Crime Slide 2: Hacking Hacking trophy hacking phone phreaking Phone Phreaking 1970s John Draper Captain Crunch blueboxes phone phreaking Cracker

Transcription

1 Crime a) Cases through the years show how the Web changes the impact of crime and the impact of law. b) Our financial health is affected by technology all the new cybercrime that we have to keep up with and learn how to avoid. c) Because the hackers and criminals are so clever in finding security holes and stealing information, the technology has to continually evolve to keep up with finding and patching security flaws. Computers and the Internet make illegal activities easier to commit; they are more devastating and harder to detect. The average loss from a computer fraud is more than $100K. Identity Theft affects millions of people (8-10 million per year). No more is it just teenagers spray painting the speed limit sign to make the 35 look like 85 - computer vandalism by teenagers can bring business to a halt. Think about the damage that terrorists could accomplish they could sabotage power and communications systems. Did you know that your cell phone, handhelds, ipods, navigation systems, digital frames and other smaller devices can get viruses or be hacked into? Slide 2: Hacking Hacking breaking into computer systems on which the hacker has no authorized access. Early on, hacking referred to a creative programmer who wrote very elegant or clever programs. They created many of the first computer games and operating systems. Most had no intention of disrupting service; they frowned on doing damage. Hackers sought knowledge and intellectual challenges; some broke into systems just to see if they could do it, or to see how many times they could do it, which is referred to as trophy hacking. In the 1980s, hacking started taking on a more negative meaning, and included spreading computer viruses, pranks, thefts, and phone phreaking. o Phone Phreaking was a popular past time in the late 1970s and 1980s where the telephone service was tricked into giving free access to long-distance phone lines. o 1970s John Draper ( Captain Crunch ) discovered that a whistle in a cereal box generated a tone identical to the one used by the US telephone network and was able to fool the telephone system into giving free access to long-distance telephone lines. Eventually, instead of blowing the whistle into a pay phone mouthpiece, Draper and other resourceful individuals developed blueboxes, electronic tone generators that could reproduce the full series of tones that the US telephone network used in its call-routing system, making it possible to call anywhere in the world for free. Since then, phone phreaking has become a popular past time. Steve Wozniak, before created the Apple computer and cofounding Apple Computer Corp., was building blueboxes. Cracker in an attempt to preserve the original meaning of hacker, this term was to refer to those who break into systems without authorization, or those whose intent is to do damage, but hacker is more commonly used. White-hat hacker term used for those who hack into a system just to see if they can, just for the fun of it, with no criminal intent or intent to do damage; often to demonstrate system vulnerabilities or to improve security Black-hat hacker term for those who hack into a system with intent to destroy information or for illegal gain Script kiddies young, amateur, inexperienced hackers who sometimes use tools created by skilled hackers that they can find on the Internet Sniffers programs that read information traveling over the Internet and extract passwords Social engineering fooling people into disclosing information, such as passwords

2 Something to think about: Suppose a 16-year old hacker uses automatic-dialing software to flood the emergency 911 telephone system with calls, knocking out 911 service. What penalty do you think is appropriate? Would your opinion change if it had resulted in the death of someone because an emergency call couldn t get through? Slide 3: Hacking Cases 1970s John Draper ( Captain Crunch ) explained above late 1970s 1980s Kevin Mitnick famous hacker, has spent nearly ½ his adult life either in prison or as a fugitive. Beginning at age 12, he used social engineering to gain information on how to bypass systems; at 12, he found out how to obtain his own punch for the punch-cards used for the buses in LA and soon was getting free bus rides all over LA; he was into the phone phreaking craze enabling him to make free phone long distance phone calls; he gained unauthorized access to his first computer network in 1979 at the age of 16, getting into DECs computers and copying software; he gained unauthorized access to dozens of other computer networks, claiming to never have destroyed or deleted any files; he was a wanted fugitive of the FBI for a number of years, and was finally caught in the mid-1990s. He served 5 years in prison, including 8 months in solitary confinement because law enforcement officials convinced a judge that he was able to start a nuclear war by whistling into a pay phone. He was released in Jan Now he has his own computer security consulting firm. There is controversy about what he has been accused of and what he actually did. Now, AT&T is denying service to him see this article: April 27, 1987 Captain Midnight - viewers