Denial of Service attacks via “Botnet” Zombies – student pleads guilty

ASCL Cyber Law Bulletin
28th May, 2010

Mitchell L. Frost, a 23-year-old student, pleaded guilty to charges of causing damage to a protected computer system and possessing 15 or more unauthorized access devices.

Frost is from Bellevue, Ohio, USA.

According to court documents, Frost admitted that between August 2006 and March 2007, while enrolled as a student at the University of Akron, he used the University’s computer network to access IRC channels on the Internet to control other computers and computer networks via computers intentionally infected and taken over, known as “BotNet” zombies, which were located throughout the United States and in other countries.

Frost also admitted gaining access to other computers and computer networks by various means, including scanning the Internet searching for computer networks which were vulnerable to attack or unauthorized intrusion, gaining unauthorized access to and control over such computers, and fraudulently obtaining user names and passwords for users on such systems.

Frost admitted using the compromised computers to spread malicious computer codes, commands and information to even more computers, all for the purpose of harvesting and obtaining information and data from the compromised computer networks, including user names, passwords, credit card numbers, and CVV security codes, and for the purpose of launching Distributed Denial of Service (DDoS) attacks on computer systems and Internet websites.

Frost admitted that between August 2006 and March 2007, he initiated DDoS attacks on numerous computers connected to the Internet hosting various websites, including www.joinrudy2008.com, www.billoreilly.com, and www.anncoulter.com, among others, temporarily interrupting operation of the websites, which required the site owners to intervene and repair their computer systems.

Frost also admitted initiating denial of service attacks against the University of Akron computer server on or about March 14, 2007, which caused the entire University of Akron computer network to be knocked off-line for approximately 8½ hours, preventing all students, faculty and staff members from accessing the network. This denial of service attack required the University of Akron to employ diagnostic and remedial measures to restore computer service, causing losses in excess of $10,000.

Frost will be sentenced on August 5, 2010, by U.S. District Judge Lesley Wells. His sentence will be determined by the Court after review of factors unique to this case, including his prior criminal record, if any, his role in the offense and the characteristics of the violation.

Relevant US Law

TITLE 18–CRIMES AND CRIMINAL PROCEDURE

PART I–CRIMES

CHAPTER 47–FRAUD AND FALSE STATEMENTS

Sec. 1030. Fraud and related activity in connection with computers

(a) Whoever–

(1) having knowingly accessed a computer without authorization
or exceeding authorized access, and by means of such conduct having
obtained information that has been determined by the United States
Government pursuant to an Executive order or statute to require
protection against unauthorized disclosure for reasons of national
defense or foreign relations, or any restricted data, as defined in
paragraph y. of section 11 of the Atomic Energy Act of 1954, with
reason to believe that such information so obtained could be used to
the injury of the United States, or to the advantage of any foreign
nation willfully communicates, delivers, transmits, or causes to be
communicated, delivered, or transmitted, or attempts to communicate,
deliver, transmit or cause to be communicated, delivered, or
transmitted the same to any person not entitled to receive it, or
willfully retains the same and fails to deliver it to the officer or
employee of the United States entitled to receive it;

(2) intentionally accesses a computer without authorization or
exceeds authorized access, and thereby obtains–
(A) information contained in a financial record of a
financial institution, or of a card issuer as defined in section
1602(n) of title 15, or contained in a file of a consumer
reporting agency on a consumer, as such terms are defined in the
Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United
States; or
(C) information from any protected computer if the conduct
involved an interstate or foreign communication;

(3) intentionally, without authorization to access any nonpublic
computer of a department or agency of the United States, accesses
such a computer of that department or agency that is exclusively for
the use of the Government of the United States or, in the case of a
computer not exclusively for such use, is used by or for the
Government of the United States and such conduct affects that use by
or for the Government of the United States;

(4) knowingly and with intent to defraud, accesses a protected
computer without authorization, or exceeds authorized access, and by
means of such conduct furthers the intended fraud and obtains
anything of value, unless the object of the fraud and the thing
obtained consists only of the use of the computer and the value of
such use is not more than $5,000 in any 1-year period;

(5)(A)(i) knowingly causes the transmission of a program,
information, code, or command, and as a result of such conduct,
intentionally causes damage without authorization, to a protected
computer;
(ii) intentionally accesses a protected computer without
authorization, and as a result of such conduct, recklessly causes
damage; or
(iii) intentionally accesses a protected computer without
authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of
subparagraph (A), caused (or, in the case of an attempted offense,
would, if completed, have caused)–
(i) loss to 1 or more persons during any 1-year period (and,
for purposes of an investigation, prosecution, or other
proceeding brought by the United States only, loss resulting
from a related course of conduct affecting 1 or more other
protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential
modification or impairment, of the medical examination,
diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a
government entity in furtherance of the administration of
justice, national defense, or national security;

(6) knowingly and with intent to defraud traffics (as defined in
section 1029) in any password or similar information through which a
computer may be accessed without authorization, if–
(A) such trafficking affects interstate or foreign commerce;
or
(B) such computer is used by or for the Government of the
United States;

(7) with intent to extort from any person any money or other
thing of value, transmits in interstate or foreign commerce any
communication containing any threat to cause damage to a protected
computer;

shall be punished as provided in subsection (c) of this section.

