
For each and every lock there is a locksmith.

A discussion of the problems of computer crime and how business is affected.

While I was researching this paper, I thought I would try to find a suitable definition of
“Computer Crime”. Different countries have different laws, so it would be natural to restrict my
discussion to the law as it pertains to the UK because I am studying in the UK. The law in the
UK has 2 acts that were enacted specifically to cover computer related crime: The Computer
Misuse Act 1990 and The Data Protection Act 1998.

The “COMPUTER MISUSE ACT 1990 (chapter c. 18)” [i] has the following 3 items under the
“Computer misuse offences” section:

1) Unauthorised access to computer material.
2) Unauthorised access with intent to commit or facilitate commission of further offences.
3) Unauthorised modification of computer material.

However, (depending on the type of crime) it may be that something unlawful in the UK is
perfectly legal somewhere else. So, perhaps “legal” definitions are not appropriate.

The most acute problem that computer crime presents for business is financial. It is easy for
any business to identify financial loss. It can be harder to connect cause and effect. Whilst it is
true that the corruption of data due to a virus can cause weeks of headaches if one doesn’t
have a backup, I am assuming that the business is “reasonably competent” and is using some
“common sense practices”.
In this article I hope to highlight the types of computer crime that can cause financial problems
to business. Whilst there may be legal arguments as to jurisdiction, again, I am not
concerning myself with that. I am trying to put myself in the position of the owner/manager of
the business. So, if my business has suffered, or I am out of pocket because of some act
performed by or with the aid of a computer and that act was not illegal in the country from
which the action was commenced; then I am still going to be concerned about the problem.

Computers, like many other tools can be used in connection with a crime, though this does
not necessarily mean that the crime falls within the auspices of a computer related crime law.
For example; fraud can be committed with the aid of a computer. But, that does not mean that
the crime comes under the definition of the Computer Misuse Act. Most likely it would be
covered by Section 15 of The Theft Act 1968, which states:
“A person who by any deception dishonestly obtains property belonging to another,
with the intention of permanently depriving the other of it? For the purposes of this
section 'deception' means any deception (whether deliberate or reckless) by words or
conduct as to fact or as to law, including a deception as to the present intentions of
the person using the deception or any other person” [ii]

Other laws that are related to computer crime and/or problems for business are:
· The Data Protection Act
· The Consumer Protection (Distance Selling) Regulations 2000
· The Regulation of Investigatory Powers Act 2000 (RIP Act).

The Data Protection Act has many implications for business. A business must take care of
data that it records, otherwise it could find itself being the perpetrator of computer crime and
not the recipient. The Victoria’s Secret Lingerie company in the US recently agreed to pay a
fine of $50,000 to the State of New York after a problem on its website allowed viewers to
browse other customers’ online orders [iii]. Admittedly the US is more litigious than we are in the
UK, but no business can afford to ignore this type of responsibility – if only from the customer
confidence point of view.

Computers can be used to assist in committing crime. They can even be used to add up the
proceeds of a committed crime. Ignoring physical assault with a keyboard however, I will
confine my discussion to the following types of crime which are “perceived to be” and
“generally known as” computer crimes relating to business, namely:

Fraud, malware, hacking, cracking, “Denial of Service”, SPAM and Mobile Phones.

Fraudulent purchases - the most easily “felt” and perhaps the most widely publicized form of
computer crime. Because of its prominence this area usually has the most attention from
people trying to prevent it; promises arrive regularly from various companies trying to make
credit card purchases more secure. “Identi-Chips”, Iris Scans, fingerprinting – all swear to
relieve the headache of credit card fraud.

According to The Guardian Newspaper’s Home Affairs Editor – Alan Travis “The banking
industry's credit card research group has shown that although the internet was only
responsible for 2% of all credit and debit card transactions it now generated 50% of all
complaints” [iv].
So, although computers may be accused, in this case it seems they are only 2% guilty. No
matter how slight the loss may be, business has to look at ways of preventing the erosion of
consumer confidence, particularly if that business uses the internet to make sales.
At present, most businesses are not financially liable for a fraudulently used credit card;
providing they have correctly followed the credit card company’s procedures. So, the effect of
credit card fraud, whilst very important to the credit card companies, has a less direct financial
effect upon business than the media would have you believe.

Hacking is almost as widely known as fraud but, with the intervention of Hollywood and those
of a more romantic nature, hacking is seen as white collar crime that only harms “faceless
corporations”.
However, the small percentages of crimes that are reported in the media, or turned into
mediocre popcorn fodder, are the tip of the iceberg. This is not scare-mongering – it’s just
common sense. The very nature of the crime is that (if you are good at it) you will leave little
or no trace of your handiwork.
Disgruntled employees might try to delete or corrupt valid data – this is a direct cost in
recovering from the corruption (once detected).
Firewalls, Bastion hosts, DES encryption schemes and the associated army of installers and
consultants employed to try and prevent disaster have a direct cost. These things and the
personnel associated with them have to scare the business proprietor enough to make him or
her want to install and employ them, but not be so scary that he/she thinks the task futile.
Sales and marketing people capable of achieving this feat often drive expensive cars.
Hackers who use your equipment to masquerade as you whilst causing the US marines to
invade Grenada are another type of problem. Should you be fortunate enough to find the
footprints in the butter, you will still have an enormous PR problem.

Cracking is not often mentioned, or is otherwise confused with hacking; however, costs to
business due to this practice are, perhaps, the most invidious. Cracking and Copyright
violation go “hand in hand”.
Ignoring the cries of the Free Software Foundation, one can’t help noticing how much the large
(and largest) software companies charge business for their products. This is often justified by
the loss of potential revenue due to cracking and stealing. (Note: stealing (covered by
criminal law) is the way a number of Software manufacturers choose to term Copyright
violation (covered by civil law).) Business doesn’t get educational discount; business pays full
price. Admittedly, if the business is large enough, it can negotiate bulk discounts. But, most
small businesses have little knowledge of how to obtain the best price for computer
equipment and software. Purchases made from the retail white-goods-related outlets are
invariably at close to full retail price. Just as others breaking windows cause the price of glass
to rise – so too the Software manufacturers use this as one of their justifications in holding
their prices high.

