note7 -- version: Sat Apr  3 18:13:14 EDT 2010

COMPUTERS AND CRIME   (pp. 201-224) 



* Criminal activities: Background events

1970s, 1980s -- launching viruses,
                breaking into government & financial institutions

          Often seen as 'pranks'.
          Robin Hood activities?
          David vs. Goliath? 

1990s -- (internet becomes common), 
         digital piracy (e.g. music/movies), cyberstalking, 
         cyberporn, internet pedophilia

2000s -- (crimes expanding)
         cyberbullying, sexting, phishing, ...

New attitude: "no types of activities leading to unauthorizes access should be tolerated" 

What has caused the change?

Increased dependence in computers & networks! 
Increase in the seriousness of the activities?
Scale & scope again. 

Dependence often in strange and quite unanticipated ways...

2008 - A Heart Device Is Found Vulnerable to Hacker Attacks 

   ...a team of computer security researchers plans to report
   Wednesday that it had been able to gain wireless access to a
   combination heart defibrillator and pacemaker.

   They were able to reprogram it to shut down and to deliver jolts of
   electricity that would potentially be fatal - if the device had
   been in a person. In this case, the researchers were hacking into a
   device in a laboratory.

   The researchers said they had also been able to glean personal
   patient data by eavesdropping on signals from the tiny wireless
   radio that Medtronic, the device's maker, had embedded in the
   implant as a way to let doctors monitor and adjust it without

Two major categories of computer crimes:

computer fraud - "deliberate misrepresentation or alteration of
                    data in order to get something of value"

computer abuse - "willful or negligent unauthorized activity
                    that affects the availability, confidentiality, 
                    or integrity of computer resources"

2006 Computer Security Institute's and FBI's joint Cybercrime report: 
       - 52% of companies reported unauthorized use of computer
         systems in the prior 12 months.

2009 Computer Security Institute's Crime and Security Survey:

       - Respondents reported big jumps in incidence of password
         sniffing, financial fraud, and malware infection. 

       - One-third of respondents' organizations were fraudulently
         represented as the sender of a phishing message. 

       - Average losses due to security incidents are down again this
         year ... though they are still above 2006 figures. 

Are all cybercrimes reported? 
If not, why? 

-- embarrassment to organization/person

-- negative repercussions 

           Bank with us! 
           We're the bank where other people get your 
           money before the government does!

-- loss of customer confidence

* A typical Cybercriminal

Who are the cybercriminals? 

