ECE579S/5 #1 Spring 2011 © 2000-2010, Richard A. Stanley ECE579S: Computer and Network Security 5:...

Spring 2011© 2000-2010, Richard A. Stanley

ECE579S/5 #1

ECE579S: Computer and Network Security

5: Malicious Code and Information Security Law

Professor Richard A. Stanley, P.E.


ECE579S/5 #2

Last time…

• Attacking a network is no different from robbing a bank; you have to plan if you expect to be successful

• There are three basic steps to planning, which is called vulnerability assessment:– Acquire the target (case the joint)– Scan for vulnerabilities (find the entry points)– Identify poorly protected data (enumeration)

• This applies if you are inside or outside the protected perimeter!• TCP/IP was not intended as a secure protocol; as a result, it has

vulnerabilities that can be exploited• There are many types of attacks that can be mounted over network

connections in order to gain unauthorized access to resources• Firewalls can be useful, but are not a panacea


ECE579S/5 #3

Malicious Code

• “Malicious code is any code added, changed, or removed from a software system to intentionally cause harm or subvert the system’s intended function.” G. McGraw & G. Morrisett, Attacking Malicious Code, IEEE

Software, Sep/Oct 2000

• Examples:– Viruses – Java attack applets– Worms – Attack scripts– Trojan Horses – Dangerous ActiveX

controls


ECE579S/5 #4

Malicious Code Issues

• Distinction among categories “bleeding together,” complicating classification

• Networking makes dissemination of malicious code much easier, and does not require physical access to the computer

• Systems are much more complex

• Systems are easily extensible


ECE579S/5 #5

User Experience vs. Security

• Distributed computing has given rise to a huge volume of mobile code being used to perform mundane activities

• Being visually stimulated, people will almost always choose animation over safety

• Development emphasis is on enhanced user experience, NOT on security


ECE579S/5 #6

Malicious Code Examples: It’s Not New

Love Bug 2000 Mobile code virus The fastest spreading virus to that time used VBscript and Microsoft Outlook mail to propagate.Caused estimated $10 billion damage.

Trinoo (and others) 2000 Remote-controlattack script

The highly publicized denial of service attacks ofFebruary 2000 were carried out by remotelyplanted agent programs.

Melissa 1999 Mobile code virus The second fastest spreading virus of all timeused e-mail to propagate. Infected over 1.2million machines in a few hours.

Back Orifice 1998 Offensive code Remote control program installed on Windowsmachines by crackers. Pervasive.

ActiveX (scripting) 1997-today Mobile code Decried by security professionals, Microsoft’sActiveX system introduces grave security risks byrelying on user’s discretion and judgment eventhough digital signatures are used.

Thompson’scompiler trick

1984 Trojan Horse Ken Thompson introduced a Trojan Horse in a Ccompiler that compiled itself into future programs(“Reflections on Trusting Trust,” Comm. ACM,Vol. 27, No. 8, Aug. 1984).

From G. McGraw & G. Morrisett, Attacking Malicious Code, IEEE Software, Sep/Oct 2000


ECE579S/5 #7

Mobile Code• Code that extends or updates code in place• Transferred to user computer, usually via a

network connection, and runs without user actions unless the user has taken prior steps to prevent it happening

• Mobile code is pervasive, and we depend on it for updates, services, and features

• It isn’t going away--that’s not an option


ECE579S/5 #8

We have a security kernel; what’s the problem?

• Kernel provides protection at low levels for primitives (e.g. files)

• Increasingly, attacks occur at application level, where what is passed to the kernel appears to be perfectly acceptable

• Increasingly easy to hide malicious code within applications, thus making kernel-level security difficult to apply


ECE579S/5 #9

Security Problems

• The kernel is critical, but it is not a “one size fits all” solution to the security problem

• There are many issues, technical and procedural, that allow for unexpected access to supposedly secure information and processes.

• The higher up the stack attacks occur, the harder it is for the kernel to defend against them

• Let’s have a look...


