BUSINESS AND CYBER LAW (LAW 243)
ASSIGNMENT
Prepared for: Pn. Siti Asishah bt Hassan, Lecturer of LAW 243
PREPARED BY: Siti Norfatin Afiqah bt Ismail 2008208582 ACD4Az
TABLE OF CONTENTS
1. Acknowledgement
2. Digital Signature
3. How Digital Signature Works?
4. The Effects of Digital Signature Act
5. Computer Crime
6. Type of Properties
7. Computer Crime Related to Physical Property
8. Computer Crime Cases
9. Appendices
10. References
ACKNOWLEDGEMENT
Alhamdulillah, finally I managed to complete this assignment by the deadline given. I would like to express my thanks to the beloved LAW 243 lecturer, Pn Siti Asishah Bt Hassan, for helping me in completing this assignment. Thank you also for the guidelines and information given to aid in preparing this assignment. Hopefully, with the completion of this assignment, I am able to understand Digital Signature and Computer Crime better.
WHAT IS DIGITAL SIGNATURE?
A digital signature is binary code that, like a handwritten signature, authenticates and executes a document and identifies the signatory. A digital signature is practically impossible to forge and cannot be sent by itself, only as part of an electronic document or message. For example, in the US, electronic confirmation of signatures has been legally acceptable since October 1, 2000 under the 'Electronic Signatures in Global and National Commerce Act' (also called the 'E-sign Act'). The Act gives full legal weight to electronic technologies that ensure authentication, confidentiality, data integrity and non-repudiation, and directs courts to consider electronic records on the same legal footing as paper records. A digital signature is also called an electronic seal or electronic signature.
DIGITAL SIGNATURE ACT 1997 (ACT 562)
This Act provides the necessary conditions for using digital signatures and the procedure for exercising supervision over the provision of certification services and timestamping services. The Digital Signature Act came into force on 1st October 1998. The Digital Signature Act 1997 aims at promoting the processing of transactions, especially commercial transactions, electronically through the use of digital signatures.
This Act is an enabling law that allows for the development of, amongst others, e-commerce by providing an avenue for secure on-line transactions through the use of digital signatures. The Act provides a framework for the licensing and regulation of Certification Authorities, and for the recognition of digital signatures. The Controller of Certification Authority, who has authority to monitor and license recognized Certification Authorities, was appointed on 1st October 1998. "Digital Signature" is defined by the Act as a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine whether the transformation was created using the private key that corresponds to the signer's public key and whether the message has been altered since the transformation was made.
Essentially, this means that a digital signature is an electronic counterpart of a conventional signature. It relies on a pair of keys created with an asymmetric cryptosystem and on a specific algorithm or series of algorithms. The pair of keys is made up of a private key and a public key. The private key is used to create the digital signature, while the public key is used to verify it. The private key is known to no one except the subscriber, whereas the public key is public: it is noted in the certificate issued by the certification authority and may be retrieved from the repository. The transaction of a digitally signed message begins with the preparation of the message. The message is then transformed, or hashed, into a message digest with a one-way hash function. The signer signs this message digest with his private key. The result of applying the private key to the message digest is called the digital signature.
The original message is sent over an electronic link to the receiver. The recipient of the message uses the signer's public key to verify the digital signature; only the signer's public key will verify a digital signature created with the signer's private key. The recipient may also check whether the message has been modified by hashing the received message with the same algorithm (the one-way hash function).
If the value of this message digest is the same as the value of the message digest recovered from the received digital signature, then no modification has been made to the message since its transformation. In this respect a digital signature is similar to the automated teller machine (ATM) card system.
HOW DIGITAL SIGNATURE WORKS?
1. Hashing (message digest). A hash-value of the message (often called the message digest) is calculated by applying a cryptographic hashing algorithm (for example MD2, MD4, MD5, SHA1 or another). The calculated hash-value of a message is a sequence of bits, usually of fixed length, derived in some manner from the message.
2. Encrypting the message digest. The hash-value of the message obtained in the first step (the message digest) is encrypted with the private key of the person who signs the message, and thus an encrypted hash-value, also called the digital signature, is obtained. For this purpose a mathematical cryptographic algorithm for calculating digital signatures from a given message digest is used. The most often used algorithms are RSA (based on number theory), DSA (based on the theory of discrete logarithms) and ECDSA (based on elliptic curve theory). Often the obtained digital signature is attached to the message in a special format so that it can be verified later if necessary.
3. Digital signature verification. Digital signature technology allows the recipient of a signed message to verify its real origin and its integrity. The purpose of the verification process is to ascertain whether a given message has been signed by the private key that corresponds to a given public key. Verification by itself cannot ascertain whether the message has been signed by a given person. If we need to check whether some person has signed a given message, we need to obtain that person's real public key in some manner. This is possible either by getting the public key in a secure way (for example, on a floppy disk or CD) or with the help of the Public Key Infrastructure by means of a digital certificate. Without a secure way to obtain the real public key of a given person, we have no way to check whether a given message was really signed by that person.
REASONS FOR INVALID SIGNATURE
There are three possible reasons for getting an invalid digital signature:
If the digital signature is adulterated (it is not real) and is decrypted with the public key, the obtained original value will not be the original hash-value of the original message but some other value.
If the message was changed (adulterated) after its signing, the current hash-value calculated from this adulterated message will differ from the original hash-value because the two different messages correspond to different hash-values.
If the public key does not correspond to the private key used for signing, the original hash-value obtained by decrypting the signature with an incorrect key will not be the correct one.
If the verification fails, whatever the cause, this proves only one thing: the signature being verified was not obtained by signing the message being verified with the private key that corresponds to the public key used for the verification. Unsuccessful verification does not always mean that an attempt at digital signature adulteration has been detected. Sometimes verification fails because an invalid public key is used. This can happen when the message is not sent by the person who was expected to send it, or when the signature verification system holds an incorrect public key for this person. It is even possible for one person to own several different valid public keys, each with a valid certificate, and for the system to attempt to verify a message received from this person with some of these public keys but not with the correct one (the key corresponding to the private key used for signing the message). To avoid such problems, most often when a signed document is sent, the certificate of the signer is sent along with the document and the corresponding digital signature. During verification, the public key contained in the received certificate is then used for signature verification; if the verification succeeds, the document is considered to be signed by the person who owns the certificate. Of course, whenever certificates are used, we should trust a certificate only if its validity has been verified, or if it is self-signed but was obtained from the sender in a secure way (not from the Internet).
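The three steps and the three reasons for an invalid signature above, as an added Go example (not code from the original assignment or from any of its sources): it signs a constructed message with an RSA private key over a SHA-256 digest, verifies it with the matching public key, and then shows that a tampered signature, a tampered message and an unrelated public key each fail verification. The function names and the sample messages are my own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign performs steps 1 and 2: hash the message to a fixed-length digest
// (SHA-256 here, in place of the older MD5/SHA1 named in the text), then
// apply the signer's private key to that digest (RSA PKCS#1 v1.5 signature).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify performs step 3: recompute the digest of the received message and
// check the signature against the public key. It reports only whether the
// signature was made over this message with the private key matching pub;
// it says nothing about who holds that key (that is the certificate's job).
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo signs a constructed message and then exercises the genuine case and
// the three reasons for an invalid signature. Each entry is true when the
// signature verifies.
func Demo() (map[string]bool, error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // a second, unrelated key pair
	if err != nil {
		return nil, err
	}
	msg := []byte("Transfer RM100 to account 12345 (constructed sample)")
	sig, err := Sign(signer, msg)
	if err != nil {
		return nil, err
	}
	results := map[string]bool{}
	// Genuine: right message, right signature, signer's own public key.
	results["genuine"] = Verify(&signer.PublicKey, msg, sig)
	// Reason 1: the signature itself was altered (one bit flipped).
	badSig := append([]byte(nil), sig...)
	badSig[len(badSig)-1] ^= 0x01
	results["tampered_signature"] = Verify(&signer.PublicKey, msg, badSig)
	// Reason 2: the message was changed after signing, so its digest differs.
	altered := []byte("Transfer RM1000 to account 12345 (constructed sample)")
	results["tampered_message"] = Verify(&signer.PublicKey, altered, sig)
	// Reason 3: the public key does not correspond to the signing private key.
	results["wrong_public_key"] = Verify(&other.PublicKey, msg, sig)
	return results, nil
}

func main() {
	results, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"genuine", "tampered_signature", "tampered_message", "wrong_public_key"} {
		fmt.Printf("%-18s verifies: %v\n", name, results[name])
	}
}
```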
THE EFFECTS OF DIGITAL SIGNATURE ACT 1997 (ACT 562)
Section 62. Satisfaction of signature requirements.
(1) Where a rule of law requires a signature or provides for certain consequences in the absence of a signature, that rule shall be satisfied by a digital signature where
  (a) that digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority;
  (b) that digital signature was affixed by the signer with the intention of signing the message; and
  (c) the recipient has no knowledge or notice that the signer
    (i) has breached a duty as a subscriber; or
    (ii) does not rightfully hold the private key used to affix the digital signature.
(2) Notwithstanding any written law to the contrary
  (a) a document signed with a digital signature in accordance with this Act shall be as legally binding as a document signed with a handwritten signature, an affixed thumb-print or any other mark; and
  (b) a digital signature created in accordance with this Act shall be deemed to be a legally binding signature.
(3) Nothing in this Act shall preclude any symbol from being valid as a signature under any other applicable law.
Section 63. Unreliable digital signatures.
(1) Unless otherwise provided by law or contract, the recipient of a digital signature assumes the risk that a digital signature is forged, if reliance on the digital signature is not reasonable under the circumstances.
(2) Where the recipient determines not to rely on a digital signature under this section, the recipient shall promptly notify the signer of its determination not to rely on a digital signature and the grounds for that determination.
Section 64. Digitally signed message deemed to be written document.
(1) A message shall be as valid, enforceable and effective as if it had been written on paper if
  (a) it bears in its entirety a digital signature; and
  (b) that digital signature is verified by the public key listed in a certificate which
    (i) was issued by a licensed certification authority; and
    (ii) was valid at the time the digital signature was created.
(2) Nothing in this Act shall preclude any message, document or record from being considered written or in writing under any other applicable law.
Section 65. Digitally signed message deemed to be original document.
A copy of a digitally signed message shall be as valid, enforceable and effective as the original of the message unless it is evident that the signer designated an instance of the digitally signed message to be a unique original, in which case only that instance constitutes the valid, enforceable and effective message.
Section 66. Authentication of digital signatures.
A certificate issued by a licensed certification authority shall be an acknowledgement of a digital signature verified by reference to the public key listed in the certificate, regardless of whether words of an express acknowledgement appear with the digital signature and regardless of whether the signer physically appeared before the licensed certification authority when the digital signature was created, if that digital signature is
  (a) verifiable by that certificate; and
(b) affixed when that certificate was valid.
Section 67. Presumptions in adjudicating disputes.
In adjudicating a dispute involving a digital signature, a court shall presume
  (a) that a certificate digitally signed by a licensed certification authority and
    (i) published in a recognized repository; or
    (ii) made available by the issuing licensed certification authority or by the subscriber listed in the certificate,
  is issued by the licensed certification authority which digitally signed it and is accepted by the subscriber listed in it;
  (b) that the information listed in a valid certificate and confirmed by a licensed certification authority issuing the certificate is accurate;
  (c) that where a digital signature is verified by the public key listed in a valid certificate issued by a licensed certification authority:
    (i) that digital signature is the digital signature of the subscriber listed in that certificate;
    (ii) that digital signature was affixed by that subscriber with the intention of signing the message; and
    (iii) the recipient of that digital signature has no knowledge or notice that the signer
      (A) has breached a duty as a subscriber;
      (B) does not rightfully hold the private key used to affix the digital signature; and
  (d) that a digital signature was created before it was time-stamped by a recognized date/time stamp service utilizing a trustworthy system.
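The conditions of Sections 62(1)(a) and 64(1)(b), together with the practice described earlier of sending the signer's certificate along with the signed message, as an added Go example (not code from the original assignment, the Act or any of the sources): it builds a constructed "licensed" CA, issues a subscriber certificate, and accepts a signature only when that certificate chains to the trusted CA and was valid at the time of signing. The certificate names, serial numbers, sample message and the assumption that the signing time comes from a trusted time-stamp are all mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for key, signed by parent/parentKey; with a nil parent it is
// self-signed (our stand-in for the licensed CA's own certificate). Constructed demo: it panics.
func newCert(serial int64, name string, notBefore, notAfter time.Time, isCA bool,
	key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true, KeyUsage: usage,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// VerifyUnderAct applies the Section 62(1)(a) and 64(1)(b) conditions: the signer's certificate
// must chain to the trusted (licensed) CA and must have been valid at signedAt, the time the
// signature was created (assumed to come from a trusted time-stamp, Section 67(d)); only then
// is sig checked (SHA-256 over msg) against the public key listed in it. nil means accepted.
func VerifyUnderAct(msg, sig []byte, signer, licensedCA *x509.Certificate, signedAt time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(licensedCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
		CurrentTime: signedAt} // validity is judged at signing time, not at verification time
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("certificate not acceptable: %w", err)
	}
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil {
		return fmt.Errorf("digital signature does not verify: %w", err)
	}
	return nil
}

// Demo builds a constructed licensed CA, an unlicensed CA and a subscriber, signs a message,
// and returns the outcome (nil = accepted) of three checks.
func Demo() map[string]error {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)    // P-256 keygen only fails
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // if the system RNG fails,
	subKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)   // so the error is not checked
	ca := newCert(1, "Licensed CA (constructed)", now.Add(-time.Hour), now.Add(24*time.Hour), true, caKey, nil, nil)
	rogue := newCert(2, "Unlicensed CA (constructed)", now.Add(-time.Hour), now.Add(24*time.Hour), true, rogueKey, nil, nil)
	sub := newCert(3, "Subscriber (constructed)", now, now.Add(time.Hour), false, subKey, ca, caKey) // valid 1 hour
	msg := []byte("Sale and purchase agreement (constructed sample)")
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, subKey, digest[:])
	if err != nil {
		panic(err)
	}
	return map[string]error{
		"accepted":           VerifyUnderAct(msg, sig, sub, ca, now.Add(30*time.Minute)),
		"expired_at_signing": VerifyUnderAct(msg, sig, sub, ca, now.Add(2*time.Hour)),    // s. 64(1)(b)(ii)
		"unlicensed_issuer":  VerifyUnderAct(msg, sig, sub, rogue, now.Add(30*time.Minute)), // s. 64(1)(b)(i)
	}
}

func main() {
	fmt.Println(Demo())
}
```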
ADVANTAGES OF DIGITAL SIGNATURE
- It prevents disclosure of sensitive information to unauthorized third parties.
- Encryption allows for the authentication of the information sent.
- Authentication allows the recipient of the message to confirm that the message was actually sent by the sender, and not someone impersonating the sender, and that the message is genuine and has not been modified in any way.
- They prevent unauthorized individuals from accessing a computer or a particular file.
WHAT IS COMPUTER CRIME?
Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data as well as system interference. Computer crimes do not necessarily involve damage to physical property; they rather involve the manipulation of confidential data and critical information. Computer crimes include software theft, wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as well as the theft and illegal alteration of system-critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures.
COMPUTER CRIME ACT 1997
The Act aims to provide for offenses relating to the misuse of computers. Amongst other things, it deals with unauthorized access to computer material, unauthorized access with intent to commit other offenses and unauthorized modification of computer contents. It also makes provisions to facilitate investigations for the enforcement of the Act. Under the Act, there is a rebuttable presumption that a person who has in his custody or control, a program, data or other information held in a computer or retrieved from a computer and which he is not authorized to have in his custody or control, is deemed to have obtained unauthorized access to it. If an offense is committed by any person outside Malaysia, he may be dealt with as if he had committed the offense within Malaysia, if for that offense the computer program or data was in Malaysia or capable of being connected, sent or used by or with a computer in Malaysia. Enforcement is in the hands of the police.
The Act criminalizes some acts and provides for punishment as follows:

Offense: Unauthorized access to computer material
Penalty: Fine not exceeding RM50,000 or imprisonment not exceeding 5 years or both.

Offense: Unauthorized access with intent to commit or facilitate commission of a further offense
Penalty: Fine not exceeding RM150,000 or imprisonment not exceeding 10 years or both.

Offense: Unauthorized modification of the contents of any computer
Penalty: (a) Fine not exceeding RM100,000 or imprisonment not exceeding 7 years or both; (b) fine not exceeding RM150,000 or imprisonment not exceeding 10 years or both if the act is done with the intention of causing injury as defined in the Penal Code.

Offense: Wrongful communication
Penalty: Fine not exceeding RM25,000 or imprisonment not exceeding 3 years or both.

Offense: Abetments and attempts
Penalty: Fine as for the principal offense, but imprisonment not to exceed one half of the maximum term for the principal offense.
TYPE OF PROPERTIES
- Physical properties: A physical property is any measurable property the value of which describes a physical system's state at any given moment in time. For that reason the changes in the physical properties of a system can be used to describe its transformations (or evolutions between its momentary states).
- Intellectual properties: Intellectual property (IP) refers to creations of the mind: inventions, literary and artistic works, and symbols, names, images, and designs used in commerce. IP is divided into two categories:
  o Industrial property, which includes inventions (patents), trademarks, industrial designs, and geographic indications of source; and
  o Copyright, which includes literary and artistic works such as novels, poems and plays, films, musical works, artistic works such as drawings, paintings, photographs and sculptures, and architectural designs. Rights related to copyright include those of performing artists in their performances, producers of phonograms in their recordings, and those of broadcasters in their radio and television programs.
TYPES OF COMPUTER CRIME RELATED TO PHYSICAL PROPERTIES
Hacking: The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on it is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the most widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact under a false identity, thus remaining anonymous while carrying out criminal activities.
Phishing: Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by posing as a trustworthy source. Phishing is carried out through emails or by luring users into entering personal information on fake websites. Criminals often use websites that have the look and feel of a popular website, which makes users feel safe entering their details there.
Computer Viruses: Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through network file systems, through the network or the Internet, or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with the aim of harming a computer system and destroying information. Writing computer viruses is a criminal activity, as virus infections can crash computer systems, thereby destroying great amounts of critical data.
Cyberstalking: The use of communication technology, mainly the Internet, to torment other individuals is known as cyberstalking. False accusations, transmission of threats and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target users by means of chat rooms, online forums and social networking websites, gathering user information and harassing the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.
Identity Theft: This is one of the most serious frauds, as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using that person's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.
Data Transfer Theft: Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done without you even knowing it, through split lines. Some thieves take this a step further: when you are done using your computer and sign off the network, they simply remain online and continue using the system as if they were actually you.
Computer Output Theft: This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer in order to find out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists and the like.
Desktop Forgery: This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterheads, documents, passports, birth certificates and cash receipts for personal gain.
Wrongful Programming: This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.
COMPUTER CRIME CASES
a. U.S. v. Ventimiglia (M.D. FL). This case is about an ex-employee intentionally damaging his company's computers. How did he get into the computer facility, you may ask? Quite simply: he was still a buddy of an existing employee. This clearly shows that you may have the best door access system or security cameras in the world, but when there is collusion with internal or "trusted" employees, you can hardly do much to stop the crime from taking place. What can be done, however, is to take strict disciplinary action against employees who violate policies such as allowing unauthorized persons into restricted areas. This will at the very least make an individual think twice before committing any rash act.
b. U.S. v. Morch (N.D. CA). This is another example of an internal threat. Basically, an employee on his last day of duty copied out proprietary information and was caught. This brings up a couple of precautionary measures that may be considered when dealing with staff resignations:
  i. Consider removing or limiting the access of staff who have tendered their resignation;
  ii. Monitor the actions of the staff member from the time he/she tenders the resignation letter;
  iii. Where possible, change the passwords of the administrator or other IDs known to the departing staff member.
c. U.S. v. Oquendo (S.D. NY). In this case, a computer security expert was found guilty of computer hacking and electronic eavesdropping. This case once again shows that an Internet threat can come from within an organization. Here the employee did the damage while still with the company and then began exploiting his earlier efforts remotely.
  i. The challenge for system administrators is basically to know what is supposed to be on their systems. This knowledge, along with regular review of the software applications on the system, will ensure that any new or unknown software or rogue files are detected and scrutinized.
d. U.S. v. Smith (D. NJ). Unlike the three cases above, which were internal threats, this case dealt with threats coming from and infecting through the Internet. David L. Smith pleaded guilty to creating the "Melissa" virus and causing millions of dollars' worth of damage. One thing to learn from this case is that fighting computer criminals, especially those who use the Internet as their medium of attack, requires collaboration between multiple parties. In this particular scenario, America Online and ICSA.net were amongst the key contributors to the successful investigation of the case. Although this was more of an availability attack, Smith could be faced with a 5-year federal prison sentence.
e. U.S. v. Gregory (N.D. TX). This case is classified as telecommunication fraud and computer hacking. It was chosen for discussion because it differs from the four cases above. Among other things, it involved the use of stolen access devices, PINs obtained from another hacking organization and stolen credit card information. With access to this equipment and information, Gregory could make free teleconferences at the expense of the telecommunication service provider. An important lesson or reminder from this case is that the hacker network is large and its members are willing to trade information amongst themselves. To me there are both pros and cons to this situation. The obvious disadvantage for the authorities is that they are fighting a very large network of cyber criminals. The advantage for the authorities is that there are more leads to follow up on: the more people who are involved in or know about a crime, the higher the likelihood of obtaining useful leads to the criminals.
APPENDICES
Figures included in the original appendices (images not reproduced here; only their titles survive): Digital Signature; Digital signature procedures; Digital Signature Information; Add Digital Signature to Document; Hacking; Phishing; Computer Viruses; Cyberstalking; Identity Theft; Identity theft happens to anyone; Types of identity theft; Desktop Forgery.