Cyber_Crime

Prosiding Seminar Kebangsaan E-Komuniti 2005. UKM. 6-7 Disember 2005. Putrajaya 1 AN INTRODUCTION TO CYBERCRIMES: A MALAYSIAN PERSPECTIVE Sonya Liew Yee Aun University of Strathclyde Introduction The fast-paced development of information and communication technologies in the world during the last fifty years has led to a thriving online community. This community exists in a place called cyberspace and are known collectively as netizens1. Netizens are encouraged by cyberspace’s architecture to communicate, trade2 and to commit crimes in ways that are different from the tangible world. Also, free speech is encouraged to flourish and anybody could publish statements and/or information online. This architecture also provides an environment that is conducive for the perpetrators of cyber crimes to mask their identity and to commit such crimes with ease. Governments of countries, including the Malaysian government3 has voiced concerns over such crimes in the Internet and in any online environment. Niser, the National ICT Security and Emergency Response Centre of Malaysia (‘Niser’) had reported online on 14th March 2005 that: “INFORMATION and communications technology (ICT) networks and systems in the Government are facing a serious threat of cyber attacks. So far this year, a whopping 100 million intrusion attempts have been detected by the Government Computer Emergency Response Team, a special team established by Malaysian Administrative Modernisation and Management Planning Unit (Mampu) to address ICT security incidences in the public sector.”4 This paper will focus on the current issues of cybercrimes that are getting more prevalent in cyberspace against the backdrop of the Malaysian legal landscape. Firstly, a brief overview will be conducted in relation to the popular computer crimes. Thereafter, the applicable Malaysian laws will be identified and where necessary, analysed. Such analysis will provide a glimpse of the current challenges that these crimes introduce into these current laws. Lastly, solutions, if any, will be recommended to overcome such challenges. New Age Crimes Malaysians are now exposed to computer crimes that have amusing or strange names. For example, terms such as ‘Phreaking’, ‘Hacking’, ‘Worming’, ‘Phishing’ and ‘Spoofing’ gives one the impression that these terms are used in the shipping industry. However, these terms are names for computer crimes that came into existence within the last 50 years or so. 1 Means ‘A person actively involved in online communities…coined by Michael Hauben’, Wikipedia, the free encyclopedia, “Netizen” at http://en.wikipedia.org/wiki/Netizens 2 Examples include business models such as online auctions, reverse auctions and online purchases. 3 As reflected by the Malaysian Prime Minister on the eve of Malaysia’s national day which was televised nationwide. Specially mentioned was the prevalence of on-line pornography. 4 http://www.niser.org.my/news/2005_03_14_01.html Pusat Kajian E-Komuniti, FSSK-UKM Prosiding Seminar Kebangsaan E-Komuniti 2005. UKM. 6-7 Disember 2005. Putrajaya 2 There are other computer crimes that had emerged within the last 50 years. They do not sound as strange but are nonetheless as damaging. They are: i) ii) iii) iv) v) vi) vii) malignant hacking; online fraud; disseminating malicious programs; online-pornography; online-credit card fraud; defacing of websites; and denial of service attacks What is hacking' There is benign hacking and malignant hacking. Benign hacking used to mean hacking activities (that are harmless) upon computer networks or computers. The hacker has a burning curiosity to explore and understand data, systems or the security features of such computer systems or computers. However, the hacker does not intend to harm the systems or the computers and would not leave any trail of destruction upon his exit from the same. Malignant hacking5 (also known as cracking) on the other hand, is a more prevalent activity today. Worms, Trojans, viruses and spywares6 are examples of malicious programmes that are created by malignant hackers. Worms7 are computer programmes that are selfexecutable. They are usually released into the Internet and distributed through attachments in e-mails or via a website wherein the Worm attaches itself unto the unwitting visitor’s computer system. Worms may be programmed to open up ‘trapdoors’ in security systems, harvest security passwords or to just create chaos. The word Trojan was taken from Homer’s well-known work – The Odyssey, as the functions of these malicious software are the same as the Trojan horse. They are made to ‘hitch along’ other harmless software that are uploaded into computers or computer systems. They then unleash themselves upon