Crime Really Doesn’t Pay: Computer Criminals Sentenced to Prison for Copyright Infringement and Computer Attacks

The arm of the law *can* be long when it comes to nabbing computer criminals and sending them to jail for their crimes.  A few examples of how computer crime does not pay when you’re caught were reported in the past few days.

Example 1:

The U.S. Department of Justice reported, "Operator of Massive For-Profit Software Piracy Website Sentenced to 6 Yrs; Defendant Made Over $4.1 Million in Illegal Revenue."  The criminal must also

"pay restitution of more than $4.1 million, and perform 50 hours of community service. The ordered forfeiture involves a wide array of assets, including numerous airplanes, a helicopter, boats, and cars, which Ferrer had purchased with the profits from his illegal enterprise. In particular, Ferrer forfeited a Cessna 152; a Cessna 172RG; a Model TS-11 ISKRA aircraft; a RotorWay International helicopter; a 1992 Lamborghini; a 2005 Hummer; a 2002 Chevrolet Corvette; two 2005 Chevrolet Corvettes; a 2005 Lincoln Navigator; an IGATE G500 LE Flight Simulator; a 1984 twenty-eight-foot Marinette hardtop express boat; and an ambulance. Ferrer has also agreed to surrender the proceeds of sales of two fire trucks that were also bought with his illegal proceeds."

It’s amazing how many people make guys like this multi-millionaires. 

"Beginning in late 2002 and continuing until its shutdown by the FBI on Oct. 19, 2005, Ferrer and his co-conspirators operated the www.BUYSUSA.com website, which sold copies of software products that were copyrighted by companies such as Adobe Systems Inc., Autodesk, and Macromedia Inc. at prices substantially below the suggested retail price. The software products purchased on the website were reproduced on CDs and distributed through the mail. The operation included a serial number that allowed the purchaser to activate and use the product. Further investigation established that, during the time of its operation, www.BUYSUSA.com illegally sold more than $4.1 million of copyrighted software. These sales resulted in losses to the owners of the underlying copyrighted products of nearly $20 million.  After receiving complaints from copyright holders about Ferrer’s website, an undercover FBI agent made a number of purchases of business and utility software from the site, which were delivered by mail to addresses in the Eastern District of Virginia. Ferrer pleaded guilty before Judge Ellis on June 15, 2006, to one count of conspiracy and one count of criminal copyright infringement for selling pirated software through the mail."

Back in the early 1990’s I did some software audits at some companies, one of which had only one legitimate software package amongst around 500 different software packages.  Many of the other companies I reviewed were not that much better.  That was at a time when illegal software copying was running rampant among many (perhaps most) businesses who were trying to save money and didn’t really understand the concept of software licensing and copyright compliance.  At that time the Software Publisher’s Association (SPA) was becoming very active in fighting illegal software licensing. 

The Business Software Alliance (BSA) was key to the investigation in this particular case.  I wonder how many businesses were customers of this guy?  I believe most businesses now try to be compliant with software licensing requirements, but I can see how small and medium sized businesses (SMBs) could have purchased from this guy in an effort to try and save money not realizing they were purchasing illegal software.  Wonder how long it will take the BSA to contact all his customers to tell them to destroy their software and purchase legitimate copies?

Example 2:

The New Jersey Attorney General’s office reported, "Michigan Man Gets 30 Months for Conspiracy to Order Destructive Computer Attacks on Business Competitors" on August 25, 2006.  His co-conspirator got sentenced to 5 years in prison. 

"U.S. District Judge Joseph E. Irenas also ordered Jason Salah Arabo, 19, of Southfield, Michigan, to make restitution of $504,495 to his victims – the websites he targeted as well as an Internet hosting company.  Arabo pleaded guilty today before Judge Irenas on April 12, to a one-count Information charging him with conspiracy to cause the transmission of a program, information, code, and command, and as a result of such conduct, intentionally cause damage without authorization, to a protected computer. In pleading guilty, Arabo acknowledged that in 2004, he ran two web-based companies, www.customleader.com and www.jerseydomain.com, that sold sports apparel, including reproductions of sports uniforms, popularly known as “retro” or “throwback” jerseys."

