Chapter 16 - Cyberspace Junk - Nailing Net Nasties

From NetHistory


Anyone who tries to create an Alsatia state would find themselves in breach of international law with the sanctions of the rest of the world ganged up against them bringing a sense of security to our domestic society for international electronic commerce. Justice David Baragwanath, 1999.1

The digital environment … is often referred to as “cyberspace” … It is a workplace, a business arena, a social sphere for meeting new people and developing relationships, and a place for entertainment. However, it is a place where perpetrators of electronic crime can victimise the unsuspecting, and an environment which can facilitate anti-social behaviour like bullying and harassment. Schools are fostering wonderful Internet learning skills in children but must also include in that education the practical skills needed to negotiate all aspects of cyberspace safely. Internet Safety Group report, 2003.2

In White Friars, England until the end of the 17th century, there was a ‘safe place’ known as Alsatia, where criminals and those seeking sanctuary could live outside the law. Many believed once unleashed from US military control, the Internet – outside of any one jurisdiction – became the embodiment of anarchy, a cyber version of Alsatia.

When the boffins and geeks ruled, the Internet was self-policing. Coteries of like-minded individuals gathered in specialist huddles, newsgroups, and chat rooms where their esoteric secrets were shared. Gamers, film buffs, sci-fi fans, musicologists, genealogists, and computer nerds felt safe sharing intimate details of their hobbies and habits. Among them were the coders who loved the challenge of proving they were smarter than the software developers, often exercising their prowess by cracking and hacking their way into allegedly safe systems, or liberating games and commercial software from the passwords and encoded protections their creators had put in place to ensure commercial success.

Advances in technology continued to outpace New Zealand’s legal framework for well over a decade after the country gained a direct feed into the international Internet backbone; its laws, more suited to the 1960s, were stretched to the limit grappling with hacking, cracking, piracy, privacy, copyright, trademark, and e-commerce-related issues. The legal fraternity and the politicians they depended on to keep the law current were ill-equipped to understand, let alone prepare for, the digital tsunami ahead. One farsighted attempt to gear up for the inevitable on-line crime wave was the formulation of hacking provisions, as part of the proposed 1988 Crimes Act Amendment Bill, which provided for the criminalisation of computer vandalism. The Bill was shelved.

In the political mind there wasn’t sufficient evidence of a threat, and besides, this newfangled computing fad wasn’t likely to catch on outside serious business use or hobbyists. The cliched images of pimply teenage coders cracking into systems, or gamers determined to get to the next level, up for days on end in a zombie-like state, pizza boxes and Coke cans littering the room, seemed too surreal to take seriously. This wasn’t anything lawmakers or politicians need concern themselves with.

It takes all types to make a community and the Internet was no different, with its eccentrics, graffiti artists, scammers, spammers, digital downloaders, cyber pirates, and pornographers. Police precincts and jurisdictions became irrelevant when criminals engaged in cross-border activities. The old guard had been taken off guard; bobbies on the beat were not quick enough to apprehend cyber criminals. New tools, disciplines, and expertise were needed, and even then, unless the legal definitions were rapidly amended to cover cyber crime, the charges were unlikely to stick.

Within a decade though there was serious evidence that what had been unleashed was indeed a serious and pervasive threat, and at the same time a challenge that would transform government and industry and the way people communicated for the foreseeable future. You could legislate for three-dimensional objects made of atoms, but zeroes and ones zipping along our telephone lines were far too elusive. Certainly the archaic definitions in our laws that could barely cope with the era of photocopiers and fax machines needed a serious overhaul.

LAWS LAG COMPUTER CRIME

The fear was that without local and international legislation covering computer crime, a new breed of criminals could set up a base in New Zealand using the Internet to literally operate outside the law. Hacking, fraud, industrial espionage, the release of viruses, or cyber terrorism could bring down a business or a nation. In the United States more than US$10 billion worth of data was being stolen by thieves operating through computers every year. In 1995 alone banks and corporations lost US$800 million to hackers. New Zealand law was described as ‘grossly inadequate’ to cope with computer crime while international law was non-existent.

Shocking stories of what was happening around the world soon rallied the troops in New Zealand to try to plug the gaps in our digital defences. Paedophiles and pornographers using the Internet were the first group to be officially targeted by government agencies from 1996. The police, already stretched on terra firma, were perplexed in their efforts to patrol cyberspace and had to call in help from overseas experts.

Internal Affairs sought co-operation from ISPs in a sweep during 1997, which resulted in a heap of trashy sites and newsgroups being shut down. Between July 1996 and the end of 1997 the department had made 27 prosecutions relating directly to child pornography on the Internet. Internal Affairs national manager of censorship Steve O’Brien believed his department had been instrumental in helping clean up the Internet locally through monitoring Internet relay chat sites, such as ‘pre-teen sex pics’ and working closely with Interpol and the Australian Government. Specialised software had helped automate the process.

Other government agencies were keen to catch tax cheats and rip-off artists. For example it was logical some of the estimated $10 billion, cash-under-the-table black market the IRD was concerned about was being transacted over the Internet. It commissioned a report in 1997 on the implications of e-commerce on its tax-gathering abilities. The trouble was large portions of the report became redundant when reports from the OECD, the United States, and Australia were released. The IRD began rewriting those recommendations for New Zealand. In the meantime – unless the Internet was declared a tax-free zone – responsibility fell to vendors to figure out where their customers were and to pay the appropriate tax.

In October 1997 New Zealand participated in a 30-nation international crack down, looking for get-rich-quick schemes. Over two days working the search engines 1000 web sites were found ‘that might be illegal.’ None were local. A standard letter was sent out and a follow-up showed 174 had ‘disappeared or changed.’ Ministry of Consumer Affairs general manager Keith Manch said the sting was really a test run. Now the 30 nations were confident they could quickly mount similar campaigns to look after each other’s interests.3

People like David Overend, who posted underskirt images from his shoe camera on the Internet, and the exploits of pornographers and paedophiles, had given the Internet a bad name. Many saw it as a den of iniquity, a place where the dark side of life was displayed for all to see. There was no way their kids were going on-line. The law, despite the difficulty with definitions, sent a warning to such characters. Overend had after all committed a crime by ‘distributing objectionable material.’ He was subsequently sentenced to 21 months in prison and banned from access to computers or cameras. In 1998 Dustin Arthur Barrett of Christchurch was sentenced to a year in prison on similar charges.

Between 1997 and mid-2000, Department of Internal Affairs inspectors successfully prosecuted 49 cases involving the distribution and possession of objectionable material via the Internet. Manager of the Internal Affairs Censorship Compliance Unit, Steve O’Brien, said the unit was catching a New Zealand offender every three to five days. There were 40 cases pending. “Our unit is unusual in that it proactively pursues offenders rather than acting on tip-offs or on information gained during other inquiries. We work closely with overseas enforcement agencies and have already provided over 100 suspects for their further investigation.” Most prosecuted offenders received large fines and suffered forfeiture of their computers and periodic detention. “The scary thing is that despite the publicity surrounding cases offenders are still willing to risk prosecution by trading this type of material,” said O’Brien.4

Early in 1998 the NZ Police imported a UK expert to help establish a unit to get a handle on computer crime. John Thackray, a renowned computer forensics specialist, was on secondment from the South Yorkshire Police. Thackray, who headed the New Zealand Electronic Crime Unit, returned home in June 1988 to receive the Churchill Fellowship Medallion from British Prime Minister John Major for his efforts in computer crime research. His worldwide research in 1996, including time with the Federal Bureau of Investigation (FBI) and secret service working on electronic evidence gathering, brought together conventional and electronic forensic techniques that were now being used around the world. It resulted in a global family of computer crime investigators able to track cross-border fraud, working together to similar standards, so evidence gathered in one country was acceptable in the other.

