1. Social Implications of a Computerized Society Lecture 4 Computer Crime Instructor: Oliver Schulte Simon Fraser University

2. What We Will Cover Hacking Identity Theft Crime Fighting Versus Privacy and Civil Liberties Laws That Rule the Web Security technologies

3. Themes in Computer Crime We’re going to review some general themes from this course as they apply to computer crime issues. –Anonymity –Security/Surveillance/Interception – Responsibility of Web Technology Providers

4. Anonymity and Cybercrime Some ways in which anonymity facilitates cybercrime compared to the “real” world. –Anonymity requires identification for legitimate purchases  Identity theft makes it easy to impersonate someone. –Anonymity makes it easier to get away with fraud and deception. E-bay scams. Phishing Click Fraud. –Anonymity facilitates hacking as trespassing (use other people’s computer, username).

5. Security/Surveillance/Int erception Much personal information is stored or transmitted on the web insecurely. “Big Hacker is watching you”. Also an issue for privacy.

6. Hacking as programming Hacking – currently defined as gaining illegal or unauthorized access to a file, computer, or network The term has changed over time Phase 1: early 1960s to 1970s –It was a positive term –A "hacker" was a creative programmer who wrote elegant or clever code –A "hack" was an especially clever piece of code

7. Hacker-programmer: Examples Reprogram the Wii to play music. Break copy protection, fast-forward protection. Reprogram Iphone to work with networks other than the “official” provider.

8. Hacking and entering Phase 2: 1970s to mid 1990s –Hacking took on negative connotations –Breaking into computers for which the hacker does not have authorized access –Still primarily individuals –Includes the spreading of computer worms and viruses and ‘phone phreaking’ –Companies began using hackers to analyze and improve security (“white-hat” hackers).

9. Hacking and entering: examples Phone phreaking: “Legion of Doom” broke into BellSouth computers. Pranks, reroute FBI numbers to phone sex lines, free long-distance calls. German hacker breaks into Pentagon computers. Ontario hackers send fake e-mails from Ontario premier’s office.

10. Discussion Question Is hacking into a computer system always morally wrong? If so, why? If not, when is it wrong and when isn’t it?

11. Is Hacking Trespass? Rights-based argument: Can you compare hacking to walking into someone else’s home? - Physical intrusion. Or is it more like looking through a window? - gathers information, no intrusion. Maybe no old category fits---on the web observation does not require physical presence. The lack of physical presence of an observer/intruder also seems relevant to privacy/surveillance issues--- cybersurveillance doesn’t “feel” so intrusive. Utilitarian argument: monitoring and checking causes a lot of damage. E.g., Boeing had to spend a lot of money to check that no files were changed.

12. Hacking and the Web Phase 3: beginning with the mid 1990s –The growth of the Web changed hacking; viruses and worms could be spread rapidly –Political hacking (Hacktivism) surfaced –Denial-of-service (DoS) attacks used to shut down Web sites –Large scale theft of personal and financial information.

13. Internet hacking: examples The Internet Worm 1988, Robert Morris from Cornell. A worm is a program that copies itself to other computers. A virus is a malicious program hidden inside a file, program or document (e.g. Word macro). Mellisa virus (1999): mail copies of itself to 50 e-mail addresses in address book. Infected 1 mill computers. Love bug (2000): also mailing itself. Infected 80% of U.S. agencies, millions of computers, $10 billion in damages.

14. Internet hacking: more examples Denial of Service attack (DoS). Overload target site with 10 5 requests for web pages. 15-year old Canadian aka “mafiaboy” shut down Yahoo, eBay, Amazon etc, $1.7 billion damage. Estonian government was attacked.

15. Identity Theft, Spam: Phase 4 E-commerce has experienced huge growth, estimated around $200 Billion in the U.S.  many people send passwords, credit cards on-line.  Opportunities for fraud and impersonation: e-bay, Nigerian account scheme. Emergence of organized cybercrime rings: targets e- business by stealing IDs, often international. Phishing, farming, botnets, sniffers. FTC estimates 8.3 million victims of identity theft, $15.6 billion losses.

