mh-SERVICE
http://www.mh-service.de/index_forensik.htm
PORTABLE-PC
Portable-PC Anfrage
Computerforensik
Forensik-Anfrage
Garantie und Support
Kontakt
Download
Wir ьber uns
Impressum
Weee Rohs
Unsere ALGB
Computer crime
From Wikipedia, the free encyclopedia
Criminal law
Part of the common law series
Criminal elements
Actus reus · Causation · Concurrence
Mens rea · Intention · Recklessness
Criminal negligence · Ignorantia juris…
Strict, Corporate & Vicarious liability
Crimes against people
Assault · Battery · Robbery
Sexual offences · Pimping · Rape
Kidnapping · Manslaughter · Murder
Crimes against property
Criminal damage · Arson
Theft · Burglary · Deception
Crimes against justice
Obstruction of justice · Bribery
Perjury · Malfeasance in office
Inchoate offenses
Attempt
Conspiracy · Accessory
Criminal defenses
Automatism, Intoxication & Mistake
Insanity · Diminished responsibility
Duress · Necessity
Provocation · Self defence
Other areas of the common law
Contract law · Tort law · Property law
Wills and trusts · Evidence
Portals: Law · Criminal justice
Computer crime, cybercrime, e-crime, hi-tech crime or electronic crime generally refers to criminal activity where a computer or network is the source, tool, target, or place of a crime. These categories are not exclusive and many activities can be characterized as falling in one or more category. Additionally, although the terms computer crime or cybercrime are more properly restricted to describing criminal activity in which the computer or network is a necessary part of the crime, these terms are also sometimes used to include traditional crimes, such as fraud, theft, blackmail, forgery, and embezzlement, in which computers or networks are used to facilitate the illicit activity.
Computer crime can broadly be defined as criminal activity involving an information technology infrastructure, including illegal access (unauthorized access), illegal interception (by technical means of non-public transmissions of computer data to, from or within a computer system), data interference (unauthorized damaging, deletion, deterioration, alteration or suppression of computer data), systems interference (interfering with the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data), misuse of devices, forgery (ID theft), and electronic fraud.Contents [hide]
1 Discussion
1.1 Fraud
1.2 Offensive Content
1.3 Harassment
1.4 Drug Trafficking
1.5 Cyberterrorism
2 Documented Cases of Computer Crimes
3 See also
4 Applicable laws
4.1 United States
4.2 Canada
4.3 United Kingdom
4.4 Australia
4.5 Singapore
4.6 Others
5 Academic resources
6 Government resources
7 Other external links
8 References
Discussion
A common example would be when a person intends to steal information from, or cause damage to, a computer or computer network. This can be entirely virtual in that the information only exists in digital form, and the damage, while real, has no physical consequence other than the machine ceases to function. In some legal systems, intangible property cannot be stolen and the damage must be visible, e.g. as resulting from a blow from a hammer. Yet denial of service attacks for the purposes of extortion may result in significant damage both to the system and the profitability of the site targeted. A further problem is that many definitions have not kept pace with the technology. For example, where the offense requires proof of a trick or deception as the operative cause of the theft, this may require the mind of a human being to change and so do or refrain from doing something that causes the loss. Increasingly, computer systems control access to goods and services. If a criminal manipulates the system into releasing the goods or authorizing the services, has there been a "trick", has there been a "deception", does the machine act because it "believes" payment to have been made, does the machine have "knowledge", does the machine "do" or "refrain from doing" something it has been programmed to do (or not). Where human-centric terminology is used for crimes relying on natural language skills and innate gullibility, definitions have to be modified to ensure that fraudulent behavior remains criminal no matter how it is committed (consider the definition of wire fraud).
Issues surrounding hacking, copyright infringement through warez, child pornography, and paedophilia (see child grooming), have become high-profile. But this emphasis fails to consider the equally real but less spectacular issues of obscene graffiti appearing on websites and "cyberstalking" or harassment that can affect everyday life. There are also problems of privacy when confidential information is lost, say, when an e-mail is intercepted whether through illegal hacking, legitimate monitoring (increasingly common in the workplace) or when it is simply read by an unauthorized or unintended person.
