VOLUME 52 | ISSUE 52 | 26 November 2015
Article of the Month | Around the World
The Budapest Cyber Crime Convention and its impacts
On September 1, 2015, the
Council of Europe Convention on Cybercrime (ETS 185 of 2001), often referred
to as the “Budapest Cybercrime Convention”, or “Cybercrime Convention” in
short, entered into force in Sri Lanka. This is a historic achievement,
because Sri Lanka becomes the first country in South Asia (and only the
second Asian country, after Japan) to become a state party to this
Convention. The Philippines and Singapore are yet to complete the accession
procedure, although they attend the Convention Committee as observer and
ad-hoc observers, respectively.

The Budapest Cybercrime Convention is the only available global treaty which
addresses Internet and computer crime, harmonises national laws, adopts
improved investigative techniques based on international standards and
enhances criminal justice cooperation among nation states to effectively
combat the threat from cybercrime. To understand its significance and
impact, it is worth considering two recent cases (one from Sri Lanka and the
other from the UK).
Sri Lanka
In a sextortion case reported
last week to the Sri Lanka Police “High Tech Crime Unit”, a suspect used a
fake Facebook account to add many women as “friends”. The suspect then
altered the “friends’” photos and sought to extort money from these victims,
threatening to post the photos of victims on the fake account if monies were
not paid. Investigators eventually managed to uncover the genuine Facebook
account of the suspect and arrested him when he came to a hotel to collect a
ransom. The case is now pending formal prosecution.

A recent data breach case, reported in the UK, saw personal and banking
details of up to four million customers of the UK-based phone/broadband
services provider “TalkTalk” being accessed unlawfully by hackers. In some
cases, alleged hackers had directly contacted customers, who eventually
reported a loss of money. This prompted policy makers to call for stronger
cybercrime measures, stating that cybercrime is the “biggest threat to UK’s
economy”. Many countries have estimated that the global economic loss from
cybercrime has reached a staggering US$ 70 billion per year.
In both of the above-mentioned cases, investigators require information
pertaining to Internet Protocol addresses (IP addresses) and details of
networks and communication systems in other countries. Such information and
access to data would enhance the ability of such investigators to identify
perpetrators of cybercrime and ensure a safer internet environment for bona
fide users. Cybercrime offences are transnational and multi-jurisdictional
in nature. Therefore, the effective fight against cybercrime requires any
country to obtain evidence stored on computer systems and networks in other
countries.
In this context, the Budapest Cybercrime Convention is the only
International Treaty that facilitates international cooperation and gives
countries the ability to obtain electronic evidence stored on computer
systems and networks in another country. The Convention greatly enhances the
gathering of electronic evidence, as well as the investigation of cyber
laundering and other serious crimes. Accession to this Convention
significantly enhances the ability of Sri Lanka to carry out successful
investigations of cybercrime offences, by gathering electronic evidence from
state parties to the Convention. It will also help in law enforcement and
judicial cooperation at international level, while ensuring adherence to
human rights safeguards in the investigation process, a hallmark of this
convention, made applicable amongst all parties to this Treaty.
Sri Lanka’s accession to this Convention was the fastest in the Council of
Europe. This was possible due to the provisions contained in the Computer
Crimes Act No. 24 of 2007 and several policies adopted in recent times,
aligned with the Convention. Prior to Sri Lanka’s accession, there was an
assessment of our country’s cybercrime legislative framework. The
assessments carried out by the Council of Europe focused on the manner in
which Computer Crimes offences were investigated (especially under the
Computer Crimes Act and applicable procedural law). One key assessment was
the adequacy of safeguards to match the Council of Europe standards. Sri
Lanka was found to have safeguards consistent with the Convention standards
and the “unanimous approval” of all state parties was obtained before Sri
Lanka could be invited to accede to the Convention.

Warrantless wiretapping
The Budapest Cybercrime Convention is a Criminal Justice Convention and
therefore is a criminal justice response to cybercrime offences. The
Convention does not deal with Internal Security and Intelligence matters,
which in most countries (including Sri Lanka) are dealt with under other
laws. Internal Security and Intelligence laws deal with prevention, etc.,
whereas cybercrime laws deal with investigations after an offence is
committed and a complaint is formally lodged.
Some concerns have been raised as to whether “warrantless wiretapping” would
be legitimised or enhanced. However, a close review of the Computer Crimes Act
of Sri Lanka shows that it is the exception rather than the rule. Under the
provisions of the Computer Crimes Act, a Magistrate’s Court order is a “sine
qua non” for such interceptions, thus meeting the standards prescribed by
the Budapest Cybercrime Convention.