of HBO in the US watching The Falcon and the Snowman saw their screens go blank and the message on the slide appeared for about 4 minutes. An angry satellite dish salesman figured out how to intercept the signal and broadcast that message as a protest against HBO s decision to scramble its satellite signal so that backyard dish owners were forced to buy or hire decoders to view HBO s programs. This really illustrated the vulnerability of satellites and other communications systems what if this guy was an international terrorist who was able to change the orbit of a satellite into the path of another satellite, many of which carry small nuclear reactors as a power source (satellites are directed from the ground by using radio signals to control the functioning of their small maneuvering engines). Late 1980s Fry Guy a 15-year old hacked into McDonald s payroll computer to give his friends raises. He also hacked a credit reporting service & the telephone system in a scheme to get Western Union to wire him $$ from other people s accounts. He is the same guy who in 1989 diverted all calls to the Palm Beach County Probation Department in Delray Beach, FL to a phonesex hotline in NY. Russian man & Citicorp A Russian man with accomplices in several countries used stolen passwords to steal $400,000 from Citicorp. While unknowingly under computer surveillance by authorities, he transferred another $11,000,000 to bank accounts in other countries Michelangelo virus was a time bomb that infected the computer on March 6 th if the PC user executed the program that contained the virus on that day. The virus overwrote critical records on the boot disk, which is usually the C: drive, in which case destroying the contents of the hard drive. o Viruses a type of malware, or malicious logic program (programs that get onto a computer without the user s knowledge and does malicious, sometimes very harmful things to the computer system. Malware can come from websites that you visit some are re-directs, some are just sites that you happen to visit. Malware includes viruses, worms, Trojan horses, spyware, adware, and other malicious unwanted software. There were 41,000 pieces of malware in 2006.) viruses are self-replicating programs embedded within another program, called a host, that causes damage and infects other programs, floppy disks, or hard disks by copying itself onto them. Viruses can be spread from machine to machine via diskettes or

3 CDs. They may be passed to a computer when a file is downloaded from the Internet. A 2003 study revealed that 45% of the executable files people downloaded from KaZaA contained viruses or Trojan horses. Also, viruses can be spread via through an attachment. Some are fairly harmless, just occupying disk space or consuming CPU time, but most are not usually resulting in hard disk erasure or file corruption. o Time bombs are programs that are triggered by an event in time, such as the Michelangelo which did it s damage on March 6 th, the birth date of the famous artist. o Logic bombs are programs that are triggered by the addition or deletion of data, such as one that deletes a company s data when the status of a certain employee changes from employed to terminated gambling web site hackers modified the programming at a gambling site so that everyone won; the site lost $1.9 million. Air traffic controllers in England hackers in England impersonated air-traffic controllers and gave false instructions to pilots > What kind of impact could that have today with terrorism??? 1999 Melissa virus mailed copies of itself to the first 50 people in a computer s address book on systems using popular Microsoft software. Each new copy sent 50 more copies, and the virus quickly infected approximately a million computers worldwide. Many of the clogged systems shut down the Love Bug or ILOVEYOU spread around the world in a few hours, propagating among computers using Microsoft s Windows and Outlook programs by ing itself to all the people in the infected computer s address book. It also destroyed digital images and music files, modified the computer s operating system and Internet browser and collected passwords. The virus infected major corporations like Ford and Siemens and 80% of US federal agencies, including the State Department, the Pentagon, and NASA along with members of the British Parliament and the US Congress. Many businesses and government agencies had to shut down their severs. The virus hit tens of millions of computers and did $10 billion in damage. The creator of the Love Bug was a 23-year old Filipino computer science student. When he created the virus, the Philippines had no laws against computer hacking, and he was not prosecuted. Slide 4: Hacking Cases 2000 Mafiaboy Within about a week in 2000, almost a dozen major web sites were shut down, some for several hours, by denial-of-service attacks. Victims included Yahoo!, ebay, Amazon, E*Trade, Buy.com, CNN, and others. In this kind of attack, hackers overload the target site with hundreds of thousands of requests for web pages and other information. The requests were generated by programs (worms) planted on numerous other systems (many at universities) to disguise their origin (zombie computers); thus it is also called a distributed denial-of-service attack. The attack was traced to a 15 year