Cyber Crimes in Malaysia

CYBER CRIMES IN MALAYSIA AND U.S.A.: WHAT SHOULD WE DO IN MALAYSIA?

1. INTRODUCTION

Webopedia defines cyber crime as encompassing any criminal act dealing with computers and networks (called hacking). Additionally, cyber crime also includes traditional crimes conducted through the Internet. For example, hate crimes, telemarketing and Internet fraud, identity theft, and credit card account thefts are considered to be cyber crimes when the illegal activities are committed through the use of a computer and the Internet.

(Source: http://www.webopedia.com/TERM/C/cyber_crime.html)

The Computer Crime Research Centre defines cybercrime as crimes committed on the internet using the computer as either a tool or a targeted victim. It is very difficult to classify crimes in general into distinct groups, as many crimes evolve on a daily basis. Even in the real world, crimes like rape, murder or theft need not necessarily be separate. However, all cybercrimes involve both the computer and the person behind it as victims; it just depends on which of the two is the main target.

Hence, the computer will be looked at as either a target or tool for simplicity’s sake. For example, hacking involves attacking the computer’s information and other resources. It is important to take note that overlapping occurs in many cases and it is impossible to have a perfect classification system. (Source: http://www.crime-research.org/articles/joseph06/)

The Free Dictionary defines cybercrime more simply: crime committed using a computer and the internet to steal a person's identity or sell contraband or stalk victims or disrupt operations with malevolent programs. (Source: http://www.thefreedictionary.com/cybercrime)

Perhaps the most elaborate definition of cybercrime is from www.techterms.com. It defines cybercrime as criminal activity done using computers and the Internet. This includes anything from downloading illegal music files to stealing millions of dollars from online bank accounts. Cybercrime also includes non-monetary offenses, such as creating and distributing viruses on other computers or posting confidential business information on the Internet.

Perhaps the most prominent form of cybercrime is identity theft, in which criminals use the Internet to steal personal information from other users. Two of the most common ways this is done are phishing and pharming. Both of these methods lure users to fake websites (that appear to be legitimate), where they are asked to enter personal information. This includes login information, such as usernames and passwords, phone numbers, addresses, credit card numbers, bank account numbers, and other information criminals can use to "steal" another person's identity. For this reason, it is smart to always check the URL or Web address of a site to make sure it is legitimate before entering your personal information.

Because cybercrime covers such a broad scope of criminal activity, the examples above are only a few of the thousands of crimes that are considered cybercrimes. While computers and the Internet have made our lives easier in many ways, it is unfortunate that people also use these technologies to take advantage of others. (Source: http://www.techterms.com/definition/cybercrime)

2. CLASSIFICATION OF CYBER CRIMES

Like traditional crime, cybercrime has many different facets and occurs in a wide variety of scenarios and environments. Current definitions of cybercrime have evolved experientially. They differ depending on the perception of both observer/protector and victim, and are partly a function of computer-related crimes' geographic evolution.

There are four types of cyber crimes:

2.1 Cyber crime against Individual

i. Harassment via e-mails.
iii. Dissemination of obscene material.
iv. Defamation.
v. Unauthorized control/access over computer system.
vi. Indecent exposure
vii. Email spoofing
viii. Cheating & Fraud

2.2 Cyber crime against Property

i. Computer vandalism.
ii. Transmitting virus.
iii. Netrespass
iv. Unauthorized control/access over computer system.
v. Intellectual Property crimes
vi. Internet time thefts

2.3 Cyber crime against organisation

i. Unauthorized control/access over computer system
ii. Possession of unauthorized information.
iii. Cyber terrorism against the government organization.
iv. Distribution of pirated software etc.

2.4 Cyber crime against society

i. Pornography (basically child pornography).
ii. Polluting the youth through indecent exposure.
iii. Trafficking
iv. Financial crimes
v. Sale of illegal articles
vi. Online gambling
vii. Forgery

Cybercrime could reasonably include a wide variety of criminal offences and activities. The scope of this definition becomes wider with a frequent companion or substitute term 'computer-related crime'. The examples of activities that are considered cybercrime can be found in the United Nations Manual on the Prevention and Control of Computer-Related Crime. The manual includes fraud, forgery, computer sabotage, unauthorised access and copying of computer programs as examples of cyber crime.

