Impact of Computers on Society - PowerPoint PPT Presentation

About This Presentation
Title:

Impact of Computers on Society

Description:

Originally a test/hazing at MIT, harmless pranks. Breaking in where you don't have access ... Relatives, neighbors, friends, home employee. 15 % Stolen mail, ... – PowerPoint PPT presentation

Slides: 47
Provided by: garygi

Transcript and Presenter's Notes



1
Impact of Computers on Society
  • 7. Computer Crime

2
It was only a matter of time
  • Internet was designed by geeks who were
    interested in openness and free sharing
  • DoD commissions ARPANET (Advanced Research Projects
    Agency Network), 1969: UCLA, UC Santa Barbara, SRI,
    U Utah
  • First e-mail: Ray Tomlinson (1971)
  • Ethernet/Alohanet (1973)
  • The Well
  • DEC VAX 11/780 (1978), a favorite in research
  • VMS
  • Unix

3
Early Crimes
  • Salami method
  • Accumulate rounding errors in a hidden file
  • Random errors
  • These methods require programming expertise in a
    world where few computers are networked
  • Security was an afterthought
  • The Internet was wide open; it was just a matter
    of time

4
Break-ins
  • Hood's network hacked in the mid-90s
  • Various web sites of government agencies
  • Read the newspaper
  • Watch TV
  • What break-ins can you recall?

5
Four Important Crime Topics
  • Hacking
  • Scams
  • Fraud, embezzlement, theft
  • Crime fighting

6
Hacking vs. Cracking
  • Hacking: originally an elegant, sophisticated
    piece of programming, an art
  • Cracking: breaking a security scheme, often by
    brute force or using someone else's tools
  • In the media, hacking has assumed the latter
    meaning, which we will adopt

7
Hacking
  • At first, mostly young men
  • Organized crime and espionage becoming prevalent
  • Originally a test/hazing at MIT, harmless pranks
  • Breaking in where you don't have access
  • Isaac Asimov foresaw the computer virus
  • Worms (1980s)
  • Sniffers
  • Hacktivism

8
Captain Crunch
  • John Draper, 1970s
  • A toy whistle found in a cereal box
  • Hacked into Bell South
  • Free calls
  • Shut down phone service
  • Rigged prosecutor's phone to act like a pay phone
  • FBI calls routed to a 900 sex phone number
  • Legion of Doom exposes vulnerability of phone
    system
  • A little like an MIT hack--somewhat amusing if
    you are not the victim

9
Kevin Mitnick
  • Convicted of hacking universities, cell phone
    manufacturers, ISPs
  • Went into hiding in 1988 while on probation
  • Arrested in 1995 when he hacked into a security
    expert's files at San Diego Supercomputer Center
  • Crimes aimed at individuals and some businesses

10
Robert T. Morris
  • Grad student at Cornell
  • Son of a security expert at NSA
  • First worm: November 2, 1988
  • Copied itself onto other computers and spread
  • Clogged up much of the net
  • Claimed it was an experiment that went awry
  • 400 hours community service
  • A tenured professor at MIT as of 2006
  • Your prof accidentally created a worm!

11
Some positive effects
  • A warning that security holes exist
  • Occasioned early anti-virus and other security
    efforts

12
Three Major Problems
  • Weak security
  • Intrusions frequently go unnoticed
  • Reluctance even to admit that a break-in has
    occurred
  • Embarrassment
  • Negative customer reaction
  • Indicates to others that a way to break in exists

13
Profile of a Young Hacker
  • Young
  • Male
  • Introvert
  • Script kiddie
  • Moderately knowledgeable
  • Uses tools created by others and posted on the
    net
  • Dangerous: imagine a terrorist who posts a tool
    that does not do what it claims to do

14
Organized Criminals
  • Stereotype of young male hacker is less true
  • Willie Sutton
  • Why do you keep robbing banks?
  • That's where the money is!
  • Organized criminals have realized that credit
    information is where the money is.
  • Used directly
  • Sold to others
  • Governments
  • Soviet Union?
  • China?

15
Governments
  • Russia?
  • Estonia
  • Cyberattacks
  • May be dangerous

16
Some Recent Viruses/Worms
  • Leonardo
  • Melissa
  • Love Bug
  • Blaster Worm (remote procedure calls)
  • Beagle/Bagel worm
  • Sober-X
  • Conficker
  • Tools readily available: Symantec
  • (Note: there used to be sneaky competition,
    Symantic)
  • Virus writers are getting ahead of antivirus
    software
  • Have you ever had to purge your computer?

17
More Attacks
  • Denial of Service
  • Distributed Denial of Service, as in Estonia
  • MSIE, MS Outlook
  • Windows Defender Tool
  • MS Security Updates
  • MS Malicious Software Removal Tool

18
Ethical questions
  • Would it be acceptable for a professor of
    computer science at Hood College to assign
    homework directing students to design and code a
    computer virus or worm?
  • What site would you like to hack into and why?

19
Laws
  • If you think something might be illegal, it
    probably is
  • Many crimes covered by preexisting laws
  • Two major laws specific to computers
  • Computer Fraud and Abuse Act (1986)
  • Covers federal jurisdiction only
  • Broad scope: theft, breaking in, altering or
    destroying data
  • Stiff penalties

20
USA Patriot Act of 2001
  • Expanded definition of attack to include
    hacking
  • Restitution includes cost of responding to the
    attack and restoring system
  • First offense doubled to 10 years
  • Allows government to monitor online activity of
    suspected hacker without a warrant
  • There is justifiable fear of cyberterrorism

21
More USAPA
  • Criticized as too broad
  • If a warrant is required for wiretap, why not for
    online monitoring?
  • Does a reasonable expectation of privacy exist
    online?