old Canadian (script kiddie) who used the name mafiaboy; he pleaded guilty to a long list of charges. The US government estimated the cost of this incident at $1.7 billion. One disturbing aspect of this case is that mafiaboy apparently did not write the destructive programs himself; he found them on the Net, where other 15 year olds can find them too. o DoS where a (zombie) computer repeatedly makes requests of some other computer, tying up that other computer to the point to where it shuts down and doesn t respond to any requests, not even legitimate ones. It could be overloading the target site with hundreds or thousands of requests for Web pages and other information. This is accomplished with a Trojan Horse type of malware Trojan Horses get their name from Greek mythology where the giant, wooden horse hid the Greek soldiers which led to the defeat of the Trojans; Trojans are programs that hide in or appear to be something other than what they really are some sort of malware. They can be a program that is installed on your computer that gives someone else control of your computer, where they can delete all the files on your computer,

4 send spam s, run programs like keylogger programs, launch DoS attacks on other computers, etc., turning your computer into a zombie computer. o DDoS where programs planted on hundreds or thousands of other (zombie) computers (many at universities) to disguise their origin, generated the requests of some other computer at the same time much harder to trace the origin of the attack when it s coming from hundreds or thousands of computers can cripple the computer system that is under attack; e- Bay and Amazon were victims of this 2001 Code Red worm program quickly spread to 300,000 server computers at thousands of businesses worldwide. It exploited a flaw in Microsoft server software discovered a month earlier and caused infected servers to flood the White House web site with huge numbers of messages, clogging the Internet. This worm spread to more than 359,000 hosts in less than 14 hours Hacktivism hackers, like the group called Anonymous, modified or defaced the web pages of the White House, the Bureau of Labor Statistics, and the FBI. They revised the Department of Justice page to read Department of Injustice ; they changed the CIA s site to read Central Stupidity Agency and added links to porn sites. Is political hacking just an open form of political discussion, protected by our 1 st Amendment freedom of speech rights? What if it s a Denial of Service attack that interferes with health and emergency services? 2001 Code Red worm In 2001, this worm quickly spread to 300,000 server computers at thousands of businesses worldwide. It exploited a flaw in Microsoft server software discovered a month earlier and caused infected servers to flood the White House web site with huge numbers of messages, clogging the Internet. This worm spread to more than 359,000 hosts in less than 14 hours. o Worm a self contained program that spreads itself through a computer network by exploiting security holes. They infect idle workstations or terminals on the network. The earliest worms were exploratory programs that demonstrated the concept itself and were generally not destructive, although they often replicated to the point at which a network would collapse. o What is the difference between viruses and worms? Worms tend to exist in memory and are not permanent, whereas viruses tend to reside on disk where they are permanent until eradicated. Worms are also network oriented, with segments of the worm inhabiting different machines and knowing about he existence of other segments in other nodes on the networks. They actively seek out idle machines and retreat when the machine load increases. Sometimes used to create botnets for DDoS attacks. Viruses have none of these capabilities Sapphire worm or Slammer was released on January 25, It is notable for being the fastest-spreading computer worm in history. The number of hosts it infected doubled every 8.5 seconds. It ended up affecting at least 78,000 computers worldwide. It exploited a bug found in both Microsoft s SQL Server and SQL Server Desktop Engine. It overloaded networks and made database servers inaccessible. It resulted in cancelled airline flights, unavailable ATMs, and failures of emergency 911 service Blaster worm exploited a bug on Windows 2000 and Windows XP computers. Blaster infected hundreds of thousands of PCs worldwide. It s purpose seemed to be to launch a denial-ofservice attack against windowsupdate.com to prevent customers from accessing the server to download the patch needed to fix the bug. But, windowsupdate.com was a shortcut to the actual web site, so Microsoft just deleted the shortcut. However, the Blaster worm did have the effect of slowing down some computer systems. It disrupted the signaling of CSX freight trains and Amtrak passenger trains in the Northeast, leading to service delays Sasser worm was launched, which exploited a previously identified security weakness with Windows computers. About 18 million computers worldwide were infected they just shut themselves down shortly after booting. Still the worm made millions of computers unusable and disrupted operations at Delta Airlines, the European Commission, Australian railroads, and the British coast guard.