3 COMPARISON OF CYBER CRIMES IN MALAYSIA AND USA

3.1 Cyber crimes in Malaysia

According to MyCert's manager Solahuddin Shamsuddin, cyber crime in Malaysia includes illegal activities done with malicious purposes, from electronic hacking to denial of service attacks, that cause great monetary loss to the affected victim. The types of cybercrime reported in Malaysia through MyCert include intrusions (Web defacement), harassment, destruction of computers, denial of service, frauds, forgery, phishing scams, mailbomb and copyright piracy.

According to him, Malaysia was among the first few countries in the world to introduce cyberlaws such as the Computer Crimes Act 1997. This cyber law addresses and looks into areas of cybercrime activities. Despite the lengthy definitions provided by various sources, the definition of cybercrime will change along with the evolution of IT. A recent report on the latest trends and statistics on cybercrimes in Malaysia noted that cybercrime is on the rise and getting more sophisticated.

A total of 117 cases involving RM451,000 in losses were taken to court under the Communications and Multimedia Act 1998 between January and last month, compared to 35 last year, while 857 cases were charged in court under the Computer Crimes Act 1997 last year, with losses totalling RM2.9 million, while 355 cases have been hauled up to court from January to last month. Among the offences under the Act were hacking, computer viruses and fraudulent withdrawals of cash using fake ATM cards.

According to Paladion Networks (M) Sdn Bhd's country manager Sreeraj Gopinathan, cybercrime includes a wide range of activities, from sending rumours and defamatory messages, to sending mails to unsuspecting banking customers and luring them to give out personal details (phishing), to the more "direct" crimes, including transferring money from others' accounts, stealing critical information, etc. He noted that authorities were able to trace the people behind the e-mail scam and the more recent Web log incident.

Despite the current manageable level of cyber crime, CyberSecurity Malaysia has highlighted the need for more trained cyber professionals to deal with the growing problem.

CEO retired Lt. Col. Husin Jazri said, “I do not want to claim we have a lack of experts or our experts are enough to solve problems but we need to collaborate to produce more experts,” according to Mysinchew.

As Internet use continues to rise across the globe, maintaining an adequate number of cyber professionals is essential to keep pace with this growth. During discussions with the press, Jazri said he was not concerned with banks, but with individual victims.

“I’m not worried about the banks. They have a lot of money to secure their systems. They can have the world’s best consultant to look into their security systems,” he said. “It’s the human part that gets affected, not the technological part. The users become the victims. When the users communicate to the banks, they are exposed to the social engineering, scams and other threats.”

He also highlighted the need to increase cyber education, a growing theme in cybersecurity discussions.

“We need to educate users on this fact which can contribute towards curbing the problem when they are aware of this aspect,” he said. “We should share know-how and identify the necessary strategy to address threats such as increasing risk of security breaches, identity theft, phishing and cyber terrorism.”

(Source: http://www.thenewnewinternet.com/2010/02/10/cybersecurity-malaysia-calls-for-more-cyber-experts/)

3.2 Cyber crimes in USA

(Source:http://www.ic3.gov/media/annualreport/2009_ic3report.pdf)

According to the recently released Norton Cyber Crime Report for 2011, 431 million adults worldwide were victims of cyber crime last year. The total cost of those crimes amounts to some $114 billion. This precise statement, however, hides an important problem: we actually lack comprehensive data for assessing the true scale and scope of cyber crime. This is because we primarily rely on businesses to voluntarily self-report incidents of attacks and intrusions without any means to verify their statements. To turn the tide in the fight against cyber crime, we first need to know its true impact on the world economy. (Source: http://www.symantec.com/content/en/us/home_homeoffice/html/ncr/)

The recently published report, Second Annual Cost of Cyber Crime Study, by the Ponemon Institute, a U.S. based information security policy research center, is another good case in point. The report states that "over the past year, the median cost of cyber crime increased by 56 percent and now costs companies an average of $6 million per year." This statistic was compiled using a self-report survey of 50 U.S. based businesses.

