Monday, December 11, 2006

Experts Say Cybercrime Will Become More Sophisticated

London, England (AHN) - A new report from computer security company McAfee suggests that organized "cybercrime" gangs are recruiting IT students to join their illegal operations - and are even helping finance the would-be hackers.

The report, titled "Organized Crime and the Internet," also predicts that cybercrime will become more sophisticated in the coming years, as people become more and more aware of traditional e-mail and so-called "phishing" scams.

Dave Rand, of Internet security firm Trend Micro, tells Reuters, "The attacks are becoming more sophisticated." Rand predicts hackers will be scouring social networking sites such as MySpace to gather specific information to commit more focused attacks on people's computers.

After McAfee released the new report on Friday, McAfee security analyst Greg Day said, "A growing number of IT students are being recruited by organized criminals. They see students struggling, and offer them what seems a good career path."

"Places like India and Russia produce a lot of IT students. These places where there are poorer economies lend themselves to this kind of career. Organized criminals are sponsoring the IT education of some students," he said.

Julie Farby - All Headline News Staff Writer

Phishers target bank security upgrades: RSA

There was a spike in phishing activity last month, with fraudsters targeting an increasing number of brands and using more sophisticated tools to try and fool online banking customers, according to the RSA Online Fraud Intelligence Report for November.

According to RSA, which recently became the security division of storage firm EMC, an increasing number of financial institutions have been upgrading their online banking systems in order to comply with US regulations. Phishers have been using the upgrade activity to try and exploit users.

Just over a year ago, five US banking regulators -- under the FFIEC umbrella -- advised financial institutions to "deploy security measures to reliably authenticate their online banking customers". The global nature of the banking industry means that any such regulations in the US are at least partly relevant for financial institutions based in Australia.

RSA claims that some of the most advanced phishing attacks during November tried to exploit banking customers before or during the implementation of these new systems.

"With the enhanced level of protective measures taking hold across the financial industry, fraudsters are stepping up the level of phishing activity prior to the deployment of additional layers of defence.

"And they are doing so by mimicking the very efforts that financial institutions are implementing to better protect their customers. The latest scam involves a phishing e-mail requesting customers to … upgrade to the bank's new security enhancement," said the RSA report.

Citibank Australia was criticised last month for possibly contradicting its own security guidelines by sending an e-mail that asked customers to update their log-in details due to an upgrade to the bank's online security system.

Security experts and even Citibank's own staff had trouble confirming if the offending e-mail was genuine or a phishing attack.

By Munir Kotadia, ZDNet Australia

Don't open that Word file; it may be carrying a Trojan!

A new vulnerability has been identified in Microsoft Word. According to security analysts at MicroWorld Technologies, exploits for the vulnerability are already out and can successfully push Trojan downloaders onto users' computers.


Microsoft says that it is investigating the vulnerability that exists in Microsoft Word 2000, 2002 and 2003, Word Viewer 2003, Word 2004 for Mac, and Word v. X for Mac, as well as Microsoft Works 2004, 2005, and 2006.

According to MicroWorld, a specially crafted Word file carrying a Trojan dropper named 'MSWord.Agent' can push Trojan downloaders onto victims' computers. The Trojans deposited in this way can connect to predefined Web sites and bring dangerous malware such as backdoors and rootkits onto a victim's computer.

"One stream of malware writers are quite enthusiastic about exploring application software vulnerabilities, as they think that it is a lot easier and rewarding than getting into the OS level intricacies," comments Sulabh Mahant, of MicroWorld Technologies.

In the last year, MicroWorld Technologies says that it has detected many vulnerability exploits aimed at MS Word files. While 'Win32.Mdropper' and 'MSWord.1Table.bd' were Trojan droppers that transported backdoors into targeted computers, a recently detected macro virus was primarily acting as a vehicle for password-stealing Trojans.

By ICTWorld, 12 December 2006

Friday, December 8, 2006

Computer crime: cyber fraud

Like so many other aspects of our lives, major fraud has gone high tech. In fact, fuelled by excited media comment, computer crime and fraud are regarded as synonymous by many. But it’s important to remember that it’s not the computers that commit crimes - it’s the people that use them, and the cost of their crimes to business is immense.

To address the problem, then, it is essential to look at the human factors involved. The first challenge with combating fraud is calculating the size of the problem. We know that it’s a serious issue for businesses around the world, but it is almost impossible to state exactly how big it actually is. After all, some frauds can remain undiscovered for lengthy periods, or are never reported at all. And, understandably, many companies that have been victims of fraud are reluctant to publicise the fact.

But we do have some close approximations available. The authoritative CSO Magazine eCrime Watch Survey estimated that the cost to US organisations alone was $666 million in 2003. Based on these figures, it’s probably safe to say that a total bill of one trillion dollars a year is a conservative estimate.

It’s also said that the average American company loses six per cent of its revenue to crime, fraud and theft - most of it by electronic means. In the UK, and elsewhere, the figure currently stands at around three per cent.

Although many attacks come from outside the organisation, some are ‘insider jobs’ - carried out by people who have access to systems within the company’s defences, as the Sumitomo Mitsui Bank in the City of London found out in 2005. Fraudsters attempted to steal approximately £220 million from the bank by entering the building as cleaning staff and connecting hardware bugs to the keyboard sockets of the bank’s computers. The bugs captured keystrokes to reveal account details and other information.

