tracy willis - thesis - computer crime


Upload: tracy-willis

Post on 17-Aug-2015


Page 1: Tracy Willis - Thesis - Computer Crime

Computer Crime An In-Depth Look at Problems and Solutions

Tracy Willis

2/1/2015

Criminal Law I


ABSTRACT

Criminal justice professionals and experts in the field of cyber security agree that

computer crime is becoming more prevalent in this country and throughout the rest of the world.

Many involved in this field of criminal justice doubt that traditional law enforcement agencies

are prepared to handle this constantly changing threat. This paper reviews various forms of

computer crime, and the techniques of investigating and prosecuting these types of crimes.

Computer Crime

The U.S. Department of Justice (“DOJ”) broadly defines computer crime as “any

violations of criminal law that involve a knowledge of computer technology for their

perpetration, investigation, or prosecution” (Galicki, Havens & Pelker, 2014, p. 876). The forms

that this type of crime can take are just as hard to narrow down because they are constantly

changing. New ways to commit, and to profit from, computer crimes are always emerging. This

is why law enforcement agencies need to employ and constantly train experts who can keep up

with this ever-changing and very exciting field.

It is extremely difficult for experts to calculate the damage caused by computer crimes.

In one analysis of computer crime, authors Galicki, Havens & Pelker report that a joint effort in

2006, between the DOJ and the Department of Homeland Security, found that nearly sixty-seven

percent of businesses reported at least one incident of computer crime in that year (Galicki,

Havens & Pelker, 2014, pp. 876-877). It would probably be correct to assume that the number of

these incidents has increased dramatically in the nine years following that study.

Computer crimes can take many different forms. They can be perpetrated against the

computer itself. This crime occurs if someone steals the actual hardware or software of the

computer. A computer may also be the subject of a crime or an attack. This type of computer

crime includes “attacks called spam, viruses, worms, Trojan horses, logic bombs, sniffers,

distributed denial of service attacks, and unauthorized web bots or spiders” (Galicki, Havens &

Pelker, 2014, pp. 876-877). Another form of computer crime involves the facilitation of a crime

via a computer. This particular type of computer crime includes distribution of child

pornography, identity theft, copyright infringement, and wire fraud (Galicki, Havens & Pelker,

2014).


The most terrifying, and potentially the most dangerous of computer crimes, are

committed using what is referred to as weaponized Øday (zero day) exploits. Authors Stockton

& Golabek-Goldman explain that a Øday exploit is a vulnerability in software that is not known

by the computer user and software manufacturer. It is called a Øday exploit, because a software

manufacturer has zero days to remedy the vulnerability if a hacker discovers it first, and exploits

it for unauthorized access to computer systems (Stockton & Golabek-Goldman, 2013, p. 240).

Whenever you install a software update or patch on your computer, or other device, you are

correcting a Øday exploit.

Disturbingly, these Øday exploits can also be weaponized, which occurs when they are

modified to disrupt, disable or destroy computer networks and components. Weaponized Øday

exploits can be used to target the applications layer of the industrial control systems on which the

United States electric grid, and other critical infrastructure sectors depend (Stockton & Golabek-

Goldman, 2013, pp. 240-241).

Public officials ranging from President Obama, to the Deputy Assistant Secretary of

Defense for Cyber Policy Eric Rosenbach, have called this type of weaponized Øday exploit the

most worrisome of computer crimes. Rosenbach even went so far as to say that this type of

attack is “what worries us the most” (Stockton & Golabek-Goldman, 2013, p. 241).

Surprisingly, Øday exploits are openly sold in online marketplaces, with little to no

regulation. This is because they are considered dual-use. Øday exploits can be used for good by

researchers, to test computer systems for security flaws and to help safeguard against attacks. If

a researcher intends to engage in “responsible disclosure” of the Øday exploit, it would generally

be sold on what is called the “white market” to software vendors or other companies that aid

developers in correcting security flaws (Stockton & Golabek-Goldman, 2013, pp. 240-247).


On the “black market,” usually located in what is called the “Deep Web,” one can

purchase Øday exploits which can be used for more nefarious purposes, such as gathering

intelligence information, incapacitating computer systems, or doing physical damage (Stockton

& Golabek-Goldman, 2013, pp. 240-247).

A subject that is hotly debated among professionals in the field of computer crime is

whether the good that comes out of the legitimate use of Øday exploits outweighs the potential

deadly consequences if a researcher decides to weaponize these exploits for profit. There seem

to be no clear answers coming out of these debates.

However, Stockton and Golabek-Goldman do offer some guidelines for addressing the

Øday exploit market. First, the Safety Act should be leveraged to incentivize software security

and innovation, which would theoretically result in curtailing the ability to discover and

weaponize the exploits for harmful purposes. Second, there should be criteria, created by the

international community, for illegitimate Øday exploit sales. Uniform control of such sales

could be established through the already existing Wassenaar Arrangement. Finally, this country

should strengthen its tools to prosecute criminals who sell Øday exploits that target critical

infrastructure (Stockton & Golabek-Goldman, 2013, pp. 251-261).

