Hacker turned consultant, Kevin Mitnick (courtesy CNet)
I wrote this paper as part of a law class in the spring of 2010. It details some types of cybercrime as well as the methods that US prosecutors utilize in prosecuting them. One of the more interesting things was that cybercriminals can be prosecuted in the USA despite committing crimes outside the USA, somewhat similar to laws which allow for the prosecution of US citizens who commit child molestation while abroad.
Prosecuting Cybercrime
Could the first man to discover fire and utilize it for the noble goals of keeping warm or cooking have fathomed that it would eventually be used criminally by arsonists? The advent of technologies always runs the risk of later being used by criminals. White collar crime did not exist prior to the evolution of management positions, nor did cybercrime exist prior to the development of electronic computer networks (Samaha, 2008).
Individual incidents of Cybercrime can rapidly result in millions or even billions of dollars of damage between theft and loss of revenue. Even governments are now recognizing the immense power exploiting the computer networks of other governments or businesses carries as is evidenced by recent crimes such as the hacking and distributed denial of service attacks leveled against Google by Chinese students backed by People’s Liberation Army funded universities (Stanglin, 2010). Exploiting networks and systems can also lead to the crippling of an enemy’s infrastructure as incidenced by Russian hackers attacking Georgian government websites during Russia’s 2008 offensive (Fox News, 2008).
As with any technology, law enforcement and the legal system must adapt to combat the new crimes being committed. While a great deal of progress has been made toward dealing with cybercrime, this paper will also reveal some areas where improvement could be made.
A Brief History of Cybercrime
In the 1950’s the first acts of cybercrime evolved from the then new tone dialing technologies implemented by phone companies. It was not difficult for electronics enthusiasts to create small boxes which mimicked the tones used to instruct the phone system to place calls. Phone phreaks, as cybercriminals who exploit phone networks are known, have moved toward the capture and cloning of cell phone numbers; however, with the prevalence of other communication methods such as voice over ip and other methods of communication phone phreaking is declining in popularity (Schmalleger, 2009).
With the rise of computers and networks, individuals began searching for ways to gain unauthorized access to the data held therein. Over time three predominant concepts in attack vectors have been established: attacks via brute force and attacks via social engineering.
Brute Force Methods
Brute force methods, the first paradigm of gaining unauthorized access, involves the use of sheer computational power to overcome protections or exploit a vulnerability in a computer, network, software, or file. This method can be quite time consuming at times; however, with the advent of parallel processing offered by graphics card companies such as the combined AMD and ATI or from Nvidia brute force attacks can be accomplished much faster.
Brute force attacks typically require the use of text files which contain millions of potential passwords or data hashes used to encrypt passwords. For example, using commonly available tables of password hashes called rainbow tables makes it a simple and quick task to retrieve passwords for all users of Microsoft Windows XP if a hacker has physical access to the system. Other types of encryption can take much longer to break, from a few days of dedicated wireless packet interjection in WEP to the nearly unbreakable PGP which is generally not viable to even attempt.
Fortunately, entering another individual’s or businesses network would likely first involve bypassing a firewall by scanning for open ports then attempting brute force bypasses on whichever protocol was left open by system administrators; this style of attack is generally inefficient, leading to the widespread adoption of social engineering methods.
Social Engineering Methods
Sun Tzu wisely taught that the best place to attack is where the opponent is weakest, thereby leading his troops to victory over an army significantly larger than his own. When dealing with any electronic device or network that has any level of security, the human operators will always be the weakest point. While it may sound far fetched, when computer security consultants test a client’s network it is not uncommon that they manage to acquire passwords from staff for as little as a dollar or a chocolate bar (BBC, 2004).
While not everyone will fall prey to such obvious deception, simple ruses abound that prey on curiosity. One of the newest methods of corporate espionage is leaving CD’s, DVD’s, or USB devices lying around the parking lot of the targeted company. When staff find them they are inclined to plug the devices into their office computer and unwittingly make their computer an agent of the attacker.
The most infamous cybercriminal that is often credited as the earliest to fully integrate social engineering into his repertoire was the infamous Kevin Mitnick, a now reformed computer security consultant who during the mid 1990’s found himself embroiled in a two and a half year long game of cat and mouse with the FBI, the media, and other hackers. Mitnick managed to gain access to hundreds of thousands of dollars worth of proprietary software from companies such as Novell, Fujitsu, Motorolla, Sun Microsystems, and many others generally by deceiving individuals into revealing their passwords or weaknesses in security. While Mitnick may have been one of the earliest and most notorious cybercriminals to utilize social engineering, he certainly isn’t the last (US Department of Justice, 2000).
Exploitation Methods
Exploitation can be used in conjunction with the other two methods or employed entirely on it’s own. Exploitation revolves around finding security flaws in software and utilizing those security flaws to gain unauthorized access. Traditional methods include manipulating websites by attacking vulnerabilities in Microsoft IIS server or interjecting SQL code into forms on company websites. Attacks on desktops or workstations typically revolve around mail client, web browser, or scripting vulnerabilities.
Types of Cybercrime
Cybercrime as with it’s traditional criminal sibling comes in many different forms with many different purposes. Motivators vary from challenge, addiction, thrill, revenge, to profit; as can be seen in the following sections, methods can be just as diverse as the motivations.
Hacking
There are a wide variety of goals and methods behind hacking. Hacking is essentially the unauthorized intrusion into a computer or network whether by brute force entry or socially engineered methods. The goal of hacking may be as benign as a simple digital trespass for bragging rights or as sinister as data theft to achieve corporate or governmental espionage.
