
Computer Ethics

Lecture 7
CRIME
Outline
Chapter 5: Crime
5.1 Introduction
5.2 Hacking
5.2.1 What is hacking?
5.2.2 Hacktivism, or political hacking
5.2.3 The law: catching and punishing hackers
5.2.4 Security
5.3 Identity Theft and Credit Card Fraud
5.3.1 Stealing identities
5.3.2 Responses to identity theft
5.3.3 Biometrics
Introduction

 19th century bank robbers fled the crime scene on
horseback; in the 20th century they drove getaway
cars; in the 21st century they walk from a PC.
 Computers and the internet make things easier for
us; they also make illegal activities easier for
criminals.
 Crimes committed with computers are more
devastating and harder to detect than other
crimes.
 Hacking: intentional, unauthorized access to
computer systems
Introduction (cont.)

 Average loss from computer crimes is much higher
than from other crimes.
 Credit card thieves
 Hackers who break bank systems
 Computer vandalism by teenagers can halt
entire businesses
 Global business networks and the web extend
the criminals’ reach and make arrests and
prosecution more difficult.
What is Hacking?

 Hackers
 An irresponsible destructive criminal
 break into computer systems
 intentionally release viruses
 Steal money, crash websites, destroy files, disrupt
businesses
 Some hackers do none of these things
 Three phases of Hacking
 Phase I: early years, from 1960s to 1970s
 Phase II: from 1970s to 1990s
 Phase III: from 1990s till present
Phase I: the joy of programming
 Hacker
 a creative programmer who wrote very elegant/clever
programs.
 Computer virtuosos, created many of the first computer games
and operating systems
 Outside the social stream, spending many hours learning as
much as they could about computer systems and improving
them
 High school and college students who hacked computers at
their schools
 Mostly sought knowledge and intellectual challenges
 Jude Milhon: Hacking is a clever circumvention of imposed
limits.
 Steven Levy: Art, science and play have merged into the
magical activity of programming.
Phase II
 The meaning of ‘hacker’ changed as more people used
computers and more people abused them.
 ‘Hacking’ got the meaning it has today: breaking into
computers on which the hacker does not have authorized
access.
 By the 1980s, hacking also included spreading computer
viruses, mostly in software traded on floppy disks
 Hacking behavior included pranks, theft and phone
phreaking.
 Hacking a computer at a big research center, corporation
or government agency was a challenge that brought a
sense of accomplishment, lots of files to explore and a
sense of respect from peers.
Phase II (cont.)

 Young hackers were fond of breaking into Defense
Department computers and they achieved it
 Hackers obtained passwords by sophisticated techniques
and by Social Engineering
 Some hackers turned into serious threats to security and
privacy.
 Using programs called sniffers, they read information
travelling over internet and stole passwords.
 In 1994, they might have compromised one million
passwords.
Phase II (cont.)
 Adult criminals began to recognize the possibilities of
hacking.
 Business espionage, significant threats and fraud
joined the list of hacking activities.
 The Internet Worm demonstrated the vulnerability of the
Internet as a whole in 1988.
 Robert Morris, at Cornell University, wrote a worm
program and released it on the internet.
 The worm did not destroy anything; it just spread
quickly to computers running a specific version of the
UNIX operating system, jamming them up and preventing
normal processing.
 The worm disrupted research and other activities and
there was disagreement on whether Morris intended
its effect.
Phase III: The growth of the Web
 In this phase, hacking includes a variety of new threats
 Increased use of internet for email, for sensitive
information and for commercial transactions made hacking
more dangerous and damaging.
 Kinds of accessible information extended to include credit
reports, consumer profiles, medical records, tax records
and confidential business information.
 Hacking for political motives increased. As web spread
globally, so did hacking.
Phase III: The growth of the Web (cont.)
 Hackers modified the U.S. Department of Justice website to read ‘U.S.
Department of Injustice’
 They changed Central Intelligence Agency (CIA) to read Central Stupidity
Agency.
 Hackers in England impersonated air traffic controllers and gave false
instructions to pilots.
 A decade after the worm, Internet showed it was still vulnerable: Melissa
virus, ILOVEYOU virus
 Many governments and organizations’ web servers had to shut down.
 Estimated $10 billion of damage
 In 2000, denial of service attacks shut down almost a dozen major web
sites for several hours.
 Author: 15 years old, mafiaboy
 Did not write the program itself, just downloaded it from internet
 Script kiddies
Phase III: The growth of the Web (cont.)
 Purposes and techniques of hacking have shifted as web and
stored data have grown.
 Emerging problem of credit card stealing
 New virus became popular
 Power to remotely control computers: new type of virus.
 Zombies: infected computers running malicious software,
whose owners are unaware of what their computer is
running.
 Now that computers are constantly online, hackers have many
more avenues for attack and many ways to plant spyware.
 They continue to execute pranks and revenge attacks:
 Modified programming of an online gambling site so that
everyone won.
The future
 Full of surprises
 Most of the current uses were unplanned and unexpected
 Two areas where hacking will increase:
 Things that think, appliances with computer chips which
now work online. The potential for havoc will increase as
hackers will be able to control devices, not just
information.
 Hacking by terrorists and government organizations is
likely to increase.
 Japanese defense agency said it was developing
viruses for military attacks
 The case of the Estonian government suffering a DoS
attack originating from Russian government.
 When is a cyber attack an act of war?
Is ‘harmless hacking’ harmless?

