Cyberlaw and Computer Crimes
• Surprisingly, it wasn’t until 1986 that we had any laws at all (in the US) regarding prosecution of computer crimes
  – even once legislation was being passed, it was unclear what jurisdiction the FBI had in tracking down computer criminals, nor did the FBI have expertise in tracking down computer criminals
• What is the status today of cyberlaw? What constitutes a computer crime? What does law enforcement do about it?

Upload: roland-reynolds

Post on 16-Dec-2015



A Definition of Computer Crime
• One author states that a computer crime is:
  – unauthorized access of a computer, creating or releasing a malicious computer program, or harassment and stalking in cyberspace
• Notice that this definition does not claim that embezzlement or fraud, accomplished by using a computer, is a crime
  – this is because embezzlement and fraud are already crimes, and all that has changed is the mechanism by which the crime was committed
• Is it sufficient to define computer crimes as listed above or do we have to also include a list of all crimes that can be committed by computer?


A Different Definition
• A computer crime is any illegal act, the commission of which (in whole or in part):
  – targets computer hardware or software as its focal point, or
  – utilizes computer hardware or software to accomplish or assist in accomplishing the act, or
  – involves or uses computer hardware or software to store, preserve, assimilate, or secrete any evidence or any fruits of the act, or
  – unlawfully accesses, invades or violates computer hardware or software integrity in accomplishing or in attempting to perform the act
• Notice that, by this definition, a murder committed by bashing someone’s head with a computer monitor would be considered a computer crime!


Active vs Passive Computer Crimes
• An active crime is considered one in which the crime itself was committed using a computer
  – for instance, illegally accessing a bank account and altering the data for profit or illegally accessing some file server to steal software being developed
  – a majority of computer crimes are active
• A passive crime is one in which the computer was used in support of the crime itself
  – for instance, illegally accessing a building’s schematics so that one can break into the building and physically steal something, or using the Internet to monitor communications in preparation for a kidnapping or assassination attempt


Types of Computer Crimes
• Computer as the target
  – theft of intellectual property, blackmail based on information gained through electronic files
• Computer as the instrument
  – fraud (credit card fraud, fraudulent use of ATM accounts, stock market transfers, telecommunications fraud), theft of (electronic) money
• Computer incidental to the crime
  – computers used in support, e.g., money laundering, record keeping, tracking of targets, etc.
• Computer associated with the prevalence of the crime
  – software piracy/counterfeiting, copyright violation of software, counterfeit hardware, black market sales of hardware and software, theft of equipment and new technologies


Specific Crimes
• Denial of service
  – which might be performed for extortion or sabotage
• Fraud, which encompasses many possible actions
  – employees altering data, making false entries
    • as an employee, you might be given access to sensitive data – and therefore you can abuse that privilege to commit a crime
    • imagine for instance changing your friend’s bank account balance
  – unauthorized access that leads to altering, destroying, suppressing, or stealing data or output
    • altering and destroying data are forms of sabotage, stealing data might be used for identity theft
  – altering or misusing existing system tools or software packages
  – altering or writing code for fraudulent purposes
    • we can extend this to be altering code for malicious purposes such as changing the traffic lights to all go green at the same time as a form of vandalism or sabotage
  – manipulating banking systems to make unauthorized identity theft


Continued
• Harassment by computer (cyberstalking, defamation)
  – this unfortunately has become very common – you meet someone on-line and they con you into setting up a physical meeting for evil purposes (e.g., kidnapping or rape)
• Pornography
  – is pornography a crime? it depends on the local laws which leads to a significant problem – if a law exists in the US but the server exists in Canada, is it a crime?
• Copyright infringement
  – illegal downloads, software piracy, plagiarism
• Larceny (theft) of software or data
• Malicious software (viruses, trojan horses, worms, logic bombs, spyware, backdoors)


How Does Denial of Service Work?
• Web servers are typically set up to handle a set number of requests at a time
  – For instance, a small web server might be set up to handle 20 requests
• Web servers also are set up to offer a certain time period before a “time out” occurs
  – Perhaps 2 minutes
• Now consider a single web server (1 machine) for a company that is suddenly deluged with 10,000,000 requests
  – Most of the requests get placed into a queue, waiting for attention by the web server
  – Most requests do not make it through the queue in time and are thus timed out, so legitimate users get a denial of access to the web server (or denial of service)
• This is a tactic of sheer sabotage (or cyber terrorism) – someone writes a program to generate millions of requests and floods the target web server(s)


SQL Injections
• A web form is one of the few forms of input to a web page
  – The web page is set up specifically so that a user (visitor) to that web page can provide information or feedback
  – Typically, forms use server side programs (scripts) to process the data in the form
    • This may include generating SQL queries to send to a database
• A clever user can fill in malicious SQL queries into a form and thus, when submitted to the database, the SQL query is enacted – this could be a query to overwrite previously stored data
• Like the denial of service, this is another form of sabotage or terrorism
  – Proper mechanisms must be in place to safeguard against this
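One such safeguard is the parameterized query, shown here beside the string-built query it replaces. This is an added example, not part of the original slides; the feedback table, function names and form value are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding three stored feedback rows (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE feedback (id INTEGER PRIMARY KEY, author TEXT, comment TEXT)")
    db.executemany(
        "INSERT INTO feedback (author, comment) VALUES (?, ?)",
        [("alice", "great site"), ("bob", "needs search"), ("carol", "thanks")],
    )
    return db

def update_comment_unsafe(db, row_id, comment):
    # Vulnerable: the form value is pasted into the SQL text, so the database
    # cannot tell the visitor's data apart from the script's own query.
    db.execute(f"UPDATE feedback SET comment = '{comment}' WHERE id = {int(row_id)}")

def update_comment_safe(db, row_id, comment):
    # Hardened: placeholders send the value separately from the SQL text,
    # so quotes and comment markers in it are stored as plain characters.
    db.execute("UPDATE feedback SET comment = ? WHERE id = ?", (comment, int(row_id)))

def comments(db):
    return [row[0] for row in db.execute("SELECT comment FROM feedback ORDER BY id")]

# Constructed form input: the quote closes the string and "--" comments out
# the WHERE clause, so the unsafe handler rewrites every stored row.
FORM_VALUE = "overwritten' --"

def run_demo():
    """Apply the same form value through both handlers and return the stored rows."""
    unsafe_db, safe_db = make_db(), make_db()
    update_comment_unsafe(unsafe_db, 2, FORM_VALUE)
    update_comment_safe(safe_db, 2, FORM_VALUE)
    return comments(unsafe_db), comments(safe_db)

if __name__ == "__main__":
    unsafe_rows, safe_rows = run_demo()
    print("string-built query :", unsafe_rows)
    print("parameterized query:", safe_rows)
```

With the string-built query every stored comment is overwritten; with the parameterized query only row 2 changes and the quote and dashes are stored as ordinary text.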


Famous SQL Injections
• Jan 13, 2006 – Russian computer criminals broke into a Rhode Island government web site and stole credit card data
• June 29, 2007 – a computer criminal used an SQL injection to deface the Microsoft UK website
• Apr – Aug 2008 – a number of attacks against various computers using Microsoft’s IIS web server and SQL Server database that, when successful, give the user (hacker) access to the entire computer system – an estimated 500,000 web pages were exploited!
• Aug 17, 2009 – US Justice Dept charged an American and two Russians with the theft of 130 million credit card numbers obtained through SQL injections from Heartland Payment Systems, 7-11 and Hannaford Brothers


Phishing
• Illegally attempting to gain sensitive information from people for the purpose of computer-based fraud; these attempts can include
  – social engineering – calling or emailing someone pretending to be “official” and asking for confidential information such as password or social security #
  – password cracking – attempting to break into an account by guessing a password (possibly trying all possible passwords, or guessing based on what you know of the person)
  – packet sniffing – listening over a network for sensitive information (passwords, credit card numbers) – wireless networks are especially susceptible
  – website forgery – pretending to be a website to intercept confidential information (such as a phony paypal page to get someone’s account info)
  – link manipulation for website spoofing – here, an email has a link pretending to be to a page you visit (e.g., paypal) but in fact the link is to a spoofed or forged site


Cyberterrorism
• Cyberterrorism can be defined as the use of information technology by terrorist groups and individuals to further their agenda
  – this can include use of information technology to organize and execute attacks against networks, computer systems and telecommunications infrastructures, or for exchanging information or making threats electronically
• Examples include
  – hacking into computer systems
  – introducing viruses to vulnerable networks
  – web site defacing and SQL injections
  – denial-of-service attacks
  – terrorist threats made via electronic communication
• Information warfare occurs when these actions are performed by one entity in order to gain a competitive advantage over another entity


Training Law Enforcement
• One expert recommends the following immediately for law enforcement personnel:
  – introduction to computer evidence awareness
  – identification, collection, transportation and preservation of electronic evidence and related components
  – where to find data recovery experts
• In addition, computer technology skills must be taught to at least some subset of the law enforcement community including
  – operating system technologies, information management skills, data collection and organization, database design, statistical analysis, data protection and encryption, and how computers are used to commit computer crimes


The Patriot Act (HR 3162)
• Signed by President Bush on October 26, 2001
• Adds terrorism offenses, computer fraud, and abuse offenses to the list of predicates for obtaining Title III wiretaps
• Also permits roving wiretaps under the Foreign Intelligence Surveillance Act of 1978 (FISA) in the same manner as they are permitted under Title III wiretaps
• Intelligence information obtained from wiretaps may be shared with law enforcement, intelligence, immigration, or national security personnel
• Recipients can use the information only in the conduct of their duties and are subject to the limitations in current law of unauthorized disclosure of wiretap information.
• Also expands the use of traditional pen register or trap and trace devices (captures the telephone numbers of incoming callers) so that they apply not just to telephones, but also to Internet communications so long as they exclude "content"


The Dark Web
• Goal: collect relevant web pages from terrorism web sites and make them accessible for specific terrorism-related queries and inferences
  – Starting from reliable URLs, use a web crawler to accumulate related web pages
    • link analysis and human input are both applied to prune irrelevant pages
  – Automatically collect the pages from the URLs and annotate the pages
    • including those with multimedia and multilingual content
  – Content analysis performed by humans using domain specific attributes of interest
• Once established, terrorism researchers can use a variety of techniques to examine the Dark Web
  – Statistical analysis, link analysis
  – Data mining
  – Link and text extraction and analysis


UA Dark Web Collection
• University of Arizona is creating a dark web portal, containing pages from 10,000 sites of 30 identified terrorist and extremist groups
  – Content primarily in Arabic, Spanish, English, Japanese
  – Includes web pages, forums, blogs, social networking sites, multimedia content (a million images and 15,000 videos)
• Pages are obtained through a web crawler and then analyzed
  – Content analysis by human labeling (with software support)
    • recruitment, training, ideology, communication, propaganda
  – Web metric analysis of technical features of the web site such as ability to use tables, CGI, multimedia files
  – Sentiment and affect analysis – some web sites are not directly related to a terrorist/extremist organization but might display sentiment (or negativity) toward one of these organizations – by tracking these sites, the researchers can determine how “infectious” a given site or cause is
  – Authorship analysis
    • determine the most likely author of a given piece of text


Clustering on the Dark Web

Clustering and classification algorithms are run on web site data; here are some results

Clustering performed using statistical hierarchical clustering; features include those derived through social analysis, link analysis, and patterns derived through groups of links and sites

[Figure panels: Domestic web sites of US hate groups; Middle East terror organizations sites]


Using TerrorNet
• Given 200 documents from the DarkWeb portal and an information extraction AI program
  – a network of relationships between terrorists and terror suspects was generated
    • a portion of which is shown to the right