Cyber Law and Policy

This blog is full of posts about cyber-crimes; I thought it would be a good idea to cover the reaction of governments and other relevant authorities.

The increase in our interaction with the web across the globe has caused more and more criminal activities to take place as hackers look for ways to exploit this growth of users. This has led to several new attempts to curb these attacks and provide solutions to online problems that arise. National laws continue to address cyber-crime issues, but further and greater cooperation between states is the best way to decrease and solve crimes that cross national borders.

Internet governance is an umbrella term that groups the state, private, and technical solutions provided for online crimes. An increasing number of governments have started to take the trend of virtual life seriously and are beginning to consider such users as ‘online citizens’. In fact, in a changing and increasingly virtual world, governments are reconnecting with citizens directly in their homes. With a growing portion of our time spent online, the concept of the cyber-citizen is now established and recognized by business, government, and society.

However, we are still learning and figuring out how to recognize and identify this concept lawfully. For now we only have a broad idea about how online behaviour will be governed by a network of national laws and how the breach of the latter will be punished.

(Fake) anti-virus applications!

Funnily enough, at the same time as I was thinking about a topic for my next (last) blog post, something popped up on my laptop screen. It looked like a very sophisticated and reliable anti-virus application, and it said that particular programs on my computer were infected with worms. Before I could even react to the message, dozens of error messages started to pop up continuously, stopping me from doing anything else. I tried to end the program using Task Manager but was unsuccessful in doing so. I then used another computer to research it.

“Security Tool” is in fact a FAKE anti-virus application that keeps your computer hostage until you pay them an amount of money. It keeps throwing you messages to prevent you from doing anything to remove it. It also disables Task Manager. And the worst is that it blocks you from running malware removal tools.

I was really worried that my computer was infected just before exams and immediately looked for help on forums. Almost all of them advise you to download and run SUPERAntiSpyware and Malwarebytes scans after making the virus sleep for a while using different techniques. However, none of them worked for me. Every time I restarted my computer, Security Tool got created again automatically.

Following my friend’s advice, I did a much simpler task to get rid of it – I just deleted the Security Tool executable file and it seems to have done the job, at least for now. Malware such as Security Tool is another way cyber criminals collect money from victims.

Therefore, before trusting any such application (they might look sophisticated and trustworthy), please research it carefully first.