ECE579S/5 #10

A Caveat

• The common perception is that security exists to protect against deliberate attacks

• That is true, BUT...• Security must also protect the system

against problems arising from accidental or incidental misuse, misconfiguration, or other such non-malicious but equally threatening events


ECE579S/5 #11

Ways Things Go Wrong

• Change in Environment

• Bound/syntax checking

• Hazardous design features

• Escape from controlled invocation

• Bypass at lower levels

• Protocol implementation flaws

• Pure malevolence


ECE579S/5 #12

Virus Targets

Hardware

OS Kernel

Operating System

Services

Applications

Virus

Virus


ECE579S/5 #13

Virus Taxonomy

• Virus infects a computer– self-replicating code with a payload– resident– transient

• Worm is alive, replicates but does not infect

• Trojan Horse is program with unseen effect

• Logic bomb executes on trigger condition


ECE579S/5 #14

How Does a PC Boot?• Fixed ROM call seeks master boot sector• Master boot sector

– Standard location– Contains partition table and executables– Points to DOS boot sector

• DOS boot table– Contains executable code and the FAT– Loads io.sys, msdos.sys

– Passes control to shell (command.com)


ECE579S/5 #15

How to Exploit Boot Sequence?• Bootstrap virus

– Machine specific– Uses BIOS functions only

• Master boot sector virus– Stoned virus relocates master boot sector

• DOS boot sector virus– Same technique, different boot sector (brain)

• Later stage virus


ECE579S/5 #16

Application Viruses

• Parasitic virus attaches to an executable, usually inserts jump table to virus

• Companion virus exploits the PATH

• Macro viruses exploit the (often useful) features of powerful macro languages– Attaches to a data file, not an executable– Platform independent, high-level code


ECE579S/5 #17

Ebola on the Computer• Interrupt redirection

– TSR virus triggers on specified interrupt– Can totally avoid integrity checks

• FAT virus -- very similar to above• Knowing where the virus lives is key to

finding and eradicating it– As a result, the “bad guys” spend a lot of effort

to disguise their products to fool virus checkers


ECE579S/5 #18

Hidden Viruses

• Polymorphic• Stealth

– DOS virus, Brain

– Size and read stealth

• Slow• Retro• Multipartite• Phage


ECE579S/5 #19

Taxonomy

• A true virus is not an executable--it must infect something to do its damage

• Malicious code is usually more than a virus; it frequently consists of free-standing executables (programs, DLLs, etc.)

• Recent usage blurs the distinction between a virus and everything else--all malicious code now tends to be called a virus.

• We probably can’t change this loose usage, but you need to be aware of what is what


ECE579S/5 #20

Hoaxes: the Virtual Virus

• A virus hoax can have the same effect as a real virus

• A hoax can be used to desensitize users to a real virus that follows (e.g. AOL4free.com: once a hoax, now a Trojan Horse)

• To check on possible hoaxes:– http://hoaxbusters.ciac.org/HoaxBustersHome.html– http://www.symantec.com/avcenter/hoax.html– http://urbanlegends.about.com/science/urbanlegends/

msubvir.html


ECE579S/5 #21

Macro Viruses

• Fast-growing class because of wide variety of applications that will execute them

• Easy to create by semi-skilled individuals• Quick to spread• Can generate multipartite viruses when

executed• Virtually every common application today

enables macro or VB use!


ECE579S/5 #22

Worms--They’re Alive!

• A worm is a real program, not a virus

• They crash computers by replicating without control until they consume all the available computer resources

• Often used to link automatically to other computers, thereby spreading without user intervention


ECE579S/5 #23

Macro Worms: “Virus” du Jour• Arguably greatest malicious code threat

today• Easy to create, even by minimally skilled

individuals• They garner much press, most of it from a

press corps that doesn’t understand the technology

• Cleanup costs are huge


ECE579S/5 #24

A Macro Worm• Anna Kournikova hits the Internet

– Email worm spread via Outlook address book

– Hits millions of users, over 20 large corporations in Australia alone

– Why?• Is Kournikova a common name?

• Are people that curious?

• Did someone suspect the picture was off-color?

– You are a systems administrator--how do you protect against this sort of thing?


ECE579S/5 #25

Who Did It?• Kournikova hacker

– Traced by Exite@home

– Lives in Friesland, Netherlands

– 20-year old male

– “Wanted to demonstrate how easy it was to write a virus.”

– Maximum sentence guideline in Netherlands is 4 years, prosecutor can ask for more

• How did he do it?


ECE579S/5 #26

How He Did It

Rocket science, this is not


ECE579S/5 #27

Malicious Code• Modern computing has gotten used to

running mobile code without asking• Controls are weak and easily evaded

– Does your system support Java? JavaScript?– Is it feasible to turn off mobile code?