The human factor

We are used to the idea that technology should be deployed to beat IT-enabled crime. World class firewalls, for example, can help fortify an organisation - rather like thick castle walls that prevent the bad guys from getting in. Inside those walls, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can monitor applications and services and raise the alarm when access is attempted by an unauthorised stranger, or when unusual behaviour is discovered.

But if we use technology to counter IT problems, we also need to use people to counter human crimes. If employees are vigilant, and if they understand what is expected of them, then security will be enhanced. Organisations need to establish a culture in which their people are all jointly responsible for defending the company against attack. That requires everyone to know how to behave responsibly, be alert to potential problems, and understand the best course of action when confronted by a malicious attack.

Set the scene

So how can this kind of culture be established?

The first step is to make it clear why security measures are needed: if this is not widely understood, then employees are far more likely to see precautions as an unnecessary nuisance than a business-critical activity.

The message that effective security is a business enabler and a useful sales tool – something that inspires customer confidence and can help close important deals – needs to be communicated. Unfortunately far too many people are still only aware of what they have to do and not why they have to do it.

It’s also important for people to be aware of the potential cost of security breaches and fraudulent activity that results. Take the UK as an example. The annual cost to industry is around £32 billion with a further £8 billion being spent on fraud prevention. That £40 billion total is equivalent to more than half the annual cost of the country’s National Health Service.

With sums like this involved, fraud prevention and security is clearly a board-level issue and not just something for the IT department to sort out. And that means that top managers need to be visibly engaged in the fight against e-crime.

Train everyone

It’s true that technology can go wrong on its own, but a crime can only be committed if a human being plays an active part. Therefore organisations need to make everyone aware of the consequences of any behaviour that breaches the rules, whether from outside the company or from within it.

For large multi-nationals that incorporate numerous languages and cultures, this is no mean task. Nor is the problem merely one of linguistics and getting lost in translation. It’s likely that most employees won’t speak the language of the security team so the message needs to be free of jargon and tech-speak to make it as effective as possible.

In addition, senior executives need to have a clear view of how far their personal liability extends, particularly with a stricter regulatory regime and greater awareness of the need for exemplary corporate governance. It’s still not unknown for members of the board to regard security as a negative cost centre. They need to be persuaded that it can enhance RoI from all IT investments and boost the bottom line of the business.

Middle managers, particularly those in sales and marketing, also need to understand how an effective security policy helps close deals thanks to greater customer confidence.

The general workforce should also be made aware of risk and encouraged to lock both the company’s electronic and physical doors. There are the obvious measures like checking the alarm is set when they leave the building, and ensuring people don’t leave their passwords lying about. But, in our increasingly mobile age, it also includes protecting laptops, smartphones and PDAs – indeed any device which connects to the network and which is all too easily left behind.

As about 80 per cent of all e-crime is caused by people making a mistake, organisations need to develop programmes aimed at prevention, education and raising awareness. This might involve obligatory Computer-Based Training (CBT) packages to be taken at regular intervals; company-wide security clinics; or even global road-shows to ensure awareness is maintained. Organisations may also wish to consider a 24/7 helpdesk to provide support and advice, and to capture details of any incidents that occur.

It’s also vital that a company’s business processes are designed to reinforce its security policies. The City of London Police believe that only a quarter of crime is reported. However, organisations can implement policies that force their people to inform the necessary officials if they spot, or are the victim of, an offence. So, if a car is damaged or a laptop stolen, it cannot be replaced or repaired without a Crime Reference Number that will trigger an appropriate system.

There are also a number of formal bodies that organisations can work with to minimise the amount and the impact of fraud, including accredited Computer Emergency Response Teams who can help trace anyone illegally trying to access systems, as well as the UK’s High-Tech Crime Unit and its international counterparts. This improves the likelihood of tracking down and successfully prosecuting criminals. Equally importantly, it sends a clear message to the hacking community that they will be relentlessly pursued and their equipment confiscated should they attempt to ‘break in’ to that particular organisation’s systems.


However, helping the police with their inquiries really should be the last resort. With the correct 'human factors' in place, such extreme measures should not be necessary.

Source: net-security.org

Technologies of political marketing in operations of information-psychological war

Today, observing the rapid evolution of the election technologies that allow political forces to bring their candidate to power, we become more and more convinced that the electoral success of many well-known office holders is achieved thanks to a successfully constructed image of the politician, one that combines a will to win, confidence in his own strength, a pragmatic political programme, toughness toward rivals and "touching" attention to the problems and cares of ordinary voters. The modern politician cannot manage without an army of his own political technologists, image-makers, promoters and specialists in PR and political advertising, who promote his image as a trademark using every opportunity offered by modern mass media and communications. In fact, at a certain moment in the election campaign the candidate loses his individual features and becomes a political brand that is presented to the consumer, i.e. society, at the elections.

The well-known political technologist Jacques Seguela, who supervised the election campaign of Jacques Chirac (1995), formulated this idea as early as 1979 in these words: "A politician unlike a writer is a consumption product" [1]. In this respect it is impossible to disagree with T.Ju. Lebedeva that today the age-old aspiration of leaders to gain power and to keep it has become more commercial, drawing on the whole media arsenal now available [2].

