Chapter 15
Cybercrime Management: Legal Issues
CHAPTER SUMMARY
Overview
This chapter deals with identifying cybercrimes, developing a basic understanding of how such crimes can
occur over the Internet, and trying to find a way to deal with these criminal activities.

Cybercrimes: An Introduction
The U.S. Attorney General's Annual Report chronicles cybercrimes related to intellectual property. In addition,
the Bureau of Justice has begun a plan to collect cybercrime statistics and expects to survey 36,000 businesses in the
spring of 2005. For 2004, cybercrime statistics are available from the CSI/FBI Computer Crime and Security Survey
(http://i.cmpnet.com/gocsi/dbarea/pdfs/fbi/FBI2004.pdf). A sampling of the information in the report shows the most
common complaints within the last 12 months from the respondents:
Most common problems:
Virus attacks: 78%
Insider abuse of net access: 59%
Laptop/Mobile Theft: 49%
Unauthorized access to information: 39%
System penetration: 37%
Denial of service: 17%
Theft of proprietary information: 10%
System sabotage, financial fraud, and telecom fraud were at five percent or lower for the survey group.
Among the survey group, the estimated loss from cybercrimes for 2004 was $141,496,560. The six greatest
losses were attributed to viruses, denial of service attacks, theft of proprietary information, insider Internet abuse,
abuse of wireless network, and financial fraud.
15,001

Net Frauds

Net frauds ensnare unsuspecting Internet users into giving up their resources to an online criminal. The number
and variety of frauds that have occurred on the Internet defy classification. In traditional cases of fraud, the victim's
greed and unwariness lead to exploitation by the criminal. Greed and unwariness underlie net frauds also. Net frauds
are based on techniques that have been used in the past with letters and phone calls, but now criminals with no
more technological skill than knowing how to send e-mail are successfully executing these cybercrimes. The frauds
can range from bank fraud, in which a victim's bank account number is requested in order to deposit cash in the
perpetrator's account, to other schemes requesting a victim to go to a spoofed website to verify personal and account
information. Frequent fraud occurs at online auction sites as well.
15,011

Unauthorized Access to Network Assets

It is somewhat arbitrary to separate cybercrimes into different categories because these crimes are executed in
combination. Yet, unauthorized access to steal proprietary and financial information can be considered a distinct crime
from fraud. Traditional industrial espionage is considered to be the stealing of corporate proprietary information such

2009 CCH. All Rights Reserved.

Forensic and Investigative Accounting

as trade secrets or the willful destruction of information through unauthorized access. The key characteristic of this
crime is unauthorized access, and either employees or hackers can access a system without authorization.
Ransoming Information. One now-classic cybercrime is executed by a criminal group of hackers who break
into a business's computer networks. Once in the system, the hackers collect information such as customers' credit
card numbers or unreleased financial reports. Afterwards they contact the business and pose as security consultants
with recommendations as to how to correct the network's holes. They also make it clear that they will not release any
customers' account numbers if the business purchases security services. In return for this security service, the business
must deposit money into an untraceable foreign bank account.
Keeping Up with the Criminals. Although Internet financial frauds do not require a high level of technical
skill to implement, fraud schemes that begin with unauthorized system access require a criminal with advanced
technological skills. If the forensic investigator or law enforcement personnel cannot match the criminal's tech skills,
the crime will remain unsolved as investigators are left in the dark as to how the crime was committed.
15,021

Types of Unauthorized Access

Unauthorized access can come from inside the company as a disgruntled employee collects proprietary data with
the intention of selling it to competitors. Just as easily, the attack can come from outside the company. Outside attacks
may come from individuals in other countries where such cyber activities are legal. The five traditional methods that
can be used to gain access to a system without authorization are modem attack, software bugs, trusted server, social
engineering and wardriving.
Access Using Wardialers in Modem Attacks. Unauthorized modems may be installed on computer networks
by employees to allow them to access files while they are traveling. These modems are not secured by anything other
than a password.
A wardialer is a downloadable software program that allows a modem attacker to rapidly dial and check all
phone numbers within a given range. The wardialer produces a log to identify those numbers that are tied to a modem.
Once a modem is identified, the next step is to uncover the password used to access the modem. Once access is gained,
the specifics of further access to the network will vary greatly from site to site.
Access Via Buggy or Unpatched Software. The next method used to gain access to a system is to exploit a
software bug. Web servers have 65,535 possible access ports. The task of the attacker is to find the active ports and
determine the software that is used on these ports. Port scans are used to identify potential targets for gaining network
access. Once it is determined that a port is running software with a known bug, the attacker downloads the published
exploit (i.e., code to implement the attack), compiles the code, and uses the compiled program to enter the system.
Once inside the network, there are various actions that might be taken to collect proprietary information.
Access Via Trusted Server. Another traditional method for gaining access to a network is with zone transfers
and IP spoofing. The normal purpose of a zone transfer is to provide automatic, periodic updates of information about
changing network data for all trusted servers on that network. The attacker may decide that the best way to gain access
is to find the trusted servers of the targeted system. The attacker spoofs the trusted server's IP address and then gains
access to the targeted system.
There is a limited time period for the attacker to get into the targeted system. Consequently, the attacker will
place software on the targeted system to allow reentry at a later date. This process creates a backdoor. At a later date,
the attacker can come back and download proprietary information or take other actions.
Access Via Social Engineering. Another method in gaining unauthorized access is called social engineering,
which is any technique that is used to deceive an employee into revealing a password or access code.
Wardriving. Wardriving is the process of using an exploit to gain unauthorized access to a wireless system.

Criminality of Cybercrimes
15,031

When Is a Cybercrime Really a Cybercrime?

The previous section described activities that might be cybercrimes, but what is really a cybercrime is an
activity that has been made clearly illegal by the jurisdiction in which the crime was committed. Internet criminal

Textbook Solutions

activities can come from anywhere in the world. The laws of different countries do not uniformly consider every
activity described in the previous section as an illegal act.
Intangible Assets. Criminal codes are written to prevent fraud or protect tangible assets or intangible rights
such as intellectual property. Tangible assets have a physical presence and intellectual properties have legal property
rights attached to them. Information on the Internet and in computer databases represents intangible assets composed
of bits and bytes.
The most valued assets in a network are the bits and bytes that flow within it. Data in a computer or on the
Internet consists of electronic representations or pulses. Data needs to be analyzed before it becomes information and
receives protections under property statutes. The destruction of electronic representations may not be considered the
destruction of information or stealing because information is legally another formation that was not affected.
If the data is accessed but not used for any purpose, then no crime has been committed. Additionally, the
appropriation of the data for different purposes than it was originally collected is not considered a significant event
compared to the misappropriation or misuse of physical assets. Unauthorized access to data may not include the
interception of wireless transmissions that go through the walls of a building or that can be received off-site with
special detection equipment.
The unauthorized use of tangible assets means that the criminal had to be physically present on the owner's
property, i.e., a building or home. When computer data is misused or misappropriated, the criminal may only have an
electronic presence within the owner's property. Statutes may not provide for the recognition of criminal trespass, a
property crime, based on a virtual presence.
OECD Recommendations. In 1986, the Organization for Economic Cooperation and Development (OECD)
wrote a series of recommendations for their member states (listed in 15,031). The OECD defined the computer
crimes listed as illegal acts and recommended that member states adopt similar definitions in their national legislation.
Since 1986, there have been numerous new technologies used to attack computer networks.
Spoofing. Spoofing occurs when one misappropriates the identity of another. The entity whose identity is stolen
does not know misappropriation has occurred. Due to the ways the OECD recommendations were written, it is
questionable whether spoofing would be considered a crime.
Bots. Electronic robots (or bots) act as agents for a person to help make decisions based on information the
bots collect. Bots potentially can interact with other bots independently to make decisions without input from their
human user. Bots may be a violation of the OECD recommendations because they do not have the authorization of
the person responsible for the system to make these searches.
Technologies Not Foreseen by OECD. The OECD's recommendations were effective for the technology that
was available in 1986. Nineteen years later, these recommendations are not effective. All computer crime statutes face
a similar situation: they can become quickly outdated by new technologies.
When the laws are focused on specific activities, they become easier to circumvent. An example of an attempt
to circumvent a recently enacted law occurred when the Regulation of Investigatory Powers Act was passed in the
United Kingdom in 2000. The section dealing with the Investigation of Electronic Data Protected by Encryption
provides the government with authority to demand disclosure of any protected information traveling in the United
Kingdom as well as the key needed to decrypt any encrypted data in order to protect national security, detect crime,
or for economic well-being.
Chaffing. Chaffing is a term that is used to describe an Internet-based methodology for sending hidden messages.
It is a technique whereby the packets that route data over the Internet use hidden files in their headers. Chaffing mixes
packets of real information with random packets of white noise (i.e., mixtures of wheat with the chaff). Message
authentication codes (MACs) are used to identify all real information in the packets, but only the recipient can
separate the real packets from random packets using the authentication codes.
Chaffing hides information in plain sight, and the information does not have to be encrypted. As such, it is already in
an intelligible format and may not violate the encryption provisions of the Regulation of Investigatory Powers Act.
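The wheat-and-chaff separation described above, shown as an added example that is not part of the original chapter. The pre-shared MAC key, the (sequence number, payload, tag) packet layout, the one-byte payloads and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import random
import secrets
import struct
from collections import defaultdict

TAG_LEN = hashlib.sha256().digest_size  # 32-byte MAC tag


def _tag(key, seq, payload):
    """HMAC-SHA256 over the sequence number and the cleartext payload."""
    return hmac.new(key, struct.pack(">I", seq) + payload, hashlib.sha256).digest()


def add_chaff(key, message, chaff_per_byte=3):
    """Sender: one authentic packet per message byte plus random decoys.

    Each packet is (seq, payload, tag). Payloads are never encrypted; a decoy
    carries a different byte and a random tag that will not verify.
    """
    if not 1 <= chaff_per_byte <= 255:
        raise ValueError("chaff_per_byte must be between 1 and 255")
    rng = random.SystemRandom()
    packets = []
    for seq, byte in enumerate(message):
        wheat = bytes([byte])
        packets.append((seq, wheat, _tag(key, seq, wheat)))
        decoys = rng.sample([b for b in range(256) if b != byte], chaff_per_byte)
        for decoy in decoys:
            packets.append((seq, bytes([decoy]), secrets.token_bytes(TAG_LEN)))
    rng.shuffle(packets)
    return packets


def winnow(key, packets):
    """Recipient: keep only packets whose tag verifies, then reorder by seq."""
    wheat = {}
    for seq, payload, tag in packets:
        if hmac.compare_digest(tag, _tag(key, seq, payload)):
            wheat[seq] = payload
    return b"".join(wheat[seq] for seq in sorted(wheat))


def observer_view(packets):
    """What a party without the key sees: several readable candidates per seq."""
    candidates = defaultdict(set)
    for seq, payload, _tag_bytes in packets:
        candidates[seq].add(payload)
    return dict(candidates)


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)             # assumed pre-shared MAC key
    stream = add_chaff(shared_key, b"MEET AT NOON")  # constructed sample message
    print(len(stream), "packets on the wire")
    print("recipient recovers:", winnow(shared_key, stream))
    print("wrong key recovers:", winnow(secrets.token_bytes(32), stream))
    print("candidates for seq 0:", sorted(observer_view(stream)[0]))
```

For an examiner, the visible signature is the one `observer_view` exposes: several cleartext packets sharing a sequence number, each with a different payload and a MAC-sized trailer.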
Steganography. With steganography an unencrypted file can be hidden in a digital photo or wave file. The file
is compressed. Chaffing is just another form of steganography.

15,041

Legislation as Lagging Technology

It is difficult to enact legislation to incorporate specific restrictions for technologies that are continually changing.
It is expected that as legislation becomes specific in defining illegal activities, programmers will write code to attempt
to circumvent such statutes. On the other hand, broad-scoped legislative rules may entrap legitimate businesses.

Cybercrime Statutes
15,051

International Law

Although over 240 countries currently have IP domain registrations, the countries with cybercrime statutes are
fewer. A survey by Schjolberg found that some countries had no legislation, other countries had limited provisions,
and still other countries incorporated broader provisions for computer crime such as unlawful access, computer fraud,
taking computer data, releasing code that causes damage, or hindering access. When the attack on a company's
website is launched from one of the countries without cybercrime statutes but with IP domain registrations, the
forensic investigator may find little hope in providing a victimized company with restitution.
On November 23, 2001, the Council of Europe Convention on Cybercrime issued a model law for its member
states including transactional cooperation recommendations. The Council's model law has 48 sections for incorporation
into national laws on cybercrime. The Council's recommendations provide the most recent definitions of cybercrime
and call for international cooperation in prosecuting cybercriminals.
15,061

Federal Legislation

A number of federal statutes deal with cybercrime. The statutes outlaw counterfeit access devices that are
used for fraudulent purposes, and deal with fraud in connection with computers, communication lines, interception
of electronic communications, unlawful access to stored communications, the disclosure of confidential information
obtained as a provider of communication services, and disclosure of information to government agencies.
USA Patriot Act. The USA Patriot Act (Act), enacted by Congress in 2001, has strengthened U.S. cyber laws
and expanded cybercrime definitions. Under the Act, an activity covered by the law is considered a crime if it causes
a loss exceeding $5,000, impairment of medical records, harm to a person, or threat to public safety. The definition
of losses from computer attacks has been codified to include the losses of responding to the attack, conducting a
damage assessment, restoring the system to its previous condition, and any loss of revenue or costs incurred due to
the interruption.
Additionally, the dollar losses from an attack are described as aggregated losses, where they were not in the
past. Amendments make it easier for an ISP to make disclosures about unlawful customer actions without the threat
of civil liability to the ISP. Also of interest to forensic investigators are the revisions made by the Act whereby victims
of hackers can request law enforcement help in monitoring trespassers on their computer systems.
15,071

State Legislation

When new state computer crime statutes are enacted, they are usually added to that state's existing property
offense or criminal statutes. Such cybercrimes are viewed as part of traditional crime. Table 15.3 (see 15,071)
highlights computer crime statutes for the 50 states. Many of the states have separately-enacted money laundering,
identity theft, online gambling, cyberstalking and other Internet statutes in their codes. The statutes listed in the table
are state laws that are related to computer crimes. These statutes do not refer to cybercrimes as the statutes were
originally enacted when there was no Internet. Thus, legislative oversight in the acts tends to focus on computer
crimes, unlawful access, or property crimes.
The penalties and the dollar amount of loss recognized under the statutes vary considerably from state to state.
States appear to be revising their statutes to incorporate the prevailing criminal activity being used on the Internet, but
contemporary cybercrimes would not be considered illegal in a number of jurisdictions. The nature of computer crime
state legislation creates a network of problems for the forensic investigator in determining the legality of an activity
and whether it is jurisdictionally covered under a state's laws.

Guidelines for Cybercrime Management


Due to the borderless nature of Internet crimes, the forensic investigator faces a quandary in trying to identify
where and if a cybercrime has been committed within a legal jurisdiction. Further complicating the issue is that
law enforcement agencies may not have enough trained personnel to adequately investigate the majority of Internet
crimes.
15,081

KSAs for Fighting Cybercrime

The forensic accountant needs a set of basic technological knowledge, skills, and abilities (KSAs) in order to
help an employer or client who has been victimized. IT personnel cannot be relied upon for assistance because they
are not trained to investigate such crimes. The investigator needs to rely on a skill set that allows for the successful
tracing of the perpetrator, collection of meaningful information and courtroom evidence about the act, valuation of the
loss, and development of recommendations in security policy changes. A list of skills needed is provided in 15,081.
Without this basic skill set, the forensic accountant is at a loss in: (1) providing assistance to an employer
or client regarding the steps to take in securing a site; (2) collecting creditable evidence and loss valuations for
presentation to a law enforcement agency; (3) mounting a successful disciplinary action against an internal attacker;
and (4) recommending and guiding reasonable legal actions.
15,091

Filing Reports of Cybercrimes

In addition to collecting evidence of the cybercrime, the investigator should know where, besides law
enforcement, such crimes can be reported. There are a number of websites that collect information about events that
may be cybercrimes. Among businesses, however, there may be a concern that reporting such incidents will create
adverse publicity.
15,101

Conclusion

International organizations are beginning to call for reforms that allow the borderless Internet to come under
a more systemic set of laws and regulations. Additionally, revisions are taking place in existing laws to make them
compatible with new Internet technologies. Yet in order for the revisions and new laws to become effective they have
to be written in a way to prevent innocent actions from becoming illegal activities. At the same time, it cannot be
easy for criminals to circumvent the law.

SOLUTIONS TO CHAPTER EXERCISES


1. There is no one definition for cybercrime that everyone will agree upon. A possible definition might be
electronic crimes conducted over the Internet. This definition covers the range of crimes from traditional
crimes conducted over the Internet to newly created criminal activities that could not exist without the
Internet.
2. Because technology plays such an important role in committing a modern-day crime, the forensic accountant
needs to be familiar with the wide variety of methods that are used in these crimes. In order to protect a
client's assets from harm or damage, today's forensic accountant needs to be able to make technological
recommendations to secure those assets whether they are physical or electronic assets. Being familiar with
viruses, denial of service attacks, faked e-mails, and the laws of unauthorized access gives the forensic accountant
the background to intelligently discuss these attacks with experts and make the necessary recommendations
to protect a client's assets. In addition, the existing cybercrime statutes are always behind the cutting-edge
methods used by cyber criminals. Therefore, the forensic accountant needs to be able to fill that gap for their
clients.
3. The best step to stop well-known bugs from being used on a system is to keep the system's software updated
with the most recent software patches for preventing these exploits. Continually updating means that the
system administrator needs to continually monitor new hacker exploits in order to download the patches to
stop these exploits. All this information is available from a number of sites on the Internet.

4. Today there are numerous websites that provide the latest information and software for web hacking. It is not
illegal to put this information and downloadable hacker software on websites. The U.S. Constitution allows
for freedom of information. It may be illegal to use such software against a website. Yet, law enforcement
may gain information they could not otherwise obtain if it drove all these sites underground.
5. If a network attack was begun with social engineering, it is not necessary for the attacker to have any tech
skills. Access was gained because an employee revealed confidential information. Such an employee was not
properly trained in how to handle confidential network information, i.e., passwords, etc. Is it the employee's
fault? If no training about how to handle such situations exists, it is the fault of management, not the employee.
After a company has been accessed with social engineering methods, it needs to set up a training program for
its employees as well as policy statements about the proper procedures to follow in these situations.
6. When unauthorized access is viewed as a traditional property crime, it means that many of the legal
assumptions that underlie a property crime are being transferred into the electronic arena. Yet, if an attacker
has only a virtual presence, how can there be a property crime because the attacker was not physically there
as would be necessary in many property crimes? Consequently, the legal foundation upon which a cybercrime
is based is vital in determining if a crime has been committed.
Cybercrime statutes needed to be developed with a clearer understanding that these crimes cannot readily fit
under the traditional blanket of property, robbery, or racketeering statutes.
7. OECD's recommendation No. 3 states:
The input, alteration, erasure and/or suppression of computer data and/or computer
programmes, or other interference with computer systems, made willfully with the intent
to hinder the functioning of a computer and/or telecommunication system;

The first qualification in the recommendation is that it must be a willful act. Harmless hacking, i.e., visiting
a site without changing anything or causing interference may not be viewed as a willful act. This is the
first step in IP spoofing. If someone enters your network without causing damage only to gain access to a
second targeted network, they probably have not violated the recommendation. The recommendation was
written in 1986 when there were no wireless networks. It could be argued that any interference with wireless
networks was not considered to be a violation of the recommendation even in the face of the statement
about telecommunication system. If an attacker is only collecting information without interference, is it a
violation of the recommendation? Wireless attacks of any sort can likely be exploited without violating the
recommendation.
8. See the chapter section on Federal Legislation and the following website:
http://www.usdoj.gov/criminal/cybercrime/PatriotAct.htm.
9. The state statutes in Alaska are largely ineffective against cybercrimes. The students should check the Alaskan
state statutes to see if they have been updated (see site listed in Table 15.3). If the state's statutes have not been
updated, then the best choice is to try to interest federal law enforcement authorities in the crime against the
business. The threshold loss for a crime is $5,000, but unless it is a major crime, federal law enforcement is
not likely to be very interested or have the resources to pursue the criminal.
10. 15,031 provides a description of steganography and how it can be used. It is very difficult to detect a hidden
message in a cover file such as a digital photo. Analysis of hidden messages is called steganalysis. The students
should search for information on steganalysis on the Internet or get a copy of the entire paper, Steganography
and its Derivatives: Steganalysis and Chaffing. Steganalysis is a statistical technique that attempts to look
for an abnormal variance in the data of the cover file. If such a variance is detected, it does not mean that the
hidden information can be revealed as the data is usually encrypted. To be able to decrypt the data, a password
is needed. The password may be unrecoverable.
11. Students are expected to use the websites listed in Table 15.3 to check beyond the computer crime statutes
of the states of Nevada and Alaska. The students should be looking for statutes that deal with more specific
types of cybercrimes such as cyber stalking, Internet pornography, viruses, spam, electronic fraud, exploit
descriptions, encryption, and electronic espionage, for example.

12. Unauthorized Access. Texas computer crime statutes have provisions for unauthorized access that results in
damages to a computer system (see Table 15.3). The question that needs to be determined is whether Ted did
anything while he was logged into the network. It would be useful to learn how he logged into the network.
If he logged in using FTP, then those logs would need to be reviewed.
The skill set of the forensic investigator should allow for the investigation. Assuming that Texas Shipping
maintains a complete set of logs on its servers, the first step would be to review copies of those logs to
determine what Ted had been doing when he accessed the network. Help from the systems administrator at
Texas Shipping should be sought in getting copies of the logs. In addition, the event view files from the server
should be copied. If this preliminary investigation indicates that Ted may have altered files, then his act of
accessing the network is a more serious breach and potentially illegal.
If Texas Shipping insists that a legal action be filed, the forensic adviser should seek technical expertise to
image the drives rather than copy them. The size of the drives may make imaging an expensive process, but
in order for the evidence to be of courtroom quality the files will have to be imaged rather than copied. Once
the drives are imaged, files will have to be studied to determine any actions that Ted took while logged into
the system.
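A first pass over the FTP logs mentioned above, as an added example that is not part of the original solution. It assumes the server writes the xferlog transfer-log format used by wu-ftpd and ProFTPD; the sample entries, hosts, paths and helper names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample in xferlog format. Hosts, paths and the account "ted"
# are illustrative only; the last line is deliberately damaged.
SAMPLE_XFERLOG = """\
Thu Mar  4 08:12:30 2004 1 192.0.2.10 20480 /data/rates/q1.xls b _ o r ted ftp 0 * c
Thu Mar  4 08:13:02 2004 2 192.0.2.10 51200 /data/rates/q2.xls b _ o r ted ftp 0 * c
Thu Mar  4 08:15:47 2004 1 192.0.2.10 20992 /data/rates/q1.xls b _ i r ted ftp 0 * c
Thu Mar  4 08:16:05 2004 0 192.0.2.10 0 /data/rates/q2.xls b _ d r ted ftp 0 * c
Thu Mar  4 09:01:11 2004 1 198.51.100.7 1024 /pub/readme.txt a _ o a guest@example.com ftp 0 * c
this line is damaged and must be reported, not silently skipped
"""

# The 13 fields that follow the five date tokens in every xferlog entry.
FIELDS = ("transfer_time", "remote_host", "file_size", "filename",
          "transfer_type", "special_action", "direction", "access_mode",
          "username", "service", "auth_method", "auth_user_id", "status")

# Direction codes: o = outgoing, i = incoming, d = deleted (ProFTPD).
DIRECTIONS = {"o": "download", "i": "upload", "d": "delete"}


def parse_xferlog_line(line):
    """Split one xferlog entry into named fields; raise ValueError if malformed."""
    tokens = line.split()
    if len(tokens) != 18:
        raise ValueError("expected 18 fields, got %d" % len(tokens))
    record = dict(zip(FIELDS, tokens[5:]))
    record["when"] = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
    if record["direction"] not in DIRECTIONS:
        raise ValueError("unknown direction %r" % record["direction"])
    record["action"] = DIRECTIONS[record["direction"]]
    return record


def review_user(log_text, username):
    """Summarise what one account transferred and whether it changed any files."""
    report = {"download": [], "upload": [], "delete": [],
              "hosts": set(), "unparsed": []}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = parse_xferlog_line(line)
        except ValueError:
            # Keep the line number so the damaged entry can be examined by hand.
            report["unparsed"].append(lineno)
            continue
        if rec["username"] != username:
            continue
        report[rec["action"]].append(
            (rec["when"].isoformat(), rec["filename"], rec["status"]))
        report["hosts"].add(rec["remote_host"])
    # Uploads and deletions change server content; downloads alone do not.
    report["altered"] = bool(report["upload"] or report["delete"])
    return report


if __name__ == "__main__":
    result = review_user(SAMPLE_XFERLOG, "ted")
    for action in ("download", "upload", "delete"):
        for when, path, status in result[action]:
            print(action, when, path, "status=" + status)
    print("altered files:", result["altered"], "| unparsed lines:", result["unparsed"])
```

The transfer log records file transfers only, so a login with no transfers leaves no entry here and the server's authentication and event logs still have to be reviewed. Run it against a working copy of the log, never the original evidence.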
13. Computer Fraud? Marcie and Fred would be guilty of a federal crime if they took advantage of the
vulnerability in the system. They would not be guilty of unauthorized access, as described in the California
code (see Table 15.3), because they had access to the ACE system as employees at Save-Lot. They would be
guilty of exceeding their access to the computer system under state laws. Under United States Code (U.S.C.),
Title 18, Section 1030, they also would be guilty of interstate computer fraud.
Under other criminal statutes, not listed in the chapter, they would be guilty of wire fraud, as they would need
to use the phone lines to transmit the forged faxes.
14. Cybercrimes and Cybercrimes. The Convention on Cyber-Crime has a wider focus than the states' computer
crime legislation. The Convention tried to incorporate all cybercrime acts in its recommendations. State
legislation of a similar nature would not be contained within any state's computer crime laws. Instead these
acts would be found in several state statutes related to pornography, property, and criminal laws.
a. The Convention lists the following as cybercrimes:
• Unauthorized access of any part of a computer system.
• Infringing security measures.
• Unauthorized interception of nonpublic transmission of computer data including electromagnetic
emissions.
• Data interference through the damaging, deletion, deterioration, alteration or suppression of computer
data.
• Use of a device designed to commit any of the above crimes.
• Disclosing of passwords or access codes.
• Computer forgery is recognized as using inauthentic data with the intent that it will be considered for
legal purposes. The data can be encrypted data or other unintelligible form.
• Computer fraud is the fraudulent alteration, deletion, suppression, or interference of data or a computer
system.
• Distribution of child pornography through a computer system.
• Infringement of copyrights and other related rights such as movie and music rights.
• The aiding in the commission of these activities will also be considered a cybercrime.
• Legal persons and corporations will be liable for criminal offenses committed by an employee or other
for the benefit of the corporation.
b. The legislation shown in Table 15.3 is directly related to computer crimes, and other state statutes are not
reviewed. Still, the following provisions in the Convention are not found in state laws on computer crime.

Infringing security measures: Provisions in state legislation do not mention infringing security measures
such as breaking firewall protections on a computer system.
Unauthorized interception of nonpublic transmission of computer data including electromagnetic
emissions: The Conventions recommendations prevent the interception of wireless transmissions.
Such a restriction is not found in any state computer crime law. Interception of wireless transmissions
when not on company property, i.e., in a street outside the companys offices, would be considered
illegal under the Conventions guidelines.
Computer forgery is an issue in state codes, but these codes do not specifically mention files in unintelligible
form such as encrypted data or steganographic pictures. The Conventions recommendations would
clearly extend the criminal statutes to information formatted as unintelligible data.
Distribution of child pornography through a computer system: Within the states, such statutes would
be contained in laws specifically related to pornography. These unlawful acts would not be found in
computer crime statutes.
Infringement of copyrights and other related rights: It is likely that states would have such laws but
they are not found in the state computer crimes statutes. It can be argued that all computer crime laws
should be aggregated into one comprehensive cybercrime statute for each state. Examples of copyright
infringements are at Warez sites where stolen copies of top-rated Hollywood movies are available for
free download.
Legal persons' liability: None of the state statutes include legal person liability. A single individual
committing a cybercrime is included under the state statutes. If the individual commits the crime for
the benefit of the company where he is employed, the company would not be directly liable under state
statutes. An example of such a crime would be a Company B employee stealing business plans from
Competitor A's computer system in order to help Company B.
15. In-flight Crime. Article 22 in the Convention on Cyber-Crime deals with jurisdiction issues. The criminal
act is punishable under criminal law where it was committed [Art. 22(1)(d)]. Nicole committed the act on an
Air India plane. Assuming the plane flies under an Indian registry, then the crime would be prosecuted under
Indian laws.
16. Cyber Skill Set. There are a number of organizations that have training programs for learning the basic skills
listed in the chapter. Two organizations that provide such training are:
Foundstone (http://www.foundstone.com)
SANS Institute (http://www.sans.org)
In addition, there are a number of programs conducted by regional computer forensic crime groups or security
professionals. These programs are usually offered at modest prices.
17. Backdoors. The product loss on the cybercrime has been $4,000. The total loss for correcting the break-in
is going to go above another $1,000. Thus, a total loss of $5,000 makes the act a federal crime. It is unlikely
that any federal officials would be interested in investigating this cybercrime although the Patriot Act allows
for such investigations.
Higher Associates has several choices including:
a. Shut down the entire ordering system until they can determine how the hacker is able to continually reenter the system. After making that determination, Higher Associates can plug the hole in the system or
they can use it to try to catch the hacker.
b. A digital security firm can be hired to correct the problem and trap the hacker.
c. Contact local law enforcement to ask for assistance. Depending on who received the flowers, local law
enforcement may be able to determine who entered the system by using traditional law enforcement methods.
As the hacker has returned a number of times, a backdoor may have been placed on the system that allows
for easily repeated access. If so, the signature of software that can be used as a backdoor needs to be searched
for on Lotus Flowers systems.

18. Sniffing Around. Bring up WinDump in a command line DOS prompt, not by clicking on its icon on your
desktop. It should be in your program files, which you can enter from the C:
The command line code for using WinDump with Dice is:
windump -w windump.acp -s 1518
This command will save all the data into a file on your desktop. After a few minutes of allowing WinDump
to run, stop the program with Ctrl-C. You have now saved a mass of data into your WinDump file on your
desktop. Use Dice to open the file and the mass of data will be neatly categorized into columns and graphs
for your review. It is interesting to see the information that has been collected. It should also be realized that
sniffer programs, if left to run, could easily fill up a hard drive and crash the computer.
The information that has been collected can be used by a hacker to help them gain access to a network. In
order for an outside hacker to place the sniffer on a computer, they would already have complete access to
the system.
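WinDump's `-w` option writes a capture in the libpcap file format, so the kind of per-protocol breakdown described above can be reproduced with a short script. This is an added example, not from the textbook: the function names are hypothetical and the sample capture is constructed inline with documentation-range addresses. It also reports the file size and the frames cut off at the `-s` limit.

```python
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap file, microsecond timestamps
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def classify(frame: bytes) -> str:
    """Name the protocol of one Ethernet frame from its EtherType / IPv4 protocol byte."""
    if len(frame) < 24:
        return "short"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800:
        return IP_PROTOS.get(frame[23], "IPv4-other")
    return "ARP" if ethertype == 0x0806 else "other"

def summarize_pcap(data: bytes) -> dict:
    """Tally the packets in a capture file by protocol, as a viewer would."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    for end in ("<", ">"):  # the writer's byte order is detected from the magic
        if struct.unpack(end + "I", data[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic pcap file")
    snaplen, linktype = struct.unpack(end + "II", data[16:24])
    if linktype != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    protos, truncated, off = Counter(), 0, 24
    while off + 16 <= len(data):
        incl_len, orig_len = struct.unpack(end + "II", data[off + 8:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break  # last record cut short, e.g. capture stopped mid-write
        protos[classify(frame)] += 1
        truncated += incl_len < orig_len  # frame was longer than the -s limit
        off += 16 + incl_len
    return {"snaplen": snaplen, "packets": sum(protos.values()),
            "truncated": truncated, "bytes": len(data), "by_protocol": dict(protos)}

def build_sample(snaplen: int = 1518) -> bytes:
    """Constructed capture: TCP, UDP, ARP and one oversized ICMP frame (192.0.2.0/24 addresses)."""
    eth = lambda etype, body: b"\x02" * 12 + struct.pack("!H", etype) + body
    ip = lambda p: bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, p, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2])
    frames = [(eth(0x0800, ip(6)), 34), (eth(0x0800, ip(17)), 34), (eth(0x0806, b"\0" * 28), 42),
              (eth(0x0800, ip(1)).ljust(snaplen, b"\0"), 4000)]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for i, (frame, orig_len) in enumerate(frames):
        out += struct.pack("<IIII", 1_100_000_000 + i, 0, len(frame), orig_len) + frame
    return out
```

For a short capture, passing the file's bytes to `summarize_pcap` gives the same breakdown; the `bytes` figure is the one to watch given the disk-filling risk noted above.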
19. Hot Tip. This is a chance for the students to demonstrate how well they can write a letter-memo to a client.
a. The student should use the term "pump and dump" in their memo to Dan.
b. The student should explain the nature of a pump and dump scam. For example, they should indicate that
this is a common stock fraud whereby recipients of the e-mail buy the stock as the sender of the e-mail
sells their shares when the stock price begins to rise sharply. It should be indicated that this e-mail has
been sent to thousands of e-mail addresses in order to manipulate the price of this shallowly traded stock
over a short-term period.
c. The stock in the e-mail is usually one that only has a small market and typically limited trading occurs in
the stock.
d. The student should provide the URL for the SEC website where such security frauds can be reported and
volunteer to report it for their client.
e. If Dan is unconvinced, ask him to at least check the e-mail address from where he received the hot stock
tip. The e-mail address is not shown in the example, but in the real e-mail, the address is non-existent.
20. The answers are as follows:
(1) The purpose of the exercise is to see how dependent we are on digital communications in order for
the nation to keep operating. Part (1) can be done in the classroom, and students can then be assigned
separate infrastructures to submit later. The nation's critical infrastructures that could be separately or
jointly subjected to a cyberattack beyond the Internet include: (a) cell phone connectivity, (b) electric grid,
(c) stock markets, (d) travel connectivity (landing planes, scheduling trains), (e) transportation systems
(trucks, planes, ships), (f) law enforcement coordination, and (g) defense department actions.
(2) Today, the Internet is used for education and phone calls; e-agents communicate with each other to solve
problems such as scheduling; just-in-time (JIT) ordering and on-time product deliveries are conducted on
the Internet; e-retailers sell almost everything on the Internet; back and forth sending of debit and credit
card information occurs; private health information is sent; ATM transactions occur over the Internet
rather than with dedicated lines; stock trading and banking transactions are easily settled on the Net; option
trading, ticket sales, music downloads, and accounting data are pouring out over the Internet; auctions are
completed; travel bookings are finalized; e-mails are sent; software products are distributed and updated;
daily gambling and sport betting occurs; tax, license, tuition, and parking tickets are paid over the Internet;
chat rooms operate day and night; online medical diagnostic services are provided; students can register
for classes; e-voting is completed; nonbank bill payment websites have sprung up; WiFi is used to run
driverless trains; Internet-based security controls are used; even e-money is in use; social networking;
paperless business deals; texting, and research and online surveys are executed. Students can explain what
would happen if such services were shut down.
If the cyber attack shuts down the electric grid, the only way the accounting firm can keep operating
is with an alternative source of power such as a generator. Without an alternative source of power, the
firm will not be able to back up any of its data. If cell phones stop working, the firm needs to be certain
its landline phones will continue to work. This assumes the phone company has an alternative source of
power for landline phones.
In terms of treasury operations, it will be difficult to determine the status of clients' working capital. All
internal invoices, price quotes, shipping documents, and purchase orders will cease to be received or
generated. Company cell phones are dead and e-mail will not work so communications among far-flung
staff will become intermittent. Staff who are not onsite will be unreachable. All electronic data will have
to be warehoused until systems are repaired, as will all cash flow data. The seriousness of the crash will
grow as the downtime increases. Snail mail will not work because the post office is dependent on the same
connectivity shared by all businesses. Students can put such effects into a timeline.
Even if this problem is partially overcome with emergency measures, those emergency measures will start
to fail the longer infrastructure is down.
(3) Standard preventive recommendations in case of an Internet outage include:
a. Arranging for backup carriers
b. Backing up data
c. Identifying non-Internet, hard-line connection capacity and its flexibility
d. Clearly identifying data processes dependent on Internet connectivity and prioritizing their
importance.
Prioritizing data processes allows the company's critical operations to be identified so that their
continuation can be emphasized, at all costs, during an Internet breakdown. The following view is suggested as a means
to begin identifying a company's most critical data processes.
Customer Interfaces
Vendor Interfaces
Employee Interfaces
Human Interfaces, i.e., nonelectronic
21. Digital assets are also called virtual assets. They do not have a physical form and are recognizable as 0s and
1s. Traditional examples are software coding and online courses conducted by for-profit universities. Non-traditional examples are islands and clothes for avatars on Second Life, both of which sell for thousands
or hundreds of dollars. Second Life has millions of U.S. dollars in digital assets on its website. Designer
clothes for avatars sell in virtual retail outlets that make hundreds of thousands in annual sales. These clothes
are on racks like in a traditional clothing store. The FASB has an island on Second Life where it conducts
online seminars. Other non-traditional items are weapon systems that are sold to online gamers who use these
systems to increase their potential to kill their virtual opponents. Many of these assets only have value in the
virtual world. Virtual tokens are given to reviewers of various websites or those who will complete Internet
surveys. The tokens only have value on the Internet, but they can be used to purchase physical products.
The characteristic of all these digital assets is that they have a future value inside the virtual world. Most of
these virtual assets can be converted into real U.S. dollars; therefore they are similar to physical assets. The
interesting question is whether the virtual future value is real if they are never or cannot be converted into a
physical world asset and only have a future value in a virtual world. Does such an asset have protections under
computer crime statutes?