From the war between QQ and 360

As my last blog post mentioned, it turned out to be a frame-up when 360 Company accused QQ of cyber espionage in September; this was not the settlement, however, but just a beginning.
The war started here. When the public was struck with panic and concerned about the security of their privacy after the release of 360 Privacy Protector, 360 Company soon designed (which is thought to have been premeditated) another piece of software named Koukou BaoBiao (QQ Guard), intended to take charge of the QQ IM software, namely to block QQ’s advertisements, speed up QQ, and shut off some automatic services such as QQ Music, QQ Show and so on. These advertisements and services are the main way Tencent earns profits from its users. Of course, Tencent Company was unhappy about this so-called QQ Guard, and here comes the highlight of this war!
On 3 Nov, QQ popped up a window to all its users, announcing that they had made a very difficult decision: to keep QQ users’ desktops from becoming the battlefield between 360 and Tencent, QQ would automatically stop running on computers with 360’s software installed. This announcement soon became the hottest topic and almost everyone on the Internet was talking about it. This is because in China up to 70% of computers have both 360 and QQ installed. Soon afterwards, other big companies got involved, either to help broker a compromise or to get a share from the chaos. The complaints from the public were so unbearable that the authorities had to step in, and finally the two companies reached a compromise that QQ will live with 360 unless 360 withdraws the QQ Guard software. Only then did the war come to a gentle stop, but no one can predict whether it is an ending or just the silence before another war breaks out.
From all this, it is difficult to say definitively which of the two companies is the bad one and which the good. Each company reacted to this commercial event for the sake of its own benefit, no matter how just or rightful it might appear to be. The motive behind this event is deeply hidden and there is various speculation among the public. For instance, because of the cooperative relationship between 360 and Microsoft, it is guessed that this entire event is a conspiracy to trap QQ so as to benefit MSN. This sounds reasonable, as the moment QQ claimed to be incompatible with 360, a large number of QQ users got annoyed and signed up for MSN, saying that they could still communicate without QQ. On the contrary, 360 loudly claims that what it did was all for justice, for the security of personal computers. Since it is impossible to cover the whole history of these two companies, what I will talk about in the following is the reaction of the public and the influence on it.
Not everyone has graduated from Information Systems or taken the module IS1103, so the majority are not quite aware of the commercial or technological aspects, nor can they tell the truth of this event. Therefore people perceive the event according to their own benefit and, to some degree, by intuition or their own preference. As we can see, the first time QQ was suspected of cyber spying, the majority supported 360 and felt disappointed in QQ. Other Internet companies took this opportunity to get a share or to take revenge. Then, when it was found to be a frame-up, some became hesitant and did not know whom to believe.
Subsequently, when QQ popped up windows claiming incompatibility with 360, the public got angry and felt that QQ was actually threatening its users: if you want to use QQ, then there is no way for you to install 360’s software. This is really controversial and drew a lot of comments from both unknown commenters and IS experts. Here the public got annoyed.
“It’s ridiculous! Have you ever heard of McDonald’s refusing to sell food to those who have eaten KFC? Have you heard that an iPhone will shut down automatically if it finds any Nokia mobile phone nearby?” Some joked in the format of QQ’s announcement: “The Water Supply General Company has made a difficult decision: in case the users’ house becomes a water pool with electricity, the Water Company refuses to supply water to those who use electricity from the State Electric Power Corporation.”
Some experts stood up, stating that it was the absence of law that allowed such a war to happen. To some extent the action of QQ is illegal because it violates consumers’ right to choose.
Later, when it was said that the motive of 360 might be to bring profits to MSN, the public again started to hesitate and to realize that neither of the two companies is worthy of trust. But it is argued that each of the two companies hired writers to write for their own benefit.
Now, reflecting on the whole event, 360 benefited while QQ suffered by losing the trust and support of the public. This is mainly because 360 managed to take advantage of public opinion and meet the needs of users successfully. From the beginning, 360 claimed to stand for justice, and later it actively put out QQ Guard in the name of protecting computer security. On the contrary, QQ was the underdog and reacted passively. At first, when it was suspected of committing cyber spying, it did not counter or explain quickly and confidently but appeared to be guilty. (Maybe it is really guilty. Who knows?) Then, with QQ Guard, when QQ’s benefit was at stake, Tencent Company did not put the users’ benefit first. Instead it violated the users’ rights for its own benefit by disabling compatibility. This is the main reason why it lost the war. Putting the users’ benefit first is the lesson to learn.
Well, despite the losses for each company, this war has had a positive influence on the public and the whole Internet environment in China. The status of Tencent is being doubted. Although it is still the largest company, there is no way for it to create a monopoly and no way for it to violate the rights of users. In addition, as a result of the involvement of the authorities, laws are on the way, so that it will be clearer what is illegal and the ICT environment will be more harmonious.

“CONGRATULATIONS: YOU HAVE WON …” to be continued

In my previous post about the threats of mass mails, I mentioned the risk of revealing your personal data when replying to mass mails. More specifically, it could be a mail from an organization stating that you have won their lottery game and that you should be awarded a prize. It could be a mail from your bank describing recent problems with your account and asking for your personal data so that they can resolve them properly … There are so many types of tricks to steal your personal data. However, they share the same main goal, which is to reach your resources. This is considered identity theft, and I would like to extend my previous post by discussing identity theft further.

Identity theft, also known as ID theft, is a crime in which a criminal obtains key pieces of personal information, such as Social Security or driver’s license numbers, to obtain credit, merchandise, and services using the victim’s name. Identity theft is not a new crime. It has simply mutated to include new technology such as ATMs and transactions on the World Wide Web. The automation of both credit card and banking transactions has made it easier to steal a person’s identity. A credit card is almost always used nowadays as part of a way to verify a person’s identity. If another person has it in his or her possession and can display it to pretend that he or she is you, then your identity is successfully stolen. This also enables the criminal to steal money by opening up new credit card accounts and running up charges on them.

