crimes.ppt 135KB Jun 23 2011 10:20:18 AM
Cyberlaw and Computer Crimes
• Surprisingly it wasn’t until 1986 that we had any
laws at all (in the US) regarding prosecution of
computer crimes
– even once legislature was being passed, it was unclear
what jurisdiction the FBI had in tracking down
computer criminals, nor did the FBI have expertise in
tracking down computer criminals
• What is the status today of cyberlaw? What
constitutes a computer crime? What does law
enforcement do about it?
Crackers/Hackers
• Early crimes were committed by computer programmers
who were pushing the boundaries of what could be done
on a computer
– generally, hackers are thought of as benevolent criminals – just
trying things out, possibly even for positive purposes (alerting
a company of their security holes)
– crackers are those who perform illegal access for criminal
purposes
• See the site regarding black and white hat crackers and
the wikipedia site on black hat and white hat crackers
– http://www.itsecurity.com/features/top-10-famous-hackers-042
407/
– http://en.wikipedia.org/wiki/Black_Hat
– http://en.wikipedia.org/wiki/White_hat
Phreaking
• Early hackers targeted the telephone network
– John Draper (known as Captain Crunch) discovered
through a blind friend that the whistle found in
Captain Crunch cereal could be modified to emit the
frequency that was used by AT&T to indicate that a
long distance phone line was available
• this caused one side of the line to enter “operator mode”
• with proper hardware, he was able to then specify
frequencies equivalent to tones for dialing a number and
thus received free long distance
• he placed the whistle and other devices into a blue box
• he and Steve Wozniak used this technique to call the Pope!
• Draper was arrested in 1972 for phone fraud
More Approaches
• Another approach was used by Kevin Poulsen
who actually broke into telephone switching
boxes to reroute lines
– he used this to win a porsche from a radio station
• Red Boxes
– Another approach is to mimic the sound of coins
dropping into a pay phone
– Actually, what you mimic is the frequency of sound
made when a quarter goes through the slot
• a Radio Shack tone dialer could be used, and this
manipulated version was called a red box, a black market
appeared in society dealing with the crystals needed to
modulate the proper frequency
Telephones and Computer Attacks
• Phreaking is not really related to computer crime as these
sorts of crimes were done largely without computers
• However, it has led to some innovations
– consider a computer system that permits dial-up access
– the OS will keep track of failed log in attempts and then
disallow further attempts from the given telephone caller ID
after some number of failures (say 5)
– however, it is possible, using a computer, to either mask or alter
the caller ID so that more attempts can be tried
– and therefore, a program which attempts to log in by trying all
possible passwords may still succeed because the computer will
mask or alter the caller ID value so that the OS does not block
out further attempts!
• more information on phreaking and telephone attacks can be found at
http://www.robson.org/gary/writing/phreaking.html
A Definition of Computer Crime
• One author states that a computer crime is:
– unauthorized access of a computer, creating or releasing a
malicious computer program, or harassment and stalking in
cyberspace
• Notice that this definition does not claim that
embezzlement or fraud, accomplished by using a
computer, is a crime
– this is because embezzlement and fraud are already crimes,
and all that has changed is the mechanism by which the
crime was committed
• Is it sufficient to define computer crimes as listed
above or do we have to also include a list of all
crimes that can be committed by computer?
A Different Definition
• A computer crime is any illegal act, the commission of
which (in whole or in part):
– targets computer hardware or software as its focal point, or
– utilizes computer hardware or software to accomplish or assist
in accomplishing the act, or
– involves or uses computer hardware or software to store,
preserve, assimilate, or secrete any evidence or any fruits of
the act, or
– unlawfully accesses, invades or violates computer hardware or
software integrity in accomplishing or in attempting to perform
the act
• notice by this definition, that a murder committed by bashing
someone’s head with a computer monitor would be considered a
computer crime!
Active vs Passive Computer Crimes
• An active crime is considered one in which the
crime itself was committed using a computer
– for instance, illegally accessing a bank account and
altering the data for profit or illegally accessing some
file server to steal software being developed
– a majority of computer crimes are active
• A passive crime is one in which the computer was
used in support of the crime itself
– for instance, illegally accessing a building’s
schematics so that one can break into the building and
physically steal something, or using the Internet to
monitor communications in preparation for a
kidnapping or assassination attempt
Federal and State Legislature
• The federal government has issued a number of
laws but primarily leaves the legislature up to
each individual state
– States have three different approaches
• Modifying existing laws by incorporating new concepts
– such as adding computer-based fraud to the dealing with fraud
– this is what Ohio has largely done
• Setting up new definitions and offenses to handle the new
crimes as they are discovered
– California state legislature meets often to examine and update their
computer crime legislature
• Nothing at all
– Kentucky for instance has some state laws against computer crime
(namely, unauthorized access), but lacks complete legislature
Federal Legislature
• Title 18, Chapter 47, Law 1030
– Fraud and related activity in connection with computers
– Whoever having knowingly accessed a computer without
authorization or exceeding authorized access …
• obtained information that has been determined by the United States
Government pursuant to an Executive order or statute to require
protection against unauthorized disclosure
• or to the advantage of any foreign nation willfully communicates,
delivers, transmits, or causes to be communicated, delivered, or
transmitted, or attempts to communicate, deliver, transmit or cause to be
communicated, delivered, or transmitted
• obtains information contained in a financial record of a financial
institution, information from any department or agency of the United
States, or information from any protected computer if the conduct
involved an interstate or foreign communication
• knowingly and with intent to defraud
1030 Continued
– knowingly causes the transmission of a program, information, code, or
command, and as a result of such conduct, intentionally causes damage
without authorization, to a protected computer, recklessly causes
