note7 -- version: Sat Apr 3 18:13:14 EDT 2010
COMPUTERS AND CRIME (pp. 201-224)
-------------------------------------------------------------------
** CYBERCRIMES AND CYBERCRIMINALS
* Criminal activities: Background events
1970s, 1980s -- launching viruses,
breaking into government & financial institutions
Attitude:
Often seen as 'pranks'.
Robin Hood activities?
David vs. Goliath?
1990s -- (internet becomes common),
digital piracy (e.g. music/movies), cyberstalking,
cyberporn, internet pedophilia
2000s -- (crimes expanding)
cyberbullying, sexting, phishing, ...
New attitude: "no types of activities leading to unauthorizes access should be tolerated"
What has caused the change?
Increased dependence in computers & networks!
Increase in the seriousness of the activities?
Scale & scope again.
Dependence often in strange and quite unanticipated ways...
2008 - A Heart Device Is Found Vulnerable to Hacker Attacks
...a team of computer security researchers plans to report
Wednesday that it had been able to gain wireless access to a
combination heart defibrillator and pacemaker.
They were able to reprogram it to shut down and to deliver jolts of
electricity that would potentially be fatal - if the device had
been in a person. In this case, the researchers were hacking into a
device in a laboratory.
The researchers said they had also been able to glean personal
patient data by eavesdropping on signals from the tiny wireless
radio that Medtronic, the device's maker, had embedded in the
implant as a way to let doctors monitor and adjust it without
surgery.
Two major categories of computer crimes:
computer fraud - "deliberate misrepresentation or alteration of
data in order to get something of value"
computer abuse - "willful or negligent unauthorized activity
that affects the availability, confidentiality,
or integrity of computer resources"
2006 Computer Security Institute's and FBI's joint Cybercrime report:
- 52% of companies reported unauthorized use of computer
systems in the prior 12 months.
2009 Computer Security Institute's Crime and Security Survey:
- Respondents reported big jumps in incidence of password
sniffing, financial fraud, and malware infection.
- One-third of respondents' organizations were fraudulently
represented as the sender of a phishing message.
- Average losses due to security incidents are down again this
year ... though they are still above 2006 figures.
Are all cybercrimes reported?
If not, why?
-- embarrassment to organization/person
-- negative repercussions
Bank with us!
We're the bank where other people get your
money before the government does!
-- loss of customer confidence
* A typical Cybercriminal
Who are the cybercriminals?
Or...
- Disgruntled employee.
- Teenagers.
- Political Hacktivist.
- Professional Hackers.
- Business Rival.
- Ex-Boyfriend, Ex-Husband.
- Foreign national
What is the profile of a 'typical' cybercriminal?
All cybercriminals...
-- bright, socially inept
-- have technical expertise
-- male
-- teenager
-- are never violent
-- aren't "real" criminals
-- fit the profile
Responses:
- "Script kiddie"
"Dumpster diving" & "Shoulder surfing"
- About 20-30% of CS professionals are women
About a third of all crimes are committed by women
But most cybercriminals are still male
- Typical cybercriminals are 19-30
- Some cybercrime causes or can lead to violence
- There are profiles of cybercriminals!
But not quite the one above.
e.g., some technical ability, distain for the law, active fantasy
life, risk taker / thrill seeker, control freak, strong motivations
** HACKING VS CRACKING - A LEGAL DISTINCTION?
Hacking = to program enthusiastically !
= an ethical duty to share expertise
Cracker - One who breaks security on a system
(The Hacker Jargon File)
White hat hacking = ethical hacker
Black hat hacking = cracker = cybercriminal
* Active Defense Hacking (Hacking Back)
Active Defense Hacking = Counter Hacking = hacking back against hackers
Is it ethical?
reactive vs. pre-emptive ?
Is pre-emptive hacking defense?
" The scholar Abraham D. Sofaer identifies four key elements for justification of preemption:
1. The nature and magnitude of the threat involved;
2. The likelihood that the threat will be realized unless preemptive action is taken;
3. The availability and exhaustion of alternatives to using force; and
4. Whether using preemptive force is consistent with the terms and
purposes of the U.N. Charter and other applicable international agreements."
[http://en.wikipedia.org/wiki/Preemptive_war]
Can Counter Hacking hurt innocent individuals?
If hacking is illegal, then why isn't counter-hacking?
* Hackers and the Law
Viewed as a form of trespass
Entry on land without lawful authority
Property owners and their agents may
only use reasonable force to protect their property.
Entering to steal vs. entering to look
-- different punishments in the real world
Trying to enter vs. entering
-- different punishments in the real world
But in the cyberspace?
