
Week-7

Computer Misuse:
Hacking
Hacking, unauthorized access
Types of Computer Crime
Introduction of Viruses
Fraud and types of Computer Fraud
Cyber crime
What Is Hacking?
 The act of forfeiting individual freedom of
action or professional integrity in
exchange for wages or other assured
reward
 At first, “hacker” was a positive term for a
person with a mastery of computers who
could push programs beyond what they
were designed to do
Reasons For Hacking
 Theft of services: The first reason is theft
of service, if a system offers some type of
service and a hacker has a use for it, they
will hack the system. Examples of such
systems are on-line information networks
(CompuServe, AOL etc)
 Take valuable files: The second reason a
hacker may hack into a system is to take
valuable files, e.g., credit card numbers,
or info on operation of telecommunication
systems
 Vengeance and hate: another reason for
hacking is vengeance and hatred
 E.g. hacker pillaged US files to sell secrets to Saddam
 Thrill and excitement: The fourth reason
hackers break into systems is for the thrill and
excitement of being somewhere you are not
authorized to be
 The final reason why hackers do what
they do is just for knowledge and
experiment. Hackers learn a great deal
every time they break into a new type of
system
Talking the Talk
 Hackers have their own lingo and style of
writing
 Hacker lingo is so pervasive, there’s even
the new hacker’s dictionary, recently
published in its third edition
Attacks on the Increase
A study released this spring by the
Computer Security Institute and the FBI's
international crime squad found that nearly
two-thirds of more than 500 organizations
reported a computer security breach
(violation) within the past year, up from 48
percent a year ago and 22 percent the
year before that
 Many hacker attacks go unreported
because companies want to avoid
negative publicity
 Other companies stung by hackers feel
compelled to tell what happened
What’s Being Done?
 While the internet has revolutionized
(uprising) business and communication
almost overnight, laws regulating its use
and misuse haven't developed as swiftly
 But in the last few years Congress and the
courts have started responding to the
threat posed by computer crime
 There are laws in the federal statutes (act,
law) that have been applied to hacker
cases. These laws aren't designed
specifically to counter computer crime, but
have been applied to certain cases when
existing law has proved inadequate in
scope:
How to Be Vigilant
 Get a copy of your credit report
 Shred (cut up) all your information that you
have offline
 Confidential information should be
encrypted
 Another thing you should do is make sure
that you don't give confidential information
by cell phone, or by a remote phone, or on
the internet unless it's encrypted
 And finally, you should put up firewalls so
someone can't come in and steal your
information from your computer
Unauthorized Access
 Eavesdropping on a computer;
• Listening to a specific port, snooping the IP etc
 Making unauthorized use of computers for
personal benefit;
• use of company computer for private work
 Unauthorized alteration or destruction of
information stored on a computer;
 Criminal damage
• Intentionally or recklessly destroys or damages property belonging to
another without lawful excuse.
 Section 3 of the Computer Misuse Act 1990
• 1) A person is guilty of an offence if:
a) he does any act which causes unauthorized modification of the
contents of a computer; and
b) at the time when he does the act he has the requisite intent and the
requisite knowledge.
 Denying access to an authorized user;
 The unauthorized removal of information stored on
a computer.
 U.S. Computer Fraud and Abuse Act
 Unauthorized access to a computer containing data
protected for the national defense or foreign relations
concerns
 Unauthorized access to a computer containing certain
banking or financial information
 Unauthorized access, use, modification, destruction, or
disclosure of a computer or information in a computer
operated on behalf of the U.S. government
 Accessing without permission a “protected computer,”
which the courts now interpret to include any computer
connected to the Internet
 Computer fraud
 Transmitting code that causes damage to a computer
system or network
 Trafficking in computer passwords
Computer Crime