22
Catching hackers
  • Honeypots
  • Invite for job interview (Russians arrested)
  • Computer forensics / digital forensics
  • Hackers often make dumb mistakes
  • Not changing return address
  • Leaving other clues
  • CERT at Carnegie Mellon is now a clearing house for
    security alerts

23
Overreaction
  • Craig Neidorf and Phrack (1989)
  • Published part of document about BellSouth phone
    911 system
  • Threatened with lengthy jail term and large fine
  • Bell claimed document worth almost $24,000
  • Info available for $24 from other phone company
    sources

24
Legal Problems
  • Printing press not involved in Neidorf case: how
    to apply existing law?
  • Jurisdiction: the Web crosses boundaries
  • Hard to frame laws that discriminate between
    criminal acts and acts of youthful indiscretion
  • Perverse that hackers are often hired as security
    consultants

25
What do you think?
  • Would you hire a hacker as a security consultant?
  • What do you think should be done to discourage
    youthful hackers?

26
Security Problems
  • Often very lax: similar to leaving your iPod on
    the front seat of an unlocked car
  • The Internet has a history of being open
  • Laziness
  • Lack of knowledge
  • Expense

27
More Security Problems
  • Human nature to take precautions after a disaster
  • Unanticipated flaws in software
  • Users do not take the risk of a break-in
    seriously
  • A balancing act between security and ease of use

28
SATAN (1995)
  • Security Administrator Tool for Analyzing
    Networks: Dan Farmer and Wietse Venema
  • SATAN scanned for known security holes in
    Unix/Linux systems
  • Public controversy

29
Farmer and Venema respond
  • Why wasn't there a limited distribution to only
    the white hats? History has shown that attempts
    to limit distribution of most security
    information and tools has only made things worse.
    The undesirable elements of the computer world
    will obtain them no matter what you do, and
    people that have legitimate needs for the
    information are denied.

30
A First Amendment Question
  • Should it be illegal to write viruses and hacking
    tools?
  • Recall Philip Zimmermann's PGP (1991)
  • Recall Daniel Bernstein's attempts to publish
    cryptography research (1993 - 1996)

31
Scams, Frauds, Attacks, and Other Mischief
  • Online Scams
  • Not a new problem, but a new venue
  • Auctions such as eBay and Yahoo
  • The toasted cheese sandwich purportedly bearing
    the likeness of Christ
  • Auctions for health care
  • Should it be allowed to advertise for a kidney
    transplant?

32
Fraud, Embezzlement, Sabotage, Data Theft, Forgery
  • Willie Sutton (again!)
  • Why rob banks?
  • That's where they keep the money!
  • Nothing new, just a new venue
  • Stock fraud
  • Credit card fraud
  • Identity theft
  • ATM theft
  • Telecom/cell-phone theft

33
Identity Theft
  • Again, nothing new, just new tools
  • Succeeds because of the magnitude of the system
  • A problem for the victim because SSA, DMV, credit
    bureaus do not provide much help

34
DOJ: Fewer ID Theft Victims
  • About 9.3 victims previously counted
  • Only about 3.6 million ID thefts in the US
    counted in 2005; that's 3 out of every 100
    people
  • Includes misuse of cell phone, credit card, other
    personal info.
  • 1.7 million of the 3.6 were unauthorized credit
    card use
  • About 540,000 households said someone misused
    personal info to open accounts, get loans, or
    commit other crimes. This is the usual definition
    of ID theft.
  • Associated Press in Washington Post, April 3, 2006

35
Online ID theft is a BIG problem
  • But not as big as you might imagine
  • There are 3.3 million ID thefts per year.
  • Of those, only a small percentage take place
    online.
  • Although not directly online, some thefts do
    involve computers indirectly.

36
Common Sources of ID Theft: Business
  • Source: Javelin Strategy & Research, 2006

37
Common Sources of ID Theft: Consumer
  • Source: Javelin Strategy & Research, 2006

38
Common Sources of ID Theft: Computer
  • Source: Javelin Strategy & Research, 2006

39
Common Sources of ID Theft: Summary
  • Source: Javelin Strategy & Research, 2006

40
Phishing
  • Combines the traditional fishing expedition
    with identity theft
  • Relies on a very few responses out of thousands
    of phishing messages

41
Swindle and Sabotage
  • What is the weakest part of any security system?
  • The employees
  • Disgruntled employees: sabotage, logic bomb,
    denial of service
  • Dishonest employees: theft (DC Office of Tax
    Revenue lost over $44M)
  • It is easy to do a lot of damage in a hurry
  • Audit trails
  • Backup, backup, backup

42
Competitors
  • Industrial espionage
  • Breach of confidentiality agreement
  • Reverse engineering (often legal)

43
Digital Forgery
  • Pictures
  • O. J. Simpson
  • ID cards, licenses, passports
  • Money
  • Corporate stationery
  • Corporate documents
  • Proposals for a national ID card with embedded
    computer chip
  • Passports will have embedded chips, beginning
    summer of 2006

44
How do you establish ID in cyberspace?
  • Who is behind that computer? Email?
  • Digital signatures
  • Reputable businesses
  • Can you decipher the bill?
  • Clear procedures for dealing with problems?
  • How does a business know you are you?

45
Fighting Crime versus Civil Liberties
  • Automated surveillance: 9/11, England
  • Biometric identifiers
  • Facial recognition systems
  • Fingerprints
  • Retinal scan
  • Iris scan
  • DNA
  • Airport security scan
  • Potential for loss of privacy is immense

46
More Crime Fighting
  • Seizure of a computer containing data of people
    in addition to the one for whom a warrant was
    issued
  • Loss of equipment can shut down a business
    without a trial
  • Is the goal law enforcement or harassment?
  • To what extent should an ISP become an arm of law
    enforcement?