A 23-year-old Slovenian hacker known as Iserdo was arrested in Slovenia for creating malicious computer code that infected up to 12 million computers worldwide. The lengthy investigation was conducted by Slovenian police along with the FBI and Spanish authorities. Breaking into business information systems is considered a typical act of corporate espionage. Companies are often overconfident about their cybersecurity and vulnerable to internal hacking by employees.
1. CAUGHT WITH HANDS IN E-MARMELADE
mag. Dejan Jasnič, LL.M.
19th November 2015, Cyber risk conference, Ljubljana
2. Iserdo… sounds familiar?
(AP) WASHINGTON - International authorities have arrested a computer hacker believed responsible for creating the malicious computer code that infected as many as 12 million computers, invading major banks and corporations around the world, FBI officials told The Associated Press on Tuesday.
A 23-year-old Slovenian known as Iserdo was snagged in Maribor, Slovenia, after a lengthy investigation by Slovenian Criminal Police there along with FBI and Spanish authorities.
3. In 2013 the UK Cabinet Office estimated that the cost of cyber crime to the economy is £27bn annually
Since the first cyber policy was written in the late 1990s, insurers have been unwilling to provide coverage for all losses. Most firms are reluctant to offer policies for property damage resulting from hacking because there is almost no data available to determine costs.
To quantify potential property damage from a cyber-attack, Lloyd's of London and Cambridge University modelled a scenario that blacked out parts of the north-eastern U.S. for several weeks. The study found $1 trillion in property damage, higher death rates and crippled infrastructure.
S&P Report, June 2014: Target Corp.'s policy covered about $90 million, which left the retailer with $162 million of uninsured legal, business-interruption and network-restoration costs from a 2013 breach.
4. Violation of Secrecy of Means of Communication may be committed only during transmission
Article 139 (translated from the Slovenian original)
…
(2) A fine or imprisonment of up to one year shall be imposed on:
…
2) whoever, using technical means, without authorisation learns of a message being transmitted by telephone or by any other electronic communication means;
…
(3) Whoever, by any of the acts listed in paragraphs 1 and 2 of this Article, enables another person to directly learn the content of a message or consignment shall be punished in the same way as under the preceding paragraph.
…
(5) If the act under the preceding paragraphs of this Article is committed by an official through the abuse of official position or official powers, or by a postal or other worker entrusted with receiving, transmitting or delivering other persons' letters, telegrams or other written communications or consignments, the perpetrator shall be punished by imprisonment of three months to five years.
(6) Prosecution for the acts under paragraphs 1 to 4 of this Article shall be initiated upon a motion.
Article 139
…
(2) The following shall be punished by a fine or by imprisonment for not more than one year:
…
2) whoever, by use of technical instruments, learns of the content of a message transmitted by telephone or any other means of electronic telecommunication;
…
(3) Whoever, by committing any of the offences under paragraphs 1 and 2 of this Article, allows a third person to be informed of the content of a consignment or message shall be punished in accordance with the preceding paragraph.
…
(5) If any of the offences under the above paragraphs of this Article have been committed by an official through the abuse of office or official authority, or by a postal worker or other official authorised to accept, transport or deliver letters, telegrams or other pieces of writing or consignments, he shall be sentenced to imprisonment for not less than three months and not more than five years.
(6) The prosecution of the offences under paragraphs 1 to 4 of this Article shall be initiated upon a complaint.
5. The intention of hacking does not have to be in gaining proceeds
Abuse of Personal Data
Article 143 (translated from the Slovenian original)
…
(2) The same punishment shall be imposed on whoever breaks into or enters without authorisation a computer-managed database with the intention of obtaining any personal data for himself or for another.
(3) Whoever publicly publishes on the Internet or otherwise, or enables another to publish, personal data of victims of criminal offences, victims of violations of rights or freedoms, or protected witnesses, contained in the court files of judicial proceedings in which, by law or by court decision, the presence of the public or the identification of victims or protected witnesses is not permitted, or personal records about them in connection with the judicial proceedings, on the basis of which these persons can be identified or are identifiable, shall be punished by imprisonment of up to three years.
