This action might not be possible to undo. Are you sure you want to continue?
Rodolfo Noel S. Quimbo Resource Person Information, Communication and Space Technology Division UNESCAP
Two Part Presentation
• Internet and Security Concepts • Incidents/Attacks • Improving Security
• Statutes, Laws, and Policies – Challenges to enforcers • Substantive and Procedural Law • Efforts to Combat Cyber-crime
Part I Cyber-crime
An attempt was made to use the network to access computers in the US to copy information from them.Internet and Security Concepts The Internet and Its Vulnerabilities • When it started as a project of the Advanced Research Project of the US Defense Department in 1969. the system was designed for openness and flexibility. the network had its first automated network security incident courtesy of a worm program . • In 1988. not security • The first publicized international security incident was identified in 1986.
Internet and Security Concepts The Internet and Its Vulnerabilities • As a response to the worm threat. easy. However. to be quick. a computer emergency response team was created (now the CERT Coordination Center) • In 1989. inexpensive and often times difficult to detect or trace . the ARPANET Project officially became the Internet. for most part retained its inherent openness • The Internet being inherently open. it has. in general. extremely dynamic allows attacks.
this is the most important attribute in service oriented businesses .Important Security Concepts • Confidentiality of Information Confidentiality is lost when someone without authority is able to read or copy information • Integrity of Information Modifying information in unexpected ways makes it lose its integrity • Availability of Information The erasure of information makes it unavailable when needed. Often.
Elements of a Secured Network Environment Authentication • “I am who I Say I am” Authorization • “I am allowed to read the file” Non-repudiation • “Yes. I sent the e-mail” .
Attack Trends vis a vis Internet Growth Trend 1 – Automation. speed of Attack Tools • Scanning for Potential Victims • Compromising vulnerable systems • Propagate the Attack • Coordinated Management of Attack Tools .
Attack Trends (cont’d.) Trend 2 – Increasing Sophistication of Attack Tools • Anti-forensics • Dynamic behavior • Modularity of attack tools .
) Trend 3 – Faster Discovery of vulnerabilities Year 1995 1996 1997 1998 1999 Vulnerabilities 171 345 311 262 417 .Attack Trends (cont’d.
990 8.090 2001 2.064 Total Vulnerabilities reported (1995-Q2.437 2002 4. 2006): 30.780 5.784 2004 2005 2006 3.780 .) Trend 3 – Faster Discovery of vulnerabilities Year Vulne rabilit ies 2000 1.Attack Trends (cont’d.129 2003 3.
Attack Trends (cont’d.Increasing Asymmetric Threat .) Trend 4 – Increasing Permeability of Firewalls Trend 5.
Worms .) Trend 6 – Increasing Threat from Infrastructure Attacks • Attack 1 – Distributed Denial of Service • Attack 2 .Attack Trends (cont’d.
) Trend 6 – Increasing Threat from Infrastructure Attacks • Attack 3 – Attacks on the Internet Domain Name System (DNS) Cache Poisoning Compromised Data Denial of Service Domain Hijacking .Attack Trends (cont’d.
Attack Trends (cont’d.) Trend 6 – Increasing Threat from Infrastructure Attacks • Attack 4 – Attacks against or using routers Routers as attack platforms Denial of Service Exploitation of Trust relationship between routers .
Firewall. Break – in Transaction interception Internal LAN sniffing Trojans Access behind firewalls Back connection to public Internet 3 . LAN Internet Sniffers. Trojans Message modification.Sources of Incidents/Threats Vulnerabilities PC Cable Modem. viruses. hackers External Interception Spoofing. Trojans Server Transaction trapping. back door Viruses.
Kinds of Incidents Probe • Attempts to gain access into a system Scan • Large number of probes Account Compromise • Unauthorized use of an account by someone other than the owner Root Compromise • An account compromise where the account has special privileges on the system .
Kinds of Incidents Packet Sniffer • A program that captures data as packets travel through the network Denial of Service • Preventing authorized users from using the system Exploitation of Trust • Forging of identity in order to gain unauthorized access .
when executed. cause undesired results such as loss of data. denial of service .Kinds of Incidents Malicious Code • Programs that. downtime.
Kinds of Incidents Internet Infrastructure Attacks • Rare but serious attacks on key components of the Internet structure such as network name servers and large archive sites .
One time passwords are preferred. fixes and patches • Regularly check for security alerts . • Use cryptography • Use secure programming techniques when writing software • Regularly check for updates.Improving Security Recommended Security Practices that can minimize network intrusions: • Ensure all accounts have passwords that are difficult to guess.
