H6301 The Information Society

The Internet has made its name to be the ‘next-big-thing’ in the media. Its pervasiveness catches the attention of academic, business and political organizations who are all trying to reap the most benefits out of it, but there is also a dark side – the ‘bad-guys’ have seen its potential for criminal activities never before thought possible. What crimes are committed through the Internet? Are the victims aware of that and do they report the cases? How capable are the police forces in combating that? Are the current laws and legislation sufficient? How to protect ourselves from being the next victim?

This report starts with examples of crimes committed using the Internet, focusing on damage and motives. A technical aspect will be examined to understand why they are possible. Actions taken by the police force in combating Internet crimes are reviewed. Current laws and legislation on computer crimes are inspected and the effectiveness in punishment and prevention are discussed. Then, major international organizations and international meetings conducted to improve worldwide cooperation in combating these high-tech crimes are highlighted. Comments will be made referencing the global actions required and what we can do to protect ourselves.

"Roughly" $2 billion worth of software was stolen over the Internet last year, a growing portion of the total $7.4 billion the Software Publishers Association reckons was lost to piracy " "The Association has identified 1,600 bulletin boards carrying bootleg software."(Web Police, 1998) - this is just a tip of the iceberg of the enormous crimes committed using the Internet. In fact, the notion `Internet crime' might be interpreted in a number of ways. One is to limit it to new forms of crime that can be performed on the Internet. Another is to apply it not only to new forms of crime, but also to variants of existing crimes that are adapted into the Internet context. Finally, it might be used to encompass any criminal activity that involves use of the Internet.

In a recent interview, an Interpol specialist on networked computer crimes was quoted as saying that Interpol divides digital crime into three areas (Clarke, 1997):

• computer crime, which includes piracy, data-theft and time-theft (computer break-ins);
• computer-related crime, which is mainly bank fraud -- "what was a crime earlier with paper, but is now done with a computer,"; and
• "network crime": the use of the Internet for transactions that are already illegal -- child pornography -- or aid illegal activity -- often involving the drug trade, customs evasion and money laundering.

A remarkably wide range of criminal acts are capable of being performed using the Internet. Examples include conspiracy, harassment, incitement, extortion, fraud, forgery and falsification, tax evasion, `computer crimes' (e.g. harm to data) and particular forms of assault. The borderless nature of the Internet is one of the characteristics that make it so susceptible to crime. The following paragraphs elaborate on a few examples.

Credit card fraud tops the list of 7 main concerns of US consumers with daily access to a PC, a study of cyberspace shopping conducted by MasterCard, National Retail Federation, and Global Concepts found. The study shows that while credit card fraud is a concern to Internet shoppers, such fears are much more prevalent among nonbuyers (Martin, 1996). One of the aspects of Internet fraud that sets it apart from other types of fraud is that the bad guys are for the most part invisible. The cases have involved on-line marketing for phony schemes, including bogus income opportunities, credit-repair services (five of the 10 cases the FTC prosecuted in March), and a computer-equipment supply scam. The motives are to acquire financial gains - it is easy for someone to pick up transaction data en route over the Internet and anyone can put up a handsome web site making it difficult to distinguish fraudulent promoters from legitimate ones. The Internet also makes it possible to send e-mails to thousands of people at once at relatively low cost. Moreover, it is easy to post information in newsgroups or to lurk in chat rooms, offering phony stock tips or money-making opportunities (Grant, 1998).

These can be military, intelligence or business attacks. The criminals are often called "hackers", a term coined in the late 70s to describe the activities of "Captain Crunch" in making free long distance telephone calls in the USA (Mulhall, 1997). One of the infamous computers hacker is Kevin Mitnick, who is accused of stealing millions of dollars worth of computer software during a 2.5 year hacking spree. High-tech agents, including representatives from the Department of Justice and NASA, caught up with Mitnick in September 1995. Mitnick is charged with 14 courts of wire fraud and systematic theft of software from Motorola, Novell, NEC, Nokia Mobile Phones and Fujitsu. He is being charged with damaging computer equipment at USA and attacking computer systems that belong to Internet service providers (Bee, 1996, paragraph 2). Friends and relatives of Mitnick have defended his hacking, saying he did it for the intellectual challenge and to pull pranks -- but never for profit.

