Chapter 6
Cybercrimes
Spam
Good marketing points?
- Cheap
- Highly effective
PgPBUSA331 Chapter 8
Spam
Bad points?
- Makes up 90% of U.S. e-mail!
Spam Avoidance
- Never reply
- Do not put email address on web site
- Use alias email address in newsgroups
- Do not readily give out email address
- Use spam filter
- Never buy from spam
CAN-SPAM
- Controlling Assault of Non-Solicited Pornography and Marketing Act
- Does not ban sending spam
- Due to 1st Amendment, free speech
- Some states have more restrictive laws
CAN-SPAM Requires
- Accurate email headers, valid return address
- Opt-out procedures (why not opt-in?)
- Clear notice of opt-out
- Compliance with opt-out within 10 days
- Label commercial email as solicitation
- Sender's valid physical address
- Warning labels on sexually oriented material
CAN-SPAM Prohibits
- Misleading subject lines
- Email address harvesting
CAN-SPAM Enforcement
- FTC
- AGs (Attorneys General)
- ISPs
- No private right of action
CAN-SPAM Prosecutions
- Illinois, Florida, New York, California
- Bottom line: has done little to impede the spam onslaught
State SPAM Laws
- Patchwork, non-uniform
- Jurisdictional questions
- Opt-in requirements
- Limited by First Amendment issues
Foreign SPAM Laws
- Main issue is enforcement
Fighting SPAM
- FTC (Federal Trade Commission): truth in advertising laws
- Trademark infringement
- RICO (Racketeer Influenced and Corrupt Organizations Act)
- Computer Fraud and Abuse Act: unauthorized computer use to get email addresses
Murking
- Bills vs. laws
Mail Bombs
- Excessive email to overload server storage
- Denial of service attack
Permission Based Marketing
- Legal, because requested
- Opt-in
- RSS feed sign up…
Chapter 9
Social Engineering and Identity Theft
Ultimate Goal
- Steal passwords, Personally Identifiable Information (your "identity")
- In order to profit
- Internet enables this without physical contact
Email Spoofing
- Forge email header
- Appears email came from other than true sender
- Why spoof?
  - Avoid identification under spam laws
  - Hide identity, avoid liability for illegal activity
  - Download Trojans to control computers
  - Obtain confidential information
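A forged header is only the displayed "From" line; the envelope sender (Return-Path) and the receiving server's own authentication results usually do not match it. The following is an added example, not part of the original slides, showing how a mail-handling script on the receiving side can flag such mismatches. The sample messages, the example.com/example.net/example.org domains, and the function name spoof_indicators are all constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed sample: displayed From claims a bank, but the envelope sender
# and the receiving MX's Authentication-Results tell a different story.
SAMPLE_SPOOFED = """Return-Path: <bounce@mail.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail.example.net; dkim=none
From: "Security Team" <security@bank.example.com>
To: victim@example.org
Subject: Your account needs verification

Please confirm your login details.
"""

# Constructed sample: envelope and header domains agree and all checks passed.
SAMPLE_LEGIT = """Return-Path: <security@bank.example.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bank.example.com; dkim=pass header.d=bank.example.com; dmarc=pass
From: "Security Team" <security@bank.example.com>
To: customer@example.org
Subject: Monthly statement available

Your statement is ready.
"""


def _domain(header_value):
    """Extract the lowercase domain part from an address header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spoof_indicators(raw_message):
    """Return a list of human-readable reasons the message looks spoofed.

    An empty list means no indicator fired. Only the Authentication-Results
    header written by our own receiving MX should be trusted; here the
    constructed samples carry exactly one such header.
    """
    msg = email.message_from_string(raw_message)
    findings = []

    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    if from_domain and return_path_domain and from_domain != return_path_domain:
        findings.append(
            f"From domain {from_domain} differs from Return-Path domain {return_path_domain}"
        )

    auth_results = (msg.get("Authentication-Results") or "").lower()
    for mechanism in ("spf", "dkim", "dmarc"):
        if f"{mechanism}=pass" not in auth_results:
            findings.append(f"{mechanism} did not pass")

    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(label, spoof_indicators(sample) or "no indicators")
```

The check is deliberately conservative: a From/Return-Path mismatch alone is common for mailing lists and bulk senders, so the indicators are meant to feed a scoring or quarantine decision rather than to reject on their own.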
Phishing
- Use of official-looking emails to trick people into revealing:
  - Usernames
  - Passwords
  - Other Personally Identifiable Information
- Result: loss of confidence in web transactions
Ice Phishing?
- No, but there is…
- Personalized phishing: target victim by name, already have some info, hoping to get more
- Spear phishing: pose as high-level executive, demand info; effective against soldiers
- Whaling: target high-level executives
- Lesson: think twice before clicking an IM or email hyperlink!
Pharming
- Similar to phishing
- Use web sites to obtain personal info
- DNS exploits
Identity Theft
- Goal: obtain key personal info
- Falsely obtain goods & services
- Sources:
  - Database cracking
  - Social engineering
  - Pretexting
  - Survey
- Results: large $ loss
- But credit cards safer on web
Social Security Numbers
- De facto national identifier
- Key to a person's identity
- SSNs can be found online in government records
Personal Information Safeguard
- Dumpster diving: shred your garbage?
- Be mindful of https
- Review credit reports
- Do not reveal SSN unless a must
- Wary of giving personal info
- Overwrite old hard drives
- Copy machine hard drives?
Identity Theft Penalty Enhancement Act
- Sounds good: mandatory jail time for possessing identity info with intent of committing crime
- Real issue: hold info handlers accountable for data they collect
CAAS?
- Have you heard of Software as a Service (SaaS)? A hot new trend in technology
- How about CaaS?
- Crimeware as a Service
- Criminals never stop innovating
Chapter 10
Cybercrimes Using Technology
Targets
- Computers (like yours!)
- Internet connection
Terminology
- Beware: cybercrime terms (trojan, virus, malware…) are often used interchangeably, but they are different
Computer Cybercrime-Cookie Poisoning
- Cookies: data to enhance web browsing experience
- Cookie downside: tracking
- Cookie poisoning: attacker modifies cookie
- For protection, encrypt cookies
- Cookie background at GRC
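Cookie poisoning works because a server that stores state in the cookie (for example role=user) has no way of knowing whether the browser sent back what the server originally set. The following added example, not from the original slides, shows the standard integrity protection: the server attaches an HMAC-SHA256 tag to the value and refuses any cookie whose tag does not verify. The secret key, the role=user/role=admin values, and the function names sign_cookie and verify_cookie are constructed for illustration. Encryption (which the slide mentions) hides the contents; it is the tag that detects modification, and in practice both are used together.

```python
import base64
import hashlib
import hmac

# Hypothetical server-side secret for this example only; a real deployment
# loads it from a secret store and never ships it to the browser.
SECRET_KEY = b"constructed-example-key-do-not-reuse"


def _tag(payload, key):
    """HMAC-SHA256 of payload, URL-safe base64 without padding (no '.' inside)."""
    digest = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def sign_cookie(value, key=SECRET_KEY):
    """Produce 'value.tag' for Set-Cookie; the tag binds value to the key."""
    return f"{value}.{_tag(value.encode('utf-8'), key)}"


def verify_cookie(cookie, key=SECRET_KEY):
    """Return the original value if the tag verifies, otherwise None.

    rpartition splits on the last '.', so values containing '.' are fine
    because the tag alphabet never includes that character.
    """
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # unsigned cookie: reject outright
    expected = _tag(value.encode("utf-8"), key)
    # Constant-time comparison so timing does not leak how much of the tag matched
    if not hmac.compare_digest(expected, tag):
        return None
    return value


def naive_role(cookie):
    """The unprotected pattern: trust whatever role the browser sends back."""
    return cookie.partition("=")[2]


def checked_role(cookie):
    """The protected pattern: only honour a role whose tag verifies."""
    value = verify_cookie(cookie)
    return value.partition("=")[2] if value else None


if __name__ == "__main__":
    issued = sign_cookie("role=user")
    poisoned = issued.replace("role=user", "role=admin")
    print("naive server sees:  ", naive_role("role=admin"))   # attacker-chosen
    print("checked server sees:", checked_role(poisoned))     # None: tag mismatch
```

The same construction generalises to any server-set cookie value (session ids, preferences, shopping-cart totals): sign at issue time, verify on every request, and treat a verification failure as an expired session rather than as input.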
Computer Cybercrime-Spyware
- Tracks and forwards data without user consent
- Uses computer for malicious purposes
- Also slows performance, crashes computer
- FTC investigates, has prosecuted under federal computer privacy laws
- Sears has used spyware on customers: oops
- Steal user stock account login
  - Sell portfolio
  - Manipulate stocks using account
- Avoid public computers, change passwords often
Computer Cybercrime-Drive-by Download
- Program download without consent
- Viewing web site or email
- Similar to spyware
- Form of computer trespass
- Avoid by using security software
Computer Cybercrime-Malware
- Virus: copies itself, infects computer
- Worm: self-replicating virus
- Trojan horse: malicious program within harmless program, like spyware; non-self-replicating
- Used to take control
Internet Connection Cybercrime-Wardriving
- Using Wi-Fi laptop to map wireless access points
- Subsequent use of Internet connection is telecommunications theft
Internet Connection Cybercrime-Piggy-backing
- Using wireless internet connection without permission
- State laws vary
- Countries vary
Internet Connection Cybercrime-Issues
- Others use your internet connection to commit cybercrimes
  - Downloading child pornography
- Is a business liable for the unauthorized use of their unsecured wireless internet connection to commit a crime?
- Courts not yet involved
- Solution: secure / encrypt wireless access!
What’s Next?
- Electromagnetic keyboard sniffing
- Steal computer keypress/keystrokes from 65 feet away wirelessly!
- http://en.wikipedia.org/wiki/Keystroke_logging#Electromagnetic_emissions
Chapter 11
Cybercrimes and Individuals
Mule Scam
- Victim/mule (usually unknowingly) helps launder stolen online funds
- Uses mule's PayPal account to transfer defrauded victim's funds
- Mule paid commission from % of defrauded victim's funds
- Defrauded victim contacts mule seeking funds back
- eBay will require mule to pay innocent defrauded victim
Cyberstalking
- Using email, IM, blog… to harass victim
- Also incite others against victim
- Can be combined with real-world stalking
Corporate Cyberstalking
- Corporation stalking ex-customer or ex-employee
- Or vice versa, but less likely
Cyberstalking Law
- No federal law
- State law varies
- Harassment vs. stalking
- Harassment barred by 41 states
Federal Statutes-Securities
- Spam, message boards and chat rooms used to hype stocks, trying to manipulate prices
- Also violate state securities laws
- SEC estimates 100 million stock spam messages per week
- IPO quiet time (90 day) can be violated by blog or tweet
USA PATRIOT Act
- Rushed response to 9/11 attacks
- Amended many federal statutes
- Civil liberty protections suffered
- Lessened standard for government to intercept electronic messages
- Broad reach, beyond terrorists
USA PATRIOT Act
- Subpoena of bank account and credit card numbers from ISPs
- Request ISP to release customer info voluntarily
- Danger in government labeling someone terrorist
- Expansive search warrant powers
- Secret "National Security Letters" without court order!
  - Declared unconstitutional in 2004
- FBI eavesdrops on computer traffic
Online Gambling
- Est. 2006 revenue: $12 billion
- Est. 2010 revenue: $25 billion, half from U.S.
- State regulated
- Internet issues: may be legal in other locations, but not where bet is placed
- Eight states outlaw online gambling
- British online gambling execs arrested on U.S. soil
Gambling Types
- Casino
- Sports
International Level
- No agreement, legal in some countries
- Countries complain about U.S.
- WTO declares U.S. out of compliance
  - Either let citizens gamble online
  - Or total ban (including lottery tickets)
Wire Wager Act of 1961
- Prohibits use of wire transmission in interstate or foreign commerce of bets, wagers, information on them
- Government must prove:
  - Engaged in gambling
  - Interstate transmission of bets…
  - Used wire communication facility
  - Acted knowingly
Unlawful Internet Gambling Enforcement Act-2006
- Congress goes after money, not gamblers
- Illegal to process gambling payments
- But U.S. gamblers may use off-shore payment processors
Virtual Crime
- Online multiplayer environments
  - Habbo
  - Second Life
- Virtual goods, so virtual or actual theft?
- Physical coercion to obtain virtual artifacts
- Second Life does $1 million/day of commerce!
- Will only get worse…