CYBER CRIMES IN MALAYSIA AND U.S.A.:

WHAT SHOULD WE DO IN MALAYSIA?

1. INTRODUCTION

Webopedia defines Cyber crime as encompasses any criminal act dealing

with computers andnetworks (called hacking). Additionally, cyber crime also

includes traditional crimes conducted through the Internet. For example; hate crimes,

telemarketing and Internet fraud, identity theft, and credit card account thefts are

considered to be cyber crimes when the illegal activities are committed through the

use of a computer and the Internet.

(Source: http://www.webopedia.com/TERM/C/cyber_crime.html)

Computer Crime Research Centre has define cybercrime as crimes committed on the

internet using the computer as either a tool or a targeted victim. It is very difficult to

classify crimes in general into distinct groups as many crimes evolve on a daily

basis. Even in the real world, crimes like rape, murder or theft need not necessarily

be separate. However, all cybercrimes involve both the computer and the person

behind it as victims, it just depends on which of the two is the main target.

 Hence, the computer will be looked at as either a target or tool for simplicity’s sake.

For example, hacking involves attacking the computer’s information and other

resources. It is important to take note that overlapping occurs in many cases and it is

impossible to have a perfect classification system. (Source: http://www.crime-

research.org/articles/joseph06/)

The free dictionary has define cybercrime in a more simple way; cybercrime - crime

committed using a computer and the internet to steal a person's identity or sell

contraband or stalk victims or disrupt operations with malevolent programs. (Source:

http://www.thefreedictionary.com/cybercrime)

Perhaps the most elaborated definition of cybercrime is from www.techterms.com. It

defines cybercrime as criminal activity done using computers and the Internet. This

1

includes anything from downloading illegal music files to stealing millions of dollars

from online bank accounts. Cybercrime also includes non-monetary offenses, such

as creating and distributing viruses on other computers or posting confidential

business information on the Internet.

Perhaps the most prominent form of cybercrime is identity theft, in which criminals

use the Internet to steal personal information from other users. Two of the most

common ways this is done is through phishing and pharming. Both of these methods

lure users to fake websites (that appear to be legitimate), where they are asked to

enter personal information. This includes login information, such as usernames and

passwords, phone numbers, addresses, credit card numbers, bank account numbers,

and other information criminals can use to "steal" another person's identity. For this

reason, it is smart to always check the URL or Web address of a site to make sure it

is legitimate before entering your personal information.

Because cybercrime covers such a broad scope of criminal activity, the examples

above are only a few of the thousands of crimes that are considered cybercrimes.

While computers and the Internet have made our lives easier in many ways, it is

unfortunate that people also use these technologies to take advantage of others.

(Source: http://www.techterms.com/definition/cybercrime)

2. CLASSIFICATION OF CYBER CRIMES

Like traditional crime, Cybercrime has many different facets and occurs in a wide

variety of cenarios and environments. Current definitions of Cybercrime have

evolved experientially. They differ depending on the perception of both

observer/protector and victim, and are partly a function of computer-related crimes

geographic evolution.

There are four type of cyber crimes:

2.1 Cyber crime against Individual

i. Harassment via e-mails.

ii. Cyber-stalking.

2

iii. Dissemination of obscene material.

iv. Defamation.

v. Unauthorized control/access over computer system.

vi. Indecent exposure

vii. Email spoofing 

viii. Cheating & Fraud

2.2 Cyber crime against Property

i. Computer vandalism.

ii. Transmitting virus.

iii. Netrespass

iv. Unauthorized control/access over computer system.

v. Intellectual Property crimes

vi. Internet time thefts

2.3 Cyber crime against organisation

i. Unauthorized control/access over computer system

ii. Possession of unauthorized information.

iii. Cyber terrorism against the government organization.

iv. Distribution of pirated software etc.

2.4 Cyber crime against society

i.     Pornography (basically child pornography).

ii.    Polluting the youth through indecent exposure.

iii.   Trafficking

iv. Financial crimes

v.Sale of illegal articles

vi.Online gambling

vii. Forgery

Cybercrime could reasonably include a wide variety of criminal offences and

activities. The scope of this definition becomes wider with a frequent

3

companion or substitute term 'computer-related crime'. The examples of

activities that are considered cybercrime can be found in the United Nations

Manual on the Prevention and Control of Computer-Related Crime. The

manual includes fraud, forgery, computer sabotage, unauthorised access and

copying of computer programs as examples of cyber crime.