In R v Stanford (2006) EWCA Crim 258 the defendant was charged with the unlawful interception of e-mail communications to a public company under s1(2) Regulation of Investigatory Powers Act 2000. After his resignation as deputy chairman of the company, he was found to have intercepted e-mail to and from certain persons in that company. His defense under s1(6) was that the interceptions had been made at his request by the company's computer system administrator who was excluded from criminal liability because either he was a person who had a right to control the operation or use of the system (s1 (6) (a)) or because he had the express or implied consent of such a person to make the interception (s1(6)(b)). The Court of Appeal held that to "control" for the purposes of s1(6) meant to "authorize and forbid". An administrator only has the power physically to use and operate the system. There is no control in the management sense. The objective of s1 of the Act was to protect the privacy of e-mails. If anyone with unrestricted ability to operate and use a telecommunications system were exempt from criminal liability for intercepting communications, it would defeat the purpose of the statute.
E-mail and Short Message Service (SMS) messages are seen as casual communication including many things that would never be put in a letter. But unlike spoken communication, there is no intonation and accenting, so the message can be more easily distorted or interpreted as offensive. In England and Wales, s43 Telecommunications Act 1984 makes it an offense to use a public telecommunications network to send 'grossly offensive, threatening or obscene' material, and a 'public telecommunications network' is widely enough defined to cover Internet traffic which goes through telephone lines or other cables.
Secondly, a computer can be the tool, used, for example, to plan or commit an offense such as larceny or the distribution of child pornography. The growth of international data communications and in particular the Internet has made these crimes both more common and more difficult to police. And using encryption techniques, criminals may conspire or exchange data with fewer opportunities for the police to monitor and intercept. This requires modification to the standard warrants for search, telephone tapping, etc.
Thirdly, a computer can be a source of evidence. Even though the computer is not directly used for criminal purposes, it is an excellent device for record keeping, particularly given the power to encrypt the data. If this evidence can be obtained and decrypted, it can be of great value to criminal investigators. Thus, specialized government agencies and units have been set up to develop the necessary expertise. See below for a link to the U.S. Department of Justice's website about e-crime and its computer forensics services.
Fraud
Computer fraud is any dishonest misrepresentation of fact intended to induce another to do or refrain from doing something which causes loss. In this context, the fraud will result in obtaining a benefit by:
altering computer input in an unauthorized way. This requires little technical expertise and is not an uncommon form of theft by employees altering the data before entry or entering false data, or by entering unauthorized instructions or using unauthorized processes;
altering, destroying, suppressing, or stealing output, usually to conceal unauthorized transactions: this is difficult to detect;
altering or deleting stored data; or
altering or misusing existing system tools or software packages, or altering or writing code for fraudulent purposes. This requires real programming skills and is not common.
Manipulating banking systems to make unauthorized identity theft with reference to ATM fraud.
Offensive Content
The content of websites and other electronic communications may be harmful, distasteful or offensive for a variety of reasons. Most countries have enacted law that place some limits on the freedom of speech and ban racist, blasphemous, politically subversive, seditious or inflammatory material that tends to incite hate crimes. This is a sensitive area in which the courts can become involved in arbitrating between groups with entrenched beliefs, each convinced that their point of view has been unreasonably attacked. In England, s28 Crime and Disorder Act 1998 defines a racial group, following Mandla v Dowell-Lee (1983) 2 AC 548 (in which a requirement to wear a cap as part of a school uniform had the effect of excluding Sikh boys whose religion required them to wear a turban), as a group of persons defined by reference to race, color, nationality (including citizenship) or ethnic or national origin; and a religious group as a group of persons defined by reference to religious belief or lack of religious belief. Therefore, it is equally an offense to show hostility to a person who practices a particular faith as to a person who has no religious belief or faith.
Harassment
Whereas content may be offensive in a non-specific way, harassment directs obscenities and derogatory comments at specific individuals focusing for example on gender, race, religion, nationality, sexual orientation. This often occurs in chat rooms, through newsgroups, and by sending hate e-mail to interested parties (see cyber bullying, harassment by computer, stalking, and cyberstalking). In England, in a broader form than s43 Telecommunications Act 1984, s1 Malicious Communications Act 1988 makes it an offense to send an indecent, offensive or threatening letter, electronic communication or other article to another person. Now, s2 Protection from Harassment Act 1997 criminalizes a course of conduct amounting to harassment which the defendant knows, or ought to know, amounts to harassment of another. If a reasonable person in possession of the same information would think the course of conduct amounted to harassment of the other, the knowledge will be imputed to the defendant. Although harassment is not defined, s7 states that it includes causing alarm or distress, and conduct is defined as including speech in all its forms. In DPP v Collins (2006) 1 WLR 308 the defendant repeatedly telephoned the offices of his MP on a wide range of political matters. In conversations with employees at the office and on messages left on the telephone answering machine, he used racist terms to show the frustration he felt at the way in which his affairs were being handled. No-one was personally offended, but the staff became depressed. Charged under s127(1) Communications Act 2003, the magistrates found that the terms were offensive but that a reasonable person would not find them grossly offensive. To determine whether any message content is merely offensive or grossly offensive depended on their particular circumstances and context, i.e. in the wider society which is an open and just multi-racial society, the test of offensiveness was objective.
