Computer and Internet Crimes - 4-Week 7 2024

Summary

This presentation discusses Computer and Internet Crimes concepts, security issues, risks, and aspects of security. It also covers different types of computer security threats, such as viruses and worms, and prevention tips.

Full Transcript

Computer and Internet Crimes
Intended Learning Outcomes (ILO)
At the end of the lesson, you will be
able to:

1. Recognize the internet and cybercrimes terms
introduced in this lesson;

2. Understand the consequences of inappropriate
online behavior;

3. Determine what information to share and not
to share online;
Computer and Internet Crimes
Security
Types and Effects of Computer Crimes
Governments, businesses, and people around the world have
been affected immeasurably by the unprecedented advancement
force of computer technology. The already enormous and
exponentially growing capacities of electronic storage,
transmission, and rapid manipulation of binary data changed the
modern landscape virtually overnight. However, such fundamental
restructuring in the society also resulted in certain disadvantages,
on all levels. Our vulnerability increased with the perceived value of
and reliance on this technology. Increased opportunities for the
industrious to be more productive also allow the less-upright new
avenues for malevolence.
What is “Computer Crime”?

The term "computer crime" could reasonably include
a wide variety of criminal offenses, activities, or
issues.
It can be separated into two categories:
(1) crimes facilitated by a computer; and
(2) crimes where the computer is the target.
The different Computer security issues
and their effects

We usually keep files containing a month's worth of work or
confidential information in our computers. Protecting these data
should be given careful attention. Almost every day, computer
systems are being broken into, or computer viruses turn up on
someone's computer. They are constant threats, making security
even more critical.
There are basically three overlapping
types of Risks:
1. Bugs or misconfiguration problems that allow unauthorized remote
users to:
 Steal confidential documents
 Execute commands on the host machine, allowing them to modify the system
 Gain information about the host machine, allowing them to break into the
system
 Launch denial-of-service attacks, rendering the machine temporarily unusable
2. Browser-side risks, including:
 Active content that crashes the browser, damages the user's system,
breaches the user's privacy, or merely creates an annoyance
 The misuse of personal information knowingly or unknowingly provided by the
end-user
3. Interception of network data sent from browser to server or vice
versa via network eavesdropping
The aspects of Computer Security

Physical Security – The first and perhaps
the easiest rule of computer
security.Everyone knows that you need to
lock your doors to keep your TV, refrigerator,
and other appliances safe at home. The
same idea applies to your computer as well.
We have to make sure that our computers
are attended, watched, or locked behind our
doors.
Viruses – Once you've started using your
computer, viruses can start working on your
computer too. The computer virus is one of
those programs you don't want that usually
gets sent to you by people through email.
The aspects of Computer Security
Malicious Logic – This usually affects your computer system while you are on the
net. Commands are frequently present in web pages we visit while surfing the net.
This type of computer security problem is usually deliberately created. Symptoms
may include slow response time, system crashes, or uncooperative programs.
Hacking – Hackers found ways to exploit holes in operating systems of local and
remote systems. They developed methods to exploit security holes in various
computer systems.
Internal Misuse – Occasionally, some people use your computer and some files
may be intentionally or unintentionally deleted. When permanently deleted from the
system, this may mean that you will have to redo the work. System crashes can
also occur when files needed by a program are deleted or altered.
Spoofing – Network spoofing is an ingenious way for an intruder to gain access to
the system. The intruder sets up a program that impersonates the sign-on routine
of another system.
Two categories of electronic crime types.

