Cybersecurity Attacks: Critical Legal and Investigation Aspects You Must Know
TRANSCRIPT
SINGAPORE POLYTECHNIC
(EMOG) FORUM 2014
Security & Talent
Management
By Zaid Hamzah
4 June 2014
Email: [email protected] www.cybersecuritylaw.asia
Workshop 4
Cybersecurity Attacks Critical Legal & Investigation Aspects
You Must Know
Objectives
1. Equip participants with the concepts and principles of computer crime laws and regulations
2. Understand investigative measures, methods and techniques which can be used to determine if a computer crime has been committed.
3. Understand methods to gather, preserve and present evidence of a computer crime
4. Provide an overview of the cybersecurity law in Singapore (Computer Misuse and Cybersecurity Act, Chapter 50A).
What we will cover
1. Learn how to identify legal risk issues in the design, development and management of information technology security systems;
2. Understand key legal risk management principles and strategies that organizations should adopt as part of their information security policy;
3. Know how to carry out investigation processes and techniques when a computer crime is suspected to have been committed;
4. Understand how to manage digital evidence to ensure that such evidence meets the legal standards and requirements in court proceedings;
5. Learn how to better deal with legal and regulatory compliance in the information security arena, including understanding criminal prosecution procedures under Singapore’s cybersecurity law.
About Zaid Hamzah
• Advocate & Solicitor, Singapore
• Solicitor, England & Wales
• Author of 9 books including “E-security Law & Strategy” (other 8 books on Strategic Legal Risk Management, Information Technology Contracts, Biotechnology, Biomedical Science Law, Private Equity and Venture Capital, IP Law and Strategy)
Over 26 years of professional work experience including:
• Director for Intellectual Property at Microsoft, Asia Pacific
• Chief Legal, Regulatory & Compliance Officer, Telekom Malaysia
• Founder of software company, i-Knowledge Technologies
• Principal, SLG Consultants (regional business & investment consultancy)
• Lawyer, Khattar Wong & Partners (law firm in Singapore)
• Singapore Government Service
Present Role: Advisor to governments, enterprises, research institutions on IPR, technology commercialization, IP-based financing, intellectual capital management
Entrepreneur: www.intellectualfutures.com
E-Security Law & Strategy by Zaid Hamzah
Publisher Lexis Nexis, 2005
www.lexisnexis.com.my
ISBN 967-962-632-6 (paperback)
E-Security Law and Strategy provides a concise and management-oriented legal guide on key aspects of information security and computer forensics, an emerging practice area that deals primarily with the management of digital evidence. Aimed at IT professionals and business executives in corporations, organizations and government agencies as well as lawyers seeking an introduction to this emerging practice area.
KEY TAKE-AWAYS
1. Cyber-attacks harm national security and business interests – they are usually considered criminal acts in most jurisdictions.
2. In managing the security aspects of the networked environment, understanding how the law and legal process operates is critical to cybercrime management.
3. Knowing how digital evidence should be managed is critical to successful prosecution in the courts.
4. Creating a robust legal framework and prosecution regime is an essential building block in the fight against cybersecurity breaches – this should be part of a proactive and structured risk management framework.
GENERAL PRINCIPLES
Cybercrime – The Legal Aspects
The law operates in all aspects – you must understand the legal issues & ramifications:
• Chain of Custody
• Integrity of Evidence
• Burden of Proof
• Admissibility of Evidence
The Legal & Investigation Cycle
Intrusion Detection → Evidence Preservation & Analysis → Investigation → Prosecution
Legal aspects are integral parts of the cycle.
Strategies to Manage Legal Aspects
• Compliance with the law
• Evidence produced must meet legal standards
• Collection of evidence must comply with the laws of criminal procedure
• For successful criminal prosecution:
  – Must acquire the evidence while preserving the integrity of the evidence
    • No damage during collection, transportation, or storage
    • Document everything
    • Collect everything the first time
  – Establish a chain of custody
• What to watch out for:
  – Don’t work on original evidence!
  – Can perform analysis of evidence on an exact copy!
  – Make many copies and investigate them without touching the original
  – Can use time stamping/hash code techniques to prove evidence has not been compromised
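The hashing and chain-of-custody advice above, as an added example that is not from the slides: the disk-image bytes, examiner names and description are constructed, SHA-256 stands in for the “hash code” technique, and every hand-over re-hashes the working copy and records a UTC timestamp, so a copy that no longer matches the acquisition hash is refused and logged rather than carried silently into analysis.

```python
"""Evidence-integrity and chain-of-custody demo (added example, not from the slides)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (in practice a dd/E01 file).
ORIGINAL_IMAGE = b"NTFS header... user data ... deleted-file remnants ...\x00" * 64


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the evidence; recomputed at every hand-over."""
    return hashlib.sha256(data).hexdigest()


def acquisition_record(data: bytes, examiner: str, description: str) -> dict:
    """Chain-of-custody record created once, when the original is first seized."""
    return {
        "description": description,
        "sha256": sha256_hex(data),
        "size": len(data),
        "custody": [{"event": "acquired", "by": examiner,
                     "at": datetime.now(timezone.utc).isoformat()}],
    }


def working_copy(original: bytes) -> bytes:
    """Exact copy for analysis, so the original is never worked on."""
    return bytes(original)


def handover(record: dict, from_person: str, to_person: str, copy: bytes) -> bool:
    """Verify the copy against the acquisition hash and log the transfer.

    Returns False (and logs an integrity failure) if even one byte differs.
    """
    ok = sha256_hex(copy) == record["sha256"]
    record["custody"].append({
        "event": "transfer" if ok else "INTEGRITY FAILURE",
        "from": from_person, "to": to_person,
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return ok


if __name__ == "__main__":
    rec = acquisition_record(ORIGINAL_IMAGE, "examiner-A", "laptop HDD image (constructed)")
    copy1 = working_copy(ORIGINAL_IMAGE)
    print("clean copy verified:", handover(rec, "examiner-A", "examiner-B", copy1))
    tampered = copy1[:-1] + b"\x01"   # one byte changed: hash no longer matches
    print("tampered copy verified:", handover(rec, "examiner-B", "lab", tampered))
    print(json.dumps(rec, indent=2))  # the time-stamped custody trail for the report
```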
Key Aspects
DIGITAL FORENSICS
Digital Forensics & the Law
• Computer Forensics: an autopsy of a computer or network to uncover digital evidence of a crime
• Role of Evidence in the Court: evidence must be preserved and hold up in a court of law
HOW THE LAW OPERATES
Types of Offences & Civil Wrongs
1. Need to determine if it is a crime or a civil wrong
2. All depends on the laws of the country – so if hacking is not a criminal offence in a particular country, cybercriminals can’t be put in jail in that country
3. Most cybercrimes are cross-border in nature – so one needs to know how to deal with cross-border legal issues
WHAT IS A CYBERCRIME?
Example of a Criminal Offence
Unauthorised access to computer material
3.—(1) Subject to subsection (2), any person who knowingly causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a second or subsequent conviction, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both.
Criminal intention + Action = CRIME
THE LEGISLATIVE FRAMEWORK IN SINGAPORE
COMPUTER MISUSE AND CYBERSECURITY ACT
Part I PRELIMINARY
Part II OFFENCES
3 Unauthorised access to computer material
4 Access with intent to commit or facilitate commission of offence
5 Unauthorised modification of computer material
6 Unauthorised use or interception of computer service
7 Unauthorised obstruction of use of computer
8 Unauthorised disclosure of access code
9 Enhanced punishment for offences involving protected computers
10 Abetments and attempts punishable as offences
Part III MISCELLANEOUS AND GENERAL
11 Territorial scope of offences under this Act
12 Jurisdiction of Courts
12A Composition of offences
13 Order for payment of compensation
14 Saving for investigations by police and law enforcement officers
15 (Repealed)
15A Cybersecurity measures and requirements
16 Arrest by police without warrant
MANAGING DIGITAL EVIDENCE
Concepts
• Integrity of Evidence – tampered evidence cannot be used
• Admissibility of Evidence – cannot be illegally obtained
• Weightage of Evidence – if not strong, not so useful (but you can try)
• Burden of Proof – beyond reasonable doubt
Evidence Management Lifecycle
1. Physical evidence
2. Digital Evidence
Identify Evidence → Collect Evidence → Process Evidence → Analyze Evidence → Present in report
IP addresses are like the digital fingerprint
Additional slides provided by Mr Benjamin Ang
Part 2
Computer Misuse and Cyber Security Act
CMA Crimes – committed against computers
• “for securing computer material against unauthorised access or modification”
• Deals largely with “pure” computer crimes i.e. crimes against computer systems e.g. Hacking, stealing information
Other Crimes (or Torts) – committed using computers
• Spreading pornography
• Spreading sedition
• Running illegal gambling operations
• Defamation
• Fraud e.g. scam emails
Computer Misuse Act offences
Section Offence
S. 3 Unauthorised access
S. 4 Access with intent to commit further offence
S. 5 Unauthorised modification
S. 6 Unauthorised use of computer service
S. 7 Unauthorised obstruction of use
S. 8 Unauthorised disclosure of access codes
S. 9 Enhanced Punishment for Protected computers
Section 3 - Unauthorised access
• Where a person, without authority, accesses the data or a program stored in a computer.
– Hacking
– Snooping around
– Accessing commercially sensitive information e.g. financial database of bank
– Accessing someone else’s email, social media
Section 4 - Access with intent to commit further offence
• Where a person uses a computer with intent to commit an offence (theft, cheating/fraud or bodily injury)
– Setting up online transactions to transfer money from another person’s account
– Credit-card skimming to make purchases
– Credit-card skimming to create counterfeit cards
– Illegal altering of stored value of cinema smart cards
• The ACCESS is an offence even if the final offence (theft, fraud etc) was not completed
Section 5 - Unauthorised modification
• Where a person causes unauthorised modification (changes, erases, copies, moves, uses) of the contents of any computer.
– Intentionally introducing a virus
– Deleting someone else’s data
– Changing someone else’s data
What offences were committed?
• Lim Siong Khee v PP: Lim and victim broke up their relationship; three of victim’s friends received an e-mail sent from her account giving lurid details of her relationship with Lim
• PP v. Lim Boon Hong: Skimmed data stored on the magnetic strips of credit cards for the purpose of the cheating credit card companies
• Law Aik Meng v PP: Skimmed data from genuine ATM cards to manufacture cloned ATM cards
• Navaseelan Balasingam v PP: Used cloned ATM cards to withdraw money
Section 6 - Unauthorised use of computer service
• Where a person gains access without authority to any computer for the purpose of obtaining, directly or indirectly, any computer service.
– Using someone else’s account without permission
– Using someone else’s wi-fi without permission
Section 7 - Unauthorised obstruction of use
• Where a person interferes with, or interrupts or obstructs the lawful use of a computer.
– Email bombs, ‘ping’ attacks, viruses
– All kinds of Denial of Service (DoS) attacks
Section 8 - Unauthorised disclosure of access codes
• Where a person knowingly and without authority, discloses
– any password,
– access code or
– any other means of gaining access to any program or data held in any computer.
What offences were committed?
• PP v Mohd Nuzaihan: Reconfigured a company’s server to create an IRC account for himself; then used the company’s high speed link to download files from the Internet
• PP v Kendrick Tan: Sent 2,500 e-mails to 3 different addresses at the HDB, asking for a response
• Sicknet case: 2 hackers obtained the passwords of several Singnet subscribers and posted them on a US-based website called Sicknet
Section 9 – “Protected” computers
• The offender gets an enhanced sentence if he/she knew that the computer is used for:
– security, defence, international relations;
– confidential source of information relating to the enforcement of a criminal law;
– communications infrastructure, banking and finance, public utilities, public transportation or public key infrastructure;
– public safety, essential emergency services (police, civil defence and medical services)
SEARCH & SEIZURE OF DIGITAL EVIDENCE
SEARCH AND SEIZURE CRIMINAL PROCEDURE CODE
38 Power of court to impound document or other thing produced
39 Power to access computer
40 Power to access decryption information
38 Power of court to impound document or other thing produced
• A court may, if it thinks fit, impound any document or other thing taken under this Code and produced before it.
39 Power to access computer
• 39.—(1) A police officer or an authorised person, investigating an arrestable offence, may at any time —
• (a) access, inspect and check the operation of a computer that he has reasonable cause to suspect is or has been used in connection with the arrestable offence; or
• (b) use or cause to be used any such computer to search any data contained in or available to such computer.
39 Power to access computer
• (3) Any person who obstructs the lawful exercise by a police officer or an authorised person of the powers under subsection (1), or who fails to comply with any requirement of the police officer or authorised person under subsection (2), shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 6 months or to both.
40 Power to access decryption information
• (2) The police officer or authorised person referred to in subsection (1) shall be entitled to —
• (a) access any information, code or technology which has the capability of retransforming or unscrambling encrypted data into readable and comprehensible format or text for the purposes of investigating the arrestable offence;
40 Power to access decryption information
• (b) A police officer can also require —
• any person … having charge of, or otherwise concerned with the operation of, such computer, to provide him with such reasonable technical and other assistance as he may require; and
• require any person whom he reasonably suspects to be in possession of any decryption information to grant him access to such decryption information as may be necessary
CONFIDENTIAL INFORMATION
Elements of Confidence
• The following information will be protected
– The information was confidential to the business/company;
– The information has been revealed in breach of a promise of confidence;
– The information was used in an improper way that has resulted in financial damage to the business/company.
• The owner of the information can sue for an injunction or damages
END