• “You don’t know where it’s been”• Even the most helpful-looking code can do

damage behind the scenes


ECE579S/5 #28

Consider the Dancing Pigs

• Users have been conditioned to click “OK” on all dialog boxes

• People are visually stimulated

• Dancing pigs trump security every time!


ECE579S/5 #29

Trojan Horses

• Program that does something “extra” and unexpected, usually something hostile

• Typical acts:– Keystroke logging– Opening back doors into the machine

• Just like their namesake, masquerade as something truly useful

Picture © Microsoft Encarta


ECE579S/5 #30

Some Trojan Horses

• Back Orifice– Written by the Cult of the Dead Cow– Provides remote control of computer via high

order port– Similar features to PCAnywhere, but better

• AOL4Free– Captures passwords– Destroys hard drives


ECE579S/5 #31

Defense Against Malevolence• Physical and administrative controls

– Practice safe computing– Be realistic

• Integrity protection (e.g., checksums)• Scanner software

– Not a panacea, but a good practice– Lots of viruses exist that are not in the wild– Beware virus warnings from virus catchers– False positives are a problem

• Bounties?


ECE579S/5 #32

Malicious Code Summary

• What you don’t know can hurt you

• Many ways to sneak into the computer -- not all of them viruses -- and cause havoc

• Many goals and objectives, from mischief to espionage

• Tools exist to help manage the problem

• POLICY!


ECE579S/5 #33

Disclaimer

• This class is intended to provide an introduction to the law as it pertains to information security

• Nothing in this class should be interpreted as constituting legal advice; those seeking legal advice should consult an attorney.


ECE579S/5 #34

Information Security Law? I’m a Techie!

• Modern computer technology has changed the rules about where value resides

• Once upon a time, valuable things -- like money -- were kept in bank vaults and banks were a major target of thieves

• Today, valuable things -- like money and information -- are reduced to bits and are kept in computers

• Analogy: today’s interbank courier is a network connection


ECE579S/5 #35

Bottom Line...

• If you are going to be involved with computers, you are going to be involved with the law, one way or another

• Better to know what it is all about before you get hurt


ECE579S/5 #36

Why Do You Care?• Computer crime is one of -- if not THE --

fastest growing crime categories• “That’s where the money is”• Fraud loss in Southern NY area alone,

Jan ‘95 to Jan ‘03: nearly $800,000,000• This isn’t just victimless, white-collar

crime: nearly 2/3 of those arrested were carrying automatic weapons


ECE579S/5 #37

It Isn’t Just Crime• If you operate a network service, you may

face civil liability if civil codes are violated– Copyright protection– Trademark protection– Other intellectual property

• Pressure from various entities– Privacy– Content


ECE579S/5 #38

Knowing what is illegal is key• Example: until late 1998, it was NOT

illegal in the U.S. to steal someone else’s identity

• Where you are defines what is illegal– OK to use another name in US if not to defraud– Illegal in U.K.

• You WILL be involved in this if you are involved in computer security


ECE579S/5 #39

Caution!

• You are NOT a law enforcement officer!

• You need to know about computer law to be an effective computer security person, just as you need to know about motor vehicle law to be an effective driver

• Ignorance of the law is not an excuse for breaking it


ECE579S/5 #40

U. S. Law• Criminal

– Charges brought by state in name of the people– No private prosecutions (cf. U.K. law)– No double jeopardy (what does this mean?)– Penalties: incarceration, death and/or fines

• Civil– Action brought by one party against another– Penalties: deprivation of property

NB: There are other ways to classify law. We’ll talk about them next time.


ECE579S/5 #41

Basis of U.S. Law

• English Common Law (except Louisiana)– Statutes (enacted by legislatures)– Case law– Precedents

• State/local vs. Federal law– Jurisdiction– Pre-emption


ECE579S/5 #42

A Quick Taxonomy of the Law

• Just like engineering, they have a language• 18 USC § 2319 decodes as “Title 18,

United States Code, Section 2319”• State laws have their own abbreviations, but

follow the same pattern:– In New York: PL = Penal Law– In Mass: MGL = Mass. General Laws– In Conn: CGS = Conn. General Statutes, etc.


ECE579S/5 #43

What is illegal?

