Information Technology

Crimes
Dr. Stephen Blythe

SIUE

Types of Computer Crime

Comes in many forms:
hacking - programming for joy, often to breach security
on-line scams - using the web for fraudulent business
sabotage - intentionally breaking/stealing from a system
embezzlement - using legally granted access to steal
digital forgery - using computers to fabricate items
information theft - acquiring data for illicit purposes

Hacking
To gain access to a computer illegally
-Miriam-Webster on-line dictionary
To write computer programs for enjoyment
-Miriam-Webster on-line dictionary (also!!)

so, which one is it?

History of Hacking, part I

1960 - 1970:
good hack -- especially clever program code
considered clever circumvention of imposed limits
Art, science, and play had merged into the magical activity
of programming
-Steven Levy, Hackers:Heroes of the Computer Revolution
 History of Hacking, part II
1970-1990:
using computers still a mystery to most people
breaking in to computers became commonplace
trophy hacking - breaking into as many systems as
possible

break-ins usually were pranks or misdemeanors

a few were security threats (ex. password sniffers)
business espionage began

History of Hacking, part III

1990-present:
WWW developed & Internet grows exponentially
number of viruses & worms also grows exponentially
ex. Windows 98 released on 6/25/98; virus released in 4/98!

web page defacing/disabling/hijacking began

information theft/corruption/hijacking increased
technical sophistication of attacks increases
anyone can download and use attacks (script kiddies)

Viruses and Worms

virus:
A (usually) malicious program
spread by (infected) users
ex. opening attachments causes virus to replicate
can stay resident on infected computers indefinitely
worm:
again, a (usually) malicious program
spread by self replication over networks
exploits known computer security issues to replicate
often stay resident on infected computers indefinitely

Virus/Worm Growth
Suppose a virus replicates twice at each infection:

1 infected computer
 Virus/Worm Growth
Suppose a virus replicates twice at each infection:

3 infected computers

Virus/Worm Growth
Suppose a virus replicates twice at each infection:

7 infected computers

Virus/Worm Growth
Suppose a virus replicates twice at each...infection:
...
...
...
...
...
15 infected computers ...
...
after 20 steps, will be > 1,000,000 infected computers

worse yet, each step usually replicates 50+ times!

Is Hacking Always Bad?

some (usually young) hackers do it for fun
this costs a computers systems administrator time
the systems administrator must:
track down what the hacker did (even if nothing)
fix any damage
patch the security flaw that let the hacker in
but ... proper patching may block future attacks ...
... which should increase consumer confidence ...
... and increase sales for the company
What if a well meaning hacker makes a mistake ?
 Hacktivism
hacktivism - use of hacking to promote an agenda
political (ex. defacing a campaign web site)
religious (ex. hijacking an abortion info web site)
military (ex. adding misinformation to enemy sites)
environmentalist (ex. defacing a paper companys site)
...
Is this OK in a free country?
where we can freely post our opinions?
How about in a country under an oppressive regime?
where there is no freedom of speech?

Hackers vs. Crackers

computer scientists object to the stigma of hacking
instead, they consider two sides in the issue
crackers - the bad guys who break into systems to:
be malicious and cause harmful damage
make/steal money
utilize downloaded exploitations (script kiddies)
hackers - the good guys who use computers to:
create elegant solutions to tough problems
expose security flaws
build secure systems

Hacking and the Law

Government slowly got tired of hackers ...
in U.S., states first passed laws:
intentional unauthorized computer use illegal
many did not address actual results of hacking
could not cover interstate computer crime ...
Computer Fraud and Abuse Act (CFAA)
passed by U.S. Congress in 1986
covered government systems, medical systems ...
... and interstate computer crimes (Internet!!!)
the PATRIOT ACT (2001) increased penalties
allows suing for cost of recovery from hacking

Catching Hackers
How are hackers caught?
honey pots - traps too enticing for hackers to resist
digital forensics - gets evidence from digital devices
a.k.a computer forensics
analyzing disks for erased files (or even disks)
examining invisible data in files
Computer Emergency Response Team (CERT)
catalogs and warns about security threats
posts (links to) solutions and patches
 Security
a.k.a. : Why can hackers still succeed?
problems are often fixed only after exploited
many companies ignore CERT warnings
use software for reasons other than security
it is so bad that some companies hire hackers
they rarely hire crackers, though ...
big business for computer consultants!
many companies believe in security via secrecy
opposite of open source model
hackers (and crackers) love this challenge!

A Security Tool Example

The Security Administrator Tool for Analyzing Networks
a.k.a. SATAN (no joking!)
contains exploits of most CERT security advisories
benignly exposes many security problems ..
... and reports each to user in detail
critics said tool could be used by crackers ...
... and crackers would then abuse results
proponents claimed it would help boost security
also pointed out crackers succeed without the tool

Internet Scams
On-Line Auction Fraud
some E-Bay sellers bid on their own items!
shill bidding (raises the prices of their items)
eventually E-Bay added customer feedback, etc...
On-Line Stock Fraud
spread rumors about potential stock performance
people buy the stock, so price rises
perpetrator then sells his stock, making $$$!
sudden large volume of selling drops price
purchaser looses most of invested money

Phishing Scams
Phishing?
sending email that either:
looks identical to official enterprise e-mail
directs user to a facsimile of an enterprise website
and then tricks a user into divulging:
on-line user-ids
passwords
social security numbers
phone numbers
....
 Phishing Protection
Protection from Phishing
most businesses will never ACTIVELY ask for:
on-line user-ids
passwords
social security numbers
phone numbers
....
so, dont divulge them as a result of e-mail
watch the true web site address in the address box
phishers usually dont have the correct one

Fighting Internet Crime

Scam Scanning:
automated software agents that patrol the web
looking for keyphrases like get rich quick
such occurrences are kept in a database
invasion of privacy in chat rooms?
Better user authentication:
instead of passwords, use biometric challenges

retinal scans
fingerprint feature scans

Fighting Internet Crime ...

Search, Seizure, and Analysis of Computers:
currently, the government can seize any computer
... if there is sufficient evidence of criminal use
equipment can be seized indefinitely
computer forensics are needed to analyze seizures:
hard drives (deleted files)
cracking encryption keys
internal wear and tear indicating usage patterns
requires significant training/research