damage
– caused loss to 1 or more persons during any 1-year period aggregating
at least $5,000 in value
– the modification or impairment, or potential modification or
impairment, of the medical examination, diagnosis, treatment, or care
of 1 or more individuals
– physical injury to any person, or a threat to public health or safety or
damage affecting a computer system used by or for a government
entity in furtherance of the administration of justice, national defense,
or national security
– with intent to extort from any person any money or other thing of
value, transmits in interstate or foreign commerce any communication
containing any threat to cause damage to a protected computer
• The punishment for an offense is
– a fine under this title or imprisonment for not more than twenty years,
or both
Other Federal Legislature
• There is a related law that deals with
– fraud related to activities with access devices
• e.g., telephone system devices, credit card authorization devices, device
making instruments, scanner receiver (as used in wire transfers)
– fraud related to electronic mail (spam)
• this includes fraudulent claims in the email, or the quantity of emails
transmitted
• this law limits the volume of electronic mail messages transmitted to
under 2,500 during any 24-hour period, 25,000 during any 30-day
period, or 250,000 during any 1-year period
– wire, television, radio fraud
• these pertain to transmission media more than computers
– the law on criminal infringement of copyrighted material has
been modified to include electronic means of copying and
distribution
Electronics Communication Privacy Act
• Approved in 1986, this act:
– protects against unlawful access to stored communications
– protects against voluntary disclosure of customer
communications or records
– protects against wrongful disclosure of video tape rental or sale
records
– requires disclosure of customer communications or records
– requires backup preservation
• It also has clauses
– that allow customers to examine and modify their personal
records
– that require publication of the types of records that companies
keep
– for counterintelligence access to telephone toll and
transactional records
States With Computer Laws
•
•
•
•
•
•
•
•
•
•
•
•
•
Alabama
Alaska
Arizona
California
Colorado
Connecticut
Delaware
Florida
Georgia
Hawaii
Idaho
Illinois
Indiana
•
•
•
•
•
•
•
•
•
•
•
•
•
Iowa
Maryland
Minnesota
New Jersey
New Mexico
New York
North Carolina
Oregon
Texas
Virginia
Washington
West Virginia
Wisconsin
Kentucky Legislature
• 434.845 Unlawful access to a computer in the first degree.
• (1) A person is guilty of unlawful access to a computer in the
first degree when he or she, without the effective consent of
the owner, knowingly and willfully, directly or indirectly
accesses, causes to be accessed, or attempts to access any
computer software, computer program, data, computer,
computer system, computer network, or any part thereof, for
the purpose of:
– (a) Devising or executing any scheme or artifice to defraud; or
– (b) Obtaining money, property, or services for themselves or another by
means of false or fraudulent pretenses, representations, or promises.
• (2) Unlawful access to a computer in the first degree is a Class
C felony.
• Effective: July 15, 2002
Continued
• 434.850 Unlawful access to a computer in the
second degree.
• (1) A person is guilty of unlawful access to a
computer in the second degree when he or she,
without the effective consent of the owner, knowingly
and willfully, directly or indirectly accesses, causes to
be accessed, or attempts to access any computer
software, computer program, data, computer,
computer system, computer network, or any part
thereof, which results in the loss or damage of three
hundred dollars ($300) or more.
• (2) Unlawful access to a computer in the second
degree is a Class D felony.
• Effective: July 15, 2002
Continued
• 434.851 Unlawful access in the third degree.
• (1) A person is guilty of unlawful access in the third
degree when he or she, without the effective consent
of the owner, knowingly and willfully, directly or
indirectly accesses, causes to be accessed, or attempts
to access any computer software, computer program,
data, computer, computer system, computer network,
or any part thereof, which results in the loss or
damage of less than three hundred dollars ($300).
• (2) Unlawful access to a computer in the third degree
is a Class A misdemeanor.
• Effective: July 15, 2002
Continued
• 434.853 Unlawful access in the fourth degree.
• (1) A person is guilty of unlawful access in the fourth
degree when he or she, without the effective consent
of the owner, knowingly and willfully, directly or
indirectly accesses, causes to be accessed, or attempts
to access any computer software, computer program,
data, computer, computer system, computer network,
or any part thereof, which does not result in loss or
damage.
• (2) Unlawful access to a computer in the fourth
degree is a Class B misdemeanor.
• Effective: July 15, 2002
Continued
• 434.855 Misuse of computer information.
• (1) A person is guilty of misuse of computer
information when he or she:
• (a) Receives, conceals, or uses, or aids another in
doing so, any proceeds of a violation of KRS
434.845; or
• (b) Receives, conceals, or uses or aids another in
doing so, any books, records, documents, property,
financial instrument, computer software, computer
program, or other material, property, or objects,
knowing the same to have been used in or obtained
from a violation of KRS 434.845.
• (2) Misuse of computer information is a Class C
felony.
• Effective: July 15, 2002
Continued
• 434.860 Venue.
• For the purpose of venue under the provisions of KRS 434.845,
434.850, 434.851, 434.853, or 434.855, any violation of KRS
434.845, 434.850, 434.851, 434.853, or 434.855 shall be
considered to have been committed: in any county in which any
act was performed in furtherance of any transaction violating KRS
434.845, 434.850, 434.851, 434.853, or 434.855; in any county in
which any violator had control or possession of any proceeds of
said violation or of any books, records, documents, property,
financial instrument, computer software, computer program or
other material, objects, or items which were used in furtherance of
said violation; and in any county from which, to which or through
which any access to a computer, computer system, or computer
network was made whether by wires, electromagnetic waves,
microwaves, or any other means of communication.
• Effective: July 15, 2002
UK Computer Misue Act (1990)
• 1(1) A person is guilty of an offence if:
– a) He causes a computer to perform any function with intent to secure
access to any program or data held in a computer;
– b) the access he intends to secure is unauthorized; and
– c) he knows at the time when he causes the computer to perform the
function that this is the case.
