Dan Richards | Web Engineer

Cybercrime This article was written as part of my University course; Bsc Computing at the University of Plymouth. The article was co-written by myself, Lewis Oaten, Josef Nankivell and Anthony Chudley.

Introduction

Crime itself is defined as “Engaging in conduct that has been outlawed by a particular society” (Karl de Leeuw, J. A. Bergstra, 2007) and cybercrime is defined as “The use of computer technology to engage in socially outlawed conduct” (Karl de Leeuw, J. A. Bergstra, 2007). From these definitions, de Leeuw recognised that “Most cybercrime we see today simply represents the migration of real world crime into cyberspace”.

This definition provides the basis from which we will explore a fuller meaning of cybercrime. This report catalogues key events in the history of cybercrime and investigates how it occurred and evolved over the last 40 years. It also provides information about the current situation and how this affects governments and businesses. Finally it speculates on the future of cybercrime, how it may evolve, and how it could be controlled. This full-spectrum analysis provides a more complete answer to the question, “what is cybercrime?”

Examination of the Historical Context of Cybercrime

During the 1960’s cybercrime was unheard of, due to the fact that the only computers were large mainframes. The first reports of illegal computer usage occurred during this time; involving computer sabotage and manipulation.

Due to the lack of networking technology, access to computers was physically limited. Hence the crimes tended to be committed by insiders. At the time, the legislative system did not recognise computer crime as a separate issue. Those who were caught were tried for traditional crimes; this sets the scene for the next 20 years. It was not for a decade that the term “hacker” was used to describe cybercriminals. The term hacker emerged in the 1950’s at MIT’s artificial intelligence lab; it then started to become used in computer culture. Not for criminal purposes, but in reference to undertaking something creative or intellectual (Karl de Leeuw, J. A. Bergstra, 2007).

In the 1960’s a popular activity of the early “hackers” was phone phreaking. It involved manipulating the telephone system, using a tone emitter, to produce abnormal behaviour e.g. providing free long distance calls. Many “phreakers” moved on to become hackers in later life, for example infamous hacker Kevin Mitnick. Like early mainframe hacking, phone phreaking was not regarded as a distinct category of crime. It was prosecuted under existing law, usually under fraud or theft of services (Karl de Leeuw, J. A. Bergstra, 2007).

In 1969 the US department of defence subdivision, Advanced Research Projects Agency (ARPA), launched the ARPANET. This was the world’s first packet switching network (it would later become the Internet). It linked computers in hundreds of universities, research labs and defence contractors. In doing so it linked hackers all over the USA and led to the emergence of the hacker culture. The early culture was limited to a fairly small group due to the lack of networked personal computers.

Over the next 10 years, the level of cybercrime did not increase greatly. Hacker culture was still confined to intellectuals and those with access to the ARPANET. Towards the end of the 1970’s however, computers started to become more readily available. In 1978 two Chicago computer enthusiasts created the first civilian Bulletin Board system. This caused a revolution in online communication, allowing users to interact with each other and share information. Over the next decade, thousands of bulletin board systems went online. Most of them were innocuous, but some of them engaged in sharing phone phreaking tactics, trading pirated software and stolen credit card information. This appealed to a new type of ‘hacker’ (Karl de Leeuw, J. A. Bergstra, 2007).

These bulletin boards and the emergence of cheap network enabled personal computers in the 1980’s, greatly expanded hacker culture into the mainstream. Perhaps influenced by the 1983 movie “Wargames”, some boards turned their interest towards breaking into government computer systems. The first person to be prosecuted for this new type of “hacking” was Ian Murphy in 1981, also known as “Captain Zap”. Murphy hacked into the AT&T computer system and changed the clocks that metered billing rates. Hence subscribers were being charged late night call rates in the middle of the day. Murphy was not charged for computer crime, but charged for theft. (Karl de Leeuw, J. A. Bergstra, 2007). At this stage cybercrime was still not regarded as a separate problem.