In modern election technologies the politician's brand acquires the properties of goods that have to be sold competently to voters. In this process the commercial value of such a brand is defined by the number of votes collected in support of the given candidate. Today the political technologies for promoting the candidate's image and selling it to voters are united under the capacious concept of political marketing, which, however, has one feature specific to it alone: political marketing, unlike commercial marketing, deals with a special kind of goods, namely the candidate brand, which has its own consumer (the electorate), its own market (elections) and its own commercial cost.

Today both the sphere of politics and the sphere of business operate under the laws of marketing. In modern politics, marketing is developing toward the creation of a complete image of the leader, including its "packaging", the design of the brand, and the choice of the core campaign topics and their tone [3]. Unlike in election technologies, in operations of information-psychological war [4-6] the product of commercial consumption is not the image of an individual leader but the image of a concrete political event, a sequence of such events, a military campaign or the foreign policy direction of the aggressor state as a whole. In this case, against the background of a successful armed campaign, a trademark is formed that presents the armed intrusion in a certain light: for example, as a "peace-making operation" intended to free the suffering people of the attacked country from a bloody dictatorship, and the whole world community from a threat such as international terrorism (2003, war in Iraq). The consumer of such a commercial product, an image of the military conflict presented on the market under its own trademark, remains society, whose opinion reflects the success of this product on sale better than any other indicator.

An example of the application of political marketing technologies is the successful image of the "emancipating" war in Iraq (2003 to the present) [7], when over several months millions of viewers all around the globe followed, spellbound, the multi-part reports of the operations, which surpassed even well-known "soap operas" in popularity.

In this case a certain image of the war was formed in the consciousness of observers thanks to competent management of information streams, the dosing of information from the battlefield and the schematic representation of real events in the mass media, which gradually turned a tragedy of at least one nation into a simplified image, a brand of "the struggle against international terrorism and dictatorship". The further promotion and consumption of this product by external and internal audiences followed the laws of commercial marketing, in the same way as for any other goods. Today there is no doubt that the trademark of the military conflict in Iraq, created by the American experts on psychological war, made it possible to introduce quickly and effectively into the consciousness of the population the ideology of the preventive use of armed force in the interests of the narrow group of political elites now governing the USA. And the price that has been paid (and continues to be paid) by the citizens who have accepted this ideology (i.e. the consumers of the commercial product, namely an image of the military conflict promoted on the market by means of its own trademark) consists of the losses that the armies of the USA suffer in Iraq and Afghanistan, a growing threat from the countries which believe, not without grounds, that they will be the next objects of aggression, and the destruction of the system of political checks and balances, formed over decades, that provides international stability. Another vivid example of the creation and promotion of a political conflict "brand" is the psychological campaign of the USA concerning Iran. The technology for promoting a country's foreign policy is built under the same laws of political marketing, i.e. through the creation of a trademark that gives foreign policy the features of a commercial product ready for consumption. The commercial cost of such a mark is expressed in quantitative indicators of support for the foreign policy by citizens inside the country and allies outside it; in winning over to one's own side those who are hesitant or neutral; and in the inactivity, confusion and passivity of political contenders and opponents.

References.
1. Seguela J. Ne dites pas a ma mere que je suis dans la publicite. P. Flammarion 1979. p. 175.
2. Lebedeva T. Ju. The way to authority. France: president elections/Editor Ja.N. Zasursky. – M.: Moscow University Press, 1995. – p.10.
3. Lebedeva T. Ju. The way to authority. France: president elections ….. – p.16.
4. Manoïlo A. V., Gestion de la guerre psychologique dans le cadre de la politique informationnelle de l’Etat. – P.: Politique et société, No. 2, 2004.
5. Manoilo A.V., Petrenko A.I., Frolov D.B., 2003: State information politics under the conditions of information – psychological war. – M.: Hot line – Telecom, 541 p.: fig.
6. Veprintsev V.B., Manoilo A.V., Petrenko A.I., Frolov D.B., 2005: Operations of information-psychological war. Methods, means, technologies: Short encyclopedic handbook. - M.: Hot line - Telecom - 495 p.: fig.
7. RIA Iran News, Information-psychological war: factors, determining format of the modern armed conflict (Andrey Manoilo, 22.07.05 11:33), http://www.iran.ru/rus/news_iran.php?act=news_by_id&news_id=31796
8. Manoilo A.V., Information-psychological war: factors, determining format of the modern armed conflict. – Kiev: Proceedings of the V International scientific-practical conference “Information technologies and security”, No. 8, 2005, p. 73-80.

By: Andrei Manoilo

Credit card scam

Cyber crime, computer hacking, identity theft -- it all comes down to someone trying to get between you and as much of your money as possible.

But instead of a gun these thieves generally use a keyboard, and often, an Internet connection.

Sarasota attorney John Patterson recently brought a high-powered panel of experts on computer crime to a meeting of the Tiger Bay Club, a panel that had worried-looking Tiger Bay members muttering about firewalls and password managers as they later left the room.

Patterson quickly got the audience's attention by pointing out that somewhere between $50 billion and $200 billion a year is lost to Internet-related thieves of one kind or another. Much of the information stolen -- and later used to steal your money -- is remarkably easy to obtain.