the computers or computer systems. As akin to worms, Trojans may also be programmed to open up ‘trapdoors’ in security systems, harvest security passwords or to just create chaos. What is Phreaking' According to an online encyclopedia8, Phreaking is: “… a slang term coined to describe the activity of a subculture of people who study, experiment with, or exploit telephones, the telephone companies, and systems connected to or composing the Public Switched Telephone Network (PSTN) for the purposes of hobby or utility…It has also come to mean doing similar things to anything such as vending machines.”9 5 Malignant hackers are usually known as crackers. For information on the difference between hacking and cracking, visit http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211852,00.html 6 Malicious computer programmes that track and spy on the Internet user by tracking browser activities. 7 ‘…The name worm was taken from The Shockwave Rider, a 1970s science fiction novel by John Brunner. Researchers writing an early paper on experiments in distributed computing noted the similarities between their software and the program described by Brunner and adopted the name…’, at http://en.wikipedia.org/wiki/Computer_worm 8 http://www.wikipedia.com 9 Wikipedia, the free encyclopedia, “Phreaking” at http://en.wikipedia.org/wiki/Phreaking Pusat Kajian E-Komuniti, FSSK-UKM Prosiding Seminar Kebangsaan E-Komuniti 2005. UKM. 6-7 Disember 2005. Putrajaya 3 ‘Phreakers’ create devices that are able to imitate frequencies used in PSTN telephone systems. Such devices are then used to obtain free long distance calls to connect their computers online for hacking purposes. Hence, phreaking on its own is a manipulation of telephone networks to perform activities according to the whims and fancies of Phreakers. In the early days of the Internet, phreaking and hacking were skills that hackers had to acquire for ‘high quality’ hacking. The phreaking culture today also results in intrusions upon telephone networks and wanton misuse of telephone lines. Currently, this activity has expanded to not only include PSTN telephone structures but also vending machines. What is Phishing' Phishing is also known as carding and spoofing. The term ‘Phishing’ is from the word ‘fishing’. This term first appeared in the online hackers’ magazine known, as the 2600 Magazine. Hackers usually replace the alphabet ‘f’ with the alphabets ‘ph’, as in the case of ‘freaking’ and ‘Phreaking’. ‘Fishing’ or rather, ‘Phishing’ in this context, is to ‘fish’ for passwords, security clearance codes, financial and personal details10. Phishing is more common in the form of bogus websites. These websites are prone to be similar to banks’ or financial institutions’ websites wherein Internet users are invited to enter personal and financial details into the website. Thereafter, such information is used to create fake identity cards, passports and/or credit cards. The gathering of such information is known as ‘Identity theft’. In the early Phishing culture, passwords were stolen from unsuspecting AOL (America Online) (or any other similar platform) users by attackers to be used as covers to generate spam or to hack into other computer systems. Today, Phishing has matured into a more efficient system of stealing identity. Customers of Ebay, Paypal and even certain banks have been specifically targeted by Phishers11. Information is gathered from unsuspecting clients who are asked to verify account and personal information, online, by bogus websites and pop-ups. Between May 2004 and May 2005, it is estimated that approximately 1.2 million computer users in the United States have suffered losses amounting to USD 929 million due to Phishing12. The different ways to commit a computer crime From the overview in paragraph 2 above, computer crimes are committed in various ways. The offences as mentioned may be committed: i. against a computer or a computer system; ii. with the aid of a computer or a computer system; and iii. on the computer or a computer network which is incidental to the committing of another offence13. For the purpose of a structured discussion, the mentioned crimes are divided into the above categories to describe the effects of such crimes. Offences committed at a computer or a computer network ‘Phishing’, Wikipedia at http://en.wikipedia.org/wiki/Phishing Phishing activities with special targets are known as ‘Spear Phishing’ 12 ibid 13 Digital Evidence and Computer Crimes (Forensic Science, Computers and the Internet), The Language of Cybercrime, Chapter 2, pg. 17 11 10 Pusat Kajian E-Komuniti, FSSK-UKM Prosiding Seminar Kebangsaan E-Komuniti 2005. UKM. 6-7 Disember 2005. Putrajaya 4 Attackers who target computers and computer