There are many different ways to attack computers and
networks to take advantage of what has made
shopping, banking, investment, and leisure pursuits a
simple matter of ― “dragging and clicking” for many
people.
The different types of electronic crime fall into two main
categories:
- crimes in which computer is the target of the
attack,
- and incidents in which the computer is a means
of perpetrating a criminal act.
 The following is a list of some of the noted
omputer crimes committed over the past years:
The Morris Worm (November, 1988) – Robert Morris released what has
become known as the Internet Worm. This was the first large-scale attack
on the Internet and the worm infected roughly 10 percent of the machines
then connected to the Internet and caused an estimated $100 million
damages.
Citibank and Vladimir Levin (June-October, 1994) – Levin reportedly
accomplished the break-ins by dialing into Citibank‘s cash management
system. This system allowed clients to initiate their own fund transfers to
other banks.
Kevin Mitnick (February, 1995) – Mitnick admitted to having gained
unauthorized access to a number of different computer systems
belonging to companies such as Motorola, Novell, Fujitsu, and Sun
Microsystems. He also admitted to having used stolen accounts at the
University of Southern California to store proprietary software he had
taken from various companies.
 The following is a list of some of the noted
computer crimes committed over the past years:
Omega Engineering and Timothy Lloyd (July, 1996) – The program
that run on July 30 deleted all the design and production programs for the
company, severely damaging the small firm and forcing the layoff of 80
employees.
Jester and the Worcester Airport (March, 1997) – Airport services to
the FAA control tower as well as the emergency services at the Worcester
Airport and the community of Rutland, Massachusetts were cut off for a
period of six hours. This disruption occurred as a result of a series of
commands sent by a teenage computer hacker who went by the name ―
“jester”.
Solar Sunrise (February, 1998) – A series of computer intrusions
occurred at a number of military installations in the U.S. Over 500 domain
name servers were compromised during the course of the attacks. Making
it harder to track the actual origin of the attacks was the fact that the
attackers made a number of ―hops‖ between different systems, averaging
eight different systems before arriving at the target.
 The following is a list of some of the noted
computer crimes committed over the past years:
The Melissa Virus (March, 1999) – Melissa is the best-known early
macro type viruses that attach themselves to documents for programs that
have limited macro programming capability. The virus, written and released
by David Smith, infected about a million computers.
The Love Letter Worm (May, 2000) – Also known as the ―
“ILOVEYOU” virus and the “Love Bug,” was written and released by a
Philippine student named Onel de Guzman. The worm was spread via
email with the subject line of “ILOVEYOU.” The virus spread via email
attachments. When the receiver ran the attachment, it searched the
system for files with specific extensions in order to replace them with
copies of itself.
The Code-Red Worm (2001) – This infection took only 14 hours to occur.
The worm took advantage of a buffer-overflow condition in Microsoft‘s IIS
web servers. The worm itself was memory resident so simply turning off an
infected machine eliminated it.
 Adil Yahya Zakaria Shakour (August, 2001-May, 2002) – Shakour admitted
to having accessed several computers without authorization, including a server at
Eglin Air Force Base, computers at Accenture, a computer system at Sandia
National Laboratories, and a computer at Cheaptaxforms.com.
The Slammer Worm (2003) – It exploited buffer- overflow vulnerability in
computers running Microsoft‘s SQL Server or Microsoft SQL Server Desktop
Engine. Slammer_x0002_infected hosts were generating a reported 1TB of worm-
related traffic every second. The worm doubled its number of infected hosts every
8 seconds.
July 2009 cyberattacks – These were a series of coordinated cyberattacks
against major government, news media, and financial websites in South Korea and
the United States. The first wave of attacks occurred on July 4, 2009 and the last
wave of attacks began on July 9, 2009.
Shamoon (2012) – It is a computer virus discovered in 2012 that attacks
computers running the Microsoft Windows operating system. It is also known as
Disttrack. Shamoon is capable of wiping files and rendering several computers on
a network unusable.
here are a number of different threats to security
and these are the following:
Viruses and Worms – A virus is a self-replicating program that spreads by
inserting copies of itself into other executable code or documents. A worm is
a type of malware and is a self-replicating program similar to a virus.
Intruders – The act of deliberately accessing computer systems and
networks without authorization is generally referred to as hacking. It also
applies to the act of exceeding one‘s authority in a system. This includes
authorized users who attempt to gain access to files or obtain permissions
that they have not been granted.
A script kiddie is a derogatory term for inexperienced crackers who use
scripts and programs developed by others for the purpose of compromising
computer accounts and files, and for launching attacks on whole computer
systems. Elite hackers are people who are not only capable of writing scripts
to exploit known vulnerabilities, but also capable of discovering new ones.
Insiders – They have the access and knowledge necessary to
cause immediate damage to an organization. They may also
have all the access they need to perpetrate criminal activity
such as fraud. Moreover, they have knowledge of the security
systems in place and will be better able to avoid detection.
Criminal Organizations – Attacks by criminal organizations
can fall into the structured threat category, which is
characterized by a greater amount of planning, a longer
period of time to conduct the activity, more financial backing
to accomplish it, and possibly, corruption of or collision with
insiders.
Terrorists and Information Warfare – An information
warfare is conducted against information and information
processing equipment used by an adversary.
Computer security and network security