Thackray’s New Zealand electronic crime-fighting unit hugely improved the country’s ability to investigate electronic evidence, put cases before court, and relieve the stress on those who had been found innocent. Previously much of his caseload would have ended up in the too-difficult pile, as every electronic breach needed to relate back to the Computer Crimes Act 1989, which had been sitting in parliament waiting for an update for several years. Laws such as ‘theft as a servant’ or ‘use of a document’ had to apply. An electronic document, according to New Zealand law, was not a document. While the United Kingdom, United States, and Australia had generic laws that related to the misuse of computers, hacking was not against the law here.

Thackray discovered a group of technical university students in a suburban New Zealand town had staged a competition to see how many Unix servers they could shut down. They crashed more than a dozen businesses. Because nothing was stolen, little could be done under the Crimes Act. There wasn’t even an easy way to prosecute those who made ‘denial of service attacks’ by bombarding and blocking a mail server at an ISP or business. “What do you charge them with?” asked Thackray. The police still had to prove intent and use traditional methods regardless of whether it applied to computers, CDs, floppy disks, removable drives, or servers. The Telecommunications Act had, however, allowed Telecom to get successful prosecutions, including one case where a hacker had obtained $80,000 in fraud.

ELECTRONIC CREDIT NOT REAL

In October 1998 the inadequacies of our laws were further exposed when charges were dropped against a North Shore businessman, who had been convicted of ten charges of obtaining credit by false pretences. A legal loophole saw the Court of Appeal overturn some of Wayne Wilkinson’s convictions, handed down by the Auckland District Court, because credit obtained by electronic transfer did not amount to property that could be stolen. The court’s decision included the statement that new laws to cover now common methods of financial transactions ‘may well be desirable.’6

Less than a month later another example of how the law wasn’t up to the crime was illustrated when an Auckland teenager, hacking into the offshore Web hosting server of Ihug, effectively destroyed more than 4500 web sites. Because local law didn’t recognise his crime, Ihug was looking for some legal precedent to have the youth sent to the United States to face charges. Ihug director Tim Wood said the Web server was based in San Francisco and New Zealand law was inadequate for dealing with cyber vandalism. It was described as the worst case of computer vandalism to hit the country.

A Mt Albert youth admitted the hacking and appeared on the Holmes Show with his face disguised and using the name Spazrat, claiming he was 15 years old. The NZ Herald, however, claimed it had evidence the boy was in fact 19 and had used the name Sharkdog. The youth claimed he had been targeting the ISP, not the people who lost their Web pages. His defence was that Ihug had cut off a number of his friends’ accounts ‘for no apparent reason’ and he was just showing them they were hackable and ‘should follow the rules and be nice.’

Ihug said the boy had been bragging about his exploits on chat groups, claiming he was too young to be charged. A Law Commission researcher said if he had done nothing illegal under New Zealand criminal law, it would be difficult to argue in an extradition hearing that he should be exported to the United States for punishment. The hacker had accessed the system via ‘a security hole in a CGI script’ – a small program on a Web page – and then damaged the disk drive and emergency back up on the computer server. “When basic services were restored we found we had lost a large proportion of customers’ directories; 4586 were unrecoverable,” said Ihug. About 500 commercial sites were affected.

The identity of the cyber vandal was later exposed on a web site. He was Morehu ‘Maxx’ Whyte, who called himself Sharkdogg. His actions added to growing calls for the government to increase security and tighten the law as it related to hacking and electronic vandalism. The news of the attack on Ihug’s site also forced disclosure of further acts against ISPs. Telecom for example was beefing up its safeguards against hackers who had compromised the security of its accounts. It learned a hacker had acquired passwords to hundreds of its customers using ‘sniffer’ software, which meant offenders could log on to a legitimate account and use their bandwidth, which at the time was an expensive commodity at around $3 an hour.

In a comment piece in the same issue of the NZ Herald, journalist Chris Barton warned that New Zealand’s laws were in dire need of an update to cope with electronic crime and vandalism. At best it seemed the hacker could only be charged with wilful damage to property under the Summary Offences Act, or for the offence of ‘disturbing’ use of a telephone under the Telecommunications Act, both of which had maximum penalties of $2000 fines or three months in prison. The latter was unlikely to proceed because there was no recipient of the phone call. A proposed change to the Crimes Act, which would have given provision for computer-related offences such as hacking, was still at the first reading stage and hadn’t been considered a high priority by successive governments.7

There remained considerable confusion over whether current laws were strong enough to achieve prosecutions for hacking, or as the Internet Society correctly defined it, ‘cracking.’ Minister of Justice Doug Graham considered section 298 (4) of the Crimes Act, which covered damage to ‘property not otherwise covered in the Crimes Act,’ should be used to prosecute ‘crackers.’ However according to ISOCNZ it had become clear over the previous decade that the Act was woefully short on sanctions against such activities. The society was consulting with the wider Internet community to establish the specifics needed for any new legislation. One suggestion was for the government to resurrect the ‘hacking’ provisions of the 1988 Crimes Act Amendment Bill. “Unfortunately the bill was shelved at the time and New Zealand was still without sanctions to protect the public against this type of activity,” said ISOC chairman, Jim Higgins.

He warned New Zealanders not to take a kneejerk reaction to the recent spate of cracking and vandalism and attacks on ISPs, which needed to be put into perspective. “While vandalism of computers is a serious problem, there is no reason for people to assume that there is a widespread problem with the Internet in New Zealand. It is possible for Internet site operators to provide a high level of security and to protect themselves by taking sensible backup.” And while it was true that no organisation could guarantee 100 percent invincible computer security, it was possible to make life difficult enough for crackers that the risk was greatly reduced.

“We must remember that no bank is immune from being robbed, but this doesn’t mean we should worry about using banks. In terms of electronic commerce we have never heard a report of credit card details being stolen from a secure Internet server – even if this should happen it is the credit card company, not the customer, who carries the risk and burden of proof of purchase. Any new laws must be robust enough to keep pace with the increasingly innovative technology we have, and a bad law can be worse than no law at all,” said Higgins.8

AMENDING CRIMES ACT

In April 1999 Higgins was more strident in welcoming the so-called e-crime bill, saying ISOCNZ had been asking for a law to protect Internet providers and everyday users. “The existing laws are quite inadequate to deal with the increasing number and complexity of computer crimes. The alleged creator of the Melissa virus had been charged in the US with offences which would probably carry a jail term of up to 40 years. In New Zealand he would probably get off scot-free because of our antiquated laws.” Despite his identity being known, no charges had been laid against the person responsible for deleting 4586 Web pages hosted by Ihug. Meanwhile the long-awaited Crimes Amendment Bill (No 6) introduced to parliament on 7 August would have to wait until after the 1999 elections when Labour took power.

Justice Minister Tony Ryall said the bill would redefine ‘property’ to clearly include the balance of a bank account and extend the definition of ‘document’ to include electronic files. “Our Court of Appeal demonstrated last October that New Zealand suffers because our law knows nothing about the theft of electronic credits,” said Law Commission President Justice David Baragwanath. A man who fraudulently obtained cash through direct transfer was let off the hook. While the Bill now in progress plugged that hole, there were still no real sanctions available to deter those who ‘abuse our systems.’ However the idea of New Zealand or any other nation becoming a territory where computer crime could go unpunished was abhorrent to the New Zealand Law Commission. Its members believed harmonising the laws of each nation to allow criminals to be charged under either local or international law would give new credibility to the evolving world of e-commerce.