The reason businesses routinely under-report incidents of cyber crime is that most information on cyber crime losses is derived from surveys; that is, statisticians merely send questionnaires to companies and hope they are answered in good faith. Businesses have vested self-interests in under-reporting incidents since they either do not want to lose consumer confidence or be held accountable by shareholders or boards. Consequently, the data we collect from such surveys has very low predictive power and cannot serve as a basis for informed policy formulation.

What most people do not realize is that cyber criminals do not have to be too sophisticated to inflict major damage. Cheap malware that can be purchased online often suffices. The real danger to a country's economy arises from advanced persistent threats (APTs) -- highly sophisticated and long-planned intrusions often executed with state sponsorship. Jeffrey Carr, a U.S. based cyber security expert, recently stated that the biggest threat is the theft of intellectual property in high-value technology and energy assets. Here too under-reporting is endemic.

One report claims that U.S. intellectual property theft -- an APT -- costs 750,000 jobs annually, much of which is conducted via cyber space. The validity of this number, however, is questionable since many APT attacks either are not detected or are kept secret for many years. Most companies do not even know that they are under attack, and if they do know, companies are not willing to share data because we lack a trusted entity to collect it.

There are dozens of public- and private-led cyber security data distribution forums in existence already, but their number, scope, and diversity make for a complex environment where sharing information is very difficult. What is needed is the equivalent to the U.S. Center for Disease Control and Prevention, an umbrella organization coordinating the different activities of forums and which could conduct broad analysis into cyber space. In the United States the National Security Telecommunication Advisory Committee provides a good model for sharing and normalizing threat data that could be generalized to various initiatives from defense, finance, or information-based industries.

Such a new umbrella organization could induce private sector companies to voluntarily provide at least a modicum of raw statistical data about their performance. For example, the data breach reports should be "anonymized," which will, from a business perspective, facilitate sharing. With this minimal data, rudimentary statistics could be compiled and common responses developed. The main focus here should be on data treatment and distribution. Data must be usable and accurate enough to enable action and suppress vulnerabilities in companies.

The significant disconnect within many corporations, where internal security experts are unable to justify increased security methods or spending due to a lack of measured information, presents a grave danger to the well-being of our global economy. Having trusted measures and performance benchmarks will significantly reduce this information gap between security and executive leadership in organizations. It will help formulate more cost effective defense strategies against cyber crime. Better detection rates of attacks, faster responses to incidents, and sounder policy formulations will make companies more secure and consequently more competitive in the global market. As Gordon Gekko stated in Wall Street: "The most valuable commodity I know of is information." This has never been truer than in the age of cyber space.

4 SUGGESTIONS

Malaysia has a set of cyberlaws that has been passed by Parliament to provide a comprehensive framework of societal and commerce-enabling laws, which encompass aspects concerning security of information and network integrity and reliability.

These include, among others, the Digital Signature Act 1997, Computer Crimes Act 1997, Communications and Multimedia Act 1998, and the Optical Disk Act 2000.

Meanwhile, Association of Computer and Multimedia Malaysia (Pikom) Info Security Special Interest Group Chairman Dr Wong Say Ho said the Oxford Reference Online defines cybercrime as crime committed over the Internet while the Encyclopaedia Britannica defines cybercrime as any crime that is committed by means of special knowledge or expert use of computer technology.

In July 2007, Federal Territory Umno Youth head Datuk Norza urged the government to set up a Malaysian Cyber Police unit in order to take action against the bloggers. In view of the recent numerous arrests of bloggers, we do need cyber police in Malaysia now.

However, the following questions will arise: what is the main duty of cyber police, and is our existing enforcement body capable of dealing with cyber crimes now?

