Cyberlaw and Computer Crimes

Upload: jalagamsandeep

Post on 13-Sep-2015

DESCRIPTION

about cyber crimes

TRANSCRIPT

  • Cyberlaw and Computer Crimes
    - Surprisingly, it wasn't until 1986 that the US had any laws at all regarding prosecution of computer crimes (the Computer Fraud and Abuse Act)
    - Even once legislation was being passed, it was unclear what jurisdiction the FBI had in tracking down computer criminals, nor did the FBI have expertise in doing so
    - What is the status today of cyberlaw? What constitutes a computer crime? What does law enforcement do about it?

  • A Definition of Computer Crime
    - One author states that a computer crime is: unauthorized access of a computer, creating or releasing a malicious computer program, or harassment and stalking in cyberspace
    - Notice that this definition does not claim that embezzlement or fraud, accomplished by using a computer, is a computer crime; this is because embezzlement and fraud are already crimes, and all that has changed is the mechanism by which the crime was committed
    - Is it sufficient to define computer crimes as listed above, or do we also have to include a list of all crimes that can be committed by computer?

  • A Different Definition
    - A computer crime is any illegal act, the commission of which (in whole or in part):
      - targets computer hardware or software as its focal point, or
      - utilizes computer hardware or software to accomplish or assist in accomplishing the act, or
      - involves or uses computer hardware or software to store, preserve, assimilate, or secrete any evidence or any fruits of the act, or
      - unlawfully accesses, invades or violates computer hardware or software integrity in accomplishing or in attempting to perform the act
    - Notice that by this definition, a murder committed by bashing someone's head with a computer monitor would be considered a computer crime!

  • Active vs Passive Computer Crimes
    - An active crime is one in which the crime itself was committed using a computer
      - for instance, illegally accessing a bank account and altering the data for profit, or illegally accessing a file server to steal software being developed
      - a majority of computer crimes are active
    - A passive crime is one in which the computer was used in support of the crime itself
      - for instance, illegally accessing a building's schematics so that one can break into the building and physically steal something, or using the Internet to monitor communications in preparation for a kidnapping or assassination attempt

  • Types of Computer Crimes
    - Computer as the target: theft of intellectual property, blackmail using information gained through electronic files
    - Computer as the instrument: fraud (credit card fraud, fraudulent use of ATM accounts, stock market transfers, telecommunications fraud), theft of (electronic) money
    - Computer incidental to the crime: computers used in support, e.g., money laundering, record keeping, tracking of targets, etc.
    - Computer associated with the prevalence of the crime: software piracy/counterfeiting, copyright violation of software, counterfeit hardware, black market sales of hardware and software, theft of equipment and new technologies

  • Specific Crimes
    - Denial of service, which might be performed for extortion or sabotage
    - Fraud, which encompasses many possible actions
      - employees altering data, making false entries
      - as an employee, you might be given access to sensitive data and can therefore abuse that privilege to commit a crime; imagine, for instance, changing your friend's bank account balance
    - Unauthorized access that leads to altering, destroying, suppressing, or stealing data or output
      - altering and destroying data are forms of sabotage; stolen data might be used for identity theft
    - Altering or misusing existing system tools or software packages
    - Altering or writing code for fraudulent purposes
      - we can extend this to altering code for malicious purposes, such as changing the traffic lights to all go green at the same time, as a form of vandalism or sabotage
    - Manipulating banking systems, e.g., to commit identity theft

  • Continued
    - Harassment by computer (cyberstalking, defamation)
      - this unfortunately has become very common: you meet someone on-line and they con you into setting up a physical meeting for evil purposes (e.g., kidnapping or rape)
    - Pornography
      - is pornography a crime? It depends on the local laws, which leads to a significant problem: if a law exists in the US but the server exists in Canada, is it a crime?
    - Copyright infringement: illegal downloads, software piracy, plagiarism
    - Larceny (theft) of software or data
    - Malicious software (viruses, trojan horses, worms, logic bombs, spyware, backdoors)

  • How Does Denial of Service Work?
    - Web servers are typically set up to handle a set number of requests at a time; for instance, a small web server might be set up to handle 20 concurrent requests
    - Web servers are also set up to offer a certain time period before a time out occurs, perhaps 2 minutes
    - Now consider a single web server (1 machine) for a company that is suddenly deluged with 10,000,000 requests
      - most of the requests get placed into a queue, waiting for attention by the web server
      - most requests do not make it through the queue in time and are thus timed out, so legitimate users get a denial of access to the web server (a denial of service)
    - This is a tactic of sheer sabotage (or cyber terrorism): someone writes a program to generate millions of requests and floods the target web server(s)
      - in practice the flood usually comes from many compromised machines at once (a distributed denial of service, DDoS), which makes the sources much harder to block
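The mechanism in this slide (a fixed number of concurrent requests, a queue, and a client timeout) as an added simulation in Python; this is not code from the original notes. The 20 workers and the 2-minute (120 s) timeout are the slide's numbers; the one-second service time, 1,000 flood requests per second for 100 seconds, and one legitimate request per second for 300 seconds are constructed assumptions chosen so the result can be checked by hand.

```python
"""Discrete-time model of the request flood described in the slide.

Added illustration, not code from the original notes. Workers (20) and
timeout (120 s) come from the slide; the 1-second service time and the
arrival pattern built by build_traffic() are assumptions for the example.
"""
from collections import deque


def build_traffic(seconds=300, flood_per_sec=1000, flood_seconds=100):
    """Constructed arrival pattern: traffic[t] lists the requests arriving
    during second t, in order. One legitimate request arrives every second
    for `seconds` seconds; during the first `flood_seconds` seconds the
    attacker's program adds `flood_per_sec` requests ahead of it."""
    traffic = []
    for t in range(seconds):
        burst = ["flood"] * flood_per_sec if t < flood_seconds else []
        traffic.append(burst + ["legit"])
    return traffic


def simulate(traffic, workers=20, timeout=120):
    """Run a FIFO server that completes at most `workers` requests per second.

    Each second: new arrivals are appended to the queue, every request that
    has already waited more than `timeout` seconds is dropped (the client gave
    up), and the next `workers` requests are served. Arrivals are in time
    order, so expired requests are always at the head of the queue.
    Returns served / timed-out counts per request kind."""
    queue = deque()
    stats = {"legit": {"served": 0, "timed_out": 0},
             "flood": {"served": 0, "timed_out": 0}}
    t = 0
    while t < len(traffic) or queue:
        if t < len(traffic):
            queue.extend((t, kind) for kind in traffic[t])
        while queue and t - queue[0][0] > timeout:
            _, kind = queue.popleft()
            stats[kind]["timed_out"] += 1
        for _ in range(workers):
            if not queue:
                break
            _, kind = queue.popleft()
            stats[kind]["served"] += 1
        t += 1
    return stats


def served_fraction(stats, kind):
    """Share of requests of `kind` that were actually answered."""
    total = stats[kind]["served"] + stats[kind]["timed_out"]
    return stats[kind]["served"] / total if total else 1.0


if __name__ == "__main__":
    quiet = simulate(build_traffic(flood_seconds=0))
    flooded = simulate(build_traffic())
    print("no flood: legit served fraction", served_fraction(quiet, "legit"))
    print("flooded : legit served fraction", served_fraction(flooded, "legit"))
    print("flooded : flood requests served", flooded["flood"]["served"],
          "of", flooded["flood"]["served"] + flooded["flood"]["timed_out"])
```

Without the flood every legitimate request is answered; with it only 202 of 300 are. Once the queue is longer than the server can drain within the timeout, the 20 completions per second go to requests that arrived exactly 120 seconds earlier and everything else expires, so every legitimate request sent during the flood (after the first couple of seconds) is lost and service only recovers two minutes after the flood stops. The model also shows why a bigger queue is not the fix: useful capacity is bounded by workers times timeout, and the attacker's volume, not the queue length, decides who gets those slots. The defense is to stop or rate-limit the flood before it reaches the server.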

  • SQL Injections
    - A web form is one of the few forms of input to a web page; the web page is set up specifically so that a user (visitor) to that web page can provide information or feedback
    - Typically, forms use server side programs (scripts) to process the data in the form; this may include generating SQL queries to send to a database
    - A clever user can type malicious SQL into a form so that, when the form's data is pasted into the query and submitted to the database, the attacker's SQL is executed; this could be a query to overwrite previously stored data
    - Like the denial of service, this is another form of sabotage or terrorism
    - Proper mechanisms must be in place to safeguard against this: build queries with parameters (prepared statements) rather than by pasting user input into the SQL text

  • Famous SQL Injections
    - Jan 13, 2006: Russian computer criminals broke into a Rhode Island government web site and stole credit card data
    - June 29, 2007: a computer criminal used an SQL injection to deface the Microsoft UK website
    - Apr-Aug 2008: a number of attacks against various computers using Microsoft's IIS web server and SQL Server database that, when successful, gave the attacker access to the entire computer system; an estimated 500,000 web pages were exploited!
    - Aug 17, 2009: the US Justice Dept charged an American and two Russians with the theft of 130 million credit card numbers obtained through SQL injections from Heartland Payment Systems, 7-Eleven and Hannaford Brothers

  • Phishing
    - Illegally attempting to gain sensitive information from people for the purpose of computer-based fraud; these attempts can include
      - social engineering: calling or emailing someone pretending to be official and asking for confidential information such as a password or social security #
      - password cracking: attempting to break into an account by guessing a password (possibly trying all possible passwords, or guessing based on what you know of the person)
      - packet sniffing: listening over a network for sensitive information (passwords, credit card numbers); wireless networks are especially susceptible
      - website forgery: pretending to be a website to intercept confidential information (such as a phony PayPal page to get someone's account info)
      - link manipulation for website spoofing: here, an email has a link pretending to be to a page you visit (e.g., PayPal) but in fact the link is to a spoofed or forged site
    - Strictly speaking, only the social engineering, forged-website and link-manipulation items are phishing (the victim is deceived into handing over the information); password cracking and packet sniffing obtain credentials without deceiving the victim and are usually listed as separate attacks
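Detecting the link-manipulation trick from this slide, as an added Python example that is not code from the original notes: it parses the anchors in an HTML message and flags any whose visible text names one site while the href leads to another. The sample message is constructed for the demonstration, and the "last two labels" domain rule is a simplification of the public-suffix list a real mail filter would consult.

```python
"""Flag e-mail links whose visible text claims one site but whose href goes
to another (the slide's 'link manipulation for website spoofing').

Added example, not code from the original notes. SAMPLE_EMAIL is constructed;
registrable_domain() is a simplification (assumes no public-suffix list).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style message body (not a real e-mail). The first link
# shows a PayPal URL but leads to a host the attacker controls.
SAMPLE_EMAIL = """
<p>Dear customer, your account needs verification:</p>
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/signin</a>
<p>Questions? See <a href="https://www.paypal.com/help">our help page</a>.</p>
<p>Unsubscribe: <a href="http://news.example.org/u?id=7">news.example.org</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (assumption: a crude stand-in for the
    public-suffix rule, so 'a.b.example.com' and 'example.com' compare equal)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


_HOST_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def text_host(text):
    """Host named by the visible link text, or None if the text is not URL-like."""
    m = _HOST_LIKE.match(text.strip())
    return m.group(1).lower() if m else None


def find_link_mismatches(html):
    """Return the links whose visible text names a different site than the href."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = text_host(text)
        if shown is None:
            continue  # plain words like "click here" make no claim about the site
        actual = (urlparse(href).hostname or "").lower()
        if registrable_domain(shown) != registrable_domain(actual):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


if __name__ == "__main__":
    for f in find_link_mismatches(SAMPLE_EMAIL):
        print(f"text says {f['shown']!r} but the link goes to {f['actual']!r} ({f['href']})")
```

On the sample message only the first link is reported: its text shows www.paypal.com while the href's host is paypal.com.account-verify.example, whose registrable domain is account-verify.example. The third link is not flagged because text and href agree on example.org. This check says nothing about a lookalike registrable domain such as a misspelt brand name; that needs a separate comparison against a list of known brands.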

  • Cyberterrorism
    - Cyberterrorism can be defined as the use of information technology by terrorist groups and individuals to further their agenda
      - this can include use of information technology to organize and execute attacks against networks, computer systems and telecommunications infrastructures, or for exchanging information or making threats electronically
    - Examples include
      - hacking into computer systems
      - introducing viruses to vulnerable networks
      - web site defacing and SQL injections
      - denial-of-service attacks
      - terrorist threats made via electronic communication
    - Information warfare occurs when these actions are performed by one entity in order to gain a competitive advantage over another entity

  • Training Law Enforcement
    - One expert recommends the following immediately for law enforcement personnel:
      - introduction to computer evidence awareness
      - identification, collection, transportation and preservation of electronic evidence and related components
      - where to find data recovery experts
    - In addition, computer technology skills must be taught to at least some subset of the law enforcement community, including operating system technologies, information management skills, data collection and organization, database design, statistical analysis, data protection and encryption, and how computers are used to commit computer crimes

  • The Patriot Act (HR 3162)
    - Signed by President Bush on October 26, 2001
    - Adds terrorism offenses and computer fraud and abuse offenses to the list of predicates for obtaining Title III wiretaps
    - Also permits roving wiretaps under the Foreign Intelligence Surveillance Act of 1978 (FISA) in the same manner as they are permitted under Title III wiretaps
    - Intelligence information obtained from wiretaps may be shared with law enforcement, intelligence, immigration, or national security personnel
      - recipients can use the information only in the conduct of their duties and are subject to the limitations in current law on unauthorized disclosure of wiretap information
    - Also expands the use of traditional pen register and trap and trace devices (a pen register records the numbers dialed from a phone; a trap and trace device records the numbers of incoming callers) so that they apply not just to telephones but also to Internet communications, so long as they exclude "content"

  • The Dark Web
    - Goal: collect relevant web pages from terrorism web sites and make them accessible for specific terrorism-related queries and inferences
    - Starting from reliable URLs, use a web crawler to accumulate related web pages
      - link analysis and human input are both applied to prune irrelevant pages
    - Automatically collect the pages from the URLs and annotate the pages, including those with multimedia and multilingual content
    - Content analysis performed by humans using domain specific attributes of interest
    - Once established, terrorism researchers can use a variety of techniques to examine the Dark Web
      - statistical analysis, link analysis
      - data mining
      - link and text extraction and analysis

  • UA Dark Web Collection
    - The University of Arizona is creating a Dark Web portal containing pages from 10,000 sites of 30 identified terrorist and extremist groups
    - Content primarily in Arabic, Spanish, English, Japanese
    - Includes web pages, forums, blogs, social networking sites, multimedia content (a million images and 15,000 videos)
    - Pages are obtained through a web crawler and then analyzed
      - content analysis by human labeling (with software support): recruitment, training, ideology, communication, propaganda
      - web metric analysis of technical features of the web site, such as the use of tables, CGI, multimedia files
      - sentiment and affect analysis: some web sites are not directly related to a terrorist/extremist organization but might display sentiment (or negativity) toward one of these organizations; by tracking these sites, the researchers can determine how infectious a given site or cause is
      - authorship analysis: determine the most likely author of a given piece of text

  • Clustering on the Dark Web
    - Domestic web sites of US hate groups
    - Middle East terror organizations' sites
    - Clustering and classification algorithms are run on web site data; here are some results
    - Clustering performed using statistical hierarchical clustering; features include those derived through social analysis, link analysis, and patterns derived through groups of links and sites

  • Using TerrorNet
    - Given 200 documents from the Dark Web portal and an information extraction AI program, a network of relationships between terrorists and terror suspects was generated, a portion of which was shown in the slide's figure (not reproduced in this transcript)

SPEAKER NOTES

    This set of notes first defines computer crimes and talks about the types of crimes and then turns to Internet-related crimes.

    The earliest forms of computer crimes revolved around using computers to illegally obtain free long distance phone calls, known as phreaking. This required the computer users to hack into phone company computers. Hacking became more prevalent in the 1980s when personal computers and home modems were first becoming readily available. Unfortunately, the term hacking is also used for skilled computer programming in general, so the term cracking is also sometimes used. Hacking (or cracking) today is not targeted at the phone company but at just about any organization that has computers reachable via a network. The idea is that if you can break into someone else's computer you can then download files (software, data), upload files (viruses, altered versions of their data) or delete files. By downloading data files and altering them, you can obtain monetary gain (consider altering your bank account entry by adding a couple of 0s to your balance!), or you can obtain credit card numbers for identity theft.

    The big problem with cyberlaw is that law enforcement is difficult. The law enforcement agencies often lag behind the hackers in terms of the knowledge needed to find them. Also, it is often difficult to detect that a crime even took place. Organizations must protect their computers on their own via firewalls, strong passwords, encryption and other measures. Many organizations are either unaware of this or naive about how to do it, and so the hackers often defeat their defenses.

    The malicious programs include viruses, trojan horses, worms, rootkits, spyware and dishonest adware. A computer virus is a self-replicating program: it copies itself into other programs or files so that it can spread to other computers. It, like the trojan horse program, may wait for some condition to arise and then activate. Activation might simply be an annoyance, such as taking control of your mouse or displaying some message on your screen, or a truly malicious act such as erasing your hard disk. Once infected, it is difficult to clean your hard disk of a virus because it has copied itself into other files. The trojan horse pretends to be some useful software that you run, unaware that it can do something malicious. The worm typically affects networks instead of stand-alone computers: it spreads over the network by itself, and every computer affected makes more copies of the worm, flooding the network with copies and eventually bringing the network down. The most popularly-cited example of a worm is the Internet worm (the Morris worm) unleashed by a graduate student in 1988 who was trying to demonstrate some of the security flaws in Unix. The worm successfully brought down a large portion of the Internet over a few days.

    A rootkit allows a hacker to obtain continued access to the computer system while hiding its own files and processes from the system's administrator. It is a backdoor that the hacker can use even if the computer system has at a later date been made more secure.

    Adware and spyware are often downloaded, without your realizing it, when you visit websites. These programs sit in the background and monitor your activities. Spyware will occasionally report your activities, which can include websites you have visited and information you have filled into forms (including your credit card). "Honest" spyware only reports on your activities. Adware usually consists of windows that pop up advertising some site's service or software. Dishonest adware will mislead you into going to websites you do not suspect. Some act like viruses and tell you that to cleanse your machine you must purchase a specific brand of antivirus support, and take you to that site. Unfortunately, purchasing the support will not usually help!

    The first entry of the second definition means that the target of the crime is computer hardware (e.g., stealing hardware, vandalizing hardware) or software (piracy). Using hardware or software to commit the crime includes such things as changing data for your benefit (embezzlement, identity theft). The third entry means that the computer is used in support of a crime, as in keeping money laundering records. The final entry again refers to hacking as part of the illegal act. Computer viruses could potentially fall under the second and fourth entries.

    A question arises when we define computer crimes. Many of the crimes we commit on computers are already existing crimes, but here we are adding that the crime was committed by using, or was abetted by using, a computer. For instance, fraud, stealing and blackmail are crimes. If you commit the crimes by using a computer, or with the help of a computer, is there any difference? From the criminal's point of view, there is a significant difference. Imagine that you want to rob a bank. You could get a gun, go to the bank and hold up a teller, demand cash and run for it. Or, you can hack into the bank, change your bank account to be bigger than it is, go to the bank and cash out your account. Which is more dangerous? Which might cause you to risk your life to commit? Which has a greater chance of getting caught or going wrong? The physical action of holding up the bank is far riskier than the computer-based approach. Should both crimes be considered the same? We might actually think of the hold-up as a blue collar approach to the crime and the hacking version as a white collar approach.

    Here we see a slightly different way to categorize computer crimes. I do not like this list because I would think software piracy should be part of the first category.

    We cover denial of service in a couple of slides.

    An example of a form generating an SQL query might be this:

    A given form is used to accumulate people's names and email addresses to be added to a mailing list. The form has 2 boxes, name and email, and a submit button. When you click on submit, the name and email are wrapped up and an SQL query is generated and sent to a MySQL database. The query is something like this:

        INSERT INTO mailing_list(name, email) VALUES ('$form[name]', '$form[email]');

    That SQL code is generated by the form handler itself to insert data into the mailing_list table. However, a clever hacker might feed an SQL fragment into the form so that it replaces or adds to the statement, for example:

        UPDATE some_table SET salary = 10000000 WHERE first_name = 'Richard' AND last_name = 'Fox';

    Or, a statement might attempt to delete an entire table, such as:

        SELECT * FROM my_data WHERE id=1; DROP TABLE accounts;

    (The second statement in the last example only runs if the database driver accepts several statements in one request; when it does not, the attacker can still rewrite the WHERE clause or the value list of the statement the form already issues, so the defense is the same either way: never paste form input into SQL text.)
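The injection described on the SQL Injections slide and in the mailing-list notes above, as an added Python example that is not code from the original notes. It uses the standard library's sqlite3 module in place of the MySQL database; the accounts table, the attacker's inputs, and the use of executescript() in the vulnerable handler (to mirror a driver that runs several statements per request) are constructed assumptions. The hardened handler is the parameterised query a practitioner would write instead.

```python
"""Vulnerable vs. parameterised handling of the mailing-list form.

Added example, not code from the original notes. sqlite3 stands in for the
notes' MySQL database. The 'accounts' table and the payloads are constructed;
executescript() is an assumption that mirrors a driver accepting stacked
statements.
"""
import sqlite3

# Constructed attacker inputs typed into the form's email box. Each closes the
# INSERT's value list, appends a statement of the attacker's choosing, and
# comments out the remainder of the original query with "--".
PAYLOAD_DROP = "mallory@example.net'); DROP TABLE accounts; --"
PAYLOAD_UPDATE = ("mallory@example.net'); "
                  "UPDATE accounts SET balance = 10000000 WHERE owner = 'mallory'; --")


def fresh_db():
    """In-memory database with the mailing list and a table worth attacking."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mailing_list (name TEXT, email TEXT);
        CREATE TABLE accounts (owner TEXT PRIMARY KEY, balance INTEGER);
        INSERT INTO accounts VALUES ('alice', 100), ('mallory', 5);
    """)
    return db


def subscribe_vulnerable(db, name, email):
    """String-built query, exactly the mistake the notes describe."""
    query = f"INSERT INTO mailing_list(name, email) VALUES ('{name}', '{email}');"
    db.executescript(query)  # runs every statement the attacker smuggled in


def subscribe_safe(db, name, email):
    """Parameterised query: the values travel separately from the SQL text, so
    quotes and semicolons in the input are stored as data, never executed."""
    db.execute("INSERT INTO mailing_list(name, email) VALUES (?, ?)", (name, email))
    db.commit()


def table_exists(db, table):
    row = db.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                     (table,)).fetchone()
    return row is not None


def balance_of(db, owner):
    row = db.execute("SELECT balance FROM accounts WHERE owner = ?", (owner,)).fetchone()
    return row[0] if row else None


def stored_emails(db):
    return [r[0] for r in db.execute("SELECT email FROM mailing_list ORDER BY rowid")]


def demo(handler, payload):
    """Run one handler against one payload on a fresh database and report
    what the attacker achieved."""
    db = fresh_db()
    handler(db, "Mallory", payload)
    survives = table_exists(db, "accounts")
    return {
        "accounts_survives": survives,
        "mallory_balance": balance_of(db, "mallory") if survives else None,
        "emails": stored_emails(db),
    }


if __name__ == "__main__":
    for payload in (PAYLOAD_DROP, PAYLOAD_UPDATE):
        print("vulnerable:", demo(subscribe_vulnerable, payload))
        print("safe      :", demo(subscribe_safe, payload))
```

With the string-built query the first payload drops the accounts table and the second sets Mallory's balance to 10,000,000; with the parameterised query both payloads are simply stored as a (strange-looking) email address and the accounts table is untouched. Two further points for the practitioner: even a driver that refuses stacked statements is injectable (the attacker rewrites the statement that already runs), so parameterisation is the fix regardless, and the database account used by a form handler should not hold DROP or UPDATE rights on tables the form never needs, so that a missed injection does less damage.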

    You can find other such stories on Wikipedia at http://en.wikipedia.org/wiki/SQL_injection near the bottom of the web page.

    Our own computer forensics minor addresses this issue. Law enforcement personnel know the law but not the technology. IT specialists know the technology but not the law. The Computer Forensics minor then covers both sides. Criminal justice classes teach how to gather and present evidence, what evidence is legal to present, and how you can go about acquiring the evidence lawfully. The computer information technology classes cover computer security, computer crimes and how to track those crimes. As of 4 years ago, there were only a couple of computer forensics programs available in the US. Now, more and more universities are offering some form of coursework, whether it is a single class, a minor or a full major.

    The Dark Web described here is a result of artificial intelligence research in computer science (the University of Arizona project of that name, not the Tor hidden services that the term usually refers to today). It combines a number of different AI approaches such as statistical reasoning, data mining, and natural language processing. The intent is to identify terrorist websites and monitor the messages posted to such sites. It is an extremely challenging problem.

    Note: the term terrorist is not limited to Middle East radical Islamic terrorists. Terrorism occurs in many countries from their own citizens (militants in west Texas or Montana or hate groups like neo-Nazis in the US, Russian citizens in Georgia who are seeking independence, the Irish Republican Army, etc.).

    Clustering helps identify, from a group of websites, the type of terrorist organization. Clustering is commonly performed through statistical analysis.

    Here, after clustering, new relationships are found between websites and the people discussed in the websites. This form of discovery can lead to new intelligence information, which can lead to the intelligence community adding surveillance to someone who previously was not considered important.