Finally, an advantage of Sri Lanka joining this Convention is that it would
be under regular review, both in terms of compliance with the Convention and
use of its provisions, through the work of the Cybercrime Convention
Committee.
Accession to the Convention has created a paradigm shift in the manner in
which investigations of cybercrime offences are carried out and has also set
the stage for Data Protection and Privacy legislation, drawing on European
best practices, thus enabling Sri Lanka to meet the “adequacy standards” for
smooth cross-border flow of data.
Jayantha Fernando
Mr. Jayantha Fernando is
an Attorney with a specialised LLM degree in IT and Telecommunications Law
from the University of London. He spearheaded ICT legal reforms, including
Sri Lanka’s recent accession to the Budapest Cybercrime Convention and the
UN Electronic Communications Convention. He is Programme Director/Legal
Advisor at the ICTA.
Special News

'From September 23rd onwards Bank CSIRT
of Sri Lanka will be known as FIN_CSIRT. The name change was done by the
Steering Committee (of which Sri Lanka CERT|CC is a member) in order to
accommodate other registered Finance Companies.'

THE RISE OF THE INTERNET-ADDICTION INDUSTRY
'...Recovery
starts with detox and support groups. Or with workers in hazmat suits
sealing away your electronic devices in containers marked “biohazard.”
Or with a trip to a remote stretch of desert, where you’ll learn the
skills needed to survive in the wild. ....'

US FEARS UNDERWATER INTERNET CABLES COULD BE NEXT TARGET IN TECH WARFARE
'....Underlying the internet, often literally lying under the sea, is a
surprisingly vulnerable array of cables that keep the world connected.
When we talk about modern tech warfare, we’re usually focused on nuclear
reactors, water pumps, or transportation systems. We might think of the
super-virus deployed by the United States and Israel to slow down Iran’s
nuclear program in 2010. We don’t typically consider the miles of undersea
cables that, according to the US Federal Reserve, carry $10 trillion in
transactions every day.....'

Android Tablets with Pre-Installed Trojan Sold on Amazon
'....A nasty Trojan that allows malicious actors to remotely control
infected devices has been pre-loaded on many types of Android tablets
sold on Amazon and other online stores, Cheetah Mobile has warned......'

Google Pushes Mandatory Full-Disk Encryption in Android 6.0
'...Google has stepped up the security of its Android operating system
with the release of Android 6.0 Marshmallow by requiring manufacturers
to enable full-disk encryption out-of-the-box for new devices.
Previously, Google announced that full-device encryption was recommended
for all devices that could meet certain performance levels, but it has
since made the security measure mandatory in the most recent Android
Compatibility Definition Document. Google also requires that AES with a
key of 128-bit or higher be used, and that the key be stored on the
device only if AES encrypted...'

Month in Brief
Facebook Incidents Reported to Sri Lanka CERT|CC in October 2015
Statistics - Sri Lanka CERT|CC

2016 Predictions: The Fine Line Between Business and Personal
'...Like any other year, 2015 had its mix of ups and downs in the world of
security. A fine line exists between the threats that we face and the
solutions we have at our disposal; any slip-up on the part of defenders
can make an existing problem that much worse....'

BYOD vs. CYOD: What's Right For Your Business?
'...The last few years have been all about BYOD, or bring your own
device, an IT revolution that freed employees from the shackles of dated
or unsuitable hardware in favor of, well, whatever they wanted to use.
The benefits are obvious: most employees have their own computers at
home and know how to use them, so they can spend more time getting down
to business and less time trying to work out why this application
doesn’t have that feature.....'

Hack to cost UK's TalkTalk up to $53 million
'...This was how we learned that Ashley Madison users were being targeted
for extortion online. While looking into the leaked files, we identified
several dozen profiles on the controversial site that used email addresses
that belonged to Trend Micro honeypots. The profiles themselves were quite
complete: all the required fields such as gender, weight, height, eye
color, hair color, body type, relationship status, and dating
preferences were there. The country and city specified matched the IP
address’s longitude/latitude information. Almost half (43%) of the
profiles even have a written profile caption in the home language of
their supposed countries....'

Notice Board
Training and Awareness Programmes - November 2015

Date | Event | Venue
2015-11-15 to 2015-11-19 | Sri Lanka Visit of the officials of the Gwanju Metropolitan of Education | Visit Gamini M.M.V Nuwaraeliya, Mahinda Rajapakshe Vidyalaya Homagama, National Institute of Education and Ministry of Education
2015-11-28 to 2015-12-01 | Workshop on the Progress Review (2015), Presentation of identified areas for year 2016 plans and leadership Personality, Attitudes and skills Development | Uva- Kuda oya Commando Regiment Training School
2015-10-31 to 2015-11-06 | Education leadership Development Center - Meepe | A/L syllabus Training for A/L ICT teachers
2015-11-14 to 2015-11-20 | Education leadership Development Center - Meepe | IA/L syllabus Training for A/L ICT teachers