It is suggested that the cyber police unit function as a police department dealing with cyber crimes. The broad definition of cyber crimes is “wrongful act committed using computer as a tool or a target of the said act or both.” As such, it seems that the basic requirement to join the cyber police unit is IT savviness, as its members may be required to hack into certain systems, track the source of visitors/users and so on.

However, the alleged offences committed by bloggers in Malaysia mostly relate to making defamatory/seditious statements via computer. This falls under the broad definition of the abovementioned “cyber crime”. In view of the rapid development of e-commerce in Malaysia, we still need cyber police to handle other cyber crimes like fraudulent online payment cases, illegal hacking activities and others.

5 CONCLUSION

Cyber crime definitely must be taken seriously. Attacks can come from a computer across the room or computers located in another country. The threat could be external or it could be internal. It may have financial impact, it may deal with child pornography or it may be related to cyber terrorism. Because the number of computer crime cases has increased over the years (with many more unreported), the development of computer crime laws and policing initiatives must grow in tandem. Tackling computer crime is similar to tackling computer security; we have to start from the basics and address one thing at a time. As long as there is a system in place to punish the wrongdoers, and as long as there is public awareness of the potential seriousness of such crimes, I believe that there will be much headway in computer crime law and investigation in the coming years in Malaysia and around the world. One important element that I found to be similar between most of the cases was the strength of the investigation team and the support it has received from its counterparts, whether locally or internationally.

REFERENCES

4.1 Parker, D.B., Fighting Computer Crime, New York 1983

4.2 David S. Wall (ed.), Crime and the Internet, London: Routledge, 2001

4.3 Department of Justice’s (US) Computer Crime and Intellectual Property Section of the Criminal Division of the U.S. Department of Justice.

4.4 Fafinski, Stefan, Dutton, William H. and Margetts, Helen Zerlina, Mapping and Measuring Cybercrime (June 1, 2010). OII Working Paper No. 18. Available at SSRN: http://ssrn.com/abstract=1694107

4.5 http://www.usdoj.gov/criminal/cybercrime/index.html

4.6 http://www.justice.gov/criminal/cybercrime/cyberstalking.htm

4.7 http://www.symantec.com/content/en/us/home_homeoffice/html/ncr/

4.8

Appendix

The 10 Most Mysterious Cyber Crimes

The best criminal hacker is the one that isn't caught—or even identified. These are 10 of the most infamous unsolved computer crimes (that we know about).

By Corinne Iozzio, September 26, 2008

The most nefarious and crafty criminals are the ones who operate completely under the radar. In the computing world security breaches happen all the time, and in the best cases the offenders get tracked down by the FBI or some other law enforcement agency.

But it's the ones who go uncaught and unidentified (those who we didn't highlight in our Cyber Crime Hall of Fame) that are actually the best. Attempting to cover your tracks is Law-Breaking 101; being able to effectively do so, that's another story altogether.

When a major cyber crime remains unsolved, though, it probably also means that those of us outside the world of tech crime solving may never even know the crime occurred.

These are some of the top headline-worthy highlights in the world of unsolved computing crime—cases in which the only information available is the ruin left in their wake.

The WANK Worm (October 1989)

Possibly the first "hacktivist" (hacking activist) attack, the WANK worm hit NASA offices in Greenbelt, Maryland. WANK (Worms Against Nuclear Killers) ran a banner (pictured) across system computers as part of a protest to stop the launch of the plutonium-fueled, Jupiter-bound Galileo probe. Cleaning up after the crack has been said to have cost NASA up to a half of a million dollars in time and resources. To this day, no one is quite sure where the attack originated, though many fingers have pointed to Melbourne, Australia-based hackers.

Ministry of Defense Satellite Hacked (February 1999)

A small group of hackers traced to southern England gained control of a MoD Skynet military satellite and signaled a security intrusion characterized by officials as "information warfare," in which an enemy attacks by disrupting military communications. In the end, the hackers managed to reprogram the control system before being discovered. Though Scotland Yard's Computer Crimes Unit and the U.S. Air Force worked together to investigate the case, no arrests have been made.

