cybercrime case scenarios assessment and protection approaches

CYBERCRIME CASE SCENARIOS: ASSESSMENT AND PROTECTION APPROACHES
BY ADEWALE JONES

PRESENTATION AGENDA
- The Challenge of Cybersecurity in Africa
- Cybercrime Statistics 2009
- Some Evidence of the State of Cybersecurity in Africa
- Some Cybercrime Cases and Scenarios
- Youth Involvement in Cyber-criminality in Nigeria
- Youth Engagement as Part of Solution to Cyber-crime
- Protection of Children in the Face of Cyber-criminality
- Some Suggestions in Reducing Cybercrime in Nigeria
- Conclusion

INTRODUCTION
- Information systems and networks have created substantial interconnection between countries.
- Nigeria and indeed other African countries, like the rest of the world, have benefitted from the development, but there have been serious concerns about the negative activities of some users.
- The deployment of broadband will soon be witnessed, and it is projected that, because of the attendant speed, it may complicate the current problems.
- What challenges do we have, and may have, in the cybersecurity sphere?

THE CHALLENGE OF CYBERSECURITY IN AFRICA
- Absence of suitable legal arrangement in most countries.
- Poor knowledge of Information Communications Technology.
- Poor institutional and personnel capacity to address the issue of cyber-insecurity.
- Absence of the framework for dialogue and coordination of strategies at continental and regional levels.
- Absence of the required institutional and related cybersecurity structures.
= The inability to address issues concerning cybercrime in the continent.

CYBERCRIME STATISTICS: TOP TEN COUNTRIES IN THE WORLD
- United States
- United Kingdom
- Nigeria
- Canada
- Romania
- Italy
- Spain
- South Africa
- Russia
- Ghana
Source: Internet Crime Complaint Centre, a joint operation between the FBI and the National White Collar Crime Centre.

SOME EVIDENCE OF THE STATE OF CYBERSECURITY IN AFRICA - NORTH AFRICA
Egypt
- Rapid development of ICT infrastructure
- Along with Morocco, and followed by Algeria and Tunisia, is one of the three countries with the highest internet traffic
- Has a law on cybercrime and e-signature
Tunisia
- Has a functional CERT, created in 2004
- CERT is instrumental to the establishment of NGOs championing IS/IT security
- Runs a higher education degree in information security
- Has an agency for cybersecurity
Algeria
- Established the first CERT in Africa, but it is inactive
Others
- No law in Libya, Morocco and Sudan
Source: Kristine Cole et al., Model of Accessing Cybersecurity in Africa

SOME EVIDENCE OF THE STATE OF CYBERSECURITY IN AFRICA - CENTRAL AFRICA
Angola
- Only country in the region with legislation on cybercrime. Law in place since 2001
- Law is inadequate: it covers only basic telecommunications and does not cover issues like interruption of telecoms services, unauthorised intrusion, data theft or illegal access
- No CERT in place
Cameroon
- Has a Public Key Infrastructure in place, developed with support from ITU
Others
- No law in Gabon, Democratic Republic of Congo, CAR etc.

SOME EVIDENCE OF THE STATE OF CYBERSECURITY IN AFRICA - SOUTH AFRICA
South Africa
- Has a cybercrime law: the Electronic Communications Transaction Act
- No CERT
Namibia
- Has the Computer Misuse and Cybercrime Act since 2003
- No CERT
Mauritius
- Enacted the Information and Communications Technology Act, 2001
- Put in place the Computer Misuse and Cybercrime Act, 2003
- Has a Data Protection Act since 2000
- Has a CERT since May 2008
Others
- No law in Botswana, Zimbabwe etc.

SOME EVIDENCE OF THE STATE OF CYBERSECURITY IN AFRICA - WEST AFRICA
Nigeria
- Has only the Advanced Fee Fraud Act, 2006
- Other initiatives like the following, all yet to be passed:
  o Cybersecurity and Critical Infrastructure Bill
  o Cybersecurity and Information Protection Agency Bill
  o Data Protection Bill
  o Electronic Signature Bill
  o Electronic Commerce Bill
  o Electronic Communications Transaction Bill
Burkina Faso
- Has a law on identity theft
Cape Verde
- Has a law on identity theft
Ghana
- Has the Electronic Transactions Act 2008
Others
- No laws in Liberia, Niger, Sierra Leone, Gambia, Côte d'Ivoire etc.

SOME EVIDENCE OF THE STATE OF CYBERSECURITY IN AFRICA - EAST AFRICA
Zambia
- Enacted a cybercrime law in 2004 after a hack of the State House website replaced the President's official photo with a cartoon. No charge could be raised because there was no cybercrime law at the time.
- Sanction of up to 25 years in jail for hacking, electronic fraud or other internet crimes
Uganda
- Just recently passed its cybercrime laws
- Passed laws on electronic transactions and electronic signatures
- Aim is to check crime
- Computer Misuse Bill is still before parliament
Others
- Not much news is coming from Kenya, Tanzania etc.

