Category Archives: CFAA

System Administrator Crashes ISP’s Network


Dariusz J. Prugar, a former system administrator at a network service provider called PA Online, used his old account to access the company’s servers and created backdoors to maintain his unauthorized access. Prugar had some issues with his employer and was fired just a couple of days before his unauthorized access. To hide his activity, he installed scripts that deleted his login records from the server logs. An error in the scripts led to the deletion of important files required for the company network to work. As a result, the company network crashed and service was shut down for many customers and businesses.

After failed attempts by the IT team to fix the sudden damage that crashed the network, the company contacted Prugar, since he was the one who had built most of its network. Suspiciously, Prugar asked his employer to pay him for the scripts he wrote for the company, the same scripts that weren’t working because of the attack. PA Online management sent a request to the FBI to investigate the case and find out if Prugar was involved.

The company’s service was shut down for a whole week, affecting many customers and costing the company a lot of money and its reputation. The FBI investigation showed that Prugar was involved in the incident. He was sentenced to two years in prison and a fine of $26,000 for computer hacking and wire fraud.

Written by Mohammed Alhamadah

Sources:

https://www.justice.gov/usao-mdpa/pr/new-york-man-sentenced-computer-hacking-shut-down-internet-service-provider

https://www.bleepingcomputer.com/news/security/sysadmin-gets-two-years-in-prison-for-sabotaging-isp/

The CFAA law and Cybersecurity students

Cybersecurity professionals are currently in demand. This demand is inspiring more students to pursue a Cybersecurity major, and with some companies not requiring that every hire have a college degree, more people are using other resources to educate themselves in order to become professionals in that area. Due to the nature of cybersecurity, there are other resources that some students use to acquire more experience or maybe just to challenge themselves and put their knowledge into practice. Capture the flag and bug bounties are some of the most popular ways to do so, but users of those resources could face criminal charges according to the CFAA law.

What is the CFAA and what does it mean for cybersecurity students?

“The CFAA prohibits intentionally accessing a computer without authorization or in excess of authorization, but fails to define what “without authorization” means.”

https://www.nacdl.org/Landing/ComputerFraudandAbuseAct

Cybersecurity students are usually curious and want to explore the internet and discover what they can do with access to it. With resources available nowadays like capture the flag and bug bounties, the CFAA, by being essentially vague, could limit access or even get people who just want to expand their knowledge in trouble, as in the case of Morris. Robert Morris was a student who discovered some vulnerabilities on a network and created a worm to explore and show the consequences of said vulnerabilities. His actions were motivated by his eagerness to learn; he was granted access to the computers he used and he didn’t mean any harm in his research, yet he was still found guilty of breaking the CFAA.

People are currently pushing for Aaron’s Law, inspired by the case of Aaron Swartz, which would be essential in defining crucial points of the CFAA, reducing its vagueness and protecting people from being charged with multiple accusations over a single crime.

Sources:
https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf
https://www.cybersecuritymastersdegree.org/what-is-aarons-law/
https://www.congress.gov/bill/99th-congress/house-bill/4718

A Contemporary Case Involving the CFAA – United States vs. Van Buren

I stumbled upon an interesting case that involved a violation of the CFAA. The crimes occurred in 2015, but the trial finally happened in 2019 and is called United States vs. Van Buren. Van Buren was a sergeant for the Cumming, Georgia, Police Department. While an officer, he forged a relationship with a shady character named Albo. Van Buren’s financial situation wasn’t the greatest and he saw a chance to improve it through Albo. Van Buren approached Albo asking him for a loan, but unbeknownst to Van Buren, Albo recorded their conversations and reported Van Buren to the local county Sheriff’s Office. This act tipped off the FBI, and they wanted to see how far Van Buren would go to get the money. They gave Albo a fake license plate number, and Albo contacted Van Buren to ask if the license plate belonged to an undercover cop who was trying to bust Albo for prostitution. In exchange for money, Van Buren would run the license plates and report back to Albo.

Albo paid Van Buren to use a sensitive police database to run the plates. This act violated the CFAA, and Van Buren committed computer fraud. The police database is supposed to be used for law enforcement purposes only. Officers are trained in proper and improper use of the system, and this action falls into the improper use category. The jury found Van Buren guilty beyond a reasonable doubt of committing computer fraud for financial gain. Van Buren was sentenced to prison for a year and six months, followed by two years of supervised release.

I believe the CFAA did an effective job of punishing the criminal in this case. In class we discussed United States vs. Swartz, a case where I believe the CFAA failed to enforce a reasonable punishment on a criminal. Swartz faced a million dollars in fines and up to 35 years in prison for illegally downloading academic documents from a database, while Van Buren faces a lesser punishment for committing an arguably worse crime. In this case, the CFAA does a good job and I would like to see this trend continue in future cases regarding the CFAA.