For example, Andrew Adkins of the University of Florida Law Center pointed out that our credit card numbers and passwords are usually stored on the cell phones we casually toss onto the table in a restaurant or bar.

Worse, said Adkins, who's also director of the Legal Technology Institute at the UF Law Center, those credit card numbers, your name, address and even driver license number are usually embedded on every one of those key cards you're given to open the door to your room when you check into a hotel.

And it doesn't take a lot of expertise to set up a card reader to decode those cards. In other words, the cards should be treated like your money -- because they're certainly a gateway to it.

Right here in Sarasota, panel member John Jorgensen is president of Sylint, a company specializing in cyber security. Jorgensen related that he recently drove around the community with a laptop computer and found 67 wireless computer networks operating so openly he could detect them just driving by -- and 45 of them had no security protection at all.

Not only that, Jorgensen explained, but many small companies that have their computer systems breached and data stolen are reluctant to report that fact because they don't want the news to get out to their customers.

Simply put, Adkins said, "If you don't want to see your private information made public, don't send it on the Internet."

Only about 7 percent of the cyber crime in Florida is actually reported, according to Patterson. This despite the fact Florida has some tough laws with minimum mandatory sentences for cyber crime.

"The question is," he asked, "is reporting cyber crime effective?"

Russell Hayes, a special agent of the Federal Bureau of Investigation's Tampa division, told the Tiger Bay Club there are limitations on the effectiveness of reporting. For example, Hayes pointed out the U.S. Attorney's Office normally only prosecutes cases involving more than $50,000. There have been cases where that figure was as low as $15,000, he added, but only if "very sensitive data" were involved.

That brought a response from panel member Chris Golembe, vice president and a manager of corporate fraud investigation for Wachovia Corporation. Golembe related that Wachovia, a $500 billion company, sees $15 million to $20 million a year tied up in cyber crime.

Golembe admitted his staff investigates cases and "wraps them up with a ribbon," before shopping them around for prosecution.

"Maybe we take them to the FBI, the IRS, Secret Service, the post office or local law enforcement," he explained, in hopes of getting them prosecuted.

"The biggest mistake is waiting until it's too late," Jorgensen opined. "Much of the time companies don't know who is trying to invade their data or how."

He said in some cases his company "sets up a honey pot," in an attempt to attract the criminal back for another try -- "and then we can make life miserable for that perpetrator."

Many of the panel members provided tips on how individuals or small businesses can make themselves less vulnerable to cyber crime.

"If something shows up in your in-box and you're not expecting it -- just delete it," Hayes of the FBI suggested.

"Technology is years ahead of the law -- maybe seven to 10 years ahead," Adkins said.

"Nobody can look out for you like you," he added, especially warning about "phishing."

That's where computer users are asked for their passwords and credit card numbers by what appear to be authentic messages from their banks or credit card companies. Except the messages aren't authentic at all.

For example, Adkins showed a phishing message on IRS letterhead that asked for the receiver's pin number.

"Ask yourself," Adkins pointed out, "why would the IRS want your pin number?"

"So the best defense is self defense," Patterson concluded.

Admitting he's not what he calls "a cyber person," Patterson became interested in information management after being appointed to the Trial Court Technology Committee by the Florida Supreme Court and the Technology Task Force of the Florida Bar.

Detective Jack Carter of the Sarasota Police Department said later that nearly 10 percent of the country's population was involved in some degree of identity theft over the past five years. He suggested the best test of whether that group includes you is to monitor your credit reports.

"Get a credit report and use it as a base and then check them at least annually," he suggested. "After all, a good identity thief can make $5,000 a day in cash and at least that much in merchandise."

He added that it takes the average victim about 175 hours of effort and $1,200 "to get their good name back."

By: Bob Arden

Beware of phishing, useful hints

Someone claiming to be the Internal Revenue Service e-mailed Lynn VanVerth about her $63.80 tax refund - all they needed was a credit card number to secure the transaction.

The genuine IRS, which is actively investigating several similar attempts at fraud, is warning people to be on the lookout for Internet scam artists pretending to represent the federal government.

Though the notification had every semblance of appearing legitimate - including copyright information at the bottom of the linked Web page - Mrs. VanVerth, an accountant for her husband's Computer Troubleshooters franchise in Arnold, wasn't fooled by the latest incarnation of the Internet phishing scam. Phishers, who take their name from hackers' tendency to replace f with ph when typing and not the band, are Internet scam artists looking to trick the unsuspecting into revealing personal information such as Social Security and credit card numbers.

"I know it's fake," Mrs. VanVerth said. "The IRS would never do something like that."

Now phishers are aping government Web sites, such as the IRS, in their latest ploy to fleece the unsuspecting.

Phishers have commonly tried to pass themselves off as banks or sites such as eBay, PayPal or Amazon to swindle personal information. But a recent spate of phishing attempts has been trying to pass itself off as official government communication.

"People see something (purporting to be) coming from a government agency is more serious and needs more attention," said Jim Dupree, a spokesman for the IRS in Baltimore.

The IRS has investigated 12 phishing scams from 11 countries since November, and Mrs. VanVerth found her suspicious e-mail listed among them. Last month the IRS received examples of nearly 1,300 bogus e-mails from concerned taxpayers.

