
Computer Crimes


Professional Issues in IT - Cyber Crimes

Published in: Education


  1. Chapter 5 - Legal Issues in Computing [Cyber Crime]
     IT 5105 – Professional Issues in IT
     Upekha Vandebona, upe.vand@gmail.com
     Ref: Tavani, Herman T., “Ethics and Technology: Controversies, Questions, and Strategies for Ethical Computing”, 4th Edition.
  2. Instructional Objectives
     • Identify methods by which computing services can be compromised.
     • Discuss the legal implications of compromising computing services.
     • Discuss the types of policies that should be included for system use and monitoring.
     • Describe the basic elements of compliance laws, such as ADA508, FERPA, HIPAA, and Sarbanes-Oxley.
     • Describe the differences in accountability, responsibility, and liability.
     • Describe current approaches to managing risk, and describe the legal implications of compromising computing services.
     • Evaluate an acceptable use policy.
     Reference: COMPUTER CRIME ACT, No. 24 OF 2007
  3. Introduction - Cyber Crime
     • When was the last time you heard about cyber crimes in Sri Lankan news media? What was it about?
     • A virus?
     • Breaking into financial and government institution networks?
     • Digital piracy?
     • Cyber stalking and cyber bullying?
     • Cyber pornography?
     • Phishing?
     • Were we more focused on financial crimes and neglecting interpersonal criminal behaviors?
  4. Globally it is more than that…
     • Hacking pacemakers.
     • http://www.computerworld.com/article/2981527/cybercrime-hacking/researchers-hack-a-pacemaker-kill-a-man-nequin.html
     • Ref: http://null-byte.wonderhowto.com/forum/is-hacking-implanted-medical-devices-next-big-cyber-crime-0149205/
  5. In Earlier Days…
     • Disgruntled employees who altered files in computer databases or sabotaged computer systems to seek revenge against employers.
     • Computer-savvy teenagers, sometimes described in the media as “hackers”, breaking into computer systems either as a prank or for malicious purposes.
     • “Hackers” who used computers to transfer money from wealthy individuals and corporations to poorer individuals and organizations.
  6. Many Cybercrimes Go Unreported
     • Organizations are reluctant to report cybercrimes because of the embarrassment it might cause them.
     • Victims fear the negative repercussions: reporting the crime would be tantamount to admitting that their computer security practices are inadequate.
     • What might happen if a customer discovered that the bank where she deposits and saves money had been broken into? She might decide to transfer her funds to a bank that she perceives to be more secure.
     • If cyber-related crimes committed by employees working inside a financial institution were reported and publicized, the institution could also suffer a loss of customer confidence.
  7. Hackers: Were They Countercultural Heroes?
     • Stereotypical computer hackers, unlike most professional criminals, are not generally motivated by greed; some seem to thrive on a kind of “joyriding” (the thrill of figuring out how to break into unauthorized systems).
     • They were inclined to attack computers merely to prove that they could, and to “show off” to one another.
  8. Hackers: Were They Countercultural Heroes?
     • However, it is also worth noting that many malicious hackers do not possess outstanding technical skills but are savvy enough to locate sophisticated “hacking tools” that can be downloaded from the Internet for free, and many of these individuals are sufficiently astute to take advantage of “holes” in computer systems and programs.
  9. Hacking vs. Cracking
     • The meaning of “hacker” began to change in the 1980s when the media started applying the term to criminals using computers.
     • In order to avoid confusion with virus writers and intruders into information systems, traditional hackers began calling these destructive computer users “crackers”.
     • Crackers often engage in theft and vandalism once they have gained access to computer systems.
     According to Hacker Jargon:
     • Hacker: “an expert or enthusiast of any kind.”
     • Cracker: one “who breaks security on a system.”
  10. White Hat & Black Hat
     • “White hat hackers” is used to refer to those “innocent,” or non-malicious, forms of hacking, while “black hat hackers” refers roughly to “cracking.”
     • But for the general public it is one term, hacking, and it is always bad…
  11. Counter Hacking
     • Active defense hacking, sometimes also referred to as “hacking back against hackers.”
     • Counter hacking activities have been carried out both by individuals and corporations; they are directed against those who are suspected of originating the hacker attacks.
     • A case of “two wrongs making a right”? Should counter hacking be legalized? Can it ever be ethically justified?
  12. Ethical Hackers
     • Individuals who successfully complete ethical hacking certification programs are trained and certified not only in the use of defensive measures to ensure the security of their employers, but also appear to be authorized to engage in security-related activities.
     According to Hacker Jargon:
     • The goal of the ethical hacker is to help the organization take preemptive measures against malicious attacks by attacking the system himself, all the while staying within legal limits . . .
     • An Ethical Hacker is very similar to a Penetration Tester . . .
     • When it is done by request and under a contract between an Ethical Hacker and an organization, it is legal.
  13. Counter Hacking: Bad Effects
     • Can cause harm to innocent individuals.
     • When hacking back against those who launch DDoS attacks, many innocent persons are adversely affected because the attacks are routed through their computer systems.
     • Perpetrators of DDoS attacks use “host computers”, which often include the computers of innocent persons, to initiate their attacks (a technique sometimes referred to as “IP spoofing”).
     • This suggests to the victims of these attacks that they originated from the host computer, as opposed to the computer of the initiator of the attack.
     • So when victims hack back, they can unintentionally cause the intermediate computer to be assaulted.
  14. Do we need a separate category in our legal systems to handle crimes with computers?
     • An individual who uses a surgeon’s scalpel to commit a murder would not be considered to have committed a medical crime. It is a murder even though a medical instrument was used.
     • People use automobiles to assist criminals in “getaway” operations, but we don’t have a category called automobile crimes.
     • People steal televisions, but we don’t say television crime.
     • So why do we need a separate category, cybercrime, for criminal acts involving cyber technology?
  15. Cyber/Computer Crimes
     • Yet law-makers have determined it necessary, or at least useful, to enact specific laws for crimes involving computers and cyber technology.
     • Are the following computer crimes?
       a.) Boralugoda steals a computer device (e.g., a laser printer) from a computer lab.
  16. Cyber/Computer Crimes (cont.)
       b.) Madapaatha breaks into a computer lab and then snoops around.
       c.) Shaggy enters a computer lab that he is authorized to use and then places an explosive device, set to detonate a short time later, on a computer system in the lab.
  17. Definition
     • By thinking about cybercrimes in terms of their unique or special features (conditions that separate them from ordinary crimes), we can distinguish authentic or “genuine” cybercrimes from other crimes that merely involve the use or the presence of cyber technology.
     • “Crime in which the criminal act can be carried out only through the use of cyber technology and can take place only in the cyber realm.”
  18. Cyber Piracy: using cyber technology in unauthorized ways to
     • reproduce copies of proprietary information
     • distribute proprietary information (in digital form) across a computer network.
     Cyber Trespass: using cyber technology to gain unauthorized access to
     • an individual’s or an organization’s computer system
     • a password-protected Web site
     Cyber Vandalism: using cyber technology to unleash one or more programs that
     • disrupt the transmission of electronic information across one or more computer networks, including the Internet
     • destroy data resident in a computer or damage a computer system’s resources, or both
  19. Example Cases
     • Activities involving the unauthorized exchange of copyrighted music on the Internet via Napster and subsequent P2P-related file-sharing sites are examples of ………….
     • The launching of the Conficker virus is an instance of ………..
     • The DDoS attacks on government and commercial Web sites illustrate an example of ……………, because they involved the breaking into, as well as the unauthorized use of, third-party computer systems to send spurious requests to commercial Web sites (as opposed to the kind of “genuine” requests sent by users who wish to access those sites for legitimate purposes). Since DDoS attacks also cause serious disruption of services for the targeted Web sites, they can also be classified as ……………………..
     Answers: cyber piracy (Category 1); cyber vandalism (Category 3); cyber vandalism (Category 3); cyber trespass (Category 2)
  20. Cyber-related Crimes
     • Crimes involving stalking and pornography can each be carried out with or without computers and cyber technology.
     • There is nothing about them that is unique to cyber technology, so crimes such as cyber stalking and Internet pornography would not qualify as genuine cybercrimes.
  21. Cyber-Exacerbated vs. Cyber-Assisted Crimes
     • This distinction enables us to differentiate between crimes in which someone merely uses cyber technology and crimes which are significantly affected by computers and cyber technology.
     • Due to the technology, the rates of these types of crime are rising, specifically for cyber-exacerbated crimes.
  23. Identity Theft
     • A cyber-exacerbated crime in which an imposter obtains key pieces of personal information in order to impersonate someone else.
     • The information can be used to obtain credit, merchandise, and services in the name of the victim, or to provide the thief with false credentials.
     • In the past, identity thieves have combed through dumpsters (and some still do) looking for copies of bank statements and for papers containing account information on credit card bills that people dispose of in their trash. (This behavior is sometimes referred to as “dumpster diving.”)
  24. Identity Theft
     • Factors such as lax security and carelessness involving customer information contained in computer databases made it easy for some identity thieves to acquire personal information about their victims.
     • Information brokering has become a lucrative business: it connects professional criminals with employees in organizations who have access to sensitive information about people’s financial records.
  25. Identity Theft From Emails
     • A scheme involving e-mail that appears to have been sent by a reputable business.
     • For example, you may receive e-mail that looks as if it were sent by eBay, Amazon, or PayPal.
     • Often these e-mail messages include the official logos of the companies they purport to represent and might look legitimate; the message informs you that your account is about to expire and that you need to update it by verifying your credit card number as well as other kinds of personal information.
  27. Avoid Identity Theft from Emails
     • How can a potential victim differentiate legitimate e-mail sent from businesses such as eBay or PayPal from that sent by identity thieves?
     • Typically, e-mail from identity thieves will not address the potential victim by name, so this can be an indication that the e-mail is not from a legitimate source.
     • Users wishing to verify the authenticity of the e-mail can contact the company by phone, or through the company’s legitimate e-mail address, if they are in doubt.
  28. Phishing and Identity Theft
     • Many e-mail messages sent by identity thieves are generated through spam.
     • Using spam to gather personal information is sometimes referred to as phishing or “automated identity theft”.
     • An automated version of phishing, sometimes called “pharming,” automatically “redirects the victim to the offending site”.
     • Activities involving pharming and phishing, along with conventional e-mail spam, increase the amount of identity theft that can be accomplished over the Internet.
  29. Combat Cyber Crime - Tools
     Packet Sniffing
     • Used to track criminals and their activities.
     • A packet sniffer or “sniffer” is a program that monitors the data traveling between networked computers.
     • However, these kinds of software programs have also been used by malicious hackers to capture user IDs and passwords.
  30. Combat Cyber Crime - Tools
     Keystroke Monitoring
     • Used to track the activities of criminals who use cyber technology.
     • A specialized form of audit-trail software that records every key struck by a user and every character of the response that the system returns to the user.
     • It is especially useful in tracking the activities of criminals who use encryption tools to encode their messages.
  31. Combat Cyber Crime - Techniques
     Sting Operations and Entrapment
     • Used to catch members of organized crime involved in drug dealing, gambling, pornography, and so forth.
     • Are such techniques ethically justifiable?
     • They can save many innocent lives and can significantly lessen the harm that might otherwise occur to some individuals.
  32. Surveillance
     On Telephones
     • Pen Registers: when a suspect makes a phone call, displays the number being dialed.
     • Trap-and-Trace Devices: when the suspect receives a phone call, displays the caller’s phone number.
     • A pen register used on the Internet can reveal the URLs of Web sites visited by a suspect.
     • http://vesess.com/warrantless-wiretapping-sri-lanka/
  33. Is Surveillance Ethical?
     • Critics argue that this increased domestic surveillance will erode basic civil liberties.
     • It could be abused by those in power, under the convenient excuse of crime prevention and national defense, to achieve certain political ends.
     • http://www.cpalanka.org/freedom-of-expression-on-the-internet-in-sri-lanka/
     • http://www.cpalanka.org/the-internet-as-a-medium-for-free-expression-a-sri-lankan-legal-perspective/
  34. Biometrics
     • Biometric technologies have also been used by law enforcement agencies to combat crime and terrorism.
     • Biometrics is the biological identification of a person, which includes eyes, voice, hand prints, finger prints, retina patterns, and hand-written signatures.
     • Through biometric technologies, one’s iris can be read in the same way that one’s voice can be printed.
     • The digital representation of these biometric data is usually transformed via some algorithm to produce a template, which is stored in a central computer database.
  35. Biometrics
     • Biometric technologies are used for authenticating an individual’s identity, as in passports.
     • While biometric devices are a highly accurate means of validating an individual’s identity, they are also controversial.
     • A biometric identification tool using face-recognition technology can scan the faces of people entering a public place. The scanned images can then be instantly matched against the facial templates of suspected criminals and terrorists contained in a central computer database.
  36. Biometrics - Issues
     • Some support this, even if it violates civil liberties.
     • Critics point to at least three problems: error, abuse, and privacy.
     • Errors occurring in matches will make the innocent appear guilty.
     • The purposes for which biometric technologies are originally authorized can expand significantly and can lead to possible abuses.
     • Loss of privacy and civil liberties for individuals.
     • Those who favor using biometric technology argue that it provides increased security, even if using this technology undercuts some civil liberties for ordinary citizens.
  37. Global Reach
     • Laws are typically limited in jurisdiction to the nations where they are enacted. Traditionally, crimes are prosecuted in the legal jurisdictions in which they were committed.
     • In certain cases, suspected criminals have been extradited from one legal jurisdiction to another (and sometimes from one country to another) to stand trial for an accused crime.
     • As cyberspace has no physical boundaries, it can be difficult to prosecute cybercrimes involving multiple nations, as well as multiple states within nations.
     • So it is a question whether the concept of legal jurisdiction makes any sense in cyberspace.
  38. Enforcing Cybercrime Laws Globally
     • Criminal enforcement has been hampered by the lack of international legal agreements and treaties on cyber crime.
     • E.g.: the ILOVEYOU virus in 2001 originated in the Philippines, but its effect was global.
     • Budapest Convention: https://en.wikipedia.org/wiki/Convention_on_Cybercrime
     • http://www.coe.int/en/web/cybercrime/home
  39. Software Contracts - Case Study
     • MegaTech Corporation, a major computer company in the United States, has developed and released a new software product that has been distributed globally.
     • However, this product has a serious defect that causes computer systems using it to crash under certain conditions. These system crashes, in turn, result in both severe disruption and damage to system resources.
     • MindWaves, a company headquartered in eastern Asia that purchased this product from MegaTech, has experienced multiple system crashes since installing it, which has also resulted in a severe loss of revenue for that company.
     • What legal recourse does/should MindWaves have in its complaint against MegaTech Corp., given that its complaint involves companies in two sovereign nations?
  40. Software Contracts - Case Study
     • Disclaimers and caveats are issued by manufacturers to protect themselves against litigation.
     • An applicable-jurisdiction clause for tailor-made software contract agreements.
  41. Cybercrime and Free Press
     • A relatively recent challenge for law enforcement in cyberspace, especially at the international level, has emerged in response to controversial “journalistic” practices involving some new online media outlets and organizations.
     • Should they be viewed as journalistic activities that are protected by a free press?
     • E.g.: the WikiLeaks controversy
  42. Sri Lankan Police Website
  43. Sri Lanka Computer Emergency Readiness Team
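The phishing cues on slides 25 and 27 (a message that names a well-known company, warns that an account is about to expire, asks the reader to verify a credit card number, and does not address the recipient by name) can be turned into a simple mail-filtering check. The Python below is an added example, not part of the lecture slides; it goes one step beyond the slides by also comparing the brand named in the message with the sending domain, and the brand-to-domain table and both sample messages are constructed for this example.

```python
import re
from email.parser import Parser
from email.utils import parseaddr

# Brands slide 25 names as commonly impersonated; the domain each really sends
# from is an assumption for this example, not something the slides state.
KNOWN_BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com", "amazon": "amazon.com"}
# Wording cues from slide 25: account-expiry urgency and requests for card data.
URGENCY = re.compile(r"\b(about to expire|will be suspended|within 24 hours)\b", re.I)
SENSITIVE = re.compile(r"\b(credit card|card number|password|verify your (account|identity))\b", re.I)

def phishing_indicators(raw_message: str, recipient_name: str) -> list[str]:
    """Return the phishing indicators found in one plain-text RFC 822 message."""
    msg = Parser().parsestr(raw_message)
    body = msg.get_payload() or ""  # single-part text messages only
    findings = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # Brand impersonation: display name or subject names a brand, but the mail
    # was not sent from that brand's domain (logos and names are easy to copy).
    claimed = f"{display_name} {msg.get('Subject', '')}".lower()
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in claimed and sender_domain != real_domain \
                and not sender_domain.endswith("." + real_domain):
            findings.append(f"claims to be {brand} but was sent from {sender_domain}")
    # Generic greeting: slide 27's cue that the victim is not addressed by name.
    first_line = body.strip().splitlines()[0] if body.strip() else ""
    if recipient_name.lower() not in first_line.lower():
        findings.append("does not address the recipient by name")
    if URGENCY.search(body):
        findings.append("account-expiry or other urgency language")
    if SENSITIVE.search(body):
        findings.append("asks for credit card or other personal data")
    return findings

# Two constructed sample messages (not real mail) to exercise the checks.
PHISH = """From: "PayPal Security" <service@paypa1-secure.example>
To: jane@example.org
Subject: Your PayPal account is about to expire

Dear valued customer,

Your account is about to expire; please verify your credit card number at the link below.
"""
LEGIT = """From: "Example Bank" <alerts@examplebank.example>
To: jane@example.org
Subject: Your monthly statement is ready

Dear Jane,

Your statement for March is now available when you log in to online banking.
"""
if __name__ == "__main__":
    for label, mail in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(mail, "Jane"))
```

The constructed phishing message trips all four checks while the legitimate notice trips none; in practice these heuristics are a triage aid, and slide 27's advice to confirm with the company through a known-good channel still applies.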