Arguably, the most common form of identity theft is the phishing scam. In a phishing scam, a company or individual creates an email that appears to be from a respected financial institution – your bank or a website where you might have an account. Phishing scams began in the mid-1990s not to obtain bank or credit card information, but to get free online access. In those days, ISPs like AOL charged by the minute. Phishers would try to obtain AOL members’ login user IDs and passwords by sending e-mails appearing to come from AOL’s member services department. The fake email would ask recipients to verify their user names and passwords. The scammers would then log on, using the victims’ accounts, and run up a bill. Phishers target the customers of a variety of companies: from CitiBank (which is currently used in 54 per cent of phishing messages) to AOL, Amazon.com, eBay, PayPal and others.

At first glance, phishing emails and the associated websites may appear completely legitimate. One recent phishing attempt in the U.S. used the names of the Federal Deposit Insurance Corporation (FDIC) and two of its officials, as well as the Department of Homeland Security. What Internet users may not realize is that criminals can easily copy logos and other information from legitimate businesses’ websites and place them in phishing emails or bogus websites. Additionally, if the recipient of a phishing email clicks on a link it contains, the window of the Internet browser that opens may contain what looks like the true Internet address of a legitimate business or financial institution. Unfortunately, some phishing schemes have exploited a vulnerability in the Internet Explorer browser that allows phishers to set up a fake website at one place on the Internet, which will make it appear as if the Internet user is accessing a legitimate website at another place on the Internet. Most phishing emails include false statements intended to create the impression that there is an immediate threat or risk to the bank, credit card or financial account of the recipient. The phony FDIC emails mentioned above falsely claimed that the Secretary of Homeland Security had advised the FDIC to suspend all federal deposit insurance on the recipients’ bank accounts. Other recent phishing emails have falsely claimed that the recipients’ credit card was being used by another person or that a recent credit card transaction had been declined. As another example, a mass email circulated in the summer of 2004 advising customers of a leading Canadian financial institution, which had experienced information technology problems, that they needed to enter their client card numbers in order to access their accounts. In fact, the email was not sent or authorized by that financial institution. In some cases, phishing emails have promised the recipients a prize or other special benefit.

Although the message sounds attractive rather than threatening, the objective is the same: to trick recipients into disclosing their financial and personal data. People who receive phishing emails are also likely to realize that the senders may have used spamming techniques (mass emailing) to send the message to thousands of people. Many of the people who receive that spammed email do not have an account or customer relationship with the legitimate business or financial services company that is purportedly the originator of the email. The people who create phishing emails count on the fact that some recipients of those emails will have an account or customer relationship with the legitimate business, and may be more likely to believe that the email has come from a trusted source. Ultimately, people who respond to phishing emails may be putting their accounts and financial status at risk in three significant ways. Firstly, phishers can use the data to access existing accounts to withdraw money or purchase expensive merchandise or services. Secondly, phishers can use the data to open new bank or credit card accounts in the victim’s name, but use addresses other than that of the victim. Finally, the Internet users may not realize that they have become victims of identity theft.

The Federal Trade Commission has provided a great deal of information about spamming scams: how to recognize them, stop them, report spam, and protect our identity. Though this phenomenon has been mentioned from time to time as a growing problem, many people still naively click links inside emails and give away their account information. We can go a long way toward protecting our identity by using some common sense right now.

Reference

http://www.ftc.gov/bcp/edu/microsites/spam/consumer.htm

http://www.ftc.gov/spam/

Cloud Computing and Cyber Crime

The previous article highlighted the threats that social networking websites are exposed to in this Web2.0 era. In fact, another such Web2.0 area is Cloud Computing. It is widely defined as a style of computing that uses Internet technology to offer scalable and elastic IT-enabled capabilities as a service to customers. This ranges from routine tasks of communicating over the internet (e.g. Gmail), to sophisticated work such as Customer Relationship Management (CRM) that are operated and maintained in the “cloud” by providers.

Cloud computing benefits companies and individuals by saving time, money and resources compared to traditional on-premises computing. However, with the burgeoning benefits of cloud computing come several critical issues that have been viewed as drawbacks of this emerging technology, and the growing popularity of virtualization among companies could make them the next target of cyber criminals.