Computer security is the effort to create a secure computing
platform, designed so that agents (users or programs) can
only perform actions that have been allowed. This involves
specifying and implementing a security policy.
Network security is a protection of networks and their
services from unauthorized modification, destruction, or
disclosure, and provision of assurance that the network
performs its critical functions correctly and there are no
harmful side-effects.
CIA of security

The original goal of computer and network security is to
provide confidentiality, integrity, and availability.
Confidentiality refers to the security principle that states
that information should not be disclosed to unauthorized
individuals.
Integrity is the security principle that requires information
to not be modified except by individuals authorized to do so.
Availability applies to hardware, software, and data. All of
these should be present and accessible when the subject
(the user) wants to access or use them.
 Authentication deals with the desire to ensure that an
individual is who they claim to be. On the other hand, non-
repudiation deals with the ability to verify that a message has
been sent and received and that the sender can be identified and
verified the security principles. The three ways an organization
can choose to address the protection of its networks are:
- ignore security issues,
- provide host security, and
- approach security at a network level.
Least privilege is applicable to many physical environments
as well as network and host security. Least privilege means that
an object should have only the necessary rights and privileges to
perform its task, with no additional permissions.
Layered Security
It is important that every environment have multiple
layers of security. Those layers may employ a variety of
methods such as routers, firewalls, network
segments, IDSs, encryption, authentication
software, physical security, and traffic control.
The layers are depicted, usually, starting from the top,
with more general types of protection, and progressing
downward through each layer, with increasing granularity
at each layer as you get closer to the actual resource.
Diversity of defense is a concept that complements the idea of various
layers of security.
Access is the ability of a subject to interact with an object. Access controls
refers to devices and methods used to limit which subjects may interact with
specific objects. Authentication mechanisms ensure that only valid users are
provided access to the computer system or network.
The following are the various methods to implement access controls:
Discretionary Access Control – It is a means of restricting access to
objects based on the identity of subject and/or groups to which they belong.
Mandatory Access Control – It is a means of restricting access to objects
that is based on fixed security attributes assigned to users and to files and
other objects.
Role-Based Access Control – It is an alternative to traditional access
control models (e.g., discretionary or non-discretionary access control
policies) that permits the specification and enforcement of enterprise-specific
security policies in a way that maps more naturally to an organization's
structure and business activities.
Health Issues
Why do few computer workstations give
eyestrain and muscle fatigue?
Why is the video recorder one of the most
frustrating domestic items to operate?
Why do some car seats leave you aching
after a long journey?

