ILG CERT Presentation Final
Transcript of ILG CERT Presentation Final
Using Civil Litigation to Fight Cyber Threats:
How Corporate America Can Stop Enabling Cyber Crime
May 2, 2008
Jon Praed Internet Law Group
jon.praed(at)i-lawgroup.com
What ILG Does
• Target major Internet fraudsters attacking multiple corporate victims
• Capture “fingerprints” tied to Internet fraud
• Aggregate “fingerprints”
• Use investigative and legal process to identify fraudsters, their assets & their enablers
• Formulate strategic solutions against fraudsters
• Leverage information across client base
• Current lawsuit focusing on pharmacy spam
The Real Scope of Cyber Crime
• Illegal Business (willing buyer and seller)
– Counterfeit and pirated goods
– CP & obscenity
– Fake IDs, passports & identity papers
– $ almost always changes hands
• Fraudulent Business (regretful buyer/seller)
– Scams, phishing, malware injection
– $ usually changes hands (eventually)
• Traditional Economic Crimes (unwilling single party)
– Extortion, blackmail (HD encryption & physical threats)
– $ typically changes hands
• Terrorism & Acts of War (unwilling multiple parties)
– Estonia DDoS
– $ rarely changes hands
Cyber Crime Looks Like Normal Business
• Communications
• Movement of hard goods
• Movement of money
Defining the Strategy Against Cyber Crime
• DHS Secretary Chertoff, RSA Conf. April 2008
• “Large-scale cyber attack might result in consequences comparable to the Sept. 11, 2001, attack on the World Trade Center buildings in New York”
• Calls for Cyber “Manhattan Project”
• US Gov’t to reduce Internet access points from 4,000 to 50
Cyber Manhattan Project = Wrong Analogy
• Manhattan Project’s Objective
– Build a small number of working nuclear bombs to be deployed offensively
– “Silver Bullet” to force Japan’s surrender
• Today’s Cyber Crime Objective?
– Defensive, not offensive
– No unitary enemy to surrender to us
– “Silver bullet” solutions seem unlikely
Characteristics of Cyber Crime Problem
• Massive initial data set
• Most individual acts are trivial standing alone
• Architecture inherently insecure
• Bad actors cover spectrum of dedication/sophistication
– Most actors are juveniles, newbies, part-timers
– But most harm caused by sophisticated, full-time experts
• “Innocents” populate the battle space
• Government LE resources overwhelmed
• Private sector resources inefficiently directed
• Victims feel powerless and prefer to free ride
Five Proven Strategies To Fight Physical Riots*
1. Establish the ground rules in advance
2. Monitor events
3. Intimidate en masse
4. Stop the leaders
5. Disperse the crowd
*http://people.howstuffworks.com/riot-control.htm
Even Simple Monitoring Shows:
It’s a Small World – in Cyberspace
WhoIs Registrant Fingerprint:
xiaowen,
No.12 chang'an road, 100001
Domains tied to this one registrant fingerprint:
– paypal-security.com (Phish)
– 200soft.com (Pirated Software)
– elitezmed.com (Counterfeit Drugs)
Over 600 Domains in 1Q 2007
Deeper Monitoring Shows Real Aggregation around Enablers:
Illegal Online Pharmacies Case Study
• 30,000+ domain names over 18 months
– 90% tied to <200 OLP “Brands”
– All have credit card merchant accounts
– Most tied to just a few credit card acquiring banks (Russia & St. Kitts)
– All have consumer credit cards/bank accounts
– All have access to call centers (many toll free)
– Most have access to known drug manufacturers in Asia
– Most are using a handful of Chinese Registrars to acquire domains
– Limited number of emails in WhoIs registrations and email hosts
– Spam-sending IPs in 7 figures; BUT harvesting IPs only ~20,000
• ~12 Gangs responsible for >80% of activity
• Highly diversified into phish, pirated software, other cyber crimes
• Identity of gangs is contained in collective filing cabinet of Corporate America
Bad Guys Seek Enablers
"The Capitalists will sell us the rope with which we will hang them."– Vladimir Lenin
Bad Guys Reward Enablers
"The Capitalists will sell us the rope with which we will hang them."– Vladimir Lenin
“The last Capitalist we hang shall be the one who sold us the rope.”– Karl Marx
Why Cyber Criminals Seek Enablers…
• Essential Services
– Financial services
– Shipping
– Communications
• False or no identity
• Poor reputation systems
• Slow Discovery (hidden behind strong, unitary privacy policies)
• Dispersed “fingerprints”
The Enabler in the Mirror
• We nearly all sell rope to bad guys
• We are nearly all victims too
• Stages of Enablement
– Innocent
– Negligent
– Reckless
– Knowing
– Intentional
Putting a Stop to Enablement
• We must use carrots & sticks against those who sell rope to bad guys
• Key to Success: Intelligent Cost Shifting
– Shift micro costs first, then macro costs
• Purpose of cost-shifting is to clear the middle of the room of innocents (& reduce risk of collateral damage)
Carrots
• Data sharing
• Cooperative enforcement actions
• Reduced costs arising from security & trust