5 2001 Choke & Hello worms two early worms to strike instant messaging systems were Choke and Hello, which appeared in Worms were less devastating back then because only about 141 million people used instant messaging. Today, more than 800 million people use instant messaging, so the impact can be much greater. In April 2005, the appearance of the Kelvir worm forced the Reuters news agency to remove 60,000 subscribers from its Microsoft-based instant messaging service for 20 hours. Firewalls software or hardware (or combination of both) that help protect against malware; they monitor incoming communications, possibly preventing unauthorized access from external sources. Firewalls may be great at stopping unwanted intrusions, but they often do little or nothing to detect virus-laden s or stop intrusive adware and spyware. You'll want separate antivirus and spyware checkers to stymie these threats. Windows comes with a firewall program, as does MacOS (disabled by default). There are other 3 rd party firewalls, some free, that are very good. Slide 5: Firewalls software or hardware (or combination of both) that help protect against malware; they monitor incoming communications, possibly preventing unauthorized access from external sources. Firewalls may be great at stopping unwanted intrusions, but they often do little or nothing to detect virus-laden s or stop intrusive adware and spyware. You'll want separate antivirus and spyware checkers to stymie these threats. Windows comes with a firewall program, as does MacOS (disabled by default). There are other 3 rd party firewalls, some free, that are very good. Slide 6: First Amendment We saw in Chapter 3 that writing about how to make bombs online is not illegal; what about virus or hacking code? (We didn t talk about that yet ) Slide 7: Virus Code Online Hospital example: which one(s) should be considered guilty, or hold some degree or responsibility? Slide 8: Identity Theft FTC receives hundreds of thousands of complaints of identity theft each year. Ages are the most common victims use Web heavily or are less aware of risks? Department of Justice reports that fraud losses amount to billions of dollars per year in the U.S. with several million victims About 8-10 million people per year are victims of identity theft in the U.S. 3-12% (depending on source) are computer-related. It is estimated (by the FTC) that 1 in 6 Americans will be a victim of identity theft this year alone. Victims spend on average $1200 in out-of-pocket expenses and an average of 175 hours in their efforts to resolve the many problems caused by identity thieves. Slide 9: Methods of Identity Theft In 1998, Congress made it a federal crime to knowingly use another person s identification Phishing an example of social engineering - - phishing quiz online Vishing (voice phishing) modified phishing scams where the provides a fake phone number to call where the victim hears requests for their account number and other identifying information

6 Pharming another technique to lure people to fake Web sites where thieves collect personal data involves planting false Internet addresses in the tables on a DNS, sometimes via software inadvertently downloaded from a dishonest or hacked Web site, so when you type in the address for a bank Web site, for example, a counterfeit site comes up Whaling s to small business owners that look like a subpoena from U.S. District Court when you click on it, it downloads a virus that gathers all passwords on your computer, sends them back to criminals who then logs into your accounts & changes your passwords then they clean out your accounts Resumes online if they contain SSNs and other identifying information, target for identity thieves SSNs a part-time English teacher at a California junior college used the SSNs of some of her students provided on her class lists to open fraudulent credit card accounts; rings of identity thieves with members working on hospital staffs obtained SSNs of hospitalized patients from their wristbands or hospital charts. o who it is ok to give your SSN to: motor vehicle departments; tax departments; welfare departments; any transactions involving taxes (banks, brokerages, employers); most other businesses have no legal right to demand your number. In some states, there are laws preventing schools from requiring SSNs of the children. Doctor s offices will want it mainly to make sure if you don t pay your bill, they have a way to track you down, but they legally don t have a need for it. Dumpster diving the #1 way thieves get our information; a tv reporter did some dumpster diving behind a number of banks and found that they unloaded old files & records without shredding them records with SSNs, addresses, dob, etc. Mailbox theft 20% of identity theft is a result of this practice bank statements, credit card statements, pre-approved credit card offers, etc. Pretexting someone will call you impersonating someone from a legitimate company, like your insurance company, trying to get you to verify your account information Shoulder surfing sometimes use devices like cell phones to record you without your knowledge; also, some have used binoculars, telescopes, and video cameras to spy on customers Slide 10: Methods of Identity Theft Social networking sites names, addresses, even birthdates are easy to find File sharing and peer to peer software the people accessing