Cybercrime today

Our blog has thus far only focused on specific types of cybercrime activities and on incident-based arguments, but through this post we attempt to give a more generic overview and cover the state of cybercrime today.

This blog post is inspired by the following video, which reveals some shocking statistics about cybercrime.

http://www.youtube.com/watch?v=7RbUBaQ4Nu8

The numbers shown in the video are definitely not negligible, and they keep increasing every year. The number of cybercrimes each year has grown exponentially since the first attacks several decades ago, but it is apparent that the initiatives we have taken to counter these deeds are not keeping pace.

Today cybercrimes not only affect individuals but also corporations, financial institutions and governments. These attacks cause losses in the form of data, information, money, necessities (like electricity), and so on. And these losses are massive. As (dramatically) exemplified by the video: the information stolen from an ATM within 24 hours costs a million dollars; computer crime has cost America 8 billion dollars over the past 2 years; in 2008, 1 trillion dollars were lost in businesses because of cyber-attacks.

How did we allow such huge problems to arise? Or did everything happen before we could even realize it? I think the second statement is more correct. The Internet is often defined by words like anonymity, speed, low cost, connectivity, no border constraints, mass coverage and so on, and these are the qualities that have made us blind all this while. Moreover, the Internet wasn’t designed with security in mind. Only later did such issues crop up.

Recently, the international police (INTERPOL) took the initiative to intervene in this ever-growing computer security business (which, as of today, is estimated to have a value of 105 billion dollars according to McAfee) and set some rules. Authorities have slowly begun to realize that cyber-attacks can have real and dramatic consequences on nations and economies, and, what’s worse, these consequences will only grow in magnitude with time. At the anti-crime conference held on 18th September 2010, Ronald K. Noble, secretary general of INTERPOL, asserted that “We have been lucky so far that terrorists did not — at least successfully or at least of which we are aware — launch cyberattacks”.

Indeed, in my opinion the first step to fight cyber attacks is to set up solid international rules and regulations, and constant monitoring of internet activities, just like we do in the real world. While some of this is already happening, we still have a long way to go.

“CONGRATULATIONS: YOU HAVE WON ….”

As an Internet user, you have certainly got used to news like “Congratulation”, “You won” or “Donation” popping up, or mails coming from nowhere. I myself receive several mails like that a week, and sometimes even several a day.

It is now a common scenario: people call and tell a person that he has won a huge amount of money because his number was chosen in the lottery or his card was chosen, and even though they are contacting him directly, they are still playing games with him. Many people think their luck has finally come, because the number the callers give is correct, and then such people fall into the trap. If you reply or do anything in response to this kind of email, cyber criminals can hack your email account; if you are using online banking and reveal your personal information, your bank account is at risk of being hacked.

Have YAHOO or MSN & MICROSOFT WINDOWS had any method to warn their users about this risk? Not yet. So far, what users can do is to manually use spam filters. There is still no law stating that it is illegal to cheat people through this kind of spam. Therefore, there have been some cases in which the victims finally had to turn to the police for help. It’s time to take action against this kind of widespread scam rather than let inexperienced users wonder about their sudden luck and get cheated.

http://www.symantec.com/business/resources/articles/article.jsp?aid=20080729_spam_report

This phenomenon has something to do with the big question that my tutor raised during the discussion time. His question was: between virtual rape and cheating online, which one is more severe? In my opinion, virtual rape or any kind of emotional harassment leaves moral hurt, but it has nothing to do with the economic perspective. Online cheating, however, does harm on both sides. The first time I received such spam, I got excited about the sudden luck but was also confused. I thought a lot about that mail, and I am quite sure people receiving it for the first time do too. This does make users upset and a bit angry when they find they have been cheated, just like the way that virtual harassment hurts people’s feelings. But, according to some opinions, that’s just virtual life, as we can choose to ignore it, delete it or choose a new avatar (in the virtual rape case), and it does no real harm to us eventually.

To me, on the contrary, it’s a potential risk. It may temporarily cause no harm, but it certainly will for inexperienced users in the near future unless action is taken against it in time. It will no longer be virtual if some day your email or bank account gets hacked and your private contacts or money are violated. The boundary between virtual and real crime is not clear enough. With this kind of cyber crime, as long as the criminals can make money from it, they will continue.