More problematic are deliberate attacks which amount to defamation although, in March 2006, Michael Keith-Smith became the first person to win damages from an individual internet user after she accused him of being a 'sex offender' and 'racist blogger' on a Yahoo! discussion site. She also claimed that his wife was a prostitute. The High Court judge decided that Tracy Williams, of Oldham, was "particularly abusive" and "her statements demonstrated that ... she had no intention of stopping her libellous and defamatory behavior". She was ordered to pay £10,000 in damages, plus £7,200 costs. In general, libel is not treated as a criminal matter except when it may provoke the person defamed into retaliatory violence (see cybersmearing as it affects business [1]. All forms of unsolicited e-mail and advertisements can also be considered to be forms of Internet harassment where the content is offensive or of an explicit sexual nature. Now termed spam, it has been criminalized in various countries[2]
Drug Trafficking
Drug traffickers are increasingly taking advantage of the Internet to sell their illegal substances through encrypted e-mail and other Internet Technology. Some drug traffickers arrange deals at internet cafes, use courier Web sites to track illegal packages of pills, and swap recipes for amphetamines in restricted-access chat rooms.
The Internet's easy-to-learn, fast-paced character, global impact, and fairly reliable privacy features facilitate the marketing of illicit drugs. Detecting money laundering of cash earned by drug traffickers is very difficult, because dealers are now able to use electronic commerce and Internet banking facilities. Also, traffickers have been using online package tracking services offered by courier companies to keep tabs on the progress of their shipments. If there happened to be some sort of undue delay, this could signal authority interception of the drugs, which would still allow the dealers time to cover their tracks. Law enforcement is also more deficient because illicit drug deals are arranged instantaneously, over short distances, making interception by authorities much more difficult.
The rise in Internet drug trades could also be attributed to the lack of face-to-face communication. These virtual exchanges allow more intimidated individuals to more comfortably purchase illegal drugs. The sketchy effects that are often associated with drug trades are severely minimized and the filtering process that comes with physical interaction fades away. Furthermore, traditional drug recipes were carefully kept secrets. But with modern computer technology, this information is now being made available to anyone with computer access.
Cyberterrorism
Main article: Cyberterrorism
Government officials and IT security specialists have documented a significant increase in Internet probes and server scans since early 2001. There is a growing concern among federal officials[attribution needed] that such intrusions are part of an organized effort by cyberterrorists, foreign intelligence services, or other groups to map potential security holes in critical systems. A cyberterrorist is someone who intimidates or coerces a government or organization to advance his or her political or social objectives by launching computer-based attack against computers, network, and the information stored on them.
Even before the September 11, 2001, terrorist attacks, the U.S. government considered the potential threat of cyberterrorism serious enough that is established the National Infrastructure Protection Center in February 1998. This function was transferred to the Homeland Security Department's Information Analysis and Infrastructure Protection Directorate to serve as a focal point for threat assessment, warning, investigation, and response for threats or attacks against US critical infrastructure, which provide telecommunications, energy, banking and finance, water systems, government operations, and emergency services. Successful cyberattacks against the facilities that provide these services could cause widespread and massive disruptions to the normal function of our society.
Cyberterrorism in general, can be defined as an act of terrorism committed through the use of cyberspace or computer resources. As such, a simple propaganda in the Internet, that there will be bomb attacks during the holidays can be considered cyberterrorism. At worst, cyberterrorist may use the Internet or computer resources to carry out an actual attack.
Documented Cases of Computer Crimes
The Yahoo website was attacked at 10:30 PST on Monday, 7 February 2000. The attack lasted three hours. Yahoo was pinged at the rate of one gigabyte/second.
On 3 August 2000, Canadian federal prosecutors charged MafiaBoy with 54 counts of illegal access to computers, plus a total of ten counts of mischief to data for his attacks on Amazon.com, eBay, Dell Computer, Outlaw.net, and Yahoo. MafiaBoy had also attacked other websites, but prosecutors decided that a total of 66 counts was enough. MafiaBoy pled not guilty.
