Abstract
As the Internet has become a needed tool at home and in businesses, it has also become a tool and target for crime. The anonymity of the Internet allows for all sorts of illegal activity to take place without many repercussions. Until recently, law enforcement has seen cyber-crime as insignificant and not worth their time. Due to companies' reliance on the Internet and their networks, the losses sustained are often large and potentially catastrophic. This paper will introduce the different types of cyber-crime and also describe why the fight against cyber-crime has been so difficult for both companies and law enforcement.
Introduction
Technology has always provided new ways of solving old problems as well as distributing information. The Internet has made all types of information readily available. This wealth of information has opened up a whole new world of problems. These problems deal with the security of computer networks. As the general public has gotten more technologically advanced so too has the criminal. The reliance on the Internet for information has also allowed criminals to find ways of obtaining the most private of data. The Internet is also proving to be a tough place to police. This inability to find and prosecute criminals has become a costly problem to society, and more specifically to the business world. Internet crime is a big problem but by no means the only problem. There are many other criminal acts being committed with the aid of computers and networks. It is important for current and future members of the business world to understand these crimes, the motivations for such crimes and what can be done to find and stop such criminals.
Defining Cyber-Crime
There are many different definitions of cyber-crime depending upon whose text is read. This fact has confused lawmakers and law enforcement officials alike. The most accepted definition comes from the book Digital Evidence and Computer Crime. This book defines cyber-crime as: "any crime that involves computers and networks, including crimes that do not rely heavily on computers." [1] This definition appears in several online encyclopedias and is widely accepted. This definition allows any criminal activity involving a computer to be defined as a cyber-crime. To illustrate the broadness of the cyber-crime spectrum, let's look at the two extremes. On one hand, a cyber-crime could be as basic as sending someone an offensive email. This email would be seen by the recipient as harassment and thus is a cyber-crime since a computer was used. The computer wasn't needed to carry out the crime, but was used anyway. On the other hand would be a complex crime in which a hacker breaks into a company's database to steal or destroy customer information. This illustrates the great amount of area between these two crimes. That area represents the entire spectrum of cyber-crime. Now that the entire scope can be seen, it is time to explain the many different types of cyber-crime.
Classifying Cyber-Crime
Cyber-crime can happen essentially on two levels. The crime can be done against a person or against a company and property. For the purposes of this document, the crimes against companies and property will be given more attention. According to the book Computer Forensics and Cyber Crime, by Marjie Britz, there are four classes by which cyber-crimes can be grouped. These classes are: phreaking, internet scams, neo-traditional crimes, and other web related crime.
The first classification is phreaking, which is a precursor to hacking. The goal of phreaking is to break into a secure system and then brag about it. Most of the time such intruders cause little to no damage and seem very innocent. In those cases where damage did occur, the intruders believed that they were providing a valuable service. They felt they were helping the Internet community by pointing out flaws in security so they could be fixed at a later date. [1] The term phreaking is not a new one to the world of technology. Phreaking was originally the term used for people breaking into telephone systems to get free long distance calls. Among the tools for doing so was a whistle found in a box of Cap'n Crunch cereal. This whistle created the proper tone to cause the operator to hang up, allowing for free calls to be made from the other end of the line. Other phone crimes involved hacking into the phone switches in order to make pay phones operate like regular phones. A crime that was detrimental to law enforcement was also executed via phone switches. The switches hold the record of whether or not there is a wiretap on someone's phone. Some phreakers compromised the system and then called people whose line was tapped to inform them of the lack of privacy on their line. [2]
The second classification is internet scams. Included in these scams are phishing, web cramming and ISP jacking. Phishing is an Internet scam where an individual receives an email that appears to be from a legitimate source. This source could be a financial institution, credit card company, or an online auction site such as eBay. In fact, eBay and their escrow services are the places that scammers are most likely to pretend they are representing. The email they send usually expresses some concern with their own site's security and requests the recipient to click a link where they will be asked to enter their username and password. The link does not lead to the valid site that the email claims to come from. The site is simply a place for a criminal to obtain usernames and passwords. Web cramming is a crime in which criminals develop new web pages for small businesses and non-profit groups for little or no expense. While advertising their services as free, these criminals actually engage in unauthorized phone charges on their victim's account. [1] Lastly is ISP jacking, which involves disconnecting individual users from their selected Internet Service Provider and redirecting them to illegitimate servers. [1] This form of crime requires the user to have downloaded some software that actually contains a hidden program. This program disconnects them from their ISP and reconnects them to a new server somewhere halfway around the world. This all occurs without the victim's knowledge and leads to some very hefty long distance phone charges.