• Identify castle walls and make life better inside the walls than outside the walls
Sticks
• Challenge others
– to act on their own data
– to share their own data
– to identify and seek missing data
• Impose obligation to act via legal notices
• Pursue legal liability for failure to seek, share and act on data
– Contractual liability (direct and third party beneficiary)
– Regulations (e.g., Bank Secrecy Act)
– Common law tort liability
• Focus first on co-conspirators
• Focus second on cheapest cost avoiders
• Watch for decision in Tiffany v. eBay (SDNY, #04-4607)
The “Death Spiral”
• Cost-shifting is a tactic, NOT a strategy
• Non-strategic plaintiffs’ lawyers
– Do not monitor anonymous problems
– Do monitor deep pockets, waiting to pounce
– Seek low-hanging fruit
• Non-strategic actions hurt
– Merely shift costs between victims
– Deprive us of resources for strategic actions
– Lead to the Death Spiral
Avoiding the Death Spiral
• Anticipate legal notices and lawsuit threats
• Data mine inbound notices & subpoenas that seek information from you
• Share data with co-victims voluntarily
• Seek missing data proactively
• Challenge other enablers to act
• Ensure your privacy policy distinguishes between abusive and valued customers
• Surcharge for abusive practices of customers
• If you profit from steady state abuse, raise your prices and isolate your acts of enablement until abuse falls
Value of Strategic Civil Actions
• Private sector already has all the information
• Self-defense is an intuitive right (legal “safe harbors” are everywhere)
• Seamless information gathering across borders
• Joint prosecution agreements enable voluntary data sharing
• Strong legal privileges protect cooperating parties
– Attorney work product privilege
– Attorney-client communications privilege
• Subpoena power compels reluctant enablers to share data
• Unlike LE, victims can receive immediate feedback from civil discovery
• Empowers self-help and technical improvements (what borders do you see?)
• Average costs per action are lower than criminal actions
• Encourages development of best practices among enabler communities
• Establishes and preserves evidence of intentional enablement
• No right to court appointed defense counsel - costs of defense are significant and immediate
• Fifth Amendment rights are limited and are penalized in civil arena
• Civil laws permit discovery under seal, John Doe discovery, pre-judgment seizure of assets, repatriation based on citizenship
• Participants are inoculated against Death Spiral
• Judiciary and LE retain control over conflicting civil and criminal actions
• Leverage LE resources
Cyber Crime = Online Riot*
1. Establish the ground rules in advance
2. Monitor events
3. Intimidate en masse
4. Stop the leaders
5. Disperse the crowd
*http://people.howstuffworks.com/riot-control.htm
Cyber Crime = Riot
1) Establish the ground rules in advance
- Internet acceptable use policies
- State and federal laws
- International law / cooperation
Cyber Crime = Riot
2) Monitor events
- Collect samples
- Capture Internet fingerprints
- Systematically identify “Hot Spots”
- Obtain feedback from “Hot Spots”
- Penetrate financial systems through undercover buys
- Share information within enforcement community
Cyber Crime = Riot
3) Intimidate en masse
– Legal Notices to “Hot Spots” Providing Material Support
• Preserve Information
• Investigate
• Enforce AUP
• Report on Outcome of Investigation & Identity
– Subpoena Non-Cooperative “Hot Spots” via strategic John Doe civil lawsuits
Cyber Crime = Riot
4) Stop the leaders
– Target the top offenders for investigative focus
– Civil lawsuits/asset seizures
– Criminal referrals
– Extra-legal actions
– Technical responses
Cyber Crime = Riot
5) Disperse the crowd
– Encourage marginal actors to exit the business
– Force committed criminals to:
• consolidate around “black hat” enablers, or
• disperse across “white hat” enablers
Consolidation or Dispersion: Do We Care?
• Consolidation around black hats
– Simplifies cost-shifting
– Enables blunt enforcement tools
– Creates borders
• Dispersion around white hats
– Leverages our resources
– Increases reporting opportunities
– Enables immediate enforcement actions
Cyber Crime = Riot
Numerous Early-Stage Actors Receive Light Touches
Top Surviving Targets Receive Heavy Touches
Opportunities For Progress?
• Online pharmacies
– Huge profits from counterfeiting fund illegal enterprises
– Patent protections at risk (yet another Death Spiral)
• Money laundering mechanisms
– Highly regulated and jurisdictionally divided
– Bad guys already consolidated around a few enablers
• Registrars (.flag)
– Must get beyond privacy v. security debate
– Privacy rights should be subject to forfeiture and financial penalties in cases of abuse
– Technology must distinguish between registrars & .flags
• Botnets
– Focus on botnet customers/lessees
• Telco call centers
• Other areas where technology & law can create & defend borders?