CC 201-001 Midterm Study Guide
Hacking
• 3 kinds of hackers
o Black Hat
▪ Hacker with malicious intent for personal gain
o Grey Hat
▪ Doesn’t work for own personal gain, but might technically commit crimes and do things many would find unethical
• Ex. Hacker finds a security flaw in a system but then discloses it publicly instead of reporting it directly to the company
o White Hat
▪ “ethical hackers” who use their skills for legal and ethical reasons
• Ex. many are employed by corporations to test the flaws in their cyber security
• Hacking refers to destroying/interfering with the normal operation of a computer system
o Can cause damage or disruption
• Crackers
o people with malevolent intent (cracking into computers)
• Unauthorized access
o Doing something without consent (ex. approaching, trespassing within, communicating with, storing data in/retrieving data from, etc.)
o Hacking and unauthorized access can go hand in hand; most cybercriminals get charged with both
Cyberspace:
• first coined by author William Gibson (1982)
o Referred to any “virtual environment where networked computer activity takes place”
“New Crimes”
• Academic discussion became known as the “Old wine, new bottles” debate
• “old” crimes
o fraud, identity theft, false advertising “spam”
• “new” crimes
o Hacking (unauthorized access)
o Distributed denial of service (DDoS)
o Ransomware
The Commerce Clause:
• Gives Congress the power to regulate commerce with foreign nations, among the states, and with the Indian tribes
• Interstate: a virus may be made in Alabama but could affect people in Kentucky
• Effect of the clause depends on the Supreme Court’s interpretation
o In the post-1937 era the Commerce Clause was read to give Congress nearly unlimited power to authorize federal control of economic matters
o Recently has become more restricted again
▪ Limited to matters of trade and production
Computer Fraud and Abuse Act of 1986 (CFAA)
• Specifies criminal offenses against protected computers
• Protected computers are:
o In practice nearly any ordinary computer, including cellphones, because the statute covers computers used in or affecting interstate or foreign commerce and most internet communication crosses state lines
• 7 parts:
o knowingly accessing a computer you don’t have authorization to access (or exceeding your authorization), stealing information and using it, and/or denying access to those who are authorized
o stealing financial information
o breaking into a government computer
o hacking with the intent to commit fraud (craigslist murders) (with an exception when the only thing obtained is use of the computer and that use is worth no more than $5,000 in a 1-year period)
o knowingly causing the transmission of a program, information, code or command that causes damage, or recklessly causing damage (viruses)
o trafficking in any password or similar information (Snowden)
o extortion (threatening to damage a protected computer)
Criticisms of CFAA
• It makes violating a website’s terms of service a federal crime
• It chills security research
• It removes protections found elsewhere in the law
The United States of America v. Aaron Swartz
• Co-founder of Reddit
• Prosecuted for downloading numerous academic journal articles from JSTOR
• Plan was to download the entirety of JSTOR and then upload all the articles to an open, public and free website
• Caught after completing the first part of the plan
• Was facing up to 35 years in prison and up to $1 million in fines
• Crime was likened to “checking out too many books” from a library
• Died by suicide before the case went to trial
United States v. Lori Drew (2008)
• Victim: Megan Meier
• Summer 2006
o Drew became concerned that Meier was spreading false statements about her daughter
o Lori Drew, her daughter Sarah, and Lori’s employee Ashley Grills create a fake MySpace account of a 16-year-old boy under the alias Josh Evans
o Begin to use the account to contact Meier
▪ When Meier wasn’t acting the way they thought she would, they begin to flirt with her
o In October the messages change
▪ “Josh” doesn’t want to be friends anymore because “he’s heard that Megan was mean to her friends”
▪ Meier’s responses are shared with others online
▪ “Josh” essentially tells her to kill herself
▪ Meier hangs herself 20 minutes after the last message
The Case:
• State of Missouri announces that it will not charge Lori Drew because there isn’t enough evidence
• The Federal government decides to charge Lori Drew because the communications moved across state lines (MySpace servers are located in California)
Federal Case:
• First count alleged that Drew and her co-conspirators agreed to violate the CFAA by intentionally accessing a computer used in interstate commerce “without authorization” and by “exceeding authorized access”
• Counts 2-4 allege that Drew violated the CFAA by accessing MySpace servers to obtain information regarding Meier in breach of the MySpace Terms of Service
Electronic Frontier Foundation (EFF):
• International non-profit digital rights group
• Provides funds for legal defense in court, presents amicus curiae (friend of the court) briefs, defends individuals and new technologies from what it considers abusive legal threats, and works to expose government malfeasance
• Argued in an amicus brief that violating a website’s terms of service is not “unauthorized access,” and that a conviction would create a bad precedent
Verdict:
• Jury was deadlocked on count one (conspiracy) and found Drew not guilty of the felony versions of counts 2-4
• Drew was found guilty of lesser-included misdemeanor violations of the CFAA
Acquittal:
• Drew files a motion for acquittal
• Acquitted because not all three elements of the misdemeanor were met
o Accessed a computer without authorization (or exceeding authorized access)
o Access has to involve interstate or foreign communication
o Obtained information
▪ The first element was not met
• Many courts had already found that any computer that provides a web-based application accessible through the internet would satisfy the interstate communication requirement of the second element
• Found that the third element is met whenever a person using a computer contacts an internet website and reads any part of that site
• But in terms of #1…
o Treating a mere violation of a website’s terms of service as “unauthorized access” would make the statute too broad and unconstitutionally vague (void for vagueness)
Since then…
• Missouri
o New legislation that includes penalties for cyberbullying via computers
o More than 20 other states have enacted similar legislation
o School boards must adopt these policies to address cyberbullying
United States v. Collins et al. (2011)
• Operation Payback 1.0
o Several Bollywood companies hire a firm (Aiplex) to launch DDoS attacks on piracy websites
o Anonymous launches Operation Payback with a DDoS attack on the company that’s attacking the piracy websites
o Find out someone has already hacked Aiplex, so they launch attacks on copyright organizations instead
• Operation Payback 2.0
o WikiLeaks came under intense pressure to stop publishing secret U.S. diplomatic cables
o Credit card companies block users from making donations to WikiLeaks
o Anonymous begins to attack the credit card companies/banks
▪ Done using the Low Orbit Ion Cannon (LOIC)
• Downloadable tool that makes it possible for anyone to take part in a DDoS attack
o Multiple computers are used to flood a single system with traffic until it can no longer respond (the attack causes the system to shut down)
The case:
• 14 people charged under the CFAA for planning and participating in the DDoS (known as the PayPal 14)
• Defense lawyer argued that the 13 defendants’ acts were civil disobedience
o Claimed that the acts were free speech
Leniency request:
• Founder of eBay
o Believes they should be facing misdemeanor charges instead of felony charges
Verdict:
• Court found the defendants guilty of misdemeanor offenses and fined them $86,000 in total
o $6,615 per defendant
United States V. Neil Scott Kramer
• 15-year-old girl in Missouri accidentally texts a 39-year-old man in Louisiana
• Kramer replies and begins regular conversations with the girl
o Girl reveals to Kramer that she’s only 15
• Kramer meets the girl, gives her illegal narcotics, and engages in sexual intercourse with her
o Acts span a 3-day period. On the 3rd day Kramer takes the girl to a bar
▪ The girl goes to the bathroom and texts the police
• Kramer gets arrested
o Charged with transporting a minor across state lines in order to engage in illegal sexual activity
o Prosecution seeks a harsher sentence because of his use of a cellphone
▪ Argues that the cellphone falls under the definition of a “computer” in the CFAA
Verdict:
• Court concluded that Kramer’s phone did constitute a “computer” and applied a two-level sentencing enhancement
• Sentence goes from 140 months to 168 months
The Appeal:
• Calls into question whether a cellphone constitutes a computer
• Court makes 3 main points
o The phone includes copyrighted Motorola and third-party software
o The phone keeps track of network connection time
▪ Logical and arithmetic operations
o The phone stores sets of characters that are available to a user when typing a message
▪ Storage functions
• Court ends up affirming Kramer’s sentence: a phone is “an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions”
Precedent:
• Because of these three cases we now have
o Determined that violating a website’s terms of service cannot by itself criminalize behavior under the CFAA (Drew 2008)
▪ Improved cyberbullying laws
o Ruled that DDoS attacks are not protected free speech (Collins et al. 2011)
o Shown that cellphones are computers in the eyes of the court (Kramer 2011)
Social engineering
• Psychological manipulation of people into performing actions/giving up confidential information
Types of Social Engineering:
• Pretexting
o Act of inventing/finding a pretext (a half-truth)
o Ex. when a person is trying to impersonate someone else, they will be more successful if they have general knowledge of the person they are trying to impersonate: SSN, address, phone number, etc.
• Phishing
o Attempt to obtain sensitive information (usernames, passwords, etc.) by pretending to be a trustworthy entity electronically
▪ Ex. fake emails from your bank, social media outlets, payment processors
• Baiting
o Attacker leaves a malware-infected CD/USB drive with a legitimate-looking label in a location where it is sure to be found and waits for the victim to use the device
▪ Ex. employee picks up a USB drive in the parking lot and then plugs it into a company computer
o Using the device installs the malware onto the computer, which often proceeds to infect the rest of the network
• Tailgating
o Attacker looking to get into a restricted area walks in behind a person who has legitimate access
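The phishing definition above is worth making concrete: the attacker’s whole trick is that the message claims to be from a trusted entity while its sender address and links point somewhere else. The following is an added example (not from the study guide or any product it mentions) of the checks a mail filter runs to catch that mismatch. The trusted-sender table, the `.example` domains and both sample messages are constructed for the example, and the domain handling is deliberately crude (last two labels, plain substring brand matching) so the logic stays visible.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Brands users expect mail from, and the registrable domains that may legitimately send it.
# Constructed for this example; a real filter would load this from configuration.
TRUSTED_SENDERS = {
    "paypal": {"paypal.com"},
    "chase": {"chase.com"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for the sample data; wrong for .co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_for(text):
    """First trusted brand named in the text, or None. Substring match, so 'purchase' hits 'chase'."""
    low = text.lower()
    for brand in TRUSTED_SENDERS:
        if brand in low:
            return brand
    return None


def address_parts(msg, header):
    """(display name, registrable domain) of the first address in a header, or ('', '')."""
    value = msg.get(header)
    if not value or not getattr(value, "addresses", ()):
        return "", ""
    addr = value.addresses[0]
    return addr.display_name, registrable_domain(addr.domain)


def analyze_message(raw):
    """Return human-readable findings for one RFC 5322 message; empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display, from_domain = address_parts(msg, "From")

    # 1. The display name claims a brand, but the sending domain is not one that brand uses.
    brand = brand_for(display)
    if brand and from_domain not in TRUSTED_SENDERS[brand]:
        findings.append(f"display name impersonates {brand} but sender domain is {from_domain}")

    # 2. Reply-To differs from From: replies (and credentials typed into them) go elsewhere.
    _, reply_domain = address_parts(msg, "Reply-To")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    # 3. Link text names a brand while the href leads to a domain that brand does not own.
    for href, visible in ANCHOR_RE.findall(text):
        link_domain = registrable_domain(urlparse(href).hostname or "")
        visible_brand = brand_for(visible)
        if visible_brand and link_domain not in TRUSTED_SENDERS[visible_brand]:
            findings.append(f"link text mentions {visible_brand} but href goes to {link_domain}")

    # 4. Look-alike hosts: the brand name appears inside the hostname, but the registrable
    #    domain is something else (paypal.com.account-check.example, paypal-secure.example, ...).
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        host_brand = brand_for(host)
        if host_brand and registrable_domain(host) not in TRUSTED_SENDERS[host_brand]:
            findings.append(f"lookalike domain {host} for brand {host_brand}")

    return findings


# Constructed sample messages (all domains are reserved .example names).
PHISH = """\
From: "PayPal Security" <alerts@paypal-verify.example>
Reply-To: <collect@freemail.example>
To: victim@example.org
Subject: Your account has been limited
Content-Type: text/html

<p>Dear customer, your PayPal account has been limited.</p>
<p>Please <a href="http://paypal.com.account-check.example/login">log in to PayPal</a> within 24 hours.</p>
"""

LEGIT = """\
From: "Chase" <no-reply@chase.com>
To: victim@example.org
Subject: Your statement is ready
Content-Type: text/plain

Your statement is ready at https://secure.chase.com/statements
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, analyze_message(raw) or ["no findings"])
```

Each check fires on a different layer of the deception (header, reply path, link text, hostname), which is why the sample phish produces four findings while the legitimate statement notice produces none; in production these would be scored and combined with SPF/DKIM results rather than treated individually.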
Spyware and surveillance software
• Software that aims to gather information about a person/organization without their knowledge, or that asserts control over a computer without the consumer’s knowledge
o Most common form of spyware is fake anti-spyware programs
▪ Programs falsely report a system infection then prompt the user to download a free tool to rid the system of the infection
• Often this download is the spyware
• Ex. MacSweeper, AntiVirus 360, AntiVirus 2009, etc.
Malicious software
• Malware is any software used to disrupt computer operations, gather sensitive info, gain access to private computer systems, or display unwanted advertising
o Malware is the preferred terminology, but most people refer to all malware as “computer viruses”
Types of Malware:
• Computer viruses, worms, Trojan horses, ransomware, spyware, adware, and scareware
CryptoLocker:
• Ransomware Trojan (2013)
o Ransomware: a type of malicious software designed to block access to a computer system (or its data) until a sum of money is paid
• Targets computers running Windows
• Spread via infected email attachments
• When activated, the malware encrypts certain types of files stored on the user’s hard drives
o The files are encrypted with a public key; the matching private key needed to decrypt them is stored only on the malware’s control servers
• Once the files are encrypted the malware displays a message which offers to decrypt the data if the victim makes a payment (using Bitcoin) by a deadline
• If the deadline is not met, the malware threatens to delete the private key, which would make it impossible to restore the encrypted data
• After the botnet that distributed CryptoLocker was shut down, it was calculated that about 1.3% of the victims infected had paid the ransom
o Operators believed to have extorted around $3 million in 9 months
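Because the private key never leaves the attacker’s servers, the defender’s only options are backups or catching the encryption while it is running. The encryption itself leaves a measurable trace: documents and spreadsheets have low byte entropy, ciphertext is close to 8 bits per byte, and a ransomware run rewrites many files this way in seconds. The following is an added example (not from the study guide, and not CryptoLocker’s code) of that detection heuristic over a constructed burst of file modifications; the sample document, the seeded “ciphertext” and the extension list are all made up for the example.

```python
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: roughly 4-5 for English text and office documents, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Extensions this hypothetical detector treats as ransomware markers (constructed; real families differ).
SUSPICIOUS_EXTENSIONS = (".encrypted", ".locked", ".crypt")


def classify_write(path, before, after, threshold=7.2):
    """Reasons one file modification looks like in-place encryption; empty list if it looks benign.

    The signal is the *jump*: a file that was low-entropy and is now near-random. Files that start
    out compressed (jpg, zip, docx internals) are high-entropy before and after, so they rely on
    the rename check instead; that is the main false-negative to keep in mind.
    """
    reasons = []
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    if e_before < threshold <= e_after:
        reasons.append(f"entropy jumped {e_before:.2f} -> {e_after:.2f} bits/byte")
    if path.lower().endswith(SUSPICIOUS_EXTENSIONS):
        reasons.append("renamed with a known ransomware extension")
    return reasons


def score_burst(events, max_hits=2):
    """events: (path, bytes_before, bytes_after) observed within one short window.

    Returns (flagged_paths, alert). One suspicious write can be a user zipping a folder;
    more than max_hits in the same window is the mass-encryption pattern.
    """
    flagged = [path for path, before, after in events if classify_write(path, before, after)]
    return flagged, len(flagged) > max_hits


# --- constructed sample data ---
_rng = random.Random(2013)  # fixed seed so the stand-in ciphertext is reproducible
SAMPLE_DOC = (b"Quarterly report: revenue rose 4% while operating costs held flat. " * 70)[:4096]
SAMPLE_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for encrypted output

SAMPLE_EVENTS = [
    ("docs/report.docx", SAMPLE_DOC, SAMPLE_DOC + b"\nAddendum: see appendix B."),  # ordinary edit
    ("docs/report.docx.encrypted", SAMPLE_DOC, SAMPLE_CIPHERTEXT),
    ("docs/budget.xlsx.encrypted", SAMPLE_DOC, SAMPLE_CIPHERTEXT),
    ("photos/holiday1.jpg.encrypted", SAMPLE_DOC, SAMPLE_CIPHERTEXT),
    ("photos/holiday2.jpg.encrypted", SAMPLE_DOC, SAMPLE_CIPHERTEXT),
]

if __name__ == "__main__":
    flagged, alert = score_burst(SAMPLE_EVENTS)
    print("flagged:", flagged)
    print("alert:", alert)
```

A real deployment feeds this from a file-system event source (inotify, ETW, an EDR agent) and pairs it with canary files that nothing legitimate should ever modify; the entropy test alone is a heuristic, not proof.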
Hacking motivations:
• self-satisfaction
o 2003 study: most cyber-criminals were looking for an intellectual challenge
o another 2003 study: hackers are shown to have an experimental curiosity
• peer respect
o malicious (black hat) hackers want respect from their peers
o performing acts that show they believe they are above the system, or that show superior ability/knowledge, proves this
• impress potential employers
o Hacker Michael Buen created a virus named after himself (W97M/Michael-B)
▪ A computer infected by the virus would stop all print jobs and instead print a copy of Michael’s resume
• Money
• Revenge
o Revenge porn
▪ Type of revenge hacking
▪ Refers to uploading sexually explicit material to humiliate and intimidate the subject
▪ Typically happens when a relationship ends
• Political beliefs
o Hacktivism
▪ Hacks conducted in order to further a political goal/view
o Project Chanology
▪ Protest movement by Anonymous against practices of the Church of Scientology
• Started in response to the Church’s attempts to remove material from a highly publicized interview with Scientologist Tom Cruise
• Launched in the form of a YouTube video
o Video states that Anonymous views the Church’s actions as internet censorship
o Wants to “expel the church from the internet”
o DDoS attacks followed, along with “black faxes” and prank phone calls
“Identity theft”
• Term used incorrectly as a catchall to explain fraud committed through impersonation
o In most cases hackers will steal bank logins and passwords in order to remove funds
▪ Known as input fraud
▪ Criminals are not attempting to steal the entire identity but rather to pretend to be the victim temporarily to steal funds
1. Trashing
• Sorting through a target’s trash (dumpster diving)
• Document shredders make trashing difficult
• Cons: both labor-intensive and local
2. Phishing
• Typically consists of millions of emails being sent
• Most rely on a recipient’s inability to distinguish it from a trustworthy email
• Two newer forms include:
o Vishing
▪ Use of Voice over Internet Protocol (VoIP) to send recorded messages to voicemail instead of email
o SMiShing (SMS stands for short message service)
▪ Bulk text messages instead of emails
3. Pharming
• Usually carried out through DNS cache poisoning or DNS spoofing
• DNS Spoof
o Attack on the computers (DNS servers) that translate, for example, www.google.com into the IP address where Google’s servers reside
o Attacker can pretend to be a DNS server and redirect a user’s request for Google to any IP address they choose
o Usually this means a fake site designed to look like the site the user is attempting to reach
4. Spyware
• Designed to steal all types of user information
o Sometimes enough to steal identity
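The pharming entry above says the attacker “pretends to be a DNS server”; mechanically, that means racing the real server with a forged UDP reply. What stops a blind forgery is that a resolver only accepts a reply whose 16-bit transaction ID (and, in real resolvers, UDP source port) matches a query it actually sent, and whose question section names what it asked for. The following is an added example (not from the study guide, and not any real resolver’s code) that builds a query, builds both a genuine and a spoofed response, and shows the acceptance check rejecting the spoof. Packets are constructed in memory; nothing is sent on the network, and the addresses are RFC 5737 documentation ranges.

```python
import os
import struct


def encode_name(name):
    """Wire-format DNS name: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(buf, offset):
    """Read a name at offset, following RFC 1035 compression pointers.
    Returns (dotted_name, offset just after the name in the original byte stream)."""
    labels = []
    end = None  # set the first time a pointer takes us out of the linear stream
    while True:
        length = buf[offset]
        if length & 0xC0 == 0xC0:  # 2-byte pointer: 11xxxxxx xxxxxxxx
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_query(name, txid=None):
    """A/IN recursive query. The transaction ID is the spoofer's guess space, so it must be
    unpredictable (os.urandom), never a counter; real resolvers also randomize the UDP source port."""
    if txid is None:
        txid = struct.unpack("!H", os.urandom(2))[0]
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags RD=1; QDCOUNT=1
    return txid, header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(txid, name, ip, ttl=300):
    """Single A-record answer, as a nameserver (or an attacker racing it) would send it.
    Constructed for this example."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1; QDCOUNT=1 ANCOUNT=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata  # 0xC00C -> offset 12
    return header + question + answer


def parse_response(pkt):
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    qname = None
    for _ in range(qdcount):
        qname, off = decode_name(pkt, off)
        off += 4  # QTYPE, QCLASS
    answers = []
    for _ in range(ancount):
        rname, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((rname, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "is_response": bool(flags & 0x8000), "qname": qname, "answers": answers}


def accept_response(expected_txid, expected_name, pkt):
    """The resolver-side check. Returns the A records only if the packet is a response to the
    outstanding query (ID and question match); answers for other names are dropped (bailiwick)."""
    r = parse_response(pkt)
    if not r["is_response"] or r["txid"] != expected_txid:
        return None
    if r["qname"] is None or r["qname"].lower() != expected_name.rstrip(".").lower():
        return None
    return [ip for rname, ip in r["answers"] if rname.lower() == r["qname"].lower()]


if __name__ == "__main__":
    txid, _query = build_query("www.example.com")
    genuine = build_response(txid, "www.example.com", "192.0.2.10")
    forged = build_response((txid + 1) & 0xFFFF, "www.example.com", "198.51.100.7")
    print("genuine:", accept_response(txid, "www.example.com", genuine))
    print("forged: ", accept_response(txid, "www.example.com", forged))
```

With a random ID and port an attacker has about one chance in four billion per forged packet, which is why the 2008 Kaminsky attack mattered: resolvers that had predictable IDs or a fixed source port let the spoofer win the race in seconds. DNSSEC removes the race entirely by signing the records.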
Phreaking:
• People who study and experiment with hacking the telephone network
• The network used a system of in-band tones to route long-distance calls
• By re-creating these tones from the handset, phreaks could control the switches, allowing free calls to be made around the world
Phreaking Boxes:
• Devices used to perform various functions normally reserved for operators
Black Box:
• Tricked switching equipment into believing a call had not been answered when in fact it had, resulting in free incoming long distance calls
• Only on the receiving end
Beige Box:
• Improvised linesman’s handset typically made from a one-piece telephone and alligator clips
o Linesman’s handset is a special type of telephone used by technicians for installing and testing local loop telephone lines
o Still works today: taps directly into the phone line
Blue Box:
• Emulated the in-band signaling tones once used by long distance operators and switching equipment
• fancier version of the Cap’n Crunch whistle
• allows you to make free phone calls
Red Box:
• emulated the tones generated by payphones when coins are deposited
John “Captain Crunch” Draper:
• Discovered that the Cap’n Crunch whistle would make the specific sound needed to phreak a call
• Legal trouble has left him unemployed/homeless
Steve “Berkeley Blue” Wozniak:
• Found out about Captain Crunch while reading a 1971 Esquire article about phreaking
• He and Steve Jobs turned the info into a small black-market business selling blue boxes from the UC Berkeley campus
Kevin “Dark Dante” Poulsen:
• Famous for winning a Porsche by hacking his way into telephone company switches and making himself the 102nd caller in an LA radio station giveaway
• Arrested by FBI and served 3 years in prison
• Became a successful tech editor for WIRED magazine
• Now has close relationship with FBI
o 2005-2006
▪ wrote an automated script to search MySpace’s 100 million profiles for registered sex offenders
Kevin “Condor” Mitnick:
o “public enemy number one” FBI 1980s-early 1990s
o master of social engineering
o would routinely perform phreaks in the “real world”
▪ once pretended to be an employee of Pacific Bell (now a part of AT&T)
o Fake name tag: John Draper (Captain Crunch’s real name)
o Evaded capture by cloning the cell phones of FBI agents
Juice jacking
o Fraudulent charging stations can siphon off important data from cellphones such as passwords, contacts, pictures, and credit card data
o Avoid by using portable batteries or charging only in places you trust
“Evil Twin” Wi-Fi
o a fraudulent Wi-Fi access point that appears to be legitimate, set up to eavesdrop on wireless communications
o can be used to steal passwords by monitoring connections or by phishing
Cost of hacking:
• McAfee
o Estimates the annual global cost of attacks could be over $400 billion
▪ More money for less effort than traditional crime
o Average armed bank robbery nets $6,000
• 2013
o 7% of US organizations lost $1 mil or more
o 19% of US organizations report losses of $50,000 or more
Individual victimization:
• growing group
• cybercrimes against individuals reported to the FBI in 2013 totaled losses of over $781 million
o average loss of nearly $3,000 per complaint
Types of crimes:
• $81 mil – romance scammers
• $51 mil – auto scammers
• $18 mil – real estate rental scams
• $6 mil – scammers impersonating the FBI – about $700 per victim
Remote Access Tools:
• piece of software that gives someone remote control of a system as if they were physically accessing the system
• Luis Mijangos
o Hacker behind the most famous sextortion case to date
o Victims:
▪ Spring 2009
▪ College student received an instant message from someone who claimed to know her
▪ Told her what her bedroom looked like and claimed to have nude photos of her
• Sends the photos to her and asks her to have “web sex” with him
▪ Girl contacts her boyfriend, who had the naked photos
• The two students exchange instant messages about the stalker, trying to figure out what happened
o Not long after, she gets a message from the stalker threatening her, telling her he knows what she and her boyfriend had talked about and not to go to the police
▪ Contacts campus police
▪ Officer shows up to her room; she tells him the information and he leaves
▪ Stalker then threatens her boyfriend because she contacted the police
▪ Happened to several other women
The Case:
• Hacker had gone after so many people that the Glendale, Calif. police take notice and see the broader pattern
• FBI investigated and on March 8, 2010, after 6 months of investigating and interviewing, they are led to 32-year-old Luis “Guicho” Mijangos
o Wheelchair-bound
o In the U.S. illegally
o Shot at 17 and paralyzed from the waist down
o Admitted to the FBI that he hacked people’s computers
o Favorite trick was to put files on peer-to-peer networks that would infect people’s computers when downloaded (this would give him access to their machines)
o Claims to have only done it 5 times
o FBI originally thought that there were 3 people involved, not one
o Said his stalker-style behavior was being “misconstrued”
o Claimed that he was hired to catch cheating boyfriends/girlfriends/spouses
Charges:
• FBI finds 4 laptops, a BlackBerry, and a bunch of USB drives in the home
• Hacked a total of 129 different computers and victimized a total of 230 victims
• 44 of the victims were juveniles
• After arrest he admits that he supports himself through complicated financial hacks, making around $3,000 a day
• Hung around hacker forums like “CC power” and learned how to use remote access tools like Poison Ivy and SpyNet, and “crypter” software to hide his malware from antivirus software on victims’ machines
Sextortion:
• Sextortion was his calling card
• Spent a significant amount of time targeting victims
• If he gained access to a woman’s computer, he would search for incriminating material or access the webcam to create his own
• If he accessed a man’s computer, he would impersonate the man and reach out to the female partner
• Once he received photos he would threaten to post them online unless the victims kept sending more
• Constantly monitored people’s communications
• Watched instant messages and email communications; listened in on phone conversations over the computer’s microphone
• This omniscient effect would terrify victims
Verdict:
• Plea deal with the government; pleaded guilty to 2 felony charges
• Required to no longer participate in hacks
• Sentenced to only 72 months
o “Harsh” sentence due to his “psychological warfare” and “sustained effort to terrorize victims”
Routine Activities Theory:
• Developed in 1979 by Lawrence Cohen and Marcus Felson
• “crime opportunity” theory that focuses on the situations around crimes instead of the offenders themselves
• Explains VICTIMIZATION
o Ex. Gang members that sell drugs are more likely to be the victims of crime relating to their drugs being stolen
• Premise of the theory is that crime is relatively unaffected by social causes
o Ex. Poverty, inequality, and unemployment
• Used post-WWII America to describe:
o Economies of Western countries were booming and welfare states were expanding
o Despite this, crime rose significantly during this time
o The argument that people steal because they need/want things no longer worked
• Argued that the increase in prosperity created more opportunities for crime to occur
o There is now more to steal because more people own valuable possessions
Controversy:
• RAT has been criticized by many sociologists/criminologists because theory makes a large assumption
o There will always be criminals or “motivated offenders”
RAT:
• For a crime to occur, you need:
o A motivated offender
▪ Must be capable of committing the crime and willing to commit it
o A suitable target
▪ Person or object that is seen as vulnerable/attractive to the offender
o The absence of a capable guardian
▪ No police, guard dogs, cameras, etc.
o Physical convergence in time and space
• Primary theory used for explaining cyber victimization
• Infinite number of motivated offenders (hackers)
• Computers contain desirable information (ex. bank account info, pics), making them suitable targets; some computers are hacked and some aren’t
o The ones that are hacked are the ones that do not have “capable guardians”
• Looking at things on the macro level (the big picture)
o Example: Neighborhood/Hotel
Target Hardening:
• RAT practice
• Making yourself less likely to become a victim (a less suitable target, with a capable guardian in place)
o Anti-virus programs
o Strong passwords
o Two-step verification (two-factor authentication)
▪ Securing your accounts with both a password and a code from another device you possess
o Don’t share passwords
o Webcam stickers
▪ Prevent malicious hackers from being able to watch/photograph/video you through your webcam
Self-check
Multiple choice (match each term to its definition)
1. _____ Black hat
2. _____ Cyberspace
3. _____ EFF
4. _____ Grey Hat
5. _____ DDoS
6. _____ Ransomware
7. _____ Commerce Clause
8. _____ Project Chanology
9. _____ Input Fraud
10. _____ White Hat
11. _____ Trashing
12. _____ Phishing
13. _____ Pharming
14. _____ Spyware
15. _____ Juice Jacking
16. _____ Evil Twin Wi-Fi
17. _____ Remote Access Tool
18. _____ Routine Activities Theory
19. _____ Pretexting
20. _____ Baiting
A. Doesn’t work for own personal gain but might technically commit crimes and do things many would find unethical
B. A type of malicious software designed to block access to a computer system until a sum of money is paid
C. Protest movement against practices of the Church of Scientology by Anonymous
D. Hacker with malicious intent for personal gain
E. Attempt to obtain sensitive information (usernames, passwords, etc.) by pretending to be a trustworthy entity electronically
F. Fraudulent charging stations can siphon off important data from cellphones such as passwords, contacts, pictures, and credit card data
G. Virtual environment where networked computer activity takes place
H. “Ethical hackers” who use their skills for legal and ethical reasons
I. “Crime opportunity” theory that focuses on the situations around crimes instead of the offenders themselves
J. Attacker leaves a malware-infected CD/USB drive with a legitimate-looking label in a location where it is sure to be found and waits for the victim to use the device
K. Gives Congress the power to regulate commerce internationally and between the states
L. Act of inventing/finding a pretext (a half-truth)
M. Multiple computers are used to flood a single system with traffic until it can no longer respond
N. Piece of software that gives someone remote control of a system as if they were physically accessing the system
O. Sorting through a target’s trash (dumpster diving)
P. International non-profit digital rights group that defends individuals and new technologies from what it considers abusive legal threats, and works to expose government malfeasance
Q. Software that aims to gather information about a person/organization without their knowledge or that asserts control over a computer without the consumer’s knowledge
R. Criminals are not attempting to steal the entire identity but rather to pretend to be the victim temporarily to steal funds
S. Attack on the computers that translate, for example, www.google.com into the IP address where Google’s servers reside
T. Fraudulent Wi-Fi access point that appears to be legitimate, set up to eavesdrop on wireless communications
Matching:
1. _____ Hacking
2. _____ Cracker
3. _____ Black Box
4. _____ Beige Box
5. _____ Blue Box
6. _____ Red Box
A. Emulated the in-band signaling tones once used by long distance operators and switching equipment
B. Improvised linesman’s handset typically made from a one-piece telephone and alligator clips
C. Emulated the tones generated by payphones when coins are deposited
D. Destroying/interfering with the normal operation of a computer system
E. People with malevolent intent (cracking into computers)
F. Tricked switching equipment into believing a call had not been answered when in fact it had, resulting in free incoming long distance calls
Multiple choice answers: 1. D 2. G 3. P 4. A 5. M 6. B 7. K 8. C 9. R 10. H 11. O 12. E 13. S 14. Q 15. F 16. T 17. N 18. I 19. L 20. J
Matching answers: 1. D 2. E 3. F 4. B 5. A 6. C