Additionally, one type of crime that is currently on the rise is related to gang and

organized crime activity on social media websites. In this country and throughout the world, it is

very common for criminal gangs to use the internet to further their activities. Social media

websites in particular have proved themselves helpful tools when it comes to identifying and

monitoring criminal gang activities, including identity theft rings and prostitution/human

trafficking activity.


Domestic gangs, such as the Bloods and the Crips, use the internet for online recruiting.

This practice has been called ‘Net Banging’ by gangsters (Hanser, 2011, pp. 47-48). In the

United States, various internet-based companies have worked with law enforcement agencies to

curtail this type of computer crime, and to identify gang members along with their criminal

activities. YouTube and MySpace have both successfully aided authorities with investigations

into gang-related activity on their sites (Hanser, 2011).

The Russian Mafia has made many headlines in this country, and is often cited by news

media as one of the main perpetrators of computer crimes in the world. Authors Serio and

Gorkin looked at this issue in depth, and have determined that the threat from the Russian Mafia

has been exaggerated (2003). They make the argument that the threat from inside the

organization is far greater than threats made from outside organizations (Serio & Gorkin, 2003,

pp. 192-201). In other words, the cyber-criminal you know, or who works for you, is more

dangerous than outside threats such as the Russian Mafia.

Given the realization that employees are the biggest threat to cyber security, better

pre-employment screening seems a clear possible solution to help prevent computer crime.

Many organizations are already implementing this type of pre-emptive solution. Pre-

employment screening for government and private workers now includes more thorough

background checks. Credit and background checks are now a matter of routine for anyone who

could potentially have access to sensitive information, in all fields of employment. While these

checks do not catch all potential criminals, they are a valuable preventative tool.

One study, written by McMullan and Perrier (2007), describes a very interesting

computer crime case that involved a scheme, cooked up by a former employee, to defraud


electronic gambling machines in Canada. The offenders utilized three separate techniques to

compromise the electronic gambling machines (McMullan & Perrier, 2007, pp. 435-436).

The first technique allowed the criminals to uncover and crack the gambling machines’

payout codes by using a computer program. For the second technique, the group deployed an

operation known as ‘boot tracing.’ This method utilized RAM to modify a back-up board which

manipulated the contents of the bonus meter memory logic. This modification allowed the

criminals to trigger the bonus and cash it out at will. The third technique involved inserting a

‘trap door’ device into the machines which made them appear to be operating in online mode,

when they were actually working in stand-alone mode (McMullan & Perrier, 2007, pp. 435-436).

In the case of the gambling machines, law enforcement negotiated an agreement with two

of the members of the computer crime ring. The two criminals provided information regarding

their crimes in exchange for lighter sentences. This information was gathered through a two-day

interview process and gave valuable insight into the operations and organization of cyber-

criminal rings (McMullan & Perrier, 2007, p. 433).

As the last case demonstrates, the ability of law enforcement agencies to successfully

prevent and prosecute computer crimes depends on their ability to adapt and to learn from the

criminals themselves (Kain, 2013, p. 37). The good news for all of us is that the future appears

promising in this regard.

The criminal justice system in this country is currently transitioning through a period of

dramatic self-evaluation and change. Now, more than ever, criminal justice professionals are

able to recognize tactics that do not work and to stop using them. They are willing to look past the

outdated, punitive system of the past and to instead try new, sometimes even radical ideas.


Law enforcement agencies around the country are directing much needed resources to

new Computer and Cyber Crimes Units. Criminal justice professionals are also obtaining

degrees in higher education at dramatically higher rates than in the past. If this evolution

continues, the United States will be very well-equipped to deal with the future of computer

crimes.


References

Galicki, Alexander, Havens, Drew & Pelker, Alden (2014). Computer Crimes. American

Criminal Law Review, 51(4), 875-922.

Hanser, Robert D. (2011). Gang-related cyber and computer crimes: Legal aspects and practical

points of consideration in investigations. International Review of Law, Computers &

Technology, 25(1/2), 47-55. doi:10.1080/13600869.2011.594656

Kain, Robert C. (2013). Federal Computer Fraud and Abuse Act: Employee Hacking Legal in

California and Virginia, But Illegal in Miami, Dallas, Chicago, and Boston. Florida Bar

Journal, 87(1), 36-39.

McMullan, John L. & Perrier, David C. (2007). Controlling Cyber-Crime and Gambling:

Problems and Paradoxes in the Mediation of Law and Criminal Organization. Police

Practice and Research, 8(5), 431-444. doi:10.1080/15614260701764298

Serio, Joseph D. & Gorkin, Alexander (2003). Changing Lenses: Striving for Sharper Focus on

the Nature of the ‘Russian Mafia’ and its Impact on the Computer Realm. International

Review of Law, Computers & Technology, 17(2), 191-202.

doi:10.1080/1360086032000124996

Stockton, Paul N., & Golabek-Goldman, Michele (2013). Curbing the Market for Cyber

Weapons. Yale Law & Policy Review, 32(1), 239-266.