About fifty computers at Stanford University, and also computers at the University of California at Santa Barbara, were amongst the zombie computers sending pings in DoS attacks.
In 26 March 1999, the Melissa worm infected a document on a victim's computer, then automatically sent that document and copy of the virus via e-mail to other people.
See also
Cybercrime
malicious code
Denial-of-service attack
Hacking
virus
trojan horse
Cyberterrorism
Information warfare
Cyberstalking
Fraud and identity theft, including phishing
Virtual crime
Applicable laws
United States
ACCESS DEVICE FRAUD. 18 U.S.C. § 1029. Fraud and related activity in connection with access devices.
COMPUTER FRAUD AND ABUSE ACT. 18 U.S.C. § 1030. Fraud and related activity in connection with computers.
CAN-SPAM ACT. 15 U.S.C. § 7704. Controlling The Assault of Non-Solicited Pornography and Marketing Act of 2003.
EXTORTION AND THREATS. 18 U.S.C. § 875. EXTORTION and THREATS. Interstate communications.
IDENTITY THEFT AND ASSUMPTION DETERRENCE ACT of 1998. 18 U.S.C. § 1028. Fraud and related activity in connection with identification documents, authentication features, and information.
WIRE FRAUD. 18 U.S.C. § 1343. Fraud by wire, radio, or television.
No Electronic Theft ("NET") Act. 17 U.S.C. § 506. Criminal Offenses. (criminal copyright infringement)
Digital Millennium Copyright Act of 1998 (DMCA) . 17 U.S.C. § 1201. Circumvention of copyright protection systems.
Electronic Communications Privacy Act, 18 U.S.C. § 2701, et seq. (STORED WIRE AND ELECTRONIC COMMUNICATIONS AND TRANSACTIONAL RECORDS ACCESS)
Trade Secrets Act. 18 U.S.C. § 1832. Theft of trade secrets.
Economic Espionage Act. 18 U.S.C. § 1831. Economic Espionage.
US Computer Crime Laws by State
Canada
Criminal Code of Canada, Section 342. Unauthorized Use of Computer.
Criminal Code of Canada, Section 184. Interception of Communications
United Kingdom
The Computer Misuse Act 1990 (chapter 18.)
The Regulation of Investigatory Powers Act 2000 (chapter 23.)
The Anti-terrorism, Crime and Security Act 2001 (chapter 24.)
The Data Protection Act 1998 (chapter 29.)
The Fraud Act 2006 (chapter 35.)
Potentially the Forgery and Counterfeiting Act 1981 (chapter 45) may also apply in relation to forgery of electronic payment instruments accepted within the United Kingdom.
The CMA was recently amended by the Police and Justice Act 2006 (chapter 48)
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (Statutory Instrument 2003 No. 2426.)
See also the UK Internet Rights web site and the All Party Internet Group report on recommended amendments to the CMA.
Australia
Cybercrime Act 2001 (Commonwealth)
Crimes Act 1900 (NSW): Part 6, ss 308-308I.
Criminal Code (WA): Section 440a, Unlawful Operation of a Computer System
Singapore
Computer Misuse Act 1993 (Chapter 50A)
Others
Council of Europe Convention on Cybercrime
Global Survey of Cybercrime Law
Unauthorized Access Penal Laws in 44 Countries
Convention on Cybercrime
Academic resources
Cybercrimes.net and Cyb3rCrim3.org Susan W. Brenner
Cybercrime - High Tech crime JISC Legal Information Service
A Guide to Computer Crime Practitioner.Com
Criminal Justice Resources - Cybercrime
Cybercrime NYLS
Government resources
Cybercrime.gov US Department of Justice CCIPS
US CERT United States Computer Emergency Readiness Team (US-CERT)
FBI Cyber Investigations Home Page
US Secret Service Computer Fraud
On Guard OnGuardOnline.gov provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information.
