Computer Crime

We suspect an unauthorized transaction on your account.
To ensure that your account is not compromised,
please click the link below and confirm your identity.


During our regular verification of accounts, we couldn’t verify your information.
Please click here to update and verify your information.
Topics
• Computer crime: an introduction?
• Hacking
• Online scams
• Fraud, embezzlement, sabotage,
  information theft, and forgery
• Crime fighting vs. Privacy and Civil
  Liberties
Introduction (or reality check?)
• Fact: Computers are tools
  – They assist us in our work.
  – They provide leverage that helps expand the range of
    our thoughts and ideas.
  – They provide entertainment.
• Fact: Computers are used to commit crimes.
  – There are at least three challenges with respect to
    computer crime.
     • Prevention
     • Detection
     • Prosecution
Hacking: Decline of a great term
Defining “Hacking”: Phase one
• The early years
• 1960s and 1970s, universities
• Originally term referred to a creative programmer who
  wrote clever code.
• New Hacker’s Dictionary (1993): a hacker is a person who enjoys exploring
  the details of programmable systems and how to stretch their
  capabilities; one who programs enthusiastically (even obsessively).
• First OSes and computer games were written by such
  hackers.
• Was a positive term (even a compliment)
• Hackers were usually – but not always – high-school and
  college students.
• There are still hackers who circumvent the limits.
Defining “Hacking”: Phase two
• The term began to collect negative overtones in the 1970s through
  90s
• Popular authors and the media caused this use of the term:
   – Described someone who used computers without authorization.
   – Sometimes used these techniques to commit crimes.
• Early computer crimes were launched against business and
  government computers. “trophy hacking”
• Fooling people into disclosing passwords, sniffers
   – Worms: Cornell student Robert T Morris spread and jammed computers (1988)
   – other “malware”


• Adult criminals began using computers to commit their crimes.
   – “White collar” crime
   – Organized crime
Defining “Hacking”: phase three
•   The web era (mid 90s)
•   Increased use of Internet for school, work, business transactions &
    recreation
     – Such an environment became attractive to criminals with basic computer skills.
•   Crimes included the release of malicious code
     – Viruses
     – Worms: Cornell student Robert T Morris spread and jammed computers (1988)
     – other “malware”
•   Unprotected computers are especially vulnerable
     – Unsuspecting users may have their computers used to take part in a distributed
       denial of service (DDoS) attack or in fraud
•   Minimal computer skills needed to create havoc
     – “Script kiddies” find programs on the web
     – Attackers who use tools / code written by others
•   Extortion payments demanded.
•   Virus spreads to computers called zombies, which then carry out DoS attacks, etc.
•   Hacking by enemy governments and terrorists
Is it ethical?
The Robert T. Morris case:

Do hackers do a public service to find and
 expose security weaknesses?
Hacktivism
• Use of technical expertise to promote a political cause.
• The degree of activity can range from mild to destructive
   – Defacing websites
   – Destroying data
   – Denial of service
• Some consider hacktivism to be a modern-age form of civil
  disobedience
• Many do not think so:
   – They believe that this denies others their own freedom of
     speech.
   – They also believe this violates property rights.
• Must be careful:
   – Some hacktivists reject web-site defacing as a legitimate activity.
   – An advocacy site: http://www.hacktivist.net/
Hacktivism
Environmentalists add an environmental warning to a
real estate developer’s website.
Is this ethical?
The Law (US)
• Computer Fraud and Abuse Act (CFAA)
   – First passed in 1986
        • Made it a crime to access, alter, damage, or destroy information on
          a computer without authorization
   – Amended in 1996:
        • Punishes anyone who “intentionally accesses a computer without
          authorization or exceeds authorized access and thereby obtains
          information from any protected computer.”
• Computers protected under this legislation:
   –   Federal government computers
   –   Financial systems (i.e., those under federal regulation)
   –   Medical systems
   –   Interstate commerce
   –   Any computer on the Internet
The Law (Canada)
• Computer crime: (RCMP) “any criminal activity involving the copying
  of, use of, removal of, interference with, access to or manipulation of
  computer systems, computer functions, data or computer programs.”

• Categories of computer crime:

    – Unauthorized gain (theft): equipment, scams, services
    – Unauthorized destruction (includes remote access, viruses, worms, and
      damage by employees)
    – Unauthorized manipulation (hacking)
    – Unauthorized intrusion (spam, eavesdropping)
    – Illegal images (pornography)
    – Illegal speech (hate)
The Law (Canada)
• First, we focus on

   – Unauthorized destruction (includes remote access, viruses, worms, and
     damage by employees)
   – Unauthorized manipulation (hacking)
The Law (Canada)
• Existing law has been used and amended to deal with criminal
  misuse of IT
• Computer Sabotage
   –   Destruction of hardware and other tangible items (“corporeal”)
   –   Erasure, destruction or alteration of data itself.
   –   Defined as “mischief”.
   –   Offence covered by Criminal Code 430(1)
• Note:
   – Before 1985 the Criminal Code’s treatment of “mischief” did not include
     effect on data. (physical view of property--someone could not be
     deprived of property)
• Other examples of sabotage:
   – Logic bombs
   – If mischief more serious, 430(5.1) deals with such acts as may cause
     actual danger to life.
The Law (Canada)
• “Colour of right”
    – Refers to a belief that the act is lawful…
    – … although that belief may be based on ignorance or mistake of fact.
    – Also includes ignorance of any matter of law other than the actual Criminal
      Code sections under which one is charged.
• “Mens rea”
    – “Guilty mind”
    – Notion of “criminal intent” or “moral turpitude”
• Law is quite clear that:
    – No person can be convicted of mischief if he or she “acted with legal
      justification… excuse or… colour of right”.
• Such distinctions will be helpful when thinking about other
  questions. For computer crime, a guilty mind is sometimes difficult
  to discern.
The Law (Canada):
Mischief with respect to data (Section 430)
• (1.1) Everyone commits mischief who wilfully
   –   Destroys or alters data
   –   Renders data meaningless, useless or ineffective
   –   Obstructs, interrupts, or interferes with the lawful use of data
   –   Obstructs, interrupts or interferes with any person in the lawful use of data, or
       denies access to data to any person who is entitled to access.
• (5.5) does an act or wilfully omits to do an act that it is
  his duty to do
• If likely to constitute mischief causing actual danger to life
  or mischief in relation to property or data
The Law (Canada):
Mischief with respect to data (Section 430)
• Creating and disseminating computer viruses.
   – There exists no law prohibiting the creation or dissemination of
     computer viruses.
   – The offence occurs when such viruses are used to cause
     mischief to data under 430(1.1).
   – Distribution of a virus might constitute an offence under 430(5.1)
   – This is so even if the virus has yet to be activated!
• Should the law go further in its treatment of viruses?
   – Huge number of policy issues.
   – Malware in general (i.e., what is a “virus”?)
   – Must tread carefully.
Overview of Statutes
(Canada)
 – Section 342 Unauthorized gain (theft): equipment, scams, services
    • makes possessing unauthorized credit data and trafficking in credit
      card passwords an offence.
     • Section 342.1 is particularly used for computer crimes:

 – Section 430 Mischief with respect to data destruction (discussed last
   time)

 – Section 326 Theft of telecommunication services

 – Section 327 Possession of device to obtain telecommunication facility
   or service.
 – Section 321 : Fraud
Fraud in Canada
• Canadian Courts:
   – Have held that anything that can be considered property can be
     the object of theft or fraud.
   – This includes credit in a bank account.
• Section 321: Fraud statute
   – States that forgery offences also apply to computer documents.
• “Fraud” need not require a form of relationship between
  fraudster and victim
Unauthorized entry (Canada)
• Unauthorized entry into or use of computers
• There exists much debate on whether hacking
  into a system, with an intent just to browse,
  should be a criminal offence.
• Problems of definition:
  – Breaking and entering?
     • Criminal Code: Entry occurs, in part, as soon as “any part of
       his body or any part of an instrument that he uses is within
       any thing that is being entered.”
     • These terms do not apply to computer systems.
  – Violations of Privacy? Stealing time?
     • How is this quantified?
     • Theft of electricity!!?
The Law (Canada)
•   Unauthorized entry (contd)
•   Some established offences do apply, however, when there is:
     – Fraud (section 380): Where a person falsely represents themselves as having the
         authority to access an account.
     – Or Personation (section 403): Where a person falsely assumes the identity of a
         lawful user.
     – Computer Abuse (342.1) (1985)
          • Dishonest acquisition of computer services (Paragraph 342.1(1)): If services are
            acquired fraudulently and without a colour of right, directly or indirectly, then a crime
            is committed.
          • Theft of computer services, trade in passwords, cracking of encryption systems
          • Intention to commit mischief to data
•   Should we criminalize unauthorized use?
     – Pro: Helps prevent more serious harm.
     – Con: Difficult to create safeguards to ensure criminal sanctions are applied only
       to those situations involving “moral turpitude”.
•   Regardless of the answer….
     – Criminal liability should not attach to persons who are:
          • acting innocently and
          • honestly believe they have authority to use a computer.
Trafficking
• Trafficking in passwords, digital signatures,
  encryption keys
   – Some criminals use websites to store this kind of
     information.
   – RCMP in the past has identified bulletin boards with
     complete password and account information,
     accessible to criminals.
• Forums promoting this information exchange are
  often clearly oriented to criminals.
The Law (USA)
• USA Patriot Act (USAPA, 2001)
   – Amended the CFAA
   – Allows for recovery of losses due to:
       • responding to a hacker attack
       • assessing damages
       • restoring systems
   – Higher penalties may now be levied if hacking is into:
        • computers belonging to the criminal justice system
        • computers belonging to the military
• The US government can monitor online activity of its
  citizens without a court order.
• Provisions of the Patriot Act are still very controversial
Back to Hackers: catching them
• Onerous requirement:
   – Law enforcement must recognize and respond to many different
     kinds of hacking attacks
• Computer Forensic tools:
   –   Undercover agents
   –   Honeypots
   –   Archives on online-message boards
   –   Tools for recovering deleted or coded information
   –   Invisible information in files (e.g., Microsoft Word metadata)
• Computer Forensics agencies and services:
   – Computer Emergency Response Team (CERT)
   – US National Infrastructure Protection Centre (NIPC)
   – RCMP IT Security Branch (http://www.rcmp-grc.gc.ca/tsb/)
Penalties: Questions
• Intent:
   – Should hackers who did not intend damage or harm
     be punished differently than those with criminal
     intentions?
• Age:
   – Should underage hackers receive a different penalty
     than adult hackers?
• Damage done
   – Should the penalty correspond to the actual damage
     done or the potential for damage?
How severe is the problem?
• Big challenge: gathering stats
   – Data usually collected by police agencies
   – Definitions of cybercrime often differ (or perhaps do not even exist)
       • Example: RCMP distinguishes between “computer crime” and
         “computer-assisted crime”
       • Example: Ontario PP did not have a formal definition of cybercrime
         as of 2002.
           – A crime is “computer crime” if it falls under Section 342.1 of Canadian
             Criminal Code
   – Uniform reporting is therefore not yet widespread
• Note: Many police forces do have specialized computer-
  crime units.
   – Difficulty is in gathering stats, not law enforcement.
Security weaknesses
• Many hackers say that “searching for
  weaknesses” is their motivation.
• Such weaknesses can be found in the computer
  systems used by:
  – businesses
  – government (classified and unclassified)
  – personal computers
• Causes of security weakness:
  –   characteristics of the Internet and the Web
  –   human nature
  –   inherent complexity of computer systems
  –   poorly-understood tradeoffs (security vs. cost)
Improving security
• How to accomplish this?
  – Awareness, awareness, awareness!
  – Ongoing education and training to recognize the risks

  – Better (i.e., clearer, simpler, more verifiable) system
    design.
  – Use of security tools and systems,
     •   greater security budget, consultants
     •   Firewalls that monitor incoming communications
     •   Intrusion detection systems
     •   Knowledgeable systems administrators
     •   Biometrics

  – Challenging “others” to find flaws in systems.
  – Writing and enforcing laws that don’t stymie research
    and advancement.
Online Scams: Auctions
• Selling and buying goods has become popular.
   – Many buy and sell on eBay because of its relatively good reputation.
   – But this is still not the best guarantee
• However, human nature still seeks out the “best deal”
• Problems:
   –   Sellers do not send goods
   –   Sellers send inferior goods
   –   Price is driven up by shill bidding
   –   Illegal goods sold.
• Solutions:
   –   Educate customers
   –   Use an auction system with seller “reviews”
   –   Use third-party escrow
   –   Beware of haste and greed.
Fraud: Some causes
• Credit Card
  – Stolen receipts, mailed notices, and cards
  – Interception of online transactions or weak e-commerce
    security
  – Careless handling by card owner
• ATM
  – Stolen account numbers and PINs
  – Insider knowledge.
  – A counterfeit ATM
• Telecommunications
  – Stolen long-distance PINs
  – Cloned phones.
Fraud: Defenses
• Credit card:
  – Instant credit-card check.
  – Analysis of buying patterns.
  – Analysis of credit-card applications (to detect identity
    theft)
  – Verify user with Caller ID
• ATM
  – Redesigned ATMs
  – Limited withdrawal
• Telecommunications
  – Match phone “signature” with serial number
  – Identify phone without broadcasting serial number
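The “analysis of buying patterns” defence above is a pattern-deviation check: a cardholder’s history defines what is normal, and a new transaction is flagged when it departs from it. The following is an added illustration, not code from the original slides; the transaction history, the flag names, the thresholds (z-score above 3, three transactions in ten minutes, a country change within one hour) and the country codes are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    when: datetime
    amount: float
    country: str
    category: str


# Constructed cardholder history: routine Canadian purchases over one week.
HISTORY = [
    Txn(datetime(2004, 3, 1, 9, 10), 42.10, "CA", "groceries"),
    Txn(datetime(2004, 3, 2, 17, 45), 18.75, "CA", "fuel"),
    Txn(datetime(2004, 3, 3, 12, 30), 63.00, "CA", "groceries"),
    Txn(datetime(2004, 3, 4, 8, 5), 55.40, "CA", "fuel"),
    Txn(datetime(2004, 3, 5, 19, 20), 27.30, "CA", "groceries"),
    Txn(datetime(2004, 3, 6, 12, 0), 71.95, "CA", "groceries"),
]

# Constructed candidates: one that fits the pattern, one that does not.
ROUTINE = Txn(datetime(2004, 3, 7, 10, 0), 35.00, "CA", "groceries")
SUSPECT = Txn(datetime(2004, 3, 6, 12, 30), 950.00, "RO", "electronics")


def build_profile(history):
    """Summarise what 'normal' looks like for this cardholder."""
    amounts = [t.amount for t in history]
    return {
        "mean": mean(amounts),
        "std": pstdev(amounts) or 1.0,  # avoid division by zero on a flat history
        "countries": {t.country for t in history},
        "categories": {t.category for t in history},
        "last": max(history, key=lambda t: t.when),
    }


def score_txn(history, candidate, velocity_window=timedelta(minutes=10),
              velocity_limit=3, travel_window=timedelta(hours=1)):
    """Return the list of pattern-deviation flags raised by `candidate`.

    Thresholds are illustrative assumptions, not values from the slides.
    """
    p = build_profile(history)
    flags = []

    # Amount far above the cardholder's usual spend (z-score > 3).
    if (candidate.amount - p["mean"]) / p["std"] > 3:
        flags.append("amount_outlier")

    # First purchase in a country or merchant category never seen before.
    if candidate.country not in p["countries"]:
        flags.append("new_country")
    if candidate.category not in p["categories"]:
        flags.append("new_category")

    # Burst of transactions shortly before this one (card-testing style).
    recent = [t for t in history
              if timedelta(0) <= candidate.when - t.when <= velocity_window]
    if len(recent) >= velocity_limit:
        flags.append("velocity")

    # Previous transaction was in another country less than an hour ago.
    last = p["last"]
    if (last.country != candidate.country
            and timedelta(0) <= candidate.when - last.when < travel_window):
        flags.append("impossible_travel")

    return flags


if __name__ == "__main__":
    for label, txn in (("routine", ROUTINE), ("suspect", SUSPECT)):
        print(label, score_txn(HISTORY, txn))
```

A real scoring engine would weight these flags and feed them into the “instant credit-card check” at authorisation time; the point here is that each flag is a cheap comparison against the cardholder’s own history rather than a fixed rule about fraud.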
Embezzlement & Sabotage
• Some causes:
  –   Insider information
  –   Poor security
  –   Complex financial transactions
  –   Anonymity of computer users
  –   Faulty culture
• Some defenses
  –   Rotate employee responsibility
  –   Require use of employee ID and password
  –   Implement audit trails
  –   Careful screening and background checks of
      employees
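An audit trail only deters embezzlement if the insider cannot quietly rewrite it afterwards. The block below is an added example, not code from the original slides: it chains each log entry to the previous one with a SHA-256 digest so that editing, deleting or reordering any entry breaks the chain at that point. The actors, actions, amounts and timestamps are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # value of `prev` for the first entry


def _digest(entry):
    """Canonical SHA-256 over every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only, hash-chained log of who did what to which record."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, details, timestamp):
        # The timestamp is passed in (ISO 8601 string) so entries are reproducible.
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": timestamp, "actor": actor,
                 "action": action, "details": details, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first broken entry, or None if the chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if (entry["seq"] != i or entry["prev"] != prev
                    or _digest(entry) != entry["hash"]):
                return i
            prev = entry["hash"]
        return None


def sample_trail():
    """Constructed payment workflow: create, approve, release."""
    trail = AuditTrail()
    payment = {"payee": "ACME Supplies", "amount": 1200.00}
    trail.record("clerk_a", "create_payment", dict(payment), "2004-03-01T09:00:00Z")
    trail.record("manager_b", "approve_payment", dict(payment), "2004-03-01T10:15:00Z")
    trail.record("clerk_a", "release_payment", dict(payment), "2004-03-01T10:20:00Z")
    return trail


def tamper_demo():
    """Alter the approved amount after the fact; verification points at entry 1."""
    trail = sample_trail()
    trail.entries[1]["details"]["amount"] = 12000.00
    return trail.verify()


if __name__ == "__main__":
    print("intact:", sample_trail().verify())   # None
    print("tampered at:", tamper_demo())         # 1
```

The chain detects tampering but does not prevent it; in practice the latest hash is periodically copied to a place the logged users cannot write (a separate system or a printed register), which is the same separation-of-control idea as rotating employee responsibility.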
Identity Theft
• Binational working group Canada-US 2004
• Report on Identity theft

• “all crime in which someone wrongfully obtains and uses
  another person’s identifying info for the purpose of fraud
  or other criminal activity, typically for economic gain.”
• 2002-03 (one year): losses totalled US$53 billion
• In Canada, CAN$2.5 billion
• 214,000 complaints in the US in 2003
Identity Theft
• Methods include mail theft, theft from residences and
  businesses, phishing.
• Victims of all ages, mostly with good credit ratings
• 300 million hours spent to resolve problems

• Likely to grow
• Most involve credit cards or false applications for them
• 10% involve ordering cell phone service
• 10 million persons in the US discovered they were
  victims of identity theft.
• 29% aged 18-29; victims of all ages.
Identity Theft
• Perpetrators:
   – Organized crime
   – Terrorists (e.g. al Qaida in Spain used stolen credit cards)
   – Individual terrorists
• How committed?
   – Physical methods
   – Electronic methods
Identity Theft
• Electronic methods

• Skimmers: read data on credit cards’ magnetic stripe when
  someone swipes the card through it.
   – Installed on the outside of legitimate ATMs
• Phishing, spoofing and pretexting
   – Luring techniques used by identity thieves to fish for personal info in a
     pond of unsuspecting Internet users.
   – Huge increase
   – Use legitimate names of businesses
   – Examples: Royal Bank, Citibank (readings)
• Identities stolen from company database
Phishing: what to do
 • Recognize it; do not reply
 • Report it to local police and your bank or credit
   card company. Report it to RECOL
 • Stop it: become familiar with the practices of your
   financial company
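“Recognize it” is the step most users get wrong, so it helps to see what recognition looks like as a check a mail filter or a person can apply. The block below is an added example, not code from the original slides: it scores a message against the lure features visible in the two phishing samples quoted on the title slide (urgency language, an instruction to click, a request to confirm or verify account details) and, where link markup is available, flags an anchor whose visible text names a different host than its real target. The indicator weights, the threshold and the example hostnames are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample inputs: the two lures quoted on the title slide, plus a
# benign notice for contrast (none of these are real bank messages).
LURE_ONE = ("We suspect an unauthorized transaction on your account. "
            "To ensure that your account is not compromised, "
            "please click the link below and confirm your identity.")
LURE_TWO = ("During our regular verification of accounts, we couldn't verify "
            "your information. Please click here to update and verify your information.")
BENIGN = "Your March statement is now available in the app. No action is required."

# Each indicator: (name, pattern, weight). Weights are illustrative, not tuned.
INDICATORS = [
    ("urgency", re.compile(r"\b(immediately|suspend(ed)?|unauthori[sz]ed|compromised)\b", re.I), 1),
    ("call_to_click", re.compile(r"\bclick (the link|here)\b", re.I), 2),
    ("credential_ask", re.compile(r"\b(confirm|verify|update) your (identity|information|account)\b", re.I), 2),
    ("generic_greet", re.compile(r"^\s*dear (customer|user|member)\b", re.I | re.M), 1),
]
SUSPICIOUS_AT = 4  # assumed threshold: two strong indicators, or one plus a link mismatch

# Anchor text that itself looks like a URL or hostname makes a claim about the target.
HOSTLIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)


def link_mismatch(display, href):
    """True when visible link text names a host that differs from the real target host."""
    m = HOSTLIKE.match(display.strip())
    if not m:
        return False  # plain anchor text such as "click here" carries no host claim
    shown = m.group(1).lower()
    target = (urlparse(href).hostname or "").lower()
    return shown != target


def score_message(text, links=()):
    """Return (score, hit_names) for a message body and optional (display, href) pairs."""
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(text)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    for display, href in links:
        if link_mismatch(display, href):
            hits.append("link_mismatch")
            score += 3
    return score, hits


def is_suspicious(text, links=()):
    return score_message(text, links)[0] >= SUSPICIOUS_AT


if __name__ == "__main__":
    for label, body in (("lure one", LURE_ONE), ("lure two", LURE_TWO), ("benign", BENIGN)):
        print(label, score_message(body))
    # Constructed link: text shows one bank hostname, href points elsewhere.
    print("with link", score_message(LURE_ONE, [("www.examplebank.com", "http://login.example.net/verify")]))
```

Both slide samples trip the click and verify indicators without any link inspection at all, which is the practical lesson: the words of the lure are enough to recognise it, and the right response is to contact the institution through a channel you already trust rather than through anything in the message.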
Impact of Identity Theft
• Financial loss--fraud
• Credit ratings and reputations damaged, taking months
  to repair
• Victims are sometimes mistaken by police as the
  criminals, arrested and detained
Combating id theft
• Public reporting mechanisms
   – Identity Theft Clearinghouse (FTC, 1999)
   – Suspicious activity reports required to be filed by financial institutions
     with the US Treasury
   – Internet Crime Complaint Center (IC3) (2000)
       • Joint venture with FBI and National White Collar Crime Center
   – RECOL (RCMP Reporting Economic Crime Online)
       • Web-based initiative for law enforcement agencies and private commercial
         organizations that have a legitimate investigative interest in receiving copies of
         complaints of economic crime; also consumer info and education
   – Phonebusters National Call Centre (Canadian anti-fraud call centre run by the
     Ontario PP and RCMP), originally for telemarketing fraud
       • Extradition to the US, education of the public
   – Bi-national coordination, conferences, working group
Combating id theft
 • Challenges:
   – Public education, where to report, better security for ID
     documents, passports, etc.
   – Better security for private companies’ collection and retention of
     data
Identity Theft
• Some causes of Identity Theft
   – Insecure and inappropriate use of Social Security, Social Insurance
     numbers
   – Careless handling of personally identifiable information.
   – Weak security of stored records.
   – Insufficient assistance to identity theft victims (or its equivalent:
     insufficient funding of law-enforcement devoted to identity theft)
• Some defenses for Identity Theft
   – Limit use of personally identifiable information
   – Increase security of information stored by businesses and government
     agencies.
   – Improve methods to accurately identify a person.
   – Educate consumers.
   – Check credit-report on a regular basis.
Forgery
• Some causes:
  – Powerful computers and digital manipulation
    software.
  – High-quality printers, copiers and scanners.
• Some defenses:
  –   Educate consumers and employees.
  –   Use anti-counterfeiting techniques during production.
  –   Use counterfeit detection methods.
  –   Create legal and procedural incentives to improve
      security.
Crime Fighting vs. Civil Liberties
• Scams:
  – Crime Fighting approach: Automated surveillance
    software
     • Looks for suspicious Web activity (recall “Dataveillance”)
  – Privacy and Civil Liberties: No search warrant
    without proof of probable cause
• Biometrics
  – Crime Fighting approach: Exact match of biological
    characteristics to a unique person.
  – Privacy and Civil Liberties: Easy to build a complete
    dossier on people.
Crime Fighting vs. Civil Liberties
• Search and Seizure of Computers:
  – Crime Fighting approach: Needs to obtain evidence
    of a crime.
  – Privacy and Civil Liberties: Day-to-day business
    ceases; non-criminal contact with others ends
• The Council of Europe’s Cybercrime Treaty
  – Canada and US are also signatories
  – Crime Fighting approach: These countries agree to
    cooperate with each other’s investigations.
  – Privacy and Civil Liberties: Potential for government
    spying is great.

				