Impact of Computers on Society

7. Computer Crime

It was only a matter of time…

 Internet was designed by geeks who were interested in openness and free sharing  DoD commissions ARPANET 1969 – UCLA, UC Santa Barbara, SRI, U Utah (Advanced Research Projects Agency Network)     First e-mail – Ray Tomlinson (1971) Ethernet/ Alohanet (1973) The Well DEC VAX 11/780 (1978) – a favorite in research   VMS UNIX

Early Crimes

      Salami method Accumulate rounding errors in a hidden file Random “errors” These methods require programming expertise in a world where few computers are networked Security was an afterthought The Internet was wide open – it was just a matter of time…

Break-ins

 Hood’s network hacked in the mid-90’s  Various web sites of government agencies  Read the newspaper  Watch TV  What break-ins can you recall?

Four Important Crime Topics

 Hacking  Scams  Fraud, embezzlement, theft  Crime fighting

Hacking vs. Cracking

 Hacking – originally an elegant, sophisticated piece of programming – an art  Cracking – breaking a security scheme – often brute force or using someone else’s “tools”  In the media, “hacking” has assumed the latter meaning, which we will adopt

Hacking and Cyber Attacks

        At first, mostly young men Organized crime and espionage becoming prevalent Originally a test/hazing at MIT, harmless pranks Breaking in where you don’t have access Isaac Asimov foresaw the computer virus  Virus named in his honor: Asimov.1539

Worms (1980’s) Sniffers “Hactivism”

Captain Crunch

        John Draper – 1970’s  A toy whistle found in a cereal box Hacked into Bell South Free calls Shut down phone service Rigged prosecutor’s phone to act like a pay phone FBI calls routed to a 900 sex phone number Legion of Doom – exposes vulnerability of phone system A little like an MIT hack--somewhat amusing if you are not the victim

Kevin Mitnick

 Convicted of hacking universities, cell phone manufacturers, ISP’s  Went into hiding in 1988 while on probation  Arrested in 1995 when he hacked into a security expert’s files at San Diego Supercomputer Center  Crimes aimed at individuals and some businesses

Robert T. Morris

       Grad student at Cornell Son of a security expert at NSA First worm – November 2, 1988  Copied itself onto other computers and spread  Clogged up much of the net Claimed it was an experiment that went awry 400 hours community service A tenured associate professor at MIT as of 2006 Your prof accidentally created a worm!

Some positive effects

 A warning that security holes exist  Occasioned early anti-virus and other security efforts

Three Major Problems

 Weak security  Intrusions frequently go unnoticed  Reluctance even to admit that a break-in has occurred    Embarrassment Negative customer reaction Indicates to others that a way to break in exists

Profile of a Young Hacker

 Young  Male  Introvert  Script Kiddy    Moderately knowledgeable Uses tools created by others and posted on the net Dangerous – imagine a terrorist who posts a tool that does not do what it claims to do…

Organized Criminals

   

Stereotype of young male hacker is much less true now

Willie Sutton…   Why do you keep robbing banks?

That’s where the money is!

Organized criminals have realized that credit information is where the money is.

  Used directly Sold to others Governments have launched cyber attacks   Former Soviet Union?

China?

Worms and Bots

 Bots ( web robots or zombies)     Take over individual computers Form networks of thousands of computers Controlled by a “master” Could bring down the Internet—or part of it!

  Conficker worm Stuxnet worm (

more…

)

Governments

 Russia?

 Estonia  Cyberattacks   May be dangerous Brazil Plunged Into Darkness—November 2009

         

Some Recent PC Viruses/Worms

Leonardo Melissa Love Bug Blaster Worm (remote procedure calls – RPC’s) Beagle/Bagel worm Sober-X Conficker Tools readily available: Symantec  (Note there used to be sneaky competition: Symant

i

c) Virus writers are getting ahead of antivirus software Have you ever had to purge your computer?

More Attacks

 Denial of Service   Distributed Denial of Service, as in Estonia Here’s how a DDS works…  MSIE, MS Outlook   Microsoft Security Essentials Free!

MS Security Updates  MS Malicious Software Removal Tool

Macintosh Viruses (another myth!)

 Contrary to popular belief, Macs are not immune to attack  Possible to buy Macintosh antivirus software  Mac viruses are very rare  Can you explain why?

Ethical questions

 Would it be acceptable for a professor of computer science at Hood College to assign homework directing students to design and code a computer virus or worm?

 What site would you like to hack into and why?

Laws

    If you think something might be illegal, it probably is Many crimes covered by preexisting laws Two major laws specific to computers Computer Fraud and Abuse Act (1986)    Covers federal jurisdiction only Broad scope – theft, breaking in, altering or destroying data Stiff penalties

USA Patriot Act of 2001

     Expanded definition of “attack” to include hacking Restitution includes cost of responding to the attack and restoring system First offense doubled to 10 years Allows government to monitor online activity of suspected hacker without a warrant There is justifiable fear of cyberterrorism

More USAPA

 Criticized as too broad   If a warrant is required for wiretap, why not for online monitoring?

Does a “ reasonable expectation of privacy ” exist online?

Catching hackers

     Honeypots Invite for “job interview” (Russians arrested) Computer forensics / digital forensics Hackers often make dumb mistakes   Not changing return address on email Leaving other clues CERT at Carnegie Melon now a clearing house for security alerts

Overreaction

     Craig Neidorf and “Phrack” (1989) Published part of document about BellSouth phone 911 system Threatened with lengthy jail term and large fine Bell claimed document worth almost $24,000 Info available for $24 from other phone company sources

Legal Problems

 Printing press not involved in Neidorf case – how to apply existing law?