However, two years later another major incident sparked a change in the attitude of the US government and legislative bodies. A group of teenage hackers formed in Milwaukee and called themselves the “414’s”, after the local area code. They hacked into computer systems at the Los Alamos lab in New Mexico and the Sloan Kettering cancer centre in Manhattan. They claimed to be acting in the original hacker spirit of intellectual curiosity, and that they did not realise they were breaking the law. But they were prosecuted federally for computer trespassing (Karl de Leeuw, J. A. Bergstra, 2007). This was the first time that a major government had recognised computer crime as a real issue. However, as cybercrime had existed for almost 20 years it was a little too late.

The reaction to cybercrime by governments and legislative bodies across the world changed greatly between the 1970’s and 1990’s. This can be attributed to the growth in cybercrime occurrences. Early incidents were uncommon, but it was soon apparent that existing criminal law did not adequately address the problem of cybercrime. Early attempts to criminalise cybercrime included the unsuccessful Federal Cybercrime Bill introduced in the US congress during the 1970’s. As mentioned earlier the introduction of the personal computer and the rise of the Internet caused a large growth in cybercrime. As the technology evolved so did the efforts to address the legal issues brought about. The introduction of cybercrime law happened in waves, firstly on a national three- stage basis.

The first wave of legislation was designed to protect privacy; a direct reaction to the capacity of computer technology to collect, store and transmit data. created for collecting, storing and transmitting data. This legislation was first introduced in Sweden in 1973. This concern for privacy also prompted constitutional amendments in Brazil, the Netherlands, Portugal and Spain.

The second wave addressed property crimes. Brought about by the inadequacy of existing laws dealing with the theft of tangible property. The new laws addressed computer criminals abilities to inflict traditional harm by new methods. Italy was the first to apply these laws in 1978.

The third wave was concerned with the protection of intellectual property (such as computer software and other digital media). By the 1990s many countries, including most western countries, had adopted basic cybercrime legislation that outlawed commonly encountered crimes, such as unauthorised intrusion, distribution of malware, computer theft and computer fraud.

This initial flow of cybercrime law did have an effect in their respective countries. It did not take into account the fact that the Internet now allowed crime to be committed on a global scale. This prompted concern within governments. One effort to combat this was the Council of Europe’s Convention on Cybercrime. This convention recognised that national legislation alone was not enough to deal with cybercrime. As a result several organisations began to develop international solutions to the cybercrime problem.

The first major effort came from the Organisation for Economic Cooperation and Development. The OECD were mainly concerned with harmonising cybercrime legislation to ensure consistency in different countries. It recommended that countries introduced a minimum set of offences. This includes attacks on computer systems, use of computers for fraud/forgery, use of computers to infringe software copyrights and gaining unauthorised access to computer systems.

Around the same time the Council of Europe commissioned a similar report. In 1989 it recommended the harmonisation of cybercrime laws to ensure that countries could respond quickly and adequately to cybercrime. Like the OECD report, this recommendation contained a list of minimum criminal offences to be applied. Throughout the 1980’s and 90’s, several more organisations including the UN and the G8 came to similar conclusions.

The initiative that created the most results was the 1997 Committee of Experts on Crime in Cyberspace, created by the Council of Europe. It was given the task of “Drafting a binding legal instrument” dealing with the need for cybercrime legislation and international cooperation. The convention requires parties to criminalise certain cyber- offences. Like the previous initiatives, it assumed that harmonising legislation would make it harder for cyber- criminals to escape justice. This assumption was quite naïve, due to the fact that even though minimal laws were implemented the punishments for these still varied.

However, it did hold true for some time, particularly in the 1990’s. One good example of this was the 1995 case of a Argentinean hacker named Julio César Ardita who went under the alias “Gritón”. He was thought to be hacking computer systems at Harvard University. He was carrying out these hacks from a personal computer located in his parents apartment. For the first time a federal judge authorised the use of a computer network wiretap.

As a result of this the Federal Bureau of Investigation (FBI) obtained a warrant to monitor network traffic at Harvard using a program called “I-Watch”. This program was installed on a government-owned computer placed at Harvard. It scanned network traffic generated by the legitimate users at Harvard to catch the hacker. The system worked by pinpointing certain words that the government believed that the hacker was using.

