Monday 13 September 2010

Computer crimes (Part 2)

This second article is also a very long one but one I feel is absolutely necessary to read. In reading it, you may save yourself the grief that victims of computer crimes have to endure because they didn’t take proper precautions to protect themselves and their computers from computer criminals.

What constitutes computer forgery? What it means in part is using digital technology to commit a traditional forgery of a document. Any person who creates, alters, or deletes any data contained in any computer or computer network, which, if such person had created, altered, or deleted a tangible document or instrument, will have committed forgery under the general forgery statute of the Canadian Criminal Code and as such, will have committed computer forgery. The absence of a tangible written document directly created or altered by the offender will not be a defense to the crime of computer forgery if a creation, alteration, or deletion of data was involved in lieu of a tangible document or instrument.

Computer forgery also includes illegal access to and interception of computers, data interference, system interference and misuse of the computers for other purposes.

In Canada the definition of computer crime is taken from the International Convention on Cyber crime that was passed on November 23, 2001. Canada contributed to, and is a signatory to, this international convention on criminal offences involving the use of computers: offences against the confidentiality, integrity and availability of computer data and systems; computer-related offences; content-related offences; offences related to infringements of copyright and related rights; and ancillary liability. At the time of this writing, Canada was in the stage of ratifying the Convention on Cyber crime, so in practice the Canadian Criminal Code would contain a set of laws for regulating computer crimes, but it may view some of the offences in a different way.

Still, most of them are classified as follows. The offences against the confidentiality, integrity and availability of computer data and systems include: illegal access, illegal interception, data interference, system interference, misuse of devices. The computer-related offences include: computer-related forgery and computer-related fraud. The content-related offences include: offences related to child pornography. The offences related to infringements of copyright and related rights naturally include everything related to the violation of copyrights and digital rights. The ancillary liability offences include things like attempt and aiding or abetting and corporate liability.

Computer crimes touch a lot of parts of the law, so in Canada various sections of the Canadian Criminal Code deal with various computer crimes. The theft, forgery of credit cards and unauthorized use of a computer are regulated by Section 342. Privacy is regulated by section 184 and personation by section 403. Also, some of the crimes are regulated by Bill C-46. Because Canada has not yet ratified this Additional Protocol to the Convention on cyber crime, the Canadian Criminal Code may not fully address all the criminal offences.

The computer crimes that are still partly excluded from the Canadian Criminal Code at the time of this writing mostly deal with discrimination and include: dissemination of racist and xenophobic material through computer systems; racist and xenophobic motivated threat; racist and xenophobic motivated insult; denial, gross minimization, approval or justification of genocide or crimes against humanity; aiding and abetting those crimes.

A case that is of concern to the general public at the time this article was written involved the xenophobic writings of Salman Hossain, a former resident of Mississauga, Ontario who persistently stated on his web site that Jews should all be exterminated. Advocating genocide is a criminal offence in Canada. The police didn’t put out an arrest warrant against this man because at the time of this writing, authority to do so must come from the attorney general of the province where the offender resides.

There is always the risk that a criminal like Hossain can commit his crime on some other person’s computer so that it looks like the owner of the computer created the site. This happened to my co-author years ago when someone wrote a scathing denunciation of Scientology and it appeared on the Internet as if it emanated from my co-author’s computer. He subsequently received a threatening letter from a lawyer in Toronto representing Scientology in which he was told he would be sued. My co-author was able to convince the lawyer and Scientology that it wasn’t he who wrote the statement.

Generally, the targets of serious computer criminals are companies and individuals from North America and Europe, so the governments that are most affected by cyber crime are making a great effort to provide appropriate legislation. The main problem with computer crime legislation is that the criminal himself can be from any part of the world, and in some cases he will be protected by the local laws, or by the lack of local cyber crime laws.

A criminal act that involves malicious threats intended to cause injury or financial loss to an individual or his company, in order to compel him or her to do an act against his or her will, is extortion. It involves a threat to spread information about the target that will defame his or her reputation or bring about criminal actions against him or her unless some amount of money is paid to the individual making the threats.

Cyber criminals are increasingly targeting companies’ computers with ‘Distributed Denial of Service’ attacks, not just to reduce revenues but also to extort money, and they do this knowing that the companies are likely not to report the losses because of the bad publicity that will come about once the disclosures become public. In many cases, the culprits are cyber criminals operating outside Canada’s legal jurisdiction. Most companies conveniently stay quiet and pay the ransom to offshore banks.

Anti-Distributed Denial of Service attack services cost about $12,000 a month and are available from companies such as AT&T and MCI Inc. The most popular tools used, Cisco Systems Inc.’s Riverhead gear and Arbor Networks Inc.’s intrusion-detection tools, are able to filter about 99% of the attacks by these cyber criminals.

The shadowy world of computer viruses, created by people who take pleasure in creating mischief world-wide, has the potential for causing Armageddon in computers world-wide and seemingly lurks around every corner of the earth where there are computers. This is very much reminiscent of the 1992 "Michelangelo" virus scare that threw the computer industry into panic after experts claimed as many as five million machines could be infected on March 6, 2009, the Renaissance artist's birthday centuries ago. The virus ended up spreading to only a few thousand computers. Such is the challenge faced by computer security experts as they hunt, capture and catalogue literally tens of thousands of new specimens of malicious software, or malware, every day.

The confidentiality, availability and integrity of the data are the most important aspects of any company’s or person’s computer security. Computer security refers to securing a computer from unauthorized access and from internal and external threats such as viruses, spyware, phishing attacks, Trojan horses, hackers and intruders.

Computer viruses are one of the most common threats to a computer. Any online computer can be attacked by viruses and other online threats in less than 20 minutes if it is not using a proper security mechanism. A virus-infected computer can transmit the viruses to the other connected computers in a network. Viruses can harm your computer in a variety of ways: they can corrupt data, corrupt the hard disk, delete the operating system files and crash the system. An up-to-date antivirus program should be installed on computers, and regular scanning of computers should be done to get rid of potentially dangerous computer viruses.

A company’s employees are the people most familiar with the computers inside a company or an organization. There are a lot of cases where the annoyed employees of various companies were involved in sabotaging their company’s computer systems. Employee sabotage includes entering data incorrectly, destroying system hardware, deleting data, changing data and changing the passwords.

A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a malicious programmer may hide a piece of code that starts deleting files (such as a salary database trigger), should they ever be terminated from the company. I worked for a law firm in which a fired employee placed a logic bomb in the firm’s computer system. She was ordered back to correct the problem under pain of being charged and sent to prison. She removed the logic bomb and left knowing that she could never look to the firm for a reference.

The best way your clients can avoid situations like these is to delete an employee’s account after he or she leaves the company so that the former employee can’t have continued access to the company’s computer systems. Secondly, they should regularly monitor the activities of the employees and restrict their access to the sensitive resources in the overall IT infrastructure.
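The account clean-up described above can be checked by reconciling the departure list against the account list. This is an added example, not part of the original article; the field names, the group names and the sample records are assumptions constructed for illustration.

```python
from datetime import date, datetime

# Assumed names of groups that grant access to sensitive resources.
SENSITIVE_GROUPS = {"payroll-admins", "domain-admins"}


def audit_departed_accounts(accounts, departures, sensitive=SENSITIVE_GROUPS):
    """Flag accounts of departed staff that are still usable or were used afterwards."""
    findings = []
    for acct in accounts:
        left_on = departures.get(acct["user"].lower())
        if left_on is None:
            continue  # not on the departure list, so still employed
        reasons = []
        if acct["enabled"]:
            reasons.append("account still enabled")
        last = acct.get("last_login")
        if last is not None and last.date() > left_on:
            reasons.append("login after departure")
        held = sorted(set(acct.get("groups", [])) & sensitive)
        if held and acct["enabled"]:
            reasons.append("sensitive access: " + ", ".join(held))
        if reasons:
            findings.append({"user": acct["user"], "left_on": left_on, "reasons": reasons})
    # Worst cases first, then alphabetical for a stable report.
    findings.sort(key=lambda f: (-len(f["reasons"]), f["user"]))
    return findings


# Constructed sample data: a departure list from HR and an account export.
DEPARTURES = {
    "asmith": date(2010, 6, 30),
    "bjones": date(2010, 8, 15),
    "dlee": date(2010, 9, 1),
}
ACCOUNTS = [
    {"user": "asmith", "enabled": True,
     "last_login": datetime(2010, 7, 4, 23, 12), "groups": ["payroll-admins"]},
    {"user": "bjones", "enabled": False,
     "last_login": datetime(2010, 8, 10, 9, 0), "groups": []},
    {"user": "cdoe", "enabled": True,
     "last_login": datetime(2010, 9, 10, 8, 30), "groups": ["domain-admins"]},
    {"user": "dlee", "enabled": True,
     "last_login": datetime(2010, 8, 30, 17, 45), "groups": ["staff"]},
]

if __name__ == "__main__":
    for finding in audit_departed_accounts(ACCOUNTS, DEPARTURES):
        print(finding["user"], finding["left_on"], "; ".join(finding["reasons"]))
```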

Spyware is another big threat for online computers. It is a type of malware that is installed on computers and collects little bits of information at a time about users without their knowledge. The presence of spyware is typically hidden from the user, and can also be difficult to detect. Typically, spyware is secretly installed on the user's personal computer. Spyware enters a computer in a number of ways, such as when the user visits a spyware-infected website, installs spyware-infected software or accesses spyware-infected online applications. To rid computers of spyware, the user should install up-to-date anti-spyware software and regularly scan his computer with it.

The word phishing is just another way of using the word ‘fishing’, because that’s what is being done in computers. This kind of attack is another growing threat for online computers. It is the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user’s information. Phishing is a type of online deception technique that is designed to steal your confidential information, passwords, credit card information and important login and password details through fraudulent emails. The best solution to avoid this threat is to not open email attachments from unknown and unreliable sources. Secondly, never give your personal information to anyone, even if the emails claim to be delivered from big sources.

In 2003 there was a proliferation of a phishing scam in which users received e-mails, supposedly from eBay, claiming that the user’s account was about to be suspended unless he clicked on the provided link and updated the credit card information that the genuine eBay already had. A similar phishing scam occurred when the scammers used the letterhead of Rogers (which provides cable and wireless for its customers) as a means of fishing for personal ID from those customers who fell for the scam.

Because it is relatively simple to make a Web site look like a legitimate organization’s site by mimicking the HTML code, the scam counted on people being tricked into thinking they were actually being contacted by eBay and were subsequently going to eBay’s site to update their account information. By spamming large groups of people, the ‘phisher’ counted on the e-mail being read by a percentage of people who actually had listed credit card numbers with eBay legitimately.
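Since the page and the e-mail can be made to look genuine, the reliable signal is where the link actually leads. The following check is an added example, not part of the original article; the sample e-mail is constructed and uses reserved example hosts, and the function names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def belongs_to(host, domain):
    """Exact host or true subdomain; 'ebay.com.other.example' does not belong to ebay.com."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


SHOWN_HOST = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def suspicious_links(html, claimed_domain):
    """Return (host, reasons) for links that do not lead where the e-mail claims."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # mailto: and relative links are out of scope here
        host = parts.hostname or ""
        reasons = []
        if not belongs_to(host, claimed_domain):
            reasons.append("leaves " + claimed_domain)
        shown = SHOWN_HOST.search(text)
        if shown and shown.group(1).lower() != host:
            reasons.append("visible text shows another host")
        if re.fullmatch(r"[0-9.]+", host):
            reasons.append("raw IP address")
        if reasons:
            findings.append((host, reasons))
    return findings


# Constructed sample e-mail body (not a real message).
SAMPLE_EMAIL = """
<p>Your eBay account will be suspended unless you update your credit card.</p>
<a href="http://ebay.com.account-update.example/signin">https://signin.ebay.com/</a>
<a href="http://192.0.2.15/ebay/update">Update your account</a>
<a href="https://pages.ebay.com/help/">Help</a>
"""

if __name__ == "__main__":
    for host, reasons in suspicious_links(SAMPLE_EMAIL, "ebay.com"):
        print(host, "->", "; ".join(reasons))
```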

In computer security, social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. A social engineer runs what used to be called a ‘con game’. For example, a person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network in order to get them to reveal information that compromises the network's security. They might call the authorized employee with some kind of urgent problem. Social engineers often rely on the natural helpfulness of people as well as on their weaknesses. Appeals to vanity, appeals to authority, and old-fashioned eavesdropping are typical social engineering techniques used by these con men.

Another aspect of social engineering relies on people's inability to keep up with a culture that relies heavily on information technology. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it. Frequently, social engineers will search dumpsters for valuable information, memorize access codes by looking over someone's shoulder (shoulder surfing), or take advantage of people's natural inclination to choose passwords that are meaningful to them but can be easily guessed. Security experts propose that as our culture becomes more dependent on information, social engineering will remain the greatest threat to any security system. Prevention includes educating people about the value of information, training them to protect it, and increasing people's awareness of how social engineers operate.

Child pornography refers to images or films (also known as child abuse images) and in some cases writings depicting sexually explicit activities involving a child; as such, child pornography is a record of child sexual abuse. It is the visual representation of minors under the age of 18 engaged in sexual activity or the visual representation of minors engaging in lewd or erotic behavior designed to arouse the viewer's sexual interest. Abuse of the child occurs during the sexual acts which are recorded in the production of child pornography, and the effects of the abuse on the child (and continuing into maturity) are compounded by the wide distribution and lasting availability of photographs of the abuse.

Child pornography is viewed and collected by pedophiles for a variety of purposes, ranging from private sexual uses, trading with other pedophiles, preparing children for sexual abuse as part of the process known as ‘child grooming’, or enticement leading to entrapment for sexual exploitation such as production of new child pornography or child prostitution.

Bill C-15A in Canada was an act to amend the Canadian Criminal Code with respect to the sexual exploitation of children on the Internet. It received royal assent in June 2002. The amendments created new enforcement measures for these new offences.

The Act includes the offence of possessing and distributing child pornography and the offence of accessing child pornography. The amendments also make it an offence to communicate with children via a computer system for the purpose of facilitating or committing certain sexual offences, such as child luring or abduction. In the context of the Internet, possession of child pornography usually requires offenders to download material onto a computer hard drive, disk or printer.

Section 163.1(4.1) of the Code, added in 2002, makes it an offence to intentionally access child pornography through such means as Internet browsers (section 163.1(4.2)). On summary conviction, the maximum penalty is a fine of $2000, and/or imprisonment for up to six months. For an indictment, the maximum penalty is imprisonment for up to five years.

Section 163.1(6) and (7) of the Criminal Code extend the defences of artistic merit, educational, scientific or medical purpose and of serving ‘the public good,’ which would apply to existing child pornography offences. In section 163.1, the term ‘child pornography’ refers to any written material or visual representation, whether photographic, film or video, made by any mechanical or electronic means, that:
• shows or depicts a person who is, or appears to be, under the age of eighteen, engaging in (or depicted as engaging in) explicit sexual activities
• has as its dominant characteristic the depiction, for sexual purposes, of a sexual organ or the anal region of a person under the age of eighteen years
• advocates or counsels sexual activity with a person under the age of eighteen years.

Section 172.1 was added to the Code to criminalize electronic communication with a person believed to be a child for the purpose of facilitating the commission of sexual offences. Depending on the offence, the requisite age (real or believed) of the intended victim varies from 14 to 18. Internet luring of children is punishable on summary conviction in which the maximum penalty is a fine of $2000, and/or imprisonment for up to six months. For an indictable offence, the punishment is imprisonment up to five years.

Child pornography may include actual or simulated sexual intercourse involving minors, deviant sexual acts, bestiality, masturbation, sado-masochistic abuse, or the exhibition of genitals in a sexually arousing fashion. In most instances, however, the mere visual depiction of a nude or partially nude minor does not rise to the level of child pornography. Thus, home movies, family pictures, and educational books depicting nude children in a realistic, non-erotic setting are protected by the free speech clause in the Canadian Charter of Rights and as such, do not constitute child pornography.

An increasing number of adolescents and young adults in Canada, with ready access to information, services, and contacts through the Internet, are contributing to the Canadian drug problem by engaging in various types of illegal and harmful behavior. Internet use has grown rapidly in this country, and many young Canadians now use the Internet regularly. The large number of younger Canadians accessing the Internet has encouraged legitimate and illegitimate entrepreneurs, including drug offenders, to market and sell their products to young people through this powerful medium. Many websites, newsgroups, bulletin boards, and chat rooms promote the drug culture by providing a wide variety of information on drugs and drug paraphernalia.

Virtually any prescription drug can be consumed for reasons other than its medical purpose; however, it is usually drugs with psychotropic properties that are the focus of abuse. Some of the more popular prescription drugs for abuse include opiate-based drugs for pain relief, tranquillizers, stimulants and amphetamines, and sedatives and barbiturates. Many of these drugs are being sold to users via the Internet. Unfortunately, sometimes mixing these drugs can have disastrous results.

A whitepaper from web security firm ‘Imperva’ showed that most computer users choose passwords that are not only too short, but far too easy to guess. When Imperva analyzed the 32 million passwords that were recently exposed as a result of the Rockyou.com breach, the findings were shocking. A large number of people didn’t make any effort to keep their account secure when they chose the most common passwords such as simple numeric sequences: ‘12345’, ‘123456’, and ‘1234567’ etc.

Almost 776,000 users chose the above as passwords, while a further 61,958 chose ‘Password’ as their password. Imperva found that 1% of 22 million people they surveyed had used 123456 as their password. Some of the easy to remember passwords were 12345, QWERTY (the first five letters on everyone’s keyboard), 123abc and princess. Using one’s birth date as a password is just as stupid. There must be millions who use their birthdates as their passwords. As an interesting aside, many of the German embassies during the Second World War used Hitler’s date of birth for the combination of their safes. That’s why it was so easy for spies to crack them.

Other common passwords included ‘iloveyou’, ‘princess’, ‘rockyou’, and ‘abc123’. In other words, almost 20% of the users chose names, slang, common dictionary words or simple sequences of numbers or letters, leaving them open to easy hacking.

Another study has found that almost 50% of web surfers use the same or a similar password for all of their internet accounts, so being vulnerable like this could open them up to identity theft. Imperva said that the combination of poor passwords and automated attacks means that in just 110 attempts, a hacker will on average gain access to one new account per second, taking only 17 minutes to break into 1,000 accounts.
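A password can be rejected for the weaknesses described above at the moment the user chooses it. The following check is an added example, not part of the original article or of Imperva's study; the minimum length, the plausible-year range and the sample passwords are assumptions, and the common list contains only the passwords named in the text.

```python
from collections import Counter
from datetime import date

# Passwords the article names as the most common in the exposed set.
COMMON = {"12345", "123456", "1234567", "password", "qwerty", "123abc",
          "princess", "iloveyou", "rockyou", "abc123"}
KEY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 8  # assumed policy value, not a figure from the article


def _is_simple_run(pw):
    """True for ascending, descending or single-character runs (12345, fedcba, aaaa)."""
    if len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1}, {0})


def _looks_like_date(pw):
    """True if eight digits read as DDMMYYYY, MMDDYYYY or YYYYMMDD with a plausible year."""
    if not (len(pw) == 8 and pw.isascii() and pw.isdigit()):
        return False
    layouts = ((pw[4:], pw[2:4], pw[:2]), (pw[4:], pw[:2], pw[2:4]),
               (pw[:4], pw[4:6], pw[6:]))
    for year, month, day in layouts:
        try:
            if 1900 <= int(year) <= date.today().year:
                date(int(year), int(month), int(day))  # raises ValueError if impossible
                return True
        except ValueError:
            continue
    return False


def weaknesses(password):
    """Return the reasons a candidate password should be rejected (empty list if none)."""
    pw = password.lower()
    found = []
    if len(pw) < MIN_LENGTH:
        found.append("too short")
    if pw in COMMON:
        found.append("on the common-password list")
    if _is_simple_run(pw):
        found.append("simple sequence")
    if len(pw) >= 4 and any(pw in row or pw[::-1] in row for row in KEY_ROWS):
        found.append("keyboard row")
    if _looks_like_date(pw):
        found.append("calendar date")
    return found


def audit(passwords):
    """Summarise how many candidate passwords are weak, and why."""
    reasons, flagged = Counter(), 0
    for pw in passwords:
        found = weaknesses(pw)
        flagged += bool(found)
        reasons.update(found)
    return {"total": len(passwords), "flagged": flagged, "reasons": dict(reasons)}


# Constructed sample candidates; the date is an invented birth date.
SAMPLE = ["123456", "Password", "qwerty", "14071985", "T7#qVz!2pLw9", "iloveyou"]

if __name__ == "__main__":
    print(audit(SAMPLE))
```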

The following steps should be undertaken to protect computers:
1. Install an up-to-date antivirus program and regularly scan the computer.
2. Regularly update your operating system with the latest security patches, service packs and hot fixes.
3. Install and configure a software or hardware firewall.
4. Set a very strong password to open the computer.
5. Make backups of your important data and emails.
6. Don’t download anything from insecure websites.
7. Never open email attachments from unknown and unreliable sources.
8. Increase the security level of the computer’s browser.
9. While using MSN messenger, don’t open any links from unknown sources; otherwise the user will lose access to his account.
10. Use a UPS to protect against hard disk failure and data loss due to power failure.

There, you have it. I hope that you have found this article informative and interesting.

1 comment:

Unknown said...

I hope that society will recognize the seriousness of computer crime and demand more severe punishment for such criminals.
by:Computer support specialists