
Module 3: Cyber crime and Security

The huge potential for e-business brings with it a dark side that SMEs – and policymakers – should not ignore. Just as the Internet opens opportunities for entrepreneurs and SMEs to engage in e-commerce and transact with ever growing numbers of clients, it also creates opportunities for mischief or outright damage.

Just as in the “real” world, there are those who would exploit the Internet for their own selfish interests. This type of conduct makes users vulnerable to a host of possible attacks that compromise the confidentiality, integrity and availability of the information they exchange over the Internet. As a result of such illicit activities, people tend to lose trust in the security of doing business on the Internet and thus forgo its huge potential for business, as well as its potential as a tool to promote social justice and equality.

It is therefore necessary that security measures be put in place to thwart would-be attackers who make Internet use unsafe and insecure. Along this line, it is of paramount importance to establish mechanisms for the standards, policies, rules, enforcement and dispute resolution procedures that apply to global internetworking activities, in order to make the Internet free, fair, reliable, transparent and accessible to all.

e-Commerce can never prosper unless a secure environment for doing business exists. This can only happen if the correct policies for securing the Internet are put in place.

Box 8. Dynamic and Vulnerable

The nature of the Internet – open, interconnected and fast-growing – makes it attractive and vulnerable to certain types of security risks. Many of the protocols that form part of the Internet infrastructure were designed without security in mind. Likewise, the Internet is an extremely dynamic environment, in terms of both topology and emerging technology. Because of this inherent openness, Internet attacks, in general, are quick, easy, inexpensive and often difficult to detect or trace.

This is especially true for developing countries. As the level of technological sophistication needed to penetrate (and deter such penetration of) networks in developed countries continues to rise, would-be attackers are shifting their focus to networks found in developing countries. In many cases, developing countries do not yet possess a general awareness of security issues, much less the legal and regulatory issues, nor the technical capability to effectively deter cyber threats.

Is your country equipped to deal with cyber crime, and if not, how is this lack of capability affecting your country’s ability to attract investments and encourage Internet use for business development?

The same technology that allows us to block spam and set firewalls to prevent unauthorized access to our networks is also available to unscrupulous individuals who manipulate the same technology in order to find cracks in the system that allow them access.

Moreover, the tools available to launch an attack have become more effective, easier to use, and more accessible even to people without an in-depth knowledge of computer systems. In addition, sophisticated programmers intent on online mischief often embed an attack procedure in their programs and distribute them widely to the intruder community. Thus, people who have the desire but not the technical skill are increasingly able to break into systems.

Below is a list of observable trends in Internet attacks listed in the Open Regional Dialogue on Internet Governance research paper “Network Stability and Security”.

Trend 1 – Automation; speed of attack tools

The level of automation in attack tools continues to increase. Automated attacks commonly involve four phases, each of which is changing.

Trend 2 – Increasing sophistication of attack tools

Attack tool developers are using more advanced techniques than previously. Attack tool signatures are more difficult to discover through analysis and more difficult to detect through signature-based systems such as antivirus software and intrusion detection systems. Three important characteristics are the anti-forensic nature, dynamic behaviour, and modularity of the tools.

As an example of the difficulties posed by sophisticated attack tools, common tools now use protocols such as IRC or HTTP (Hypertext Transfer Protocol) to send data or commands from the intruder to compromised hosts. As a result, it has become increasingly difficult to distinguish attack signatures from normal, legitimate network traffic.

Trend 3 – Faster discovery of vulnerabilities

The number of newly discovered vulnerabilities reported to the CERT Coordination Centre (CERT/CC) continues to more than double each year. It is difficult for administrators to keep up to date with patches. Additionally, new classes of vulnerabilities are discovered each year. Subsequent reviews of existing code for examples of the new vulnerability class often lead, over time, to the discovery of examples in hundreds of different software products. Intruders are often able to discover these exemplars before the vendors are able to correct them. Because of the trend toward the automated discovery of new vulnerabilities in technologies, the so-called “time to patch” is becoming increasingly short.

Table 2. Vulnerabilities reported by CERT/CC

Year            Vulnerabilities
1995            171
1996            345
1997            311
1998            262
1999            417
2000            1,090
2001            2,437
2002            4,129
2003            3,784
2004            3,780
2005            5,990
Q1-Q2, 2006     3,997

Total vulnerabilities reported (1995 - Q2, 2006): 26,713.

Trend 4 – Increasing permeability of firewalls

Firewalls are often relied upon to provide primary protection from intruders. However, they are not as secure as before:

Trend 5 – Increasingly asymmetric threats

Security on the Internet is, by its very nature, highly interdependent. Each Internet system’s exposure to attack depends on the state of security of the rest of the systems attached to the global Internet. Owing to advances in attack technology, a single attacker can relatively easily employ a large number of distributed systems to launch devastating attacks against a single victim. As the automation of deployment and the sophistication of attack tool management both increase, the asymmetric nature of the threat will continue to grow.

Trend 6 – Increasing threat from infrastructure attacks

Infrastructure attacks are attacks that broadly affect key components of the Internet. They are of increasing concern because of the number of organizations and users on the Internet and their increasing dependency on the Internet to carry out day-to-day business. Four types of infrastructure attacks are briefly described below.

Attack 1 – Distributed denial of service

Denial-of-service attacks use multiple systems to attack one or more victim systems with the intent of denying service to legitimate users of the victim systems. The degree of automation in attack tools enables a single attacker to install the tools and control tens of thousands of compromised systems for use in attacks. Intruders often search address blocks known to contain high concentrations of vulnerable systems with high-speed connections. Cable modem, digital subscriber line (DSL), and university address blocks are increasingly targeted by intruders planning to install their attack tools. Denial-of-service attacks are effective because the Internet is composed of limited and consumable resources, and Internet security is highly interdependent.

Attack 2 – Worms

A worm is self-propagating malicious code. Unlike a virus, which requires a user to do something to continue the propagation, a worm can propagate by itself. The highly automated nature of worms, coupled with the relatively widespread nature of the vulnerabilities they exploit, allows a large number of systems to be compromised within a matter of hours. (Code Red infected more than 250,000 systems in just 9 hours on July 19, 2001.)

Some worms include built-in denial-of-service attack payloads (Code Red) or website defacement payloads (sadmind/IIS, Code Red), and others have dynamic configuration capabilities (W32/Leaves). However, the biggest impact of these worms is that their propagation effectively creates a denial of service in many parts of the Internet because of the huge amounts of scan traffic generated. They also cause much collateral damage (examples include DSL routers that crash; cable modem ISPs whose networks are completely overloaded, not by the scanning itself but by the burst of underlying network management traffic that the scanning triggers; and printers that crash or print reams of junk output).

Attack 3 – Attacks on the Internet Domain Name System

The Internet Domain Name System (DNS) is the distributed, hierarchical global directory that translates names (www.example.com) to numeric IP addresses (192.168.13.2). The top two layers of the hierarchy are critical to the operation of the Internet. In the top layer are 13 “root” name servers. Next are the “top-level domain” (TLD) servers, which are authoritative for “.com”, “.net” and others, as well as the country code top-level domains (ccTLDs – “.us”, “.uk”, “.ru” and so forth).

Threats to the Domain Name System:

  1. Cache poisoning. If DNS is made to cache bogus information, the attacker can redirect traffic intended for a legitimate site to a site under the attacker’s control. A recent survey by CERT/CC shows that over 80 per cent of the TLD domains are running on servers that are potentially vulnerable to this form of attack.
  2. Compromised data. Attackers compromise vulnerable DNS servers, giving them the ability to modify the data served to users. Many of the TLD servers run a software program called BIND, in which vulnerabilities are discovered regularly. A CERT/CC survey indicates that at least 20 per cent of TLD domains are running on vulnerable servers; another 70 per cent are “status unknown”.
  3. Denial of service. A large denial-of-service attack on some of the name servers for a TLD (for example, “.com”) could cause widespread Internet slowdowns or effective outages.
  4. Domain hijacking. By leveraging insecure mechanisms used by customers to update their domain registration information, attackers can co-opt the domain registration processes to take control of legitimate domains.
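The cache-poisoning threat in item 1 is normally countered on the resolver side by a "bailiwick" rule: a record is only cached if its owner name lies inside the zone the answering server is responsible for. The following is an added example, not code from the module or from any DNS software; it works on plain tuples rather than DNS wire format, and the zone, names and addresses are constructed.

```python
# Added example: resolver-side bailiwick check against DNS cache poisoning.
# A server that is authoritative for one zone cannot be allowed to "helpfully"
# supply records for unrelated names; those are dropped instead of cached.
# Records are (owner name, record type, rdata) tuples; no wire-format parsing.
from typing import Dict, Iterable, List, Tuple

Record = Tuple[str, str, str]   # (owner name, record type, rdata)


def labels(name: str) -> List[str]:
    """Split a domain name into labels, ignoring case and a trailing dot."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or lies below it.

    Compares whole labels, so 'notexample.com' is NOT inside 'example.com'
    (a plain string-suffix test would get this wrong).
    """
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def filter_response(server_zone: str,
                    sections: Dict[str, Iterable[Record]]
                    ) -> Tuple[List[Record], List[Record]]:
    """Split a response into records safe to cache and records to discard.

    sections maps 'answer' / 'authority' / 'additional' to their records.
    The poisoning trick this blocks is a server for one zone slipping an
    unrelated name (here a bank's web host) into the additional section.
    """
    accepted: List[Record] = []
    rejected: List[Record] = []
    for sec in ("answer", "authority", "additional"):
        for rec in sections.get(sec, []):
            (accepted if in_bailiwick(rec[0], server_zone) else rejected).append(rec)
    return accepted, rejected


# Constructed response from a hypothetical server authoritative for
# example.com, queried for www.example.com. Addresses are documentation ranges.
SAMPLE_RESPONSE = {
    "answer": [("www.example.com.", "A", "192.0.2.10")],
    "authority": [("example.com.", "NS", "ns1.example.com.")],
    "additional": [
        ("ns1.example.com.", "A", "192.0.2.53"),       # legitimate glue
        ("www.bank.example.", "A", "198.51.100.7"),    # poison attempt
    ],
}

if __name__ == "__main__":
    cacheable, dropped = filter_response("example.com", SAMPLE_RESPONSE)
    print("cache:", cacheable)
    print("drop :", dropped)
```

Bailiwick checking limits what a malicious or compromised server can plant; it does not by itself stop forged replies, which need unpredictable transaction IDs and source ports as well.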

Attack 4 – Attacks against or using routers

Routers are specialized computers that direct traffic on the Internet (similar to mail routing facilities in the postal service). Threats fall into the following categories:

As a result of these vulnerabilities, it would be relatively easy for an attacker to modify, delete, or inject routes into the global Internet routing tables to redirect traffic destined for one network to another, effectively causing a denial of service to both (one because no traffic is being routed to it, and the other because it is receiving more traffic than it should). Although the technology has been widely available for some time, many networks (Internet service providers and large corporations) do not protect themselves with the strong encryption and authentication features available on their routers.

II. Incidents/attacks – their sources and types

The following diagram describes the sources of threats.

Figure 5. Sources of threats

Incidents can be broadly classified into several kinds: the probe, scan, account compromise, root compromise, packet sniffer, denial of service, exploitation of trust, malicious code, and Internet infrastructure attacks.

1. Probe

A probe is characterized by unusual attempts to gain access to a system or to discover information about the system. One example is an attempt to log in to an unused account. Probing is the electronic equivalent of testing doorknobs to find an unlocked door for easy entry. Probes are sometimes followed by a more serious security event, but they are often the result of curiosity or confusion.

2. Scan

A scan is simply a large number of probes done using an automated tool. Scans can sometimes be the result of a misconfiguration or other errors. Nonetheless, they are often a prelude to a more directed attack on systems that the intruder has found to be vulnerable.
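The probe/scan distinction above can be applied mechanically to failed-login records: a few attempts against an account that does not exist on the host is a probe, the same thing at automated volume across many hosts or accounts is a scan. The block below is an added example, not part of the module; the log format, the set of known accounts, and the thresholds are all assumptions of this example.

```python
# Added example: sort failed-login events into the module's "probe" and
# "scan" categories. Log line format, KNOWN_USERS and thresholds are
# this example's own assumptions, not a real product's format.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) result=FAIL$"
)

# Accounts that really exist on the monitored hosts (constructed).
KNOWN_USERS = {"alice", "bob", "www-data"}

SCAN_MIN_EVENTS = 10     # failures from one source within the window
SCAN_MIN_TARGETS = 5     # distinct (host, account) pairs touched
WINDOW_SECONDS = 60      # an automated tool works fast; a curious human does not


def parse(lines: List[str]) -> List[dict]:
    """Keep only failed-login lines, with the timestamp parsed."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def classify(lines: List[str]) -> Dict[str, str]:
    """Return {source address: 'scan' | 'probe' | 'noise'}."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev["src"]].append(ev)
    verdict = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        targets = {(e["dst"], e["user"]) for e in evs}
        unknown = [e for e in evs if e["user"] not in KNOWN_USERS]
        if (len(evs) >= SCAN_MIN_EVENTS and len(targets) >= SCAN_MIN_TARGETS
                and span <= WINDOW_SECONDS):
            verdict[src] = "scan"      # many probes, automated speed
        elif unknown:
            verdict[src] = "probe"     # tried an account that does not exist
        else:
            verdict[src] = "noise"     # real user mistyping a password
    return verdict


# Constructed sample log: one automated sweep, one probe of an unused
# account, and one legitimate user getting a password wrong.
SAMPLE_LOG = [
    f"2006-07-01T10:00:{i:02d} src=203.0.113.5 dst=10.0.0.{i + 1} user=admin result=FAIL"
    for i in range(12)
] + [
    "2006-07-01T10:05:00 src=198.51.100.9 dst=10.0.0.1 user=oracle result=FAIL",
    "2006-07-01T10:05:07 src=198.51.100.9 dst=10.0.0.1 user=oracle result=FAIL",
    "2006-07-01T10:07:00 src=192.0.2.77 dst=10.0.0.1 user=alice result=FAIL",
    "2006-07-01T10:07:30 src=192.0.2.77 dst=10.0.0.1 user=alice result=FAIL",
    "2006-07-01T10:08:00 src=192.0.2.77 dst=10.0.0.1 user=alice result=OK",
]

if __name__ == "__main__":
    for src, kind in classify(SAMPLE_LOG).items():
        print(f"{src:15} {kind}")
```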

3. Account Compromise

An account compromise is the unauthorized use of a computer account by someone other than the account owner, without involving system-level or root-level privileges (privileges a system administrator or network manager has). An account compromise might expose the victim to serious data loss, data theft or theft of services. The lack of root-level access means that the damage can usually be contained, but a user-level account is often an entry point for greater access to the system.

4. Root Compromise

A root compromise is similar to an account compromise, except that the account that has been compromised has special privileges on the system. The term root is derived from an account on UNIX systems that typically has unlimited, or "super-user" privileges. Intruders who succeed in a root compromise can do just about anything on the victim's system, including run their own programs, change how the system works, and hide traces of their intrusion.

5. Packet Sniffer

A packet sniffer is a program that captures data from information packets as they travel over the network. That data may include user names, passwords, and proprietary information that travel over the network in clear text. With perhaps hundreds or thousands of passwords captured by the sniffer, intruders can launch widespread attacks on systems. Installing a packet sniffer does not necessarily require privileged access. For most multi-user systems, however, the presence of a packet sniffer implies there has been a root compromise.

6. Denial of Service

The goal of denial-of-service attacks is not to gain unauthorized access to machines or data, but to prevent legitimate users of a service from using it. A denial-of-service attack can come in many forms. Attackers may "flood" a network with large volumes of data or deliberately consume scarce or limited resources, such as process control blocks or pending network connections. They may also disrupt physical components of the network or manipulate data in transit, including encrypted data.

7. Exploitation of Trust

Computers on networks often have trust relationships with one another. For example, before executing some commands, the computer checks a set of files that specify which other computers on the network are permitted to use those commands. If attackers can forge their identity, appearing to be using the trusted computer, they may be able to gain unauthorized access to other computers.

8. Malicious Code

Malicious code is a general term for programs that, when executed, would cause undesired results on a system. Users of the system usually are not aware of the program until they discover the damage. Malicious code includes Trojan horses, viruses and worms. Trojan horses and viruses are usually hidden in legitimate programs or files that attackers have altered to do more than what is expected. Worms are self-replicating programs that spread with no human intervention after they are started. Viruses are also self-replicating programs, but usually require some action on the part of the user to spread inadvertently to other programs or systems. These sorts of programs can lead to serious data loss, downtime, denial of service, and other types of security incidents.

9. Internet Infrastructure Attacks

These rare but serious attacks involve key components of the Internet infrastructure rather than specific systems on the Internet. Examples are network name servers, network access providers, and large archive sites on which many users depend. Widespread automated attacks can also threaten the infrastructure. Infrastructure attacks affect a large portion of the Internet and can seriously hinder the day-to-day operation of many sites.

III. Legislative and policy considerations in efforts to address cyber crime and security issues

Is there a need to establish laws, policies or rules to govern cyber crime and security issues?

Table 3. Countries that have enacted cyber crime statutes
Country Law(s)
Australia Crimes Act 1914 (Part VIA), Sections 76B, 76D
Austria Privacy Act 2000 (effective as of January 1, 2000)
Belgium The Belgian Parliament in November 2000 adopted new articles in the Criminal Code (effective from 13 February 2001) Article 550(b)
Brazil Law no. 9,983 of 14 July 2000, Art. 313-A & B
Canada Canadian Criminal Code Section 342.1
Chile Law on Automated Data Processing Crimes no. 19.223, published 7 June 1993
China Decree No. 147 of the State Council of the People's Republic of China, 18 February 1994. Computer Information Network and Internet Security, Protection and Management Regulations (approved by the State Council 11 December 1997, and published 30 December 1997)
Hong Kong, China Telecommunication Ordinance
Denmark Penal Code (Section 263)
Estonia Estonian Criminal Code (Sections 269 to 273)
Finland Penal Code Chapter 38 (Section 8)
France New Penal Code, in effect since 1 March 1993 Chapter III (Articles 323-1 to 323-4)
Germany Penal Code Section 202a, 303a, Section 303b
Greece Criminal Code Article 370C§2
Hungary Penal Code (Section 300 C)
Ireland Criminal Damage Act, 1991
Iceland Penal Code (§ 228 Section 1)
India Information Technology Act 2000 (No. 21 of 2000)
Israel The Computer Law of 1995
Italy Penal Code (Article 615)
Japan Unauthorized Computer Access Law, Law No. 128 of 1999 (in effect from 3 February 2000)
Latvia The Criminal Law (Section 241)
Luxembourg The Act of 15 July 1993, relating to the reinforcement of the fight against financial crime and computer crime
Malaysia Computer Crimes Act 1997
Malta Electronic Commerce Act (Sections 337 (C) (1) to 337 (F) (1))
Mauritius Information Technology (Miscellaneous Provision) Act 1998 (Act No. 18 of 1998), Penal Code (Section 369A)
Mexico Penal Code Part 9 (Chapter II)
Netherlands Criminal Code (Article 138a)
New Zealand Crimes Amendment (No. 6) Bill is introduced (Section 305ZE & 305ZF)
Norway Penal Code (§ 145, 151 b, § 261 & § 291)
Pakistan Electronic Transactions Ordinance 2002
Poland Penal Code (Article 267 to 269)
Portugal Criminal Information Law of 17 August 1991
Philippines Republic Act No. 8792, or the e-Commerce Law
Singapore Computer Misuse Act
South Africa The South African Law Commission published a Discussion Paper on Computer-related crime.
Sweden The Data Act of 1973 (amendments in 1986 and 1990)
Switzerland Penal Code (Article 143bis)
Turkey Penal Code (Section 525/a)
United Kingdom of Great Britain and Northern Ireland Computer Misuse Act 1990
United States of America Federal legislation (updated 15 April 2002) US code: title 18
Venezuela Special Statute Against Computer Related Crimes (Published in Official Gazette of Bolivarian Republic of Venezuela, 30 October 2001)

Do existing laws support the preservation and use of electronic evidence of cyber crimes? Is procedural law aligned with substantive law? What challenges face cyber crime enforcers?

Note the challenges to international as well as State prosecution of cyber crimes, as classified by the United States Department of Justice:

Innovative practices for combating cyber crime can be found everywhere. Here are a few:

The transnational nature of cyber-crimes requires international cooperation on laws and jurisdiction. International cooperation is important because cyber crimes do not respect State, sovereign or national borders.

Annex: Tips on how to avoid becoming a victim of a cyber crime

Auction Fraud

Counterfeit Cashier's Check

Credit Card Fraud

Debt Elimination

DHL and UPS

Employment/Business Opportunities

Escrow Services Fraud

Identity Theft

Internet Extortion

Investment Fraud

Lotteries

Nigerian Letter or "419"

Phishing and Spoofing

Ponzi or Pyramid

Re-shipping

Spam

Third-Party Receiver of Funds

Summary: module 3 in a nutshell

The module on cyber crime and security identifies the broad challenges we all face as we attempt to make Internet use safe and secure. It provides a basic description and explanation of some key concepts, as well as a discussion of important issues, so that participants have a better grasp of the realities of misconduct on the Internet and of the technical, legal and regulatory tools available to help prevent or minimize these attacks.

Specifically, the module deals with the following:

Additional information on cyber crime and security

APEC Cyber Crime Survey.
A survey commissioned by the APEC to identify offences and cyber crimes in the Asia-Pacific region. http://www.apectelwg.org/e-securityTG/Downloads
CERT.
A centre of Internet security expertise located at the Software Engineering Institute, a federally funded research and development centre operated by Carnegie Mellon University. It studies Internet security vulnerabilities, researches long-term changes in networked systems, and develops information and training to help improve security: http://www.cert.org.
Cyber Security and Cyber Crime
Information on news, cyber laws, cyber alert systems, vulnerability resources, attacks, policies, laws and statistics. Available online in the following websites: http://www.us-cert.gov/; http://www.staysafeonline.info/; https://www.csialliance.org/home/; http://www.cpi.seas.gwu.edu/; http://www.cyberpartnership.org/; http://www.symantec.com/enterprise/library/article.jsp?aid=internet_security_threat_report_cybercrime; http://www.infosecwriters.com/text_resources/pdf/Mal_Codes_in_Depth.pdf
International Telecommunication Union.
Provides information and resources on cyber security, ICT laws, Internet governance, and articles on network security: http://www.itu.int