3. Computer Crime
What is Computer Crime?
– Criminal activity directly related to the use of
computers, specifically illegal trespass into the
computer system or database of another,
manipulation or theft of stored or on-line data, or
sabotage of equipment and data.
– Criminal activity can also comprise the use of
computers to commit other kinds of crime:
harassment, scams, hate crimes, fomenting
terrorism, etc.
4. Computer Crime
What is a Computer Crime?
– Stealing trade secrets from a competitor
– Extortion
– Use of a packet sniffer to watch instant messaging
conversations
5. Federal Computer Crime Laws
4th Amendment
Computer Fraud and Abuse Act of 1986
Electronic Communications Privacy Act of
1986
6. Federal Computer Crime Laws
Electronic Espionage Act of 1996
Communications Decency Act 1996
Child Pornography Prevention Act
Digital Millennium Copyright Act of 1998
COPPA - Children's Online Privacy Protection
Act
HIPAA - Health Insurance Portability And
Accountability Act
Access Device Fraud
USA Patriot Act
8. Case Law
What is case law?
– “Created” by the rulings of judges on court cases
Importance of case law?
– Very few laws governing current and emerging
technologies
– Precedents set by case law often become
legislative law
10. Computer Fraud and Abuse Act
15 USC §1644 - Fraudulent use of credit cards;
penalties
18 USC §1029 - Fraud and related activity in
connection with access devices
18 USC §1030 - Fraud and related activity in
connection with computers
18 USC §1343 - Fraud by wire, radio, or television
18 USC §1361-2 - Prohibits malicious mischief
11. 15 USC §1644
Use, attempt or conspiracy to use card in
transaction affecting interstate or foreign
commerce
Transporting, attempting or conspiring to
transport card in interstate commerce
Use of interstate commerce to sell or
transport card
Furnishing of money, etc., through use of
card
12. Crimes and Penalties
Whoever in a transaction affecting interstate
or foreign commerce furnishes money,
property, services, (>$1,000) shall be fined
not more than $10,000 or imprisoned not
more than ten years, or both
13. 18 USC §1029
Counterfeit access devices
Telecommunications instrument modified to
obtain unauthorized use of telecommunications
services.
Fraudulent transactions using credit cards
Use of scanning receiver
14. Crimes and Penalties
Forfeiture to the United States of any
personal property used or intended to be
used to commit the offense
Fine under this title or imprisonment for not
more than 20 years, or both.
15. 18 USC §1030
Accesses a computer without authorization to
obtain restricted data.
Without authorization accesses Federal computers
Conduct fraud and obtains anything of value on
such computers
Traffics in passwords or similar information
16. Crimes and Penalties
The United States Secret Service has
authority to investigate offenses
Forfeiture of any personal property used or
intended to be used to commit the offense
Fine under this title or imprisonment for not
more than 20 years, or both.
17. 18 USC §1343
Fraud by means of wire, radio, or television
communication in interstate or foreign commerce,
Transmission of digital or analog data in such fraud
18. Crimes and Penalties
Fine under this title or imprisonment not more
than five years, or both.
If the violation affects a financial institution,
fine of $1,000,000 or imprisonment of 30
years, or both
20. Actual Crimes
Many cases have been prosecuted under the computer
crime statute, 18 U.S.C. § 1030 (unauthorized access). A
few recent sample press releases from actual cases are
available via links below:
Kevin Mitnick Sentenced to Nearly Four Years in Prison;
Computer Hacker Ordered to Pay Restitution to Victim
Companies Whose Systems Were Compromised (August
9, 1999)
Source:
http://www.usdoj.gov/criminal/cybercrime/compcrime.html
21. Actual Crimes
Former Chief Computer Network Program
Designer Arraigned for Alleged $10 Million
Computer "Bomb"
Juvenile Computer Hacker Cuts off FAA
Tower At Regional Airport -- First Federal
Charges Brought Against a Juvenile for
Computer Crime
Source:
