Cyber-Crime and the Uphill Battle Faced by the Business World

Jeremy R. Poch

Computer Science and Software Engineering Department

University of Wisconsin Platteville

Abstract

As the Internet has become a necessary tool at home and in business, it has also become a tool and target for crime. The anonymity of the Internet allows all sorts of illegal activity to take place without many repercussions. Until recently, law enforcement has seen cyber-crime as insignificant and not worth their time. Because companies rely on the Internet and their networks, the losses sustained are often large and potentially catastrophic. This paper introduces the different types of cyber-crime and describes why the fight against cyber-crime has been so difficult for both companies and law enforcement.

Introduction

Technology has always provided new ways of solving old problems as well as distributing information. The Internet has made all types of information readily available. This wealth of information has opened up a whole new world of problems, which concern the security of computer networks. As the general public has become more technologically advanced, so too has the criminal. The reliance on the Internet for information has also allowed criminals to find ways of obtaining the most private of data. The Internet is also proving to be a tough place to police. This inability to find and prosecute criminals has become a costly problem to society, and more specifically to the business world. Internet crime is a big problem but by no means the only problem. There are many other criminal acts being committed with the aid of computers and networks. It is important for current and future members of the business world to understand these crimes, the motivations for such crimes, and what can be done to find and stop such criminals.

Defining Cyber-Crime

There are many different definitions of cyber-crime depending upon whose text is read. This fact has confused lawmakers and law enforcement officials alike. The most accepted definition comes from the book Digital Evidence and Computer Crime. This book defines cyber-crime as: “any crime that involves computers and networks, including crimes that do not rely heavily on computers.” [1] This definition appears in several online encyclopedias and is widely accepted. It allows any criminal activity involving a computer to be defined as a cyber-crime. To illustrate the breadth of the cyber-crime spectrum, let’s look at the two extremes. At one extreme, a cyber-crime could be as basic as sending someone an offensive email. This email would be seen by the recipient as harassment and thus is a cyber-crime since a computer was used. The computer wasn’t needed to carry out the crime, but was used anyway. At the other extreme would be a complex crime in which a hacker breaks into a company’s database to steal or destroy customer information. There is a great deal of ground between these two crimes, and that ground represents the entire spectrum of cyber-crime. Now that the entire scope can be seen, it is time to explain the many different types of cyber-crime.

Classifying Cyber-Crime

Cyber-crime can happen essentially on two levels: the crime can be committed against a person or against a company and property. For the purposes of this document, the crimes against companies and property will be given more attention. According to the book Computer Forensics and Cyber Crime by Marjie Britz, there are four classes by which cyber-crimes can be grouped. These classes are: phreaking, Internet scams, neo-traditional crimes, and other web-related crime.

The first classification is phreaking, which is a precursor to hacking. The goal of phreaking is to break into a “secure” system and then brag about it. Most of the time such intruders cause little to no damage and seem very innocent. In those cases where damage did occur, the intruders believed that they were providing a valuable service. They felt they were helping the Internet community by pointing out flaws in security so they could be fixed at a later date. [1] The term phreaking is not a new one to the world of technology. Phreaking was originally the term used for people breaking into telephone systems to get free long distance calls. Among the tools for doing so was a whistle found in a box of Cap’n Crunch cereal. This whistle created the proper tone to cause the operator to hang up, allowing free calls to be made from the other end of the line. Other phone crimes involved hacking into the phone switches in order to make pay phones operate like regular phones. A crime that was detrimental to law enforcement was also executed via phone switches. The switches record whether or not there is a wiretap on someone’s phone. Some phreakers compromised the system and then called people whose lines were tapped to inform them of the lack of privacy on their line. [2]

The second classification is Internet scams. Included in these scams are phishing, web cramming and ISP jacking. Phishing is an Internet scam where an individual receives an email that appears to be from a legitimate source. This source could be a financial institution, a credit card company, or an online auction site such as eBay. In fact, eBay and its escrow services are the organizations that scammers are most likely to impersonate. The email usually expresses some concern about the security of the impersonated site and asks the recipient to click a link, where they will be asked to enter their username and password. The link does not lead to the valid site that the email claims to represent. The site is simply a place for a criminal to obtain usernames and passwords. Web cramming is a crime in which “criminals develop new web pages for small business and non-profit groups for little or no expense. While advertising their services as free, these criminals actually engage in unauthorized phone charges on their victims account.” [1] Lastly, there is ISP jacking, which “involves disconnecting individual users from their selected Internet Service Provider and redirecting them to illegitimate servers.” [1] This form of crime requires the user to have downloaded some software that actually contains a hidden program. This program disconnects them from their ISP and reconnects them to a new server somewhere halfway around the world. This all occurs without the victim’s knowledge and leads to some very hefty long distance phone charges.

The third classification is that of neo-traditional crimes. This is a type of crime where a computer is not needed to perform the criminal activity, but the use of a computer has opened up new avenues for performing such crimes. Any form of fraud attempted with the use of a computer is a neo-traditional crime. This is still fraud, but since a computer is used it is further defined as computer fraud. Another similar crime is IP spoofing. This is the act of altering packet headers to conceal the identity of a criminal by changing the IP address. Perhaps the most famous neo-traditional crime is the salami technique, thanks to the movie Office Space. The salami technique is the redirection of the rounded-off portions of dollars from one account into another account where they will accumulate over time. It is known as the salami technique since only small slices, the equivalent of hundredths of a cent, are moved per transaction. [1]

The last classification encompasses the wide array of crimes not covered in the previous three categories. This is the category where hacking is generally placed. While it is true that hacking generally leads to other cyber-crimes, it is simply too broad to be covered solely by any of the other classifications. Hacking is “the process by which individuals gain unauthorized access to computer systems for the purpose of stealing and corrupting data.” [5] In terms of stealing data, criminals may choose to perform the crime of identity theft. This is becoming the fastest growing type of cyber-crime since most sites that sell things online don’t do any background checks to ensure the purchaser is who they claim to be. Hackers also steal data in order to hurt either a former employer or a large organization that they despise. Corrupting data is also a favorite pastime of hackers and can be accomplished via several tools. These tools include worms, viruses, distributed denial of service (DDoS) attacks and Trojan horses. These tools have evolved with the ever-changing technology and enable hackers of all skill levels to wreak havoc on computer systems. This class of crime also has newfound potential since the September 11th, 2001 terrorist attacks. Cyber-terrorism is yet another avenue for hackers to cause damage, for political instead of personal reasons. Cyber-terrorism is defined as “a deliberate, politically or religiously motivated attack against data compilations, computer programs, and/or information systems which is intended to disrupt and/or deny service or acquire information which disrupts the social, physical or political infrastructure of the target.” [5]

Assessing the Damages of Cyber Crime

Criminals have educated themselves in the world of technology in recent years in hopes of cashing in on a big payday. The payday is more realistic now than ever since information private to companies has become available on the Internet. In 2004, cyber criminals were responsible for more than ten billion dollars of damages to corporations. This number varies depending upon the source, with some websites claiming the number to be near one hundred billion dollars. This discrepancy is caused by the fact that very few companies actually report these crimes.

Why are companies reluctant to report that their systems were compromised? First of all, Internet commerce is built upon the notion that all information on the web can only be seen by the eyes that are meant to see it. For example, only John Smith can see the website for his bank. As nice as it sounds, this is entirely unlikely since hackers find ways into the server or database and not into an individual’s computer. If a company reports that vital information was stolen or damaged by hackers, it will cause several problems. The first problem is that it may cause customers, especially those whose information was used to commit a fraudulent crime, to stop doing business with the company. The next problem is that the company’s stock price would drop due to the error, making losses twofold. Many companies feel the repercussions of covering up such a security breach will ultimately be cheaper than admitting the mistake. Admission of a mistake will more than likely cause panic, whereas a cover-up follows the old notion that what they don’t know can’t hurt them. [3]

In a 2002 survey conducted by the FBI, it was reported that ninety percent of organizations responding had detected breaches in security within the past year. The survey also reported that eighty percent of organizations had lost money due to the security breaches. Lastly, only thirty-four percent of companies reported these attacks to law enforcement officials. As this survey shows, the reason cyber-crime is so prevalent is that companies are unwilling to admit their security is not as good as it should be. [5]

Understanding Hackers

Conventional wisdom tells IT professionals and law enforcement that in order to stop a cyber criminal one must first understand their motives and actions. Steven Branigan writes in his book, High-Tech Crimes Revealed, that there are seven steps to hacking. [2]

The first step is choosing a target to attack. Criminals will choose a target based upon what they want. If the criminal is interested in money, they will choose something like a credit card database. If the criminal is looking to impress others, they will instead choose to hack something along the lines of a high profile web server. The second step is to find the computers that are accessible via the Internet. There are many free pieces of software designed to do just that, so even inexperienced hackers can gain access to these computers. The third step is to discover vulnerable computer systems that contain the data being sought. This is similar to how a burglar will check the place they intend to rob for unlocked doors before breaking a window. Step four is to break into the computer system; there are many hacking tools for this. The fifth step is to elevate access privileges to the maximum allowed. This is known as “rooting a box” and allows the hacker to find anything that is on that computer. In real-world terms, it is like forging someone’s employee pass to gain total access to a building. The sixth step is to monitor what other computer users are doing. This step serves two purposes. The first purpose is to find more vulnerable systems by watching where other people go. The second purpose is to see if anyone is aware of the security breach. The final step is to install backdoors, allowing the hacker to re-enter the computer at any point in the future even if the security weakness has been repaired. Steps six and seven are unique to high tech crimes. These steps make high tech crimes more difficult to detect and defend against. [2]

Now that the process of hacking itself is understood, the reasons people would cause destruction must be investigated. There are two types of hackers: the internal hacker and the external hacker. The internal hacker is someone who is currently or was previously employed by the company and has easy access to the computer system. The external hacker is more commonly called the professional hacker. Both types hack for some of the same reasons. The four reasons hackers hack are: revenge, profit, glory, and to aid in showing security flaws. Revenge is a motivator only to the internal hacker, who could be angry about getting laid off or being passed over for a promotion. Both internal and external hackers can be enticed by profit. Hacking into a system and using information to commit other crimes can be very profitable. Glory and aiding in showing security flaws are unique to the external hacker. Some hackers break into systems simply for bragging rights, but this is very rare. Also rare are hackers who hack in order to help find security flaws. These hackers are becoming more abundant, though, because companies want to use hackers to test system security. The belief is that there is nobody more qualified to test system security than someone who has been arrested for breaking into computer systems. Like most other criminal acts, the almighty dollar seems to be the driving force in the majority of cases. [2]

How Companies Protect and Fight Back

The war against cyber-crime will be a long and painful one. There are several things, though, that can be done to protect computer systems and detect unauthorized users. The first line of defense for any company’s information is a firewall. A firewall is a filter that will block certain traffic while allowing other traffic through. This can be looked at as the border patrol. Only those people with citizenship or access are allowed in, while everyone else is turned away. A firewall also keeps log files to record who has tried to gain access from the outside. The drawback to a firewall is that as a company’s network grows, the firewall becomes more difficult to configure. It is also important to remember that a firewall is there to protect against attacks by people on the outside, not to keep information behind the firewall from leaving. Believing otherwise creates a false sense of security. Once the company has a firewall installed, it must test the firewall to make sure that its sensitive data is safe.

Another way to make sure the firewall is secure and a company’s computer system is safe is to use sneakers. Sneakers are hackers who are hired to test the security of a company’s network by trying to violate the system. [2] As mentioned above, the reasoning is that there is no one better at checking for security flaws than someone whose profession is breaking into computer systems.

Honey pots are a new method that some organizations have tried to use to detect and monitor security breaches. A honey pot is essentially a bogus server that someone sets up and fills with useless information. This server is then kept under constant surveillance to watch who accesses it. Any person accessing this server is unauthorized since there is no connection between this server and anything useful. The log files on the firewall of the honey pot will be useful in identifying hackers. There are no laws at the moment about the legality of honey pots. The idea of a honey pot brings up some serious ethical questions. One such question is whether a hacker’s curiosity is prosecutable. The hacker hasn’t committed a crime by looking at the honey pot, but they are hacking and are probably doing damage to a system somewhere. Another question is whether a company employing a honey pot should be required to share the log files of hacker IP addresses with other companies and law enforcement. As mentioned before, looking isn’t a crime, but these people are potentially dangerous. Due to the lack of laws and the ethical dilemma, honey pots are rare. [6]
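Because every connection to a honey pot is unauthorized by definition, its firewall log can be turned into a watch list with very little logic. The following Python sketch is an added example, not part of the original paper: it lists each source that touched the decoy and then checks which real hosts those same sources also contacted. The log layout, the decoy address 10.0.9.50 and all log lines are constructed assumptions.

```python
import re
from collections import defaultdict

HONEYPOT_IP = "10.0.9.50"  # assumed address of the decoy server

# Constructed firewall log lines; the key=value layout is an assumption.
SAMPLE_LOG = """\
2005-03-01T02:14:07 ACCEPT SRC=198.51.100.23 DST=10.0.9.50 PROTO=TCP DPT=22
2005-03-01T02:14:09 ACCEPT SRC=198.51.100.23 DST=10.0.9.50 PROTO=TCP DPT=23
2005-03-01T02:20:41 ACCEPT SRC=203.0.113.8 DST=10.0.1.10 PROTO=TCP DPT=443
2005-03-01T02:31:55 ACCEPT SRC=198.51.100.23 DST=10.0.1.10 PROTO=TCP DPT=22
2005-03-01T03:02:12 DROP SRC=192.0.2.77 DST=10.0.9.50 PROTO=TCP DPT=1433
this line is malformed and is skipped
"""
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        match = LINE.match(line.strip())
        if match:
            yield match.groupdict()

def honeypot_report(log_text, honeypot_ip=HONEYPOT_IP):
    """Map each source that touched the decoy to what it did there and elsewhere."""
    events = list(parse(log_text))
    report = defaultdict(lambda: {"hits": 0, "ports": set(),
                                  "first_seen": None, "other_targets": set()})
    for e in events:  # pass 1: any contact with the decoy is unauthorized
        if e["dst"] == honeypot_ip:
            entry = report[e["src"]]
            entry["hits"] += 1
            entry["ports"].add(int(e["dpt"]))
            # ISO timestamps sort correctly as strings
            entry["first_seen"] = min(filter(None, [entry["first_seen"], e["ts"]]))
    for e in events:  # pass 2: which real hosts did those same sources contact?
        if e["src"] in report and e["dst"] != honeypot_ip:
            report[e["src"]]["other_targets"].add(e["dst"])
    return dict(report)

if __name__ == "__main__":
    for src, info in sorted(honeypot_report(SAMPLE_LOG).items()):
        print(src, info)
```

The second pass is what makes the decoy useful beyond itself: 198.51.100.23 probed the honey pot and later reached the production host 10.0.1.10, so that connection deserves review.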