Using this method the FBI found that he had first accessed a system located in Harvard’s faculty of arts and science. Using a password sniffer, he obtained credentials for other systems and then accessed them. He used this method repeatedly to obtain access to computers at the Defence Department, Caltech, Northeastern University, the University of Massachusetts and many other high level systems. Two years later, in May 1988, Ardita pleaded guilty to two counts of intercepting and damaging government files. He was fined $5,000 and sentenced to three years’ probation (David Kravets, 2009).

The mid 90’s were a good time for the government to prosecute hackers that they had been monitoring for some time. But now they had the legal power to catch them. In February 1995 Kevin Mitnick was arrested by the FBI on charges of wire fraud and breaking into the systems of several major corporations. Mitnick started hacking at the age of 12, when he accessed the Los Angeles public transport system to ride the buses for free. By the 1990s Mitnick was regularly hacking into the systems of large companies like Sun and Motorola. Eventually the FBI caught up with Ardita and he was sentenced to five years in prison (Tony Long, 2007).

The culmination of the governments new-found power against cybercrime came in the year 2000. The US president at the time, Bill Clinton, requested a record budget for the 2001 fiscal year ($1.84 trillion). It asked Congress for more money for wiretapping, police databases, antitrust enforcement, and computer crime forensics. One of the heftiest increases, from $15 million to $240 million, was to pay telephone companies to rewire their networks to facilitate federal and state wiretapping (Declan McCullagh, 2000). This event is indicative of the huge change in the attitude toward cybercrime, from a sheer lack of acknowledgement to the dedication of hundreds of millions of dollars to combat it.

Analysis of Current Cybercrime Threats

Despite the efforts of the International organisations to create laws ensuring that the acts of cybercrime are covered by jurisdiction, there remains today, variance in the levels of punishment that can be applied, based on the country in which the crime is being tried. Whilst under European jurisdiction the maximum time that can be served for a cybercrime offence is 10 years, in the United States of America a repeat offender can be punished with 20 years for an offence. The weighting of the sentencing, and classification of crime, has been shown in recent years in the case of Gary McKinnon, who has been challenging against his extradition to the United States. Within the United Kingdom he would be charged with obtaining “Unauthorised access with intent” (BBC News, 2009a) whereas, in the United States he would be charged under the more serious crimes of “fraud and criminal damage” (BBC News, 2009a), for the same crime. Whilst some of this is based on the availability of evidence being more substantial within the US, it clearly indicates that in an area where geographical location is no boundary to the ability to commit a cybercrime, the punishment of such offence can still vary deeply.

This area is unlikely to see any change, with Europe following guidelines for computer-related crimes, and the United States with their own system. Whilst the two similar there are significant differences. On a global scale it is a technical impossibility to have a uniform law, and scales of punishment, due to the political and cultural differences of the world.

The advent of computers becoming a global and commonly used resource has led to the current waves of cybercrime to be on a scale that was rarely seen in history, as of 2008 there were in excess of 1 million new malicious code threats, in comparison to 20,547 in 2002. (Symantec, 2009). This shows the explosion that has occurred with the popularity of the Internet, and the availability for financial gain using the web as the main interface. Since the turn of the new millennium malware has become more prevalent, in its many guises, with new forms of attack taking advantage of the changing use of the Internet.

Denial of Service (DoS) attacks have become prevalent since the turn of the millennium, the first key events occurring in the year 2000 with a series of attacks against some of the most famous websites on Internet, namely Yahoo, CNN.com, Amazon.com and eBay. (Karl de Leeuw, J. A. Bergstra, 2007) This was a high profile start for the denial of service attack. These early attacks had widespread effects beyond the simple unavailability of the sites and immediate impact on the revenue. The publicity caused by these attacks would shape consumers' views of these sites, showing them as vulnerable and untrustworthy, an image that is particularly negative to e- commerce sites such as eBay and Amazon, where the confidentiality of the information is important. Since this high profile start there have been numerous attacks against many websites, be them e-commerce or information based sites, although their newsworthiness has lessened with the increased frequency of attacks. Now it is now only key attacks that become news articles. One significant article with relation to denial of service attacks surfaced in March 2009, with the BBC acquiring the services of a bot-net, and conducting a Distributed Denial of Service Attack (DDoS). The significance of this was that it showed the ease with which an attack could be conducted, whilst also causing significant interest about the legality of the BBC’s research.