3 COMPARISON OF CYBER CRIMES IN MALAYSIA AND USA

3.1 Cyber crimes in Malaysia

According to MyCert's manager Solahuddin Shamsuddin, cyber crime in

Malaysia include illegal activities done with malicious purposes from

electronic hacking to denial of service attacks that cause great loss in

monetary terms to the affected victim. The types of cybercrime reported in

Malaysia through MyCert include Intrusions - Web defacement, harassment,

destruction of computers, denial of service, frauds, forgery, phishing scams,

mailbomb and copyright piracy.

According to him, Malaysia was among the first few countries in the world to

introduce cyberlaws such as the Computer Crimes Act 1997. This cyber law

addresses and looks into areas of cybercrime activities. Despite the lengthy

definitions provided by various sources, the definition of cybercrime will

change along with the evolution of IT. The latest trends and statistics on

cybercrimes in Malaysia, in a recent report noted that cybercrime is on the

rise and getting more sophisticated.

There were 117 cases involving RM451,000 in losses were taken to court

under the Communications and Multimedia Act 1998 between January and

last month compared to 35 last year, while 857 cases were charged in court

under the Computer Crime Act 1997 last year, with losses totalling RM2.9

million, while 355 cases have been hauled up to court from January to last

4

month. Among the offences under the Act were hacking, computer virus and

fraudulent withdrawals of cash using fake ATM cards.

According Paladion Networks (M) Sdn Bhd's country manager Sreeraj

Gopinathan, cybercrime includes a wide range of activities from sending

rumours and defamatory messages to sending mails to unsuspecting banking

customers and luring them to give out personal details (phishing) to the more

"direct" crimes, including transferring money from others' accounts, stealing

critical information, etc. He noted that authorities were able to trace the

people behind the e-mail scam and the more recent Web log incident.

Despite the current manageable level of cyber crime, CyberSecurity Malaysia

has highlighted the need for more trained cyber professionals to deal with the

growing problem.

CEO  retired Lt. Col. Husin Jazri said, “I do not want to claim we have a lack

of experts or our experts are enough to solve problems but we need to

collaborate to produce more experts,” according to Mysinchew.

As Internet use continues to rise across the globe, maintaining an adequate

number of cyber professionals is essential to keep pace with this growth.

During discussions with the press, Jazuri said he was not concerned with

banks, but with individual victims.

“I’m not worried about the banks. They have a lot of money to secure their

systems. They can have the world’s best consultant to look into their security

systems,” he said. “It’s the human part that gets affected, not the

technological part. The users become the victims. When the users

communicate to the banks, they are exposed to the social engineering, scams

and other threats.”

He also highlighted the need to increase cyber education, a growing theme in

cybersecurity discussions.

5

“We need to educate users on this fact which can contribute towards curbing

the problem when they aware of this aspect,” he said. “We should share

know-how and identify the necessary strategy to address threats such as

increasing risk of security breaches, identity theft, phishing and cyber

terrorism.”

(http://www.thenewnewinternet.com/2010/02/10/cybersecurity-malaysia-

calls-for-more-cyber-experts/)

3.2 Cyber crime in Usa

(Source:http://www.ic3.gov/media/annualreport/2009_ic3report.pdf)

According to the recently released Norton Cyber Crime Report for 2011,

431 million adults worldwide were victims of cyber crime last year. The total

cost of those crimes amounts to some $114 billion. This precise statement,

however, hides an important problem: We actually lack comprehensive data in

assessing the true scale and scope of cyber crime. This is because we primarily

rely on businesses to voluntarily self-report incidences of attacks and intrusions

without any means to verify their statements. To turn the tide in the fight against

cyber crime, we first need to know its true impact on the world economy.