New Zealand was working fast to ensure its laws met the challenges of the digital world, but the United Kingdom, Canada, Australia, and Singapore had already enacted legislation. Borders had become increasingly irrelevant and the main attention had been on civil law, which failed to deal with the fact “rogues, vagabonds, shysters and criminals were now using the latest technology,” said Justice Baragwanath. He was keen to see new mercantile and criminal law, spanning a borderless world to allow unhindered e-commerce, and opening the way for proper reciprocal extradition treaties. He wanted to see computer hacking as a crime transcending state systems. He quoted from an essay in the Criminal Law Review, which suggested the power of the International Criminal Court should ensure civil governments abide by international law, and the exercise of the whole range of economic, political, and military sanctions remain open to end ‘the culture of impunity.’ “Anyone who tries to create an Alsatia state would find themselves in breach of international law with the sanctions of the rest of the world ganged up against them, bringing a sense of security to our domestic society for international electronic commerce.”9

Meanwhile Telecom’s fraud management programme had alerted 10,000 customers to suspicious calling patterns since its establishment in June 1997. Programme manager Colin Yates said the Hewlett-Packard fraud detection system identified anomalies in the calling patterns of 300 businesses, which had since confirmed this, preventing them from suffering loss. The system, he said, had reduced annual fraud among its customers from $50,000–$80,000 to $700–$1000 a year. Telecom recorded $27 million in bad debt for the year ending 31 March 1999; around 60 percent of that came from telephone fraud. It was not unusual, he said, for some customers to receive bills with an extra $50,000–$80,000 for calls they had not made. In most cases these would be routed through an insecure PABX. While most of the high-cost fraud originated offshore, he said local fraudsters often opened phone accounts under false names. The Internet meant New Zealanders were now as vulnerable to telephone fraud as any country. Fraudsters here knew about new techniques from the United States in minutes.10

In July 1999 a computer ‘phreaker’ who made more than 21,000 phone calls received a 12-month suspended prison sentence and six months’ periodic detention, when he appeared in the Auckland District Court. Borislav Misic became the first phreaker or telephone network hacker to be convicted in this country. The 23-year-old had arrived in Auckland from Yugoslavia in April 1998, seeking refugee status. By late May he had made 21,192 calls to Spain and Tonga from five telephone lines in his central city apartment. After his lines were bugged, Telecom staff concluded he was using a ‘blue box’ computer program to send signals down the phone lines which prevented the calls from being billed.11

Computer crime had escalated from the domain of geeks proving how clever they were to their peer group, to an all-out crime spree, and billions of dollars were being lost through virus invasion, industrial espionage, and hack attacks. At the core of the knowledge economy was intellectual property: important files and documents about businesses and their clients, confidential data, trade secrets, and transaction histories, often saved to computer disks, tapes, or storage silos. With the increasing sophistication of computer-based crime, companies had to rethink everything, and start with the assumption that their IT systems and information assets were vulnerable. Every step possible needed to be taken to establish ironclad security that could regularly be strengthened or updated, to cope with the latest threats.

According to the Internet Security Survey sponsored by eSolutions, Telecom, and Xtra, poor security put the reputation of New Zealand businesses seriously at risk. The survey found 58 percent of businesses considered the information held on their computer systems was extremely sensitive and confidential but 82 percent did not have intrusion detection tools in place. In other words they wouldn’t know whether they had been hacked into or not, resulting in the low number (8 percent) of known intrusions.

The Internet had become a riskier place for businesses since the terrorist attacks of September 11, and things weren’t likely to improve any time soon, according to Internet Security Systems (ISS) in its security incident report for the first quarter of 2002. It warned overall Internet security had been hampered by a steady tide of DoS attacks, as well as the rise of hybrid attacks, including the propagation of worms such as Code Red and Nimda, which spread through the Web and email via file sharing and instant messaging. “Attacks are now global in scope and round-the-clock in incidence. There’s no such thing as a low-level threat on the Internet. If you’re going to connect to it, you better have a suit of armor,” warned Dennis Treece, director of the X-Force Special Operations Group at ISS in Atlanta. The company compiled its data from more than 350 high-volume intrusion-detection sensors it managed around the world, saying the vast majority of attacks – nearly 70 percent – were being launched on server port 80, the same port that Web traffic flowed on.

Port scanning was a common activity before an attack was launched, and a way of discovering details and vulnerabilities about networks. Experts predicted there would be many more such worms and nasties released to attack corporate computer systems. The threat would grow for emerging areas of computing such as broadband, wireless, and instant messaging. Firewalls alone could not prevent this kind of unauthorised access; additional intrusion and defence technology was needed. Hackers and crackers were constantly on the look-out for security vulnerabilities in new or existing software, where the developer hadn’t yet come up with a patch, or where the company had failed to download a fix to eliminate vulnerabilities.

INFRASTRUCTURE UNIT FORMED

The owners of storage and processing systems were being warned to take very specific steps to protect their assets and monitor their networks. Clear company policies were needed to state how information should be stored and protected, and who should have access to it. Without such policies, along with the now essential firewalls, antivirus scanners, and intrusion detectors, businesses might not even know their systems had been attacked and corporate secrets compromised.12

An important step in protecting the rapidly emerging electronic environment was put in place in August 2001, with the creation of a specialised government unit that would watch over the security of essential public and private sector infrastructure. Various governments had previously dismissed attempts to create an independent early warning system along the lines of the US-based Computer Emergency Response Team. Now Cabinet had approved the Centre for Critical Infrastructure Protection to be housed in the Government Communications Security Bureau (GCSB). It would essentially watch over infrastructure considered essential to maintaining the political, social, or economic life of the country, including energy and telecommunications systems, transport, finance, and law and order. While owners of infrastructure would remain responsible for the security of their own systems, the centre would provide co-ordination, support, and advice on the ways in which the country could maintain and improve its security. The centre would provide 24-hour ‘watch and warn’ advice about threats from viruses to hacking attempts.13

Cabinet papers obtained by the Weekend Herald, backgrounding the special unit, indicated one of the country’s most critical infrastructure companies had been under attack for months from cyber-terrorists. The briefing papers said the risks were increasing dramatically. The State Services Commission admitted a large telecommunications company had been under sustained attack for several months but no one would confirm who that was. The general view was that it was Telecom, which had shut down its Netgate international Internet link in January 2001 after intrusion problems.14

Amendments to the Crimes Bill were still being debated in September 2001 amidst claims that New Zealand had become a staging post for cyber criminals, including credit card thieves who stored their data locally, believing it would not be traced. There were also allegations of a high incidence of electronic fraud. The lack of specific laws making hacking and computer crime illegal didn’t help dispel the growing perception of New Zealand as a digital backwater. Some still wondered whether the proposed law changes went far enough while others were concerned they went too far. The Crimes Act drawn up in 1987 allowed police to tap voice messages only; the new one opened the way for scrutiny of email and other electronic messaging. It would make hacking and computer snooping illegal, except when carried out by police, the Security Intelligence Service (SIS) or the GCSB. Police would still, however, need to seek a warrant to gain access to a telecommunications network. Carriers would have to ensure their networks were compatible with official snooping requirements, and allow specialised hardware and software to be used.

The bill was attempting to strike a balance between individual privacy and the interests of state. InternetNZ and others believed the terminology was too broad. For example ISPs often had to deny service to customers if they themselves were facing a DoS attack. Would that make them liable under the proposed changes? The software, specialist tools, virus code, or data that could be used to commit a crime might also be used by those trying to prevent such a crime, or as a matter of course by a network manager, or IT specialist to administer or test security in a network. Would they be breaking the law by doing their job?

Concerns had also been raised that the law abiding or the simply curious might get caught in the e-crime net. Would you be breaking the law when researching cyber terrorism or if documents about hacking were found on your hard drive? Or if you had certain web sites bookmarked, making available or discussing programs that could be used for hacking? IT Minister Paul Swain reacted swiftly to detractors with a ‘let’s not be silly’ stance, saying the keywords were ‘intentionally and recklessly.’ Legal interpretation might, however, be required before deciding who was a criminal. He insisted the new law would not criminalise the legitimate use of IT security software. A salesperson marketing a package as being useful for committing crime could be committing an offence. However the law did not intend to trap those who innocently or accidentally sent out an infected email which replicated itself through email address books. “Criminal recklessness requires that someone deliberately and unreasonably takes a risk knowing the possible outcome.”

