Features
Who's spying on you?
At work, where the normal laws on privacy are subject to contract and policy, employers too have begun using keyloggers to weed out illegal activity. Perhaps most controversial, however, is the security services' use of the technology. Magic Lantern, developed and used by the FBI, is one such piece of software.
THE ENEMY WITHIN
While the personal cost to an individual who suffers a malicious keylogger infection can be great, in the right hands the sheer size of the crimes made possible by the use of such software is breathtaking. Last year, for instance, detectives from the National High Tech Crime Unit thwarted a massive theft at the London offices of the Japanese-owned Sumitomo Mitsui bank. The intention had been to steal £220 million; had the gang pulled it off, this figure would have dwarfed the UK's current largest robbery of £53 million.
The Sumitomo Mitsui plan called for nearly a dozen electronic transfers of cash into separate bank accounts in different countries, but the gang first needed to gain what looked like legitimate access to the bank's network. What better way than to use legitimate user credentials? When first detected, it looked as if there had been a very clever and sophisticated breach of electronic security from the outside,
|
|
|
ADVERTISEMENT |
|
By exploiting quirks in the bank's practices and networks, the crooks, with inside help, deployed keyloggers on the bank's connection to the SWIFT network, used to perform international money transfers. Access to this meant they could freely transfer money to anywhere in the world. It would have worked, too, were it not for a suspicious employee raising the alarm. Police in Tel Aviv arrested one of the gang, Yeron Bolondi, and charged him with money laundering and deception after someone at the bank queried a suspicious transfer of £13.9 million into an Israeli bank account. This may be just the start of a new trend in high-tech bank robbery.
According to anti-spyware company Webroot (www.webroot.com), keyloggers could already infest up to 15 per cent of all corporate PCs, which is frightening enough for system administrators. But it could also mean a future filled with more opportunities such as the one exploited at Sumitomo Mitsui Bank.
Luckily, dedicated anti-spyware systems are good at detecting keyloggers. Regular updates prevent infections by new variants. After installing firewall, anti-virus and even intrusion-detection systems, anti-spyware represents a necessary fourth line of online defence.
As people depend more and more on cyberspace to run their lives, there's a clear need to keep abreast of the latest threats. Whether it is a good idea to ignore official uses of keyloggers, however, is less clear.
Key to the law The Computer Misuse Act
In the UK, the 1990 Computer Misuse Act is the law that provides for the prosecution of online criminals, but what does it say? Can you use a username and password you happen to know if it gets the job done when the owner isn't around? Can you install a keylogger on your own system to secretly track its use by others? Is it OK to do so on a system used by employees? To answer such questions, it's necessary to delve into the act's three sections.
The legislation breaks into three parts, each describing an offence more serious than the last and carrying heavier penalties. Section one covers unauthorised access to a computer. Under it, you commit an offence if you cause a computer to give you access that you would not normally have. This clearly covers hacking, but also makes it an offence to use someone else's login details without permission. The maximum penalty for a crime prosecuted under this first section is currently six months in prison and a £5,000 fine.
The second section expands on section one with the more serious offence of gaining unauthorised access to a computer with the intent of carrying out a further crime. Cases brought under this section go to the Crown Court and carry a maximum sentence of five years plus a hefty fine.
The final section concerns the making of unauthorised changes to or destruction of the data or programs stored in a computerised system itself. This is the most serious of the three offences as it undermines the integrity of the system itself. Cases brought under this section go to the Crown Court and carry a maximum sentence of five years and a fine.
In 2004, the All Party Internet Group tabled amendments to the Computer Misuse Act, including an increase in sentences and explicitly outlawing the rising tide of denial-of-service attacks. Sadly, the parliamentary session ended before amendments gained royal assent into law. In the UK, this means the process must begin again rather than picking up where it left off during the next parliamentary session.
Despite the law, prosecutions remain pitifully infrequent. During the period 1998 to 2002, Home Office figures show that prosecutions brought under sections one, two and three totalled just 33, 22 and 36 respectively. That's a total of just 91.