Whilst being a separate form of attack, Malware is a contributor to the rise in DDoS attacks. One of the effects that Malware can have on an infected machine is to cause the machine to become part of a bot-net; a remotely controlled network of infected machines. These networks can, as highlighted by the BBC click investigation (BBC News, 2009b), be hired to perform a DDoS attack against a site, or actions such as the sending of spam email. The numbers of machines that make up these networks is vast, and hard to calculate. Estimates can be placed once a bot-net has been brought down, as with the Srizbi bot-net, and the Mega-D bot- net. They are believed to have had around 500,000 and 250,000 machines respectively. These 2 networks were accountable for large volumes of spam, with Srizbi responsible for an estimated 40% of the worlds spam (Dan Goodin, 2009), and the Mega-D network responsible for around a third of the global output. (Dan Goodin, 2008).

Malware is the catch-all description for a range of malicious code, including viruses, worms and Trojan horses. Whilst this is the technical term, it is quite common for the media to use virus as their catch-all term. Each of the types of malware has unique characteristics that affect their use and behaviour. The most commonly occurring form of malware is the Trojan Horse variety. It accounting for 83% of the malware detected in the first 6 months of 2009 (BitDefender, 2009). The Trojan Horse variety of malware imitates its namesake, and is often installed by an end user who has been deceived by a disguise for the application, with it appearing to be completing a task for the user, whilst also allowing access to the system. Trojan horses have a number of uses, with one of them being the inclusion on a bot-net. They can also be used as a component when committing theft and fraud over the Internet. On the 16/11/2009 the Police Central e-crime Unit, along with UK banks, managed to sentence a group, who, by using a Trojan, had managed to obtain £600,000 from infected machines. The trojan worked by creating additional dialogue boxes on banking pages. This enabled the perpetrators to obtain confidential information, allowing them to defraud the targeted accounts (UKPA, 2009).

Worms are different to Trojans in many aspects. Most crucially of all, they are self replicating, meaning that they can, and have, spread very quickly, without the need for user intervention. Worms are also, on the whole, more damaging than a Trojan. Due to the fact that worms are spread over the network, they will have an impact on the bandwidth of a network. Unsurprisingly worms can travel the web at an alarming rate, causing mass infection, regardless of geographical boundaries. Not all worms were created with the intent of being damaging, for example, the “Welchia” worm used the DCOM RPC vulnerability to spread itself. Unlike many worms though, the payload for this was to attempt to patch the vulnerability, and restart the machine, as well as trying to remove the Blaster worm. It would then scan to find other vulnerable machines, and the cycle would continue. Whilst this is obviously a rare case for a virus, it also can be deemed as damaging, as these acts were performed without user authorisation, and greatly increased network activity (Frederic Perriot, 2009).

This example of “White Hat” cybercrime is one that is falling in proportion with the more damaging forms of attack. As the Internet has expanded to be a worldwide hub for trade and banking, the opportunity for a financial gain has rose, something that is being exploited on a daily basis. When looking at cybercrime cases it becomes clear that a number are also being tried alongside charges of fraud. This combination of a modern crime, with one that is easily conducted over the Internet, shows a real shift from the past, where a number of cases were done without damaging intent, let alone using elements of traditional crime. The rise of cybercrime, has led to the issue being widely broadcast on national news programmes, with many people being aware of it, purely for the defrauding of online banking.

The number of cybercrime incidents is only set to increase with the advent of more powerful mobile devices. With the sale of mobile devices that have full Internet browsers, and unlimited data plans, the start of crime within mobile devices has recently reared its head, possibly showing the signs of things to come. With Apple’s iPhone being one of the most popular phones on the market in this point of time, it’s a worrying start that the first worm has been written specifically for the iPhone, and again what started off with a supposedly innocent attack, purely highlighting the vulnerability in a way that is not crippling to the phone (Graham Cluley, 2009), although it is fair to assume that a more damaging variant is likely to be developed.

