An alleged breach in Digital River's data stream brings to light the harsh world of improperly conducted security updates as well as complex cyber-ethical legal issues.
Where is the responsibility for the sale of data acquired in the cloud when it changes hands and is clouded as to which party legally acquired it? What happens when the evidence of a data breach merely points to a well-crafted search query with no substantial forensic connection between the alleged data thief and the alleged victim?
The data in question happens to be about 200,000 records' worth of consumer data apparently data-mined using Digital River's proprietary methods.
The defendant in this case is 19-year-old Eric Porat, who attempted to sell the Digital River data for a half million bucks to rival Media Breakaway. They promptly ratted out Porat, who, when asked about how he got the data during his voluntary six-hour deposition, invoked his Fifth Amendment rights.
While using the Fifth may sound like a guilty party's ploy, it is the single smartest thing a cybercrime defendant can do, and it has recently been upheld to include disclosure of encryption passwords. Once a topic is broached voluntarily, it cannot later be shielded by the Fifth Amendment.
Testimony of others, however, can definitely build a case – particularly when relaying what was said to them by the defendant:
Scott Richter, CEO of Media Breakaway, said in a court filing that Porat claimed to be offering the DirectTrack data to the highest bidder. He said Porat told him that he got the data from a former consultant for Digital River, who captured it during an enhancement of the DirectTrack data system when security systems were taken down temporarily.
Clearly the missing pieces look ominous. A large question the Fifth shrouds is how the data was obtained. If the case involved stateside parties, a simple subpoena and deposition would be used.
But the trail leads to India.
“Gary Olden, vice president of product management at Digital River Marketing, said in a court filing that an internal investigation found that the stolen data was accessed Jan. 27 from four different computers linked to a DirectTrack customer in New Delhi named VCommission, or Vaxat iTech Pvt. Ltd. He said the data was downloaded using a 'highly unusual' search command.”
Looking at this from the defense investigative standpoint, it's hard to say whether a well-crafted search query constitutes an intentional data breach, since the party running it was a paying customer. After all, Digital River previously stated their security systems were down, which opens up an entirely new avenue of defense. Proof of a 'highly unusual search command' is grasping at straws; it may gain a Grand Jury indictment, but it becomes a high-risk tactic.
“Olden said he could find only one other instance where that type of command was used to access DirectTrack data. It took place six hours after the command was issued in India, and it came from another customer, Clickbooth/IntegraClick, a marketing firm in Sarasota, Fla. In that case, though, the user only accessed Clickbooth/IntegraClick's own data, he said.”
I haven't discovered whether Clickbooth/IntegraClick is disavowing that they ran the specialized query, and the New Delhi-located business is out of reach of the court.
The results were sent halfway across the world, where a 19-year-old ends up with them and tries to sell them to his business contacts, who smell something fishy and contact the Feds.
So here's the dilemma – without being able to compel testimony from a party who likely breached the Digital River Terms of Service, the prosecutor and Digital River face an uphill battle. In fact, the prosecution always faces an uphill battle with technology crimes, and the public image of a teen hacker, like actor Matthew Broderick in the movie WarGames, isn't going to be shattered by this teenage defendant. As for statistics to back up the hacker image, a recent ESET study concluded:
The stereotypical “movie villain” computer hacker is a pervasive image among adults: 63 percent think that cyber criminals are mainly individual computer hackers, while only 21 percent see organized crime as primarily responsible for cybercrime. This finding of a “dark ages” mentality supports what other pros in the field have been saying: we are not winning the battle against cybercrime because our mindset is stuck in the 20th century.
For a 19-year-old, Eric Porat's best defense strategy is founded in a 223-year-old document called the Constitution. He keeps his mouth shut, and there really isn't much that can be done. He may lose his half-million dollars' worth of data, because Digital River should be able to show through a side-by-side comparison of data that what Porat has is a derivative work, but he'll probably never serve time. In fact, I'm sure within five years he'll be writing books and making the rounds on the speaker's circuit if his probation officer will let him.
For Digital River, clearly a review of how their security update procedure operates would be in order. The attribution does not directly lead back to an attacker who is standing trial. Rather, it leads to their own customer base and gets hazy afterwards. Besides, compelling your customers' testimony is never good for business.