Monday, August 11, 2008

Computer Misuse:

Hacking, unauthorized access
Types of Computer Crime
Introduction of Viruses
Fraud and types of Computer Fraud
Cyber crime
What Is Hacking?
The act of forfeiting individual freedom of action or professional integrity in exchange for wages or other assured reward
At first, “hacker” was a positive term for a person with a mastery of computers who could push programs beyond what they were designed to do
Reasons For Hacking
Theft of services: The first reason is theft of service, if a system offers some type of service and a hacker has a use for it, they will hack the system. Examples of such systems are on-line information networks (CompuServe, AOL etc)

Take valuable files: The second reason a hacker may hack into a system is to take valuable files, e.G., Credit card numbers, or info on operation of telecommunication systems

Vengeance and hate: another reason for hacking is vengeance and hatred
E.g. Hacker pillaged US files to sell secrets Saddam
Thrill and excitement: The fourth reason hackers break into systems is for the thrill and excitement of being somewhere you are not authorized to be

The final reason why hackers do what they do is just for knowledge and experiment. Hackers learn a great deal every time they break into a new type of system
Talking the Talk
Hackers have their own lingo and style of writing
Hacker lingo is so pervasive, there’s even the new hacker’s dictionary, recently published in its third edition
Attacks on the Increase
A study released this spring by the computer security institute and the FBI's international crime squad found that nearly two-thirds of more than 500 organizations reported a computer security breach (violation) within the past year, up from 48 percent a year ago and 22 percent the year before that

Many hacker attacks go unreported because companies want to avoid negative publicity
Other companies stung by hackers feel compelled to tell what happened
What’s Being Done?
While the internet has revolutionized (uprising) business and communication almost overnight, laws regulating its use and misuse haven't developed as swiftly
But in the last few years congress and the courts have started responding to the threat posed by computer crime

There are laws in the federal statutes (act, law) that have been applied to hacker cases. These laws aren't designed specifically to counter computer crime, but have been applied to certain cases when existing law has proved inadequate in scope:

How to Be Vigilant
Get a copy of your credit report
Shred (cut up) all your information that you have offline
Confidential information should be encrypted

Another thing you should do is make sure that you don't give confidential information by cell phone, or by a remote phone, or on the internet unless it's encrypted

And finally, you should put up firewalls so someone can't come in and steal your information from your computer
Unauthorized Access

Eavesdropping on a computer;
Listening to a specific port, snooping the IP etc
Making unauthorized use of computers for personal benefit;
use of company computer for private work
Unauthorized alteration or destruction of information stored on a computer;
Criminal damage
Intentionally or recklessly destroys or damages property belonging to another without lawful excuse.
Section 3 of the Computer Misuse Act 1990
1) A person is guilty of an offence if: a) he does any act which causes unauthorized modification of the contents of a computer; and b) at the time when he does the act he has the requisite intent and the requisite knowledge.
Denying access to an authorized user;
The unauthorized removal of information stored on a computer.

U.S. Computer Fraud and Abuse Act
Unauthorized access to a computer containing data protected for the national defense or foreign relations concerns
Unauthorized access to a computer containing certain banking or financial information
Unauthorized access, use, modification, destruction, or disclosure of a computer or information in a computer operated on behalf of the U.S. government
Accessing without permission a “protected computer,” which the courts now interpret to include any computer connected to the Internet

Computer fraud
Transmitting code that causes damage to a computer system or network
Trafficking in computer passwords
Computer Crime
The vast, interconnected information systems of today are a relatively open territory of crime where the modern computer criminal seems to remain one step ahead of the law enforcing officials.
Crimes are committed by people that have:
Knowledge to gain access to a computer system
Knowledge to manipulate the system to produce the desired result
Generally, the computer is used :
As tool to commit crime
As the object of Crime
Computers as Tools to Commit Crime
Credit card fraud, by illegally gaining access to back accounts (or credit cards)
Making illegal financial transactions like fraudulent payments
Counterfeiting money, bank checks, stock and bond certificates using high-quality printers
Computers as Objects of Crime
Illegal access and use of the organization's computer based information systems by a criminal hacker
Data alteration and destruction many times caused by a virus (application or system virus), a worm, a logic bomb or a Trojan horse
Data and information theft by those that illegally access the system (usually insiders)
Equipment theft
Software piracy by illegally duplicating software (patrolled by the Software Publishers Association)
Computer-related scams or cheats especially over the Internet
International computer crime especially crime related to obtaining computer hardware, related technology and trade secrets
Table 1.0: Common Methods Used to Commit Computer Crimes
Types of Computer Crime
Any crime in which computer-related technology is encountered.
The commission of illegal acts through the use of a computer or against a computer system.