  • Disgruntled employee.
  • Teenagers.
  • Political Hacktivist.
  • Professional Hackers.
  • Business Rival.
  • Ex-Boyfriend, Ex-Husband.
  • Foreign national
What is the profile of a 'typical' cybercriminal? All cybercriminals... -- bright, socially inept -- have technical expertise -- male -- teenager -- are never violent -- aren't "real" criminals -- fit the profile Responses: - "Script kiddie" "Dumpster diving" & "Shoulder surfing" - About 20-30% of CS professionals are women About a third of all crimes are committed by women But most cybercriminals are still male - Typical cybercriminals are 19-30 - Some cybercrime causes or can lead to violence - There are profiles of cybercriminals! But not quite the one above. e.g., some technical ability, distain for the law, active fantasy life, risk taker / thrill seeker, control freak, strong motivations ** HACKING VS CRACKING - A LEGAL DISTINCTION? Hacking = to program enthusiastically ! = an ethical duty to share expertise Cracker - One who breaks security on a system (The Hacker Jargon File) White hat hacking = ethical hacker Black hat hacking = cracker = cybercriminal * Active Defense Hacking (Hacking Back) Active Defense Hacking = Counter Hacking = hacking back against hackers Is it ethical? reactive vs. pre-emptive ? Is pre-emptive hacking defense? " The scholar Abraham D. Sofaer identifies four key elements for justification of preemption: 1. The nature and magnitude of the threat involved; 2. The likelihood that the threat will be realized unless preemptive action is taken; 3. The availability and exhaustion of alternatives to using force; and 4. Whether using preemptive force is consistent with the terms and purposes of the U.N. Charter and other applicable international agreements." [] Can Counter Hacking hurt innocent individuals? If hacking is illegal, then why isn't counter-hacking? * Hackers and the Law Viewed as a form of trespass Entry on land without lawful authority Property owners and their agents may only use reasonable force to protect their property. Entering to steal vs. entering to look -- different punishments in the real world Trying to enter vs. entering -- different punishments in the real world But in the cyberspace? ** DEFINING CYBERCRIME stealing a computer vs. stealing with a computer (e.g., laptop used to smash a window) vs. stealing using the resources provided by computer technology * Preliminary Definition of Cybercrime A criminal act in which a computer is used as the principal tool A crime that involves a computer as a central component * Definition of Cybercrime Must encapsulate new forms of crime! A crime in which the criminal act can be carried out only through the use of cybertechnology and can take place only in the cyberrealm ** THREE CATEGORIES OF CYBERCRIME Cyberpiracy - using cybertechnology in unauthorized ways to: - reproduce copies of proprietary information - distribute proprietary information across a computer network Cybertrespass - using cybertechnology in gain unauthorized access to: - an individual's or organization's computer system - a password-protected web site Cybervandalism - using cybertechnology to unleash programs that: - disrupt the transmission of electronic information across a computer network - destroy data resident in a computer - damage a computer system's resources Examples of each category? What about spamming? What about phishing? The above are Cybercrimes: i.e., cyberspecific What's left....? ** CYBER-RELATED CRIMES Cyber-related - Cyberassisted - Cyberexacerbated Cyberexacerbated - cyberstalking - cyberbullying - internet pedophilia - internet pornography Significant increases in scope and scale of these categories of existing crimes Cyberassisted - online tax fraud - physical assault with a computer - property damage using a computer Ordinary crimes that happen to use a computer * Identity Theft "a crime in which an imposter obtains key pieces of personal information, such as social security or drivers license numbers, in order to impersonate someone else" uses - obtain credit, merchandise or services - provide thief with false credentials can be done from credit cards can be done with Cybertrespass (i.e., from databases) what's the value of a laptop? what's the value of a laptop containing a database of personal information? Identity theft scams via email? Phishing incidents increasing at about 56% per month (2001) * Corporate Espionage cell phones email Cyberpiracy Economic Espionage Act (1) steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains a trade secret; (2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys a trade secret; (3) receives, buys, or possesses a trade secret, knowing the same to have been stolen or appropriated, obtained, or converted without authorization; -- one part concerns aiding a foreign power -- one part concerns intent to injure owner of trade secret Penalties are up to 15 years prison and $10M ** TECHNOLOGIES & TOOLS FOR COMBATING CYBERCRIME Computerized record matching -- what are the problems? Encryption Technologies the good news - data exchange over networks is safer the bad news - law enforcement can't easily carry out legal wiretaps Is weak encryption better than no encryption? Who knows which it is? Clipper Chip - 1994 "In the area of communications encryption, the U. S. Government has developed a microcircuit that not only provides privacy through encryption that is substantially more robust than the current government standard, but also permits escrowing of the keys needed to unlock the encryption. The system for the escrowing of keys will allow the government to gain access to encrypted information only with appropriate legal authorization." "Dear Mr. President, We are writing to you regarding the 'Clipper' escrowed encryption proposal now under consideration by the White House. We wish to express our concern about this plan and similar technical standards that may be proposed for the nation's communications infrastructure. The current proposal was developed in secret by federal agencies primarily concerned about electronic