The Future Evolution of Cybercrime

Cybercrime is entering an era in which the number and severity of major risks are increasing rapidly. The battle between attacking and defending, where attackers appear to be more advanced in creativeness and dynamism, is exaggerated in the world of information technology. The attacker is autonomous, with no fixed operation location and time requirements and often has new means of attack at their disposal. The complexity and frequency of attack techniques, is staggering even now and growing rapidly.

Attacks will grow in frequency as time goes on, particularly against governments. With targeted cyber attacks by nations against government systems becoming increasingly successful, demonstrating the need for continuous advancements in cybercrime security. Attacks on businesses will focus on military contractors and those with valuable customer information, such as social media sites.

The Internet will forever be a primary target in the future, almost certainly to a larger degree than it is today. The main reason for this is due to the, functionality that the Internet creates, providing numerous opportunities for cyber-criminals to compromise an individual or even a corporation.

The majority of theses opportunities arise from the fact that the web is very public, there exists a vast number of applications with little quality control for web related security problems, resulting in malicious activity being triggered by unauthenticated and often anonymous users. It is not unusual for web applications to be developed by small businesses and individuals, many of which have little or no knowledge of the security problems that can manifest in web environments. Although, this is changing somewhat due to increased education for the development community, web developers are at a disadvantage because Web frameworks and technologies evolve so rapidly and the rate of evolution will only continue to grow as time goes on.

A very common example of cybercrime that is targeted against high-profile sites is “Spear Phishing”. Spear phishing is the process of sending emails to the employees of an organisation. The email appears to come from a manager within the company and demands each user to unknowingly install spyware or to provide log-in information, allowing the attackers access to potentially confidential information. Security vulnerability researchers often exploit the holes they discover before they sell them to software vendors. These “zero-day” vulnerabilities will result in major outbreaks resulting in many thousands of PCs being infected worldwide.

Voice and video over Internet protocol (VoIP) systems will almost certainly become more of a target of cybercrime in the future, with VoIP technology allowing an attacker to have a local phone number in any area they choose, despite their actual physical location. VoIP technology is still in it’s infancy and is usually installed in a rushed fashion by organisations that do not understand the security challenges they might meet in the future.

Another technology that will reveal new risks in the future is radio-frequency-identification (RFID). Even though RFID has been around for years it is only now starting to gain popularity, with integration into our personal lives still on the rise.

The United Kingdom has starting including RFID chips in new biometric passports, called “ePassports”, that uses smart card technology to authenticate the identity of travellers. It is likely that the inclusion of biometrics in passports could improve national security, however, biometrics is also used in the corporate world. However, in some countries legislation has been approved that prevents employers from using RFID implantations, despite this, we can expect the public to interact with RFID technology daily. Some corporations have chosen to implant chips under the skin of employees. In the coming years, RFID technology will be widely integrated into our everyday lives, such as food and health care.

Today RFID technology is susceptible to eavesdropping and forgery. The UK Passport Service (UKPS) conducted a trial (Computer Weekly, 2004) in 2004 using a system that involved facial recognition, iris scanning and fingerprinting. This trial was a feasibility study on the potential implementation in the United Kingdom of legislation enabling the introduction of biometrics identity cards. The report on this trial features quite heavily in this article, because it is the biggest such trial to date and it highlights some potentially serious flaws with biometrics systems.

RFID readers could contain security holes that would allow cyber-criminals to steal confidential information from the associated databases. Demonstrations of the feasibility of attacks are becoming much more frequent, this combined with the decrease in the cost of RFID technology due to mass production, creates the perfect environment for attackers to launch malicious attacks to acquire personal or sensitive information.

As there is already a large risk to information security, spyware is a huge concern, and is growing at an alarming rate. Spyware creates so many different revenue streams for the developers that spyware centres could be established around the globe, allowing spyware to be created and distributed.