• 1(2) the intent a person has to commit an offence under this
section need not be directed at
– a) any particular program or data
– b) a program or data of any particular kind; or
– c) a program or data held in any particular computer.
• 1(3) a person guilty of an offence under this section shall be
liable on summary conviction to imprisonment for a term not
exceeding six Months or to a fine not exceeding level 5, on the
standard scale or both.
Continued
• 2(1) a person is guilty of an offence under this section if he
commits an offence under section 1 above ("the unauthorized
access offence") With intent
– a) to commit an offence to which this section applies; or
– b) to facilitate the commission of such an offence (whether by himself or by
any other person) and the offence he intends to commit or facilitate is
referred to below in this section as the further offence.
• 2(2) this section applies to offences
– a) for which the sentence is fixed by law; or
– b) for which a person of twenty one years of age or over (not previously
convicted) may be sentenced to imprisonment for a term of five years (or in
England and Wales might be so sentenced but for the restrictions imposed
by section 33 of the Magistrates Courts Act 1980).
• 2(5) a person guilty of an offence under this section shall be liable
– a) on summary conviction, to imprisonment for a term not exceeding six
months or to a fine not exceeding the statutory maximum or both; and
– b) on conviction on indictment, to imprisonment for a term not exceeding
five years, or to a fine, or both.
Continued
• 3(1) A person is guilty of an offence if
– a) he does any act which causes the unauthorized modification of the contents
of any computer; and
– b) at the time when he does the act he has the requisite intent and the requisite
knowledge.
• 3(2) for the purposes of subsection 3(1)b above the requisite intent
is an intent to cause a modification of the contents of any computer
and by so doing
– a) to impair the operation of any computer;
– b) to prevent or hinder access to any program or data held in any computer; or
– c) to impair the operation of any such program or the reliability of any such
data.
• 3(3) the intent need not be directed at
– a) any particular computer;
– b) any particular program or data or a program or data of any particular kind;
or
– c) any particular modification or a modification of any particular kind.
Continued
• 3(4) For the purpose of subsection 1b above, the
requisite knowledge is knowledge that any
modification he intends to cause is unauthorized. 3(5)
it is immaterial for the purposes of this section
whether an unauthorized modification or any
intended effect of it of a kind mentioned in subsection
(2) above is, or is intended to be, permanent or
merely temporary.
• The bill’s critics charging that it was introduced
hastily and was poorly thought out.
– intention is difficult to prove
– the bill inadequately differentiates “joyriding” crackers
from serious computer criminals
• The Act has become a model upon which several
other countries have drawn such as Canada, Ireland
Types of Computer Crimes
• Computer as the target
– theft of intellectual property, blackmail of information gained
through electronic files
• Computer as the instrument
– fraud (credit card fraud, fraudulent use of ATM accounts, stock
market transfers, telecommunications fraud), theft of
(electronic) money
• Computer incidental to the crime
– computers used in support, e.g., money laundering, record
keeping, tracking of targets, etc
• Computer associated with the prevalence of the crime
– software piracy/counterfeiting, copyright violation of software,
counterfeit hardware, black market sales of hardware and
software, theft of equipment and new technologies
Specific Crimes
• Denial of service (which might be performed for
extortion or sabotage)
• Fraud, which encompasses many possible actions
– employees altering data, making false entries
– unauthorized access that leads to altering, destroying,
suppressing, or stealing data or output
– altering or misusing existing system tools or software packages
– or altering or writing code for fraudulent purposes
– manipulating banking systems to make unauthorized identity
theft.
•
•
•
•
•
Harassment by computer (cyberstalking, defamation)
Pornography
Copyright infringement
Larceny (theft) of software or data
Malicious software (viruses, trojan horses, worms, logic
bombs, spyware, backdoors)
History of Viruses
• Early 1970s – creeper virus detected on ARPANET
– a virus was implemented called Reaper to seek out and kill
creeper
• 1974 – Rabbit virus (named because of how quickly
it spread) appears
• 1975 – Pervading Animal, a game implemented on
the UNIVAC
– unknown whether this was the first Trojan Horse program
or a program with unintentional bugs
• 1980 – Masters thesis regarding self-replication of
programs
• 1982 – Elk Cloner introduced, virus that affected
Apple II computers, first to spread by floppy disk
• 1983 – term virus first coined, renamed computer
virus in 1984
Continued
• 1986 – Brain boot sector virus released, first known
virus targeting IBM PC computers
• 1986 – Virdem model of programs introduced
– programs that could replicate by placing their own
executable code into DOS .com files
• 1987 – Cascade, first self-encrypting virus
• 1987 – Jerusalem virus unleashed
– in 1988 would become a world-wide epidemic
•
•
•
•
1988 – Morris Internet worm
1988 – first antiviral software released
1990 – polymorphic viruses introduced
1992 – Michelangelo virus
– was discovered before it could do worldwide damage and
was minimized
Continued
• 1995 – Concept virus (first macro virus)
• 1999 – Melissa Worm released targeting MS Outlook
• 2000 – Loveletter (ILOVEYOU) worm released
– as of 2004, this has been the most costly worm released
• 2001 – Ramen Worm
– like Morris Worm but affects Linux Redhat systems
• 2001 – Sadmind worm affects Sun workstations and
Microsoft Internet Information Services both
• 2001 – Code Red, Code Red II, Nimda, Klez worms
• 2003 – SQL Slammer Worm attacks MS SQL servers
• 2003-2004 – also saw Blaster worm, Sobig worm,
MyDoom (fastest spreading worm ever)
Phishing
• Illegally attempting to gain sensitive information from
people for the purpose of computer-based fraud, these
attempts can include
– social engineering
– password cracking
– packet sniffing
• listening over a network for sensitive information (e.g., someone
emailing a password), wireless networks have been especially
susceptible in the past
– link manipulation for website spoofing
• sending an email with a phony link, causing the unsuspecting person to
go to a phony website rather than the intended website
– website forgery
• in addition to website spoofing, javascript code can do such things as
change the address bar to make the website look legitimate
– phone phishing
• getting someone to dial-up your computer and thus gain sensitive
information
Kevin Mitnick
• Started off forging bus punch cards with his own card
puncher
• He then moved into phreaking
– in 1979 broke into DEC system when a friend gave him their
dial-up phone number, was convicted
• Later, would change his identity by obtaining birth
certificates of children who died by the time they were 3
years old
• He continued to break into people’s computer systems
but was ultimately caught when he hacked into the
system of Tsutomu Shimomura, who tracked him down
– supporters of Mitnick have claimed that many of the charges
against him were fraudulent!
