
  • COM6650/6655 Professional Issues in Information Technology, Part IX: Computer Misuse and Computer Crime

    Dr. Amanda Sharkey

    Department of Computer Science, University of Sheffield

  • Take-home exam: to be released on Mole on Tuesday 1st December.

    3 exam-style questions. Due Monday 14th December.

  • Outline

    1 Introduction
    2 What is Computer Misuse?
    3 Computer Fraud
    4 Software Piracy
    5 Viruses
    6 Hacking
    7 The Computer Misuse Act 1990
    8 Conclusions
    9 Summary

  • 1 Introduction

    IT has changed the way in which crimes are committed: valuable assets are stored as computer data; telecommunications have broadened the geography of crime;

    Computers have given rise to a new range of criminal activities such as computer hacking and viruses.

    Much of this activity has captured the imagination of the public, but is computer crime really a big problem?

  • 1.1 What is the scale of computer crime? Data on computer crime is collected by the Audit Commission (http://www.auditcommission.gov.uk).

    Theft covers loss to employers through theft of data or software; seldom does this cause any direct loss.

    The 1997 update to this survey found a 10% increase since 1994 in the number of organisations reporting computer misuse.

    Type of Misuse     1994               1990               1987
                       No.  Direct Loss   No.  Direct Loss   No.  Direct Loss
    Fraud              108    2,904,430    73    1,102,642    61    2,526,751
    Theft              121      196,305    27        1,000    22       34,500
    Hacking             47       65,500    26       31,500    35          100
    Viruses            261       30,485    54        5,000     0            0
    Totals             537    3,196,720   180    1,140,142   118    2,561,351

  • Audit Commission UK (2005) figure for total value of fraud in the public sector was 83 million (not restricted to computer fraud).

    Problem of under-reporting. A US survey (2004) estimated that phishing attacks cost US banks $1.2 billion in 2003, and that 57 million Americans had received phishing e-mails.

  • 2012 Cost of Cyber Crime Study: United States (Ponemon Institute report):

    Average annual cost of cybercrime for 56 organisations was $8.9 million per year.

    Most costly: denial of service, malicious insiders and web-based attacks.

  • 2 What is Computer Misuse? In the late 1980s there was growing concern about hackers and the damage they could cause.

    Two studies: Scottish Law Commission (reported 1987), English Law Commission (reported 1989).

    The Scottish Law Commission identified eight different categories of computer misuse in its 1987 report.

    These prompted the Computer Misuse Act 1990 (CMA). Bear in mind that the actions described below will sometimes also give rise to liabilities under civil law.

  • Eight different categories of computer misuse identified by the Scottish Law report (1987)

    (1) Erasure or falsification of data or programs to gain a financial or other advantage. This category deals with fraud or theft.

    (2) Obtaining unauthorised access to a computer. This covers hacking and unauthorised use of an employer's computer by an employee. Hackers that damage computer systems often have no intention of doing so. Without intent, there is no crime. This loophole has been addressed by the CMA.

  • Eight different categories of computer misuse identified by the Scottish Law report (1987), continued.

    (3) Eavesdropping on a computer. This involves the use of equipment to pick up radiation emissions from a computer screen.

    (4) Taking information without physical removal. Legal problems arise here since 'information' is not a physical thing; it cannot be stolen. Dealing with this problem would require changes to the law of theft; a major undertaking. Copyright, patents and the law of confidence offer some protection.

  • Eight different categories of computer misuse identified by the Scottish Law report (1987), continued.

    (5) Unauthorised borrowing of computer material. Borrowing of computer media does not constitute theft.

    (6) Denial of access to authorised users. A user of a computer system could prejudice other users by denying them access to the computer, or denying them access to particular data that they need.

    (7) Unauthorised use of computer time/facilities. Authorised users of a computer could use it for unauthorised purposes, such as private research and development which is competitive with their employer.

    (8) Malicious or reckless corruption or erasure of data or programs. The results of this activity could cause financial loss, damage to the environment or even loss of life.

  • Basics of English criminal law

    Most criminal offences are set out in Acts of Parliament: e.g. Theft Act 1968, Fraud Act 2006, Computer Misuse Act 1990.

    Some common law offences remain, e.g. murder. The elements of an offence can be analysed in terms of:

    Mens rea (mental element, and intention); Actus reus (actual behaviour).

    Some offences are termed strict liability offences, for which there is no mens rea (e.g. driving at night with a faulty rear light is an offence even if the driver did not know the light was faulty).

  • Criminal offences: the police are informed. They may charge the person and then pass the case over to the Crown Prosecution Service.

    The accused appears in the Magistrates' court. The case may be committed for trial in the Crown Court. Minor (summary) offences are dealt with in the magistrates' court.

    Serious (indictable) offences are tried in the Crown Court. Intermediate offences, e.g. theft and fraud, are triable either way (magistrates' or Crown Court).