(b) Whoever attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.

(c) The punishment for an offense under subsection (a) or (b) of this section is–

(1)(A) a fine under this title or imprisonment for not more than
ten years, or both, in the case of an offense under subsection
(a)(1) of this section which does not occur after a conviction for
another offense under this section, or an attempt to commit an
offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than
twenty years, or both, in the case of an offense under subsection
(a)(1) of this section which occurs after a conviction for another
offense under this section, or an attempt to commit an offense
punishable under this subparagraph;
(2)(A) except as provided in subparagraph (B), a fine under this
title or imprisonment for not more than one year, or both, in the
case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii),
or (a)(6) of this section which does not occur after a conviction
for another offense under this section, or an attempt to commit an
offense punishable under this subparagraph;
(B) a fine under this title or imprisonment for not more than 5
years, or both, in the case of an offense under subsection (a)(2),
or an attempt to commit an offense punishable under this
subparagraph, if–
(i) the offense was committed for purposes of commercial
advantage or private financial gain;
(ii) the offense was committed in furtherance of any
criminal or tortious act in violation of the Constitution or
laws of the United States or of any State; or
(iii) the value of the information obtained exceeds $5,000;
and

(C) a fine under this title or imprisonment for not more than
ten years, or both, in the case of an offense under subsection
(a)(2), (a)(3) or (a)(6) of this section which occurs after a
conviction for another offense under this section, or an attempt to
commit an offense punishable under this subparagraph;
(3)(A) a fine under this title or imprisonment for not more than
five years, or both, in the case of an offense under subsection
(a)(4) or (a)(7) of this section which does not occur after a
conviction for another offense under this section, or an attempt to
commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than
ten years, or both, in the case of an offense under subsection
(a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after
a conviction for another offense under this section, or an attempt
to commit an offense punishable under this subparagraph;
(4)(A) except as provided in paragraph (5), a fine under this
title, imprisonment for not more than 10 years, or both, in the case
of an offense under subsection (a)(5)(A)(i), or an attempt to commit
an offense punishable under that subsection;
(B) a fine under this title, imprisonment for not more than 5
years, or both, in the case of an offense under subsection
(a)(5)(A)(ii), or an attempt to commit an offense punishable under
that subsection;
(C) except as provided in paragraph (5), a fine under this
title, imprisonment for not more than 20 years, or both, in the case
of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an
attempt to commit an offense punishable under either subsection,
that occurs after a conviction for another offense under this
section; and
(5)(A) if the offender knowingly or recklessly causes or
attempts to cause serious bodily injury from conduct in violation of
subsection (a)(5)(A)(i), a fine under this title or imprisonment for
not more than 20 years, or both; and
(B) if the offender knowingly or recklessly causes or attempts
to cause death from conduct in violation of subsection (a)(5)(A)(i),
a fine under this title or imprisonment for any term of years or for
life, or both.

(d)

(1) The United States Secret Service shall, in addition to any
other agency having such authority, have the authority to investigate
offenses under this section.
(2) The Federal Bureau of Investigation shall have primary authority
to investigate offenses under subsection (a)(1) for any cases involving
espionage, foreign counterintelligence, information protected against
unauthorized disclosure for reasons of national defense or foreign
relations, or Restricted Data (as that term is defined in section 11y of
the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses
affecting the duties of the United States Secret Service pursuant to
section 3056(a) of this title.
(3) Such authority shall be exercised in accordance with an
agreement which shall be entered into by the Secretary of the Treasury
and the Attorney General.
(e) As used in this section–
(1) the term “computer” means an electronic, magnetic,
optical, electrochemical, or other high speed data processing
device performing logical,
arithmetic, or storage functions, and includes any data storage
facility or communications facility directly related to or operating
in conjunction with such device, but such term does not include an
automated typewriter or typesetter, a portable hand held calculator,
or other similar device;
(2) the term “protected computer” means a computer–
(A) exclusively for the use of a financial institution or
the United States Government, or, in the case of a computer not
exclusively for such use, used by or for a financial institution
or the United States Government and the conduct constituting the
offense affects that use by or for the financial institution or
the Government; or
(B) which is used in interstate or foreign commerce or
communication, including a computer located outside the United
States that is used in a manner that affects interstate or
foreign commerce or communication of the United States;

