tracy willis - thesis - computer crime
TRANSCRIPT
Computer Crime An In-Depth Look at Problems and Solutions
Tracy Willis
2/1/2015
Criminal Law I
ABSTRACT
Criminal justice professionals and experts in the field of cyber security agree that
computer crime is becoming more prevalent in this country and throughout the rest of the world.
Many involved in this field of criminal justice doubt that traditional law enforcement agencies
are prepared to handle this constantly changing threat. This paper reviews various forms of
computer crime, and the techniques of investigating and prosecuting these types of crimes.
Computer Crime
1
The U.S. Department of Justice (“DOJ”) broadly defines computer crime as “any
violations of criminal law that involve a knowledge of computer technology for their
perpetration, investigation, or prosecution” (Galicki, Havens & Pelker, 2014, p. 876). The forms
that this type of crime can take are just as hard to narrow down because they are constantly
changing. New ways to commit, and to profit from computer crimes are always emerging. This
is why law enforcement agencies need to employ and constantly train experts who can keep up
with this ever-changing and very exciting field.
It is extremely difficult for experts to calculate the damage caused by computer crimes.
In one analysis of computer crime, authors Galicki, Havens & Pelker report that a joint effort in
2006, between the DOJ and the Department of Homeland Security, found that nearly sixty-seven
percent of businesses reported at least one incident of computer crime in that year (Galicki,
Havens & Pelker, 2014, pp. 876-877). It would probably be correct to assume that the number of
these incidents have increased dramatically in the nine years following that study.
Computer crimes can take many different forms. They can be perpetrated against the
computer itself. This crime occurs if someone steals the actual hardware or software of the
computer. A computer may also be the subject of a crime or an attack. This type of computer
crime includes “attacks called spam, viruses, worms, Trojan horses, logic bombs, sniffers,
distributed denial of service attacks, and unauthorized web bots or spiders” (Galicki, Havens &
Pelker, 2014, pp. 876-877). Another form of computer crime involves the facilitation of a crime
via a computer. This particular type of computer crime includes distribution of child
pornography, identity theft, copyright infringement, and wire fraud (Galicki, Havens & Pelker,
2014).
Computer Crime
2
The most terrifying, and potentially the most dangerous of computer crimes, are
committed using what is referred to as weaponized Øday (zero day) exploits. Authors Stockton
& Golabek-Goldman explain that a Øday exploit is a vulnerability in software that is not known
by the computer user and software manufacturer. It is called a Øday exploit, because a software
manufacturer has zero days to remedy the vulnerability if a hacker discovers it first, and exploits
it for unauthorized access to computer systems (Stockton & Golabek-Goldman, 2013, p. 240).
Whenever you install a software update or patch on your computer, or other device, you are
correcting a Øday exploit.
Disturbingly, these Øday exploits can also be weaponized, which occurs when they are
modified to disrupt, disable or destroy computer networks and components. Weaponized Øday
exploits can be used to target the applications layer of the industrial control systems on which the
United States electric grid, and other critical infrastructure sectors depend (Stockton & Golabek-
Goldman, 2013, pp. 240-241).
Public officials ranging from President Obama, to the Deputy Assistant Secretary of
Defense for Cyber Policy Eric Rosenbach, have called this type of weaponized Øday exploit the
most worrisome of computer crimes. Rosenbach even went so far as to say that this type of
attack is “what worries us the most,” (Stockton & Golabek-Goldman, 2013, p. 241).
Surprisingly, Øday exploits are openly sold in online market places, with little to no
regulation. This is because they are considered dual-use. Øday exploits can be used for good by
researchers, to test computer systems for security flaws and to help safeguard against attacks. If
a researcher intends to engage in “responsible disclosure” of the Øday exploit, it would generally
be sold on what is called the “white market” to software vendors or other companies that aid
developers in correcting security flaws (Stockton & Golabek-Goldman, 2013, pp. 240-247).
Computer Crime
3
On the “black market,” usually located in what is called the “Deep Web,” one can
purchase Øday exploits which can be used for more nefarious purposes, such as gathering
intelligence information, incapacitating computer systems, or doing physical damage (Stockton
& Golabek-Goldman, 2013, pp. 240-247).
A subject that is hotly debated among professionals in the field of computer crime, is
whether the good that comes out of the legitimate use of Øday exploits outweighs the potential
deadly consequences if a researcher decides to weaponize these exploits for profit. There seem
to be no clear answers coming out of these debates.
However, Stockton and Golabek-Goldman do offer some guidelines for addressing the
Øday exploit market. First, the Safety Act should be leveraged to incentivize software security
and innovation, which would theoretically result in curtailing the ability to discover and
weaponize the exploits for harmful purposes. Second, there should be criteria, created by the
international community, for illegitimate Øday exploit sales. Uniform control of such sales
could be established through the already existing Wassenaar Arrangement. Finally, this country
should strengthen its tools to prosecute criminals who sell Øday exploits that target critical
infrastructure (Stockton & Golabek-Goldman, 2013, pp. 251-261)
Additionally, one type of crime that is currently on the rise is related to gang and
organized crime activity on social media websites. In this country and throughout the world, it is
very common for criminal gangs to use the internet to further their activities. Social media
websites in particular have proved themselves helpful tools when it comes to identifying and
monitoring criminal gang activities, including identity theft rings and prostitution/human
trafficking activity.