– he now runs his own computer security firm and is a highly
sought public speaker
Morris Worm
• Robert Morris, a Professor at MIT, is notable for
releasing a WORM on the Internet in 1988
– his idea, as a graduate student at Cornell, was to demonstrate
the security holes in Unix and also gauge the size of the Internet
at the time
– he claims that he had no idea that the WORM would spread so
far or rapidly or affect as many computers as it did
– the WORM would attempt to gain access to an Internet host by
•
•
•
•
overflowing the finger utility’s buffer
overflowing the sendmail buffer
try simple or no passwords to break into accounts
use rsh to access computers of the same server
– once it was able to access the host computer, it would attempt
to make copies of itself on all computers accessible via this
host’s host table
Jonathon James
• The first juvenile to be convicted of computer crimes (at
16 years old)
• His crimes all revolve around unauthorized access
– he used the free Nmap security scanning system to scan host
computers for flaws in Sun’s remote procedure call services
– he hacked into Bell-South, Miami-Dade school system, and
NASA (Huntsville)
• through his NASA break-in, he stole international space station
software
– he hacked into a DoD server and installed a backdoor and a
sniffer from which he intercepted thousands of messages
including user names/passwords
• he was thus able to hack into the DoD’s Defense Threat Reduction
Agency system
Two More Computer Criminals
• Adam Botbyl
– In the 90s was able to gain access to national-wide computer
system used by Lowe’s hardware by finding an open wireless
LAN point at Lowe’s in Michigan
• He and some friends eventually used their access to capture credit card
information (the government claims that the crime caused more than
$2.5M in damages)
• Dennis Moran
– Known as Coolio, was responsible for a number of denial of
service attacks in 2000
• he used a Smurf attack (spoofed ping messages) to generate over 1
gigabit per second message traffice
– He followed these up by defacing various websites and
unauthorized access to the US army and airforce computer
systems
LOD/MOD
• In the 1980s, a group of hackers formed the Legion of
Doom
– although they were hackers, some were white hackers and they
tried to contribute to society through the publication of
technical journals
• through which they shared their combined knowledge of hacking
– some members left the LOD to form the Masters of Deception
• this group was far more underground and often communicated through
“hijacked” phone and Internet lines
• unlike the LOD, they did not share their expertise with the outside
communities
– in 1990-91, a MOD member shut down a bulletin board of the
LOD which led to the Great Hacker War between the two
groups (and included other hackers as well)
• the result was the eventual destruction of the LOD as the MOD shut
down the LOD methods of communication
– for instance by taking control of all TCP/IP entry points in Texas where
much of the LOD lived
Cyberterrorism
• Cyberterrorism can be defined as the use of information
technology by terrorist groups and individuals to further
their agenda
– this can include use of information technology to organize and
execute attacks against networks, computer systems and
telecommunications infrastructures, or for exchanging
information or making threats electronically
• Examples include
–
–
–
–
–
hacking into computer systems
introducing viruses to vulnerable networks
web site defacing
denial-of-service attacks
terrorist threats made via electronic communication
• Information warfare occurs when these actions are
performed by one entity in order to gain a competitive
advantage over another entity
Cyberstalking
• Law enforcement agencies estimate that
electronic communications are a factor in from
20 percent to 40 percent of all stalking cases
• Forty-four states now have laws that explicitly
include electronic forms of communication
within stalking or harassment laws
• State laws that do not include specific
references to electronic communication may
still apply to those who threaten or harass
others online, but specific language can make
the laws easier to enforce
Prevalence of Computer Crimes
• It is expected that as the computer is more
prevalent in society, so are computer crimes
– interestingly, computer crimes are often committed by
people who do not have expertise in software or
computer technology
• crimes are often committed by people who can use the
technology because it is so user friendly!
• Some cite the increasing number of computer
crimes as an epidemic
• In many cases, the law enforcement agencies are
not set up to handle the crimes
– they do not have the expertise
Training Law Enforcement
• One expert recommends the following, immediate:
– introduction to computer evidence awareness
– identification, collection, transportation and preservation of
electronic evidence and related components
– where to find data recovery experts
• In addition, computer technology skills must be taught
to at least some subset of the law enforcement
community including
– operating system technologies, information management
skills, data collection and organization, database design,
statistical analysis, data protection and encryption, and how
computers are used to commit computer crimes
The Patriot Act (HR 3162)
• Signed by President Bush on October 26
• Adds terrorism offenses, computer fraud, and abuse offenses to the
list of predicates for obtaining Title III wiretaps
• Also permits roving wiretaps under the Foreign Intelligence
Surveillance Act of 1978 (FISA) in the same manner as they are
permitted under Title III wiretaps
• Intelligence information obtained from wiretaps may be shared
with law enforcement, intelligence, immigration, or national
security personnel
• Recipients can use the information only in the conduct of their
duties and are subject to the limitations in current law of
unauthorized disclosure of wiretap information.