Malicious Software
Malicious software are programs written with the express purpose of compromising or sabotaging a computer or network of computers. Malicious software can come in the form of trojans, rootkits, virusses, or worms. Trojans and rootkits hide on the computer and grant a cybercriminal access to information on the computer.
There are several benefits commandeering computers has for cybercriminals, first the outright sale of the control of a cluster of infected computers which are then utilized by other cybercriminals. Outright sale can be extremely lucrative in and of itself; however, for any crimes committed using those computers the seller can be charged as an accomplice. Second, as SMTP is a relatively simple protocol and coincidingly small program, it is possible to install an SMTP mail daemon which is able to send out bulk email in the form of spam without users being aware. Third, leveraging a massive number of computers, sometimes referred to as a botnet, makes it more effective to shut down websites via distributed denial of service attacks or allows anonymous parallel brute force attacks over the internet. Fourth, it is possible to log keystrokes and websites, effectively handing over access to financial data or email. Finally, since the computers being compromised and utilized will range from desktops in church offices to laptops in coffee shops, none of which have any direct physical connection to the attacker, it makes the cybercriminal much more difficult to apprehend.
Viruses and worms tend to be utilized more for cybervandalism, their purpose is generally directed at the destruction of data or networks but are increasingly being used as a delivery method for trojans. The first worm was created by Robert Tappan Morris, now a professor at MIT, who coincidentally was the first individual to be prosecuted under the 1986 computer fraud and abuse act. Morris claims his intention was to discover the size of the internet; however, the worm quickly infected more than 6,000 computers and brought them to the point that they were unusable (IT Security, 2007).
As earlier mentioned, social engineering is the preferred method of infecting computers, and can range from phishing to calling extensions in a target company pretending to be from technical support, thereafter instructing the hapless employee to install trojans. Another instance of social engineering was used in one of the most devastating viruses to date; the ILOVEYOU virus, which caused an estimated 10 billion in world wide losses and shut down systems at both the CIA and the pentagon, spread via email messages that had a visual basic script which appeared to be a love note (Landler, 2000).
Distributed Denial of Service
A distributed denial of service attack involves commandeering dozens, hundreds, or even thousands of computers which then simultaneously and repeatedly access the target web server or email server. High amounts of website traffic will cause either a massive slowdown in the ability of the target to serve pages and email or will crash the server outright. Distributed denial of service attacks have been increasingly employed by nationalists against targets in an effort to benefit their state, as can be seen in attacks against Georgian websites by Russian nationalists or attacks against US and UK entities by Chinese nationalists.
Data Diddling
Data diddling involves the manipulation of data. Examples of data diddling include using an insider to favorably adjust credit scores; as such, data diddling tends to be closely related to white collar crime (Samaha, 2007).
Salami Attack
The salami attack is one of the oldest known methods of cybercrime. The salami attack involves using or modifying software to steal small amounts of money from many transactions or accounts (Samaha, 2007). Money is transferred to an account that is left open for a relatively short time before the cybercriminal withdraws funds and closes the account. The concept is that if the attacker manages to have enough volume of minute thefts, a large sum of money will quickly accumulate to tens or hundreds of thousands of dollars.
Piracy
Digital piracy has been a hotly debated issue since the advent of peer to peer file sharing networks; however, beyond private individuals exchanging ripped software, books, music, and movies a recent RAND report suggests that international criminal and terrorist organizations make extensive use of piracy in order to fund other more nefarious ventures such as human trafficking, drug manufacture, and terrorism (Cunningham, Goulka, Matthies, Ridgeway, Treverton, & Wong 2009). While this form of piracy may not have garnered very much attention within the United States, it is a significant issue in international law enforcement.
Child Pornography
The age of personal computing and the internet has made it increasingly easy for child pornographers to exchange and images and videos, thereafter easily storing them in advanced encrypted formats using technologies such as Truecrypt. Encryption makes it particularly difficult for law enforcement to gather forensic evidence against pornographers as the amount of resources and time needed to decrypt most 128 bit and 256 bit encryption makes bypassing the encryption prohibitive.
Internet Gambling
Internet gambling is considered illegal under the wire act; however, many companies have operated servers outside the US that US citizens were able to access and gamble on. The justice department has aggressively targeted CEOs of gambling sites that are available from the US. Justice officials have had success targeting and arresting CEOs who are transiting flights in the US.
Phishing and Fraudulent Email
Phishing and fraudulent email are particularly troubling as they are quite effective at gathering personal information from unsuspecting targets. Phishing is the sending of emails which appear to come from a legitimate source such as a bank; website such as ebay or paypal; or other legitimate company. When a user follows the provided links to update their accounts, they essentially provide the attacker with user account names, numbers, and passwords. Even more impressive forms of attack involve requiring the target to call a toll free number where an automated voice recording system records answers to questions about account numbers, names, social security numbers, passwords, and other sensitive data.
Recently phishing has consisted of mimicking legitimate websites as well via poisoned DNS records or simply registering a domain similar to that of a popular website. When the target goes to the site either they will be deceived into entering their personal data or an activex control will install and infect the computer.
Identity Theft
While identity theft is the intended result in many of the aforementioned cybercrimes, it bears mentioning by itself because of the skyrocketing problem that identity theft has become. The national crime victimization survey estimates that during a 12 month period 6% of American households suffer loss as a result of identity theft. In the US, the estimated financial loss during a six month period is believed to be in excess of three billion dollars (NCVS via Schmallenger, 2009).
Cyber Terrorism
Cyber terrorism is using unauthorized computer or network access to accomplish political goals. To date, most attacks have been distributed denial of service attacks; however, as terrorist organizations increase in programming and target selection capabilities, it is believed that cyber terrorism will present a greater threat in the future (Denning, 2000).