Types of Computer Crime

Business attacks
Financial attacks
Terrorist attacks
Grudge attacks
Fun attacks

Business attacks
Unauthorized access or hack the business documents and reports of a company for any valid reason.
Financial attacks
Unauthorized access or hack the financial or account related documents and reports of a company for any valid reason.
Terrorist attacks
Unauthorized access or hack the any important records, data or computer of a company for the purpose of destruction only.

Grudge attacks
Unauthorized access or hack the any important records, data or computer of a company for the feeling of dislike or revenge.
Fun attacks
Unauthorized access or hack the any important records, data or computer of a company for the feeling of fun.
Computer Virus and its types
Virus: a program that attaches itself to other programs
Worm: an independent program that replicates its own program files until it interrupts the operation of networks and computer systems
Malware: software that is harmful or destructive, such as viruses and worms
Trojan horse: a program that appears to be useful but actually masks a destructive program
Logic bomb: an application or system virus designed to “explode” or execute at a specified time and date
Variant: a modified version of a virus that is produced by the virus’s author or another person who amends the original virus code
What is Fraud? Five Conditions of Fraud
False representation - false statement or disclosure
Material fact - a fact must be substantial (important) in inducing (bring to mind) someone to act
Intent to deceive must exist
The misrepresentation must have resulted in justifiable reliance (dependence) upon information, which caused someone to act
The misrepresentation must have caused injury or loss
2002 Study of Fraud
Why Fraud Occurs
Employee Fraud
Committed by non-management personnel
Usually consists of: an employee taking cash or other assets for personal gain by circumventing a company’s system of internal controls
Management Fraud
It is perpetrated (committed) at levels of management above the one to which internal control structure relates.
It frequently involves using the financial statements to create an illusion that an entity is more healthy and prosperous than it actually is.
If it involves misappropriation (fraud) of assets, it frequently is shrouded (masked) in a maze of complex business transactions.
Fraud Schemes
Three categories of fraud schemes according to the Association of Certified Fraud Examiners:
A. fraudulent statements
B. corruption
C. asset misappropriation
A. Fraudulent Statements
Misstating the financial statements to make the copy appear better than it is
Usually occurs as management fraud
May be tied to focus on short-term financial measures for success
May also be related to management bonus packages being tied to financial statements
B. Corruption
Bribery or Corruption
illegal gratuities
conflicts of interest
economic extortion

C. Asset Misappropriation
Most common type of fraud and often occurs as employee fraud.
making charges to expense accounts to cover theft of asset (especially cash)
lapping: using customer’s check from one account to cover theft from a different account
transaction fraud: deleting, altering, or adding false transactions to steal assets
Computer Fraud
Theft, misuse, or misappropriation of assets by altering computer data
Theft, misuse, or misappropriation of assets by altering software programming
Theft or illegal use of computer data/information
Theft, corruption, illegal copying or destruction of software or hardware
Theft, misuse, or misappropriation of computer hardware
Data Collection Fraud
This phase of the system is most vulnerable because it is very easy to change data as it is being entered into the system. Also called input fraud (unauthorized alteration of data before it is entered, either directly or by giving incorrect information to an innocent dupe).
Also, GIGO (garbage in, garbage out) reminds us that if the input data is inaccurate, processing will result in inaccurate output.
Data Processing Fraud
Program Frauds
altering programs to allow illegal access to and/or manipulation of data files
destroying programs with a virus
Operations Frauds
misuse of company computer resources, such as using the computer for personal business
Database Management Fraud
Altering, deleting, corrupting, destroying, or stealing an organization’s data
also called processing fraud
writing or altering the program to divert money (e.g. salami slicing)