• Also expands the use of traditional pen register or trap and trace
devices (captures the telephone numbers of incoming callers) so
that they apply not just to telephones, but also to Internet
communications so long as they exclude "content"
• Surprisingly it wasn’t until 1986 that we had any
laws at all (in the US) regarding prosecution of
computer crimes
– even once legislature was being passed, it was unclear
what jurisdiction the FBI had in tracking down
computer criminals, nor did the FBI have expertise in
tracking down computer criminals
• What is the status today of cyberlaw? What
constitutes a computer crime? What does law
enforcement do about it?
Crackers/Hackers
• Early crimes were committed by computer programmers
who were pushing the boundaries of what could be done
on a computer
– generally, hackers are thought of as benevolent criminals – just
trying things out, possibly even for positive purposes (alerting
a company of their security holes)
– crackers are those who perform illegal access for criminal
purposes
• See the site regarding black and white hat crackers and
the wikipedia site on black hat and white hat crackers
– http://www.itsecurity.com/features/top-10-famous-hackers-042
407/
– http://en.wikipedia.org/wiki/Black_Hat
– http://en.wikipedia.org/wiki/White_hat
Phreaking
• Early hackers targeted the telephone network
– John Draper (known as Captain Crunch) discovered
through a blind friend that the whistle found in
Captain Crunch cereal could be modified to emit the
frequency that was used by AT&T to indicate that a
long distance phone line was available
• this caused one side of the line to enter “operator mode”
• with proper hardware, he was able to then specify
frequencies equivalent to tones for dialing a number and
thus received free long distance
• he placed the whistle and other devices into a blue box
• he and Steve Wozniak used this technique to call the Pope!
• Draper was arrested in 1972 for phone fraud
More Approaches
• Another approach was used by Kevin Poulsen
who actually broke into telephone switching
boxes to reroute lines
– he used this to win a porsche from a radio station
• Red Boxes
– Another approach is to mimic the sound of coins
dropping into a pay phone
– Actually, what you mimic is the frequency of sound
made when a quarter goes through the slot
• a Radio Shack tone dialer could be used, and this
manipulated version was called a red box, a black market
appeared in society dealing with the crystals needed to
modulate the proper frequency
Telephones and Computer Attacks
• Phreaking is not really related to computer crime as these
sorts of crimes were done largely without computers
• However, it has led to some innovations
– consider a computer system that permits dial-up access
– the OS will keep track of failed log in attempts and then
disallow further attempts from the given telephone caller ID
after some number of failures (say 5)
– however, it is possible, using a computer, to either mask or alter
the caller ID so that more attempts can be tried
– and therefore, a program which attempts to log in by trying all
possible passwords may still succeed because the computer will
mask or alter the caller ID value so that the OS does not block
out further attempts!
• more information on phreaking and telephone attacks can be found at
http://www.robson.org/gary/writing/phreaking.html
A Definition of Computer Crime
• One author states that a computer crime is:
– unauthorized access of a computer, creating or releasing a
malicious computer program, or harassment and stalking in
cyberspace
• Notice that this definition does not claim that
embezzlement or fraud, accomplished by using a
computer, is a crime
– this is because embezzlement and fraud are already crimes,
and all that has changed is the mechanism by which the
crime was committed
• Is it sufficient to define computer crimes as listed
above or do we have to also include a list of all
crimes that can be committed by computer?
A Different Definition
• A computer crime is any illegal act, the commission of
which (in whole or in part):
– targets computer hardware or software as its focal point, or
– utilizes computer hardware or software to accomplish or assist
in accomplishing the act, or
– involves or uses computer hardware or software to store,
preserve, assimilate, or secrete any evidence or any fruits of
the act, or
– unlawfully accesses, invades or violates computer hardware or
software integrity in accomplishing or in attempting to perform
the act
• notice by this definition, that a murder committed by bashing
someone’s head with a computer monitor would be considered a
computer crime!
Active vs Passive Computer Crimes
• An active crime is considered one in which the
crime itself was committed using a computer
– for instance, illegally accessing a bank account and
altering the data for profit or illegally accessing some
file server to steal software being developed
– a majority of computer crimes are active
• A passive crime is one in which the computer was
used in support of the crime itself
– for instance, illegally accessing a building’s
schematics so that one can break into the building and
physically steal something, or using the Internet to
monitor communications in preparation for a
kidnapping or assassination attempt
Federal and State Legislature
• The federal government has issued a number of
laws but primarily leaves the legislature up to
each individual state
– States have three different approaches
• Modifying existing laws by incorporating new concepts
– such as adding computer-based fraud to the dealing with fraud
– this is what Ohio has largely done
• Setting up new definitions and offenses to handle the new
crimes as they are discovered
– California state legislature meets often to examine and update their
computer crime legislature
• Nothing at all
– Kentucky for instance has some state laws against computer crime
(namely, unauthorized access), but lacks complete legislature
Federal Legislature
• Title 18, Chapter 47, Law 1030
– Fraud and related activity in connection with computers
– Whoever having knowingly accessed a computer without
authorization or exceeding authorized access …
• obtained information that has been determined by the United States
Government pursuant to an Executive order or statute to require
protection against unauthorized disclosure
• or to the advantage of any foreign nation willfully communicates,
delivers, transmits, or causes to be communicated, delivered, or
transmitted, or attempts to communicate, deliver, transmit or cause to be
communicated, delivered, or transmitted
• obtains information contained in a financial record of a financial
institution, information from any department or agency of the United
States, or information from any protected computer if the conduct
involved an interstate or foreign communication
• knowingly and with intent to defraud
1030 Continued
– knowingly causes the transmission of a program, information, code, or
