  • Transcript

    • 1. Cybercrime, by IQxplorer
    • 3. What Is Cybercrime?
      • Most broadly, cybercrime consists of any crime committed using computers.
      • Such crimes divide into two groups:
        • Crimes that merely use computers;
        • Crimes that harm computers.
      • Identity theft, online fraud, and IP theft are examples of the first; denial of service attacks and viruses are examples of the second.
    • 4. Crimes of the Second Type
      • Viruses
      • Worms
      • Trojans
      • Denial of Service
      • Computer Intrusions
    • 5. Crimes of the First Type
      • Theft of Information
      • Data Loss or Manipulation
      • Phone Phreaking
      • Child Pornography
      • Copyright Violations
      • Theft of Trade Secrets
      • Identity Theft
      • Credit Cards
    • 6. Sophistication Versus Knowledge
      • [Figure: attack sophistication and intruder knowledge, each on a Low to High axis, plotted over 1980 to 2000. Tools labelled on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, DoS, www attacks, “stealth” / advanced scanning techniques, burglaries, network mgmt. diagnostics.]
    • 7. Liability under the CFAA
      • 1030(a)(2)(C) imposes liability on whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication.”
        • Computers used in “interstate or foreign commerce or communication” are “protected.” 1030(e)(2).
    • 8. Liability under the CFAA
      • 1030(a)(5) imposes liability on anyone who
        • (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
        • (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
        • (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.
    • 9. Liability Under The CFAA
      • 1030(g): “Any person who suffers damage or loss by reason of a violation of the section, may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”
    • 10. Damage Defined
      • 1030(e)(8): the term "damage" means any impairment to the integrity or availability of data, a program, a system, or information, that--
        • (A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals;
        • (B) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals;
        • (C) causes physical injury to any person; or
        • (D) threatens public health or safety
    • 11. United States v. Morris
      • United States v. Morris applies the CFAA.
      • Morris was a Cornell University computer science doctoral student.
      • He released a worm over the Internet.
        • A worm is a self-replicating computer program designed to spread over the Internet without any further human interaction with the program once it is released.
    • 12. Purpose of the Morris Worm
      • Morris did not intend his worm to cause any harm.
      • As the court notes, “The goal of this program was to demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects that Morris had discovered. The tactic he selected was release of a worm into network computers.”
    • 13. The Design of the Worm
      • Morris designed the worm to copy itself from Internet system to Internet system; however, before it copied itself, the worm first asked the computer if it already had a copy of the worm.
      • Point: multiple copies would slow the computer down and make the computer owner aware of the worm’s presence.
      • Morris wanted to show that the worm could spread undetected.
    • 14. The Design of the Worm
      • The worm did not copy itself if it got a “yes” answer.
      • However, Morris also worried that system owners who became aware of the worm would stop its spread by programming their computers to answer “yes.”
      • So he programmed the worm to copy itself every seventh time it received a “yes” from the same computer.
    • 15. The Error
      • Morris greatly underestimated the number of times a computer would be asked if it had the worm.
      • The worm spread with great rapidity over the Internet causing computer slowdowns and shutdowns and imposing on system owners the cost of removing the worm.
      • Morris was prosecuted criminally under the Computer Fraud and Abuse Act.
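
The check-then-copy rule from slides 13 to 15, as an added simulation that is not code from the slides or from the worm itself: a counting model showing that a strict "never copy on yes" rule caps every host at one copy, while the every-seventh-"yes" override keeps adding copies and also defeats a host that fakes the "yes" answer. The ring layout, host count, fan-out and the `simulate` function are constructed assumptions.

```python
def simulate(n_hosts, rounds, fanout, reinfect_every, inoculated=frozenset()):
    """Return (total copies after each round, final copies per host).

    reinfect_every=None models a worm that always honours a "yes";
    reinfect_every=7 models the override described on slide 14.
    `inoculated` hosts answer "yes" even though they are clean.
    """
    copies = [0] * n_hosts      # worm copies running on each host
    yes_seen = [0] * n_hosts    # "yes" answers each host has given so far
    copies[0] = 1               # the first infected host
    history = []
    for _ in range(rounds):
        # Every running copy asks the next `fanout` hosts on a ring
        # (constructed topology) whether they already hold the worm.
        probes = [0] * n_hosts
        for host, running in enumerate(copies):
            for step in range(1, fanout + 1):
                probes[(host + step) % n_hosts] += running
        for target, asked in enumerate(probes):
            for _ in range(asked):
                if copies[target] == 0 and target not in inoculated:
                    copies[target] = 1      # answered "no": worm copies itself
                    continue
                yes_seen[target] += 1       # answered "yes", genuine or faked
                if reinfect_every and yes_seen[target] % reinfect_every == 0:
                    copies[target] += 1     # copied despite the "yes"
        history.append(sum(copies))
    return history, copies


if __name__ == "__main__":
    for label, rule in (("always honour yes", None), ("copy every 7th yes", 7)):
        history, per_host = simulate(10, 12, 2, rule, inoculated={5})
        print(f"{label:20s} total per round: {history}")
        print(f"{'':20s} copies per host: {per_host}")
```
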
    • 16. The Issues
      • The court: “The issues raised are (1) whether the Government must prove not only that the defendant intended to access a federal interest computer, but also that the defendant intended to prevent authorized use of the computer's information and thereby cause loss; and (2) what satisfies the statutory requirement of ‘access without authorization.’”
    • 17. The Ruling
      • The court holds that the only intent required is the intent to access the system.
      • The authorization issue: Morris was authorized to access the computers he initially accessed.
      • He exceeded the use he was authorized to make.
      • Is this enough to make his access unauthorized?
      • The court answers that it is.
    • 18. Electronic Communications Privacy Act (18 USC 121, Sec. 2701)
      • The Act imposes liability on anyone who
        • “intentionally accesses without authorization a facility through which an electronic communication service is provided; or
        • intentionally exceeds an authorization to access that facility;
        • and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage.”
    • 19. Exceptions
      • Liability is not imposed if the access is authorized
        • “by the person or entity providing a wire or electronic communications service; [or]
        • by a user of that service with respect to a communication of or intended for that user.”
      • Note: if one party to the communication agrees to access, liability is avoided.
    • 20. Federal Wiretap Act (18 U.S.C. § 2510, et seq.)
      • The Act provides for criminal punishment and a private right of action against "any person who--(a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept wire, oral, or electronic communication [except as provided in the statute]." Section 2511.
    • 21. Exception
      • "It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or any State." § 2511(2)(d)
    • 22. EU Convention on Cybercrime: Access
      • The convention directs the member states to criminalize intentional unauthorized access to computer systems, where the states may require that
          • “the offence be committed by infringing security measures,
          • with the intent of obtaining computer data or other dishonest intent,
          • or in relation to a computer system that is connected to another computer system.”
      • CFAA, ECPA.
    • 23. Interception
      • States are to criminalize the intentional unauthorized interception of data transferred between computers, where they may require that
        • “the offence be committed with dishonest intent,
        • or in relation to a computer system that is connected to another computer system.”
      • Wiretap Act.
    • 24. Interference
      • The states are to criminalize, when intentional, “the damaging, deletion, deterioration, alteration or suppression of computer data without right [without authorization].”
      • CFAA, ECPA.
    • 25. Functioning
      • The states are to criminalize, when intentional, “serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.”
      • CFAA, ECPA?
    • 26. Devices
      • The states are to make criminal, when intentional, the possession or “the production, sale, procurement for use, import, distribution or otherwise making available of” devices (including passwords, data, and computer programs) designed primarily for the purpose of committing the foregoing offenses, with the intent that it be used to commit one of those offenses.
      • The Digital Millennium Copyright Act.
    • 27. 17 USC 1201
      • (2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that -
      • (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;
      • (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or
      • (C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.
    • 28. In Addition
      • States are to criminalize acts involving computer-related forgery, fraud, offenses involving child pornography, and offenses related to the infringement of intellectual property rights.
    • 29. Victim Liability to Third Parties
      • ATT v. Jiffy Lube (F. Supp. 1164 (1993)).
      • ATT supplied Jiffy Lube with long-distance telephone service which included the ability for remote access to the service.
      • Remote users dialed an 800 number, entered a password (“lube”), and were then able to place long-distance calls.
      • A hacker obtained the 800 number and password and then published both on a BBS.
    • 30. Jiffy Lube Must Pay
      • The court held that Jiffy Lube was contractually liable for the approximately $55,000 in charges.
      • The court—of course!—rejected Jiffy Lube’s argument that making it pay violated public policy.
        • Jiffy Lube is the party that controls who calls through remote access to the 800 number.
    • 31. Compare Maine Public Utilities Commission v. Verizon-Maine
      • Verizon-Maine provides wholesale Internet access to local telecommunications companies--Competitive Local Exchange Carriers (CLECs).
      • On January 25th, 2003, the Slammer worm invaded the Verizon network.
      • To contain the worm, Verizon shut down its interfaces with all the CLECs, which had no Internet access through Verizon until late in the day on the 26th.
      • The Maine Public Utilities Commission awarded a rebate of $62,000 from Verizon.
    • 32. Non-Contractual Cases
      • There are none—yet.
      • But there will be: whoever undertakes to do something must do it in the manner that a reasonable person would.
      • Internet systems that undertake to provide security are no exception to this principle.
      • Given the importance of the Internet to the critical infrastructure of the United States, courts will not hesitate to impose negligence liability and legislators will pass relevant statutes.
    • 34. Outsourcing Issues
      • If you outsource to another entity, and your client or another relevant third party is harmed by their lack of security, what is your liability?
      • It will depend on contractual provisions, but note that HIPAA (CFR § 164.308(b)(1) and CFR § 164.314(a)(1)) requires that business associates implement certain security procedures.
    • 35. Cooperating with the Investigation
      • What the FBI wants you to do:
        • Attempt to identify source
        • Stop the attack
        • Enable logging
        • Retrieve and secure Logs
        • Start the “Sniffers”
        • Call the FBI
      • What you must do.
    • 36. [Diagram labels: Victim Site, Looping Sites (.edu, .com, .gov), Source ISP; Logs, Trap/Trace, Monitoring, Subpoena, Search Warrant.]
    • 37. The Traditional Three Levels of 4th Amendment Protection
      • First level: Non-exigent searches and seizures typically require a warrant based on probable cause.
      • Second level: Some less invasive actions (stopped on the street by a police officer) are permissible on reasonable suspicion (specific, articulable facts that criminal activity is occurring).
      • Third level: Where the government seeks records from a third party, it can use a subpoena.
        • This does not require reasonable suspicion, only a finding that the information sought is relevant to an investigation.
        • The target of the subpoena can challenge it, before the records are handed over, on grounds of irrelevance or overbreadth.
        • Examples: credit reports, financial and medical records.
    • 38. Beyond the Three Levels
      • Delayed notice subpoena: requires danger that notice might frustrate the investigation; used to obtain financial records.
      • Ex parte subpoena: challengeable by the third party holding the records; used to obtain e-mail.
      • Relevance order: issued by a court on grounds of relevance; used to obtain phone records.
    • 39. Beyond the Three Levels
      • Certification order: issued by a court based on a claim of relevance by the police; the court does not make an independent judgment of relevance. Used to intercept transaction information about calls and e-mails.
      • Extrajudicial Certification: Issued by police based on police claim of relevance. Used to obtain federal public records and records related to terrorism.
      • No requirement: All other public records not protected by state laws.
    • 40. Private Enforcement
      • Private companies and organizations police the Internet in order to detect cybercrimes.
      • Private enforcement is critical in controlling cybercrime.
        • Simply consider eBay: it has over 22 million members and over 6 million items for sale a day. Public law enforcement cannot monitor all this activity on a daily basis.
    • 41. Private Detectives and Watchdog Groups
      • eBay retains private detectives to police its site.
      • There are also watchdog organizations:
        • The Internet Fraud Watch
          • Enforces laws privately
        • The Software Publishers Association
          • Prosecutes copyright violations and piracy
        • International Chamber of Commerce
          • Polices financial and IP crimes
      • Various statutes create private rights of action.