16. Cybercrime: examples –Phishing - e-mail fishing for personal and financial information disguised as legitimate business e- mail. Recent SFU attackRecent SFU attack –Pharming - false Web sites that fish for personal and financial information by planting false URLs in Domain Name Servers. –Zombie viruses, botnets: normal computers remotely controlled by distributor. Typically 200,000 infected machines or more. Botnet ArticleBotnet Article

17. The TJX case Largest ID theft case in U.S. History: 40 million card numbers stolen from 2004- 07. Card numbers appear to have been sold to other criminals. 11 people charged, one pleaded guilty.

18. Discussion Question The Federal Trade Commission (U.S.) has imposed sanctions on TJX. They say that “companies that collect sensitive consumer information have a responsibility to keep it secure”. Do you agree with that? How much responsibility do users/customers have? For example, using firewalls, encryption, coded credit cards, provide ID with credit card?

19. Security Technologies Big business: e-mail security sales $1.2 bn in 2008. Firewalls monitor network traffic. Web browsers check websites for proper authorization. Biometrics may be a new way to identify yourself. Public-key encryption: important theoretical tool. New authentication methods? preference-based identificationpreference-based identification Fundamental trade-off: security versus convenience.

20. Encryption and Biometrics Public-key encryption: Encryptor makes two keys, one secret, one public. With public key, anyone can encrypt, but only encryptor can decrypt. Biometrics: fingerprint, face, Iris, Voice. Included in Toshiba Portege M800 laptop. Desired false positive/false negative rate: < 0.1%. Currently no single technology gets this, maybe we need to use combinations.

21. Auction Fraud FTC reports that online auction sites are one of the top sources of fraud complaints –Some sellers do not send items or send inferior products –Shill bidding is used to artificially raise prices –Sellers give themselves or friends glowing reviews to garner consumer trust Auction sites use various techniques to counter dishonest sellers.

22. Discussion Question Fraud on e-bay has steadily increased. Does an auction site like e-bay have an obligation to protect customers from fraud any more than a search engine has an obligation to prevent illegal downloading of copyrighted material? What about monitoring the sale of illegal goods, like brand name fakes? e-bay casee-bay case What about the obligation of Youtube to remove copyrighted material?

23. Responsibility of Web Providers E-bay at first: “we are like a newspaper publishing classified ads” (common carrier). No responsibility for what people do with our technology. Now: fraud departments, risk warnings, reputation scores and other systems for combatting fraud. Some responsibility for avoiding fraud. Is this an ethical obligation or just business sense? Ethical argument: E-bay is in a better position to check identities and trust-worthiness than regular customers.

24. Scams and Forgery Click fraud - repeated clicking on an ad to either increase a site’s revenue or to use up a competitor's advertising budget Stock fraud - most common method is to buy a stock low, send out e-mails urging others to buy, and then sell when the price goes up, usually only for a short time Digital Forgery - new technologies (scanners and high quality printers) are used to create fake checks, passports, visas, birth certificates, etc., with little skill and investment. Canadian Case: 400 SIN numbers stolen by government employee, $7m fraud. sin casesin case

25. Whose Laws Rule the Web When Digital Actions Cross Borders: Laws vary from country to country. –E.g., German court said E-bay has to prevent sale of fake Rolexes. U.S. court said they don’t have to for fake Tiffany jewellery. Corporations that do business in multiple countries must comply with the laws of all the countries involved. Someone whose actions are legal in their own country may face prosecution in another country where their actions are illegal.

26. Whose Laws Rule the Web (Cont.) Arresting Foreign Visitors: A Russian citizen was arrested for violating the DMCA when he visited the U.S. to present a paper at a conference; his software was not illegal in Russia An executive of a British online gambling site was arrested as he transferred planes in Dallas (online sports betting is not illegal in Britain)

27. Whose Laws Rule the Web Discussion Questions What suggestions do you have for resolving the issues created by differences in laws between different countries? What do you think would work, and what do you think would not?