These questions and many others may leave us
hanging on how we can handle such irritations and
inconveniences. But these can be avoidable by
applying ergonomics.
 Many computer-related health problems are minor and caused
by a poorly designed work environment.
Keyboards and computer screens may be fixed in place or
difficult to move.
Desks and chairs may also be uncomfortable.
The computer screen may be hard to read, with problems of glare
and poor contrast. The hazardous activities associated with these
unfavorable conditions are collectively referred to as work
sensors.
Although these problems may not be of major concern to casual
users of computer systems, continued stressors such as eyestrain,
awkward posture, and repetitive motion, may cause more serious
and long-term injuries. If nothing else, these problems can severely
limit productivity and performance.
 The study of designing and positioning computer equipment, called
ergonomics, has suggested a number of approaches to reduce these
health problems. Ergonomics is an approach which puts human needs
and capabilities at the focus of designing technological systems.
The objective of ergonomics is to ensure that humans and
technology work in complete harmony, with the equipment and tasks
aligned to human characteristics. Another goal is to have “no pain”
computing.
The placement and design of computer tables and chairs, the
positioning and design of display screens, and the slope of the keyboard
have been carefully studied. Flexibility is a major component of
ergonomics and an important feature of computer devices. People of
differing sizes and preferences require different positioning of
equipment for best results
ifferent essential implications to achieve productivit
efficiency,safety, and health in work setting.
Ergonomics has various applications to everyday domestic
situations, but there are even more essential implications for
productivity, efficiency, safety and health in work settings. Here are the
following examples:
Designing equipment and work arrangements to improve working
posture and ease the load on the body, thus reducing instances of
Repetitive Strain Injury/Work Related Upper Limb Disorder.
Information design, to make the interpretation and use of handbooks,
signs, and displays easier and less error-prone.
Designing equipment and systems including computers, so that they
are easier to use and less likely to lead to errors in operation –
particularly important in high stress and safety-critical operations such
as control rooms.
 Designing working environments, including lighting and heating, to
suit the needs of the users and the tasks performed. Where
necessary, design of personal protective equipment for work and
hostile environments.
Design of training arrangements to cover all significant aspects of
the job concerned and to take account of human learning
requirements.
The design of military and space equipment and systems – an
extreme case of demands on the human being.
Designing tasks and jobs so that they are effective and take
account of human needs such as rest breaks and sensible shift
patterns, as well as other factors such as intrinsic rewards of work
itself.
In developing countries, the acceptability and effectiveness of
even fairly basic technology can be significantly enhanced.
 The multi-disciplinary nature of ergonomics, sometimes called “Human
Factors”, is immediately obvious. The ergonomist works in teams which
may involve a variety of other professions: design engineers,
production engineers, industrial designers, computer specialists,
industrial physicians, health and safety practitioners, and
specialists in human resources.
The overall aim is to ensure that our knowledge of human
characteristics is brought to bear on practical problems of people at work
and in leisure. We know that, in many cases, humans can adapt to
unsuitable conditions, but such adaptation leads often to inefficiency,
errors, unacceptable stress, and physical or mental cost. Trace the origins
of ergonomics.
Ergonomics, a relatively new branch of science, celebrated its 50th
anniversary in 1999. It relies on research carried out in many other older,
established scientific areas, such as physiology, psychology, and
engineering.
The checklist for a use-friendly workstation.
The following are equipment checklist for
a Use-Friendly Workstation:
Buying Tips
 Ask for equipment that meets American National Standards Institute (ANSI)
standards. These are ergonomic standards applicable to computer terminals,
associated furniture, and the work environment.Try equipment out before
purchasing whenever possible.
Computer Terminal
 Easy to use brightness and control knobs
 No perceptible screen flicker
 Detachable keyboard
 Reduced electromagnetic fields (EMF) emissions
 Tiltable screen
 Character size at least 3/16" Chair
 Back provides firm lower and mid-back support.
 Adjustable arm rests, if needed to prevent shoulder fatigue.
