European Review of Organised Crime :)

This time a post in a slightly different tone – an article of mine has been published in a special issue of the European Review of Organised Crime devoted entirely to the phenomenon of cybercrime. I warmly invite you to read both my article (titled Dealer, Hacker, Lawyer, Spy. Modern Techniques and Legal Boundaries of Counter-cybercrime Operations) and the other papers.

The publication is available at


This time something a bit different – I had the pleasure of contributing an article to the special issue of the European Review of Organised Crime dedicated entirely to the phenomenon of cybercrime. Therefore I invite everyone to read my article (titled Dealer, Hacker, Lawyer, Spy. Modern Techniques and Legal Boundaries of Counter-cybercrime Operations) as well as the other contributions included in this issue.

The European Review of Organised Crime is available at

Target card data breach – CEO issues statement, conspiracy theories arise

As some of you probably know, or perhaps have even been affected, the American retail giant suffered a massive security breach: as many as 40 million might have had their credit and debit card data stolen. As reported by KrebsOnSecurity, hackers gained access to the company’s data infrastructure. What is worth noting is that the theft did not affect online shopping but actual in-store operations, as the data came from magnetic stripes – if the attackers also managed to intercept PIN numbers, they might be able to recreate the cards and siphon money straight from ATMs. Yesterday an official statement was issued by the company’s CEO, Gregg Steinhafel.


EP directive 2013/40 on attacks against information systems – metasploit legal (somewhat)

The recent EP directive, which replaced Council Framework Decision 2005/222/JHA, at first glance doesn’t seem to differ much from the retired document – specifically, it attempts to push the law into the territory of more sophisticated attacks without tinkering too much with the already established guidelines and, nomen omen, framework. Probably the most significant change is the mention of botnets. This approach to current network security problems gives hope for reasonable and professional law. Unfortunately, the directive also copies many troubling solutions that were part of the original document.

Some attention should be paid to the preamble, which in most cases is – let’s face it – padding. Here, however, it is important for getting a grasp of the thought process behind the law, as unfortunately its purpose is not always obvious.

First of all, a lot of pressure is directed towards larger-scale, more economically damaging attacks, including the aforementioned botnets. It seems that the current trend in cybercrime prevention will be set more towards protecting enterprise targets rather than individual, ‘private’ networks. Even though it might seem almost a cliché – big corporations get more from the law than common citizens – it is hard not to agree with the assessment. Attacks on single computers are common and almost impossible to trace most of the time. Furthermore, in purely quantitative terms, damage to the economy is certainly more significant when companies are affected. It is almost needless to say that in modern times, with increasing reliance on digital services, a successful breach can disable a smaller company.

Second, as usual with EP directives, the need for harmonization is emphasized. Again, this is quite obviously a fair point, especially because of the borderless nature of cybercrime. Perhaps a more important point is underlining the importance of providing adequate training for law enforcement and the judiciary. In Poland the problem of lacking qualifications becomes especially visible when dealing with lesser crimes. These are reported to local police stations, where ordinary officers do not even know how to approach the subject. Observing the current situation, it becomes obvious that a significant shift in policy is required – it is no longer possible to afford not to train every policeman in at least the basics of cybercrime.

Finally, compared to the earlier act, the part about respecting privacy and protecting fundamental rights has been extended. To what degree this is a reaction to the NSA leaks remains an open question.
