
Page 1: 12/3/08CSC309 Miller1 Ch7 Computer Crime. 9/28/08CSC309 Miller2 Good Security Web Site  The SANS (SysAdmin, Audit, Network, Security)

12/3/08 CSC309 Miller 1

Ch7 Computer Crime


9/28/08 CSC309 Miller 2

Good Security Web Site: http://www.sans.org/

The SANS (SysAdmin, Audit, Network, Security) Institute was established in 1989 as a cooperative research and education organization.

I like “NewsBites” and the access to on-line articles. Great place to learn how to be a spy.


12/3/08 CSC309 Miller 3

Crime is not always about money. SANS NewsBites Vol. 10 Num. 94 -- MySpace Suicide Case Verdict: Three Misdemeanor Convictions (11/26/08)

The perpetrator of an Internet hoax that prompted a 13-year-old neighbor to kill herself was convicted of three misdemeanor offenses (each carrying a maximum of a year in prison and a $100,000 fine) of accessing computers without authorization. She was tried under the US Computer Fraud and Abuse Act for violating the MySpace terms of agreement by establishing a phony identity and harassing another MySpace member.


2/28/01 CSC309 Miller 4

Threats to Computer Systems

1. Environmental: This is a major threat, but we tend not to give it a lot of attention.

2. Accidental: It turns out that the good guys are going to give us more problems than the bad guys.

3. Computer crime: More fun to talk about than power surges or programmer errors, and it turns out that protection against criminal activities often also protects against the impact of environmental or accidental threats.


9/28/08 CSC309 Miller 5

Threats to Computer Systems

1. Power surges (a spike is less than a millionth of a second in duration)

2. Fire (where do you put the computer room?)

3. Water (floods, hurricanes, sprinklers, air conditioner related, etc.)

4. Chemical (chlorine gas, acid in Tec206, etc.)


9/28/08 CSC309 Miller 6

Threats to Computer Systems

5. Static electricity (the need for dress codes, static prevention floors and waxes)

6. Strange (molten steel, four truck loads of concrete, explosions)

7. Bah Humbug (spill drink on keyboard)

8. Rage (drop, hit, shoot, blowup)


3/2/01 CSC309 Miller 7

Accidental

1. Programming errors

2. Improper labeling of data

3. Destruction of data during processing

4. Procedures that lead to disaster

5. Dumb moves (not thinking through backup)


2/11/09 CSC309 Miller 8

Nigerian Scam

Not sure I want to push this as computer crime, because in the early 1980s this scam was alive and well and used the US mail (the envelope always looked like it was made from a paper grocery bag).

Examples at: http://www.quatloos.com/cm-niger/nigerian_scam_letter_museum.htm

Comic relief at: http://www.quatloos.com/brad-c/elvis.htm


2/11/09 CSC309 Miller 9

419

"419" is a reference to the section of the Nigerian criminal code that outlaws this business. "419 is just a game; you are the loser, I am the winner," sings pop crooner Uzodinma Okpechi, whose single "I Go Chop Your Dollar" was a hit across Africa and was adopted by 419ers as their theme song. It celebrates the gullibility essential for this scam.


2/28/01 CSC309 Miller 10

Computer Crime

Computer crime comes in all shapes and sizes, ranging from the very simple (print account numbers on deposit slips left in the lobby of a bank) to the complex (insurance fraud). It can be of the "I never would have thought of that" variety (kidnapping, routing scam). It can be a senseless act of vandalism (a virus) or leave an environment exactly as it found it.

Typical problems on a college campus ...

As an expert witness ...


1/19/02 CSC309 Miller 11

Computer Abuse

The willful or negligent unauthorized activity that affects the availability, confidentiality, or integrity of computer resources. Computer abuse includes fraud, embezzlement, theft, malicious damage, unauthorized use, denial of service, and misappropriation.


10/31/01 CSC309 Miller 12

How Bad?

In 1983 (when the world was just starting to really get interested in this topic) the following figures appeared in ComputerWorld:

July 11: $100,000,000

October 31: $100,000,000 to $3,000,000,000

November 21: $1,500,000,000 to $3,000,000,000

December 12: a "fraction" of $40,000,000,000

December 26: $70,000,000,000


3/3/01 CSC309 Miller 13

Profile of a bad guy

1. Typically there is no criminal history.

2. Hackers (computer criminals/abusers, etc.) are often portrayed as "bright, inquisitive young people (always male) who explore computer systems for fun and intellectual challenge."


11/28/01 CSC309 Miller 14

Profile of a bad guy

3. Usually an employee and usually in some type of managerial position.

4. Basically the same as an embezzler: an individual with needs (sick child, nagging spouse, living beyond means, gambling debts, etc.) who is presented with an opportunity to take company resources.


6/27/02 CSC309 Miller 15

Profile of a Bad Guy Could be Changing

In a 1997 study conducted by San Francisco’s Computer Security Institute (CSI) in cooperation with the FBI, 43% of the respondents reported one to five attacks from the inside, while 47% reported the same number of attacks from outside. WorldCom’s 3.8 billion insider problem will skew the dollar loss figures.


3/2/01 CSC309 Miller 16

What's Different?

1. We anticipate errors. Union Dime Savings Bank chief teller steals $30,000 per day.

2. Things of value are not obvious/labeled. Million-dollar software package stolen at a trade show.

3. Major increase in computational power. Salami schemes. Duplicate set of books.


3/2/01 CSC309 Miller 17

What's Different?

4. Centralization of function. Protection offered by separation of duties is lost.

5. Centralization of information. Everything is now kept in one location.

6. Teleprocessing/remote data entry. Jerry Schneider and the telephone company.


10/31/01 CSC309 Miller 18

What's Different?

7. Circumvention of controls. Error-correcting routines are a major weak spot in system security, but imagine how systems would work without them. (This has been tried.)

8. Question of ownership. Who owns the code? " ... and he stole the code and rode into the mountains and the posse (on horses, of course) followed."


1/17/09 CSC309 Miller 19

What's Different?

9. Lack of visible records/data compression. What’s on a flash drive?

10. Anonymity. Things can be done remotely without exposing one's identity.

11. User friendliness/computer literacy. Gone is the protection offered by the paucity of people with computer skills.


3/2/01 CSC309 Miller 20

What's Different?

12. Things can be "taken" but still be there (a produce packing house in California).

13. Lack of an established code of ethics. (But we are trying.)


1/19/02 CSC309 Miller 21

Terminology/Jargon

A computer virus is a program that attaches itself to an executable program and reproduces itself to spread from file to file.

A worm is a program which reproduces itself but unlike a virus does not need to be attached to an executable program to reproduce.

A Trojan horse is an apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.


6/20/02 CSC309 Miller 22

Terminology/Jargon

A logic bomb is a destructive action taken by a program when it detects that a certain set of conditions has been met. A time bomb is a logic bomb triggered by time/date information.

6/1/02 A disgruntled (former) employee planted a logic bomb in his company's computer system when he was demoted; it detonated months after he resigned, destroying part of the program supporting the sales force's handheld computers. The company went after the employee, and he has been sentenced to two years in prison and ordered to pay restitution of $200,000. http://www.cio.com/archive/060102/doom_content.html


6/27/02 CSC309 Miller 23

Terminology/Jargon

A SYN attack is an attack against a computer that provides service to customers over the Internet. SYN (synchronize) refers to the type of message used between computers when a connection is being set up. The attack jams the service of the victim computer. Also called a denial-of-service attack.

Denial-of-service attacks include those that disable equipment, flood communication networks, and/or degrade service.


1/31/09 CSC309 Miller 24

Terminology/Jargon

(1/28/09) Ongoing distributed denial-of-service (DDoS) attacks against Kyrgyzstan's two largest ISPs have bumped most computers in the country offline. The attacks began on January 18 and are believed to be controlled by a Russian "cybermilitia." The group behind the attacks appears to be the same one that orchestrated similar attacks against the Republic of Georgia last summer. The issue could be Russia's demand that Kyrgyzstan "oust" foreign air forces before it will lend the country US $300 million and invest an additional US $1.7 billion in energy.


2/4/09 CSC309 Miller 25

Kyrgyzstan

(2/4/09) Kyrgyzstan's government submitted a draft bill to parliament Wednesday that would close a U.S. base that is key to the American military campaign in Afghanistan. The base, which is located at the Manas civilian airport near Kyrgyzstan's capital, is an important air-mobility facility, home to tanker planes that refuel warplanes flying over Afghanistan. It also supports airlifts and medical evacuation operations and houses troops heading into and out of Afghanistan. (No mention of DDoS attacks.)


6/27/02 CSC309 Miller 26

Terminology/Jargon

A sniffer program intercepts and reads your e-mail at one of the computers it is being routed through. Name/password combinations are a prime target.

Social engineering is when someone is able to pass himself off as someone authorized to receive user passwords and access rights from legitimate sources. [A trivial example comes by exploiting the process for getting a password when you forget your own. On the phone you can be anybody.]


11/28/01 CSC309 Miller 27

Terminology/Jargon

A Salami Scheme is a scheme in which a small amount is stolen from a large number of people or accounts. Usually the amount is small enough that even if noticed it will not be reported.

Early versions had the computer moving fractions of cents resulting from interest calculations to a hidden account.
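The fractions-of-a-cent version of the scheme is worth seeing next to the control that catches it. The following is an added example, not code from the lecture notes: the account ids, balances and rate are constructed, and the published rounding rule (half-up to the cent) is an assumption standing in for whatever the institution actually specifies. `skimmed_postings` reproduces the textbook pattern (truncate every credit, park the discarded fractions in one extra account) only so that `audit_interest_run` has something to find.

```python
"""Reconciliation check for an interest run, aimed at the salami pattern on the slide.

Added example, not from the original lecture notes. Accounts, rate and ids are
constructed; half-up rounding to the cent is an assumed published rule.
"""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed sample ledger: balances in dollars and a monthly interest rate.
ACCOUNTS = {
    "A-1001": Decimal("1234.56"),
    "A-1002": Decimal("98765.43"),
    "A-1003": Decimal("15.07"),
    "A-1004": Decimal("50000.00"),
}
MONTHLY_RATE = Decimal("0.004167")


def expected_postings(accounts, rate):
    """What the run should credit each account under the published rounding rule."""
    return {acct: (bal * rate).quantize(CENT, rounding=ROUND_HALF_UP)
            for acct, bal in accounts.items()}


def skimmed_postings(accounts, rate, sink="A-9999"):
    """A ledger from an interest routine that truncates every credit and parks the
    discarded fractions of a cent in one extra account: the early salami scheme the
    slide describes, reproduced here only so the audit below has something to find."""
    ledger = {}
    residue = Decimal("0")
    for acct, bal in accounts.items():
        exact = bal * rate
        posted = exact.quantize(CENT, rounding=ROUND_DOWN)
        ledger[acct] = posted
        residue += exact - posted
    ledger[sink] = residue.quantize(CENT, rounding=ROUND_DOWN)
    return ledger


def audit_interest_run(ledger, accounts, rate, tolerance=Decimal("0")):
    """Return a list of findings (empty means the run reconciles).

    Two checks: every credited account must have a balance on file, and each credit
    must match the published rounding rule within `tolerance`. The ledger total is
    deliberately not used as a check: the sink account makes the totals balance."""
    expected = expected_postings(accounts, rate)
    findings = []
    for acct, credit in ledger.items():
        if acct not in accounts:
            findings.append(f"{acct}: credit {credit} to an account with no balance on file")
        elif abs(credit - expected[acct]) > tolerance:
            findings.append(f"{acct}: posted {credit}, expected {expected[acct]}")
    return findings


def ledger_total(ledger):
    """Sum of all credits in a ledger."""
    return sum(ledger.values(), Decimal("0"))


if __name__ == "__main__":
    skimmed = skimmed_postings(ACCOUNTS, MONTHLY_RATE)
    honest = expected_postings(ACCOUNTS, MONTHLY_RATE)
    print("totals:", ledger_total(skimmed), "skimmed vs", ledger_total(honest), "expected")
    for finding in audit_interest_run(skimmed, ACCOUNTS, MONTHLY_RATE):
        print("finding:", finding)
```

Running it shows why the slide says the amounts go unreported: on this sample the skimmed and honest ledgers total the same 625.11, and per account the difference is never more than one cent (with a one-cent tolerance only the sink account is flagged). The reliable control is therefore not the sum but the identity of every credited account: a credit to an account with no balance on file cannot be explained by the interest formula at all.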


1/17/09 CSC309 Miller 28

Terminology/Jargon

Spoofing is pretending to be someone else. Masquerading, mimicking, and impersonation are forms of spoofing. In an attack known as IP spoofing, attackers run a software tool that creates Internet messages that appear to come from a computer trusted by the victim.

Dumpster diving: look through the trash. (Surprisingly effective and still a major way folks get our data.)


1/18/02 CSC309 Miller 29

Terminology/Jargon

A tiger team is a government- or industry-sponsored team of computer experts who attempt to break down the defenses of computer systems in an effort to uncover, and eventually patch, security holes.

A sneaker is an individual hired to break into places in order to test their security; analogous to a tiger team.


1/11/05 CSC309 Miller 30

Terminology/Jargon

Phishing scams use e-mail to try to trick users into revealing sensitive information. The scammers provide links to phony Web pages that look like legitimate e-commerce sites, where they ask a user to enter his personal data. However, the scammer, not the e-commerce site, is getting that information.
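The defence against the link described above is to check where a link really goes rather than what its text says. The following is an added example, not code from the lecture notes: `example.com` as the legitimate site, the sample links and the `203.0.113.9` address are all constructed. It rejects the common disguises (a look-alike host that merely contains the real name, a user-info prefix that hides the real host, a plain-http link, and link text that names one host while the link goes to another) using only the standard library's URL parser.

```python
"""Check that a link in a message actually points where its text says it does.

Added example, not from the original lecture notes. The expected domain, the sample
links and the hostnames are constructed; a real mail client does the equivalent with a
public-suffix list and a reputation feed.
"""
from urllib.parse import urlsplit


def host_of(url):
    """Hostname part of a URL, lower-cased, without a trailing dot."""
    return (urlsplit(url.strip()).hostname or "").lower().rstrip(".")


def is_same_site(host, expected_domain):
    """True only for the domain itself or a label-wise subdomain of it, so that
    shop.example.com.verify-account.test is not mistaken for example.com."""
    host, expected_domain = host.lower(), expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def displayed_host(text):
    """Host named by the visible link text, or None when the text is just words."""
    text = text.strip()
    if "://" not in text:
        text = "https://" + text
    host = host_of(text)
    return host if "." in host and " " not in host else None


def check_link(display_text, href, expected_domain):
    """Return 'ok' or a short reason the link should not be trusted."""
    parts = urlsplit(href.strip())
    if parts.scheme.lower() != "https":
        return "not https"
    if parts.username is not None or parts.password is not None:
        # https://shop.example.com@203.0.113.9/ : the real host is after the '@'
        return "credentials in URL hide the real host"
    host = host_of(href)
    if not host:
        return "no host"
    if not is_same_site(host, expected_domain):
        return f"host {host} is not under {expected_domain}"
    shown = displayed_host(display_text)
    if shown is not None and shown != host:
        return f"link text names {shown} but link goes to {host}"
    return "ok"


# Constructed (display text, href) pairs for the run below.
SAMPLE_LINKS = [
    ("https://shop.example.com/account", "https://shop.example.com/account"),
    ("shop.example.com", "https://shop.example.com.verify-account.test/login"),
    ("shop.example.com", "https://shop.example.com@203.0.113.9/"),
    ("Confirm your account", "http://shop-example.com/confirm"),
    ("shop.example.com", "https://mail.example.com/"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(f"{check_link(text, href, 'example.com'):55s} {href}")
```

The suffix test in `is_same_site` is deliberately label-based: a substring test would accept `shop.example.com.verify-account.test`, which is exactly the look-alike the slide warns about.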


10/18/08 CSC309 Miller 31

Terminology/Jargon

Clickjacking is a term coined to describe a series of flaws that allow attackers to trick users into clicking on potentially malicious links.


1/21/09 CSC309 Miller 32

Terminology/Jargon

--Store Owner Draws 33-Month Sentence for Card Skimming (January 16, 2009)

A store owner has been sentenced to 33 months in prison for using a card skimmer in his shop to steal information from more than 300 customers. He then used the stolen information to make fraudulent transactions totaling approximately US $300,000. He was also ordered to pay more than US $214,000 in restitution. SANS NewsBites Vol. 11 Num. 5


2/3/09 CSC309 Miller 33

Terminology/Jargon

Swatting is a refinement of the false alarm ploy. Computers are used to place 911 calls reporting situations where calling out the SWAT team is appropriate. Typically a homeowner gets to deal with an armed SWAT team that assumes the homeowner is the bad guy. Money and resources are wasted, and this can be dangerous.


6/27/02 CSC309 Miller 34

Fraud

Fraud: intentional perversion of the truth in order to induce another to part with something of value or to surrender a legal right.

6/26/02 WorldCom disclosed last night that it had perpetrated a $3.9 billion accounting fraud. The chief financial officer apparently had inflated earnings by reporting expenses as capital expenditures. 17,000 to be fired. Stock dropped to 35 cents per share. Arthur Andersen was the auditor during the period in question.


6/27/02 CSC309 Miller 35

More Terms

Computer fraud: computer-related crime involving deliberate misrepresentation or alteration of data in order to obtain something of value.

Embezzlement is "fraudulent appropriation of property by a person to whom it has been entrusted."


1/19/09 CSC309 Miller 36

Hackers/Crackers

1. There was a time when “hacker” was a positive term designating a programmer who would take on difficult projects just for the challenge. A good example is the folks who gave us C and UNIX.

2. When “hacker” began to be used to describe folks who broke into computers, a new term, “cracker,” was introduced, primarily to protect the good name of true hackers.


3/22/09 CSC309 Miller 37

New Problem

--Jurors Admit to Accessing Internet to Research Cases (March 18, 2009)

The pervasiveness of connectivity through Blackberrys, iPhones and other devices is causing problems in court cases around the country. A judge in a federal drug trial in Florida was forced to declare a mistrial after nine of the jurors admitted they had been researching the case on the Internet.


3/3/01 CSC309 Miller 38

Passwords

1. A program was used to check for “breakable” passwords on a shared computer housed in the computer science department. 40% of the passwords were cracked.

2. Studies have found that even on highly secure systems there usually is at least one weak password.

3. Some security experts feel we would be more secure if we stopped using passwords.


6/26/02 CSC309 Miller 39

Make Passwords Hard to Break (and easy to remember)

A basic four-character password containing only numbers offers only 10,000 variations. If we use only lower-case letters, that increases to 456,976 variations. A four-character password that can contain numbers and both upper- and lower-case letters can provide 14,776,336 variations. If we add special characters to the mix, then we are looking at 84,934,656 possibilities. An eight-character password with one digit, one special character, and upper- and lower-case letters yields approximately 354,289,330,000,000 choices.
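The arithmetic behind those figures is plain keyspace counting, and it is worth having as code so the classes can be compared in bits and against a guess rate. The following is an added example, not from the lecture notes. The alphabet sizes are assumptions chosen to reproduce the slide's numbers: 10 digits, 26 lower-case letters, 62 letters and digits, and 96 printable characters for the four-character case (96^4 = 84,934,656). The eight-character figure comes out exactly when it is read as exactly one digit in any of the 8 positions, exactly one of 32 special characters in any of the remaining 7, and letters in the other six; that reading is my assumption, but it reproduces 354,289,325,178,880.

```python
"""Keyspace arithmetic behind the slide's password figures.

Added example, not part of the original lecture notes. Alphabet sizes are
assumptions chosen to reproduce the slide's numbers.
"""
import math

DIGITS = 10
LOWER = 26
LETTERS = 52                 # upper and lower case
ALNUM = LETTERS + DIGITS     # 62
PRINTABLE = 96               # letters, digits and 34 punctuation marks (assumption)
SPECIALS = 32                # punctuation set assumed for the eight-character figure


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters drawn from one alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace; lets classes of different length be compared directly."""
    return length * math.log2(alphabet_size)


def composed_keyspace(length: int = 8, specials: int = SPECIALS) -> int:
    """Passwords of `length` characters with exactly one digit, exactly one special
    character and letters everywhere else: choose the digit's position and value,
    then the special character's position and value, then fill the rest with letters.
    With length 8 and 32 specials this reproduces the slide's ~354,289,330,000,000."""
    positions_for_digit = length
    positions_for_special = length - 1
    return (positions_for_digit * DIGITS
            * positions_for_special * specials
            * LETTERS ** (length - 2))


def worst_case_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every password at a given guess rate. The rate is the defender's
    assumption about the attacker's hardware and the password hash in use."""
    return keyspace(alphabet_size, length) / guesses_per_second


if __name__ == "__main__":
    for name, size in [("digits", DIGITS), ("lower-case", LOWER),
                       ("letters+digits", ALNUM), ("printable", PRINTABLE)]:
        print(f"4 chars, {name:15s}: {keyspace(size, 4):>12,d}  ({entropy_bits(size, 4):4.1f} bits)")
    print(f"8 chars, one digit + one special + letters: {composed_keyspace():,d}")
    # Length, not alphabet, is what moves the keyspace: compare 96^4 above with 62^8 here,
    # both evaluated against an assumed rate of one billion guesses per second.
    print(f"96^4 at 1e9 guesses/s: {worst_case_seconds(PRINTABLE, 4, 1e9):.3f} s")
    print(f"62^8 at 1e9 guesses/s: {worst_case_seconds(ALNUM, 8, 1e9):,.0f} s")
```

One point the slide's composition rule makes visible: requiring exactly one digit and one special character gives 3.5 x 10^14, while eight characters drawn freely from all 96 printable characters would give 96^8, about 7.2 x 10^15; rigid composition rules shrink the space an attacker has to search.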


10/12/01 CSC309 Miller 40

Electronic Crime 2000

Given the popularity of auction sites such as eBay, which attracts 16 million users per month, it’s not surprising that 87 percent of online fraud cases in 2000 were estimated to be related to such auctions.

Most victims were in the 20 to 40 age range.

Average loss was approximately $600.

Internet traffic projected to increase by a factor of 1000 every three years. (2000+)


10/21/01 CSC309 Miller 41

Identity Theft

1. In 2000 there were 700,000 Americans who had their identities stolen, and the early estimate for 2001 is 750,000.

2. In 2001 identity theft was called this nation's fastest-growing crime.

3. Losses were in the billions with much related to credit card abuse.

4. 1999 is the year that the IRS stopped putting Social Security numbers on mailing labels.


10/21/01 CSC309 Miller 42

Identity Theft

5. More than 20% of victims take more than two years to learn they have a problem.

6. The average discovery time is 15 months.

7. This is a white collar crime that is low priority with most law enforcement agencies.

8. Remember it is not just your credit rating that is at risk when your identity is stolen. Thieves have used identity theft to avoid traffic tickets, arrests, and to hide terrorist activities.


9/4/03 CSC309 Miller 43

Identity Theft

The Federal Trade Commission, in a survey conducted in March and April of 2003, estimated that over the past five years there have been 27.3 million victims of identity theft, with 9.9 million American victims in 2002. 2002 losses were 5 million for individuals and 48 million for businesses.

http://www.ftc.gov  

 


1/17/09 CSC309 Miller 44

Identity Theft

The Federal Trade Commission has reported that 1 in 6 Americans will be a victim of identity theft in 2009. In 2008, 9.93 million people had some type of identity theft crime committed against them. “Victims spend on average $1,200 in out-of-pocket expenses and an average of 175 hours in your efforts to resolve the many problems caused by identity thieves.” http://www.ftc.gov

  


1/17/09 CSC309 Miller 45

Identity Theft

1. Don’t carry your Social Security number.

2. Shred receipts, etc. (every household needs a Shredder)

3. Check your credit report yearly. TransUnion, Experian, and Equifax are the three you should check: annualcreditreport.com

4. Call on bills that don’t arrive on time.

5. Provide no personal information over the phone.


9/17/03 CSC309 Miller 46

Identity Theft

--17 December 2002 Another Phony eBay Site Tries to Gather Personal Data

For the third time in recent weeks, eBay customers have been targeted by a fraudulent site asking them to verify their account information; the operators of the sites harvest eBay usernames and passwords as well as credit card, banking, drivers’ license and social security numbers. An eBay spokesman says the company never asks members for their passwords. http://www.vnunet.com/News/1137643


9/22/03 CSC309 Miller 47

Identity Theft

--16 September 2003 (Computerworld) Banks in UK, Canada hit with e-mail scam. Story by Linda Rosencrance

Fraudsters sent an e-mail message purporting to be from the bank with a link to what appeared to be the bank's Web site. It was, in fact, a spoof site where customers were prompted to enter personal information such as passwords and personal identification numbers, which could be used to withdraw cash or transfer funds to other accounts. 400 customers reported being contacted.


9/22/03 CSC309 Miller 48

Identity Theft

In Canada, e-mails told consumers to click on a URL that would take them to the banks' Web site -- where they could enter to win $500. The link actually took viewers to a cloned Web site, where they were asked to enter bank account numbers and passwords. The e-mails also contained a Trojan horse, which was activated when consumers clicked on the link. It enabled the hackers to take control of users' computers and steal information. After the spoofed site was shut down, the hackers sent out another e-mail to customers saying the hackers had been caught but in the process their personal information might have been deleted, …


8/28/01 CSC309 Miller 49

Russian Crackers 7/16/01

Russian crackers are increasingly working with organized crime groups, stealing credit card and bank account numbers as well as proprietary information. They sometimes attempt extortion, either demanding money in return for repairing vulnerable systems or threatening to release sensitive data if their demands are not met.

http://www.zdnet.com/intweek/stories/news/0,4164,2784950,00.html  


3/3/01 CSC309 Miller 50

ATM Fraud

1. A bogus ATM was used to capture account numbers and PINs in 1993 at a mall in Connecticut.

2. Counterfeit cards made with a stolen card encoder and 7700 names and PINs taken from a bank database.


3/3/01 CSC309 Miller 51

ATM Fraud (Cont.)

3. ATMs do take your picture, so one fellow had over 20 withdrawals done in costume one morning.

4. Software bug allowed unlimited withdrawals.

5. Estimated at $60 million per year.


3/3/01 CSC309 Miller 52

Telecommunications Fraud

1. Gained first national attention due to the activities of Captain Crunch in the 1970s.

2. For years airport travelers have been aware of the need to protect their long distance authorization sequence from recording devices held by people who were close by.


3/3/01 CSC309 Miller 53

Telecommunications Fraud

3. Estimated at between $1 billion and $5 billion annually.

4. Cellular phone cloning is a $400 million annual problem.


3/3/01 CSC309 Miller 54

Card Abuse Prevention

1. Profiling can be used to identify abuse.

2. Establish limits.

3. Customer awareness (don't throw the sales slip away, and be aware of who is in the area).

4. Make cards harder to duplicate (use the concept of a magnetic fingerprint or holograms).


3/3/01 CSC309 Miller 55

Swindling the Customer

1. The overbilling scam is probably the computer crime that you have been caught by.

2. Grocery store automatic barcode scanner systems almost always have some prices that do not agree with posted shelf prices.

3. Hospitals remain the most obvious place for being a victim.


3/3/01 CSC309 Miller 56

Swindling the Customer

4. Ever notice that computer billing errors (and bank errors) are almost never in your favor?

5. Both Hertz and Sears have been caught for overbilling.


10/21/02 CSC309 Miller 57

Forgotten Details

1. The Xerox worm of 1982 demonstrated the ability of a program to propagate through a network. While it was designed with the best of intentions, it resulted in denial of service (it clogged machines).

2. In 1984 "core wars" appeared. This was a program that let two computers do battle with each other.


1/16/09 CSC309 Miller 58

Forgotten Details

3. On 11/3/1983, UCLA professor Dr. Fred Cohen conceived the first computer virus as an experiment to be presented at a weekly seminar on computer security. One week later he presented it. In 2000, the estimated year’s loss to viruses was $10.7 billion. In 2007, losses to spam viruses were estimated at $7 billion, with 850,000 Americans forced to replace their computers. When Cohen presented his results at the 2nd IFIP International Conference on Computer Security, held in Toronto in 1984, lots of people thought he shouldn't have.


1/16/09 CSC309 Miller 59

Downadup Worm

6.5 million infections in 4 days (1/13/09 to 1/16/09)


1/16/09 CSC309 Miller 60

Downadup Worm

The Downadup worm exploits a flaw in the Windows Server service used by all supported versions of Windows. The flaw was addressed in an out-of-cycle patch released in October 2008. The large number of infections is due in part to the fact that 30 percent of Windows systems have remained unpatched.


2/11/09 CSC309 Miller 61

Downadup Worm

Once implanted, the worm searches out nearby servers and executes a brute force password breaking program to get access. It also spreads itself to any shared hard drives. What’s more, it makes a copy of itself on any device plugged into a USB port, such as any thumb drives, music players, or digital cameras. When that infected device is later plugged into another PC, it infects that machine.


2/11/09 CSC309 Miller 62

Downadup Worm

Infected PCs become bots and Downadup continues spreading. So far, nothing beyond that. But, at least once a day, each infected machine tries to connect sequentially with a list of 250 domains for further instructions. Each day this list of 250 domains - each one a potential command and control server - changes.
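The daily rendezvous pattern just described leaves a trace on the network side: a bot walking through 250 candidate domains, most of which nobody registered, produces a burst of failed lookups from one host. The following is an added example (mine, not from the lecture) of flagging that pattern in DNS resolver logs; the log format, the threshold and all sample lines are constructed for illustration.

```python
"""Added example (not from the lecture slides): flag hosts whose DNS lookups
look like the daily rendezvous-domain probing described above, i.e. a host
resolving an unusually large number of distinct names that do not exist
(NXDOMAIN). The log format and every sample line are constructed."""
from collections import defaultdict

# Constructed resolver log: "<date> <time> <client_ip> <qname> <rcode>"
SAMPLE_DNS_LOG = """\
2009-02-11 03:00:01 10.0.5.17 kqyrzbd.org NXDOMAIN
2009-02-11 03:00:02 10.0.5.17 ztmwqpa.net NXDOMAIN
2009-02-11 03:00:02 10.0.5.17 hhxnqmr.com NXDOMAIN
2009-02-11 03:00:03 10.0.5.17 vbrkwyl.biz NXDOMAIN
2009-02-11 03:00:03 10.0.5.17 kqyrzbd.org NXDOMAIN
2009-02-11 03:00:04 10.0.5.17 example.com NOERROR
2009-02-11 09:12:40 10.0.5.22 www.sans.org NOERROR
2009-02-11 09:13:05 10.0.5.22 wwww.sans.org NXDOMAIN
"""


def parse_dns_log(text):
    """Yield (date, client_ip, qname, rcode) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        date, _time, client, qname, rcode = parts
        yield date, client, qname.lower(), rcode


def nxdomain_hosts(text, threshold):
    """Return {(date, client_ip): distinct_nxdomain_count} for hosts that failed
    to resolve at least `threshold` distinct names on one day. Repeated lookups
    of the same bad name count once, so an ordinary typo does not add up; a
    long run of distinct non-existent names in one day is the bot pattern."""
    failed = defaultdict(set)
    for date, client, qname, rcode in parse_dns_log(text):
        if rcode == "NXDOMAIN":
            failed[(date, client)].add(qname)
    return {key: len(names) for key, names in failed.items() if len(names) >= threshold}


if __name__ == "__main__":
    # The threshold is a site-tuning knob; the toy log only needs 3.
    for (date, client), count in sorted(nxdomain_hosts(SAMPLE_DNS_LOG, 3).items()):
        print(f"{date} {client}: {count} distinct NXDOMAIN names")
```

On a real resolver log the threshold should be set well above the normal per-host daily NXDOMAIN rate, and a host that trips it at roughly the same time each day is the one to pull off the network first.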

2/11/09 CSC309 Miller 63

Downadup Worm

Three weeks after they became infected, IT staff at five hospitals in Sheffield, UK were still cleaning the worm from more than 800 of the hospitals' 7,000 PCs. Managers had turned off the automatic Windows update late last year apparently to prevent the repetition of an incident whereby PCs in an operating theatre rebooted during surgery.

2/13/09 CSC309 Miller 64

Downadup Worm

2/6/09 Houston Police have stopped arresting people with outstanding traffic warrants, as Downadup (also known as Conficker) continues to infect Houston government agencies. $25,000 paid to contractor to clean up mess. The virus appears to be contained to the Municipal Court and Parking Management systems and has blocked access to most data on computer hard drives.

3/22/09 CSC309 Miller 65

Downadup Worm

The French Navy's Rafale aircraft were "nailed to the ground" because they were unable to "download their flight plans". Naval officials said the "infection" was probably due more to negligence than a deliberate attempt to compromise French national security. They said they suspected someone at the navy had used an infected USB key.

2/13/09 CSC309 Miller 66

Downadup Worm

In the first days of January 2009 the British Defense Ministry was attacked by a hybrid of Downadup/Conficker that had substantially and seriously infected the computer systems of more than 24 RAF bases and 75 per cent of the Royal Navy fleet including the aircraft carrier Ark Royal.

2/13/09 CSC309 Miller 67

Downadup Worm

(April 28 & 29, 2009) The Conficker worm is now installing malware called Waledac on infected machines that turns the machines into spam servers that send out spam at a rate of about 10,000-20,000 messages per machine each day. As many as 12 million machines are believed to be infected with Conficker.

http://www.zdnetasia.com/news/security/0,39044215,62053678,00.htm
http://www.msnbc.msn.com/id/30453812/

[Editor's Note (Skoudis): Just last week at RSA, I mentioned that the most likely outcome of Conficker is that it would be used for fairly mainstream and pedestrian purposes such as spam. Kind of anti-climactic given all the hype.
(Ullrich): The "12 million" machine number appears to be outdated. Thanks to all the media coverage, Conficker was removed from most of these systems and there are probably only 1-2 million infected systems left at this point.
(Honan): This is where having proper egress rules on your firewall restricting email traffic from only the IP addresses of your email servers helps you to not become part of the spam problem. If you are actively monitoring your firewall logs it will also detect infected machines on your network.]
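Honan's note above names the control: only the site's mail servers may send outbound SMTP, and the firewall log of everyone else trying is itself a bot detector. Here is an added example (mine, not from the slides or the SANS editors) applying that check to firewall logs; the 10.0.0.0/8 site network, the 10.0.1.25 mail server and the log format are assumptions, and every sample line is constructed.

```python
"""Added example (not from the slides or the SANS editors): the egress check
from Honan's note, run over firewall logs. Only the authorised mail servers
may open outbound TCP/25; any other internal host doing so is a candidate
spam bot. The site network, the MTA address and the log format are assumed."""
from collections import Counter
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # assumed site network
MAIL_SERVERS = {ipaddress.ip_address("10.0.1.25")}     # assumed authorised MTA

# Constructed firewall log: "<time> <action> <src_ip> <dst_ip> <proto> <dport>"
SAMPLE_FW_LOG = """\
12:00:01 ACCEPT 10.0.1.25 203.0.113.10 TCP 25
12:00:03 DROP 10.0.5.17 198.51.100.7 TCP 25
12:00:03 DROP 10.0.5.17 198.51.100.8 TCP 25
12:00:04 DROP 10.0.5.17 198.51.100.9 TCP 25
12:00:05 ACCEPT 10.0.5.17 203.0.113.50 TCP 80
12:00:06 ACCEPT 10.0.5.22 203.0.113.10 TCP 25
12:00:07 DROP 10.0.5.22 10.0.2.2 TCP 25
"""


def parse_fw_log(text):
    """Yield (action, src, dst, proto, dport) per well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _t, action, src, dst, proto, dport = parts
        yield action, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)


def smtp_egress_violations(text):
    """Return Counter {src_ip: attempts} of internal, non-MTA hosts that tried to
    reach TCP/25 outside the site. A DROP means the egress rule did its job and
    the log still points at the infected host; an ACCEPT (10.0.5.22 below) means
    the rule is missing and the host is already relaying spam."""
    hits = Counter()
    for action, src, dst, proto, dport in parse_fw_log(text):
        if proto != "TCP" or dport != 25:
            continue
        if src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue                      # inbound traffic or internal relay hop
        if src in MAIL_SERVERS:
            continue                      # authorised outbound mail
        hits[str(src)] += 1
    return hits


if __name__ == "__main__":
    for host, attempts in smtp_egress_violations(SAMPLE_FW_LOG).most_common():
        print(f"{host}: {attempts} outbound SMTP attempt(s) from a non-mail host")
```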

3/22/09 CSC309 Miller 68

--Pirated Copies of iWork 09 Contain Trojan

Illegal copies of Apple's iWork 09 have been appearing on file-sharing websites. The pirated software is believed to contain a Trojan horse program known as iServices.A. The Trojan has root access to infected computers. Once in place, it connects to a remote server and downloads additional software that makes the infected computer part of a botnet. The Trojan has already been inadvertently downloaded by an estimated 20,000 users. (January 22, 2009)

6/27/02 CSC309 Miller 69

Some Old Questions

1. Your typical (if there is such a thing) person who poses the major threat to a company's computer systems is?

2. What is the over-billing scam and why is it so hard to stop?

3. When we talk about anonymity being a factor in many computer crimes, what point are we trying to make?

4. Captain Crunch designed, built, and used blue boxes to?