Author(s):Sunil Thacker

From coding a logic bomb to malicious hacking and from the formation of ransomware gangs to spear phishing, no computer in the cyber world is today immune from an electronic misdeed that continues to grow and develop and at the same time survive criminal prosecution in many instances. The year 2013 witnessed a new trend of cyber-attacks ranging from blackhole web malware, TDOS (telephony denial of service) and bad DDOS (distributed denial of service) attacks, advanced banking Trojans, proliferation of PUAs (potentially unwanted applications), invention of Tor network designed to hide user identity, advanced botnets, exploit kitsandcrypters. Cybercriminals recently went as far as setting up open market-place to sell drugs, illegal goods and harmful substances misusing the Tor network.

Cyber threat laboratories around the world treat blackhole exploit kits (the Blackhole)amongst the top 50 malware in the world. A Blackhole is a bundle of maliciously coded software that permits its creator to create security risks, manage networks, obtaining analytical information of victims such as victim’s location information, operating system, running applications, and system related information. The creators of such malware generally use a polymorphic engine (or; mutation engine) that converts software into various other versions with different code but are still capable of operating with the same functionality as original software. For this reason, anti-virus software generally cannot detect a Blackhole at the early stage.

Banks are being targeted almost every minute of the day and it is anticipated that very soon, mobile services could be the next wave of cyber crimes. Cybercriminals resort to a range of cyber-attacks to target banks and financial institutions. One such attack is a denial of service (DOS) attack whereby overwhelming requests are made to the bank’s server leading to temporary or indefinite interruption or suspension of services. Similarly, a bank’s security may be compromised by adopting telephone denial of service (TDOS) attacks. Scammers make use of caller ID spoofing whereby the number appearing on recipient’s caller id or phone screen is not the same as of the person making the call. For instance, the scammer may contact a bank representing itself as the bank’s customer and request for a wire transfer. In return, the bank attempts to reach its customer for verification purposes but fails to reach as customer’s lines are being flooded with fake calls. A recent trend of such frauds and bad practices is ransomware. Ransomware gangs work in union to create a ‘fix’ or malware that freezes victim’s computer making it impossible for the victim to access any part of his computer. The victim has only displayed a message demanding the ransom to be paid to ransomware gang to remove the restrictions placed on the victim’s computer.

Growing use of interconnected network systems has heightened criminal opportunities and expert computer criminals pose a threat to law enforcement. Although new techniques and malware are being developed rapidly, legal development has not been able to maintain the pace. Computer or internet crimes are generally very complex and it is difficult to prove and/or nab the criminals. Unless incriminating evidence exists, it is generally difficult to prove) that the computer was in fact compromised or hacked; ii) difficult to prove the creator or the hacker; iii)issues such as access, intent, and jurisdictional difficulties. For instance, a person possessing hacked information and person hacking the computer may be two different people. Document management in today’s global economy is much different than earlier when we had record trails. It is practically possible to commit a crime and destroy all the evidence.

Computer forensic experts, however, play a major role in technical matters involving cyber-crime. Forensics is a scientific method of examining questions of interest to a judge. Computer forensic experts employ advanced scientific techniques and tools that detect steganography (steganography is the science of encoding hidden messages), cryptographic messages, concealment, read slack area, detect encryption, remote attacks, and using advanced tools such as Nmap, Nessus, and computer online forensic evidence extractor.

In the United Arab Emirates, the Federal Law number 5 of 2012 (the UAECyber Crimes Law)combating cyber-crimes aims at preventing cyber-crimes. The UAE Cyber Crimes Law replaces and repeals its predecessor Federal Law number 2 of 2006 and dated 1 March 2006. The UAE Cyber Crimes Law is perhaps the most recent and advanced piece of legislation. A wide range of offenses that may be committed using the World Wide Web has been codified under the UAE Cyber Crimes Law. The law aims at criminalizing persons who gain unlawful access (the Access)to a website, electronic information system, computer network, or information technology (the System and collectively, the Systems) and also those who indulge in deleting, omitting, destructing, modifying deteriorating, altering, copying, publishing or republishing any data or information (the Violation). The basic features of the UAE Cyber Crimes Law can briefly be summarized as under:-

Article 1 to Article 11 – Persons posing threat to the security of any Systems, Phishing, and Forgery

Article 12 to Article 27 – aim at punishing offenders involved in more serious cybercrimes such as gaining access to bank accounts, credit cards, extortion, slander, eavesdropping, etc.

Article 28 and remaining articles – cover matters relating to public order, state security and other provisions.

