CYBERCRIME AND CLOUD COMPUTING

As reported by the Sydney Morning Herald, criminals are hitting ordinary websites and criminal organisations are engaging in widespread identity theft, according to the Australian Crime Commission.

Personally identifiable information is being scraped from websites and used to perpetrate various forms of cyber crime. The level of detail posted on social networking sites within an individual profile is easily sufficient for a criminal to compile an identity for the purpose of fraudulently obtaining credit. Coupled with other simple techniques such as using Instant Messenger and chat facilities, criminal organisations can obtain inordinate amounts of information on individuals who are seemingly oblivious to the fact that their data could be used to commit fraud.

Part of the problem, according to the Chief Executive of the Australian Crime Commission, Mr John Lawler, is the lack of co-operation by companies such as Facebook and eBay in providing assistance to law enforcement agencies undertaking investigations. Victims of online fraud don’t usually report crimes at all, according to a recent report on the profile of victims of online crime, and when they do, they report it to eBay and Facebook rather than organisations such as the Australian High Tech Computer Crime unit and other specialist law enforcement agencies.

Another factor highlighted by law enforcement agencies as contributing to the difficulties is that they are ill equipped to deal with intrusions into cloud computing services. Hackers have been using web-based intrusion attacks to exploit those who use virtualisation, cloud computing and web-based applications to store sensitive financial and other data. Whilst using cloud-based technology does drive down the cost for many organisations and result in increased productivity, less than careful thought is being given to compliance issues. Organisations are ultimately responsible for the security and privacy of data stored in utility platforms.

Police operatives report being hampered by the inability to access data hosted on remote computers or in command centres physically resident in overseas jurisdictions, in environments such as cloud or grid computing.

In cloud computing platforms, traffic is gathered at centralised locations, enabling cyber criminals to affect massive numbers of organisations and individuals with one strike. Common cloud applications clearly pose increased security risks at many levels.

There are security, privacy and system vulnerabilities which have the potential to affect large numbers of businesses and individuals, as cloud computer systems are more easily infiltrated by cyber criminals. Social networking and smart phones also pose great security hazards.

There have been three major reports released by Australia, the United States and the United Kingdom on cyber crime recently, highlighting the importance being attached to tackling cyber crime.

Australia recently released the Report of Inquiry into cyber crime, prepared by the House of Representatives Standing Committee on Communications; the United Kingdom released The Digital Britain Final Report (June 2009), followed by the ‘Cyber Security Strategy of the United Kingdom’. The UK has established an Office of Cyber Security and a Cyber Security Operations Centre to provide information and education about the risks to business and individuals posed by cyber crime.

Meanwhile, in the United States the National Security Strategy also recognised the need for education on cyber crime and cyber security measures. In 2009 a Cyber Security Chief was appointed.

The recurring theme in all Governments’ strategies and recommendations is the importance of awareness and education in persuading computer users to secure their data, identities and privacy online.

From what the Executive of the Australian Crime Commission appears to be saying, it doesn’t appear that end users can always be expected to come forward and report matters, or that the onus can be placed solely on individuals to protect themselves from online threats without assistance.

The use of botnets is one of the greatest security threats, and many computer users are simply unaware that their computer has been zombied and is being used as part of a botnet ring to perpetrate acts of cybercrime. There seems to be an unwillingness of individuals to even contact law enforcement agencies such as the Australian High Tech Computer Crime Centre when confronted with fraud.

Cyber crime is a very broad concept ranging from issues affecting young children and their online behaviour, to identity theft and fraud. Transgressions go beyond what many would consider ordinary criminal offences. However, the broader effects of certain acts, for example the installation of spyware or malware, a breach of the Trade Practices Act 1974, can have criminal ramifications.

Phishing, botnets, malware, spam, hacking, internet scams, money laundering and identity fraud and theft are all encompassed within the definition of cyber crime, and all to some extent overlap and are interrelated.

What is clear is that cyber crime is a rapidly expanding phenomenon occurring on a global scale. A co-ordinated and concerted response is necessary to combat cybercrime which, by necessity, involves consumers and businesses being more prepared to report incidents of cyber crime to authorities such as the Australian High Tech Crime Centre.

The Committee’s report recommended that the Department of Broadband Communications and the Digital Economy be given the responsibility of developing a national education strategy to deal with cyber crime. Other recommendations made by the Committee’s report include greater co-operation between the IT industry and government and other agencies.

An eSecurity Code of Practice has been suggested which would place the onus on Internet Service Providers to inform end users when their IP address had been linked to an infected computer, and to implement policies and a restricted access scheme until the infected computer was no longer compromised.

This eSecurity Code of Practice would be registered under the Telecommunications Act 1977, giving the Australian Communications and Media Authority the requisite power to compel adherence by subscribers and take enforcement action where necessary.

The Committee recommended as a matter of priority that Australia accede to the Council of Europe Convention on Cybercrime (the convention), to promote uniformity between nations’ laws on cyber crime, enhancing international co-operation. By and large, Australia’s domestic laws are aligned with the convention.

The gaps are in the critical areas of data access and sharing to enable Australian authorities to exchange data with overseas authorities. Amendments would be required to the Telecommunications (Interception and Access) Act 1979 in order to enable authorities to capture, transmit and share data. Accession to the Convention in full is also believed to be of great symbolic value in making Australia a positive example in the Asia Pacific region.

The report indicates that Australia is taking a fresh approach to tackling cyber crime, reflecting the duty to tackle cyber crime as an important responsibility, a responsibility which has also been recognised in other international initiatives.

However, it remains to be seen how Internet Service Providers will respond to the changes, given the new obligations which are placed upon them if the eSecurity Code of Practice is implemented.

Internet Service Providers have shown varying degrees of willingness to compromise their end users’ services and privacy and have often been caught in the middle of some epic copyright infringement battles.