(3) the term “State” includes the District of Columbia, the
Commonwealth of Puerto Rico, and any other commonwealth, possession
or territory of the United States;
(4) the term “financial institution” means–
(A) an institution, with deposits insured by the Federal
Deposit Insurance Corporation;
(B) the Federal Reserve or a member of the Federal Reserve
including any Federal Reserve Bank;
(C) a credit union with accounts insured by the National
Credit Union Administration;
(D) a member of the Federal home loan bank system and any
home loan bank;
(E) any institution of the Farm Credit System under the Farm
Credit Act of 1971;
(F) a broker-dealer registered with the Securities and
Exchange Commission pursuant to section 15 of the Securities
Exchange Act of 1934;
(G) the Securities Investor Protection Corporation;
(H) a branch or agency of a foreign bank (as such terms are
defined in paragraphs (1) and (3) of section 1(b) of the
International Banking Act of 1978); and
(I) an organization operating under section 25 or section
25(a)
(5) the term “financial record” means information derived from
any record held by a financial institution pertaining to a
customer’s relationship with the financial institution;
(6) the term “exceeds authorized access” means to access a
computer with authorization and to use such access to obtain or
alter information in the computer that the accesser is not entitled
so to obtain or alter;
(7) the term “department of the United States” means the
legislative or judicial branch of the Government or one of the
executive departments enumerated in section 101 of title 5;
(8) the term “damage” means any impairment to the integrity or
availability of data, a program, a system, or information;
(9) the term “government entity” includes the Government of
the United States, any State or political subdivision of the United
States, any foreign country, and any state, province, municipality,
or other political subdivision of a foreign country;
(10) the term “conviction” shall include a conviction under
the law of any State for a crime punishable by imprisonment for more
than 1 year, an element of which is unauthorized access, or
exceeding authorized access, to a computer;
(11) the term “loss” means any reasonable cost to any victim,
including the cost of responding to an offense, conducting a damage
assessment, and restoring the data, program, system, or information
to its condition prior to the offense, and any revenue lost, cost
incurred, or other consequential damages incurred because of
interruption of service; and
(12) the term “person” means any individual, firm,
corporation, educational institution, financial institution,
governmental entity, or legal or other entity.

(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

(h) The Attorney General and the Secretary of the Treasury shall report to the Congress annually, during the first 3 years following the date of the enactment of this subsection, concerning investigations and prosecutions under subsection (a)(5).


TITLE 18–CRIMES AND CRIMINAL PROCEDURE

PART I–CRIMES

CHAPTER 47–FRAUD AND FALSE STATEMENTS

Sec. 1029. Fraud and related activity in connection with access
devices

(a) Whoever–
(1) knowingly and with intent to defraud produces, uses, or
traffics in one or more counterfeit access devices;
(2) knowingly and with intent to defraud traffics in or uses one
or more unauthorized access devices during any one-year period, and
by such conduct obtains anything of value aggregating $1,000 or more
during that period;
(3) knowingly and with intent to defraud possesses fifteen or
more devices which are counterfeit or unauthorized access devices;
(4) knowingly, and with intent to defraud, produces, traffics
in, has control or custody of, or possesses device-making equipment;
(5) knowingly and with intent to defraud effects transactions,
with 1 or more access devices issued to another person or persons,
to receive payment or any other thing of value during any 1-year
period the aggregate value of which is equal to or greater than
$1,000;
(6) without the authorization of the issuer of the access
device, knowingly and with intent to defraud solicits a person for
the purpose of–
(A) offering an access device; or
(B) selling information regarding or an application to
obtain an access device;

(7) knowingly and with intent to defraud uses, produces,
traffics in, has control or custody of, or possesses a
telecommunications instrument that has been modified or altered to
obtain unauthorized use of telecommunications services;
(8) knowingly and with intent to defraud uses, produces,
traffics in, has control or custody of, or possesses a scanning
receiver;
(9) knowingly uses, produces, traffics in, has control or
custody of, or possesses hardware or software, knowing it has been
configured to insert or modify telecommunication identifying
information associated with or contained in a telecommunications
instrument so that such instrument may be used to obtain
telecommunications service without authorization; or
(10) without the authorization of the credit card system member
or its agent, knowingly and with intent to defraud causes or
arranges for another person to present to the member or its agent,
for payment, 1 or more evidences or records of transactions made by an access device;
shall, if the offense affects interstate or foreign commerce, be
punished as provided in subsection (c) of this section.

(b)(1) Whoever attempts to commit an offense under subsection (a) of
this section shall be subject to the same penalties as those prescribed
for the offense attempted.
(2) Whoever is a party to a conspiracy of two or more persons to
commit an offense under subsection (a) of this section, if any of the
parties engages in any conduct in furtherance of such offense, shall be
fined an amount not greater than the amount provided as the maximum fine
for such offense under subsection (c) of this section or imprisoned not
longer than one-half the period provided as the maximum imprisonment for
such offense under subsection (c) of this section, or both.