 The vast, interconnected information systems of today
are a relatively open territory of crime where the modern
computer criminal seems to remain one step ahead of
the law enforcing officials.
 Crimes are committed by people that have:
 Knowledge to gain access to a computer system
 Knowledge to manipulate the system to produce the desired
result
 Generally, the computer is used:
 As a tool to commit crime
 As the object of crime
Computers as Tools to Commit
Crime
 Credit card fraud, by illegally gaining access to bank
accounts (or credit cards)
 Making illegal financial transactions like fraudulent
payments
 Counterfeiting money, bank checks, stock and bond
certificates using high-quality printers
Computers as Objects of Crime
 Illegal access and use of the organization's computer based
information systems by a criminal hacker
 Data alteration and destruction many times caused by a virus
(application or system virus), a worm, a logic bomb or a
Trojan horse
 Data and information theft by those that illegally access the
system (usually insiders)
 Equipment theft
 Software piracy by illegally duplicating software (patrolled by
the Software Publishers Association)
 Computer-related scams or cheats especially over the Internet
 International computer crime especially crime related to
obtaining computer hardware, related technology and trade
secrets
Table 1.0: Common Methods Used
to Commit Computer Crimes
(continued)
Types of Computer Crime

 Any crime in which computer-related technology
is encountered.
 The commission of illegal acts through the use of
a computer or against a computer system.

 Types of Computer Crime

 Business attacks
 Financial attacks
 Terrorist attacks
 Grudge attacks
 Fun attacks
 Business attacks
 Unauthorized access to, or hacking of, the business documents
and reports of a company for any valid reason.
 Financial attacks
 Unauthorized access to, or hacking of, the financial or account
related documents and reports of a company for any valid
reason.
 Terrorist attacks
 Unauthorized access to, or hacking of, any important records,
data or computer of a company for the purpose of
destruction only.
 Grudge attacks
 Unauthorized access to, or hacking of, any important records,
data or computer of a company out of a feeling of dislike or
revenge.
 Fun attacks
 Unauthorized access to, or hacking of, any important records,
data or computer of a company for fun.
Computer Virus and its types

 Virus: a program that attaches itself to other
programs
 Worm: an independent program that replicates
its own program files until it interrupts the
operation of networks and computer systems
 Malware: software that is harmful or destructive,
such as viruses and worms
 Trojan horse: a program that appears to be useful but
actually masks a destructive program
 Logic bomb: an application or system virus designed to
“explode” or execute at a specified time and date
 Variant: a modified version of a virus that is produced by
the virus’s author or another person who amends the
original virus code
What is Fraud?
Five Conditions of Fraud
 False representation - false statement or
disclosure
 Material fact - a fact must be substantial
(important) in inducing (bring to mind)
someone to act
 Intent to deceive must exist
 The misrepresentation must have resulted in
justifiable reliance (dependence) upon
information, which caused someone to act
 The misrepresentation must have caused
injury or loss
2002 Study of Fraud
 Loss due to fraud equal to 6% of revenues—
approximately $600 billion
 Loss by position within the company:
Why Fraud Occurs

 Situational Pressures: an employee is experiencing financial difficulties
 Available Opportunities: poor internal controls
 Personal Characteristics: personal morals of individual employees
Computer Fraud
 Theft, misuse, or misappropriation of assets by
altering computer data
 Theft, misuse, or misappropriation of assets by
altering software programming
 Theft or illegal use of computer
data/information
 Theft, corruption, illegal copying or destruction
of software or hardware
 Theft, misuse, or misappropriation of computer
hardware
Data Collection Fraud
 This phase of the system is most vulnerable because it is very easy to
change data as it is being entered into the system. Also called input fraud
(unauthorized alteration of data before it is entered, either directly or by
giving incorrect information to an innocent dupe).
 Also, GIGO (garbage in, garbage out) reminds us that if the input data is
inaccurate, processing will result in inaccurate output.
Data Processing Fraud
Program Frauds
 altering programs to allow illegal access to
and/or manipulation of data files
 destroying programs with a virus

Operations Frauds
 misuse of company computer resources, such
as using the computer for personal business
Database Management Fraud
Altering, deleting, corrupting, destroying, or
stealing an organization’s data
 also called processing fraud
 writing or altering the program to divert money
(e.g. salami slicing)

 Often conducted by a disgruntled employee or
ex-employee
Information Generation Fraud