SOME CYBERCRIME CASES/SCENARIOS
Advanced Fee Fraud (E-Mail Scam - Nigerian 419)
- The case of some Nigerians (Anajemba, Nwude et al.) who defrauded a Brazilian bank and Shy Bonco Noroeste SA of $242m between 1995-1998 using 4 different companies.
- Loss came to light during due diligence when the bank was being offered for sale to a Spanish group.
- Conviction was sustained under the Advanced Fee Fraud Act, 2006
Unauthorised/Illegal Access to a Computer System - Hacking/Cracking
Some of the greatest hackers:
(a) Vladimir Levin - Russian hacker and mathematician. Spearheaded the hacking that made Citibank lose $10m.
(b) Kevin Mitnick - Involved in many crimes. One was the downloading of 20,000 credit card numbers.
(c) Kevin Poulsen - Serial hacker involved in mail, wire and computer fraud.
(d) Robert Morris - Unleashed the internet worm in 1988, which more or less maimed the growing internet and led to many computers crashing.
(e) John Draper and Mark Abene - Distinguished themselves as frontline phone hackers.

SOME CYBERCRIME CASES/SCENARIOS
Unauthorised/Illegal Access to a Computer System - Hacking/Cracking
- The case of Vashal Ramasur, a 32-year-old Mauritian hacker involved in the sabotage of the internet connection in 2005.
- He contravened s.7(b) of the Computer Misuse and Cybercrime Act, 2003. Fine was MUR200,000 ($6201) and penal sentence not exceeding 20 years.
- The North bay case in the US, where the offence was unauthorised access. The employee used his computer to access the employer's accounting system software without authorization and issued cheques payable to himself and others. They were cashed.
- An attempt was made to conceal the fraud by altering the employer's electronic cheque register to give the impression that the cheques were paid out to vendors. The employer lost $875,035. The accused pleaded guilty and was sentenced to 5 years in jail plus a $250,000 fine.
Computer Related Crime - Forgery
- The forgery case of Gold and Schifreen in the UK, (1988) 2 All E.R. 186, where the defendants gained unauthorised access to the BT Prestel service and discovered the password codes of people's e-mail accounts, including that of the Duke of Edinburgh. They were charged with creating a false instrument by entering customer authorization codes to access the system.

SOME CYBERCRIME CASES/SCENARIOS
Computer Related Crime - Identity Theft
- The act of obtaining a person's identification through various surreptitious/untoward means
- 9.9m victims in the US in 2007 (Federal Trade Commission Report)
- There are three levels as defined by ITU:
  (a) Act of obtaining identity related information
  (b) Act of possessing or transferring identity related information
  (c) Act of using identity related information
- The US case of an identity card thief who obtained the names of the 400 richest Americans from Forbes Magazine, with some personal information contained therein.
- He got other information from the internet and from credit agencies by sending forged investment bank letters.
- He spent so much money but was caught trying to transfer $10m from Thomas Siebel's account.
Source: Adapted from O. Osuagwu (2007)

SOME CYBERCRIME CASES/SCENARIOS
Data Interference - Illegal Data Mining
- There was also the US case of illegal data mining. The accused had the business of distributing adverts through the internet to e-mail addresses on behalf of advertisers. He was said to have, with some of his employees, illegally accessed a computer database owned by another company and downloaded a huge amount of data containing the personal information of some individuals for about 18 months.
- The downloaded data would have created problems if they were used for fraudulent purposes.
Illegal Data Interference - Phishing Scam - Fraudulent Acquisition of Sensitive Information
- The case of Daniel Level and others: a gang operated a phishing scam against E-bay retail accounts, netting over 200,000 pounds from fraudulent sales.
- Damage caused by phishing includes: loss of access to e-mail, financial losses

SOME CYBERCRIME CASES/SCENARIOS
Illegal Systems Interference
- The UK case of Thompson, an employee of a bank in Kuwait who manipulated the bank's computers to debit some accounts and credit accounts under his control. He visited the UK and sent a request to transfer the monies to accounts in the UK. The fraud was discovered. See [1984] 3 All E.R 565
- Denial of Service Attack (DOS Attack): flooding the bandwidth of a network or e-mail box with spam mail. Websites like Amazon, CNN, Yahoo and E-bay have been victims.
- E-mail Bombing: sending a huge volume of e-mail to an address to stuff the e-mail box and overwhelm the server.
- Logic Bomb: a programming code
  (a) The case of Michael Lauffenberger, an employee who inserted a logic bomb in order to delete critical rocket project data.
  (b) Tony Xiaotong installed a logic bomb while working as a programmer for Deutsche Morgan Grenfell.
  (c) There was the US case of the use of a logic bomb which caused damage of more than $3m to the employer's network.

SOME CYBERCRIME CASES/SCENARIOS
Other Crime Outlets
- The Ghana 'Sakawa' Group in Nima, whose prime focus is the sale of stolen credit card numbers and the use of same to buy over the internet.
- Modus operandi is to buy or steal credit card numbers from hotel employees and cashiers of supermarkets.