Back in mid-1994, Vladimir Levin, a 26-year-old computer scientist in St Petersburg, is supposed to have led a gang that hacked into Citibank in New Jersey, and organised more than 40 wire transfers from customer accounts. Russia's Mafia is said to have been involved.

According to Brian Gorcyk, special agent for the FBI Computer Crimes Division in New York, most victims are unaware that their computers have been violated. He cited a Department of Defense study in which 9,000 computers within the department's network were attacked intentionally. The test participants were successful in entering 87% of the time, but fewer than 5% of the victims were aware that their systems had been violated. According to Gorcyk, recent cases have involved interception of electronic mail, vandalism of Web sites, and electronic mail bombs. One of the major problems with hacker attacks is that break-ins are often not considered to be a crime, even though cyberfraud losses cost organizations millions of dollars a year (Deering, 1996).

Such attacks have raised the concerns about the integrity of modern IT-based infrastructure systems that go beyond traditional threats, because even limited failures in extensive and interconnected systems can cause widespread disruption and damage. In addition to hostile nation-states, international and domestic terrorism and organized crime have the demonstrated potential to undermine societies.

Recently, Belgium's high-tech police are closing in on a child-pornography ring that used the Internet to lure teenagers and distribute kiddie porn for profit. When police searched the computer of suspected porn distributor Michel Nihoul, they discovered a cache of Usenet logs, recorded chat sessions and E-mail addresses - all clues pointing toward a crime ring operating on the 'Net(Ellen, 1997).

About 100 people in 12 countries were arrested this September in what police said was the biggest-ever worldwide swoop on pedophiles operating on the Internet (Reuters, 1998). British police coordinated the raids, code-named "Operation Cathedral," in Europe, Australia, and the United States. They recovered more than 100,000 indecent images of children as young as two from one U.S.-based pedophile club known as "Wonderland." "The content would absolutely turn the stomach of any right-minded person. It is disgusting stuff," said Detective Superintendent John Stewardson, who led the operation from Britain. Charges have not yet been filed and will differ from country to country according to their different judicial systems. But charges could range from possession of pornographic material to the more serious offense of sexual abuse of children.

Is the Internet really unsafe? Do the ‘bad-guys’ really get in the victims’ computer networks so easily? This is particularly true of systems that rely on connectionless communications protocols (like TCP/IP) in which it is possible to enter the system without confirming a verifiable end-to-end link. The scale of this problem may be enormous--as demonstrated by the 1988 Internet worm which created major damage to a global "network of networks"--and numerous "cracking" tools have been developed to test out system weaknesses by simulating an attack. The Computer Emergency Response Team (CERT) at Carnegie Mellon University, responsible for Internet security since 1988, handled 2,241 computer security incidents affecting over 40,000 sites during 1994 and observed in its end-of-year report that "over the past four years, the incident rate has increased by 489%. As the incident rate has grown, so has the sophistication of intruders." While we cannot usefully compare security statistics within centralized mainframe and distributed environments, it is clear that networked systems have become the major entry point for logical attacks (Herman, 1995).

In the case of Kevin Mitnick’s break-in, a technique called IP snoofing is applied to manipulate the handshake sequence numbers to impersonate another computer, which is possible because the handshake procedures, created in an era when nobody worried much about Internet security, hand been designed merely to clarify who was who on the Internet, not verify(Shimomura, 1996). Other common techniques like password sniffing, scanning and data diddling are applied to steal passwords and modify data, making an opening wedge into a bank computer – and eventually into some accounts from which funds can be transferred (Icove, 1996).