The third classification is that of neo-traditional crimes. This is a type of crime where a computer is not needed to perform the criminal activity, but the use of a computer has opened up new avenues for performing such crimes. Any form of fraud attempted with the use of a computer is a neo-traditional crime. This is still fraud, but since a computer is used it is further defined as computer fraud. Another similar crime is IP spoofing. This is the act of altering packet headers to conceal the identity of a criminal by changing the IP address. Perhaps the most famous neo-traditional crime is the salami technique, thanks to the movie Office Space. The salami technique is the redirection of the rounded off portions of dollars from one account into another account where it will accumulate over time. It is known as the salami technique since only small slices, or the equivalent of hundredths of a cent, are moved per transaction. [1]
The last classification encompasses the wide array of crimes not covered in the previous three categories. This is the category where hacking is generally placed. While it is true that hacking generally leads to other cyber-crimes, it is simply too broad to be covered solely by any of the other classifications. Hacking is "the process by which individuals gain unauthorized access to computer systems for the purpose of stealing and corrupting data." [5] In terms of stealing data, criminals may choose to perform the crime of identity theft. This is becoming the fastest growing type of cyber crime since most sites that sell things online don't do any background checks in order to ensure the purchaser is who they claim to be. Hackers also steal data in order to hurt either a former employer or a large organization that they despise.
Corrupting data is also a favorite pastime of hackers and can be accomplished via several tools. These tools include worms, viruses, distributed denial of service (DDoS) attacks and Trojan horses. These tools have evolved with the ever-changing technology and enable hackers of all skill levels to wreak havoc on computer systems. This class of crime also has newfound potential since the September 11th, 2001 terrorist attacks. Cyber-terrorism is yet another avenue for hackers to cause damage for political instead of personal reasons. Cyber-terrorism is defined as "a deliberate, politically or religiously motivated attack against data compilations, computer programs, and/or information systems which is intended to disrupt and/or deny service or acquire information which disrupts the social, physical or political infrastructure of the target." [5]
Why are companies reluctant to report their systems were compromised?
First of all, Internet commerce is built upon the notion that all information on the web can only be seen by the eyes that are meant to see it. For example, only John Smith can see the website for his bank. As nice as it sounds, this is entirely unlikely since hackers find ways into the server or database and not into an individual's computer. If a company reports that vital information was stolen or damaged by hackers, it will cause several problems. The first problem is it may cause customers, especially those whose information was used to commit a fraudulent crime, to stop doing business with the company. The next problem is that the company's stock prices would drop due to the error, making losses twofold. Many companies feel the repercussions of covering up such a security breach will ultimately be cheaper than admitting the mistake. Admission of a mistake will more than likely cause panic, whereas a cover-up follows the old notion, "what they don't know can't hurt them." [3] In a 2002 survey conducted by the FBI it was reported that ninety percent of organizations responding had detected breaches in security within the past year. The survey also reported that eighty percent of organizations had lost money due to the security breaches. Lastly, only thirty-four percent of companies reported these attacks to law enforcement officials. As this survey shows, the reason cyber crime is so prevalent is due to the fact that companies are unwilling to admit their security is not as good as it should be. [5]
Understanding Hackers
Conventional wisdom tells IT professionals and law enforcement that in order to stop a cyber criminal one must first understand their motives and actions. Steven Branigan writes in his book, High-Tech Crimes Revealed, that there are seven steps to hacking. [2] The first step is choosing a target to attack. Criminals will choose a target based upon what they want. If the criminal is interested in money they will choose something like a credit card database. If the criminal is looking to impress others then they will instead choose to hack something along the lines of a high profile web server. The second step is to find the computers that are accessible via the Internet. There are many free pieces of software designed to do just that, so even inexperienced hackers can gain access to these computers. The third step is to discover vulnerable computer systems that contain the data being sought. This is similar to how a burglar will check the place they intend to rob for unlocked doors before breaking a window. Step four is to break into the computer system; there are many hacking tools for this. The fifth step is to elevate access privileges to the maximum allowed. This is known as rooting a box and allows the hacker to find anything that is on that computer. To relate this to a real world crime, it is making a forgery of someone's employee pass to gain total access into a building. The sixth step is to monitor what other computer users are doing. This step serves two purposes. The first purpose is to find more vulnerable systems by watching where other people go. The second purpose is to see if anyone is aware of the security breach. The final step is to install backdoors allowing the hacker to re-enter the computer at any point in the future if the security weakness has been repaired. Steps six and seven are unique to high tech crimes. These steps make high tech crimes more difficult to detect and defend against. [2]