YOUTH INVOLVEMENT IN CYBERCRIMINALITY IN NIGERIA
- Those involved are between 18-25 years, mostly resident in the urban centres.
- The internet has helped in modernizing fraudulent practices among the youths.
- Online fraud is seen as the popularly accepted means of economic sustenance by the youths involved.
- The corruption of the political leadership has enhanced the growth of the internet crime subculture.
- The value placed on wealth accumulation has been a major factor in the involvement of youths in online fraud.
Source: Study by Adebusuyi Adeniran, International Journal of Cyber-criminology, 0794-2891, vol. 2(2) 368-381, July-December 2008

YOUTH ENGAGEMENT AS A PART SOLUTION TO CYBERCRIME
- Pursuit of more private initiatives on youth orientation, e.g.
  - Collaboration between Microsoft and Paradigm Initiative Nigeria (PIN) and other stakeholders under the Internet Safety, Security and Privacy Initiative for Nigeria on youth education on cybercrime and positive use of computer skills.
- The need to provide employment for the youths should be top priority in the agenda of government.
- Youths without skills should be assisted to acquire some to make them employable.
- Renewed vigour is required in the work of the National Orientation Agency. There is a need to put the right values on the table.
- Punishment of erring youths to be pursued to deter prospective cybercrime recruits.

PROTECTION OF CHILDREN IN THE FACE OF CYBER-CRIMINALITY
Need to leverage on the ITU initiative, re:
1. Guidelines for Policy Makers on Child Online Protection
   - Revisit the legal framework for child protection. Look again at the Children and Young Person's Act
   - Ensure there is adequate education, training and resources for law enforcement
   - Strengthen reporting mechanism
   - Step up the education for all stakeholders
2. Guidelines for Industry on Child Online Protection
3. Guidelines for Parents, Guardians and Educators on Child Online Protection
4. Guidelines for Children on Child Online Protection

SOME SUGGESTIONS FOR ADDRESSING THE PROBLEMS OF CYBERCRIME IN NIGERIA
- Need for a legal and regulatory framework for addressing cybercrime and other forms of electronic transaction, including electronic signature.
- Rely on the Council of Europe Convention on Cybercrime 2001 in:
  - defining domestic criminal offences and sanctions
  - establishing procedure for detecting, investigating and prosecuting computer crimes
  - collecting electronic evidence
  - setting up a system for international co-operation
- Rely also on the ITU Cybercrime legislation tool kit.
- Need for a regional approach like in the EU, OAS, APEC

SOME SUGGESTIONS FOR ADDRESSING THE PROBLEMS OF CYBERCRIME IN NIGERIA
- The adoption of the ECOWAS Directive on fighting Cybercrime is commendable. The Directive should also guide the formulation of our domestic law and strengthen regional collaboration.
- The need to note the content of the Commonwealth legal framework for addressing cybercrime, drafted along the lines of the Council of Europe Directive.
- The CERT initiative is great and should be pursued.
- Create standards and policies for systems security.
- Organizations, public or private, should be encouraged to pursue ISO 27000 certification on Information Security and Standards.
- Need to train law enforcers on cyber-forensics and how to fight cybercrime.
- Need to enhance judicial capacity.

SOME SUGGESTIONS FOR ADDRESSING THE PROBLEMS OF CYBERCRIME IN NIGERIA
- Need to build capacity (technical and administrative) in Information Systems Security Management, i.e.
  - Develop security professionals
  - Encourage certification under (International Information Systems Security Certification; Critical Infrastructure Protection Certification).
- Provide education for all, especially now that Glo 1 and Main 1 broadband connectivity are around and internet speed will increase.
  - awareness posters
  - e-security website and e-security newsletter
- Need to step up technological intervention. Establish the required technical framework for cybercrime prevention and protection of critical infrastructure.
- Ignite the fire behind the National Cybersecurity Initiative (NCI) and the Nigerian Cybercrime Working Group (NCWG)

SOME SUGGESTIONS FOR ADDRESSING THE PROBLEMS OF CYBERCRIME IN NIGERIA
Need for cooperation as follows:
- Public/private partnership/co-operation, i.e. co-operation between the Government, business, other organizations and individuals who develop, manage, service, provide and use ICT
- Institutional co-operation
- Industry co-operation, even among competitors
Create an information sharing mechanism
- Regional/international co-operation to reduce the impact of jurisdictional limitations
Implement the ITU global security agenda (Framework for International Co-operation in Cybersecurity).
- Develop a culture of cybersecurity to address cybercrime in line with UN Resolution 58/199 of December, 2003
Promote self-reporting of cybercrimes and discourage non-reporting.

CONCLUSION
The summary of all the foregoing in three bullet points:
- The need to develop and enforce legislation, regulations, standards and competence in the face of pervasive and dynamic digital technology and the attendant security concerns.
- The need to create response teams to address cybercrime and to protect critical information and communications infrastructure.
- Stress the need to engage in end-to-end user education on the dangers of cybercrime, on the imperative of adequate cybersecurity, on the protection of critical infrastructure and on the need for self-reporting.

THANK YOU FOR YOUR ATTENTION