					   Cyberlaw and Computer Crimes
• Surprisingly it wasn’t until 1986 that we had any
  laws at all (in the US) regarding prosecution of
  computer crimes
  – even once legislation was being passed, it was unclear
    what jurisdiction the FBI had in tracking down
    computer criminals, and the FBI lacked expertise in
    tracking them down
• What is the status today of cyberlaw? What
  constitutes a computer crime? What does law
  enforcement do about it?
• Early crimes were committed by computer programmers
  who were pushing the boundaries of what could be done
  on a computer
   – generally, hackers are thought of as benevolent criminals – just
     trying things out, possibly even for positive purposes (alerting
     a company of their security holes)
   – crackers are those who perform illegal access for criminal
• See the site regarding black and white hat crackers and
  the wikipedia site on black hat and white hat crackers
   – early on, many hackers’ goal was phreaking
• Early hackers targeted the telephone network
  – John Draper (known as Captain Crunch) discovered
    through a blind friend that the whistle found in
    Captain Crunch cereal could be modified to emit the
    frequency that was used by AT&T to indicate that a
    long distance phone line was available
     • this caused one side of the line to enter “operator mode”
     • with proper hardware, he was able to then specify
       frequencies equivalent to tones for dialing a number and
       thus received free long distance
     • he placed the whistle and other devices into a blue box
     • he and Steve Wozniak used this technique to call the Pope!
     • Draper was arrested in 1972 for phone fraud
               More Approaches
• Another approach was used by Kevin Poulsen
  who actually broke into telephone switching
  boxes to reroute lines
  – he used this to win a Porsche from a radio station
• Red Boxes
  – Another approach is to mimic the sound of coins
    dropping into a pay phone
  – Actually, what you mimic is the frequency of sound
    made when a quarter goes through the slot
     • a Radio Shack tone dialer could be used, and this
       manipulated version was called a red box
     • a black market appeared dealing in the crystals needed to
       modulate the proper frequency
  Telephones and Computer Attacks
• Phreaking is not really related to computer crime as these
  sorts of crimes were done largely without computers
• However, it has led to some innovations
   – consider a computer system that permits dial-up access
   – the OS will keep track of failed log in attempts and then
     disallow further attempts from the given telephone caller ID
     after some number of failures (say 5)
   – however, it is possible, using a computer, to either mask or alter
     the caller ID so that more attempts can be tried
   – and therefore, a program which attempts to log in by trying all
     possible passwords may still succeed because the computer will
     mask or alter the caller ID value so that the OS does not block
     out further attempts!
      • more information on phreaking and telephone attacks can be found at
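
The lockout weakness described above, as an added example (not part of the original slides): one constructed login log is replayed through a failure counter keyed on caller ID and through one keyed on the account. The `Lockout` class, the field names and the sample numbers are assumptions made for illustration.

```python
from collections import defaultdict

MAX_FAILURES = 5  # the slide's example threshold ("say 5")


class Lockout:
    """Blocks further login attempts once a key has MAX_FAILURES failures."""

    def __init__(self, key_fn):
        self.key_fn = key_fn              # which field of an attempt to count under
        self.failures = defaultdict(int)

    def check(self, attempt):
        """Return True if the attempt may reach the password check."""
        return self.failures[self.key_fn(attempt)] < MAX_FAILURES

    def record(self, attempt):
        key = self.key_fn(attempt)
        if attempt["ok"]:
            self.failures[key] = 0        # a successful login clears the counter
        else:
            self.failures[key] += 1


def replay(policy, attempts):
    """Run attempts through a policy; return {account: (evaluated, blocked)}."""
    stats = defaultdict(lambda: [0, 0])
    for a in attempts:
        if policy.check(a):
            policy.record(a)
            stats[a["account"]][0] += 1
        else:
            stats[a["account"]][1] += 1
    return {acct: tuple(v) for acct, v in stats.items()}


def accounts_with_rotating_sources(attempts, min_sources=3):
    """Detection: accounts whose failures arrive from many distinct caller IDs."""
    sources = defaultdict(set)
    for a in attempts:
        if not a["ok"]:
            sources[a["account"]].add(a["caller_id"])
    return sorted(acct for acct, ids in sources.items() if len(ids) >= min_sources)


def sample_attempts():
    """Constructed log: 20 failures on 'alice' with the caller ID changed every
    4 attempts, plus 'bob' mistyping twice and then logging in."""
    log = [{"account": "alice", "caller_id": f"555-01{i // 4:02d}", "ok": False}
           for i in range(20)]
    log += [{"account": "bob", "caller_id": "555-0199", "ok": ok}
            for ok in (False, False, True)]
    return log


if __name__ == "__main__":
    log = sample_attempts()
    print("keyed on caller ID:", replay(Lockout(lambda a: a["caller_id"]), log))
    print("keyed on account:  ", replay(Lockout(lambda a: a["account"]), log))
    print("rotating sources:  ", accounts_with_rotating_sources(log))
```

Keying the counter on the account stops the guessing after five tries no matter where the calls appear to come from, at the cost that anyone can lock a known account; the rotating-source check raises an alert without that side effect.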
  A Definition of Computer Crime
• One author states that a computer crime is:
   – unauthorized access of a computer, creating or releasing a
     malicious computer program, or harassment and stalking in
• Notice that this definition does not claim that
  embezzlement or fraud, accomplished by using a
  computer, is a crime
   – this is because embezzlement and fraud are already crimes,
     and all that has changed is the mechanism by which the
     crime was committed
• Is it sufficient to define computer crimes as listed
  above or do we have to also include a list of all
  crimes that can be committed by computer?
             A Different Definition
• A computer crime is any illegal act, the commission of
  which (in whole or in part):
   – targets computer hardware or software as its focal point, or
   – utilizes computer hardware or software to accomplish or assist
     in accomplishing the act, or
   – involves or uses computer hardware or software to store,
     preserve, assimilate, or secrete any evidence or any fruits of the
     act, or
   – unlawfully accesses, invades or violates computer hardware or
     software integrity in accomplishing or in attempting to perform
     the act
      • notice by this definition, that a murder committed by bashing someone’s
        head with a computer monitor would be considered a computer crime!
   Active vs Passive Computer Crimes
• An active crime is considered one in which the
  crime itself was committed using a computer
  – for instance, illegally accessing a bank account and
    altering the data for profit or illegally accessing some
    file server to steal software being developed
  – a majority of computer crimes are active
• A passive crime is one in which the computer was
  used in support of the crime itself
  – for instance, illegally accessing a building’s
    schematics so that one can break into the building and
    physically steal something, or using the Internet to
    monitor communications in preparation for a
    kidnapping or assassination attempt
     Federal and State Legislation
• The federal government has issued a number of
  laws but primarily leaves the legislation up to
  each individual state
  – States have three different approaches
     • Modifying existing laws by incorporating new concepts
        – such as adding computer-based fraud to the law dealing with fraud
        – this is what Ohio has largely done
     • Setting up new definitions and offenses to handle the new
       crimes as they are discovered
        – California state legislature meets often to examine and update their
          computer crime legislation
     • Nothing at all
        – Kentucky for instance has some state laws against computer crime
          (namely, unauthorized access), but lacks complete legislation
                 Federal Legislation
• Title 18, Chapter 47, Law 1030
   – Fraud and related activity in connection with computers
   – Whoever having knowingly accessed a computer without
     authorization or exceeding authorized access …
      • obtained information that has been determined by the United States
        Government pursuant to an Executive order or statute to require
        protection against unauthorized disclosure
      • or to the advantage of any foreign nation willfully communicates,
        delivers, transmits, or causes to be communicated, delivered, or
        transmitted, or attempts to communicate, deliver, transmit or cause to be
        communicated, delivered, or transmitted
      • obtains information contained in a financial record of a financial
        institution, information from any department or agency of the United
        States, or information from any protected computer if the conduct
        involved an interstate or foreign communication
      • knowingly and with intent to defraud
                    1030 Continued
   – knowingly causes the transmission of a program, information, code, or
     command, and as a result of such conduct, intentionally causes damage
     without authorization, to a protected computer, recklessly causes
   – caused loss to 1 or more persons during any 1-year period aggregating
     at least $5,000 in value
   – the modification or impairment, or potential modification or
     impairment, of the medical examination, diagnosis, treatment, or care
     of 1 or more individuals
   – physical injury to any person, or a threat to public health or safety or
     damage affecting a computer system used by or for a government entity
     in furtherance of the administration of justice, national defense, or
     national security
   – with intent to extort from any person any money or other thing of
     value, transmits in interstate or foreign commerce any communication
     containing any threat to cause damage to a protected computer
• The punishment for an offense is
   – a fine under this title or imprisonment for not more than twenty years,
     or both
          Other Federal Legislation
• There is a related law that deals with
   – fraud related to activities with access devices
      • e.g., telephone system devices, credit card authorization devices, device
        making instruments, scanner receiver (as used in wire transfers)
   – fraud related to electronic mail (spam)
      • this includes fraudulent claims in the email, or the quantity of emails
      • this law limits the volume of electronic mail messages transmitted to
        under 2,500 during any 24-hour period, 25,000 during any 30-day
        period, or 250,000 during any 1-year period
   – wire, television, radio fraud
      • these pertain to transmission media more than computers
   – the law on criminal infringement of copyrighted material has
     been modified to include electronic means of copying and
 Electronics Communication Privacy Act
• Approved in 1986, this act:
   – protects against unlawful access to stored communications
   – protects against voluntary disclosure of customer
     communications or records
   – protects against wrongful disclosure of video tape rental or sale
   – requires disclosure of customer communications or records
   – requires backup preservation
• It also has clauses
   – that allow customers to examine and modify their personal
   – that require publication of the types of records that companies
   – for counterintelligence access to telephone toll and
     transactional records
       States With Computer Laws
•   Alabama         •   Iowa
•   Alaska          •   Maryland
•   Arizona         •   Minnesota
•   California      •   New Jersey
•   Colorado        •   New Mexico
•   Connecticut     •   New York
•   Delaware        •   North Carolina
•   Florida         •   Oregon
•   Georgia         •   Texas
•   Hawaii          •   Virginia
•   Idaho           •   Washington
•   Illinois        •   West Virginia
•   Indiana         •   Wisconsin
              Kentucky Legislature
• 434.845 Unlawful access to a computer in the first degree.
• (1) A person is guilty of unlawful access to a computer in the
  first degree when he or she, without the effective consent of
  the owner, knowingly and willfully, directly or indirectly
  accesses, causes to be accessed, or attempts to access any
  computer software, computer program, data, computer,
  computer system, computer network, or any part thereof, for
  the purpose of:
   – (a) Devising or executing any scheme or artifice to defraud; or
   – (b) Obtaining money, property, or services for themselves or another by
     means of false or fraudulent pretenses, representations, or promises.
• (2) Unlawful access to a computer in the first degree is a Class
  C felony.
• Effective: July 15, 2002
• 434.850 Unlawful access to a computer in the
  second degree.
• (1) A person is guilty of unlawful access to a
  computer in the second degree when he or she,
  without the effective consent of the owner, knowingly
  and willfully, directly or indirectly accesses, causes to
  be accessed, or attempts to access any computer
  software, computer program, data, computer,
  computer system, computer network, or any part
  thereof, which results in the loss or damage of three
  hundred dollars ($300) or more.
• (2) Unlawful access to a computer in the second
  degree is a Class D felony.
• Effective: July 15, 2002
• 434.851 Unlawful access in the third degree.
• (1) A person is guilty of unlawful access in the third
  degree when he or she, without the effective consent
  of the owner, knowingly and willfully, directly or
  indirectly accesses, causes to be accessed, or attempts
  to access any computer software, computer program,
  data, computer, computer system, computer network,
  or any part thereof, which results in the loss or
  damage of less than three hundred dollars ($300).
• (2) Unlawful access to a computer in the third degree
  is a Class A misdemeanor.
• Effective: July 15, 2002
• 434.853 Unlawful access in the fourth degree.
• (1) A person is guilty of unlawful access in the fourth
  degree when he or she, without the effective consent
  of the owner, knowingly and willfully, directly or
  indirectly accesses, causes to be accessed, or attempts
  to access any computer software, computer program,
  data, computer, computer system, computer network,
  or any part thereof, which does not result in loss or
• (2) Unlawful access to a computer in the fourth
  degree is a Class B misdemeanor.
• Effective: July 15, 2002
• 434.855 Misuse of computer information.
• (1) A person is guilty of misuse of computer
  information when he or she:
• (a) Receives, conceals, or uses, or aids another in
  doing so, any proceeds of a violation of KRS
  434.845; or
• (b) Receives, conceals, or uses or aids another in
  doing so, any books, records, documents, property,
  financial instrument, computer software, computer
  program, or other material, property, or objects,
  knowing the same to have been used in or obtained
  from a violation of KRS 434.845.
• (2) Misuse of computer information is a Class C
• Effective: July 15, 2002
• 434.860 Venue.
• For the purpose of venue under the provisions of KRS 434.845,
  434.850, 434.851, 434.853, or 434.855, any violation of KRS
  434.845, 434.850, 434.851, 434.853, or 434.855 shall be
  considered to have been committed: in any county in which any
  act was performed in furtherance of any transaction violating KRS
  434.845, 434.850, 434.851, 434.853, or 434.855; in any county in
  which any violator had control or possession of any proceeds of
  said violation or of any books, records, documents, property,
  financial instrument, computer software, computer program or
  other material, objects, or items which were used in furtherance of
  said violation; and in any county from which, to which or through
  which any access to a computer, computer system, or computer
  network was made whether by wires, electromagnetic waves,
  microwaves, or any other means of communication.
• Effective: July 15, 2002
   UK Computer Misuse Act (1990)
• 1(1) A person is guilty of an offence if:
   – a) He causes a computer to perform any function with intent to secure
     access to any program or data held in a computer;
   – b) the access he intends to secure is unauthorized; and
   – c) he knows at the time when he causes the computer to perform the
     function that this is the case.
• 1(2) the intent a person has to commit an offence under this
  section need not be directed at
   – a) any particular program or data
   – b) a program or data of any particular kind; or
   – c) a program or data held in any particular computer.
• 1(3) a person guilty of an offence under this section shall be
  liable on summary conviction to imprisonment for a term not
  exceeding six months or to a fine not exceeding level 5 on the
  standard scale or both.
• 2(1) a person is guilty of an offence under this section if he
  commits an offence under section 1 above ("the unauthorized
  access offence") with intent
   – a) to commit an offence to which this section applies; or
   – b) to facilitate the commission of such an offence (whether by himself or by
     any other person) and the offence he intends to commit or facilitate is
     referred to below in this section as the further offence.
• 2(2) this section applies to offences
   – a) for which the sentence is fixed by law; or
   – b) for which a person of twenty one years of age or over (not previously
     convicted) may be sentenced to imprisonment for a term of five years (or in
     England and Wales might be so sentenced but for the restrictions imposed
     by section 33 of the Magistrates Courts Act 1980).
• 2(5) a person guilty of an offence under this section shall be liable
   – a) on summary conviction, to imprisonment for a term not exceeding six
     months or to a fine not exceeding the statutory maximum or both; and
   – b) on conviction on indictment, to imprisonment for a term not exceeding
     five years, or to a fine, or both.
• 3(1) A person is guilty of an offence if
   – a) he does any act which causes the unauthorized modification of the contents
     of any computer; and
   – b) at the time when he does the act he has the requisite intent and the requisite
• 3(2) for the purposes of subsection 3(1)b above the requisite intent
  is an intent to cause a modification of the contents of any computer
  and by so doing
   – a) to impair the operation of any computer;
   – b) to prevent or hinder access to any program or data held in any computer; or
   – c) to impair the operation of any such program or the reliability of any such
• 3(3) the intent need not be directed at
   – a) any particular computer;
   – b) any particular program or data or a program or data of any particular kind;
   – c) any particular modification or a modification of any particular kind.
• 3(4) For the purpose of subsection 1b above, the
  requisite knowledge is knowledge that any
  modification he intends to cause is unauthorized.
• 3(5) it is immaterial for the purposes of this section
  whether an unauthorized modification or any
  intended effect of it of a kind mentioned in subsection
  (2) above is, or is intended to be, permanent or
  merely temporary.
• The bill’s critics charged that it was introduced
  hastily and was poorly thought out.
   – intention is difficult to prove
   – the bill inadequately differentiates “joyriding” crackers
     from serious computer criminals
• The Act has become a model upon which several
  other countries have drawn such as Canada, Ireland
         Types of Computer Crimes
• Computer as the target
   – theft of intellectual property, blackmail of information gained
     through electronic files
• Computer as the instrument
   – fraud (credit card fraud, fraudulent use of ATM accounts, stock
     market transfers, telecommunications fraud), theft of
     (electronic) money
• Computer incidental to the crime
   – computers used in support, e.g., money laundering, record
     keeping, tracking of targets, etc
• Computer associated with the prevalence of the crime
   – software piracy/counterfeiting, copyright violation of software,
     counterfeit hardware, black market sales of hardware and
     software, theft of equipment and new technologies
                   Specific Crimes
• Denial of service (which might be performed for
  extortion or sabotage)
• Fraud, which encompasses many possible actions
    – employees altering data, making false entries
    – unauthorized access that leads to altering, destroying,
      suppressing, or stealing data or output
    – altering or misusing existing system tools or software packages
    – or altering or writing code for fraudulent purposes
    – manipulating banking systems to make unauthorized identity
•   Harassment by computer (cyberstalking, defamation)
•   Pornography
•   Copyright infringement
•   Larceny (theft) of software or data
•   Malicious software (viruses, trojan horses, worms, logic
    bombs, spyware, backdoors)
               History of Viruses
• Early 1970s – Creeper virus detected on ARPANET
   – a virus was implemented called Reaper to seek out and kill
• 1974 – Rabbit virus (named because of how quickly
  it spread) appears
• 1975 – Pervading Animal, a game implemented on
  the UNIVAC
   – unknown whether this was the first Trojan Horse program
     or a program with unintentional bugs
• 1980 – Masters thesis regarding self-replication of
• 1982 – Elk Cloner introduced, virus that affected
  Apple II computers, first to spread by floppy disk
• 1983 – term virus first coined, renamed computer
  virus in 1984
• 1986 – Brain boot sector virus released, first known
  virus targeting IBM PC computers
• 1986 – Virdem model of programs introduced
    – programs that could replicate by placing their own
      executable code into DOS .com files
• 1987 – Cascade, first self-encrypting virus
• 1987 – Jerusalem virus unleashed
    – in 1988 would become a world-wide epidemic
•   1988 – Morris Internet worm
•   1988 – first antiviral software released
•   1990 – polymorphic viruses introduced
•   1992 – Michelangelo virus
    – was discovered before it could do worldwide damage and
      was minimized
• 1995 – Concept virus (first macro virus)
• 1999 – Melissa Worm released targeting MS Outlook
• 2000 – Loveletter (ILOVEYOU) worm released
  – as of 2004, this has been the most costly worm released
• 2001 – Ramen Worm
  – like Morris Worm but affects Red Hat Linux systems
• 2001 – Sadmind worm affects Sun workstations and
  Microsoft Internet Information Services both
• 2001 – Code Red, Code Red II, Nimda, Klez worms
• 2003 – SQL Slammer Worm attacks MS SQL servers
• 2003-2004 – also saw Blaster worm, Sobig worm,
  MyDoom (fastest spreading worm ever)
• Illegally attempting to gain sensitive information from
  people for the purpose of computer-based fraud, these
  attempts can include
   – social engineering
   – password cracking
   – packet sniffing
      • listening over a network for sensitive information (e.g., someone
        emailing a password), wireless networks have been especially
        susceptible in the past
   – link manipulation for website spoofing
      • sending an email with a phony link, causing the unsuspecting person to
        go to a phony website rather than the intended website
   – website forgery
      • in addition to website spoofing, javascript code can do such things as
        change the address bar to make the website look legitimate
   – phone phishing
      • getting someone to dial-up your computer and thus gain sensitive
                   Kevin Mitnick
• Started off forging bus punch cards with his own card
• He then moved into phreaking
   – in 1979 broke into DEC system when a friend gave him their
     dial-up phone number, was convicted
• Later, would change his identity by obtaining birth
  certificates of children who died by the time they were 3
  years old
• He continued to break into people’s computer systems
  but was ultimately caught when he hacked into the
  system of Tsutomu Shimomura, who tracked him down
   – supporters of Mitnick have claimed that many of the charges
     against him were fraudulent!
   – he now runs his own computer security firm and is a highly
     sought public speaker
                         Morris Worm
• Robert Morris, a Professor at MIT, is notable for
  releasing a WORM on the Internet in 1988
   – his idea, as a graduate student at Cornell, was to demonstrate
     the security holes in Unix and also gauge the size of the Internet
     at the time
   – he claims that he had no idea that the WORM would spread so
     far or rapidly or affect as many computers as it did
   – the WORM would attempt to gain access to an Internet host by
      •   overflowing the finger utility’s buffer
      •   overflowing the sendmail buffer
      •   trying simple or no passwords to break into accounts
      •   using rsh to access computers of the same server
   – once it was able to access the host computer, it would attempt to
     make copies of itself on all computers accessible via this host’s
     host table
                     Jonathan James
• The first juvenile to be convicted of computer crimes (at
  16 years old)
• His crimes all revolve around unauthorized access
   – he used the free Nmap security scanning system to scan host
     computers for flaws in Sun’s remote procedure call services
   – he hacked into Bell-South, Miami-Dade school system, and
     NASA (Huntsville)
      • through his NASA break-in, he stole international space station
   – he hacked into a DoD server and installed a backdoor and a
     sniffer from which he intercepted thousands of messages
     including user names/passwords
      • he was thus able to hack into the DoD’s Defense Threat Reduction
        Agency system
    Two More Computer Criminals
• Adam Botbyl
  – In the 90s was able to gain access to the nationwide computer
    system used by Lowe’s hardware by finding an open wireless
    LAN point at Lowe’s in Michigan
     • He and some friends eventually used their access to capture credit card
       information (the government claims that the crime caused more than
       $2.5M in damages)
• Dennis Moran
  – Known as Coolio, was responsible for a number of denial of
    service attacks in 2000
     • he used a Smurf attack (spoofed ping messages) to generate over 1
       gigabit per second of message traffic
  – He followed these up by defacing various websites and
    unauthorized access to the US army and airforce computer
• In the 1980s, a group of hackers formed the Legion of
   – although they were hackers, some were white hackers and they
     tried to contribute to society through the publication of
     technical journals
      • through which they shared their combined knowledge of hacking
   – some members left the LOD to form the Masters of Deception
      • this group was far more underground and often communicated through
        “hijacked” phone and Internet lines
      • unlike the LOD, they did not share their expertise with the outside
   – in 1990-91, a MOD member shut down a bulletin board of the
     LOD which led to the Great Hacker War between the two
     groups (and included other hackers as well)
      • the result was the eventual destruction of the LOD as the MOD shut
        down the LOD methods of communication
          – for instance by taking control of all TCP/IP entry points in Texas where
            much of the LOD lived
• Cyberterrorism can be defined as the use of information
  technology by terrorist groups and individuals to further
  their agenda
   – this can include use of information technology to organize and
     execute attacks against networks, computer systems and
     telecommunications infrastructures, or for exchanging
     information or making threats electronically
• Examples include
   –   hacking into computer systems
   –   introducing viruses to vulnerable networks
   –   web site defacing
   –   denial-of-service attacks
   –   terrorist threats made via electronic communication
• Information warfare occurs when these actions are
  performed by one entity in order to gain a competitive
  advantage over another entity
• Law enforcement agencies estimate that
  electronic communications are a factor in from
  20 percent to 40 percent of all stalking cases
• Forty-four states now have laws that explicitly
  include electronic forms of communication
  within stalking or harassment laws
• State laws that do not include specific
  references to electronic communication may
  still apply to those who threaten or harass
  others online, but specific language can make
  the laws easier to enforce
    Prevalence of Computer Crimes
• It is expected that as the computer becomes more
  prevalent in society, so do computer crimes
  – interestingly, computer crimes are often committed by
    people who do not have expertise in software or
    computer technology
     • crimes are often committed by people who can use the
       technology because it is so user friendly!
• Some cite the increasing number of computer
  crimes as an epidemic
• In many cases, the law enforcement agencies are
  not set up to handle the crimes
  – they do not have the expertise
        Training Law Enforcement
• One expert recommends the following immediate training:
   – introduction to computer evidence awareness
   – identification, collection, transportation and preservation of
     electronic evidence and related components
   – where to find data recovery experts
• In addition, computer technology skills must be taught
  to at least some subset of the law enforcement
  community including
   – operating system technologies, information management
     skills, data collection and organization, database design,
     statistical analysis, data protection and encryption, and how
     computers are used to commit computer crimes
          The Patriot Act (HR 3162)
• Signed by President Bush on October 26
• Adds terrorism offenses, computer fraud, and abuse offenses to
  the list of predicates for obtaining Title III wiretaps
• Also permits roving wiretaps under the Foreign Intelligence
  Surveillance Act of 1978 (FISA) in the same manner as they are
  permitted under Title III wiretaps
• Intelligence information obtained from wiretaps may be shared
  with law enforcement, intelligence, immigration, or national
  security personnel
• Recipients can use the information only in the conduct of their
  duties and are subject to the limitations in current law of
  unauthorized disclosure of wiretap information.
• Also expands the use of traditional pen register or trap and trace
  devices (captures the telephone numbers of incoming callers) so
  that they apply not just to telephones, but also to Internet
  communications so long as they exclude "content"