systems commit these offences. Examples of such crimes are Denial of Service Attacks14, cracking and unleashing of viruses, Trojans and Worms into computers and/or computer systems. The Computer Crimes Act 1997 (‘CCA’) was enacted in Malaysia to deal with computer crimes. The relevant sections that are applicable to the identified crimes above are, inter alia: i) S3. CCA, Unauthorised access to computer material, wherein this section prohibits hacking and cracking activities; and ii) S.5 CCA, Unauthorised modification of the contents of any computer, wherein this section prohibits viruses and Trojans from infecting computers. Offences committed with the aid of a computer or a computer network Perpetrators of such offences are only capable of committing such offences with the aid of computers and/or computer systems. The use of computers and/or the Internet provides efficiency in the commission of such crimes. For example, identity thefts are easily committed by Phishers and Crackers online to: i) manufacture fake credit cards or commit credit card fraud; ii) commit theft (tricking vending machines); and iii) commit online-banking fraud. The following are the laws that may be the most applicable in relation to the identified crimes: i) S.4 CCA, Unauthorised access with intent to commit or facilitate commission of further offence, wherein this section prohibits Phishing and other types of online identity theft; and ii) S.6 CCA, Wrongful communication, wherein this section prohibits a person from knowingly communicating a password, access code or other means of access to an unauthorized person. Offences committed on a computer or a computer network which is incidental to the committing of another offence The perpetrators in this category of offences have the choice to either use or not to use a computer to facilitate their criminal activities. Examples of such crimes are: i) Drug trafficking, wherein e-mail or short messaging systems (SMS) are used as a form of communication amongst drug dealers; ii) Pornography, wherein pornographic pictures are sold and sent via e-mail as opposed to ordinary postal mails; iii) Harassment, wherein e-mails and SMS messages are used to harass an individual; and iv) Seditious blogging15. The applicable penal sections for such crimes are: 14 A group of offenders perform ‘Denial of Service’ attacks upon a certain website when they send hundreds or thousands of messages to a website or an online bulletin board so as to cripple the website. This not only disables the functionality of the website, it also prevents legitimate users from accessing to the infected websites. 15 The word blogging comes from weblogging. One does weblogging when one writes and express thoughts in specific websites meant for weblogs in the Internet. This is a demonstration of a feature of the Internet, ie, the encouragement of free speech as abovementioned. Pusat Kajian E-Komuniti, FSSK-UKM Prosiding Seminar Kebangsaan E-Komuniti 2005. UKM. 6-7 Disember 2005. Putrajaya 5 i) i) ii) S.233 of the Communications and Multimedia Act 1998, wherein this section prohibits any person to send any obscene, indecent, false, menacing or offensive content with intent to annoy, abuse, threaten or harass another person; S.292 of the Penal Code, wherein this section prohibits the sale of pornographic material; and S.4 of the Sedition Act 1948, wherein this section prohibits the publication and forwarding of seditious contents. The challenges The architecture of the Internet with its ever improving technologies for online computing and the development of the Internet culture have spawned the following challenges to any legal jurisdiction in the world: i) confusion as to the jurisdiction in which the crime was committed; ii) the law does not provide for a new generation of crimes; iii) difficulty in prosecuting certain types of cybercrimes as the elements of such crimes are not committed in a single jurisdiction; ii) the difficulty in collecting evidential proof of computer crimes; iii) ignorance of Internet users on using technology for protection; and iv) the implementation of encryption technologies and security technologies that are time consuming and costly. Jurisdictional issues In the online world, a defamatory statement which is criminal in nature may be posted by a Malaysian in an American website that is hosted in Zimbabwe. Likewise, an illegal online money transfer may have the instructions issued in the United Kingdom to a bank in Barbados, to transfer funds into a bank account in Switzerland belonging to a Chinese national. Both of these crimes may be committed in the span of 10 minutes. The ease in the execution of such activities and the inter-jurisdictional nature of these