 Jurisdiction – the Web crosses boundaries  Hard to frame laws that discriminate between criminal acts and acts of youthful indiscretion  Perverse that hackers are often hired as security consultants

What do you think?

 Would you hire a hacker as a security consultant?

 What do you think should be done to discourage youthful hackers?

Security Problems

 Often very lax – similar to leaving your iPad on the front seat of an unlocked car  The Internet has a history of being open  Laziness  Lack of knowledge  Expense

More Security Problems

 Human nature to take precautions after a disaster  Unanticipated flaws in software  Users do not take the risk of a break-in seriously  A balancing act between security and ease of use

SATAN (1995)

 Security Administrator Tool for Analyzing Networks – Dan Farmer & Wietse Venema  SATAN scanned for known security holes in UNIX/Linux systems  Public controversy

Farmer & Venema respond



Why wasn’t there a limited distribution to only the “white hats”? History has shown that attempts to limit distribution of most security information and tools has only made things worse. The “undesirable” elements of the computer world will obtain them no matter what you do, and people that have legitimate needs for the information are denied.

A First Amendment Question

 Should it be illegal to write viruses and hacking tools?

  Recall Philip Zimmerman’s PGP (1991) Recall Daniel Bernstein’s attempts to publish cryptography research (1993 - 1996)

Scams, Frauds, Attacks, and Other Mischief

 Online Scams  Not a new problem, but a new venue  Auctions such as eBay and Yahoo    The toasted cheese sandwich purportedly bearing the likeness of Christ Auctions for health care Should it be allowed to advertise for a kidney transplant?

Fraud, Embezzlement, Sabotage, Data Theft, Forgery

  Willie Sutton (again!)   Why rob banks?

That’s where they keep the money!

Nothing new – the Internet is just a new venue  Stock fraud      Credit card fraud Identity theft ATM theft Telecom/cell-phone theft How many “computer crimes” can you think of that are completely new—did not exist before computers?

Identity Theft

 Again, nothing new – just new tools  Succeeds because of the magnitude of the system  A problem for the victim because SSA, DMV, credit bureaus, law enforcement do not provide much help

DOJ: Fewer ID Theft Victims

  About 9.3 million victims previously counted Only about 3.6 million ID thefts in the US counted in 2005 – that’s 3 out of every 100 people  Includes misuse of cell phone, credit card, other personal info.

  1.7 million of the 3.6 were unauthorized credit card use About 540,000 households said someone misused personal info to open accounts, get loans, or commit other crimes. This is the usual definition of ID theft.



Associated Press in Washington Post, April 3, 2006

Online ID theft is a BIG problem

 But not as big as you might imagine  US population in 2010 was 309.1 million.

 There are 3.3 million ID thefts per year.

 Of those, only a small percentage take place online.

 Although not directly online, some thefts do involve computers indirectly.

Common Sources of ID Theft – Summary

Consumer Business Computer (Margin of error) Total ID Theft 55 % 35 % 8 % 2 % 100 %

Source: Javelin Strategy & Research 2006

Common Sources of ID Theft – Business

Corrupt Employee Stolen from data company Misuse of data in store, mail, telephone Some other way Total ID Theft via Business 15 % 6 % 7 % 7 % 35 %

Source: Javelin Strategy & Research 2006

Common Sources of ID Theft – Consumer

Lost or stolen checkbook, credit card, wallet Relatives, neighbors, friends, home employee Stolen mail, fraudulent change of address Garbage, dumpster-diving Total ID Theft via Consumer 30 % 15 % 8 % 1 % 54 %

Source: Javelin Strategy & Research 2006

Common Sources of ID Theft – Computer

Viruses, spyware, hackers Phishing Online transactions 5.0 % 3.0 % 0.3 % Total ID Theft via Computer 8.3 %

Source: Javelin Strategy & Research 2006

Phishing

 Combines the traditional “fishing expedition” with identity theft  Relies on a very few responses out of thousands of phishing messages

Swindle and Sabotage

     What is the weakest part of any security system?

The employees  Disgruntled employees – sabotage, logic bomb, denial of service  Dishonest employees – theft (DC Office of Tax & Revenue lost over $44M) It is easy to do a lot of damage in a hurry Audit trails Backup, backup, backup

Competitors

 Industrial espionage  Breach of confidentiality agreement  Reverse engineering (often legal)  SLAPP suits (Strategic Lawsuit Against Public Participation)   TheStraights.com

Melvin Sembler

Digital Forgery

        Pictures  O. J. Simpson ID cards , licenses , passports easily purchased online Money Corporate stationery Corporate documents Proposals for a national ID card with embedded computer chip Passports will have embedded chips, beginning summer of 2006 Well, they were supposed to!

How do you establish ID in cyberspace?

 Who is behind that computer? Email?

 Digital signatures  Reputable businesses    Can you decipher the bill?

Clear procedures for dealing with problems?

How does a business know you are you?

Fighting Crime versus Civil Liberties

   Automated surveillance – 9/11, England Biometric identifiers       Facial recognition systems Fingerprints Retinal scan Iris scan DNA Airport security scan (game) Potential for loss of privacy is immense

More Crime Fighting

 Seizure of a computer containing data of people in addition to the one for whom a warrant was issued: The Frederick Madam  Loss of equipment can shut down a business without a trial  Is the goal of law enforcement or harassment?

 To what extent should an ISP become an arm of law enforcement?