The Computer Misuse.

By Andy Scott, Michael Murray and Adam Kanopa
Presentation transcript:

The Computer Misuse

Definition
The Computer Misuse Act 1990 (CMA) is an act of the UK Parliament passed in 1990. The CMA is designed to frame legislation and controls over computer crime and Internet fraud. The legislation was created to:
- Criminalize unauthorized access to computer systems.

Computer Misuse Act 1990
4 key points you need to learn/understand/revise

Computer Misuse Act - Reasons
- No laws specifically to deal with computer crime prior to 1990
- The Misuse Act is often labeled “anti-hacking legislation”
- It was enacted to respond to the growing threat of hacking to computer systems and data
- Previously hacking was not illegal in the UK
- The Act now covers much more

Levels of Offence
The Act specifies 3 levels of offence. In summary these are:
- Unauthorised access
- Unauthorised access with intent to commit another offence
- Unauthorised modification of data (writing viruses comes under this level)

Penalties
- Unauthorised access (level 1) is called a summary offence, and penalties are limited to 6 months imprisonment and/or a maximum fine of £5000
- The other two offences (levels 2 and 3) are more serious and carry jail terms of up to 5 years and unlimited fines

Example 1
- A student hacks into a college database to impress his friends: unauthorised access
- Later he decides to go in again, to alter his grades, but cannot find the correct file: unauthorised access with intent
- A week later he succeeds and alters his grades: unauthorised modification of data

Example 2
- An employee who is about to be made redundant finds the Managing Director’s password, logs into the computer system using this and looks at some confidential files: unauthorised access
- After asking a friend, he finds out how to delete files and wipes the main customer database: unauthorised modification
- Having received his redundancy notice he goes back in to try and cause some damage but fails to do so: unauthorised access with intent...

Prosecutions
- A disgruntled IT supplier hacked an estate agency website and replaced pictures of houses with pictures of animals. £1250 fine.
- An ex-employee stole 1,700 customer records on backup tape before setting up a competing PC networking company. Conditional discharge and £15 fine.
- An ex-employee made unauthorised use of his former employer's Mercury telephone account to make "free" calls. £900 fine.

Problems
However, prosecutions under the Computer Misuse Act are rare for a number of reasons:
- Offences difficult to prove
- Evidence difficult to collect: firms do not co-operate with police
- Firms embarrassed by hacking, particularly banks
- Employees often simply sacked/demoted
- Police lack expertise, time and money
- Offence perceived as ‘soft crime’: no one injured/hurt

SCOPE
- Computer Crime Trends
- Definition of Computer Crime
- Case Studies
- Computer Misuse Act

INTRODUCTION: Computer Crimes Trend
- No. of reported cases relatively low
- Increasing trend:
  1993/1994 - 1
  1995 - 3
  1996 - 7
  1997 - 37
  1998 - 116
  1999 - 185

INTRODUCTION: Definition of Computer Crime
When there is unauthorized access into a computer system in order to:
- Destroy data or programs
- Commit other offences

CASE STUDY ONE: The Perfect Computer Crime
- System analyst used a Trojan horse program to capture a colleague's password and used it to modify the Lucky Draw Program.
- Also gained root access whilst auditing the computer system and replaced the Lucky Program with a fake program that allowed 3 friends to ‘win’ $485,000.

Case 1: This ex-employee was allowed entry into the working area of the bank. He then keyed his account number and the bank's over-riding code into an unattended terminal and credited S$1.2 m to his account. He was subsequently charged and convicted under the Computer Misuse Act. He was jailed for 5 years.

Case 2: The system analyst installed a trojan horse program to capture the password for accessing the bank's lucky draw program. He then used the password to gain access to the program and modified it to include his wife as a winner. The following year, he was tasked to assist the external auditor. The senior manager allowed him access to the system using the master password. The accused then replaced the original lucky program with his modified version. The modified program then chose 3 of his acquaintances as winners. He was charged and convicted under the CMA and jailed for 4 years.

CASE STUDY TWO: Crashing of Factory Computer System
- Disgruntled system administrator inserted a logic bomb that replaced system files with damaged files during the backup process.
- Also used another logic bomb to time the backup process for while he was on holiday.
- Caused the entire company’s system to crash and halted production lines.
- After his dismissal, he asked a computer-illiterate colleague to crash system files.