• Can’t cover everything, so will concentrate on US federal law, with added local & foreign examples

• US Code can be found on the Web at: www4.law.cornell.edu/uscode

• Title 18 is the criminal title: it defines federal crimes and criminal procedure

• All the laws of the United States are found (somewhere) in the Code


ECE579S/5 #44

What the laws will tell you

• What is prohibited, often in excruciating detail

• What must be proven to prove the crime (often by inference)

• What the penalty is for violating the law


ECE579S/5 #45

US Code Overview - 1Title 1 General Provisions

Title 2 The Congress

Title 3 The President

Title 4 Flag and Seal, Seat Of Government, and the States

Title 5 Government Organization and Employees

Title 6 Surety Bonds (repealed)

Title 7 Agriculture

Title 8 Aliens and Nationality

Title 9 Arbitration

Title 10 Armed Forces


ECE579S/5 #46

US Code Overview -2Title 11 Bankruptcy

Title 12 Banks and Banking

Title 13 Census

Title 14 Coast Guard

Title 15 Commerce and Trade

Title 16 Conservation

Title 17 Copyrights

Title 18 Crimes and Criminal Procedure

Title 19 Customs Duties

Title 20 Education


ECE579S/5 #47

US Code Overview -3Title 21 Food and Drugs

Title 22 Foreign Relations and Intercourse

Title 23 Highways

Title 24 Hospitals and Asylums

Title 25 Indians

Title 26 Internal Revenue Code

Title 27 Intoxicating Liquors

Title 28 Judiciary and Judicial Procedure

Title 29 Labor

Title 30 Mineral Lands and Mining


ECE579S/5 #48

US Code Overview -4Title 31 Money and Finance

Title 32 National Guard

Title 33 Navigation and Navigable Waters

Title 34 Navy (repealed)

Title 35 Patents

Title 36 Patriotic Societies and Observances

Title 37 Pay and Allowances Of the Uniformed Services

Title 38 Veterans' Benefits

Title 39 Postal Service

Title 40 Public Buildings, Property, and Works


ECE579S/5 #49

US Code Overview -5Title 41 Public Contracts

Title 42 The Public Health and Welfare

Title 43 Public Lands

Title 44 Public Printing and Documents

Title 45 Railroads

Title 46 Shipping

Title 47 Telegraphs, Telephones, and Radiotelegraphs

Title 48 Territories and Insular Possessions

Title 49 Transportation

Title 50 War and National Defense


ECE579S/5 #50

Where You Stand Depends on Where You Sit

• What is illegal depends on:– where the crime occurred– who has jurisdiction

• this is not always determined by geography (e.g., bank robbery is always a federal crime in the U.S.A.)

• there may be overlapping jurisdiction

• prosecutors may decide to proceed in one jurisdiction because of penalties available


ECE579S/5 #51

For Example...

• Consider privacy• The European Union has a very different

view of how data on individuals may be collected and handled than does the U.S.

• This difference in laws has a significant effect on cross-border electronic commerce– How can you tell when E-commerce is cross-

border? It isn’t easy?


ECE579S/5 #52

Directive 95/46/EC of the European Parliament

and of the Council of 24 October 1995, Article 6

1. Member States shall provide that personal data must be:(a) processed fairly and lawfully;(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.


ECE579S/5 #53

Directive 95/46/EC of the European Parliament

and of the Council of 24 October 1995, Article 8

The processing of special categories of data1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life. {absent specific consent of the data subject as provided in other sections of this article}

3. Paragraph 1 shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.4. Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law or by decision of the supervisory authority.


ECE579S/5 #54

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, Article 10

Information in cases of collection of data from the data subjectMember States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:(a) the identity of the controller and of his representative, if any;(b) the purposes of the processing for which the data are intended;(c) any further information such as- the recipients or categories of recipients of the data,- whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,- the existence of the right of access to and the right to rectify the data concerning himin so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.


ECE579S/5 #55


Information where the data have not been obtained from the data subject1. Where the data have not been obtained from the data subject, Member States shall provide that the controller or his representative must at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed provide the data subject with at least the following information, except where he already has it:{same as Article 10 disclosures}

2. Paragraph 1 shall not apply where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In these cases Member States shall provide appropriate safeguards.


ECE579S/5 #56


Right of accessMember States shall guarantee every data subject the right to obtain from the controller:(a) without constraint at reasonable intervals and without excessive delay or expense:- confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,- knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1);(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.


ECE579S/5 #57

The Point?