Cybercrime Laws
There are a variety of local and federal laws which apply to cybercrime; however, to cover the entirety of state and local laws on cybercrime would be far too exhaustive. What follows is a collection of federal statutes which apply to cybercrime.
18 U.S.C. §1030
18 U.S.C. §1030 is the computer fraud and abuse act. It makes it a crime to knowingly access protected computers without authorization in government or financial institutions. It also has provisions for interstate unauthorized access and access which causes more than $5,000 in losses. Furthermore the code authorizes the Secret Service and the FBI to enforce provisions of the statute.
18 U.S.C. §1961
18 U.S.C. §1961 relates to racketeering; however, it includes provisions for illegal gambling operations and piracy.
18 U.S.C. §2331
18 U.S.C. §2331 is related to terrorism. It makes it a federal offense to utilize computers or networks to endanger human life in order to further political goals.
18 U.S.C. §2511
18 U.S.C. §2510 makes it illegal to intercept electronic communications. This statute makes it a crime to crack wireless networks, packet sniff, intercept e-mail, or perform man in the middle attacks.
18 U.S.C. §2701
18 U.S.C. §2701 makes it a criminal offense to access stored communications without authorization. 18 U.S.C. §2701 allows the prosecution of individuals who hack email servers or phone message systems.
18 U.S.C. §2702
18 U.S.C. §2702 makes it a criminal offense to disclose information about clients held on a company computer. For example, this makes it illegal for an email service to disclose a client’s emails to a third party. It would also make it illegal to disclose other personal information from databases to third parties.
18 U.S.C. §3056
18 U.S.C. §3056 contains provisions for the Secret Service to enforce laws “relating to electronic fund transfer frauds, access device frauds, false identification documents or devices, and any fraud or other criminal or unlawful activity in or against any federally insured financial institution” (18 U.S.C. §3056 (b)(3)).
18 U.S.C. §3103(a)
18 U.S.C. §3103(a) allows the issuance of warrants for electronic evidence. Evidence may be on a computer or obtained via interception of wire transmissions.
18 U.S.C. §3121
18 U.S.C. §3121 makes it a crime to use pen registers or trap and trace devices without a warrant. It also contains provisions for the issuance of warrants for the use of pen registers and trap and trace devices; as the provision clearly outlines addressing and routing of electronic communications it applies to tcp/ip traffic as well.
18 U.S.C. §3286
18 U.S.C. §3286 places an eight year statute of limitations in which a prosecutor must indict a suspect of cybercrimes not including cyber terrorism. Acts of terrorism have no statute of limitations.
47 U.S.C. §551
47 U.S.C. §551 makes it a crime for cable operators to share information about their customers. The importance of 47 U.S.C. §551 lies in it’s ability to limit the ability of individuals to use information from the cable company as pretext for socially engineered attacks.
17 U.S.C. §504(c)
17 U.S.C. §504(c) creates civil remedies for digital piracy. Depending on the nature of the crime, up to $150,000 USD can be recovered from the perpetrator.
Prosecution
As Schmalleger (2009) points out, the hackers operating prior to the new millenium were largely motivated by curiosity, thrill, and challenge. Consider Steve Wozniak the cofounder of Apple Computers and noted philanthropist; Kevin Mitnick, the once most wanted hacker in the world, is now a prolific writer on computer security, a security consultant, and has even testified before senate hearings on internet security; Kevin Poulson, who hacked the FBI databases and even managed to redirect toll free numbers aimed at providing information to Unsolved Mysteries about him, is now a journalist and has assisted law enforcement in prosecuting over 700 pedophiles and child pornographers on Myspace; or Robert Tapan Morris, creator of the first worm turned tenured professor at MIT (IT Security, 2007). Even the most infamous and notorious of cybercriminals can be made into upstanding citizens by serving relatively short sentences consisting of between a few hundred hours of community service to 4 years in prison.
The prosecution of domestic cybercriminals that are motivated by thrill, boredom, curiosity, or other such reasons are best dealt with by plea bargaining. Age plays a large factor in rehabilitation just as it does with general criminality; however, given that most cybercriminals in this category are intelligent and skilled, it is not difficult for them to find lucrative employment as computer security specialists or consultants despite young age, which in turn negates future criminal tendency (Samaha, 2009). Society stands a chance to benefit just as much or more from their expertise as it suffered from it.
That said, the collection of evidence can become more difficult when the scene of the crime spans across cities and states. One issue to contend with is the reluctance of local law enforcement to fully investigate crimes when the victim is not found within their jurisdiction (Swire, 2009).
Fortunately, the same ability of the internet to cross boundaries and borders can be leveraged by investigators (Swire, 2009). A few years ago my brother in law was contemplating entering his company into a business deal with another company but had some concerns based on rumors that the owner of the other business may have been involved in unethical activities such as spam emails. Based on a business card he had been provieded, we sat down at his computer and began some searches on the name of the individual and DNS registrar information of the email domain held on the card. Within two hours of searching we discovered the business and owner each had hundreds of thousands of dollars worth of as of yet unpaid judgments against them relating to spam email in San Jose and found records indicating involvement in various internet frauds in Nevada and Seattle; needless to say my brother in law opted not to do business with that company. While not all such internet based investigations may be successful, it does illustrate that the internet is the scene of the crime and the basis from which to begin an investigation.
During the process of investigation, evidence can be collected from the hard drives of computers suspected to have been used or utilized by the cybercriminal. Creating a one to one forensic image of hard drives allows trained investigators to search for evidence of the crime.
Another difficulty arises when the prosecution wishes to call witnesses, as it can be difficult to procure witnesses from geographically distant places. This further emphasizes the benefits of achieving plea bargains prior to trial.