surveillance, not privacy protection. Critical aspects of the plan remain classified and thus beyond public review. The private sector and the public have expressed nearly unanimous opposition to Clipper. In the formal request for comments conducted by the Department of Commerce last year, less than a handful of respondents supported the plan. Several hundred opposed it. ..." U.S. Public Policy Committee of ACM (USACM) says "The USACM recommends that any encryption standard adopted by the U.S. government not place U.S. manufacturers at a disadvantage in the global market or adversely affect technological development within the United States. Few other nations are likely to adopt a standard that includes a classified algorithm and keys escrowed with the U.S. government." Another big concern was with: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures". This only applies to government actions. Government dropped its support for Clipper Chip in 2000. What's the tradeoff here? Biometric Technologies - "the biological identification of a person, which includes eyes, voice, hand prints, finger prints, retina patterns, and handwritten signatures" How do you feel about this? It's very personal... Stored in database Uses? Super Bowl = Snooper Bowl (says the BBC) WIRED says Call It Super Bowl Face Scan I "When tens of thousands of football fans packed into a Florida stadium for Super Bowl XXXV, they weren't merely watching the game: They were also being watched. Face-recognition software surreptitiously scanned everyone passing through turnstiles and flashed probable matches with the mugs of known criminals on the screens of a police control room. ... On Thursday, the American Civil Liberties Union condemned the Super Bowl system -- provided free by its manufacturers -- as privacy-invasive: 'We do not believe that the public understands or accepts that they will be subjected to a computerized police lineup as a condition of admission.' ...the ACLU believes 'this activity raises serious concerns about the Fourth Amendment right of all citizens to be free of unreasonable searches and seizures.' ... Can the word 'search' in the Constitution stretch to include matching facial characteristics against a database? ... 'There's no Fourth Amendment problem if the government is simply observing -- or even recording -- what goes on in public,' Volokh says. 'For constitutional purposes, that's just not a search, because there's no legitimate expectation of privacy. Nobody thinks that their appearance at the Super Bowl is something that is hidden from the roving eye.' ... 'Cameras make a practical difference,' says Grosso, ... 'They make it practically possible to monitor things that one just never had the manpower to monitor before.' 'If we've reached the point where we can't go to a football game without having our photos run through a database in Washington, then we'll only have privacy when we're sitting in our living rooms,' he says." What's the tradeoff here? Notes: - the BBC reports "Among this crowd of thousands of people, it didn't actually point anyone out." - installation in a UK town has lowered crime by 40% in one year - Tampa Bay and Virginia Beach have installations Keystroke-Monitoring & Packet-Sniffing Keystroke-Monitoring - records every key struck by a user and every character of the response Packet-Sniffing - captures data travelling across a computer network use by law enforcement has been controversial but can track criminal activity what about innocent people? ** PROGRAMS & TECHNIQUES TO COMBAT CYBERCRIME IN THE USA Entrapment & "Sting" Operations - much used for to catch those involved with drug dealing, pornography, gambling, pedophilia, etc The PATRIOT Act - Provide Appropriate Tools Required to Intercept and Obstruct Terrorism October 2001 March 2006 Increased powers to track down suspected terrorists and criminals Very comprehensive! Works with Foreign Intelligence Surveillance Act (FISA) and Electronic Communications Privacy Act (ECPA) Gave permission to act "without having to demonstrate probable cause" For example: Section 206 expanded FISA to permit "roving wiretap" authority, which allows the FBI to intercept any communications made to or by an intelligence target without specifying the particular telephone line, computer or other facility to be monitored. Prior law required third parties (such as common carriers and others) "specified in court-ordered surveillance" to provide assistance necessary to accomplish the surveillance. Under Section 206, that obligation has been extended to unnamed and unspecified third parties. Such generic orders could have a significant impact on the privacy rights of large numbers of innocent users, particularly those who access the Internet through public facilities such as libraries, university computer labs and cybercafes. Upon the suspicion that an intelligence target might use such a facility, the FBI can now monitor all communications transmitted at the facility. The problem is exacerbated by the fact that the recipient of the assistance order (for instance, a library) would be prohibited from disclosing the fact that monitoring is occurring. Generic roving wiretap orders raise significant constitutional issues, as they do not comport with the Fourth Amendment's requirement that any search warrant "particularly describe the place to be searched." That deficiency becomes even more significant when where the private communications of law-abiding American citizens might be intercepted incidentally. ** NATIONAL & INTERNATIONAL LAWS TO COMBAT CYBERCRIME The problem of jurisdiction in Cyberspace - e.g., online gambling - where is the crime happening? - whose law to use? - muddle: is cyberspace a place or a medium? Enforcing Cybercrime Laws across States e.g., Four Indicted in $25 Million Scheme Defrauding and Hacking Ticketmaster,, and Other Ticket Vendors (March 1, 2010) International enforcement is tougher! But "digital intellectual property" cases are being handled. More situations to come...! i.e., policy vacuums removed. -------------------------------