Impact of Computers on Society

7. Computer Crime
It was only a matter of time…

Internet was designed by geeks who were interested in openness and free sharing
- DoD commissions ARPANET 1969 – UCLA, UC Santa Barbara, SRI, U Utah (Advanced Research Projects Agency Network)
- First e-mail – Ray Tomlinson (1971)
- Ethernet/Alohanet (1973)
- The Well
- DEC VAX 11/780 (1978) – a favorite in research
  - VMS
  - UNIX

Early Crimes
- Salami method
  - Accumulate rounding errors in a hidden file
  - Random “errors”
- These methods require programming expertise in a world where few computers are networked
- Security was an afterthought
- The Internet was wide open – it was just a matter of time…
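The salami method above is easiest to understand next to the audit check that catches it. This is an added example, not from the lecture: a constructed interest run is posted once honestly and once with the shaved fractions swept into a sink account, and a reconciliation routine (hypothetical, written here for illustration) flags per-account drift, unexpected payees and batch-total mismatches.

```python
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

# Constructed sample interest run: (account, precise amount owed in dollars).
INTEREST_DUE = [
    ("ACC-001", Decimal("12.3467")),
    ("ACC-002", Decimal("8.9152")),
    ("ACC-003", Decimal("101.0049")),
    ("ACC-004", Decimal("0.4981")),
]
CENT = Decimal("0.01")
HALF_CENT = Decimal("0.005")

def post_honest(due):
    """Round each credit to the nearest cent; rounding residue is not retained."""
    return {acct: amt.quantize(CENT, rounding=ROUND_HALF_UP) for acct, amt in due}

def post_salami(due, sink="ACC-SINK"):
    """Truncate each credit and sweep the shaved fractions into a sink account
    (the slide's 'hidden file'). Used here only to produce a tampered run."""
    posted, shaved = {}, Decimal("0")
    for acct, amt in due:
        trunc = amt.quantize(CENT, rounding=ROUND_DOWN)
        posted[acct] = trunc
        shaved += amt - trunc
    posted[sink] = shaved.quantize(CENT, rounding=ROUND_DOWN)
    return posted

def reconcile(due, posted):
    """Audit check: every credit stays within half a cent of what was owed,
    nobody is paid who was owed nothing, and the batch total matches the
    precise total within the rounding tolerance. Returns a list of findings."""
    owed = dict(due)
    findings = []
    for acct, credit in posted.items():
        if acct not in owed:
            findings.append(f"{acct}: credited {credit} but owed nothing")
        elif abs(credit - owed[acct]) > HALF_CENT:
            findings.append(f"{acct}: credit {credit} off by {credit - owed[acct]}")
    tolerance = HALF_CENT * len(owed)  # honest rounding can drift this much
    if abs(sum(posted.values()) - sum(owed.values())) > tolerance:
        findings.append("batch total outside rounding tolerance")
    return findings

if __name__ == "__main__":
    print("honest run:", reconcile(INTEREST_DUE, post_honest(INTEREST_DUE)))
    print("salami run:", reconcile(INTEREST_DUE, post_salami(INTEREST_DUE)))
```

The honest run produces no findings; the tampered run is caught both by the three accounts truncated by more than half a cent and by the sink account that was owed nothing.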

Break-ins
- Hood’s network hacked in the mid-90s
- Various web sites of government agencies
- Read the newspaper
- Watch TV
- What break-ins can you recall?

Four Important Crime Topics
- Hacking
- Scams
- Fraud, embezzlement, theft
- Crime fighting

Hacking vs. Cracking
- Hacking – originally an elegant, sophisticated piece of programming – an art
- Cracking – breaking a security scheme – often brute force or using someone else’s “tools”
- In the media, “hacking” has assumed the latter meaning, which we will adopt

Hacking and Cyber Attacks
- At first, mostly young men
- Organized crime and espionage becoming prevalent
- Originally a test/hazing at MIT, harmless pranks
- Breaking in where you don’t have access
- Isaac Asimov foresaw the computer virus
  - Virus named in his honor: Asimov.1539
- Worms (1980s)
- Sniffers
- “Hacktivism”

Captain Crunch
- John Draper – 1970s
  - A toy whistle found in a cereal box
  - Hacked into Bell South
  - Free calls
  - Shut down phone service
  - Rigged prosecutor’s phone to act like a pay phone
  - FBI calls routed to a 900 sex phone number
- Legion of Doom – exposes vulnerability of phone system
- A little like an MIT hack – somewhat amusing if you are not the victim

Kevin Mitnick
- Convicted of hacking universities, cell phone manufacturers, ISPs
- Went into hiding in 1988 while on probation
- Arrested in 1995 when he hacked into a security expert’s files at San Diego Supercomputer Center
- Crimes aimed at individuals and some businesses

Robert T. Morris
- Grad student at Cornell
- Son of a security expert at NSA
- First worm – November 2, 1988
  - Copied itself onto other computers and spread
  - Clogged up much of the net
  - Claimed it was an experiment that went awry
  - 400 hours community service
  - A tenured associate professor at MIT as of 2006
- Your prof accidentally created a worm!

Some positive effects
- A warning that security holes exist
- Occasioned early anti-virus and other security efforts

Three Major Problems
- Weak security
- Intrusions frequently go unnoticed
- Reluctance even to admit that a break-in has occurred
  - Embarrassment
  - Negative customer reaction
  - Indicates to others that a way to break in exists

Profile of a Young Hacker
- Young
- Male
- Introvert
- Script Kiddie
  - Moderately knowledgeable
  - Uses tools created by others and posted on the net
  - Dangerous – imagine a terrorist who posts a tool that does not do what it claims to do…

Organized Criminals
- Stereotype of young male hacker is much less true now
- Willie Sutton…
  - Why do you keep robbing banks?
  - That’s where the money is!
- Organized criminals have realized that credit information is where the money is.
  - Used directly
  - Sold to others
- Governments have launched cyber attacks
  - Former Soviet Union?
  - China?

Worms and Bots
- Bots (web robots or zombies)
  - Take over individual computers
  - Form networks of thousands of computers
  - Controlled by a “master”
  - Could bring down the Internet—or part of it!
- Conficker worm
- Stuxnet worm (more…)

Governments
- Russia?
  - Estonia
- Cyberattacks
  - May be dangerous
  - Brazil Plunged Into Darkness—November 2009

Some Recent PC Viruses/Worms
- Leonardo
- Melissa
- Love Bug
- Blaster Worm (remote procedure calls – RPCs)
- Beagle/Bagle worm
- Sober-X
- Conficker
- Tools readily available: Symantec
  - (Note there used to be sneaky competition: Symantic)
  - Virus writers are getting ahead of antivirus software
  - Have you ever had to purge your computer?

More Attacks
- Denial of Service
  - Distributed Denial of Service, as in Estonia
  - Here’s how a DDoS works…
- MSIE, MS Outlook
  - Microsoft Security Essentials Free!
  - MS Security Updates
  - MS Malicious Software Removal Tool

Macintosh Viruses (another myth!)
- Contrary to popular belief, Macs are not immune to attack
- Possible to buy Macintosh antivirus software
- Mac viruses are very rare
- Can you explain why?

Ethical questions
- Would it be acceptable for a professor of computer science at Hood College to assign homework directing students to design and code a computer virus or worm?
- What site would you like to hack into and why?

Laws
- If you think something might be illegal, it probably is
- Many crimes covered by preexisting laws
- Two major laws specific to computers
- Computer Fraud and Abuse Act (1986)
  - Covers federal jurisdiction only
  - Broad scope – theft, breaking in, altering or destroying data
  - Stiff penalties

USA Patriot Act of 2001
- Expanded definition of “attack” to include hacking
- Restitution includes cost of responding to the attack and restoring system
- First offense doubled to 10 years
- Allows government to monitor online activity of suspected hacker without a warrant
- There is justifiable fear of cyberterrorism

More USAPA
- Criticized as too broad
- If a warrant is required for wiretap, why not for online monitoring?
- Does a “reasonable expectation of privacy” exist online?

Catching hackers
- Honeypots
- Invite for “job interview” (Russians arrested)
- Computer forensics / digital forensics
- Hackers often make dumb mistakes
  - Not changing return address on email
  - Leaving other clues
- CERT at Carnegie Mellon now a clearing house for security alerts

Overreaction
- Craig Neidorf and “Phrack” (1989)
- Published part of document about BellSouth phone 911 system
- Threatened with lengthy jail term and large fine
- Bell claimed document worth almost $24,000
- Info available for $24 from other phone company sources

Legal Problems
- Printing press not involved in Neidorf case – how to apply existing law?
- Jurisdiction – the Web crosses boundaries
- Hard to frame laws that discriminate between criminal acts and acts of youthful indiscretion
- Perverse that hackers are often hired as security consultants

What do you think?
- Would you hire a hacker as a security consultant?
- What do you think should be done to discourage youthful hackers?

Security Problems
- Often very lax – similar to leaving your iPad on the front seat of an unlocked car
- The Internet has a history of being open
- Laziness
- Lack of knowledge
- Expense

More Security Problems
- Human nature to take precautions after a disaster
- Unanticipated flaws in software
- Users do not take the risk of a break-in seriously
- A balancing act between security and ease of use

SATAN (1995)
- Security Administrator Tool for Analyzing Networks – Dan Farmer & Wietse Venema
- SATAN scanned for known security holes in UNIX/Linux systems
- Public controversy

Farmer & Venema respond
Why wasn’t there a limited distribution to only the “white hats”? History has shown that attempts to limit distribution of most security information and tools has only made things worse. The “undesirable” elements of the computer world will obtain them no matter what you do, and people that have legitimate needs for the information are denied.

A First Amendment Question
- Should it be illegal to write viruses and hacking tools?
- Recall Philip Zimmermann’s PGP (1991)
- Recall Daniel Bernstein’s attempts to publish cryptography research (1993 - 1996)

Scams, Frauds, Attacks, and Other Mischief
- Online Scams
- Not a new problem, but a new venue
- Auctions such as eBay and Yahoo
  - The toasted cheese sandwich purportedly bearing the likeness of Christ
  - Auctions for health care
  - Should it be allowed to advertise for a kidney transplant?

Fraud, Embezzlement, Sabotage, Data Theft, Forgery
- Willie Sutton (again!)
  - Why rob banks?
  - That’s where they keep the money!
- Nothing new – the Internet is just a new venue
  - Stock fraud
  - Credit card fraud
  - Identity theft
  - ATM theft
  - Telecom/cell-phone theft
- How many “computer crimes” can you think of that are completely new—did not exist before computers?

Identity Theft
- Again, nothing new – just new tools
- Succeeds because of the magnitude of the system
- A problem for the victim because SSA, DMV, credit bureaus, law enforcement do not provide much help

DOJ: Fewer ID Theft Victims
- About 9.3 million victims previously counted
- Only about 3.6 million ID thefts in the US counted in 2005 – that’s 3 out of every 100 people
  - Includes misuse of cell phone, credit card, other personal info.
  - 1.7 million of the 3.6 were unauthorized credit card use
  - About 540,000 households said someone misused personal info to open accounts, get loans, or commit other crimes. This is the usual definition of ID theft.
- Associated Press in Washington Post, April 3, 2006

Online ID theft is a BIG problem
- But not as big as you might imagine
- US population in 2010 was 309.1 million.
- There are 3.3 million ID thefts per year.
- Of those, only a small percentage take place online.
- Although not directly online, some thefts do involve computers indirectly.

Common Sources of ID Theft – Summary
  Source                Share of ID theft
  Consumer                     55 %
  Business                     35 %
  Computer                      8 %
  (Margin of error)             2 %
  Total ID Theft              100 %
Source: Javelin Strategy & Research 2006

Common Sources of ID Theft – Business
  Source                                   Share of ID theft
  Corrupt Employee                               15 %
  Stolen from data company                        6 %
  Misuse of data in store, mail, telephone        7 %
  Some other way                                  7 %
  Total ID Theft via Business                    35 %
Source: Javelin Strategy & Research 2006

Common Sources of ID Theft – Consumer
  Source                                          Share of ID theft
  Lost or stolen checkbook, credit card, wallet         30 %
  Relatives, neighbors, friends, home employee          15 %
  Stolen mail, fraudulent change of address              8 %
  Garbage, dumpster-diving                               1 %
  Total ID Theft via Consumer                           54 %
Source: Javelin Strategy & Research 2006

Common Sources of ID Theft – Computer
  Source                        Share of ID theft
  Viruses, spyware, hackers           5.0 %
  Phishing                            3.0 %
  Online transactions                 0.3 %
  Total ID Theft via Computer         8.3 %
Source: Javelin Strategy & Research 2006

Phishing
- Combines the traditional “fishing expedition” with identity theft
- Relies on a very few responses out of thousands of phishing messages

Swindle and Sabotage
- What is the weakest part of any security system? The employees
  - Disgruntled employees – sabotage, logic bomb, denial of service
  - Dishonest employees – theft (DC Office of Tax & Revenue lost over $44M)
  - It is easy to do a lot of damage in a hurry
  - Audit trails
  - Backup, backup, backup

Competitors
- Industrial espionage
- Breach of confidentiality agreement
- Reverse engineering (often legal)
- SLAPP suits (Strategic Lawsuit Against Public Participation)
  - TheStraights.com
  - Melvin Sembler

Digital Forgery
- Pictures
  - O. J. Simpson
- ID cards, licenses, passports easily purchased online
- Money
- Corporate stationery
- Corporate documents
- Proposals for a national ID card with embedded computer chip
- Passports will have embedded chips, beginning summer of 2006
  - Well, they were supposed to!

How do you establish ID in cyberspace?
- Who is behind that computer? Email?
- Digital signatures
- Reputable businesses
  - Can you decipher the bill?
  - Clear procedures for dealing with problems?
  - How does a business know you are you?

Fighting Crime versus Civil Liberties
- Automated surveillance – 9/11, England
- Biometric identifiers
  - Facial recognition systems
  - Fingerprints
  - Retinal scan
  - Iris scan
  - DNA
  - Airport security scan (game)
- Potential for loss of privacy is immense

More Crime Fighting
- Seizure of a computer containing data of people in addition to the one for whom a warrant was issued: The Frederick Madam
- Loss of equipment can shut down a business without a trial
- Is the goal of law enforcement or harassment?
- To what extent should an ISP become an arm of law enforcement?