 The excitement and challenge of breaking in motivate
young hackers.
 When an administrator at an institution or organization
detects an intruder:
 he cannot distinguish a malicious hacker from a thief,
terrorist or spy.
 He should protect the system by stopping the hacker
and tracking it down.
 Companies might even interrupt internet service while
investigating and protecting against an intruder.
Is ‘harmless hacking’ harmless? (cont.)
 Uncertainty about the intruder's intent and activities has additional
costs for systems that contain sensitive data.
 For example, after a hacker accessed a Boeing Company computer just to
access another one, Boeing spent a large amount of money to make
sure the hacker had not touched anything on the computer.
 A group of young Danes broke into the weather systems of the U.S.,
Japan, Israel and Denmark.
 If they had changed weather service files, they could have
halted air traffic; in fact, their intervention slowed down the
service
 Serious conditions like tornadoes might have gone undetected
 Uncertainty causes harm, or expense, even if hackers do not have
malicious intents.
 A hacker with a good intention might do damage by mistake.
Hacktivism or Political hacking

 Use of hacking to promote a political cause
 What new problems does hacktivism raise?
 Is there ethical justification for such hacking?
 Should penalties for such hacking differ from
penalties for other hackers?
 Some academic writers: hacktivism is ethical, a
modern form of civil disobedience
 Others argue: political motive is irrelevant, or
that political hacking is a form of cyberterrorism
Hacktivism or Political hacking (cont.)
 A hacker posted anti-Israeli messages on the site of a
pro-Israel lobbying organization
 He also posted personal information about a few
hundred of the group's members, including their
credit card numbers.
 Three teenagers hacked into the network of an atomic
research center in India and downloaded files to
protest against India's tests of nuclear weapons.
 Hacktivists targeted the governments of Indonesia and
China for their antidemocratic policies
 Pro-Zapatista hackers hit Mexican government sites
 Someone posted a pro-drug message on a U.S. police
department antidrug Web site.
Hacktivism or Political hacking (cont.)
 Political hacking can be hard to identify
 Those who agree with the action will see it as activism, while
the other side will see it as ordinary crime.
 To some political activists, any act that shuts down or steals
from a large corporation is a political act. To the customers
and owners, it is vandalism and theft.
 Some writers argue:
 Hacktivism is a legitimate form of civil disobedience, which has
a respected nonviolent tradition.
 Henry Thoreau, Mahatma Gandhi and Martin Luther King
refused to cooperate with rules that violated their
freedom.
 To evaluate incidents of activism:
 Place them on a scale from peaceful resistance to destruction of
others’ property and actions that cause risk to innocent people.
Hacktivism or Political hacking (cont.)
 Freedom of speech does not include the right to hang a political
sign in a neighbor’s window
 We have the right to speak, but not to compel others to
listen
 Activists perform these actions because they believe that the
specific content or cause is more important than the
principle of freedom of speech.
 Another factor to consider: the political system where
hacktivists live
 In free countries, there is no need for hacktivism, because anyone
has the right to express his/her opinions
 Some countries have oppressive governments that control the
means of communication and prohibit open political
discussion.
 May be there are good arguments to justify political
The Law
 When teenagers started hacking, there was disagreement
not only about whether the activity was considered a crime
under existing law, but also whether it should be.
 Gradually, state governments passed laws that specifically
addressed computer crimes.
 Computer Fraud and Abuse Act (CFAA) in 1986
 Covers areas over which the federal government has
jurisdiction: government computers, financial
systems, medical systems, etc.
 Sections of the law address altering, damaging or
destroying information
 It covers DoS and launching of computer viruses
The Law (cont.)

 Prosecutors use more than a dozen other federal
laws to prosecute people for crimes related to
computer and telecommunication systems.
 A person might accidentally interrupt the
operation of a computer or cause a computer to
malfunction. These are considered crimes if done
intentionally.
 Other illegal actions include:
 Accessing a computer to commit fraud
 Disclosing passwords or other access codes
 Interrupting or impairing government
operation

The Law (cont.)