Mobile “smart” phones are growing more powerful all of the time, people are relying on these devices for all aspects of their lives and will continue to do so, making them ideal targets for cybercrime. As such, malicious code will infect hundreds of thousands of smart phones, while using wireless networks to propagate from one phone to another. In the future this will lead to a greater number of phishing attacks, spyware and inevitably ID theft. This will mean that it is only a matter of time before the annoying messages that people despise on their PCs will also flood mobile devices. This type of mobile spam could spread rapidly as creators of Trojans and hackers are likely to benefit largely from this. According to In-Stat, this type of attack is predicted to cost more than $250 billion in 2011 (In-Stat, 2006).

As time goes on these types of costs associated with each attack will rise along with their pace and aggressiveness. To manage this we clearly need a strong legal framework, together with appropriate and effective policing and public awareness. There is no doubt that law enforcement agencies have begun to create expertise in managing cybercrime during the last decade, however, this must be developed further.

Governments will need to approve an increasing amount of legislation that will regulate the protection of public information. If the government reduces the imposed data- breach notification requirements substantially, legal advisors and legislatures will begin to establish severe penalties for organisations that lose or leak delicate information. Data- breach notification policies and laws work, and make a huge difference as company executives consider computer security very carefully when there is a chance of being named and shamed in the media. However, business lobbyists have used their political influences to convince leaders that disclosure laws are purely a burden. For example, the United States have issued federal laws that remove most of the responsibility of business to information disclosure loss. The future outcome of this worrying, and could result in a drastic decline in business concern about security and therefore, a decline in security itself.

Law enforcement, however, is only part of the solution. We also need to ensure that individuals and businesses understand the risks and have the knowledge and tools to minimise their exposure to cybercrime. This is particularly important for individuals who are often technically inexperienced and have little understanding of the potential problems associated with online shopping, Internet banking and social networking. This problem is exacerbated by the growing number of people accessing the Internet for the first time. Society must find imaginative and varied ways of raising public awareness about cybercrime and about methods which can be used to mitigate therisks.

To be successful at reducing cybercrime, law enforcement needs to be combined with the advancement in technological areas of computing. Quantum cryptography is one such technology and it will play a crucial role in combating cybercrime in the future.

As it stands for any two parties in a network to securely communicate they must first be authorised. This means that the identities of the individuals must first be authenticated. The problem that quantum cryptography aims to solve is that of how to authenticate parties while reducing the amount of cryptographic keys that must be shared.

If quantum cryptography is to be practical at solving these issues in the future, it will need to operate along-side current networks. Also, it will need to offer improvements in cost and features that cannot be obtained currently. If quantum technology is incorporated with key distribution, it is possible that the resulting Quantum Key Distribution (QKD) will be able to distribute one-time pads, providing the currently impossible scenario of unbreakable encryption. Another advantage of quantum technology is that it is able to notice eavesdropping in communications creating a level of integrity and authentication that is not possible with classical methods.

Despite any legal and technological advancements, it is obvious that cybercrime is not going to go away any time in the near future, in fact it can only grow. While cybercrime is an unpleasant result of the information age, it also belongs to a much larger crime landscape. If something has a use, there will always exist the opportunity to abuse it, with computer technology and Internet connectivity being no exception. Therefore, crime can never be eradicated, so the future of cybercrime is less about winning, and more about trying to avoid the risks and reducing the impact of cyber attacks.

Conclusion

To sum up, cybercrime has played an influential role throughout the history of the information age. It has grown out of the egotistical lust for self-development which is possessed by a sub-culture of computer professionals and academics. As the culture went underground, the legalities of hacking became more questionable and soon evolved into cybercrime.

The ability to exploit systems grew in line with the scale and popularity of such systems. With new systems being developed to provide solutions for more problems, the rewards that were sought by hackers also grew. This rapidly became a serous corporate problem as they were the victims of some of the most costly attacks.