http://www.usdoj.gov/criminal/cybercrime/compcrime.html
24. Where Can I Find ECPA?
United States Code Title 18 Crimes and Criminal
Procedure
Chapter 119 – Wire and Electronic
Communications Interception and Interception of
Oral Communications
Sections 2510 - 2522
25. Overview of ECPA
President Reagan signed ECPA into law in
October 1986
Designed to extend Title III Privacy
Provisions to new technologies such as
electronic mail, cellular phones, private
communication carriers, and computer
transmissions
26. “The Wiretap Act”
This law required that enforcement agencies
obtain a warrant before executing a wiretap
(usually used to record voice conversations)
27. What Rights Does ECPA Provide?
ECPA protects the transmission and storage of digital
communication such as email
Authorities are forbidden to intercept non-voice
portions of communication, thanks to ECPA
This is defined as "any transfer of signs, signals,
writing, images, sound, data, or intelligence of any
nature transmitted in whole or in part by a wire, radio,
electromagnetic, photoelectric or photo-optical
system."
28. ECPA Rights (cont.)
Act was designed to prevent electronic
communication service providers from
disclosing any contents of communication to
authorities without lawful consent of the party
that originated the communication
Act provided for coverage of all communication
providers, not just “common carriers” available
to the public
29. Cellular Phone Communication
Act also protects cellular phone
conversations; wired privacy extended to
wireless
Penalty for intercepting a non-encrypted call
is only a $500 fine, rather than the normal
maximum of 5 years in prison
Note: This act also explicitly states it does not
protect the “radio portion of a telephone that
is transmitted between the cordless telephone
handset and the base unit."
30. Radio Paging
ECPA also protects pagers
Voice and digital display pagers were
determined to be an extension of an original
wired communication
However, tone-only pagers are not protected
by ECPA
31. Customer Records
ECPA provides for the protection of
subscriber and customer records belonging to
electronic service providers
Authorities cannot access these records
without a search warrant and court order,
unless otherwise notifying the customer
34. Some Perspective
On September 11, 2001, more
Americans were murdered than…
•American battle deaths in the war of
1812
•American battle deaths at Pearl
Harbor
•American battle deaths in the Indian
Wars
•American battle deaths in the
Mexican War
•American battle deaths in Vietnam
prior to 1966
•Union battle deaths at Bull Run
•Police officers killed in the line of
duty since 1984
Source: Federal Law Enforcement Training Center, Glynco, Georgia
35. USA Patriot Act – Oct 2001
Provides Tools To Intercept and Obstruct Terrorism
Some believe it was too hasty
– There were few conferences
– The House vote was 357-66
– The Senate vote was 98-1
36. USA Patriot Act
Specifically, the Act:
1. Creates several new crimes: bulk cash smuggling,
attacking transportation systems, etc.
2. Expands prohibitions involving biological weapons
3. Lifts the statute of limitations on prosecuting some
terrorism crimes
4. Increases penalties for some crimes
5. Requires background checks for licenses to transport
hazardous materials
6. Expands money laundering laws and places more
procedural requirements on banks
7. Promotes information sharing and coordination of
intelligence efforts
37. USA Patriot Act
8. Provides federal grants for terrorism prevention
9. Broadens the grounds for denying aliens admission
10. Alters some domestic security provisions for DoD
Most provisions of the Act shall cease to have effect on
December 31, 2005
However, a USA Patriot Act II is being discussed in
Congress
38. Computer Crime
Penalty of 5 years for a first offense and 10 years for
a subsequent offense for damaging a federal
computer system
Damage includes any computer impairment that
causes the loss of at least $5,000 or threatens the
public health or safety.