Certainly, the new law would make it much easier for the police to become involved. Maarten Kleintjes, head of the Police Electronic Crimes Unit, told the NZ Herald the bill would give police a much better handle on the new channels criminals used. “Currently it’s a bit like police only being allowed to breath-test people driving white cars, while people in coloured cars get away.”15

Meanwhile the long-delayed Electronic Transactions Bill was due to pass into law in October 2002, giving electronic transactions broadly the same status in law as transactions concluded on paper. While the Labour Party had been accused by the IT industry in particular of failing to give the Bill the priority it needed, it had the potential to open the way for growth in e-business, remove legislative barriers to on-line trade and reduce compliance and transaction costs. IT bodies such as ITANZ and InternetNZ insisted this and the Crimes Amendment No 6 Bill, which criminalised ‘hacking,’ were important for the progress of e-business.

The Crimes Amendment Bill at the time was still sitting at the number 37 position on the parliamentary order paper.16 While IT Minister Paul Swain applauded the passing of the Bill on 10 October, there was still some way to go. The Electronic Transactions Act 2002 was delayed by the need to pass regulations to clarify grey areas on how the act should affect other legislation. A discussion paper was released on 11 April 2003 and submissions on the proposed regulations closed on 1 May 2003. The Act finally came into force on 21 November 2003.17

Then the Crimes Amendment Bill passed into law on 4 July 2003, introducing the most significant changes to property related crimes since the Crimes Act was first enacted in 1961, according to Police National Crime Manager Detective Superintendent Rob Pope. “The changes are intended to bring property-related offences into the modern era in recognition of the use of advanced computer technology for criminal purposes.” Important changes were also made to police interception powers, expanding the coverage and nature of warrants in the fight to combat organised crime.

Theft-related crimes were now extended to cover intangible property, a series of new computer-related crimes were created to cover such events as hacking, the term ‘breaking and entering’ was replaced with ‘entering without authority’ for burglary, and fraud offences became ‘obtaining by deception.’ It was now illegal for unauthorised people to intercept emails and faxes not intended for them.

“Increasingly police are receiving complaints involving the use of computers to commit property related crimes, many of which are not addressed by the current law. These amendments will better equip police to respond more effectively to property related complaints,” said Pope. The new law came into effect on 1 October 2003.18

Specific offences included:

Penalties ranged from two years at the lower end, to ten years for cases where someone intentionally or recklessly destroyed, damaged, or altered a computer system, knowing that danger to life was likely to result.

SECURITY BECOMES PRIORITY

A more holistic and manageable approach to network security was being demanded by businesses as they faced a plague of viruses, spam, and increasingly sophisticated attacks from hackers and crackers in 2004. The pressure was on for companies to review vulnerable code and security policies, and for vendors to move to intelligent, multi-layered security systems that tightly integrated with network management. “People are moving beyond simple firewall and antivirus applications to a solutions approach where hardware, software and management of security is viewed as a whole, often embracing areas outside IT, including surveillance,” said IDC New Zealand security research specialist Jane McPherson.

An annual survey of chief information officers in Australia and New Zealand saw IT security move from 17th position to number four. McPherson said many companies seemed to have a lax attitude towards policies and procedures, and little understanding about new government initiatives to protect consumer data, electronic transactions, and privacy law changes, for example, in the Crimes Amendment Bill. “Many companies are more liable than they realise if consumer data gets into the wrong hands. Once they become aware of the risk this will become a major driver of security spending.”

The proliferation of ‘malware’ – malicious software, ranging from unexpected code to viruses, Trojan horses, worms, and even spam – was a major contributor to increased security spending. According to TrendMicro, PC viruses cost businesses approximately US$55 billion in damages in 2003 – about double the damage of 2002, and more than four times that of 2001. The need to keep on top of not only antivirus updates but also operating system and software patches was made embarrassingly evident by the fact that, across all products, Microsoft released 51 security advisories in 2003, 30 of them affecting its Windows XP operating system.

A Gartner report in May 2004 suggested 90 percent of mobile devices lacked protection to ward off hackers and many users weren’t taking proper precautions. John Girard, research vice president at Gartner, said wireless mobility was the greatest change to occur in corporate data collection and distribution in the past decade, presenting new threats which required sound management policies to protect information assets and contain costs. Gartner recommended moving all PDAs and phones into the PC support group, installing PDA firewalls, implementing cost controls, and purchasing mobile management tools.

Peter Benson, managing director of Security-Assessment.com, believed securing badly written Web and system applications was becoming more important than securing the perimeter. “There is no such thing as a perimeter these days. It’s gone. Organisations connect to partners; they have remote dial-up and VPNs; they’ve become virtual enterprises.” He said security products were just products, not security. “If you build systems right in the first place firewalls, antivirus and intrusion detection should be the backstop not the first point of alert.” Penetration testing a couple of times a year was not enough. Continuous auditing was necessary as part of vulnerability management.

Leanne Buer, Telecom Advanced Services (TAS) security business manager, believed businesses should have a security audit, including penetration testing, before outsourcing, or moving into any major development. A first step might be securing the perimeter and consolidating all access points to the network, including wi-fi and remote access. “Every customer has a duty to understand their vulnerabilities before developing policies and figuring out what the acceptable levels of risk are.” She said security was about defence and depth. “Perimeter security is fine but you also need to secure remote technologies so the business can operate where and when it wants.”

Security was becoming a 24x7 concern. “The average IT department in New Zealand is two people – keeping up with vulnerabilities in hardware and software is difficult. That’s why you need a specialist, because that’s all they do. One of our customers, before they came onto our system, was getting any virus going and had a little hit squad of IT people going up and down the country rebuilding Web and file servers.”

ISPs were increasingly seen as business partners and needed to have high levels of security. Iconz, for example, had two permanent security officers and every quarter bought in a specialist to conduct a security audit of its Unix and Microsoft environment, right down to the IP level. Iconz CEO Sean Weekes believed it was important to have an independent audit, and for ISPs in particular to segregate the hosting and local environment. “If you stand still the environment goes backwards. You must keep proactive. Those companies that can’t afford to have someone monitor their networks should be outsourcing,” he advised.

While many vendors were integrating antivirus, firewall, and anti-spam products, the speed at which viruses proliferated left users wide open to attack. Vendors could typically release a patch file within two to four hours of a new threat being released into the wild; however, the Slammer worm was able to hit 5.5 million hosts in about 11 minutes.

“Two hours doesn’t cut it anymore. The whole approach of looking for a virus signature and then blocking it means someone has to get the virus first,” said Cisco systems engineer Arron Scott. Cisco had come up with the concept of the self-defending network which detected unacceptable behaviour. “Why would your SQL database try to probe thousands of hosts per second? Why would an application want to format its own hard drive?”25

Ken Low, senior security manager of 3Com Asia Pacific, claimed in March 2006 that an average of 33 dot.nz web sites were being hacked every month. From December 2000 to March 2006, 2123 dot.nz web sites were hacked. Of these, 1641 had a dot.co.nz address, but dot.net.nz, dot.org.nz, dot.govt.nz and others had also been hit. New Zealand had a mid- to low-level per-month hack rate compared with other OECD countries. Australia was much worse off, with nearly 200 government web sites hacked over a couple of years. In New Zealand it was closer to 15.

“Apart from the fact that Australia has a bigger population, there are also political and religious reasons behind a lot of attacks, whereas New Zealand in general was seen as a neutral country,” according to Low. Of the top ten hackers targeting New Zealand, four were most likely local. The rest were internationally known criminals. He warned the problem wasn’t going to go away any time soon and traditional intrusion solutions, including antivirus software and firewalls, were too slow. What was needed was intrusion prevention, not intrusion detection.26

DELICATE DIGITAL EVIDENCE

Nabbing those responsible for e-crime was a complex business, fraught with technical and administrative issues. There was the risk of contaminating digital evidence through improper checking by police, which could cause problems with prosecutions. Auckland-based Crown prosecutor Marc Corlett, speaking at the NetSafe Cyber Security Symposium in July 2006, said evidence had to be carefully presented to 12 jurors who were variously ignorant of computers.