One of the utmost concerns with cloud computing has always been the issue of data privacy and security. When a client decides to use cloud computing, the data no longer belongs to the client alone. The vendor, or service provider, stores the user’s data on its own virtualized server, and as such, vendors gain full access to the information available, confidential or not. Further, the servers are moved outside the traditional security perimeter, putting them within easier reach of cyber criminals. This is a growing concern, particularly when cloud computing is used to store sensitive data about customers.
Also, cloud computing is often referred to as virtual, dynamic and borderless. These features of the cloud build a new layer of risk on the uncertainty over where sensitive data resides. The risk includes the wide distribution of information across different jurisdictions, each having different legal frameworks regarding data security and privacy. This makes it even more difficult to govern and regulate the information.

According to sources, cyber criminals can either manipulate the connection to the cloud or attack the data centre and the cloud itself. However, there are as yet no global standards or laws that protect cloud computing against cyber criminals. Governments and regulatory organizations need to recognize the potential of cloud computing and take initiatives to create cloud-specific laws and standards in order to make the cloud a safe and secure place for transactions.

Koobface? Facebook?

I have recently been reading about “The Social Network” (by the way, watch it if you haven’t yet, great movie) and Facebook when I came across the term “Koobface”, an anagram of “Facebook”. Like many of us, I was unfamiliar with the term, and so I decided to write a blog post about it.

The Internet and Web 2.0 have contributed a lot to the way we do things, be it how we socialize (social network websites), communicate (e-mail), do business (online shopping) or gather information (Wikipedia) and so on. But this is not always for the general good. With the emergence of Web 2.0, new threats break through as well. One such threat is Koobface.

It is no surprise that cyber-criminals have now chosen social networking websites as their new means of propagating malware. Koobface is one of the first pieces of malware that has successfully and continuously spread using social networks as its medium of propagation.

Usually, a Koobface attack is initiated with a spam message sent through social networking websites such as Facebook, Twitter or MySpace. The spam has a catchy message with a video link. It can also send messages to the inboxes of the user’s friends on the same social network. Once the user clicks on the link, he is redirected to a look-alike YouTube website which requires the user to install an executable (.EXE) file in order to watch the video. The downloaded file is malicious and infects the computer.

Koobface makes clever use of the link-sharing behaviour that is often seen among social-networking site users. Moreover, Koobface is very modular, and thus simply adding a propagation component can make it target other social networks. This is a real threat indeed, since propagating the malware to other social networks is very easy and quick to implement.

It has been about one year since its “launch” and Koobface is still successfully extending its reach across networks. It is looked upon as a role model for a new generation of malware.

Cyber Espionage: chatting tools contain spying software?

What if you came to know that MSN or Facebook was packed with malicious software and was now spying on your computer without your knowledge or consent, just like GhostNet did? Well, I’m not just scaring you! QQ, the most popular social networking software in China, is now suspected of committing cyber espionage!

Things started with a new piece of software called 360 Privacy Protector, designed by 360 Company. This software aims to check the security of private documents on a personal computer, namely whether documents on the computer are being spied on, and by what kind of software. What astonished everyone is that as soon as this software was out on the market, a large number of users claimed that QQ was involved and strongly suspected of spying on their personal documents, such as Office documents, chat record documents etc.

QQ is the most widely used chat software, designed by Tencent Company. By 2010, it enjoyed quite a large number of customers (more than one billion, even larger than that of MSN), thus making Tencent the largest Internet company in China. It’s not an exaggeration to say that where there is Internet, there is QQ. It has almost become part of Chinese people’s daily life, just like MSN in English-speaking countries. 360, however, is a relatively small company, aiming to provide free software such as 360 Security Manager and 360 anti-virus software to protect the security of PCs.

As soon as 360 pointed out QQ’s cyber spying, it became headline news among Internet issues, and the fierce war between these two companies broke out. QQ responded that 360 mistook the legal function of scanning for spying, and was only picking holes in QQ on purpose, out of jealousy of QQ’s large number of consumers; while 360 claimed that QQ’s cyber espionage disappointed all its users and that QQ would sooner or later lose the trust of the public. A lot of evidence seems to support 360’s accusation, such as many users receiving 2~3 spam mails every month, as some QQ users stated.

As the war went further, the matter seems to have been a deliberate frame-up, because 360 Privacy Protector will take any program named QQ as spying software. However, this war is far more than a funny joke. What it should provoke in us is not laughter but deep concern about the security of our privacy.