Improving Security Available technologies • One time passwords • Firewalls • Monitoring Tools • Security Analysis Tools • Cryptography .
PART II: Cyberlaw
Countries with Cybercrime Statutes
Country ARMENIA AUSTRALIA AUSTRIA BANGLADESH BELGIUM BRAZIL CANADA CHILE PEOPLES REPUBLIC OF CHINA Law Criminal Code (2003) CRIMES ACT 1914 (PART VIA), Sections 76B, 76D Privacy Act 2000 (effective as of January 1, 2000) Office of Law Commission approved the Law on IT Belgian Parliament in November 2000 adopted new articles in Criminal Code (effective from February 13, 2001) Article 550(b) Law no. 9,983 of July 14, 2000 Art. 313-A & B Canadian Criminal Code Section 342.1 Law on Automated Data Processing Crimes no. 19.223, published June 7, 1993 Decree No. 147 of State Council of the Peoples Republic of China, February 18, 1994. Computer Information Network and Internet Security, Protection and Management Regulations, (approved by State Council December 11, 1997, and published December 30, 1997) Telecommunication Ordinance
Countries with Cybercrime Statutes
Country DENMARK ESTONIA FINLAND FRANCE GERMANY GREECE HUNGARY IRELAND ICELAND INDIA ISRAEL ITALY JAPAN Law Penal Code (Section 263) Estonian Criminal Code (Sections 269 to 273) Penal Code Chapter 38 (Section 8) New Penal Code, in effect since March 1, 1993 Chapter III (Articles 323-1 to 323-4) Penal Code Section 202a, 303a, Section 303b Criminal Code Article 370C§2 Penal Code (Section 300 C) Criminal Damage Act, 1991 Penal Code (§ 228 Section 1) Information Technology Act 2000 (No. 21 of 2000) The Computer Law of 1995, Penal Code (Article 615) Unauthorized Computer Access Law Law No. 128 of 1999 (in effect from February 3, 2000)
18 of 1998) Penal Code (Section 369A) Penal Code Part 9 (Chapter II) Criminal Code (Article 138a) Crimes Amendment (No 6) Bill is introduced (Section 305ZE & 305ZF) Penal Code (§ 145. 151 b. § 261 & § 291) Electronic Transactions Ordinance 2002 . relating to the reinforcement of the fight against financial crime and computer crime Computer Crimes Act 1997 ELECTRONIC COMMERCE ACT (Sections 337 (C) (1) to 337 (F) (1) The Information Technology (Miscellaneous Provision) Act 1998 (Act No.Countries with Cybercrime Statutes Country LATVIA LUXEMBOURG MALAYSIA MALTA MAURITSIUS MEXICO THE NETHERLANDS NEW ZEALAND NORWAY PAKISTAN Law The Criminal Law (Section 241) The Act of July 15th. 1993.
South African Law Commission published a Discussion Paper on Computer-related crime. October 30. 2001) . 1991 Republic Act No. The Data Act of 1973 (amendments in 1986 and 1990) Penal Code (Article 143bis) Penal Code (Section 525/a) Computer Misuse Act 1990 Federal legislation (updated April 15.8792 or the E-commerce Law Computer misuse Act.Countries with Cybercrime Statutes Country POLAND PORTUGAL PHILIPPINES SINGAPORE SOUTH AFRICA SWEDEN SWITZERLAND TURKEY UNITED KINGDOM UNITED STATES VENEZUELA Law The Penal Code (Article 267 to 269) Criminal Information Law of August 17. 2002) US CODE: TITLE 18 SPECIAL STATUTE AGAINST COMPUTER RELATED CRIMES (Published in Official Gazette of Bolivarian republic of Venezuela.
Challenges to Cyberlaw Enforcers Technological Challenges • Technology allows for near absolute anonymity of culprits Legal Challenges • Laws lag behind the changes in technology Resource Challenges • Lack of sufficient experts/budget .
Substantive Aspects of the Proposed Cybercrime Prevention Act Drafting Comprehensive Laws to Combat Cybercrime .
and there is no matter here. We believe that from ethics. movement. without fear of being coerced into silence or conformity. identity. Our identities have no bodies.” John Perry Barlow Declaration of Independence of Cyberspace . arrayed like a standing wave in the web of our communications. unlike you. no matter how singular. Your legal concepts of property. so. and thought itself. We hope we will be able to build our particular solutions on that basis. expression. but it is not where bodies live. relationships. enlightened self-interest. Ours is a world that is both everywhere and nowhere. we cannot obtain order by physical coercion. But we cannot accept the solutions you are attempting to impose. and the commonweal. and context do not apply to us. Our identities may be distributed across many of your jurisdictions. anywhere may express his or her beliefs. The only law that all our constituent cultures would generally recognize is the Golden Rule. They are all based on matter.“Cyberspace consists of transactions. We are creating a world where anyone. our governance will emerge.