The Federal Bureau of Investigation (FBI) of US has a good track record in keeping pace with the sheer number of crimes, it has made some big collars, including the following (DiDio, 1998):

• The arrest of infamous telecommunications hacker Kevin David Mitnick in 1995.

• The 1996 arrest of 88 people - 78 of whom were convicted - in the FBI's Operation "Innocent Images" bust for trading child pornography over the Internet.

• The 1997 Cyber Strike" investigation run by the NCCS (Nantional Computer Crime Squad)'s San Francisco unit, which concentrated on criminals who improperly use copyrighted information and commercial software. The investigation also uncovered stolen credit-card and calling-card numbers and the theft of telephone services.

• Traditional crimes such as investment fraud and gambling also are thriving on the Internet, according to Charles L. Owens, chief of the FBI's financial crimes section. Last spring, Owens testified before the Senate Judiciary Committee's Subcommittee on Technology, Terrorism and Governmental Information about a case that the NCCS tracked in which investors were offered an annual return of 200% to 420% on "prime bank instruments," a nonexistent securities instrument. "Losses from that scheme are believed to have totaled $3.5 million," Owens said. On the gambling front, the FBI's Northeast field office conducted raids on two suspected Internet gambling operations; the 1996 proceeds were estimated at $56 million.

Catching the criminals is never the end of stories – laws are required to lead to appropriate punishment on the criminals and deter others from repeating the offences.

In the US, a number of federal laws protect against attacks on computers, misuse of passwords, electronic invasions of privacy, and other transgressions.

• The Computer Fraud and Abuse Act of 1986 (it has been amended several times) is the main piece of legislation that governs most common computer crimes (Icove, 1995). While it makes it illegal to access financial records such as credit reports in a computer without authority, it does not offer the same protection to computers holding non-financial data.

• The Copyright Act proscribes unauthorized copying of software and other protected property for financial gain. But MIT student David LaMacchia recently escaped conviction on charges that he ran an electronic bulletin board that others used to steal software because it could not be shown that he gained financially from the activity.

• The Internet Gambling Prohibition Act of 1997 prohibits Internet gambling and cyber-casinos.

• Protecting Children From Internet Predators Act of 1997 to penalize the use of computer network or services to target children under age 16 for sexually explicit messages or contracts.

• The Interstate Transportation of Stolen Property Act covers only physical goods. There was a case where source code was stolen, taken across state lines, and the court said that's not covered because it's intangible property (Anthes, 1995).

• In order to strength protections against the theft or misuse of proprietary business information and punish those who intrude into, damage or steal from computer networks, the President recently signed the Economic Espionage Act of 1996 which aims to eliminate gaps in the criminal laws covering attacks against computers and the information they contain(Bee, 1996, paragraph 2).

In the UK, hackers on telex networks will generally have committed a crime under the Computer Misuse Act 1990. Such offences are charged as unauthorized access to computer material, unauthorized access with intent to commit further crimes such as fraud and blackmail, and unauthorized modification of computer material. But now with the extensive use of the Internet, an international system, it proves that prevention is better than cure. A company that has been the victim of an overseas fraudster on the Internet may find it difficult to obtain a remedy or a prosecution. Lawyers now have the problem of deciding where a crime has been committed. A fraudster with a laptop computer in France could call up his or her Internet provider in Germany to defraud a business with a computer in Canada (Walker, 1998).

During the Persian Gulf War, Dutch hackers who attacked Pentagon computers were beyond the reach of U.S. justice because the Netherlands did not recognize their activities as crimes. And in 1995, an Argentine hacker who broke into sensitive U.S. systems avoided punishment because his country had insufficient computer crime legislation. The pursuit of infrastructure assurance through liability allocation faces similar obstacles. Liability rules vary between and within countries. Furthermore, a court may not be able to obtain civil jurisdiction over the entity that an injured party may wish to hold liable, particularly as extradition does not apply to civil matters (Lukasik, 1998). All these shows there are loopholes one way or the other in the current legislation that makes ‘leeway’ for hackers on the Internet.