When governments started to tackle the issue of cybercrime, the costs to corporations continued to be significant. It took many iterations of legislation before a solution was produced which had a positive impact on the victims. With the crackdown on cybercrime, many of the original hackers took on legitimate roles, as consultants, in the industry; and the remaining perpetrators shifted their methods and motives.

Governments and international bodies will need to work together to tackle the problem in a pre-emptive way, as oppose to introducing legislation in a retrospective manner which they have done previously. This, however, will be difficult, as the future of cybercrime is an uncertain one. What is known, is that the possibility for exploits to be found, and the field on which they can be utilised, will grow in proportion to new technology being formed. With that said, the problem is not going to go away.

References

Karl de Leeuw, J. A. Bergstra (2007), The history of information security: a comprehensive handbook [2] David Kravets (2009),Oct. 23, 1995: First Computer-Network

Wiretap, http://www.wired.com/thisdayintech/2009/10/1023first- computer-wiretap, Date accessed 02/11/09

Tony Long (2007), Feb. 15, 1995: Mitnick Arrested, http://www.wired.com/science/discoveries/news/2007/02/72647, Date accessed 02/11/09

Declan McCullagh (2000), Clinton’s Wiretap-Heavy Budget, http://www.wired.com/politics/law/news/2000/02/34164, Date accessed 02/11/09

BBC News (2009)a, Hacker step closer to extradition, http://news.bbc.co.uk/1/hi/uk/7912538.stm, Date accessed 26/11/09

Symantec (2009), Symantec Report: Rogue Security Software, Available at http://www.symantec.com/business/theme.jsp? themeid=threatreport, Date accessed 26/11/09

BBC News (2009)b, BBC team exposes cyber crime risk, http://news.bbc.co.uk/1/hi/programmes/click_online/7932816.stm, Date accessed 26/11/09

Dan Goodin (2009), Spam net snared a quarter million bots, says conqueror, http://www.theregister.co.uk/2009/11/16/mega_d_size_estimate/, Date accessed 26/11/09

Dan Goodin (2008), Srizbi spam botnet in failed resurrection, http://www.theregister.co.uk/2008/11/26/srizbi_returns_from_dead/ Date accessed 26/11/09 [10] BitDefender (2009), BitDefender Malware and Spam Survey finds E-

Threats Adapting to Online Behavioral Trends, http://news.bitdefender.com/NW1094-en--BitDefender-Malware-and- Spam-Survey-finds-E-Threats-Adapting-to-Online-Behavioral- Trends.html, Date accessed 26/11/09

UKPA (2009), Gang jailed for web banking fraud, http://www.google.com/hostednews/ukpress/article/ALeqM5hOOyBQ xdsqcFLDeKCmoxiTMSH4CA, Date accessed 26/11/09

Frederic Perriot (2009), W32.Welchia.Worm, http://www.symantec.com/security_response/writeup.jsp?docid=2003- 081815-2308-99, Date accessed 26/11/09

Graham Cluley (2009), First iPhone worm discovered - ikee changes wallpaper to Rick Astley photo, http://www.sophos.com/blogs/gc/g/2009/11/08/iphone-worm- discovered-wallpaper-rick-astley-photo/, Date accessed 26/11/09

Computer Weekly (2004), UK passport agency begins trial on biometric IDs, http://www.computerweekly.com/Articles/2004/04/27/202067/uk- passport-agency-begins-trial-on-biometric-ids.htm, Date accessed 08/11/09

In-Stat (2006), Global Wireless Handset Market Grows 23% in 2006 and Will Reach $250 Billion by 2011, http://www.instat.com/press.asp? ID=1666&sku=IN0602922WH, Date accessed 08/11/09

Ross J. Anderson (2008), Security Engineering: A Guide to Building Dependable Distributed Systems

Jack G. Albright (2002), The Basics of an IT Security Policy, Available at http://www.giac.org/practical/Caroline_Reyes_GSEC.doc, Date accessed 06/11/09

Caroline Reyes (2005), What makes a good security policy, and why is one necessary?, Available at http://www.giac.org/practical/jack_albright_gsec.doc, Date accessed 06/11/09

What is CyberCrime?