• Under U.S. law, data about individuals belongs to the collector of the data– Hard to know what was collected & by whom– Hard/impossible to access, correct

• Under E.U. law, data about individuals belongs to the individual– Data collector must advise individual of details

of data collected and what is being done with it


ECE579S/5 #58

I Still Don’t Get It

• OK. Do you know where all your data originates and whose laws apply to it?

• Because of the E.U. privacy laws, multinational companies based in the U.S. may no longer maintain E. U. employee data in U.S. databases, and cannot process payrolls for E.U. citizens on U.S. computers

• Could this impact your business?


ECE579S/5 #59

Language is Important• Regulations are not laws -- they describe

details of how to comply with the law• Annotations in laws trace the history of the

law’s development--what was illegal yesterday may not be illegal today (e.g. Prohibition), and vice versa

• You need a lawyer or a law enforcement agent to help with the details


ECE579S/5 #60

Where Do Regulations Fit?

• Regulations provide detailed information on how laws are to be applied– Code of Federal Regulations (CFR) [44 USC § 1510]– Code of Massachusetts Regulations (CMR)– Similar taxonomy to statutes

• Regulations are not laws, but failure to observe their requirements can often lead to serious problems (e.g., losing a contract)

• In some few cases, violation of a regulation can be a violation of a statute


ECE579S/5 #61

Who Does What?• Law enforcement agencies

– Investigate crimes, collect evidence

• Prosecutors– Evaluate evidence, decide whether to prosecute– Represent state in criminal matters

• Courts– Hear evidence, reach conclusion on guilt

• Defense attorneys– Represent the accused


ECE579S/5 #62

Prosecutorial Peculiarities• All crimes are not prosecuted• The likelihood of prosecution depends on

– Magnitude of the crime– Likelihood of conviction

• Will the jury understand the crime?• How good is the evidence?

• You can improve probability of prosecution by knowing what you are doing and keeping the evidence sound

• Prosecutors get performance reviews, too


ECE579S/5 #63

Basic Theorem• It is not permissible to break the law in

order to enforce it– IRC sessions and law enforcement– Automatic actions to counter hacking– Eavesdropping (but not always)

• Depending on your point of view, this is a basic preservation of constitutional liberty or a gift to law breakers. But it is the law!


ECE579S/5 #64

So, Who Enforces the Laws?

• Law enforcement officers!!• Who, as we all know from television and

the newspapers, are– overweight– addicted to doughnuts and coffee– oversexed– not too bright

• BUNK!!!


ECE579S/5 #65

Some observations about law enforcement

• For the most part, law enforcement agents are intelligent, honest, and hard-working

• Pay scales are far below private industry, so finding agents with technology skills is hard, especially CURRENT technology– Detectives median earnings in 2009: $55,000 – FBI agents start at GS-10 ($47,297 + locality pay for 2010)

• They want to do a good job -- taking criminals off the street is what they do

• You need their help, and they need yours.


ECE579S/5 #66

Federal Agency Snapshots - 1

• FBI– Federal Bureau of Investigation– Part of US Department of Justice– Charged with enforcement of federal laws– Other counterparts

• Canada: RCMP (but not exactly)

• Germany: Bundeskriminalpolizei

• Many nations have no counterpart


ECE579S/5 #67


• USSS– United States Secret Service– Best known for protecting the President– Part of the Homeland Security Department– Primary jurisdiction in electronic crime,

currency and counterfeiting (all sorts)– Foreign counterparts: no exact ones. RCMP in

Canada has many of same roles


ECE579S/5 #68


• US Customs & Border Protection– Responsible for immigration control, collecting

duties and preventing smuggling– Primary enforcement agency protecting US

borders– If it comes into the US, it is their business– Part of the Homeland Security Department– Nearly every nation has an equivalent agency


ECE579S/5 #69

USA Patriot Act

• Actually an acronym for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001”– Title fairly self-explanatory

• Text can be found at EPIC:– http://www.epic.org/privacy/terrorism/hr3162.html


ECE579S/5 #70

New York Electronic Crimes Task Force (NYECTF)

• Flagship law enforcement effort to protect the public from electronic crimes

• Formed in 1995 by the US Secret Service New York Field Office

• Unique partnership among government, industry, and academia

• Now numbers over 250 members


ECE579S/5 #71

Some ECTF Members

• Federal law enforcement (FBI, USSS, etc.)• State law enforcement (NY State Police, etc.)• Local law enforcement (NYPD, PAPD, etc.)• Federal prosecutors (USA for So. Dist. Of NY,

USA for NJ, USA for CT, etc.)• Academia (Fordham, CCNY, Dartmouth, etc.)• Industry partners (telephone companies, banks,

consultants, etc.)


