What's To Be Done?
The Secret Service's New York Electronic Crimes Task Force made one of its biggest busts in 2002 when it charged former Prudential Insurance database administrator Donald McNeese with identity theft, credit card fraud, and money laundering. McNeese stole records from a Prudential database that contained information on about 60,000 employees. When he tried to sell the stolen info over the Web, Bill Moylan, a 25-year veteran of Long Island's Nassau County Police Department who was working undercover for the task force, spotted it and contacted him. McNeese sent Moylan about 20 of the employees' identities and encouraged him to use the stolen records to create fraudulent credit cards, with a portion of the proceeds to be sent to McNeese's home in Florida. McNeese was ultimately sentenced to three years probation and ordered to pay $3,000 in restitution.

The Secret Service is the federal agency primarily responsible for investigating cybercrime, and it continues to make progress against the hacker economy. In 2004, agents arrested a group of hackers running a site called Shadowcrew.com, and the following year six of those men pleaded guilty in federal court to trafficking in stolen credit and bank card numbers and identity information. Last March the Secret Service announced the arrests of seven suspects, for a total of 21 in three months, as part of Operation Rolling Stone, an investigation of identity theft and online fraud "through criminal Web forums."

Despite these successes, the hacker economy continues to flourish. At the RSA Security Conference in San Francisco last week, RSA president Art Coviello told the audience that the market for stolen identities has reached $1 billion, according to IDC research, and that malware has risen by a factor of 10 in the last five years, according to the Yankee Group.

"The fundamental issue is that we have a law enforcement model that's geographically based, but there's no geography on the Internet," says Dan Kaminsky, a security researcher with DoxPara Research. Says RSnake: "They can't do wiretaps overseas or raid someone's house in Romania without local cooperation. There just isn't enough talent in our federal agencies to keep on top of this efficiently."

As a result, law enforcement has come to rely heavily on cooperation from the private sector, such as financial institutions, Internet service providers, and telcos. Also, there are about a dozen electronic crime task forces operating in local law enforcement agencies around the country, many of which have access to FBI InfraGard, an information sharing system between the FBI and the private sector. InfraGard began in the FBI's Cleveland field office in 1996 as a local effort to gain support from IT pros and academia for the FBI's cyber-related investigations.

Vendors must take some responsibility for opening the door to the mercenary market for malicious code and stolen data by shipping software with security flaws. IBM's ISS reported that last year a total of 7,247 software security vulnerabilities were reported, up nearly 40% from 2005, with Microsoft, Oracle, and Apple the biggest offenders.

Businesses and end users must shoulder some of the responsibility as well for lax security measures and for simply storing too much data. In the case of TJX, it turned out the retailer was storing credit-card data contrary to Visa's rules. "It just feels wrong to people to throw away data," says DoxPara's Kaminsky.

Companies need to give careful thought to the data they're managing and realistically assess their ability to protect it. If they don't, they just might see it show up on a black market site.

Photograph by Stan Watts

Continue to the sidebar:
A Security Researcher Gets Offered The Big Score