Stealing, misdirecting, or misusing computer
output
 Also called output fraud
 destroying, hiding or altering computer output (e.g.
printed reports)
Scavenging
 searching through the trash cans at the
computer center for discarded output (the
output should be shredded, but frequently is
not)
Cyber crime
 Types of Cyber crime:
 Unauthorized access by insiders (such as employees)
 System penetration by outsiders (such as hackers)
 Theft of proprietary information (whether a simple user
ID and password or a trade secret worth millions of
dollars)
 Financial fraud using computers
 Sabotage of data or networks
 Disruption of network traffic (e.g., denial of service
attacks)
 Creation and distribution of computer viruses
 Software piracy
 Identity theft
 Hardware theft (e.g., laptop theft).
 Terrorists that target critical infrastructures,
such as the PSTN, and the air traffic control
system.
CSI/FBI Computer Crime and Security Survey Results
Revealed:

 Organizations are under cyberattack from both inside
and outside their electronic perimeters.
 A wide range of cyberattacks have been declared.
 Cyberattacks can result in serious financial losses.
 Defending successfully against such attacks requires
more than just the use of information security
technologies.
CYBERCRIME 2000

 Types of Cyberattacks, by percentage (source: FBI)
 Financial fraud: 11%
 Sabotage (damage) of data/networks: 17%
 Theft of proprietary information: 20%
 System penetration from the outside: 25%
 Denial of service: 27%
 Unauthorized access by insiders: 71%
 Employee abuse of internet privileges: 79%
 Viruses: 85%
Top Cyber Crimes that Attack
Business
Spam
Viruses/Worms
Industrial Espionage and Hackers
Wi-Fi High Jacking
Spam
“Spam accounts for 9 out of every 10
emails in the United States.”
MessageLabs, Inc., an email management
and security company based in New
York.

“We do not object to the use of this slang
term to describe UCE (unsolicited
commercial email), although we do
object to the use of the word “spam” as
a trademark and the use of our product
image in association with that term”
www.hormel.com
Can-Spam Act of 2003
 Controlling the Assault of Non-Solicited Pornography and Marketing
Act (Can-Spam)
 Signed into law by President Bush on Dec 16, 2003
 Took effect Jan 1, 2004

 Unsolicited commercial email must:


 Be labeled
 Include Opt-Out instructions
 No false headers

 www.spamlaws.com – lists all the latest in federal, state, and
international laws
Spam is Hostile
 You pay for Spam, not
Spammers
 Email costs are paid by email
recipients
 Spam can be dangerous
 Never click on the opt-out link!
 May take you to hostile web
site where mouse-over
downloads an .exe
 Tells spammers they found a
working address
 They won’t take you off the list
anyway
 What should you do?
 Filter it out whenever possible
 Keep filters up to date
 If you get it, just delete the
email
Suzanne Mello - Nov 5 2004
Viruses and Worms
 Viruses
 software that piggybacks
(attach, associate, take credit)
on other software and runs
when you run something else
 Macro in excel, word
 Transmitted through sharing
programs on bulletin boards
 Passing around floppy disks
 An .exe, .com file in your email
 Worms
 software that uses computer
networks to find security holes
to get into your computer –
usually in Microsoft OS!! But a
worm for Mac was recently
written
Hackers are Everywhere

 Stealing data
 Industrial Espionage (spying)
 Identity theft
 Deleting data for fun
 A lot of bored 16 year olds late at
night
 Turning computers into zombies Mafia Boy
 To commit crimes
 Take down networks
 Distribute porn
 Harass (Irritate) someone
 Ethical/white hat hackers exist too
 Help break into networks to
prevent crimes
Wireless Fidelity (Wi-Fi)
 Using antennas to create “hot spots”
 Hotspots – Internet Access (sometimes free)
 Newport Harbor - All the boats in Harbor have internet access
 San Francisco Giants Stadium – Surf the web while catching a
game
Wi-Fi High Jacking
60-70% wireless networks are wide open

Why are the Wi-Fi networks unprotected?
 Most people say “Our data is boring”
 But… criminals look for wireless networks to commit their crimes
 And… the authorities will come knocking on your door…..
Protect your Computers!
 Use anti-virus software and firewalls - keep them up to date
 Keep your operating system up to date with critical security updates
and patches
 Don't open emails or attachments from unknown sources
 Use hard-to-guess passwords. Don’t use words found in a
dictionary. Remember that password cracking tools exist
 Back up your computer data on disks or CDs often
 Don't share access to your computers with strangers
 If you have a Wi-Fi network, password protect it
 Disconnect from the Internet when not in use
 Reevaluate your security on a regular basis
 Make sure your employees and family members know
this info too!
