Chapter 5: Crime
- Intentional, unauthorized access to computer systems
- The term has changed over time
- Phase 1: The joy of programming
  - Early 1960s to 1970s
  - It was a positive term
  - A "hacker" was a creative programmer who wrote elegant or clever code
  - A "hack" was an especially clever piece of code
Corresponding page number: 230-231
Phase 2: 1970s to mid 1990s
- Hacking took on negative connotations
- Breaking into computers for which the hacker does not have authorized access
- Includes the spreading of computer worms and viruses
- Companies began using hackers to analyze and improve security
Corresponding page number: 231-232
Phase 3: The growth of the Web and mobile devices
- Beginning in mid 1990s
- The growth of the Web changed hacking; viruses and worms could be spread rapidly
- Political hacking (Hacktivism) surfaced
- Denial-of-service (DoS) attacks used to shut down Web sites
- Large scale theft of personal and financial information
Corresponding page number: 232-235
- September 19, 1996, hackers broke into the CIA's home page
- Changed it to read "Central Stupidity Agency"
- Added links to unethical sites
Year 1999
- You are using Microsoft Outlook email software.
- You receive an email from a friend. You open it.
- Outlook immediately sends the same email to the first 50 people in your address book.
- They receive an email from you. They open it. …

2000
- A 15-year-old Canadian found a virus program on the Internet. He ran it.
- It shut down Yahoo, eBay, Amazon, E*Trade, Buy.com, CNN, etc.
- Cost of destruction: $1.7 billion
- Should we punish him? How?
- Should such virus programs be illegal?
Corresponding page number: 275
Hacktivism, or Political Hacking
- Use of hacking to promote a political cause, e.g., anti-abortion, pro-marijuana
- Disagreement about whether it is a form of civil disobedience and how (whether) it should be punished
- Some use the appearance of hacktivism to hide other criminal activities
- How do you determine whether something is hacktivism or simple vandalism?
Corresponding page number: 236-237
Hackers as Security Researchers
- "White hat hackers" use their skills to demonstrate system vulnerabilities and improve security
Corresponding page number: 237-239
Hacking as Foreign Policy
- Hacking by governments has increased
- Pentagon has announced it would consider and treat some cyber attacks as acts of war, and the U.S. might respond with military force.
- How can we make critical systems safer from attacks?
Corresponding page number: 239-240
Stuxnet
- An extremely sophisticated worm
- Targets a particular type of control system
- Beginning in 2008, damaged equipment in a uranium enrichment plant in Iran
Corresponding page number: 240
Responsibility for Security
- Application developers have a responsibility to develop with security in mind.
- Businesses have a responsibility to use security tools and monitor their systems to prevent attacks from succeeding.
- Home users have a responsibility to ask questions and educate themselves on the tools to maintain security (personal firewalls, anti-virus and anti-spyware).
Corresponding page number: 244-245
Discussion Questions
- Is hacking that does no direct damage a victimless crime?
- Do you think hiring former hackers to enhance security is a good idea or a bad idea? Why?
Corresponding page number: 230-245
Catching hackers
- Law enforcement agents read hacker newsletters and participate in chat rooms undercover
- They can often track a handle by looking through newsgroup or other archives
- Security professionals set up "honey pots", which are Web sites that attract hackers, to record and study their activity
- Computer forensics specialists can retrieve evidence from computers, even if the user has deleted files and erased the disks
- Investigators trace viruses and hacking attacks by using ISP records and router logs
Corresponding page number: 246
Penalties for young hackers
- Many young hackers have matured and gone on to productive and responsible careers
- Temptation to over- or under-punish
- Sentencing depends on intent and damage done
- Most young hackers receive probation, community service, and/or fines
- Not until 2000 did a young hacker receive time in juvenile detention
Corresponding page number: 247-248
The Law: Catching and Punishing Hackers
- Criminalize virus writing and hacker tools?
Corresponding page number: 248-249
Your bank sends you an email.
What should you do?
Phishing without a lure.
- You want to go to www.yourbank.com
- Your browser goes to a DNS (domain name server) to look up its IP address.
- It then proceeds to route your request to that IP address.
- What if the DNS was hacked and gave your browser an IP address pretending to be your bank?
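The lookup described above can be audited from the defender's side. The following is an added example, not part of the original slides: it compares the answers several resolvers give for the same name and flags any that fall outside the address range the bank is assumed to publish. The resolver names, the addresses (documentation ranges) and the pinned network are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample data: the network the bank is assumed to publish for
# www.yourbank.com (a documentation range, not a real allocation).
PINNED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed answers for the same name from three hypothetical resolvers;
# the ISP resolver's records are assumed to have been tampered with.
ANSWERS = {
    "isp-resolver": ["203.0.113.66"],
    "public-resolver-a": ["192.0.2.10"],
    "public-resolver-b": ["192.0.2.10", "192.0.2.11"],
}

def outside_pinned(addresses, networks):
    """Return the addresses that fall in none of the expected networks."""
    bad = []
    for text in addresses:
        addr = ipaddress.ip_address(text)
        if not any(addr in net for net in networks):
            bad.append(text)
    return bad

def audit_resolvers(answers, networks):
    """Flag resolvers whose answer looks like a pharming redirect.

    A resolver is suspect if any address it returned is outside the pinned
    networks, or if it shares no address with the majority of resolvers.
    """
    counts = Counter(a for addrs in answers.values() for a in set(addrs))
    quorum = len(answers) // 2 + 1
    majority = {a for a, n in counts.items() if n >= quorum}
    report = {}
    for resolver, addrs in answers.items():
        reasons = []
        stray = outside_pinned(addrs, networks)
        if stray:
            reasons.append("outside pinned networks: " + ", ".join(stray))
        if majority and not majority & set(addrs):
            reasons.append("disagrees with majority answer")
        if reasons:
            report[resolver] = reasons
    return report

if __name__ == "__main__":
    for resolver, reasons in audit_resolvers(ANSWERS, PINNED_NETWORKS).items():
        print(resolver, "->", "; ".join(reasons))
```

A check like this only detects the redirect; the browser's validation of the bank's HTTPS certificate is what keeps the impostor site from being trusted.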
Beware of a free gift.
- You need an alarm clock on your PC.
- You download a nice free one. You install it.
- Hidden in the clock is a keystroke logging program.
- It records every key that you type and sends them to the maker of the Trojan horse.
- Thieves search the trash of banks and stores looking for credit card numbers, debit card numbers, and phone numbers.
- Now, banks and stores print only the last 4 digits of these numbers.
- In some countries, it is illegal to print all the digits.
Stealing Identities
- Identity theft: various crimes in which criminals use the identity of an unknowing, innocent person
- Use credit/debit card numbers, personal information, and social security numbers
- 18-29 year-olds are the most common victims because they use the Web most and are unaware of risks
- E-commerce has made it easier to steal and use card numbers without having the physical card
Corresponding page number: 250-253
Stealing Identities
- Techniques used to steal personal and financial information
- Requests for personal and financial information disguised as legitimate business communication
  - Phishing – e-mail
  - Smishing – text messaging
  - Vishing – voice phishing
  - Pharming – false Web sites that fish for personal and financial information by planting false URLs in Domain Name Servers
- Online resumés and job hunting sites may reveal SSNs, work history, birth dates and other information that can be used in identity theft
Corresponding page number: 252-253
Responses to Identity Theft
- Google Chrome sometimes warns you of suspicious websites.
- Use of encryption to securely store data, so it is useless if stolen
- Authenticating customers to prevent use of stolen numbers, may trade convenience for security
- In the event information is stolen, a fraud alert can flag your credit report; some businesses will cover the cost of a credit report if your information has been stolen
Corresponding page number: 253-256
Responses to Identity Theft
- Authenticating customers and preventing use of stolen numbers
  - Activation for new credit cards
  - Retailers do not print the full card number and expiration date on receipts
  - Software detects unusual spending activities and will prompt retailers to ask for identifying information
  - Services, like PayPal, act as third party allowing a customer to make a purchase without revealing their credit card information to a stranger
Corresponding page number: 255-256
- Most customers using a credit card at a shop do not want the hassles of authentication and verification.
- Most merchants do not check signatures or photos.
- Some merchants do not even require a signature for small purchases.
- Some offer self-service checkout.
- Retail shops accept some losses in order to make it more convenient for the customers.

Biometrics
- Biological characteristics unique to an individual
- No external item (card, keys, etc.) to be stolen
- Used in areas where security needs to be high, such as identifying airport personnel
- Biometrics can be fooled, but more difficult to do so, especially as more sophisticated systems are developed
- If a thief steals your credit card, you can get a replacement. If a hacker obtains your fingerprint biometrics, …
Corresponding page number: 257-258
- People spend billions of dollars on eBay each year.
- Sellers do not send the items, or send inferior products
- Bidding on your own goods to drive up the price
- Selling drugs without a doctor's prescription
- Selling copyrighted material
eBay's competitor
- Send out bots (AI programs) to scan eBay websites
- Collect a list of products and their prices
- Relist them on Bidder's Edge at cheaper prices.

When Digital Actions Cross Borders
- Laws vary from country to country.
- Corporations that do business in multiple countries must comply with the laws of all the countries involved.
- Someone whose actions are legal in their own country may face prosecution in another country where their actions are illegal.
Corresponding page number: 258 - 262
- Started on 5 May 2000, local time in the Philippines
- Overwriting image files
- Sent a copy of itself to the first 50 addresses in the Windows Address Book used by Microsoft Outlook
- Within ten days, over fifty million infections had been reported, causing billions of dollars of damage
- Two young Filipino computer programmers were arrested.
- Since there were no laws in the Philippines against writing malware at the time, both were released with all charges dropped by state prosecutors.
- Should police arrest the man if he visits Canada?

Yahoo and French censorship
- Display and sale of Nazi memorabilia illegal in France and Germany
- Yahoo was sued in French court because French citizens could view Nazi memorabilia offered on Yahoo's U.S.-based auction sites
- Legal issue is whether the French law should apply to Yahoo auction sites on Yahoo's computers located outside of France.
Corresponding page number: 260-261
Applying U.S. copyright law to foreign companies
- Russian company sold a computer program that circumvents controls embedded in electronic books to prevent copyright infringement.
- Program was legal in Russia, but illegal in U.S.
- Program's author, Dmitry Sklyarov, arrested when he arrived in the U.S. to present a talk on the weaknesses in control software used in ebooks.
- After protests in U.S. and other countries, he was allowed to return to Russia.
Corresponding page number: 261
Arresting executives of online gambling and payment companies
- An executive of a British online gambling site was arrested as he transferred planes in Dallas. (Online sports betting is not illegal in Britain.)
- Unlawful Internet Gambling Enforcement Act prohibits credit card and online-payment companies from processing transactions between bettors and gambling sites.
Corresponding page number: 262
Libel, Speech and Commercial Law
- Even if something is illegal in both countries, the exact law and associated penalties may vary.
- In cases of libel, the burden of proof differs in different countries.
Corresponding page number: 262-263
Libel, Speech and Commercial Law
- Libel tourism
  - Traveling to places with strict libel laws in order to sue
  - SPEECH Act of 2010 makes foreign libel judgments unenforceable in the U.S. if they would violate the First Amendment.
  - Foreign governments can still seize assets
- Where a trial is held is important not just for differences in the law, but also the costs associated with travel between the countries; cases can take some time to come to trial and may require numerous trips.
- Freedom of speech suffers if businesses follow laws of the most restrictive countries.
Corresponding page number: 263-264
Libel, Speech and Commercial Law
- Some countries have strict regulations on commercial speech and advertising.
Corresponding page number: 264
Discussion Questions
- What suggestions do you have for resolving the issues created by differences in laws between different countries?
- What do you think would work, and what do you think would not?
Corresponding page number: 263-264
- Respecting cultural differences is not the same as respecting laws
- Where a large majority of people in a country support prohibitions on certain content, is it ethically proper to abandon the basic human rights of free expression and freedom of religion for minorities?
Corresponding page number: 265
International agreements
- Countries of the World Trade Organization (WTO) agree not to prevent their citizens from buying certain services from other countries if those services are legal in their own.
- The WTO agreement does not help when a product, service, or information is legal in one country and not another.
Corresponding page number: 266
Alternative principles
- Responsibility-to-prevent-access
  - Publishers must prevent material or services from being accessed in countries where they are illegal.
- Authority-to-prevent-entry
  - Government of Country A can act within Country A to try to block the entrance of material that is illegal there, but may not apply its laws to the people who create and publish the material, or provide a service, in Country B if it is legal there.