Outline Why a New Cybercrime Bill? Salient Substantive Features of Cybercrime Bill Punishable Acts Liabilities and Penalties .
Why a New Cybercrime Legislation? New ways of committing cybercrimes crop up every moment Need to factor in international efforts to combat cyber-crimes Most laws lack framework that takes into account the “international facet” of cyber-crimes .
S. and the European Union. Budapest Convention on Cyber-crime 2. Philippine E-Commerce Act .The Proposed Cybercrime Prevention Act Aims at harmonizing existing penal laws/measures & pending cyber-crime bills with the current cyber-crime measures in the U. US Computer Fraud & Abuse Act of 1986 3. Models: 1.
Computer as the instrumentality of the Crime Credit card fraud. Carter – 1979) 1. theft 3. child pornography 4. software piracy. data theft. money laundering.What is Cybercrime? Criminal Justice Cybercrime Categories (Professor David L. Computer as Incidental to other Crimes Drug trafficking. technovandalism / trespass 2. Computer as the Target Computer intrusion. Crimes associated with the Prevalence of Computers Copyright violation. telecommunications fraud. component theft .
Budapest Convention . proposed bill) Punishable Acts Unauthorized access to a computer system/network for the purpose of obtaining or using a computer data or program or in pursuit of a dishonest intent.1. computer trespass Source: Art. Example: Hacking/cracking.The Computer as Target Illegal access (§4. 2.
Budapest Convention . from. or within a computer system or network Exception: Interception deemed necessary for the maintenance/protection of facilities of service providers (i.2.The Computer as Target Illegal interception (§4..e. 3. service observing or random monitoring for mechanical or service control quality checks) Example: Using electronic eavesdropping devices in obtaining data Source: Art. proposed bill) Punishable act: Unauthorized interception through technical means of any nonpublic transmission of computer data to.
including the introduction or transmission of viruses. also known as computer sabotage Example: Virus dissemination. Budapest Convention .4. 5. proposed bill) Punishable acts: Intentional & unlawful hindering with the proper functioning of a computer system or network by using or influencing computer data/program. electronic document or data message.The Computer as Target System interference (§4. denial-of-service attacks Source: Art.
or electronic data message. Budapest Convention . alteration or suppression of computer data. such as viruses. proposed bill) Punishable acts: Intentional & unauthorized damaging. electronic document. deletion. deterioration. including the introduction or transmission of viruses Example: Inputting malicious codes. 4.3. resulting in modification of data Source: Art.The Computer as Target Data interference (§4.
importation. or possession of any of the following: 1. proposed bill) Punishable acts: Use. production. and (d) system interference. Device primarily designed/adapted primarily for committing the crimes of (a) illegal access. . or making available. distribution. 2. Computer password. defined under the Act. procurement.5. access code. (b) illegal interception. without right. (c) data interference. sale.The Computer as Instrumentality of the Crime Misuse of devices (§4. or similar data by which a whole or part of a computer system or network is capable of being accessed.
and (d) system interference.The Computer as Instrumentality of the Crime Possession of any of the foregoing items with intent to use them for the purpose of committing the crimes of (a) illegal access. . defined under the Act. (b) illegal interception. (c) data interference.
program. or network 2. Production/creation of any of the devices is for purely academic purposes Note: In both instances. prior consent is obtained from the owner of the computer system or network on which the device is to be used. 6. Source: Art.The Computer as Instrumentality of the Crime Exceptions: 1. Budapest Convention . used for authorized testing of a computer system. Device.
erasure or suppression of computer data/program or electronic document in a manner that would constitute the offense of forgery 2.6. Knowingly using a computer or electronic data which are products of computer forgery for purposes of perpetuating fraudulent design. Input. alteration. proposed bill) Punishable acts: 1. Budapest Convention .The Computer as Instrumentality of the Crime Computer forgery (§4. 7. Source: Art. suppression.
The Computer as Instrumentality of the Crime Computer fraud (§4. One of the punishable acts committed. Damage is caused thereby . proposed bill) Punishable acts: 1. Interference in the functioning of computer system or network. 2. Elements 1.7. Intentional/unauthorized input. etc. or for the perpetuation of a fraudulent activity 3. suppression. alteration. of computer data/programs or electronic document or data message. or 2. Act is committed with intent of procuring economic benefit for one self or for another.
