Computer Crime We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity. During our regular verification of accounts, we couldn’t verify your information. Please click here to update and verify your information. Topics • Computer crime: an introduction? • Hacking • Online scams • Fraud, embezzlement, sabotage, information theft, and forgery • Crime fighting vs. Privacy and Civil Liberties Introduction (or reality check?) • Fact: Computers are tools – They assist us in our work. – They provide leverage that helps expand the range of our thoughts and ideas. – They provide entertainment. • Fact: Computers are used to commit crimes. – There are at least three challenges with respect to computer crime. • Prevention • Detection • Prosecution Hacking: Decline of a great term Defining “Hacking”: Phase one • The early years • 1960s and 1970s, universities • Originally term referred to a creative programmer who wrote clever code. • New Hacker’s Dictionary: a hacker is a person who enjoys exploring the details of programmable systems and how to stretch their capabilities.. One who programs enthusiastically (even obsessively) (1993) • First OSes and computer games were written by such hackers. • Was a positive term (even a compliment) • Hackers were usually – but not always – high-school and college students. • There are still hackers who circumvent the limits. Defining “Hacking”: Phase two • The term began to collect negative overtones in the 1970s through 90s • Popular authors and media caused this use of term: – Described someone who used computers, without authorization. – Sometimes used these techniques to commit crimes. • Early computer crimes were launched against business and government computers. “trophy hacking” • Fooling people into disclosing passwords, sniffers – Worms: Cornell student Robert T Morris spread and jammed computers (1988) – other “malware” • Adult criminals began using computers to commit their crimes. – “White collar” crime – Organized crime Defining “Hacking”: phase three • The web era (mid 90s) • Increased use of Internet for school, work, business transactions & recreation – Such an environment became attractive to criminals with basic computer skills. • Crimes included the release of malicious code – Viruses – Worms: Cornell student Robert T Morris spread and jammed computers (1988) – other “malware” • Unprotected computers are especially vulnerable – Unsuspecting users may have their computers utilized to take part in a DDoS or fraud (distributed denial of service attack) • Minimal computer skills needed to create havoc – “Script kiddies” find programs on the web – Attackers who use tools / code written by others • Extortion payments demanded. • Virus spreads to computers called zombies which then do DOS attacks, etc. • Hacking by enemy governments and terrorists Is it ethical? The Robert T. Morris case: Do hackers do a public service to find and expose security weaknesses? Hacktivism • Use of technical expertise to promote a political cause. • The degree of activity can range from mild to destructive – Defacing websites – Destroying data – Denial of service • Some consider hacktivism to be modern-age form of civil disobedience • Many do not think so: – They believe that this denies others their own freedom of speech. – They also believe this violates property rights. • Must be careful: – Some hacktivist reject web-site defacing as legitimate activity. – An advocacy site: http://www.hacktivist.net/ Hacktivism Environmentalists add an environmental warning to a Real estate developer’s website. Is this ethical? The Law (US) • Computer Fraud and Abuse Act (CFAA) – First passed in 1986 • Made it a crime to access, alter, damage, or destroy information on a computer without authorization – Amended in 1996: • Punishes anyone who “intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains information from any protected computer.” • Computers protected under this legislation: – Federal government computers – Financial systems (i.e., those under federal regulation) – Medical systems – Interstate commerce – Any computer on the Internet The Law (Canada) • Computer crime: (RCMP) “any criminal activity involving the copying of, use of, removal of, interference with, access to or manipulation of computer systems, computer functions, data or computer programs.” • Categories of computer crime: – Unauthorized gain (theft) equipment, scams, services – Unauthorized destruction (includes remote access, viruses, worms, and damage by employees – Unauthorized manipulation (hacking) – Unauthorized intrusion (spam, eavesdropping) – Ilegal images (porno) – Illegal speech (hate) The Law (Canada) • First, we focus on – Unauthorized destruction (includes remote access, viruses, worms, and damage by employees – Unauthorized manipulation (hacking) The Law (Canada) • Existing law has been used and amended to deal with criminal misuse of IT • Computer Sabotage – Destruction of hardware and other tangible items (“corporeal”) – Erasure, destruction or alteration of data itself. – Defined as “mischief”. – Offence covered by Criminal Code 430(1) • Note: – Before 1985 the Criminal Code’s treatment of “mischief” did not include effect on data. (physical view of property--someone could not be deprived of property) • Other examples of sabotage: – Logic bombs – If mischief more serious, 430(5.1) deals with such acts as may cause actual danger to life. The Law (Canada) • “Colour of right” – Refers to a belief that the act is lawful… – … although that belief may be based on ignorance or mistake of fact. – Also includes ignorance of any matter of law than the actual Criminal Code sections under which one is charged. • “Mens rea” – “Guilty mind” – Notion of “criminal intent” or “moral turptitude” • Law is quite clear that: – No person can be convicted of mischief if he or she “acted with legal justification… excuse or… colour of right”. • Such distinctions will be helpful when thinking about other questions. Sometimes difficult to discern guilty mind, for computer crime The Law (Canada): Mischief with respect to data (Section 430) • (1.1)Everyone commits mischief who wilfully – Destroys or alters data – Renders data meaningless, useless or ineffective – Obstructs, interrupts, or interferes with the lawful use of data – Obsructgs, interrupts with any perosn in the lawful use of data or denies access to data to any person who is entitled to access. • (5.5) does an act or wilfully omits to do an act that it is his duty to do • If likely to consitute mischief causing actual danger to life or mischief in relation to property or data The Law (Canada): Mischief with respect to data (Section 430) Creating and disseminating computer viruses. – There exists no law prohibiting the creation or dissemination of computer viruses. – The offence occurs when such viruses are used to cause mischief to data under 430(1.1). – Distribution of a virus might constitute an offence under 430(5.1) – This is so even if the virus has yet to be activated! • Should the law go further in its treatment of viruses? – Huge number of policy issues. – Malware in general (i.e., what is a “virus”?) – Must tread carefully. Overview of Statutes (Canada) – Section 342 Unauthorized gain (theft) equipment, scams, services • makes possessing unauthorized credit data and trafficking in credit card passwords an offence. • Section 342.1 is particularly used for computer crimes: – Section 430 Mischief with respect to data destruction (discussed last time) – Section 326 Theft of telecommunication services – Section 327 Possession of device to obtain telecommunication facility or service. – Section 321 : Fraud Fraud in Canada • Canadian Courts: – Have held that anything that can be considered property can be the object of theft or fraud. – This includes credit in a bank account. • Section 321-Fraud statute – States that forgery offences also apply to computer documents. • “Fraud” need not require a form of relationship between fraudster and victim Unauthorized entry (Canada) • Unauthorized entry into or use of computers • There exists much debate on whether hacking into a system, with an intent just to browse, should be a criminal offence. • Problems of definition: – Breaking and entering? • Criminal code: Entry occurs, in part, as soon as “any part of his body or any part of an instrument that he uses is within any thing that is being entered.” • These terms do not apply to computer systems. – Violations of Privacy? Stealing time? • How is this quantified? • Theft of electricity!!? The Law (Canada) • Unauthorized entry (contd) • Some established offences apply, however when there is. Fraud (section 380): Where a person falsely represents themselves as having the authority to access an account. Or Personation (section 403): Where a person falsely assumes the identity of a lawful user. – Computer Abuse (342.1) (1985) • Dishonest acquisition of computer services (Paragraph 342.1(1)): If services are acquired fraudulently and without a colour of right, directly or indirectly, then a crime is committed. • Theft of computer services, trade in passwords, cracking of encryption systems • Intention to commit mischief to data • Should we criminalize unauthorized use? – Pro: Helps prevent more serious harm. – Con: Difficult to create safeguards to ensure criminal sanctions are applied only to those situations involving “moral turpitude”. • Regardless of the answer…. – Criminal liability should not attached to persons who are: • acting innocently and • honestly believe they have authority to use a computer. Trafficking • Trafficking