 USA Patriot Act includes amendments to CFAA
 It expanded the definition of loss to include the cost
of responding to a hacking attack, assessing damage
and restoring systems.
 Raised the penalty from 5 years to 10 years
 Increased penalties for hacking computers used by
the criminal justice system or military system.
 It allows the government to monitor online activity of
suspected hackers without a court order
 The definitions of malicious acts in the PATRIOT Act
are very broad and include acts few would
consider terrorism
Catching Hackers
 It took only one week to catch the author of Melissa virus
 How do hacker trackers do their job?
 Initially, the response of law enforcement agencies was ill-informed
and embarrassing
 overreacted in several cases
 The paranoia or hysteria about hackers came partly
from ignorance and the discovery that teenagers
could break into large companies' computers
 Law enforcement agencies now employ people who are
well informed about hacking and hacking culture
 Some of them, undercover, attend hacking
conferences
 Some set up ‘honey pots’ that look attractive to
hackers
Catching Hackers (cont.)
 Mafiaboy was identified as a suspect only by his handle
 Once they know the handle, they search for all messages by
the same handle till they find some relation to the real name.
 Two Russian hackers who demanded jobs as security consultants
after stealing thousands of credit card numbers found officers
waiting to arrest them when they arrived in the U.S. for a job interview.
 The activity of collecting evidence from computer files and disks
is called computer forensics.
 The same tools that threaten privacy aid in catching criminals.
 Investigators trace viruses and hacking attacks by using ISP
records, router logs, etc.
 The author of Melissa virus used someone else's AOL account,
but AOL’s logs contained enough info to link it back to the
author's telephone line.
Catching Hackers (cont.)

 Most people are unaware that word processors
(Word, for example) include lots of invisible information
in files, like unique numbers and author names.
 Many techniques worked because hackers did not know
about them
 They continuously learn what mistakes to
avoid.
 Investigators could not find the author of Code
Red worm in 2001
 Security professionals update their methods
and tools as hackers change theirs.
Penalties for young hackers
 Many young hackers are the modern analogue of other
generations of young people who performed clever pranks
 We want young hackers:
 to mature, to learn the risks of their actions and to use their
skills in better ways.
 to get good jobs, rather than having their careers destroyed by putting
them in jail
 Kids should be given good directions and irresponsibility
should not be rewarded, but overreaction and
overpunishment should be avoided too.
 Some young hackers might become the inventors of the
future.
 Steve Wozniak, before cofounding Apple, was building
blue boxes, devices that enabled people to make phone
calls without paying for them.
 Nobel Prize winner Richard Feynman used hacker
techniques to break safes containing classified work on
bombs.
Penalties for young hackers (cont.)
 Many young hackers' acts do not involve financial gain for the hacker
 Difficult penalty issues arise for hackers who are young, do not intend to do
damage, and hackers who through immaturity and ignorance do more damage than they
can pay for
 Sentences for hacking depend on:
 The person’s intent, age, and the damage done
 In many hacking cases, the hacker pleaded guilty.
 At first, most young hackers received light sentences (2-3 years of
probation, community service and a fine)
 The teens who launched the attack on the Pentagon received such sentences
 The 15-year-old who disabled an airport radio system got probation
 A 16-year-old who had broken into NASA was sentenced to 6 months in a
juvenile detention facility
 As young people caused more disruption, the severity of penalties
increased.
 The purpose of penalty: discourage people from committing crimes
Penalties for young hackers (cont.)
 People advocate heavy penalties for minor hacking to ‘send
signals’ to others who might be thinking of trying something similar
 There is potential to do this because of the costs to victims and the potential
risks to the public.
 On the other hand, justice requires that punishments fit the
specific crime and not be increased dramatically.
 Give a hacker a job instead of a jail sentence?
 Many officials are very critical of rewarding hackers with
security jobs.
 But sometimes, the responsibility that comes with the job
is enough to turn the hacker’s energy and skills toward
productive uses.
 With young people, flexibility is probably more important.
 We need a combination of appropriate penalties, education
about ethics and risks, and parental responsibility.
Security
 Security is the other side of hacking.
 A variety of factors contribute to security weaknesses
 From the history of internet and web
 From inherent complexity of computer systems
 From the speed at which new applications develop
 From economic and business factors and from human nature
 During first years, the internet was primarily a communication medium for researchers
 Open access, ease of use and sharing information were desirable qualities
 Security depended primarily on trust
 WWW developed as a communication tool for physics researchers; security was not
an issue.
 It is not surprising that security of computers at universities and businesses was
weak; it is astonishing how easy it was to invade government and military systems.
 In 1996, there were 500,000 hacker attacks on the Defense Department; 65% were successful
and only 1% were detected
 Security experts argued that most of the targeted computers did not contain
classified information. This fact is not reassuring.
 GAO reported that computer security at NASA in 1999 was weak
Security (cont.)

