Professional Issues in IT

Spring 2018
Computers and Crime
Ms. Saba Rasheed Malik, Ms. Atifa Sarwar
National University of Computer & Emerging Sciences-FAST,
Islamabad Campus
• Spoofing
• Spamming
• Virus/Worms/Malware/Trojan Horses
• Cyber Squatting
• Cyber Vandalism
• Hacking
• Phishing
• DoS
• E-forgery
• Identity/Data Theft
• Copyright Infringement
• IP Rights Violation
• Privacy Violation
• Cyber stalking
• Data damage

2
• Fraud
• Burglary
• Money laundering
• Blackmail
• High jacking
• Defamation

3
 Computers and Crime

• Crime:
• It is defined as an act disobedience of the law forbidden under pain of
punishment.
• Why Crimes?
• Willie Sutton was asked why he robbed banks, he replied:
“Because that’s where the money is.”

• Computer Crime:
• Crime committed using computers.
• Computer Technology impacts on criminal law in two ways:
• Facilitates the commissioning of existing crimes e.g. fraud, theft etc.
• Has also given birth to a new range of activities e.g. hacking, viruses etc.
• Computer Forensics - the practice of collecting, analysing and reporting on
digital data in a way that is legally admissible. It can be used in the detection and
prevention of crime and in any dispute where evidence is stored digitally.
4
 Computers and Crime
• Computer Crime (Contd.):
• Major Computer Criminal Activities:
• Computer Fraud
• Manipulating a computer dishonestly in order to obtain money, property,
or services.
• Examples: Placing fictitious employee on the payroll, setting up false
supplier account, creating fake invoices etc.
• Hacking (Attacks)
• Gaining unauthorized access or attempting to gain unauthorized access
to a computer.
• Damage to Programs and Data
• Altering / destroying programs or data
• Examples: Spreading a virus, Encrypting the company’s data files and
demanding a ransom for revealing the key for decryption, Concealed /
Hidden redirection of browser home pages etc.
• Impairing / Weakening / Spoiling Access to Data
• Denial of Service Attacks
5
 Computers and Crime
• Computer Crime (Contd.):
• Types of Attacks:
• Military and Intelligence Attacks
• Business Attacks
• Boeing vs. Airbus (Tapping phone calls to get secret information)
• Financial Attacks
• Grudge Attacks
• Not for seeking information, simply to cause damage and destruction
• Fun Attacks
• Intellectual challenges without any profit motives
• Criminal Automation
• Criminals automating their operations
• Extremist groups, Drug dealers
• Vulnerabilities:
• Hardware, Software, Data, Communications

6
 Computers and Crime
• Computer Crime (Contd.):
• Associated Issues (Liabilities under Civil Law):
• Intellectual Property Rights / Piracy
• Copyright Infringement?
• Breach of Confidence?
• Data Protection / Privacy
• Unauthorized Access?
• Internet Issues - Pornography etc.
• Types of Offenders:
• Crackers (main motive to access a system)
• Criminals (main motive to gain something)
• Vandals (main motive to damage)
• Legislation in Pakistan:
• Electronic Transactions Ordinance, 2002
• Prevention of Electronic Crimes Ordinance, 2007
• Cyber Crime Bill, 2015

7
 Prevention of Electronic Crimes Ordinance, 2007

• Electronic Transactions Ordinance, 2002

• First IT relevant legislation created by national lawmakers
• First step to legal sanctity and protection for Pak e-commerce
• Laid foundations for legal infrastructure
• Heavily taken from foreign law related to cyber crime
• Pre-ETO
• No recognition of e-documents, e-records, evidential basis of both
• Failure to authenticate digital /electronic signatures or
authentication
• No online transaction can be legally binding
• E-data and forensic evidence not covered

8
• Important sections:
• Violation of privacy – imprisonment 7 years, fine 1 million
• Damage to Information Systems, punishment as above
• Post ETO:
• E-documents and record recognized
• Electronic and digital forms of authentication and identification
given legal sanctity
• Messages through email, fax, mobile phones, plastic cards,
online recognized

9
 Computers and Crime
• Internet Issues:
• Internet - Tremendous Benefits
• Easier access to information
• Easier and Cheaper communication (Individual and Group basis)
• Easier and Speedy commercial transactions
• Benefits to everyone, not only privileged class
• …
• Internet – Certain Problems / Issues (Social, Cultural, Legal)
• Pornography
• Child Pornography
• Defamation
• Material that makes unwelcome allegations about people / organizations
• Making statements that will damage someone’s reputation, bring them into
contempt, make them disliked, and so on.
• Spam

