CIS2750 - Securing Information Systems


Chapter 3, Cyber Stalking, Fraud, and Abuse; Chapter 4, Denial of Service Attacks

Objectives:

Chapter 3 presents a lot of material about criminal activities involving computers. Objectives important to this lesson:

  1. Investment and auction frauds
  2. Avoiding frauds
  3. Identity theft
  4. Cyber stalking
  5. Privacy settings on a web browser
  6. Laws regarding computer crime
Concepts:
Chapter 3

The chapter begins with a reminder that the Internet is like a frontier. I think he is right, but his metaphor is a little off. You don't need to have a frontier to have a criminal element. Every city has a police force, regardless of the age of the city. Crime exists where you find people. Crime exists on the Internet and the author talks about several types. He begins with investment fraud. Let's start just before that. What is fraud?

Fraud is not robbery. Robbery is physically forcing something from someone else, taking it from their person, home, or business. Fraud is defined as deception that includes the following seven elements:

  1. A representation (you tell them the tale)
  2. about a material point, (you make it clear that something important happens)
  3. which is false, (and you lie about the the important thing)
  4. and intentionally or recklessly so, (your lie is meant to fool, or you have no regard for the truth)
  5. which is believed  (the mark believes your tale)
  6. and acted upon by the victim (and the mark gives you money, or access to it)
  7. to the victim's damage. (which may be all the money the mark has)

To avoid confusion, the word "fraud" can refer to either the crime itself or to the person carrying out the crime. When reading material on this subject, you will have to determine how the word is being used by its context. To make it easier, in common language the person presenting the fraud is the con artist or the grifter, the person believing the proposition is the mark, and the story told to the mark is the tale. In the clip below from House of Games, a con man teaches his student how to tell a tale to a mark.


Movies about such things.

Since your text does not appear to have a discussion on the history of fraud, give me a minute.

Further research into the topic of fraud will lead you to the story of Carlo (Charles) Ponzi, who was made famous by his invention of several variations on pyramid schemes. His picture is shown on the right.

In his schemes, he promised a return on investment that was not possible to deliver, but he delivered it to several customers by paying them with the investments of subsequent customers. This made his companies seem legitimate, until the fraud was discovered, at which time he owed more money to the outstanding investors than he had assets to pay. He did this several ways in several states. Each time he was caught, he moved on to a new location and did it again. Had he operated in the age of the Internet, Mr. Ponzi would not have had to relocate, but might not have stayed one step ahead of the law when he did. He was so successful that a pyramid investment scheme is often called a Ponzi scheme.

The chapter turns to a discussion of two kinds of online fraud. The first is about investments. In the example commonly called the Nigerian Prince or the Nigerian Bank Manager Scam, the prospective mark receives an email with a proposal to share a large amount of money if the mark will be good enough to give his/her bank information to the grifter. A person who believes this tale gives the grifter the keys to a bank account that is quickly looted of all its contents. In case you have never seen such an email, you may enjoy this article on the Snopes website about how the tale may be told to you. As an interesting aside, the Nigerian email scheme seems to work best on people who are in need, who are greedy, or who want to steal from the unsuspecting email sender. If you can convince a mark that he is the con artist, the mark is less likely to notice that he is being conned.

The text goes on to explain that investment fraud is also common on the Internet. Newsletters and tip sheets promote investment in companies that may or may not exist. If the stocks do exist, the author explains that the fraud may be a pump and dump scheme. The fraudster is trying to get people to invest in a stock, which will increase its price, and the fraudster then sells the shares he already owns, making a profit. Whatever happens to the mark's shares is their problem.

Another type of fraud discussed is auction fraud. It is not uncommon to find some imaginary goods for sale on sites that allow auctions. Of course, it does not have to be an auction, it may simply be an offer to sell something. An offer to sell does not prove that the goods exist. Reputable sites try to keep this from happening, but it happens often enough that the text provides advice about detecting auctions (or simply goods for sale) that are fraudulent offers. This is a link to the same information found in your text, advice from eBay about detecting seller fraud.

The text presents three shady tactics that may be found in an online auction offer:

  • the shill - a shill is a person who works for the auctioneer to drive up the prices being bid; this is not unique to online auctions, it has happened in real life auctions, medicine shows, and sideshows for generations; see this article on Wikipedia for more background
  • bid shielding - again, this is not just online; it is a tactic in which a bidder makes a large bid to scare away other bidders, the bid is retracted, and as time runs out, the bidder makes a low bid to get the goods
  • bid siphoning - this tactic has the presenter of an auction provide links to what are often external, scam auctions that are meant to draw interest away from the reputable site to the one the scammer has set up to defraud potential customers; as presented, this would only happen online, and would be most dangerous for people who do not read address lines on their browsers

The text begins another major discussion of identity theft. The text does not go into great detail. For your viewing pleasure and your education, watch the following video made by a guy who is a good presenter, has good advice, and was actually a victim, all of which make him worth watching and hearing.


The text makes a special point of telling us to avoid phishing scams, which also try to harvest information from us, from our computers, and from our links to others on the Internet. It isn't just the information the phisher asks for that is damaging, it is the mining of your accounts and your devices that can take place if you click the poisoned link in the email.
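The bid siphoning tactic above and the poisoned link in a phishing email both depend on the reader not checking where a link really goes. The following is an added example, not from the text or its author, that shows what an automated check of that point looks like: it pulls every link out of a message, compares the visible text with the actual target, and flags links that leave a set of trusted domains or point at a bare IP address. The trusted domain list, the sample message, and the 198.51.100.7 address are all constructed for the demo (the address is from the documentation range, not a real host).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the reader replaces these with the sites they actually expect
# mail to link to (their bank, their auction site, and so on).
TRUSTED_DOMAINS = {"example-auction.com", "example-bank.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in a message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels domain: 'login.example-bank.com' -> 'example-bank.com'.
    Good enough for the demo; a production check would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_link(href, text):
    """Return a list of warnings for one link; an empty list means nothing suspicious."""
    warnings = []
    target = urlparse(href)
    host = target.hostname or ""
    if target.scheme not in ("http", "https") or not host:
        return ["non-web or malformed link target"]
    is_ip = re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None
    dom = host if is_ip else registrable_domain(host)
    if is_ip:
        warnings.append("raw IP address instead of a host name")
    if dom not in TRUSTED_DOMAINS:
        warnings.append(f"link leaves trusted sites: {dom}")
    # The classic phish: the visible text looks like a URL for one site,
    # but the href points somewhere else entirely.
    shown = re.search(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
    if shown and registrable_domain(shown.group(1)) != dom:
        warnings.append(f"displayed '{shown.group(1)}' but goes to {dom}")
    return warnings


def audit_html(html):
    """Map each link target in the message to its list of warnings."""
    parser = LinkCollector()
    parser.feed(html)
    return {href: classify_link(href, text) for href, text in parser.links}


# Constructed sample message for the demo (not a real email).
SAMPLE = """
<p>Your account needs attention. Sign in at
<a href="http://198.51.100.7/login">https://www.example-bank.com/login</a>.</p>
<p>Also see this better deal: <a href="http://cheap-deals.example.net/item">Item 42</a></p>
<p>Receipt: <a href="https://example-auction.com/receipt">example-auction.com/receipt</a></p>
"""

if __name__ == "__main__":
    for href, warnings in audit_html(SAMPLE).items():
        print(href, "->", warnings or ["ok"])
```

Run against the sample, the bank link is flagged three times (bare IP, untrusted target, text/target mismatch), the "better deal" link is flagged once for leaving the trusted sites (the siphoning pattern), and the receipt link passes. Address-bar reading by a human does the same job; the point of the code is that the comparison is mechanical and can be done before anyone clicks.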

The next topic in the chapter is cyber stalking which can be a lot like bullying. The text defines cyber stalking as using the Internet to harass, threaten, or intimidate another person. This may be too specific: it would still be cyber stalking if you were only using an internal email product or another form of communication that did not involve the Internet. The real point is that you are using a computer (or computer-like device) to carry out your unwelcome acts. Don't forget that stalking can take place without a computer, and that is also a crime. The text points out that legal definitions vary, and it may not be cyber stalking if you are just getting email trying to sell you something. If you are in doubt, consult your local police, who may point you to another authority.

The text offers several examples of cyber stalking cases that can be enlightening. One thing I got from them was that no real case is going to match a textbook definition exactly. From that lesson, please take this advice: cases in real life have to be based on real laws, real proof, and real actions. Just because a textbook says "this is what we call X" does not mean that you can arrest or prosecute someone for it.

The text continues with a section about crimes against children. As you might expect, this kind of crime is very specific and it angers many people that it can take place. The video you can reach with this link is a news story from a Texas TV station about a sting operation that took place in February of 2023.

The text returns to a discussion of fraud with a mention of some laws and a longer section of advice about protecting yourself from fraud and identity theft.


Chapter 4, Denial of Service Attacks

Objectives:
  1. What are DoS attacks?
  2. Understand SYN flood, Smurf, and DDoS attacks
  3. Understand general defense advice
  4. Specific attack defenses
Concepts:
Chapter 4

DoS Attacks

This chapter opens with a discussion of Denial of Service attacks, followed by a separate discussion of Distributed Denial of Service attacks. Both have the same goal: to prevent users from accessing services. If users of an eCommerce site, for example, cannot establish connection to that site, there will be no reason for that site to exist and its customers will go elsewhere.

DoS attacks fall into several categories, such as these:

  • consumption of bandwidth - Attacks in this category attempt to choke the system by sending enough traffic to prevent legitimate traffic from being processed. This includes ICMP floods (Smurf attack), UDP floods (Fraggle attack), and Chargen attacks, which use an old (1983) protocol that was meant to be used when testing networks.
  • consumption of resources - Attacks in this category focus on individual systems. Flood attacks, discussed in the text, will have effects on other devices on the same network. Despite this, the intention is to target particular computers, so these attacks can be harder to spot.
  • exploitation of programming defects - Attacks in this category exploit particular faults in programs or operating systems. The text lists three types that are pretty obsolete. Years ago, I actually diagnosed a ping of death event, which was caused by sending packets of an illegal size to a server. That was patched long ago, so we should consider this category the bucket to catch any new attack on a newly discovered or unpatched vulnerability.

The text lists a handful of tools for DoS attacks, then goes on to consider DDoS attacks, which are typically carried out by an army of co-opted machines, which may number in the hundreds or thousands, depending on the success of the attacker in organizing an attack group, often called a botnet. This probably means a robot network, but the term has been around so long that the original longer form doesn't appear to be used any longer. The text discusses the elements involved:

  • daemon software - Software that turns a computer into a member of the attacking army, variously called a bot or a zombie.
  • target - The network, system, or device being attacked
  • master system, bot-master, or control system - The device from which the attacker coordinates the attack

Page 99 offers a list of attack software, some of which can be used for DoS or DDoS attacks.

This video from Network Chuck tells how he conducted a DDoS attack. Chuck did this so you don't have to. DON'T DO IT!!!

The text discusses several types of DDoS attacks, each of them sending a slightly different kind of packet as the attack ammunition, but each attempting to overwhelm what the target computer can handle. You can generally defend against these attacks with some creative firewall rules and filters, but this is not always done on all systems, which leaves them vulnerable.
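The filters mentioned above work because each attack in the bandwidth and resource categories leaves a recognizable shape in the traffic. As an added example (not from the text or its author), here is a small detector that looks for three of those shapes in a list of packet summaries: a SYN flood (many SYNs to one port, few of which ever complete the handshake), a Smurf attack (ICMP echo requests aimed at a broadcast address with the victim's address as the claimed source), and a Fraggle or Chargen attack (UDP to the echo or chargen port on a broadcast address). The packet records, the /24 broadcast assumption, the thresholds, and all addresses are constructed for the demo; in practice the same logic would run over records from a packet capture or a flow exporter.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One packet summary; constructed for the demo rather than read from a capture."""
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: str = ""      # TCP flags, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK)
    icmp_type: int = -1  # 8 = echo request


BROADCAST_SUFFIX = ".255"  # assumption: /24 subnets, so x.y.z.255 is the directed broadcast
SMALL_SERVICE_PORTS = {7: "echo", 19: "chargen"}


def is_broadcast(addr):
    return addr.endswith(BROADCAST_SUFFIX) or addr == "255.255.255.255"


def detect_syn_flood(pkts, min_syns=20, max_completion=0.2):
    """Flag (dst, port) pairs that receive many SYNs while only a small share of the
    sending addresses ever return the handshake's final ACK (half-open connections)."""
    syns = Counter()
    syn_sources = defaultdict(set)
    ack_sources = defaultdict(set)
    for p in pkts:
        if p.proto != "tcp":
            continue
        key = (p.dst, p.dport)
        if p.flags == "S":
            syns[key] += 1
            syn_sources[key].add(p.src)
        elif p.flags == "A":
            ack_sources[key].add(p.src)
    findings = []
    for key, n in syns.items():
        completed = len(syn_sources[key] & ack_sources[key]) / len(syn_sources[key])
        if n >= min_syns and completed <= max_completion:
            findings.append(f"SYN flood: {key[0]}:{key[1]} {n} SYNs from "
                            f"{len(syn_sources[key])} sources, {completed:.0%} completed")
    return findings


def detect_amplification(pkts):
    """Smurf: ICMP echo requests to a broadcast address. Fraggle/Chargen: UDP to the
    echo or chargen port on a broadcast address. Every host on the subnet answers,
    and the answers go to whatever address the attacker put in the source field."""
    hits = Counter()
    for p in pkts:
        if not is_broadcast(p.dst):
            continue
        if p.proto == "icmp" and p.icmp_type == 8:
            hits[("smurf", p.src, p.dst)] += 1
        elif p.proto == "udp" and p.dport in SMALL_SERVICE_PORTS:
            hits[("fraggle/" + SMALL_SERVICE_PORTS[p.dport], p.src, p.dst)] += 1
    return [f"{kind}: {n} packets to broadcast {dst} claiming source {src}"
            for (kind, src, dst), n in hits.items()]


def analyze(pkts):
    return detect_syn_flood(pkts) + detect_amplification(pkts)


def sample_traffic():
    """Constructed traffic mix (documentation-range addresses, not a real capture)."""
    server = "203.0.113.5"
    pkts = []
    # Five ordinary clients completing the three-way handshake with the web server.
    for i in range(5):
        c = f"192.0.2.{10 + i}"
        pkts += [Pkt(c, server, "tcp", 443, "S"),
                 Pkt(server, c, "tcp", 0, "SA"),
                 Pkt(c, server, "tcp", 443, "A")]
    # Forty SYNs from distinct claimed sources that never finish the handshake.
    for i in range(40):
        pkts.append(Pkt(f"198.51.100.{i + 1}", server, "tcp", 443, "S"))
    # Smurf: echo requests to the subnet broadcast, with the server as claimed source.
    pkts += [Pkt(server, "192.0.2.255", "icmp", icmp_type=8)] * 25
    # Fraggle/Chargen: UDP to port 19 on the broadcast address, same claimed source.
    pkts += [Pkt(server, "192.0.2.255", "udp", 19)] * 10
    return pkts


if __name__ == "__main__":
    for finding in analyze(sample_traffic()):
        print(finding)
```

The handshake-completion ratio is what separates a busy server from one under a SYN flood: the first fifteen packets alone (the five normal clients) produce no finding, while the same server with forty half-open connections added does. The broadcast checks map directly onto the firewall rules the text has in mind: drop ICMP echo requests and UDP to ports 7 and 19 whose destination is a broadcast address, since no legitimate traffic needs them.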

For some ideas about preventing such attacks, take a look at this article. It discusses some of the tools in the text, as well as some others.