39. Computer Crime
To be found guilty, the person must:
1. Knowingly cause the transmission of a program,
information, code, or command that results in
damage to a protected computer without
authorization
2. Intentionally access a federal computer without
authorization and cause damage (§ 814)
40. Computer Crime
The act requires the attorney general to create regional
computer forensic laboratories:
1. Examine seized or intercepted computer evidence
2. Train and educate federal, state, and local law
enforcement and prosecutors
3. Assist federal, state, and local law enforcement in
enforcing computer-related criminal laws
4. Promote sharing of federal expertise
The act also provides funding for these facilities (§ 816)
41. Other Crimes / Penalties
Attacks Against Mass Transportation
Systems
– The crime is punishable by a fine, up to 20 years in prison if
the violator traveled or communicated across state
lines, or
– The crime is punishable by life in prison if the
offense resulted in death
Counterfeiting
– The act makes counterfeiting punishable by up to
20 years in prison
42. Other Crimes / Penalties
Harboring or Concealing Terrorists
– This crime is punishable by a fine and 10 years in prison
(§ 803)
Biological Weapons
– This is punishable by a fine, and 10 years in prison
Money Laundering
– This crime is punishable by 5 years in prison
– For Federal employees, the crime is punishable by a fine 3
times the value received, and 15 years in prison, (§ 329)
43. Increased Penalties
Arson from 20 years to life
Energy facility damage, from 10 to 20 years
Supporting terrorists, from 10 to 15 years
Supporting designated foreign terrorist
organizations, from 10 to 20 years
Destroying national defense materials, from 10
to 20 years
Sabotaging nuclear facilities from 10 to 20 years
Carrying a weapon or explosive on an aircraft
from 15 to 20 years
Damaging interstate gas or hazardous pipeline
facility, from 15 to 20 years
44. Information Sharing
The act:
1. Foreign and national intelligence surveillance can
exchange information (§ 504)
2. Regional information sharing between federal, state, and
local law enforcement (§ 701)
3. Attorney general can apply to a court for disclosure of
educational records to prosecute a terrorist act
4. Act also provides immunity for people who in good faith
disclose these documents (§ 507, 508)
45. Privacy Implications
American Civil Liberties Union: “The USA Patriot Act allows
the government to use its intelligence gathering power to
circumvent the standard that must be met for criminal
wiretaps. …
The new law allows use of Foreign Intelligence Surveillance
Act surveillance authority even if the primary purpose were a
criminal investigation.
Intelligence surveillance merely needs to be only for a
"significant" purpose.
Law enforcement may search primarily for evidence of crime,
without establishing probable cause
This provision authorizes unconstitutional physical searches
and wiretaps”
46. Privacy Implications
“In allowing for "nationwide service" of pen register and trap
and trace orders, the law further marginalizes the role of the
judiciary.
It authorizes what would be the equivalent of a blank warrant
in the physical world: the court issues the order, and the law
enforcement agent fills in the places to be searched.
This is not consistent with the important Fourth Amendment
privacy protection of requiring that warrants specify the place
to be searched.”
In short, the USA Patriot Act assumes no “expectation of
privacy”
47. Case Study: Carnivore
TCP/IP packet sniffer developed by the FBI that has
the ability to store all traffic on a network
Intended Uses: Terrorism, Espionage, Child
Pornography/Exploitation, Information
Warfare/Hacking, Organized Crime/Drug Trafficking,
Fraud
Reassembles your e-mail, webpages, files and
searches for keywords
48. Case Study: Carnivore
Legitimate use vs. invasion of privacy
– Find out which web sites you visit
deathtoamerica.com
girlsgonewild.com
– Read your e-mail
bomb making instructions
love letters
– Save a copy of files you download
shoebomb.zip
transactions.zip
49. Case Study: Carnivore
Pre-USA Patriot Act realities:
– FBI suspects you of criminal activity
– Requests court order to use Carnivore
– Installs Carnivore at your ISP
– Carnivore grabs all of your packets authorized in the court
order
– Carnivore must not grab anyone else’s packets
– Data physically collected once a day
– Court order expires in 30 days
