
1 TOPIC FIVE Introduction to Information Security, IT Crimes and Cybercrimes

2 Introduction
 Developments in ICT have opened a new era in communication technology
 With this development, new challenges have emerged:
  How to deal with threats to electronic communications
  How to harmonise traditional laws so that they cover new, sophisticated offences
  Redefinition of some existing offences, etc.
 Electronic privacy is also an issue, not only for individual data but also for governmental information
 All of these are challenges of the new digital/cyber era

3 Computer Crime/ICT Crime
 Scholars have distinguished computer crime/ICT crime from cyber crime
 Computer crime is defined as:
  Any criminal activity committed against a computer or similar device, and the data or programs therein.
  In computer crimes, the computer is the target of the criminal activity.

4 Continue
 The "computer" in this context refers to the hardware, but the crimes, more often than not, relate to the software and the data or programs contained within it.
 The criminal activities often relate to the functions of the computer; in particular, they are often facilitated by the communication systems available and operated through the computer, which contributes to a less secure computing environment.

5 Continue
 It is also defined as follows:
  Computer crime encompasses the use of a computer as a tool in the perpetration of a crime, as well as situations in which there has been unauthorised access to the victim's computer or data.
  Computer crime also extends to physical attacks on the computer and/or related equipment, as well as illegal use of credit cards and violations of automated teller machines, including electronic funds transfer theft and the counterfeiting of hardware and software.

6 Continue
 Further:
  "Computer crime covers all sets of circumstances where electronic data processing forms the means for the commission and/or the object of an offence and represents the basis for the suspicion that an offence has been committed."

7 Continue
 A distinction between computer crime and cyber crime is explained as follows: "Computer Crime" encompasses crimes committed against the computer, the materials contained therein such as software and data, and its use as a processing tool. These include hacking, denial of service attacks, unauthorised use of services and cyber vandalism.

8 Continue
 "Cyber Crime" describes criminal activities committed through the use of electronic communications media. One of the greatest concerns is cyber-fraud and identity theft through methods such as phishing, pharming, spoofing and the abuse of online surveillance technology. There are also many other forms of criminal behaviour perpetrated through the use of information technology, such as harassment, defamation, pornography, cyber terrorism, industrial espionage and some regulatory offences.

9 Continue
 So one may gather from all these definitions that:
  Cyber crime is a computer-enabled crime
  Computer crime is a crime in which the computer is the target
  Cyber crime is a criminal activity that involves a computer
 These crimes can be categorised into two groups:
  Crimes that were not possible before the advent of the computer, such as hacking, cracking, sniffing, and the production and dissemination of malicious code
  A much wider category of crimes that have existed for centuries but are now committed in the cyber environment, such as Internet fraud and the possession and distribution of child pornography

10 Continue
 UK author Ian Walden distinguishes these crimes in the following categories:
  "computer-related crimes" (such as fraudulent activity involving the use of computers)
  "content-related offences" (such as the distribution of pornographic material involving children by means of computers and cellphones)
  "computer integrity offences" (in which the computer itself is the object of the attack)
 Suffice it to say that there is no universally accepted classification of computer crimes/cyber crimes
 Much depends on what a particular scholar intends to say

11 Types of Cyber crimes
 According to the Mumbai Police department:
  Hacking
  Phishing
  Denial of service attack
  Spoofing
  Cyber-stalking
  Virus dissemination

12 Continue
  Software piracy
  Cyber-defamation
  Pornography
  Internet Relay Chat (IRC) crime
  Credit card fraud
  Net extortion, threatening and salami attacks

13 Continue
 According to the Australian Institute of Criminology:
  Theft of telecommunication services
  Communications in furtherance of criminal conspiracies
  Telecommunication piracy
  Dissemination of offensive materials
  Electronic money laundering and tax evasion
  Electronic vandalism
  Terrorism and extortion
  Sales and investment fraud
  Illegal interception of telecommunications and electronic funds transfer fraud

14 Continue
 Therefore, even in the classification of cyber crimes, scholars differ, and the authorities responsible for controlling such crimes also differ in how they classify them
 For the purposes of this lecture, the two terms computer crime and cyber crime will be used interchangeably

15 Continue
 The discussion will cover the following types of cyber crimes:
 Computer fraud
 Simply means any dishonest misrepresentation of fact made by means of an electronic device, intended to induce another to do or refrain from doing something, which causes loss or psychological suffering. Computer fraud includes forms such as:
  Concealing unauthorised transactions
  Electronic funds transfer fraud
  Identity theft
  Entering unauthorised instructions or processes into a computer, etc.

16 Continue
 Hacking
 This simply means unauthorised access to a computer system: an illegal intrusion into a computer system without the permission of the computer's owner/user. The analogous practice in telecommunication services, manipulating the telephone network to obtain service without authorisation, is called "phone phreaking".
 Unauthorised modification of data
 Data need to be kept in a systematic form so that the system can function effectively. Any unauthorised alteration or modification of such information or data may render the entire system ineffective or produce undesired outcomes.

17 Continue
 A person may gain access to the computer system and, without permission, modify the data kept in the computer, causing the whole or part of the system to stop functioning.
 This can also be done by sending malicious code that renders the computer system ineffective.

18 Continue
 Dissemination of malicious code: the use of viruses and other harmful computer programs
 A computer virus is malicious software that is capable of replicating itself by attaching to other programs or files.
 A virus should not be confused with a computer bug: a bug is an unintended error in legitimate software, not malicious code, and is not a form of virus.
 This crime is committed through the dissemination of malicious code, for example a virus that attaches itself to other software and alters how that software functions.

19 Continue
 This kind of dissemination may include:
 Virus: infects computers or other electronic devices and is passed on by user activity, for example by opening an e-mail attachment or opening any document or device that contains it
 Worm: self-propagating malware that uses a network connection to exploit vulnerabilities on other computers and install copies of itself there. Worms are often used as a conduit to grant attackers access to the infected computer.

20 Continue
 Trojan horse: malware masquerading (impersonating) as something the user may want to download or install, which then performs hidden or unexpected actions, such as allowing external access to the computer.
 Other forms of malicious software include time bombs, logic bombs, etc.
 Malicious software can be transmitted from one computer to another through network shares, shared hard drives, flash disks, etc.

21 Continue
◦ Denial of service attack
 This is an act by which the criminal floods the victim's network bandwidth or server resources, or fills the victim's mailbox with unwanted mail (mail bombing), depriving the victim of the services he or she is entitled to access or provide.
 The main purpose is to create such a surge in the volume of traffic (network requests or e-mail) that network or service performance degrades.

22 Continue
 It is often aimed at businesses engaged in e-commerce, the aim being to generate such a volume of spurious requests or messages that the victim's site becomes clogged and is unable to serve genuine users wishing to place orders for goods or services.
 A denial of service attack may cause both financial loss and loss of goodwill
 Customers who are unable to access services may lose confidence in the service provider or business

23 Continue
 For example, in February 2000 a series of distributed denial of service attacks, launched by a single teenager in Canada, dramatically slowed down some of the best-known e-commerce and web servers, including amazon.com, eBay and Yahoo.
 The attacks ran over several days and the affected sites were unable to serve customers for hours at a time. The companies claimed to have suffered more than $1 billion in damages in total.
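Flooding of the kind described on the last three slides shows up in a server's own logs as an abnormal request rate from one source. The following is an added example, not part of the original lecture: a sliding-window flood detector run over constructed web-server access-log lines. The log format (Apache/nginx "combined" prefix), the 10-second window, the threshold of 100 requests and the sample traffic are all assumptions chosen for illustration; the same per-key sliding window applies equally to a mail log keyed by sender when the flood is a mail bombing.

```python
"""Sliding-window request-flood detector over constructed access-log lines.

Added example; not code from the original lecture. Log format, window,
threshold and sample traffic are assumptions made for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx combined-log prefix: client IP ... [timestamp] "request"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect_floods(lines, window=timedelta(seconds=10), threshold=100):
    """Flag each client IP that sends more than `threshold` requests inside
    any `window`-long interval. Returns {ip: timestamp of the first excess}.

    Lines are expected in chronological order, as a log file is written."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:        # skip malformed lines rather than crash
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def build_sample_log():
    """Constructed traffic: one flooding client (20 req/s) and one normal client (1 req/s)."""
    start = datetime(2000, 2, 7, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(300):   # flooder: a request every 50 ms for 15 s
        events.append((start + timedelta(milliseconds=50 * i), "203.0.113.7", "/catalog"))
    for i in range(12):    # legitimate shopper: one request per second
        events.append((start + timedelta(seconds=i), "198.51.100.4", "/cart"))
    events.sort()
    return [
        f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.0" 200 512'
        for ts, ip, path in events
    ]


if __name__ == "__main__":
    for ip, when in detect_floods(build_sample_log()).items():
        print(f"flood from {ip} detected at {when.isoformat()}")
```

The flooder crosses 100 requests within the window five seconds into the sample, so it is reported at 10:00:05; the shopper never exceeds a dozen. In practice the threshold has to be tuned per endpoint (a busy login page behind a corporate NAT will legitimately show many requests from one IP), and a distributed attack such as the February 2000 one needs the same logic keyed by target path or aggregated across sources rather than per IP.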

24 Continue
◦ Unauthorised interception
 Developments in telecommunications provide new opportunities for electronic eavesdropping.
 Interception of communications is no longer used only to watch an unfaithful spouse; it has developed into a tool used against politicians and for industrial espionage.
 The electromagnetic signals emitted by a computer may also be intercepted.
 Cyber criminals often obtain valuable information by intercepting and monitoring communications sent via the Internet or other information networks.

25 Continue
 Electronic mail messages sent without encryption can easily be intercepted by third parties, enabling them to obtain bank account numbers, passwords, access codes and various other forms of data.
 While interception of communications may be lawful if permitted by law, unlawful interception is illegal and is one of the cyber crimes.
 The challenge in regulating interception of electronic communications is the need to balance the prohibition of unauthorised interception against freedom of expression.

26 Continue
◦ Extortion
 Extortion is a process in which criminal intruders disrupt an information system, or threaten to do so, in order to coerce the victim for some improper motive behind the disruption (typically payment).
 Such intrusion into a computer system may cause damage to the storage system and loss of important data.
 The act can also be used to disrupt the security system so as to facilitate the commission of other crimes.

27 Continue
◦ Pornography, cyber-obscenity and cyber-stalking
 Pornography is often described as the first consistently successful e-commerce product
 By using deceptive marketing tactics and "mouse-trapping" technologies (pages designed to prevent the user from leaving), pornography has been used as a tool for driving users to certain websites.
 Access to this kind of material is open to both children and adults who use the Internet

28 Continue
 One of the impacts of pornography is a crime known as paedophilia.
 Paedophilia here refers to criminal activity involving sexual offences against children by adults, including the production and distribution of child pornography.
 A paedophile is a person who is sexually attracted to children
 Most countries have now criminalised child pornography

29 Continue
◦ Cyber stalking is a technologically-based "attack" on one person who has been targeted specifically for that attack for reasons of anger, revenge or control.
 Using this technique, a criminal follows a victim by harassing or persecuting him/her with unwanted and obsessive attention through e-mails, forum chat, etc.

30 Continue
 Cyber stalking may take the form of:
  harassment, embarrassment and humiliation of the victim;
  emptying bank accounts or other economic control, such as ruining the victim's credit score; harassing family, friends and employers to isolate the victim;
  scare tactics to instil fear, etc.

31 Cyber-Stalking

32 Continue
◦ Cyber obscenity is closely associated with cyber stalking.
 In this technique, a criminal transmits distasteful, obscene or offensive material through the Internet to another person
 Distribution of indecent/obscene material is criminalised by most countries, and such prohibitions extend to the Internet

33 Continue
 Publication of offensive material is an offence and may also be defamatory
 However, what is offensive in one country may not be so in another.
 This causes great disparity in the laws regulating offensive material on the Internet

34 Continue
◦ Software piracy
 This encompasses a range of forms of conduct, such as:
  Unlawful multiple installation
  End-user piracy
  Client/server piracy
  Online piracy
 Software piracy infringes intellectual property rights (IPR) and mostly gives rise to civil rather than criminal liability
 However, IPR law also provides criminal sanctions, which may apply to software piracy

35 Continue
◦ Use of unlawful devices and unlawful programs
 Because of the various threats posed by electronic technology, companies and governments have developed security measures to help prevent unauthorised access to, or use of, certain information
 Criminals frequently use sophisticated technology to intrude into these protected systems so as to commit crimes

36 Continue
 More often, criminals use devices or programs that can defeat the security system or any protected material
 E.g., criminals may use skimming devices to capture all the data contained on a card's magnetic stripe and thereafter, with the assistance of a computer terminal, download that data and use it for unlawful activity, including credit card fraud


38 Continue
◦ Spoofing and phishing
 Phishing is the extraction of confidential information from bank/financial institution account holders by deceptive means.
 Phishing is a general term for e-mails, text messages and websites fabricated and sent by criminals and designed to look as if they come from well-known and trusted businesses, financial institutions and government agencies, in an attempt to collect personal, financial and sensitive information. It is also known as brand spoofing.

39 Continue
 E.g., a criminal may send a scam message, often in the form of an e-mail, informing the victim that his e-mail address has won a certain sum of money, having been randomly selected from many addresses in a draw conducted on a certain date.
 Characteristics
◦ The content of a phishing e-mail or text message is intended to trigger a quick reaction from you. It may use upsetting or exciting information, demand an urgent response, or employ a false pretence or statement.

40 Continue
◦ Typically, phishing messages will ask you to "update", "validate" or "confirm" your account information or face dire consequences. They might even ask you to make a phone call.
◦ Often, the message or website includes official-looking logos and other identifying information taken directly from legitimate websites.

41 Continue
 The criminal may ask the victim to verify his e-mail details (pretending that this is for security purposes) and to send back his full details, including bank account details, promising that the money will be deposited into that account as soon as the correct details are received.
 Sometimes the criminal directs the victim to a certain website, again pretending that this is for security reasons

42 Continue
 Brand spoofing is the impersonation of a trusted organisation (its name, logos and look) in messages and websites so that victims hand over credentials or money. It should be distinguished from spoofing in the network sense, which is a technique of getting one computer on a network to pretend to have the identity of another computer, usually one with special access privileges, so as to obtain access to other computers on the network.
 Government, financial institutions and online payment services are common targets of brand spoofing.
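The phishing characteristics on slides 38 to 42 (a message claiming a trusted brand but sent from another domain, urgency wording, requests to "update", "validate" or "confirm" credentials, and links whose visible text names one site while the link goes elsewhere) can each be checked mechanically. The following is an added example, not part of the original lecture: a heuristic scorer run over two constructed messages. The brand-to-domain table, the keyword lists, the weights and the sample messages are all assumptions made for illustration; a production mail filter would add sender authentication (SPF/DKIM/DMARC) and URL reputation on top of checks like these.

```python
"""Heuristic phishing / brand-spoofing scorer over constructed messages.

Added example; not code from the original lecture. Brand table, keyword
lists, weights and the two sample messages are assumptions for illustration.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Wording that pushes the reader to act at once (slides 39-40).
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|within 24 hours|suspended|verify|validate|confirm|update your)\b",
    re.I)
# Secrets a legitimate institution does not ask for by e-mail (slide 41).
SECRET_RE = re.compile(r"\b(password|pin|account number|card number|login details)\b", re.I)
# HTML anchors: href target and the text the reader actually sees.
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Assumed: brands we protect and the domains they legitimately send from.
TRUSTED_BRANDS = {"Bank of Example": {"example-bank.com"}}

# Constructed sample messages (not real mail).
PHISH_MSG = {
    "from": "Bank of Example Security <alerts@example-secure-login.net>",
    "subject": "URGENT: validate your account within 24 hours",
    "body": ('Dear customer, your account will be suspended. Please '
             '<a href="http://198.51.100.23/login">https://www.example-bank.com/login</a> '
             'to confirm your password and account number.'),
}
LEGIT_MSG = {
    "from": "Bank of Example <notify@example-bank.com>",
    "subject": "Your monthly statement is ready",
    "body": ('Your statement for January is available. Sign in at '
             '<a href="https://www.example-bank.com/statements">'
             'https://www.example-bank.com/statements</a>.'),
}


def sender_parts(from_header):
    """Split 'Display Name <user@domain>' into (display name, lower-cased domain)."""
    name, addr = parseaddr(from_header)
    return name, addr.rpartition("@")[2].lower()


def link_mismatches(body):
    """Links whose visible text names one host but whose href points to another."""
    bad = []
    for href, text in ANCHOR_RE.findall(body):
        shown = urlparse(text.strip()).netloc.lower()   # host the reader sees
        real = urlparse(href.strip()).netloc.lower()    # host the browser goes to
        if shown and real and shown != real:
            bad.append((shown, real))
    return bad


def score_message(msg, trusted_brands=TRUSTED_BRANDS):
    """Return (score, reasons); a higher score means more phishing indicators."""
    score, reasons = 0, []
    name, domain = sender_parts(msg["from"])
    # Brand spoofing: display name claims a brand, sender domain is not the brand's.
    for brand, domains in trusted_brands.items():
        if brand.lower() in name.lower() and domain not in domains:
            score += 3
            reasons.append(f"brand spoofing: '{name}' sent from {domain}")
    text = f'{msg["subject"]} {msg["body"]}'
    if URGENCY_RE.search(text):
        score += 2
        reasons.append("urgency / update-validate-confirm wording")
    if SECRET_RE.search(text):
        score += 2
        reasons.append("asks for credentials or account details")
    for shown, real in link_mismatches(msg["body"]):
        score += 3
        reasons.append(f"link shows {shown} but goes to {real}")
    return score, reasons


def is_phishing(msg, threshold=5):
    """Decision rule: flag when the combined indicator score reaches the threshold."""
    return score_message(msg)[0] >= threshold


if __name__ == "__main__":
    for label, m in (("phish", PHISH_MSG), ("legit", LEGIT_MSG)):
        print(label, score_message(m))
```

On the sample, the spoofed message collects all four indicators (score 10) while the genuine statement notice scores 0. The link check is the one most worth keeping even in a crude filter: a visible `https://www.example-bank.com/...` that actually points at a bare IP address is the classic phishing tell and is invisible to the reader without hovering over the link.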


44 Legislative Measures
 In Tanzania (TZ), before 2010 there was no specific law enacted to regulate cyber crimes
◦ The Law Reform Commission (LRC) prepared a proposed Bill:
 Computer and Computer-related Crimes Bill, which aimed at regulating:
  Illegal access to, and interference with, computer systems
  Use of illegal devices
  Interference with data and computer systems

45 Continue
  Publication of immoral materials (e.g. obscenity, incitement to hatred, material harmful to children, etc.)
  Production of computer viruses, worms, logic bombs, etc.
  Powers of authorised officers to search and seize computer systems/e-devices and access data
  Powers of authorised officers to prosecute cyber-crimes

46 Continue
 The response of the Government was the recent enactment and passing by Parliament of the Electronic and Postal Communications Act, 2010 (Act No. 3 of 2010)
 Part VI of the Act establishes offences and penalties in relation to:
◦ Electronic communications: ss. 116-124
◦ SIM cards: ss. 125-137
◦ Postal communications: ss. 138-150
◦ Additional offences and penalties: ss. 151-160
 The new law has also made a number of amendments to the TCRA Act and the Fair Competition Act

47 Continue
 It is significant to note that some commonly known cyber-crimes have been criminalised under the new law. These include:
◦ Offences relating to interception of electronic communications: s. 120
◦ Offences relating to interference with electronic communications: s. 123
◦ Fraudulent use of electronic services: s. 122
◦ Unauthorised access to or use of a computer system: s. 124
◦ Transmission of obscene materials: s. 118

48 Continue
 S. 124(1) of the Act establishes a National Computer Emergency Response Team (CERT), whose role is:
◦ To coordinate the response to cyber security incidents at the national level
◦ To cooperate with regional and international entities involved in the management of cyber security incidents
 With hardly one year of operation, it is hard to begin assessing the effectiveness of this new law

49 Continue
 However, one can already see challenges in this new law, for instance:
◦ The penalties imposed for some of the offences, e.g. unauthorised access to or use of a computer system:
  A sentence not exceeding 3 months, or a fine of not less than Tsh 500,000/=, or both
  While the fine is left without a stated maximum, the sentence is capped by a maximum, whereas (in the lecturer's view) it should have been set by a minimum
◦ Enforcement of the law in a society where computer literacy is still low is another problem

50 Continue
 Other jurisdictions
 The Council of Europe's Convention on Cybercrime
◦ In the absence of a broader international instrument to regulate and criminalise cyber crimes, this regional instrument has become the leading international instrument in this field

51 Continue
◦ The Convention criminalises cyber crimes in four categories:
 Offences against the confidentiality, integrity and availability of computer data and systems:
  Illegal access
  Illegal interception
  Data and system interference
 Computer-related offences:
  Computer-related forgery
  Computer-related fraud

52 Continue
 Content-related offences:
  Child pornography (the Convention's content-related article is limited to child pornography; other obscene material is left to domestic law)
 Offences related to infringements of copyright and related rights:
  Software piracy, etc.
 Other countries' laws are closely aligned with this Convention, e.g.:
◦ The Computer Misuse Act 1990 (UK), which predates the 2001 Convention but was amended in 2006 to align with it (notably on denial of service and on making or supplying hacking tools)
◦ The Electronic Communications and Transactions Act 2002 (South Africa)

53 Case law analysis
 Unauthorised access to computer systems (hacking)
 McKinnon v Government of the USA and another [2008] UKHL 59
  Accessed 97 US Navy, Army, NASA and Pentagon computers
  Read paras 11-16 of the judgment for the facts of the case
  An order for his extradition from the UK to the US was granted, and the appellant challenged that order
  The House of Lords dismissed his appeal against extradition

54 Continue
 Unauthorised access/use by an authorised user
 S v Douvenga (2003)
  A secretary tried to e-mail certain information obtained from a database to a competitor
  The secretary was authorised to access the data (she held a password)
  The issue was whether a person who is authorised to access certain information can be liable for unauthorised access when accessing it for an unlawful purpose
  The court found that this was unauthorised access

55 Continue
 DPP v Bignall [1998] 1 Cr App R 1
  Police officers obtained access to data held on the Police National Computer for private purposes
  No crime: the officers were entitled to access the data, so their access was held to be authorised despite the improper purpose
 R v Bow Street Magistrates' Court, ex p Allison [1999] 4 All ER 1
  The accused was authorised to access certain data, but that access enabled access to other data
  The court held that authorisation relates not only to the type of data but also to the type of access (i.e. the purpose of the access)

56 Continue
◦ Denial of service (DoS) attacks
  Flood servers with multiple requests or congest communication links
 DPP v Lennon [2006] EWHC 1201 (Admin)
  The accused downloaded a mail-bombing program and used it to bombard his former employer with e-mails
  The court held that a person does not consent to receive e-mails that are sent to disrupt the proper operation and use of the system, so the sending was unauthorised

57 Continue
◦ Extortion and malicious damage to property
◦ In S v Howard (unreported, case no. 41/258/02), Johannesburg Regional Magistrates' Court
  One of the issues was whether the erasure of digital data in a computer system amounts to malicious damage to property

58 Continue
  The court answered this issue in the affirmative, because the hard drive of a network server was damaged after it had attempted to reboot 256 times and the file loadtrm.exe had been altered, both as a result of the hacker's interference with the system
  The court found that, because the point-of-sale systems were rendered unusable for some time, temporary damage had been done to corporeal property

59 Conclusion
 The main challenge facing states in regulating ICT-related crimes is the lack of universal guidelines on the legislative measures that can be used to combat such crimes. It remains for domestic and regional initiatives to deal with these modern threats. Thus, until there are uniform standards, these threats will remain with us.