(Source: http://www.symantec.com/content/en/us/home_homeoffice/html/ncr/)

6

The recently published report, Second Annual Cost of Cyber Crime Study,

by the Poneman Institute, a U.S. based information security policy research

center, is another good case in point. The report states that "over the past year,

the median cost of cyber crime increased by 56 percent and now costs

companies an average of $6 million per year." This statistic was compiled using

a self-report survey of 50 U.S. based businesses.

The reason businesses routinely under-report incidents of cyber crime is

that most information on cyber crime losses are derived from surveys; that is,

statisticians merely send questionnaires to companies and hope they are

answered in good faith. Businesses have vested self-interests in under-reporting

incidents since they either do not want to lose consumer confidence or be held

accountable by shareholders or boards. Consequently, the data we collect from

such surveys has very low predictive power and cannot serve as a basis for

informed policy formulation.

What most people do not realize is that cyber criminals do not have to be

too sophisticated to inflict major damage. Cheap malware that can be purchased

online often suffices. The real danger to a country's economy arises

from advanced persistent threats (APTs) -- highly sophisticated and long-

planned intrusions often executed with state sponsorship. Jeffrey Carr, a U.S.

based cyber security expert, recently stated that the biggest threat is the theft of

intellectual property in high-value technology and energy assets. Here too

under-reporting is endemic.

One report claims that U.S. intellectual property theft -- an APT -- costs

750,000 jobs annually, much of which is conducted via cyber space. The

validity of this number, however, is questionable since many APT attacks either

are not detected or are kept secret for many years. Most companies do not even

know that they are under attack, and if they do know, companies are not willing

to share data because we lack a trusted identity to collect it.

There are dozens of public- and private-led cyber security data distribution

forums in existence already, but the number, scope, and diversity makes for a

7

complex environment where sharing information is very difficult. What is

needed is the equivalent to the U.S. Center for Disease Control and Prevention,

an umbrella organization coordinating the different activities of forums and

which could conduct broad analysis into cyber space. In the United States

the National Security Telecommunication Advisory Committee provides a good

model for sharing and normalizing threat data that could be generalized to

various initiatives from defense, finance, or information-based industries.

Such a new umbrella organization could induce private sector companies

to voluntarily provide at least a modicum of raw statistical data about their

performance. For example, the data breach reports should be "anonymized,"

which will, from a business perspective, facilitate sharing. With this minimal

data, rudimentary statistics could be compiled and common responses

developed. The main focus here should be on data treatment and distribution.

Data must be usable and accurate enough to enable action and suppress

vulnerabilities in companies.

The significant disconnect within many corporations, where internal security

experts are unable to justify increased security methods or spending due to a

lack of measured information, presents a grave danger to the well-being of our

global economy. Having trusted measures and performance benchmarks will

significantly reduce this information gap between security and executive

leadership in organizations. It will help formulate more cost effective defense

strategies against cyber crime. Better detection rates of attacks, faster responses

to incidents, and sounder policy formulations will make companies more secure

and consequently more competitive in the global market. As Gordon Gekko

stated in Wall Street: "The most valuable commodity I know of is information."

This has never been truer than in the age of cyber space.

 

8

4 SUGGESTIONS

Malaysia has a set of cyberlaws that has been passed by Parliament to

provide a comprehensive framework of societal and commerce -enabling

laws, which encompass aspects concerning security of information and

network integrity and reliability.

These include among others, the Digital Signature Act 1997, Computer

Crime Act 1997, Communications and Multimedia Act 1998, and the Optical

Disk Act 2000.

Meanwhile, Association of Computer and Multimedia Malaysia (Pikom) Info

Security Special Interest Group Chairman Dr Wong Say Ho said the Oxford

Reference Online defines cybercrime as crime committed over the Internet

while the Encyclopaedia Britannica defines cybercrime as any crime that is

committed by means of special knowledge or expert use of computer

technology.

In July 2007, Federal Territory Umno Youth head, Datuk Norzahas urged

government to set up Malaysian Cyber Police unit in order to take action

against the bloggers. In view of the recent numerous arrest of bloggers, we

do need cyber police in Malaysia now.

However the following question will arise: what is the main duty of cyber

police; is our existing enforcement body capable to deal with the cyber

crimes now? 

It is suggested that cyber police unit functioned as a police department

dealing with cyber crimes. The broad definition of cyber crimes is “wrongful

act committed using computer as a tool or a target of the said act or both.”