command, and as a result of such conduct, intentionally causes damage
without authorization, to a protected computer, recklessly causes
damage
– caused loss to 1 or more persons during any 1-year period aggregating
at least $5,000 in value
– the modification or impairment, or potential modification or
impairment, of the medical examination, diagnosis, treatment, or care
of 1 or more individuals
– physical injury to any person, or a threat to public health or safety or
damage affecting a computer system used by or for a government
entity in furtherance of the administration of justice, national defense,
or national security
– with intent to extort from any person any money or other thing of
value, transmits in interstate or foreign commerce any communication
containing any threat to cause damage to a protected computer
• The punishment for an offense is
– a fine under this title or imprisonment for not more than twenty years,
or both
Other Federal Legislature
• There is a related law that deals with
– fraud related to activities with access devices
• e.g., telephone system devices, credit card authorization devices, device
making instruments, scanner receiver (as used in wire transfers)
– fraud related to electronic mail (spam)
• this includes fraudulent claims in the email, or the quantity of emails
transmitted
• this law limits the volume of electronic mail messages transmitted to
under 2,500 during any 24-hour period, 25,000 during any 30-day
period, or 250,000 during any 1-year period
– wire, television, radio fraud
• these pertain to transmission media more than computers
– the law on criminal infringement of copyrighted material has
been modified to include electronic means of copying and
distribution
Electronics Communication Privacy Act
• Approved in 1986, this act:
– protects against unlawful access to stored communications
– protects against voluntary disclosure of customer
communications or records
– protects against wrongful disclosure of video tape rental or sale
records
– requires disclosure of customer communications or records
– requires backup preservation
• It also has clauses
– that allow customers to examine and modify their personal
records
– that require publication of the types of records that companies
keep
– for counterintelligence access to telephone toll and
transactional records
States With Computer Laws
•
•
•
•
•
•
•
•
•
•
•
•
•
Alabama
Alaska
Arizona
California
Colorado
Connecticut
Delaware
Florida
Georgia
Hawaii
Idaho
Illinois
Indiana
•
•
•
•
•
•
•
•
•
•
•
•
•
Iowa
Maryland
Minnesota
New Jersey
New Mexico
New York
North Carolina
Oregon
Texas
Virginia
Washington
West Virginia
Wisconsin
Kentucky Legislature
• 434.845 Unlawful access to a computer in the first degree.
• (1) A person is guilty of unlawful access to a computer in the
first degree when he or she, without the effective consent of
the owner, knowingly and willfully, directly or indirectly
accesses, causes to be accessed, or attempts to access any
computer software, computer program, data, computer,
computer system, computer network, or any part thereof, for
the purpose of:
– (a) Devising or executing any scheme or artifice to defraud; or
– (b) Obtaining money, property, or services for themselves or another by
means of false or fraudulent pretenses, representations, or promises.
• (2) Unlawful access to a computer in the first degree is a Class
C felony.
• Effective: July 15, 2002
Continued
• 434.850 Unlawful access to a computer in the
second degree.
• (1) A person is guilty of unlawful access to a
computer in the second degree when he or she,
without the effective consent of the owner, knowingly
and willfully, directly or indirectly accesses, causes to
be accessed, or attempts to access any computer
software, computer program, data, computer,
computer system, computer network, or any part
thereof, which results in the loss or damage of three
hundred dollars ($300) or more.
• (2) Unlawful access to a computer in the second
degree is a Class D felony.
• Effective: July 15, 2002
Continued
• 434.851 Unlawful access in the third degree.
• (1) A person is guilty of unlawful access in the third
degree when he or she, without the effective consent
of the owner, knowingly and willfully, directly or
indirectly accesses, causes to be accessed, or attempts
to access any computer software, computer program,
data, computer, computer system, computer network,
or any part thereof, which results in the loss or
damage of less than three hundred dollars ($300).
• (2) Unlawful access to a computer in the third degree
is a Class A misdemeanor.
• Effective: July 15, 2002
Continued
• 434.853 Unlawful access in the fourth degree.
• (1) A person is guilty of unlawful access in the fourth
degree when he or she, without the effective consent
of the owner, knowingly and willfully, directly or
indirectly accesses, causes to be accessed, or attempts
to access any computer software, computer program,
data, computer, computer system, computer network,
or any part thereof, which does not result in loss or
damage.
• (2) Unlawful access to a computer in the fourth
degree is a Class B misdemeanor.
• Effective: July 15, 2002
Continued
• 434.855 Misuse of computer information.
• (1) A person is guilty of misuse of computer
information when he or she:
• (a) Receives, conceals, or uses, or aids another in
doing so, any proceeds of a violation of KRS
434.845; or
• (b) Receives, conceals, or uses or aids another in
doing so, any books, records, documents, property,
financial instrument, computer software, computer
program, or other material, property, or objects,
knowing the same to have been used in or obtained
from a violation of KRS 434.845.
• (2) Misuse of computer information is a Class C
felony.
• Effective: July 15, 2002
Continued
• 434.860 Venue.
• For the purpose of venue under the provisions of KRS 434.845,
434.850, 434.851, 434.853, or 434.855, any violation of KRS
434.845, 434.850, 434.851, 434.853, or 434.855 shall be
considered to have been committed: in any county in which any
act was performed in furtherance of any transaction violating KRS
434.845, 434.850, 434.851, 434.853, or 434.855; in any county in
which any violator had control or possession of any proceeds of
said violation or of any books, records, documents, property,
financial instrument, computer software, computer program or
other material, objects, or items which were used in furtherance of
said violation; and in any county from which, to which or through
which any access to a computer, computer system, or computer
network was made whether by wires, electromagnetic waves,
microwaves, or any other means of communication.
• Effective: July 15, 2002
UK Computer Misue Act (1990)
• 1(1) A person is guilty of an offence if:
– a) He causes a computer to perform any function with intent to secure
access to any program or data held in a computer;
– b) the access he intends to secure is unauthorized; and
– c) he knows at the time when he causes the computer to perform the
function that this is the case.
