
  1. Chapter 6 Cybercrimes

  2. Spam • Good marketing points? • Cheap • Highly effective PgP BUSA331 Chapter 8

  3. Spam • Bad points? • Estimated to make up roughly 90% of U.S. e-mail

  4. Spam Avoidance • Never reply • Do not publish your e-mail address on web sites where it can be harvested • Use an alias e-mail address in newsgroups • Do not readily give out your e-mail address • Use a spam filter • Never buy from spam

  5. CAN-SPAM • Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 • Does not ban sending spam • Because of First Amendment free-speech limits • Some states have more restrictive laws

  6. CAN-SPAM Requires • Accurate header information and a valid return address • An opt-out mechanism (why not opt-in?) • Clear and conspicuous notice of the right to opt out • Compliance with opt-out requests within 10 business days • Identification of the message as an advertisement or solicitation • The sender's valid physical postal address • Warning labels on sexually oriented material

  7. CAN-SPAM Prohibits • False or misleading header information and deceptive subject lines • E-mail address harvesting and dictionary attacks

  8. CAN-SPAM Enforcement • FTC • State attorneys general • Internet access service providers (ISPs) • No private right of action for individual recipients

  9. CAN-SPAM Prosecutions • Cases brought in Illinois, Florida, New York, California • Bottom line: has done little to impede the spam onslaught

  10. State Spam Laws • Patchwork, non-uniform • Jurisdictional questions • Some impose opt-in requirements • Limited by First Amendment issues

  11. Foreign Spam Laws • Main issue is enforcement across borders

  12. Fighting Spam • FTC (Federal Trade Commission): truth-in-advertising laws against deceptive practices • Trademark infringement, when a brand is spoofed • RICO: Racketeer Influenced and Corrupt Organizations Act • Computer Fraud and Abuse Act: unauthorized computer access used to harvest e-mail addresses

  13. Murking • Spam that cites a bill as if it were law to appear legitimate • Named for a never-enacted Senate anti-spam bill (S. 1618) that spammers quoted to claim their mail was legal • Lesson: bills vs laws

  14. Mail Bombs • Excessive e-mail sent to one address or server to exhaust mailbox quota or server storage • A form of denial-of-service attack
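A mail bomb is visible in mail logs as a burst of deliveries to one recipient. The following is an added example, not code from the slides: a sliding-window detector over constructed log lines in a simplified Postfix-like format. The log format, the recipient names and the thresholds (50 messages or 50 MB per minute) are assumptions chosen for illustration; real thresholds depend on mailbox quotas.

```python
"""Flag mail-bomb style floods in a mail log by sliding-window counting.

Added example, not from the slides.  The log format, the thresholds and
the sample lines below are constructed for illustration (a simplified
Postfix-like 'from=<> to=<> size=' record), not a real server's output.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) smtp in from=<([^>]*)> to=<([^>]+)> size=(\d+)$")


def build_sample_log():
    """Constructed log: normal traffic to bob, a 120-message flood to carol."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    for i in range(5):  # five ordinary messages spread over 50 seconds
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} smtp in from=<news@list.example> to=<bob@corp.example> size=4200")
    for i in range(120):  # flood: 120 messages in 30 seconds from rotating senders
        ts = (base + timedelta(seconds=0.25 * i)).isoformat()
        lines.append(f"{ts} smtp in from=<x{i % 7}@throwaway.example> to=<carol@corp.example> size=900000")
    # Real logs are in time order; the two loops above interleave, so sort by timestamp.
    lines.sort(key=lambda line: datetime.fromisoformat(line.split(" ", 1)[0]))
    return lines


def detect_mail_bombs(lines, window=timedelta(seconds=60), max_msgs=50, max_bytes=50_000_000):
    """Return {recipient: peak_count} for recipients whose inbound traffic exceeded
    max_msgs messages or max_bytes bytes inside any sliding window of length `window`.
    The thresholds are illustrative assumptions; tune them per mailbox quota."""
    recent = defaultdict(deque)  # recipient -> deque of (timestamp, size), oldest first
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore records this parser does not understand
        ts = datetime.fromisoformat(m.group(1))
        rcpt = m.group(3).lower()
        size = int(m.group(4))
        q = recent[rcpt]
        q.append((ts, size))
        while q and ts - q[0][0] > window:  # drop entries that fell out of the window
            q.popleft()
        total_bytes = sum(s for _, s in q)
        if len(q) > max_msgs or total_bytes > max_bytes:
            flagged[rcpt] = max(flagged.get(rcpt, 0), len(q))
    return flagged


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for rcpt, peak in detect_mail_bombs(SAMPLE_LOG).items():
        print(f"possible mail bomb against {rcpt}: {peak} messages within one window")
```

Only carol's mailbox is flagged: 120 messages totalling about 108 MB arrive inside one 60-second window, while bob's five small messages stay under both thresholds. A per-recipient rate limit or quota at the MTA is the corresponding preventive control.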

  15. Permission-Based Marketing • Legal, because the recipient requested it • Opt-in • RSS feed sign up…

  16. Social Engineering and Identity Theft

  17. Ultimate Goal • Steal passwords and personally identifiable information (PII): your 'identity' • In order to profit • The Internet enables this without physical contact

  18. E-mail Spoofing • Forge e-mail header fields (for example From:) • The message appears to come from someone other than the true sender • Why spoof? • Avoid identification under spam laws • Hide identity, avoid liability for illegal activity • Get recipients to download Trojans that hand over control of their computers • Obtain confidential information
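Because the From: header is just text the sender writes, a spoofed message often disagrees with itself: the envelope sender recorded in Return-Path, the Reply-To address, or even the display name point somewhere else. The following added example, not code from the slides, parses two constructed messages (all domains are reserved example names) and lists such disagreements.

```python
"""Compare the sender-identity headers of an e-mail for disagreement.

Added example, not part of the slides.  Both raw messages below are
constructed; the domains are reserved example names.  A mismatch is an
indicator worth a closer look, not proof of spoofing: mailing lists and
third-party bulk senders legitimately produce Return-Path mismatches.
"""
from email import message_from_string
from email.utils import parseaddr

LEGIT = """\
Return-Path: <billing@shop.example>
From: Shop Billing <billing@shop.example>
To: alice@example.net
Subject: Your receipt

Thanks for your order.
"""

# The display name is itself an address at the impersonated bank, while the
# real address and the bounce address live in unrelated domains.
SPOOFED = """\
Return-Path: <bounce@mailer-1234.example.org>
From: "support@bank.example" <noreply@bank-secure-login.example.com>
Reply-To: support@bank-secure-login.example.com
To: alice@example.net
Subject: Urgent: verify your account

Click the link to verify.
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or None if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() or None


def spoofing_indicators(raw_message):
    """Return human-readable findings where sender-related headers disagree."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    if not from_domain:
        return ["From header missing or unparseable"]
    findings = []
    for header in ("Return-Path", "Sender", "Reply-To"):
        other = domain_of(msg.get(header))
        if other and other != from_domain:
            findings.append(f"{header} domain {other} differs from From domain {from_domain}")
    display_name, _ = parseaddr(msg.get("From", ""))
    if "@" in display_name:  # display name masquerading as an address
        name_domain = display_name.rpartition("@")[2].strip("<> ").lower()
        if name_domain != from_domain:
            findings.append(f"From display name claims {name_domain} but address is in {from_domain}")
    return findings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, "->", spoofing_indicators(raw) or "no indicators")
```

The legitimate receipt produces no findings; the forged alert produces two (Return-Path in another domain, display name claiming bank.example). Header self-consistency is only a heuristic; the authoritative checks are the receiving server's SPF, DKIM and DMARC results.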

  19. Phishing • Official-looking e-mails trick people into revealing • Usernames • Passwords • Other personally identifiable information • Result: loss of confidence in web transactions

  20. Ice Phishing? • No, but there is… • Personalized (spear) phishing: target the victim by name, using information already gathered, hoping to get more • Executive impersonation: pose as a high-level executive and demand information; has been effective against soldiers • Whaling: target the high-level executives themselves • Lesson: think twice before clicking an IM or e-mail hyperlink!
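The "think twice before clicking" lesson can be partly automated: the text a link displays and the host it actually points to are independent in HTML. The following added example, not code from the slides, extracts the links from a constructed phishing body (all hosts are reserved example or documentation names) and flags three common tricks: visible text naming a different host than the href, an IP-literal host, and the `trusted-host@real-host` userinfo form of URL.

```python
"""Flag hyperlinks in an e-mail body whose visible text misrepresents the target.

Added example, not part of the slides.  The HTML body below is constructed;
all hosts are reserved example/documentation names.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_BODY = """
<p>Dear customer, unusual activity was detected.</p>
<p><a href="https://www.bank.example/help">Help center</a></p>
<p><a href="http://203.0.113.9/login">https://www.bank.example/login</a></p>
<p><a href="https://www.bank.example@login-verify.example.net/">www.bank.example</a></p>
"""

# Visible text that a reader would take for a URL or host name.
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
IPV4_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_anchor = False
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_anchor = True
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._in_anchor:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_anchor:
            if self._href:
                self.links.append((self._href, "".join(self._text).strip()))
            self._in_anchor = False


def host_of(url_or_host):
    """Lower-cased hostname; bare host names get a scheme prepended so urlsplit parses them."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlsplit(url_or_host).hostname or "").lower()


def suspicious_links(html_body):
    """Return (href, reason) pairs for links a reader should not trust at face value."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        real_host = (parts.hostname or "").lower()
        if parts.username is not None:  # 'https://bank@evil/' really goes to evil
            findings.append((href, "userinfo-before-real-host"))
        if IPV4_LITERAL.match(real_host):
            findings.append((href, "ip-literal-host"))
        if LOOKS_LIKE_URL.match(text) and host_of(text) != real_host:
            findings.append((href, f"text-host-{host_of(text)}-differs-from-{real_host}"))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_BODY):
        print(f"{reason}: {href}")
```

The help-center link passes; the other two each produce two findings, four in all. Mail clients show the real target on hover for the same reason, but homoglyph and lookalike registered domains (a different registered name that merely resembles the brand) are not caught by this check and still need a human or a reputation feed.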

  21. Pharming • Similar to phishing, but the victim is redirected without having to click a bad link • Fraudulent web sites collect personal info • Relies on DNS exploits (such as DNS cache poisoning) or tampering with the local hosts file

  22. Identity Theft • Goal: obtain key personal info • Falsely obtain goods & services • Sources • Database cracking • Social engineering • Pretexting • Surveys • Result: large dollar losses • But credit cards remain comparatively safe on the web, since consumer liability for fraudulent charges is limited

  23. Social Security Numbers • De facto national identifier • Key to a person's identity • SSNs can be found online in public government records

  24. Personal Information Safeguards • Dumpster diving: shred your garbage • Be mindful of HTTPS before entering credentials or card numbers • Review credit reports • Do not reveal your SSN unless you must • Be wary of giving out personal info • Wipe (overwrite) old hard drives before disposal • Copy machine hard drives store images of scanned documents too

  25. Identity Theft Penalty Enhancement Act (2004) • Sounds good: mandatory prison time for possessing identity information with intent to commit a crime • Real issue: holding information handlers accountable for the data they collect

  26. CaaS? • Have you heard of Software as a Service (SaaS)? A hot trend in technology • How about CaaS? • Crimeware as a Service • Criminals never stop innovating

  27. Cybercrimes Using Technology

  28. Targets • Computers (like yours!) • Internet connections

  29. Terminology • Beware: cybercrime terms (Trojan, virus, malware…) are often used interchangeably, but they mean different things

  30. Computer Cybercrime: Cookie Poisoning • Cookies: data a web site stores in the browser to enhance the browsing experience (sessions, preferences) • Cookie downside: tracking • Cookie poisoning: the attacker edits cookie values (such as a user ID or role) to impersonate another user or gain privileges • For protection, servers should sign (and where confidentiality matters, also encrypt) cookies so that any modification is detected, and keep authorization decisions server-side • Cookie background at GRC
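The slide's advice to "encrypt cookies" is really about integrity: a client can edit anything it is handed, so the server needs to detect edits. The following added example, not code from the slides, puts an unsigned `user=alice; role=user` cookie beside an HMAC-SHA256-signed one and shows the poisoning attempt succeeding against the first and failing against the second. `SECRET_KEY` is a hypothetical server-side key generated at start-up; in a real service it comes from configuration and never reaches the client.

```python
"""Cookie poisoning: an unsigned cookie beside an HMAC-signed one.

Added example, not code from the slides.  SECRET_KEY is a hypothetical
server-side key.  Integrity protection (a MAC) is what stops the client
from editing the cookie; encryption alone hides the value but does not by
itself detect tampering.
"""
import base64
import hashlib
import hmac
import json
import secrets

SECRET_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, never sent to clients


# --- vulnerable pattern: trusts whatever the browser sends back ---------------
def insecure_cookie(payload):
    """Serialise 'user=alice; role=user' with no integrity protection."""
    return "; ".join(f"{k}={v}" for k, v in payload.items())


def insecure_parse(cookie):
    """The server blindly believes the client-controlled role."""
    return dict(item.split("=", 1) for item in cookie.split("; "))


# --- hardened pattern: base64url(JSON) + HMAC-SHA256 over the encoded body ---
def _b64e(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_body(payload):
    return _b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())


def sign_cookie(payload, key=SECRET_KEY):
    body = _encode_body(payload)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_cookie(cookie, key=SECRET_KEY):
    """Return the payload if the MAC checks out, else None (reject, never 'repair')."""
    body, sep, mac = cookie.rpartition(".")
    if not sep or not body:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    try:
        return json.loads(_b64d(body))
    except (ValueError, TypeError):
        return None


def poison_role(cookie, new_role):
    """What an attacker does: decode, set role, re-encode, keep the old MAC."""
    body, _, mac = cookie.rpartition(".")
    payload = json.loads(_b64d(body))
    payload["role"] = new_role
    return _encode_body(payload) + "." + mac


if __name__ == "__main__":
    session = {"user": "alice", "role": "user"}
    weak = insecure_cookie(session).replace("role=user", "role=admin")
    print("unsigned cookie after edit ->", insecure_parse(weak)["role"])
    strong = sign_cookie(session)
    print("signed cookie after edit   ->", verify_cookie(poison_role(strong, "admin")))
```

The signed cookie is still readable by the client (base64 is not encryption), which is fine for a user name and role; what matters is that a changed body no longer matches its MAC. Set `HttpOnly` and `Secure` on the cookie as well, and prefer an opaque session ID with the role looked up server-side when the payload is sensitive.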

  31. Computer Cybercrime: Spyware • Tracks and forwards data without user consent • Uses the computer for malicious purposes • Also slows performance, crashes the computer • FTC investigates; has prosecuted under federal consumer protection and computer privacy laws • Sears has used tracking software on customers: oops • Example chain: steal a user's stock account login • Sell the portfolio • Manipulate stocks using the account • Avoid public computers, change passwords often

  32. Computer Cybercrime: Drive-by Download • Program download without consent • Triggered merely by viewing a web site or e-mail • Often installs spyware • A form of computer trespass • Reduce the risk with a patched browser and security software

  33. Computer Cybercrime: Malware • Virus: attaches itself to a host program or file and copies itself when that host runs • Worm: self-replicating standalone program that spreads over the network without a host file or user action • Trojan horse: malicious program hidden inside an apparently harmless one (spyware is often delivered this way); does not self-replicate • Often used to take control of the machine

  34. Internet Connection Cybercrime: Wardriving • Using a Wi-Fi laptop to map wireless access points • Subsequent use of the Internet connection without permission may constitute telecommunications theft

  35. Internet Connection Cybercrime: Piggybacking • Using a wireless Internet connection without permission • State laws vary • Countries vary

  36. Internet Connection Cybercrime: Issues • Others use your Internet connection to commit cybercrimes • Downloading child pornography • Is a business liable for unauthorized use of its unsecured wireless connection to commit a crime? • Courts not yet involved • Solution: secure and encrypt wireless access (WPA2 or later with a strong passphrase; WEP is broken and offers no real protection)

  37. What's Next? • Electromagnetic keyboard sniffing • Recover keystrokes from the electromagnetic emissions of a wired keyboard from 65 feet (about 20 m) away, wirelessly • http://en.wikipedia.org/wiki/Keystroke_logging#Electromagnetic_emissions

  38. Cybercrimes and Individuals

  39. Mule Scam • Victim/mule (usually unknowingly) helps launder stolen online funds • The criminal uses the mule's PayPal account to move the defrauded victim's funds • The mule is paid a commission, a percentage of the defrauded victim's funds • The defrauded victim contacts the mule seeking the funds back • eBay will require the mule to repay the innocent defrauded victim

  40. Cyberstalking • Using e-mail, IM, blogs… to harass a victim • Also inciting others against the victim • Can be combined with real-world stalking

  41. Corporate Cyberstalking • A corporation stalking an ex-customer or ex-employee • Or vice versa, but less likely

  42. Cyberstalking Law • No federal law specific to cyberstalking • State laws vary • Harassment vs stalking • Harassment barred by 41 states

  43. Federal Statutes: Securities • Spam, message boards and chat rooms are used to hype stocks and manipulate prices • Also violates state securities laws • SEC estimates 100 million stock spam messages per week • The IPO quiet period (90 days) can be violated by a blog post or tweet

  44. USA PATRIOT Act • Rushed response to the 9/11 attacks • Amended many federal statutes • Civil liberty protections suffered • Lowered the standard for government interception of electronic messages • Broad reach, well beyond terrorists

  45. USA PATRIOT Act • Subpoena of bank account and credit card numbers from ISPs • Requests that ISPs release customer info voluntarily • Danger in the government labeling someone a terrorist • Expansive search warrant powers • Secret 'National Security Letters' issued without a court order! • That provision was declared unconstitutional by a federal district court in 2004 • FBI eavesdrops on computer traffic

  46. Online Gambling • Est. 2006 revenue: $12 billion • Est. 2010 revenue: $25 billion, half from the U.S. • State regulated • Internet issue: may be legal where the site operates, but not where the bet is placed • Eight states outlaw online gambling • British online gambling execs arrested on U.S. soil

  47. Gambling Types • Casino • Sports

  48. International Level • No agreement; legal in some countries • Countries complain about the U.S. • WTO declares the U.S. out of compliance • Either let citizens gamble online • Or impose a total ban (including lottery tickets)

  49. Wire Act of 1961 (Interstate Wire Act) • Prohibits use of wire communication facilities in interstate or foreign commerce to transmit bets, wagers, or information assisting them • Government must prove the defendant • Was engaged in the business of gambling • Transmitted bets interstate… • Used a wire communication facility • Acted knowingly

  50. Unlawful Internet Gambling Enforcement Act (2006) • Congress goes after the money, not the gamblers • Illegal for financial institutions to process unlawful Internet gambling payments • But U.S. gamblers may still use off-shore payment processors