As such, it seems that the basic requirement to join cyber police unit is IT

savyiness. As they may be required to hack into certain system or

tracking the source of the visitors/users and so on.

However, in view of the alleged offences committed by the bloggers in

Malaysia, most of them are in relation to making defamatory/seditious

9

statement via computer.  This falls under the broad definition of the

abovementioned “cyber crime”. In view of the rapid development of e-

commerce in Malaysia, we still need cyber police to handle other cyber

crimes like fraudulent online payment case, illegal hacking activities and

others.  

5 CONCLUSION

Cyber crime definitely must be taken seriously. Attacks can come from a computer

across the room or computers located in another country. The threat could be external or it

could be internal. It may have financial impact, it may deal with child pornography or it may

be related to cyber terrorism. Because of the number of computer crime cases that has

increased over the years (and many more unreported), the development of computer crime

laws and policing initiatives must grow in tandem. Tackling computer crime is similar to

tackling computer security; we have to start from the basics and address one thing at a time.

As long as there is a system in place to punish the wrongdoers, as long as there is public

awareness of the potential seriousness of such crimes, I believe that there will be much

headway in computer crime law and investigation in the coming years in Malaysia and around

the world. One important element that I found to be similar between most of the cases was

the strength of the investigation team and the support it has received from its counterparts

whether locally or internationally.

2521 words

10

REFERENCESCompile your references. Collect at least 5 major references for this paper.

4.1 Parker, D.B., Fighting Computer Crime, New York 1983

4.2 David S. Wall (ed.), Crime and the Internet, London: Routledge, 2001

4.3 Department of Justice’s (US) Computer Crime and Intellectual Property Section of the Criminal Division of the U.S. Department of Justice.

4.4 Fafinski, Stefan, Dutton, William H. and Margetts, Helen Zerlina, Mapping and Measuring Cybercrime (June 1, 2010). OII Working Paper No. 18. Available at SSRN: http://ssrn.com/abstract=1694107

4.5 http://www.usdoj.gov/criminal/cybercrime/index.html

4.6 http://www.justice.gov/criminal/cybercrime/cyberstalking.htm

4.7 http://www.symantec.com/content/en/us/home_homeoffice/html/ncr/

4.8 http://www.thenewnewinternet.com/2010/02/10/cybersecurity-malaysia- calls-for-more-cyber-experts/

11

Appendix

The 10 Most Mysterious Cyber CrimesThe best criminal hacker is the one that isn't caught—or even identified. These are 10 of the most infamous unsolved computer crimes (that we know about).

By Corinne Iozzio

September 26, 2008

Contents Crimes 1 - 5

Crimes 6 - 10

The most nefarious and crafty criminals are the ones who operate completely under the radar. In the computing world security breaches

happen all the time, and in the best cases the offenders get tracked down by the FBI or some other law enforcement agency.

But it's the ones who go uncaught and unidentified (those who we didn't highlight in our Cyber Crime Hall Fame that are actually the best.

Attempting to cover your tracks is Law-Breaking 101; being able to effectively do so, that's another story altogether.

When a major cyber crime remains unsolved, though, it probably also means that those of us outside the world of tech crime solving may never

even know the crime occurred.

These are some of the top headline-worthy highlights in the world of unsolved computing crime—cases in which the only information available

is the ruin left in their wake.

The WANK Worm (October 1989)Possibly the first "hacktivist" (hacking activist) attack, the WANK worm hit NASA offices in Greenbelt, Maryland. WANK (Worms Against Nuclear

Killers) ran a banner (pictured) across system computers as part of a protest to stop the launch of the plutonium-fueled, Jupiter-bound Galileo

probe. Cleaning up after the crack has been said to have cost NASA up to a half of a million dollars in time and resources. To this day, no one is

quite sure where the attack originated, though many fingers have pointed to Melbourne, Australia-based hackers.

Ministry of Defense Satellite Hacked (February 1999)

A small group of hackers traced to southern England gained control of a MoD Skynet military satellite and signaled a security intrusion

characterized by officials as "information warfare," in which an enemy attacks by disrupting military communications. In the end, the hackers

managed to reprogram the control system before being discovered. Though Scotland Yard's Computer Crimes Unit and the U.S. Air Force

worked together to investigate the case, no arrests have been made.

