Spring 2011 © 2000-2010, Richard A. Stanley
ECE579S/5 #1
ECE579S: Computer and Network Security
5: Malicious Code and Information Security Law
Professor Richard A. Stanley, P.E.
ECE579S/5 #2
Last time…
• Attacking a network is no different from robbing a bank; you have to plan if you expect to be successful
• There are three basic steps to planning, which is called vulnerability assessment:
– Acquire the target (case the joint)
– Scan for vulnerabilities (find the entry points)
– Identify poorly protected data (enumeration)
• This applies if you are inside or outside the protected perimeter!
• TCP/IP was not intended as a secure protocol; as a result, it has vulnerabilities that can be exploited
• There are many types of attacks that can be mounted over network connections in order to gain unauthorized access to resources
• Firewalls can be useful, but are not a panacea
ECE579S/5 #3
Malicious Code
• “Malicious code is any code added, changed, or removed from a software system to intentionally cause harm or subvert the system’s intended function.” (G. McGraw & G. Morrisett, Attacking Malicious Code, IEEE Software, Sep/Oct 2000)
• Examples:
– Viruses
– Worms
– Trojan Horses
– Java attack applets
– Attack scripts
– Dangerous ActiveX controls
ECE579S/5 #4
Malicious Code Issues
• Distinction among categories “bleeding together,” complicating classification
• Networking makes dissemination of malicious code much easier, and does not require physical access to the computer
• Systems are much more complex
• Systems are easily extensible
ECE579S/5 #5
User Experience vs. Security
• Distributed computing has given rise to a huge volume of mobile code being used to perform mundane activities
• Being visually stimulated, people will almost always choose animation over safety
• Development emphasis is on enhanced user experience, NOT on security
ECE579S/5 #6
Malicious Code Examples: It’s Not New
Love Bug, 2000, mobile code virus: The fastest spreading virus to that time used VBscript and Microsoft Outlook mail to propagate. Caused estimated $10 billion damage.
Trinoo (and others), 2000, remote-control attack script: The highly publicized denial of service attacks of February 2000 were carried out by remotely planted agent programs.
Melissa, 1999, mobile code virus: The second fastest spreading virus of all time used e-mail to propagate. Infected over 1.2 million machines in a few hours.
Back Orifice, 1998, offensive code: Remote control program installed on Windows machines by crackers. Pervasive.
ActiveX (scripting), 1997-today, mobile code: Decried by security professionals, Microsoft’s ActiveX system introduces grave security risks by relying on user’s discretion and judgment even though digital signatures are used.
Thompson’s compiler trick, 1984, Trojan Horse: Ken Thompson introduced a Trojan Horse in a C compiler that compiled itself into future programs (“Reflections on Trusting Trust,” Comm. ACM, Vol. 27, No. 8, Aug. 1984).
From G. McGraw & G. Morrisett, Attacking Malicious Code, IEEE Software, Sep/Oct 2000
ECE579S/5 #7
Mobile Code
• Code that extends or updates code in place
• Transferred to user computer, usually via a network connection, and runs without user actions unless the user has taken prior steps to prevent it happening
• Mobile code is pervasive, and we depend on it for updates, services, and features
• It isn’t going away--that’s not an option
ECE579S/5 #8
We have a security kernel; what’s the problem?
• Kernel provides protection at low levels for primitives (e.g. files)
• Increasingly, attacks occur at application level, where what is passed to the kernel appears to be perfectly acceptable
• Increasingly easy to hide malicious code within applications, thus making kernel-level security difficult to apply
ECE579S/5 #9
Security Problems
• The kernel is critical, but it is not a “one size fits all” solution to the security problem
• There are many issues, technical and procedural, that allow for unexpected access to supposedly secure information and processes.
• The higher up the stack attacks occur, the harder it is for the kernel to defend against them
• Let’s have a look...
ECE579S/5 #10
A Caveat
• The common perception is that security exists to protect against deliberate attacks
• That is true, BUT...
• Security must also protect the system against problems arising from accidental or incidental misuse, misconfiguration, or other such non-malicious but equally threatening events
ECE579S/5 #11
Ways Things Go Wrong
• Change in Environment
• Bound/syntax checking
• Hazardous design features
• Escape from controlled invocation
• Bypass at lower levels
• Protocol implementation flaws
• Pure malevolence
ECE579S/5 #12
Virus Targets
[Figure: layered stack, bottom to top: Hardware, OS Kernel, Operating System, Services, Applications; two “Virus” labels mark where viruses attack the stack.]
ECE579S/5 #13
Virus Taxonomy
• Virus infects a computer
– self-replicating code with a payload
– resident
– transient
• Worm is alive, replicates but does not infect
• Trojan Horse is program with unseen effect
• Logic bomb executes on trigger condition
ECE579S/5 #14
How Does a PC Boot?
• Fixed ROM call seeks master boot sector
• Master boot sector
– Standard location
– Contains partition table and executables
– Points to DOS boot sector
• DOS boot table
– Contains executable code and the FAT
– Loads io.sys, msdos.sys
– Passes control to shell (command.com)
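The master boot sector described above has a fixed layout, so a defender can check it programmatically. The Python below is an added example, not from the lecture: it parses the partition table of a 512-byte sector, verifies the 0x55AA boot signature, and compares a SHA-256 fingerprint of the bootstrap code area with a baseline recorded from a known-clean disk, which is how a relocated or overwritten master boot sector would be noticed. The sector bytes, the partition entry and the "baseline" are all constructed for the example; on a real machine the sector would be read from the raw device while booted from trusted media.

```python
"""Added example: parse and integrity-check a DOS-style master boot sector.

Layout assumed (classic MBR): bytes 0-445 bootstrap code, four 16-byte
partition entries at offset 446, and the 0x55AA signature at offset 510.
The sample sector built by build_sample_mbr() is constructed for the example.
"""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass
class PartitionEntry:
    bootable: bool      # status byte 0x80 marks the active partition
    type_id: int        # partition type, e.g. 0x0C for FAT32 (LBA)
    lba_start: int      # first sector of the partition
    sector_count: int   # length in sectors


def parse_partition_table(sector: bytes) -> list:
    """Return the non-empty partition entries; raise ValueError on a malformed sector."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")
    if sector[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if type_id == 0:
            continue  # unused slot
        entries.append(PartitionEntry(status == 0x80, type_id, lba_start, count))
    return entries


def bootstrap_fingerprint(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only; the partition table may change legitimately."""
    return hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest()


def check_mbr(sector: bytes, known_good_fingerprint: str) -> list:
    """Return a list of findings; an empty list means the sector matches expectations."""
    try:
        parts = parse_partition_table(sector)
    except ValueError as err:
        return [str(err)]
    findings = []
    if bootstrap_fingerprint(sector) != known_good_fingerprint:
        findings.append("bootstrap code differs from baseline")
    active = [p for p in parts if p.bootable]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    for p in parts:
        if p.lba_start < 1:
            findings.append(f"partition type 0x{p.type_id:02x} starts inside the MBR sector")
    return findings


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sector: the given bootstrap bytes plus one active FAT32 partition at LBA 2048."""
    code = bootstrap.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x0C, b"\x00" * 3, 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xeb\x3c\x90")              # constructed jump stub
    baseline = bootstrap_fingerprint(clean)               # record from a known-clean disk
    tampered = build_sample_mbr(b"\xeb\x3c\x90\x00\xff")  # bootstrap bytes changed
    print("clean:", check_mbr(clean, baseline))
    print("tampered:", check_mbr(tampered, baseline))
```

The fingerprint deliberately excludes the partition table, since repartitioning is a legitimate change; a stealth virus that intercepts reads of sector 0 (the read-stealth technique on slide 18) would defeat this check unless the sector is read from a clean boot.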
ECE579S/5 #15
How to Exploit Boot Sequence?
• Bootstrap virus
– Machine specific
– Uses BIOS functions only
• Master boot sector virus
– Stoned virus relocates master boot sector
• DOS boot sector virus
– Same technique, different boot sector (Brain)
• Later stage virus
ECE579S/5 #16
Application Viruses
• Parasitic virus attaches to an executable, usually inserts jump table to virus
• Companion virus exploits the PATH
• Macro viruses exploit the (often useful) features of powerful macro languages
– Attaches to a data file, not an executable
– Platform independent, high-level code
ECE579S/5 #17
Ebola on the Computer
• Interrupt redirection
– TSR virus triggers on specified interrupt
– Can totally avoid integrity checks
• FAT virus -- very similar to above
• Knowing where the virus lives is key to finding and eradicating it
– As a result, the “bad guys” spend a lot of effort to disguise their products to fool virus checkers
ECE579S/5 #18
Hidden Viruses
• Polymorphic
• Stealth
– DOS virus, Brain
– Size and read stealth
• Slow
• Retro
• Multipartite
• Phage
ECE579S/5 #19
Taxonomy
• A true virus is not an executable--it must infect something to do its damage
• Malicious code is usually more than a virus; it frequently consists of free-standing executables (programs, DLLs, etc.)
• Recent usage blurs the distinction between a virus and everything else--all malicious code now tends to be called a virus.
• We probably can’t change this loose usage, but you need to be aware of what is what
ECE579S/5 #20
Hoaxes: the Virtual Virus
• A virus hoax can have the same effect as a real virus
• A hoax can be used to desensitize users to a real virus that follows (e.g. AOL4free.com: once a hoax, now a Trojan Horse)
• To check on possible hoaxes:
– http://hoaxbusters.ciac.org/HoaxBustersHome.html
– http://www.symantec.com/avcenter/hoax.html
– http://urbanlegends.about.com/science/urbanlegends/msubvir.html
ECE579S/5 #21
Macro Viruses
• Fast-growing class because of wide variety of applications that will execute them
• Easy to create by semi-skilled individuals
• Quick to spread
• Can generate multipartite viruses when executed
• Virtually every common application today enables macro or VB use!
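Because a macro virus attaches to a data file rather than an executable (slide 16) and nearly every office application will run it (this slide), a defender's first check on an inbound document is whether it carries macro code at all. The Python below is an added example, not part of the lecture: it opens a modern Office (OOXML) file, which is a zip archive, looks for the embedded VBA project part and the content type that declares it, and flags a file whose extension (.docx) claims to be macro-free while it contains one. The sample archives are constructed in memory and are not real Word files; legacy binary .doc/.xls files are OLE containers and need a different parser, which this example does not attempt.

```python
"""Added example: detect an embedded VBA project in an OOXML document.

OOXML files (.docx/.docm/.xlsx/.xlsm/...) are zip archives; macro code lives in
a vbaProject.bin part whose content type is declared in [Content_Types].xml.
The sample archives built by build_sample_document() are constructed for the example.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx"}   # formats that must not carry VBA


def inspect_ooxml(data: bytes, filename: str) -> dict:
    """Report has_vba, the VBA part names, and whether the extension claims to be macro-free."""
    result = {"has_vba": False, "vba_parts": [], "extension_mismatch": False, "reason": ""}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["reason"] = "not a zip container (legacy OLE file or unrelated data)"
        return result
    with archive:
        names = archive.namelist()
        # Check both the part name and the declared content type; either alone can be renamed away
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        declared = ""
        if "[Content_Types].xml" in names:
            declared = archive.read("[Content_Types].xml").decode("utf-8", "replace")
    has_vba = bool(vba_parts) or VBA_CONTENT_TYPE in declared
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result.update(
        has_vba=has_vba,
        vba_parts=vba_parts,
        extension_mismatch=has_vba and ext in MACRO_FREE_EXTENSIONS,
    )
    if has_vba:
        result["reason"] = "document carries a VBA project"
        if result["extension_mismatch"]:
            result["reason"] += f"; a .{ext} file should not contain macros"
    return result


def build_sample_document(with_macro: bool) -> bytes:
    """Constructed minimal archive with only the parts the check looks at (not a real Word file)."""
    overrides = ('<Override PartName="/word/document.xml" '
                 'ContentType="application/vnd.openxmlformats-officedocument'
                 '.wordprocessingml.document.main+xml"/>')
    if with_macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml", f'<?xml version="1.0"?><Types>{overrides}</Types>')
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE compound file; these bytes are a placeholder
            archive.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for name, macro in (("memo.docx", False), ("memo.docx", True), ("memo.docm", True)):
        print(name, inspect_ooxml(build_sample_document(macro), name))
```

A gateway rule built on this would quarantine any document with `has_vba` true unless the sender and file type are explicitly allowed, and treat `extension_mismatch` as a stronger signal, since a macro-enabled document renamed to look macro-free has no legitimate reason to exist.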
ECE579S/5 #22
Worms--They’re Alive!
• A worm is a real program, not a virus
• They crash computers by replicating without control until they consume all the available computer resources
• Often used to link automatically to other computers, thereby spreading without user intervention
ECE579S/5 #23
Macro Worms: “Virus” du Jour
• Arguably greatest malicious code threat today
• Easy to create, even by minimally skilled individuals
• They garner much press, most of it from a press corps that doesn’t understand the technology
• Cleanup costs are huge
ECE579S/5 #24
A Macro Worm
• Anna Kournikova hits the Internet
– Email worm spread via Outlook address book
– Hits millions of users, over 20 large corporations in Australia alone
– Why?
• Is Kournikova a common name?
• Are people that curious?
• Did someone suspect the picture was off-color?
– You are a systems administrator--how do you protect against this sort of thing?
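One answer to the administrator's question is a mail gateway rule that refuses script and executable attachments before any user gets the chance to click on them; the Love Bug on slide 6 spread the same way (VBscript via Outlook). The Python below is an added example, not from the lecture: it parses an RFC 822 message with the standard library, examines every attachment filename, and quarantines messages that carry a script/executable extension or a double extension such as photo.jpg.vbs that masquerades as an image. The message, the extension lists and the filenames are constructed for the example; a production gateway would also inspect attachment content, not just names.

```python
"""Added example: quarantine mail that carries script or executable attachments.

The policy lists, the sample message and the filenames are constructed for the example.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows treats as directly runnable (constructed, non-exhaustive list)
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe",
                      "js", "jse", "wsf", "wsh", "hta", "lnk"}
# Harmless-looking extensions commonly placed in front of a blocked one as a decoy
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3"}


def classify_attachment(filename: str) -> list:
    """Return policy findings for one attachment filename (empty list = allowed)."""
    findings = []
    parts = filename.lower().strip().split(".")
    if len(parts) < 2:
        return findings  # no extension at all
    ext = parts[-1].strip()
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"executable/script extension .{ext}")
        if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTENSIONS:
            findings.append("double extension masquerading as a document or image")
    if "  " in filename:
        # runs of spaces push the real extension out of view in many mail clients
        findings.append("whitespace padding in filename")
    return findings


def scan_message(raw: bytes) -> dict:
    """Map each offending attachment name in the message to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        hits = classify_attachment(name)
        if hits:
            report[name] = hits
    return report


def should_quarantine(raw: bytes) -> bool:
    return bool(scan_message(raw))


def build_sample_message(attachment_name: str) -> bytes:
    """Constructed message with one attachment; body and attachment bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "photo"
    msg.set_content("See attached.")
    msg.add_attachment(b"placeholder bytes, not a real script\r\n",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("photo.jpg", "photo.jpg.vbs", "invoice.pdf   .exe"):
        raw = build_sample_message(name)
        verdict = "QUARANTINE" if should_quarantine(raw) else "deliver"
        print(f"{name!r} -> {verdict} {scan_message(raw)}")
```

Blocking by extension is cheap and stops the mass-mailer pattern of that era, but it is a deny-list: the complementary control is to configure the mail client not to execute scripts from attachments at all, which removes the dependence on users' curiosity that the slide is asking about.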
ECE579S/5 #25
Who Did It?
• Kournikova hacker
– Traced by Excite@Home
– Lives in Friesland, Netherlands
– 20-year old male
– “Wanted to demonstrate how easy it was to write a virus.”
– Maximum sentence guideline in Netherlands is 4 years, prosecutor can ask for more
• How did he do it?
ECE579S/5 #27
Malicious Code
• Modern computing has gotten used to running mobile code without asking
• Controls are weak and easily evaded
– Does your system support Java? JavaScript?
– Is it feasible to turn off mobile code?
• “You don’t know where it’s been”
• Even the most helpful-looking code can do damage behind the scenes
ECE579S/5 #28
Consider the Dancing Pigs
• Users have been conditioned to click “OK” on all dialog boxes
• People are visually stimulated
• Dancing pigs trump security every time!
ECE579S/5 #29
Trojan Horses
• Program that does something “extra” and unexpected, usually something hostile
• Typical acts:
– Keystroke logging
– Opening back doors into the machine
• Just like their namesake, masquerade as something truly useful
Picture © Microsoft Encarta
ECE579S/5 #30
Some Trojan Horses
• Back Orifice
– Written by the Cult of the Dead Cow
– Provides remote control of computer via high order port
– Similar features to PCAnywhere, but better
• AOL4Free
– Captures passwords
– Destroys hard drives
ECE579S/5 #31
Defense Against Malevolence
• Physical and administrative controls
– Practice safe computing
– Be realistic
• Integrity protection (e.g., checksums)
• Scanner software
– Not a panacea, but a good practice
– Lots of viruses exist that are not in the wild
– Beware virus warnings from virus catchers
– False positives are a problem
• Bounties?
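Of the defenses listed, integrity protection is the one a defender can automate completely. The Python below is an added example, not from the lecture: it records a SHA-256 baseline of every file under a directory and reports which files were modified, added or removed, which is how a parasitic infection (an executable that changed because a jump to virus code was inserted, slide 16) or a dropped companion file shows up. The directory tree and the simulated infection are constructed for the demonstration. Two caveats from the earlier slides apply: the baseline must be stored where the monitored host cannot rewrite it, and a resident stealth virus (slide 18) can return the original bytes on read, so verification should run from a clean boot medium. The checker reports only that a file changed, not why; the "false positives" bullet still applies to legitimate updates.

```python
"""Added example: file-integrity baseline and comparison using SHA-256.

The directory tree built in demo() is constructed for the example.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Stream the file so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (relative POSIX path) to its hash and size."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": p.stat().st_size,
            }
    return baseline


def compare_baseline(root: Path, baseline: dict) -> dict:
    """Report modified, added and missing files relative to the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline
                           if k in current and current[k]["sha256"] != baseline[k]["sha256"]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    """Write the baseline as JSON; keep this copy off the monitored host (read-only media)."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Build a small tree, take a baseline, simulate an infection, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "monitored"
        (root / "bin").mkdir(parents=True)
        tool = root / "bin" / "tool"
        tool.write_bytes(b"\x7fELF constructed sample executable\n")
        (root / "config.ini").write_text("mode=safe\n")
        baseline_file = Path(tmp) / "baseline.json"   # would live off-host in practice
        save_baseline(build_baseline(root), baseline_file)

        # Simulated parasitic infection: the executable grows and its bytes change
        tool.write_bytes(tool.read_bytes() + b"appended bytes (constructed)\n")
        # Simulated dropped companion file
        (root / "extra.dll").write_bytes(b"constructed dropped file")

        return compare_baseline(root, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing the whole file rather than trusting the recorded size is deliberate: a size-stealth virus can make the directory listing report the old length, but it cannot make a cryptographic hash of the real bytes match the baseline unless it also intercepts the reads.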
ECE579S/5 #32
Malicious Code Summary
• What you don’t know can hurt you
• Many ways to sneak into the computer -- not all of them viruses -- and cause havoc
• Many goals and objectives, from mischief to espionage
• Tools exist to help manage the problem
• POLICY!
ECE579S/5 #33
Disclaimer
• This class is intended to provide an introduction to the law as it pertains to information security
• Nothing in this class should be interpreted as constituting legal advice; those seeking legal advice should consult an attorney.
ECE579S/5 #34
Information Security Law? I’m a Techie!
• Modern computer technology has changed the rules about where value resides
• Once upon a time, valuable things -- like money -- were kept in bank vaults and banks were a major target of thieves
• Today, valuable things -- like money and information -- are reduced to bits and are kept in computers
• Analogy: today’s interbank courier is a network connection
ECE579S/5 #35
Bottom Line...
• If you are going to be involved with computers, you are going to be involved with the law, one way or another
• Better to know what it is all about before you get hurt
ECE579S/5 #36
Why Do You Care?
• Computer crime is one of -- if not THE -- fastest growing crime categories
• “That’s where the money is”
• Fraud loss in Southern NY area alone, Jan ‘95 to Jan ‘03: nearly $800,000,000
• This isn’t just victimless, white-collar crime: nearly 2/3 of those arrested were carrying automatic weapons
ECE579S/5 #37
It Isn’t Just Crime
• If you operate a network service, you may face civil liability if civil codes are violated
– Copyright protection
– Trademark protection
– Other intellectual property
• Pressure from various entities
– Privacy
– Content
ECE579S/5 #38
Knowing what is illegal is key
• Example: until late 1998, it was NOT illegal in the U.S. to steal someone else’s identity
• Where you are defines what is illegal
– OK to use another name in US if not to defraud
– Illegal in U.K.
• You WILL be involved in this if you are involved in computer security
ECE579S/5 #39
Caution!
• You are NOT a law enforcement officer!
• You need to know about computer law to be an effective computer security person, just as you need to know about motor vehicle law to be an effective driver
• Ignorance of the law is not an excuse for breaking it
ECE579S/5 #40
U. S. Law
• Criminal
– Charges brought by state in name of the people
– No private prosecutions (cf. U.K. law)
– No double jeopardy (what does this mean?)
– Penalties: incarceration, death and/or fines
• Civil
– Action brought by one party against another
– Penalties: deprivation of property
NB: There are other ways to classify law. We’ll talk about them next time.
ECE579S/5 #41
Basis of U.S. Law
• English Common Law (except Louisiana)
– Statutes (enacted by legislatures)
– Case law
– Precedents
• State/local vs. Federal law
– Jurisdiction
– Pre-emption
ECE579S/5 #42
A Quick Taxonomy of the Law
• Just like engineering, they have a language
• 18 USC § 2319 decodes as “Title 18, United States Code, Section 2319”
• State laws have their own abbreviations, but follow the same pattern:
– In New York: PL = Penal Law
– In Mass: MGL = Mass. General Laws
– In Conn: CGS = Conn. General Statutes, etc.
ECE579S/5 #43
What is illegal?
• Can’t cover everything, so will concentrate on US federal law, with added local & foreign examples
• US Code can be found on the Web at: www4.law.cornell.edu/uscode
• Title 18 is the criminal title: it defines federal crimes and criminal procedure
• All the laws of the United States are found (somewhere) in the Code
ECE579S/5 #44
What the laws will tell you
• What is prohibited, often in excruciating detail
• What must be proven to prove the crime (often by inference)
• What the penalty is for violating the law
ECE579S/5 #45
US Code Overview - 1
Title 1 General Provisions
Title 2 The Congress
Title 3 The President
Title 4 Flag and Seal, Seat Of Government, and the States
Title 5 Government Organization and Employees
Title 6 Surety Bonds (repealed)
Title 7 Agriculture
Title 8 Aliens and Nationality
Title 9 Arbitration
Title 10 Armed Forces
ECE579S/5 #46
US Code Overview - 2
Title 11 Bankruptcy
Title 12 Banks and Banking
Title 13 Census
Title 14 Coast Guard
Title 15 Commerce and Trade
Title 16 Conservation
Title 17 Copyrights
Title 18 Crimes and Criminal Procedure
Title 19 Customs Duties
Title 20 Education
ECE579S/5 #47
US Code Overview - 3
Title 21 Food and Drugs
Title 22 Foreign Relations and Intercourse
Title 23 Highways
Title 24 Hospitals and Asylums
Title 25 Indians
Title 26 Internal Revenue Code
Title 27 Intoxicating Liquors
Title 28 Judiciary and Judicial Procedure
Title 29 Labor
Title 30 Mineral Lands and Mining
ECE579S/5 #48
US Code Overview - 4
Title 31 Money and Finance
Title 32 National Guard
Title 33 Navigation and Navigable Waters
Title 34 Navy (repealed)
Title 35 Patents
Title 36 Patriotic Societies and Observances
Title 37 Pay and Allowances Of the Uniformed Services
Title 38 Veterans' Benefits
Title 39 Postal Service
Title 40 Public Buildings, Property, and Works
ECE579S/5 #49
US Code Overview - 5
Title 41 Public Contracts
Title 42 The Public Health and Welfare
Title 43 Public Lands
Title 44 Public Printing and Documents
Title 45 Railroads
Title 46 Shipping
Title 47 Telegraphs, Telephones, and Radiotelegraphs
Title 48 Territories and Insular Possessions
Title 49 Transportation
Title 50 War and National Defense
ECE579S/5 #50
Where You Stand Depends on Where You Sit
• What is illegal depends on:
– where the crime occurred
– who has jurisdiction
• this is not always determined by geography (e.g., bank robbery is always a federal crime in the U.S.A.)
• there may be overlapping jurisdiction
• prosecutors may decide to proceed in one jurisdiction because of penalties available
ECE579S/5 #51
For Example...
• Consider privacy
• The European Union has a very different view of how data on individuals may be collected and handled than does the U.S.
• This difference in laws has a significant effect on cross-border electronic commerce
– How can you tell when E-commerce is cross-border? It isn’t easy.
ECE579S/5 #52
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, Article 6
1. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
ECE579S/5 #53
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, Article 8
The processing of special categories of data
1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life. {absent specific consent of the data subject as provided in other sections of this article}
3. Paragraph 1 shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.
4. Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law or by decision of the supervisory authority.
ECE579S/5 #54
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, Article 10
Information in cases of collection of data from the data subject
Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:
(a) the identity of the controller and of his representative, if any;
(b) the purposes of the processing for which the data are intended;
(c) any further information such as
- the recipients or categories of recipients of the data,
- whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,
- the existence of the right of access to and the right to rectify the data concerning him
in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.
ECE579S/5 #55
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, Article 11
Information where the data have not been obtained from the data subject
1. Where the data have not been obtained from the data subject, Member States shall provide that the controller or his representative must at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed provide the data subject with at least the following information, except where he already has it:
{same as Article 10 disclosures}
2. Paragraph 1 shall not apply where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In these cases Member States shall provide appropriate safeguards.
ECE579S/5 #56
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, Article 12
Right of access
Member States shall guarantee every data subject the right to obtain from the controller:
(a) without constraint at reasonable intervals and without excessive delay or expense:
- confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,
- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,
- knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1);
(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;
(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.
ECE579S/5 #57
The Point?
• Under U.S. law, data about individuals belongs to the collector of the data
– Hard to know what was collected & by whom
– Hard/impossible to access, correct
• Under E.U. law, data about individuals belongs to the individual
– Data collector must advise individual of details of data collected and what is being done with it
ECE579S/5 #58
I Still Don’t Get It
• OK. Do you know where all your data originates and whose laws apply to it?
• Because of the E.U. privacy laws, multinational companies based in the U.S. may no longer maintain E. U. employee data in U.S. databases, and cannot process payrolls for E.U. citizens on U.S. computers
• Could this impact your business?
ECE579S/5 #59
Language is Important
• Regulations are not laws -- they describe details of how to comply with the law
• Annotations in laws trace the history of the law’s development--what was illegal yesterday may not be illegal today (e.g. Prohibition), and vice versa
• You need a lawyer or a law enforcement agent to help with the details
ECE579S/5 #60
Where Do Regulations Fit?
• Regulations provide detailed information on how laws are to be applied
– Code of Federal Regulations (CFR) [44 USC § 1510]
– Code of Massachusetts Regulations (CMR)
– Similar taxonomy to statutes
• Regulations are not laws, but failure to observe their requirements can often lead to serious problems (e.g., losing a contract)
• In some few cases, violation of a regulation can be a violation of a statute
ECE579S/5 #61
Who Does What?
• Law enforcement agencies
– Investigate crimes, collect evidence
• Prosecutors
– Evaluate evidence, decide whether to prosecute
– Represent state in criminal matters
• Courts
– Hear evidence, reach conclusion on guilt
• Defense attorneys
– Represent the accused
ECE579S/5 #62
Prosecutorial Peculiarities
• All crimes are not prosecuted
• The likelihood of prosecution depends on
– Magnitude of the crime
– Likelihood of conviction
• Will the jury understand the crime?
• How good is the evidence?
• You can improve probability of prosecution by knowing what you are doing and keeping the evidence sound
• Prosecutors get performance reviews, too
ECE579S/5 #63
Basic Theorem
• It is not permissible to break the law in order to enforce it
– IRC sessions and law enforcement
– Automatic actions to counter hacking
– Eavesdropping (but not always)
• Depending on your point of view, this is a basic preservation of constitutional liberty or a gift to law breakers. But it is the law!
ECE579S/5 #64
So, Who Enforces the Laws?
• Law enforcement officers!!
• Who, as we all know from television and the newspapers, are
– overweight
– addicted to doughnuts and coffee
– oversexed
– not too bright
• BUNK!!!
ECE579S/5 #65
Some observations about law enforcement
• For the most part, law enforcement agents are intelligent, honest, and hard-working
• Pay scales are far below private industry, so finding agents with technology skills is hard, especially CURRENT technology
– Detectives median earnings in 2009: $55,000
– FBI agents start at GS-10 ($47,297 + locality pay for 2010)
• They want to do a good job -- taking criminals off the street is what they do
• You need their help, and they need yours.
ECE579S/5 #66
Federal Agency Snapshots - 1
• FBI
– Federal Bureau of Investigation
– Part of US Department of Justice
– Charged with enforcement of federal laws
– Other counterparts
• Canada: RCMP (but not exactly)
• Germany: Bundeskriminalpolizei
• Many nations have no counterpart
ECE579S/5 #67
Federal Agency Snapshots - 2
• USSS
– United States Secret Service
– Best known for protecting the President
– Part of the Homeland Security Department
– Primary jurisdiction in electronic crime, currency and counterfeiting (all sorts)
– Foreign counterparts: no exact ones. RCMP in Canada has many of same roles
ECE579S/5 #68
Federal Agency Snapshots - 3
• US Customs & Border Protection
– Responsible for immigration control, collecting duties and preventing smuggling
– Primary enforcement agency protecting US borders
– If it comes into the US, it is their business
– Part of the Homeland Security Department
– Nearly every nation has an equivalent agency
ECE579S/5 #69
USA Patriot Act
• Actually an acronym for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001”
– Title fairly self-explanatory
• Text can be found at EPIC:
– http://www.epic.org/privacy/terrorism/hr3162.html
ECE579S/5 #70
New York Electronic Crimes Task Force (NYECTF)
• Flagship law enforcement effort to protect the public from electronic crimes
• Formed in 1995 by the US Secret Service New York Field Office
• Unique partnership among government, industry, and academia
• Now numbers over 250 members
ECE579S/5 #71
Some ECTF Members
• Federal law enforcement (FBI, USSS, etc.)
• State law enforcement (NY State Police, etc.)
• Local law enforcement (NYPD, PAPD, etc.)
• Federal prosecutors (USA for So. Dist. of NY, USA for NJ, USA for CT, etc.)
• Academia (Fordham, CCNY, Dartmouth, etc.)
• Industry partners (telephone companies, banks, consultants, etc.)
ECE579S/5 #72
NYECTF Results
• Has brought more than 800 indictments
– The Gambino crime family
– Crooks selling counterfeit hardware & software
– Cellular telephone fraud
• Value of crimes exceeds $800 million
– Real, not opportunity costs
• Looked to by law enforcement and industry worldwide as the model to be emulated
ECE579S/5 #73
The NYECTF Secret
• Deal with law enforcement as if it were a business activity
– Don’t focus on numbers of arrests to measure success
– Instead, focus on the change you bring to the community
– Put differently, what is the return on investment? (ROI)
ECE579S/5 #74
The Ultimate Compliment: USA PATRIOT ACT OF 2001
SEC. 105. EXPANSION OF NATIONAL ELECTRONIC CRIME TASK FORCE INITIATIVE.
The Director of the United States Secret Service shall take appropriate actions to develop a national network of electronic crime task forces, based on the New York Electronic Crimes Task Force model, throughout the United States, for the purpose of preventing, detecting, and investigating various forms of electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems.
ECE579S/5 #76
Unauthorized Computer Access
• Federal law
– 18 USC § 1030 -- Fraud, use of computers for economic espionage, computer intrusions
• Massachusetts law
– 266 MGL § 33A. Intent to defraud commercial computer service; penalties
– 266 MGL § 120F. Unauthorized access to computer system; penalties
• Canadian Law
– Criminal Code of Canada, 342.1
18 USC § 1030
• Knowing, intentional unauthorized access or access beyond authorization is a crime, depending on the computer and what is accessed
• Trafficking in computer access information is a crime
• Severe punishments provided
– As much as 10 years imprisonment
• USA Patriot Act of 2001 expands US Secret Service jurisdiction in this area (§506)
USA Patriot Act § 506
• (a) Concurrent Jurisdiction Under 18 U.S.C. 1030 - Section 1030(d) of title 18, United States Code, is amended to read as follows:
• `(d)(1) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section.
• `(2) The Federal Bureau of Investigation shall have primary authority to investigate offenses under subsection (a)(1) for any cases involving espionage, foreign counterintelligence, information protected against unauthorized disclosure for reasons of national defense or foreign relations, or Restricted Data (as that term is defined in section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses affecting the duties of the United States Secret Service pursuant to section 3056(a) of this title.
• `(3) Such authority shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.'.
• (b) Reauthorization of Jurisdiction under 18 U.S.C. 1344 - Section 3056(b)(3) of title 18, United States Code, is amended by striking `credit and debit card frauds, and false identification documents or devices' and inserting `access device frauds, false identification documents or devices, and any fraud or other criminal or unlawful activity in or against any federally insured financial institution'.
MGL CHAPTER 266. CRIMES AGAINST PROPERTY.
Chapter 266: Section 120F. Unauthorized access to computer system; penalties.
Section 120F. Whoever, without authorization, knowingly accesses a computer system by any means, or after gaining access to a computer system by any means knows that such access is not authorized and fails to terminate such access, shall be punished by imprisonment in the house of correction for not more than thirty days or by a fine of not more than one thousand dollars, or both.
The requirement of a password or other authentication to gain access shall constitute notice that access is limited to authorized users.
Criminal Code of Canada
342.1 (1) Every one who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service,
(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system,
(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system, or
(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c)
is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.
Some Other Computer Crimes
• 18 USC § 1028 -- Identity theft
• 18 USC § 1029 -- Fraud and related activity in connection with access devices
• 18 USC § 471 -- Counterfeiting US notes
• 18 USC § 2252 -- Child pornography
• 18 USC § 2318 -- Counterfeit computer labels, program documentation, packaging
• 18 USC § 2319 -- Copyright infringement
Identity Fraud
• Deals with “false identification document”
– Making, transfer, use, possession all crimes
– Identity documents covered
• Any identification document issued by or under the authority of the United States
– Includes federal, state, local, foreign government, international quasi-governmental organization
– Birth certificate, driver’s license, personal ID card
– Penalties up to 15 years imprisonment
Other Areas of Concern
• Intellectual property of all types
– Copyrights
– Patents
– Trade secrets
• Your responsibility for the actions of others
Legal Issues in Computer Security
• Copyrights [17 USC]
– Protect expression of ideas, not the idea itself
– Gives author exclusive rights to copy & sell
– Can cover “any tangible medium of expression”
– Work must be original to the author
– Subject to “fair use”
– Marking required
– Lasts for 50 years after death of last author (moving target)
Copyrights Again
• Copyright valid without registration, but registering helps ensure protection
• Infringement resolved in the courts
• U. S. Govt. works in public domain, but not all governments (cf. Crown Copyright)
• Programs can be copyrighted, but…
• Copyright limits distribution, not use
More About Copyrights
• Fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means:
– criticism
– comment
– news reporting
– teaching (including multiple copies for classroom use)
Copyright Infringement
• Basic statute is 17 USC § 506
– Title 17 deals with copyrights
– Section 506 treats remedies for infringement
– For legal consistency, penalties are in the criminal title, Title 18
• Up to 3 years imprisonment, first offense
• Up to 6 years imprisonment, second or subsequent offense
More Legal Considerations
• What if…
– One of your employees is using your computer system to do something illegal?
– Someone outside the organization is using your computer resources for illicit purposes?
– Your system is broken into and important information goes missing or becomes public?
Are You Liable?
What Is Your Responsibility?
• For intellectual property?
• For personal data?
• For financial data?
• For proper operation of the network?
• How and where are these things defined?
The Other “P” Word
• Privacy
– What is it?
– How to protect it?
– What do customers and employees expect?
– What do they have a right to expect?
– Where is the Constitutional right to privacy found?
What Are You Gonna Do?
• Know the applicable law where you operate
• When you determine a violation has probably occurred:
– Save the audit logs and any other documentary evidence of the offense
– Notify your supervisor
– Call the authorities
– Keep your suspicions close hold
Whom to Call?
• First, call the local police
– Describe what you think you have
– Ask for advice
– Announce your intention to call a federal law enforcement agency
• Call the feds
– USSS
– FBI
Before You Call
• Get to know the cognizant law enforcement agents, local and federal
• Find out if you can help them
– Low investment, high payoff
– They’ll be more responsive if they know you
• Don’t cry wolf
– Be sure you know what you are talking about
– Have the information to support your claim
Above All...
• Be certain your organization intends to pursue the criminal case to the end; otherwise, you are wasting everyone’s time and they won’t thank you
• Keep your mouth shut except to the police; the libel laws are still in full effect
– Libel is a written defamation; slander is a spoken defamation
– You can be sued for either
• Don’t forget you don’t carry the badge
• Don’t talk down to the police
Is That All?
• No!
• Many additional laws covering areas such as information privacy, corporate governance, etc.
– More about these to come
• Practicing law without a license is also a crime; get professional assistance
Summary
• Computer crime is a fast-growing area of illegal activity
• “That’s where the money is”
• Computers (and networks) are regulated by a large and growing body of law
• Both civil and criminal issues involved
• Liability is a major consideration for any business or practitioner
Homework - 1
• 1. Identify a computer security incident that is being, or -- in your view -- should be treated as a crime. Describe the incident and its impact. Identify the crime(s) that you believe was (were) committed. In what jurisdiction should action be pursued? What would you have done to prevent this incident? To mitigate the effects of the investigation on continuing business?