Question: There are two problems due this week (each worth 35 points) as follows.

  • Case 5-1 David L. Miller: Portrait of a White-Collar Criminal (page 144). In comprehensive paragraphs, answer requirements 1-6. You will have six paragraphs with a total of four to five sentences each.
  • Case 6-1 Shadowcrew (page 184). In comprehensive paragraphs, answer requirements 1-7. You will have seven paragraphs with a total of four to five sentences each.

CASE 5-1 David L. Miller: Portrait of a White-Collar Criminal

There is an old saying: Crime doesn't pay. However, for David Miller crime paid for two Mercedes-Benz sedans; a lavish suburban home; a condominium at Myrtle Beach; expensive suits; tailored and monogrammed shirts; diamond, sapphire, ruby, and emerald rings for his wife; and a new car for his father-in-law. Though Miller confessed to embezzling funds from six different employers over a 20-year period, he has never been prosecuted or incarcerated, in large part because his employers never turned him in.

Miller was fired from his first employer for stealing $200. After an assortment of odd jobs, he worked as an accountant for a local baker. Miller was caught embezzling funds and paid back the $1,000 he stole. Again, law enforcement was not notified, and he was quietly dismissed.

Several months after Miller started work at Wheeling Bronze, his third victim, the president discovered a $30,000 cash shortfall and several missing returned checks. An extensive search found the canceled checks, with forged signatures, in an outdoor sand pile. Miller confessed to the scheme and was given the choice of repaying the stolen funds or being prosecuted. When Miller's parents mortgaged their home and repaid the stolen money, he escaped prosecution.

Miller's fourth victim was Robinson Pipe Cleaning. When Miller was caught embezzling funds, he again avoided prosecution by promising to repay the $20,000 he stole.

Miller's fifth victim was Crest Industries, where he worked as an accountant. He was an ideal employee: dedicated and hard working, doing outstanding work. He was quickly promoted to office manager and soon purchased a new home, car, and wardrobe. Two years later, Crest auditors discovered that $31,000 was missing. Miller had written several checks to himself, recorded them as payments to suppliers, and intercepted and altered the monthly bank statements. With the stolen money, he financed his lifestyle and repaid Wheeling Bronze and Robinson Pipe Cleaning. Once again, Miller tearfully confessed, claiming he had never embezzled funds previously. Miller showed so much remorse that Crest hired a lawyer for him. He promised to repay the stolen money, gave Crest a lien on his house, and was quietly dismissed. Because Crest management did not want to harm Miller's wife and three children, Crest never pressed charges.

Miller's sixth victim was Rustcraft Broadcasting Company. When Rustcraft was acquired by Associated Communications, Miller moved to Pittsburgh to become Associated's new controller. Miller immediately began dipping into Associated's accounts. Over a six-year period, Miller embezzled $1.36 million, $450,000 of that after he was promoted to CFO. Miller circumvented the need for two signatures on checks by asking executives leaving on vacation to sign several checks "just in case" the company needed to disburse funds while he was gone. Miller used the checks to siphon funds to his personal account. To cover the theft, Miller removed the canceled check from the bank reconciliation and destroyed it. The stolen amount was charged to a unit's expense account to balance the company's books.

While working at Associated, Miller bought a new house, new cars, a vacation home, and an extravagant wardrobe. He was generous with tips and gifts. His $130,000 salary could not have supported this lifestyle, yet no one at Associated questioned the source of his conspicuous consumption. Miller's lifestyle came crashing down while he was on vacation and the bank called to inquire about a check written to Miller. Miller confessed and, as part of his out-of-court settlement, Associated received most of Miller's personal property.

Miller cannot explain why he was never prosecuted. His insistence that he was going to pay his victims back usually satisfied his employers and got him off the hook. He believes these agreements actually contributed to his subsequent thefts; one rationalization for stealing from a new employer was to pay back the former one. Miller believes his theft problem is an illness, like alcoholism or compulsive gambling, that is driven by a subconscious need to be admired and liked by others. He thought that by spending money, others would like him. Ironically, he was universally well liked and admired at each job, for reasons that had nothing to do with money. In fact, one Associated coworker was so surprised by the thefts that he said it was like finding out that your brother was an ax murderer. Miller claims he is not a bad person; he never intended to hurt anyone, but once he got started, he could not stop. After leaving Associated, Miller was hired by a former colleague, underwent therapy, and now believes he has resolved his problem with compulsive embezzlement.

1. How does Miller fit the profile of the average fraud perpetrator? How does he differ? How did these characteristics make him difficult to detect?
2. Explain the three elements of the Opportunity Triangle (commit, conceal, convert), and discuss how Miller accomplished each when embezzling funds from Associated Communications. What specific concealment techniques did Miller use?
3. What pressures motivated Miller to embezzle? How did Miller rationalize his actions?
4. Miller had a framed T-shirt in his office that said, "He who dies with the most toys wins." What does this tell you about Miller? What lifestyle red flags could have tipped off the company to the possibility of fraud?
5. Why do companies hesitate to prosecute white-collar criminals? What are the consequences of not prosecuting? How could law enforcement officials encourage more prosecution?
6. What could the victimized companies have done to prevent Miller's embezzlement?

Source: Based on Bryan Burrough, "David L. Miller Stole from His Employer and Isn't in Prison," The Wall Street Journal, September 19, 1986, 1.

CHAPTER 6 Computer Fraud and Abuse Techniques

LEARNING OBJECTIVES

After studying this chapter, you should be able to:
1. Compare and contrast computer attack and abuse tactics.
2. Explain how social engineering techniques are used to gain physical or logical access to computer resources.
3. Describe the different types of malware used to harm computers.

INTEGRATIVE CASE NORTHWEST INDUSTRIES

Northwest Industries wants to expand its service area and has been negotiating to buy Remodeling Products Centers (RPC), a competitor that operates in an area contiguous to Northwest. Jason Scott was part of a team sent to look over RPC's books before the deal was finalized. At the end of their first day, RPC's computer system crashed. The team decided to finish up what work they could and to let RPC's information technology (IT) people get the system up that night. The next day, RPC's system was still down, so Jason tried to log into Northwest's computer system. It seemed to take forever to access, and then Jason found that system response was rather slow. His manager called the corporate office and found that there was something wrong with Northwest's system. It was assumed that the problem had something to do with communications with RPC's computers. Jason's team was assigned to do a computer fraud and abuse evaluation of RPC's system while they waited. Since Jason had never participated in such a review, he was told to go back to the hotel where he could get on the Internet and spend the day researching the different ways computer systems could be attacked.

Introduction

Cyber criminals have devised an ever-increasing number of ways to commit computer fraud and abuse. In fact, online crime, at well past $100 billion a year, is now bigger than the global illegal drugs trade. Some prolific online criminals boast of making $10,000 a day.
This chapter discusses some of the more common computer fraud and abuse techniques in three sections: computer attacks and abuse, social engineering, and malware. These classifications are not distinct; there is a lot of overlap among the categories. For example, social engineering methods are often used to launch computer attacks.

Computer Attacks and Abuse

All computers connected to the Internet, especially those with important trade secrets or valuable IT assets, are under constant attack from hackers, foreign governments, terrorist groups, disaffected employees, industrial spies, and competitors. These people attack computers looking for valuable data or trying to harm the computer system. In a recent survey, 70% of security professionals expected their organizations to be hit by a cyber-attack in the next six months. This means that preventing attacks is a constant battle. On a busy day, large web hosting farms suffer millions of attack attempts. This section describes some of the more common attack techniques.

hacking - Unauthorized access, modification, or use of an electronic device or some element of a computer system.

Hacking is the unauthorized access, modification, or use of an electronic device or some element of a computer system. Most hackers break into systems using known flaws in operating systems or application programs, or as a result of poor access controls. One software-monitoring company estimates there are over 7,000 known flaws in software released in any given year. The following examples illustrate hacking attacks and the damage they cause:

  • Russian hackers broke into Citibank's system and stole $10 million from customer accounts.
  • Acxiom manages customer information for credit card issuers, banks, automotive manufacturers, and retailers. A systems administrator for a company doing business with Acxiom exceeded his authorized access, downloaded an encrypted password file, and used a password-cracking program to access confidential IDs. The intrusion cost Acxiom over $5.8 million.
  • During the Iraq war, Dutch hackers stole confidential information, including troop movements and weapons information, at 34 military sites. Their offer to sell the information to Iraq was declined, probably because Iraq feared it was a setup.
  • A 17-year-old hacker broke into the Bell Laboratories network, destroyed files, copied 52 proprietary software programs, and published confidential information on underground bulletin boards. Many hackers are young, some as young as 12.
  • A hacker penetrated a software supplier's computer and used its "open pipe" to a bank customer to install a powerful Trojan horse in the bank's computer.
  • In the worst security breach in gaming history, 101 million Sony PlayStation accounts were hacked, crashing the network for over a month. More than 12 million credit card numbers, e-mail addresses, passwords, home addresses, and other data were stolen.

Focus 6-1 discusses how a professor and his students track down computer criminals.

Hijacking is gaining control of a computer to carry out illicit activities without the user's knowledge. A botnet, short for robot network, is a powerful network of hijacked computers, called zombies, that are used to attack systems or spread malware. Bot herders install software that responds to the hacker's electronic instructions on unwitting PCs. Bot software is delivered in a variety of ways, including Trojans, e-mails, instant messages, Tweets, or an infected website. Bot herders use the combined power of the hijacked computers to mount a variety of Internet attacks. Worldwide, there are over 2,000 botnets containing over 10 million computers (10% of online computers), many of them for rent. In one study, the United States led the world in the number of PCs in botnets, with over 2.2 million. And that was after Microsoft, in a single three-month period, cleaned up more than 6.5 million infected computers.
hijacking - Gaining control of someone else's computer to carry out illicit activities, such as sending spam, without the computer user's knowledge.
botnet - A network of powerful and dangerous hijacked computers that are used to attack systems or spread malware.
zombie - A hijacked computer, typically part of a botnet, that is used to launch a variety of Internet attacks.
bot herder - The person who creates a botnet by installing software on PCs that responds to the bot herder's electronic instructions.

Botnets send out over 90 billion unsolicited e-mails per day, about one-third of all e-mails sent. The botnet Grum, one of the largest ever shut down, generated 18% of the world's spam. The owner of the Bredolab botnet was reportedly taking in over 80,000 British pounds a month. Bot toolkits and easy-to-use software are available on the Internet showing hackers how to create their own botnets; hacking is now almost as simple as picking and choosing features and clicking on a checkbox. The Mariposa botnet, containing almost 13 million computers in 190 countries, was created by three men without any advanced hacker skills.

FOCUS 6-1 Professor and Students Help Track Down Computer Criminals

A group of criminals, from the safety of their own homes, stole $70 million from the payroll accounts of 400 American companies using computer malware named Zeus. Zeus is a Trojan horse that infects computers when their users click on certain attachments and e-mail links, such as fake ads on reputable websites, Facebook links that are phishing scams, or counterfeit e-mails from a bank. After the computer is compromised, Zeus targets the user's banking information by recording keystrokes when a username and password are entered. This information is sent by e-mail or text message to the malware's creators. The hackers make large, unauthorized transfers to accounts run by a network of money mules.

In the above-mentioned Trident Breach case, 90 hackers created a complex criminal network involving 3,000 money mules that spanned two continents. At first, the hackers recruited unwitting Americans to be their mules with e-mails promising work-at-home jobs that required the "employees" to open bank accounts. After the banks caught on to this tactic, the hackers recruited students from southern Russia. The students were sent to America with fake passports and work/study visas and told to open multiple bank accounts to receive stolen cash. The students wired the money back to Russia after subtracting an 8% to 10% commission.

The hackers and mules managed to avoid detection until Gary Warner got involved. Dr. Warner is a professor of computer forensics and justice studies and a member of InfraGard, a 50,000-person watchdog group that keeps an eye on U.S. infrastructure and the Internet. Using complex data-mining techniques, Warner was able to trace the origins of the Zeus infection, and many of the hackers and all but 18 of the mules were caught. After the FBI posted wanted posters of the mules, Warner's students used what they learned in class to track the mules. By searching Facebook and VKontakte (a Russian equivalent of Facebook) they were able to identify at-large mules. Many of the mules had posted pictures of themselves with wads of cash and new cars. All but one was arrested.

Zeus can be fine-tuned by its user to record account information for social networking sites, e-mail accounts, or other online financial services. With its versatility and stealth, Zeus is difficult to detect even with up-to-date antivirus software. A Zeus package can be purchased for anywhere from $3,000 to $10,000. An estimated 3.6 million computers in the U.S. are infected with Zeus. Hopefully, with the help of better antiviral software and people like Gary Warner, Zeus will soon be a thing of the past.
Botnets are used to perform a denial-of-service (DoS) attack, which is designed to make a resource unavailable to its users. In an e-mail DoS attack, so many e-mails (thousands per second) are received, often from randomly generated false addresses, that the Internet service provider's e-mail server is overloaded and shuts down. Another attack involves sending so many web page requests that the web server crashes. An estimated 5,000 DoS attacks occur per week. The websites of online merchants, banks, governmental agencies, and news agencies are frequent victims. The following examples illustrate DoS attacks and the damage they cause:

  • A DoS attack shut down 3,000 websites for 40 hours on one of the busiest shopping weekends of the year.
  • CloudNine, an Internet service provider, went out of business after DoS attacks prevented its subscribers and their customers from communicating.
  • An estimated 1 in 12 e-mails carried the MyDoom virus at its peak. The virus turned its host into a zombie that attacked Microsoft. Other companies, such as Amazon, Yahoo, CNN, and eBay, have all suffered similar DoS attacks.

denial-of-service (DoS) attack - A computer attack in which the attacker sends so many e-mail bombs or web page requests, often from randomly generated false addresses, that the Internet service provider's e-mail server or the web server is overloaded and shuts down.

Spamming is simultaneously sending the same unsolicited message to many people at the same time, often in an attempt to sell something. An estimated 250 billion e-mails are sent every day (2.8 million per second); 80% are spam and viruses. The Federal Trade Commission estimates that 80% of spam is sent from botnets. Spam is annoying and costly, and 10% to 15% of it offers products or services that are fraudulent. In retaliation, some spammers are spammed in return with thousands of messages, causing their e-mail service to fail. Such retaliation affects innocent users and can result in the closure of an e-mail account. Spammers scan the Internet for addresses posted online, hack into company databases, and steal or buy mailing lists. An AOL employee stole the names and e-mail addresses of 92 million people and sold them to spammers.

spamming - Simultaneously sending the same unsolicited message to many people, often in an attempt to sell them something.

Spammers also stage dictionary attacks (also called direct harvesting attacks). Spammers use special software to guess e-mail addresses at a company and send blank e-mail messages. Messages not returned usually have valid e-mail addresses and are added to spammer e-mail lists. Dictionary attacks are a major burden to corporate e-mail systems and Internet service providers. Some companies receive more dictionary attack e-mail than valid e-mail messages. One day 74% of the e-mail messages that Lewis University received were for nonexistent addresses. Companies use e-mail filtering software to detect dictionary attacks; unfortunately, spammers continue to find ways around the rules used in e-mail filtering software.

dictionary attack - Using special software to guess company e-mail addresses and send them blank e-mail messages. Unreturned messages are usually valid e-mail addresses that can be added to spammer e-mail lists.

A blog (short for web log) is a website containing online journals or commentary. Hackers create splogs (a combination of spam and blog) with links to websites they own to increase their Google PageRank, which is how often a web page is referenced by other web pages. Since websites with high PageRanks appear first in search results pages, splogs are created to artificially inflate paid-ad impressions from visitors, to sell links, or to get new sites indexed. Splogs are annoying, waste valuable disk space and bandwidth, and pollute search engine results.
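The dictionary (direct harvesting) attack described above leaves a server-side trace: one sending host triggers a burst of "user unknown" rejections for addresses that do not exist, which is what the Lewis University figure reflects. The following is an added example, not from the textbook; it parses constructed mail-server reject lines (the log format is assumed, loosely modelled on a Postfix-style reject entry) and flags any source that accumulates many distinct unknown recipients inside a short sliding window.

```python
"""Flag SMTP sources whose rejection pattern looks like address harvesting.

Added illustration (not the textbook's): a host that is rejected for many
*distinct* nonexistent recipients within a few minutes is guessing addresses,
whereas a legitimate sender mistypes one address now and then. Log format,
threshold, window and the sample lines are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reject/accept lines in an assumed format (not real logs).
SAMPLE_LOG = """\
2024-03-05T09:00:01 reject: RCPT from 198.51.100.7: 550 <qa@example.com>: User unknown
2024-03-05T09:00:02 reject: RCPT from 198.51.100.7: 550 <qb@example.com>: User unknown
2024-03-05T09:00:02 reject: RCPT from 198.51.100.7: 550 <qc@example.com>: User unknown
2024-03-05T09:00:03 reject: RCPT from 198.51.100.7: 550 <qd@example.com>: User unknown
2024-03-05T09:00:04 reject: RCPT from 198.51.100.7: 550 <qe@example.com>: User unknown
2024-03-05T09:00:05 reject: RCPT from 198.51.100.7: 550 <qf@example.com>: User unknown
2024-03-05T09:00:10 accept: RCPT from 203.0.113.4: 250 <sales@example.com>
2024-03-05T09:01:00 reject: RCPT from 203.0.113.4: 550 <salse@example.com>: User unknown
2024-03-05T09:30:00 reject: RCPT from 192.0.2.9: 550 <x1@example.com>: User unknown
2024-03-05T10:30:00 reject: RCPT from 192.0.2.9: 550 <x2@example.com>: User unknown
2024-03-05T11:30:00 reject: RCPT from 192.0.2.9: 550 <x3@example.com>: User unknown
2024-03-05T12:30:00 reject: RCPT from 192.0.2.9: 550 <x4@example.com>: User unknown
2024-03-05T13:30:00 reject: RCPT from 192.0.2.9: 550 <x5@example.com>: User unknown
2024-03-05T14:30:00 reject: RCPT from 192.0.2.9: 550 <x6@example.com>: User unknown
"""

# Only "unknown user" rejections matter; accepted mail and other rejects are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) reject: RCPT from (?P<src>[\d.]+): 550 <(?P<rcpt>[^>]+)>: User unknown$"
)


def parse_unknown_user_rejects(log_text):
    """Return (timestamp, source_ip, recipient) for each unknown-user rejection."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["rcpt"]))
    return events


def detect_harvesting(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: peak_distinct_bad_recipients} for sources that reach
    `threshold` distinct nonexistent recipients inside any `window`-long span.

    Counting distinct recipients (not raw rejects) avoids flagging a sender
    that retries the same mistyped address; the sliding window keeps a slow,
    spread-out sender such as 192.0.2.9 below the threshold.
    """
    by_src = defaultdict(list)
    for ts, src, rcpt in sorted(events):
        by_src[src].append((ts, rcpt))

    flagged = {}
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {r for _, r in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for src, count in detect_harvesting(parse_unknown_user_rejects(SAMPLE_LOG)).items():
        print(f"possible directory harvest from {src}: {count} distinct unknown recipients")
```

In the constructed sample only 198.51.100.7 is flagged; the single typo from 203.0.113.4 and the hourly probes from 192.0.2.9 stay under the threshold, which is the trade-off a tighter window buys.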
splog - Spam blogs created to increase a website's Google PageRank, which is how often a web page is referenced by other web pages.

Spoofing is making an electronic communication look as if someone else sent it to gain the trust of the recipient. Spoofing can take various forms, including the following:

spoofing - Altering some part of an electronic communication to make it look as if someone else sent the communication in order to gain the trust of the recipient.

E-mail spoofing is making an e-mail appear as though it originated from a different source. Many spam and phishing attacks use special software to create random sender addresses. A former Oracle employee was charged with breaking into the company's computer network, falsifying evidence, and committing perjury for forging an e-mail message to support her charge that she was fired for ending a relationship with the company CEO. Using cell phone records, Oracle lawyers proved that the supervisor who had supposedly fired her and written the e-mail was out of town when the e-mail was written and could not have sent it. The employee was found guilty of forging the e-mail message and faced up to six years in jail.

e-mail spoofing - Making a sender address and other parts of an e-mail header appear as though the e-mail originated from a different source.

Caller ID spoofing is displaying an incorrect number (any number the attacker chooses) on a caller ID display to hide the caller's identity. Caller ID spoof attacks on cell phones have increased dramatically because many people use them for online banking. The spoofers trick cellphone users into divulging account information by sending an automated call or text message that appears to come from their bank. Using the obtained information, the fraudsters call the bank, spoofing the victim's phone number, and answer the security questions. They then instruct the bank to transfer cash and/or issue credit cards to addresses the fraudster controls.

caller ID spoofing - Displaying an incorrect number on the recipient's caller ID display to hide the caller's identity.

IP address spoofing is creating Internet Protocol (IP) packets with a forged source IP address to conceal the identity of the sender or to impersonate another computer system. IP spoofing is most frequently used in DoS attacks.

IP address spoofing - Creating Internet Protocol packets with a forged IP address to hide the sender's identity or to impersonate another computer system.

Address Resolution Protocol (ARP) spoofing is sending fake ARP messages to an Ethernet LAN. ARP is a networking protocol for determining a network host's hardware address when only its IP or network address is known. ARP is critical for local area networking as well as for routing Internet traffic across gateways (routers). ARP spoofing allows an attacker to associate his MAC address (Media Access Control address, a hardware address that uniquely identifies each node on a network) with the IP address of another node. Any traffic meant for the intended IP address is mistakenly sent to the attacker instead. The attacker can sniff the traffic and forward it to its intended target, modify the data before forwarding it (called a man-in-the-middle attack), or launch a DoS attack.

Address Resolution Protocol (ARP) spoofing - Sending fake ARP messages to an Ethernet LAN. ARP is a computer networking protocol for determining a network host's hardware address when only its IP or network address is known.
MAC address - A Media Access Control address is a hardware address that uniquely identifies each node on a network.

SMS spoofing is using the short message service (SMS) to change the name or number a text message appears to come from. In Australia, a woman got a call asking why she had sent the caller multiple adult message texts every day for the past few months. Neither she nor her mobile company could explain the texts, as her account showed that they were not coming from her phone. When she realized there was no way of blocking the messages, she changed her mobile number to avoid any further embarrassment by association.

SMS spoofing - Using short message service (SMS) to change the name or number a text message appears to come from.

Web-page spoofing, also called phishing, is discussed later in the chapter.

Web-page spoofing - See phishing.

DNS spoofing is sniffing the ID of a Domain Name System (DNS, the "phone book" of the Internet that converts a domain, or website name, to an IP address) request and replying before the real DNS server can.

DNS spoofing - Sniffing the ID of a Domain Name System (DNS, the "phone book" of the Internet that converts a domain, or website name, to an IP address) request and replying before the real DNS server.

A zero-day attack (or zero-hour attack) is an attack between the time a new software vulnerability is discovered and the time a software developer releases a patch that fixes the problem. When hackers detect a new vulnerability, they "release it into the wild" by posting it on underground hacker sites. Word spreads quickly, and the attacks begin. It takes companies time to discover the attacks, study them, develop an antidote, release the patch to fix the problem, install the patch on user systems, and update antivirus software. One way software developers minimize the vulnerability window is to monitor known hacker sites so they know about the vulnerability when the hacker community does. Vulnerability windows last anywhere from hours to forever if users do not patch their systems.

zero-day attack - An attack between the time a new software vulnerability is discovered and "released into the wild" and the time a software developer releases a patch to fix the problem.
patch - Code released by software developers that fixes a particular software vulnerability.
A national retailing firm employee used the server that clears credit card transactions to download music from an infected website. The music contained Trojan horse software that allowed Russian hackers to take advantage of an unpatched, known vulnerability to install software that collected and sent credit card data to 16 different computers in Russia every hour for four months until it was detected. Cybercrooks take advantage of Microsoft's security update cycle by timing new attacks right before or just after "Patch Tuesday," the second Tuesday of each month, when the software maker releases its fixes. The term "zero-day Wednesday" describes this strategy.

Cross-site scripting (XSS) is a vulnerability in dynamic web pages that allows an attacker to bypass a browser's security mechanisms and instruct the victim's browser to execute code, thinking it came from the desired website. Most attacks use executable JavaScript, although HTML, Flash, or other code the browser can execute are also used. XSS flaws are the most prevalent flaws in web applications today and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it. The likelihood that a site contains XSS vulnerabilities is extremely high. Finding these flaws is not difficult for attackers; there are many free tools available that help hackers find them, create the malicious code, and inject it into a target site. Many prominent sites have had XSS attacks, including Google, Yahoo, Facebook, MySpace, and MediaWiki. In fact, MediaWiki has had to fix over 30 XSS weaknesses to protect Wikipedia.

cross-site scripting (XSS) - A vulnerability in dynamic web pages that allows an attacker to bypass a browser's security mechanisms and instruct the victim's browser to execute code, thinking it came from the desired website.

An example of how XSS works follows. Luana hosts a website that Christy frequently uses to store all her financial data. To use the website, Christy logs on using her username and password. While searching for vulnerable websites, Miles finds that Luana's website has an XSS vulnerability. Miles creates a URL to exploit it and sends it to Christy in an e-mail that motivates Christy to click on it while logged into Luana's website. The XSS vulnerability is exploited when the malicious script embedded in Miles's URL executes in Christy's browser, as if it came directly from Luana's server. The script sends Christy's session cookie to Miles, who hijacks Christy's session. Miles can now do anything Christy can do. Miles can also send the victim's cookie to another server, inject forms that steal Christy's confidential data, disclose her files, or install a Trojan horse program on her computer. Miles can also use XSS to send a malicious script to her husband Jeremy's computer. Jeremy's browser has no way of knowing that the script should not be trusted; it thinks it came from a trusted source and executes the script. Miles could also execute XSS by posting a message with the malicious code to a social network. When Brian reads the message, Miles's XSS will steal his cookie, allowing Miles to hijack Brian's session and impersonate him.

Attempting to filter out malicious scripts is unlikely to succeed, as attackers encode the malicious script in hundreds of ways so it looks less suspicious to the user. The best way to protect against XSS is HTML sanitization, which is a process of validating input and only allowing users to input predetermined characters. Companies also try to identify and remove XSS flaws from a web application. To find flaws, companies review their code, searching for all the locations where input from an HTTP request could enter the HTML output.

A buffer overflow attack happens when the amount of data entered into a program is greater than the amount of the memory (the input buffer) set aside to receive it. The input overflow usually overwrites the next computer instruction, causing the system to crash. Hackers exploit this buffer overflow by carefully crafting the input so that the overflow contains code that tells the computer what to do next. This code could open a back door into the system, provide the attacker with full control of the system, access confidential data, destroy or harm system components, slow system operations, and carry out any number of other inappropriate acts. Buffer overflow exploits can occur with any form of input, including mail servers, databases, web servers, and FTP servers. Many exploits have been written to cause buffer overflows. The Code Red worm used a buffer overflow to exploit a hole in Microsoft's Internet Information Services.

buffer overflow attack - When the amount of data entered into a program is greater than the amount of the input buffer. The input overflow overwrites the next computer instruction, causing the system to crash. Hackers exploit this by crafting the input so that the overflow contains code that tells the computer what to do next. This code could open a back door into the system.

In an SQL injection (insertion) attack, malicious code in the form of an SQL query is inserted into input so it can be passed to and executed by an application program. The idea is to convince the application to run SQL code that it was not intended to execute by exploiting a database vulnerability. It is one of several vulnerabilities that can occur when one programming language is embedded inside another. A successful SQL injection can read sensitive data from the database; modify, disclose, destroy, or limit the availability of the data; allow the attacker to become a database administrator; spoof identity; and issue operating system commands. An SQL injection attack can have a significant impact that is limited only by the attacker's skill and imagination and system controls.
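The SQL injection paragraph above notes that the flaw arises when one language is embedded inside another; the XSS section is the same flaw with HTML as the embedded language, and the same two controls (validate against a fixed alphabet where the field allows it, encode or bind on the way out) close both. The following added example, which is not the textbook's code, shows each handler in its vulnerable and hardened form against an in-memory sqlite3 table; the table, its two accounts, and the probe inputs are constructed for the demonstration.

```python
"""Untrusted input reaching an embedded language: SQL and HTML.

Added example, not from the textbook. SQL injection and XSS share one cause:
user input is concatenated into text that a second interpreter (the database
engine, the browser) then parses. Each handler appears in a vulnerable and a
hardened form. The users table, its rows and the test inputs are constructed.
"""
import html
import re
import sqlite3


def make_db():
    """In-memory table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("christy", "Christy"), ("luana", "Luana")])
    conn.commit()
    return conn


# --- SQL: string concatenation vs. bound parameter ---------------------------

def lookup_vulnerable(conn, username):
    """The input becomes part of the SQL text, so a quote in it rewrites the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, username):
    """The driver binds the value as data; the query text itself never changes."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# --- HTML: raw interpolation vs. allowlist validation plus output encoding ---

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(username):
    """Allowlist check for a field with a fixed legal alphabet (the textbook's
    'only predetermined characters'); anything else is rejected before use."""
    return bool(USERNAME_RE.match(username))


def render_greeting_vulnerable(display_name):
    """Echoes user-controlled text into the page: the browser parses any tags."""
    return "<p>Welcome back, " + display_name + "</p>"


def render_greeting_hardened(display_name):
    """Encodes <, >, &, and quotes on output, so the browser shows text, not markup."""
    return "<p>Welcome back, " + html.escape(display_name, quote=True) + "</p>"


def contains_script_tag(fragment):
    """Check used in the tests: does the fragment still carry a live <script> tag?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    conn = make_db()
    # Constructed probes of the kind a code reviewer uses to confirm a flaw and
    # its fix; neither has any effect on the hardened versions.
    sqli_probe = "x' OR '1'='1"
    xss_probe = "<script>alert('xss')</script>"

    print("vulnerable lookup :", lookup_vulnerable(conn, sqli_probe))  # both rows
    print("hardened lookup   :", lookup_hardened(conn, sqli_probe))    # no rows
    print("validate_username :", validate_username(sqli_probe))         # False
    print("vulnerable render :", render_greeting_vulnerable(xss_probe))
    print("hardened render   :", render_greeting_hardened(xss_probe))
```

The review step the textbook recommends (find every place HTTP input reaches HTML output) maps directly onto the two `render_*` functions: the audit question for each such location is whether the value passes through an encoder like `html.escape` before it is emitted.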
SQL injection (insertion) attack - Inserting a malicious SQL query in input such that it is passed to and executed by an application program. This allows a hacker to convince the application to run SQL code that it was not intended to execute. Albert Gonzalez used SQL injection techniques to create a back door to corporate systems. He then used packet sniffing and ARP spoofing attacks to steal data on more than 170 million credit cards. At the time, his $200 million fraud was the largest such fraud to ever be reported. He was sentenced to 20 years in prison, the harshest computer crime sentence in American history up to that point in time. Like most fraud perpetrators, he spent his illgotten gains, including a Miami condominium, an expensive car, Rolex watches, and a Tiffany ring for his girlfriend. He threw himself a $75,000 birthday party and stayed in lavish hotels and resorts. He even complained about having to count $340,000 by hand after his currency-counting machine broke. As shown in Figure 6-1, a man-in-the-middle (MITM) attack places a hacker between a client and a host and intercepts network traffic between them. An MITM attack is often called a session hijacking attack. MITM attacks are used to attack public-key encryption systems where sensitive and valuable information is passed back and forth. For example, Linda sniffs and eavesdrops on a network communication and finds David sending his public key to Teressa so that they can communicate securely. Linda substitutes her forged public key for David's key and steps in the middle of their communications. If Linda can successfully impersonate both David and Teressa by intercepting and relaying the messages to each other, they believe they are communicating securely. Once an MITM presence is established, the hacker can read and modify client messages, mislead the two parties, manipulate transactions, and steal confidential data. 
To prevent MITM attacks, most cryptographic protocols authenticate each communication endpoint. Many of the spoofing techniques discussed in the chapter are used in MITM attacks.

man-in-the-middle (MITM) attack - A hacker placing himself between a client and a host to intercept communications between them.

FIGURE 6-1 Man-in-the-Middle Cyber-Attack

Masquerading or impersonation is pretending to be an authorized user to access a system. This is possible when the perpetrator knows the user's ID number and password or uses her computer after she has logged in (while the user is in a meeting or at lunch).

masquerading/impersonation - Gaining access to a system by pretending to be an authorized user. This requires that the perpetrator know the legitimate user's ID and passwords.

Piggybacking has several meanings:

1. The clandestine use of a neighbor's Wi-Fi network; this can be prevented by enabling the security features in the wireless network.
2. Tapping into a communications line and electronically latching onto a legitimate user before the user enters a secure system; the legitimate user unknowingly carries the perpetrator into the system.
3. An unauthorized person following an authorized person through a secure door, bypassing physical security controls such as keypads, ID cards, or biometric identification scanners.

piggybacking - (1) Tapping into a communications line and electronically latching onto a legitimate user who unknowingly carries the perpetrator into the system. (2) The clandestine use of a neighbor's Wi-Fi network. (3) An unauthorized person following an authorized person through a secure door, bypassing physical security controls.

Password cracking is penetrating a system's defenses, stealing the file containing valid passwords, decrypting them, and using them to gain access to programs, files, and data. A police officer suspected his wife of an affair and believed the lovers communicated by e-mail.
He asked a former police officer to break into his wife's password-protected corporate e-mail account and print her e-mails. The hacker used a wireless access point to penetrate the network and download her e-mails. It took 3 days to crack her password and confirm the husband's suspicions.

password cracking - When an intruder penetrates a system's defenses, steals the file containing valid passwords, decrypts them, and uses them to gain access to programs, files, and data.

War dialing is programming a computer to dial thousands of phone lines searching for dial-up modem lines. Hackers break into the PC attached to the modem and access the network to which it is connected. This approach got its name from the movie War Games. Much more problematic in today's world is war driving, which is driving around looking for unprotected wireless networks. One enterprising group of researchers went war rocketing. They used rockets to let loose wireless access points attached to parachutes that detected unsecured wireless networks in a 50-square-mile area.

war dialing - Programming a computer to dial thousands of phone lines searching for dial-up modem lines. Hackers hack into the PC attached to the modem and access the network to which it is connected.

war driving - Driving around looking for unprotected home or corporate wireless networks.

war rocketing - Using rockets to let loose wireless access points attached to parachutes that detect unsecured wireless networks.

Phreaking is attacking phone systems. The most common reasons for the attack are to obtain free phone line access, to transmit malware, and to steal and destroy data. One telephone company lost $4.5 million in 3 days when details on how to use its phone lines for free were published on the Internet. Phreakers also break into voice mail systems, as the New York Police Department learned.
The hackers changed the voice mail greeting to say that officers were too busy drinking coffee and eating doughnuts to answer the phone and to call 119 (not 911) in case of an emergency. The owner of two small voice-over-IP (VoIP) phone companies hacked into a larger VoIP provider and routed over $1 million of calls through one of its systems. To keep the rerouting from being discovered, they broke into a New York firm's system, set up a server, and made it look like the calls came from many third parties. Other hackers have hijacked calls, rerouted them to their own call centers, and asked callers to identify themselves by divulging confidential information. To protect a system from phreakers, companies use a voice firewall that scans inbound and outbound voice traffic, terminates any suspicious activity, and provides real-time alerts.

phreaking - Attacking phone systems to obtain free phone line access, use phone lines to transmit malware, and to access, steal, and destroy data.

Data diddling is changing data before or during entry into a computer system in order to delete, alter, add, or incorrectly update key system data. Examples include forging or changing documents used for data entry and replacing files containing input data with modified files. A clerk for a Denver brokerage altered a transaction to record the sale of 1,700 shares of Loren Industries stock worth $2,500 as shares in Long Island Lighting worth more than $25,000.

data diddling - Changing data before or during entry into a computer system in order to delete, alter, add, or incorrectly update key system data.

Data leakage is the unauthorized copying of company data. Ten Social Security employees stole 11,000 Social Security numbers and other identifying information and sold them to identity theft fraudsters. Acxiom suffered a data loss when, over a year and a half, an individual used a company's FTP client to steal 8.2 GB of data.
data leakage - The unauthorized copying of company data, often without leaving any indication that it was copied.

Podslurping is using a small device with storage capacity, such as an iPod or flash drive, to download unauthorized data. Security expert Abe Usher created slurp.exe and copied all document files from his computer in 65 seconds. Usher now makes a version of his program for security audits that does not copy files but generates a report of the information that could have been stolen in a real attack.

podslurping - Using a small device with storage capacity (iPod, flash drive) to download unauthorized data from a computer.

The salami technique is used to embezzle money a "salami slice" at a time from many different accounts. A disgruntled employee programmed the company computer to increase all production costs by a fraction of a percent and place the excess in the account of a dummy vendor he controlled. Every few months, the fraudulent costs were raised another fraction of a percent. Because all expenses were rising together, no single account would call attention to the fraud. The perpetrator was caught when a teller failed to recognize the payee name on a check the perpetrator was trying to cash. The salami scheme was part of the plot line in several films, including Superman III, Hackers, and Office Space.

salami technique - Stealing tiny slices of money from many different accounts.

One salami technique has been given a name. In a round-down fraud, all interest calculations are truncated at two decimal places and the excess decimals put into an account the perpetrator controls. No one is the wiser, since all the books balance. Over time, these fractions of a cent add up to a significant amount, especially when interest is calculated daily.

round-down fraud - Instructing the computer to round down all interest calculations to two decimal places. The fraction of a cent rounded down on each calculation is put into the programmer's account.
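The round-down fraud worked through in Python, as an added example that is not part of the textbook. It posts one day's interest to a small constructed ledger twice, once with ordinary rounding and once with the truncation the fraud relies on, and then applies two controls: the balancing check that the text says the fraud passes, and a recomputation that looks at the sign of the leftover fractions of a cent. The ledger balances, the daily rate of one basis point, and the function names are all assumptions made for the demonstration.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN
from typing import Dict, List, Tuple

CENT = Decimal("0.01")

# Constructed sample ledger (account id, balance) and an assumed daily rate of
# 0.01 % (one basis point). Both are illustrative values, not from the text.
LEDGER: List[Tuple[str, Decimal]] = [
    ("A-1001", Decimal("1234.56")),
    ("A-1002", Decimal("98765.43")),
    ("A-1003", Decimal("50000.00")),
    ("A-1004", Decimal("777.77")),
    ("A-1005", Decimal("2500.99")),
]
DAILY_RATE = Decimal("0.0001")


def exact_interest(balance: Decimal, rate: Decimal) -> Decimal:
    """Interest at full precision: what the customer is actually owed."""
    return balance * rate


def post_interest(ledger, rate: Decimal, rounding: str):
    """Post one day's interest to every account under the given rounding rule.
    Returns ({account: posted}, {account: residue}); the residue is the
    fraction of a cent that did not reach the customer. Under the fraud the
    residues are swept into an account the programmer controls."""
    postings: Dict[str, Decimal] = {}
    residues: Dict[str, Decimal] = {}
    for acct, balance in ledger:
        exact = exact_interest(balance, rate)
        posted = exact.quantize(CENT, rounding=rounding)
        postings[acct] = posted
        residues[acct] = exact - posted
    return postings, residues


def post_honest(ledger, rate: Decimal):
    """Legitimate posting: round half to even; residues are tiny and two-sided."""
    return post_interest(ledger, rate, ROUND_HALF_EVEN)


def post_round_down(ledger, rate: Decimal):
    """The round-down fraud: always truncate, so every residue is >= 0."""
    return post_interest(ledger, rate, ROUND_DOWN)


def books_balance(ledger, rate: Decimal, postings, residues) -> bool:
    """The control the fraud is built to pass: total interest expense equals
    what was credited to customers plus the residue account, to the digit."""
    total_exact = sum((exact_interest(b, rate) for _, b in ledger), Decimal(0))
    credited = sum(postings.values(), Decimal(0))
    diverted = sum(residues.values(), Decimal(0))
    return credited + diverted == total_exact


def audit_residues(residues) -> Tuple[int, int, Decimal]:
    """The control that catches it: recompute and look at the residue signs.
    Returns (count positive, count negative, total). Honest rounding gives a
    mix of signs summing to about zero; truncation never yields a negative
    residue, and the total grows every day interest is calculated."""
    values = list(residues.values())
    positive = sum(1 for v in values if v > 0)
    negative = sum(1 for v in values if v < 0)
    return positive, negative, sum(values, Decimal(0))


def looks_like_round_down(residues) -> bool:
    """Red flag: residues are all one-sided with a positive total."""
    positive, negative, total = audit_residues(residues)
    return negative == 0 and positive > 0 and total > 0


if __name__ == "__main__":
    for label, poster in (("honest", post_honest), ("round-down", post_round_down)):
        postings, residues = poster(LEDGER, DAILY_RATE)
        print(label,
              "books balance:", books_balance(LEDGER, DAILY_RATE, postings, residues),
              "residues (pos, neg, total):", audit_residues(residues),
              "flagged:", looks_like_round_down(residues))
```

Both runs balance, which is exactly why the fraud survives a reconciliation. The difference shows up only when the postings are independently recomputed: honest rounding leaves residues of both signs that nearly cancel, while truncation leaves residues that are never negative and accumulate with every daily run. An audit routine that recomputes a sample of interest postings and checks the sign distribution of the differences is the practical control; one that only checks that the totals agree is not.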
Economic espionage is the theft of information, trade secrets, and intellectual property. Losses are estimated to be $250 billion a year, with losses increasing by 323% during one five-year period. Almost 75% of losses are to an employee, former employee, contractor, or supplier. The FBI is investigating about 800 separate incidents of economic espionage at any point in time. Reuters Analytics allegedly broke into the computers of Bloomberg, a competitor, and stole code that helps financial institutions analyze stock market data. Toshiba paid $465 million to Lexar Media as compensation for trade secrets provided by a member of Lexar's board of directors.

economic espionage - Theft of information, trade secrets, and intellectual property.

DesignerWare developed software to help rent-to-own companies track the location of the computers they rented, recover them when stolen, and disable them if renters ceased to make payments. The software could also log keystrokes, capture screenshots, and take photographs using the computer's webcam. The software had a fake registration screen that tricked consumers into providing their personal contact information. The software, which was installed without the customers' knowledge or permission, allowed the rental company to capture private and confidential details such as user names, passwords, Social Security numbers, bank and credit card balances, medical records and private e-mails to doctors, and social media websites visited. It also allowed the stores to activate the webcams and take pictures of people in the privacy of their own homes. When these activities became known, the companies were sued by the FTC and charged with breaking the law by secretly collecting consumers' confidential and personal information and using it to try to collect money from them.

Cyber-extortion is threatening to harm a company or a person if a specified amount of money is not paid.
The owner of a credit card processor received an e-mail listing his clients as well as their credit card numbers. The e-mail told him to pay $50,000 in six payments, or the data would be sent to his clients. An investigation showed that his system had been successfully penetrated and that customer data had been copied. Not believing the attacker, the owner did nothing. The extortionists released the data, and he spent weeks trying to reassure his irate customers. His efforts were futile; his customers abandoned him, and within six months, he shut down his business. Diana DeGarmo, the runner-up from the third season of American Idol, was stalked by an obsessive fan who wanted to "become" Diana. The fan broke into Diana's MySpace account, stole her identity, and sent e-mails to her friends and fans. The fan phoned, e-mailed, and texted Diana more than 100 times a day. When Diana finally asked her what she wanted, she replied that she wanted $1 million.

cyber-extortion - Threatening to harm a company or a person if a specified amount of money is not paid.

Cyber-bullying is using the Internet, cell phones, or other communication technologies to support deliberate, repeated, and hostile behavior that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person. Cyber-bullying is especially prevalent among young people; research shows that almost half of all teens and preteens report some form of cyber-bullying. Legislation penalizing cyber-bullying has been passed in many states.

cyber-bullying - Using computer technology to support deliberate, repeated, and hostile behavior that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person.

Sexting is exchanging sexually explicit text messages and revealing pictures, usually by means of a phone. One particularly degrading form of cyber-bullying is posting or sharing these pictures and messages with people who were never intended to see or read them.
An estimated 88% of all self-made sexual images and videos sent by young people to friends are uploaded to other websites. Parasite porn sites constantly comb the Internet and social media sites for such materials, as their business is displaying sexually explicit images and videos of young people. Anyone involved in transmitting nude pictures of someone under the age of 18 can be charged with dealing in child pornography.

sexting - Exchanging sexually explicit text messages and revealing pictures with other people, usually by means of a phone.

Internet terrorism is using the Internet to disrupt electronic commerce and communications and to harm computers. A Massachusetts man hired hackers to attack the WeaKnees.com website because WeaKnees turned down a business deal with him. The six-week-long attack used a botnet of 10,000 hijacked computers and caused $2 million in damage.

Internet terrorism - Using the Internet to disrupt electronic commerce and harm computers and communications.

Internet misinformation is using the Internet to spread false or misleading information. McDonald's spent seven years fighting false accusations on websites. After 313 days of testimony and a cost of $16 million, McDonald's won and was awarded $94,000. A website mocked the verdict, called its campaign "unstoppable," and set up shop under a new name. Another form of Internet misinformation is pretending to be someone else and posting web-based messages that damage the reputation of the impersonated person. Even subtler is entering bogus information in legitimate news stories. One young man broke into Yahoo's news pages and replaced the name of an arrested hacker with that of Bill Gates.

Internet misinformation - Using the Internet to spread false or misleading information.

Perpetrators also send unsolicited e-mail threats. Global Communications sent messages threatening legal action if an overdue amount was not paid within 24 hours.
The court action could be avoided by calling an 809 area code (the Caribbean). Callers got a clever recording that responded to the caller's voice. The responses were designed to keep callers on the phone as long as possible because they were being billed at $25 per minute.

e-mail threats - Threats sent to victims by e-mail. The threats usually require some follow-up action, often at great expense to the victim.

Internet auction fraud is using an Internet auction site to defraud another person. According to the FBI, 45% of the complaints it receives are about Internet auction fraud. Internet auction fraud can take several forms. For example, a seller can use a false identity or partner with someone to drive up the bid price. A person can enter a very high bid to win the auction and then cancel his bid, allowing his partner, who has the next highest, and much lower, bid to win. The seller can fail to deliver the merchandise, or the buyer can fail to make the agreed-upon payment. The seller can deliver an inferior product or a product other than the one sold. In a recent case, three art dealers were convicted of casting bids in over 1,100 of each other's eBay auctions to drive up the price of their merchandise over a five-year period. Many of the 120 defrauded consumers paid thousands of dollars more than they would have without the fake bids.

Internet auction fraud - Using an Internet auction site to defraud another person.

Internet pump-and-dump fraud is using the Internet to pump up the price of a stock and then selling it. Pump-and-dump fraudsters do three things. First, they buy a significant number of shares in small, low-priced, thinly traded penny stocks without driving up their price. Second, they use spam e-mails, texts, Tweets, and Internet postings to disseminate overly optimistic or false information about the company to create a buying frenzy that drives up the stock price.
Third, they sell their shares to unsuspecting investors at inflated prices and pocket a handsome profit. Once they stop touting the stock, its price crumbles, and investors lose their money. In a recent fraud, fraudsters quietly acquired shares in 15 thinly traded public companies. They used sophisticated hacking and identity fraud techniques, such as installing keystroke-logging software on computers in hotel business centers and Internet cafes, to gain access to online brokerage accounts. The hackers sold the securities in those accounts, used the money to purchase large quantities of the 15 companies' stock to pump up their share prices, and sold their stock for a $732,941 profit. The pump-and-dump operation, which was perpetrated in a few hours, cost U.S. brokerage firms an estimated $2 million.

Internet pump-and-dump fraud - Using the Internet to pump up the price of a stock and then sell it.

Companies advertising online pay from a few cents to over $10 for each click on their ads. Click fraud is manipulating click numbers to inflate advertising bills. As many as 30% of all clicks are not legitimate. That is no small sum, given that total revenues from online advertising exceed $15 billion a year. Examples of how click fraud is perpetrated include (1) companies clicking on a competitor's ad to drive up their advertising costs, (2) web page owners who get a commission to host a pay-per-click ad clicking to boost commissions, and (3) ad agencies inflating the number of clicks to make an ad campaign appear more effective. Most click fraudsters are cyber criminals who create websites with nothing on them but ads and use their botnets to repeatedly click on the ads. Some porn sites increase their revenues by perpetrating click fraud. When a person clicks on the site, software causes (1) dozens of hidden-to-the-user pages to appear that are filled with links to sites that pay a referral commission and (2) the user's computer to click on the links.
The porn operator later receives payment for sending its users to the sites.

click fraud - Manipulating the number of times an ad is clicked on to inflate advertising bills.

Web cramming is offering a free website for a month, developing a worthless website, and charging the phone bill of the people who accept the offer for months, whether they want to continue using the website or not. Web cramming has been in the top 10 of online scams for the past few years, and there are no signs that it is going away. Law enforcement has cracked down on this for the past few years with no apparent permanent success.

web cramming - Offering a free website for a month, developing a worthless website, and charging the phone bill of the people who accept the offer for months, whether they want to continue using the website or not.

Software piracy is the unauthorized copying or distribution of copyrighted software. Three frequent forms of software piracy are (1) selling a computer with preloaded illegal software, (2) installing a single-license copy on multiple machines, and (3) loading software on a network server and allowing unrestricted access to it in violation of the software license agreement.

software piracy - The unauthorized copying or distribution of copyrighted software.

It is estimated that for every legal software sale, between seven and eight illegal copies are made. Within days of being released, most new software is on the Internet and available free to those who want to download it illegally. An estimated 43% of software is pirated; in some countries, over 90% is pirated. The software industry estimates the economic losses due to software piracy exceed $50 billion a year. The Business Software Alliance, which files lawsuits against software pirates, found 1,400 copies of unlicensed software at an adult vocational school in Los Angeles and claimed $5 million in damages.
Individuals convicted of software piracy are subject to fines of up to $250,000 and jail terms of up to five years. However, they are often given more creative punishments. A Puget Sound student was required to write a 20-page paper on the evils of software piracy and copyright infringement and perform 50 hours of community service wiring schools for Internet usage. Failure to comply would subject him to a $10,000 fine and a copyright infringement lawsuit.

Social Engineering

Social engineering refers to techniques or psychological tricks used to get people to comply with the perpetrator's wishes in order to gain physical or logical access to a building, computer, server, or network, usually to get the information needed to access a system and obtain confidential data. Often, the perpetrator has a conversation with someone to trick, lie to, or otherwise deceive the victim. Often the perpetrator has information, knowledge, authority, or confidence that makes it appear that he belongs or knows what he is doing.

social engineering - The techniques or psychological tricks used to get people to comply with the perpetrator's wishes in order to gain physical or logical access to a building, computer, server, or network. It is usually to get the information needed to obtain confidential data.

Cisco reported that fraudsters take advantage of the following seven human traits in order to entice a person to reveal information or take a specific action:

1. Compassion: The desire to help others who present themselves as really needing your help.
2. Greed: People are more likely to cooperate if they get something free or think they are getting a once-in-a-lifetime deal.
3. Sex appeal: People are more likely to cooperate with someone who is flirtatious or viewed as "hot."
4. Sloth: Few people want to do things the hard way, waste time, or do something unpleasant; fraudsters take advantage of our lazy habits and tendencies.
5. Trust: People are more likely to cooperate with people who gain their trust.
6. Urgency: A sense of urgency or immediate need that must be met leads people to be more cooperative and accommodating.
7. Vanity: People are more likely to cooperate if you appeal to their vanity by telling them they are going to be more popular or successful.

Establishing the following policies and procedures, and training people to follow them, can help minimize social engineering:

1. Never let people follow you into a restricted building.
2. Never log in for someone else on a computer, especially if you have administrative access.
3. Never give sensitive information over the phone or through e-mail.
4. Never share passwords or user IDs.
5. Be cautious of anyone you do not know who is trying to gain access through you.

Focus 6-2 discusses how social engineering is used on Facebook to perpetrate fraud.

FOCUS 6-2 Facebook: The New Fraud Frontier

The websites that are the most dangerous fraud and security risks are porn sites and software-sharing sites. Close behind are social networks such as Facebook, making social media the new fraud frontier for the following reasons. First, people are more likely to disclose personal information to "friends" on social networks. Second, many people do not properly protect the information they post on social network sites. Third, people use the same password for every site, since remembering separate passwords for every site is too much hassle. Because of the first two items, it is easier for fraudsters to get access to your personal information than through other means. And when they have it, they have the information needed to defraud you. Facebook fraudsters also use a variety of phishing attempts disguised as Facebook games or widgets that require personal information to be disclosed. For example, suppose someone challenged you to find out who knows you best by posting: I want to know which one of you knows me best.
What is my middle name; birthday; favorite food, soda, and color; pet's name; eye and hair color; Mom's maiden name; and grandma's and grandpa's names? What was my first car? Who is my best friend? Who is the love of my life?

As your friends answer, they disclose many of the facts your financial institutions ask when they verify your identity. This allows your "friends" to try to access your accounts and credit cards. Another approach is to send a message that says, "Look at the funny video I found of you." When the link is clicked, a message tells you to update your video player. Without adequate security software, clicking on the update installs malware that captures data on the websites you visit and your sign-in and password information. Again, the fraudster has the information needed to defraud you. The "we are stuck" e-mail used to perpetrate identity theft has migrated to instant messaging on Facebook. It is so effective because it preys on people's desires to help a friend in need. Instead of helping, you lose money or give away the information needed to defraud you. Facebook is aware of these and other schemes to defraud you. You can learn how Facebook is combatting them by visiting Facebook's security page.

The remainder of this section discusses various social engineering issues and techniques.

Identity theft is assuming someone's identity, usually for economic gain, by illegally obtaining and using confidential information, such as a Social Security number or a bank account or credit card number. A recent report showed that more than 12 million victims had more than $21 billion stolen in a recent calendar year. The report also said that there is a new victim of identity fraud once every three seconds and that one in four consumers who received a data breach notice from a company also became a victim of identity theft.
identity theft - Assuming someone's identity, usually for economic gain, by illegally obtaining confidential information such as a Social Security number or a bank account or credit card number.

Identity thieves empty bank accounts, apply for credit cards, run up large debts, and take out mortgages and loans. By carefully covering his tracks and having all bills sent to an address he controls, the identity thief can prolong the scheme because the victim will not know what is happening until considerable damage has been caused. Victims can usually prove they are not responsible for the debts or missing funds, but it takes significant time to clean up credit records and restore reputations. Until the identity theft is cleared up, victims often are denied loans and credit cards, refused phone contracts, and chased by debt collectors for money they do not owe. A convicted felon incurred $100,000 of credit card debt, took out a home loan, purchased homes and consumer goods, and filed for bankruptcy in the victim's name. He phoned and mocked his victim because the victim could not do anything, because identity theft was not a crime at the time. The victim spent four years and $15,000 to restore his credit and reputation. The identity thief served a brief sentence for lying while buying a gun and did not have to make restitution. This and similar cases resulted in Congress making identity theft a federal offense in 1998.

Pretexting is using an invented scenario (the pretext) to increase the likelihood that a victim will divulge information or do something. The pretext is more than just a simple lie; it usually involves creating legitimacy in the target's mind that makes impersonation possible. One approach pretexters use is to pretend to conduct a security survey and lull the victim into disclosing confidential information by asking 10 innocent questions before asking the confidential ones.
They also call help desks and claim to be an employee who has forgotten a password. They call users and say they are testing the system and need a password. They pose as buyers, prospective employees, or salespeople to get plant tours. They use voice-changing devices to make a male voice sound like a female voice or use spoofing devices to make it appear they are phoning from the intended victim's phone.

pretexting - Using an invented scenario (the pretext) that creates legitimacy in the target's mind in order to increase the likelihood that a victim will divulge information or do something.

The chairwoman of Hewlett-Packard (H-P) was forced to resign after H-P hired a private investigator to catch H-P directors who had leaked confidential information to reporters. The private investigator pretended to be someone he was not to get private phone records and other confidential information of directors and journalists. As a result, Congress passed a bill making the use of pretexting to obtain a person's phone records illegal. A hacker tricked a T-Mobile employee into disclosing the information needed to hack into Paris Hilton's phone by answering the question "What is your favorite pet's name?" Tinkerbell, the name of her dog, was well known. The hacker accessed her phone and posted the contents of her address book, notes, and some very embarrassing photos on the Internet.

Posing is creating a seemingly legitimate business (often selling new and exciting products), collecting personal information while making a sale, and never delivering the product. Fraudsters also create Internet job listing sites to collect confidential information.

posing - Creating a seemingly legitimate business, collecting personal information while making a sale, and never delivering the product.
Phishing is sending an electronic message pretending to be a legitimate company, usually a financial institution, and requesting information or verification of information and often warning of some negative consequence if it is not provided. The recipient is asked to either respond to the bogus request or visit a web page and submit data. The message often contains a link to a web page that appears legitimate. The web page has company logos, familiar graphics, phone numbers, and Internet links that appear to be those of the victimized company. It also has a form requesting everything from a home address to an ATM card's PIN.

phishing - Sending an electronic message pretending to be a legitimate company, usually a financial institution, and requesting information or verification of information and often warning of a consequence if it is not provided.

The request is bogus, and the information gathered is used to commit identity theft or to steal funds from the victim's account. In the early days, each phishing e-mail resulted in tens of thousands of calls to bank call centers, disrupted business, and cost hundreds of thousands of dollars to handle the deluge of calls. An estimated 2 million Americans have been fooled by phishing scams, with yearly losses exceeding $3.2 billion. It is easy to launch a phishing attack because hackers sell inexpensive kits that lead people through the process.

Phishers are becoming more sophisticated. Early phishing scams sent messages to everyone. Targeted versions of phishing, called spear phishing, have emerged. For example, they may target known customers of a specific company, as they are more likely to open an e-mail from a company they know than from a stranger. These spear phishing messages often look identical to authentic e-mails, including the use of company e-mail addresses, logos, and electronic watermarks. Furthermore, they usually do not include typos and poor English, which were trademarks of earlier phishing e-mails.
Phishers are also using additional tactics, such as advertisements that link to a malicious site, an e-mail that pretends to be an important work file, a job posting on a legitimate job board, a fake LinkedIn request, a fake auction, and a fake IRS request for information. Some phishing e-mails secretly install software that spies on or hijacks the user's computer. The software captures log-on names or takes pictures of the user's screen when he logs into his financial institution. The IRS has set up a website and an e-mail address (phishing@irs.gov) where people can forward suspicious e-mails that purport to be from the IRS. In a recent IRS phishing attack, e-mail recipients were told that they were due a refund and were directed to a website that looked just like the IRS website and contained forms that looked just like IRS forms. To claim the refund, the taxpayer had to enter confidential information that facilitated identity theft.

Voice phishing, or vishing, is like phishing except that the victim enters confidential data by phone. Among oth