transactions are common in cyberspace. These two features of the architecture of cyberspace provide speed and confusion as to the jurisdiction in which the crime was committed. Such attributes are added advantages for online criminals. These attributes are indeed posing teasers to all lawmakers around the world. In Malaysia, the intended solution may be found in S. 9 of the CCA. This section provides that any person, whatever his nationality or citizenship shall be liable for an offence within the CCA, if in the event the computer, program or data (used or forwarded to commit the offence) was in Malaysia or are capable of being sent to or used in Malaysia. Shortcomings of the law Malaysian law does have its shortcomings. There are websites on the Internet, which enable or encourage Malaysians to commit online crimes. For example, the hacker website known as the 2600 magazine provides hacking manuals for free. Also, online gambling and pornographic websites are accessible by any Malaysian. These contents that are available to the Malaysian public are not within the jurisdiction of any Malaysian enforcement agency as the providers of the contents are not Malaysians, and the servers are not in Malaysia. Pusat Kajian E-Komuniti, FSSK-UKM Prosiding Seminar Kebangsaan E-Komuniti 2005. UKM. 6-7 Disember 2005. Putrajaya 6 Following that, cookies or other spywares that attach itself into one’s browser to collect the browsing history of the browser user are commonly found in the Internet. The information collected by such programmes may be ranging from books that were purchased online to one’s password for the email address. Malaysia currently does not have a data protection regime (wherein such a regime exists in Europe)16 to protect the online user’s personal information. Difficulty in collecting and presenting evidential proof of computer crimes in court All content in cyberspace is intangible in nature as these content are in digitized formats and are stored in servers and in drives all over the world. The probability of losing online content is higher than the probability of losing written information. This feature of the Internet’s architecture is an obstacle to digital forensic experts that are collecting evidence for a digital crime as information may be: i) ii) iii) deleted at ease by perpetrators; kept in servers that are in various parts of the world; and manipulated to conceal the crime. Ignorance as to the different types of protection available online Seasoned netizens are aware of the different types of protection that one may employ in protecting oneself. However, new users of the Internet and the non-techno savvy computer user will not be aware of the different types of online protection that are available. They are, inter alia: i) ii) iii) iv) Antivirus, anti-malware, anti-adware and anti-spyware programmes that are to be updated from the Internet to keep up with newly introduced malicious computer programmes; Effective firewalls to keep out malicious programmes from entering into local or wide area networks; Encryption technologies; and Digital signatures. Over and above these technologies, computer users and netizens alike are to employ a vigilant attitude when using the Internet and other types of connected computers. Costly security technologies Most of the popular security technologies such as Pretty Good Privacy (‘PGP’), Secure Socket Layer (‘SSL’), antivirus, anti-adware, anti-malware and anti-spyware programmes, to name a few, are usually manufactured in the United States or European Union countries. Malaysians do not have a choice but to purchase these security technologies by paying the same rate as all citizens of the United States or the European Union. Due to the nature of the Malaysian Ringgit’s exchange rate with the Euro and the American Dollars, Malaysians are in fact paying more for the same technology. 16 Malaysia is going to implement such a regime soon. For more information in relation to this regime, go to: http://www.ktkm.gov.my/template01.asp'Content_ID=368&Cat_ID=4&CatType_ID=84 Pusat Kajian E-Komuniti, FSSK-UKM Prosiding Seminar Kebangsaan E-Komuniti 2005. UKM. 6-7 Disember 2005. Putrajaya 7 Recommendations International Cybercrime laws The Council of Europe had in late 2001 adopted its Convention on Cybercrime Treaty (‘the Treaty’). This treaty was signed by 30 of the Council of Europe members and 4 partner countries that include the United States of America, Canada, Japan and South Africa. This treaty provides for domestic procedural laws to investigate computer crimes and calls for international cooperation in investigating computer crimes. The effect of the Treaty is that any of its member country is to standardize its domestic laws