Profession

What is this?
Why is computer engineering one?
How can we join up, and where?
How must we behave and act?
What are the issues and problems?
Do we impact on society? Do we have roles and functions? Do we contribute to society and the economy?
What's ahead?
How must we behave and act?
Where we talk about professional ethics, represented by guidelines in the CODE OF CONDUCT/ETHICS of various engineering professional associations.

SCOPE
What is ethics?
Codes of ethics

What on earth is ethics?
…zzzzzzzz
• Interaction raises ethical questions, for example in decision-making.
• Need for rules when people interact and get together, in order to regulate behaviour.
• Choices: to do good or harm to others.
• Consequences for others through these choices.
Ethics arises primarily when we interact and communicate with others. In interacting and communicating with others, there is always a choice: basically, whether to do good or harm to someone else, whether to act ethically or unethically.
Choices we have: to do good or harm to others.
Consequences for others through these choices.

NEED FOR ETHICAL PRINCIPLES TO GUIDE INTERACTION AND COMMUNICATION
Ethics supplies the principles that guide our interaction with each other. It is fundamental and basic to human relationships. Ethical principles, far from being abstract ideals, are a framework within which to interact with others in a peaceful, productive way.
There might actually be only one ethical principle: respect and consideration for others. Ethics only arises with respect and consideration for others. If we had no such concern, we could not care less whether we were acting ethically or not.
Respect for others
Honesty, caring for others, taking into consideration the needs and interests of others before acting. When you respect other people you are honest with them.
Ethical realities and examples
What does e-mail overload have to do with ethics?
The way we use e-mail raises questions about how we treat each other and how we treat common resources: two classic concerns of ethics.

Indiscriminate e-mail sending shows no respect for people's time: spam, cc-ing to protect oneself, etc.

When and where we answer e-mail (AOL survey):
In bed in pajamas (23%)
In class (12%)
In a business meeting (8%)
At a Wi-Fi hotspot, like Starbucks or McDonald's (6%)
At the beach or pool (6%)
In the bathroom (4%)
While driving (4%)
In church (1%)
What does e-mail overload have to do with ethics?

Violation of etiquette AND ethics: an affront to the dignity of the people who are sitting in front of us, implicitly denying that they are worthy of our full attention.
Incessant checking of e-mail further blurs the line between work and home: we are able to work ALL the time.
ETHICAL REALITIES/EXAMPLES

Scandal has touched nearly every institution, from sports to politics and even religion. … Business culture is particularly vulnerable to corruption. Business values in general tend to include an amoral view. Competition, enterprise and efficiency are the driving principles, and that sets the stage for amoral action to become a slippery slope to immoral behavior.
http://www.commondreams.org/cgi-bin/print.cgi?file=/views02/0712-02.htm
http://www.washingtonpost.com/wp-srv/liveonline/02/business/business_egan080202.htm
And Singapore??? How ethical and professional is our business/corporate scene?
Transparency International 2004: Singapore the world's fifth least corrupt country, behind Finland, New Zealand, Denmark and Iceland.

Few opportunities to be unethical: tough laws and strict enforcement; Singaporeans said to make great whistle-blowers.
In Singapore's largest cheating case, Chia Teck Leng, former finance manager of Asia Pacific Breweries, was jailed in 2004 for 42 years. He pleaded guilty to cheating four banks out of S$117 million.
Possible fraud or insider trading investigations launched into these listed companies:
Accord Customer Care Solutions
Citiraya Industries
Informatics Holdings
Auston International
Leong Hin Holdings
Greatronics Ltd.
Singapore's white-collar crime unit is investigating China Aviation Oil (Singapore) Corp, which supplies a third of China's jet fuel, after it disclosed losses caused by bad bets on oil prices.

… Singaporeans are not easy people to persuade to hand over their money. A recent global survey has shown Singaporeans to be a less trusting people than others in China, Japan and the United States. … Only one Singaporean in four would help when approached by a stranger asking to borrow S$20 because she had lost her wallet. Fewer than two in ten Singaporeans feel that people can be trusted.
Some "good" companies, considered "ethical" because they exhibit "social responsibility":
Ben & Jerry's (article in BB)
Body Shop
Starbucks

Reasons people give for not being ethical
Rationalizations to justify unethical behavior, including:
Denying responsibility: actors convince themselves they had no choice but to participate in unethical behavior.
Denying injury: if no one is hurt, the behavior isn't really unethical.
Denying victims: blaming the violated parties for what happened on the grounds they "deserved it."

Corrupt individuals depend on rationalizations to justify their behavior, including:
Social weighting: condemning anyone who questions their actions as a way of mitigating the charges. Individuals may also focus on others who are "worse than we are" as a way to deflect responsibility.
Appeal to higher loyalties: unethical behavior is justified if it was "for a good cause" like loyalty or higher ideals.
Self-justification: "I have the right to be unethical," for example because of seniority, etc.
How must we behave and act?
Where we talk about engineering ethics, represented by guidelines in the CODE OF CONDUCT/ETHICS of various engineering professional associations.

SCOPE
What is ethics?
Codes of ethics

CODE OF CONDUCT/ETHICS
For computer engineers / IT professionals
In the US there are many computer associations and societies, and most have a code of ethics/conduct.

• To look at existing IT codes
• To assess them
Rationale

… In order to ensure that members of a professional association provide a high level of service to the public and maintain the dignity of the profession …

Professional codes of ethics are considerably more restrictive than those normally applied to the general public.
CODE OF CONDUCT/ETHICS
Background/overview
Professions differ from commercial trades and enterprises: members are governed by professional ground rules of ethical and professional behavior, and by legislation. These ground rules are known as codes. Violations of the code are liable to censure or, for serious breaches, disciplinary action by a regulatory board. But more often it is a moral sanction (and this is where most of the difficulty arises).

Possession of a code is a hallmark of a profession.

What it is
A list of prescribed and recommended behaviors and values; defines roles and responsibilities. A measure of professional conduct.
A framework for ethical judgment.
A public avowal of engineers' commitment to behave in ways that are not harmful to society and do not bring shame on society or the rest of the profession.
Indicates to society the concern of members to act responsibly.
Collective recognition of the responsibilities of the profession.
CODE OF CONDUCT/ETHICS

Why? Functions: what does it achieve, what does it do?

Boils down to why we need rules in society. So why do computer engineers need rules?

An attempt, a mechanism, to guide behavior, especially in socially responsible ways, by stating concretely what not to do and what is expected.

Generation and application of rules of conduct designed to control, guide and influence the relations of professionals and engineers among themselves, between themselves and employers and clients, and between themselves and the public.

Why? Functions: what does it achieve, what does it do?

A framework for ethical judgment: how to act in problem situations by applying ethical principles.

Creation of a positive working environment, a healthy ethical climate, in which ethical conduct is the norm.

Codes help us understand how society, and we OURSELVES, perceive engineers, their duties and responsibilities, and how they are expected to discharge these.
Why? Functions: what does it achieve, what does it do?

Protection from employers: the code supports professional and ethical decisions. Justification for those having to confront unethical behavior, especially from superiors. Backup for ethical behavior.

Awareness and education of young engineers. For example, university education gives little training in professional problems, expected behaviors and norms; lack of a moral compass. Working life is vastly different from student life: new experiences, new problems, uncertainty about what to do.

Code of ethics especially for computer engineers
Area of technology
Dangers of technology: computer crimes ...
CODE OF CONDUCT/ETHICS
For computer engineers / IT professionals
In the US there are many computer associations and societies, and most have a code of ethics/conduct.

• To look at existing codes for this group
• To assess them

EXISTING CODES
Professional Engineers code of professional conduct and ethics:
http://www.peb.gov.sg/peb/html/per_code.html

IEE, IEEE, ACM, SCS

SOFTWARE ENGINEERING CODE OF ETHICS AND PROFESSIONAL PRACTICE (IEEE-CS/ACM):
http://www.computer.org/tab/seprof/code.htm
CODE OF CONDUCT/ETHICS

Codes of ethics are concerned with a range of issues, including:
Professional honesty
Adherence to confidentiality agreements
Data privacy
Handling of human subjects
Impartiality in data analysis and professional consulting
Professional accountability
Resolution of conflicts of interest
Software piracy

Common themes
Personal integrity: claims of competence
Personal responsibility for work (no one but you at the computer)
Responsibility to employer/client
Responsibility to the profession
Confidentiality of information
Conflict of interest
Dignity
Respect for persons / worth of people
Public safety, health, welfare
Participation in professional societies
Increasing public knowledge about technology

So we have a code, but what good is it?
Criteria of a good code
Must be more than mere motherhood statements; must contain reasonable policies to ensure that the practice of the profession is provided adequately to the public, and not merely enforce a monopoly situation or restrict competition amongst practitioners.

What it DOES do:
∆ Sets out the ideals and responsibilities of the profession
∆ Exerts a de facto regulatory effect, protecting both clients and professionals
∆ Improves the profile of the profession
∆ Motivates and inspires practitioners, by attempting to define their raison d'être
∆ Provides guidance on acceptable conduct
∆ Raises awareness and consciousness of issues
∆ Improves quality and consistency
LIMITATIONS: What it DOESN'T do, can't do, won't do

A professional association can establish a code of ethics, publicize it and lecture on it, but it remains largely up to each practitioner to interpret and apply it as personal circumstances and professional outlook dictate.

Not a legal document. Not legally binding.

Efficacy comes from how the code is regarded in actual fact and reality.

The power of moral principles can act as a mechanism for ostracization, the shame factor, even expulsion. This would depend on respect and regard for moral principles.

Protection from employers: the code supports professional and ethical decisions, but you cannot sue your employer on the strength of it.

You can whistle-blow, publicizing unethical actions, but expect censure: telling tales, snitching, disloyalty to company and employer, etc.
Codes only tell us what is the right thing to do, advocating long-established principles, highlighting what is considered honorable to uphold the dignity and pride of the profession; but the code would be as good as dead if persons had no inclination toward acting in these ways.

Gap between codes (providing information, knowledge) and action. If we act ethically only because of the code, out of fear of punishment, how ethical are we really?

Ethical action should come from our own voluntary choice.

Codes are coercive. They foster ethical action, but with stick rather than carrot.

Not a recipe for ethical behavior. Cannot be applied cookbook fashion. Cannot generally tell people what to do in specific situations.

Does outline factors to be considered. A starting point for ethical decision-making.

But cannot substitute for judgment.

Ethical reasoning needs THINKING.

Codes are sometimes perceived as necessary only for recognition as a profession. Primarily a convention among professions: formal adherence to ethical behavior as part of professionalism.

Shows the profession is honoring certain ethical behaviors and will police itself with regard to violations which would harm society.

Even though a code of ethics is largely unenforceable, observance of a strong code sets the tone for the professionalism of the entire membership.

In other words, codes can deteriorate into window dressing: good for show but no action.
Character counts. Ethics is not for wimps.

Codes can teach character, but not action; action needs individual strength and principles, that is, character.

Most rational persons already know what is right and wrong; it's deciding to do the right thing that we need. Ethics is whether you decide to act ethically.

Biggie question: Do codes help in ethical decision-making?

Do we really need a code of ethics???

Professional ethics / computer ethics: why computer engineers need codes
Unethical computer/IT use
Information technology will be the most fundamental area of ethical concern for business in the next decade.

Very important to stress:
Not some airy-fairy study about an ideal life up in the clouds.

Ethics is part of, integrated with, what we do every day.
We mix and interact with people every day. How we act towards them, for them, with them matters. This is ethics.

Computer ethics is important for computer professionals because the discipline is closely related to, and conducted in relation to, PEOPLE. You may sit by your lonesome in front of a computer, but what you do affects OTHERS. Recall the points on profession.
SIGNIFICANCE: do we need it? One suggestion:

Software is the glue that holds systems together. If the software is hopeless, the system is hopeless. Software is always the most troublesome component in systems that depend on computer control.

Hi-tech lifestyle: BB article "The Treatment of Employees in High-tech Start-ups: A Test of Executive Character". Weakness rather than evil accounts for many instances of unethical behavior.

Difficulty of software engineering

We can build adequately reliable software systems, but these become reliable only after extensive testing in the field. Although responsible developers perform many tests, including simulations, before releasing software, serious problems always remain when the first customers use the product. Test designers overlook the same problems the software designers overlook. No experienced person trusts a software system before it has seen extensive use under actual operating conditions.
Unethical computer use

Where the computer is the baddie, the instrument of unethical action. Examples: fraud, theft, defamation.

When the computer is the object of the act. Examples: unauthorized access to a database, spreading viruses.

When reliance is placed on the autonomous nature of computers. Examples: automated trading, weapons use.

So what do we get??????

Using the term loosely: computer crimes

Why and how computer technology (ICT) causes problems: areas which persons can manipulate and exploit to their gain, and our loss.
What's a crime?

Strict sense: a violation of law, liable to public prosecution and punishment. Significant; for example, traffic violations are not crimes.

General sense, more in use: moral law as well, for example "crime against humanity". Usually considered an evil act.
Why crime?

A main and major problem: many unethical uses are NOT considered wrong.

Often, people commit computer crimes without even knowing they are doing so …

Crime
Intentional harm to others; violation, usually of rights. Ignorance is no excuse.
Breaking of law. Problem: laws against unethical use are recent.

Why crime? Violating rights

Right to know. To what extent do we have a right to know, and have access to, the information that relates to us in a database? What about others' right to know about us?

Right to privacy. To what extent do we have a right to control the use of information that relates to us? What privacy rights do others have in regard to the data we hold on them?

Right to property. To what extent do we have a right to protect our computer resources from abuse and misuse?
Computer crime

Using a computer to steal, embezzle, or defraud.

Any type of electronic fraud/cyber scam: credit and debit cards, electronic funds transfer, software piracy and any other general misuse of a computer system, in which the computer plays an essential part.

Aka computer crime, e-crime, hi-tech crime or electronic crime. FBI: S$676 billion.
Talk on computer crime: http://www.youtube.com/watch?v=HPW2b84-d0A

Areas/types

Software products. Weaknesses, glitches. Example: new products that need patches.

Areas/types: vulnerabilities

Network configuration/management: our computer systems, the way they are configured and managed. Example: how secure is it, how seriously does management view security?

Risks from possible glitches within the company's own computer system, leading to unintended dissemination of proprietary or personal information.
Computer RISKS

Examples

OfficeMax customers who e-mailed links to the company's Web site to their friends: a programming error meant the e-mails contained personal information and credit card data.

IKEA's Web site: customers who requested online catalogues received an error message containing the name of a database; with it they could access the names, mailing addresses and telephone numbers of customers who had previously requested IKEA catalogs.
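The IKEA example above, reduced to code. This is an added illustration, not the slides' material and not IKEA's or OfficeMax's code. Two request handlers call the same buggy lookup (a programming error: the query names a table that does not exist), so both fail; the difference is what reaches the browser. The in-memory database, the table names and the reference-id scheme are constructed for this demo.

```python
"""Added example: an error message that leaks internal schema, beside the
hardened handler that logs the detail server-side and returns only a generic
message with an opaque reference id. All names below are constructed."""
import logging
import sqlite3
import uuid

log = logging.getLogger("catalog")


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the customer database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE catalog_requests (name TEXT, address TEXT, phone TEXT)")
    db.execute("INSERT INTO catalog_requests VALUES ('A. Customer', '1 Demo St', '555-0100')")
    return db


def _lookup(db: sqlite3.Connection, request_id: int):
    # The bug: the real table is catalog_requests, so sqlite raises
    # "no such table: customers_catalog". That string names internal schema.
    return db.execute(
        "SELECT name FROM customers_catalog WHERE rowid = ?", (request_id,)
    ).fetchall()


def leaky_handler(db: sqlite3.Connection, request_id: int):
    """Returns (status, body). Echoes the raw exception text to the client."""
    try:
        return 200, repr(_lookup(db, request_id))
    except sqlite3.Error as exc:
        return 500, f"Database error: {exc}"  # leaks the internal table name


def hardened_handler(db: sqlite3.Connection, request_id: int):
    """Returns (status, body). The detail goes to the server log under an
    opaque reference id; the client sees only the generic message and the id,
    so support staff can still find the log line without the schema leaking."""
    ref = uuid.uuid4().hex[:8]
    try:
        return 200, repr(_lookup(db, request_id))
    except sqlite3.Error:
        log.exception("catalog lookup failed ref=%s request_id=%r", ref, request_id)
        return 500, f"Sorry, something went wrong (ref {ref}). Please try again later."


if __name__ == "__main__":
    conn = make_db()
    print(leaky_handler(conn, 1))
    print(hardened_handler(conn, 1))
```

The point of the reference id is that "hide the error" does not have to mean "lose the error": the full traceback still lands in the log, keyed by a value the customer can quote to support.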
Two areas/types of vulnerabilities

Broadband/Wi-Fi connectivity: crooks have connectivity too, an opportunity for hackers and their ilk.

Increase in browser-based attacks, which will increase even more with instant messaging.

Example: DoS

E-MAIL

E-mail risks/vulnerabilities:
Lack of privacy (more later)
Transmission of viruses
Ease of accidental compromise
Inability to ever fully erase
Remote access
Uncertain origin
E-MAIL

Most e-mail is insecure unless encrypted (encoding alone, such as base64, hides nothing from anyone who can read the message). Like a postcard: anyone who handles it can read it. It may also be read while stored on servers during transmission. System administrators can also read e-mails.

Hard to destroy
Deleted e-mail remains: most electronic documents are backed up and recoverable. E-mail "evidence" is now acceptable as a legal record in courts of law. Example: the Microsoft court case dredged up incriminating old e-mails.
Personal/home computer and user

Easy targets: on most of the time.
High-speed connections (what the office might not give us, we get ourselves).
Personal information and activity: online form filling, booking, shopping, gaming, chats, etc.

Definition of terms: Computer RISKS

Computer control of aircraft
Nuclear power plant control
Military computers
Traffic lights
ATMs
Computer power switch location
E-commerce privacy

TO NOTE

Many crimes involving computers are no different from crimes without computers: the computer is only a tool that the criminal uses to commit the crime, most times more effectively.
Examples

Using a computer, scanner, graphics software, and a high-quality color laser or ink-jet printer for forgery or counterfeiting is the same as doing it the old-fashioned way.

Stealing a laptop computer with proprietary information on the hard disk is the same as stealing a briefcase.

Using the Internet for illegal solicitation of nefarious activities is similar to other such forms; for example, duping someone on the Net is the same as on the street.
CASES: What is stealing?
1. Breaking into a store and taking $3,000 in merchandise
2. "Borrowing" a friend's car indefinitely
3. Taking an unlocked bicycle
4. Developing a computer program on company time for your company, and then patenting a considerably improved version of the program under your own name
5. Borrowing a book from a friend, keeping it by mistake for a long time and then failing to return it because the friend has moved away
6. Using some ideas you developed at Firm A for a different process at Firm B
7. Using Firm A's management methods at Firm B
8. Picking up a quarter that you saw someone drop on the street
9. Failing to return a sheet of paper (or paper clip) you borrowed
10. Picking up a quarter that someone (you don't know who) has dropped on the street

No single criterion decides the issue. The most obvious is the monetary value of the property in question.

But what about snatching a dollar bill from an elderly person? That is more clearly theft than using an idea that you've developed at Company A for a very different application at Company B, even though the latter involves vastly greater sums of money than the first. Similar considerations apply to bribery: it is not always easy to determine what is and is not a bribe.
CRIMINAL ACTIVITY
Fraud, embezzlement, forgery, sabotage

http://www.taipeitimes.com/News/worldbiz/archives/2005/06/22/2003260310/print
http://msnbc.msn.com/id/8307418/
http://catless.ncl.ac.uk/Risks/23.83.html#subj2 (biometrics horror stories)
http://www.crime-research.org/news/15.02.2006/1827/ (Computer Crime Research Centre)
http://www.cybercrime.gov/compcrime.html

Security crimes on the increase:
http://netsecurity.about.com/gi/dynamic/offsite.htm?site=http://www.theregister.co.uk/2005/12/07/sophos%5F2005%5Fsecurity%5Fsurvey/

Digital wights and wongs: http://www.theregister.co.uk/internet/rights/
FOR COMPUTERS ONLY???
Computer intrusions (e.g. malicious hacking), unauthorised modification/destruction of data, Denial of Service (DoS) attacks, creation and distribution of malicious software (e.g. viruses, worms, trojans).

Unauthorized use of a computer, for example stealing a username and password, or accessing the victim's computer via the Internet through a Trojan horse backdoor program.

Reading or copying confidential or proprietary information but leaving the data alone. Still a crime: entering someone's private space is a violation.

EXAMPLES
Changing data. Changing a grade on a school transcript, adding "money" to a checking account, etc. Fraudulent.

Deleting data. Deleting entire files: vandalism or sabotage.

Harassment and stalking in cyberspace.

Old crimes made new or "better": obscenity/porn, child solicitation for sex via chat rooms on the Internet, violence against minorities, terrorism.
Getting Better … Or Worse …
Cheating goes hi-tech: plagiarism is old hat; now in the UK students use outsourcing websites where bidders compete to write assignments ("contract cheating"): students put coursework out to tender and suppliers bid to complete the work. Legitimate outsourcing sites, but illegitimate use.

Extortion: "pay me $$$$ or I will put YOU on the Net"; ransomware: pay up or else we hack, DoS, inject malware. Targets: banks, e-commerce portals, gaming, gambling and porn sites.

CASE: Ransomware

Malware sent into computers: the malicious code Gpcoder, a Trojan that encrypts data files such as documents, spreadsheets and databases.

Once the files are encrypted they cannot be accessed, unless the victim pays the hacker US$200 for the antidote, after which the perpetrator kindly leaves decryption instructions for the user in a folder.
It happened in Singapore …

Singapore was also hit in what was then the biggest data breach in history (2005), with the theft of private information on more than 40 million credit card holders. Japan and HK affected.

Australia and Singapore at risk. Singapore: about 20,000 exposed to fraud risk (DBS, OUB, etc.).
Crime: violating rights, exploiting risks
Right to know. To what extent do we have a right to know, and have access to, the information that relates to us in a database? What about others' right to know about us?
Right to privacy. To what extent do we have a right to control the use of information that relates to us? What privacy rights do others have in regard to the data we hold on them?
Right to freedom of speech/expression. People who restrain us from speaking out: a crime.
Right to property (intellectual property). To what extent do we have a right to protect our computer resources from abuse and misuse?
How technology helps us be crooks: software and computer pirates, thieves, creeps, liars, etc.

Store all sorts of information (text, graphics, sound) in standard digitized formats.
High-volume, relatively cheap digital storage media, for example hard disks, CD-ROMs, DVDs.
Character scanners, image scanners.
Compression formats, for example MP3, shrink music and film files for downloading, copying, storing.
Easy to do: error-free duplication; distribution over computer networks; finding.

How technology helps us be crooks

Transfer via peer-to-peer technology like Gnutella and Morpheus: can copy files among users without going through any central service (unlike the near-defunct Napster).
Advances in technology: more computer space (now into terabytes already), faster computers, new compression formats for files, new storage media, and of course the Net itself, with new services that provide music, TV, e-books, etc.
Problem: formats like MP3 have no mechanism for preventing unlimited or unauthorized copying.
How technology helps us be crooks

How secret is your password?

A five-character password drawn from the 26 lowercase letters has only 26^5 = 11,881,376 possibilities; against an unsalted fast hash, an offline cracker runs through those in seconds. Eight mixed-case alphanumeric characters give 62^8, roughly 2.2 × 10^14. Impossible, then?
BEWARE!!!!!!!
Guesses can be made from the username, for example "test" or "admin". Many are too lazy to change the default: Google "default password".

The username is the key to a successful attack: first default passwords, then common username and password combinations.
Dictionary attack: running through common words.
Brute force: attempting to crack the code like a safe, bombarding it with different combinations.
Search-engine queries such as inurl:service.pwd OR ... turn up exposed password files.
Or simply call the organization and ask.
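The guessing order the slide describes (default credentials, then guesses built from the username, then a dictionary, then brute force) played out in code. This is an added example, not part of the slides and not any real cracking tool; the account list, the "default password" table, the dictionary and the hashes are all constructed for the demo, and the attack stops at the first stage that hits so the count of guesses shows how cheap each class of password really is.

```python
"""Added example: staged password guessing against a constructed hash list.
Hashes are plain SHA-256 to keep the demo short; a real system should store
passwords with a slow, salted hash (bcrypt, scrypt or Argon2)."""
import hashlib
import itertools
import string


def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed demo accounts: username -> password hash.
ACCOUNTS = {
    "admin": _h("admin"),     # vendor default never changed
    "test":  _h("test123"),   # derived from the username
    "alice": _h("sunshine"),  # common dictionary word
    "bob":   _h("qz7k"),      # short random string; only brute force finds it
}

# Constructed stand-ins for a vendor default-credential list and a word list.
DEFAULT_CREDS = {"admin": ["admin", "password", "1234"], "root": ["root", "toor"]}
DICTIONARY = ["password", "letmein", "sunshine", "dragon", "welcome"]


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def username_guesses(user: str):
    """Guesses built from the username itself (the slide's 'test', 'admin')."""
    for suffix in ("", "1", "123", "2005", "!"):
        yield user + suffix
        yield user.capitalize() + suffix


def brute_force(alphabet: str, max_len: int):
    """Every string over `alphabet` of length 1..max_len, shortest first."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def crack(user: str, digest: str, max_len: int = 4):
    """Return (password, guesses_tried, stage), or (None, guesses_tried, 'exhausted')."""
    stages = [
        ("default", DEFAULT_CREDS.get(user, [])),
        ("username", username_guesses(user)),
        ("dictionary", DICTIONARY),
        ("brute", brute_force(string.ascii_lowercase + string.digits, max_len)),
    ]
    tried = 0
    for stage, candidates in stages:
        for pw in candidates:
            tried += 1
            if _h(pw) == digest:
                return pw, tried, stage
    return None, tried, "exhausted"


if __name__ == "__main__":
    print(f"5 lowercase letters: {keyspace(26, 5):,} possibilities")
    print(f"8 mixed-case alphanumerics: {keyspace(62, 8):,} possibilities")
    for name, digest in ACCOUNTS.items():
        print(name, crack(name, digest))
```

The three "lazy" accounts fall within a handful of guesses, before brute force is even reached; the random four-character one costs hundreds of thousands, which is still trivial offline. Length and randomness matter, but only after defaults and username-derived passwords are gone.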
FOCUS: Internet fraud

Fraud: a wide umbrella term that encapsulates most of the Mickey Mouse stuff on computers (the other would be malice).

DRAB's take on fraud: deceiving others into giving you something, mainly money, some gain or advantage, which they would not have given if they had known.

Formal: use of a computer or computer system to help execute a scam or illegal activity; any scheme that uses the Web, chat rooms, e-mail, or for the really unlucky all three, to defraud a target via fraudulent solicitations to prospective victims or fraudulent transactions.

Internet fraud

Main technique: to present fraudulent schemes in ways that look, as much as possible, like what the vast majority of legitimate e-commerce merchants offer.

Major curse: undermines consumer confidence in legitimate e-commerce and the Internet; erosion of trust.
INTERNET Mickey Mouse
http://www.miami.com/mld/miamiherald/business/14557140.htm?template=contentModules/printstory.jsp
http://news.bbc.co.uk/1/hi/business/637094.stm
http://news.bbc.co.uk/1/hi/business/637478.stm
Internet fraud

Mainly direct or indirect theft. EXAMPLES:

Of information from a secure or private computer system, trade secrets, and computer-aided duplication of copyrighted materials, for example video games, movies, music. Why theft? DID NOT PAY :-

Breaking into long-distance systems to "steal" service for free calls, offering nonexistent goods to buyers (online auctions), stealing someone's funds by hacking into a bank or credit card account, illegally using access devices, such as those of a paid news subscription service.

WEB: WATCH OUT FOR:
Business opportunity / "work-at-home" schemes online. Advertise business opportunities to earn thousands of dollars a month in "work-at-home" ventures. You have to pay to join, but the only thing delivered is a depleted bank account.

Investment schemes online.

Market manipulation schemes. Manipulate securities markets for personal profit. "Pump-and-dump" schemes: disseminate false and fraudulent information to cause dramatic price increases in thinly traded stocks or stocks of shell companies (the "pump"), then immediately sell off their holdings of those stocks (the "dump") to realize substantial profits before the stock price falls back to its usual low.
CASE: Internet market fraud

1. Defendants allegedly purchased, directly and through someone else, a total of 130,000 shares in XYZ, declared several months earlier.
2. Defendants then allegedly posted bogus e-mail messages on hundreds of Internet bulletin boards, falsely stating that XYZ was to be taken over by another company. At the time of the defendants' alleged purchases of XYZ stock, the stock was priced between 9 cents and 13 cents a share.
3. In a single morning of trading, XYZ stock rose in 45 minutes from $8 per share to $15, before falling, within half an hour, to 25 cents per share.
4. Defendants allegedly realized profits of $362,625.

CASE: Internet market fraud

1. Zev, who worked for ABC, created a bogus Bloomberg news Web site which falsely reported that ABC was about to be acquired by an Israeli company.
2. Posted fraudulent e-mail messages, containing links to the counterfeit Bloomberg news site, on financial news bulletin boards.
3. On the day the bogus report appeared on the Internet, ABC stock rose approximately 30 percent before ABC issued its own press release stating the report was false.
You Won't Need This, But To Amuse …

Internet "divorce"

Web sites that advertise a "quick divorce" opportunity to be obtained in the Dominican Republic or other foreign countries for $1,000 or more, without having to leave the United States.
Often contain false, misleading, or legally inaccurate information about the process for obtaining such divorces (e.g., that neither spouse has to visit the country in which the divorce is being sought).
People who sent money eventually receive false assurances that they are legally divorced. In fact, they aren't!!!!

HACKING (HACKERY?)

Unauthorised entry into a computer system.

Forms
Obtain passwords and delete information
Create programs to steal passwords
Rummage through garbage to get information
Create and transmit computer viruses

What is a hacker?
Hacking (Hackery?)

History: http://library.thinkquest.org/04oct/00460/hackingHistory.html

"Breaking" into a computer that is not your own. Well known; it has generated new terminology and language: logic bombs, witty worms, bacteria, rabbits, Trojan horses.

Have we come full cycle? In the 1970s "hacking" was positive: a person who wrote very good and clever programs, the first computer games and operating systems. Then negative, 70s to 90s: did it because they could, for the challenge and thrill. Mainly teenage culprits. Is it now positive again? 90s onwards: a whitewashed image of good hackers and bad hackers.

Good article: http://www.stanford.edu/class/cs201/08_Spafford.pdf (in notes, also p/o)

Hacking (Hackery?)

Traditional meaning: someone who spends a large amount of time exploring and figuring out how the wired world works.
Today mainly associated with computer criminals.

Old-school hackers: highly skilled professionals who hire out their skills to organizations concerned about network safety. Differentiate from criminals or crackers.
TYPES
Internals. Either employees dissatisfied with company management or ex-employees who know security “ropes”. Use knowledge to hack in.

Cyber punks. Stereotype hackers, antisocial, socially inept, angry at world, etc. Relate better to computers than people, capable of writing malicious programs. Usually guilty of damaging acts such as spamming, credit card number theft, defacing web pages, etc.

93
TYPES

Professional Criminals and Cyber Terrorists. Most dangerous, ex-intelligence operatives and professional criminals, basically, guns for hire. Access to state of art equipment, extremely well trained, specialize in corporate espionage. More on stealing intelligence data.

Newbies and Script Kiddies (Usually teenagers) wanna-be dangerous hackers but lack miserably in required determination and skills. Want the glamour. Use ready-made cracking programs (made by others), intending to cause damage to and corrupt systems. Almost always caught because they brag.

94
Hacking Singapore

ThinkSECURE's AIRRAID - A WIRELESS HACKING TOURNAMENT - AUG 2005, SINGAPORE – to find cleverest hacker, to educate on hacking, even a hacking course run by Ernst & Young. Many such. Yet: -

2003: Singapore has some of the world's toughest laws against computer hackers and virus writers, allowing police to arrest suspects before they strike.

95
Examples of punishment:
Hacking Singapore

OFFENCES on "protected computers", such as accessing and altering programmes, causing problems in receiving or despatching resources for emergency services: fine up to $100,000, jail up to 20 years.

Unauthorised access to someone's web server or personal computer: fine up to $5,000 (up from $2,000), jail up to two years, or both.

96
Examples of punishment:
Hacking Singapore

Unauthorised modification to computer material, such as introducing computer virus, and unauthorised use or interception, such as cloning mobile phones and pagers: fine $10,000 (up from $2,000), jail up to three years (from two years previously), or both.

97
Who is usually guilty?
Students!!!!!!!!
White-hat hackers -- after breaking into the system, they usually inform the victims
Black-hat hackers -- cyber vandals who deliberately cause trouble for people
Crackers -- hackers for profit
Hacktivists -- politically motivated hackers
Script bunnies/kiddies -- wanna-be’s, but don’t have technical expertise – trying-hards, don’t quite hack it, no pun intended. May unleash harmful or destructive attacks without even realizing it. Generally no goal in mind but to see how much chaos they can create.
98
Is hacking an issue any longer?

No. Outrightly illegal, and unethical. Harmful. If we can’t justify breaking into a store, why is “technological break-in” any different?

Usual justification
Information should be free – no longer. Laws.
To show system insecure, flaws. So do home security services break into homes to show homes need them, or same with car alarm systems?
Does no harm – no one need know. Helps hacker find out something about system. Did hacker have to break in to find out? Hacking not only way. Giving children electric shocks to learn is a good way, too? Still violation of our rights.
99
Hacktivism/hacktivity

Current form – although not yet (if ever) in Singapore - combination of traditional hacking - not accepting technologies at face value, opening them up, understanding how they work, exploring limits and constraints on human communications - with social and political activism - convergence of computer hacking and political activism - electronic civil disobedience, same as traditional protest action.

Hackers trespass and block certain passageways, cause disruption - bring down websites, clog servers, unleash viruses or e-bombs. Thus gain attention.
100
Hacktivism/hacktivity

EXAMPLE: During the protest against the World Economic Forum in Melbourne 2000, hacktivists hijacked many websites. Not only did they bring down the World Economic Forum's website, they also redirected people trying to access websites such as Nike or the Olympics to that of their own.

Can be used by legitimate political groups. EXAMPLE: 2000 pro-Israeli website that provided tools to visitors to attack websites affiliated with Hezbollah, anti-Israeli terrorist organization – to hit them with zillions of hits a day – denial of service – incapacitating them – common form of hacktivism.
101
Hacktivism/hacktivity

Significance: link to cyberterrorism

Some government and media use terms synonymously - hacktivism serious breach to national security.

But hacktivism has no intent of disrupting normal operations for a specified target, will not cause serious damage to organisation. Cyberterrorism - politically motivated hacking attacks with intent of causing serious loss of life or severe economic damage.

Hacktivism/hacktivity

CASE
Student Hacks System to Alter Grades

US top university custom program, eGrades - faculty can submit and alter grades. Password protected, with backup, so faculty who forget password can reset using SSN and DoB. Student worked for insurance company, was able to obtain SSN and DoB for two faculty members, which he used to reset their passwords and change grades.
103
Hacktivism/hacktivity

CASE
Hacking for love

Singapore student charged and arrested under Computer Misuse Act for stealing online identities to prey on women anonymously. Apparently hacked into their accounts or duped them into giving up user names and passwords by offering upgraded software. Also hacked into email and instant messaging accounts, then changed passwords to get accounts for himself.
Unauthorized access to computer or network and fraud: $50,000 fine or jail up to 10 years or BOTH.
104
Hacktivism/hacktivity

The password hacker who says ``we aren't hurting anything by looking around'' is exactly analogous to the joyrider saying ``we aren't stealing the car permanently.''

What do you think?

105
Hackers hit everyone
Security breaches in recent years have affected companies including a major provider of online banking services, CD Universe, Yahoo! Inc., Amazon.com Inc., and eBay Inc.

Targeted S1 Corp., which provides Web-based banking services for hundreds of financial institutions - gained access to usernames and passwords, potentially putting individual bank accounts at risk.

Hacker retrieved stored credit card numbers from CD Universe's database, posted them on the Internet when company refused to comply with demand for $100,000 payoff.
106
DENIAL OF SERVICE (DOS)

Denying service to authorized users. When Internet server flooded with nearly continuous stream of bogus requests for webpages. Gobbling unreasonably large amounts of computer time or disk space. Legitimate users can’t get in. Server may even crash. Can also destroy programming and files in a computer system.

Usually by hackers trying to stop people from using the server. Re: hacktivism example – hacktivists able to hijack targets by sending messages to targets – clog the system, disable them.
107
Can sometimes happen accidentally.
What can happen

Conversely, denial of service includes “mailbombing,” which is when someone purposely attempts to disable an email account by sending massive amounts of emails to its address.

Disable computer, network, and organization. Worst case, for example, a Web site accessed by millions of people forced to temporarily cease operation.

HOW?
“Flood” network, thereby preventing legitimate network traffic
Disrupt connections between two machines, thereby preventing access to a service
Prevent particular individual from accessing service
Disrupt service to a specific system or person
Send large amounts of junk e-mail in one day - "mail bomb"
Malware - virus, worms, malicious program that puts the processing unit into an infinite loop, or,
Flood server with bogus requests for webpages - deny legitimate users opportunity to download page and also possibly crashing server.
109
DoS Singapore

One way DoS – code gets into computers and takes control, turning them into “bots” – network of compromised computers – then used to launch DoS. Bots can now be rented out. What next???

2005: Pacific Internet customer’s server turned into rogue computer to control about 10,000 machines in Australian university. Foiled when Australian Computer Emergency Team investigated and traced infection to Pacific Internet Network. Singapore Computer Emergency Response Team contacted – shut down ISP.

MALWARE
Broad concept, umbrella term – anything that harms via computer – intentionally – malicious intent.

Short for "malicious software," - software programs designed to damage or do other unwanted actions on a computer system:

Malicious code
Malicious program
Rogue program

Specific example malware: http://www.hewett.co.nz/gcg/200505c.html

MALWARE

Scary statistics
70% of malware detected during Q1 2006 cybercrime-related - "designed to generate financial returns."
40% spyware (collecting data on users' Internet activities)
17% Trojans (including software that steals confidential data related to bank services)
8% dialers (code that dials up premium-rate phone numbers without a user's knowledge) and "bots," which involves the sale or rental of networks of infected computers.
112
MALWARE
Cause various types of damage and nuisance to computer and users. Include mainly worms, Trojan Horses, viruses, spyware and adware. May slow down Internet, use computer to spread the evil to other Webbers.

Around for quite a while, but problem bad because high-speed internet connections and millions of computing devices - accelerated speed at which worms and viruses spread.

Malware insidious - installed silently and remain hidden on systems.
Examples MALWARE Evil
Virus

Worms

Trojan Horse
Often comes bundled with other programs (KazaA, iMesh, and other file sharing
programs biggest bundlers).

Installed from websites, pretending to be software needed to view the website.

114
HOW IT HAPPENS…

Install themselves through holes in Internet Explorer, weak spots in software, like virus would, requiring you to do nothing but visit the wrong web page to get infected.

Vast majority, however, must be installed by user – user must take some action – which they usually will, example, open email, open files.

Carriers - Where they hide

Executable files – .exe extension - most “classic” target when virus attaches itself to host programme. Others .com, .sys, .ovl, .dll, .prg.

Scripts – scripts are carriers, of files that use scripting language such as Microsoft Visual Basic Script, Java, Apple, Perl.

How big is the bug – Google survey - One in 10 web pages scrutinised by Google contained malicious code that could infect a user's PC: http://news.bbc.co.uk/2/hi/technology/6645895.stm
What they “eat”:

Macros – files that support macro scripting language of particular application such as word processor, spreadsheet, or database application.

Boot sector – specific areas of computer disks such as master boot record or DOS capable of executing malicious code.

Getting infected with malware usually much easier than getting rid of it - once infected, tends to multiply - will reinstall, hide themselves, even after you think you have removed them.
What they “eat”:

What carries them/how they are conveyed

Removable media – file transfer - most common and prolific. Early ones floppies, now networks.

Network shares – poor network security

P2P – readily available on Net

Email

What these will do…

Hijack your browser, redirect your search attempts, serve up nasty pop-up ads, track what web sites you visit, and generally screw things up.
Usually poorly-programmed - slow down computer, create instability, other havoc
Usually pop-up ads, sending revenue from the ads to the program's authors.

Case: Double trouble spyware scumbag:
http://www.theregister.co.uk/2006/11/10/trojan_pervert_jailed/print.html

What these will do…

Backdoor – unauthorized access to computer

Data corruption or deletion

Information theft

DoS – denial of service - system shutdown – CRASH.
Good examples and images of malware in action:
http://blog.spywareguide.com/2007/05/images_speak_louder_than_words_1.html
MALWARE
Malware threats are increasingly created for financial gain, with more sophisticated attack techniques.

More common activities include trying to steal bank account or credit card numbers and passwords through phishing and keylogging malware.

The information gathered can then be sold on the web. Internet Relay Chat (IRC) channels, for example, are a common "flea market" for stolen personal data.

Charges: What they earn

•$1000 – $5000 (US) : Customised Trojan program, which could be used to steal online account information
•$500 : Credit Card Number with PIN
•$150 : Driver‘s licence
•$150 : Birth certificate
•$100 : Social Security Card
•$7 - $25 : Credit card number with security code and expiration date.
•$7 : Paypal account log-on and password

Case: Malware from Craigslist

An employee at Sana was looking for a car on craigslist, and emailed the person with the advert. He got the following email:

Thank you for your interest in my car. I gladly inform you that it is still on sale so you are right on time. Sorry for the delay, as I am staying in the hospital right now. As I have to cover all the costs myself, I am selling it and the deal is very good for you. The car is in an excellent good condition. Please, follow the link and download all the specific information about the car: http://url_removed/myalbum.exe.
Case: Malware from Craigslist

As soon as you download it, you will have all the necessary data: description, photos, and other details. Please, make sure you are well acquainted with the info so that your decision would be reasonable. The car is in excellent condition, no accident. Thank you.

Please, reply ASAP and feel free to ask any questions.

P.S. To watch the pictures you are to save the portfolio on your computer and launch it.

And surprise surprise myalbum.exe is not photos, but a nasty piece of malware
OTHERS: Hijackers

How?

Almost exclusively target Internet Explorer
Take control of various parts of web browser, including home page, search pages, and search bar.
Redirect you to certain sites should you mistype an address
Prevent you from going to a website they don’t want you to go to
Redirect you to their own search engine when you attempt a search.
Toolbars. Search forms or pop-up blockers. Google and Yahoo! probably most common legitimate examples. But malware toolbars emulate functionality and look – but possess malware characteristics.

Dialers. Programs that set up your modem connection to a telephone number. Number’s owner enjoys free calls and you the phone bill.

VIRUS
Drab readmore: http://computer.howstuffworks.com/virus.htm
A little history…

First computer virus found "in the wild" written in 1986 in a computer store in Lahore, Pakistan.
1980s, computer viruses generally spread by passing floppy disks from one user to another user.
Late 1990s, computer viruses generally spread via the Internet, either in e-mail (e.g., a virus contained in a Microsoft Word macro, or a worm contained in an attachment to e-mail) or in programs downloaded from a website.
First prosecution in US under Federal computer crime statute: Robert Tappan Morris, then a graduate student in computer science at Cornell University, released his worm into the Internet on 2 Nov 1988. Worm rapidly copied itself and effectively shut down the Internet.
VIRUS
The virus threat is increasing for several reasons:

Creation of viruses is getting easier. The same technology that makes it easier to create legitimate software is also making it easier to create viruses, and virus construction kits are now available on the Internet. About 200 to 300 new viruses are being created each month, while the old ones continue to spread.
The increased use of portable computers, e-mail, remote link-ups to servers, and growing links within networks and between networks mean that any computer that has a virus is increasingly likely to communicate with -- and infect -- other computers and servers than would have been true a few years ago.
As organizations increasingly use computers for critical
VIRUS
So what is it?

Small piece of software that piggybacks on real programs. Must piggyback on top of some other program or document in order to get executed. Example, spreadsheet program. Each time the spreadsheet program runs, virus runs, too.

Once running, then able to infect other programs or documents.

VIRUS

Thus key features

Ability to propagate by attaching itself to executable files (e.g., application programs, operating system, macros, scripts, boot sector of a hard disk or floppy disk, etc.)

Running executable file may make new copies of virus.

Causes harm only after it has infected an executable file and the executable file is run.

Most common - E-mail viruses - moves around email and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book.
VIRUS
Dangerous!!!!!
Able to generate itself. Spreads. Also able to modify other programs - can "infect" other programs by modifying them or their environment - a call to an infected program implies a call to a copy of the virus.

Examples
March 1999, Melissa virus so powerful Microsoft and a number of other very large companies forced to completely turn off email until virus could be contained.

January 2004: Mydoom worm infected approximately quarter-million computers in single day.

ILOVEYOU virus in 2000 anything but love.

WHYWHYWHY

A lot of trouble taken. Why do all this?

Same psychology that drives vandals and arsonists. Busting car windows, spray painting signs, setting fires. The thrill? Thrill of what? Destruction, mostly, scaring, defacing. Watching things blow up? Creating virus like bomb inside computer, the more computers that get infected the more "fun" the explosion.

Bragging rights – example, see a security hole that could be exploited, so feel compelled to exploit hole yourself.

VIRUS

PC Magazine article:
http://www.pcmag.com/print_article2/0,1217,a=148845,00.asp HOAX!!!
Computer virus and hoax different!

Virus Hoaxes
Easier than writing a program to make computers mess themselves up - writing a letter to make humans mess computers up.

Pretend to be a virus alert, or some other sort of computer security alert - worded to frighten people and get them to forward the message to 'everyone they know' − or at least to a lot of other people.

Can slow down or even stop mail server, flood mailboxes - lose time and waste time and energy
Worms

Computer program with ability to copy itself from machine to machine. Small piece of software that uses computer networks and security holes to replicate itself.

How?
Copy of worm scans network for another machine that has specific security hole. Copies itself to this using security hole, and then starts replicating from there, as well.

Worms
Distinction between a virus and worm

Virus never copies itself – is copied only when infected executable file is run.

Virus infects an executable file, while worm is stand-alone program.

Virus requires human action to propagate (e.g., running an infected program, booting from a disk that has infected boot sectors) even if human action is inadvertent, while a worm propagates automatically.

Worms

Beginning with Klez worm in early 2002, worm could drop a virus into victim's computer - a blended threat - combined two different types of malicious code.

Pure and original worms: Neither delete nor change files - simply makes multiple copies of itself and sends these copies from victim's computer, thus clogging disk drives and Internet with multiple copies of the worm. Slows legitimate traffic on Internet, as continuously increasing amounts of traffic are just duplicates of worm.

EXAMPLE WORM Code Red July 19 2001

Replicated itself over 250,000 times in approximately nine hours. Experts predicted Internet would completely grind to a halt. But not so bad as predicted.

Each copy scanned Internet for Windows NT or Windows 2000 servers that did not have Microsoft security patch. Each time it found an unsecured server, copied itself to that server. New copy then scanned for other servers to infect. Depending on the number of unsecured servers, a worm could conceivably create hundreds of thousands of copies.

Designed to :
Replicate itself for the first 20 days of each month
Replace web pages on infected servers with a page that declares "Hacked by Chinese"
Launch concerted attack on White House Web server in attempt to overwhelm it
137
Trojan horse

Simply a computer program - claims to do one thing (it may claim to be a game) but instead does damage when you run it

Deceptively labeled program - contains at least one function unknown to user and that harms user.

Does not replicate, which distinguishes it from viruses and worms.

Trojan horse

Some more serious Trojan horses allow hackers to remotely control victim's computer, collect passwords and credit card numbers, launch DoS.

Could be installed on victim's computer by an intruder, without any knowledge of the victim.

Downloaded (perhaps in an attachment in e-mail) and installed by user, who intends to acquire benefit quite different from undisclosed true purpose of Trojan Horse.

Logic bomb is a program that "detonates" when some event occurs. The detonated program might stop working (e.g., go into an infinite loop), crash the computer, release a virus, delete data files, or any of many other harmful possibilities.

Time bomb is a type of logic bomb, in which the program detonates when the computer's clock reaches some target date.

Case

Trojan horse spammed out to email addresses posing as digital photograph:

Subject line: My best photos! or the best pictures of us. Just take a look, I am excited! or Wanna see? or You’ve asked for pictures. See this. Message body: Hi, Honey My best photo ever! Xoxoxo Attached file: photos.zip Inside the ZIP file is another file called DSC00342.jpg .exe.

Case

Executable file a Trojan horse, which has been developed to download more pernicious code from the Internet, posing as JPG graphic.

Opening file will not show you picture, but blasts open a hole in PC’s security.

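The lure above (and the myalbum.exe one in the Craigslist case) works because a mail client or a narrow file listing shows "DSC00342.jpg" and pushes the real ".exe" out of sight. The block below is an added example, my own code rather than anything from the slides or from a product they mention, of the check a mail gateway or a careful reader can run on attachment names: it flags the carrier extensions the Carriers slide lists (.exe, .com, .sys, .ovl, .dll, .prg) plus a few common Windows script types, recognises the double-extension and whitespace-padding disguises, and applies the same check to the member names of a ZIP attachment. The extension lists are illustrative assumptions, and the sample ZIP and its contents are constructed for the demo.

```python
"""Attachment-name checks for disguised executables (added example)."""
import io
import zipfile

# Carrier extensions the Carriers slide names (.exe, .com, .sys, .ovl, .dll,
# .prg) plus common Windows script types. Assumption: illustrative, not a
# complete list. Stored without the leading dot.
EXECUTABLE_EXTS = {"exe", "com", "sys", "ovl", "dll", "prg",
                   "scr", "pif", "bat", "cmd", "vbs", "js"}
# Harmless-looking extensions that lures put in front of the real one.
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "txt", "zip"}


def classify_attachment_name(name):
    """Return the reasons a filename looks like a disguised executable.
    An empty list means the name carries no red flag."""
    reasons = []
    segments = name.lower().split(".")
    if len(segments) < 2:
        return reasons                       # no extension at all
    real_ext = segments[-1].strip()
    if real_ext not in EXECUTABLE_EXTS:
        return reasons                       # not an executable type
    reasons.append("executable extension '.%s'" % real_ext)
    # A decoy extension somewhere before the real one (DSC00342.jpg .exe)
    # means the name is dressed up as a picture or document.
    for segment in segments[1:-1]:
        if segment.strip() in DECOY_EXTS:
            reasons.append("double extension: posing as '.%s'" % segment.strip())
            break
    # Whitespace around the last dot pushes the real extension out of view
    # in a narrow file listing; flag it separately.
    if segments[-2] != segments[-2].rstrip() or segments[-1] != real_ext:
        reasons.append("whitespace padding before real extension")
    return reasons


def scan_zip_bytes(data):
    """Check every member name of a ZIP held in memory, as a mail filter
    would see an attachment, and map suspicious names to their reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for member in archive.namelist():
            reasons = classify_attachment_name(member)
            if reasons:
                findings[member] = reasons
    return findings


def build_sample_zip():
    """Constructed stand-in for the photos.zip lure on the slide: one
    disguised executable and one harmless text file, both holding dummy
    bytes rather than real programs."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("DSC00342.jpg .exe", b"placeholder, not a program")
        archive.writestr("readme.txt", b"hello")
    return buffer.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip_bytes(build_sample_zip()).items():
        print(name, "->", "; ".join(reasons))
```

A plain installer such as setup.exe is flagged too, by design: at a mail gateway the sensible policy is to quarantine every executable attachment for review rather than try to guess which ones are honest, and the extra reasons (double extension, padding) simply raise the priority of the review.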
Even if benefits to society, still unauthorized access. Argument weak because doesn’t make it legal, or that should then be allowed because shows up a problem.

Example given: Low pressure in automobile tires causes tire failure, which, in turn, causes automobile accidents. Would it be reasonable for someone to walk around a parking lot, letting some air out of tires, so tires are seriously underinflated, with justification that ensuing accidents will call attention to problem of underinflated tires? Ludicrous.

PHISHING
Phishers are the new con artists of cyberspace.

144
PHISHING
Phishers are the new con artists of cyberspace.
Phishing not really new -- scam that predates computers - done over the phone for years – “social engineering”. Attempt to fraudulently acquire sensitive information by masquerading as trustworthy person.

Aka carding or spoofing. A scam where perpetrator sends out legitimate looking emails in effort to phish for personal information. Why phishing – fishing for information.

Example: http://www.nus.edu.sg/comcen/security/security_alert0502.htm

Criminal attempts to steal users’ personal information by masquerading as a trustworthy business, such as a bank or auction site, in emails or other electronic communications.

Any personal data captured is used for identity theft, credit card fraud, and other crimes.

Usually start with emails - “spoofed” - appear to be from trusted financial institution or commercial entity.

UK survey: more people fear computer crime:
http://technology.guardian.co.uk/print/0,,329596040-117802,00.html
Phishermen’s gains….

From British banks more than $13.2 million, American $797 million, June 2005-June 2006.

Don’t take their bait:-
Never go to web from email link. Internet banking - type bank’s address into browser.

Similar security measures – password safe, don’t say it aloud in your sleep, etc.

Example

Nov. 17, 2003, many eBay Inc. customers received e-mail notifications their accounts compromised and being restricted. In message was hyperlink to what appeared to be eBay Web page where they could re-register. Top of page looked just like eBay's home page and incorporated all eBay internal links.

To re-register, customers told to provide credit card data, ATM personal identification numbers, Social Security number, date of birth and mother's maiden name. All a hoax.

Phishing email example
Date: Wed, 9 Jun 2004 10:34:16 -0500
From: USbank-securijt@UsBank.com
Reply-To: product@u.washington.edu
Subject: USBank.com Security Update – URGENcs

Security Key: vnydramifyg .txcwq

Dear US Bank Customer,
During our regular update and verification of the Internet Banking Accounts,
We could not verify your current information. Either your information has been
Changed or incomplete, as a result your access to use our services has been
Limited. Please update your information.

To update your account information and start using our services please click
on the link below:
http:www.usbank.com/interfnetBanking/RequestRouter?requestCmdId=DisplayLo
ginPackage

Note: Requests for information will be initiated by US Bank Business Development;
this process cannot be externally requested through customer support.
149
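The sample above carries the tells a reader can check by hand: the Reply-To domain is not the sender's, the subject and body press for urgent action, and the link is malformed and does not belong to the bank. What follows is an added example, my own code and not from the slides, the bank, or any mail product, that automates those checks; it also serves the "Don't take their bait" rule on the earlier slide, since a link whose host is not the bank's own domain is exactly the link you should not follow. The message is constructed for the demo and modelled on the sample rather than copied from it; the domains, the phrase list and the digit-for-letter lookalike test are assumptions.

```python
"""Header and link checks for a suspected phishing e-mail (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases that pressure the reader into acting now (assumption: a short,
# illustrative list; real filters use far larger ones).
URGENCY_WORDS = ("urgent", "limited", "verify", "update your information",
                 "suspended", "immediately")

# Accepts "http://host" and the broken "http:host" form seen in real lures.
URL_RE = re.compile(r"""https?:(?://)?[^\s<>"']+""", re.IGNORECASE)


def domain_of(header_value):
    """Lower-cased domain of an address header such as 'Bank <x@y.com>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registrable(host):
    """Last two labels of a hostname, a crude stand-in for the registrable
    domain (assumption: fine for the .com/.net names used in this demo)."""
    return ".".join(host.lower().split(".")[-2:])


def looks_alike(host, claimed):
    """True when host is a visual lookalike of claimed, i.e. identical once
    common digit-for-letter substitutions (1->l, 0->o, 5->s) are undone."""
    table = str.maketrans({"1": "l", "0": "o", "5": "s"})
    return host != claimed and host.translate(table) == claimed.translate(table)


def phishing_indicators(raw_message):
    """Return a list of human-readable red flags found in an RFC 822 text."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    sender = registrable(domain_of(msg["From"]))
    reply_to = registrable(domain_of(msg["Reply-To"])) if msg["Reply-To"] else ""
    if reply_to and reply_to != sender:
        flags.append("reply-to domain %s differs from sender %s" % (reply_to, sender))

    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = ((msg["Subject"] or "") + "\n" + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))

    for url in URL_RE.findall(body):
        if not url.lower().startswith(("http://", "https://")):
            flags.append("malformed link %s" % url)
            url = re.sub(r"^(https?:)", r"\1//", url, flags=re.IGNORECASE)
        host = registrable(urlparse(url).hostname or "")
        if host != sender:
            kind = "lookalike" if looks_alike(host, sender) else "off-domain"
            flags.append("%s link host %s (sender is %s)" % (kind, host, sender))
    return flags


# Constructed message modelled on the slide's sample; every name, address
# and host here is invented for the demo.
SAMPLE_PHISH = """\
From: Example Bank Security <security@examplebank.com>
Reply-To: collections@mailbox.example.net
Subject: ExampleBank.com Security Update - URGENT
Content-Type: text/plain; charset="utf-8"

Dear Example Bank Customer,
We could not verify your current information, so your access has been
limited. Please update your information using the link below:
http:www.examp1ebank.com/InternetBanking/RequestRouter?cmd=Login
"""

# Constructed benign message from the same (invented) bank for contrast.
SAMPLE_LEGIT = """\
From: Example Bank Statements <statements@examplebank.com>
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Your statement is available at https://www.examplebank.com/statements
"""

if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_PHISH):
        print("-", flag)
```

None of these checks is proof on its own; a genuine newsletter can use a mailing provider's Reply-To, and a genuine alert can say "urgent". The value is in the combination, which is why the function returns every flag rather than a single verdict, leaving the scoring or quarantine decision to the caller.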
Phishing Web site example

Virtually identical to legitimate Web site except for possible additional fields and
behind the scenes coding changes.

150
Football phishing

Digital Life ST 20/6/2006: Fraud email and phishing scams selling tickets, getting fans to give account details and passwords to bogus sites. Bogus links that lure you to phishing sites as well – real case reported by journalist.

Another – offering wall chart of event which when executed infects PC with Trojan.

Now Pharming !!!!!!!

Does not use email but attacks web browsers and Internet’s addressing system - even individuals who type desired Internet destination into web browser may be redirected to phony web site, with same disastrous results as phishing.

Must read Phishing Economy: http://www.firstmonday.org/issues/issue10_9/abad/

Singapore Scene:
http://www.pacific.net.sg/article.php?id=393062

http://skype.pacific.net.sg/: Pacific Net reports increase in phishing

Many banks have phishing warning, example, DBS, HSBC.

***Several phishing scams targeting banks in Asia in recent years. In December 2003, Malaysia’s Maybank fell prey to a similar scam. Also, a malicious pop-up program attempted to steal Internet banking particulars from a number of banks across the world, including Hong Kong's Dah Sing Bank and Citibank’s sites in Australia and Singapore. OCBC target in 2004.

After tsunami or any world disaster phishermen get active:
http://www.asiamedia.ucla.edu/article.asp?parentid=19905

Radical look: http://www.streettech.com/bcp/BCPgraf/StreetTech/cud.htm

SPYWARE Malicious websites may attempt to install spyware on
readers' computers, example, pop-up that offers spyware in the guise of a
security upgrade.

154
Don’t confuse with ADWARE
Adware generally software that installs
reminder service or spawns targeted ads as
you surf.
Referred to in advertising as interstitials or
simply “pop-ups”.
Might also profile surfing and shopping habits,
gather information.

155
Adware

Class of programs that place advertisements on screen - advertisements embedded in programs, advertisements placed on top of ads in web sites - pop-ups, pop-unders
Pop-ups generally not stopped by pop-up stoppers
Often not dependent on Internet Explorer being open. Can show up when you are playing game, listening to music

More nuisance, not really malware (like spam)

SPYWARE

Malicious websites

Software that surreptitiously intercepts or takes partial control of computer, monitors user, subverts computer's operation for benefit of third party.

Steals personal information for somebody else, example, name, browser history, login names and passwords, credit card numbers, and your phone number and address.

SPYWARE

Examples
Posers up to no good

Drab reference: http://computer.howstuffworks.com/spyware.htm

158
SPYWARE

What can be spied on: -

Could relay addresses of sites visited, terms you search for, to server somewhere, may send back information from e-forms, files downloaded, search hard drive and report back on programs installed, contents of e-mail address book (usually to be sold to spammers)

Crooks only/commercial profit - delivery of unsolicited pop-up adverts, theft of personal information (including financial information); monitoring of Web-browsing activity for marketing, routing of web requests to advertising sites.
160
How it happened one day in real life…

For over a year, unknown to people who used Internet terminals at Kinko's stores in New York, Juju Jiang was logging everything users typed including their passwords to financial institutions. Jiang had covertly installed, in at least a dozen Kinko's stores, spyware that logged keystrokes. He captured more than four hundred user names and passwords, using them to access and even open bank accounts online.

Danger – how easy - more of this type of ID theft will occur.
How it’s done
Does not usually self-replicate. Infected system does not attempt to transmit infection to other computers. Instead, gets on a system through deception of the user or through exploitation of software vulnerabilities.

Most direct route - user installs it. To get around usual caution about software installation such as disruption or privacy, deceive either by piggybacking on a piece of desirable software, or Trojan Horses - tricking users to do something that installs the software without them realizing. Example, "rogue anti-spyware” programs, which masquerade as security software while actually doing damage.
How it’s done

Smuggles in something dangerous in the guise of something desirable. Presents program as useful - users download and install without immediately suspecting harm.

He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he's FREE!

Commonly associated with IDENTITY THEFT

IDENTITY THEFT
Case:
http://www.usdoj.gov/criminal/cybercrime/hattenPlea.htm
164
Nugget June 2006

South Korea’s president and PM reported as victims of online identity theft after ID numbers used to access hundreds of game and porno websites

ID numbers readily available on search engines

How it’s done

IDENTITY THEFT
Spyware biggest culprit because can surreptitiously gather confidential information without anyone being wiser.

“Ssssnoopware” - can access everything online including usernames, passwords – a ripe and ready market for the pickings

Spyware good for identity theft because - “remote installation” – can be put in indirectly through OTHER legit software – needs no physical access to the machine. Examples - programs to monitor kids, employees, or spouse
Identity theft increasing thanks to success of phishing, spyware, ability of crooks to get personal information from computer - and amount of information ready for grabs.
Wrongful taking of someone else’s “real world” identity for purpose of committing fraud.

How?
Thief gets hands on enough information to pretend to be you. May open up fraudulent credit card accounts, apply for loans, or try to secure other property using YOUR identity. Some may even go as far as using your name to get job and stick you with the taxes. Scariest aspect - be arrested for crime someone else committed while being YOU.
How it’s done

IDENTITY THEFT

…A thief doesn’t even have to be technically skilled to install a commercial keylogger and to retrieve your personal information. Once installation is deployed the thief can have information e-mailed back to them or the software will open up a “backdoor” where the spy can log into the machine and retrieve keystroke or snapshot logs. Consumers must exercise even more caution when using public computer systems and realize that in open computing environments there are situations that can leave them vulnerable…

CASE

www.shadowcrew.com – maybe defunct now but in 2005
largest illegal online centre for trafficking in stolen
identity information and documents, credit cards, etc.
About 4,000 crooks operating malicious computer
hacking – this is their job – stealing credit card #s, etc.

US engineer identified keylogger program connected to
large identity theft operation - his company's
investigation found several thousand computers
infected with keyloggers of various types.

169
CASE
2003: 27.3 million Americans victims of identity theft in
last five years. Example: Crooks allegedly obtained names
and Social Security numbers of U.S. military officers from
Web site, then used more than 100 of these names and
numbers to apply via Internet for credit cards with local
bank.

Previous quote praising anonymity of Net: “On the Internet,
nobody knows you’re a dog.” Now they do, and more.
Cannot see you but know about you.

170
Everybody’s fave activity in Singapore:

Online shopping!!!!

Auction and Retail Schemes Online

Fraudulent online auction sites most frequently reported
Internet fraud.
Supposedly offer high-value online retail goods, items -
ranging from Cartier® watches to computers to collectibles
such as Beanie Babies® - induce victims to send money,
but deliver nothing, or counterfeit or altered goods.

171
How it might happen…

When potential consumer contacts "seller," "seller"
promises to ship item before consumer has to pay anything.

If consumer agrees, "seller" (without consumer's
knowledge) uses consumer's real name, along with
unlawfully obtained credit card number belonging to
another person, to buy item at legitimate Web site.

Once Web site ships item to consumer, consumer,
believing it a legitimate transaction, then authorizes credit card
to be billed in favor of "seller" or sends payment directly to
"seller."
172
Thus two victims - original e-commerce merchant who
shipped item based on unlawfully used credit card; and
consumer who sent money after receiving item that "seller"
fraudulently ordered from merchant.

“Seller" may have transferred fraudulent proceeds to bank
accounts beyond effective reach of either merchant or the
consumer.

173
CASE

If a website sells/auctions fake/false goods without
knowing it, is it liable?

eBay
Accused of auctioning off paintings which were
originals, but passed off in someone else’s name. Example,
selling a Picasso but in your name. Also a copyright
problem.
Also bogus Tiffany items – lawsuit. Claims eBay
promoting fakery. eBay – nay – cannot check zillions of
items offered - eBay only providing channel.

Next: software piracy
174


Harassment & Stalking

Generally, harasser intends to cause emotional distress not
real harm – duh???
http://www.angelfire.com/ga/random/internetstalking.html
175
Harassment & Stalking
No legitimate purpose to harassment

Examples: Continuing to send e-mail to someone,
threats, sexual remarks, pejorative labels (i.e.,
hate speech).

Criminal: Forged e-mail that appears to be from victim
containing horrible message to tarnish victim.

It is often difficult to get law enforcement personnel and
prosecutors interested in harassment, unless threats of
death or serious bodily harm are made. Law treats
harassment as a misdemeanor, a less serious crime.
176
Technology - mobile phone: Happy Slapping
Violent craze in which individual or gang humiliates or
assaults victim while filmed on mobile phone.

Circulated to friends for their entertainment. New
social phenomenon in UK – and in Singapore!!!!!!!

Technology in the form of 3G mobile phones has now
placed that capability within the hands of many
teenagers.

177
SOFTWARE/COMPUTER PIRACY

…if you don’t support your favourite band by
buying their music, then that band will have
to get a real job in order to pay the
rent…(PLACEBO)
Overview article a bit outdated
(1998) but issues still relevant:
http://u.cc.utah.edu/~bac2/piracy/paper/paper.html

178
Thots to think about
Does everyone perceive these as unethical,
crimes? Nothing wrong?

If codes guide behavior, how successful in
preventing such issues or misdemeanors?

Importance of ethics for IT
professionals

179
Thots to think about
Rules because we want freedom. Ironical.
Rules don’t restrict freedom but preserve it.

We blame technology for computer crimes, or
the computer, but it’s the user that did it. No
difference stealing bank funds through a
computer than holding a gun to rob a bank.
Only the medium changed.

180
*THOTS TO THINK ABOUT*

What do professionals
have that others don’t?

181
*THOTS TO THINK ABOUT*

Can be USED
Can be MISused
182