Ch7 Threats To Computer Systems


Ch7 Computer Crime

12/3/08 CSC309 Miller 1

Good Security Web Site

http://www.sans.org/ The SANS (SysAdmin, Audit, Network, Security) Institute was established in 1989 as a cooperative research and education organization.

I like “NewsBites” and the access to online articles. Great place to learn how to be a spy.

9/28/08 CSC309 Miller 2

Crime not always about money

SANS NewsBites Vol. 10 Num. 94--MySpace Suicide Case Verdict: Three Misdemeanor Convictions 11/26/08

The perpetrator of an Internet hoax that prompted a 13-year-old neighbor to kill herself was convicted of three misdemeanor offenses (each carrying a maximum of one year in prison and a $100,000 fine) of accessing computers without authorization. She was tried under the US Computer Fraud and Abuse Act for violating the MySpace terms of agreement by establishing a phony identity and harassing another MySpace member.

12/3/08 CSC309 Miller 3

Threats to Computer Systems

1. Environmental: This is a major threat but we tend to not give it a lot of attention.

2. Accidental: It turns out that the good guys are going to give us more problems than the bad guys.

3. Computer crime: More fun to talk about than power surges or programmer errors and it does turn out that protection against criminal activities often provides protection against the impact of environmental or accidental threats.

2/28/01 CSC309 Miller 4

Threats to Computer Systems

1. Power surges (a spike is less than a millionth of a second in duration)

2. Fire (where do you put the computer room?)

3. Water (floods, hurricanes, sprinklers, air conditioner related, etc.)

4. Chemical (chlorine gas, acid in Tec206, etc.)

9/28/08 CSC309 Miller 5

Threats to Computer Systems

5. Static electricity (the need for dress codes, static prevention floors and waxes)

6. Strange (molten steel, four truck loads of concrete, explosions)

7. Bah Humbug (spill drink on keyboard)

8. Rage (drop, hit, shoot, blow up)

9/28/08 CSC309 Miller 6

Accidental

1. Programming errors

2. Improper labeling of data

3. Destruction of data during processing

4. Procedures that lead to disaster

5. Dumb moves (not thinking through backup)

3/2/01 CSC309 Miller 7

Nigerian Scam

Not sure I want to push this as computer crime because in the early 1980s this scam was alive and well and used US mail (envelope always looked like it was made from a paper grocery bag).

Examples at:

http://www.quatloos.com/cm-niger/nigerian_scam_letter_museum.htm

Comic relief at:

http://www.quatloos.com/brad-c/elvis.htm

2/11/09 CSC309 Miller 8

419

"419" is a reference to the section of the Nigerian criminal code that outlaws this business. "419 is just a game; you are the loser, I am the winner," sings pop crooner Uzodinma Okpechi, whose single "I Go Chop Your Dollar" was a hit across Africa and was adopted by 419ers as their theme song. It celebrates the gullibility essential for this scam.

2/11/09 CSC309 Miller 9

Computer Crime

Computer crime comes in all shapes and sizes, from the very simple (printing your own account number on the blank deposit slips left in a bank lobby) to the complex (insurance fraud). They can be of the "I never would have thought of that" variety (kidnapping, routing scam). They can be senseless acts of vandalism (a virus) or leave an environment exactly as they found it.

Typical problems on a college campus ...

As an expert witness ...

2/28/01 CSC309 Miller 10

Computer Abuse

The willful or negligent unauthorized activity that affects the availability, confidentiality, or integrity of computer resources. Computer abuse includes fraud, embezzlement, theft, malicious damage, unauthorized use, denial of service, and misappropriation.

1/19/02 CSC309 Miller 11

How Bad?

In 1983 (when the world was just starting to really get interested in this topic) the following figures appeared in ComputerWorld:

July 11: $100,000,000

October 31: $100,000,000 to $3,000,000,000

November 21: $1,500,000,000 to $3,000,000,000

December 12: a "fraction" of $40,000,000,000

December 26: $70,000,000,000

Five estimates in six months spanning nearly three orders of magnitude: nobody really knew.

10/31/01 CSC309 Miller 12

Profile of a bad guy

1. Typically there is no criminal history.

2. Hackers (computer criminals/abusers, etc.) are often portrayed as "bright, inquisitive young people (always male) who explore computer systems for fun and intellectual challenge."

3/3/01 CSC309 Miller 13

Profile of a bad guy

3. Usually an employee and usually in some type of managerial position.

4. Basically the same as an embezzler: an individual with needs (sick child, nagging spouse, living beyond means, gambling debts, etc.) who is presented with an opportunity to take company resources.

11/28/01 CSC309 Miller 14

Profile of a Bad Guy Could be Changing

In a 1997 study conducted by San Francisco’s Computer Security Institute (CSI) in cooperation with the FBI, 43% of the respondents reported one to five attacks from the inside while 47% reported the same number of attacks from outside. WorldCom’s $3.8 billion insider problem will skew the dollar loss figures.

6/27/02 CSC309 Miller 15

What's Different?

1. We anticipate errors.

Union Dime Savings Bank chief teller steals $30,000 per day.

2. Things of value are not obvious/labeled.

Million dollar software package stolen at trade show.

3. Major increase in computational power.

Salami schemes. Duplicate set of books.

3/2/01 CSC309 Miller 16

What's Different?

4. Centralization of function.

Protection offered by separation of duties lost.

5. Centralization of information.

Everything now kept in one location.

6. Teleprocessing/Remote data entry.

Jerry Schneider and the telephone company.

3/2/01 CSC309 Miller 17

What's Different?

7. Circumvention of controls.

Error correcting routines are a major weak spot in system security, but imagine how systems would work without them. (This has been tried.)

8. Question of ownership.

Who owns the code? " ... and he stole the code and rode into the mountains and the posse (on horses of course) followed."

10/31/01 CSC309 Miller 18

What's Different?

9. Lack of visible records/data compression.

What’s on a flash drive?

10. Anonymity: things can be done remotely without exposing one's identity.

11. User friendly/computer literacy: gone is the protection offered by the paucity of people with computer skills.

1/17/09 CSC309 Miller 19

What's Different?

12. Things can be "taken" but still be there (a produce packing house in California).

13. Lack of established code of ethics.

(But we are trying.)

3/2/01 CSC309 Miller 20

Terminology/Jargon

A computer virus is a program that attaches itself to an executable program and reproduces itself to spread from file to file.

A worm is a program which reproduces itself but, unlike a virus, does not need to be attached to an executable program to reproduce.

A Trojan horse is an apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.

1/19/02 CSC309 Miller 21

Terminology/Jargon

A Logic bomb is a destructive action taken by a program when it detects that a certain set of conditions has been met. A Time bomb is a logic bomb which is triggered by time/date information.

6/1/02 A disgruntled (former) employee planted a logic bomb in his company's computer system when he was demoted; it detonated months after he resigned, destroying part of the program supporting the sales force's hand held computers.

The company went after the employee, and he has been sentenced to two years in prison and ordered to pay restitution of $200,000.

http://www.cio.com/archive/060102/doom_content.html

6/20/02 CSC309 Miller 22

Terminology/Jargon

A SYN Attack (SYN flood) is an attack against a computer that provides service to customers over the Internet. SYN (synchronize) is the first message of the TCP three-way handshake that opens a connection; the server replies with a SYN-ACK and holds a half-open entry until the client's final ACK arrives. The attacker sends a stream of SYNs, usually from forged source addresses, and never completes the handshake, so the victim's queue of half-open connections fills and legitimate connection requests are dropped: it jams the service of the victim computer. It is one form of Denial-of-Service attack.

Denial-of-Service attacks include those that disable equipment, flood communication networks, and/or degrade service.

6/27/02 CSC309 Miller 23
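To make the mechanism concrete, here is a small added simulation (not from the slides) of why the half-open queue is the point of failure and how SYN cookies, the standard mitigation, sidestep it. It models the handshake only at the level of the listener's state table: the addresses, port numbers, backlog size and cookie secret are constructed values, and the cookie omits the MSS encoding a real kernel includes.

```python
import hashlib
import hmac

BACKLOG = 4  # deliberately tiny half-open queue so the flood is visible


class StatefulListener:
    """Classic TCP handshake: the server allocates a half-open entry on each SYN and
    keeps it until the client's ACK arrives (or a timeout, omitted here)."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}        # (src_ip, src_port) -> server ISN sent in the SYN-ACK
        self.established = set()
        self.dropped = 0
        self._isn = 1000

    def on_syn(self, src_ip, src_port):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1      # queue full: the SYN is silently dropped
            return None
        self._isn = (self._isn + 64000) & 0xFFFFFFFF
        self.half_open[(src_ip, src_port)] = self._isn
        return self._isn           # ISN carried in the SYN-ACK

    def on_ack(self, src_ip, src_port, ack_num):
        isn = self.half_open.get((src_ip, src_port))
        if isn is None or ack_num != (isn + 1) & 0xFFFFFFFF:
            return False
        del self.half_open[(src_ip, src_port)]
        self.established.add((src_ip, src_port))
        return True


class CookieListener:
    """SYN cookies (simplified): the ISN is a keyed hash of the client tuple and a coarse
    time slot, so the server stores nothing until a valid ACK proves the client is real.
    A real implementation also encodes the negotiated MSS in the cookie."""

    def __init__(self, secret=b"rotate-me-periodically", time_slot=0):
        self.secret = secret       # constructed; a kernel rotates this regularly
        self.time_slot = time_slot
        self.established = set()

    def _cookie(self, src_ip, src_port, slot):
        msg = f"{src_ip}:{src_port}:{slot}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")   # 32-bit sequence number

    def on_syn(self, src_ip, src_port):
        return self._cookie(src_ip, src_port, self.time_slot)   # no state kept

    def on_ack(self, src_ip, src_port, ack_num):
        # accept the current and previous slot so a slow but genuine client still gets in
        for slot in (self.time_slot, self.time_slot - 1):
            if ack_num == (self._cookie(src_ip, src_port, slot) + 1) & 0xFFFFFFFF:
                self.established.add((src_ip, src_port))
                return True
        return False


def flood_then_connect(listener, n_spoofed=20):
    """Send n_spoofed SYNs from forged sources that never ACK, then one legitimate client
    that completes the handshake. Returns True if the legitimate client connected."""
    for i in range(n_spoofed):                                   # constructed spoofed sources
        listener.on_syn(f"203.0.113.{i % 250 + 1}", 40000 + i)
    isn = listener.on_syn("198.51.100.7", 51515)                 # constructed real client
    if isn is None:
        return False
    return listener.on_ack("198.51.100.7", 51515, (isn + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("stateful backlog survives flood:", flood_then_connect(StatefulListener()))
    print("SYN cookies survive flood:      ", flood_then_connect(CookieListener()))
```

With the stateful listener the four backlog slots are consumed by the first four forged SYNs and every later SYN, the real client's included, is dropped; the cookie listener keeps no per-SYN state, so the forged SYNs cost it nothing and the real client's ACK validates. Timeouts would eventually free the stateful slots, but an attacker only has to keep sending faster than they expire.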

Terminology/Jargon

(1/28/09) Ongoing distributed denial-of-service (DDoS) attacks against Kyrgyzstan's two largest Internet ISPs have bumped most computers in the country offline. The attacks began on January 18, and are believed to be controlled by a Russian "cybermilitia." The group behind the attacks appears to be the same one that orchestrated similar attacks against the Republic of Georgia last summer. The issue could be Russia's demand that Kyrgyzstan "oust" foreign air forces before it will lend the country US $300 million and invest an additional US $1.7 billion in energy.

1/31/09 CSC309 Miller 24

Kyrgyzstan

(2/4/09) Kyrgyzstan's government submitted a draft bill to parliament Wednesday that would close a U.S. base that is key to the American military campaign in Afghanistan. The base, which is located at the Manas civilian airport near Kyrgyzstan's capital, is an important air mobility facility, home to tanker planes that refuel warplanes flying over Afghanistan. It also supports airlifts and medical evacuation operations and houses troops heading into and out of Afghanistan.

(No mention of DDoS attacks.)

2/4/09 CSC309 Miller 25

Terminology/Jargon

A Sniffer program captures traffic passing through a computer or network segment it can see, for example one of the machines your e-mail is routed through, and reads anything sent in the clear. Name/password combinations are a prime target.

Social Engineering is when someone is able to pass himself off as a person authorized to receive user passwords and access rights from legitimate sources. [A trivial example comes from exploiting the process for getting a new password when you forget your own. On the phone you can be anybody.]

6/27/02 CSC309 Miller 26

Terminology/Jargon

A Salami Scheme is a scheme in which a small amount is stolen from a large number of people or accounts. Usually the amount is small enough that even if noticed it will not be reported.

Early versions had the computer moving fractions of cents resulting from interest calculations to a hidden account.

11/28/01 CSC309 Miller 27

Terminology/Jargon

Spoofing is pretending to be someone else. Masquerading, Mimicking, and Impersonation are forms of Spoofing. In an attack known as IP Spoofing, attackers run a software tool that creates Internet packets carrying the source address of a computer trusted by the victim.

Dumpster Diving: Look through the trash.

(Surprisingly effective and still a major way folks get our data.)

1/17/09 CSC309 Miller 28

Terminology/Jargon

A Tiger Team is a government or industry-sponsored team of computer experts who attempt to break down the defenses of computer systems in an effort to uncover, and eventually patch, security holes.

A Sneaker is an individual hired to break into places in order to test their security; analogous to a tiger team member.

1/18/02 CSC309 Miller 29

Terminology/Jargon

Phishing scams use e-mail to try and trick users into revealing sensitive information. The scammers provide links to phony Web pages that look like legitimate e-commerce sites, where they ask a user to enter his personal data. However, the scammer, not the e-commerce site, is getting that information.

1/11/05 CSC309 Miller 30

Terminology/Jargon

Clickjacking is a term coined in 2008 (by Robert Hansen and Jeremiah Grossman) for a family of flaws in which an attacker loads a trusted site in an invisible frame on top of a decoy page, so that a user who thinks he is clicking on the decoy is actually clicking a button or link on the trusted site. The defense is for the trusted site to refuse to be framed (today the X-Frame-Options header or a Content-Security-Policy frame-ancestors directive).

10/18/08 CSC309 Miller 31

Terminology/Jargon

--Store Owner Draws 33-Month Sentence for Card Skimming (January 16, 2009) A store owner has been sentenced to 33 months in prison for using a card skimmer in his shop to steal information from more than 300 customers. He then used the stolen information to make fraudulent transactions totaling approximately US $300,000. He was also ordered to pay more than US $214,000 in restitution.

SANS NewsBites Vol. 11 Num. 5 1/21/09 CSC309 Miller 32

Terminology/Jargon

Swatting is a refinement of the false alarm ploy.

Computers are used to place 911 calls, usually with a spoofed caller ID so the call appears to come from the victim's address, reporting situations where calling out the SWAT team is appropriate. Typically a homeowner gets to deal with an armed SWAT team that assumes the homeowner is the bad guy. Money and resources are wasted, and this can be dangerous.

2/3/09 CSC309 Miller 33

Fraud

Fraud: intentional perversion of the truth in order to induce another to part with something of value or to surrender a legal right.

6/26/02 WorldCom disclosed last night that it had perpetrated a $3.9 billion accounting fraud. The chief financial officer apparently had inflated earnings by reporting expenses as capital expenditures. 17,000 to be fired. Stock dropped to 35 cents per share. Arthur Andersen was the auditor during the period in question.

6/27/02 CSC309 Miller 34

More Terms

Computer Fraud: computer-related crime involving deliberate misrepresentation or alteration of data in order to obtain something of value.

Embezzlement is "fraudulent appropriation of property by a person to whom it has been entrusted."

6/27/02 CSC309 Miller 35

Hackers/Crackers

1. There was a time when “Hacker” was a positive term designating a programmer who would take on difficult projects just for the challenge. A good example is the folks that gave us C and UNIX.

2. When “Hacker” began to be used to describe folks who broke into computers, a new term, “Cracker”, was introduced primarily to protect the good name of true Hackers.

1/19/09 CSC309 Miller 36

New Problem

--Jurors Admit to Accessing Internet to Research Cases (March 18, 2009) The pervasiveness of connectivity through BlackBerrys, iPhones and other devices is causing problems in court cases around the country. A judge in a federal drug trial in Florida was forced to declare a mistrial after nine of the jurors admitted they had been researching the case on the Internet.

3/22/09 CSC309 Miller 37

Passwords

1. A program was used to check for “breakable” passwords on a shared computer housed in the computer science department. 40% of the passwords were cracked.

2. Studies have found that even on highly secure systems there usually is at least one weak password.

3. Some security experts feel we would be more secure if we stopped using passwords.

3/3/01 CSC309 Miller 38

Make Passwords Hard to Break (and easy to remember)

A basic four-character password containing only numbers offers only 10,000 (10^4) variations. Using only lower-case letters increases that to 456,976 (26^4). A four-character password that can contain numbers and both upper- and lower-case letters provides 14,776,336 (62^4) variations. Adding 34 special characters (a 96-symbol alphabet) gives 84,934,656 (96^4) possibilities. An eight-character password made of exactly one digit, exactly one of 32 special characters, and six upper- or lower-case letters yields 8 × 10 × 7 × 32 × 52^6, approximately 354,289,330,000,000 choices. (Attackers rarely have to search all of these: dictionary words, names and predictable substitutions are tried first, which is how the 40% crack rate on the previous slide happens.)

6/26/02 CSC309 Miller 39
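The arithmetic above, reproduced as an added example (not from the slides) so the assumptions behind each figure are visible: the 96-symbol alphabet behind the four-character count, and the slide's eight-character count, which fixes exactly one digit and exactly one of 32 special characters in chosen positions. It also computes the larger count for the usual policy "at least one of each class" by inclusion-exclusion, expresses a keyspace in bits, and converts it to exhaustive-search time at an assumed guess rate (the 10^9 guesses per second in the demo is an assumption for illustration, not a figure from the page).

```python
from math import log2

# Character-class sizes used on the slide.
DIGITS, LOWER, UPPER = 10, 26, 26
SPECIAL_4CHAR = 34   # 96-symbol alphabet behind the 84,934,656 figure (96 = 62 + 34)
SPECIAL_8CHAR = 32   # 32-symbol special set that reproduces the 8-character figure


def keyspace(alphabet_size, length):
    """Unconstrained keyspace: every position may hold any of the alphabet's symbols."""
    return alphabet_size ** length


def slide_eight_char_count(special=SPECIAL_8CHAR):
    """The slide's composition count: exactly one digit in one of 8 positions, exactly
    one special character in one of the remaining 7, and letters of either case in
    the other six positions."""
    return 8 * DIGITS * 7 * special * (LOWER + UPPER) ** 6


def at_least_one_of_each(length, class_sizes):
    """Strings of `length` over the union of the classes that contain at least one symbol
    from every class, by inclusion-exclusion over the subset of classes left out.
    This is the usual 'must contain a digit, a symbol, upper and lower case' policy,
    which the slide's fixed-position count underestimates."""
    total = 0
    n = len(class_sizes)
    for mask in range(1 << n):                      # each mask = a subset of excluded classes
        remaining = sum(c for i, c in enumerate(class_sizes) if not mask & (1 << i))
        sign = -1 if bin(mask).count("1") % 2 else 1
        total += sign * remaining ** length
    return total


def bits(count):
    """Keyspace expressed as entropy-equivalent bits (log2 of the number of choices)."""
    return log2(count)


def exhaust_seconds(count, guesses_per_second):
    """Worst-case time to try every candidate at a sustained guess rate."""
    return count / guesses_per_second


if __name__ == "__main__":
    print(keyspace(10, 4), keyspace(26, 4), keyspace(62, 4), keyspace(96, 4))
    print(slide_eight_char_count())
    print(at_least_one_of_each(8, [DIGITS, SPECIAL_8CHAR, LOWER, UPPER]))
    print(f"{bits(slide_eight_char_count()):.1f} bits")
    # Assumed offline guess rate, for illustration only.
    days = exhaust_seconds(slide_eight_char_count(), 1e9) / 86400
    print(f"{days:.1f} days to exhaust at 1e9 guesses/s")
```

The slide's eight-character figure is about 48 bits; the policy count with at least one of each class over the same 94 symbols is roughly eight times larger, but both are worst-case exhaustive-search numbers, and neither says anything about how quickly a guessed password built from a dictionary word falls.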

Electronic Crime 2000

Given the popularity of auction sites such as eBay, which attracts 16 million users per month, it’s not surprising that 87 percent of online fraud cases in 2000 were estimated to be related to such auctions.

Most victims were in the 20 to 40 age range.

Average loss was approximately $600.

Internet traffic projected to increase by a factor of 1000 every three years. (2000+)

10/12/01 CSC309 Miller 40

Identity Theft

1. In 2000 there were 700,000 Americans who had their identities stolen and the early estimate for 2001 is 750,000.

2. In 2001 Identity Theft was called this nation's fastest-growing crime.

3. Losses were in the billions with much related to credit card abuse.

4. 1999 is the year that the IRS stopped putting Social Security numbers on mailing labels.

10/21/01 CSC309 Miller 41

Identity Theft

5. More than 20% of victims take more than two years to learn they have a problem.

6. The average discovery time is 15 months.

7. This is a white collar crime that is low priority with most law enforcement agencies.

8. Remember it is not just your credit rating that is at risk when your identity is stolen. Thieves have used identity theft to avoid traffic tickets, arrests, and to hide terrorist activities.

10/21/01 CSC309 Miller 42

Identity Theft

The Federal Trade Commission, in a survey conducted in March and April of 2003, estimated that over the previous five years there had been 27.3 million victims of identity theft, with 9.9 million American victims in 2002. 2002 losses were $5 billion for individuals and $48 billion for businesses.

http://www.ftc.gov

9/4/03 CSC309 Miller 43

Identity Theft

The Federal Trade Commission has reported that 1 in 6 Americans will be a victim of identity theft in 2009. In 2008, 9.93 million people had some type of identity theft crime committed against them. “Victims spend on average $1,200 in out-of-pocket expenses and an average of 175 hours in their efforts to resolve the many problems caused by identity thieves.”

http://www.ftc.gov

1/17/09 CSC309 Miller 44

Identity Theft

1. Don’t carry your Social Security number.

2. Shred receipts, etc. (every household needs a shredder).

3. Check your credit report yearly. TransUnion, Experian, and Equifax are the three you should check: annualcreditreport.com

4. Call on bills that don’t arrive on time.

5. Provide no personal information over the phone.

1/17/09 CSC309 Miller 45

Identity Theft

--17 December 2002 Another Phony eBay Site Tries to Gather Personal Data For the third time in recent weeks, eBay customers have been targeted by a fraudulent site asking them to verify their account information; the operators of the sites harvest eBay usernames and passwords as well as credit card, banking, drivers’ license and social security numbers. An eBay spokesman says the company never asks members for their passwords.

http://www.vnunet.com/News/1137643

9/17/03 CSC309 Miller 46

Identity Theft

--16 September 2003 (Computerworld) Banks in UK, Canada hit with e-mail scam.

Story by Linda Rosencrance Fraudsters sent an e-mail message purporting to be from the bank with a link to what appeared to be the bank's Web site. It was, in fact, a spoof site where customers were prompted to enter personal information such as passwords and personal identification numbers, which could be used to withdraw cash or transfer funds to other accounts. 400 customers reported being contacted.

9/22/03 CSC309 Miller 47

Identity Theft

In Canada, e-mails told consumers to click on a URL that would take them to the banks' Web site -- where they could enter to win $500. The link actually took viewers to a cloned Web site, where they were asked to enter bank account numbers and passwords. The e-mails also contained a Trojan horse, which was activated when consumers clicked on the link. It enabled the hackers to take control of users' computers and steal information. After the spoofed site was shut down, the hackers sent out another e-mail to customers saying the hackers had been caught but in the process their personal information might have been deleted, ...

9/22/03 CSC309 Miller 48

Russian Crackers 7/16/01

Russian crackers are increasingly working with organized crime groups, stealing credit card and bank account numbers as well as proprietary information. They sometimes attempt extortion, either demanding money in return for repairing vulnerable systems, or threatening to release sensitive data if their demands are not met.

http://www.zdnet.com/intweek/stories/news/0,4164,2784950,00.html

8/28/01 CSC309 Miller 49

ATM Fraud

1. A bogus ATM was used to capture account numbers and PINs in 1993 at a mall in Connecticut.

2. Counterfeit cards made with a stolen card encoder and 7700 names and PINs taken from a bank database.

3/3/01 CSC309 Miller 50

ATM Fraud (Cont.)

3. They do take your picture so one fellow had over 20 withdrawals done in costume one morning.

4. Software bug allowed unlimited withdrawals.

5. Estimated at $60 million per year.

3/3/01 CSC309 Miller 51

Telecommunications Fraud

1. Gained first national attention due to the activities of Captain Crunch in the 70's.

2. For years airport travelers have been aware of the need to protect their long distance authorization sequence from recording devices held by people who were close by.

3/3/01 CSC309 Miller 52

Telecommunications Fraud

3. Estimated at between $1 billion and $5 billion annually.

4. Cellular phone cloning is a $400 million annual problem.

3/3/01 CSC309 Miller 53

Card Abuse Prevention

1. Profiling can be used to identify abuse.

2. Establish limits.

3. Customer awareness (don't throw the sales slip away and be aware of who is in the area).

4. Make cards harder to duplicate (use the concept of a magnetic fingerprint or holograms).

3/3/01 CSC309 Miller 54

Swindling the Customer

1. The overbilling scam is probably the one computer crime you have personally been caught by.

2. Grocery store automatic barcode scanner systems almost always have some prices that do not agree with posted shelf prices.

3. Hospitals remain the most obvious place for being a victim.

3/3/01 CSC309 Miller 55

Swindling the Customer

4. Ever notice that computer billing errors (and bank errors) are almost never in your favor?

5. Both Hertz and Sears have been caught for overbilling.

3/3/01 CSC309 Miller 56

Forgotten Details

1. The Xerox worm (1982) demonstrated the ability of a program to propagate through a network. While it was designed with the best of intentions it resulted in denial of service (it clogged machines).

2. In 1984 "Core War" appeared (popularized by A. K. Dewdney in Scientific American). It is a game in which two programs do battle in the memory of a simulated computer, each trying to overwrite the other.

10/21/02 CSC309 Miller 57

Forgotten Details

3. On 11/3/1983, Fred Cohen, then a graduate student at the University of Southern California, conceived the first computer virus as an experiment to be presented at a weekly seminar on computer security. One week later he presented it. In 2000, the estimated year’s loss to viruses was $10.7 billion. In 2007, losses from viruses and related malware were estimated at $7 billion, with 850,000 Americans forced to replace their computers. When Cohen presented his results at the 2nd IFIP International Conference on Computer Security held in Toronto in 1984, lots of people thought he shouldn't have.

1/16/09 CSC309 Miller 58

Downadup Worm

6.5 million infections in 4 days (1/13/09 to 1/16/09)

1/16/09 CSC309 Miller 59

Downadup Worm

The Downadup worm exploits a flaw in the Windows Server service used by all supported versions of Windows. The flaw was addressed in an out-of-cycle patch (MS08-067) released in October 2008. The large number of infections is due in part to the fact that 30 percent of Windows systems have remained unpatched.

1/16/09 CSC309 Miller 60

Downadup Worm

Once implanted, the worm searches out nearby machines and runs a brute-force password attack (a built-in list of weak passwords tried against the ADMIN$ share) to get access. It also spreads itself to any shared hard drives. What’s more, it makes a copy of itself, together with an autorun.inf file, on any device plugged into a USB port, such as thumb drives, music players, or digital cameras. When that infected device is later plugged into another PC, it infects that machine.

2/11/09 CSC309 Miller 61

Downadup Worm

Infected PCs become bots and Downadup continues spreading. So far, nothing beyond that. But, at least once a day, each infected machine tries to connect in turn to a list of 250 domains for further instructions. Each day this list of 250 domains, each one a potential command and control server, changes; the list is derived from the date, so anyone who has reversed the algorithm can compute tomorrow's domains today.

2/11/09 CSC309 Miller 62
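The daily list of 250 rendezvous domains is what defenders went after: once the generating algorithm was reverse engineered, the domains for future days could be computed and registered ahead of the bots. The code below is an added example, not the worm's algorithm or any code from the slides: a toy date-seeded generator standing in for the real one, the defender's precomputation of the coming days' names, and a check over constructed resolver log lines that flags a host walking the list (many NXDOMAIN answers, or a query for a precomputed name). Host addresses, the TLD list, the log format and the log lines are all constructed.

```python
import hashlib
from collections import Counter, defaultdict
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info", "biz")   # constructed; not the worm's real list
DOMAINS_PER_DAY = 250


def toy_dga(day_iso, count=DOMAINS_PER_DAY):
    """Illustrative date-seeded DGA (NOT Conficker's algorithm): every bot that knows the
    date derives the same `count` candidate rendezvous domains, 8-letter label plus TLD."""
    names = []
    for i in range(count):
        h = hashlib.sha256(f"{day_iso}:{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(h[j:j + 2], 16) % 26) for j in range(0, 16, 2))
        names.append(f"{label}.{TLDS[int(h[16:18], 16) % len(TLDS)]}")
    return names


def precompute_blocklist(start_iso, days_ahead=7):
    """Defender side: once the algorithm is reverse engineered, the domains for the
    coming days can be generated, registered or sinkholed before the bots ask for them."""
    start = date.fromisoformat(start_iso)
    names = set()
    for d in range(days_ahead):
        names.update(toy_dga((start + timedelta(days=d)).isoformat()))
    return names


def build_sample_log(day_iso):
    """Constructed resolver log lines: '<time> <client> <qname> <rcode>'. Host 10.0.0.23
    plays an infected bot walking its daily list; 10.0.0.5 is a clean host with two typos."""
    dga = toy_dga(day_iso)
    return [
        "08:00:01 10.0.0.5 www.example.com NOERROR",
        "08:00:02 10.0.0.5 wwww.example.com NXDOMAIN",
        "08:00:03 10.0.0.5 mail.example.org NOERROR",
        "08:00:04 10.0.0.5 exmaple.net NXDOMAIN",
        f"08:01:00 10.0.0.23 {dga[0]} NXDOMAIN",
        f"08:01:01 10.0.0.23 {dga[1]} NXDOMAIN",
        f"08:01:02 10.0.0.23 {dga[2]} NXDOMAIN",
        f"08:01:03 10.0.0.23 {dga[3]} NXDOMAIN",
        f"08:01:04 10.0.0.23 {dga[4]} NXDOMAIN",
        f"08:01:05 10.0.0.23 {dga[5]} NOERROR",      # the one the operator registered
        "08:02:00 10.0.0.23 www.example.com NOERROR",
    ]


def find_dga_clients(log_lines, blocklist, nx_threshold=5):
    """Flag a client if it (a) receives at least nx_threshold NXDOMAIN answers in the window
    (a bot walking a list of mostly unregistered names) or (b) queries any precomputed name."""
    nxdomain = Counter()
    dga_hits = defaultdict(set)
    for line in log_lines:
        _ts, client, qname, rcode = line.split()
        qname = qname.lower().rstrip(".")
        if rcode == "NXDOMAIN":
            nxdomain[client] += 1
        if qname in blocklist:
            dga_hits[client].add(qname)
    flagged = {}
    for client in set(nxdomain) | set(dga_hits):
        reasons = []
        if nxdomain[client] >= nx_threshold:
            reasons.append(f"{nxdomain[client]} NXDOMAIN answers")
        if dga_hits[client]:
            reasons.append(f"{len(dga_hits[client])} precomputed DGA name(s) queried")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    today = "2009-02-11"
    blocklist = precompute_blocklist(today, days_ahead=3)
    print(find_dga_clients(build_sample_log(today), blocklist))
```

The two signals are complementary: the NXDOMAIN count catches a bot even when the generator is unknown, because only a handful of the 250 names ever resolve; the precomputed list catches it on the first query once the generator is known, and the same list is what you hand to the registrars or your sinkhole.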

Downadup Worm

Three weeks after they became infected, IT staff at five hospitals in Sheffield, UK were still cleaning the worm from more than 800 of the hospitals' 7,000 PCs. Managers had turned off the automatic Windows update late last year apparently to prevent the repetition of an incident whereby PCs in an operating theatre rebooted during surgery.

2/11/09 CSC309 Miller 63

Downadup Worm

2/6/09 Houston Police have stopped arresting people with outstanding traffic warrants, as Downadup (also known as Conficker) continues to infect Houston government agencies. $25,000 paid to a contractor to clean up the mess. The worm appears to be contained to the Municipal Court and Parking Management systems and has blocked access to most data on computer hard drives.

2/13/09 CSC309 Miller 64

Downadup Worm

The French Navy's Rafale aircraft were "nailed to the ground" because they were unable to "download their flight plans". Naval officials said the "infection"' was probably due more to negligence than a deliberate attempt to compromise French national security. It said it suspected someone at the navy had used an infected USB key.

3/22/09 CSC309 Miller 65

Downadup Worm

In the first days of January 2009 the British Defense Ministry was attacked by a hybrid of Downadup/Conficker that had substantially and seriously infected the computer systems of more than 24 RAF bases and 75 per cent of the Royal Navy fleet including the aircraft carrier Ark Royal.

2/13/09 CSC309 Miller 66

Downadup Worm

(April 28 & 29, 2009) The Conficker worm is now installing malware called Waledac on infected machines that turns the machines into spam servers that send out spam at a rate of about 10,000 to 20,000 messages per machine each day. As many as 12 million machines are believed to be infected with Conficker.

http://www.zdnetasia.com/news/security/0,39044215,62053678,00.htm

http://www.msnbc.msn.com/id/30453812/

[Editor's Note (Skoudis): Just last week at RSA, I mentioned that the most likely outcome of Conficker is that it would be used for fairly mainstream and pedestrian purposes such as spam. Kind of

CSC309 Miller 67

--Pirated Copies of iWork 09 Contain Trojan (January 22, 2009)

Illegal copies of Apple's iWork 09 have been appearing on filesharing websites. The pirated software is believed to contain a Trojan horse program known as iServices.A. The Trojan has root access to infected computers. Once in place, it connects to a remote server and downloads additional software that makes the infected computer part of a botnet. The Trojan has already been inadvertently downloaded by an estimated 20,000 users.

3/22/09 CSC309 Miller 68

Some Old Questions

1. Your typical (if there is such a thing) person who poses the major threat to a company's computer systems is ?

2. What is the over-billing scam and why is it so hard to stop?

3. When we talk about anonymity being a factor in many computer crimes, what point are we trying to make?

4. Captain Crunch designed, built, and used blue boxes to ?

6/27/02 CSC309 Miller 69