A five-month national investigation into password theft, fraud and attacks on dozens of Websites and ISPs is nearing its conclusion--and will provide the meat for a campaign for computer crime laws to be enacted by the new Parliament.
Although recent attacks on the Auckland-based Ihug have been the most visible, attacks have been directed at many local sites, including Wanganui Polytech, Voyager and Xtra. A password theft from Voyager resulted in several thousand dollars' worth of fraud.
"We're talking about a known, relatively small group of people doing this--basically pretty stupid people following textbook recipes," says Internet consultant Daniel Ayers, who has been working with the police. "The problem for us at the moment is a lack of precedents--there have never really been any prosecutions of this kind before."
Ayers admits the investigation may not even procure a prosecution, and he is strongly in favour of new laws to cover the current rash of offences. Others likely to press for legislation include Christchurch detective Mike Chappell, National Party ministerial staffer David Farrar--who challenged former Ihug customer Andrew Hooper over his use of information contained in a stolen password file--and Ihug managers Tim and Nick Wood.
"We're looking at something to protect us and other people," says Tim Wood. "Andrew Hooper has publicly said he has received stolen property--one of our password files--and there's nothing we can do about it. There's no law covering the theft of information."
Chappell admits theft of password files--sometimes by departing ISP employees--is another difficult area for the police: "There's no offence in taking a password--we have to rely on fraud, where use gets charged to someone else's account. I'd be keen to see something a bit more relevant than Trevor Rogers' bill, which was really just a vote-getter. I want to see the MPs do something because we're absolutely hamstrung. We can't do anything.
"I attended a seminar in May where we were briefed on Australian computer crime laws, which have introduced the concept of computer trespass--making it an offence just to break into someone's computer.”
Ironically, as the incidence of such offences seems to be swelling, budgetary constraints mean that ISPs suffering attacks are having to fund and even conduct their own investigations. Chappell's computer analysis unit was recently disbanded, leaving him without a PC at work.
Chappell attracted the ire of some hackers earlier this year, during an investigation of password-stealing by a short-term employee at Voyager. The employee obtained and shared passwords, leading in one case to a fraudulent bill of $3500 being run up. Chappell's investigation led to a string of abusive phone calls, which served, he says "to confirm my view that the people doing this are socially inept idiots. I pointed out to them that I could trace their calls and they dried up very quickly."
Apart from budgetary constraints, Chappell sees the fractiousness of the ISP sector and the lack of contemporary computer legislation as obstacles to progress. Computerworld has traced one of Ihug's attackers to an account with Christchurch ISP NetAcess, an ISPANZ member.
"I really think ISPANZ has to address this and get all its members to agree that when these people are thrown off one system, the others won't have them back."