ID Theft one-stop national resource to learn about the crime of identity theft
FindLaw Computer Crime
RCMP Computer Crime Prevention Royal Canadian Mounted Police
Other external links
Australian High Tech Crime Centre
Australian Computer Abuse Research Bureau (ACARB) introduction to computer abuse concepts
European Convention on Cybercrime [3]
Computer Crime Research Center - Daily news about computer crime, Internet fraud and cyber terrorism
Computer Forensics
Cyber Crime Law - News and commentary on preventing, detecting, and prosecuting computer crimes
Information Security Investigations - Real-life stories of hunting down computer criminals and cyber terrorists
http://www.cybercrime.gov - U.S. Department of Justice cybercrime web site
http://www.e-crimecongress.org - Annual e-Crime Conference Serving Europe & International corporations
http://www.ecce-conference.com/ - e-crime and computer evidence conference (first held in 2005 - now an annual event)
U.S. Department of Justice National Institute of Justice Electronic Crime Program
http://www.mosstingrett.no/info/legal.html#28 - The Legal Framework - Unauthorized Access to Computer Systems
http://www.cybercrimelaw.org/index.cfm - Cybercrime Law
http://www.rbs2.com/ccrime.htm#anchor666666 - Computer Crimes, Ronald B. Standler
Politically Motivated Computer Crime News and analysis
References
Categories: All pages needing cleanup | Wikipedia articles needing factual verification since October 2007 | Computer crimes | Criminal law | Computer law
Introduction
There are no precise, reliable statistics on the amount of computer crime and the economic loss to victims, partly because many of these crimes are apparently not detected by victims, many of these crimes are never reported to authorities, and partly because the losses are often difficult to calculate. Nevertheless, there is a consensus among both law enforcement personnel and computer scientists who specialize in security that both the number of computer crime incidents and the sophistication of computer criminals is increasing rapidly. Estimates are that computer crime costs victims in the USA at least US$ 5×108/year, and the true value of such crime might be substantially higher. Experts in computer security, who are not attorneys, speak of "information warfare". While such "information warfare" is just another name for computer crime, the word "warfare" does fairly denote the amount of damage inflicted on society.
I have posted a separate document, Tips for Avoiding Computer Crime, which includes suggestions for increasing the security and reliability of personal computers, as well as links to websites on computer viruses, computer crime, and anti-virus and firewall software.
Two comments on word usage in this essay:
I normally write in a gender neutral way, but here I use the masculine pronoun for computer criminals, because (1) female computer criminals are rare and (2) I can't imagine a feminist attacking me because I deny equal recognition to women criminals.
To some professional computer programmers, the word "hacker" refers to a skilled programmer and is neither pejorative nor does it refer to criminal activity. However, to most users of English, the word "hacker" refers to computer criminals, and that is the usage that I have adopted in this essay.
I originally wrote this essay in May 1999. I do not have the spare time that would be required for a thorough search and analysis of reported cases and statutes on computer crime, as well as newspaper accounts (most criminal proceedings are resolved without generating any judicial decision that is reported in legal databases or books), so my revisions are mostly generalizations.
new crimes in cyberspace
There are three major classes of criminal activity with computers:
unauthorized use of a computer, which might involve stealing a username and password, or might involve accessing the victim's computer via the Internet through a backdoor operated by a Trojan Horse program.
creating or releasing a malicious computer program (e.g., computer virus, worm, Trojan Horse).
harassment and stalking in cyberspace.
old crimes
When lay people hear the words "computer crime", they often think of obscene pictures available on the Internet, or solicitation of children for sex by pedophiles via chat rooms on the Internet. The legal problem of obscenity on the Internet is mostly the same as the legal problem of obscenity in books and magazines, except for some technical issues of personal jurisdiction on the Internet. I have discussed obscenity on the Internet in my May 1997 essay on law & technology and I have nothing further to say about obscenity in this essay on computer crime.
Similarly, many crimes involving computers are no different from crimes without computers: the computer is only a tool that a criminal uses to commit a crime. For example,
Using a computer, a scanner, graphics software, and a high-quality color laser or ink jet printer for forgery or counterfeiting is the same crime as using an old-fashioned printing press with ink.
Stealing a laptop computer with proprietary information stored on the hard disk inside the computer is the same crime as stealing a briefcase that contains papers with proprietary information.
Using the Internet or online services to solicit sex is similar to other forms of solicitation of sex, and so is not a new crime.
Using computers can be another way to commit either larceny or fraud.
In contrast to merely using computer equipment as a tool to commit old crimes, this essay is concerned with computer crimes that are new ways to harm people.
false origin
There are many instances of messages sent in the name of someone who neither wrote the content nor authorized the sending of the message. For example:
E-mails with bogus From: addresses were sent automatically by malicious programs (e.g., the Melissa virus in 1999, the BadTrans worm in 2001, the Klez program in 2002).