10
 Computers and Crime
• Internet Issues (Contd.):
• Every country has own laws and different levels of acceptance
• Roles and responsibilities of ISPs are a central element in the way
these issues are addressed
• Internet Jurisdiction
• Suppose a person X commits a criminal offence in country A and then
moves to country B.
• Can country A ask that X be arrested in country B and sent back to A
so that he/she can be put on trial?
• Yes, if agreement between countries exist (Extradition Treaty) and that
act is offence in both the countries
• Can X be prosecuted in country B for the offence committed in
country A?
• Generally No
• Yes, subject to Extraterritorial Jurisdiction claims (USA vs. Pakistan)

11
 Computer Security

• Is reactive.
• First Virus in 1981 and the a commercial specific antivirus
program, Brain Virus was released 7 years later.
• In 1991 that Symantec released the first version of Norton
AntiVirus.
• Failure to think proactively hampers computer-security
efforts today, and it makes the tasks of computer
criminals just a bit easier.

12
 Techniques & Resources

• Identity Theft
• Fraud Techniques
• Auction Frauds
• Investment Offer
• Hacking Techniques

13
 Identity Theft Techniques
• Studying the enemy is good for any conflict.
• Identity Theft
• Identity theft and identity fraud are terms used to refer to all types of crime in
which someone wrongfully obtains and uses another person’s personal data in
some way that involves fraud or deception, typically for economic advantage.
• Purpose is to gather enough information about an individual that the perpetrator
can successfully pretend to be that individual.
• Wants access to bank accounts, credit cards, financial goal.
• If the perpetrator obtains a credit card in someone else’s name, then he
can purchase products and the victim of this fraud is left with debts he or
she was not aware of and did not authorize.
• In the case of getting a driver’s license in the victim’s name, this fraud
might be attempted to shield the perpetrator from the consequences of
his or her own poor driving record. For example, a person might steal
your personal information to create a license with his or her own picture.
Perhaps the criminal in this case has a very bad driving record and even
warrants out for immediate arrest.

14
• The advent of the Internet has made the process of
stealing a person’s identity much easier.
• Many states now have court records and motor-vehicle
records online.
• People actually post a great deal of information about
themselves on social networking sites such as Facebook
and MySpace.
• It is not a difficult task to trick people into giving up
personal information. This can include credit-card
numbers, account numbers, usernames, and even bank
passwords

15
 Hacking Techniques
• Foot-printing
• Password Cracking
• Website Hacking
• Man in the Middle Attack

16
 Hacking – Foot-printing
• Steps like a serious burglar, ‘case’ the target
• Search websites, local news, social media
• Technical infrastructure, employees, software bought
• E.g news related to Windows Server 2008, vendor selected, contract given
• General Search for flaws in hardware/software
• Search computer boards with discussions from technical employees
• Use it for social engineering
• Get the login/password and use spyware to get all the others!

17
 Hacking – Foot-printing
• Whois to fetch web domain’s and email’s server’s IP address
• Physical address if target hosts its own email and web servers
or they are hosted by a company.
• Run the web domain through netcraft.com
• What web server, what OS, how long it has been rebooted
• Port Scan, which open on firewall
• If 110 open, POP3 accepted, likely a mail server
• If 137, 138, 139, NetBIOS traffic, likely a windows server
• See the archives to see HR, IT infrastructure changes, etc
• Network analysis tool like Microsoft Baseline Security
• Help network admins to assess their systems.

18
• Network analysis tool like Microsoft Baseline Security
• Windows administrative vulnerabilities
• Weak passwords
• IIS administrative vulnerabilities
• SQL administrative vulnerabilities

19
 Hacking - Password Cracking
• Brute-force
• A brute-force attack is literally when the software
tool you are using simply tries every single
permutation of letters, numbers, and symbols
possible to crack the password. This will often
show up in server logs as a number of failed login
attempts in a short period of time.
• Dictionary
• Because the majority of passwords are usually
simplistic, running a dictionary attack is often
successful at cracking passwords.