Prosecution of International Cybercrime
Due to the global nature of the internet, what are the ramifications to the prosecution of individuals who attack US based targets from outside the US? In US v. Aleksey Vladimirovich Ivanov (175 F.Supp.2d 367 [2001]) the court held that the findings of US v. Muench (694 F.2d 28 [1982]):
“The intent to cause effects within the United States … makes it reasonable to apply to persons outside United States territory a statute which is not expressly extraterritorial in scope.” Id. at 33. “It has long been a commonplace of criminal liability that a person may be charged in the place where the evil results, though he is beyond the jurisdiction when he starts the train of events of which that evil is the fruit.”
and US v. Steinberg (62 F.2d 77,78 [1932]):
“[T]he Government may punish a defendant in the same manner as if [he] were present in the jurisdiction when the detrimental effects occurred.”
apply to cybercrime. This effectively allows states or the federal government to prosecute international offenders as though they were within the jurisdiction of the offense.
The next issue becomes arresting the cybercriminal. In some instances, suspects are arrested in the airports of the US or extraditable countries, in other instances, the individuals are arrested and extradited from their country of origin. Cooperation and diplomacy are key in extraditing cybercriminals and often includes the FTC or FBI working in tandem with law enforcement from other countries (Robinson, 2000). Once in the states, the aforementioned rulings make prosecution relatively similar to domestic incidents of cybercrime.
Conclusion and Implications
While the problem of cybercrime is real and may seem a significant obstacle facing law enforcement, relatively few changes are required to adapt to the threat. The US Government has already moved the protection of government and military websites into the jurisdiction of Homeland Security and US Strategic Command respectively; however, operating under the old adage that it takes a thief, security specialists with hacking expertise are in demand (Greenberg, 2000). The numbers of advanced hacking capable IT personnel needs to climb to 20,000 personnel spread between the public and private sectors; therefore, the government and industry will need to step up active recruitment.
Furthermore, federal and state entities need to begin relying more on operating systems in which the user space and root space do not collide. Installation of a properly configured Unix or Linux derived operating system such as Red Hat, Suse, BSD, Debian, or MacOSX effectively prevents the installation of malicious software.
Continuing cooperation and joint training between US and foreign law enforcement must be nurtured. Foreign law enforcement will become increasingly important in apprehending suspects and gathering digital forensic evidence; therefore, they must have policies and procedures that will withstand the tests of a US court of law.
Finally, more attention needs to be paid to the human element of the equation. The human operator at the computer is now and always will be the weakest link in the security chain. Thorough background checks are necessary on individuals who can access sensitive or private information, and staff need to be regularly retrained in security measures.
In conclusion, the US has gone a long way toward meeting the challenges posed by cybercrime, and while there are still challenges left to face, they are entirely surmountable when approached with determination and ingenuity.
References
BBC News. (2004, April 20). Passwords revealed by sweet deal. Retrieved from http://news.bbc.co.uk/2/hi/technology/3639679.stm
Cunningham, K.J., Goulka, J., Matthies, C., Ridgeway, J., Treverton, G.F., & Wong, A. (2009). Film piracy, organized crime, and terrorism. Santa Monica, CA: RAND.
Denning, D.E. (2000, May 23). Cyberterrorism: testimony before the special oversight panel on terrorism, committe on armed services, and us house of representatives. Retrieved from http://www.cs.georgetown.edu/~denning/infosec/cyberterror.html
Fox News. (2008, August 13). Russian hackers attack georgia in cyberspace. Retrieved from http://www.foxnews.com/story/0,2933,402406,00.html
Greenberg, A. (2009, June 1). Cybercops without borders. Retrieved from http://www.forbes.com/2009/06/01/cyberbusts-security-internet-technology-security-cyberbusts.html
Greenberg, A. (2009, May 21). Pentagon seeks high school hackers. Retrieved from http://www.forbes.com/2009/05/21/cybersecurity-students-hackers-technology-security-cybersecurity.html
IT Security. (2007, April 24). Top 10 most famous hackers of all time. Retrieved from http://www.itsecurity.com/features/top-10-famous-hackers-042407/
Landler, M. (2000, October 21). A Filipino linked to ‘love bug’ talks about his license to hack. Retrieved from http://www.nytimes.com/2000/10/21/business/a-filipino-linked-to-love-bug-talks-about-his-license-to-hack.html?pagewanted=1
Robinson, J.K. (2000, May 29). Internet as the scene of the crime. Retrieved from http://www.justice.gov/criminal/cybercrime/roboslo.htm
Samaha, J. (2008). Criminal law 6th edition. Belmont, CA: Thomson Learning.
Schmalleger, F. (2009). Criminology today:an integrative introduction. Columbus, Ohio: Pearson.
Stanglin, D. (2010, February 22). Google hacking traced to 2 chinese universities. Retrieved from http://content.usatoday.com/communities/ondeadline/post/2010/02/report-google-hacking-traced-to-two-chinese-universities/1
Swire, P. (2009). No cop on the beat: underenforcement in e-commerce and cybercrime. Journal on Telecommunications & High Technology Law, Winter, 2009. Retrieved from http://www.lexisnexis.com.ezproxy2.apus.edu/us/lnacademic/results/docview/docview.do?docLinkInd=true&risb=21_T8867907448&format=GNBFI&sort=RELEVANCE&startDocNo=1&resultsUrlKey=29_T8867907455&cisb=22_T8867907452&treeMax=true&treeWidth=0&selRCNodeID=2&nodeStateId=411en_US,1,2&docsInCategory=16&csi=294665&docNo=6
US Department of Justice. (2000, July 18). Kevin mitnick sentenced to nearly four years in prison: computer hacker ordered to pay restitution to victim companies whose systems were compromised. Retrieved from http://www.justice.gov/criminal/cybercrime/mitnick.htm
Prosecuting Cybercrime
Could the first man to discover fire and utilize it for the noble goals of keeping warm or cooking have fathomed that it would eventually be used criminally by arsonists? The advent of technologies always runs the risk of later being used by criminals. White collar crime did not exist prior to the evolution of management positions, nor did cybercrime exist prior to the development of electronic computer networks (Samaha, 2008).
