Criminal Investigation Lesson 17
Discuss how scareware attacks are executed.
A scareware attack often starts with a pop-up message on your screen, "Virus Activity Detected!" claiming that your computer has a virus—and for $19.95 you can download antivirus software to fix the problem. The unwary user who buys the software thinks the problem is resolved, but the software is really useless and delivers malware, and the vendor sells the user's credit card number. In 2010, a new method of delivering scareware, using a bogus update to the Firefox web browser, was discovered in England.
Cybercrime tools and services are being mass marketed on the Internet. They are found on publicly accessible web forums, such as Internet Relay Chat (IRC) as well as on the Deep Web. Where are the major vendors principally located?
A) Russia B) Eastern Europe C) Malaysia D) All of the answers are correct.
Discuss the issues relating to cybercrime/computer/high technology/electronic crime units at the state and local level.
As departmental size decreases, so does the probability that such units exist. These "poor cousins" and larger agencies both face barriers to establishing and growing an effective computer-, cyber-, or electronic-crimes unit, because: (1) the needs for, and benefits of, an electronic crimes unit are not well understood; (2) many local agencies cannot alone afford to provide adequate office space, purchase the necessary hardware and software, or dedicate and train the staff required; (3) administrators are reluctant to engage in the hard and uncertain work of recruiting qualified information technology partners from industry and the academic community; (4) support for such units is often nonexistent or low, especially for administrators who are trying to meet more basic service delivery needs; (5) the inability to fully staff such units means that where they do exist, their mission may be restricted to a few crimes—for example, identity theft, child pornography, online child predators, cyberbullying and stalking, and non-delivery of merchandise ordered online—because the "unit" consists of a single officer; (6) it is difficult to retain trained and experienced officers; (7) existing laws may be inadequate; and (8) prosecutorial expertise may be lacking. Of necessity, many local agencies depend on the computer-crime expertise of their state investigative agency, state police, or state patrol. These state agencies are often staffed with a combination of officers trained in computer-crime investigation and civilian information technology specialists. In addition to a staff located at headquarters, qualified personnel are usually located within troop commands or other geographical districts. These agencies also operate TFs, as do State Attorney Generals and local prosecutors. A number of local agencies have also cooperated in founding their own units, the services of which are shared.
Hackers/crackers who use their skills to illegally make money are called _____.
Black hatters
Discuss the various types of computer intrusions.
Computer intrusions are accomplished by the use of malware, a term derived from combining malicious and software. 1. Botnets: A "herder" ("botmaster") uses malware to hijack hundreds to tens of thousands of computers and is able to remotely control them all, including the ability to update the malware and to introduce other programs such as spyware. 2. Viruses: At any one time, there may be as many as 16,000 viruses floating around. The primary purpose of a virus is to replicate as many times as possible and to cause as much mischief or damage as possible. A virus is an unauthorized software program that is surreptitiously inserted into an executable program on a single computer. When a user launches the infected program, the virus looks for other executable programs in which to place a copy of its malicious code. Thus, the typical virus requires human intervention to spread itself. Worms are considered a variant or subclass of viruses and therefore are substantially similar to them. The key difference between the two is once inserted into a computer, a worm can distribute itself across the Internet without any action by the computer user because it is self-contained and does not have to be part of another software program. 3. Time, logic, and email bombs: A time bomb is programmed to "go off" at a particular time or date, such as April Fool's Day, Halloween, or Friday the 13th. A logic bomb is "detonated" when a specific event occurs—for example, all personnel records are erased when an electronic notation is made that a particular person was fired. Email bombs are intended to overwhelm a person's email account by surreptitiously subscribing it to dozens or even hundreds of mailing lists. 4. Ransomware: Also known as a cryptovirus, ransomware holds the data on a computer or the use of the computer hostage until a payment is made. 5. Dead drop: Some cybercriminals prefer to distance themselves from incriminating files; they use another computer or server, a virtual dead drop, sometimes called an egg drop or drop zone, on which to store the data they have stolen. 6. Trojan horse: There are numerous platforms for delivering Trojan horses. One way is to offer what appears to be legitimate software program with a title that mimics a well-known package that many users may try, such as a free download of a "Web Accelerator." 7. Spyware: Spyware is a broad term that sometimes is used to mean the same thing as malware but more narrowly is thought of as a surveillance tool, such as the infostealer form of a Trojan horse. 8. Rootkits: In many computer operating systems (OSs), the "root" is a "superuser" account for system administration. A "kit" is the malware introduced into the computer. A rootkit gives an attacker "super powers" over computers—for example, the ability to steal sensitive personal information. 9. Scareware: A scareware attack often starts with a pop-up message on your screen, "Virus Activity Detected!" claiming that your computer has a virus—and for $19.95 you can download antivirus software to fix the problem. The unwary user who buys the software thinks the problem is resolved, but the software is really useless and delivers malware, and the vendor sells the user's credit card number.