Now that the process of hacking itself is understood, the reasons people would cause destruction must be investigated. There are two types of hackers: the internal hacker and the external hacker. The internal hacker is someone who is currently or was previously employed by the company and has easy access to the computer system. The external hacker is more commonly called the professional hacker. Both types of hackers do so for some of the same reasons. The four reasons hackers hack are: revenge, profit, glory, and to aid in showing security flaws. Revenge is a motivator only to the internal hacker; they could be angry about getting laid off or being passed over for a promotion. Both internal and external hackers can be enticed by profit. Hacking into a system and using information to commit other crimes can be very profitable. Glory and aiding in showing security flaws are unique to the external hacker. Some hackers break into systems simply for bragging rights, but this is very rare. Also rare are hackers who hack in order to help find security flaws. These hackers are becoming more abundant, though, due to companies wanting to use hackers to test system security. The belief is that there is nobody more qualified to test system security than someone who has been arrested for breaking into computer systems. Like most other criminal acts, the almighty dollar seems to be the driving force in the majority of cases. [2]
who accesses it. Any person accessing this server is unauthorized since there is no connection between this server and anything useful. The log files on the firewall of the honey pot will be useful in identifying hackers. There are no laws at the moment about the legality of honey pots. The idea of a honey pot brings up some serious ethical questions. One such question is whether a hacker's curiosity is prosecutable. The hacker hasn't committed a crime by looking at the honey pot, but they are hacking and are probably doing damage to a system somewhere. Another question is whether a company employing a honey pot should be required to share the log files of hacker IP addresses with other companies and law enforcement. As mentioned before, looking isn't a crime, but these people are potentially dangerous. Due to the lack of laws and the ethical dilemma, honey pots are rare. [6]
The Secret Service's Electronic Crimes Task Force
The Secret Service was the first law enforcement agency to rely heavily on the idea of a task force. They felt that by forging new relationships with private sector entities and scholars, the task force opens itself up to a wealth of information and communication lines with limitless potential. [8] After the September 11th attacks, President Bush signed into law the Patriot Act of 2001. This act calls for dozens of regional task forces scattered across the country. Each task force was to be modeled after the first, the New York Electronic Crime Task Force (NYECTF), which was established in 1995. What was once a task force of a few dedicated individuals is currently an organization of over 500 people throughout many major cities. The major cities where these task forces reside include: Chicago, Cleveland, Boston, Dallas and Washington D.C. [8]
conducted by the FBI reported attacks on their systems to law enforcement. [5] There are several reasons why a company would neglect to report an attack to law enforcement. The government and its agencies have addressed most of the reasons since the September 11th attacks. However, many companies had one common reason that cannot be addressed. Many companies would have liked to report such crimes but do not do so because of both the economic and the psychological impact such news would have on both the shareholders' confidence and the overall name of the company. Lack of customer confidence is a competitor's advantage and it may spell financial ruin to the company. Some companies are reluctant to report any form of computer attacks on their systems in fear that others, including shareholders, will perceive company management as weak with poor security policies. [3] Law enforcement must gain the confidence of these companies in order to catch and prosecute these criminals.
Corporate interference is another shortcoming in the fight against cyber crime. The companies that do report their attacks to law enforcement often want to start the investigation themselves. The problem with this is that evidence must be collected and handled by experts in order to preserve the right to prosecute. Many times when a company collects data the evidence cannot be used. The reason such evidence can't be admitted into a court of law is that the collection methods weren't as in depth and complete as those established by the courts for law enforcement. Another major problem with companies trying to join the investigation with law enforcement is the difference in goals of the two organizations. The company often has to worry about the public's perception of them and thus tries to limit the types of information gathered by law enforcement. Agencies like the FBI need complete cooperation in order to be successful, and as illustrated before, very few companies are willing to give it. [2]
Conclusion
The amount of crime being conducted on the Internet is astonishing. U.S. businesses and individuals lose over ten billion dollars annually. These losses include money garnered through phishing, identity theft, and theft of corporate data such as customer databases. There have been many steps forward in the fight against cyber crime. Companies have learned to increase their security through the many unfortunate incidents of the past decade. Companies and law enforcement must find ways to work with one another better to further succeed in the fight against cyber criminals. Global standards and communication around the world must also be implemented in order to protect not only U.S. citizens and companies but also the entire population of the world. The Internet has become a dark place where anyone may hide in the shadows. It is time to make the internet the trustworthy marketplace for ideas that it was intended to be.
References
1. Marjie T. Britz. (2004). Computer Forensics and Cyber Crime. New Jersey: Pearson Education Inc.
2. Steven Branigan. (2005). High-Tech Crimes Revealed: Cyberwar Stories From The Digital Front. Boston: Pearson Education Inc.
3. Joseph Migga Kizza. (2002). Computer Network Security and Cyber Ethics. North Carolina: McFarland & Company Inc.
4. Brenner, S. (2001). Cyber Crimes. Retrieved February 5, 2005, from The University Of Dayton Law School Web Site: http://cybercrimes.net
5. Investigative Programs Cyber Investigations. Retrieved January 11, 2005, from the Federal Bureau of Investigation Web Site: www.fbi.gov/cyberinvest/cyberhome.htm
6. Martin, William H. (2001). Honey Pots and Honey Nets - Security through Deception. Retrieved January 23, 2005. http://www.sans.org/rr/whitepapers/attacking/41.php
7. United States Computer Emergency Readiness Team. Retrieved January 15, 2005. http://www.us-cert.gov/
8. Regional Locations. Retrieved January 11, 2005, from the United States Secret Service Electronic Crimes Taskforce Web Site: http://www.ectaskforce.org/Regional_Locations.htm