** DEFINING CYBERCRIME
stealing a computer
vs.
stealing with a computer (e.g., laptop used to smash a window)
vs.
stealing using the resources provided by computer technology
* Preliminary Definition of Cybercrime
A criminal act in which a computer is used as the principal tool
A crime that involves a computer as a central component
* Definition of Cybercrime
Must encapsulate new forms of crime!
A crime in which the criminal act can be carried out only through
the use of cybertechnology and can take place only in the cyberrealm
** THREE CATEGORIES OF CYBERCRIME
Cyberpiracy - using cybertechnology in unauthorized ways to:
- reproduce copies of proprietary information
- distribute proprietary information across a computer network
Cybertrespass - using cybertechnology in gain unauthorized access to:
- an individual's or organization's computer system
- a password-protected web site
Cybervandalism - using cybertechnology to unleash programs that:
- disrupt the transmission of electronic information across a computer network
- destroy data resident in a computer
- damage a computer system's resources
Examples of each category?
What about spamming?
What about phishing?
The above are Cybercrimes: i.e., cyberspecific
What's left....?
** CYBER-RELATED CRIMES
Cyber-related - Cyberassisted
- Cyberexacerbated
Cyberexacerbated - cyberstalking
- cyberbullying
- internet pedophilia
- internet pornography
Significant increases in scope and scale of these categories of existing crimes
Cyberassisted - online tax fraud
- physical assault with a computer
- property damage using a computer
Ordinary crimes that happen to use a computer
* Identity Theft
"a crime in which an imposter obtains key pieces of personal
information, such as social security or drivers license numbers,
in order to impersonate someone else"
uses - obtain credit, merchandise or services
- provide thief with false credentials
can be done from credit cards
can be done with Cybertrespass (i.e., from databases)
what's the value of a laptop?
what's the value of a laptop containing a database of personal information?
Identity theft scams via email?
Phishing incidents increasing at about 56% per month (2001)
* Corporate Espionage
cell phones
email
Cyberpiracy
Economic Espionage Act
(1) steals, or without authorization appropriates, takes,
carries away, or conceals, or by fraud, artifice, or deception
obtains a trade secret;
(2) without authorization copies, duplicates, sketches, draws,
photographs, downloads, uploads, alters, destroys, photocopies,
replicates, transmits, delivers, sends, mails, communicates, or
conveys a trade secret;
(3) receives, buys, or possesses a trade secret, knowing the same
to have been stolen or appropriated, obtained, or converted
without authorization;
http://www.economicespionage.com/EEA.html
-- one part concerns aiding a foreign power
-- one part concerns intent to injure owner of trade secret
Penalties are up to 15 years prison and $10M
** TECHNOLOGIES & TOOLS FOR COMBATING CYBERCRIME
Computerized record matching -- what are the problems?
Encryption Technologies
the good news - data exchange over networks is safer
the bad news - law enforcement can't easily carry out legal wiretaps
Is weak encryption better than no encryption?
Who knows which it is?
Clipper Chip - 1994
"In the area of communications encryption, the U. S. Government
has developed a microcircuit that not only provides privacy
through encryption that is substantially more robust than the
current government standard, but also permits escrowing of the
keys needed to unlock the encryption. The system for the
escrowing of keys will allow the government to gain access to
encrypted information only with appropriate legal
authorization."
http://epic.org/crypto/clipper/white_house_factsheet.html
"Dear Mr. President,
We are writing to you regarding the 'Clipper' escrowed
encryption proposal now under consideration by the White House.
We wish to express our concern about this plan and similar
technical standards that may be proposed for the nation's
communications infrastructure.
The current proposal was developed in secret by federal
agencies primarily concerned about electronic surveillance, not
privacy protection. Critical aspects of the plan remain
classified and thus beyond public review.
The private sector and the public have expressed nearly
unanimous opposition to Clipper. In the formal request for
comments conducted by the Department of Commerce last year,
less than a handful of respondents supported the plan. Several
hundred opposed it.
..."
http://epic.org/crypto/clipper/crypto_experts_letter_1_94.html
U.S. Public Policy Committee of ACM (USACM) says
"The USACM recommends that any encryption standard adopted by
the U.S. government not place U.S. manufacturers at a
disadvantage in the global market or adversely affect
technological development within the United States. Few other
nations are likely to adopt a standard that includes a
classified algorithm and keys escrowed with the
U.S. government."
http://usacm.acm.org/usacm/crypto/encrypt.html
Another big concern was with:
"The right of the people to be secure in their persons, houses,
papers, and effects, against unreasonable searches and seizures".
This only applies to government actions.
Government dropped its support for Clipper Chip in 2000.