Criteria to Judge a Cybercrime

During Tutorial 3, we had a deeper discussion on the case of Bungle, who ‘raped’ someone virtually in cyber space. Regarding the question “should anyone suffer real world consequences”, we had a heated debate which resulted in no correct answer on either side. Finally, the tutor summarized that those who held the view that Bungle should not suffer real world consequences were judging a crime by the ‘consequence’ of an action, while the other side, who stuck to the opinion that Bungle should be punished for what he had done, took the view of ‘activity’. This discussion led us to think more seriously about how we should judge a cybercrime.

The case serves as a hook to discuss the criteria for judging a cybercrime, while the two sides of the view are indeed very typical and represent two theories: motive consequentialism and negative consequentialism. The former theory defines an act on the basis of its motive. Namely, according to this theory, an action is not considered wrong if the motive to make the decision to act is good. Therefore Bungle should be punished. Conversely, the latter theory focuses solely on the consequence of an act. That is to say, an act with a bad consequence is regarded as wrong even if the motive to act is good. In this case, Bungle should not suffer real world consequences because no one is harmed in the real world.

Even in defining traditional crime, there is still inconsistency between these two theories. Most of the time, negative consequentialism is more acceptable because the consequence of an act is usually more obvious and visible than the motive to do it. But in certain circumstances, the laws give preference to motive consequentialism for the sake of justice, for example: the distinction between murder and justifiable homicide, which may share the same consequence but have different motives.

Similarly, both motive consequentialism and negative consequentialism should be applied flexibly in establishing the legislation on cybercrime. However, cybercrime differs from traditional crime mainly because it all happens in a virtual world and the consequence in the real world cannot be easily judged. For instance, stealing money through i-banking has a great influence in the real world, while raping an avatar in cyber space does not cause real harm to the user. But it is still not proper to say that unless a valid consequence occurs in the real world, we cannot regard it as a cybercrime. Stealing another person’s personal information or a company’s documents is usually considered illegal even though sometimes it does not harm the victim in real life if the information thief does not take advantage of this information to do wrong.

Well, cybercrime is a newly-born issue, which is inevitable with the development of computing and ICT. Unlike traditional crime, it does not have such a long history of trial and error to test its rationality and feasibility. Fortunately, the criteria and system of traditional crime lend a mass of reference to those of cybercrime when compared carefully. After all, there is still a long way to go before we make the criteria of cybercrime perfect.

Wang Jun

The fifth domain of warfare – Cyber Space

This post is a follow-up to the previous post on cyberterrorism.

After land, sea, air and space, cyber space has become the next platform for warfare. Cyberwarfare is defined by Richard A. Clarke (government security expert) as ‘actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.’

What makes cyberwarfare the next big threat to many countries? In this electronic age almost all government activities have gone online, giving way to the concept of “e-government”. E-Government is an easy and transparent interaction platform between citizens/companies/other governments and government. This means that an excessive amount of data is communicated through the Internet. These data, together with other official information/systems, are named “digital assets” (e.g. official documents, trading systems, personal data…) and are treasured by nations. According to President Barack Obama, the U.S.’s digital infrastructure is considered a “strategic national asset”. In fact, in 2009, this cyberwarfare market was estimated at around 8.2 billion dollars.

On the one hand, digital assets are crucial to countries, but on the other hand cyber weapons are so easily affordable, launched at low cost and deployed within minutes. Cyber attacks are becoming more common, frequent, sophisticated and intellectual.

We all know that the Internet was initially designed for connectivity and convenience rather than security. But the ever-expanding Internet network over insecure platforms and the growing dependence on computers only multiply the opportunities for cyber-attacks. Also, the Internet has reduced distances between countries, which is convenient for hackers since states are now just a firewall away. Manipulating trading systems and financial data, or attacks on power grids, may lead to financial chaos and economic damage within days. Cyber weapons are just too effective and are able to massively destroy, disrupt or manipulate digital content, which worries governments.

The question is: how are these countries fighting against cyber-attacks? More governments are planning to develop defensive and offensive cyberwarfare strategies and capabilities. In July 2010, about 15 countries (including the US, UK, China and Russia) signed an agreement to follow the norms of accepted behaviour in cyberspace imposed by the U.N. This is the first official agreement to fight cyberwarfare.

Singapore had a recent conference in June 2010 which discussed the measures our country should adopt to be prepared and be able to fight cyberwarfare if such a situation occurs. The chief executive of the International Institute of Strategic Studies, Dr John Chipman, said that “the cyber space is unregulated and there is no law of cyber conflict, and no accepted rules or norms of engagement”.

In my opinion, cyberwarfare is probably the most dangerous kind of warfare that our world has seen so far. Cheap, fast and efficient weapons are what nations fear. I think that countries should start taking more action and at a faster pace. Hopefully, the first U.N. agreement will encourage more in the future.