• 1(2) the intent a person has to commit an offence under this
section need not be directed at
– a) any particular program or data
– b) a program or data of any particular kind; or
– c) a program or data held in any particular computer.
• 1(3) a person guilty of an offence under this section shall be
liable on summary conviction to imprisonment for a term not
exceeding six Months or to a fine not exceeding level 5, on the
standard scale or both.
Continued
• 2(1) a person is guilty of an offence under this section if he
commits an offence under section 1 above ("the unauthorized
access offence") With intent
– a) to commit an offence to which this section applies; or
– b) to facilitate the commission of such an offence (whether by himself or by
any other person) and the offence he intends to commit or facilitate is
referred to below in this section as the further offence.
• 2(2) this section applies to offences
– a) for which the sentence is fixed by law; or
– b) for which a person of twenty one years of age or over (not previously
convicted) may be sentenced to imprisonment for a term of five years (or in
England and Wales might be so sentenced but for the restrictions imposed
by section 33 of the Magistrates Courts Act 1980).
• 2(5) a person guilty of an offence under this section shall be liable
– a) on summary conviction, to imprisonment for a term not exceeding six
months or to a fine not exceeding the statutory maximum or both; and
– b) on conviction on indictment, to imprisonment for a term not exceeding
five years, or to a fine, or both.
Continued
• 3(1) A person is guilty of an offence if
– a) he does any act which causes the unauthorized modification of the contents
of any computer; and
– b) at the time when he does the act he has the requisite intent and the requisite
knowledge.
• 3(2) for the purposes of subsection 3(1)b above the requisite intent
is an intent to cause a modification of the contents of any computer
and by so doing
– a) to impair the operation of any computer;
– b) to prevent or hinder access to any program or data held in any computer; or
– c) to impair the operation of any such program or the reliability of any such
data.
• 3(3) the intent need not be directed at
– a) any particular computer;
– b) any particular program or data or a program or data of any particular kind;
or
– c) any particular modification or a modification of any particular kind.
Continued
• 3(4) For the purpose of subsection 1b above, the
requisite knowledge is knowledge that any
modification he intends to cause is unauthorized. 3(5)
it is immaterial for the purposes of this section
whether an unauthorized modification or any
intended effect of it of a kind mentioned in subsection
(2) above is, or is intended to be, permanent or
merely temporary.
• The bill’s critics charging that it was introduced
hastily and was poorly thought out.
– intention is difficult to prove
– the bill inadequately differentiates “joyriding” crackers
from serious computer criminals
• The Act has become a model upon which several
other countries have drawn such as Canada, Ireland
Types of Computer Crimes
• Computer as the target
– theft of intellectual property, blackmail of information gained
through electronic files
• Computer as the instrument
– fraud (credit card fraud, fraudulent use of ATM accounts, stock
market transfers, telecommunications fraud), theft of
(electronic) money
• Computer incidental to the crime
– computers used in support, e.g., money laundering, record
keeping, tracking of targets, etc
• Computer associated with the prevalence of the crime
– software piracy/counterfeiting, copyright violation of software,
counterfeit hardware, black market sales of hardware and
software, theft of equipment and new technologies
Specific Crimes
• Denial of service (which might be performed for
extortion or sabotage)
• Fraud, which encompasses many possible actions
– employees altering data, making false entries
– unauthorized access that leads to altering, destroying,
suppressing, or stealing data or output
– altering or misusing existing system tools or software packages
– or altering or writing code for fraudulent purposes
– manipulating banking systems to make unauthorized identity
theft.
•
•
•
•
•
Harassment by computer (cyberstalking, defamation)
Pornography
Copyright infringement
Larceny (theft) of software or data
Malicious software (viruses, trojan horses, worms, logic
bombs, spyware, backdoors)
History of Viruses
• Early 1970s – creeper virus detected on ARPANET
– a virus was implemented called Reaper to seek out and kill
creeper
• 1974 – Rabbit virus (named because of how quickly
it spread) appears
• 1975 – Pervading Animal, a game implemented on
the UNIVAC
– unknown whether this was the first Trojan Horse program
or a program with unintentional bugs
• 1980 – Masters thesis regarding self-replication of
programs
• 1982 – Elk Cloner introduced, virus that affected
Apple II computers, first to spread by floppy disk
• 1983 – term virus first coined, renamed computer
virus in 1984
Continued
• 1986 – Brain boot sector virus released, first known
virus targeting IBM PC computers
• 1986 – Virdem model of programs introduced
– programs that could replicate by placing their own
executable code into DOS .com files
• 1987 – Cascade, first self-encrypting virus
• 1987 – Jerusalem virus unleashed
– in 1988 would become a world-wide epidemic
•
•
•
•
1988 – Morris Internet worm
1988 – first antiviral software released
1990 – polymorphic viruses introduced
1992 – Michelangelo virus
– was discovered before it could do worldwide damage and
was minimized
Continued
• 1995 – Concept virus (first macro virus)
• 1999 – Melissa Worm released targeting MS Outlook
• 2000 – Loveletter (ILOVEYOU) worm released
– as of 2004, this has been the most costly worm released
• 2001 – Ramen Worm
– like Morris Worm but affects Linux Redhat systems
• 2001 – Sadmind worm affects Sun workstations and
Microsoft Internet Information Services both
• 2001 – Code Red, Code Red II, Nimda, Klez worms
• 2003 – SQL Slammer Worm attacks MS SQL servers
• 2003-2004 – also saw Blaster worm, Sobig worm,
MyDoom (fastest spreading worm ever)
Phishing
• Illegally attempting to gain sensitive information from
people for the purpose of computer-based fraud, these
attempts can include
– social engineering
– password cracking
– packet sniffing
• listening over a network for sensitive information (e.g., someone
emailing a password), wireless networks have been especially
susceptible in the past
– link manipulation for website spoofing
• sending an email with a phony link, causing the unsuspecting person to
go to a phony website rather than the intended website
– website forgery
• in addition to website spoofing, javascript code can do such things as
change the address bar to make the website look legitimate
– phone phishing
• getting someone to dial-up your computer and thus gain sensitive
information
Kevin Mitnick
• Started off forging bus punch cards with his own card
puncher
• He then moved into phreaking
– in 1979 broke into DEC system when a friend gave him their
dial-up phone number, was convicted
• Later, would change his identity by obtaining birth
certificates of children who died by the time they were 3
years old
• He continued to break into people’s computer systems
but was ultimately caught when he hacked into the
system of Tsutomu Shimomura, who tracked him down
– supporters of Mitnick have claimed that many of the charges
against him were fraudulent!