Individual incidents of Cybercrime can rapidly result in millions or even billions of dollars of damage between theft and loss of revenue. Even governments are now recognizing the immense power exploiting the computer networks of other governments or businesses carries as is evidenced by recent crimes such as the hacking and distributed denial of service attacks leveled against Google by Chinese students backed by People’s Liberation Army funded universities (Stanglin, 2010). Exploiting networks and systems can also lead to the crippling of an enemy’s infrastructure as incidenced by Russian hackers attacking Georgian government websites during Russia’s 2008 offensive (Fox News, 2008).
As with any technology, law enforcement and the legal system must adapt to combat the new crimes being committed. While a great deal of progress has been made toward dealing with cybercrime, this paper will also reveal some areas where improvement could be made.
A Brief History of Cybercrime
In the 1950’s the first acts of cybercrime evolved from the then new tone dialing technologies implemented by phone companies. It was not difficult for electronics enthusiasts to create small boxes which mimicked the tones used to instruct the phone system to place calls. Phone phreaks, as cybercriminals who exploit phone networks are known, have moved toward the capture and cloning of cell phone numbers; however, with the prevalence of other communication methods such as voice over ip and other methods of communication phone phreaking is declining in popularity (Schmalleger, 2009).
With the rise of computers and networks, individuals began searching for ways to gain unauthorized access to the data held therein. Over time three predominant concepts in attack vectors have been established: attacks via brute force and attacks via social engineering.
Brute Force Methods
Brute force methods, the first paradigm of gaining unauthorized access, involves the use of sheer computational power to overcome protections or exploit a vulnerability in a computer, network, software, or file. This method can be quite time consuming at times; however, with the advent of parallel processing offered by graphics card companies such as the combined AMD and ATI or from Nvidia brute force attacks can be accomplished much faster.
Brute force attacks typically require the use of text files which contain millions of potential passwords or data hashes used to encrypt passwords. For example, using commonly available tables of password hashes called rainbow tables makes it a simple and quick task to retrieve passwords for all users of Microsoft Windows XP if a hacker has physical access to the system. Other types of encryption can take much longer to break, from a few days of dedicated wireless packet interjection in WEP to the nearly unbreakable PGP which is generally not viable to even attempt.
Fortunately, entering another individual’s or businesses network would likely first involve bypassing a firewall by scanning for open ports then attempting brute force bypasses on whichever protocol was left open by system administrators; this style of attack is generally inefficient, leading to the widespread adoption of social engineering methods.
Social Engineering Methods
Sun Tzu wisely taught that the best place to attack is where the opponent is weakest, thereby leading his troops to victory over an army significantly larger than his own. When dealing with any electronic device or network that has any level of security, the human operators will always be the weakest point. While it may sound far fetched, when computer security consultants test a client’s network it is not uncommon that they manage to acquire passwords from staff for as little as a dollar or a chocolate bar (BBC, 2004).
While not everyone will fall prey to such obvious deception, simple ruses abound that prey on curiosity. One of the newest methods of corporate espionage is leaving CD’s, DVD’s, or USB devices lying around the parking lot of the targeted company. When staff find them they are inclined to plug the devices into their office computer and unwittingly make their computer an agent of the attacker.
The most infamous cybercriminal that is often credited as the earliest to fully integrate social engineering into his repertoire was the infamous Kevin Mitnick, a now reformed computer security consultant who during the mid 1990’s found himself embroiled in a two and a half year long game of cat and mouse with the FBI, the media, and other hackers. Mitnick managed to gain access to hundreds of thousands of dollars worth of proprietary software from companies such as Novell, Fujitsu, Motorolla, Sun Microsystems, and many others generally by deceiving individuals into revealing their passwords or weaknesses in security. While Mitnick may have been one of the earliest and most notorious cybercriminals to utilize social engineering, he certainly isn’t the last (US Department of Justice, 2000).
Exploitation Methods
Exploitation can be used in conjunction with the other two methods or employed entirely on it’s own. Exploitation revolves around finding security flaws in software and utilizing those security flaws to gain unauthorized access. Traditional methods include manipulating websites by attacking vulnerabilities in Microsoft IIS server or interjecting SQL code into forms on company websites. Attacks on desktops or workstations typically revolve around mail client, web browser, or scripting vulnerabilities.
Types of Cybercrime
Cybercrime as with it’s traditional criminal sibling comes in many different forms with many different purposes. Motivators vary from challenge, addiction, thrill, revenge, to profit; as can be seen in the following sections, methods can be just as diverse as the motivations.
Hacking
There are a wide variety of goals and methods behind hacking. Hacking is essentially the unauthorized intrusion into a computer or network whether by brute force entry or socially engineered methods. The goal of hacking may be as benign as a simple digital trespass for bragging rights or as sinister as data theft to achieve corporate or governmental espionage.
Malicious Software
Malicious software are programs written with the express purpose of compromising or sabotaging a computer or network of computers. Malicious software can come in the form of trojans, rootkits, virusses, or worms. Trojans and rootkits hide on the computer and grant a cybercriminal access to information on the computer.