Author: Daniel Perrelli

Sources:

  1. https://www.eff.org/document/amicus-brief-van-buren-v-united-states
  2. https://law.justia.com/cases/federal/appellate-courts/ca11/18-12024/18-12024-2019-10-10.html

United States v. Anastasio N. Laoutaris

The United States v. Anastasio N. Laoutaris case was filed on the 29th of January, 2018. The trial lasted seven days, and the defendant, Anastasio N. Laoutaris, was found guilty by a jury of his peers. Laoutaris was found guilty on two counts of computer intrusion that caused damage to the intruded systems, in violation of 18 U.S.C. § 1030(a)(5)(A) and (c)(4)(B)(i). The United States Fifth Circuit Court of Appeals affirmed the jury’s verdict that found Laoutaris guilty.

Laoutaris was an Information Technology (IT) Engineer for Locke Lord LLP before his termination from the Texas law firm in August of 2011. After his termination, Laoutaris initiated an attack on the firm in December of 2011 which

accessed the firm’s computer network without authorization…issued instructions and commands that caused significant damage to the network, including deleting or disabling hundreds of user accounts, desktop and laptop accounts, and user e-mail accounts.

With regard to his conviction, Laoutaris claimed that insufficient evidence was presented against him and that the evidence provided wasn’t enough to connect him to the infiltration of the law firm’s network. However, a substantial amount of circumstantial evidence was submitted that proved Laoutaris to be the intruder. Logs automatically created by the servers on the Locke Lord LLP network showed the intruder connecting to the network via LogMeIn, which was installed on the HOBK01 backup server located in Houston, and accessing the network using a Windows “master services account”. Additional IP addresses were found to have linked Laoutaris to the attack. Because the attack occurred after Laoutaris’s termination, it can be seen that the access was without authorization.

The final sentence required Laoutaris to serve 115 months in prison and pay $1.7 million in restitution. Laoutaris challenged all charges, stating that false statements and miscalculations in the increase of base-level offenses were made. However,

The finding for the lost revenue based on calculations by Locke’s forensic accountant, who also testified at sentencing. The accountant’s extensive calculations present, at the very least, a reasonable estimate of the amount of lost revenue based on available information.

and the same can be said with regard to all other contested charges. The evidence was thoroughly analyzed and the charges were properly brought forth.

 

Sources:

By Small and Simple Things Are Great Damages Avoided

https://www.justice.gov/usao-ndtx/pr/former-law-firm-it-engineer-convicted-computer-intrusion-case-sentenced-115-months

Case 16-10516: United States of America v. Anastasio N. Laoutaris

 

Written by Killiaun Blatche

Alleged Vault 7 leaker Up for Trial

Joshua Schulte, a former member of the CIA, is going to trial this week. Schulte is accused of providing Wikileaks, the controversial whistleblowing website, with the infamous Vault 7 materials. These materials spelled out in great detail the tools and abilities that the Central Intelligence Agency has at its disposal for conducting electronic surveillance and cyber espionage. The 24-part release has become “the single biggest leak in the history of the CIA,” according to Assistant US Attorney David Denton.

Publishing Logo for the Vault 7 Leaks
Credit: Wikimedia Commons

Of the 11 charges against Schulte, seven are connected to his alleged place in the leak. Of these seven, three stem from the CFAA: unauthorized access to a computer to obtain classified information, unauthorized access of a computer to obtain information from a department or agency of the United States, and causing transmission of a harmful computer program, information, code, or command. As for the other four, Schulte has three espionage charges and one charge of theft of government property. The remaining allegations include breaking the terms of his bail agreement by accessing the internet, making false statements (twice), and smuggling cellphones into his Manhattan jail cell. Schulte was indicted on child pornography charges back in 2017, but these are part of a separate trial.

On all charges Schulte has pleaded not guilty, alleging that the CIA’s networks are so insecure that the investigators will be unable to prove if Schulte or another actor took the documents. His attorney claims that DEVLAN, the CIA’s network, has so many insecurities and so little oversight that there is no way to determine whether Schulte accessed those files or if it was another agency employee or government contractor that leaked the files.

The prosecution disagrees, and points to the alleged rocky relationship he had with the agency at the time. According to them, Schulte had been in a months-long workplace feud with other developers, had been reported multiple times for racist behavior, and had stormed into meetings between managers and a contractor taken on to perform some of his duties.

Henry Ballentine

Sources
https://www.justice.gov/usao-sdny/pr/joshua-adam-schulte-charged-unauthorized-disclosure-classified-information-and-other
https://www.npr.org/2020/02/03/802269834/ex-cia-employee-accused-of-leaking-documents-to-wikileaks-goes-on-trial
https://www.cyberscoop.com/vault-7-trial-joshua-schulte-opening-arguments/
https://www.documentcloud.org/documents/5026631-vault7-superseding-indictment.html