Internet Threat Report for 2007’ antivirus vendor Symantec agreed cyber crime had gone professional. Criminals were making complex, highly targeted attacks and selling easy-to-use on-line hacking tools to recruit a new generation of fraudsters.
Symantec found 95 percent of such attacks were on home users and that phishing attacks had increased 54 percent in the first half of 2007, when the company blocked more than 2.3 billion such messages – up 54 percent. A multi-billion economy was being fuelled through these attacks in conjunction with stolen credit cards sold on the Internet for a couple of dollars each.
Symantec consumer spokesperson Trudie Wood said the whole notion of privacy and security was changing. “We’re living in an era of more collaboration and on-line interactions, with social networking, wikis, podcasts, blogs, and RSS syndication feeds opening users up to a variety of potential security risks. It is no longer about protecting computers and other devices but protecting the interactions of Internet users. Today’s bad guys don’t need to pick your locks or break your windows; they attack you and your family over the Internet.”
Malware here to stay
Attackers were increasingly turning to end-user systems as a way around the antivirus and firewall systems that were blocking access to traditional attack routes. Software developed and deployed by Wellington’s Victoria University that helped track Web-based security attacks as part of the international Honeynet Project revealed that even seemingly safe Web addresses were rife with attack code aimed at vulnerable clients.
According to the researchers in the United States, Germany, and New Zealand, “The ‘black hats’ are turning to easier, unprotected attack paths to place their malware onto the end-user’s machine.” The authors of the ‘Know your enemy: Malicious Web Servers’ study released in August 2007 used a ‘high-interaction’ client honeypot, called Capture-HPC, developed by Victoria University, to analyse more than 300,000 addresses from around 150,000 hosts. It looked at various site categories, including adult, music, news, ‘warez’[27], spam, and addresses designed to grab traffic from users who mistype common Web addresses. While some categories were more likely to contain malicious addresses than others, all contained malicious addresses, the report said. “As in real life, some ‘neighbourhoods’ are more risky than others, but even users that stay clear of these areas can be victimised,” it said.
Users could be led to malicious sites via links, typing in an address manually, mistyping an address, or following search results. The results only served to confirm what security researchers had been saying all along. Regularly updated blacklists and regular patching helped; however there was a prevalence of attacks against plug-ins and non-browser applications. “Attacks also target applications that one might not think about patching, such as Winzip,” the study said.[28]
In the first week of December the Weekend Herald broke the story of a $26 million computer fraud perpetrated on over a million computers by an 18-year-old from Whitianga. Owen Wilson, described as a ‘brilliant’ loner who got himself into a computer scam for a bit of fun, was tracked down by the FBI, the US Secret Service, Dutch authorities, and police in New Zealand and had his equipment seized. It was alleged he had control over a vast ‘botnet’ network of computers that cyber-criminals paid to use.
Wilson, who had used the name AKill and the alias Snow White, was tracked down after an 18-month investigation and was believed to be part of ‘an elite international botnet coding group.’ The FBI said his activities went beyond malicious and that he was also behind an attack in February 2006 that brought the computer network at the University of Pennsylvania to a halt, denying access to 4000 students and staff and infecting 50,000 computers with a virus that was undetectable to anti-viral programs. He was also allegedly head of a team involved in an illegal adware scheme, which Dutch authorities were investigating, that infected 1.3 million computers.
World-respected Kiwi security expert Peter Gutmann saw no end to the proliferation of hacking and malware, and plenty of work ahead for anyone wanting to get involved in the security industry. While systems had become a lot more secure since the 1990s, the attacks had also become smarter. “They are now being run as a commercial software business; for example by Eastern European organised crime rings who put a huge amount of money into their efforts. The bad guys are now hiring extremely skilled programmers, and because there are now good spam filters in place, they’re paying people with PhDs in linguistics to work around them, which is outrageous. These are serious opponents with better experts than the good guys.” The industry was no longer dealing with teenagers sitting in a basement cracking code and out for a joyride, but “seriously huge organisations” that produced well-written, bug-free code which is tested across multiple machines and platforms, said Gutmann.