ECE579S/5 #72

NYECTF Results

• Has brought more than 800 indictments– The Gambino crime family– Crooks selling counterfeit hardware & software– Cellular telephone fraud

• Value of crimes exceeds $800 million– Real, not opportunity costs

• Looked to by law enforcement and industry worldwide as the model to be emulated


ECE579S/5 #73

The NYECTF Secret

• Deal with law enforcement as if it were a business activity– Don’t focus on numbers of arrests to measure

success– Instead, focus on the change you bring to the

community– Put differently, what is the return on

investment? (ROI)


ECE579S/5 #74

The Ultimate Compliment: USA PATRIOT ACT OF 2001

SEC. 105. EXPANSION OF NATIONAL ELECTRONIC CRIME TASK FORCE INITIATIVE.The Director of the United States Secret Service shall take appropriate actions to develop a national network of electronic crime task forces, based on the New York Electronic Crimes Task Force model, throughout the United States, for the purpose of preventing, detecting, and investigating various forms of electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems.

(Italics and colored text not in original.)


ECE579S/5 #75

What About Unauthorized Computer Access?


ECE579S/5 #76

Unauthorized Computer Access

• Federal law– 18 USC § 1030 -- Fraud, use of computers for

economic espionage, computer intrusions

• Massachusetts law– 266 MGL § 33A. Intent to defraud commercial computer

service; penalties

– 266 MGL § 120F. Unauthorized access to computer system; penalties

• Canadian Law– Criminal Code of Canada, 342.1


ECE579S/5 #77

18 USC § 1030

• Knowing, intentional unauthorized access or access beyond authorization is a crime, depending on the computer and what is accessed

• Trafficking in computer access information is a crime

• Severe punishments provided– As much as 10 years imprisonment

• USA Patriot Act of 2001 expands US Secret Service jurisdiction in this area (§506)


ECE579S/5 #78

USA Patriot Act § 506• (a) Concurrent Jurisdiction Under 18 U.S.C. 1030- Section 1030(d) of title 18, United

States Code, is amended to read as follows: • `(d)(1) The United States Secret Service shall, in addition to any other agency having

such authority, have the authority to investigate offenses under this section. • `(2) The Federal Bureau of Investigation shall have primary authority to investigate

offenses under subsection (a)(1) for any cases involving espionage, foreign counterintelligence, information protected against unauthorized disclosure for reasons of national defense or foreign relations, or Restricted Data (as that term is defined in section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses affecting the duties of the United States Secret Service pursuant to section 3056(a) of this title.

• `(3) Such authority shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.'.

• (b) Reauthorization of Jurisdiction under 18 U.S.C. 1344- Section 3056(b)(3) of title 18, United States Code, is amended by striking `credit and debit card frauds, and false identification documents or devices' and inserting `access device frauds, false identification documents or devices, and any fraud or other criminal or unlawful activity in or against any federally insured financial institution'.


ECE579S/5 #79

MGL CHAPTER 266. CRIMES AGAINST PROPERTY.

Chapter 266: Section 120F. Unauthorized access to computer system; penalties.

Section 120F. Whoever, without authorization, knowingly accesses a computer system by any means, or after gaining access to a computer system by any means knows that such access is not authorized and fails to terminate such access, shall be punished by imprisonment in the house of correction for not more than thirty days or by a fine of not more than one thousand dollars, or both.

The requirement of a password or other authentication to gain access shall constitute notice that access is limited to authorized users.


ECE579S/5 #80

Criminal Code of Canada342.1 (1) Every one who, fraudulently and without colour of right,

(a) obtains, directly or indirectly, any computer service,

(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system,

(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system, or

(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c)

is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.