20
 Hacking – Website Hacking
• Website hacking
• Web pages are, by definition, open to public access, and they also get a lot
of traffic. This makes them the easiest target for hacking and the logical
place for any intruder to start. There are many ways to try and hack in
through a Web site, but we will examine just a few of the most commonly
used.
• SQL Injection
• SQL is an acronym for Structured Query Language. It is the language used by all
relational databases. If a target Web site communicates with any database, it is
using SQL to do so. Clever hackers use this fact and attempt to exploit it to gain
access to the system. SQL injection is a process whereby hackers enter SQL
code directly into Web forms such as login fields or an address bar in the
browser. The goal is to trick the Web page into submitting that SQL code to the
database, thus executing that code. To make this work, the hacker must have an
in-depth understanding of SQL. This is an effective attack, and it can also be
quite devastating. Let’s look at an example. Perhaps the hacker wishes to log on
to a Web site. If the Web site is not very well written, then the hacker can use a
feature of SQL to force the site to log him in. Here is a simple SQL statement
that is often found in login screens to verify the login:
21
• SELECT * FROM USERS WHERE USERNAME =
'usernameentered' AND PASSWORD =
'passwordentered‘

• SELECT * FROM USERS WHERE USERNAME =

'usernameentered' AND PASSWORD =
'passwordentered‘ or 1 = 1.

22
• Cross-site scripting
• XSS, is another popular technique that hackers commonly
use against Web sites. This type of attack is harder to
prevent than SQL injections and is becoming increasingly
popular. Many well-known sites have been victims of XSS,
including Google, MySpace, and even Microsoft.
• XSS functions by embedding JavaScript into hyperlinks to
manipulate a Web site. This gives an intruder the power to
take control of individual sessions, Website
advertisements, and personal information.
• A worst-case scenario involves a hacker gaining access to
account details and taking over the entire Web site.

23
• Session Hacking
• Act of taking control of a user session after successfully obtaining or
generating an authentication session ID. This type of attack requires
a relatively high degree of skill and is therefore less common.
Session hijacking involves an attacker literally taking over a
particular session. A session is a valid communication established
between a client and a server. When you log in to your LAN, you
have established a session. These can be hijacked because every
session is identified by a session ID. If you can get that ID, you can
take over the session. There are three primary techniques for
hijacking sessions:
• Brute force: The attacker tries multiple IDs until one is
successful.
• Calculate: In many cases, IDs are generated in a non-
random manner and can be calculated
• Steal: Using different types of techniques, the attacker
can acquire the session ID.

24
 Hacking–Man in the Middle Attack
• intercepts a communication session between two systems. For example,
in an http transaction, the man-in-the-middle attack attempts to hijack
the TCP connection between client and server. Using different
techniques, the attacker splits the original TCP connection into two new
connections: one between the client and the attacker and the other
between the attacker and the server. Once the TCP connection is
intercepted, the attacker acts as a proxy and is able to read, insert, and
modify the data in the intercepted communication. Like the session-
hijacking attack, this is an advanced technique that requires a high
degree of skill on the part of the hacker.

25
 Tools
• Sniffers
• A sniffer is a program and/or device that monitors all information
passing through a computer network. It sniffs the data passing
through the network off the wire and determines where the data
is going, where it’s coming from, and what it is. In addition to
these basic functions, sniffers might have extra features that
enable them to filter a certain type of data, capture passwords,
and more. Some sniffers (for example, the FBI’s controversial
mass-monitoring tool Carnivore) can even rebuild files sent
across a network, such as an e-mail or Web page. One common
(and free) packet sniffer is the tool WireShark. Any packet sniffer
will provide details about the packets it intercepts. More
importantly, it does not prevent the packet from going through
to its destination; it merely copies the content, thereby making it
particularly hard to detect.

26
 Tools

• Password Crackers
• a tool that attempts to automate the process of breaking
passwords. It might use a dictionary attack, a brute-force attack,
or a combination of both. Regardless of the methodology
employed, it will certainly make cracking passwords much easier
for the hacker.

27
PI-Spring 2016 (NUCES, Islamabad Campus) 28
Pakistan Electronic Crimes Act 2015
• Given exclusive powers to FIA to investigate and charge cases.
• Empowers PTA to block content – religious, political, security
• Criminalized political criticism, political expression – blogs,
cartoons, caricatures
• Person who tests security system shall be offender
• Obscene/immoral messages are offences
• Offence to share picture of a natural person without consent
• Spamming can cause you fine
• Sending an email or message without the recipient’s
permission will become an offence.
• Hacking – 1 million or 3 years

29