For us ordinary users, when we use so-called secure software or browse so-called safe sites, we are in fact not really aware of what functions the software may be packed with, and are not even informed of what the websites might do with our personal information. Moreover, many sites like Facebook, MSN, Gmail and Renren require our personal information to be true. When our information finally leaks out, we do not have the slightest idea which site sold it! Under these circumstances, as ordinary Internet users, what should we do to protect our privacy? How should we prevent this? Most of the time, it’s impossible for us to go through every privacy rule before browsing every website. And it is not convenient for us to make up too much fake information for social networks such as Facebook, which might result in a lot of inconvenience when communicating with our friends and relatives. In contrast, the disclosure of our information seems to bring no harm other than annoying mails and other irritations. On comparison, it seems that the benefit of disclosing our private information exceeds its cost and risk. But is the cost totally inevitable? Is there any possibility of reducing the risk?

Well, in my opinion, it is the responsibility of those websites to inform the users and keep their word. On the other hand, laws should be passed to punish those who leak users’ private information. Most important of all, we ordinary users should try our best to hold on to our own information. It’s your own choice to determine how much to share.

Internet Monitoring over Kids (to be continued) …..

The internet has become a wonderful resource for kids. They can use it to read school reports, communicate with friends and play interactive games. The Internet has become more and more a bridge linking kids with the big world outside. Unfortunately, that bridge could involve huge potential hazards. For example, an 8-year-old kid might do an online search for “Lego.” But with just one missed keystroke, the word “Legs” is entered instead, and the child may be directed to a slew of websites with a focus on legs — some of which may contain pornographic material.

What will happen to that kid in such a scenario? It will obviously have a bad impact on him. And who knows to what extent, over time, those risks will affect the development of his character if there is no timely prevention and action from his parents.

Therefore, it has become a huge phenomenon in our society nowadays that parents need to be aware of their kids’ interactions on the Internet, who they meet, and what they share about themselves online. Just as with any safety issue, parents take advantage of resources to protect their kids and keep a close eye on their activities. That is the reason why there are now more and more tools available especially for monitoring kids.

However, such a way of protection can’t simply be the all-in-one solution for potential risks. For many teens, text messages or cell phone calls are the primary form of communication with their friends. How, then, will parents monitor them? By waiting for new monitoring tools to be developed in the industry so they can keep on monitoring their kids? Well, that would be the equivalent of a parent in days past surreptitiously picking up the extension in another room to eavesdrop on a child’s conversation.

Parents should take into consideration their inability to keep up with the times in terms of technology while allowing their children to be exposed to so many kinds of new technology that the children outpace them by leaps and bounds. This is not only doing parents a disservice – it’s doing one to their children as well. Kids may know their way around the social Web and cell phones better than their parents, but they haven’t fully developed their interpersonal and social skills in a way that allows them to handle the issues that will inevitably come up.

I believe the best way that parents could support their children is to help them learn and grow on their path to independence, which includes staying informed on all trends, both in technology and otherwise. Parents who can’t be bothered to figure out what that “tweet thing” is all about or what “sexting” is should not think this is a badge of honor to wear proudly, as if it makes them more mature somehow. It should be a signal that the world has surged ahead and they’ve been left behind in its wake.

Parents should not make this a socio-economic issue, either. If they can’t afford a computer or cell phone, then neither can their child. However, he or she may have access to them at friends’ houses or at school, or even via the public library. Many public libraries offer free computer classes, too. The children could even take one together. Let the lack of technology comprehension guide kids to a learning experience that helps them both, instead of being an issue where children are left unsupervised because their parents don’t know what they are doing.

Yes, in a world full of risks of cyber bullying, sexting and other dangerous behaviors, monitoring tools do show their efficiency in protecting kids. That claim may be true to a point, but is keeping track of each chat passage and reading each and every text message the best way to counteract these behaviors? For that matter, should parents be spying on their kids to this extent at all? Is this level of spying the right way to parent, though? There are alternatives, of course: parents could educate their children instead, do spot checks to keep them on their toes, friend them on Facebook and elsewhere across the Web, and keep the computer in a public area of the home.