The Anti-Phishing Work Group, a division of the National Center for Forensic Science at the University of Central Florida, received 20,109 reports of phishing in May, up 15 percent from the previous month and 34 percent more than was reported in January.

The IRS has its own investigative division and will pursue international phishers, said Peggy Thomas, a spokeswoman for the IRS' criminal division.

"If there's a foreign individual that's committing fraud in the U.S. we will work to have them extradited," she said.

The IRS warns customers it does not solicit personal information via the Internet and all such requests should be treated with suspicion.

"We aren't just going to send out e-mails blindly seeking personal information..." Mr. Dupree said. "If we need to get in contact with you, you're going to get written correspondence first and then maybe a phone call."

Helpful hints

State Attorney General Joseph Curran and the IRS are warning the public about a new phishing scam in which con artists send bogus IRS e-mails from tax-refunds@irs.gov or admin@irs.gov and sometimes link to a Web site that mimics the IRS.

Be suspicious of e-mails that:

• Urge you to act quickly because your account may be suspended or closed.

• Don’t address you by name, but use a more generic title, like “Dear Taxpayer.”

• Ask for account numbers, Social Security numbers, passwords or other personal information.

If you receive this type of e-mail:

• Do not open any attachments.

• Do not click on any links.

• Delete them immediately.

Suspicious e-mails can be reported to the Attorney General’s Office at 888-743-0023 or to the federal Treasury Inspector General for Tax Administration at 800-366-4484 or e-mail phishing@irs.gov.

For more information on identity theft, visit www.consumer.gov/idtheft.

By: ANDREW CHILDERS

To catch a cybercriminal

WHAT is cybercrime? The Oxford Reference Online defines cybercrime as crime committed over the Internet (www.oxfordreference.com/views/ENTRY.html?ssid=175131518&entry=t49.000925&srn=1&cate gory= - FIRSTHIT). Some people call cybercrime “computer crime.” The Encyclopaedia Britannica defines computer crime as any crime that is committed by means of special knowledge or expert use of computer technology.

Computer crime could reasonably include a wide variety of criminal offences, activities, or issues. The scope of the definition becomes even larger with the frequent companion or substitute term “computer-related crime.” Some writers are also of the opinion that “computer crime” refers to computer-related activities which are either criminal in the legal sense of the word or just antisocial behaviour where there is no breach of the law (Lee, M.K.O. (1995) Legal control of computer crime in Hong Kong, Information Management & Computer Security 3(2) 13-19 – http://mustafa.emeraldlibrary.com/vl=4775179/cl=50/nw=1/rpsv/~1177/v3n2/s3/p13).

The word “hacker” should also be defined here, as it will be used extensively in this article – hackers are basically people who break into and tamper with computer information systems. The word “cracker” carries a similar meaning, and “cracking” means to decipher a code, password or encrypted message.

What is concerning is that organised crime is escalating on the Internet, according to a 2002 statement by the head of Britain's National High-tech Crime Unit, Lee Hynds (www.ananova.com/news/story/sm_724492.html?menu). According to him the Internet provides organised crime groups with “a relatively low risk theatre of operations.”

As the topic of cybercrime is so wide, what I would like to do is focus on Malaysia’s Computer Crimes Act 1997, local law enforcement and practical tips on how to prevent cybercrime.

Computer crime laws in other countries, the enforcement and multilateral efforts to harmonise laws against cybercrime will be discussed in next month’s column.

Are there laws in Malaysia to prosecute cybercriminals? What are the penalties for cybercriminals in Malaysia?

The need for laws against cybercriminals is obvious. A school dropout from the Philippines who wrote the ILOVEYOU virus was not prosecuted by the Philippine Government because at that time, the country did not have laws relating to virus creators. Ironically, the then President Estrada stated that perhaps the Philippines should leverage on the fact that they have such good virus writers to attract global technology companies to base themselves in the Philippines, considering the capable talent available in the country.

Viruses and worms are getting more insidious nowadays – take for instance, the Swen worm, which cleverly disguises itself as an e-mail message from Microsoft with a patch attached.

Illegal uses

Besides hacking and cracking, technology and the Internet can be used for a myriad of other illegal purposes: drug dealers use encrypted fax machines to send orders for narcotics to their suppliers in a neighbouring country.

Gangsters can use computers for extortion. Prostitution rings maintain their customer payments and client lists through computer software applications. Burglary rings track break-ins and then inventory their winnings from each job. Gangsters who want to murder a person in hospital can crack the hospital’s computers to alter the dosage of medication (www.scmagazine.com/scmagazine/2000_04/cover/cover.html).

Cybercriminals can range from teenagers who vandalise websites to terrorists who target a nation. However, we will leave the discussion on cyberterrorism to another instalment of this column.

Laws specifically catering for criminal activity through, over and using the Internet are essential for a nation state to have, especially in this globalised, Internet age. Take the example of the ILOVEYOU virus again, which spread to at least 45 million computers worldwide causing billions of dollars in damage (www.ananova.com/news/story/sm_51942.html).