Cyberterrorism and Google Earth

Cyberterrorism is often considered a subset of Cybercrime and it is the “convergence of terrorism and cyberspace” as cited in Denning’s Testimony before the Special Oversight Panel on Terrorism (Denning, 2000). Though there is no universally agreed definition for the term, in short it is the activity of using the Internet to plan and/or execute terrorist attacks. It can mean either attacks on computers or networks in order to steal crucial information, or the use of Internet technologies to plot attacks. This post talks about the latter aspect of Cyberterrorism.

Terrorists use a wide range of technologies to plot an attack, like specialized software (e.g. for hacking), but also freely available tools used by any internet user, such as Google Earth.

Google Earth offers very clear and accurate satellite images of almost every part of the planet, which is creating more and more concern among governments. Their stand is that Google Earth captures very sensitive sites in their countries such as army camps, government buildings and so on. They worry, suspect and sometimes even confirm that terrorists use these images to study the sites in detail and plan their attacks accordingly.

In fact, the only surviving terrorist from the 2008 Mumbai attack has confessed that they used Google Earth to study their target sites and synchronised their acts accordingly.

Google’s take on this is that Google Earth’s noble uses outweigh the misuses of the tool. It says that the tool is used in many life-saving situations during natural disasters, e.g. earthquakes, forest fires and so on. This can be related to the misuse of Craigslist mentioned by Anand during lecture.

The current solution is that many governments blur out images showing sensitive areas and other countries just ban the tool (such as in Iran and Sudan).

But to what extent can governments, especially those of large countries, hide the numerous sensitive places from Google Earth images? And for those countries that ban the tool: aren’t they missing the good uses of the tool as well? What can/should Google do to overcome these issues and complaints? And finally, to what extent can Google or Craigslist be responsible for the misuses, considered as cybercrimes, which have occurred?

President Obama’s Twitter Hacked!

As we all know, Twitter is a micro-blogging website used by millions of people including politicians, movie stars, sports celebrities and so on. People use this medium to express their opinions in a status message format which can’t be longer than 140 characters.

http://news.bbc.co.uk/2/hi/europe/8586269.stm

The above news article is about a young Frenchman who hacked into President Obama’s Twitter account. The accused confessed that he cracked passwords by simply trying different possibilities. He also said that it is against his ethics to steal or destroy any information and that his only aim was to prove that Twitter is vulnerable to attacks.

The hacker’s act is clearly a cybercrime; however, it has made everyone doubt and worry about the website’s security policies. This is called “White Hat” hacking, or ethical hacking, where the hacker’s only intention is to expose the security flaws of a particular system or website.

Now the obvious question is whether anyone can claim to be a “white hat” hacker and get involved in these types of activities?
In my opinion, if ethical hacking becomes an excuse for malicious hackers then there is no end to it. “White hat” hackers should be recognized legally and should work under a recognized firm and hacking should be part of their profession, not their hobby.

http://www.bbc.co.uk/news/10409802

Since the accused was unemployed and hacked into Obama’s account out of sheer personal interest, he was given suspended jail terms.

On another note, to what extent is Twitter to be blamed in this hacking issue? Generally speaking, is a single password enough to verify identity when it comes to social networking websites?

Internet Monitoring over Kids …

Safe Computer Kids – Internet Monitoring

The video shows a recent problem, which started approximately two decades ago, about children growing up with computers and having easy access to the Internet from anywhere and at any time. The issue seems so complicated that even parental monitoring is not possible every time.

Moreover, with the computer at their disposal, it is easier for kids to meet strangers online especially if the computer is placed in the kid’s bedroom. The kid gets complete privacy to do whatever he wishes. And it gets easier to plan out something notorious or dangerous.

Parental checking is so far considered the biggest solution to this issue. It is the parent’s job to make sure what the child is doing while surfing the web. Parents take out some time to discuss what new findings they have made through the web. At the end of the day, protecting their child from cyber crime is in their hands.

This clip reminds me of Ryan’s case, which the professor mentioned on the first day of our class. Not only Ryan, but probably many other kids might have been saved from cyber crime if their parents had turned to such ICT software earlier.

However, are those ICT software tools appropriate for protecting kids from cyber crime?

I start to wonder whether this is a great solution, and if all parents use it to check on their children, how will the kids react? Is it acceptable and legal to give parents the right to keep track of their kids’ online activities on a daily basis? I myself believe “No”, and that it is another kind of crime: privacy violation.