“All they hear is a policeman has come in and changed data; all the defence has to prove is reasonable doubt and if the jury is sufficiently confused by the information, there is reasonable doubt.” He said prosecutors needed to find ways to translate digital evidence into a presentation that juries would find interesting. The traditional oral testimony approach was unlikely to succeed where juries had limited understanding of technology.

Sheer volumes of digital evidence could also prove problematic. Corlett said he was prosecuting a case involving hacking into on-line bank accounts where there was a huge amount of material that needed to be carefully managed to avoid confusion. New Zealand had moved beyond the first, and second, generation of computer offending, where technically skilled people did it to show how clever they were, to the third generation of e-offending involving organised crime. “As prosecutors we’re increasingly seeing this more sinister involvement (of) increasingly sophisticated e-offending.”27

The harshest ever sentence for Internet fraud in New Zealand was handed down to 19-year-old Mark Hayes in May 2006, when he was sentenced to 2 years and 11 months after accessing TradeMe members’ bank accounts. Between Christmas and New Year 2004 the Auckland teenager hacked into bank accounts and email addresses, then used the email details to access those accounts and purchase items before the bank found out and began reversing payments. Seven people had their identities stolen and it was only when sellers began asking TradeMe why their payments were reversed that TradeMe began investigating. TradeMe spokesman Mike O’Donnell said fraudsters left deep footprints on the site and the company was committed to prosecuting them.28

Further evidence that Internet crime was escalating to a more serious level came from a report from Internet security firm McAfee in December 2006, which alleged gangs were adopting ‘KGB-style’ tactics to recruit accomplished computer students to help them commit on-line offences. In its annual report on cybercrime, McAfee claimed criminals were targeting universities, computer clubs and on-line forums to find suitable undergraduates. Some gangs had sponsored promising students from other disciplines to attend computer courses before planting them in businesses as ‘sleepers.’ The students would be asked to write viruses, commit identity theft, and launder money in a multi-billion dollar industry that was more lucrative than the drugs trade.

The report said the tactics were similar to those of Russian agents who sought out experts at trade conferences or universities during the Cold War. McAfee said its study was based partly on FBI and European intelligence which pinpointed Eastern Europe as a prime target for cyber crime recruits because of high unemployment and low wages. Hackers were paid to write viruses that could infect millions of machines, to obtain confidential information such as credit card information or send unwanted spam emails.29

The spectre of cracking was raised again in 2007 when the notorious Turkish hacker Iskorpitx got into a US-based server and defaced the web sites of about 600 New Zealand companies. The affected web site owners were former customers of Internet company Quik.co.nz, which Ihug had acquired in 2006. It took over a week for one of the victims, Auckland-based Just Hardwood Floors, to restore its site. It cost thousands of dollars to fix all the sites. Its operations manager Jonathon Cooke was concerned by claims each company needed to back up its own site. He was using an on-line program to upload text and pictures into a template designed and hosted by Quik, the former New Zealand franchise of US-based ISP Quik.com. However it didn’t allow the customer to make a back-up at their end.

The company lost Web development work hosted at the site which Quik had also failed to back up. Gillian Richardson from Automotive Security Systems said she’d lost 80 percent of her business through the company web site being offline. She relied on an Ihug competitor to help her get back on-line and changed ISPs after Ihug admitted there was nothing it could do and that it was working with the Web development side of Quik in the United States, which it did not own. Ihug offered a month of free Web hosting and promised to move all former Quik customers to its own secure servers where regular back-ups were done.

OUTDATED AND INSECURE

Rival Web hosting company PrimeHost warned many ISPs were running insecure and outdated systems. Operations director Dale McIsaac said many companies were still using vastly outdated systems to host commercial customer web sites. “Many successful hacking attempts are due to Internet providers running outdated software on their servers, and customer-installed applications such as bulletin boards, forum software and mailing lists are commonly exploited by Internet hackers.”30

Nearly three months later another Turkish hacker, this time going by the name ‘crackers_child,’ struck around 20 sites hosted by Digital Network, attacking programs, files, and folders that had insecure permissions. The hacker overwrote existing content on the sites, leaving an obscene message taunting the owners about security. A URL leading to a Turkish language security forum was also posted by the hacker. According to security web site Zone-H, crackers_child was responsible for more than 20,000 attacks in April alone.

Digital Network manager Warren Sanders said the sites were restored from back-ups and the clients affected would be contacted. He claimed the hack “was a minor incident” and Digital Network had taken advice from security specialists in the United States on updating servers and improving security. There was a fine line around how far a Web hosting company could control users and offer standard Web hosting at the same time. In August 2006 another Turkish hacker hit Wellington Web hosting company iServe, causing widespread damage. ACT MP Rodney Hide was among those whose web site was defaced.31

In mid-July 2007 a split verdict was delivered in the long-running trial of computer hacker Andrew Garrett, who was found guilty on four charges of reproducing a document with intent to defraud and one count of threatening to damage property. The fraud charges related to Garrett’s obtaining Internet access passwords from computers remotely, using the Back Orifice Trojan virus. The final charge on which he was found guilty was threatening to damage property. This related to a message Garrett sent to an Xtra account holder telling the user to change their ISP or have information on their hard drive deleted.32

A report from security company Sophos in July 2007 said the number of infected Web pages had soared nearly six-fold since the beginning of the year, evidence of how widespread Web attacks had become. In June, it detected an average of almost 30,000 newly infected pages a day, a huge increase on the 5000 daily average recorded earlier in the year. About 80 percent of all Web-based malware was hosted on legitimate, innocent, but compromised sites. The June attacks, for example, were launched from more than 10,000 legitimate web sites mostly hosted in Italy.33

Armed with an exploit tool kit, attackers launched massive attacks in Europe from the compromised sites, with infections spreading worldwide. Analysts reported the large-scale attack was based on the multi-exploit hacker kit dubbed ‘Mpack,’ which redirected visitors to a server hosting the professional, Russian-made collection of exploits which then worked against that country’s domains. Infected computers were fed a diet of malicious code, largely keyloggers that obtain user names and passwords for valuable accounts such as on-line banking sites.34

In its second ‘Internet Threat Report for 2007’ antivirus vendor Symantec agreed cyber crime had gone professional. Criminals were making complex, highly targeted attacks and selling easy-to-use on-line hacking tools to recruit a new generation of fraudsters.

Symantec found 95 percent of such attacks were on home users and that phishing attacks had increased 54 percent in the first half of 2007, when the company blocked more than 2.3 billion such messages – up 54 percent. A multi-billion economy was being fuelled through these attacks in conjunction with stolen credit cards sold on the Internet for a couple of dollars each.

Symantec consumer spokesperson Trudie Wood said the whole notion of privacy and security was changing. “We’re living in an era of more collaboration and on-line interactions, with social networking, wikis, podcasts, blogs, and RSS syndication feeds opening users up to a variety of potential security risks. It is no longer about protecting computers and other devices but protecting the interactions of Internet users. Today’s bad guys don’t need to pick your locks or break your windows; they attack you and your family over the Internet.”

MALWARE HERE TO STAY

Attackers were increasingly turning to end-user systems as a way around the antivirus and firewall systems that were blocking access to traditional attack routes. Software developed and deployed by Wellington’s Victoria University that helped track Web-based security attacks as part of the international Honeynet Project revealed that even seemingly safe Web addresses were rife with attack code aimed at vulnerable clients.

According to the researchers in the United States, Germany, and New Zealand, “The ‘black hats’ are turning to easier, unprotected attack paths to place their malware onto the end-user’s machine.” The authors of the ‘Know your enemy: Malicious Web Servers’ study released in August 2007 used a ‘high-interaction’ client honeypot, called Capture-HPC, developed by Victoria University, to analyse more than 300,000 addresses from around 150,000 hosts. It looked at various site categories, including adult, music, news, ‘warez’45, spam, and addresses designed to grab traffic from users who mistype common Web addresses. While some categories were more likely to contain malicious addresses than others, all contained malicious addresses, the report said. “As in real life, some ‘neighbourhoods’ are more risky than others, but even users that stay clear of these areas can be victimised,” it said.