Posting messages in an Internet newsgroup or online bulletin board with a false author's name that is intended to harm the reputation of the real person of that name.
These acts might be punishable by existing criminal statutes that prohibit impersonation, forgery, deceit, or fraud. However, a judge might decide that the specific language in old statutes about writing or signature does not apply to e-mail. Rather than write new statutes for forged e-mail addresses or unauthorized sending of e-mail in someone else's name, I would prefer that legislatures broaden the existing criminal statutes for analogous crimes with paper and ink.
Similar issues arise in both: (1) fictitious From: addresses in some unsolicited commercial e-mail, also called spam or junk e-mail, and (2) fictitious source IP addresses in denial of service attacks.
1. Unauthorized Use
Unauthorized use of computers tends generally takes the following forms:
Computer voyeur. The criminal reads (or copies) confidential or proprietary information, but data is neither deleted nor changed.
In 1999, the Melissa virus infected a [possibly confidential] document on a victim's computer, then automatically sent that document and copy of the virus via e-mail to other people. Subsequently, the SirCam and Klez malicious programs made a similar release of [possibly confidential] documents from a victim's computer. These malicious programs are a new way to release confidential information from a victim's computer, with the confidential information going not to the author of the malicious program, but to some person unknown to the author of the malicious program.
Changing data. For example, change a grade on a school transcript, add "money" to a checking account, etc. Unauthorized changing of data is generally a fraudulent act.
Deleting data. Deleting entire files could be an act of vandalism or sabotage.
Denying service to authorized users. On a modern time-sharing computer, any user takes some time and disk space, which is then not available to other users. By "denying service to authorized users", I mean gobbling unreasonably large amounts of computer time or disk space, for example:
by sending large amounts of junk e-mail in one day, a so-called "mail bomb",
by having the computer execute a malicious program that puts the processing unit into an infinite loop, or,
by flooding an Internet server with bogus requests for webpages, thereby denying legitimate users an opportunity to download a page and also possibly crashing the server. This is called a denial of service (DoS) attack.
During 1950-1975, computer programs and data were generally stored on cardboard cards with holes punched in them. If a vandal were to break into an office and either damage or steal the punch cards, the vandal could be adequately punished under traditional law of breaking and entering, vandalism, or theft.
However, after about 1975, it became common to enter programs and data from remote terminals (a keyboard and monitor) using a modem and a telephone line. This same technology allowed banks to retrieve a customer's current balance from the bank's central computer, and merchants to process credit card billing without sending paper forms. But this change in technology also meant that a criminal could alter data and programs from his home, without physical entry into the victim's building. The traditional laws were no longer adequate to punish criminals who used computer modems.
Most unauthorized use of a computer is accomplished by a person in his home, who uses a modem to access a remote computer. In this way, the computer criminal is acting analogous to a burglar. The classic definition of a burglary is:
the breaking and entering of a building with the intent to commit a felony therein.
In traditional burglaries, the felony was typically larceny, an unlawful taking of another person's property. However, in the unauthorized use of another's computer, the criminal "enters" the computer via the telephone lines, which is not breaking into the building. Either the burglary statute needed to be made more general or new criminal statute(s) needed to be enacted for unauthorized access to a computer. Legislatures chose to enact totally new statutes.
To successfully use a remote computer, any user (including criminals) must have both a valid user name and valid password. There are several basic ways to get these data:
Call up a legitimate user, pretend to be a system administrator, and ask for the user name and password. This sounds ridiculous, but many people will give out such valuable information to anyone who pretends to have a good reason. Not only should you refuse to provide such information, but please report such requests to the management of the online service or the local police, so they can be alert to an active criminal.
Search user's offices for such data, as many people post their user name and password on the side of their monitor or filing cabinet, where these data can be conveniently seen.
Write a program that tries different combinations of user names and passwords until one is accepted.
Use a packet "sniffer" program to find user names and passwords as they travel through networks.
Search through a garbage bin behind the computer building in a university or corporate campus, find trash paper that lists user names and passwords.
A disgruntled employee can use his legitimate computer account and password for unauthorized uses of his employer's computer. This can be particularly damaging when the disgruntled employee is the computer system administrator, who knows master password(s) and can enter any user's file area. Such disgruntled employees can perpetrate an "inside job", working from within the employer's building, instead of accessing a computer via modem.