ECE579S/5 #81

Some Other Computer Crimes

• 18 USC § 1028 -- Identity theft • 18 USC § 1029 -- Fraud and related activity

in connection with access devices• 18 USC § 471 -- Counterfeiting US notes• 18 USC § 2252 -- Kiddy pornography• 18 USC § 2318 -- Counterfeit computer

labels, program documentation, packaging• 18 USC § 2319 -- Copyright infringement


ECE579S/5 #82

Identity Fraud

• Deals with “false identification document”– Making, transfer, use, possession all crimes– Identity documents covered

• Any identification document issued under by or under the authority of the United States

– Includes federal, state, local, foreign government, international quasi-governmental organization

– Birth certificate, driver’s license, personal ID card

– Penalties up to 15 years imprisonment


ECE579S/5 #83

Other Areas of Concern

• Intellectual property of all types– Copyrights– Patents– Trade secrets

• Your responsibility for the actions of others


ECE579S/5 #84

Legal Issues in Computer Security

• Copyrights [17 USC]– Protect expression of ideas, not the idea itself

– Gives author exclusive rights to copy & sell

– Can cover “any tangible medium of expression”

– Work must be original to the author

– Subject to “fair use”

– Marking required

– Lasts for 50 years after death of last author (moving target)


ECE579S/5 #85

Copyrights Again

• Copyright valid without registration, but registering helps insure protection

• Infringement resolved in the courts

• U. S. Govt. works in public domain, but not all governments (cf. Crown Copyright)

• Programs can be copyrighted, but…

• Copyright limits distribution, not use


ECE579S/5 #86

More About Copyrights

• Fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means :– criticism– comment– news reporting– teaching (including multiple copies for

classroom use)


ECE579S/5 #87

Copyright Infringement

• Basic statute is 17 USC § 506– Title 17 deals with copyrights– Section 506 treats remedies for infringement– For legal consistency, penalties are in the

criminal title, Title 18

• Up to 3 years imprisonment, first offense• Up to 6 years imprisonment, second or

subsequent offense


ECE579S/5 #88

More Legal Considerations

• What if…– One of your employees is using your computer

system to do something illegal?– Someone outside the organization is using your

computer resources for illicit purposes?– Your system is broken into and important

information goes missing or becomes public?

Are You Liable?


ECE579S/5 #89

What Is Your Responsibility?• For intellectual property?

• For personal data?

• For financial data?

• For proper operation of the network?

• How and where are these things defined?


ECE579S/5 #90

The Other “P” Word• Privacy

– What is it?– How to protect it?– What do customers and employees expect?– What do they have a right to expect?– Where is the Constitutional right to privacy

found?


ECE579S/5 #91

What Are You Gonna Do?

• Know the applicable law where you operate• When you determine a violation has

probably occurred:– Save the audit logs and any other documentary

evidence of the offense– Notify your supervisor– Call the authorities– Keep your suspicions close hold


ECE579S/5 #92

Whom to Call?

• First, call the local police – Describe what you think you have– Ask for advice– Announce intention to call federal law agency

• Call the feds– USSS– FBI


ECE579S/5 #93

Before You Call• Get to know the cognizant law enforcement

agents, local and federal• Find out if you can help them

– Low investment, high payoff– They’ll be more responsive if they know you

• Don’t cry wolf– Be sure you know what you are talking about– Have the information to support your claim


ECE579S/5 #94

Above All...• Be certain your organization intends to pursue the

criminal case to the end; otherwise, you are wasting everyone’s time and they won’t thank you

• Keep your mouth shut except to the police; the libel laws are still in full effect– Libel is a written defamation; slander is a spoken

defamation– You can be sued for either

• Don’t forget you don’t carry the badge• Don’t talk down to the police


ECE579S/5 #95

Is That All?

• No!

• Many additional laws covering areas such as information privacy, corporate governance, etc. – More about these to come

• Practicing law without a license is also a crime; get professional assistance


ECE579S/5 #96

Summary

• Computer crime is a fast-growing area of illegal activity

• “That’s where the money is”• Computers (and networks) are regulated by

a large and growing body of law• Both civil and criminal issues involved• Liability is a major consideration for any

business or practitioner


ECE579S/5 #97

Homework - 1

• 1. Identify a computer security incident that is being, or -- in your view -- should be treated as a crime. Describe the incident and its impact. Identify the crime(s) that you believe was (were) committed. In what jurisdiction should action be pursued? What would you have done to prevent this incident? To mitigate the effects of the investigation on continuing business?


ECE579S/5 #98

Homework - 2

• 2. What effect does the body of computer law have on your company’s computer security policy? How can / should you make these congruent? Cite facts to support your argument, not just your opinion.

ECE579S/5 #1 Spring 2011 © 2000-2010, Richard A. Stanley ECE579S: Computer and Network Security 5:...

Documents

Transcript of ECE579S/5 #1 Spring 2011 © 2000-2010, Richard A. Stanley ECE579S: Computer and Network Security 5:...