There are several benefits commandeering computers has for cybercriminals, first the outright sale of the control of a cluster of infected computers which are then utilized by other cybercriminals. Outright sale can be extremely lucrative in and of itself; however, for any crimes committed using those computers the seller can be charged as an accomplice. Second, as SMTP is a relatively simple protocol and coincidingly small program, it is possible to install an SMTP mail daemon which is able to send out bulk email in the form of spam without users being aware. Third, leveraging a massive number of computers, sometimes referred to as a botnet, makes it more effective to shut down websites via distributed denial of service attacks or allows anonymous parallel brute force attacks over the internet. Fourth, it is possible to log keystrokes and websites, effectively handing over access to financial data or email. Finally, since the computers being compromised and utilized will range from desktops in church offices to laptops in coffee shops, none of which have any direct physical connection to the attacker, it makes the cybercriminal much more difficult to apprehend.
Viruses and worms tend to be utilized more for cybervandalism, their purpose is generally directed at the destruction of data or networks but are increasingly being used as a delivery method for trojans. The first worm was created by Robert Tappan Morris, now a professor at MIT, who coincidentally was the first individual to be prosecuted under the 1986 computer fraud and abuse act. Morris claims his intention was to discover the size of the internet; however, the worm quickly infected more than 6,000 computers and brought them to the point that they were unusable (IT Security, 2007).
As earlier mentioned, social engineering is the preferred method of infecting computers, and can range from phishing to calling extensions in a target company pretending to be from technical support, thereafter instructing the hapless employee to install trojans. Another instance of social engineering was used in one of the most devastating viruses to date; the ILOVEYOU virus, which caused an estimated 10 billion in world wide losses and shut down systems at both the CIA and the pentagon, spread via email messages that had a visual basic script which appeared to be a love note (Landler, 2000).
Distributed Denial of Service
A distributed denial of service attack involves commandeering dozens, hundreds, or even thousands of computers which then simultaneously and repeatedly access the target web server or email server. High amounts of website traffic will cause either a massive slowdown in the ability of the target to serve pages and email or will crash the server outright. Distributed denial of service attacks have been increasingly employed by nationalists against targets in an effort to benefit their state, as can be seen in attacks against Georgian websites by Russian nationalists or attacks against US and UK entities by Chinese nationalists.
Data Diddling
Data diddling involves the manipulation of data. Examples of data diddling include using an insider to favorably adjust credit scores; as such, data diddling tends to be closely related to white collar crime (Samaha, 2007).
Salami Attack
The salami attack is one of the oldest known methods of cybercrime. The salami attack involves using or modifying software to steal small amounts of money from many transactions or accounts (Samaha, 2007). Money is transferred to an account that is left open for a relatively short time before the cybercriminal withdraws funds and closes the account. The concept is that if the attacker manages to have enough volume of minute thefts, a large sum of money will quickly accumulate to tens or hundreds of thousands of dollars.
Piracy
Digital piracy has been a hotly debated issue since the advent of peer to peer file sharing networks; however, beyond private individuals exchanging ripped software, books, music, and movies a recent RAND report suggests that international criminal and terrorist organizations make extensive use of piracy in order to fund other more nefarious ventures such as human trafficking, drug manufacture, and terrorism (Cunningham, Goulka, Matthies, Ridgeway, Treverton, & Wong 2009). While this form of piracy may not have garnered very much attention within the United States, it is a significant issue in international law enforcement.
Child Pornography
The age of personal computing and the internet has made it increasingly easy for child pornographers to exchange and images and videos, thereafter easily storing them in advanced encrypted formats using technologies such as Truecrypt. Encryption makes it particularly difficult for law enforcement to gather forensic evidence against pornographers as the amount of resources and time needed to decrypt most 128 bit and 256 bit encryption makes bypassing the encryption prohibitive.
Internet Gambling
Internet gambling is considered illegal under the wire act; however, many companies have operated servers outside the US that US citizens were able to access and gamble on. The justice department has aggressively targeted CEOs of gambling sites that are available from the US. Justice officials have had success targeting and arresting CEOs who are transiting flights in the US.
Phishing and Fraudulent Email
Phishing and fraudulent email are particularly troubling as they are quite effective at gathering personal information from unsuspecting targets. Phishing is the sending of emails which appear to come from a legitimate source such as a bank; website such as ebay or paypal; or other legitimate company. When a user follows the provided links to update their accounts, they essentially provide the attacker with user account names, numbers, and passwords. Even more impressive forms of attack involve requiring the target to call a toll free number where an automated voice recording system records answers to questions about account numbers, names, social security numbers, passwords, and other sensitive data.
Recently phishing has consisted of mimicking legitimate websites as well via poisoned DNS records or simply registering a domain similar to that of a popular website. When the target goes to the site either they will be deceived into entering their personal data or an activex control will install and infect the computer.
Identity Theft
While identity theft is the intended result in many of the aforementioned cybercrimes, it bears mentioning by itself because of the skyrocketing problem that identity theft has become. The national crime victimization survey estimates that during a 12 month period 6% of American households suffer loss as a result of identity theft. In the US, the estimated financial loss during a six month period is believed to be in excess of three billion dollars (NCVS via Schmallenger, 2009).
Cyber Terrorism
Cyber terrorism is using unauthorized computer or network access to accomplish political goals. To date, most attacks have been distributed denial of service attacks; however, as terrorist organizations increase in programming and target selection capabilities, it is believed that cyber terrorism will present a greater threat in the future (Denning, 2000).
Cybercrime Laws
There are a variety of local and federal laws which apply to cybercrime; however, to cover the entirety of state and local laws on cybercrime would be far too exhaustive. What follows is a collection of federal statutes which apply to cybercrime.