  Seat and back easily adjustable for height and tilt from seated position
without use of tools.
 Seat upholstered and padded curves down at front edge.
 Five (5) casters for stability. Table
 Easily adjustable from seated position without use of tools
 Bi-level to allow independent adjustment of screen and keyboard
 Adequate leg room
 Adequate table top space for required tasks
Accessories (As Needed)
 Foot rest for users whose feet don‘t rest flat on the floor
 Adjustable keyboard tray, if table is too high
 Wrist rest that is padded, movable, same height as keyboard home row
 Document holder adjustable to screen height
 Glare screen with grounding wire
 Lumbar support cushion, if chair doesn‘t support lower back
Telephone headset
 Task lighting
Reduce Glare to Avoid Eyestrain
 Lower lighting level to about half of normal office lighting
 Avoid placing computer directly under a bank of lights
 Avoid light shining directly into your eyes or onto your
screen
 Use window curtains or blinds if necessary
 Position screen at right angle to window
 Hold a mirror in front of your screen to identify sources of
glare
 Use task lighting if necessary
Information Ethics
Ethics is a set of principles which involves systematizing,
defending, and recommending concepts of right and wrong
behavior.
Information ethics can be regarded as part of normal
business ethics since to do otherwise would mean that
normally unethical acts might be all right via computer.
Business ethics is the “code of morals of a particular
profession” and “the standards of conduct of a given
profession”. Since morals are “principles if right and wrong
in conduct”, information ethics, therefore, can be defined
as an agreement among information systems professionals
to do right and to avoid wrong in their work.
Four Unique information systems attributes
Addressed by information ethics
Information ethics is a specific application of business
ethics to information systems. Thus, they may be mistakenly
assumed to be identical to business ethics. However, information
ethics addresses issues unique to information systems. The
following are the four (4) unique I.S. attributes:
Location - With a computer, an unethical act can be
committed from many locations.
Time- Information systems make it possible to commit
unethical acts quickly.
Separation of Act from Consequences- Most people feel
guilty when they see someone hurt by their actions.
Individual Power- Would-be criminals often need help to
misbehave.
 Privacy refers to the right of people to not reveal information about
them. It is the right to keep personal information, such as personal email
messages,medical histories, student records, and financial information from
getting into the wrong hands.
The right to privacy at work is also an important issue. Some experts
believe that there will be a collision between workers who want their privacy
and companies that demand to know more about their employees. Recently,
companies that have been monitoring their employees have raised concerns.
Workers may find that they are being closely monitored via computer
technology.
Email also raises some interesting issues about work privacy. Federal
law allows employers to monitor email sent and received by employees.
Furthermore, email messages that have been erased from hard disks may be
retrieved and used in lawsuits because the laws of discovery demand that
companies produce all relevant business documents. Alternatively, the use of
email among public officials may violate “open meeting” laws. These laws,
which apply to many local, state, and federal agencies, prevent public
officials from meeting in private about matters concerning the state or local
area.
Information Accuracy
For information to be accurate, it must be error-free, complete, and
relevant to decisions that are to be based on it. Professional integrity is one
of the guarantors of information accuracy. An ethical approach to information
accuracy calls for the following:
a. Individuals should be given an opportunity to correct inaccurate information
held about them in database.
b. Databases containing data about individuals should be reviewed at frequent
intervals, with obsolete data discarded.
c. System safeguards, such as control audits, are necessary to maintain
information accuracy. Regular audits of data quality should be performed and
acted upon.
d. A professional should not misrepresent his or her qualifications to perform a
task.
e. A professional should inform his or her employer what consequences to
expect if
his or her judgment is overruled.
Accessibility
Access to files, both online and offline, should be restricted only to those
who have a legitimate right to access – because they need those files to do
their jobs. Many organizations keep a transaction log that notes all accesses or
attempted accesses to data. Most LAN management software includes this
function.