to its requirements. Given the fact that the Treaty originated from the Council of Europe, such requirements in the Treaty may not be suitable to be implemented in countries that do not have similar legal systems and legal cultures. It is suggested that perhaps the rest of the countries in the world should co-operate through the United Nations to develop a treaty that provide all if not most of the solutions that crime enforcers face today when fighting cybercrimes. Such laws should be the minimum standard to be adopted by member countries, wherein the jurisdictional issues as stated in paragraph 4.1 above should be addressed. More laws and codes to be amended The current laws and codes in Malaysia are to be amended. As was pointed out in paragraph 4.2 above, there are indeed loopholes in the Malaysian legal landscape that have to be addressed. It is suggested that Malaysia’s amendments must take into account that its laws concerning technology are to be technology neutral. This is because of the fact that technology is fast evolving in the on-line world. Hence, the best way forward is not to entrench technology into the law but to entrench rules in cyberspace to protect Malaysians. A good guide in evidence preservation It is suggested that the Royal Malaysian Police and any other investigative body in Malaysia are to have a complete and comprehensive guide as to the preservation of evidence from digital crimes. At the moment, it is noted that S.90A of the Evidence Act of 1950 provides for the admission of documents. The effect of this section is that any document printed by a computer is admissible in court, provided that the computer produces the document in its ordinary use. To prove that the document was issued by the computer in its ordinary use, a person who is responsible for the management of the operation of that computer, or for the conduct of the activities for which that computer was used, is to issue a certificate stating that the document was indeed produced by the computer in its ordinary use. It is submitted that at the moment with the prevalence of worms, viruses and Trojans, such a certificate may not be enough. Perhaps an additional certificate is required from a qualified computer specialist to certify that the computer was not tampered with or affected by any malicious codes. Pusat Kajian E-Komuniti, FSSK-UKM Prosiding Seminar Kebangsaan E-Komuniti 2005. UKM. 6-7 Disember 2005. Putrajaya 8 The public should be guided and educated Educational and informative materials are to be supplied to the pubic to be made aware of risk of the different types of cybercrimes and the different protection technologies that are available to combat against the same. Over and above that, the public should be encouraged to develope homegrown security technologies that are in compliance with international standards, such as the ISO/IEC17799:2000 for Information Security management and the British Standards Industries (BSI) BS7799-2:002 for data protection. Both these standards are being promoted by Niser and SIRIM QAS International Sdn. Bhd. (a subsidiary of SIRIM Berhad) in Malaysia to enhance security in the ICT sector. Conclusion In conclusion, Malaysia, in its bid to be technologically advanced has put into place its various national Information Communication and Technology (ICT) projects such as the Multimedia Super Corridor and the various technology parks to promote the use and development of ICT. Such promotion will result in a widespread use of the Internet and the Internet culture. It is submitted that Malaysia must have up-to-date laws to effectively deal with the cybercrimes that comes along with the Internet. To this end, Malaysia must constantly check and conduct measurements to determine the use utility of its current laws to combat cybercrime. One cannot deny that the online environment cannot and will never be rid of cybercrimes due to the Internet’s unique architecture. References Casey, E (2000), Digital Evidence and Computer Crimes (Forensic Science, Computers and the Internet). London: Academic Press Lessig, L (1999), Code and other laws of Cyberspace. New York: Basic Books Lloyd, I.J. (2000), Information Technology Law, Third Editition. Edinburgh: Butterworths Mitnick, K.D. & Simon, W.L. (2002), The Art of Deception, United States of America: Wiley Publishing, Inc Power, R. (2000), Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace, Indiana: QUE Corporation Wallace, J. and Mangan, M., Sex, Laws and Cyberspace, New York: Henry Holt & Company Inc. Penal Code Act 574 Evidence Act 1950 Communications and Multimedia Act 1998 Computer Crimes Act 1997 http://www.wikipedia.org http://www.2600.com http://www.niser.org.my Pusat Kajian E-Komuniti, FSSK-UKM