18 U.S.C. §1030
18 U.S.C. §1030 is the computer fraud and abuse act. It makes it a crime to knowingly access protected computers without authorization in government or financial institutions. It also has provisions for interstate unauthorized access and access which causes more than $5,000 in losses. Furthermore the code authorizes the Secret Service and the FBI to enforce provisions of the statute.
18 U.S.C. §1961
18 U.S.C. §1961 relates to racketeering; however, it includes provisions for illegal gambling operations and piracy.
18 U.S.C. §2331
18 U.S.C. §2331 is related to terrorism. It makes it a federal offense to utilize computers or networks to endanger human life in order to further political goals.
18 U.S.C. §2511
18 U.S.C. §2510 makes it illegal to intercept electronic communications. This statute makes it a crime to crack wireless networks, packet sniff, intercept e-mail, or perform man in the middle attacks.
18 U.S.C. §2701
18 U.S.C. §2701 makes it a criminal offense to access stored communications without authorization. 18 U.S.C. §2701 allows the prosecution of individuals who hack email servers or phone message systems.
18 U.S.C. §2702
18 U.S.C. §2702 makes it a criminal offense to disclose information about clients held on a company computer. For example, this makes it illegal for an email service to disclose a client’s emails to a third party. It would also make it illegal to disclose other personal information from databases to third parties.
18 U.S.C. §3056
18 U.S.C. §3056 contains provisions for the Secret Service to enforce laws “relating to electronic fund transfer frauds, access device frauds, false identification documents or devices, and any fraud or other criminal or unlawful activity in or against any federally insured financial institution” (18 U.S.C. §3056 (b)(3)).
18 U.S.C. §3103(a)
18 U.S.C. §3103(a) allows the issuance of warrants for electronic evidence. Evidence may be on a computer or obtained via interception of wire transmissions.
18 U.S.C. §3121
18 U.S.C. §3121 makes it a crime to use pen registers or trap and trace devices without a warrant. It also contains provisions for the issuance of warrants for the use of pen registers and trap and trace devices; as the provision clearly outlines addressing and routing of electronic communications it applies to tcp/ip traffic as well.
18 U.S.C. §3286
18 U.S.C. §3286 places an eight year statute of limitations in which a prosecutor must indict a suspect of cybercrimes not including cyber terrorism. Acts of terrorism have no statute of limitations.
47 U.S.C. §551
47 U.S.C. §551 makes it a crime for cable operators to share information about their customers. The importance of 47 U.S.C. §551 lies in it’s ability to limit the ability of individuals to use information from the cable company as pretext for socially engineered attacks.
17 U.S.C. §504(c)
17 U.S.C. §504(c) creates civil remedies for digital piracy. Depending on the nature of the crime, up to $150,000 USD can be recovered from the perpetrator.
Prosecution
As Schmalleger (2009) points out, the hackers operating prior to the new millenium were largely motivated by curiosity, thrill, and challenge. Consider Steve Wozniak the cofounder of Apple Computers and noted philanthropist; Kevin Mitnick, the once most wanted hacker in the world, is now a prolific writer on computer security, a security consultant, and has even testified before senate hearings on internet security; Kevin Poulson, who hacked the FBI databases and even managed to redirect toll free numbers aimed at providing information to Unsolved Mysteries about him, is now a journalist and has assisted law enforcement in prosecuting over 700 pedophiles and child pornographers on Myspace; or Robert Tapan Morris, creator of the first worm turned tenured professor at MIT (IT Security, 2007). Even the most infamous and notorious of cybercriminals can be made into upstanding citizens by serving relatively short sentences consisting of between a few hundred hours of community service to 4 years in prison.
The prosecution of domestic cybercriminals that are motivated by thrill, boredom, curiosity, or other such reasons are best dealt with by plea bargaining. Age plays a large factor in rehabilitation just as it does with general criminality; however, given that most cybercriminals in this category are intelligent and skilled, it is not difficult for them to find lucrative employment as computer security specialists or consultants despite young age, which in turn negates future criminal tendency (Samaha, 2009). Society stands a chance to benefit just as much or more from their expertise as it suffered from it.
That said, the collection of evidence can become more difficult when the scene of the crime spans across cities and states. One issue to contend with is the reluctance of local law enforcement to fully investigate crimes when the victim is not found within their jurisdiction (Swire, 2009).
Fortunately, the same ability of the internet to cross boundaries and borders can be leveraged by investigators (Swire, 2009). A few years ago my brother in law was contemplating entering his company into a business deal with another company but had some concerns based on rumors that the owner of the other business may have been involved in unethical activities such as spam emails. Based on a business card he had been provieded, we sat down at his computer and began some searches on the name of the individual and DNS registrar information of the email domain held on the card. Within two hours of searching we discovered the business and owner each had hundreds of thousands of dollars worth of as of yet unpaid judgments against them relating to spam email in San Jose and found records indicating involvement in various internet frauds in Nevada and Seattle; needless to say my brother in law opted not to do business with that company. While not all such internet based investigations may be successful, it does illustrate that the internet is the scene of the crime and the basis from which to begin an investigation.
During the process of investigation, evidence can be collected from the hard drives of computers suspected to have been used or utilized by the cybercriminal. Creating a one to one forensic image of hard drives allows trained investigators to search for evidence of the crime.
Another difficulty arises when the prosecution wishes to call witnesses, as it can be difficult to procure witnesses from geographically distant places. This further emphasizes the benefits of achieving plea bargains prior to trial.