Identify the two prerequisites for the emergence of cybercrime.
Computers had to be commonplace and had to be linked in a network.
_____ is a broad term that sometimes is used to mean the same thing as malware but more narrowly is thought of as a surveillance tool, such as the infostealer form of a Trojan horse.
Spyware
In which of the following situations is parents' ability to give consent to search the room of their child not valid?
D) All of the answers are correct.
To avoid personal contact, intelligence agents use a location called a(n) _____ to leave and pick up messages.
Dead drop
The first online service provider for consumers was _____.
Delphi
A(n) _____ occurs when a botnet herder uses all of his/her zombies to overwhelm even the largest servers.
Distributed denial of service (DDoS) attack
What are the eight steps in documenting the computer crime scene?
Documenting the Scene 1. Both in the report and by video and photography identify the location, type of devices, their condition, and power status. Get views of all sides, including the backs, where cables are attached. 2. Record all activity and processes visible on the monitor. 3. Note all devices physically connected to the computer as well as the same for wireless components. Record their serial numbers, the content of "sticky notes" attached to them, and related written information. 4. Note the condition and power status of the computer's network access. 5. Document, photograph, and sketch all wires, cables, and devices connected to, or inserted in, the computer. 6. Tag every cable as to where each end was attached. 7. Document and photograph every wireless device in the locations at which they were found. 8. Document and photograph the locations of related evidence, such as printed pages of Internet addresses, financial records, images, computer code, GPSs/maps/directions, electronic money transfers, books on hacking, software packages, lists of computers accessed and dead drops, credit card information, reproductions of signatures, checks and money orders, diaries and calendars, mail in victims' names, cash, fictitious identification, passwords and information on encryption, and steganography. ("Steg" or "Stego" has been used for thousands of years. Historically, steg means writing in a cipher or code so that only the sender and the recipient know what the message means. In the context of computers, steg means hiding a file in a larger file so that others are not aware of its presence or meaning.)
Discuss the differences between black hatters and white hatters.
Hackers/crackers who use their skills to illegally make money are called black hatters; those who use them for good—for example, for identifying security risks in computer systems and networks and then notify corporations of their vulnerability—are called white hatters. Other computer hackers or computer security experts who may violate the law or at least violate ethical business standards, but who do not have the malicious or criminal intent of a black hatter, are often called gray hatters. These individuals often have exceptional skills and when they find vulnerability in a system, rather than exploit it directly for their own financial gain or sell it to others for financial gain, they may attempt to fix it for a fee.
Discuss the physical evidence that an investigator should consider when investigating cybercrime.
Evidence related to computer-assisted crimes and cybercrimes is subject to the same fundamentals of crime processing that were discussed earlier. Important evidence may be associated with many items, including computer notebooks and laptops, desktops, rack systems, and main frames, as well as external hard drives, printers, scanners, compact disks, flash drives, memory card readers, web cameras, and wireless access points and network servers. The existence of a wireless network should alert investigators to the possibility that evidence may also be located on devices located away from the primary crime scene, such as in another room or a garage. Search warrants may be issued to cover both the seizure of the targeted computers and peripherals and the actual digital forensic examination of them, or separate search warrants may be used.
Which statement about the typical computer hacker is not correct?
Hackers tend to be very socially active
Which of the following types of hackers may work for a national government to destroy the operational capabilities of the target?
Information/Espionage Warfare
Which of the following types of cybercriminals is more likely to cause the greatest losses?
Internal/Insider
Which of the following statements is true about a cryptovirus?
It holds the data on a computer or the use of the computer hostage until a payment is made.
If persons of interest are located at a computer-assisted or cybercrime scene, which of the following should an investigator do?
Keep them in separate rooms
The first personal computer was the _____.
Kenbak-1
A(n) _____ is "detonated" when a specific event occurs—for example, all personnel records are erased when an electronic notation is made that a particular person was fired.
Logic bomb
Which of the following types of cybercriminals is not listed in the taxonomy of cybercriminals?
Phisherman
Discuss polymorphic and metamorphic viruses.
Polymorphic and metamorphic viruses are similar in that they each make changes to their replicants to hide from security software, but they do so differently. A polymorphic virus, such as Virut, encrypts its replicant into an alternate form, but it must then decrypt itself back into its original form to execute. In contrast, a metamorphic virus completely rewrites itself each time it reproduces. No metamorphic replicant or "child" looks like its parent.