Case 3: 23 account holders of various banks reported that unauthorised withdrawals were made from their accounts. 5 persons including a cashier were arrested. The cashier supplied NETS receipts to the syndicate while the other members peered at customers keying in their ATM PINs. They then made duplicate ATM cards by using a reader and software programs to re-encode this stolen information onto the cards. These cards were then used to make withdrawals from ATMs and purchases through NETS. The total damage was about $96,000. They were charged, convicted and jailed for between 16 months and 4 years.

Case 4: A disgruntled employee was not happy with the management. He accidentally discovered that the manufacturer’s default password had not been removed. He used this default password to retrieve emails containing adverse financial information and sent them to the clients. He was charged and convicted, and fined $10,000.

Case 5: Another disgruntled employee (a system administrator) replaced original system files with damaged files during the backup process. He used a logic bomb to time the backup during his absence and as a result the company’s system crashed. Subsequently he left the company and called a production worker on the pretext of removing some personal files. The operator followed his instructions and deleted the system files, and the system crashed for the second time.

CASE STUDY THREE: Smart Card Scam
- Managers of a cinema chain modified Daily Cashiers’ Reports on the computer system and siphoned off cash.
- Also topped up used Smart cards illegally and sold them to cinema touts.
- Enlisted the help of a computer service engineer to load a program into a branch so as to further the crime.

CASE STUDY FOUR: Distribution of user-ids and passwords
- Two youths stole user-ids and passwords of unsuspecting users of an ISP during a session and displayed the user-ids and passwords on a web site stating that the ISP’s system security had been breached.

CASE STUDY FOUR: Hacking of Television Station's web-site
- Two teenagers obtained illegal access to a Television Station web-site by accident and modified several of the web pages with “hacker slogans”.

LESSONS LEARNT
- Physical Security
- Electronic Security
- Lack of Physical Security
- Electronic Security
- Good Security Practices
- Regular System Audit
- Computer Incident Management

COMPUTER MISUSE ACT
- Section 3 - Unauthorised Access to Computer Material
- Section 4 - Access with Intent to Commit or Facilitate Commission of Further Offence
- Section 5 - Unauthorised Modification of Contents of Computer

COMPUTER MISUSE ACT
- Section 6 - Unauthorised Use/Interception of Computer Service
- Section 7 - Unauthorised Obstruction of Use of Computer
- Section 8 - Unauthorised Disclosure of Access Code
- Section 9 - Enhanced punishments
- Territorial Scope

International Co-operation
- Asian Working Party (Computer Crime)
- Links with: FBI, Hong Kong, Malaysia, Taiwan, Sweden, U.K.

COMPUTER CRIME INVESTIGATIONS: Report Lodging
- What to prepare?
- Who should do the reporting?

COMPUTER CRIME INVESTIGATIONS: Preliminary Investigation
Interviews (fact gathering):
- Complainant / Victims
- System Administrators
- Customer Service Engineer
- Other Witnesses

COMPUTER CRIME INVESTIGATIONS: Preliminary Investigation
Evidence Collection:
- Physical evidence (e.g. computer system, storage media)
- Supporting evidence (e.g. system logs, caller ID records)

COMPUTER CRIME INVESTIGATIONS: Preliminary Investigation
Evidence Analysis:
- Forensic laboratory and staff for examination of storage media
- Technical support from industry experts
- Vendors’ information

COMPUTER CRIME INVESTIGATIONS: Implications of Police Investigation
- Evidence in police custody till conclusion of the case
- Commitment of time and resources
- Adverse publicity

PREVENTION & INCIDENT MANAGEMENT
- Setting up a Security Team
- Implement Preventive Measures
- Incident Management

PREVENTION & INCIDENT MANAGEMENT: Preventive Measures
- Simulation Exercises
- Tracking software/hardware for bugs & vulnerabilities

PREVENTION & INCIDENT MANAGEMENT
- Respond swiftly
- Collation of essential information and facts
- Gathering of evidence: caller ID records, system access logs