Users could be led to malicious sites via links, typing in an address manually, mistyping an address, or following search results. The results only served to confirm what security researchers had been saying all along. Regularly updated blacklists and regular patching helped; however there was a prevalence of attacks against plug-ins and non-browser applications. “Attacks also target applications that one might not think about patching, such as Winzip,” the study said.46

In the first week of December the Weekend Herald broke the story of a $26 million computer fraud perpetrated on over a million computers by an 18-year-old from Whitianga. Owen Wilson, described as a ‘brilliant’ loner who got himself into a computer scam for a bit of fun, was tracked down by the FBI, the US Secret Service, Dutch authorities, and police in New Zealand and had his equipment seized. It was alleged he had control over a vast ‘botnet’ network of computers that cyber-criminals paid to use. Wilson, who had used the name AKill and the alias Snow White, was tracked down after an 18-month investigation and was believed to be part of ‘an elite international botnet coding group.’ The FBI said his activities went beyond malicious and that he was also behind an attack in February 2006 that brought the computer network at the University of Pennsylvania to a halt, denying access to 4000 students and staff and infecting 50,000 computers with a virus that was undetectable to anti-viral programs. He was also allegedly head of a team involved in an illegal adware scheme, which infected 1.3 million computers, that Dutch authorities were investigating.

World-respected Kiwi security expert Peter Gutmann saw no end to the proliferation of hacking and malware, and plenty of work ahead for anyone wanting to get involved in the security industry. While systems had become a lot more secure since the 1990s, the attacks had also become smarter. “They are now being run as a commercial software business; for example by Eastern European organised crime rings who put a huge amount of money into their efforts. The bad guys are now hiring extremely skilled programmers, and because there are now good spam filters in place, they’re paying people with PhDs in linguistics to work around them, which is outrageous. These are serious opponents with better experts than the good guys.” The industry was no longer dealing with teenagers sitting in a basement cracking code and out for a joyride, but “seriously huge organisations” that produced well-written, bug-free code which is tested across multiple machines and platforms, said Gutmann.

In the mid-1980s, at the age of 14, Peter Gutmann designed and built his own computers. He first got involved in the bulletin board community through a school friend who ran one from his Auckland basement. He would chat on-line, exchange information, and hang out with ‘a random cross-section of people who you would never otherwise have got to meet.’ At Auckland University he focused on computer science, obtaining a master’s degree with a thesis on data compression. On realising he could only ever hope to achieve ‘half a percentage of improvement’ he shifted his studies to the equally arcane field of security, studying for a PhD for his work on the design and analysis of security techniques and systems. His early achievements included the creation of full-strength encryption systems. He said a good dose of paranoia was important in figuring out all the possible attacks and the security problems.

There were enough people breaking into systems, so Gutmann took on the role of defender. “I was always interested in looking at all the ways someone might attack a system. I like thinking up weird attacks and setting up counter measures.” In those early days, he said, there was a relatively small hacker community in New Zealand, compared to what was happening in the United States or Europe. “The people I knew were mostly doing it for a joyride – ‘Look at me. I’m really cool’ and that was it. Mostly they found girlfriends, got married, had kids and settled down. That’s the best cure for teenage hackers; they get a life and stop doing it.”

Over the years he claimed to have broken the password, file encryption, and security systems of a number of Microsoft, Netscape, and Norton products soon after release. He took credit for breaking the code for the Yellow Bus Company smart cards by creating a $50 test card that was accepted by the bus readers, before he informed the company of the security problem. With the growth in e-commerce and increasing transfer of sensitive information, his skills were increasingly sought after.

Gutmann was regularly called on to address international security gatherings. He moderated several Internet security and encryption newsgroups and contributed to the development of world security standards, including international public key encryption. He developed the open source Cryptlib security tool kit and security library, which attracted a lot of public attention. He was prevented from legally selling it because of its military-grade nature, so he gave it away. Users included a number of hospitals, medical laboratories, and doctors throughout New Zealand. He also contributed to PGP (Pretty Good Privacy) version 2, and devised the ‘Gutmann method’ of secure erasure of data from magnetic media.

In the early 1990s, after a period of employment with Orion Systems health software firm, he became more deeply involved in security work through his own company Digital Data Security. His controversial white paper ‘Cost Analysis of Windows Vista Content Protection’ described the content protection specification in Microsoft’s new operating system as “the longest suicide note in history.”

In the end, he said, there was little anyone could do to keep safe on-line other than ensuring security and antivirus software is up to date. As far as legislation goes, it is like asking what the government can do to stop people getting sick. “There are so many facets; you deal with one and another hundred appear. There is no silver bullet.” Besides, most of the attacks and the malware came from overseas, and even tracking down the source is almost impossible. “Most of it is done through hijacking PCs from a third party. They might be using your granny’s computer which is infected with a hundred types of spyware.”

His only suggestion was for legislation to prevent software being sold here with insecure configurations that make a PC open to attack or infection by a third party over the Internet. However most software came from the United States, so anything the government did here was not going to have much effect, Gutmann said.47

New Zealand Police were adding new tools to their artillery to clean up on-line crime. There had been a rapid evolution of electronic crime both in New Zealand and overseas, and while there are close links with Australia and other jurisdictions, since 2002 the police were ramping up their own e-crime strategy. “Crime is being increasingly committed in what is effectively the cyberspace Wild West, a borderless environment where traditional policing methods are often no longer effective. This is the high end of new electronic crime: anonymous, borderless, fast, dynamic and incorporating ever-changing and sophisticated technologies,” said Police Commissioner Howard Broad.

The new Police Electronic Crime Laboratory in central Wellington now employed 14 staff using state-of-the-art equipment to crack down on criminals using the Internet. Over five years the e-crime lab would align with a National Cyber Crime Centre (NC3) for a single reporting point for e-crime targeting and electronically patrolling places where crime occurs, with a strong focus on organised crime, violence, and child exploitation.

Commissioner Broad cited the police partnership with NetSafe, the charitable organisation aimed at keeping children safe on the Internet, as the way of the future in developing a combined-agency approach to e-crime. “We cannot effectively address these sorts of issues alone. The problem is too big, too complex and we don’t have the technical resources necessary to respond to what is rapidly becoming a significant problem without joining up with other agencies.”

As part of the strategy, Project Eve (Environment for Virtualised Evidence) was set up to make it easier to process electronic evidence; for example, converting computer hard drives into virtual images, allowing detectives to access evidence at their desktops rather than waiting for forensic investigators. Expected to cost several million dollars, it aimed to bring an end to investigations and court cases which could sometimes last as long as a year. “The amount of work has increased and completely overwhelmed us and we have been in the position where we have not been able to deliver the evidence in a timely manner and that is why we are making those changes now,” said national e-crime laboratory manager Maarten Kleintjes.48

Software piracy, hacking, and cracking continued to escalate, and the Internet made traditional crimes such as drug trafficking, paedophilia, and fraud much easier. The law could only do so much. With cyber criminals becoming smarter, and new kinds of net nasties proliferating, the responsibility increasingly sat with the on-line community to ensure their systems and personal information were protected while remaining alert to any signs of unusual activity that might suggest criminal activity was in progress. Co-operation was clearly the key with schools and parents, members of social networking communities warning each other about potential threats, and governments working together to eliminate spammers, terrorists, and child molesters.

TAKING OUT THE GARBAGE

Spam is annoying not only because much of it is offensive but because of the time wasted sorting through the junk in search of the genuine.

