Week-7 (20231016161125)

Computer and Internet Crimes
LIVING IN THE IT ERA - WEEK 7

Instructor: Ms. Sairine C. Pregonero


Security
Types and Effects of Computer Crimes
Governments, businesses, and people around the world have been
affected immeasurably by the unprecedented advance of computer
technology. The enormous and still growing capacity for electronic
storage, transmission, and rapid manipulation of binary data changed
the modern landscape virtually overnight. Such a fundamental
restructuring of society also brought disadvantages at every level:
our vulnerability has grown along with the perceived value of, and our
reliance on, this technology. The same opportunities that let the
industrious be more productive also give the less upright new avenues
for malevolence.
What is “Computer Crime”?
The term "computer crime" could reasonably include a wide
variety of criminal offenses, activities, or issues.
It can be separated into two categories:
(1) crimes facilitated by a computer; and
(2) crimes where the computer is the target.
The different computer security issues and their effects
We usually keep files containing a month's worth of work or
confidential information in our computers. Protecting these data
should be given careful attention. Almost every day, computer
systems are being broken into, or computer viruses turn up on
someone's computer. They are constant threats, making security
even more critical.
There are basically three overlapping types of risks:
1. Bugs or misconfiguration problems that allow unauthorized remote users to:
•  Steal confidential documents
•  Execute commands on the host machine, allowing them to modify the system
•  Gain information about the host machine, allowing them to break into the system
•  Launch denial-of-service attacks, rendering the machine temporarily unusable
2. Browser-side risks, including:
•  Active content that crashes the browser, damages the user's system, breaches the user's
privacy, or merely creates an annoyance
•  The misuse of personal information knowingly or unknowingly provided by the end-user
3. Interception of network data sent from browser to server or vice versa via network
eavesdropping
The aspects of computer security
Physical Security – The first and perhaps the easiest rule of computer
security. Everyone knows that you lock your doors to keep your TV,
refrigerator, and other appliances safe at home. The same idea applies
to your computer: make sure it is attended, watched, or locked behind a
door. An attacker with physical access can bypass most software
controls, for example by booting from removable media or removing the
disk, so physical protection underpins every other aspect below.
Viruses – Once you have started using your computer, viruses can start
working on it too. A computer virus is an unwanted program that usually
arrives as an email attachment or on infected media and attaches itself
to other programs or documents so that it runs whenever they do.
Malicious Logic – This usually affects your computer system while you are on the
net. Web pages we visit while surfing frequently carry active content (scripts and
other embedded commands) that runs in the browser without asking. This type of
computer security problem is usually deliberately created. Symptoms may include
slow response time, system crashes, or uncooperative programs.
Hacking – Hackers find ways to exploit holes in the operating systems of local and
remote systems, and develop methods to exploit security holes in various computer
systems.
Internal Misuse – Occasionally, other people use your computer and files may be
intentionally or unintentionally deleted. When a file is permanently deleted from the
system, you may have to redo the work. System crashes can also occur when files
needed by a program are deleted or altered.
Spoofing – Impersonation, in one of two forms. In login spoofing, the intruder sets up
a program that imitates the sign-on routine of a system and captures the credentials
that users type into it. In network spoofing, the intruder forges the source address or
identity of a packet or host so that traffic appears to come from a trusted party and is
accepted by systems that rely on that identity.
Two categories of electronic crime types.
There are many different ways to attack computers and networks to take
advantage of what has made shopping, banking, investment, and leisure
pursuits a simple matter of "dragging and clicking" for many people.
The different types of electronic crime fall into two main categories:
- crimes in which the computer is the target of the attack,
- and incidents in which the computer is a means of perpetrating a
criminal act.
The following is a list of some of the noted computer crimes
committed over the past years:
• The Morris Worm (November, 1988) – Robert Morris released what has become known
as the Internet Worm. This was the first large-scale attack on the Internet; the worm
infected roughly 10 percent of the machines then connected to the Internet and caused
an estimated $100 million in damages.
• Citibank and Vladimir Levin (June-October, 1994) – Levin reportedly accomplished the
break-ins by dialing into Citibank's cash management system, which allowed clients to
initiate their own fund transfers to other banks.
• Kevin Mitnick (February, 1995) – Mitnick admitted to having gained unauthorized
access to a number of computer systems belonging to companies such as Motorola,
Novell, Fujitsu, and Sun Microsystems. He also admitted to having used stolen accounts
at the University of Southern California to store proprietary software he had taken from
various companies.
• Omega Engineering and Timothy Lloyd (July, 1996) – A logic bomb planted by Lloyd,
a former Omega employee, ran on July 31 and deleted all of the company's design and
production programs, severely damaging the small firm and forcing the layoff of 80
employees.
• Jester and the Worcester Airport (March, 1997) – Telephone service to the FAA
control tower and to the emergency services at the Worcester Airport, as well as to the
community of Rutland, Massachusetts, was cut off for six hours. The disruption resulted
from a series of commands sent to a telephone company switch by a teenage hacker
who went by the name "jester".
• Solar Sunrise (February, 1998) – A series of computer intrusions occurred at a
number of military installations in the U.S. Over 500 domain name servers were
compromised during the course of the attacks. Tracing the actual origin of the attacks
was made harder by the attackers' practice of making a number of "hops" between
different systems, averaging eight systems before arriving at the target.
• The Melissa Virus (March, 1999) – Melissa is the best-known of the early macro
viruses, which attach themselves to documents of programs that provide a macro
programming language (Microsoft Word, in Melissa's case) and spread when the document
is opened. The virus, written and released by David Smith, mailed itself to entries in
the victim's address book and infected about a million computers.
• The Love Letter Worm (May, 2000) – Also known as the "ILOVEYOU" virus and the
"Love Bug," it was written and released by a Philippine student named Onel de Guzman.
The worm spread via email with the subject line "ILOVEYOU" and a Visual Basic Script
attachment. When the receiver ran the attachment, it mailed itself to the victim's
contacts and searched the system for files with specific extensions, replacing them
with copies of itself.
• The Code-Red Worm (2001) – The worm infected several hundred thousand hosts in under
14 hours by exploiting a buffer-overflow condition in Microsoft's IIS web servers. The
worm was memory resident, so rebooting an infected machine removed it, but an unpatched
machine was soon reinfected; only applying the IIS patch ended the exposure.
• Adil Yahya Zakaria Shakour (August, 2001-May, 2002) – Shakour admitted to having
accessed several computers without authorization, including a server at Eglin Air Force
Base, computers at Accenture, a computer system at Sandia National Laboratories, and a
computer at Cheaptaxforms.com.
• The Slammer Worm (2003) – It exploited a buffer-overflow vulnerability in computers
running Microsoft's SQL Server or Microsoft SQL Server Desktop Engine. Slammer-infected
hosts were generating a reported 1 TB of worm-related traffic every second, and the worm
doubled its number of infected hosts roughly every 8.5 seconds. Slammer carried no
destructive payload; the damage came from the flood of scanning traffic itself, which
congested networks and disrupted services that depended on them.
• July 2009 cyberattacks – These were a series of coordinated cyberattacks against major
government, news media, and financial websites in South Korea and the United States.
The first wave of attacks occurred on July 4, 2009 and the last wave of attacks began on
July 9, 2009.
• Shamoon (2012) – Also known as Disttrack, Shamoon is wiper malware discovered in
2012 that attacks computers running the Microsoft Windows operating system. It
overwrites files and the master boot record, rendering the infected machines on a
network unbootable.
There are a number of different threats to security, and these are
the following:
Viruses and Worms – A virus is a self-replicating program that spreads by inserting
copies of itself into other executable code or documents; it needs a host file and
usually a user action, such as opening the file, in order to run. A worm is also
self-replicating malware, but it spreads on its own across a network, typically by
exploiting a vulnerability in a network service, without attaching itself to a host
file or waiting for the user.
Intruders – The act of deliberately accessing computer systems and networks without
authorization is generally referred to as hacking. It also applies to the act of exceeding
one's authority in a system, which includes authorized users who attempt to gain access
to files or obtain permissions that they have not been granted.
A script kiddie is a derogatory term for an inexperienced cracker who uses scripts
and programs developed by others to compromise computer accounts and files and to
launch attacks on whole computer systems. Elite hackers are people who are not only
capable of writing scripts to exploit known vulnerabilities, but also capable of
discovering new ones.
Insiders – They have the access and knowledge necessary to cause
immediate damage to an organization. They may also have all the
access they need to perpetrate criminal activity such as fraud.
Moreover, they have knowledge of the security systems in place and
will be better able to avoid detection.
Criminal Organizations – Attacks by criminal organizations fall into
the structured threat category, which is characterized by a greater
amount of planning, a longer period of time to conduct the activity,
more financial backing to accomplish it, and possibly corruption of,
or collusion with, insiders.
Terrorists and Information Warfare – Information warfare is conducted
against the information and information processing equipment used by
an adversary.
Computer security and network security
Computer security is the effort to create a secure computing platform,
designed so that agents (users or programs) can only perform actions
that have been allowed. This involves specifying and implementing a
security policy.
Network security is the protection of networks and their services from
unauthorized modification, destruction, or disclosure, and the provision
of assurance that the network performs its critical functions correctly
and there are no harmful side-effects.
CIA of security.
The original goal of computer and network security is to provide
confidentiality, integrity, and availability.
• Confidentiality refers to the security principle that states that
information should not be disclosed to unauthorized individuals.
• Integrity is the security principle that requires information to not be
modified except by individuals authorized to do so.
• Availability applies to hardware, software, and data. All of these
should be present and accessible when the subject (the user) wants
to access or use them.
Authentication deals with ensuring that an individual is who they claim
to be. Non-repudiation, on the other hand, is the ability to prove that a
message was sent and received and that the sender can be identified, so
that the sender cannot later deny having sent it. The three ways an
organization can choose to address the protection of its networks are:
- ignore security issues,
- provide host security, and
- approach security at a network level.
Least privilege is applicable to many physical environments as well as
network and host security. Least privilege means that an object should
have only the necessary rights and privileges to perform its task, with no
additional permissions.
Layered security
• It is important that every environment have multiple layers of
security. Those layers may employ a variety of methods such as
routers, firewalls, network segments, IDSs, encryption,
authentication software, physical security, and traffic control.
• The layers are depicted, usually, starting from the top, with more
general types of protection, and progressing downward through
each layer, with increasing granularity at each layer as you get
closer to the actual resource.
Diversity of defense is a concept that complements the idea of various layers of
security.
Access is the ability of a subject to interact with an object. Access controls refer to
the devices and methods used to limit which subjects may interact with specific objects.
Authentication mechanisms ensure that only valid users are provided access to the
computer system or network.
The following are the various methods to implement access controls:
Discretionary Access Control – It is a means of restricting access to objects based
on the identity of subject and/or groups to which they belong.
Mandatory Access Control – It is a means of restricting access to objects that is
based on fixed security attributes assigned to users and to files and other objects.
Role-Based Access Control – It is an alternative to traditional access control models
(e.g., discretionary or non-discretionary access control policies) that permits the
specification and enforcement of enterprise-specific security policies in a way that
maps more naturally to an organization's structure and business activities.
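The three models above differ in who decides what a subject may do with an object. The following is an added example, not code from the original slides: a tiny reference monitor for each model, plus a least-privilege helper that picks the role granting the fewest unnecessary permissions. All users, files, labels, and roles in it are made up for illustration; the MAC rules follow the Bell-LaPadula "no read up, no write down" convention.

```python
"""DAC, MAC and RBAC as small reference monitors answering one question:
may SUBJECT perform ACTION on OBJECT?  Illustrative code only; every
user, file, label and role below is constructed for the example."""
from dataclasses import dataclass, field

# ---- Discretionary Access Control: the owner decides, through an ACL ----
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # subject or group -> set of actions

def dac_allowed(obj, subject, action, groups):
    """The owner has full control; anyone else gets what the ACL grants
    to them directly or to a group they belong to."""
    if subject == obj.owner:
        return True
    granted = set(obj.acl.get(subject, set()))
    for group in groups.get(subject, set()):
        granted |= obj.acl.get(group, set())
    return action in granted

# ---- Mandatory Access Control: fixed labels, Bell-LaPadula style ---------
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

def mac_allowed(subject_level, object_level, action):
    """'No read up': read only at or below your clearance.
    'No write down': write only at or above your clearance, so labelled
    data cannot be copied into a lower-labelled object."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False

# ---- Role-Based Access Control: permissions attach to roles, not users ---
ROLE_PERMS = {
    "clerk":   {("ledger", "read"), ("ledger", "append")},
    "auditor": {("ledger", "read"), ("audit_log", "read")},
    "admin":   {("ledger", "read"), ("ledger", "append"),
                ("ledger", "delete"), ("audit_log", "read")},
}

def rbac_allowed(user_roles, user, obj, action):
    """A user may do whatever any of their roles permits, and nothing more."""
    return any((obj, action) in ROLE_PERMS[r] for r in user_roles.get(user, ()))

def least_privilege_role(needed, role_perms=ROLE_PERMS):
    """Least privilege: of the roles that cover every needed permission,
    return the one carrying the fewest extra permissions (None if no role fits)."""
    best = None
    for role, perms in role_perms.items():
        if needed <= perms:
            extra = len(perms - needed)
            if best is None or extra < best[1]:
                best = (role, extra)
    return best[0] if best else None

if __name__ == "__main__":
    doc = DacObject(owner="alice", acl={"staff": {"read"}})
    print("DAC bob read:", dac_allowed(doc, "bob", "read", {"bob": {"staff"}}))
    print("MAC confidential writes to internal:", mac_allowed("confidential", "internal", "write"))
    print("RBAC role for a clerk's needs:", least_privilege_role({("ledger", "read"), ("ledger", "append")}))
```

Run stand-alone to see the three decisions; note that in the MAC case a confidential subject is refused a write to an internal file even though it could read that file, which is the point of the no-write-down rule.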
Health Issues
• Why do some computer workstations cause eyestrain and muscle
fatigue?
• Why is the video recorder one of the most frustrating
domestic items to operate?
• Why do some car seats leave you aching after a long journey?
These questions and many others may leave us wondering how we can
handle such irritations and inconveniences. Many of them can be
avoided by applying ergonomics.
Many computer-related health problems are minor and caused by a
poorly designed work environment.
• Keyboards and computer screens may be fixed in place or difficult to
move.
• Desks and chairs may also be uncomfortable.
• The computer screen may be hard to read, with problems of glare and
poor contrast. The hazardous conditions and activities described here are
collectively referred to as work stressors.
Although these problems may not be of major concern to casual users of
computer systems, continued stressors such as eyestrain, awkward posture,
and repetitive motion, may cause more serious and long-term injuries. If
nothing else, these problems can severely limit productivity and performance.
The study of designing and positioning computer equipment, called
ergonomics, has suggested a number of approaches to reduce these
health problems. Ergonomics is an approach which puts human needs
and capabilities at the focus of designing technological systems.
The objective of ergonomics is to ensure that humans and technology
work in complete harmony, with the equipment and tasks aligned to
human characteristics. Another goal is to have “no pain” computing.
The placement and design of computer tables and chairs, the
positioning and design of display screens, and the slope of the keyboard
have been carefully studied. Flexibility is a major component of
ergonomics and an important feature of computer devices. People of
differing sizes and preferences require different positioning of equipment
for best results.
Different essential implications to achieve productivity, efficiency,
safety, and health in work setting.
Ergonomics has various applications to everyday domestic situations, but there
are even more essential implications for productivity, efficiency, safety and health in
work settings. Here are the following examples:
• Designing equipment and work arrangements to improve working posture and
ease the load on the body, thus reducing instances of Repetitive Strain
Injury/Work Related Upper Limb Disorder.
• Information design, to make the interpretation and use of handbooks, signs, and
displays easier and less error-prone.
• Designing equipment and systems including computers, so that they are easier to
use and less likely to lead to errors in operation – particularly important in high
stress and safety-critical operations such as control rooms.
• Designing working environments, including lighting and heating, to suit the
needs of the users and the tasks performed. Where necessary, design of
personal protective equipment for work and hostile environments.
• Design of training arrangements to cover all significant aspects of the job
concerned and to take account of human learning requirements.
• The design of military and space equipment and systems – an extreme
case of demands on the human being.
• Designing tasks and jobs so that they are effective and take account of
human needs such as rest breaks and sensible shift patterns, as well as
other factors such as intrinsic rewards of work itself.
In developing countries, the acceptability and effectiveness of even fairly
basic technology can be significantly enhanced by applying ergonomics.
The multi-disciplinary nature of ergonomics, sometimes called “Human Factors”,
is immediately obvious. The ergonomist works in teams which may involve a variety
of other professions: design engineers, production engineers, industrial
designers, computer specialists, industrial physicians, health and safety
practitioners, and specialists in human resources.
The overall aim is to ensure that our knowledge of human characteristics is
brought to bear on practical problems of people at work and in leisure. We know that,
in many cases, humans can adapt to unsuitable conditions, but such adaptation often
leads to inefficiency, errors, unacceptable stress, and physical or mental cost.
Trace the origins of ergonomics.
Ergonomics, a relatively new branch of science, celebrated its 50th anniversary
in 1999. It relies on research carried out in many other older, established scientific
areas, such as physiology, psychology, and engineering.
The checklist for a user-friendly workstation.
The following are equipment checklist for a User-Friendly Workstation:
Buying Tips
•  Ask for equipment that meets American National Standards Institute (ANSI) standards.
These are ergonomic standards applicable to computer terminals, associated furniture, and the
work environment. Try equipment out before purchasing whenever possible.
Computer Terminal
•  Easy to use brightness and control knobs
•  No perceptible screen flicker
•  Detachable keyboard
•  Reduced electromagnetic fields (EMF) emissions
•  Tiltable screen
•  Character size at least 3/16"
Chair
•  Back provides firm lower and mid-back support.
•  Adjustable arm rests, if needed to prevent shoulder fatigue.
•  Seat and back easily adjustable for height and tilt from seated position without
use of tools.
•  Seat upholstered and padded curves down at front edge.
•  Five (5) casters for stability.
Table
•  Easily adjustable from seated position without use of tools
•  Bi-level to allow independent adjustment of screen and keyboard
•  Adequate leg room
•  Adequate table top space for required tasks
Accessories (As Needed)
•  Foot rest for users whose feet don‘t rest flat on the floor
•  Adjustable keyboard tray, if table is too high
•  Wrist rest that is padded, movable, same height as keyboard home row
•  Document holder adjustable to screen height
•  Glare screen with grounding wire
•  Lumbar support cushion, if chair doesn‘t support lower back
• Telephone headset
•  Task lighting
Reduce Glare to Avoid Eyestrain
•  Lower lighting level to about half of normal office lighting
•  Avoid placing computer directly under a bank of lights
•  Avoid light shining directly into your eyes or onto your screen
•  Use window curtains or blinds if necessary
•  Position screen at right angle to window
•  Hold a mirror in front of your screen to identify sources of glare
•  Use task lighting if necessary
Information Ethics
Ethics is a set of principles which involves systematizing,
defending, and recommending concepts of right and wrong
behavior.
Information ethics can be regarded as part of normal business
ethics since to do otherwise would mean that normally unethical
acts might be all right via computer.
Business ethics is the "code of morals of a particular profession"
and "the standards of conduct of a given profession". Since morals
are "principles of right and wrong in conduct", information ethics
can therefore be defined as an agreement among information systems
professionals to do right and to avoid wrong in their work.
Four unique information systems attributes addressed by
information ethics
Information ethics is a specific application of business ethics to
information systems, so it may be mistakenly assumed to be identical to
business ethics. However, information ethics addresses issues unique to
information systems. The following are the four (4) unique I.S. attributes:
• Location - With a computer, an unethical act can be committed from
many locations, including from far away from the victim.
• Time - Information systems make it possible to commit unethical acts
quickly, and to repeat them many times over.
• Separation of Act from Consequences - Most people feel guilty when
they see someone hurt by their actions; a computer separates the act from
its consequences, so the offender never sees the harm done.
• Individual Power - Would-be criminals often need help to misbehave;
with a computer, one individual can act alone at a scale that once
required accomplices.
Privacy refers to the right of people not to reveal information about themselves. It is
the right to keep personal information, such as personal email messages, medical
histories, student records, and financial information, from getting into the wrong hands.
The right to privacy at work is also an important issue. Some experts believe
that there will be a collision between workers who want their privacy and companies
that demand to know more about their employees. Companies that monitor their
employees have raised concerns, and workers may find that they are being closely
monitored via computer technology.
Email also raises some interesting issues about privacy at work. Federal law allows
employers to monitor email sent and received by employees. Furthermore, email
messages that have been erased from hard disks may be retrieved and used in
lawsuits, because the laws of discovery demand that companies produce all relevant
business documents. In the public sector, the use of email among public officials may
violate "open meeting" laws. These laws, which apply to many local, state, and federal
agencies, prevent public officials from meeting in private about matters concerning the
state or local area.
Information Accuracy
For information to be accurate, it must be error-free, complete, and relevant to
decisions that are to be based on it. Professional integrity is one of the guarantors of
information accuracy. An ethical approach to information accuracy calls for the
following:
a. Individuals should be given an opportunity to correct inaccurate information held
about them in a database.
b. Databases containing data about individuals should be reviewed at frequent
intervals, with obsolete data discarded.
c. System safeguards, such as control audits, are necessary to maintain information
accuracy. Regular audits of data quality should be performed and acted upon.
d. A professional should not misrepresent his or her qualifications to perform a task.
e. A professional should inform his or her employer what consequences to expect if
his or her judgment is overruled.
Accessibility
Access to files, both online and offline, should be restricted only to those
who have a legitimate right to access – because they need those files to do
their jobs. Many organizations keep a transaction log that notes all accesses or
attempted accesses to data. Most LAN management software includes this
function.

Property
Many networks have audit controls to track which files were opened, which
programs and servers were used, and so on. This creates an audit trail, a
record of how a transaction was handled from input through processing and
output.
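A transaction log is only useful as an audit trail if nobody can quietly edit or delete entries after the fact. The following is an added example, not code from the original slides, showing one way to make such a log tamper-evident: each record is hash-chained to the one before it, so removing or altering any entry breaks verification, and the log can also be queried for repeated denied attempts of the kind the text says organizations watch for. The users, file names, and events are constructed for the demonstration.

```python
"""Tamper-evident access log: each entry carries the SHA-256 hash of the
previous entry, so an edited or deleted record is detected on verification.
All events below are constructed for the example."""
import hashlib
import json

GENESIS = "0" * 64
FIELDS = ("seq", "user", "object", "action", "allowed")

def _digest(prev_hash, record):
    # Canonical JSON so that field order cannot change the hash
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append_event(log, user, obj, action, allowed):
    """Record an access attempt (allowed or denied) and chain it to the log."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"seq": len(log), "user": user, "object": obj,
              "action": action, "allowed": allowed}
    entry = {**record, "prev": prev, "hash": _digest(prev, record)}
    log.append(entry)
    return entry

def verify_log(log):
    """Recompute every link. Returns (True, None) if intact, otherwise
    (False, index) of the first entry that fails."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: entry[k] for k in FIELDS}
        if (entry["seq"] != i or entry["prev"] != prev
                or entry["hash"] != _digest(prev, record)):
            return False, i
        prev = entry["hash"]
    return True, None

def denied_attempts(log):
    return [e for e in log if not e["allowed"]]

def suspicious_users(log, threshold=3):
    """Users with at least `threshold` denied attempts, in first-seen order."""
    counts = {}
    for e in denied_attempts(log):
        counts[e["user"]] = counts.get(e["user"], 0) + 1
    return [u for u, n in counts.items() if n >= threshold]

def build_sample_log():
    """Constructed sample: bob is refused payroll access three times."""
    log = []
    append_event(log, "bob", "payroll.xlsx", "read", False)
    append_event(log, "alice", "payroll.xlsx", "read", True)
    append_event(log, "bob", "payroll.xlsx", "read", False)
    append_event(log, "bob", "payroll.xlsx", "read", False)
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_log(log), "suspicious:", suspicious_users(log))
    log[0]["allowed"] = True            # an attacker "forgives" a denial
    print("after tampering:", verify_log(log))
```

The chain detects tampering by anyone who cannot rewrite every later hash as well; to stop an attacker who controls the whole log file, the latest hash should be copied periodically to a place they cannot reach (a separate log server or a signed checkpoint).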
The following are the computer crime laws:
• Fair Credit Reporting Act of 1970 (FCRA). Controls operations of credit-reporting
bureaus, including how they collect, store, and use credit information.
• Freedom of Information Act of 1966. Ensures individuals access to information held in
federal agency files, about government activities and about themselves.
• Tax Reform Act of 1976. Regulates the collection and use of certain information by
the Internal Revenue Service.
• Right to Financial Privacy Act of 1978. Regulates government access to certain
records held by financial institutions.
• Electronic Fund Transfer Act of 1978. Enumerates the responsibilities of companies
that use electronic funds transfer systems, including consumer rights and liability for
bank debit cards.
• Computer Matching and Privacy Protection Act of 1988. Regulates cross-referencing
between federal agencies' computer files.
• Video Privacy Protection Act of 1988. Prevents retail stores from disclosing video
rental records without a court order.
• Telephone Consumer Protection Act of 1991. Limits telemarketers' practices.
• Cable Act of 1992. Regulates companies and organizations that provide wireless
communication services, including cellular phones.
• Computer Abuse Amendments Act of 1994. Prohibits transmission of harmful computer
programs and code, including viruses.
• Children's Online Privacy Protection Act of 1998. Establishes standards for sites
that collect information from children. Its purpose is to prohibit unfair or deceptive acts or
practices in connection with the collection, use, or disclosure of personally identifiable
information from and about children on the Internet.
• Education Privacy Act. Restricts collection and use of data by federally funded
educational institutions, including specifications for the type of data collected, access by
parents and students to the data, and limitations on disclosure.
The following are the federal computer crime laws:
• Copyrights Law. Sets standards on copyrights and computer programs.
• Fraud and False Statements Law. Standards against fraud and related activity in
connection with access devices and computers.
• Espionage and Censorship. Sets standards on gathering, transmitting, or losing
defense information.
• Mail Fraud Law.
• General prohibition on pen register and trap and trace device use.
• Pen Registers and Trap and Trace Devices.
• Standards against fraud by wire, radio, or television.
• Standards against interception and disclosure of wire, oral, or electronic
communications.
• Wire and Electronic Communications Interception and Interception of Oral
Communications.
Tips in preventing crimes on the Internet
Internet security can include firewalls and a number of methods to secure
financial transactions. A firewall is a combination of hardware and software
that acts as a barrier between an organization's information system and the
outside world. A number of systems have been developed to safeguard financial
transactions on the Internet.
The following tips can be taken to help prevent crime on the Internet:
• Use a stand-alone firewall, including hardware and software with network
monitoring capabilities.
• Use Internet security specialists to perform audits of all Internet and network
activities.
• Develop effective Internet and security policies for all employees.
• Monitor managers and employees to make sure they are using the Internet for
business purposes only.
Data alteration/theft
Data and information are valuable corporate assets. The intentional
use of illegal and destructive programs to alter or destroy data is as much
a crime as destroying tangible goods.
The most common of these programs are viruses and worms, software
programs that, when loaded into a computer system, will destroy, interrupt,
or cause errors in processing. When this text was first written, in the early
2000s, there were more than 53,000 known computer viruses, with more than
6,000 new viruses and worms being discovered each year; today the count of
known malware samples runs into the hundreds of millions.
Some viruses and worms attack personal computers, while others
attack network and client/server systems.
A personal computer can get a virus from an infected disk, an
application, or e-mail attachments received from the Internet.
A virus or worm that attacks a network or client/server system is
usually more severe because it can affect hundreds or thousands of
personal computers and other devices attached to the network.
Workplace computer virus infections are increasing rapidly
because of several viruses spread through e-mail attachments.
Malicious access
• Crimes involving illegal system access and use of computer services are a
concern to both government and business. Federal, state, and local government
computers are sometimes left unattended over weekends without proper security,
and university computers are often used for commercial purposes under the
pretense of research or other legitimate academic pursuits.
• A 28-year-old computer expert allegedly tied up thousands of US West
computers in an attempt to solve a classic math problem. The individual
reportedly obtained the passwords to hundreds of computers and diverted them
to search for a new prime number, racking up ten years of computer processing
time. The alleged hacking was discovered by a US West Intrusion Response
Team after company officials noticed that computers were taking up to five
minutes to retrieve telephone numbers, when normally they require only three to
five seconds. At one point, customer calls had to be rerouted to other states, and
the delays threatened to close down the Phoenix Service Delivery Center.
Since the outset of information technology, computers have been
plagued by criminal hackers.
A hacker is a person who enjoys computer technology and spends
time learning and using computer systems. A criminal hacker, also
called a cracker, is a computer-savvy person who attempts to gain
unauthorized or illegal access to computer systems. In many cases,
criminal hackers are people who are looking for fun and excitement –
the challenge of beating the system.
Classification of computer viruses
The two most common types of viruses are application viruses and
system viruses.
• Application viruses infect executable application files, such as word
processing programs. When the application is executed, the virus
infects the computer system.
• A system virus typically infects operating system programs or other
system files. These viruses usually infect the system as soon as the
computer is started.
Another type of program that can destroy a system is a logic bomb, an application or
system virus designed to "explode", that is, to execute, at a specified time and date.
Logic bombs are often disguised as a Trojan horse, a program that appears to be useful
but actually masks the destructive program. Some of these programs execute randomly;
others are designed to remain inert in software until a certain cue is given. When it
detects the cue, the bomb will explode months, or even years, after being "planted".
A macro virus is a virus that uses an application's own macro programming language to
distribute itself.
• Unlike the viruses mentioned earlier, macro viruses do not infect programs; they infect
documents. The document could be a letter created using a word processing application,
a spreadsheet, a graphics file developed for a presentation, or a database file.
• Macro viruses that are hidden in a document file can be difficult to detect, because the
document looks like ordinary data and the extension alone does not reveal whether a
macro is present. As with other viruses, however, virus detection and correction
programs can be used to find and remove macro viruses.
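One concrete check a practitioner can run on incoming documents follows, as an added example that is not part of the original slides. Modern Office documents (.docx, .xlsm, .pptm and so on) are ZIP archives, and a document that carries VBA macro code contains a part named vbaProject.bin inside that archive. Looking for that part finds macros regardless of the file extension, which matters because a macro-bearing file can simply be renamed to a macro-free extension such as .docx. The sample documents are constructed in memory with only the minimal parts needed for the demonstration; they are not real Office files.

```python
"""Detect VBA macro projects inside Office Open XML documents.
Sample documents are constructed in memory for the example."""
import io
import zipfile

MACRO_PART_SUFFIX = "vbaproject.bin"                 # compared case-insensitively
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}

def find_macro_parts(data):
    """Return archive entries holding VBA code; [] if none or if the bytes are not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [name for name in zf.namelist()
                    if name.lower().endswith(MACRO_PART_SUFFIX)]
    except zipfile.BadZipFile:
        return []

def classify(filename, data):
    """'clean'           : no macro project found
       'macro'           : macros present and the extension admits it
       'macro-disguised' : macros present behind an extension that should not carry them"""
    parts = find_macro_parts(data)
    if not parts:
        return "clean"
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot >= 0 else ""
    return "macro" if ext in MACRO_EXTENSIONS else "macro-disguised"

def build_doc(with_macro):
    """Constructed minimal OOXML-like archive (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin parts are OLE2 containers; this is a stand-in blob
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed VBA blob")
    return buf.getvalue()

if __name__ == "__main__":
    for name, doc in [("memo.docx", build_doc(False)),
                      ("memo.docm", build_doc(True)),
                      ("memo.docx", build_doc(True))]:
        print(name, "->", classify(name, doc))
```

A "macro-disguised" result is the interesting case for a mail gateway: the file claims to be plain data while carrying executable macro code, so it deserves quarantine rather than delivery. Older binary formats (.doc, .xls) are OLE2 files, not ZIPs, and need a different parser; this check returns "clean" for them only because it cannot see inside, so it should not be the only control.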