The Computer Crimes Act 1997 provides for offences against cybercrime. Now, it is not the case that the other Acts of Parliament do not provide for criminal offences (like the Communications and Multimedia Act 1998, the Digital Signature Act 1997 and the Optical Discs Act 2000), it is just that in terms of cybercrime itself, the Act of Parliament which is the most relevant is the Computer Crimes Act. This Act is divided into three parts, that is the “Preliminary,” “Offences” and “Ancillary And General Provisions” parts and is 12 sections long. It came into force on June 1, 2000.

Section 3 provides for the offence of unauthorised access to computer material. A person shall be guilty of an offence if three elements exist, that is:

- He causes a computer to perform any function with intent to secure access to any program or data held in any computer;

- The access he intends to secure is unauthorised; and

- He knows at the time that he accesses the computer without authorisation.

The section then states that the intent a person has to have to commit the offence need not be directed at any particular program or data, a program or data of any particular kind or a program or data held in any particular computer. One meaning of this part may be that it does not matter whether or not a hacker knows what the consequences of his act will be, which program or data he or she will access or even which computer he or she will access, just as long as he knows that his access is unauthorised. The penalty for this offence is a maximum fine of RM50,000, a maximum prison sentence of five years or both the fine and imprisonment.

Section 4 provides for the offence of unauthorised access with intent to commit or facilitate the commission of a further offence. A person shall be guilty of an offence under this section if two elements exist, that is:

- He or she accesses unauthorised computer material without access; and

- He or she accesses this computer material with the intent of: committing an offence involving fraud or dishonesty or which causes injury as defined in the Penal Code; or facilitating the commission of such an offence whether by himself or by any other person.

A person guilty of an offence under this section shall on conviction be liable to a maximum fine of RM150,000 or a maximum prison term of 10 years or both the fine and imprisonment. As you can see, the legislature has provided for a higher fine and a higher prison term for this offence, as the crime here is more serious than in Section 3, as the commission of a further offence of fraud, dishonesty or injury is envisaged.

Unauthorised modification
Section 5 provides for the offence of unauthorised modification of the contents of any computer. A person shall be guilty of the offence if he does any act which he knows will cause unauthorised modification of the contents of any computer. Section 5 also states that it is immaterial that the act in question is not directed at any particular program or data, a program or data of any kind, or a program or data held in any particular computer.

This most probably means that it does not matter whether or not the hacker knows which program or data, or even which computer will be affected by his actions, just as long as he knows his actions will cause unauthorised modifications. For the purposes of Section 5, it is immaterial whether an unauthorised modification is, or is intended to be, permanent or merely temporary. The penalty is a maximum fine of RM100,000 or a maximum prison sentence of seven years or both the fine and prison sentence. However, if the modification was done to cause injury, then the maximum fine is RM150,000 and the maximum prison term is 10 years.

Section 6 is the offence of wrongful communication. A person shall be guilty of an offence if he communicates directly or indirectly a number, code, password or other means of access to a computer to any person other than a person to whom he is duly authorised to communicate it to. The penalty for the offence is a maximum fine of RM25,000 or a maximum prison sentence of three years or both.

Section 7 provides for a criminal offence if a person assists in the commissioning of any of the offences above, attempts to commit any of the offences above or was preparing to commit any of the offences above.

Section 11 provides for the criminal offence if:

- A person assaults, obstructs, hinders or delays a police officer when the latter is attempting to enter any premises for the purposes of searching, seizing or arresting as provided for under the Act; or

- A person fails to comply with any lawful demands of a police officer acting in the execution of his duty under the Act.

A person found guilty under Section 11 faces a maximum fine of RM25,000 or a maximum prison term of three years or both the fine and prison term.

Section 9 of the Computer Crimes Act states that the provisions of the Act shall have effect outside as well as within Malaysia and, where a person commits the offence outside Malaysia, he may be dealt with in respect of such offence as if it was committed at a place within Malaysia. Section 9 goes on to state that the Act shall apply if, for the offence in question, the computer, program or data was in Malaysia or capable of being connected to or sent to or used by or with a computer in Malaysia at the material time.

This practically means that the Computer Crimes Act has extra-territorial jurisdiction – the law can be enforced against an alleged offender even if he is in another country.

One more interesting thing about the Act is that Section 10 gives the power to any police officer to arrest without warrant any person whom he (the police officer) reasonably believes to have committed or is committing an offence under the Act.

Thus, the police have sweeping powers of arrest with regard to cybercrime, which reflects the legislature’s view that the offences in the Act are pretty serious.

Practical examples of cybercrime
Some people may argue that there is a difference between hackers who break into a website to deface its homepage and cyberterrorists who go to these same websites with the purpose of causing harm to people and damage to databases and information systems (see for instance Lee, M.K.O. (1995) above). However, if you look at Section 5 of the Act carefully, Malaysian law does not make a distinction between a harmless hacker who defaces a webpage and a cyberterrorist who desires to cause injury – both will be guilty of offences under the Act, and both will be punishable, although by different sections of the Act.

Practical examples of cybercrimes include but are not limited to:

Cyberstalking. The goal of a cyberstalker is control. Stalking and harassment over cyberspace is more easily practised than in real life. There are many cases where cyberstalking crosses over to physical stalking.

Some examples of computer harassment are:
- Live chat obscenities and harassment;

- Unsolicited and threatening e-mail;

- Hostile postings about someone;

- Spreading vicious rumours about someone;

- Leaving abusive messages on a website’s guest books.