8. Budapest Convention .The Computer as Instrumentality of the Crime Examples: Credit card fraud. identity theft/fraud Source: Art.
The Computer as Instrumentality of the Crime Offenses related to child pornography (§5. proposed bill) Child pornography .materials which visually depict a minor engaged in a sexually explicit conduct or a person appearing to be a minor engaged in sexually explicit conduct Punishable Acts Producing child pornography for distribution Offering/making available child pornography Distributing/transmitting child pornography all through the medium of a computer system or network .
9. Exploitation and Discrimination Laws Source: Art. Budapest Convention .The Computer as Instrumentality of the Crime .Criminal liability is without prejudice to prosecution under Anti-Trafficking in Persons Laws & Special Protection of Children Against Child Abuse.
proposed bill) . aided by. Philippine E-Commerce Act . or other existing penal laws be committed “through the use of.Source: §33(c). said act shall be punishable and prosecuted under those laws . or involving computer systems or networks or through transactions covered by or using electronic documents or electronic data messages”.Should an act punishable under the Criminal Code.Purpose: Fill in the gaps in existing penal laws & eradicate preconceived notions that our existing laws only punishes crimes committed in real world.The Computer as an Incident to the Commission of the Crime Violations of Penal Codes or rules & other existing penal laws (§7. . . the Consumer Protection Act.
distribution. as defined in the Intellectual Property Code Source: Art.Crimes Associated with the Prevalence of Computers Infringement of Intellectual Property Rights (§6. without the knowledge and consent of the owners thereof for his or another person’s benefit Liability without prejudice to prosecution under the Intellectual Property Code Exception: Fair use. dissemination. or making available online by means of a computer system or network Of protected works (e. Budapest Convention . reproduction. computer programs.g.. proposed bill) Punishable acts: Intentional copying. systems and designs).10.
sell.Crimes Associated with the Prevalence of Computers Unsolicited commercial communications (§4. or offer for sale products and services Example: Spam e-mail . proposed bill) Punishable acts: Unconsented transmission of voice or data messages which seek to advertise.8.
Liabilities and Penalties Prosecution under the proposed bill does not bar prosecution under: Criminal Code Consumer Protection Laws Other Relevant Laws .
proposed bill) Persons who aid/abet in the commission of any of the punishable acts (§11. proposed bill) .Liabilities and Penalties Who are liable: Persons who directly committed any of the punishable acts (§8. proposed bill) Co-conspirator(s) in the commission of any of the punishable acts (§10.
& employee(s) who directly participated or knowingly authorized the commission of the unlawful act in behalf & for the benefit of the juridical entity b. Officers & board members if the commission of the offense was due to lack of supervision control. either willfully or through gross negligence . Officers. proposed bill) a. board members.Liabilities and Penalties Who are liable: In case of juridical entities (§9.
$ 12000. or both fine & imprisonment . Civil liabilities for loss or damage .Offenses related to child pornography: 6 years & 1 day to 12 years imprisonment or a $ 4000 .Liabilities and Penalties Imposable penalties (§8. proposed bill) .Subsidiary penalty of imprisonment in case the offender does not have enough property to satisfy the fine. or both fine & imprisonment .Jail sentence of between 6 months & 1 day to 6 years or a fine ranging from $ 2000 .$ 16000 fine.
Procedural Aspects of the Proposed Cybercrime Prevention Act Drafting Comprehensive Laws to Combat Cybercrime .
Outline Jurisdiction Joint Cybercrime Investigation Unit • Functions • Composition • Powers Enforcement and Implementation • Collection of Computer Data • Search and Seizure of Computer Data International Cooperation Remedies Some Issues .
the proper Court in the Territory shall have jurisdiction. 21. or to a natural or juridical person who. and by such commission any damage is caused to a computer system or network situated within the territory. at the time the offense was committed.Extra-Territorial Application of the Proposed Cybercrime Prevention Act Jurisdiction . proposed bill: “The Competent Court shall have jurisdiction over any violation of the provisions of this Act committed within the territory.Sec. In case any of the offenses herein defined is committed outside the territorial limits. is in the territory.” .
