Cybercrime Richard Warner [email protected]

What Is Cybercrime?

Most broadly, cybercrime consists of any crime committed using computers. Such crimes divide into two groups:

Crimes that merely use computers;
Crimes that harm computers.

Identity theft, online fraud, and IP theft are examples of the first; denial of service attacks and viruses are examples of the second.

Crimes of the Second Type: viruses, worms, Trojans, denial of service, computer intrusions.

Crimes of the First Type: theft of information, data loss or manipulation, phone phreaking, child pornography, copyright violations, theft of trade secrets, identity theft, credit cards.

Sophistication Versus Knowledge

[Chart: two curves, Intruder Knowledge and Attack Sophistication, plotted from High to Low over the years 1980 to 2000, with Tools and Attackers labelled along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, DoS, www attacks, “stealth” / advanced scanning techniques, burglaries, network mgmt. diagnostics.]

Liability under the CFAA

1030(a)(2)(C) imposes liability on whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication.” Computers used in “interstate or foreign commerce or communication” are “protected.” 1030(e)(2).

Liability under the CFAA

1030(a)(5) imposes liability on anyone who

(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.

Liability Under The CFAA

1030(g): “Any person who suffers damage or loss by reason of a violation of the section, may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”

Damage Defined

1030(e)(8): the term "damage" means any impairment to the integrity or availability of data, a program, a system, or information, that--

(A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals;

(B) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals;

(C) causes physical injury to any person; or

(D) threatens public health or safety.

United States v. Morris

United States v. Morris applies the CFAA. Morris was a Cornell University computer science doctoral student. He released a worm over the Internet.

A worm is a self-replicating computer program designed to spread over the Internet without any further human interaction with the program once it is released.

Purpose of the Morris Worm

Morris did not intend his worm to cause any harm. As the court notes, “The goal of this program was to demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects that Morris had discovered. The tactic he selected was release of a worm into network computers.”

The Design of the Worm

Morris designed the worm to copy itself from Internet system to Internet system; however, before it copied itself, the worm first asked the computer if it already had a copy of the worm.

Point: multiple copies would slow the computer down and make the computer owner aware of the worm’s presence.

Morris wanted to show that the worm could spread undetected.

The Design of the Worm

The worm did not copy itself if it got a “yes” answer. However, Morris also worried that system owners who became aware of the worm would stop its spread by programming their computers to answer “yes.”

So he programmed the worm to copy itself every seventh time it received a “yes” from the same computer.

The Error

Morris greatly underestimated the number of times a computer would be asked if it had the worm.

The worm spread with great rapidity over the Internet, causing computer slowdowns and shutdowns and imposing on system owners the cost of removing the worm.

Morris was prosecuted criminally under the Computer Fraud and Abuse Act.
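A toy simulation of the replication rule the slides describe, added here as an illustration (it is not Morris's code; the host count, probe rate, tick count and seed are constructed). With the “yes” check alone every host ends up with one copy; with the every-seventh-“yes” exception the number of copies on a host grows with the number of times it is asked, which is the quantity the “The Error” slide says Morris underestimated.

```python
# Constructed model of the "ask first, but copy anyway every seventh yes" rule.
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Host:
    copies: int = 0        # running copies of the worm on this host
    yes_answers: int = 0   # times this host has answered "yes, already infected"


def attempt_copy(target: Host, reinfect_every: Optional[int]) -> bool:
    """One copy attempt against `target`; returns True if a new copy starts."""
    if target.copies == 0:          # host answers "no": first infection
        target.copies = 1
        return True
    target.yes_answers += 1         # host answers "yes"
    if reinfect_every and target.yes_answers % reinfect_every == 0:
        target.copies += 1          # the exception that defeats the check
        return True
    return False


def simulate(n_hosts: int, ticks: int, probes_per_copy: int,
             reinfect_every: Optional[int], seed: int = 1) -> List[Host]:
    """Every running copy asks `probes_per_copy` random hosts per tick."""
    rng = random.Random(seed)
    hosts = [Host() for _ in range(n_hosts)]
    hosts[0].copies = 1             # patient zero
    for _ in range(ticks):
        active = sum(h.copies for h in hosts)   # more copies -> more asking
        for _ in range(active * probes_per_copy):
            attempt_copy(rng.choice(hosts), reinfect_every)
    return hosts


def infected(hosts: List[Host]) -> int:
    return sum(1 for h in hosts if h.copies)


def max_copies(hosts: List[Host]) -> int:
    return max(h.copies for h in hosts)


if __name__ == "__main__":
    for rule in (None, 7):
        hs = simulate(n_hosts=50, ticks=10, probes_per_copy=3, reinfect_every=rule)
        print(f"reinfect_every={rule}: infected={infected(hs)}/50, "
              f"max copies on one host={max_copies(hs)}")
```

Once every host is infected, almost every probe draws a “yes”, so the exception turns the total probe rate directly into extra copies, and each extra copy probes in turn.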

The Issues

The court: “The issues raised are (1) whether the Government must prove not only that the defendant intended to access a federal interest computer, but also that the defendant intended to prevent authorized use of the computer's information and thereby cause loss; and (2) what satisfies the statutory requirement of ‘access without authorization.’”

The Ruling

The court holds that the only intent required is the intent to access the system.

The authorization issue: Morris was authorized to access the computers he initially accessed. He exceeded the use he was authorized to make. Is this enough to make his access unauthorized? The court answers that it is.

Electronic Communications Privacy Act (18 USC 121, Sec. 2701)

The Act imposes liability on anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided; or intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage.”

Exceptions

Liability is not imposed if the access is authorized “by the person or entity providing a wire or electronic communications service; [or] by a user of that service with respect to a communication of or intended for that user.”

Note: if one party to the communication agrees to the access, liability is avoided.

Federal Wiretap Act (18 U.S.C. § 2510, et seq.)

The Act provides for criminal punishment and a private right of action against "any person who--(a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept wire, oral, or electronic communication [except as provided in the statute]." Section 2511.

Exception

"It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or any State." § 2511(2)(d).

EU Convention on Cybercrime: Access

The convention directs the member states to criminalize intentional unauthorized access to computer systems, where the states may require that “the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system.”

Compare: CFAA, ECPA.

Interception

States are to criminalize the intentional unauthorized interception of data transferred between computers, where they may require that “the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system.”

Compare: Wiretap Act.

Interference

The states are to criminalize, when intentional, “the damaging, deletion, deterioration, alteration or suppression of computer data without right [without authorization].”

Compare: CFAA, ECPA.

Functioning

The states are to criminalize, when intentional, “serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.”

Compare: CFAA, ECPA?

Devices

The states are to make criminal, when intentional, the possession or “the production, sale, procurement for use, import, distribution or otherwise making available of” devices (including passwords, data, and computer programs) designed primarily for the purpose of committing the foregoing offenses, with the intent that it be used to commit one of those offenses.

The Digital Millennium Copyright Act

17 USC 1201 (2): No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that -

(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;

(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or

(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.

In Addition

States are to criminalize acts involving computer-related forgery, fraud, offenses involving child pornography, and offenses related to the infringement of intellectual property rights.

Victim Liability to Third Parties

ATT v. Jiffy Lube (F. Supp. 1164 (1993)). ATT supplied Jiffy Lube with long-distance telephone service which included the ability for remote access to the service.

Remote users dialed an 800 number, entered a password (“lube”), and were then able to place long-distance calls.

A hacker obtained the 800 number and password and then published both on a BBS.

Jiffy Lube Must Pay

The court held that Jiffy Lube was contractually liable for the approximately $55,000 in charges.

The court—of course!—rejected Jiffy Lube’s argument that making it pay violated public policy. Jiffy Lube is the party that controls who calls through remote access to the 800 number.

Compare Maine Public Utilities Commission v. Verizon-Maine

Verizon-Maine provides wholesale Internet access to local telecommunications companies--Competitive Local Exchange Carriers (CLECs).

On January 25th, 2003, the Slammer worm invaded the Verizon network.

To contain the worm, Verizon shut down its interfaces with all the CLECs, which had no Internet access through Verizon until late in the day on the 26th.

The Maine Public Utilities Commission awarded a rebate of $62,000 from Verizon.

Non-Contractual Cases

There are none—yet. But there will be: whoever undertakes to do something must do it in the manner that a reasonable person would.

Internet systems that undertake to provide security are no exception to this principle.

Given the importance of the Internet to the critical infrastructure of the United States, courts will not hesitate to impose negligence liability and legislators will pass relevant statutes.

Outsourcing Issues

If you outsource to another entity, and your client or another relevant third party is harmed by that entity's lack of security, what is your liability?

It will depend on contractual provisions, but note that the HIPAA regulations (CFR § 164.308(b)(1) and CFR § 164.314(a)(1)) require that business associates implement certain security procedures.

Cooperating with the Investigation

What the FBI wants you to do:

Attempt to identify the source
Stop the attack
Enable logging
Retrieve and secure logs
Start the “sniffers”
Call the FBI

What you must do.

[Diagram: tracing an attack back from the Victim Site through Looping Sites (.edu, .com, .gov) to the Source ISP, with the investigative tools available at each step: Logs, Trap/Trace, Monitoring, Subpoena, Search Warrant.]

The Traditional Three Levels of 4th Amendment Protection

First level: Non-exigent searches and seizures typically require a warrant based on probable cause.

Second level: Some less invasive actions (being stopped on the street by a police officer) are permissible on reasonable suspicion (specific, articulable facts that criminal activity is occurring).

Third level: Where the government seeks records from a third party, it can use a subpoena. This does not require reasonable suspicion, only a finding that the information sought is relevant to an investigation. The target of the subpoena can challenge it, before the records are handed over, on grounds of irrelevance or overbreadth. Examples: credit reports, financial and medical records.

Beyond the Three Levels

Delayed notice subpoena: requires danger that notice might frustrate the investigation; used to obtain financial records.

Ex parte subpoena: challengeable by the third party holding the records; used to obtain e-mail.

Relevance order: issued by a court on grounds of relevance; used to obtain phone records.

Beyond the Three Levels

Certification order: issued by a court based on a claim of relevance by the police; the court does not make an independent judgment of relevance. Used to intercept transaction information about calls and e-mails.

Extrajudicial certification: issued by police based on a police claim of relevance. Used to obtain federal public records and records related to terrorism.

No requirement: all other public records not protected by state laws.

Private Enforcement

Private companies and organizations police the Internet in order to detect cybercrimes. Private enforcement is critical in controlling cybercrime. Simply consider eBay: it has over 22 million members and over 6 million items for sale a day. Public law enforcement cannot monitor all this activity on a daily basis.

Private Detectives and Watchdog Groups

eBay retains private detectives to police its site. There are also watchdog organizations:

The Internet Fraud Watch: enforces laws privately
The Software Publishers Association: prosecutes copyright violations and piracy
International Chamber of Commerce: polices financial and IP crimes

Various statutes create private rights of action.