Cases where the crime can occur even if there was no computer – however, the use of technology makes the commission of the crime faster and permits the processing of larger amounts of information. Examples would be credit card fraud, drug trafficking, criminal breach of trust, forgery, cheating, illegal betting or gambling, forgery of valuable documents (money, cheques, passports and identification cards) and money laundering. In the past, the Malaysian Police has investigated rumour mongering and defamation on the Internet.

Malicious codes like worms, viruses and Trojan horses. These exploit security vulnerabilities of a system and they tend to alter or destroy data. The damage they cause is worth millions of Ringgit to companies as well as government agencies. Worms are different from viruses because they are able to spread themselves with no user interaction. A virus can attack systems in many ways: by erasing files, corrupting databases and destroying hard disk drives.

Hacking. Hacked systems can be used for information gathering, information alteration, and sabotage. Vulnerabilities exist in almost every network. Hackers sometimes crack into systems to brag about their ability to penetrate them, but others do it for illegal gain or other malicious purposes. Today, hacking is simpler than ever – hackers can now go to websites and download protocols, programs and scripts to use against their victims.

Cyberterrorism. This is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets. We shall discuss cyberterrorism as a separate topic as this is an area of special concern and because certain countries have legislated on the topic.

Industrial espionage. This is where corporations spy on other companies and with network systems, this can be an easy task. Companies can retrieve sensitive information rarely leaving behind any evidence. Cyberespionage can also be applied to nations that spy on other countries' sensitive information.

Spoofing of IP addresses. This is where a false IP address is used to impersonate an authorised user.

The reproduction and distribution of copyright protected material and software piracy.

Cyberattacks on financial systems. This includes electronic banking and payment systems.

Cybervandalism. The defacing of webpages.

Pyramid schemes on the Internet.

E-mail abuse. This includes malicious or false e-mail.

Denial of service attacks.

Who are the local enforcers – what type of enforcement do we have in Malaysia?

Cyberlaw enforcers face several challenges:

Firstly, there is the identification of the criminal – Internet investigations are equipment- and labour-intensive. It is not that easy to identify cybercriminals.

This is because they operate in a virtual world and do not leave physical clues and paper trails behind, like the more traditional criminals do. Although they do leave their digital fingerprints now and then, enforcers need to move quickly before evidence fades away. Furthermore, with encryption, route relay and other types of technology and processes, they can make themselves almost undetectable by cyberenforcers.

Secondly, if the cybercriminal was in another country and he perpetrated his crimes against information systems here in Malaysia, how do you prosecute and ultimately impose the sentence against him?

This is where the harmonisation of a framework of cyberlaw globally will undoubtedly help (this was discussed in the Cyberlaws column in In.Tech, April 22. It is also the objective in respect to cyberlaw in the second phase of the MSC's development from 2003 to 2010), as the Internet is borderless and does not have regard to the laws of sovereign nations.

Insufficient Personnel

Besides legal differences, there are practical differences in terms of enforcement and co-ordination efforts between nations.

There may not be enough trained personnel or sufficient equipment to detect and to bring cybercriminals to book.

Finally, technology always evolves and the enforcers must keep up with changes.

Even in the United States as recently as 2000, it was noted that American law enforcement agencies, including the Justice Department, lacked the staff to investigate and prosecute cybercrimes like digital break-ins, data destruction and viruses. As a result of this, cybercriminals were breaking into or paralysing US-based websites with little fear of retribution, costing the private sector hundreds of millions of dollars.

Even Interpol, the organisation set up to track fugitives and investigate international crime and of which Malaysia is a member, considered letting a Silicon Valley computer security company, AtomicTangerine, help it to protect businesses from hackers. This was after it acknowledged that international law enforcers were unable to combat computer crime effectively and that governments found it difficult to coordinate cross-border efforts to combat this new phenomenon. Its secretary general at the time, Raymond Kendall, stated that “... there's a limit to how you can transform police officers or detectives into technicians” (http://lists.insecure.org/lists/isn/2000/Jul/0056.html).

In Malaysia, the Malaysian Police formed the Technology Crime Investigation Branch (TCIB) in October 1998. It is under the Commercial Crime Investigation Division. The officers in the TCIB are specially trained in cybercriminal investigation methods. The TCIB also lends its assistance to overseas enforcement agencies in investigating online gambling, hacking and illegal distribution of pirated software.

Here are a couple of tips on how to prevent cybercrime:

- Install hardware and software that will recognise hacker attacks, data spying and data altering, like firewalls, encryption (for e-mail, the encryption program called Pretty Good Privacy can be used), virus detection and smartcards. An Intrusion Detection System can protect your information systems in the event of the failure of the firewall and from internal attacks. An Incident Handling System will be able to identify hacker attacks as they happen. Full backups are important so that evidence like damaged or altered files, files left by the intruder, the relevant IP address and login times can be collected. A police report should then be made.

- Assess your information systems to identify weaknesses.

- Ensure that computers that run critical infrastructure are not physically connected to any other computer that is possibly connected to the Internet.

- Maintain clear and consistent security policies and procedures.

- Use alphanumeric passwords (i.e. passwords with letters and numbers in them). Login passwords should be changed frequently.

