Unauthorized Access Offences in Cyberworld

© Springer International Publishing Switzerland 2015
Mohamed Chawki, Ashraf Darwish, Mohammad Ayoub Khan and Sapna Tyagi, Cybercrime, Digital Forensics and Jurisdiction, Studies in Computational Intelligence 593, 10.1007/978-3-319-15150-2_2

2. Unauthorized Access Offences in Cyberworld

Mohamed Chawki, Ashraf Darwish, Mohammad Ayoub Khan and Sapna Tyagi

International Association of Cybercrime Prevention (AILCC), Paris, France

Department of Computer Science, Faculty of Science, Helwan University, Cairo, Egypt

Department of Computer Science and Engineering, School of Engineering and Technology, Sharda University, Greater Noida, India

College of Computer Science and Engineering, Yanbu Branch, Taibah University, Medina, Kingdom of Saudi Arabia

Institute of Management Studies, Ghaziabad, India



Mohamed Chawki (Corresponding author)



2.1 Emerging Threats: Expected Targets and Forms

Computer hacking is the accessing of a computer system without the express or implied permission of the owner of that computer system (Bainbridge 2004, p. 381). A person who engages in this activity is known as a computer hacker and may simply be motivated by the mere thrill of being able to outwit the security systems contained in a computer. A hacker may gain access remotely, using a computer in his own home or office connected to a telecommunications network (Ibid).

Hacking can be thought of as a form of mental challenge, not unlike solving a crossword puzzle, and the vast majority of hacking activities have been relatively harmless. Sometimes, the hacker has left a message publicizing his feat, reflecting the popular image of a hacker as a young enthusiast who is fascinated by computers and who likes to gain access to secure computer systems to prove his skills to himself or his peers (Ibid).

Computers can be the target of a criminal activity, a storage place for data about a criminal activity and/or the actual tool used to commit a crime (planning criminal activity). One of the most publicized crimes targeting computers involves unleashing a virus through email. A virus is a computer program that disrupts or destroys existing computer systems. A virus spreads rapidly around the world, destroying computer files and costing companies and individuals millions in downtime (time when the computers or networks are shut down). Most viruses are released by hackers as pranks. A hacker is someone who gains unauthorized access to a specific system. Sometimes hackers may target law enforcement or military computers and read or copy sensitive (secret or private) information. Some are concerned that terrorists will unleash viruses to cripple computer systems that control vital transportation networks.

Once the hacker has penetrated a computer system he might do one of several different things. He might read or copy highly confidential information; erase or modify information or programs stored in the computer systems; download programs or data, or he might simply add something, such as a message, boasting of his feat. He might also be tempted to steal money or direct the computer to have goods sent to him.

In days before computers, sensitive information was kept locked away in filing cabinets in locked rooms on the premises of the organization holding the data. This way the sensitive information was safe from being tampered with or copied.

By contrast, information stored on a computer that is linked to a telecommunication system is much more vulnerable. It is analogous to information stored in paper files kept in locked cabinets but left in a public place. It is just a matter of finding the right key to fit the cabinet; not only can a total stranger try the lock, but often he can spend as long as he likes trying different keys with impunity until he finds one that works.

A recent example of hacking’s dangerous effects can be seen in the various botnet conspiracies currently plaguing the country (Department of Justice 2010, Online). As background, “botnets” are “collections of software agents that run automatically” to commandeer massive numbers of computers to allow cybercriminals to conduct large-scale “malicious activity including spreading spam, stealing log-in credentials and personal information or distributing malware to others.” (Pinguelo and Muller 2011, p. 132). In one small example, conspirators allegedly created a coded botnet program, which could be used to hack into and control another person’s computer. Once transmitted, the program caused the infected computers to log onto a website and wait for commands, allowing the men to control and command the botnet.

With the botnet subject to their every whim, the men accessed, without permission, the user database of T35.net, a website which offered personal and business web-hosting services for thousands of users (Department of Justice 2010, Online). The database contained confidential user identifications and passwords, which the defendants downloaded. Soon thereafter, the men defaced the T35.net website and exposed the customers’ user ids and passwords to the public (Ibid).

It is not only small companies that are vulnerable to botnet attacks: in 2010, large corporations such as Google, Adobe, and several others were victimized by a targeted botnet attack called “Aurora.” According to an industry insider, “the Aurora botnet was targeted against large international businesses with the goals of network infiltration, theft of business secrets and modification of critical systems data.”

2.2 Criminal Statutes

2.2.1 United States

The CFAA

The CFAA is a computer security statute aimed at protecting the computers operated by the federal government and banking institutions, and computers linked to the Internet. It creates criminal liability for “trespassing, threats, damage, espionage,” and for government computers “being corruptly used as instruments of fraud.”

Access Device Fraud

Section 1029 outlaws the “production, use, possession, or trafficking of unauthorized or counterfeit access devices.” In relation to cybercrime, the DOJ asserts that the statute could be used to prosecute a cybercriminal who employs “phishing” emails to obtain victims’ private passwords and financial account numbers, or where the cybercriminal deals in stolen bank account or credit card information. The penalties for this variety of fraud are severe, including civil forfeiture and maximum prison terms of 10 or 15 years for first-time offenders, with repeat offenders being subject to a potential 20-year jail sentence.

Stored Wire and Electronic Communications and Transactional Records Access

This statute criminalizes the unauthorized access of email and voicemail. The felony version of the crime has five basic elements: (1) intentional access; (2) without or in excess of authorization; (3) access of a facility where an electronic communication service (ECS) was provided; (4) the defendant obtained, altered, or prevented authorized access to a wire or electronic communication while it was in “electronic storage;” and (5) the defendant acted “for purposes of commercial advantage, malicious destruction or damage, or private commercial gain, or in furtherance of any criminal or tortious act…”. For first-time offenders who lack the fifth “purpose” element, the maximum penalty is 1 year imprisonment and substantial fines, while repeat violators who lack the “purpose” element, or first-time offenders who commit the act with the “purpose” discussed above, face up to 5 years in prison and heavy fines. Repeat violations that run afoul of the improper purpose element expose the offender to a prison term of up to 10 years, coupled again with extensive fines.

Wiretapping and Eavesdropping

In the United States, the use of wire, telephone, or television communication facilities for the purpose of executing a scheme to defraud or obtain money or property by false pretences is a federal offence, even where the underlying fraudulent activity is strictly not a federal or state offence.1 Such use must be proved to be in furtherance of the scheme and not merely incidental to it.