Arabo was 16 when these attacks occurred.  So young…where were the people who should have been modeling good ethical behavior for him?  This really points out a need to incorporate information security and ethical computer use within our school systems as well as within our homes whenever and however possible.  This is not a new issue; in 1994, a National Computer Ethics and Responsibilities Campaign (NCERC) was launched  to create an "electronic repository of information resources, training materials and sample ethics codes" that would be available on the Internet for IS managers and educators.  The National Computer Security Association (NCSA) and the Computer Ethics Institute co-sponsored NCERC. The NCERC Guide to Computer Ethics was developed to support the campaign.  However, it appears now that it is only available via hard copy by postal mail request.  Too bad it is not available online to make it easier to raise awareness and educate everyone about computer use and the ethical impacts.

"According to Assistant U.S. Attorney Eric H. Jaso, who prosecuted the case, Arabo admitted that in online “instant message” conversations he met a New Jersey resident, Jasmine Singh, who communicated using the online name “Pherk.” Arabo learned that Singh had covertly infected some two thousand personal computers with programs that enabled him to remotely control them. Singh demonstrated to Arabo online that he could command these computers to conduct attacks, known as distributed denial of service, or “DDOS” attacks, on computer servers and disable websites supported by those servers. Arabo admitted that he asked Singh to take down the websites and online sales operations of certain of his competitors. Arabo promised to compensate Singh for the attacks with merchandise, including designer sneakers.  In August 2005 Singh, who was 16 at the time of the attacks, pleaded guilty as an adult to two counts of computer theft in New Jersey State Superior court. He has since been sentenced to five years in prison and ordered to pay $35,000 in restitution for damage caused by the attacks."

Example 3:

On August 25, 2006 Christopher Maxwell, 21, of Vacaville, California was sentenced to three years in prison "for launching a computer attack that hit tens of thousands of computers, including some belonging to the Department of Defense, a Seattle hospital and a California school district.  Maxwell was also sentenced to three years of supervised release. He pleaded guilty in May to federal charges of conspiracy to intentionally cause damage to a protected computer and conspiracy to commit computer fraud.  U.S. District Judge Marsha J. Pechman said the crime showed "incredible self-centeredness" with little regard for the impact on others. She said the prison time was needed as "deterrence for all those youth out there who are squirreled away in their basements hacking.""

"Maxwell and two juvenile co-conspirators were accused of using "botnet" attacks — programs that let hackers infect and control a computer network — to install unwanted internet advertising software, a job that earned them about $100,000.  Three victims testified at Maxwell’s sentencing: a representative of Seattle’s Northwest Hospital, damaged in February 2005; a representative of the U.S. Defense Department, which reported damage to hundreds of computers worldwide in 2004 and 2005; and a former system administrator for the Colton Unified School District in California, where more than 1,000 computers were damaged over several months in 2005."

The US Dept of Justice site indicates the estimated dollar loss of the business victims of Maxwell’s crimes was $252,000.  I imagine based upon the length of time over which the attacks occurred and the number of computers impacted it was likely much more costly when factoring in human hours of lost time, time to hire someone to clean up the damage, and the cost of legal counsel.

The press release from May when the charges were made indicated "Further investigation revealed MAXWELL’s computer intrusions also did more than $135,000 of damage to military computers in the United States and overseas."

Causing downtime and computer problems at hospitals could also pose a very real threat to patient health.

These are just three examples, but good representations of the need for a strong information security program that addresses the risks for, and within, each particular organization.  Security must be applied not only to meet the compliance requirements of laws and regulations, but in ways that address the existing threats, risks and vulnerabilities of each organization’s unique environment.   