- Employees have to be trained to understand security risks – this practically means that they must know that they should never give out PINs, passwords and calling card numbers of the company without proper third party verification.

Notorious hacker, Kevin Mitnick, who was the most wanted hacker at one time in the United States, told of how he accessed the information systems of the US’ Department of Motor Vehicles by simply calling up an officer, disguising himself as an officer from another government agency and obtaining the appropriate username and passwords from her.

- Correct identified problems – although this may seem straightforward and logical, I have seen many cases where the security of certain information systems was compromised because problems were not fixed.

- Report attacks to the National ICT Security and Emergency Response Centre (Niser) so that any pattern of cybercrime in Malaysia can be detected and large-scale attacks prevented.

- There must exist incident response capabilities so that there is appropriate action taken against impending attacks.

- When an employee resigns or is terminated, employers must always ensure that the former does not have access to their computers anymore. The 1997 UN Manual on the Prevention and Control of Computer-Related Crime noted that 90% of economic crimes such as theft of information and fraud were committed by the relevant company’s employees. Even the Malaysian Police’s Technology Crime Investigation Branch is of the opinion that “more often than not, unauthorised access, hacking or e-mail abuse cases involve disgruntled employees taking advantage of ineffective security policies.”

- Maintain backups of all important data.

- When external persons service your system, save confidential information on other media before the service. Observe them during the service. Never let external people take computers or servers with confidential information from your site.

Conclusion
In a speech in Kuala Lumpur in February 2000, Deputy Prime Minister Datuk Seri Abdullah Ahmad Badawi stated that:

“The development of the Multimedia Super Corridor and the creation of a pioneer legal and regulatory framework encompassing, amongst other things, the Communications and Multimedia Act, the Computer Crimes Act and the Digital Signatures Act is indicative of the Government's commitment towards the creation of a knowledge-based economy.” (The Harvard Business School Alumni Club luncheon talk on Managing Malaysia in the New Global Economy.)

Thus, the Computer Crimes Act must be seen not only as a law which regulates the behaviour of people who use and do business over the Internet, but it also must be seen as the Government’s efforts to put in place soft infrastructure to nurture the MSC and the knowledge-based economy so that Malaysia can achieve Vision 2020.

At the same time, the Government should be aware that technological innovation and the deviousness of human minds would mean that the law as well as enforcement must not only keep up with cybercriminals, but it must ensure that their officers are one step ahead of cybercriminals, ready to catch them if the cybercriminals perform their dirty deeds.

By A.J. Surin

Wednesday, December 6, 2006

Cybercrime Report Looks at Online Crime


Cybercrime cost $400 billion in 2004 with 2,000 new threats emerging each month compared to 300 two years ago, says a new report from McAfee.

According to the McAfee Virtual Criminology Report: North American Study into Organized Crime and the Internet, 85% of malware (malicious software) is now being written to make a profit. Here are some of the key findings from the report.

The timing of the increase in cybercrime comes as more people and information are online. E-commerce reached $70 billion in the US in 2004, representing a 24% increase from the previous year, and approximately one third of the US workforce or 50 million people are now online. Almost half of the Internet users in Canada and the US - approximately sixty million residents of North America - have online bank accounts. As a result cybercrime has evolved into a very professional activity.

Online fraud can be divided into 7 main categories:

  1. Extortion - cybergangs threaten to disrupt a company's network or steal corporate information if the company does not pay a ransom or "security consultant" fee to an off-shore bank account.

  2. Reputation damage - the defacement of a company website can damage reputations and interrupt sales. The threat of defacement is sometimes used as part of an extortion scheme.

  3. Fraud - there are many forms of fraud, from the Nigerian scams where an alleged wealthy individual with tens of millions of dollars asks for help getting money out of their country to fake stock promotion in online chat rooms. Another recent example would be the criminal who sent fake emails that claimed to be the Red Cross soliciting donations after the terrorist attacks in London; the emails did not originate from the Red Cross and any money donated went to a criminal, not the relief effort.

  4. Phishing - this occurs when a criminal pretends to be an organization that manages your money and/or personal information, such as a bank, credit card company, retailer or auction website. It usually starts with an urgent email insisting that you update your information; when the user clicks on the email they are taken to a website that looks identical to the real site. Psychological manipulation is an important aspect of this type of crime. Users are often tricked into thinking that they are about to have their personal information stolen, which urges them to take action that they think will prevent the theft.

  5. Service disruption - these are Internet attacks designed to take out a key corporate service such as email. Viruses and computer worms are often used to carry out these attacks, and the threat of disruption may be used as part of an extortion scheme.

  6. Information theft - in this type of crime, criminals steal information - credit card numbers, personal data or corporate information - by hacking into databases or corporate networks. The report notes that while reports of information theft are declining, this can be one of the most damaging forms of cybercrime that a company can face.

  7. Money laundering - the Internet has made it easy to conduct banking operations across borders. While transactions can be traced, the sheer volume of transactions, the anonymity and a lack of consistent record-keeping make this form of money laundering attractive to criminals and terrorists.

    The international nature of the Internet is a significant challenge to those fighting cybercrime. Laws vary from country to country and there are many challenges when collecting digital evidence. Criminals targeting consumers or businesses in North America may never set foot on North American soil.