Computer Crime
4
Domestic gangs, such as the Bloods and the Crips, use the internet for online recruiting.
This practice has been called ‘Net Banging’ by gangsters (Hanser, 2011, pp.47-48). In the
United States, various internet-based companies have worked with law enforcement agencies to
curtail this type of computer crime, and to identify gang members along with their criminal
activities. YouTube and MySpace have both successfully aided authorities with investigations
into gang-related activity on their sites (Hanser, 2011).
The Russian Mafia has made many headlines in this country, and is often cited by news
media as one of the main perpetrators of computer crimes in the world. Authors Serio and
Gorkin looked at this issue in depth, and have determined that the threat from the Russian Mafia
has been exaggerated (2003). They make the argument that the threat from inside the
organization is far greater than threats made from outside organizations (Serio & Gorkin, 2003,
pp. 192-201). In other words, the cyber-criminal you know, or who works for you, is more
dangerous than outside threats such as the Russian Mafia.
Better pre-employment screening seems clear as a possible solution to help prevent
computer crime after the realization that employees are the biggest threat to cyber security.
Many organizations are already implementing this type of pre-emptive solution. Pre-
employment screening for government and private workers now includes more thorough
background checks. Credit and background checks are now a matter of routine for anyone who
could potentially have access to sensitive information, in all fields of employment. While these
checks do not catch all potential criminals, they are a valuable preventative tool.
One study, written by McMullan and Perrier (2007), describes a very interesting
computer crime case that involved a scheme, cooked up by a former employee, to defraud
Computer Crime
5
electronic gambling machines in Canada. The offenders utilized three separate techniques to
compromise the electronic gambling machines (McMullan & Perrier, 2007, pp.435-436).
The first technique allowed the criminals to uncover and crack the gambling machines’
payout codes by using a computer program. For the second technique, the group deployed an
operation known as ‘boot tracing.’ This method utilized RAM to modify a back-up board which
manipulated the contents of the bonus meter memory logic. This modification allowed the
criminals to trigger the bonus and cash it out at will. The third technique involved inserting a
‘trap door’ device into the machines which made them appear to be operating in online mode,
when they were actually working in stand-alone mode (McMullan & Perrier, 2007, pp.435-436).
In the case of the gambling machines, law enforcement negotiated an agreement with two
of the members of the computer crime ring. The two criminals provided information regarding
their crimes in exchange for lighter sentences. This information was gathered through a two-day
interview process and gave valuable insight into the operations and organization of cyber-
criminal rings (McMullan & Perrier, 2007, p.433).
As the last case demonstrates, the ability of law enforcement agencies to successfully
prevent and prosecute computer crimes depends on their ability to adapt and to learn from the
criminals themselves (Kain, 2013, p.37). The good news for all of us is that the future appears
promising in this regard.
The criminal justice system in this country is currently transitioning through a period of
dramatic self-evaluation and change. Now, more than ever, criminal justice professionals are
able to recognize tactics that do not work and to stop using them. They are willing look past the
outdated, punitive system of the past and to instead try new, sometimes even radical ideas.
Computer Crime
6
Law enforcement agencies around the country are directing much needed resources to
new Computer and Cyber Crimes Units. Criminal justice professionals are also obtaining
degrees in higher education at dramatically higher rates than in the past. If this evolution
continues, the United States will be very well-equipped to deal with the future of computer
crimes.
Computer Crime
7
References
Galicki, Alexander, Havens, Drew & Pelker, Alden (2014). Computer Crimes. American
Criminal Law Review, 51(4), 875-922.
Hanser, Robert D. (2011). Gang-related cyber and computer crimes: Legal aspects and practical
points of consideration in investigations. International Review of Law, Computers &
Technology, 25(1/2), 47-55. doi:10.1080/13600869.2011.594656
Kain, Robert C. (2013). Federal Computer Fraud and Abuse Act: Employee Hacking Legal in
California and Virginia, But Illegal in Miami, Dallas, Chicago, and Boston. Florida Bar
Journal, 87(1), 36-39.
McMullan, John L. & Perrier, David C. (2007). Controlling Cyber-Crime and Gambling:
Problems and Paradoxes in the Mediation of Law and Criminal Organization. Police
Practice and Research, 8(5), 431-444. doi:10.1080/15614260701764298
Serio, Joseph D. & Gorkin, Alexander (2003). Changing Lenses: Striving for Sharper Focus on
the Nature of the ‘Russian Mafia’ and its Impact on the Computer Realm. International
Review of Law, Computers & Technology, 17(2), 191-202.
doi:10.1080/1360086032000124996
Stockton, Paul N., & Golabek-Goldman, Michele (2013). Curbing the Market for Cyber
Weapons. Yale Law & Policy Review, 32(1), 239-266.