
Cyber-Crime and the Uphill Battle faced by the Business World

Abstract
As the Internet has become a needed tool at home and in businesses, it has also become a tool and target for crime. The anonymity of the Internet allows all sorts of illegal activity to take place without many repercussions. Until recently, law enforcement has seen cyber-crime as insignificant and not worth their time. Due to companies' reliance on the Internet and their networks, the losses sustained are often large and potentially catastrophic. This paper will introduce the different types of cyber-crime and also describe why the fight against cyber-crime has been so difficult for both companies and law enforcement.

Introduction
Technology has always provided new ways of solving old problems as well as distributing information. The Internet has made all types of information readily available. This wealth of information has opened up a whole new world of problems. These problems deal with the security of computer networks. As the general public has gotten more technologically advanced so too has the criminal. The reliance on the Internet for information has also allowed criminals to find ways of obtaining the most private of data. The Internet is also proving to be a tough place to police. This inability to find and prosecute criminals has become a costly problem to society, and more specifically to the business world. Internet crime is a big problem but by no means the only problem. There are many other criminal acts being committed with the aid of computers and networks. It is important for current and future members of the business world to understand these crimes, the motivations for such crimes and what can be done to find and stop such criminals.

Defining Cyber-Crime
There are many different definitions of cyber-crime depending upon whose text is read. This fact has confused lawmakers and law enforcement officials alike. The most accepted definition comes from the book Digital Evidence and Computer Crime. This book defines cyber-crime as "any crime that involves computers and networks, including crimes that do not rely heavily on computers." [1] This definition appears in several online encyclopedias and is widely accepted. It allows any criminal activity involving a computer to be defined as a cyber-crime. To illustrate the breadth of the cyber-crime spectrum, let's look at the two extremes. On one hand, a cyber-crime could be as basic as sending someone an offensive email. This email would be seen by the recipient as harassment and thus is a cyber-crime since a computer was used. The computer wasn't needed to carry out the crime, but was used anyway. On the other hand would be a complex crime in which a hacker breaks into a company's database to steal or destroy customer information. This illustrates the great amount of area between these two crimes. That area represents the entire spectrum of cyber-crime. Now that the entire scope can be seen, it is time to explain the many different types of cyber-crime.

Classifying Cyber-Crime
Cyber-crime can happen essentially on two levels. The crime can be done against a person or against a company and property. For the purposes of this document, the crimes against companies and property will be given more attention. According to the book Computer Forensics and Cyber Crime, by Marjie Britz, there are four classes by which cyber-crimes can be grouped. These classes are: phreaking, internet scams, neo-traditional crimes, and other web related crime.

The first classification is phreaking, which is a precursor to hacking. The goal of phreaking is to break into a secure system and then brag about it. Most of the time such intruders cause little to no damage and seem very innocent. In those cases where damage did occur, the intruders believed that they were providing a valuable service. They felt they were helping the Internet community by pointing out flaws in security so they could be fixed at a later date. [1] The term phreaking is not a new one to the world of technology. Phreaking was originally the term used for people breaking into telephone systems to get free long distance calls. Among the tools for doing so was a whistle found in a box of Cap'n Crunch cereal. This whistle created the proper tone to cause the operator to hang up, allowing free calls to be made from the other end of the line. Other phone crimes involved hacking into the phone switches in order to make pay phones operate like regular phones.
A crime that was detrimental to law enforcement was also executed via phone switches. The switches record whether or not there is a wiretap on someone's phone. Some phreakers compromised the system and then called people whose lines were tapped to inform them of the lack of privacy on their line. [2]

The second classification is internet scams. Included in these scams are phishing, web cramming and ISP jacking. Phishing is an Internet scam where an individual receives an email that appears to be from a legitimate source. This source could be a financial institution, credit card company, or an online auction site such as eBay. In fact, eBay and their escrow services are the places that scammers are most likely to pretend they are representing. The email they send usually expresses some concern with their own site's security and asks the recipient to click a link where they will be asked to enter their username and password. The link is not the valid site that the email claims to be. The site is simply a place for a criminal to obtain usernames and passwords. Web cramming is a crime in which criminals develop new web pages for small business and non-profit groups for little or no expense. While advertising their services as free, these criminals actually engage in unauthorized phone charges on their victims' accounts. [1] Lastly is ISP jacking, which involves disconnecting individual users from their selected Internet Service Provider and redirecting them to illegitimate servers. [1] This form of crime requires the user to have downloaded some software that actually contains a hidden program. This program disconnects them from their ISP and reconnects them to a new server somewhere halfway around the world. This all occurs without the victim's knowledge and leads to some very hefty long distance phone charges.

The third classification is that of neo-traditional crimes. This is a type of crime where a computer is not needed to perform the criminal activity, but the use of a computer has opened up new avenues for performing such crimes. Any form of fraud attempted with the use of a computer is a neo-traditional crime. This is still fraud, but since a computer is used it is further defined as computer fraud. Another similar crime is IP spoofing. This is the act of altering packet headers to conceal the identity of a criminal by changing the IP address. Perhaps the most famous neo-traditional crime is the salami technique, thanks to the movie Office Space. The salami technique is the redirection of the rounded off portions of dollars from one account into another account where it will accumulate over time. It is known as the salami technique since only small slices, or the equivalent of hundredths of a cent, are moved per transaction. [1]

The last classification encompasses the wide array of crimes not covered in the previous three categories. This is the category where hacking is generally placed. While it is true that hacking generally leads to other cyber-crimes, it is simply too broad to be covered solely by any of the other classifications. Hacking is "the process by which individuals gain unauthorized access to computer systems for the purpose of stealing and corrupting data." [5] In terms of stealing data, criminals may choose to perform the crime of identity theft. This is becoming the fastest growing type of cyber crime since most sites that sell things online don't do any background checks in order to ensure the purchaser is who they claim to be. Hackers also steal data in order to hurt either a former employer or a large organization that they despise. Corrupting data is also a favorite pastime of hackers and can be accomplished via several tools. These tools include worms, viruses, distributed denial of service (DDoS) attacks and Trojan horses. These tools have evolved with the ever-changing technology and enable hackers of all skill levels to wreak havoc on computer systems. This class of crime also has newfound potential since the September 11th 2001 terrorist attacks. Cyber-terrorism is yet another avenue for hackers to cause damage for political instead of personal reasons. Cyber-terrorism is defined as "a deliberate, politically or religiously motivated attack against data compilations, computer programs, and/or information systems which is intended to disrupt and/or deny service or acquire information which disrupts the social, physical or political infrastructure of the target." [5]

Assessing the Damages of Cyber Crime


Criminals have educated themselves in the world of technology in recent years in hopes of cashing in on a big payday. The payday is more realistic now than ever since information private to companies has become available on the Internet. In 2004, cyber criminals were responsible for more than ten billion dollars of damages to corporations. This number varies depending upon the source, with some websites claiming the number to be near one hundred billion dollars. This discrepancy is caused by the fact that very few companies actually report these crimes.

Why are companies reluctant to report that their systems were compromised? First of all, Internet commerce is built upon the notion that all information on the web can only be seen by the eyes that are meant to see it. For example, only John Smith can see the website for his bank. As nice as it sounds, this is entirely unlikely since hackers find ways into the server or database and not into an individual's computer. If a company reports that vital information was stolen or damaged by hackers, it will cause several problems. The first problem is that it may cause customers, especially those whose information was used to commit a fraudulent crime, to stop doing business with the company. The next problem is that the company's stock prices would drop due to the error, making losses twofold. Many companies feel the repercussions of covering up such a security breach will ultimately be cheaper than admitting the mistake. Admission of a mistake will more than likely cause panic, whereas a cover-up follows the old notion, "what they don't know can't hurt them." [3]

In a 2002 survey conducted by the FBI, it was reported that ninety percent of organizations responding had detected breaches in security within the past year. The survey also reported that eighty percent of organizations had lost money due to the security breaches. Lastly, only thirty-four percent of companies reported these attacks to law enforcement officials. As this survey shows, the reason cyber crime is so prevalent is that companies are unwilling to admit their security is not as good as it should be. [5]

Understanding Hackers
Conventional wisdom tells IT professionals and law enforcement that in order to stop a cyber criminal one must first understand their motives and actions. Steven Branigan writes in his book, High-Tech Crimes Revealed, that there are seven steps to hacking. [2] The first step is choosing a target to attack. Criminals will choose a target based upon what they want. If the criminal is interested in money, they will choose something like a credit card database. If the criminal is looking to impress others, then they will instead choose to hack something along the lines of a high profile web server. The second step is to find the computers that are accessible via the Internet. There are many free pieces of software designed to do just that, so even inexperienced hackers can gain access to these computers. The third step is to discover vulnerable computer systems that contain the data being sought. This is similar to how a burglar will check the place they intend to rob for unlocked doors before breaking a window. Step four is to break into the computer system; there are many hacking tools for this. The fifth step is to elevate access privileges to the maximum allowed. This is known as rooting a box and allows the hacker to find anything that is on that computer. To relate this to a real world crime, it is like forging someone's employee pass to gain total access to a building. The sixth step is to monitor what other computer users are doing. This step serves two purposes. The first purpose is to find more vulnerable systems by watching where other people go. The second purpose is to see if anyone is aware of the security breach. The final step is to install backdoors allowing the hacker to re-enter the computer at any point in the future, even if the security weakness has been repaired. Steps six and seven are unique to high tech crimes. These steps make high tech crimes more difficult to detect and defend against. [2]

Now that the process of hacking itself is understood, the reasons people would cause destruction must be investigated. There are two types of hackers: the internal hacker and the external hacker. The internal hacker is someone who is currently or was previously employed by the company and has easy access to the computer system. The external hacker is more commonly called the professional hacker. Both types of hackers hack for some of the same reasons. The four reasons hackers hack are: revenge, profit, glory, and to aid in showing security flaws. Revenge is a motivator only to the internal hacker; they could be angry about getting laid off or being passed over for a promotion. Both internal and external hackers can be enticed by profit. Hacking into a system and using information to commit other crimes can be very profitable. Glory and aiding in showing security flaws are unique to the external hacker. Some hackers break into systems simply for bragging rights, but this is very rare. Also rare are hackers who hack in order to help find security flaws. These hackers are becoming more abundant, though, due to companies wanting to use hackers to test system security. The belief is that there is nobody more qualified to test system security than someone who has been arrested for breaking into computer systems. Like most other criminal acts, the almighty dollar seems to be the driving force in the majority of cases. [2]

How Companies Protect and Fight Back


The war against cyber-crime will be a long and painful one. There are several things, though, that can be done in order to protect the computer systems and detect unauthorized users. The first line of defense for any company's information is a firewall. A firewall is a filter that will block certain traffic while allowing other traffic through. This can be looked at as the border patrol. Only those people with citizenship or access are allowed in, while everyone else is turned away. A firewall also keeps log files to remember who has tried to gain access from the outside. The drawback to a firewall is that as a company's network grows, the firewall becomes more difficult to configure. It is also important to remember that a firewall is there to protect from attacks by people on the outside, not to keep information behind the firewall from leaving. Believing otherwise creates a false sense of security. Once the company has a firewall installed, they must test it to make sure that their sensitive data is safe. Another way to check that the firewall is secure and a company's computer system is safe is to use sneakers. Sneakers are hackers who are hired to test the security of a company's network by trying to violate the system. [2] As mentioned above, the thought process behind this is that there is no one better at checking for security flaws than someone whose profession is breaking into computer systems.

Honey pots are a new method that some organizations have tried to utilize to detect and monitor security breaches. A honey pot is essentially a bogus server that someone sets up and fills with useless information. This server is then under constant surveillance to watch who accesses it. Any person accessing this server is unauthorized since there is no connection between this server and anything useful. The log files on the firewall of the honey pot will be useful in identifying hackers. There are no laws at the moment about the legality of honey pots. The idea of a honey pot brings up some serious ethical questions. One such question is whether a hacker's curiosity is prosecutable. The hacker hasn't committed a crime by looking at the honey pot, but they are hacking and are probably doing damage to a system somewhere. Another question is whether a company employing a honey pot should be required to share the log files of hacker IP addresses with other companies and law enforcement. As mentioned before, looking isn't a crime, but these people are potentially dangerous. Due to the lack of laws and the ethical dilemma, honey pots are rare. [6]
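Because nothing legitimate ever connects to a honey pot, its firewall log can be read very simply: every source address in it is of interest, and the same addresses can then be looked up in the logs of real servers. The Python sketch below is an added example, not part of the original paper; the log format, the honey pot address and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict

HONEYPOT_IP = "192.0.2.50"  # assumed address of the decoy server

# Assumed one-line-per-connection firewall log format (constructed).
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample log: 192.0.2.10 stands in for a production server.
SAMPLE_LOG = """\
2005-01-23T01:59:00Z ACCEPT src=203.0.113.45 dst=192.0.2.10 dport=443 proto=tcp
2005-01-23T02:14:07Z ACCEPT src=203.0.113.45 dst=192.0.2.50 dport=22 proto=tcp
2005-01-23T02:14:09Z ACCEPT src=203.0.113.45 dst=192.0.2.50 dport=80 proto=tcp
2005-01-23T02:15:30Z ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp
-- log rotated --
2005-01-23T02:16:02Z DROP src=203.0.113.45 dst=192.0.2.10 dport=1433 proto=tcp
2005-01-23T02:20:41Z ACCEPT src=198.51.100.99 dst=192.0.2.50 dport=21 proto=tcp
"""


def parse(log_text):
    """Return (events, skipped); malformed lines are counted, never guessed at."""
    events, skipped = [], 0
    for raw in log_text.splitlines():
        match = LINE.match(raw.strip())
        if match:
            events.append(match.groupdict())
        elif raw.strip():
            skipped += 1
    return events, skipped


def honeypot_report(log_text, honeypot_ip=HONEYPOT_IP):
    """Summarise every source that touched the decoy and what else it reached for."""
    events, skipped = parse(log_text)
    visitors = defaultdict(
        lambda: {"first_seen": None, "honeypot_ports": set(), "other_targets": set()}
    )
    # Pass 1: any contact with the decoy marks the source, whatever the port
    # and whether the firewall accepted or dropped the connection.
    for event in events:
        if event["dst"] == honeypot_ip:
            entry = visitors[event["src"]]
            entry["honeypot_ports"].add(int(event["dport"]))
            if entry["first_seen"] is None or event["ts"] < entry["first_seen"]:
                entry["first_seen"] = event["ts"]
    # Pass 2: pull the same sources' traffic to real servers for review.
    for event in events:
        if event["src"] in visitors and event["dst"] != honeypot_ip:
            visitors[event["src"]]["other_targets"].add(
                (event["dst"], int(event["dport"]))
            )
    report = {
        src: {
            "first_seen": entry["first_seen"],
            "honeypot_ports": sorted(entry["honeypot_ports"]),
            "other_targets": sorted(entry["other_targets"]),
        }
        for src, entry in visitors.items()
    }
    return report, skipped


if __name__ == "__main__":
    report, skipped = honeypot_report(SAMPLE_LOG)
    for src, entry in sorted(report.items()):
        print(src, entry)
    print("unparsed lines:", skipped)
```

The source that only ever contacted the production server does not appear in the report, which is the property that makes a honey pot log so much quieter than an ordinary firewall log.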

Law Enforcement Agencies Fighting Cyber-Crime


Once a hacker is detected, law enforcement should be contacted. Law enforcement agencies are the final line of defense against cyber crime. Law enforcement has more resources available and more expertise in ensuring the case is prosecutable. They have the ability to track down and bring these criminals to justice. There are several different agencies that can be contacted in the event that a cyber criminal is detected.

US-CERT
The first place that should be contacted is the United States Computer Emergency Readiness Team (US-CERT). US-CERT is a part of the Department of Homeland Security. US-CERT is "charged with protecting our nation's Internet infrastructure by coordinating defense against and response to cyber attacks." [7] The job of US-CERT is to allow people and businesses to communicate directly with the U.S. government about Internet security. They interact with all other government agencies as well, thus alerting the FBI and Secret Service about the problems.

The FBI's Cyber Division
The FBI's Cyber Division is perhaps the largest organization designed to fight cyber crime. The Cyber Division plays two distinct roles in cyberspace. Its first role is as the lead law enforcement agency in the protection against cyber attacks by terrorists and foreign enemies. The second role the Cyber Division plays is preventing criminals from using the Internet to steal from, defraud, and otherwise victimize citizens, businesses and communities. [5] They coordinated Operation Web Snare, which has been the most successful cyber sting operation to date. Operation Web Snare includes more than 150 investigations, in which more than 870,000 victims lost more than 210 million dollars. Through these investigations more than 300 subjects were targeted, resulting in 100 arrests/convictions, 116 indictments, and the execution of more than 130 search/seizure warrants. [5] It has been so successful due to the cooperation between law enforcement and the business sector. This is a much needed first step against cyber crime.

The Secret Service's Electronic Crimes Task Force
The Secret Service was the first law enforcement agency to rely heavily on the idea of a task force. They felt that by forging new relationships with private sector entities and scholars, the task force opens itself up to a wealth of information and communication lines with limitless potential. [8] After the September 11th attacks, President Bush signed into law the Patriot Act of 2001. This act calls for dozens of regional task forces scattered across the country. Each task force was to be modeled after the first, the New York Electronic Crime Task Force (NYECTF), which was established in 1995. What was once a task force of a few dedicated individuals is currently an organization of over 500 people throughout many major cities. The major cities where these task forces reside include: Chicago, Cleveland, Boston, Dallas and Washington D.C. [8]

Roadblocks on the Road to Success


The fight against cyber criminals is very young and has many well-known obstacles to overcome. The first such obstacle is the intelligence of cyber criminals. Like any other form of crime, the cyber criminal is advancing their knowledge and finding new ways of committing and getting away with criminal acts. The main problem with cyber crime is that it is often some of the best and brightest computer minds committing these crimes. As computers have become a fixture of everyday life, the population has had to educate itself on how to use computers. The major weakness is that the general population knows how to use the computer for simple functions but doesn't realize the dangers that are out in cyberspace lurking for a naive user. The general population, including the vast majority of business people, does not have the education on how computers can be used as weapons as well as a useful business tool. [3]

Another obstacle in the fight against cyber criminals is jurisdiction problems. What is to happen to a Japanese man who hacks the database of a U.S. company? Are the Japanese to prosecute, or is law enforcement in the United States to handle those duties? This is a simple example of how jurisdiction becomes cloudy through the Internet. The problem arises because the Internet is not a physical space. There are also problems determining where the crime is committed. In the above example, did the crime take place in Japan because that is where the computer used to commit the crime is located, or did it take place in the United States since that was where the server with the stolen information was located? Many times jurisdiction problems can be worked out, but it is a time consuming event, which slows the process of bringing the criminal to justice. These delays due to law enforcement have made cyber crime cases less attractive to prosecutors since there is no guarantee that a foreign country will allow prosecution. In many foreign countries there are no laws against cyber crime, so those being hacked have little to no recourse for action. [2]

Failure to report is yet another roadblock along the road to success in the fight against cyber crime. As mentioned earlier, only 34% of all companies responding to a 2001 survey conducted by the FBI reported attacks on their systems to law enforcement. [5] There are several reasons why a company would neglect to report an attack to law enforcement. The government and its agencies have addressed most of the reasons since the September 11th attacks. However, many companies had one common reason that cannot be addressed. Many companies would have liked to report such crimes but do not do so because of both the economic and the psychological impact such news would have on both the shareholders' confidence and the overall name of the company. Lack of customer confidence is a competitor's advantage and it may spell financial ruin to the company. Some companies are reluctant to report any form of computer attacks on their systems in fear that others, including shareholders, will perceive company management as weak with poor security policies. [3] Law enforcement must gain the confidence of these companies in order to catch and prosecute these criminals.

Corporate interference is another shortcoming in the fight against cyber crime. The companies that do report their attacks to law enforcement often want to start the investigation themselves. The problem with this is that evidence must be collected and handled by experts in order to preserve the right to prosecute. Many times when a company collects data, the evidence cannot be used. The reason such evidence can't be admitted into a court of law is that the collection methods weren't as in depth and complete as those established by the courts for law enforcement. Another major problem with companies trying to join the investigation with law enforcement is the difference in goals of the two organizations. The company often has to worry about the public's perception of them and thus tries to limit the types of information gathered by law enforcement. Agencies like the FBI need complete cooperation in order to be successful, and as illustrated before, very few companies are willing to provide it. [2]

Conclusion
The amount of crime being conducted on the Internet is astonishing. U.S. businesses and individuals lose over ten billion dollars annually. These losses include money garnered through phishing, identity theft, and theft of corporate data such as customer databases. There have been many steps forward in the fight against cyber crime. Companies have learned to increase their security through the many unfortunate incidents of the past decade. Companies and law enforcement must find ways to work with one another better to further succeed in the fight against cyber criminals. Global standards and communication around the world must also be implemented in order to protect not only U.S. citizens and companies but also the entire population of the world. The Internet has become a dark place where anyone may hide in the shadows. It is time to make the internet the trustworthy marketplace for ideas that it was intended to be.

References
1. Marjie T. Britz. (2004). Computer Forensics and Cyber Crime. New Jersey: Pearson Education Inc.
2. Steven Branigan. (2005). High-Tech Crimes Revealed: Cyberwar Stories From The Digital Front. Boston: Pearson Education Inc.
3. Joseph Migga Kizza. (2002). Computer Network Security and Cyber Ethics. North Carolina: McFarland & Company Inc.
4. Brenner, S. (2001). Cyber Crimes. Retrieved February 5, 2005, from The University Of Dayton Law School Web Site: http://cybercrimes.net
5. Investigative Programs Cyber Investigations. Retrieved January 11, 2005, from the Federal Bureau of Investigation Web Site: ww.fbi.gov/cyberinvest/cyberhome.htm
6. Martin, William H. (2001). Honey Pots and Honey Nets - Security through Deception. Retrieved January 23, 2005. http://www.sans.org/rr/whitepapers/attacking/41.php
7. United States Computer Emergency Readiness Team. Retrieved January 15, 2005. http://www.us-cert.gov/
8. Regional Locations. Retrieved January 11, 2005, from the United States Secret Service Electronic Crimes Taskforce Web Site: http://www.ectaskforce.org/Regional_Locations.htm
