To catch a cybercriminal
Date: October 15, 2003Source: Computer Crime Research Center
By:
... he may be dealt with in respect of such offence as if it was committed at a place within Malaysia. Section 9 goes on to state that the Act shall apply if, for the offence in question, the computer, program or data was in Malaysia or capable of being connected to or sent to or used by or with a computer in Malaysia at the material time.
NextThis practically means that the Computer Crimes Act has extra-territorial jurisdiction – the law can be enforced against an alleged offender even if he is in another country.
One more interesting thing about the Act is that Section 10 gives the power to any police officer to arrest without warrant any person whom he (the police officer) reasonably believes to have committed or is committing an offence under the Act.
Thus, the police have sweeping powers of arrest with regards to cybercrime and reflects the legislature’s consideration that it viewed the offences in the Act as pretty serious.
Some people may argue that there is a difference between hackers who break into a website to deface its homepage and cyberterrorists who go to these same websites with the purpose of causing harm to people and damage to databases and information systems (see for instance Lee, M.K.O. (1995) above). However, if you look at Section 5 of the Act carefully, Malaysian law does not make a distinction between a harmless hacker who defaces a webpage and a cyberterrorist who desires to cause injury – both will be guilty of offences under the Act, and both will be punishable, although by different sections of the Act.
Practical examples of cybercrimes include but are not limited to:
Some examples of computer harassment are:
- Live chat obscenities and harassment;
- Unsolicited and threatening e-mail;
- Hostile postings about someone;
- Spreading vicious rumours about someone;
- Leaving abusive messages on a website’s guest books.
Cases where the crime can occur even if there was no computer – however, the use of technology makes the commission of the crime faster and permits the processing of larger amounts of information. Examples would be credit card fraud, drug trafficking, criminal breach of trust, forgery, cheating, illegal betting or gambling, forgery of valuable documents (money, cheques, passports and identification cards) and money laundering. In the past, the Malaysian Police has investigated rumour mongering and defamation on the Internet.
The reproduction and distribution of copyright protected material and software piracy.
Cyberattacks on financial systems. This includes electronic banking and payment systems.
Pyramid schemes on the Internet.
E-mail abuse. This includees malicious or false e-mail.
Who are the local enforcers – what type of enforcement do we have in Malaysia?
Cyberlaw enforcers face several challenges:
Firstly, there is the identification of the criminal – Internet investigations are equipment- and labour-intensive. It is not that easy to identify cybercriminals.
This is because they operate in a virtual world and do not leave physical clues and paper trails behind, like the more traditional criminals do. Although they do leave their digital fingerprints now and then, enforcers need to move quickly before evidence fades away. Furthermore, with encryption, route relay and other types of technology and processes, they can make themselves almost undetectable by cyberenforcers.
Secondly, if the cybercriminal was in another country and he perpetrated his crimes against information systems here in Malaysia, how do you prosecute and ultimately impose the sentence against him?
This is where the harmonisation of a framework of cyberlaw globally will undoubtedly help (this was discussed in the Cyberlaws column in In.Tech, April 22. It is also the objective in respect to cyberlaw in the second phase of the MSC's development from 2003 to 2010), as the Internet is borderless and does not have regard to the laws of sovereign nations.
Besides legal differences, there are practical differences in terms of enforcement and co-ordination efforts between nations.
There may not be enough trained personnel or sufficient equipment to detect and to bring cybercriminals to book.
Finally, technology always evolves and the enforcers must keep up with changes.
Even in the United States as recently as 2000, it was noted that American law enforcement agencies, including the Justice Department, lacked the staff to investigate and prosecute cybercrimes like digital break-ins, data destruction and viruses. As a result of this, cybercriminals were breaking into or paralysing US-based websites with little fear of retribution, costing the private sector hundreds of millions of dollars.
Even Interpol, the organisation set up to track fugitives and investigate international crime and of which Malaysia is a member of, considered letting a Silicon Valley computer security company, AtomicTangerine, help it to protect businesses from hackers. This is after it acknowledged that international law enforcers were unable to combat computer crime effectively and also after acknowledging that governments found it difficult to coordinate cross-border efforts to combat this new phenomenon. Its secretary general at the time, Raymond Kendall stated that “... there's a limit to how you can transform police officers or detectives into technicians” (http://lists.insecure.org/lists/isn/2000/Jul/0056.html).
In Malaysia, the Malaysian Police formed the Technology Crime Investigation Branch (TCIB) in October 1998. It is under the Commercial Crime Investigation Division. The officers in the TCIB are specially trained in cybercriminal investigation methods. The TCIB also lends its assistance to overseas enforcement agencies in investigating online gambling, hacking and illegal distribution of pirated software.
Here are a couple of tips on how to prevent cybercrime:
- Install hardware and software that will recognise hacker attacks, data spying and data altering, like firewalls, encryption (for e-mail, the encryption program called Pretty Good Privacy can be used), virus detection and smartcards. An Intrusion Detection System can protect your information systems in the event of the failure of the firewall and from internal attacks. An Incident Handling System will be able to identify hacker attacks as they happen. Full backups are important so that evidence like damaged or altered files, files left by the intruder, the relevant IP address and login times can be collected. A police report should then be made.
- Assess your information systems to identify weaknesses.
- Ensure that computers that run critical infrastructure are not physically connected to any other computer that is possibly connected to the Internet.
- Maintain clear and consistent security policies and procedures.
- Use alphanumeric passwords (i.e. passwords with letters and numbers in them). Login passwords should be changed frequently.
- Employees have to be trained to understand security risks – this practically means that they must know that they should never give out PINs, passwords and calling card numbers of the company without proper third party verification.
Notorious hacker, Kevin Mitnick, who was the most wanted hacker at one time in the United States, told of how he accessed the information systems of the US’ Department of Motor Vehicles by simply calling up an officer, disguising himself as an officer from another government agency and obtaining the appropriate username and passwords from her.
- Correct identified problems – although this may seem straightforward and logical, I have seen many cases where security of certain information systems were compromised because problems were not fixed.
- Report attacks to the National ICT Security and Emergency Response Centre (Niser) so that any pattern of cybercrime in Malaysia can be detected and large-scale attacks prevented.
- There must exist incident response capabilities so that there is appropriate action taken against impending attacks.
- When an employee resigns or is terminated, employers must always ensure that the former does not have access to their computers anymore. The 1997 UN Manual on the Prevention and Control of Computer-Related Crime noted that 90% of economic crimes such as theft of information and fraud were committed by the relevant company’s employees. Even the Malaysian Police’s Technology Crime Investigation Branch is of the opinion that “more often than not, unauthorised access, hacking or e-mail abuse cases involve disgruntled employees taking advantage of ineffective security policies.”
- Maintain backups of all important data.
- When external persons service your system, save confidential information on other media before the service. Observe them during the service. Never let external people take computers or servers with confidential information from your site.
In a...
Add comment
Email to a Friend