your music files also have access to other files on your computer Bogus job offers thieves will place fake employment ads and get you to fill out an application, including your SSN Fake sweepstakes or lotteries usually sent my and claim that you ve won the Canadian lottery or some other sweepstakes that you ve never actually entered Hacking can get access to all the info on your computer Lost or stolen items purse, wallet, laptop, PDA, etc. Workers in your home contractors or other workers can find account info that you may have in plain view Changing your address thieves will often forge your signature to have your mail forwarded to another address then they will get your bank statements, etc. Copying info from a transaction stealing your credit card info when processing your transactions Credit reports they may pose as a potential employer or landlord (pretexting) to get a copy or your credit report RFID readers thieves build RFID readers to steal the info off your cards (that use RFID) Slide 11: How the Victim is Affected

7 Slide 12: How to Protect Yourself Don t carry checkbook, SSN card, or all your credit cards with you all the time Shred your credit card offers, etc. Use updated anti-spyware/anti-theft software on your computer Never give out personal info over the phone Monitor your credit reports 4 out of 5 credit reports have errors on them. If you have a PayPal account, you can free credit alerts sign in to your PayPal account, then using their search box, search for Equifax choose the first item returned, and then that brings up the registration page for Equifax Credit Alerts - - no longer available for free now it s $14.95 per month with Equifax ID Patrol Be careful of using your credit cards in restaurants Might be a good idea to write ask for id on the back of your card although won t help if the store clerk doesn t even check the back of the card One college instructor signed Elmer Fudd and the clerk never noticed Another experiment where a white man used a credit card that had a picture of a black man on it clerk never noticed Biometrics: including fingerprints, voice prints, face structure, hand geometry, eye patterns, and DNA will biometrics make us more secure or will it make it easier to build dossiers on people? What happens when a hacker gets a copy of a file with our digitized thumbprint or retina scan? Something to think about: Have you used a biometric system somewhere? Or do you know of somewhere in your town or city where biometrics is used? Describe the application and its benefits and risks. See if you can find out if there have been problems with the technology. Slide 13: If You Think You ve Been a Victim of Identity Theft: 1. police report 2. fraud alert a flag that credit agencies put on your credit report, that prevents anyone from taking out any credit in your name, so no car loans, no credit cards, etc. The creditor will notify you to verify that you want this transaction to take place. Lenders do still have access to your credit report. Problem with fraud alerts creditors are supposed to contact you to verify, but they are not required by law to, so sometimes they do not. 3. credit freeze a lock that will prevent new lenders from being able to access your credit report at all. As of November of 2007, the three main credit reporting bureaus make it available in all 50 states. When you want to apply for credit, you need to request the credit agency to lift the freeze, then the lender can access the report, and then you request to have the freeze reinstated. There is usually a fee to initiate a freeze and one to unfreeze unless you have been a victim of identity theft. Slide 14: What Are Your Rights? Truth in Lending Federal law passed in 1968 that protects consumers in credit transactions by requiring clear disclosure of key terms of the lending agreement and all costs. One of the things this law gives you is the 3 day right of rescission that you have to change your mind about certain credit transactions that use your home as collateral, such as on a home equity loan or if you refinance your home with a different lender (but not a mortgage for an original purchase) Fair Credit Reporting Act originally passed in 1970; enforced by the FTC regulates the collection, dissemination, and use of consumer information. It says that you must be told what s in your credit file and have any errors corrected. If you are refused credit, you can get your report for

8 free and the credit bureau must help you interpret the data if you need interpretation. If you notify the bureau of any error, they have 30 days to resolve the dispute. Fair Credit Billing Act An amendment to the Truth In Lending Act, passed in 1986, to protect consumers from unfair billing practices and to provide a mechanism for dealing with billing errors; applies to open end credit accounts, such as credit cards and other revolving charge accounts. Creditors are required to promptly credit your payments and correct billing mistakes and you can withhold payments on defective goods. You can sue them if they violate any of these requirements. Examples of errors: Slide 15: The Credit Card Act of 2009 The latest update of the Truth In Lending Act signed into law by Obama over the summer to protect consumers from abusive tactics used by credit card companies 1. Banks must notify 45 days in advance when changing interest rates or late fees (only