What's the tradeoff here?
Biometric Technologies - "the biological identification of a person, which
includes eyes, voice, hand prints, finger prints, retina
patterns, and handwritten signatures"
How do you feel about this? It's very personal...
Stored in database
Uses?
Super Bowl = Snooper Bowl (says the BBC)
WIRED says Call It Super Bowl Face Scan I
"When tens of thousands of football fans packed into a Florida
stadium for Super Bowl XXXV, they weren't merely watching the game:
They were also being watched.
Face-recognition software surreptitiously scanned everyone passing
through turnstiles and flashed probable matches with the mugs of
known criminals on the screens of a police control room.
...
On Thursday, the American Civil Liberties Union condemned the Super
Bowl system -- provided free by its manufacturers -- as
privacy-invasive: 'We do not believe that the public understands or
accepts that they will be subjected to a computerized police lineup
as a condition of admission.'
...the ACLU believes 'this activity raises serious concerns about
the Fourth Amendment right of all citizens to be free of
unreasonable searches and seizures.'
...
Can the word 'search' in the Constitution stretch to include
matching facial characteristics against a database?
...
'There's no Fourth Amendment problem if the government is simply
observing -- or even recording -- what goes on in public,' Volokh
says. 'For constitutional purposes, that's just not a search,
because there's no legitimate expectation of privacy. Nobody thinks
that their appearance at the Super Bowl is something that is hidden
from the roving eye.'
...
'Cameras make a practical difference,' says Grosso, ... 'They make
it practically possible to monitor things that one just never had
the manpower to monitor before.'
'If we've reached the point where we can't go to a football game
without having our photos run through a database in Washington,
then we'll only have privacy when we're sitting in our living
rooms,' he says."
What's the tradeoff here?
Notes:
- the BBC reports "Among this crowd of thousands of people, it didn't actually point anyone out."
- installation in a UK town has lowered crime by 40% in one year
- Tampa Bay and Virginia Beach have installations
Keystroke-Monitoring & Packet-Sniffing
Keystroke-Monitoring - records every key struck by a user and every character of the response
Packet-Sniffing - captures data travelling across a computer network
use by law enforcement has been controversial
but can track criminal activity
what about innocent people?
** PROGRAMS & TECHNIQUES TO COMBAT CYBERCRIME IN THE USA
Entrapment & "Sting" Operations - much used for to catch those involved with
drug dealing, pornography, gambling, pedophilia, etc
The PATRIOT Act - Provide Appropriate Tools Required to Intercept and Obstruct Terrorism
October 2001
March 2006
Increased powers to track down suspected terrorists and criminals
Very comprehensive!
Works with
Foreign Intelligence Surveillance Act (FISA)
and
Electronic Communications Privacy Act (ECPA)
Gave permission to act "without having to demonstrate probable cause"
For example:
Section 206 expanded FISA to permit "roving wiretap" authority,
which allows the FBI to intercept any communications made to or by
an intelligence target without specifying the particular telephone
line, computer or other facility to be monitored. Prior law
required third parties (such as common carriers and others)
"specified in court-ordered surveillance" to provide assistance
necessary to accomplish the surveillance. Under Section 206, that
obligation has been extended to unnamed and unspecified third
parties.
Such generic orders could have a significant impact on the privacy
rights of large numbers of innocent users, particularly those who
access the Internet through public facilities such as libraries,
university computer labs and cybercafes. Upon the suspicion that an
intelligence target might use such a facility, the FBI can now
monitor all communications transmitted at the facility. The problem
is exacerbated by the fact that the recipient of the assistance
order (for instance, a library) would be prohibited from disclosing
the fact that monitoring is occurring.
Generic roving wiretap orders raise significant constitutional
issues, as they do not comport with the Fourth Amendment's
requirement that any search warrant "particularly describe the
place to be searched." That deficiency becomes even more
significant when where the private communications of law-abiding
American citizens might be intercepted incidentally.
http://epic.org/privacy/terrorism/usapatriot/sunset.html
** NATIONAL & INTERNATIONAL LAWS TO COMBAT CYBERCRIME
The problem of jurisdiction in Cyberspace - e.g., online gambling
- where is the crime happening?
- whose law to use?
- muddle: is cyberspace a place or a medium?
Enforcing Cybercrime Laws across States
e.g., Four Indicted in $25 Million Scheme Defrauding and Hacking
Ticketmaster, Tickets.com, and Other Ticket Vendors (March 1, 2010)
http://www.cybercrime.gov/wiseIndict.pdf
International enforcement is tougher!
But "digital intellectual property" cases are being handled.
More situations to come...!
i.e., policy vacuums removed.
-------------------------------
|