CD Universe Credit Card Breach (January 2000)

A blackmail scheme gone wrong, the posting of over 300,000 credit card numbers by hacker Maxim on a Web site entitled "The Maxus Credit Card Pipeline" has remained unsolved since early 2000. Maxim stole the credit card information by breaching CDUniverse.com; he or she then demanded $100,000 from the Web site in exchange for destroying the data. While Maxim is believed to be from Eastern Europe, the case remains as of yet unsolved.

Military Source Code Stolen (December 2000)

If there's one thing you don't want in the wrong hands, it's the source code that can control missile-guidance systems. In winter of 2000, a hacker broke into government-contracted Exigent Software Technology and nabbed two-thirds of the code for Exigent's OS/COMET software, which is responsible for both missile and satellite guidance, from the Naval Research Lab in Washington, D.C. Officials were able to follow the trail of the intruder "Leaf" to the University of Kaiserslautern in Germany, but that's where the trail appears to end.

Anti-DRM Hack (October 2001)

In our eyes, not all hackers are bad guys (as evidenced by our list of the Ten Greatest Hacks of All Time); often they're just trying to right a wrong or make life generally easier for the tech-consuming public. Such is the case of the hacker known as Beale Screamer, whose FreeMe program allowed Windows Media users to strip digital-rights-management security from music and video files. While Microsoft tried to hunt down Beale, other anti-DRM activists heralded him as a crusader.

Dennis Kucinich on CBSNews.com (October 2003)

As Representative Kucinich's presidential campaign struggled in the fall of 2003, a hacker did what he could to give it a boost. Early one Friday morning the CBSNews.com homepage was replaced by the campaign's logo. The page then automatically redirected to a 30-minute video called "This is the Moment," in which the candidate laid out his political philosophy. The Kucinich campaign denied any involvement with the hack, and whoever was responsible was not identified.

Hacking Your MBA App (March 2006)

Waiting on a college or graduate school decision is a nail-biting experience, so when one hacker found out how to break into the automated ApplyYourself application system in 2006, it was only natural that he wanted to share the wealth. Dozens of top business schools, including Harvard and Stanford, saw applicants exploiting the hack in order to track their application statuses. The still-unknown hacker posted the ApplyYourself login process on Business Week's online forums; the information was promptly removed and those who used it were warned by schools that they should expect rejection letters in the mail.

The 26,000 Site Hack Attack (Winter 2008)

MSNBC.com was among the largest of the thousands of sites used by a group of unknown hackers earlier this year to redirect traffic to their own JavaScript code hosted by servers known for malware. The malicious code was embedded in areas of the sites where users could not see it, but where hackers could activate it.

Supermarket Security Breach (February 2008)

Overshadowed only by a T.J. Maxx breach in 2005, the theft of at least 1,800 credit and debit card numbers (and the exposure of about 4.2 million others) at supermarket chains Hannaford and Sweetbay (both owned by the Belgium-based Delhaize Group) in the Northeast United States and Florida remains unsolved more than six months later. Chain reps and security experts are still unclear as to how the criminals gained access to the system; the 2005 T.J. Maxx breach took advantage of a vulnerability in the chain's wireless credit transfer system, but Hannaford and Sweetbay do not use wireless transfers of any sort. Without more information, the difficulty in tracking down those responsible grows exponentially.

Comcast.net Gets a Redirect (May 2008)

A devious hack doesn't always mean finding a back door or particularly crafty way into a secure network or server; sometimes it just means that account information was compromised. Such was the case earlier this year when a member of the hacker group Kryogeniks gained unauthorized access to Comcast.net's registrar, Network Solutions. The domain name system (DNS) hack altered Comcast.net's homepage to redirect those attempting to access webmail to the hackers' own page (pictured). Spokespeople for Comcast and Network Solutions are still unclear as to how the hackers got the username and password.