Parental spyware, however, should be turned to as the last alternative.

Let’s fight against the “Silent digital epidemic” !

The post “Cybercrime today” ends by stating that the “first step to fight cyber attacks is to set up solid international rules and regulations […]”. On second thought, fighting against cybercrime starts at a lower level. It is not simply the duty of governments, Interpol or network administrators but the concern of all Internet users.

But do we actually act responsibly? Most of us have already been cybercrime victims in one way or another, but how many of us have reported them to relevant authorities and how many just ignored them?

A recent study revealed that 80 percent of the surveyed people (over 7,000 worldwide Internet users) do not believe in reporting cybercrime cases and think the criminals will never be brought to justice. And less than half of them don’t even bother to report the crime.

How about Singaporeans, who are often described as responsible citizens? Well, a very recent Channel NewsAsia article states that “70 per cent of Internet users in Singapore have fallen victim to cyber-crimes including computer viruses, online credit card fraud and identity theft. And, 71 per cent do not expect cyber-criminals to be brought to justice.”

Despite the increasing number of cybercrimes, most of the victims stay silent about it. This behaviour is considered as the “Silent Digital Epidemic” by some. Why?

Some say it takes time and costs money to report and follow a cybercrime case. Others say cybercrime evidence is difficult to collect, making it almost impossible to bring the case to court. In my opinion all these are just secondary reasons, and the real reason is our tendency to ignore crimes that affect us less. The loss we suffer from a cybercrime is often considered negligible because most often we don’t even feel the loss. So what is the use of spending more (in terms of time and money) than what you have lost to report it? Also, victims or their peers do not see cybercrime the way they perceive real-life crimes. Most of us are passive and unconcerned about virtual crimes compared to real-life ones, often ignoring the fact that we can lose as much from cybercrimes as we do from real crimes.

This mind-set and behaviour increase the number of unreported cybercrime cases and make us uncooperative with authorities in fighting against cybercrimes. From a consequentialist perspective, decreasing cybercrimes will only benefit a large number of people, therefore every action we take in fighting against cybercrimes is an ethical act. Governments have made it easier for us to report cybercrimes, just as they did for real-life crimes. Cybercrimes can be reported to local police, to related organizations, and in many other ways. For instance, in NUS, the Computer Centre is doing a fine job in creating awareness about cybercrimes as well as taking action on reported cases.

The famous philosopher Socrates once said he was a “citizen of the world”, and that is very suitable for today’s digital era, where territorial boundaries have been removed, making us citizens of the world and at the same time making crimes across borders easier. Each Internet user should take personal responsibility for their own as well as their society’s cyber wellness and security.

Banned? I can climb over it!

It is a globally acknowledged fact that Internet censorship in China is indeed strict, to the extent that even some well-known and universally recognized social networking sites are forbidden, such as Facebook, Twitter and YouTube. Even in Baidu, the largest search website in China, words related to so-called sensitive issues are banned in order to create a harmonious society. What’s more, the government established the Golden Shield Project, often referred to as the Great Firewall of China (GFW), which began operations in 2003. This project is an initiative to monitor and control all information that is supposedly “anti-government”.

However, as the Chinese proverb says, “while the priest climbs a post, the devil climbs ten”, and people in China still manage to access these banned websites by ‘climbing the wall’. What is ‘wall-climbing’? Well, wall-climbing is a metaphor for browsing blocked websites with the help of particular software. Such software can switch between different proxy services and provide an anonymous IP address in order to access the websites blocked in that area (e.g. the Firefox autoproxy add-on, Tor, blackVPN, Freedur).

http://www.youtube.com/watch?v=n_4KNND366M

The Ultimate Proxy: Tor

But this software raises not only ethical but also political issues. On one hand, with this software, some pornographic and violent websites are within reach of the public, and free access is provided to some illegal downloads. Anonymity provides convenience to Chinese citizens but also brings benefits to hackers. On the other hand, it became a hot topic when the USA supported Falun Gong, an organization opposed to the Communist Party, in developing more such software, because Chinese users can bring profits to the USA by browsing USA websites via these applications. This issue has led to a controversial relationship between China and America.

Having said all the above, if you were living in a country with strict Internet censorship, would you mind ‘climbing walls’?