The computer voyeurs, like petty criminals who peek in other people's windows, generally hack into other people's computers for the thrill of it. In the 1970s and early 1980s, many of these computer voyeurs also used technology to make long-distance telephone calls for free, which technology also concealed their location when they were hacking into computers. Many of these voyeurs take a special thrill from hacking into military computers, bank computers, and telephone operating system computers, because the security is allegedly higher at these computers, so it is a greater technical challenge to hack into these machines.
The criminals who change or delete data, or who deliberately gobble large amounts of computer resources, have a more sinister motive and are capable of doing immense damage.
Of course, there is always the possibility that a computer voyeur will "accidentally" bumble around an unfamiliar system and cause appreciable damage to someone else's files or programs. Traditional criminal law in the USA places a great deal of emphasis on willful or intentional conduct, so such "accidental" damage would not satisfy the traditional requirement of mens rea (literally "guilty mind" or criminal intent). My personal opinion is that someone who deliberately hacks into someone else's computer should be accountable under criminal law for whatever damage is done by the unauthorized hacking, even if the damage is "accidental". In this regard, I would make an analogy to a homicide that occurs "accidentally" during the commission of a felony: the perpetrators are then charged with "felony murder": the intent to commit the hacking constitutes the malice or intent to cause the damage.
In the 1970s and early 1980s, a common reaction was that hackers were a minor nuisance, like teenagers throwing rolls of toilet paper into trees. Then, in August 1983, a group of young hackers in Milwaukee hacked into a computer at the Sloan-Kettering Cancer Institute in New York City. That computer stored records of cancer patients' radiation treatment. Altering files on that computer could have killed patients, which reminded everyone that hacking was a serious problem. This 1983 incident was cited by the U.S. Congress in the legislative history of a federal computer crime statute.
S. Rep. 99-432 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2480.
There is an interesting case under California state law for a criminal who improved his clients' credit rating. People v. Gentry, 285 Cal.Rptr. 591 (Cal.Ct.App. 1992).
altering websites
In recent years, there have been a large number of attacks on websites by hackers who are angry with the owner of the website. Victims of such attacks include various U.S. Government agencies, including the White House and FBI. Attacking the FBI website is like poking a lion with a stick.
In a typical attack, the hacker will delete some pages or graphics, then upload new pages with the same name as the old file, so that the hacker controls the message conveyed by the site.
This is not the worst kind of computer crime. The proper owner of the site can always close the website temporarily, restore all of the files from backup media, improve the security at the site, and then re-open the site. Nonetheless, the perpetrator has committed a computer crime by making an unauthorized use of someone else's computer or computer account.
The Internet is a medium for freely sharing information and opinions. However the criminals who trash other people's websites are acting as self-appointed censors who deny freedom of speech to those with whom they disagree. These criminals often make the self-serving excuse for their actions that they only attack sites sponsored by bad corporations or bad people. However, this excuse makes these criminals into vigilantes who serve as legislature, judge, jury, and executioner: arrogantly determining what is in the best interests of society.
One example of punishment for the crime of defacing a website is the case of Dennis M. Moran. On 9 March 2001, Moran (alias "Coolio"), a high school dropout, was sentenced in New Hampshire state court to nine months incarceration and ordered to pay a total of US$ 15000 restitution to his victims for defacing two websites:
In November 1999, he defaced the website of DARE America, an organization that campaigns against use of illicit drugs, whose website was in Los Angeles, California.
In February 2000, he defaced the website of RSA Security in Massachusetts.
In February 2000, he made "unauthorized intrusions" into computers at four different U.S. Army and Air Force installations.
See the New Hampshire DoJ press release.
Denial of Service (DoS) Attacks
A denial of service attack occurs when an Internet server is flooded with a nearly continuous stream of bogus requests for webpages, thereby denying legitimate users an opportunity to download a page and also possibly crashing the webserver.
Criminals have developed a simple technique for executing a distributed DoS attack:
The criminal first plants remote-control programs on dozens of computers that have broadband access to the Internet. The remote-control program will, at the command of the criminal, issue a nearly continuous series of pings to a specified victim's website.
When the criminal is ready to attack, he instructs the programs to begin pinging a specific target address. The computers containing the remote-control programs act as "zombies".
The victim computer responds to each ping, but because the zombie computers gave false source addresses for their pings, the victim computer is unable to establish a connection with the zombie computers. Because the victim computer waits for a response to its return ping, and because there are more zombie computers than victims, the victim computer becomes overwhelmed and either (a) does nothing except respond to bogus pings or (b) crashes.