in passwords, digital signatures, encryption keys – Some criminals use websites to store this kind of information. – RCMP in the past has identified bulletin boards with complete password and account information, accessible to criminals. • Forums promoting this information exchange are often clearly oriented to criminals. The Law (USA) • USA Patriot Act (USAPA, 2001) – Amended the CFAA – Allows for recovery of losses due to: • responding to a hacker attack • assessing damages • restoring systems – Higher penalties may now be levied if hacking is into: • computers belong to criminal justice system • computers belong to the military • The US government can monitor online activity of its citizens without a court order. • Provisions of the Patriot Act are still very controversial Back to Hackers: catching them • Onerous requirement: – Law enforcement must recognize and respond to many different kinds of hacking attacks • Computer Forensic tools: – Undercover agents – Honeypots – Archives on online-message boards – Tools for recovering deleted or coded information – Invisible information in files (e.g.Microsoft word) • Computer Forensics agencies and services: – Computer Emergency Response Team (CERT) – US National Infrastructure Protection Centre (NIPC) – RCMP IT Security Branch (http://www.rcmp-grc.gc.ca/tsb/) Penalties: Questions • Intent: – Should hackers who did not intend damage or harm be punished differently than those with criminal intentions? • Age: – Should underage hackers receive a different penalty than adult hackers? • Damage done – Should the penalty correspond to the actual damage done or the potential for damage? How severe is the problem? • Big challenge: gathering stats – Data usually collected by police agencies – Definitions of cybercrime often differ (or perhaps not even exists) • Example: RCMP distinguishes between “computer crime” and “computer-assisted crime” • Example: Ontario PP did not have a formal definition of cybercrime as of 2002. – A crime is “computer crime” if it falls under Section 342.1 of Canadian Criminal Code – Uniform reporting is therefore not yet widespread • Note: Many police forces do have specialized computer- crime units. – Difficulty is in gathering stats, not law enforcement. Security weaknesses • Many hackers say that “searching for weaknesses” is their motivation. • Such weaknesses can be found in the computer systems used by: – businesses – government (classified and unclassified) – personal computers • Causes of security weakness: – characteristics of the Internet and the Web – human nature – inherent complexity of computer systems – poorly-understood tradeoffs (security vs. cost) Improving security • How to accomplish this? – Awareness, awareness, awareness! – Ongoing education and training to recognize the risks – Better (i.e., clearer, simpler, more verifiable) system design. – Use of security tools and systems, • greater security budget, consultants • Firewalls that monitor incoming communications • Intrusion detection systems • Knowledgeable systems administrators Biometircs – Challenging “others” to find flaws in systems. – Writing and enforcing laws that don’t stymie research and advancement. Online Scams: Auctions • Selling and buying goods has become popular. – Many buy and sell on eBay because of its relatively good reputation. – But this is still not the best guarantee • However, human nature still seeks out the “best deal” • Problems: – Sellers do not send goods – Sellers send inferior goods – Price is driven up by shill bidding – Illegal goods sold. • Solutions: – Educate customers – Use an auction system with seller “reviews” – Use third-party escrow – Beware of haste and greed. Fraud: Some causes • Credit Card – Stolen receipts, mailed notices, and cards – Interception of online transaction or weak e- commerce security – Careless handling by card owner • ATM – Stolen account numbers and PINs – Insider knowledge. – A counterfeit ATM • Telecommunications – Stolen long-distance PINs – Cloned phones. Fraud: Defenses • Credit card: – Instant credit-card check. – Analysis of buying patterns. – Analysis of credit-card applications (to detect identify theft) – Verify user with Caller ID • ATM – Redesigned ATMs – Limited withdrawal • Telecommunications – Match phone “signature” with serial number – Identify phone without broadcasting serial number Embezzlement & Sabotage • Some causes: – Insider information – Poor security – Complex financial transactions – Anonymity of computer users – Faulty culture • Some defenses – Rotate employee responsibility – Require use of employee ID and password – Implement audit trails – Careful screening and background checks of employees Identity Theft • Binational working group Canada-US 2004 • Report on Identity theft • “alll crime in