– he now runs his own computer security firm and is a highly
sought public speaker
Morris Worm
• Robert Morris, a Professor at MIT, is notable for
releasing a WORM on the Internet in 1988
– his idea, as a graduate student at Cornell, was to demonstrate
the security holes in Unix and also gauge the size of the Internet
at the time
– he claims that he had no idea that the WORM would spread so
far or rapidly or affect as many computers as it did
– the WORM would attempt to gain access to an Internet host by
•
•
•
•
overflowing the finger utility’s buffer
overflowing the sendmail buffer
try simple or no passwords to break into accounts
use rsh to access computers of the same server
– once it was able to access the host computer, it would attempt
to make copies of itself on all computers accessible via this
host’s host table
Jonathon James
• The first juvenile to be convicted of computer crimes (at
16 years old)
• His crimes all revolve around unauthorized access
– he used the free Nmap security scanning system to scan host
computers for flaws in Sun’s remote procedure call services
– he hacked into Bell-South, Miami-Dade school system, and
NASA (Huntsville)
• through his NASA break-in, he stole international space station
software
– he hacked into a DoD server and installed a backdoor and a
sniffer from which he intercepted thousands of messages
including user names/passwords
• he was thus able to hack into the DoD’s Defense Threat Reduction
Agency system
Two More Computer Criminals
• Adam Botbyl
– In the 90s was able to gain access to national-wide computer
system used by Lowe’s hardware by finding an open wireless
LAN point at Lowe’s in Michigan
• He and some friends eventually used their access to capture credit card
information (the government claims that the crime caused more than
$2.5M in damages)
• Dennis Moran
– Known as Coolio, was responsible for a number of denial of
service attacks in 2000
• he used a Smurf attack (spoofed ping messages) to generate over 1
gigabit per second message traffice
– He followed these up by defacing various websites and
unauthorized access to the US army and airforce computer
systems
LOD/MOD
• In the 1980s, a group of hackers formed the Legion of
Doom
– although they were hackers, some were white hackers and they
tried to contribute to society through the publication of
technical journals
• through which they shared their combined knowledge of hacking
– some members left the LOD to form the Masters of Deception
• this group was far more underground and often communicated through
“hijacked” phone and Internet lines
• unlike the LOD, they did not share their expertise with the outside
communities
– in 1990-91, a MOD member shut down a bulletin board of the
LOD which led to the Great Hacker War between the two
groups (and included other hackers as well)
• the result was the eventual destruction of the LOD as the MOD shut
down the LOD methods of communication
– for instance by taking control of all TCP/IP entry points in Texas where
much of the LOD lived
Cyberterrorism
• Cyberterrorism can be defined as the use of information
technology by terrorist groups and individuals to further
their agenda
– this can include use of information technology to organize and
execute attacks against networks, computer systems and
telecommunications infrastructures, or for exchanging
information or making threats electronically
• Examples include
–
–
–
–
–
hacking into computer systems
introducing viruses to vulnerable networks
web site defacing
denial-of-service attacks
terrorist threats made via electronic communication
• Information warfare occurs when these actions are
performed by one entity in order to gain a competitive
advantage over another entity
Cyberstalking
• Law enforcement agencies estimate that
electronic communications are a factor in from
20 percent to 40 percent of all stalking cases
• Forty-four states now have laws that explicitly
include electronic forms of communication
within stalking or harassment laws
• State laws that do not include specific
references to electronic communication may
still apply to those who threaten or harass
others online, but specific language can make
the laws easier to enforce
Prevalence of Computer Crimes
• It is expected that as the computer is more
prevalent in society, so are computer crimes
– interestingly, computer crimes are often committed by
people who do not have expertise in software or
computer technology
• crimes are often committed by people who can use the
technology because it is so user friendly!
• Some cite the increasing number of computer
crimes as an epidemic
• In many cases, the law enforcement agencies are
not set up to handle the crimes
– they do not have the expertise
Training Law Enforcement
• One expert recommends the following, immediate:
– introduction to computer evidence awareness
– identification, collection, transportation and preservation of
electronic evidence and related components
– where to find data recovery experts
• In addition, computer technology skills must be taught
to at least some subset of the law enforcement
community including
– operating system technologies, information management
skills, data collection and organization, database design,
statistical analysis, data protection and encryption, and how
computers are used to commit computer crimes
The Patriot Act (HR 3162)
• Signed by President Bush on October 26
• Adds terrorism offenses, computer fraud, and abuse offenses to the
list of predicates for obtaining Title III wiretaps
• Also permits roving wiretaps under the Foreign Intelligence
Surveillance Act of 1978 (FISA) in the same manner as they are
permitted under Title III wiretaps
• Intelligence information obtained from wiretaps may be shared
with law enforcement, intelligence, immigration, or national
security personnel
• Recipients can use the information only in the conduct of their
duties and are subject to the limitations in current law of
unauthorized disclosure of wiretap information.
• Also expands the use of traditional pen register or trap and trace
devices (captures the telephone numbers of incoming callers) so
that they apply not just to telephones, but also to Internet
communications so long as they exclude "content"