Article Particulars Comments 2 criminalizes persons who gain unlawful Access to System and this includes persons who abuse their position and act in excess of their permitted authorizations. Persons who indulge in Violation (this includes corporate as well as personal data) shall face criminal prosecution. Imprisonment and/or a fine between AED 1,000 to 3,000/- for unlawful Access (term of imprisonment has not been provided); Imprisonment for at least six months and/or fine between AED 100,000/- to AED 750,000/- to persons engaging in any Violation; and Imprisonment for at least one year and/or fine between AED 250,000/- to AED 1 million if the individual’s Violation relates to personal data . 3 Punishes persons who engage in both – gaining unlawful Access to System and indulges in Violation. Imprisonment for a term of one year and/or fine between AED 250,000/- to AED 1 million. This clearly suggests that the Law aims at punishing offender violating personal data with the same punishment as the person committing gaining access to a system and disabling, copying or publishing it. 4 Seeks to punish persons who gain unlawful Access to System with the intention of gaining government data, or confidential information relating to the financial, economic or commercial facility. Imprisonment for a term of five years and a fine between AED 500,000/- to AED 2 million towards the Violation. 5 Offends persons who participate in any Violation and consequently gaining access to a website Imprisonment and/or a fine between AED 100,000 to 300,000/- (term of imprisonment has not been provided). 6. Persons committing forgery of an electronic document of the federal or local government or authorities or federal or local public establishments Persons committing forgery of an electronic document of authorities other than those mentioned in part (A) above Persons knowingly using forged documents Temporary imprisonment and/or a fine between AED 100,000 to 300,000/- imprisonment and/or a fine between AED 100,000 to 300,000/- imprisonment and/or a fine between AED 100,000 to 300,000/- 7 to 11 Persons engaging in Violation of any data or information relating to medical examinations, medical diagnosis, medical treatment or care or medical records; persons who hinder or obstructs access to any System; whoever uses a fraudulent computer network protocol address by using a false address or a third-party address by any other means for the purpose of committing a crime or preventing its discovery; whoever runs a malicious software that renders and system inoperable; Persons without legal right or those who fraudulently misrepresent themselves and steal personal information, property or deed for itself or others. Temporary imprisonment; Imprisonment and/or a fine between AED 1,000 to 3,000/- for unlawful Access (term of imprisonment has not been provided); Imprisonment and/or a fine between AED 150,000 to 500,000/- for unlawful Access (term of imprisonment has not been provided); Imprisonment for a term of five years and/or a fine between AED 500,000/- to AED 3 million towards the Violation if System becomes inoperable and imprisonment and/or fine of AED 500,000/- if the System survives and is operable; Imprisonment for a term of one year and/or a fine between AED 250,000/- to AED 1 million.

Article 12 to Article 16 cover a wide range of serious offenses including unlawful access by persons to bank accounts, credit or electronic card numbers, persons resorting to counterfeiting or reproducing credit cards, persons attempting to hack Systems to obtain codes or passwords, intercepting communications through the computer network, and resorting to extortion. Article 17 and 27 punishes offenders who establish, manage or run pornographic or gambling activities on the website or those who deliberately acquire pornographic material involving juveniles using any System. Article 19 to Article 30 cover crimes relating to morality and public order and these include provisions criminalizing persons who establish, manage or run prostitution or lewdness, engaging in crime of slander as determined by Islamic Sharia, acts of eavesdropping, photographing others, or illegally disclosing any confidential information, prompt riot, hatred, racism, sectarianism, or damage, trading or promoting fire weapons, ammunition, or persons accepting donations without license.



Article 28 to Article [ ] aim at maintaining the security of the UAE, public order and peace. These provisions prohibit persons who engage in inciting acts, publishing or transmitting information, drawings or pictures that may endanger national security and higher interests of the State or afflict its public order, operating a website providing information on or relating to any terrorist group or any unauthorized group, information, news or rumours with intent of sarcasm to damage reputation and prestige of State, any of its institutions or rulers, whoever runs website aiming or calling to overthrow, change the ruling system of the State, or seize it or to disrupt the provisions of the constitution, persons planning, organizing, promoting or calling for demonstrations or protests, persons running a website dealing in trafficking of antiquities or archaeological artifacts, any conduct or act that is disrespectful to Islam, resorts to money laundering, and persons who save or makes available any illicit content available on their website.

Conclusion

The UAE Cyber Crimes Law addresses dominant areas of paramount concern. Any activity on the cyberspace which poses a threat to the state security and political stability disturbs the Islamic principles of social and moral behavior or is financial criminal activity is punishable under the said law. Persons so acquitted are liable to pay penalties as specified under the law. While acting in conformity with the law, a court can pass a custodial sentence or deportation of the accused. The authorities have been provided the right to seize and destroy the equipment used in the process of such crime.

With Saudi Arabian oil giant Aramco’s claim of cyber attack, the UAE Government’s activity to combat cyber crimes has gained momentum. Experts argue that with the rollout of new projects and massive economic growth, the increase in sophisticated cyber crimes in the Middle East will be witnessed. In light of recent legislation in place and active involvement by authorities, UAE seems to be geared up for the challenge.