Simon Fraser University Cybercrime and Hacking Discussion

benatvv

Law

Simon Fraser University

Description

Cover information demonstrating your understanding of the week's material and critical thinking; a typical post meeting this requirement will be at least ~250-300 words.

This week's reading comprises the topic of Cybercrime Hacking and Hackers.

After you finish reading the Word document in the attachment (there are a few video links in the document), please provide a presentation covering information demonstrating your understanding of the week's material and critical thinking; a typical post meeting this requirement will be at least ~250-300 words.

Unformatted Attachment Preview

Back in the 1960s and 70s, the term “hacker” was used to describe law-abiding enthusiasts who looked at a computer and saw a tool – a tool they could use to innovate and build new things with. They could find new ways to use computers other than their originally intended purpose. A lot of new technology was born this way, for example, gaming, security improvements, and the mouse. If “hackers” did what they did with a bad purpose, they were called “crackers”. Interestingly, this original definition of “hacker” did not have a motive associated with it, or, if it did, it had a positive association. But over time, the media has changed the way we look at this word. And now the word “hacker” has a bad connotation.

Topic 1: Famous “Hackers”

The original definition of a hacker.

Steve Wozniak, also known by his nickname "Woz":
- He was an innovator who found ways to develop new tools from existing technology.
- Steve Wozniak, along with Steve Jobs, “hacked together” the Apple computer.
- Wozniak co-founded the Apple computer. He looked at the transistors in the circuit boards and thought “Hey! I can build a computer that the average person can buy!”

Shawn Fanning:
- He created Napster, the first traditional peer-to-peer file-sharing system. He used it for exchanging music files, MP3s.
- Peer-to-peer (P2P) technologies made downloading digital media more efficient as they connect computers together through a centralized network. This means that, rather than requiring a server to store and share every single song available (which would likely be extremely slow and limited in content and quality), the P2P file sharing system connects a large network of computers together to facilitate file sharing between the connected computers.

Bill Gates:
- He had a request to build a new operating system. In response to this request, he built MS-DOS. MS-DOS is the predecessor to the Windows program that we all know and love today.
- Gates wanted to create an operating system that would make personal computers accessible to everyone. He used the tools that he had available to him to create something new.

Sergey Brin and Larry Page:
- They are the creators of Google.

Topic 2: Malicious Hackers

Jeanson James Ancheta: Ancheta’s case was the first of its kind in the United States. He controlled a large number of botnets (hijacked computers) that he used for financial gain. He was charged “with conspiring to violate anti-spam and computer misuse laws, and fraud” (BBC News, 2006). The malicious hacker is now the default meaning of the term “hacker”.

Robert Tappan Morris: He created the Morris worm in 1988, the first computer worm on the internet. A worm is a computer program that spreads from computer to computer by exploiting security vulnerabilities in target machines. Once released, it operates without human assistance or control, scanning the Internet for new hosts to infect, attacking them and then launching a new copy of the software on the new host. While experimental worms had been developed in the past, Morris's worm spread much further and faster than any previous worm. Morris did not use the worm to steal information or to destroy data. Instead, he created the worm to satisfy his curiosity and had no intent to profit from it. Despite there being no ill intent involved in his creation of the Morris worm, he was charged under the Computer Fraud and Abuse Act.

Albert Gonzalez: He was the mastermind behind one of the largest credit card thefts in history (Suddath, 2009). He stole credit card information and resold more than 130 million debit and credit card numbers from 2006 to 2008.

Case Study: REvil Ransomware

REvil was a ransomware-as-a-service (RaaS) operation that was based in Russia. REvil would attack a target and then threaten to hold the stolen data, or release it publicly, unless a ransom payment was received.
It is estimated that REvil attempted to extort close to $38 million USD from its victims.

Topic 3: Types of Hackers

Classifying Hackers: Motivation

White Hat Hackers: White hat hackers are the good guys of the hacker world, are usually security professionals, and are quite often called “ethical hackers” as they hack with permission. They use the same techniques as other hackers to hack into systems, but before starting they must have permission to test the security of the system. Their activities are legal. They focus on security and protecting IT systems (Java T Point, 2021).

Black Hat Hackers: As opposed to white-hat hackers, who have permission, black-hat hackers do not have permission to do what they do. They are also known as unethical hackers or crackers. These are the individuals we think of when calling someone a “hacker”. They try to steal money, credit cards, or break in to disable a system. Black-hat hacking is illegal. Black-hat hackers are criminals who break into computer networks with malicious intent. They may also release malware that destroys files, holds computers hostage, or steals passwords, credit card numbers, and other personal information.

Grey Hat Hackers: There is a category of hackers who do not fit into either the white hats or the black hats. Without asking for permission, they usually experiment with, or hack into, a system without meaning to cause damage or steal anything. In most cases, they tell the administrator of that system of the vulnerability, hoping to make the system more secure. They could even ask for a fee to help the administrator resolve the security flaw. The problem is that this is all without permission, so technically it is still illegal.

Hacktivist: Hacktivists are not in it for the money. A hacktivist is motivated by something other than financial gain or personal gain. Hacktivists are often motivated by human rights, free speech, freedom of information, etc.
They gain unauthorized access to computer files or networks to further social or political ends.

Cyber Terrorist: Even though cyber terrorists are politically motivated, they might be interested in financial gain. The money they accumulate from their attacks may be used to buy firearms or explosives or to fund other terrorist activities. Hacktivists are more altruistic, whereas cyber terrorists are more politically motivated. The FBI defines cyber terrorism as: “The premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against non-combatant targets by sub-national groups or clandestine agents.”

Classifying Hackers: Skill Level

Novice Hackers: Novice hackers make up the largest portion of all hackers. Just like anyone else, novice hackers start with a very basic level of knowledge. They do not know very much about hacking but they are interested in practicing and learning. They will often begin by looking for existing tools and experimenting with them. These hackers usually download tools or use available hacking code written by more experienced developers and hackers. Generally, they do not have a good underlying knowledge of what these tools do or what it is that they’re doing. However, they are interested in learning and may have a desire to become full-blown hackers. Novice hackers pose a relatively small threat, but collectively they can cause large problems just based on their sheer numbers. For example, in 1999, nearly half a million machines suffered from a vulnerability accessible to novice hackers. Compare this to the lottery. The players have no skill, a single individual barely has any chance of winning, but collectively someone usually wins. Similarly, a single hacker barely has a chance to break in anywhere, but collectively, someone will get lucky and “win”.
Intermediate Hackers: Once a novice hacker has practiced and learned more about hacking, they may move up to the intermediate level. They keep researching, experimenting, and studying. Eventually they begin to understand what it is that they're doing. These hackers are much fewer in number than novice hackers and their understanding of computer concepts is far better. If we are talking about real-world monetary value, intermediate hackers’ skills are worth quite a bit. They will have marketable skills that may be attractive to others. Intermediate hackers are interested in continuing to try different tools and learn new methods. They are highly motivated because they are seeking to gain reputation and establish a name for themselves. The best way to learn how to become a better hacker is through discussion with other hackers. They often seek out peers and attempt to learn from each other. However, to talk to the most elite hackers, they need to acquire valuable information or pull off a noteworthy attack. Reputation is king, and intermediate hackers will value their reputation, try to grow it, and mingle with hackers having higher reputations, with the hope of learning.

Elite Hackers: Elite hackers can break into most systems and understand the inner workings of most commercial systems, databases, and websites. They are the least common type of hackers. Unlike novice and intermediate hackers, they do not have to rely on existing code, tools, or techniques to break in. They have a deep fundamental knowledge of computer systems and are able to create new code, tools or techniques. Elite hackers have no need for reputation anymore. Rather, their motivation is to develop new tools and hoard them for potential future use. These hackers are difficult to detect, identify, and capture by law enforcement as they tend to fly under the radar.

Novice hackers use the tools without understanding. Intermediate hackers use the tools with understanding.
Elite hackers create the tools.

Classifying Hackers: Organizational Structure

Individual Hackers: In the 1980s and 1990s, when computers and the Internet were becoming more popular, hackers would often hack alone. When computers were a lot more basic, they were a lot more exploitable, and a single person could acquire enough knowledge to carry out the entire attack. Computers did not have antivirus software or firewalls. It was relatively easy to break into them if the hacker had some background knowledge about what they were doing. It was easy to hack alone due to the lack of system protections. This is no longer the case. For the most part, the days of individual hacking are behind us.

Organized Groups: Today, most hacks are done in small groups of trusted members. Hackers get in quickly and are out fast. As we now have very strong firewalls and antivirus products, the skills of an individual are no longer enough to break into a computer. To carry out a hack, hackers need people to come together and work as a team. Currently, we see that organized groups carry out the majority of the attacks.

Disorganized Groups: With disorganized groups, some hacks may be done by volunteers who form groups based on motivation about a certain topic. Hackers join and leave the group all the time. When attacking a computer, hackers will get in and out quickly. An example of a disorganized group is Anonymous. Recently, Anonymous has declared a cyberwar on Putin’s Russia over the aggressive invasion of Ukraine. Anonymous claims that it has already targeted Kremlin-controlled media websites, Russian oil companies, TV channels, etc. For more information about this attack and the potential risks associated with it, see this video: https://www.msnbc.com/morning-joe/watch/hacker-group-anonymous-declarescyber-war-on-putin-s-russia-134590533620

State-sponsored Groups: State-sponsored groups are hackers sponsored by the state.
These groups are typically branches of the military, the public safety sector, or another branch of government. State-sponsored groups have a lot of money and resources at their disposal as the government is financing them. An organized group is financially motivated and will break in to steal money, while a state-sponsored group is not interested in money (they have the backing of an entire government!), thus they will be looking for other things. For example, they may be looking for vulnerabilities that they can use to break into an enemy's computer system, or vulnerabilities in their own systems that the enemy could use to their advantage.

Topic 4: Tools of the Trade

Three Examples of Hacking

Example 1: Social Engineering

The following is a hacking example from 2012, where a writer from Wired magazine was hacked. This example illustrates that not all hacks require technical skills. Sometimes, hacks are carried out through the ability to manipulate people rather than based on a hacker’s technical skill. Most hacks are carried out in this fashion.

2012

4:33pm
▪ Hackers have email address
▪ Someone called AppleCare claiming to be Mat
▪ “He” couldn’t get into his Me.com e-mail
▪ Wants to reset AppleID password
▪ However, Apple needs address and partial credit card
▪ “He” can’t answer Mat’s security questions
▪ “He” can answer address and credit card

4:50pm
▪ Password reset confirmation arrived in Me.com inbox
▪ Hackers send it to the trash
▪ Hackers follow the link in the e-mail to reset Mat’s AppleID password

4:52pm
▪ Gmail password recovery e-mail arrives in Me.com inbox

4:54pm
▪ Google change-of-password notification email arrives in Me.com inbox
▪ Hackers delete message

5:00pm
▪ With iCloud’s “Find My” tool, iPhone remotely wiped

5:02pm
▪ Twitter password reset

5:05pm
▪ MacBook remotely wiped
▪ Google account deleted

5:12pm
▪ Hackers take credit through post to Twitter

Post-Hack: Why?

Victim: “I asked him why.
Was I targeted specifically? Was this just to get to Gizmodo's Twitter account? No, Phobia said they hadn’t even been aware that my account was linked to Gizmodo’s, that the Gizmodo linkage was just gravy. He said the hack was simply a grab for my three-character Twitter handle. That’s all they wanted. They just wanted to take it, and fuck shit up, and watch it burn. It wasn’t personal.”

Hacker: “I honestly didn’t have any heat towards you before this. I just liked your username like I said before” he told me via Twitter Direct Message.

Post-Hack: How Did the Hacker Get Mat’s Email?
▪ Target: A Twitter account
▪ Hacker realized Mat used his Gmail for Twitter email
▪ On Gmail, without two-factor authentication, Gmail shows the alternate/recovery email
▪ m••••n@me.com
▪ Not hard to guess: mhonan@me.com

Post-Hack: How Did the Hacker Get Mat’s Partial Credit Card?
1. Call Amazon, tell them you want to add a credit card to your account
2. Add a new (fake) credit card to your Amazon account
3. Hang up
4. Call back saying you've lost access to your account
5. Provide name, billing address, new credit card
6. Add a new email address
7. Go to the Amazon website, reset password using your new email
8. Enter Amazon's website, get partial credit card
9. Phone Apple and enter account

Post-Hack: What Skills Were Needed in this Attack?
▪ This attack took approximately 30 minutes to complete
▪ No technical hacking skills were used to carry out the attack

The hackers were good at exploiting the processes of two businesses against each other.

The previous example where Mat was hacked involved the use of social engineering. According to Mitnick and Simon: “Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation.
As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.” (Sagarin & Mitnick, 2012)

Social Engineering Historically

The first recorded social engineering attack.

“Are you familiar with the story of the Trojan Horse trick, first mentioned in the famous novel The Odyssey? The year was 1184 B.C. The Trojans and Greeks were immersed in a long, seemingly never-ending war. After a 10-year siege, the Greeks realized they had to get crafty to defeat the Trojans. They constructed a giant wooden horse and hid some of their army inside it. The rest of the military sailed away, appearing defeated. The Trojans fell for the trick; dragging the wooden statue past their protective barriers as a trophy for their long-overdue victory. After the sun went down and the Trojans went to bed, the Greek soldiers waiting inside of the horse snuck out and unlocked the gates around their city— sneaking in the rest of their armed forces who sailed back under the cover of darkness. The Greeks then used the element of surprise to destroy the city of Troy from the inside, formally ending the war. And therein lies the first recorded instance of social engineering. While these acts of deceit were alive and well for nearly all of civilized humanity, it wasn’t until millennia later that someone put a name to this type of deceit— something more methodical and planned than a simple ruse… calculated steps carefully orchestrated to manipulate and breach a barrier.” (Mitnick Security, 2022)

The 4 Stages of a Social Engineering Attack

The Research Stage
o Learn about a person in order to be able to gain trust
o Pick best target

Developing Rapport and Trust
o Establish contact with the victim to obtain information directly
o Through telephone, email, face-to-face chat, etc.
Exploiting Trust
o Rely on psychological techniques such as authority, liking and similarity, being helpful, and reciprocation to exploit the gained trust

Using Information
o Get the information wanted
o In some cases the information gained from an attack is used toward a new social engineering attack

Example 2: Software

So… you’re on campus one day and you see that someone has accidentally left their USB flash drive behind. What do you do?
• Maybe you could plug it in to your computer to see if you can find some identifying information about the owner so that you can return it to them?
• Or, you may think… sweet! Free USB! You will just plug it in and wipe the data and upload your own files onto it.

Well… You really shouldn’t do any of these.

Social Engineering and Flash Drives

Flash drive attacks can also be orchestrated through social engineering. An example: Perhaps the hacker managed to get into an office space through developing trust and rapport with the office workers. The attacker leaves an infected flash drive on the desk of an unsuspecting employee. The employee assumes that, since the office space is in a secure area, they can plug in the drive to see what is on it. After all, maybe their boss left it on their desk because it contains important files for them to review. Once the employee connects the flash drive and the malware is installed on the company’s computer, the company is in big trouble! The attacker may have access to restricted and confidential files, they might be able to connect to the network and infiltrate other computers, they may hold the company’s data for ransom, etc.

Here is a video that shows how USB drives can pose a threat to cybersecurity: https://www.youtube.com/watch?v=Rsx3lUWicMg

Example 3: Technical Hacks

We saw how people can be exploited through social engineering that does not require technical hacking skill. Now, we will explore how websites can be exploited through technical hacks.
SQL Injection Attacks

SQL = Structured Query Language, the language databases use

“injection” = The exploitation of a bug (flaw) that allows the program to process invalid data and can be used by an attacker to introduce (or "inject") code into a computer program to change the course of execution

This method can be used to map out a database, then retrieve selected or all data, then finally infect visitors to the site with malware.

Example: Let's pretend that the image below is a real website that is used to order pizza.
• If you want to attack this website, you need to interact with it.
• How do you interact? Well… you have only one choice. That textbox!

So what would a “normal” user enter, when prompted to enter a month? Maybe 10. In the background, the “10” (which the user entered) is put into a question for the database, saying “show me all the orders for month 10.” The specific query to the database would look like:

    SELECT pizza, toppings, quantity, order_day FROM orders WHERE order_month= 10

This is perfectly normal, and expected. Let’s assume the database looks like this:

    Pizza    Toppings  Quantity  Order_Day  Order_Month
    Pizza01  4         4         22         1
    Pizza02  1         2         4          12
    Pizza03  2         1         21         3
    Pizza04  2         4         14         9
    Pizza05  2         1         19         7
    Pizza06  5         3         15         10
    Pizza07  3         4         25         6
    Pizza08  2         1         21         6
    Pizza09  3         5         14         12
    Pizza10  2         4         16         10

The database would go row-by-row, and compare the order_month to the user’s request of 10. Is the order_month for row 1 equal to 10? No. Skip. Is it equal in row 2? No. Skip. … Is it equal in row 6? Yes. Show to the user. … etc. At the end, rows 6 and 10 would be shown, as they are the only two orders in month 10.

However, a hacker doesn’t think like your average law-abiding user. They will get creative, and enter something unexpected and nonsensical like “0 OR 1=1”, making the question be:

    SELECT pizza, toppings, quantity, order_day FROM orders WHERE order_month= 0 OR 1=1

Note the condition “order_month= 0 OR 1=1”. So when is order_month equal to 0? Well, never. When is 1=1?
Always. Thus “order_month= 0 OR 1=1” is always true, meaning it is true for all records in the database, thus all records are returned. The malicious user has just compromised the database.

More experienced hackers will input more and more complex questions, like “month=0 AND 1=0 UNION SELECT cardholder, number, exp_month, exp_year FROM creditcards”:

    SELECT pizza, toppings, quantity, order_day FROM orders WHERE order_month= month=0 AND 1=0 UNION SELECT cardholder, number, exp_month, exp_year FROM creditcards

The details are beyond this course, but this is in effect 2 questions:

    SELECT pizza, toppings, quantity, order_day FROM orders WHERE order_month= month=0 AND 1=0

This is never true: there is never an order_month = 0, and 1=0 is also never true. This question doesn’t have any answers. BUT, there is a second question:

    SELECT cardholder, number, exp_month, exp_year FROM creditcards

This one tells the database to show all credit card details. The database is now compromised even further!

A skilled hacker will use this strategy to map out a database, slowly, through trial-and-error, and eventually find something of value. Then they’ll proceed to steal that information. This takes knowledge, patience, and luck.

For more information, please see this video: https://www.youtube.com/watch?v=cx6Xs3F_1Uc

Summary of Examples

In the previous examples, we saw how many ways a hacker could use to interact with the website. This means that each component of the website needs to be protected. In this week’s lesson, we have learned that attackers can compromise or attack websites, e-mails, suppliers, etc. Employees and their computers can also be attacked through social engineering.
When developing cybersecurity protection, it is important that companies also protect:
• Websites
• Email
• Suppliers’ computers
• Employees

This can be summarized as follows:
• Security needs to protect everything
• Bad guys however just have to compromise a single thing

Thus, the chain is only as strong as its weakest link!

Topic 5: Laws

It can be tricky for the Canadian criminal justice system to respond to cyber-attacks. Here are some things to consider:
1. Depending on what the hacker does, the business might not want to even press charges
2. Even if a business is compromised, the hackers might not be reachable
3. If law enforcement does investigate, they may likely find out that the attackers are located in another country
4. If those responsible are living in another country and that country does not have a legal system compatible with ours, we cannot extradite

Canadian Laws

Here in Canada, we do have two laws specifically trying to address hackers. The first is “Unauthorized Use of a Computer, section 342.1 of the Canadian Criminal Code”, which states:

s. 342.1: Unauthorized Use of a Computer

Every one who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service,
(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system, or
(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system
is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction

While 342.1 focuses on a person, Section 430, “Mischief to Data”, focuses on the damage:

s. 430: Mischief to Data

(1.1) Every one commits mischief who willfully
(a) destroys or alters computer data;
(b) renders computer data meaningless, useless or ineffective;
(c) obstructs, interrupts or interferes with the lawful use of computer data; or
(d) obstructs, interrupts or interferes with a person in the lawful use of computer data or denies access to computer data to a person who is entitled to access to it.

The punishment in relation to data is as follows:

(5) Every one who commits mischief in relation to data
(a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years; or
(b) is guilty of an offence punishable on summary conviction.

Unauthorized Use of a Computer and Mischief to Data are Canada’s two main laws for hacking. One is against intrusions into computers, and the other is against the modification of data.
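
The pizza-order query from Example 3 (SQL Injection Attacks), as an added example that is not part of the course material: it runs the page's month lookup against an in-memory SQLite copy of the sample table, first with the textbox value pasted into the SQL text and then with the value passed as a bound parameter and validated as a month. The function names and the use of SQLite are assumptions made for the illustration.

```python
import sqlite3

# Rows copied from the page's sample table:
# (pizza, toppings, quantity, order_day, order_month)
ORDERS = [
    ("Pizza01", 4, 4, 22, 1), ("Pizza02", 1, 2, 4, 12),
    ("Pizza03", 2, 1, 21, 3), ("Pizza04", 2, 4, 14, 9),
    ("Pizza05", 2, 1, 19, 7), ("Pizza06", 5, 3, 15, 10),
    ("Pizza07", 3, 4, 25, 6), ("Pizza08", 2, 1, 21, 6),
    ("Pizza09", 3, 5, 14, 12), ("Pizza10", 2, 4, 16, 10),
]

# The query from the page, up to the point where the month is filled in.
BASE = ("SELECT pizza, toppings, quantity, order_day "
        "FROM orders WHERE order_month = ")


def make_db():
    """In-memory SQLite stand-in for the pizza site's database (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (pizza TEXT, toppings INTEGER, quantity INTEGER, "
        "order_day INTEGER, order_month INTEGER)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", ORDERS)
    return conn


def orders_vulnerable(conn, month_text):
    # The textbox value is pasted into the SQL text, so anything the user
    # types is parsed by the database as part of the query.
    return conn.execute(BASE + month_text).fetchall()


def orders_parameterized(conn, month_text):
    # The value travels separately from the SQL text as a bound parameter;
    # the database compares order_month against it as a single value.
    return conn.execute(BASE + "?", (month_text,)).fetchall()


def orders_validated(conn, month_text):
    # Second layer: a month is an integer from 1 to 12. int() raises
    # ValueError on input such as "0 OR 1=1" before the database is touched.
    month = int(month_text)
    if not 1 <= month <= 12:
        raise ValueError("month out of range")
    return conn.execute(BASE + "?", (month,)).fetchall()


def pizzas(rows):
    """Pizza names from a result set, sorted for stable comparison."""
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    for text in ("10", "0 OR 1=1"):
        print(repr(text),
              "pasted into SQL ->", len(orders_vulnerable(db, text)), "rows;",
              "bound parameter ->", len(orders_parameterized(db, text)), "rows")
```

With the bound parameter, the text “0 OR 1=1” is compared to order_month as one value and matches no row, while “10” still returns the two orders for month 10.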

Explanation & Answer

View attached explanation and answer. Let me know if you have any questions.

Cybercrime
Student’s Name
Course
Institution
Date

Nowadays, the term "hacker" has an overwhelmingly negative undertone, bringing up
images of cybercriminals out to steal identities and unleash destructive viruses. That was not
always the case. In actuality, society's first perception of computer hackers was that they were
technology enth...