 In 2000, the GAO reported that:
 EPA computers were riddled with security
weaknesses
 Hackers had access to classified information,
were able to modify files, launch attacks on
other agencies from EPA computers and set up
their chat room in the EPA system.
 A British hacker extradited to the U.S. in 2007 was
accused of breaking into almost 100 military
and NASA systems (claiming that he was looking
for information related to UFOs).
Security (cont.)

 Attitudes about security in businesses, organizations and government
agencies were slow to catch up with the risks.
 Dramatically improved in 2000s
 Businesses increased their security budgets
 Computer scientists responded with improved security
technology
 Entrepreneurs set up security and consulting firms
Security (cont.)

 Firewalls
 Software or a separate computer that monitors incoming
traffic and filters out traffic from untrusted sites
 Intrusion detection systems monitor computer systems for
unauthorized or inappropriate activity
 Password Security Policies
 Digital Signatures, Biometrics and other tools for
identification
 Insurance companies offer insurance for hacker attacks
 Software companies hire hackers to find security flaws of
their system
Security (cont.)
 Still, hackers and security professionals regularly find
gaping holes
 Two people figured out how to send fake traffic and
weather information to navigation systems.
 Web browsers have many security weaknesses.
 As Google grew and offered services beyond searching,
hackers found vulnerabilities in its software.
 Wireless networks often lack sufficient protection.
 Software developers are constantly finding and patching
security flaws.
 Still many banks and large retailers lack sufficient
protection for the data and money in their care:
 TJX example: with an out-of-date protection system, over 18
months, hackers stole millions of debit and credit
card numbers.
Responsibility for Security
 Many parallels between security issues for preventing crime and
security issues for protecting privacy
 Principles and techniques for developing good systems exist, and
responsible software designers must learn and use them.
 When systems contain sensitive data, system administrators have
professional and ethical obligations to protect them
 We cannot expect perfection, but we should expect
professionalism.
 Most individual PC users have no technical training.
 They do not use firewalls and antivirus software because they do
not understand the risks or because they find security tools too
confusing.
 Phone users do not ask whether their phone calls are
encrypted or easily intercepted.
 Question: Aside from protecting ourselves, do we have an ethical
responsibility to take steps to prevent our computers from
harming others?
Criminalize virus writing and hacker tools?

 One can find hacking scripts and computer code for
thousands of computer viruses.
 Should the software itself be illegal?
 Some law enforcement personnel and security
professionals propose making it a crime to write or post
computer viruses and other hacking software.
 Security work and research could be made more
difficult
Identity Theft and Credit Card Fraud (cont.)
Stealing Identities (cont.):
 Techniques used to steal personal and financial
information
 Phishing - e-mail fishing for personal and
financial information disguised as legitimate
business e-mail
 Pharming - false Web sites that fish for
personal and financial information by planting
false URLs in Domain Name Servers
 Online resumes and job hunting sites may
reveal SSNs, work history, birth dates and
other information that can be used in identity
theft
Identity Theft and Credit Card Fraud (cont.)
Stealing Identities (cont.):
 Techniques used to protect personal and financial
information
 Activation for new credit cards
 Retailers do not print the full card number and
expiration date on receipts
 Software detects unusual spending activities and
will prompt retailers to ask for identifying
information
 Services, like PayPal, act as third party allowing a
customer to make a purchase without revealing
their credit card information to a stranger
Identity Theft and Credit Card Fraud (cont.)
Responses to Identity Theft:
 Authentication of e-mail and Web sites
 Use of encryption to securely store data, so it is
useless if stolen
 Authenticating customers to prevent use of stolen
numbers, may trade convenience for security
 In the event information is stolen, a fraud alert
can flag your credit report; some businesses will
cover the cost of a credit report if your
information has been stolen
Identity Theft and Credit Card Fraud (cont.)
Biometrics:
 Biological characteristics unique to an individual
 No external item (card, keys, etc.) to be stolen
 Used in areas where security needs to be high,
such as identifying airport personnel
 Biometrics can be fooled, but more difficult to do
so, especially as more sophisticated systems are
developed
Identity Theft and Credit Card Fraud

Discussion Questions

 What steps can you take to protect yourself from
identity theft and credit card fraud?
 How can you distinguish between an e-mail that is a
phishing attempt and an e-mail from a legitimate
business?