(4) Whoever assumes the identity of another person or, by processing that person's personal data, exploits their rights, obtains a property or non-property benefit at their expense, or injures their personal dignity, shall be punished by imprisonment of three months to three years.
…
(6) If the act under the preceding paragraphs of this Article is committed by an official through the abuse of official position or official powers, the official shall be punished by imprisonment of up to five years.
(7) Prosecution under paragraph 4 of this Article shall be initiated upon a motion.
Abuse of Personal Data
Article 143
…
(2) Whoever breaks or enters into a computer or database without authorization in order to acquire personal data for his or a third person's use shall be punished in accordance with the preceding paragraph.
(3) Whoever publishes on the World Wide Web or otherwise or enables another person to publish personal data of victims of criminal offences, victims of violation of rights and liberties, protected witnesses, which are contained in judicial records of court proceedings, in which the presence of the public or witness identification or protected witnesses and personal records thereof related to the court proceeding was not allowed according to the law or court decision, on the basis of which these persons may be identified or are identifiable, shall be sentenced to imprisonment for not more than three years.
(4) Whoever assumes the identity of another person and under its name exploits their rights, gains property benefits or damages their personal dignity shall be sentenced to imprisonment between three months and three years.
…
(6) If any offence from the preceding paragraphs of this Article is committed by an official through the abuse of office or official authority, such an official shall be sentenced to imprisonment for not more than five years.
(7) The prosecution under paragraph 4 of this Article shall be initiated upon a complaint.
6. Hacking just for fun is illegal, as well
Attack on an Information System
Article 221 (translated from the Slovenian original)
(1) Whoever without authorisation enters or breaks into an information system, or without authorisation intercepts data during a non-public transmission into or out of an information system, shall be punished by imprisonment of up to one year.
(2) Whoever without authorisation uses, alters, copies, transmits or destroys data in an information system, or without authorisation enters any data into an information system, or obstructs data transmission or the operation of an information system, shall be punished by imprisonment of up to two years.
(3) An attempt to commit the act under the preceding paragraph is punishable.
(4) If the act under paragraph 2 of this Article causes major damage, the perpetrator shall be punished by imprisonment of three months to five years.
Attack on Information Systems
Article 221
(1) Whoever enters without authorization or breaks into an information system, or illegally intercepts data during a non-public transmission into or from the information system, shall be sentenced to imprisonment for not more than one year.
(2) Whoever makes an illegal use of data in an information system, or changes, copies, transmits, destroys, or illegally imports data in an information system, or obstructs data transmission or information system operation, shall be sentenced to imprisonment for not more than two years.
(3) Any attempt to commit such an offence referred to in the preceding paragraph shall be punishable.
(4) If the damages incurred by the committing of the offence under paragraph 2 of this Article are considerable, the perpetrator shall be sentenced to imprisonment for not less than three months and not more than five years.
7. Breaking into Business IS is a typical act of corporate espionage
Abuse of an Information System
Article 237 (translated from the Slovenian original)
(1) Whoever, in the course of business operations, without authorisation enters or breaks into an information system, or uses it without authorisation by using, altering, copying, transmitting or destroying data or by entering any data into the information system, obstructs data transmission or the operation of the information system, or without authorisation intercepts data during a non-public transmission into the information system, in order to obtain an unlawful property benefit for himself or for another or to cause property damage to another, shall be punished by imprisonment of up to three years.
(2) If the act under the preceding paragraph resulted in a large property benefit or large property damage, and the perpetrator intended to obtain such a property benefit for himself or for another or to cause such property damage to another, the perpetrator shall be punished by imprisonment of up to five years.
Breaking into Business Information Systems
Article 237
(1) Whoever, in the performance of business operations, enters without authorization or breaks into an information system, or makes an illegal use of data by using, altering, copying, transmitting, destroying or entering into an information system any data, or obstructs data transmission or information system operation, or illegally intercepts data during a non-public transmission into the information system, in order either to procure an unlawful property proceeds for himself or a third person or to cause damage to the property of another, shall be sentenced to imprisonment for not more than three years.