In the mid-1980s, at the age of 14, Peter Gutmann designed and built his own computers. He first got involved in the bulletin board community through a school friend who ran one from his Auckland basement. He would chat on-line, exchange information, and hang out with ‘a random cross-section of people who you would never otherwise have got to meet.’ At Auckland University he focused on computer science, obtaining a master’s degree with a thesis on data compression. On realising he could only ever hope to achieve ‘half a percentage of improvement’ he shifted his studies to the equally arcane field of security, studying for a PhD for his work on the design and analysis of security techniques and systems. His early achievements included the creation of full-strength encryption systems. He said a good dose of paranoia was important in figuring out all the possible attacks and the security problems.
There were enough people breaking into systems, so Gutmann took on the role of defender. “I was always interested in looking at all the ways someone might attack a system. I like thinking up weird attacks and setting up counter measures.” In those early days, he said, there was a relatively small hacker community in New Zealand, compared to what was happening in the United States or Europe. “The people I knew were mostly doing it for a joyride – ‘Look at me. I’m really cool’ and that was it. Mostly they found girlfriends, got married, had kids and settled down. That’s the best cure for teenage hackers; they get a life and stop doing it.”
Over the years he claimed to have broken the password, file encryption, and security systems of a number of Microsoft, Netscape, and Norton products soon after release. He took credit for breaking the code for the Yellow Bus Company smart cards by creating a $50 test card that was accepted by the bus readers, before he informed the company of the security problem. With the growth in e-commerce and increasing transfer of sensitive information, his skills were increasingly sought after.
Gutmann was regularly called on to address international security gatherings. He moderated several Internet security and encryption newsgroups and contributed to the development of world security standards, including international public key encryption. He developed the open source Cryptlib security tool kit and security library, which attracted a lot of public attention. He was prevented from legally selling it because of its military-grade nature, so he gave it away. Users included a number of hospitals, medical laboratories, and doctors throughout New Zealand. He also contributed to PGP (Pretty Good Privacy) version 2, and devised the ‘Gutmann method’ of secure erasure of data from magnetic media.
In the early 1990s, after a period of employment with Orion Systems health software firm, he became more deeply involved in security work through his own company Digital Data Security. His controversial white paper ‘Cost Analysis of Windows Vista Content Protection’ described the content protection specification in Microsoft’s new operating system as “the longest suicide note in history.”
In the end, he said, there was little anyone could do to keep safe on-line other than ensuring security and antivirus software is up to date. As far as legislation goes, it is like asking what the government can do to stop people getting sick. “There are so many facets; you deal with one and another hundred appear. There is no silver bullet.” Besides, most of the attacks and the malware came from overseas, and even tracking down the source is almost impossible. “Most of it is done through hijacking PCs from a third party. They might be using your granny’s computer which is infected with a hundred types of spyware.”
His only suggestion was for legislation to prevent software being sold here with insecure configurations that make a PC open to attack or infection by a third party over the Internet. However most software came from the United States, so anything the government did here was not going to have much effect, Gutmann said.[29]
New Zealand Police were adding new tools to their artillery to clean up on-line crime. There had been a rapid evolution of electronic crime both in New Zealand and overseas, and while there are close links with Australia and other jurisdictions, since 2002 the police were ramping up their own e-crime strategy. “Crime is being increasingly committed in what is effectively the cyberspace Wild West, a borderless environment where traditional policing methods are often no longer effective. This is the high end of new electronic crime: anonymous, borderless, fast, dynamic and incorporating ever-changing and sophisticated technologies,” said Police Commissioner Howard Broad.
The new Police Electronic Crime Laboratory in central Wellington now employed 14 staff using state-of-the-art equipment to crack down on criminals using the Internet. Over five years the e-crime lab would align with a National Cyber Crime Centre (NC3) for a single reporting point for e-crime targeting and electronically patrolling places where crime occurs, with a strong focus on organised crime, violence, and child exploitation.
Commissioner Broad cited the police partnership with NetSafe, the charitable organisation aimed at keeping children safe on the Internet, as the way of the future in developing a combined-agency approach to e-crime. “We cannot effectively address these sorts of issues alone. The problem is too big, too complex and we don’t have the technical resources necessary to respond to what is rapidly becoming a significant problem without joining up with other agencies.”
