Computer Crimes
1. Chapter 5 -
Legal Issues in Computing
IT 5105 – Professional Issues in IT
Upekha Vandebona
upe.vand@gmail.com
Ref : Tavani, Herman T., “Ethics and technology: controversies, questions, and strategies for ethical computing” , 4th Edition.
[Cyber Crime]
2. Instructional Objectives
Identify methods by which computing services can be
compromised.
Discuss the legal implications of compromising computing
services.
Discuss the types of policies that should be included for system
use and monitoring.
Describe the basic elements of compliance laws – such as ADA508,
FERPA, HIPAA, and Sarbanes-Oxley.
Describe the differences in accountability, responsibility, and
liability.
Describe current approaches to managing risk, and describe the
legal implications of compromising computing services.
Evaluate an acceptable use policy.
COMPUTER CRIME ACT, No. 24 OF 2007
3. Introduction - Cyber Crime
When was the last time you heard about cyber crimes in
Sri Lankan news media?
What was it about?
A Virus?
A break-in to financial and government institution networks?
Digital Piracy?
Cyber Stalking and Cyber Bullying?
Cyber Pornography?
Phishing?
Were we more focused on financial crimes and neglected
interpersonal criminal behaviors?
4. Globally it is more than that…
Hacking pacemakers.
http://www.computerworld.com/article/2981527/cybercrime-hacking/researchers-hack-a-pacemaker-kill-a-man-nequin.html
Ref: http://null-byte.wonderhowto.com/forum/is-hacking-implanted-medical-devices-next-big-cyber-crime-0149205/
5. In Earlier Days…
Disgruntled employees who altered files in computer
databases or who sabotaged computer systems to seek
revenge against employers.
Computer-savvy teenagers, sometimes described in the
media as “hackers”, breaking into computer systems,
either as a prank or for malicious purposes.
“Hackers” who used computers to transfer money from
wealthy individuals and corporations to poorer individuals
and organizations.
6. Many Cybercrimes Go Unreported
Organizations are reluctant to report cybercrimes because
of the embarrassment it might cause them.
The victims fear the negative repercussions:
reporting the crimes would be tantamount to admitting
that their computer security practices are inadequate.
What might happen if a customer discovered that the bank where she
deposits and saves money had been broken into?
She might decide to transfer her funds to a bank that she perceives to be
more secure.
If cyber-related crimes committed by employees working inside a financial
institution were reported and publicized, the institution could also suffer a
loss of customer confidence.
7. Hackers; Were They Countercultural Heroes?
Stereotypical computer hackers, unlike most professional
criminals, are not generally motivated by greed; some
seem to thrive on a kind of “joyriding” (the thrill
experienced in figuring out how to break into
unauthorized systems).
Inclined to attack computers merely to prove that they
could and “show off” to one another.
8. Hackers; Were They Countercultural Heroes?
However, it is also worth noting that many malicious
hackers do not possess outstanding technical skills but are
savvy enough to locate sophisticated “hacking tools” that
can be downloaded from the Internet for free, and many
of these individuals are sufficiently astute to take
advantage of “holes” in computer systems and programs.
9. Hacking vs. Cracking
The meaning of “hacker” began to change in the 1980s when
the media started applying the term to criminals using
computers.
In order to avoid confusion with virus writers and
intruders into information systems, traditional hackers
began calling these destructive computer users crackers.
Crackers often engage in theft and vandalism once they
have gained access to computer systems.
According to Hacker Jargon;
Hacker - “an expert or enthusiast of any kind.”
Cracker - “who breaks security on a system.”
10. White Hat & Black Hat
“White hat hackers” is used to refer to those “innocent,”
or non-malicious, forms of hacking, while “black hat
hackers” refers roughly to “cracking.”
But for the General Public,
It is one term: hacking
and
it is always bad…
11. Counter Hacking
Active defense hacking, sometimes also referred to as
“hacking back against hackers.”
Counter hacking activities have been carried out both by
individuals and corporations; they are directed against
those who are suspected of originating the hacker attacks.
A case of “two wrongs making a right”? Should counter
hacking be legalized? Can it ever be ethically justified?
12. Ethical Hackers
Individuals who successfully complete those certification
programs are trained and certified not only in the use of
defensive measures to ensure the security of their
employers, but also appear to be authorized to engage in
security-related activities.
According to Hacker Jargon;
• The goal of the ethical hacker is to help the organization take
preemptive measures against malicious attacks by attacking the
system himself; all the while staying within legal limits . . .
• An Ethical Hacker is very similar to a Penetration Tester . . .
• When it is done by request and under a contract between an
Ethical Hacker and an organization, it is legal.
13. Counter Hacking : Bad Effects
Can cause harm to innocent individuals.
When victims hack back against those who launch DDoS attacks, many
innocent persons are adversely affected because the
attacks are routed through their computer systems.
Perpetrators of DDoS attacks use “host computers,” which
often include the computers of innocent persons, to
initiate their attacks (a technique sometimes referred to as
“IP spoofing”).
This would suggest to the victims of these attacks that they
originated from the host computer, as opposed to the
computer of the initiator of the attack.
So when victims hack back, they can unintentionally cause
the intermediate computer to be assaulted.
14. Do we need a separate category in our
legal systems to handle crimes with
computers?
An individual who uses a surgeon’s scalpel to commit a murder
would not be considered to have committed a medical crime. It is a
murder even though a medical instrument was used.
People use automobiles to assist criminals in “getaway”
operations, but we don’t have a category called
automobile crimes.
People steal televisions, but we don’t say television
crime.
So why do we need a separate category,
cybercrime, for criminal acts involving cyber
technology?
15. Cyber/Computer Crimes
Yet law-makers have determined it necessary, or at least
useful, to enact specific laws for crimes involving
computers and cyber technology.
Are the following computer crimes?
a.) Boralugoda steals a computer device (e.g., a laser printer) from a
computer lab.
b.) Madapaatha breaks into a computer lab and then snoops around.
c.) Shaggy enters a computer lab that he is authorized to use and
then places an explosive device, set to detonate a short time later,
on a computer system in the lab.
17. Definition
By thinking about cybercrimes in terms of their unique or
special features—conditions that separate them from
ordinary crimes—we could distinguish authentic or
“genuine” cybercrimes from other crimes that merely
involve the use or the presence of cyber technology.
“Crime in which the criminal act can be carried out
only through the use of cyber technology and can
take place only in the cyber realm.”
18. Cyber Piracy
using cyber technology in unauthorized ways to
• reproduce copies of proprietary information
• distribute proprietary information (in digital form) across a computer network.
Cyber Trespass
using cyber technology to gain unauthorized access to
• an individual’s or an organization’s computer system
• a password-protected Web site
Cyber Vandalism
using cyber technology to unleash one or more programs that
• disrupt the transmission of electronic information across one or more computer networks, including the Internet
• destroy data resident in a computer or damage a computer system’s resources, or both
19. Example Cases
Activities involving the unauthorized exchange of copyrighted music
on the Internet via Napster and subsequent P2P-related file-sharing
sites are examples of ………….
The launching of the Conficker virus is an instance of ………..
The DDoS attacks on government and commercial Web sites illustrate
an example of…………… , because they
involved the breaking into, as well as the unauthorized use of, third-
party computer systems to send spurious requests to commercial Web
sites (as opposed to the kind of “genuine” requests sent by users who
wish to access those sites for legitimate purposes). Since DDoS attacks
also cause serious disruption of services for the targeted Websites,
they can also be classified as ……………………..
cyber piracy (Category 1);
cyber vandalism (Category 3);
cyber vandalism (Category 3);
cyber trespass (Category 2)
20. Cyber-related Crimes
Crimes involving stalking and pornography can each be
carried out with or without computers and cyber
technology.
There is nothing about them that is unique to cyber
technology, so crimes such as cyber stalking and Internet
pornography would not qualify as genuine cybercrimes.
21. Cyber-Exacerbated vs. Cyber-Assisted Crimes
This distinction enables us to differentiate between
crimes in which someone merely uses cyber technology
and crimes that are significantly affected by
computers and cyber technology.
Due to the technology, the rates of these types of crime are
rising, specifically for cyber-exacerbated crimes.
23. Identity Theft
A cyber-exacerbated crime in which an imposter obtains
key pieces of personal information in order to
impersonate someone else.
The information can be used to obtain credit,
merchandise, and services in the name of the victim, or to
provide the thief with false credentials.
In the past, identity thieves have combed through
dumpsters (and some still do) looking for copies of bank
statements and for papers containing account information
on credit card bills that people dispose of in their trash.
(This behavior is sometimes referred to as “dumpster
diving.”)
24. Identity Theft
Factors such as lax security and carelessness involving
customer information contained in computer databases
made it easy for some identity thieves to acquire personal
information about their victims.
Information brokering has become a lucrative business.
It connects professional criminals with employees in
organizations that have access to sensitive information
about people’s financial records.
25. Identity Theft From Emails
A scheme involving e-mail that appears to have been sent
by a reputable business.
For example, you may receive e-mail that looks as if it
were sent by eBay, Amazon, or PayPal.
Often these e-mail messages include the official logos of
the companies they purport to represent and might look
legitimate; the message informs you that your account is
about to expire and that you need to update it by
verifying your credit card number as well as other kinds
of personal information.
27. Avoid Identity Theft from Emails
How can a potential victim differentiate legitimate e-mail
sent from businesses such as eBay or PayPal from that sent
by identity thieves?
Typically, e-mail from identity thieves will not address the
potential victim by name; so this can be an indication that
the e-mail is not from a legitimate source.
Users wishing to verify the authenticity of the e-mail can
contact the company by phone, or through the company’s
legitimate e-mail address, if they are in doubt.
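The indicators described on the two slides above (a sender that only looks like the business, no greeting by name, a request to verify card or personal data, an expiry threat) can be checked mechanically. The following is an added example, not part of the original slides; the brand-to-domain table, the function name `phishing_indicators` and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption for this example: brands the user deals with and their real sending domains.
BRAND_DOMAINS = {"ebay": "ebay.com", "amazon": "amazon.com", "paypal": "paypal.com"}

ASKS_FOR_DATA = re.compile(
    r"\b(verif\w*|confirm\w*|updat\w*)\b.{0,80}?"
    r"\b(credit card|card number|password|personal information)\b",
    re.I | re.S)
URGENCY = re.compile(r"about to expire|will be (suspended|closed)", re.I)


def phishing_indicators(raw_message, recipient_name):
    """Return the list of indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    display, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    found = []

    # 1. Display name claims a brand, but the address is not on that brand's domain.
    for brand, real in BRAND_DOMAINS.items():
        if brand in display.lower() and domain != real and not domain.endswith("." + real):
            found.append("sender_domain_mismatch")
            break

    # 2. The greeting (first non-empty body line) does not contain the recipient's name.
    greeting = next((ln for ln in body.splitlines() if ln.strip()), "").lower()
    if not any(tok in greeting for tok in recipient_name.lower().split()):
        found.append("not_addressed_by_name")

    # 3. The message asks the reader to verify or update card or personal data.
    if ASKS_FOR_DATA.search(body):
        found.append("requests_personal_data")

    # 4. The message pressures the reader with an expiry or suspension threat.
    if URGENCY.search(body):
        found.append("urgency")
    return found


# Constructed sample messages (not real mail); .example domains are reserved for documentation.
SUSPICIOUS = """\
From: "PayPal Service" <service@paypa1-accounts.example>
To: nimal@mail.example
Subject: Your account is about to expire

Dear Customer,

Your account is about to expire. Please update it by verifying your
credit card number and other personal information.
"""

ROUTINE = """\
From: "PayPal" <service@paypal.com>
To: nimal@mail.example
Subject: Receipt for your payment

Hello Nimal Perera,

You sent a payment of 12.00 USD. No action is needed.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        print(label, phishing_indicators(raw, "Nimal Perera"))
```

An empty result only means none of these four indicators fired; the slide's advice to contact the company through a known channel still applies when in doubt.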
28. Phishing and Identity Theft
Many e-mail messages sent from identity thieves are
generated through spam.
Using spam to gather personal information is sometimes
referred to as phishing or “automated identity theft”.
An automated version of phishing, sometimes called
“pharming,” automatically “redirects the victim to the
offending site”.
Activities involving pharming and phishing, along with
conventional e-mail spam, increase the amount of identity
theft that can be accomplished over the Internet.
29. Combat Cyber Crime - Tools
Packet Sniffing
Track criminals and their activities.
A packet sniffer or “sniffer” is a program that monitors
the data traveling between networked computers.
However, these kinds of software programs have also
been used by malicious hackers to capture user IDs and
passwords.
30. Combat Cyber Crime - Tools
Keystroke Monitoring
To track the activities of criminals who use cyber
technology.
A specialized form of audit-trail software that records
every key struck by a user and every character of the
response that the system returns to the user.
It is especially useful in tracking the activities of
criminals who use encryption tools to encode their
messages.
31. Combat Cyber Crime - Techniques
Sting Operations and Entrapment
To catch members of organized crime involved in drug
dealing, gambling, pornography, and so forth.
Are such techniques ethically justifiable?
Can save many innocent lives and can significantly
lessen the harm that might otherwise occur to some
individuals.
32. Surveillance
On Telephones
Pen Registers: when a suspect makes a phone call,
display the number being dialed.
Trap-and-Trace Devices: when the suspect receives a
phone call, display the caller’s phone number.
A pen register used on the Internet can reveal the URLs of
Web sites visited by a suspect.
http://vesess.com/warrantless-wiretapping-sri-lanka/
33. Is Surveillance Ethical?
Critics argue that this increased domestic surveillance will
erode basic civil liberties.
Could be abused by those in power, under the convenient
excuse of crime prevention and national defense, to
achieve certain political ends.
http://www.cpalanka.org/freedom-of-expression-on-the-internet-in-sri-lanka/
http://www.cpalanka.org/the-internet-as-a-medium-for-free-expression-a-sri-lankan-legal-perspective/
34. Biometrics
Biometric technologies have also been used by law
enforcement agencies to combat crime and terrorism.
The biological identification of a person, which includes
eyes, voice, hand prints, finger prints, retina patterns,
and hand-written signatures.
Through biometric technologies, one’s iris can be read in
the same way that one’s voice can be printed.
The digital representation of these biometric data is
usually transformed via some algorithm to produce a
template, which is stored in a central computer database.
35. Biometrics
Biometric technologies are used for authenticating an
individual’s identity, as in passports.
While biometric devices are a highly accurate means for
validating an individual’s identity, they are also
controversial.
A biometric identification tool using face-recognition
technology can scan the faces of people entering a public
place. The scanned images can then be instantly matched
against the facial templates of suspected criminals and
terrorists, which are contained in a central computer
database.
36. Biometrics - Issues
Some support this, even though it violates civil liberties.
At least three problems are pointed to: error, abuse, and
privacy.
Errors occurring in matches will result in innocent people
being treated as guilty.
The purposes for which biometric technologies are
originally authorized can expand significantly and can
lead to possible abuses.
Loss of privacy and civil liberties for individuals.
Those who favor using biometric technology argue that it
provides increased security, even if using this technology
undercuts some civil liberties for ordinary citizens.
37. Global Reach
Laws are typically limited in jurisdiction to nations where
they are enacted. Traditionally, crimes are prosecuted in
the legal jurisdictions in which they were committed.
In certain cases, suspected criminals have been
extradited from one legal jurisdiction to another (and
sometimes from one country to another) to stand trial for
an accused crime.
As cyberspace has no physical boundaries, it can be
difficult to prosecute cybercrimes involving multiple
nations, as well as multiple states within nations.
So, it is a question whether the concept of legal
jurisdiction makes any sense in cyberspace.
38. Enforcing Cybercrime Laws Globally
Criminal enforcement has been hampered by the lack of
international legal agreements and treaties on cyber
crime.
E.g.: ILOVEYOU virus in 2001 - originated in the Philippines,
but its effect was global.
Budapest Convention
https://en.wikipedia.org/wiki/Convention_on_Cybercrime
http://www.coe.int/en/web/cybercrime/home
39. Software Contracts - Case Study
MegaTech Corporation, a major computer company in the
United States, has developed and released a new software
product that has been distributed globally.
However, this product has a serious defect that causes
computer systems using it to crash under certain conditions.
These system crashes, in turn, result in both severe disruption
and damage to system resources.
MindWaves, a company headquartered in eastern Asia that
purchased this product from MegaTech, has experienced
multiple system crashes since installing it, which has also
resulted in a severe loss of revenue for that company.
What legal recourse does/should MindWaves have in its
complaint against MegaTech Corp., given that its complaint
involves companies in two sovereign nations?
40. Software Contracts - Case Study
Disclaimers and caveats issued by manufacturers to
protect themselves against litigation.
Applicable jurisdiction clause for tailor-made software
contract agreements.
41. Cybercrime and Free Press
A relatively recent challenge for law enforcement in
cyberspace, especially at the international level, has
emerged in response to controversial “journalistic”
practices involving some new online media outlets and
organizations.
Should they be viewed as journalistic activities that are
protected by a free press?
E.g.: WikiLeaks controversy
most computer crimes involve either fraud or abuse, or both, distinguishes between the
two notions in the following way: He identifies computer fraud as computer-related
crimes involving “deliberate misrepresentation or alteration of data in order to get
something of value”; he defines computer abuse, on the contrary, as “willful or negligent
unauthorized activity that affects the availability, confidentiality, or integrity of computer
resources.” Power notes that these abuses can include “embezzlement, theft, malicious
damage, unauthorized use, denial of service, and misappropriation.”
Can we construct a profile for a typical cybercriminal? Some people associate cyber criminals with “hackers,” “malicious hackers.”
Many people think of the typical computer hacker as very bright, technically sophisticated, and young. Is such a portrayal accurate?
A problem solver rather than as a criminal.”
We should carefully distinguish hackers who commit crimes. People who are primarily nonprofessional or
amateur criminals, and “professional criminals.”
Although many malicious hackers are considered amateur criminals, some possess an expertise with computers comparable to that of the best technical experts in computer science.
Computer criminals are often referred to in the media as
hackers, and that, as a result, “hacker” now has a negative connotation.
“Hacker” meant anyone who “programmed enthusiastically” and who believed that
“information sharing is a powerful positive good.”
Hacker as “an expert or enthusiast of any kind.” Note that, according to this definition, a hacker need
not be a computer enthusiast; for example, someone could be an astronomy hacker. In
fact, a hacker, in the generic sense of the term, might have no interest in computers or
cyber technology at all.
However, distinctions between hacking and cracking, and between white-hat and
black-hat hackers, are generally not recognized and observed in the world beyond
the computer community. So the media often refers to crackers, or “black hat hackers,”
simply as hackers. This, in turn, has perpetuated the negative image of hackers and
hacking in society at large.
In some cases, counter hacking has been preemptive; in other cases, it has been reactive.
It is difficult to provide a moral justification for counter hacking; and from a legal
perspective, it is not clear whether “hacking back” can be viewed in a way that is not
criminal. For example, if hacking is illegal, then it would seem that hacking back would be
no less illegal. However, until a case of counter hacking—especially one that involves a
pre-emptive attack in the form of a DDoS—is officially tried in court, it is difficult to say
how our legal system will respond.
Clearly, (a)–(c) are criminal acts, but should any of these acts necessarily be viewed
as a computer crime or cybercrime? One could point out that it would not have been
possible to commit any of them if computer technology had never existed, and this might
initially influence some to believe that the three criminal acts are somehow unique to
computer technology. Even though each act involves the presence of computer technology,
each of them can easily be understood and prosecuted as a specific example of
ordinary crime involving theft, breaking and entering, and vandalism, respectively. So we
might infer that there are no legitimate grounds for having a separate category of
computer crime. Can we justify such an inference?
Some cybercrimes will span more than one category.
Disclaimers : a statement that denies something, especially responsibility.
Caveats : a warning or proviso of specific stipulations, conditions, or limitations.