ISPs who didn’t have anti-spam filters on their systems risked losing business as customers seethed with frustration at the daily dose of junk email. While ISPs and PC users were stacking on the anti-spam technology in an effort to clean up their daily intake, New Zealand remained one of the last OECD countries to enact an anti-spam law.

San Francisco–based anti-spam company Brightmail claimed spam penetration was 8 percent in 2001, but by September 2003 this had rocketed to 54 percent of all email. By 2007 it was estimated more than 80 percent of all email was junk. Individual spammers could broadcast hundreds of millions of email messages daily and all it took was a few responses to make them profitable.

Dominant spam in 2003 ranged from penis enlargement pills to get-rich schemes for the gullible, including appeals from allegedly dispossessed but wealthy people in South Africa or Nigeria wanting bank account details in order to relocate millions of dollars. Then there were the legitimate but annoying pitches for everything from herbal remedies to spy cameras, remote-controlled cars and, ironically, spam removal products.

There was also a stream of advertisements trying to entice the weak willed into the Web’s red light districts. In fact porn had become a modern-day plague on the Internet, growing 1800 percent over five years. According to N2H2, pornography-related pages grew from 14 million in 1998 to roughly 260 million in 2003. This came hot on the heels of news that Microsoft was closing down its chat rooms in 28 countries in an attempt to reduce access by sexual predators to children using the sites.35

SPAM ENLARGEMENT

The sale of its domain name management company Domainz in 2003 had freed up InternetNZ to tackle the bigger issues including spam, with initial attention focused on Christchurch-based spammer Shane Atkinson. It had referred the case to the Commerce Commission, the Ministry of Health and the privacy commissioner. His activities included selling pills claiming to enlarge penises. Atkinson told both the NZ Herald and The Press he was unrepentant about his activities and that anyone who didn’t want to receive spam should “[not] connect to the Internet, or don’t have an email address.” The Press claimed Atkinson had earned over $300,000 a year but in response to the threat of action he closed his business.36

Some outbreaks of spam or virus attacks had been significant enough to slow the delivery of email. While ISP filters were able to sift out 95 percent of the rubbish, it was up to the user to deal with the rest. In 2004 New Zealand’s largest ISP Xtra reported it was catching around 60 million spam messages a month, or about 50–60 percent of all inbound email. During the global outbreak of the Zafi.B virus in June, Xtra identified 85 percent of incoming mail as either worms or spam. A paper outlining a proposed anti-spam bill went to Cabinet in early November 2004 but soon slipped down the priorities list. The bill took an ‘opt-in’ approach for commercial messages, similar to the Australian legislation. In other words there had to be some pre-existing relationship between the sender and receiver before commercial messages could be sent.

It was claimed Australian spam levels had halved since the introduction of the Spam Act there – not surprising, with penalties of up to A$44,000 a day for individuals, $220,000 a day for organisations and $1.1 million for persistent spammers. According to Internet security firm Sophos, Australia had previously been among the top 12 spam-producing countries. Locally the flood continued to rise. It was even suggested some spammers had moved to New Zealand or at least were using hijacked computers here to spread their trash.

Symantec had acquired Brightmail in June 2004 and was scanning close to 100 billion emails to obtain its research information. In September it said 24 percent of the annoying clutter worldwide was trying to sell products, 16 percent was adult-related material, 17 percent related to financial offerings; health and scams totalled 8 percent each, and fraud 6 percent. The balance related to Internet, political, spiritual and leisure. In Asia-Pacific the mix was similar except for the higher incidence of scams.37

In early 2006 global spam volumes continued to increase, and surveys indicated 80 percent of all email was now spam. Spam had also become more dangerous, with many messages secretly containing viruses or other hidden programs that could turn ordinary Internet users with broadband connections into large-scale spammers. The culprits had moved way beyond traditional unsolicited email, hitting millions of blog sites with what had become known as ‘splog.’ Internet telephony was facing a growing spam problem referred to as ‘spit,’ and phishing emails, which deceptively send users to phony web sites to extract personal information, were blamed for hundreds of incidents of identity theft.

By mid-December 2006 customers of Xtra and no doubt many other ISPs were getting fed up with the decline in email service. There were even threats of legal action against the country’s largest ISP. Customers complained that email delays and non-deliveries were severely affecting their businesses. Telecom said the problems arose from the huge amounts of spam flooding the network. In September it claimed to have filtered a record 226 million spam items, compared with 65 million for the same time in 2005.

ISPs INUNDATED

Consumers’ Institute head David Russell said home users could claim compensation for email delays if they had suffered ‘a real measurable loss’ while non-commercial customers were covered by the Consumer Guarantees Act, which said services paid for had to be of a ‘reasonable quality.’ Telecom did not generally offer compensation for email delays but in ‘exceptional circumstances’ would consider it.

Telecom general manager of consumer marketing Kevin Bowler said the company was spending tens of millions of dollars on anti-spam measures. Ihug had also invested a ‘significant amount’ on spam filtering after its email network was crippled in late October. At TelstraClear a three-level system to fight spam was proving effective but the battle against spam was almost like waging ‘a cold war.’38

By March 2007 it was alleged that pornographic spam had dropped to an all-time low as spammers concentrated on health-related products and other general product pitches. According to the Symantec report, porno spam comprised just 3 percent of what was arriving in people’s email boxes, the lowest ever recorded. About 70 percent of all email messages monitored over the period were spam, half originating from computers in North America. Improved blocking and filtering methods had driven spammers to use new techniques. About 38 percent of the spam email received in February 2006 was contained in images, making it more difficult for security software to detect. They were also using text at upward- or downward-slanted angles to hamper optical character recognition technology, which tries to read the text within images, Symantec said.39

InternetNZ had waged a protracted battle against spam, working with other industry groups towards regulation, education, and a code of practice for ISPs. The Unsolicited Electronic Messages Bill it had worked on with other industry groups had a slow passage but finally made it to parliament in the form of the Unsolicited Electronic Messages Act, which passed into law at the end of February 2007.

The Act applied not just to email but instant messaging and texting, and would come into force after a six-month amnesty, to allow businesses time to adjust their mailing practices. It was expected to have the greatest impact on local spammers but also enabled the Department of Internal Affairs to co-operate with global agencies, to help stop spam at its source.

The Act aimed to prevent New Zealand becoming a haven for spammers by prohibiting unsolicited commercial electronic messages. It required senders of commercial messages to include accurate sender information and a functional unsubscribe facility. “This legislation enables Kiwis to join the global fight against spam. International co-operation to identify, shut down or block the sources of spam is an important part of our anti-spam strategy,” said Communications and IT Minister David Cunliffe. Under the Act, those sending messages were prohibited from using address-harvesting software or a harvested address list to send unsolicited electronic messages.40

Under the new law, which aligned with Australian regulations, unsolicited commercial messages were banned, along with any message that used a link to hide its content. An opt-in permissions environment applied; messages could only be sent at no cost and only if you explicitly agreed to accept them. If someone chose to unsubscribe it had to be acted on within five days. There were significant penalties for offenders, and strong powers to assist the Department of Internal Affairs (DIA), including search and seizure provisions. The DIA would operate a central email address for reporting spam and sex-related material. Penalties for breaching the Act ranged from formal warnings to infringement notices and court actions, with a maximum fine of $500,000 for an organisation or $200,000 for an individual. Spammers could also be ordered to pay the victim compensation up to the amount of loss suffered and/or damages up to the amount of profit that was made as a result of sending the spam.

The anti-spam law, however, attracted its critics, who claimed it would do little to combat the millions of unwanted messages sent to inboxes each year, as most of the junkmail came from offshore. ACT leader Rodney Hide said the law was well meaning but would place extra costs on small businesses wishing to market their services. ACT’s two MPs were the only ones to vote against it. Hide said the law would also fail to stop spam which could be better combated through filtering. National MP Chris Auchinvole said although National supported the legislation as part of international efforts to tackle spam, it would achieve very little in the near future. “It’s more virtual than real and in reality it does virtually nothing.”