Property
Many networks have audit controls to track which files were opened, which
programs and servers were used, and so on. This creates an audit trail, a
record of how a transaction was handled from input through processing and
output.
The following are the federal computer crime laws:
Fair Credit Reporting Act of 1970 (FCRA). Controls operations of
credit-reporting bureaus, including how they collect, store, and use credit
information.
Freedom of Information Act of 1970. Ensures access of individuals to
personal data collected about them and about government activities in
federal agency files.
Tax Reform Act of 1976. Regulates the collection and use of certain
information by the Internal Revenue Service.
Rights to Financial Privacy Act of 1978. Regulates government access
to certain records held by financial institutions.
Electronic Funds Transfer Act of 1979. Enumerates the responsibilities
of companies that use electronic funds transfer systems, including
consumer rights and liability for bank debit cards.
Computer Matching and Privacy Act of 1988. Regulates cross-
reference between federal agencies‘ computer files.
 Video Privacy Act of 1988. Prevents retail stores from disclosing video
rental
records without a court order.
 Telephone Consumer Protection Act of 1991. Limits telemarketers‘
practices.
 Cable Act of 1992. Regulates companies and organizations that provide
wireless communication services, including cellular phones.
 Computer Abuse Amendments Act of 1994. Prohibits transmissions of
harmful computer programs and code, including viruses.
 Children’s Online Privacy Protection Act of 1998. Establishes standards
for sites that collect information from children. Its purpose is to prohibit unfair
or deceptive acts or practices in connection with the collection, use, or
disclosure of personally identifiable information from and about children on the
Internet.
 Education Privacy Act. Restricts collection and use of data by federally
funded educational institutions, including specifications for the type of data
The following are the federal computer crime laws:
Copyrights Law. Sets standards on copyrights and computer programs.
Fraud and False Statements Law. Standards against fraud and related
activity in connection with access devices and computers.
Espionage and Censorship. Sets standards in gathering, transmitting, or
losing defense information.
Mail Fraud Law
General prohibition on pen register and trap and trace device use
Pen Registers and Trap and Trace Devices
Standards against fraud by wire, radio, or television
Standards against Interception and disclosure of wire, oral, or electronic
communications prohibited
Wire and Electronic Communications Interception and Interception of Oral
Communications
Tips in preventing crimes on the Internet
Internet security can include firewalls and a number of methods
to secure financial transactions. A firewall includes hardware and
software combinations that act as a barrier between an organization‘s
information system and the outside world. A number of systems have
been developed to safeguard financial transactions on the Internet.
The following tips can be taken to help prevent crime on the
Internet:
Use of stand-alone firewall, including hardware and software with
network monitoring capabilities.
Use Internet security specialists to perform audits of all Internet and
network activities.
Develop effective Internet and security policies for all employees.
Monitor managers and employees to make sure they are using the
Internet for business purposes only.
Data alteration/theft
Data and information are valuable corporate assets. The
intentional use of illegal and destructive programs to alter or
destroy data is as much a crime as destroying tangible goods.
Most common of these types of programs are viruses and
worms, which are software programs that, when loaded into a
computer system, will destroy, interrupt, or cause errors in
processing. There are more than 53,000 known computer viruses
today, with more than 6,000 new viruses and worms being
discovered each year.
Some viruses and worms attack personal computers, while
others attack network and client/server systems.
 A personal computer can get a virus from an infected
disk, an application, or e-mail attachments received from
the Internet.
A virus or worm that attacks a network or client/server
system is usually more severe because it can affect
hundreds or thousands of personal computers and other
devices attached to the network.
Workplace computer virus infections are increasing
rapidly because of several viruses spread through e-mail
attachments.
Malicious Access
Crimes involving illegal system access and use of computer services are a
concern to both government and business. Federal, state, and local government
computers are sometimes left unattended over weekends without proper security,
and university computers are often used for commercial purposes under the
pretense of research or other legitimate academic pursuits.
A 28-year-old computer expert allegedly tied up thousands of US West computers
in an attempt to solve a classic math problem. The individual reportedly obtained
the passwords to hundreds of computers and diverted them to search for a new
prime number, racking up ten years of computer processing time. The alleged
hacking was discovered by a US West Intrusion Response Team after
company officials noticed that computers were taking up to five minutes to
retrieve telephone numbers, when normally they require only three to five
seconds. At one point, customer calls had to be rerouted to other states, and the
delays threatened to close down the Phoenix Service Delivery Center.
 Since the outset of information technology, computers
have been plagued by criminal hackers.
A hacker is a person who enjoys computer technology and
spends time learning and using computer systems. A criminal
hacker, also called a cracker, is a computer-savvy person
who attempts to gain unauthorized or illegal access to
computer systems. In many cases, criminal hackers are
people who are looking for fun and excitement – the
challenge of beating the system.
Classification of Computer Viruses
The two most common types of viruses are application
viruses and system viruses.

Application viruses infect executable application files, such
as word processing programs. When the application is
executed, the virus infects the computer system.
A system virus typically infects operating system programs
or other systems files. These files of viruses usually infect the
system as soon as the computer is started.
 Another type of program that can destroy a system is a Logic bomb, an
application or system virus designed to “explode” or execute at a specified time
and date. Logic bombs are often disguised as a Trojan horse, a program that
appears to be useful but actually masks the destructive program. Some of these
programs execute randomly; others are designed to remain inert in software until a
certain code is given. When it detects the cue, the bomb will explode months, or
even years, after being “planted”.
A macro virus is a virus that uses an application‘s own macro programming
language to distribute itself.
Unlike the viruses mentioned earlier, macro viruses do not infect programs, they
infect documents. The document could be a letter created using a word
processing application, a graphics file developed for a presentation, or a
database file.
Macro viruses that are hidden in a document file can be difficult to detect. As
with other viruses, however, virus detection and correction programs can be
used to find and remove macro viruses.