Oftentimes conducted by disgruntled or ex-employee
Information Generation Fraud
Stealing, misdirecting, or misusing computer output
Also called output fraud
destroying, hiding or altering computer output (e.g. printed reports)
searching through the trash cans on the computer center for discarded output (the output should be shredded, but frequently is not)
Cyber crime
Types of Cyber crime:
Unauthorized access by insiders (such as employees)
System penetration by outsiders (such as hackers)
Theft of proprietary information (whether a simple user ID and password or a trade secret worth millions of dollars)
Financial fraud using computers
Sabotage of data or networks
Disruption of network traffic (e.g., denial of service attacks)

Creation and distribution of computer viruses
Software piracy
Identity theft
Hardware theft (e.g., laptop theft).
Terrorists that target critical infrastructures, such as the PSTN, and the air traffic control system.

CSI/FBI Computer Crime and Security Survey Results Revealed:
Organizations are under cyberattack from both inside and outside their electronic perimeters.
A wide range of cyberattacks have been declared.
Cyberattacks can result in serious financial losses.
Defending successfully against such attacks requires more than just the use of information security technologies.
Types of Cyberattacks, by percentage (source- FBI)
Financial fraud: 11%
Sabotage (damage) of data/networks: 17%
Theft of proprietary information: 20%
System penetration from the outside: 25%
Denial of service: 27%
Unauthorized access by insiders: 71%
Employee abuse of internet privileges 79%
Viruses: 85%
Top Cyber Crimes that Attack Business
Industrial Espionage and Hackers
Wi-Fi High Jacking

“Spam accounts for 9 out of every 10 emails in the United States.”
MessageLabs, Inc., an email management and security company based in New York.

“We do not object to the use of this slang term to describe UCE (unsolicited commercial email), although we do object to the use of the word “spam” as a trademark and the use of our product image in association with that term”

Can-Spam Act of 2003
Controlling the Assault of Non-Solicited Pornography and Marketing Act (Can-Spam)
Signed into law by President Bush on Dec 16, 2003
Took effect Jan 1, 2004

Unsolicited commercial email must:
Be labeled
Include Opt-Out instructions
No false headers –lists all the latest in federal, state, and international laws
Spam is Hostile
You pay for Spam, not Spammers
Email costs are paid by email recipients
Spam can be dangerous
Never click on the opt-out link!
May take you to hostile web site where mouse-over downloads an .exe
Tells spammers they found a working address
They won’t take you off the list anyway
What should you do?
Filter it out whenever possible
Keep filters up to date
If you get it, just delete the email
Viruses and Worms
software that piggybacks (attach, associate, take credit) on other software and runs when you run something else
Macro in excel, word
Transmitted through sharing programs on bulletin boards
Passing around floppy disks
An .exe, .com file in your email
software that uses computer networks to find security holes to get in to your computer – usually in Microsoft OS!! But worm for MAC was recently written
Hackers are Everywhere

Stealing data
Industrial Espionage (spying)
Identity theft
Deleting data for fun
A lot of bored 16 year olds late at night
Turning computers into zombies
To commit crimes
Take down networks
Distribute porn
Harass (Irritate) someone
Ethical/white hat hackers exist too
Help break into networks to prevent crimes
Wireless Fidelity (Wi-Fi)
Using antennas to create “hot spots”
Hotspots – Internet Access (sometimes free)
Newport Harbor - All the boats in Harbor have internet access
San Francisco Giants Stadium – Surf the web while catching a game

Wi-Fi High Jacking
60-70% wireless networks are wide open

Why are the Wi-Fi networks unprotected?
Most people say “Our data is boring”
But… criminals look for wireless networks to commit their crimes
And… the authorities will come knocking on your door…..

Protect your Computers!
Use anti-virus software and firewalls - keep them up to date

Keep your operating system up to date with critical security updates and patches

Don't open emails or attachments from unknown sources

Use hard-to-guess passwords. Don’t use words found in a dictionary. Remember that password cracking tools exist

Back-up your computer data on disks or CDs often

Don't share access to your computers with strangers

If you have a wi-fi network, password protect it

Disconnect from the Internet when not in use

Reevaluate your security on a regular basis

Make sure your employees and family members know this info too!

No comments: