crimes.ppt 135KB Jun 23 2011 10:20:18 AM
(1) Cyberlaw and Computer Crimes

• Surprisingly, it wasn't until 1986 that the US had any laws at all regarding the prosecution of computer crimes
  – even once legislation was being passed, it was unclear what jurisdiction the FBI had in tracking down computer criminals, nor did the FBI have the expertise to track them down

(2) Crackers/Hackers

• Early crimes were committed by computer programmers who were pushing the boundaries of what could be done on a computer
  – generally, hackers are thought of as benevolent criminals: just trying things out, possibly even for positive purposes (alerting a company to its security holes)
  – crackers are those who perform illegal access for criminal purposes
• See the site regarding black and white hat crackers and the Wikipedia pages on black hat and white hat crackers
  – http://www.itsecurity.com/features/top-10-famous-hackers-042407/
  – http://en.wikipedia.org/wiki/Black_Hat
  – http://en.wikipedia.org/wiki/White_hat

(3) Phreaking

• Early hackers targeted the telephone network
  – John Draper (known as Captain Crunch) discovered through a blind friend that the whistle found in Captain Crunch cereal could be modified to emit the frequency that AT&T used to indicate that a long distance phone line was available
    • this caused one side of the line to enter "operator mode"
    • with proper hardware, he was able to then specify frequencies equivalent to the tones for dialing a number and thus received free long distance
    • he placed the whistle and other devices into a blue box

(4) More Approaches

• Another approach was used by Kevin Poulsen, who actually broke into telephone switching boxes to reroute lines
  – he used this to win a Porsche from a radio station
• Red Boxes
  – Another approach is to mimic the sound of coins dropping into a pay phone
  – Actually, what you mimic is the frequency of the sound made when a quarter goes through the slot
    • a Radio Shack tone dialer could be used, and this

(5) Telephones and Computer Attacks

• Phreaking is not really related to computer crime, as these sorts of crimes were done largely without computers
• However, it has led to some innovations
  – consider a computer system that permits dial-up access
  – the OS will keep track of failed login attempts and then disallow further attempts from the given telephone caller ID after some number of failures (say 5)
  – however, it is possible, using a computer, to either mask or alter the caller ID so that more attempts can be tried
  – and therefore, a program which attempts to log in by trying all possible passwords may still succeed, because the computer will mask or alter the caller ID value so that the OS does not block further attempts!
• more information on phreaking and telephone attacks can be found at
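As an added illustration (not part of the original slides), the following Python models the lockout design the slide describes: a throttle keyed on the caller ID, which a masked or altered caller ID effectively resets, beside one keyed on the account under attack. The account name, caller IDs and guesses are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List

MAX_FAILURES = 5  # the slide's example: lock out after 5 failed attempts


@dataclass
class Attempt:
    account: str    # account being logged into
    caller_id: str  # caller ID reported by the phone line (can be altered by the caller)
    password: str   # password offered on this attempt


@dataclass
class LoginThrottle:
    """Counts failed logins per key and refuses further attempts once a key has
    reached MAX_FAILURES. key_of decides which identifier the counter is tied to."""
    key_of: Callable[[Attempt], str]
    failures: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def check(self, attempt: Attempt, real_password: str) -> str:
        key = self.key_of(attempt)
        if self.failures[key] >= MAX_FAILURES:
            return "blocked"          # refused before the password is even compared
        if attempt.password == real_password:
            return "success"
        self.failures[key] += 1
        return "failed"


def by_caller_id(a: Attempt) -> str:
    """The slide's design: the OS keys its lockout on the telephone caller ID."""
    return a.caller_id


def by_account(a: Attempt) -> str:
    """Hardened design: key the lockout on the account, which the caller cannot alter."""
    return a.account


def run(throttle: LoginThrottle, attempts: List[Attempt], real_password: str) -> List[str]:
    return [throttle.check(a, real_password) for a in attempts]


# Constructed sample: 12 guesses against one account, the last one correct, each
# arriving from a different (masked or altered) caller ID as the slide describes.
REAL_PASSWORD = "correct-horse"  # constructed
GUESSES = [f"guess{i}" for i in range(11)] + [REAL_PASSWORD]
ATTEMPTS = [Attempt("alice", f"555-01{i:02d}", g) for i, g in enumerate(GUESSES)]

if __name__ == "__main__":
    # Caller-ID keyed: every attempt gets a fresh counter, so the guessing succeeds.
    print(run(LoginThrottle(by_caller_id), ATTEMPTS, REAL_PASSWORD))
    # Account keyed: attempts 6 onward are refused, including the correct guess.
    print(run(LoginThrottle(by_account), ATTEMPTS, REAL_PASSWORD))
```

In practice a lockout keys on both the account and the originating identifier, so that neither one line hammering many accounts nor one account hit from many lines escapes the limit.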

(6) A Definition of Computer Crime

• One author states that a computer crime is:
  – unauthorized access of a computer, creating or releasing a malicious computer program, or harassment and stalking in cyberspace
• Notice that this definition does not claim that embezzlement or fraud accomplished by using a computer counts as a computer crime
  – this is because embezzlement and fraud are already crimes, and all that has changed is the mechanism by which the crime was committed

(7) A Different Definition

• A computer crime is any illegal act, the commission of which (in whole or in part):
  – targets computer hardware or software as its focal point, or
  – utilizes computer hardware or software to accomplish or assist in accomplishing the act, or
  – involves or uses computer hardware or software to store, preserve, assimilate, or secrete any evidence or any fruits of the act, or
  – unlawfully accesses, invades or violates computer hardware or software integrity in accomplishing or in attempting to perform the act

(8) Active vs Passive Computer Crimes

• An active crime is considered one in which the crime itself was committed using a computer
  – for instance, illegally accessing a bank account and altering the data for profit, or illegally accessing some file server to steal software being developed
  – a majority of computer crimes are active
• A passive crime is one in which the computer was used in support of the crime itself
  – for instance, illegally accessing a building's schematics so that one can break into the building and physically steal something, or using the Internet to monitor communications in preparation for a

(9) Federal and State Legislation

• The federal government has issued a number of laws but primarily leaves the legislation up to each individual state
  – States have three different approaches
    • Modifying existing laws by incorporating new concepts
      – such as adding computer-based fraud to the laws dealing with fraud; this is what Ohio has largely done
    • Setting up new definitions and offenses to handle the new crimes as they are discovered
      – the California state legislature meets often to examine and update its computer crime legislation
    • Nothing at all

(10) Federal Legislation

• Title 18, Chapter 47, Section 1030
  – Fraud and related activity in connection with computers
  – Whoever having knowingly accessed a computer without authorization or exceeding authorized access …
    • obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure
    • or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted
    • obtains information contained in a financial record of a financial institution, information from any department or agency of the United States, or information from any protected computer if the conduct involved an interstate or foreign communication

(11) 1030 Continued

  – knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer, recklessly causes damage
  – caused loss to 1 or more persons during any 1-year period aggregating at least $5,000 in value
  – the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals
  – physical injury to any person, or a threat to public health or safety or damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security
  – with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer
• The punishment for an offense is

(12) Other Federal Legislation

• There is a related law that deals with
  – fraud related to activities with access devices
    • e.g., telephone system devices, credit card authorization devices, device-making instruments, scanner receivers (as used in wire transfers)
  – fraud related to electronic mail (spam)
    • this includes fraudulent claims in the email, or the quantity of emails transmitted
    • this law limits the volume of electronic mail messages transmitted to under 2,500 during any 24-hour period, 25,000 during any 30-day period, or 250,000 during any 1-year period
  – wire, television, radio fraud
    • these pertain to transmission media more than computers

(13) Electronic Communications Privacy Act

• Approved in 1986, this act:
  – protects against unlawful access to stored communications
  – protects against voluntary disclosure of customer communications or records
  – protects against wrongful disclosure of video tape rental or sale records
  – requires disclosure of customer communications or records
  – requires backup preservation
• It also has clauses
  – that allow customers to examine and modify their personal records
  – that require publication of the types of records that companies keep

(14) States With Computer Laws

• Alabama
• Alaska
• Arizona
• California
• Colorado
• Connecticut
• Delaware
• Florida
• Georgia
• Hawaii
• Idaho
• Illinois
• Indiana
• Iowa
• Maryland
• Minnesota
• New Jersey
• New Mexico
• New York
• North Carolina
• Oregon
• Texas
• Virginia

(15) Kentucky Legislation

434.845 Unlawful access to a computer in the first degree.

• (1) A person is guilty of unlawful access to a computer in the first degree when he or she, without the effective consent of the owner, knowingly and willfully, directly or indirectly accesses, causes to be accessed, or attempts to access any computer software, computer program, data, computer, computer system, computer network, or any part thereof, for the purpose of:
  – (a) Devising or executing any scheme or artifice to defraud; or
  – (b) Obtaining money, property, or services for themselves or another by means of false or fraudulent pretenses, representations, or promises.
• (2) Unlawful access to a computer in the first degree is a Class C felony.

(16) Continued

434.850 Unlawful access to a computer in the second degree.

• (1) A person is guilty of unlawful access to a computer in the second degree when he or she, without the effective consent of the owner, knowingly and willfully, directly or indirectly accesses, causes to be accessed, or attempts to access any computer software, computer program, data, computer, computer system, computer network, or any part thereof, which results in the loss or damage of three hundred dollars ($300) or more.
• (2) Unlawful access to a computer in the second degree is a Class D felony.

(17) Continued

434.851 Unlawful access in the third degree.

• (1) A person is guilty of unlawful access in the third degree when he or she, without the effective consent of the owner, knowingly and willfully, directly or indirectly accesses, causes to be accessed, or attempts to access any computer software, computer program, data, computer, computer system, computer network, or any part thereof, which results in the loss or damage of less than three hundred dollars ($300).
• (2) Unlawful access to a computer in the third degree is a Class A misdemeanor.

(18) Continued

434.853 Unlawful access in the fourth degree.

• (1) A person is guilty of unlawful access in the fourth degree when he or she, without the effective consent of the owner, knowingly and willfully, directly or indirectly accesses, causes to be accessed, or attempts to access any computer software, computer program, data, computer, computer system, computer network, or any part thereof, which does not result in loss or damage.
• (2) Unlawful access to a computer in the fourth degree is a Class B misdemeanor.

(19) Continued

434.855 Misuse of computer information.

• (1) A person is guilty of misuse of computer information when he or she:
  – (a) Receives, conceals, or uses, or aids another in doing so, any proceeds of a violation of KRS 434.845; or
  – (b) Receives, conceals, or uses or aids another in doing so, any books, records, documents, property, financial instrument, computer software, computer program, or other material, property, or objects, knowing the same to have been used in or obtained from a violation of KRS 434.845.
• (2) Misuse of computer information is a Class C felony.

(20) Continued

434.860 Venue.

• For the purpose of venue under the provisions of KRS 434.845, 434.850, 434.851, 434.853, or 434.855, any violation of KRS 434.845, 434.850, 434.851, 434.853, or 434.855 shall be considered to have been committed: in any county in which any act was performed in furtherance of any transaction violating KRS 434.845, 434.850, 434.851, 434.853, or 434.855; in any county in which any violator had control or possession of any proceeds of said violation or of any books, records, documents, property, financial instrument, computer software, computer program or other material, objects, or items which were used in furtherance of said violation; and in any county from which, to which or through which any access to a computer, computer system, or computer network was made whether by wires, electromagnetic waves, microwaves, or any other means of communication.

(21) UK Computer Misuse Act (1990)

• 1(1) A person is guilty of an offence if:
  – a) he causes a computer to perform any function with intent to secure access to any program or data held in a computer;
  – b) the access he intends to secure is unauthorized; and
  – c) he knows at the time when he causes the computer to perform the function that this is the case.
• 1(2) the intent a person has to commit an offence under this section need not be directed at
  – a) any particular program or data;
  – b) a program or data of any particular kind; or
  – c) a program or data held in any particular computer.

(22) Continued

• 2(1) a person is guilty of an offence under this section if he commits an offence under section 1 above ("the unauthorized access offence") with intent
  – a) to commit an offence to which this section applies; or
  – b) to facilitate the commission of such an offence (whether by himself or by any other person) and the offence he intends to commit or facilitate is referred to below in this section as the further offence.
• 2(2) this section applies to offences
  – a) for which the sentence is fixed by law; or
  – b) for which a person of twenty one years of age or over (not previously convicted) may be sentenced to imprisonment for a term of five years (or in England and Wales might be so sentenced but for the restrictions imposed by section 33 of the Magistrates Courts Act 1980).
• 2(5) a person guilty of an offence under this section shall be liable
  – a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or both; and

(23) Continued

• 3(1) A person is guilty of an offence if
  – a) he does any act which causes the unauthorized modification of the contents of any computer; and
  – b) at the time when he does the act he has the requisite intent and the requisite knowledge.
• 3(2) for the purposes of subsection 3(1)b above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing
  – a) to impair the operation of any computer;
  – b) to prevent or hinder access to any program or data held in any computer; or
  – c) to impair the operation of any such program or the reliability of any such data.
• 3(3) the intent need not be directed at
  – a) any particular computer;
  – b) any particular program or data or a program or data of any particular kind; or

(24) Continued

• 3(4) For the purpose of subsection 1b above, the requisite knowledge is knowledge that any modification he intends to cause is unauthorized.
• 3(5) it is immaterial for the purposes of this section whether an unauthorized modification or any intended effect of it of a kind mentioned in subsection (2) above is, or is intended to be, permanent or merely temporary.
• The bill's critics charged that it was introduced hastily and was poorly thought out.
  – intention is difficult to prove
  – the bill inadequately differentiates "joyriding" crackers from serious computer criminals

(25) Types of Computer Crimes

• Computer as the target
  – theft of intellectual property, blackmail with information gained through electronic files
• Computer as the instrument
  – fraud (credit card fraud, fraudulent use of ATM accounts, stock market transfers, telecommunications fraud), theft of (electronic) money
• Computer incidental to the crime
  – computers used in support, e.g., money laundering, record keeping, tracking of targets, etc.
• Computer associated with the prevalence of the crime
  – software piracy/counterfeiting, copyright violation of software, counterfeit hardware, black market sales of hardware and

(26) Specific Crimes

• Denial of service (which might be performed for extortion or sabotage)
• Fraud, which encompasses many possible actions
  – employees altering data, making false entries
  – unauthorized access that leads to altering, destroying, suppressing, or stealing data or output
  – altering or misusing existing system tools or software packages
  – altering or writing code for fraudulent purposes
  – manipulating banking systems or committing identity theft
• Harassment by computer (cyberstalking, defamation)
• Pornography
• Copyright infringement
• Larceny (theft) of software or data

(27) History of Viruses

• Early 1970s – Creeper virus detected on ARPANET
  – a program called Reaper was implemented to seek out and kill Creeper
• 1974 – Rabbit virus (named because of how quickly it spread) appears
• 1975 – Pervading Animal, a game implemented on the UNIVAC
  – unknown whether this was the first Trojan horse program or a program with unintentional bugs
• 1980 – master's thesis regarding self-replication of programs
• 1982 – Elk Cloner introduced, a virus that affected Apple II computers, first to spread by floppy disk
• 1983 – term virus first coined, renamed computer

(28) Continued

• 1986 – Brain boot sector virus released, first known virus targeting IBM PC computers
• 1986 – Virdem model of programs introduced
  – programs that could replicate by placing their own executable code into DOS .com files
• 1987 – Cascade, first self-encrypting virus
• 1987 – Jerusalem virus unleashed
  – in 1988 would become a world-wide epidemic
• 1988 – Morris Internet worm
• 1988 – first antiviral software released
• 1990 – polymorphic viruses introduced
• 1992 – Michelangelo virus

(29) Continued

• 1995 – Concept virus (first macro virus)
• 1999 – Melissa worm released, targeting MS Outlook
• 2000 – Loveletter (ILOVEYOU) worm released
  – as of 2004, this has been the most costly worm released
• 2001 – Ramen worm
  – like the Morris worm but affects Red Hat Linux systems
• 2001 – Sadmind worm affects both Sun workstations and Microsoft Internet Information Services
• 2001 – Code Red, Code Red II, Nimda, Klez worms
• 2003 – SQL Slammer worm attacks MS SQL servers
• 2003-2004 – also saw Blaster worm, Sobig worm,

(30) Phishing

• Illegally attempting to gain sensitive information from people for the purpose of computer-based fraud; these attempts can include
  – social engineering
  – password cracking
  – packet sniffing
    • listening over a network for sensitive information (e.g., someone emailing a password); wireless networks have been especially susceptible in the past
  – link manipulation for website spoofing
    • sending an email with a phony link, causing the unsuspecting person to go to a phony website rather than the intended website
  – website forgery
    • in addition to website spoofing, JavaScript code can do such things as change the address bar to make the website look legitimate
  – phone phishing
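As an added example (not part of the original slides), a defender-side check in Python for the link-manipulation case above: it parses the anchors in a message body and flags any whose visible text shows one host while the href points somewhere else. The message body and the host names in it are constructed.

```python
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data) -> None:
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag) -> None:
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Lowercase hostname of a URL. Visible text such as 'www.bank.example/x'
    has no scheme, so one is prepended before parsing."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    return "://" in text or text.lower().startswith("www.")


def suspicious_links(html: str) -> List[Tuple[str, str]]:
    """Return (visible text, real host) for links whose visible text names a
    host that differs from the href's host. Text like 'click here' names no
    host and is not flagged, so this catches only the text/href mismatch case."""
    parser = LinkCollector()
    parser.feed(html)
    return [
        (text, host_of(href))
        for href, text in parser.links
        if looks_like_url(text) and host_of(text) != host_of(href)
    ]


# Constructed sample message; .example and .test are reserved names, not real sites.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<p>Help: <a href="https://www.bank.example/help">https://www.bank.example/help</a></p>
<p>Log in at <a href="http://bank.example.attacker.test/login">https://www.bank.example/login</a></p>
<p>Or <a href="http://bank.example.attacker.test/reset">click here</a> to reset.</p>
"""

if __name__ == "__main__":
    for text, real_host in suspicious_links(SAMPLE_EMAIL):
        print(f"displayed {text!r} but actually points at {real_host}")
```

A mail gateway would run this over the HTML part of each inbound message and treat a non-empty result as one phishing signal among others.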

(31) Kevin Mitnick

• Started off forging bus punch cards with his own card puncher
• He then moved into phreaking
  – in 1979 broke into a DEC system when a friend gave him its dial-up phone number; was convicted
• Later, would change his identity by obtaining birth certificates of children who had died by the time they were 3 years old
• He continued to break into people's computer systems but was ultimately caught when he hacked into the system of Tsutomu Shimomura, who tracked him down
  – supporters of Mitnick have claimed that many of the charges against him were fraudulent!

(32) Morris Worm

• Robert Morris, a professor at MIT, is notable for releasing a worm on the Internet in 1988
  – his idea, as a graduate student at Cornell, was to demonstrate the security holes in Unix and also gauge the size of the Internet at the time
  – he claims that he had no idea that the worm would spread so far or rapidly or affect as many computers as it did
  – the worm would attempt to gain access to an Internet host by
    • overflowing the finger utility's buffer
    • overflowing the sendmail buffer
    • trying simple or no passwords to break into accounts
    • using rsh to access computers of the same server

(33) Jonathan James

• The first juvenile to be convicted of computer crimes (at 16 years old)
• His crimes all revolve around unauthorized access
  – he used the free Nmap security scanning system to scan host computers for flaws in Sun's remote procedure call services
  – he hacked into BellSouth, the Miami-Dade school system, and NASA (Huntsville)
    • through his NASA break-in, he stole international space station software
  – he hacked into a DoD server and installed a backdoor and a sniffer from which he intercepted thousands of messages including user names/passwords

(34) Two More Computer Criminals

• Adam Botbyl
  – In the 90s was able to gain access to the nationwide computer system used by Lowe's hardware by finding an open wireless LAN access point at a Lowe's in Michigan
    • He and some friends eventually used their access to capture credit card information (the government claims that the crime caused more than $2.5M in damages)
• Dennis Moran
  – Known as Coolio, was responsible for a number of denial of service attacks in 2000
    • he used a Smurf attack (spoofed ping messages) to generate over 1 gigabit per second of message traffic

(35) LOD/MOD

• In the 1980s, a group of hackers formed the Legion of Doom
  – although they were hackers, some were white hat hackers and they tried to contribute to society through the publication of technical journals
    • through which they shared their combined knowledge of hacking
  – some members left the LOD to form the Masters of Deception
    • this group was far more underground and often communicated through "hijacked" phone and Internet lines
    • unlike the LOD, they did not share their expertise with the outside communities
  – in 1990-91, a MOD member shut down a bulletin board of the LOD, which led to the Great Hacker War between the two groups (and included other hackers as well)
    • the result was the eventual destruction of the LOD as the MOD shut down the LOD's methods of communication

(36) Cyberterrorism

• Cyberterrorism can be defined as the use of information technology by terrorist groups and individuals to further their agenda
  – this can include use of information technology to organize and execute attacks against networks, computer systems and telecommunications infrastructures, or for exchanging information or making threats electronically
• Examples include
  – hacking into computer systems
  – introducing viruses to vulnerable networks
  – web site defacing
  – denial-of-service attacks
  – terrorist threats made via electronic communication
• Information warfare occurs when these actions are performed by one entity in order to gain a competitive

(37) Cyberstalking

• Law enforcement agencies estimate that electronic communications are a factor in from 20 percent to 40 percent of all stalking cases
• Forty-four states now have laws that explicitly include electronic forms of communication within stalking or harassment laws
• State laws that do not include specific references to electronic communication may still apply to those who threaten or harass

(38) Prevalence of Computer Crimes

• It is expected that as the computer becomes more prevalent in society, so do computer crimes
  – interestingly, computer crimes are often committed by people who do not have expertise in software or computer technology
    • crimes are often committed by people who can use the technology because it is so user friendly!
• Some cite the increasing number of computer crimes as an epidemic
• In many cases, the law enforcement agencies are not set up to handle the crimes

(39) Training Law Enforcement

• One expert recommends the following as immediate needs:
  – introduction to computer evidence awareness
  – identification, collection, transportation and preservation of electronic evidence and related components
  – where to find data recovery experts
• In addition, computer technology skills must be taught to at least some subset of the law enforcement community, including
  – operating system technologies, information management skills, data collection and organization, database design,

(40) The Patriot Act (HR 3162)

• Signed by President Bush on October 26
• Adds terrorism offenses, computer fraud, and abuse offenses to the list of predicates for obtaining Title III wiretaps
• Also permits roving wiretaps under the Foreign Intelligence Surveillance Act of 1978 (FISA) in the same manner as they are permitted under Title III wiretaps
• Intelligence information obtained from wiretaps may be shared with law enforcement, intelligence, immigration, or national security personnel
• Recipients can use the information only in the conduct of their duties and are subject to the limitations in current law on unauthorized disclosure of wiretap information.
• Also expands the use of traditional pen register or trap and trace devices (which capture the telephone numbers of incoming callers) so that they apply not just to telephones, but also to Internet