But Cunliffe said the law contributed to an international crackdown on spam. It was important New Zealand was not seen as a soft touch for spammers. “This law is another important step towards greater Internet security. It will clamp down on spam of a domestic origin and provide a platform for seeking an international agreement to fight spam worldwide.” Up to 80 percent of email traffic was now spam, he said.41

CO-OPERATIVE SOLUTION

The original ‘Spam Bill’ required a Spam Code of Practice but the revised version which passed into law deleted those references. “We still think it’s a useful guideline to have a best practice statement rather than a code of practice. It spells out what you can and can’t do in fairly plain English as opposed to the law which is legalese,” said InternetNZ chief executive Keith Davidson. “There’s nothing there to punish ISPs who might allow spam, but then why should there be, as the ISP industry in New Zealand has already shown zero tolerance for spam. They won’t hesitate to chop off accounts that spam.” Davidson said ISPs were already self regulating and the Code of Practice would simply give them a bit more of a guideline.

If the law had passed in its original form, ISPs would have been required to provide customers with information on complying with the act: how to minimise and report spam, install spam filters, recognise ‘false positives’ and how to lay complaints with the enforcement agency. Updateable spam filters would need to be provided either directly or indirectly by ISPs. Each ISP would be required to have a detailed acceptable use policy around email, and identify consequences for a spam breach. They would also need to co-operate with law enforcement and provide 24-hour contactability in case urgent action was needed to knock out spam. ISPs would be required to close down open relays and open proxies, and retain IP assignment information for 28 days. They would also need to provide a free formal complaint handling process and maintain an email abuse reporting address.42

The replacement approach for this high level of responsibility, the ISP Spam Code of Practice, was launched in September, outlining a strong self-regulatory model. The ‘best practices and procedures’ approach included spam complaint-handling procedures developed in parallel with the Unsolicited Electronic Messages Act, and endorsed by InternetNZ, the Telecommunications Carriers Forum, the Marketing Association and ISPANZ (the ISP Association).

Davidson said the code was a key component in the overall fight against spam, along with regulation, education and co-operation with international enforcement agencies. “As the vast majority of spam in New Zealand comes from overseas servers and is beyond the scope of the legislation, it is unlikely consumers will see any significant reduction. However it is critical that New Zealand plays its part legislatively and technically to reduce the incidence of spam.”

ISPANZ president Jamie Baddeley believed it was an important step towards a more robust Internet. “It establishes a good baseline to build upon and is one of the many ways for New Zealand to say that we’re doing the right thing here.”43

Meanwhile, worldwide spam levels continued to rise, comprising around 70 percent of total email messaging by September. Spam – unwanted, unsolicited electronic junkmail – was tailing off but escalated again from mid-year. Auckland anti-spam company SMX said by August the number of spam messages hitting New Zealand email systems was 100 percent up on May and 50 percent up on the previous record set in January 2006.44

COMMON TERMS

Hackers (allegedly hack only) or crackers (more criminal element): Unauthorised visitors to other people’s computers or networks. Many hackers are content with simply breaking in and leaving their mark; others maliciously crash entire computer systems, stealing or damaging confidential data, defacing Web pages, and ultimately disrupting business.

Viruses: Computer programs designed to replicate themselves and infect computers or modify or damage files. Infection can occur through shared disks or over a network, including the Internet. Virus action may often be triggered by a specific event. Some viruses are relatively benign, causing annoyance and inconvenience including slowing down systems by taking up important computer memory; while others are malicious, destroying or deleting files, or reformatting hard drives.

Trojan horse programs: Programs which are delivered by email or caught from Web pages and appear harmless until triggered. They may contain destructive code which can attach to an operating system and delete data, or exploit weaknesses in computer software, or networks and open up systems for additional attacks. Many come with their own email capabilities, to search for and mail themselves out to email address lists.

Reconnaissance or scanning attacks: Information gathering activities where hackers collect data, typically through port 80 on the computer, which can be used later to compromise networks. Usually, software tools, such as sniffers and scanners, are used to map out network resources and exploit potential weaknesses in the targeted networks, hosts, and applications.

Access attacks: Conducted to exploit vulnerabilities in authentication services and FTP functionality in order to gain entry to email accounts, databases, and other confidential information.

Password attacks: A perpetrator gains unauthorised access to network passwords in order to penetrate confidential information – historically the most common type of attacks. When a hacker cracks the password of a legitimate user, he has access to that user’s network resources and typically a foot in the door for gaining access to the rest of the network.

Denial of Service (DoS): These flood applications or servers with traffic in order to deny access to legitimate users. They tie up system resources, and are usually initiated by hackers sending large amounts of jumbled or otherwise unmanageable data to machines connected to corporate networks or the Internet.

Distributed Denial of Service attacks (DDoS): Where an attacker compromises multiple machines or hosts.

Root access attacks: With root access, the hacker has full control of the system and can often collect enough information to gain access to the rest of the network and other partner networks.

Spam: Unsolicited, unwanted junk email sent to a user’s mail box which can clog up the ISP mail system on a bad day or waste a user’s time sorting through what is valid and what isn’t.

Phishing: Scams, often posing as a bank or a legitimate message from a trusted party, trying to convince people to disclose sensitive personal information including log-in password and other account numbers.

Internal threats: While most attempts to prevent security breaches are focused on the world outside, internal threats, particularly in the business sector, are very real. For example, choosing easy-to-use passwords makes it easier for others to break into a computer or network. Bringing in floppy disks, CDs, SD cards, or laptops from outside the business can spread viruses. Disgruntled employees can purposely steal data, infect systems, or write code that can cripple software after they have left a company.

OPPORTUNIST VS MOTIVATED HACKER

The opportunist hacker looks for the easy score, exploiting known vulnerabilities, and may simply be looking for recognition. He or she may deface Web pages, or create a Trojan or a virus with the aim of maximising the nuisance factor so they can brag about it. Opportunists are often referred to as script kiddies, warez pirates, and black hat hackers.

The motivated hacker wants to get you. They are usually looking for revenge and may take the form of a disgruntled employee, ex-employee, dishonest employee, temporary employee, after-hours cleaner, or dissatisfied customer. They will take their time to discover everything they can about your organisation and use tools such as NSLOOKUP, Whois, password cracking applications, and interrogate mail headers for information. They will check your web site for error information that inadvertently gives away important security details. The motivated hacker will plan their attack down to the last detail; they are patient and meticulous, and if they are successful, you may lose everything.49

NOT SO BLACK AND WHITE

White-hat hackers, as they are often called, are highly paid consultants hired by the corporate industry to track down crackers and help discover security holes. Black-hat hackers are individuals who exploit security weaknesses with malicious intent.

According to the Hacker’s Jargon Dictionary, the hacker was originally someone who made furniture with an axe. The definitions for the digital hacker range from a person who enjoys exploring the details of programmable systems and how to stretch their capabilities, or one who programs enthusiastically (even obsessively), to an expert or enthusiast who enjoys programming or can program quickly. They might be an expert in a particular program such as Unix, or one who enjoys the intellectual challenge of creatively overcoming or circumventing limitations. A hacker might also be a malicious meddler who tries to discover sensitive information by poking around; for example, password or network hackers.

The preferred term for this kind of activity is, however, cracker: one who breaks security on a system. The term was allegedly coined in 1985 in response to journalistic misuse of the term ‘hacker.’ “While it is expected that any real hacker will have done some playful cracking and knows many of the basic techniques, anyone past larval stage is expected to have outgrown the desire to do so, except for immediate, benign, practical reasons (for example, if it’s necessary to get around some security in order to get some work done). Thus, there is far less overlap between hackerdom and crackerdom than the mundane reader misled by sensationalistic journalism might expect . . . though crackers like to think of themselves as hackers, most true hackers consider them a lower form of life,” says Eric S. Raymond in his ‘How To Become A Hacker FAQ’ in the Hacker’s Jargon Dictionary.50