Malware encompasses viruses, worms and Trojans: types of software or programming
targeted at and intending to hurt the computer itself.
It’s easy to see that malware that corrupts data can be expensive to recover from – if only in
the time it takes to recover from the backup. However, the astute business will have on hand
(at the least) virus scanning software. Even if the business decides not to process its email
locally and uses a web based email program, the business is still potentially vulnerable:
“San Jose, Calif.-based Finjan Software said Wednesday that it told Microsoft of the
flaw Oct. 8 and that the software giant fixed the problem within 24 hours. The
vulnerability could have allowed an attacker to use the interactions between Hotmail
components to expose a user's address book and send e-mails. The two functions
could have been married to make a Hotmail worm that would have spread whenever
a user opened up an infected e-mail, said Menashe Eliezer, manager of Finjan's virus
research lab.” [v]

The more sophisticated the business (or the more wary) the more tools there will be employed
in the protection of the computer system/s. The costs associated with maintaining virus
pattern files, backups, firewalls, specialist security staff, etc. add to the premium. Speaking of
which, I could find no insurance company which would offer protection against damage or loss
of business due to a virus.

Sometimes it isn’t “Denial of Service” – it’s just “very long delay” – which can be just as bad,
and from the end-user perspective the effect is the same as a DoS. Denial of Service
attacks are becoming popular with perpetrators. As more and more people connect to the internet,
so more and more use email and e-services. Software manufacturers of email readers (in an
effort to allow open-ended extensibility) have implemented programming languages as an
integral part of the email reader, giving the “potential extender” and, equally, the potential
perpetrator the ability to have a program execute the moment a piece of mail is viewed.
(Microsoft’s WSH [vi] supports two languages that allow extensions to be made to the
Outlook® program.) As witnessed by the ‘ILOVEYOU’ virus a couple of years ago, many
businesses ground to a halt, being unable to send/receive email or stop their PCs from
opening multiple windows until they ran out of resources. As more features and facilities are
added to software applications to try and convince an intending purchaser to buy, so the
complexity leads to flaws that in turn lead to loopholes.
“In the case of this most recent Hotmail flaw, the service's active content filter, which
polices the activities of ActiveX controls, did not adequately block all scripts,
according to Finjan. ActiveX controls are Internet programs that add interactivity to
Web sites and run on a computer as if they were the user of that machine. Any
system that accessed Hotmail e-mail messages could be affected by the flaw” [vii]

But, Denial of Service doesn’t have to be aimed directly at your computer systems. The recent
scheme of targeting Microsoft’s update/patch servers would have caused many technicians to
be unable to install, update or repair certain Microsoft products on machines right around the
globe. The more systems interconnect for functionality – the more interdependent they
become.

SPAM is unsolicited "junk" e-mail sent to large numbers of people to promote products or
services. Sexually explicit unsolicited e-mail is called "porn spam." At a minimum this is just
like any other form of rubbish received in the post: it wastes space to store and time to ignore.
However, just as opening a package from a malicious sender could cause potential harm to
yourself, so too could opening a spam sent with similar intent. Because of the “Extension
language” facilities, simply opening the “envelope” could cause problems. Many of us find it
easy to recognize junk mail at a glance because the sender is not someone we know.
However, some people’s business requires that they receive communications from potential
customers who (by definition) are people that they don’t already know. For these sorts of
business, the process of reading email is extremely hazardous and potentially very costly.
Whilst one can purchase protective “spam prevention” programs, it must be borne in mind that
a lot of these programs work from lists of already known offenders. Though they may be
exceptionally quick at keeping the lists up to date (via the internet), if you are the first to
receive from a new “Spammer” then you will be the first to suffer. One must also consider those
programs that pretend to be virus update lists: the Trojans that purport to be something
useful but, in fact, conceal something that can corrupt and/or steal and transmit the
business’s data. The latter is more dangerous because the unsuspecting operator may
not be aware that data has been stolen until they check their credit card or bank balance.

Even mobile phones equipped with “Bluetooth®” technology are open to computer crime.
“Bluesniff” and “Redfang” are tools used to discover and enumerate data from Bluetooth
devices. This could mean as little as private phone numbers or as much as all information
contained within a combination phone/PDA.

With so many potential crimes lurking in every corner, the poor businessman will get neck
ache from having to look over his shoulder all the time. The direct costs of prevention, the
safety nets and procedures that “one should employ”, the regular check-ups and the contract
or permanent staff that may be needed to perform the tasks all add to the financial burden.
Having purchased and employed, checked and double checked, having built the perimeter
fences and gates with the best quality locks that are the firewalls, virus scanners, and spam
protectors of the modern IT world, business still needs to bear in mind the old saying “For
every lock there is a locksmith”.

[i] www.legislation.hmso.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm

[ii] The law on the misuse of computers and networks, written by Paul Mobbs for the GreenNet Civil Society Internet Rights Project, 2002 (quoting the 1968 Theft Act). http://www.internetrights.org.uk/

[iii] October 22, 2003, AP Online

[iv] http://www.guardian.co.uk/Archive/Article/0,4273,3952316,00.html

[v] 2003-10-15, CNET Networks via NewsEdge Corporation

[vi] http://msdn.microsoft.com/library/default.asp?url=/nhp/default.asp?contentid=28001

[vii] 2003-10-15, CNET Networks via NewsEdge Corporation