which someone wrongfully obtains and uses another person’s identifying info for the purpose of fraud or other criminal activity, typically for economic gain. • 2002--3 (one year) losses totalled US$53 billion • In Canada, 2.5 Billion CAN • 214,000 complaints in the US in 2003 Identity Theft • Methods include mail theft, theft from residences and businesses, phishing. • Victims all ages, mostly with good credit reatings • 300million hours spent to resolve problems • Likely to grow • Most involve credit cards or false applications for them • 10% involve ordering cell phone service • 10 million persons in the US discovered they were victims of identity theft. • 29% between 18-29, all ages. Identity Theft • Perpetrators: Organized crime Terrorists (e.g. al Qaida in spain used stolen credit cards) Individual terrorists How committed? Physical methods Electronic methods Identity Theft • Electronic methods • Skimmers: read data on credit cards’ magnetic stripe when someone swipes card through it. • installed on outside of legitimate ATMS Identity Theft • Electronic methods • Skimmers: read data on credit cards’ magnetic stripe when someone swipes card through it. • installed on outside of legitimate ATMS • Phishing, spoofing and pretexting – Luring techniques used by identity thefts to fish for personal info in a pond of unsuspecting Internet users. – Huge increase – Use legitimate names of businesses – Examples: Royal bank, citibank (readings) • Identities stolen from company database Phishing: what to do •Recognize it, do not reply •Report it to local police and bank or credit card co. Report it to RECOL •Stop it: become familiar with practices of your financial company Impact of Identity Theft • Financial loss--fraud • Credit ratings and reputations damaged, taking months to repair • Victims are sometimes mistaken by police as the criminals, arrested and detained Combating id theft • Public reporting mechanisms – Identify theft clearing house FTC 1999 – Suspicious activity reports required to be filed by financial institutions with the US Treasury – Internet Crime Complaint Center (IC3) (2000) • Joint venture with FBI and National White Collar Crime Center – RECOL RCMP Reporting Economic Crime Online • Web based initiative for law enforcement agencies and private commercial org. that have legitimate investigative interest in receiving copy of complaints of economic crime, also consumer info and education – Phonebusters National Call Center--Canadian Anti fraud call centre Ontario PP and RCMP --originally for telemarketing fraud, • Extradition to the US, education of the public, Bi-national coordination, conferences, working group Combating id theft Challenges: – public education, where to report, better security for id documents, passports, etc. – Better security for private companies’ collection and retention of daaa Identity Theft • Some causes of Identity Theft – Insecure and inappropriate use of Social Security, Social Insurance numbers – Careless handling of personally identifiable information. – Weak security of stored records. – Insufficient assistance to identity theft victims (or its equivalent: insufficient funding of law-enforcement devoted to identity theft) • Some defenses for Identity Theft – Limit use of personally identifiable information – Increase security of information stored by businesses and government agencies. – Improve methods to accurately identify a person. – Educate consumers. – Check credit-report on a regular basis. Forgery • Some causes: – Powerful computers and digital manipulation software. – High-quality printers, copiers and scanners. • Some defenses: – Education consumers and employees. – Use anti-counterfeiting techniques during production. – Use counterfeit detection methods. – Create legal and procedural incentives to improve security. Crime Fighting vs. Civil Liberties • Scams: – Crime Fighting approach Automated surveillance software • Looks for suspicious Web activity (recall “Dataveillance”) – Privacy and Civil Liberties No search warrant without proof of probable cause • Biometrics – Crime Fighting approach Exact match of biological characteristics to a unique person. – Privacy and Civil Liberties Easy to build complete dossier on people. Crime Fighting vs. Civil Liberties • Search and Seizure of Computers: – Crime Fighting approach Needs to obtain evidence of a crime. – Privacy and Civil Liberties Day-to-day business ceases; non-criminal contact with others ends • The Council of Europe’s Cybercrime Treaty – Canada and US are also signatories – Crime Fighting approach These countries agree to cooperate with each other’s investigations. – Privacy and Civil Liberties Potential for government spying is great.
Pages to are hidden for
"Computer Businesses"Please download to view full document