Typically, after one or two hours, the criminal instructs his programs to stop pinging the victim. This brief duration is not because the criminal is a nice person, but because long-duration attacks make it easier for engineers at the victim's website to promptly trace the source of the attacks.
This may sound sophisticated, but the remote-control programs, and instructions for using them, are readily available from many pro-hacker websites since June 1999. My essay, Tips for Avoiding Computer Crime, has specific suggestions for how you can use firewall software on your computer to prevent your computer from being used by criminals in DoS attacks on victims.
Another kind of DoS attack uses a so-called "ping of death" to exploit bugs in software on webservers.
A study during three weeks in February 2001, showed that there are about 4000 DoS attacks each week. Most DoS attacks are neither publicized in the news media nor prosecuted in courts.
David Dittrich, a senior security engineer at the University of Washington and expert on Unix system administration, has posted a large collection of links to resources on distributed DoS attacks.
The following is one case involving a famous series of DoS attacks:
The Yahoo website was attacked at 10:30 PST on Monday, 7 Feb 2000. The attack lasted three hours. Yahoo was pinged at the rate of one gigabyte/second.
The websites of amazon.com buy.com cnn.com eBay.com were attacked on Tuesday, 8 Feb 2000. Each attack lasted between one and four hours. CNN reported that the attack on its website was the first major attack since its website went online in August 1995.
The websites of E*Trade, a stock broker, and ZDNet, a computer information company, were attacked on Wednesday, 9 Feb 2000.
About fifty computers at Stanford University, and also computers at the University of California at Santa Barbara, were amongst the zombie computers sending pings in these DoS attacks.
The attacks received the attention of President Clinton and the U.S. Attorney General, Janet Reno. The FBI began to investigate. A CNN news report posted at 18:44 EST on 9 Feb 2000 quotes Ron Dick of the FBI's National Infrastructure Protection Center as saying "A 15-year-old kid could launch these attacks. It doesn't take a great deal of sophistication to do."
His remark was prophetic, because, on 18 April 2000, a 15-year-old pupil in Montréal Canada was arrested and charged with two counts of "mischief to data" arising from his DoS attack on CNN. Because he was a juvenile, his name can not be publicly disclosed, so he was called by his Internet pseudonym Mafiaboy. The Royal Canadian Mounted Police seized Mafiaboy's computer.
CNN reported that Mafiaboy was granted bail, with the following conditions:
"may only use computers under the direct supervision of a teacher."
"prohibited from connecting to the Internet"
prohibited from entering "a store or company where computer services or parts are sold."
"barred from communicating with three of his closest friends."
On 3 August 2000, Canadian federal prosecutors charged Mafiaboy with 54 counts of illegal access to computers, plus a total of ten counts of mischief to data for his attacks on Amazon.com, eBay, Dell Computer, Outlaw.net, and Yahoo. Mafiaboy had also attacked other websites, but prosecutors decided that a total of 66 counts was enough. Mafiaboy pled not guilty.
In November 2000, Mafiaboy's bail was revoked, because he skipped school in violation of a court order. He spent two weeks in jail.
In December 2000, Mafiaboy, now 16 y old, dropped out of school (after being suspended from school six times since the beginning of that academic year, and failing all of his classes except physical education), and was employed at a menial job. He was again granted bail.
On 18 Jan 2001, Mafiaboy pleaded guilty to 5 counts of mischief to data and 51 counts of illegal access to computers. As part of a plea agreement between his attorney and prosecutors, the prosecution dismissed the remaining ten counts.
On 20 June 2001, a social worker reported to the court that Mafiaboy "shows no sign of remorse" and "he's still trying to justify what he did was right."
On 12 Sep 2001, Mafiaboy was sentenced to spend eight months in a juvenile detention center, then spend one year on probation. Because Mafiaboy was a child at the time of his crime, the maximum sentence that he could have received would be incarceration for two years. In issuing the sentence, Judge Gilles Ouellet commented:
This is a grave matter. This attack weakened the entire electronic communications system. And the motivation was undeniable, this adolescent had a criminal intent."
http://www.rbs2.com/ccrime.htm
Society/People/Lost_or_Missing/Locator_Services
criminallawyers
Related Links
Criminal Lawyers
Identity Theft
Florida DUI Attorney
California DUI Attorney
Illinois DUI Attorney
New Jersey DWI Attorney
Los Angeles DUI Attorney
Criminal Lawyer
Georgia DUI Attorney
Los Angeles DUI Lawyer
Texas DWI Attorney
| Posted in »