(c) Penalties.–
(1) Generally.–The punishment for an offense under subsection
(a) of this section is–
(A) in the case of an offense that does not occur after a
conviction for another offense under this section–
(i) if the offense is under paragraph (1), (2), (3),
(6), (7), or (10) of subsection (a), a fine under this title
or imprisonment for not more than 10 years, or both; and
(ii) if the offense is under paragraph (4), (5), (8), or
(9) of subsection (a), a fine under this title or
imprisonment for not more than 15 years, or both;

(B) in the case of an offense that occurs after a conviction
for another offense under this section, a fine under this title
or imprisonment for not more than 20 years, or both; and
(C) in either case, forfeiture to the United States of any
personal property used or intended to be used to commit the
offense.

(2) Forfeiture procedure.–The forfeiture of property under this
section, including any seizure and disposition of the property and
any related administrative and judicial proceeding, shall be
governed by section 413 of the Controlled Substances Act, except for
subsection (d) of that section.

(d) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section. Such authority of the United States Secret Service shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.

(e) As used in this section–
(1) the term “access device” means any card, plate, code,
account number, electronic serial number, mobile identification
number, personal identification number, or other telecommunications
service, equipment, or instrument identifier, or other means of
account access that can be used, alone or in conjunction with
another access device, to obtain money, goods, services, or any
other thing of value, or that can be used to initiate a transfer of
funds (other than a transfer originated solely by paper instrument);
(2) the term “counterfeit access device” means any access
device that is counterfeit, fictitious, altered, or forged, or an
identifiable component of an access device or a counterfeit access
device;
(3) the term “unauthorized access device” means any access
device that is lost, stolen, expired, revoked, canceled, or obtained
with intent to defraud;
(4) the term “produce” includes design, alter, authenticate,
duplicate, or assemble;
(5) the term “traffic” means transfer, or otherwise dispose
of, to another, or obtain control of with intent to transfer or
dispose of;
(6) the term “device-making equipment” means any equipment,
mechanism, or impression designed or primarily used for making an
access device or a counterfeit access device;
(7) the term “credit card system member” means a financial
institution or other entity that is a member of a credit card
system, including an entity, whether affiliated with or identical to
the credit card issuer, that is the sole member of a credit card
system;
(8) the term “scanning receiver” means a device or apparatus
that can be used to intercept a wire or electronic communication in
violation of chapter 119 or to intercept an electronic serial
number, mobile identification number, or other identifier of any
telecommunications service, equipment, or instrument;
(9) the term “telecommunications service” has the meaning
given such term in section 3 of title I of the Communications Act of
1934 (47 U.S.C. 153);
(10) the term “facilities-based carrier” means an entity that
owns communications transmission facilities, is responsible for the
operation and maintenance of those facilities, and holds an
operating license issued by the Federal Communications Commission
under the authority of title III of the Communications Act of 1934;
and
(11) the term “telecommunication identifying information”
means electronic serial number or any other number or signal that
identifies a specific telecommunications instrument or account, or a
specific communication transmitted from a telecommunications
instrument.

(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States, or any activity authorized under chapter 224 of this title. For purposes of this subsection, the term “State” includes a State of the United States, the District of Columbia, and any commonwealth, territory, or possession of the United States.

(g)(1) It is not a violation of subsection (a)(9) for an officer,
employee, or agent of, or a person engaged in business with, a
facilities-based carrier, to engage in conduct (other than trafficking)
otherwise prohibited by that subsection for the purpose of protecting
the property or legal rights of that carrier, unless such conduct is for
the purpose of obtaining telecommunications service provided by another
facilities-based carrier without the authorization of such carrier.
(2) In a prosecution for a violation of subsection (a)(9), (other
than a violation consisting of producing or trafficking) it is an
affirmative defense (which the defendant must establish by a
preponderance of the evidence) that the conduct charged was engaged in
for research or development in connection with a lawful purpose.

(h) Any person who, outside the jurisdiction of the United States, engages in any act that, if committed within the jurisdiction of the United States, would constitute an offense under subsection (a) or (b) of this section, shall be subject to the fines, penalties, imprisonment, and forfeiture provided in this title if–
(1) the offense involves an access device issued, owned,
managed, or controlled by a financial institution, account issuer,
credit card system member, or other entity within the jurisdiction
of the United States; and
(2) the person transports, delivers, conveys, transfers to or
through, or otherwise stores, secrets, or holds within the
jurisdiction of the United States, any article used to assist in the
commission of the offense or the proceeds of such offense or
property derived therefrom.
