Cybercrime
by Charles Nesson, Anita Ramasastry
Last updated: June 22, 2002
Introduction
"Cyber Crime" is not a rigorously defined concept. For
our purposes, consider it to embrace criminal acts that can be accomplished
while sitting at the computer keyboard. Such acts include gaining
unauthorized access to computer files; disrupting the operation
of remote computers with viruses, worms, logic bombs, Trojan horses
and denial of service attacks; distributing and creating child pornography
via the internet; stealing another's identity; selling contraband;
and stalking victims. Cyber crime is cheap to commit (if one has
the know-how to do it), hard to detect (if one knows how to erase
one's tracks) and often hard to locate in jurisdictional terms,
given the geographical indeterminacy of the net.
Our purpose in considering the subject of cyber crime is not to
catalog it exhaustively, but rather to raise and consider questions
of particular interest that are presented by cyber methodologies
of committing crimes. The most interesting questions arise at the
points where criminal opportunities presented by the new technologies
stretch the bounds of our criminal law.
As background for the case study and discussion problems, please
read the following:
1. The text of United States Code Title 18 Section 1030 (Fraud
and Related Activity in Connection with Computers)
http://www.usdoj.gov/criminal/cybercrime/1030_new.html
2. United States Department of Justice, Field Guidance on New Authorities
That Relate to Computer Crime and Electronic Evidence Enacted in
the USA Patriot Act of 2001 (Read especially the guidance on Section
814 of the USA Patriot Act which amends U.S. Code Title 18 Section
1030)
http://www.cybercrime.gov/PatriotAct.htm
3. Part III of The Electronic Frontier Foundation's Analysis Of
The Provisions Of The USA PATRIOT Act That Relate To Online Activities
(Oct 31, 2001)
http://www.eff.org/Privacy/Surveillance/Terrorism_militias/20011031_eff_usa_patriot_analysis.html
Cyber Protest and Denial of Service Attacks
In February 2000, news reports indicated that Yahoo, Cable
News Network, eBay, Amazon.com, E*Trade, and Buy.com (among other
sites) experienced distributed denial of service ("DDOS")
attacks. The challenges to apprehending the suspects proved substantial.
In many cases, the attackers used "spoofed" IP addresses,
so that the address that appeared on the target's log was not the
true address of the system that sent the messages.
The FBI was able to identify a 16-year old Canadian teenager, known
as "Mafiaboy" as a suspect by reviewing Internet chat
room logs that showed Mafiaboy asking others what sites he should
take down - before the sites were attacked. For example, there was
discussion of a possible denial of service attack on CNN before
CNN's site was taken down. Mafiaboy was arrested in April 2000.
In January of 2001, Mafiaboy pleaded guilty to 56 counts of "mischief
to data" in relation to the DDOS attacks from February 2000.
He was charged with "a DDOS attack that brought down CNN.com,
Amazon.com, eBay, Dell Computer and others between February 8 and
14, 2000." The teenager eventually received a sentence of eight months
in detention followed by a year of probation for his actions. The
judge also required him to donate $250 to charity. Mafiaboy allegedly
caused more than US $1.5 billion in damage in connection with the
various DDOS attacks.
In the United States, a hacker who engaged in a DDOS attack would
be prosecuted under the federal Computer Fraud and Abuse Act (CFAA).
http://www.fbi.gov/pressrel/pressrel01/mafiaboy.htm
http://www.mafiaboy.com
http://www.newsfactor.com/perl.story/6836.com
http://www.infoworld.com/articles/hn/xml/01/01/18/010118hnmafiaboy.xml
Also in January 2001, an Alaskan resident, Scott Dennis, a former
systems administrator for the United States District Court in Alaska,
was sentenced for interfering with a government-owned communications
system. Dennis was charged with launching three DDOS attacks against
the U.S. District Court for the Eastern District of New York. The
prosecution contended that Dennis had bombarded the Eastern District's
server with email messages to prove that it was vulnerable to outside
attack. He was sentenced to 6 months incarceration - three months
in prison and three months home confinement followed by one year
of supervised release. Dennis was also required to perform 240 hours
of community service and to allow his computer activities to be
monitored. Dennis also paid $5,300 in restitution to the New York
federal court system and Internet Alaska.
http://www.cybercrime.gov/dennis.htm
http://www.cybercrime.gov/dennisplea.htm
Within the past several years, distributed denial of service (DDOS)
attacks have generated a tremendous amount of concern from governments
as well as the private sector. During the fall of 1999, there was
a great deal of publicity concerning a new set of computer tools
known as "Trinoo," "Tribal Flood Net" and "Stacheldraht"
(German for "barbed wire").
How are these "tools" utilized? Hackers gain unauthorized
access to one or more computer systems and place software code on them that
renders each such system a "master". The hackers also intrude
into other networks and place malicious code, which converts those
systems into agents (also known as "slaves"). Each master
can control multiple agents. Network owners typically are unaware
that these tools have been placed and reside on their systems.
The masters are activated either remotely or by internal programming
(such as a command to begin an attack at a prescribed time) and
are used to send information to the agents, activating a DDOS attack.
The agents then generate numerous requests to connect with various
targeted websites. The agents will typically leave a fictitious
or "spoofed" IP (Internet Protocol) address, thus providing
a falsified identity as to the source of the request.
In layperson's terms, the agents request the same web page continuously,
and the volume of traffic is so high as to make the requested website
inaccessible. Due to the volume of requests, the targeted website's
computer becomes overwhelmed in its efforts to acknowledge and complete
a transaction with the sending computers. The targeted server must
deny service to legitimate website visitors -- hence the term "Denial
of Service". For example, in the February 2000 attacks, if you
wanted to order a book from Amazon, you might not have been able
to access the Amazon site. These attacks are especially damaging
when they are coordinated from multiple sites - hence the term Distributed
Denial of Service.
An analogy would be if someone launched an automated program to
have thousands of phone calls placed to the Amazon.com switchboard
simultaneously. Many incoming callers would receive busy signals
due to the high volume of telephone traffic.
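The following Python sketch is an added illustration of the defender's side of the mechanism just described; it is not part of the original course page. It runs over constructed web-server log lines and flags any page whose request rate within a short window exceeds a threshold. The rate is measured per target page rather than per source address, because, as the text notes, agents typically leave spoofed source addresses. The log format, thresholds and sample traffic are assumptions made for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Log line format assumed for this demo: "<ISO timestamp> <source IP> <path>"

def parse_line(line):
    ts, src, path = line.split()
    return datetime.fromisoformat(ts), src, path

def detect_floods(lines, window=timedelta(seconds=10), threshold=100):
    """Return {path: (peak requests in any `window`, distinct source IPs)}
    for every path whose peak exceeds `threshold`.

    Counting per target page rather than per source matters because the
    flooding agents spoof their addresses: per-IP counters would see many
    "different" clients, but the page-level request rate cannot be hidden."""
    by_path = defaultdict(list)
    for line in lines:
        ts, src, path = parse_line(line)
        by_path[path].append((ts, src))
    alerts = {}
    for path, events in by_path.items():
        events.sort()
        start, peak = 0, 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[path] = (peak, len({src for _, src in events}))
    return alerts

def triage(peak, distinct_sources):
    """Analyst hint only: a flood spread over roughly as many sources as
    requests resembles a client-side action (or spoofed sources); a flood
    from a handful of sources resembles a few compromised agents. Source
    addresses may be spoofed, so this is a hint, not attribution."""
    return "many-source" if distinct_sources >= peak / 2 else "few-source"

def make_sample_log():
    """Constructed sample traffic (not real data): ordinary browsing plus
    150 requests for the front page within 7.5 seconds from 150 addresses."""
    base = datetime(2000, 2, 8, 10, 0, 0)
    lines = [f"{(base + timedelta(minutes=m)).isoformat()} 192.0.2.10 /index.html"
             for m in (-5, 5, 15)]                          # normal visits
    lines += [f"{(base + timedelta(seconds=30 * k)).isoformat()} 192.0.2.11 /about.html"
              for k in range(5)]                            # normal visits
    lines += [f"{(base + timedelta(milliseconds=50 * i)).isoformat()} 203.0.113.{i + 1} /index.html"
              for i in range(150)]                          # the flood
    return lines

if __name__ == "__main__":
    for path, (peak, sources) in detect_floods(make_sample_log()).items():
        print(f"{path}: {peak} requests in 10s from {sources} sources -> {triage(peak, sources)}")
```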
The United States government has become worried that international
groups are using DDOS tools as a form of political protest. The
United States National Infrastructure Protection Center ("NIPC")
has issued bulletins alerting government entities and the general
public to the threat posed by politically motivated DDOS attacks.
Such attacks are described as politically motivated because the
sites that are attacked are in some way linked to the issues that
the group is protesting.
A report issued by the NIPC in November 2001 reported:
Beginning on September 11, patriot hackers and hacking groups
on Internet Relay Chat (IRC) and newsgroups called for attacks
on Pakistani and Afghani web sites. They promoted active retaliation
for the terrorist attacks on the World Trade Center and Pentagon.
A web site dealing with Afghan dogs was reportedly the first victim
of pro-U.S. cyber protesters. On September 12, the official web
site of the Government of Pakistan was defaced. Other web sites
defaced were those belonging to the Afghan News Network, Afghan
Politics, Taleban.com, and Talibanonline.com.
Spam (unwanted mass e-mails) was also used to encourage hackers
to join together in attacking web sites of Islamic fundamentalism
and those supporting terrorism. Recipients were encouraged to
further disseminate the message to persuade others to join the
fight in any way they could, be it by active hacking or in a support
role such as information gathering. Denial-of-service (DoS) attacks
were also used by hackers. E-mail bombing is a popular form of
a DoS attack. Massive amounts of e-mail or web traffic are directed
against a specific site, overloading it and causing it to crash.
On September 12, the official web site of the Presidential Palace
of Afghanistan was affected by a DoS attack that rendered it inaccessible.
Usenet newsgroups dealing with Islam have also experienced DoS
attacks. The newsgroup soc.religion.islam was e-mail bombed by
hackers and subsequently crashed.
The call to hackers to join forces has been successful. A group
calling itself the Dispatchers has taken up the task of striking
out against Palestinian and Afghani web sites. Led by a hacker
named The Rev, who has defaced several sites since February, the
group vowed to target those responsible for the September 11 terrorist
attacks. Their first known defacement, committed on September
16, was the Iranian Ministry of the Interior. They stated their
intentions to continue defacing and crashing sites in retaliation
for the terrorist attacks and they have successfully done so, although
they have not been heard from since late September.
http://www.nipc.gov/publications/nipcpub/cyberprotests1101.pdf
Client-Side Distributed Denial of Service: A Variant on DDOS
In addition to DDOS attacks, another form of denial of service
requires that several thousand persons participate directly in the
action in order to create a so-called "cyber" protest
or "virtual" protest. Unlike DDOS attacks, client-side
distributed denial of service (CDOS) or client-side actions require
many users to log onto their computers at the same time and to
launch a program on their PCs that directs their browsers to
request the same website over and over again. CDOS actions are the
equivalent of protests in cyberspace. Various NGOs and grassroots
groups have engaged in CDOS as a means of protesting everything
from genetically modified food to Starbucks to globalization and
world trade.
Such client-side actions are done for limited periods of time,
and are done with much publicity (i.e. unlike DDOS attacks, which
are done covertly, these are done in an open and transparent manner).
Often, the goal is not to shut a site down completely but to slow
down the site, making it harder (but not impossible) to access.
CDOS attacks emerged in 1998, when the pro-Zapatista group Electronic
Disturbance Theater unveiled FloodNet software that targeted sites
of the Mexican government, the U.S. Department of Defense, and the
Frankfurt Stock Exchange, and succeeded in crashing the site of
former Mexican president Ernesto Zedillo. Where once law enforcement
had to track down only the dedicated servers hurling outsized packets
of data, now they have to contend with thousands of people working
with toys on their home computers.
Yet the work of organizations engaged in CDOS is viewed by some
as far less malevolent than the DDOS attacks that hackers launched
against major corporate sites. CDOS actions rely on the mass participation
of individuals - not automated technology controlled by one or at
most a handful of individuals.
In the fall of 1999, during the Seattle Ministerial of the World
Trade Organization ("WTO"), virtual protestors engaged
in a CDOS protest against the WTO. Similarly, in the fall of 2000,
while 12,000 activists flooded the streets of Prague during the
annual meeting of the International Monetary Fund and World Bank,
thousands of other protesters waged war online.
Orchestrated by a group of French cyber activists called the Federation
of Random Action ("FRA"), the virtual sit-in used a DDOS
tool that anyone could download in the comfort of their own home.
The plan of the virtual protest was to target the websites of the
IMF and the World Bank with repeated requests for information, overloading
their servers.
Unlike Mafiaboy who hijacked computers and automated them to crash
the sites of CNN.com and eBay in February, the FRA announced the
action up-front and created a program that required mass participation
to be effective.
FRA claimed the action caused some sporadic slowdown on the sites
of the World Bank and the IMF. FRA estimated that perhaps 5000 people
got involved - far fewer than the 452,000 who reportedly bombarded
the WTO's site in December 1999 during a virtual sit-in organized
by a U.K. group, the Electrohippies.
The Electrohippies have described their action as follows:
What the Electrohippies did for the WTO action was a client-side
distributed DOS action. The electrohippies method of operation
is also truly distributed since instead of a few servers, there
[were] tens of thousands of individual computer users involved
in the action. The requests sent to the target servers are generated
by ordinary Internet users using their own desktop computer and
(usually) a slow dial-up link. That means client-side distributed
actions require the efforts of real people, taking part in their
thousands simultaneously, to make the action effective. If there
are not enough people supporting then the action it [sic.] doesn't
work. The fact that service on the WTO's servers was interrupted
on the 30th of November and the 1st of December, and significantly
slowed on the 2nd and 3rd of December, demonstrated that there
was significant popular support for the electrohippies action.
So, the difference between the two actions is one of popular
legitimacy versus individual will.
Excerpt from The electrohippies collective occasional paper no.1
Client-side Distributed Denial-of-Service: Valid campaign tactic
or terrorist act? (February 2000) http://www.fraw.org.uk/archive/ehippies/papers/op1.html
Case Study and Discussion
Problem: Client Side Denial of Service
The e-boy collective
The eboy collective is an international group of male artists and
activists who are united to create art to promote world peace. In
1999, the eboy collective registered for the domain name eboy.com.
The collective is headquartered in Amsterdam. E-boys.com is a large
clothing chain based in New York that sells clothing to male teenagers
over the Internet. The eboy collective is several years older than
E-boys.com, which was incorporated in 2001.
In November 2001, E-boys attempted to buy the domain eboy.com from
the collective for $700,000. eboy turned down the offer.
On November 29, 2001, E-boys.com obtained a court injunction preventing
eboy from operating a website at www.eboy.com, which had been registered
before E-boys even existed. To obtain the injunction, E-boys told
the judge that eboy.com was confusing to its customers and that
the site contained lewd and pornographic images. The judge ordered
the collective to close down their website or face paying $10,000
per day in damages. The eboy collective went into exile at an undisclosed
numeric address.
Many organizations saw E-boys' actions as a threat to independent
publishers and small businesses on the Internet. In an effort to
mobilize support for the eboy collective, another activist group,
the Internet Beatniks, decided to stage a virtual protest against
E-boys.com. They sent out emails to members and supporters asking
them to participate in a virtual sit-in against E-boys. I-Beatniks,
which is in no way associated with eboy, aims to publicize what
it sees as the widespread corporate abuse of democratic institutions.
To this end it solicits and distributes funding for "sabotage
projects." Their E-boys virtual sit-in consisted of asking
visitors to the I-Beatnik site to program their web browsers to
repeatedly go to the E-boys site, potentially slowing its functions
during the busy holiday shopping season. Visitors had to visit the
I-Beatniks website and download automated software designed to access
the target E-boys site every few seconds and to send an email message
to E-boys.com.
The announcement on the I-Beatniks website read:
Blockade the E-boys.com website
Take part in a virtual protest against corporate globalization
and domination. Support art and world peace. Support the eboy
collective. On December 15, 2001, visit the I-Beatnik website,
download a software program that will allow your browser to repeatedly
visit the E-boys.com website.
This initiative is designed to provide a lasting warning to
e-commerce corporations against behaving unethically on the Web.
The outcome of this case has enormous implications for free speech
on the Internet and could set a precedent determining whether
the Internet will be governed by the brute force of multinational
corporations or by individuals and democratic processes.
The virtual sit-in began on December 15, 2001. The "sit-in"
had little effect on the first day, but, on the second day, massively
overloaded E-boys's server by filling its customer database with
emails and unnecessary customer requests. At times, customers in
both the US and Europe were unable to reach E-boys.com. Online ordering
was slowed down or blocked. It is estimated that more than 50,000
people participated in the virtual sit-in.
E-boys stock, which had previously been rising, plummeted over
50%. Having lost a day's worth of orders during its vital holiday
selling season, E-boys found itself with extra inventory on hand
and had to extend its deadline for by-Christmas delivery until Saturday
of the pre-Christmas week, the second slowest day on the web.
In January, E-boys effectively surrendered, announcing to the press
that it was "moving away" from its lawsuit against eboy
in response to public outcry. E-boys dropped its case against eboy
"without prejudice" and formally agreed to pay eboy's
court costs and other expenses incurred as a result of the lawsuit.
Discussion
Questions
1. What, if any, legal consequences do the I-Beatniks' actions have?
Can they be prosecuted for their actions? Can they be sued civilly?
2. How do the amendments to the Computer Fraud and Abuse Act contained
in the USA PATRIOT Act affect the legality of the I-Beatniks' actions?