Shaw offering Free Broadband for a Year? Or a Phisher?

By , November 9, 2007 12:53

Really? A FREE YEAR of Broadband?!? Nobody gives away a free year…

Recently I’ve received copies of a phishing attempt that looks like it’s from Shaw (a cable/internet/telephone service company in Canada). This phishing attempt is similar to the eBay and banking phishes of the recent past, in that it does NOT resemble a ‘real’ email but rather a fictional one meant to get people excited; in this case, instead of warning the user, it attempts to provoke a positive reaction with “getting free internet for a year”. Whoopie! A year’s worth of internet from Shaw isn’t that expensive. Phishing attempts are typically NOT viral or malware oriented, but they certainly can and do use such methods. In this case it looks like a standard email spam sent via exploited web sites.

This is a sophisticated method. It uses a style similar to the one Shaw uses in its correspondence and uses a legit, if inappropriate, email address. The email was generated and sent using multiple methods, so tracking it will be harder to accomplish. Below I show the details of the spam and my analysis. Our whois data is included in the rest of the article.

First off, I will point out the RED FLAGS in this phishing attempt:

#1 – “A Free Year of Broadband” – This doesn’t make sense. Shaw has trademarks and service marks that it would use to advertise its broadband internet service. Only someone ignorant of Shaw’s trademarks would say this. It’s really unlikely anyone who really works for Shaw would make this error.

#2 – Canadian Law states that any ‘contest’ or ‘giveaway’ contain details of said event. In most cases it’s prudent to disclaim whether or not the contest is allowed in Quebec, since the law is vastly different, and Quebec law generally does NOT allow this type of contest. (Disclaimer: I’m in no way a lawyer, but I am aware of consumer rights.) Missing the disclaimer is a definite flag.

#3 – The email that is seen in the From: header is not a normal Shaw correspondence email account.

#4 – The link clearly shows a ‘secure’ link, but in no way is it going to a ‘secure’ site.

#5 – Typical email headers (on email from Shaw) are missing.

So just upon a quick review of this email we can deduce that it’s not a valid email. To get more pertinent details I’ll analyze these emails in detail. I won’t paste the email headers in their entirety, and anything redacted is shown as ‘XXXXXXXX’ to avoid email harvesting, but I will show you the details that were most noteworthy.

The return-path was interesting. One was apache@utel16.besthosting.com.ua, the other one was nobody@omega.omc.net.

This would indicate to me that the web server sent this email, and in typical hosting fashion, it would be doing so via a script on one of the hosts or virtual hosts on the system.

None of the received headers would indicate anything unexpected here; “omega” even has SSL/TLS enabled but verify set to no.

The header in one of the emails is very interesting:

Date: Thu, 08 Nov 2007 20:49:28 +0200
From: "Shaw Communications Inc." service@shaw.ca
Subject: Win a year of free broadband
To: XXXXXXX@shaw.ca
Reply-to: service@shaw.ca
Message-id: XXXXXXXXXXXXXXXXX@utel16.besthosting.com.ua
MIME-version: 1.0
Content-type: text/html
X-PHP-Script: 213.186.117.120/~loveterra/indexzz.php for 82.208.212.146

The date and time indicate an Eastern European time zone. I know Shaw doesn’t have any servers in Europe…

The X-PHP-Script header shows a very interesting detail of where this email came from. We’ll come back to this IP in a bit. But this is a key indicator of an exploited web site on a hosting company or something similar. This IP definitely hosts a web server, and with the above-mentioned user account, but at the time of checking this link generated an error.

The “for” address, 82.208.212.146, is interesting, as it resolves to:

whois -h whois.geektools.com 82.208.212.146 …
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.ripe.net.
Results:
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '82.208.212.0 - 82.208.212.255'

inetnum: 82.208.212.0 - 82.208.212.255
netname: ITSOLUTIONSNET
descr: ITSolutions, Obrenoviceva 124 4/10
descr: 18000 Nis
descr: Serbia and Montenegro
country: CS
admin-c: IS1188-RIPE
tech-c: AZ919-RIPE
status: ASSIGNED PA
mnt-by: PTTSRBIJANET-MNT
source: RIPE # Filtered

person: Ivan Stankovic
address: ITSolutions
address: YU
e-mail: i.stankovic@my-its.net
phone: +38118512796
fax-no: +38118512797
nic-hdl: IS1188-RIPE
source: RIPE # Filtered

person: Aleksandar Zakic
address: ITSolutions NET
address: CS
e-mail: a.zakic@my-its.net
phone: +381-63-222-361
fax-no: +381-18-512-797
nic-hdl: AZ919-RIPE
source: RIPE # Filtered

% Information related to '82.208.192.0/19AS13091'

route: 82.208.192.0/19
descr: JP PTT Srbija
descr: PTT Srbija Net
origin: AS13091
mnt-by: PTTSRBIJANET-MNT
source: RIPE # Filtered

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.

Reviewing the other IP address in the X-PHP-Script header gives us this info:

whois -h whois.geektools.com 213.186.117.120 …
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.ripe.net.
Results:
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '213.186.117.0 - 213.186.117.143'

inetnum: 213.186.117.0 - 213.186.117.143
netname: UTEL-DC5
descr: Utel DataCenter networks. Colocation
country: UA
admin-c: UNOC-RIPE
tech-c: UNOC-RIPE
status: ASSIGNED PA
mnt-by: AS6877-MNT
remarks: INFRA-AW
source: RIPE # Filtered

role: Utel NOC
address: 101, Volodymyrska str.
address: 01033, Kyiv, Ukraine
phone: +380 44 2359001
fax-no: +380 44 2304560
e-mail: noc@utel.net.ua
admin-c: OLE-RIPE
tech-c: BES100-RIPE
tech-c: OLE-RIPE
tech-c: JIM-RIPE
tech-c: ALT-RIPE
tech-c: UHM-RIPE
nic-hdl: UNOC-RIPE
mnt-by: AS6877-MNT
source: RIPE # Filtered

% Information related to '213.186.112.0/20AS16124'

route: 213.186.112.0/20
descr: Utel DataCenter, Ukraine
origin: AS16124
mnt-by: AS6877-MNT
source: RIPE # Filtered

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.

So, it looks like someone, possibly in Serbia and Montenegro, ran a cross-site script residing on a server in the Ukraine against utel16.besthosting.com.ua, which sent the email. One would actually have to test this out to confirm it, which I have not done. This is a dangerous step I decided to avoid for brevity.

Looking at another similar email we see:

Date: Tue, 06 Nov 2007 23:24:54 +0100 (CET)
From: "Shaw Communications Inc."
Subject: Win a year of free broadband
To: XXXXXXXXX@shaw.ca
Reply-to: service@shaw.ca
Message-id:
MIME-version: 1.0
Content-type: text/html
X-Authentication-warning: omega.omc.net: Host localhost.omc.net (127.0.0.1) claimed to be omega.omc.net

But we can see the authentication warning from this server. No detail unfortunately.
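The header checks walked through above, collected into one function as an added example (not code from the original post). The list of web server account names, the brand domain parameter and the expected UTC offset range for a Canadian sender are assumptions, as is pairing the "apache" Return-Path with the first message.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Header fields as quoted in the post (redactions kept). The angle brackets and
# the pairing of this Return-Path with this message are assumptions.
SAMPLE = """\
Return-Path: <apache@utel16.besthosting.com.ua>
Date: Thu, 08 Nov 2007 20:49:28 +0200
From: "Shaw Communications Inc." <service@shaw.ca>
Subject: Win a year of free broadband
To: XXXXXXX@shaw.ca
Reply-to: service@shaw.ca
Message-id: <XXXXXXXXXXXXXXXXX@utel16.besthosting.com.ua>
MIME-version: 1.0
Content-type: text/html
X-PHP-Script: 213.186.117.120/~loveterra/indexzz.php for 82.208.212.146

"""

# Assumption: local parts commonly used by web server processes.
WEB_ACCOUNTS = {"apache", "nobody", "www-data", "httpd", "www"}


def in_brand(domain, brand):
    """True if domain is the brand domain or one of its subdomains."""
    return domain == brand or domain.endswith("." + brand)


def analyze(raw, brand="shaw.ca", utc_hours=(-8.0, -2.5)):
    """Return a dict of suspicious header findings for a message that claims
    to come from `brand`. `utc_hours` is the UTC offset range (in hours)
    expected from the brand's own mail servers (assumed values)."""
    msg = message_from_string(raw)
    findings = {}

    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_addr = parseaddr(msg.get("Return-Path", ""))[1]
    rp_local, _, rp_dom = rp_addr.lower().rpartition("@")

    # From: claims the brand, but bounces go somewhere else entirely.
    if rp_dom and in_brand(from_dom, brand) and not in_brand(rp_dom, brand):
        findings["return_path_domain"] = rp_dom
    # Envelope sender is a web server account: mail sent by a script.
    if rp_local in WEB_ACCOUNTS:
        findings["web_server_account"] = rp_local

    # Message-ID is stamped by the first host that handled the mail.
    mid = re.search(r"@([^>\s]+)", msg.get("Message-ID", ""))
    if mid and not in_brand(mid.group(1).lower(), brand):
        findings["message_id_domain"] = mid.group(1).lower()

    # X-PHP-Script: "<host>/<path> for <address>", as seen in the post.
    php = re.match(r"(\S+?)(/\S*)?\s+for\s+(\S+)$",
                   msg.get("X-PHP-Script", "").strip())
    if php:
        findings["php_script"] = {"host": php.group(1),
                                  "path": php.group(2) or "",
                                  "for": php.group(3)}

    # Date: offset outside the range the brand's servers would use.
    try:
        offset = parsedate_to_datetime(msg.get("Date", "")).utcoffset()
    except (TypeError, ValueError):
        offset = None
    if offset is not None:
        hours = offset.total_seconds() / 3600
        if not utc_hours[0] <= hours <= utc_hours[1]:
            findings["utc_offset_hours"] = hours

    # Sendmail-style warning, as in the second message from omega.omc.net.
    warning = msg.get("X-Authentication-Warning")
    if warning:
        findings["auth_warning"] = " ".join(warning.split())
    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

The two addresses in the `php_script` finding are the ones to run through whois, as the post does.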

Regardless, the viewable content of these two emails is identical, including an ‘official’ Shaw footer to further reinforce its legitimacy, but it’s futile. These are NOT from SHAW.

The content is included below in plaintext. However, to ensure not even ‘google’ browses the evil link from our site, I have sanitized it so it breaks. Details to fix will be below the actual email content:

Content-Transfer-Encoding: 8bit

src="http://www.shaw.ca/NR/rdonlyres/A6D66548-142E-47F8-AF4A-3CEE597378BC/0/logo.gif" align=baseline border=0>

.win a year of free broadband

To access this survey, and register for relevant offers from Shaw Communication Inc. please take a minute to register by using the link below.

After downloading and installing the file below, you will be taken to Shaw Communication Inc. survey.

https://secure.shaw.ca/apps/secure/vhub/Survey.exe

2007 Shaw Communications. All Rights Reserved.

209.85.15.18 is the address replaced above with “Removed.example.com”. This address resolves to:

11/09/07 14:19:19 whois 209.85.15.18@whois.geektools.com
whois -h whois.geektools.com 209.85.15.18 …
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.arin.net.
Results:

OrgName: Everyones Internet
OrgID: EVRY
Address: 390 Benmar
Address: Suite 200
City: Houston
StateProv: TX
PostalCode: 77060
Country: US

ReferralServer: rwhois://rwhois.ev1servers.net:4321/

NetRange: 209.85.0.0 - 209.85.127.255
CIDR: 209.85.0.0/17
NetName: EVRY-BLK-15
NetHandle: NET-209-85-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1SERVERS.NET
NameServer: NS2.EV1SERVERS.NET
Comment:
RegDate: 2005-12-14
Updated: 2006-11-28

RAbuseHandle: ABUSE477-ARIN
RAbuseName: Abuse Department
RAbusePhone: +1-713-579-2850
RAbuseEmail: abuse@ev1servers.net

RNOCHandle: NOC1445-ARIN
RNOCName: Noc
RNOCPhone: +1-713-579-2850
RNOCEmail: noc@ev1servers.net

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-214-782-7802
OrgAbuseEmail: abuse@theplanet.com

OrgNOCHandle: NOC1445-ARIN
OrgNOCName: Noc
OrgNOCPhone: +1-713-579-2850
OrgNOCEmail: noc@ev1servers.net

OrgTechHandle: VST3-ARIN
OrgTechName: Stinson, Valarie
OrgTechPhone: +1-713-579-2850
OrgTechEmail: admin2@ev1servers.net

# ARIN WHOIS database, last updated 2007-11-08 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

At this point this site seems to be up. Anyone receiving any email similar to this should simply delete it.

If you think it really is legit, call Shaw directly and ask them BEFORE you click on the link. I feel this analysis is accurate and is limited in its conclusions. However, I hope it serves to help or assist anyone else who seeks to eliminate phishers and other scammers.
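Red flag #4 (a link that displays a ‘secure’ Shaw address but goes elsewhere) can be checked mechanically. The following is an added example, not code from the original post; the href in the sample is a constructed placeholder (the post removed the real link), and the list of executable extensions is an assumption.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: file extensions treated as executable downloads.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".msi"}

# Constructed sample: the visible link text is the one shown in the email;
# the href host and path are placeholders, not the real target.
SAMPLE_HTML = """
<p>After downloading and installing the file below, you will be taken
to Shaw Communication Inc. survey.</p>
<a href="http://removed.example.com/PLACEHOLDER/Survey.exe">https://secure.shaw.ca/apps/secure/vhub/Survey.exe</a>
<p><a href="https://www.example.org/help">Help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Return one report entry per link whose real target contradicts
    what the reader is shown, or that points at an executable."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()

    report = []
    for href, text in collector.links:
        target = urlsplit(href)
        # Only compare when the visible text itself looks like a URL.
        shown = urlsplit(text) if "://" in text else None
        flags = []
        if shown and shown.hostname and target.hostname \
                and shown.hostname != target.hostname:
            flags.append("host-mismatch")
        if shown and shown.scheme.lower() == "https" \
                and target.scheme.lower() != "https":
            flags.append("fake-https")
        if posixpath.splitext(target.path)[1].lower() in EXECUTABLE_EXTS:
            flags.append("executable-download")
        if flags:
            report.append({"shown": text, "href": href, "flags": flags})
    return report


if __name__ == "__main__":
    for entry in check_links(SAMPLE_HTML):
        print(entry["flags"], entry["shown"], "->", entry["href"])
```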

Report on Cyber Crime

By , March 1, 2006 10:15

…for lack of a better title.

Or for those more whimsical:

 

Cyber Crime Enforcement – Strengths and Weaknesses.

 

Definition of Cyber-Crime:

 

“a criminal offence involving a computer as the object of the crime, or the tool used to commit a material component of the offence.” 1

 

The police define two ‘types’ of cyber-crime: one where the computer is the ‘TOOL’ (like a pry bar or similar implement, the computer is used to assist in the crime); the second where the computer is the ‘object’ of desire (identity theft, cyber-stalking, unauthorized intrusion, etc.), just as when a house, business or other property is damaged.

Looking at these definitions, I would say that pretty much summarizes the capacity of the computer in most of what we see in today’s crime reports. The problem with these definitions is their subjectiveness to the way we use computers ‘at the moment’, and more importantly how they are legally allowed to be used. When the ‘use’ of computers changes, so does how we look at them.  They do lack clarity for other types of crime and newer challenges to cyber-crime.

 

 


Let me give you a quick example. In the 50’s to 70’s computing was centralized, and it was foreseen at the end of this era (mid 80’s) that no one would need to have a computer and that all data would fit into large data storage areas and archives. Today we foresee huge growth in data mining and farming, as well as private sector compliance with current legislation, and expect that SAN (storage area network) deployment will be the largest growth sector in the computing industry through 2010. This means we need more stuff to store our data in.

 

In between (mid 80’s to 2000) we decentralized. Yes, the birth and adolescence of the PC made everyone aware that we all could become data collectors, and in some cases it made more sense to be your own data collector (for instance letters, emails, game saves, etc.) because during this time your ability to store data improved vastly.  In the early years of the PC, both memory and hard disks were very expensive. Only rich and foolish people used hard disks in the beginning of PC computing. Later the technology became more reliable, and the costs dropped to levels where average consumers could buy them [average?...]. The first hard disks would take a 2000 system and double the price in some cases simply for 10 or 20 megabytes of storage. It was not cheap, but much less than the price tag of 45,000+ (at the time) for a multi-disk array. Over the years getting more and more data storage became the result of filling more hard disks. Today having a terabyte or two of storage is not unrealistic.

 

However, I believe the PC industry is realizing the limitations of this decentralization, is falling into the pit of 'convergence' and is truly seeing itself in everything around us, and our data needs are being reconsidered as well. Yes, why couldn't we have a computer whose sole task is to display art? Sure we have paintings and statues, but why not have a computer do that for us? I'm sure it would be cheaper, and if someone stole it, we'd restore a backup from somewhere else.  But we don't need to store World of Warcraft on this same box?  Does it make sense to?

 

What this means is that we now will use computers not as the Swiss army knives we've grown to use them as over the years (if in doubt ask the average non-techie what they are going to use the computer for) but as tools specific to the job, just like a hammer or drill. This computer will watch our perimeter, this one will handle the email and news, this one will be the general browser, this will be the 'office' PC(s), this one will be a file server, this will be a media server, etc. Since my computer that shows my art doesn't actually contain any data nor store anything, it just needs an Ethernet connection to update its changes, and to turn off when I stop paying the bill. So that's why there is a LAN port waay up there.

 

So yes, how police view 'computer crime' or cyber-crime, will have a direct impact on how we use our computers, and what actually constitutes a crime against or using one.

 

Encarta Dictionary has one subjective definition of 'crime':

 

"a shameful, unwise, or regrettable act"

 

Some people feel that way after buying (or selling) a stock. That doesn't make it a crime. Some people feel that way after other non-criminal acts. This is why it's important to understand what is a crime, and is it really criminal to me. I'm sure the computer is no exception to an area people work or play around where the regular crime vs. legal use comes into play.

 

Everyone knows racing cars on the street are illegal, but people do it everyday. Most get away with it because of the tolerance in society towards it. So if we were a racer, we'd probably allow this to occur, but if someone tried stealing a set of hub caps off a fellow racer we'd probably do something to stop that, even report them for theft at an illegal race gathering ;) Or, how about panhandling and begging or the worst, squeegee-kids who ask for money cleaning your windshield. We may even report them to the police, but all they do is scare them off temporarily. There is nothing else to do that is 'worthy' here, unless one of them gets killed in front of a dumpster. So here goes a crime that we tolerate and ignore for the most part.

 

Another example is kids. Kids ponder these items every day (well we used to I'm not sure about today's kids so much).

 

We'd know that Mrs. Abbot down the street will call our folks and the police if anyone wanders into her yard and tries to get apples from her trees, but the kids do it anyways, because she has the best apples (forbidden fruit anyone?). The police never charge anyone, they simply warn the kids not to bother the lady or her apples. We agree with our halos spit-polished, and our fingers crossed behind our backs.

 

Trespassing is against the law, and the police could easily charge these kids (us) with this crime, however it's unlikely we'd be convicted as it could be defended that there is no signage to indicate 'normal activity' may be deemed trespassing.

 

Yes, you do not need permission to enter someone's yard if you are there for a purpose. (Again, once you commit a crime on the property you now void yourself of that right), so until we get that apple we are ok. Since we are familiar to the property owner, the owner should make a clear statement as to whether we are welcome or not. By doing nothing the law states that this is permission. Now if you are fearful for your life, calling 911 and reporting it as such is appropriate, but we'll assume most women are not afraid of a group of 6 year olds[?].

 

Also there are no locks applied to the gates further indicating ‘authorized use only’. Yes bypassing a lock is referred to as ‘breaking’, and then ‘entering’ the property, so is a criminal offense (unless the lock is a safety hazard). Imagine if she had only gotten a big noisy dog.

 

So what am I going on about apples and six year olds for? Well this is a good example of where ‘practically, or technically’ we have a law being broken and a clearly definable AND chargeable instance that occurs, yet it probably never will be seen in a court of law since ‘reality’ would not deem this worthy or ‘worth’ the effort of laying charges, going to court, etc. But comparing this to cyber-crime and you can see where the same ideas in a computer or network could be highly suspect and may very well lead to a criminal charge. Sure Mrs. Abbot tried, but the law didn’t see any damages. ABC Corporation on the other hand will look rather unfavorably towards unauthorized use of company resources, or in the case of this text, it should take a very serious look at this. This isn’t just apples.

 

‘Classification’ of crime. This is where you’ll see no lack of correlation between ‘brick and mortar’ types of crime and cyber-crime.

 

When it comes to the Internet, every second, hundreds if not thousands of crimes occur on computers, and this statistic is growing rapidly, however many of these are just like our apples and six year olds example, they are not worthy of reporting or even taking seriously because of any array of reasons. I’ll call these ‘false-crimes’, just like we saw the ignored-crime above. They may or may not be crimes, but we won’t take them seriously as crimes by themselves.

 

Some of the false-crimes, namely but not exclusively, are:

 

Portscans. Most jurisdictions define this as annoying, and not criminal, but its role in a real cyber-crime cannot be ignored.

 

Vulnerability detection. These also may or may not apply to your computer, most aren’t so these tend to be forgotten also. Again, in a real cyber-crime you cannot ignore this.

 

Atypical Network activity. This is the kind of stuff you typically see, but you’re seeing it in a new or different light in this case. Is it bad software, a broken NIC, vulnerability scans on a PC? Who knows.

 

IPS false positives. Yes, badly tuned instruments of protection can start causing grief all the way down the chain of command. This can lead from wasted diagnosis to improper enforcement to unnecessary weekend rebuilds of computers and/or networks.

 

Misdiagnosis. Yes, you thought World War 8 broke out in the server room, but it was a random test from an authorized pen-tester you hired last week. You wasted all day before recalling that fact, maybe even wasted some other folks’ time too. It’s a funny thing to think, but it does happen. Well, maybe you did some ground work for that report the pen-tester will hand in next week, if you’re lucky.

 

Now, on the other hand you may have something more serious; we’ll call it a ‘true-crime’, not to be misread as an actual crime but just to differentiate it from a ‘false-crime’, which also may or may not be a crime. T-crime = we believe this is a crime we should deal with; F-crime = we don’t believe this is a crime we should deal with.

 

Some examples that could be counted as a ‘true-crime’ follow, but then again this is subjective to the person or corporation.

 

 

Intrusion. Access gained by an intruder. Intruder defined as someone without authorized access.

 

Break in. A vulnerability has been used, and an open door left behind for the attacker. This could be reused but go unfound for some time, so it’s not a true match for a property break in, where open doors are usually detected immediately and fixed. Of course we can monitor connections and see if the break in reoccurs.

 

Data theft. Due to intrusion and/or break in and/or by authorized access, data is taken without permission and removed and/or copied to other medium.

 

Data loss. Due to some reason, data is lost to the company, typically from permanent loss of tape archives. This has been mislabeled as a crime, when in most cases it’s been seen that careless handling and usage of archives is typically the problem. If better tracking and control methods were integrated, the losses would not occur. Now if a company has decent procedures, and they are neglectfully not followed, would that be a criminal offense?

 

Forensic costs. Costs associated with recovery of data or systems. Sometimes misused as cleanup and other costs (replacement of hardware, appropriation of licenses, etc.) which should be avoided. (i.e. ‘You probably needed that firewall BEFORE the intrusion also’)

 

Unauthorized access. Someone (or thing) using the system without authorization to do so.

 

Use of unauthorized hardware/software. This is where nearly everyone who works for a company will fall victim. Some companies are not that concerned, others can be very concerned. But connecting or installing anything to a company owned ‘network’ and/or ‘infrastructure systems or subsystems’ can also be considered criminal. Typically you just lose your bonus for the year ;)

 

Unprivileged use of systems. Another area of growing concern (thanks in part to effective management of group policy) is how much use is being done with privileges that the user should not have. Or worse, someone from outside your company has found an open door, and simply walked in.

 

Unauthorized installation or removal of hardware/software. Here again is a fuzzy area that may or may not be a problem in some corporations, where it should be very concerning. If you are adding or removing hardware for ‘any’ reason, it should be documented. If you audit the hardware on your boxes (for licenses, product fitness, etc) then this simply should not be allowed. If it is then it’s clear that you deem this inappropriate behavior and can follow up as necessary. If not, then what? What if you don’t document or audit your hardware? It may sound silly to some but what if someone ‘adds’ hardware to your network? This could be the cause of bigger issues like intrusion, theft of bandwidth, theft of storage.

 

Theft of hardware/software. A traditional crime with a high tech face. Hardware theft is pretty obvious, ranging from petty to grand larceny. Software theft can be more insidious, ranging from ‘borrowing’ licensed goods, to taking exact copies from backups restored to different systems, to copying licenses for use elsewhere. In some cases this is done to commit further cyber-crimes (using stolen hardware for cyber-stalking, or breaking into other systems, using credentials stored in hardware to access systems, replacing licenses, etc.; there was even a case of an NOC being robbed and the property used by a competitor to start up).

 

Cyber-stalking. This is a newer and older type of crime rolled into one term. The traditional stalking in relation to computers is still performed but in some cases with the use of tools freely available to anyone. From debt tracking, to credit checks, to phone lists, memberships, etc., tracking down someone on the internet is not that hard if you can find the resources and they allow you to use their systems. Lots of this stuff is supposed to be ‘access restricted’ but I’ve seen cases where if your visa card works, it’s ok for us to allow you usage. Newer stalking is less direct, but just as personal, where someone goes to every site and/or IM network you are in and continuously sends you messages either decent or otherwise, whether you want them or not. Sometimes this gets confused with addictive personality behavior, but it can get really out of hand, such as when someone flames you everywhere you go.

 

Theft of Bandwidth/Storage. This used to mean after access, someone used your bandwidth or storage for their nefarious purposes, but not so much anymore. Nowadays it can mean using someone’s web site too much. How silly is that?

 

Misc. Harassment or Abuse of person(s). This covers more normal usage used inappropriately. Such as sending a legit email to simply harass someone.

 

And the list grows on and on. This is by no means a complete list, nor an accurate definition of each type. Nearly every law enforcement office in Canada had its own definitions, and only two used the Canadian Police College definition of cyber-crime.

 

How you view these types of behavior vs. the type of incidents that are ‘typical’ on a daily basis depends on what you do with your systems, but there is little correlation between the problems ‘in your yard’ vs. ‘the worthy’ ones.

 

So we can see that the technical reality of cyber-crime and the actual concern of the legal system are not equal. This is why in the past when definitions were less meaningful most institutions would not bother law enforcement with their ‘internal’ problems. However as organized crime gains larger and larger access to today’s public systems, the protection of these systems should grow systemically. They do not.

 

This is why it will become misleading to gauge our ability based on public protection. One needs to understand and know how to identify acceptable use and unacceptable use; determining to what degree that use is classified for punishment is then critical. This will allow persons or corporations to take appropriate action with issues rather than respond either too seriously or leniently.

 

Today though, a growing number of (corporate) citizens are feeling that law enforcement needs to take a larger role and become the gatekeepers so to speak. This is the wrong approach. People, and more importantly corporations, need to address their own ‘law enforcement’ approach with their systems, and understand that they have a great role in the society that organization has created for itself. Understanding how to track and report, and ultimately deal with its own ‘law breakers’ will go a long way to assisting the public at large with understanding what it is dealing with. Is it a CEO that is viewing child porn who needs to be sent to therapy to straighten out (as well as taken out of a pivotal role; the company needs a stable person at the helm), or is it a saboteur that is slowly stealing resources to slow down some project’s completion, or is it a mole stealing data from the warehouse?

 

 

StatsCan does not look at all the types or classifications of cyber-crime the same, (and I should say nor should they) they state:

In addition to cyber-crime, there is also computer-supported crime which covers the use of computers by criminals for communication and document or data storage. This type of crime is not included in the definition of cyber-crime used in this report.

The terms computer crime, computer-related crime, high-tech crime, cyber-crime and Internet crime are often used interchangeably when police and other information sources are discussed.

 

One of the more important pieces of legislation our government has passed is Bill C-15A. This bill is specific in regard to child pornography.

 

Bill C-15A – Legislation to better protect children from sexual exploitation:


Creates a new offence that targets criminals who use the Internet to lure and exploit children for sexual purposes;

Makes it a crime to transmit, make available, export and intentionally access child pornography on the Internet;

Allows judges to order the forfeiture of any materials or equipment used in the commission of a child pornography offence;

Enhances the ability of judges to keep known sex offenders away from children by making prohibition orders, long-term offender designations and one-year peace bonds available for offences relating to child pornography and the Internet; and,

Amends the child sex tourism law enacted in 1997 to simplify the process to prosecute Canadians who sexually assault children in other countries.

Source: Department of Justice Canada: 2002

 

Just as interesting is when we look at the NIBRS report of 2000:

Three classification categories arise, against person, against property and against society.

 

We do not differentiate against these categories but they may be worthwhile in a criminal case. Simply put it is a case against a noun, and we will defend against the noun. Our English prof would be so proud.

 

We see that the computer is never the victim in a sexual crime (whew!) so it doesn’t generate any stats towards this, but in a murder it did! Hasn’t everyone wanted to kill a computer now and then?

 

We can also see how there is no civil definition over some of our classifications, for instance we are not concerned about murder as that is not a cyber crime, but hold on you say. Let’s pretend you contacted an assassin in secret over an encrypted session on the internet? Now we would want to see, legit access (??) to gain information discussed in that session. This is where one would traditionally wiretap the session and gather the information this way. I do not see this as a cyber-crime.

 

Ok, how about this one. Thanks to the Internet and eBay, we now have widespread Internet fraud. Well, there were those 419 schemes, aka Nigerian email scams. It’s amazing how well these work. Anyways, Internet fraud is now as common as regular fraud:

 

 

 

Amazing that business fraud is at the bottom of this chart, or is it? Not bad for the first year.

 

Well maybe most businesses accept responsibility for being shafted and don’t look at everyone as a thief. Then again maybe most do, but they are just nicer to them ;)

I still think that this type of fraud will always be underreported regardless of reason. ID theft however I think is becoming a bigger issue, and at this stage it was not being diagnosed correctly by most seeing the reports.

 

 

But we can see that since these are two widespread uses of cyber-crime people highly want these controlled. Here industry has shown it cannot nor will not police itself even though both actions are clearly against most industries’ ‘acceptable use’ policies or similar papers.

 

Now let’s keep in mind, most XXX web sites forbid the use of child pornography, and will terminate anyone’s account associated with allowing minors to access the material or sharing content consisting of minors.

 

They make good money legitimately, so why would they screw around with child porn or people associated with it? So where are the problems? Instant Messaging, and web cams. These two areas have allowed kids to become unwitting porn stars (or in some cases wittingly) or be stalked by sexual predators seeking minors.

 

eBay has a lot of processes involved in making sure that the auctioneers and the buyers are on the up and up as well. They have created some of the keener ideas at self-policing, such as feedback, that keep the place from completely going to hell. Yes it appears peer pressure is still the most effective, but then there are a few who seem to have no conscience.

 

Yes, regardless of even the FBI getting them, some think they have a right to defraud you. It’s truly sad but a fact that about 3-5% of all online auctions end in fraud. For the record, eBay has one of the lowest ratios in the business (and they dominate it!), but this also means they have the lion’s share of the numbers.

I heard of one guy selling stuff he really didn’t have to get enough money to leave town. Yep, he was using a friend’s computer and account. Nice friend.

Well the reality of most fraud is it occurs randomly, and it’s hard to know just when someone is going to do so.

 

But is auction fraud ‘really’ cyber-crime? Isn’t this the same good old-fashioned fraud, just using eBay instead of the back alley? Some say that the fact that you can do this over the Internet gives one a bigger audience, better tools, faster response, easier hiding out, and makes it easier to pull off, but still it’s the same old crime.

Nowadays encountering direct forgeries of goods is becoming a huge problem. You buy the popular new X Doll, and you find a site selling them for pennies each. You buy a lot, and then resell them. They look like the goods and everything’s fine, except they were not made by the real manufacturer of X Doll. But you, me, the buyer, the seller: most are not going to notice the difference. Besides, imitators and knock-off producers also are not new; they are just becoming much larger players thanks to on-line auctions and the demand for CHEAP and LOW PRICED goods. More importantly, a global economy is to blame. Good luck changing that one, but is that a cyber-crime or just a victim?

Auction fraud, for instance, is a huge and growing crime area, yet law enforcement does nothing about it unless it’s very large and very serious. We cannot ignore crime because it’s small; this just lets everyone think that no one cares, and that simply isn’t true. But if we spend all our time worrying about pedophiles and rapists who stalk MSN chat, then we will never stop the bigger and more important crimes against society as a whole.

So, there are many crimes being performed either more effectively and/or more successfully due to the advantages of computers and the Internet, but so are many law enforcement organizations.

 

Many are now building and/or using databases for tracking incidents and outcomes. Many are utilizing other databases in the country and internationally to compare and analyze, which is allowing many more law enforcement organizations to be wiser when crime moves from jurisdiction to jurisdiction. This in the past allowed many criminals to simply disappear when a new country would know nothing of an individual, or they might even be illegally hiding there (with or without the knowledge of the local law enforcement) and still be deemed at large in their home country.

Today systems are being built and implemented to allow law enforcement to track the movement of people at such places as airports, shipyards, train stations, bus depots, and car rental outfits. Some are still many years from implementation, and others may already be in place. Some car rental agencies have cameras built into the dashes of the cars that record everything the driver does, like smoking or not wearing a seatbelt, or being recorded speeding at a particular time.

In some places in the UK they can track your movements across town via camera. But I digress; some other time I’ll discuss this.

I for one would like to see a better definition of cyber-crime at all levels of the law, one that clearly removes crimes that are ‘traditional’ but simply use computers as a tool. We are clearly ignoring other, much more important types of crime that are completely missing law enforcement’s radar, either due to lack of interest in upholding the law or lack of ability to properly enforce it; both need to be reviewed and improved.

Cyberspace is a vast and expanding universe that invades all levels of life; as such, integrating laws into this universe is essential to its well-being. However, some may see policing and laws as interfering with the regular day-to-day use and detracting from its purpose. Truthfully, we need to understand what is a ‘traditional’ crime, how technology modifies those crimes, and how technology creates new crimes.

For instance, how would we deal with cyber-stalking using Web 2.0? Food for thought.

 


 

1 This definition is offered at the Canadian Police College, where Canadian police officers undergo training in computer crime investigative techniques.

 

(Source: Report on Cyber-Crime. Statistics Canada Catalogue no. 85-558)