on new balances) (took effect Aug. 20 th ) 2. No more retroactive interest rate hikes on existing balances 3. No more raising interest rates based on customer s late payments on other, unrelated cards or utility bills 4. Payment due dates must be at least 21 days after mailing of bill (took effect Aug. 20 th ) 5. Extra payment above minimum due must be applied to higher rate balances first 6. Must opt-in to over-the-limit fees if you don t agree to it, then transactions that would take you over your limit will just be rejected o plus other fee restrictions: banks cannot charge a fee for paying by phone or online (unless it s to expedite a payment); if you pay in person at the local branch, it has to be credited the same day; payments received by the due date (or the next day if it s on a day that they don t receive mail) won t trigger a late fee -> but Clark Howard conducted an experiment into this issue in using a credit card, Clark sent nine monthly payments via next day delivery, and every one of them arrived within a day as expected. But of those nine payments, only two of them were posted on time. The other seven were posted a day or more after the due date even though Clark knew they arrived on time. You are protected virtually 100 percent if you pay electronically. It s cheaper, quicker and more secure. 7. Must disclose to consumers how long it will take to pay off; also must disclose what the payments would be for paying off within 12, 24, or 36 months o If you owe $5000 at 18% interest, and all you pay is the minimum amount due each month it will take you over 30 years to pay it off!!! 8. Restricts card issuance to students under 21 if you cannot prove an independent means of income or provide the signature of a co-signer, they will not give you a credit card o According to a Sallie Mae study college students carried an average balance of $3173 on their credit cards last year 9. Gift card protections they cannot expire for at least 5 years; cannot assess inactivity fees unless the card has gone unused for 12 months

9 Slide 16: Establishing Good Credit first of all, know that credit card companies target college students you have to be smart with your credit cards Checking account having a checking or savings account can help show that you have money and know how to manage it Department store cards can help establish good payment history Prepaid cards another good place to start Co-signer on applications helps establish good payment history - the Web site where you can get a free copy of all 3 credit reports: TransUnion, Experian, Equifax - - less than 15% of people pull their credit reports; they receive and process millions of records daily, which include bill-paying history; information from public records such as lawsuits, bankruptcies, or liens; supposed to be used as info for evaluating applicants for credit; some employers also use them as part of a background check on job applicants o point out FAQs o an amendment in 2003 now enables you to get a free copy of your credit reports one from each reporting agency per year o insurance companies are going to start looking at credit reports - Fair Isaac Score average credit score (as of 1/29/07) is 723 (ranges from ) your FICO score affects your ability to get a loan, and what rate you get. To raise your score, get your debt paid off; keep at least one credit card active (use it sparingly and pay it off each month); don t have more than 1 or 2 credit cards if you do close out credit cards, keep the older ones (if they have good rates) because the longer you have an account open and in good standing, the better your score o Fair Isaac is changing the way they figure your score used to be that a late payment would demolish your FICO score now an occasional late pay will not harm your score, but a pattern of late payments will destroy it. They may even start using your payment history with things like utility bills, rent, and bounced checks, which currently do not affect your FICO score. o closing an old credit card drops your score by about 12 points Slide 17: Crime Fighting vs Privacy & Civil Liberties 4 th Amendment requires that search warrants be specific about what is to be searched or seized Assignment 5.32 page 302: Find the final decision or current status of the case described in the box BASEBALL, LABORATORY FILES, AND THE FOURTH AMENDMENT (Section 5.5.1) so what happens when authorities are searching a computer for one thing and finds other illegal activities, or illegal activities by other people who use that same computer? or when a computer technician is servicing someone s computer and finds what he believes is illegal material on the person s computer see if you can find out whatever happened in the Washington State vs Westbrook case, where this happened and the technician reported it to authorities Slide 18: Whose Laws Rule the Web? ILOVEYOU virus infected millions of computers worldwide, destroying files, collecting passwords, and shutting down computer systems at major corporations and government agencies o this was the one written by a student from the Phillippines charges were dropped because they had no laws against releasing a virus at the time what should happen to him if he were to travel to the U.S., Canada, France, Germany, or any other country where the virus did damage? Other cases in the book pages (we ll talk about in a different module)