International cooperation is required to combat the crimes on the Internet. A number of organizations are formed for this purpose. The following are some examples.

There are a number of international conferences conducted in quest of crime fighting and crime prevention worldwide.

In December 1997, Government officials from a variety of countries met in Washington to discuss how to combat Internet-based crime hosted by the Department of Justices of the US. The group is focus on improving international cooperation and making bilateral law enforcement agreements more Internet-specific (Thibodeau, 1997).

"As the Internet becomes a more broad-based communications device, we are going to see it abused like the telephone is abused. People are offering products for sale that they don't have, for example." said Scott Charney, chief of the Computer Crime Unit in the Criminal Division of the U.S. Department of Justice in Washington, projected the major trends in computer crime.

There is no time to wait for Internet crime fighting. For instance, Britan’s police forces are lagging behind the rest of the world in combating computer crime, according to one of the country's most experienced computer investigators - who has just returned to walking the beat.

Whereas in America there are specialist units in every state and a similar system is being put in place in Australia. There's nothing nearly as comprehensive in Britain. Countries worldwide has to help each other to keep abreast of the latest developments with Internet-related applications and extend their cooperation in investigation on hackers. Stronger encryption technology should be applied to all communications between computers. As prevention do not make digital crimes totally impossible, Internet service providers and corporate network management should take measures to detect and handle them. Current laws and legislation should be reviewed timely to keep pace with advances in technology. Moreover, bilateral agreements between countries should be made to facilitate prosecution of Internet crime conducted overseas.

With so many threats online, the Information Superhighway may seem unsafe. You can protect yourself by constantly keeping your guard up. It's a never-ending process.

Web Police. (1998). Latest Web Crimes Statistics.

Clarke, Roger. (1997). Technological Aspects of Internet Crime Prevention. Australian Institute for Criminology's Conference on 'Internet Crime'. (16-17 February 1998). Melbourne University.

Martin, Frances. (1996). Are Internet Fraud fears overblown? Credit Card Management. (May 1996).

Mulhall, Tom. (1997). Where Have All The Hackers Gone? A Study in Motivation, Deterrence, and Crime Displacement. Computer & Security. (Vol 16, pp. 277-284). Elsevier Science Ltd..

Bee, Adrianne. (1996). Hackers can’t hide. Computer Fraud & Security. December 1996. (p. 5). Elsevier Science Ltd..

Messmer, Ellen. (1997). Belgian police turn to the 'Net to hunt down suspected crooks. Network World. (May 19, 1997). Framingham.

Reuters (1998). Crackdown on Net child porn. Special to CNET News.com. (September 2, 1998, 3:20 p.m. PT.).

Deering, Ann. (1996). Protecting against cyberfraud. Risk Management. (December 1996). New York.

Herman, Gary. (1995). Operating Systems Security for Midrange and Large Computers: Overview.

[CD-ROM] General Report. (2 October 1995). Datapro Information Services.

Shimomura, Tsutomu and Markoff, John. (1996). Take-down. (p. 91). London: Martin Secker & Warburg Limited.

Icove, David, Seger, Karl, VonStorch, William. (1995). Computer Crime: A Crimefighter’s Handbook. (pp. 16, 48-52). Sebastopol, CA: O’Reilly & Associates, Inc..

Radcliff, Deborah. (1998). Police officers trek to a California agency to keep pace with computer criminals. In Depth. (September 7, 1998). Computerworld. Framingham.

Didio, Laura. (1998). Special FBI unit targets online fraud, gambling. (April 27, 1998). Computerworld. Framingham.

Taiwan Fights Internet Crime. Infowar.com (September 28, 1997). [Online].

Walker, Peter. (1998). Is the Internet safe? Credit Management. (Jun 1998). Stamford.

Lukasik, S.J., Greenberg, L.T., Goodman, S.E.. (1998). Protecting an invaluable and ever-widening infrastructure. Association for Computing Machinery. (Jun 1998). Communications of the ACM. New York.