Prosecution of International Cybercrime
Due to the global nature of the internet, what are the ramifications to the prosecution of individuals who attack US based targets from outside the US? In US v. Aleksey Vladimirovich Ivanov (175 F.Supp.2d 367 [2001]) the court held that the findings of US v. Muench (694 F.2d 28 [1982]):
“The intent to cause effects within the United States … makes it reasonable to apply to persons outside United States territory a statute which is not expressly extraterritorial in scope.” Id. at 33. “It has long been a commonplace of criminal liability that a person may be charged in the place where the evil results, though he is beyond the jurisdiction when he starts the train of events of which that evil is the fruit.”
and US v. Steinberg (62 F.2d 77,78 [1932]):
“[T]he Government may punish a defendant in the same manner as if [he] were present in the jurisdiction when the detrimental effects occurred.”
apply to cybercrime. This effectively allows states or the federal government to prosecute international offenders as though they were within the jurisdiction of the offense.
The next issue becomes arresting the cybercriminal. In some instances, suspects are arrested in the airports of the US or extraditable countries, in other instances, the individuals are arrested and extradited from their country of origin. Cooperation and diplomacy are key in extraditing cybercriminals and often includes the FTC or FBI working in tandem with law enforcement from other countries (Robinson, 2000). Once in the states, the aforementioned rulings make prosecution relatively similar to domestic incidents of cybercrime.
Conclusion and Implications
While the problem of cybercrime is real and may seem a significant obstacle facing law enforcement, relatively few changes are required to adapt to the threat. The US Government has already moved the protection of government and military websites into the jurisdiction of Homeland Security and US Strategic Command respectively; however, operating under the old adage that it takes a thief, security specialists with hacking expertise are in demand (Greenberg, 2000). The numbers of advanced hacking capable IT personnel needs to climb to 20,000 personnel spread between the public and private sectors; therefore, the government and industry will need to step up active recruitment.
Furthermore, federal and state entities need to begin relying more on operating systems in which the user space and root space do not collide. Installation of a properly configured Unix or Linux derived operating system such as Red Hat, Suse, BSD, Debian, or MacOSX effectively prevents the installation of malicious software.
Continuing cooperation and joint training between US and foreign law enforcement must be nurtured. Foreign law enforcement will become increasingly important in apprehending suspects and gathering digital forensic evidence; therefore, they must have policies and procedures that will withstand the tests of a US court of law.
Finally, more attention needs to be paid to the human element of the equation. The human operator at the computer is now and always will be the weakest link in the security chain. Thorough background checks are necessary on individuals who can access sensitive or private information, and staff need to be regularly retrained in security measures.
In conclusion, the US has gone a long way toward meeting the challenges posed by cybercrime, and while there are still challenges left to face, they are entirely surmountable when approached with determination and ingenuity.
References
BBC News. (2004, April 20). Passwords revealed by sweet deal. Retrieved from http://news.bbc.co.uk/2/hi/technology/3639679.stm
Cunningham, K.J., Goulka, J., Matthies, C., Ridgeway, J., Treverton, G.F., & Wong, A. (2009). Film piracy, organized crime, and terrorism. Santa Monica, CA: RAND.
Denning, D.E. (2000, May 23). Cyberterrorism: testimony before the special oversight panel on terrorism, committe on armed services, and us house of representatives. Retrieved from http://www.cs.georgetown.edu/~denning/infosec/cyberterror.html
Fox News. (2008, August 13). Russian hackers attack georgia in cyberspace. Retrieved from http://www.foxnews.com/story/0,2933,402406,00.html
Greenberg, A. (2009, June 1). Cybercops without borders. Retrieved from http://www.forbes.com/2009/06/01/cyberbusts-security-internet-technology-security-cyberbusts.html
Greenberg, A. (2009, May 21). Pentagon seeks high school hackers. Retrieved from http://www.forbes.com/2009/05/21/cybersecurity-students-hackers-technology-security-cybersecurity.html
IT Security. (2007, April 24). Top 10 most famous hackers of all time. Retrieved from http://www.itsecurity.com/features/top-10-famous-hackers-042407/
Landler, M. (2000, October 21). A Filipino linked to ‘love bug’ talks about his license to hack. Retrieved from http://www.nytimes.com/2000/10/21/business/a-filipino-linked-to-love-bug-talks-about-his-license-to-hack.html?pagewanted=1
Robinson, J.K. (2000, May 29). Internet as the scene of the crime. Retrieved from http://www.justice.gov/criminal/cybercrime/roboslo.htm
Samaha, J. (2008). Criminal law 6th edition. Belmont, CA: Thomson Learning.
Schmalleger, F. (2009). Criminology today:an integrative introduction. Columbus, Ohio: Pearson.
Stanglin, D. (2010, February 22). Google hacking traced to 2 chinese universities. Retrieved from http://content.usatoday.com/communities/ondeadline/post/2010/02/report-google-hacking-traced-to-two-chinese-universities/1
Swire, P. (2009). No cop on the beat: underenforcement in e-commerce and cybercrime. Journal on Telecommunications & High Technology Law, Winter, 2009. Retrieved from http://www.lexisnexis.com.ezproxy2.apus.edu/us/lnacademic/results/docview/docview.do?docLinkInd=true&risb=21_T8867907448&format=GNBFI&sort=RELEVANCE&startDocNo=1&resultsUrlKey=29_T8867907455&cisb=22_T8867907452&treeMax=true&treeWidth=0&selRCNodeID=2&nodeStateId=411en_US,1,2&docsInCategory=16&csi=294665&docNo=6
US Department of Justice. (2000, July 18). Kevin mitnick sentenced to nearly four years in prison: computer hacker ordered to pay restitution to victim companies whose systems were compromised. Retrieved from http://www.justice.gov/criminal/cybercrime/mitnick.htm