. then the proper court may take cognizance of the cybercrime case. Where the crime is committed 2.Extra-Territorial Application of the Proposed Cybercrime Prevention Act Jurisdiction .If the answer to any of the foregoing is the country.Two approaches in establishing jurisdiction: 1. Where the effects of the crime are felt .
under their respective laws. may properly acquire jurisdiction .This is without prejudice to the filing appropriate actions in courts/tribunals of other countries which.Extra-Territorial Application of the Proposed Cybercrime Prevention Act Jurisdiction . .
Joint Cybercrime Investigation Unit (“JCIU”) Main functions (§13. and coordinate efforts of all law enforcement agencies in combating cybercrimes and computer-related offenses . To investigate. proposed bill): 1. To combat cybercrimes and computer-related offenses 2. prosecute.
Centers for Transnational Crime 3.Joint Cybercrime Investigation Unit (“JCIU”) Composition of the JCIU §14. proposed bill: 1. . National Police – Crimes Investigation and Detection Group Headed by an Executive Director to be appointed by the respective member organizations. National Bureau of Investigation – Anti-Fraud and Computer Crimes Division 2.
§15. proposed bill: Prepare/implement measures to suppress cybercrimes Investigate & conduct info gathering activities to identify & prosecute cyberoffenders Effect searches/seizures Refer cases to proper gov’t agency for prosecution Formulate programs for int’l cooperation 6. 7. 2. Solicit/coordinate private sector participation Recommend enactment of appropriate laws & measures §29. 5. proposed bill: . 4.Formulate/implement special & continuing training course for law enforcers . 3.Joint Cybercrime Investigation Unit (“JCIU”) Powers 1.
Cooperate in the disclosure of computer data & traffic record covered by a lawful court order/writ.Enforcement & Implementation Role of service providers (§17 & 19. and to keep confidential info regarding the execution by JCIU of such court order/writ . proposed bill): 1. extendible upon JCIU’s order (reasonable belief that the computer data may have been used in committing cybercrime) 2. Preserve computer data & traffic record up to a maximum period of 6 months from date of transaction .6-month period.
proposed bill): Can only be done by virtue of a court order/writ. can require a person/service provider to submit specified computer data & subscriber info. 18. by virtue of a court order/writ. & 19. & to collect and record traffic data associated with specified communications . & Collection of Computer Data (§16. upon finding probable cause JCIU. Seizure.Enforcement & Implementation Search.
Remove/render in accessible those computer data in the accessed computer system/network . & 19. Conduct surveillance operations 2. proposed bill): .JCIU can perform/require the following by virtue of a warrant: 1. Secure computer system/network or portions thereof 3.Enforcement & Implementation Search. & Collection of Computer Data (§16. 18. Make/retain copy of computer data secured 4. Seizure. Maintain integrity of the relevant stored computer data 5.
. . proposed bill) The government may undertakes to cooperate with other nations in the detection. & prosecution of cyber-crimes & also in the collection of evidence relating thereto. proposed bill) Treaty/International Agreement (§22 to 26.International Cooperation (§22 to 26. mutual assistance or cooperation shall be based on the principle of reciprocity.Condition: Formal request for cooperation or assistance. investigation. made by a duly authorized representative of the foreign gov’t pursuant to a treaty/agreement Reciprocity In the absence of treaty/agreement.
Prior breach by the requesting government . Requesting government has previously refused similar request by requested government without justifiable reason 5. Info requested is privileged/protected under country’s laws or that which affects national security 3. Production of requested info. unreasonable 4. Offence punishable under country’s laws & courts have acquired jurisdiction over the person of the accused 2. proposed bill) Grounds for refusal to cooperate: 1.International Cooperation (§22 to 26.
- Efforts to Combat Cyber-crimes .
Innovative Practices to Combat Cybercrimes Antiphishing Japan OnGuard Online in the US Video Campaigns to educate consumers .
International Cooperation Council of Europe Convention on Cybercrime criminalizes: • Offenses against confidentiality. and • Copyright related offenses . integrity and availability of computer data • Computer related offenses like computer related forgery • Content related offenses like child pornography.
procedural and mutual assistance laws.International Cooperation The Asia Pacific Economic Cooperation endorses the following action items to combat Cyber-crime: • Immediate enactment of substantive. • Making cyber-crime laws as comprehensive as those proposed in the Council of Europe. • Security and Technical guidelines that can be used by governments and corporations vs cybercrime • Outreach programs to economies and consumers regarding cyber-security and cyber ethics . • Assistance between and among economies.
International Cooperation ASEAN Network Security Coordination Center • Early warning systems against viruses and illegal network intrusions Asia Pacific Computer Emergency Response Team .
@ Thank You .
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue listening from where you left off, or restart the preview.