Introduction - Binghamton



Computer Crime

Martin Goldman

CS 495

Spring 2004

Abstract

The reliance upon computers in industrialized nations has increased dramatically over the past 40 years. Unfortunately, that reliance has created myriad new opportunities for crime. This paper provides an overview of computer crime: a brief history of the field, the types of computer-related offenses, the types of individuals that commit them, and the federal laws in place to protect against them.

Contents

About the Author

Introduction

Historical Perspective: A Timeline of Significant Events

Types of Computer Crime

Who Commits Computer Crimes, and Why?

Computer Crime and the Law

Conclusion

Works Cited

Figures

Figure 1: Results of Department of Defense’s Computer Penetration Test

Figure 2: Unauthorized Use of Computer Systems Within the Last 12 Months

Figure 3: Types of Unauthorized Computer Use Within the Last 12 Months

About the Author

Martin Goldman (b. 1983) is a senior double majoring in computer science and music at Binghamton University, State University of New York. He has been studying computer crime for one month. After receiving his dual baccalaureate in May 2005, he plans to join the Banking Technology group at Goldman Sachs in New York.

Introduction

Computer crime is defined as criminal activity that is committed using computers, or that targets computers, or both. One might wonder what the extent of the computer crime problem is. Unfortunately, it is difficult to say. This is because the FBI’s National Computer Crime Squad estimates that as few as 3% of incidents are actually reported. However, the results of a Department of Defense-sponsored system penetration test performed in the early 1990s were not encouraging. Of the nearly 9,000 hosts that were tested, nearly 90% of hosts were successfully compromised, while only 5% of the attacks were detected (Icove, 3). See Figure 1:

[Figure 1: Results of Department of Defense’s Computer Penetration Test]

To get a look at how computer crime affects businesses, government agencies, universities, and financial institutions, the Computer Security Institute and the FBI cosponsor an annual Computer Crime and Security Survey. In 2004, about 500 organizations participated. About half reported experiencing one or more incidents of computer crime in the previous 12 months, collectively costing the organizations over $140 million. However, the news is not all bad. The survey also indicated that the percentage of organizations that reported experiencing computer crimes has dropped for the fourth year in a row (“2004 CSI/FBI Computer Security Survey”). See Figure 2:

[Figure 2: Unauthorized Use of Computer Systems Within the Last 12 Months]

There are dozens of types of computer-related crimes, which can be broken down into four categories: breaches of physical security, personnel security, data and communications security, and operations security. These offenses violate a number of the rules set forth in the Association for Computing Machinery’s Code of Ethics, including “Be honest and trustworthy,” “Honor property rights,” “Honor confidentiality,” and “Respect the privacy of others” (“ACM Code of Ethics”). The purpose of this paper is to introduce the reader to the field of computer crime: the history, the types of offenses, who the perpetrators are, and the federal laws that prohibit them.

Historical Perspective: A Timeline of Significant Events

July 1981 – Pat Riddle, aka Captain Zap, a cracker, is arrested for breaking into the telephone system and federal government computers, as well as for hacking into credit agency computers and sales and invoicing systems at computer companies in order to fraudulently acquire hundreds of thousands of dollars worth of equipment. He is the first person to ever be convicted of a computer crime (Clough, pp. 61-69).

June 1983 – The movie War Games is released, bringing cracking and crackers into the public eye. Following its release, the computer underworld continues to grow in popularity (Clough, p. 164).

November 1985 – Phrack, the first magazine dedicated to hacking, begins publication (Clough, p. 58).

August 1986 – While investigating a 75-cent accounting error at Lawrence Berkeley National Laboratory, Cliff Stoll uncovers a West German computer espionage ring, the first documented international computer security incident (Clough, pp. 175-176).

October 1987 – The first documented virus attack occurs at the University of Delaware, infecting several hundred disks. The virus, a boot sector virus called Brain, is traced to two brothers in Pakistan. Although it does no deliberate damage, it inadvertently renders about 1% of infected disks unusable (Clough, pp. 85-88).

December 1987 – The first major Trojan horse incident occurs at a German university. The Trojan, called Christmas, spreads through e-mail, masquerading as a Christmas greeting (Clough, p. 101).

November 1988 – The Morris Internet worm is loaded onto the ARPANET. Through such means as exploiting a security flaw in the Sendmail e-mail handling agent and guessing passwords, the worm propagates across the ARPANET and MILNET, infecting about 10% of the hosts on the network. Although the worm is not intended to cause damage, bugs in the code cause it to repeatedly infect the same hosts, often crashing them (Clough, pp. 94-99).

April 1991 – Cracker Kevin Poulsen is arrested after a year and a half of running from the FBI on charges of phone tampering. In one instance, he jammed incoming calls to a radio prize line in order to win a $50,000 Porsche (Furnell, pp. 89-91).

June 1994 – Vladimir Levin leads a Russian cracker gang in the first documented electronic bank robbery, breaking into computer systems at Citibank and transferring $10 million into his accounts (Wall, p. 34).

February 1995 – Kevin Mitnick is arrested by the FBI for breaking into countless computers, intercepting private electronic communications, and copying confidential materials (Furnell, pp. 84-89).

March 1999 – A Microsoft Word macro virus called Melissa becomes the fastest spreading virus to date. By spreading through e-mail, the virus infected over 100,000 Internet hosts in a single weekend (Furnell, pp. 155-159).

February 2000 – The Web sites of CNN, eBay, Yahoo, Amazon, and are paralyzed for hours by denial of service attacks (“The Denial of Service Aftermath”).

Types of Computer Crime

It is possible to break computer-specific crimes into groups based roughly upon the types of security measures that aim to prevent them. These include breaches of physical security, breaches of personnel security, breaches of communications and data security, and breaches of operations security.

Physical security concerns the physical protection of computer hardware, storage media, and related documentation. There are a number of computer-related crimes that can be committed when such assets are not physically protected. Perhaps the most obvious one is disruption of the availability of computer-provided services. This can be accomplished either physically – by damaging hardware or disrupting utilities in a data facility – or remotely over the Internet by flooding a server with requests in order to consume its memory, CPU time, and network bandwidth, crashing the server or slowing it down enough that it is unable to respond to legitimate service requests.

Another way in which computer criminals can breach physical security is by intercepting wire communications. For example, by tapping into poorly protected telephone or network wiring, a criminal can listen in on phone conversations or sniff network data for passwords or other classified information. Another breach of physical security often practiced by computer criminals is dumpster diving, which consists of searching through trash looking for discarded media and printouts that may contain confidential information (Icove, pp. 29-35).

Personnel security involves manipulation or imitation of insiders of an organization. One type of personnel security breach is masquerading, the act of using another person's identity to gain unauthorized access to a computer system. This can be done physically – for example, by using another person's ID card to get into a building – or electronically – for example, by figuring out a user's password and using it to remotely access a computer system. A favorite type of personnel security breach among computer criminals is social engineering, which is a process by which the perpetrator manipulates others into revealing confidential information. In one classic social engineering scenario, a perpetrator calls a secretary in the accounting office of a large company. “This is Bob from the help desk,” he tells the secretary. “We've been hearing a lot of reports of people having trouble logging into the accounting system this afternoon. Why don't you go ahead and log in for me?” Frequently, the secretary will oblige. The criminal continues: “Okay, did the log-on prompt come up? What username did you type? What password?” All too often, the secretary will divulge this information without even a second thought (Icove, pp. 35-40).

Communications and data security concern the protection of software and data. An obvious example of an attack on data is data theft; for example, an industrial spy might attempt to steal trade secrets from a competitor. A less obvious example is traffic analysis, which is the act of analyzing seemingly unimportant data in an effort to deduce secrets. For example, in one instance, an industrial spy monitored a company's use of an online service to track its progress on a research and development project.

Attacks on software also fall into the category of breaches of communications and data security. One common example of software attacks is malicious software – viruses, worms, and Trojan horses. A virus is a self-replicating program that spreads by attaching copies of itself to other programs, documents, or storage media. Some viruses are fairly benign and serve only to annoy the user. However, many are intentionally destructive, for example, by erasing data. Worms are also self-replicating and may or may not cause intentional damage, but unlike viruses, they are standalone programs. Trojan horses are malicious standalone programs that are disguised as legitimate software. Another example of a software attack is “salami slicing,” a type of attack on a financial system that involves stealing a large amount of assets in very small increments. The classic example of salami slicing, which has been depicted in several films, involves rounding off balances, and dropping the remainder into an account held by the perpetrator (Icove, p. 45). Another type of software attack that has become common in recent years is spyware, which is software that gathers data about a user and sends it to a third party over the network without the user’s consent (“Recognizing and Avoiding Spyware”).
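A per-account audit that would expose the salami-slicing pattern described above, as an added example that is not part of the original paper. The account numbers, the amounts and the round-half-even policy are constructed assumptions; the point is that the run's totals balance, so only recomputing each account's entitlement reveals the diversion.

```python
from decimal import Decimal, ROUND_HALF_EVEN

CENT = Decimal("0.01")

# Constructed sample interest run:
# (account, exact interest owed, amount actually credited).
SAMPLE_RUN = [
    ("A-1001", Decimal("12.3456"), Decimal("12.34")),
    ("A-1002", Decimal("7.8912"), Decimal("7.89")),
    ("A-1003", Decimal("3.1999"), Decimal("3.19")),
    ("A-1004", Decimal("45.0051"), Decimal("45.00")),
    ("A-1005", Decimal("0.9949"), Decimal("0.99")),
    ("A-9001", Decimal("0"), Decimal("0.03")),  # owed nothing in this run
]


def audit_run(postings, rounding=ROUND_HALF_EVEN):
    """Recompute every credit under the documented rounding policy.

    Returns the accounts credited less or more than the policy allows,
    and whether the run still balances in total.
    """
    underpaid, overpaid = [], []
    expected_total = credited_total = Decimal("0")
    for account, exact, credited in postings:
        expected = exact.quantize(CENT, rounding=rounding)
        expected_total += expected
        credited_total += credited
        diff = credited - expected
        if diff < 0:
            underpaid.append((account, -diff))
        elif diff > 0:
            overpaid.append((account, diff))
    diverted = sum((amount for _, amount in underpaid), Decimal("0"))
    return {
        # True here means a totals-only reconciliation would pass.
        "totals_balance": expected_total == credited_total,
        "underpaid": underpaid,
        "overpaid": overpaid,
        "diverted": diverted,
    }


if __name__ == "__main__":
    report = audit_run(SAMPLE_RUN)
    print("totals balance:", report["totals_balance"])
    for account, amount in report["underpaid"]:
        print(f"underpaid {account} by {amount}")
    for account, amount in report["overpaid"]:
        print(f"overpaid  {account} by {amount}")
    print("total diverted:", report["diverted"])
```

Many small shortfalls that add up to one account's unexplained gain are the signature to look for; a batch total that reconciles is not evidence that each account was paid correctly.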

Operations security concerns protection of an organization’s procedures for detecting and preventing computer crime. One breach of operations security is so-called “data diddling” – that is, modifying data that is stored in a computer system. For example, a perpetrator who is a student might attempt to crack into his school’s computer to change his grades. Another common breach of operations security is the allocation of excess access privileges. Most modern operating systems support intricate file permissioning schemes, allowing system administrators to grant users access only to specific files. Unfortunately, in many organizations, users are given more access privileges than they need. This is a problem because it allows legitimate users to access data they should not be able to view. It is also a problem because, when an account with excess privileges is compromised, the perpetrator is able to take advantage of those privileges.
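One way to find the excess access privileges discussed above is to compare what each account has been granted with what it actually used during a review window. The following is an added example, not part of the original paper; the users, paths, log format and function names are all constructed for illustration.

```python
from collections import defaultdict

VALID_OPS = {"read", "write", "execute"}

# Constructed sample data: permissions granted per user and file.
GRANTS = {
    "alice": {"/payroll/q3.xls": {"read", "write"},
              "/hr/reviews.doc": {"read"}},
    "bob": {"/payroll/q3.xls": {"read"},
            "/src/build.sh": {"read", "write", "execute"}},
}

# Constructed access log for the review window:
# timestamp user operation path
ACCESS_LOG = """\
2004-10-01T09:12:03 alice read /payroll/q3.xls
2004-10-01T09:15:40 alice write /payroll/q3.xls
2004-10-02T11:02:17 bob read /src/build.sh
2004-10-02T11:02:19 bob execute /src/build.sh
2004-10-02T12:00:00 bob
"""


def parse_access_log(text):
    """Return {(user, path): {operations seen}}, skipping malformed lines."""
    used = defaultdict(set)
    for line in text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4 or fields[2] not in VALID_OPS:
            continue  # truncated or unrecognised entry
        _timestamp, user, operation, path = fields
        used[(user, path)].add(operation)
    return used


def unused_grants(grants, used):
    """List (user, path, operation) granted but never exercised."""
    findings = []
    for user, files in grants.items():
        for path, operations in files.items():
            for operation in operations - used.get((user, path), set()):
                findings.append((user, path, operation))
    return sorted(findings)


def exposure_if_compromised(grants, user):
    """Everything an intruder inherits by taking over this one account."""
    return sorted((path, operation)
                  for path, operations in grants.get(user, {}).items()
                  for operation in operations)


if __name__ == "__main__":
    used = parse_access_log(ACCESS_LOG)
    for user, path, operation in unused_grants(GRANTS, used):
        print(f"unused grant: {user} may {operation} {path}")
    print("bob's exposure:", exposure_if_compromised(GRANTS, "bob"))
```

An unused grant is a candidate for removal rather than proof of excess, since some legitimate tasks fall outside any single review window.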

The 2004 Computer Crime and Security Survey reports the frequency of a number of specific attacks. See Figure 3:

Who Commits Computer Crime, and Why?

The types of individuals that commit computer crimes, as well as the motivating factors behind them, are as varied as the crimes themselves. To help law enforcement agencies combat perpetrators of computer crimes, the FBI developed the Computer Crime Adversarial Matrix in 1995. The matrix attempts to make generalizations about various types of computer criminals. It breaks computer criminals into three groups: crackers, “professional” criminals, and vandals.

Crackers are typically intelligent, young computer hobbyists. They are bored with school or work, so they seek excitement, intellectual stimulation, and the opportunity to “fight the system” via the computer underworld. Relatively few are motivated by personal gain. Many are socially awkward and have few friends. Of these, many seek human interaction on electronic bulletin board systems and Internet chat rooms, especially with other crackers, with whom they can share knowledge and collaborate. Others are true loners, choosing to learn by trial and error and to carry out their own attacks. Crackers frequently do not consider their offenses crimes and don't hesitate to talk freely about their actions, and many retain documentation of their attacks. These tendencies often lead to crackers' downfalls.

Although all perpetrators of computer crimes are certainly criminals, the FBI gives special distinction to “professional” criminals – that is, those who commit fraud, extortion, or espionage for financial or political gain. Among fraud-related offenses, criminal organizations have used computers to launder drug money, manipulate money transfers, and add fake employees to payroll systems in order to collect paychecks and retirement payments. Extortionists have planted viruses in computer systems, refusing to provide antidotes until their conditions are met. In addition, numerous instances of espionage have occurred over the years. This includes cases of both industrial espionage, in which companies hire contractors to steal trade secrets from their competitors, and governmental espionage, in which rogue governments and terrorists hire contractors to steal information from defense, academic, and other government facilities.

Computer criminals who are classified as vandals are typically seeking revenge against their targets. Although acts of computer vandalism can be committed by outsiders, most vandalism offenses are inside jobs; that is, they are committed by someone within the organization being attacked. For example, if an employee is fired or denied a raise by his employer, he may feel the need to exact revenge on the organization by erasing critical data or introducing a virus into the employer's network. There have also been instances in which programmers have inserted “logic bombs” into applications that can be remotely activated to make the software “self destruct.” Vandalism cases are particularly worrisome for employers because the perpetrators are typically trusted employees (Icove, pp. 68-69).

Computer Crime and the Law

As the frequency of computer crime cases increased throughout the 1970s and 1980s, it became apparent that existing criminal laws in the United States were often insufficient to prosecute them. Although some computer crimes could be prosecuted using existing statutes – wiretapping laws, for example – many could not. An example of such a case is The Commonwealth of Virginia v. Lund (1977), in which Charles Lund, a graduate student at Virginia Tech, was convicted of stealing computer time under an existing larceny statute. Lund appealed his case to the Virginia Supreme Court, which overturned the ruling, on the grounds that “at common law, larceny is the taking and carrying away of the goods of another with intent to deprive the owner of the possessions thereof permanently … the phrase ‘goods and chattels’ cannot be interpreted to include computer time and services in light of the often repeated mandate that criminal statutes must be strictly construed” (“Commonwealth v. Lund”).

The outcomes of cases such as Lund provoked legislators to pass laws on both the state and federal levels that specifically address computer-related offenses. The following are the primary federal laws that are used today to prosecute computer criminals in the United States.

The Computer Fraud and Abuse Act of 1984 (amended in 1986, 1994, 1996, and 2001) made it illegal to knowingly access a computer without authorization in order to:

• obtain information about national defense, foreign relations, and other classified information;

• obtain records of a financial institution or a consumer reporting agency;

• obtain access to any nonpublic computer belonging to the federal government;

• defraud any person or organization;

• intentionally cause unauthorized damage, or knowingly cause the transmission of a program or command to cause unauthorized damage, to a protected computer, resulting in financial losses, alteration of medical data, physical injury to any person, a threat to public safety, or an effect on the administration of justice, national defense, or national security;

• participate in trafficking in passwords that affects interstate or foreign commerce or that concerns federal government computers; or

• use interstate or foreign communication to threaten a protected computer with intent to extort.

The Electronic Communications Privacy Act of 1986 (amended in 1994), an amendment to an existing federal wiretap law, made it illegal to intercept electronic communication – both in transit and in storage – without authorization from the parties involved in the communication. However, it allows Internet service providers to intercept such communication in order to maintain service. In addition, it allows the government to obtain a warrant to access such communications without authorization.

The Digital Millennium Copyright Act of 1998 made it illegal to circumvent anti-piracy measures built into commercial software, as well as to manufacture and sell devices to bypass such measures. It also limited the liability of Internet service providers in copyright infringement offenses committed by their users, so long as they take appropriate measures to stop such offenses when they are discovered.

The Cyber Security Enhancement Act of 2002 was passed as part of the Homeland Security Act, and made it legal for Internet service providers to voluntarily hand over personal information about their customers to government agents if there is reason to believe the information concerns a crime. It also authorized sentences of 20 years to life for individuals who commit computer crimes resulting in death or serious bodily injury. In addition, it increased penalties for first-time interceptors of cellular phone traffic (“US Code Collection”).

Conclusion

In 1965, the AT&T telephone monopoly installed the first electronic telephone switch, initiating the replacement of phone operators with computers (“History of AT&T”). It could be argued that this simple action marked the beginning of an era. For the first time, ordinary citizens began to rely upon computers in their everyday lives. Since then, the number of tasks we have entrusted to computers has grown at an incredible pace. Today, computers run our communications networks, our utilities, our bank accounts – even our national defense systems.

History has demonstrated that many innovations that can be used to improve life can also be used by criminals for their own selfish purposes. For example, the invention of the automobile made it easier to rob banks, and the popularization of the telephone was a boon for extortion and blackmail. Unfortunately, in this regard, computers are even worse. In addition to their usefulness to criminals in traditional offenses, the dependence of industrialized nations on computing has introduced myriad new opportunities for crime. These new crimes, which include breaches of physical security, personnel security, communications and data security, and operations security, are committed by a variety of perpetrators for a variety of reasons. Only after understanding the scope of the computer crime problem can we ever hope to address it.

Works Cited

“ACM Code of Ethics.” Oct 1992. 17 Oct 2004.

Clough, Bryan and Mungo, Paul. Approaching Zero: The Extraordinary World of Hackers, Phreakers, Virus Writers, and Keyboard Criminals. London: Faber & Faber, 1993.

“Commonwealth v. Lund.” n.d. 17 Oct 2004.

“CSI/FBI Computer Crime and Security Survey.” 2004. 17 Oct 2004.

“Denial of Service Aftermath.” Feb 2000. 17 Oct 2004.

Furnell, Steven. Cybercrime: Vandalizing the Information Society. Boston: Addison-Wesley, 2002.

“History of AT&T.” n.d. 17 Oct 2004.

Icove, David, Seger, Karl, and VonStorch, William. Computer Crime: A Crimefighter's Handbook. Sebastopol, CA: O'Reilly & Associates, 1995.

“Recognizing and Avoiding Spyware.” Sept 2004. 17 Oct 2004.

“U.S. Code collection.” n.d. 17 Oct 2004.