Which of the following is not a type of computer intrusion?
Shlumping
Discuss the professional criminal typology of cybercriminal, including their characteristics, motivations, and skill level.
Professional criminal characteristics: 1. Some number are well-trained former intelligence operatives—Russia, Eastern Block European countries, and some Asian gangs 2. Crime is their career field 3. Seldom arrested; convicted even less often 4. Choose lucrative targets, e.g., banks, casinos, intellectual property (e.g., games, movies, recipes) 5. Fully exploit the potential of the Internet as a crime tool 6. Apolitical, will commit national security espionage for profit, even against their own governments 7. "Guns for hire," if the price for accepting a "project" is right 8. High tolerance for risk Motivations: 1. Money and financial gain 2. Lifestyle attractive Skill level 1. Very high
_____ developed email.
Ray Tomlinson
Discuss the creation of the cybercriminal, a new breed of criminals, and how cybercriminals differed from past criminals.
The satisfaction of the two prerequisites set the stage for a new breed of criminals who (1) didn't have to leave the comfort of their homes to commit crimes; (2) were invisible/anonymous, avoiding the dangers of personal contact with their victims; (3) could strike anywhere in the world; (4) were enabled to approach thousands of potential victims simultaneously; (5) executed crimes that victims might never detect or be too embarrassed to report; (6) committed crimes that might be discovered only much later, hampering investigations; (7) stood to reap profits far beyond those associated with conventional crimes; and (8) didn't have to worry about fencing tangible stolen property—for example, televisions and cars—because what they stole was intangible property—for instance, they looted checking, savings, and casino accounts.
Name the types of cybercriminals described in the taxonomy of cybercriminals.
The types of cybercriminals are as follows: 1. Novice 2. Cyberpunks 3. Internals/Insiders 4. Petty crooks 5. Virus writers 6. Old guard hackers 7. Professional criminals 8. Information/Espionage Warfare
In the context of the taxonomy of criminals, which of the following is a characteristic of "insiders"?
They are often information technology (IT) professionals.
A(n) _____ is programmed to "go off" at a particular time or date, such as April Fool's Day, Halloween, or Friday the 13th.
Time bomb
Which of the following is the primary purpose of a virus?
To replicate itself as many times as possible and cause mischief or damage to the infected computer
When conducting the preliminary interview about a computer-assisted crime or cybercrime, which of the following should investigators establish?
Who owns the computers?
The existence of a(n) _____ should alert investigators to the possibility that evidence may also be located on devices located away from the primary crime scene, such as in another room or a garage.
Wireless network
Which of the following terms refers to a computer that has been hijacked or taken over by another?
Zombie
A _____ uses malware to hijack hundreds to tens of thousands of computers and is able to remotely control them all, including the ability to update the malware and to introduce other programs such as spyware.
botmaster
A(n) _____ is a network of zombies or bots.
botnet
An attack that is intended to overwhelm a person's email account by surreptitiously subscribing it to dozens or even hundreds of mailing lists is called _____.
email bomb attack
A metamorphic virus, such as Virut, encrypts its replicant into an alternate form, but it must then decrypt itself back into its original form to execute.
false
A virus is a small program that sends itself to other computers, rather than relying on user actions.
false
In the context of the taxonomy of cybercriminals, cyberpunks are known to have a high tolerance for risk.
false
The investigator should put digital evidence in regular plastic bags to protect it from moisture.
false
Computer hackers or computer security experts who may violate the law or at least violate ethical business standards, but who do not have the malicious or criminal intent of a black hatter, are often called _____.
gray hatters
There were two prerequisites for the emergence of cybercrime: (1) computers had to be commonplace, and (2) they had to be _____ in a network.
linked
An infostealer Trojan horse can also be categorized as spyware.
true
Oftentimes the would-be buyers of cybercrime tools are themselves scammed out of their money.
true
One motivation for the activities of an old guard hacker is the need for a challenge.
true
The denial-of-service (DoS) attack occurs when the service provider suspends service after the subscriber's email account is flooded by thousands of emails in a short period of time.
true
The first electronic computer was built in 1942.
true
The term "social engineering" refers to the process of deceiving people into giving away access or confidential information.
true
While computer-assisted crimes are may be thought of as any crime that uses a computer, in cybercrime, the computer itself is the target.
true
If no destructive processes are running and no items of evidentiary value on the screen, one step in seizing computer crime evidence is to _____.
unplug the computer
A _____ is defined as a malicious program that attacks a computer system directly, rather than infecting a host program, and spreads rapidly through the Internet or email.
worm