CD Universe Credit Card Breach (January 2000)

A blackmail scheme gone wrong, the posting of over 300,000 credit card numbers by hacker Maxim on a Web site entitled "The Maxus Credit

Card Pipeline" has remained unsolved since early 2000. Maxim stole the credit card information by breaching CDUniverse.com; he or she then

demanded $100,000 from the Web site in exchange for destroying the data. While Maxim is believed to be from Eastern Europe, the case

remains as of yet unsolved.

Military Source Code Stolen (December 2000)If there's one thing you don't want in the wrong hands, it's the source code that can control missile-guidance systems. In winter of 2000, a

hacker broke into government-contracted Exigent Software Technology and nabbed two-thirds of the code for Exigent's OS/COMET software,

which is responsible for both missile and satellite guidance, from the Naval Research Lab in Washington, D.C. Officials were able to follow the

trail of the intruder "Leaf" to the University of Kaiserslautern in Germany, but that's where the trail appears to end.

Anti-DRM Hack (October 2001)

In our eyes, not all hackers are bad guys (as evidenced by our list of the Ten Greatest Hacks of All Time); often they're just trying to right a

wrong or make life generally easier for the tech-consuming public. Such is the case of the hacker known as Beale Screamer, whose FreeMe

program allowed Windows Media users to strip digital-rights-management security from music and video files. While Microsoft tried to hunt

down Beale, other anti-DRM activists heralded him as a crusader.

Dennis Kucinich on CBSNews.com (October 2003)

As Representative Kucinich's presidential campaign struggled in the fall of 2003, a hacker did what he could to give it a boost. Early one Friday

morning the CBSNews.com homepage was replaced by the campaign's logo. The page then automatically redirected to a 30-minute video

called "This is the Moment," in which the candidate laid out his political philosophy. The Kucinich campaign denied any involvement with the

hack, and whoever was responsible was not identified.

Hacking Your MBA App (March 2006)

Waiting on a college or graduate school decision is a nail-biting experience, so when one hacker found out how to break into the automated

ApplyYourself application system in 2006, it was only natural that he wanted to share the wealth. Dozens of top business schools, including

Harvard and Stanford, saw applicants exploiting the hack in order to track their application statuses. The still-unknown hacker posted the

12

ApplyYourself login process on Business Week's online forums; the information was promptly removed and those who used it were warned by

schools that they should expect rejection letters in the mail.

The 26,000 Site Hack Attack (Winter 2008)

MSNBC.com was among the largest of the thousands of sites used by a group of unknown hackers earlier this year to redirect traffic to their

own JavaScript code hosted by servers known for malware. The malicious code was embedded in areas of the sites where users could not see

it, but where hackers could activate it.

Supermarket Security Breach (February 2008)Overshadowed only by a T.J Maxx breach in 2005, the theft of at least 1,800 credit and debit card numbers (and the exposure of about 4.2

million others) at supermarket chains Hannaford and Sweetbay (both owned by the Belgium-based Delhaize Group) in the Northeast United

States and Florida remains unsolved more than six months later. Chain reps and security experts are still unclear as to how the criminals

gained access to the system; the 2005 T.J.Maxx breach took advantage of a vulnerability in the chain's wireless credit transfer system, but

Hannaford and Sweetbay do not use wireless transfers of any sort. Without more information, the difficulty in tracking down those responsible

grows exponentially.

Comcast.net Gets a Redirect (May 2008)A devious hack doesn't always mean finding a back door or particularly crafty way into a secure network or server; sometimes it just means

that account information was compromised. Such was the case earlier this year when a member of the hacker group Kryogeniks gained

unauthorized access to Comcast.net's registrar, Network Solutions. The domain name system (DNS) hack altered Comcast.net's homepage to

redirect those attempting to access webmail to the hackers' own page (pictured). Spokespeople for Comcast and Network Solutions are still

unclear as to how the hackers got the username and password.

(Source: http://www.pcmag.com/article2/0,2817,2331226,00.asp#fbid=6e3tLx45MzL)

13