(2) If the offence under the above paragraph has resulted in a large property benefit or a large loss of property and if the perpetrator intended to cause such loss of property or to gain such property benefit, he shall be sentenced to imprisonment for not more than five years.
8. "As opposed to arresting the guy who broke into your home, we've arrested the guy that gave him the crowbar, the map and the best houses in the neighbourhood" (cit. from the Iserdo case)
Manufacture and Acquisition of Weapons and Instruments Intended for a Criminal Offence
Article 306 (translated from the Slovenian original)
…
(3) The same punishment as under the preceding paragraph shall be imposed on whoever, with the intention of committing a criminal offence, possesses, manufactures, sells, gives for use, imports, exports or otherwise provides instruments for breaking into or for unauthorised entry into an information system.
Manufacture and Acquisition of Weapons and Instruments Intended for Committing a Criminal Offence
Article 306
…
(3) The punishment under the above paragraph shall be imposed on whoever possesses, manufactures, sells, puts to use, imports, exports, or makes available in any other manner, with the intention of committing a criminal offence, instruments intended for the breaking or unauthorized entry into an information system.
10. Companies are most often overconfident
11. Exposure to internal hacking may be greater than one would expect
Which data would you take with you from the company?
12. These risks should be relatively easy to manage. Is this so in practice?
What media would you use?
13. THANK YOU FOR YOUR ATTENTION
dejan.jasnic@abctransparency.com
+41 805 3278
+386 41 327 864
Editor's notes
His arrest comes about five months after Spanish police broke up the massive cyber scam, arresting three of the alleged ringleaders who operated the so-called Mariposa botnet, stealing credit cards and online banking credentials. The botnet -- a network of infected computers -- appeared in December 2008 and infected more than half of the Fortune 1,000 companies and at least 40 major banks.
Sentence for para 2: fine or prison up to 1 yr.
The system does not have to be protected (it used to have to be, under the old Penal Code).
Use or manipulation of data and obstruction of system operation are punished more severely.
The offence under paragraph 2 can also be committed with dolus eventualis (e.g. forwarding virus-infected mail).
In this offence the perpetrator does not pursue a property benefit or movable property.
(Breaking into an account via e-banking and transferring the money away constitutes burglary, i.e. grand larceny.)
Paragraph 2 incorporates provisions of the Council of Europe Convention on Cybercrime: the criminalisation of obstructing data transmission or system operation.
Sentence: up to 1 yr
In substance this is a preparatory act, but it is defined as a stand-alone criminal offence.
Problems in prosecuting these offences:
- many offences go unreported
- from the couch
- hard to trace the place of the offence and the identity of the perpetrator, which can be concealed with tools
- perpetrators' specialised knowledge
Cyber masterminds behind the biggest botnets aren't often taken down largely because it is easy for experienced hackers to hide their identities by disguising the source of their Internet traffic. Usually the computer resources they use are stolen. And the investigations are complex and technical, often spanning dozens of countries with conflicting or even non-existing cyber crime laws.
How exposed is the other third?
Organizations need to assume they will be breached and monitor the pathway attackers take. However, it’s what can be done to stop attackers once inside the network that business and IT leaders should be thinking about.
Attackers will always find a way past the perimeter. Security strategies must assume this and focus on limiting attacker movement once they infect an endpoint or trick an employee into clicking a malicious link. In particular, business leaders need to understand the damage that can be done with hijacked privileged credentials.
Once a cyber attacker steals and exploits privileged credentials, not only is it difficult to dislodge them, it’s incredibly difficult to even detect them. Attackers that exploit privileged accounts can delete logs and history, install malware and backdoors, and easily evade detection by hiding in plain sight as normal business traffic.
Industry reports highlight that attackers are on a targeted network an average of 200 days prior to detection.