  • 3. ICT Fraud

    Computer systems are vulnerable to fraud. E.g. R v Sunderland (unreported) 1983: an employee of Barclays Bank used the bank's computer to find a dormant account, and then forged the holder's signature to withdraw 2,100.

    Sentenced to 2 years' imprisonment, but the case illustrates the vulnerability of such systems, especially from within an organisation.

  • 3.1 Types of computer fraud (Audit Commission)

    3.1.1 Entry of an unauthorised instruction (input fraud). Unauthorised alteration of data prior to it being input into a computer. Probably common. Example: input data forms.

    3.1.2 Alteration of input data (data fraud). Data held on a computer system is modified for fraudulent means.

    3.1.3 Suppression of data (output fraud). Output from a computer system is destroyed or altered. The motive is usually to conceal criminal activity. Example: audit rolls from a cash till.

    3.1.4 Program fraud. Alteration of a computer program. Sophisticated, and therefore hard to detect. Example: salami fraud.

  • 3.2 Fraud offences. Fraud is a collection of similar offences, some of which were covered by the Theft Acts 1968 and 1978.

    3.2.1 Obtaining property by deception

    Problems with old deception offences

    The Theft Act 1968 defines the offence of theft as follows: A person who by any deception dishonestly obtains property belonging to another, with the intention of permanently depriving the other of it, shall on conviction on indictment be liable to imprisonment for a term not exceeding ten years.

    This definition implies the deception of a person. The Law Lords confirmed this view in 1974: for a deception to take place there must be some person or persons who will have been deceived.

    A person committing a computer fraud deceives the computer, not a human mind. So, this offence is probably inappropriate for computer fraud.

  • The Theft Act 1968 defines the offence as follows: A person who by any deception dishonestly obtains property belonging to another, with the intention of permanently depriving the other of it, shall on conviction on indictment be liable to imprisonment for a term not exceeding ten years.

    If a person gains access to a computer system without permission and then makes a printout of the information contained therein, has he committed theft?

  • Oxford v Moss (1978). A student borrowed an examination paper before the exam.

    He could not be prosecuted for theft since he returned the item.

    He was prosecuted for theft of confidential information, but acquitted on the grounds that information cannot be regarded as property and so cannot be stolen.

  • R v Lloyd (1985)

    A projectionist in a cinema and 2 others took films from the cinema and copied them, but returned them.

    The pirated copies were sold at a considerable profit.

    BUT the charge of theft (conspiracy to steal) was held to be inappropriate: no intention to permanently deprive.

    A charge of conspiracy to defraud might have worked better.

  • 3.2.2 Conspiracy to defraud. A common law offence. A conspiracy is an agreement between two or more persons to carry out an unlawful act.

    Conspiracy to defraud may be applicable to computer fraud, since deception need not be proven.

  • Theft Act 1968: dishonestly extracting electricity

    Unauthorised access will result in some consumption of electricity.

    But it will have to be demonstrated that the person realised they were being dishonest.

    R v Ghosh (1982), the Ghosh Test: need to determine whether the defendant himself realised that what he was doing was, by the ordinary standards of reasonable and honest people, dishonest.

  • 3.2.3 Attempts. To be charged with an attempt, a person must have done an act which is 'more than merely preparatory to the commission of an offence'.

    A computer fraud which is not completed may be an attempt to steal money. Confusion over this is one reason why section two of the Computer Misuse Act 1990 was enacted (see later).

    See also the Fraud Act 2006.

    3.2.4 Fraud as theft. Applying the offence of theft to computer fraud normally presents no problems, excepting our reservations about permanently depriving.

  • Fraud Act 2006. Deals with some of the deficiencies of the Theft Acts 1968 and 1978, especially ICT fraud.

    A person is guilty of fraud if in breach of any of the following:

    - (i) fraud by false representation
    - (ii) fraud by failing to disclose information
    - (iii) fraud by abuse of position

    Penalties: Summary conviction (Magistrates' court): imprisonment for up to 12 months and/or a fine.

    Conviction on indictment (Crown Court trial by jury): imprisonment for up to 10 years and/or a fine.

  • (i) Fraud by false representation (Fraud Act 2006, section 2). Occurs when a person dishonestly makes a false representation, intending to make a gain for himself or another, or to cause loss to another, or to expose another to risk of loss.

    E.g. phishing: obtaining information such as bank account details by sending an email (or SMS) purporting to be from that person's bank.

    E.g. pharming: redirecting traffic intended for a genuine website to a bogus one.

    Unlike the Theft Act 1968 (permanently deprive), there is no need for actual gain or loss, or for it to be permanent.

  • (ii) Fraud by failing to disclose information (Fraud Act 2006, section 3)

    This form of fraud offence applies when a person dishonestly fails to disclose to another person information which he is under a legal duty to disclose, and intends, by failing to disclose the information, to make a gain for himself or another, or to cause loss to another or to expose another to risk of loss.