As part of the strategy, Project Eve (Environment for Virtualised Evidence) was set up to make it easier to process electronic evidence; for example, converting computer hard drives into virtual images, allowing detectives to access evidence at their desktops rather than waiting for forensic investigators. Expected to cost several million dollars, it aimed to bring an end to investigations and court cases which could sometimes last as long as a year. “The amount of work has increased and completely overwhelmed us and we have been in the position where we have not been able to deliver the evidence in a timely manner and that is why we are making those changes now,” said national e-crime laboratory manager Maarten Kleintjes.[30]
Software piracy, hacking, and cracking continued to escalate, and the Internet made traditional crimes such as drug trafficking, paedophilia, and fraud much easier. The law could only do so much. With cyber criminals becoming smarter, and new kinds of net nasties proliferating, the responsibility increasingly sat with the on-line community to ensure their systems and personal information were protected while remaining alert to any signs of unusual activity that might suggest criminal activity was in progress. Co-operation was clearly the key with schools and parents, members of social networking communities warning each other about potential threats, and governments working together to eliminate spammers, terrorists, and child molesters.
Footnotes
[1] Keith Newman interview for NZ Herald, September 1999
[2] Internet Safety Group report, 2003, p5
[3] Keith Newman, ‘Anarchy Undermined,’ Metro, February 1998
[4] Russell Brown, ‘Internal Affairs nabs a Net porn offender every 3-5 days,’ Computerworld, 4 July 2000
[5] ‘Convictions overturned as loophole in law revealed,’ NZ Herald, 23 October 1998
[6] Chris Barton, ‘Hacker may face US law,’ NZ Herald, 21 November 1998; ‘Computer hacker destroys 4500 web sites,’ 23 November 1998; ‘web site vandalism shows law in need of shake-up,’ 24 November 1998
[7] ISOCNZ press release: ‘Hacking issues need to be put into perspective,’ December 1998
[8] Keith Newman interview for NZ Herald, September 1999
[9] ‘Telecom fraud detection system comes up trumps,’ Dominion Infotech, April 1999
[10] Paul Yandall, ‘Phreaker given PD for making 21,000 toll calls,’ NZ Herald, 23 July 1999
[11] ‘What are the main security threats?,’ iStart security feature, 2002
[12] Peter Griffin, ‘Government to patrol cyber-beat,’ NZ Herald, 8 August 2001, plus government press release
[13] James Gardiner, ‘Telco under cyber attack,’ Weekend Herald, 22–23 September 2001
[14] Keith Newman, ‘eCrime Bill Eases Burden on “old Bill”,’ TUANZ Topics, September 2001
[15] http://www.brookfields.co.nz. News items, October 2003
[16] NZ Police press release: ‘Police welcome changes to Crimes Act,’ 4 July 2003: http://www.police.govt.nz/district/southern/release/994.html
[17] Keith Newman, ‘Beyond ad hoc bolt-on solutions,’ Telecommunications Review, May 2004
[18] Ulrika Hedquist, ‘Hacked: 33 .nz web sites per month,’ Computerworld, 27 March 2006
[19] Campbell Gardiner, ‘E-crime prosecutions present challenges,’ m-net, 10 July 2006
[20] ‘Court gets tough with Internet fraud,’ NZCity, NewsTalkZB, 26 May 2006
[21] Peter Griffiths and Reuters, ‘Internet gangs hiring students for cybercrime,’ NZ Herald, 11 December 2006
[22] Helen Twose, ‘Firms lose thousands as hacking nightmare continues,’ NZ Herald and NZPA, 16 February 2007
[23] Juha Saarinen, ‘Kiwi sites defaced in new hacking spree,’ Computerworld, 7 May 2007
[24] Peter Griffin, ‘Jury finds half of hacking counts proven,’ NZ Herald, 18 July 2007
[25] Gregg Keizer, ‘Poisoned web sites soar six-fold, Sophos says,’ Computerworld, 27 July 2007
[26] ‘Hackers compromise 10k sites, launch “phenomenal” attack,’ Computerworld US, 18 June 2007
[27] Sites offering illegal downloads of pirated software
[28] Matthew Broersma, ‘Victoria Uni tech leads Internet attack study,’ Computerworld, 27 August 2007
[29] Sources: Interviews with Peter Gutmann for the NZ Herald 18 June 1998, a further interview in June 2007, Gutmann’s own home page: http://www.cs.auckland.ac.nz/~pgut001/ and the Wikipedia article on him: en.wikipedia.org/wiki/Peter_Gutmann_%28computer_scientist%29
[30] Greg Tourelle, ‘Police tackle Internet’s “wild west”,’ Stuff.co.nz, 24 September 2007