Post-USA Patriot Act fears:
– The FBI can use Carnivore to go fishing for personal
information
50. Related Cases
John Walker Lindh – sentenced to 20 years in federal prison
Conspiracy to Murder U.S. Nationals (18 U.S.C. § 2332(b)) (Count One)
Conspiracy to Provide Material Support & Resources to Foreign Terrorist
Organizations (18 U.S.C. § 2339B) (Counts Two & Four)
Providing Material Support & Resources to Foreign Terrorist
Organizations (18 U.S.C. §§ 2339B & 2) (Counts Three & Five)
Conspiracy to Contribute Services to al Qaeda (31 C.F.R. §§ 595.205 &
595.204 & 50 U.S.C. § 1705(b)) (Count Six)
Contributing Services to al Qaeda (31 C.F.R. §§ 595.204 & 595.205, 50
U.S.C. § 1705(b) & 18 U.S.C. § 2) (Count Seven)
Conspiracy to Supply Services to the Taliban (31 C.F.R. §§ 545.206(b) &
545.204 & 50 U.S.C. § 1705(b)) (Count Eight)
Supplying Services to the Taliban (31 C.F.R. §§ 545.204 & 545.206(a),
50 U.S.C. § 1705(b) & 18 U.S.C. § 2) (Count Nine)
Using and Carrying Firearms and Destructive Devices During Crimes of
Violence (18 U.S.C. §§ 924(c) & 2) (Count Ten)
51. Related Cases
Zacarias Moussaoui – awaiting twice-delayed trial
Conspiracy to Commit Acts of Terrorism
Transcending National Boundaries
(18 U.S.C. §§ 2332b(a)(2) & (c)) (Count One)
Conspiracy to Commit Aircraft Piracy
(49 U.S.C. §§ 46502(a)(1)(A) and (a)(2)(B)) (Count Two)
Conspiracy to Destroy Aircraft
(18 U.S.C. §§ 32(a)(7) & 34) (Count Three)
Conspiracy to Use Weapons of Mass Destruction
(18 U.S.C. § 2332a(a)) (Count Four)
Conspiracy to Murder United States Employees
(18 U.S.C. §§ 1114 & 1117) (Count Five)
Conspiracy to Destroy Property
(18 U.S.C. §§ 844(f), (i), (n)) (Count Six)
52. Related Cases
Interesting topics in Moussaoui case:
– U.S. District Court Judge Leonie Brinkema released a detailed
government report on the computers and e-mail search in the
case
– The evidence includes 140 computer hard drives, four of which
were used by Moussaoui
– FBI investigators copied their hard drives using Safeback and
Logicube software
– Computer forensics experts were unable to find any trace of
Moussaoui's "xdesertman@hotmail.com" account or some 27
variations of that address
– A search of computers Moussaoui may have used at a Kinko's in
Eagan, Minnesota, also came to a dead end because Kinko's
cleans out the hard drives on its public computers once every
week
55. Privacy
What is privacy?
How is it determined?
– To determine and define what privacy is, we must
look at current law, case precedent, and public
opinion
56. Constitutional Search
4th Amendment of the U.S. Constitution
“The right of the people to be secure in their
persons, houses, papers, and effects, against
unreasonable searches and seizures, shall not be
violated, and no Warrants shall issue, but upon
probable cause, supported by Oath or
affirmation, and particularly describing the place to
be searched, and the persons or things to be
seized.”
57. Privacy
What websites are you visiting?
– Wireless internet
Where are you?
– GPS cell phones, vehicles with OnStar
What and where are you purchasing?
– Credit cards
Bluetooth- and RFID-enabled devices and
clothing
58. Security and Privacy
Security is a wider Concept
Security of Information embraces:
– Confidentiality
– Integrity
– Availability
Achieving Security involves People,
Procedures, and Technology
The same is true for Privacy
59. Laws and Policies govern Privacy
Privacy is no longer a vague concept
It has been legislated
A body of case law exists
Federal laws, State Laws, Supra-national
laws
Even the US Constitution has a bearing
Lastly, companies have Policies
60. Topical Relevance
Massive on-line databases of people
Extensive on-line interactions between
companies
Millions of daily transactions between
companies and customers
Who owns all this, and who has a need to know?
61. Motivation for Companies
Maintain competitive edge
Ensure legal compliance
Enhance company image
Privacy is a requirement – not a customer delight
62. Many Privacy Rights are embedded in
Criminal Statutes
US Mail
Telephone conversation
Library borrowing
Bank records
Student records
Etc.
Federal and States
63. Plethora of Laws
FERPA
– Student records
ECPA Electronic Communications Privacy Act
– Most basic act for access, use, disclosure, interception
and privacy of electronic communications
Section 208 of The E-Government Act
– Federal agencies should protect PII collected
64. Plethora of Laws
HIPAA Health Insurance Portability and Accountability
Act
– Medical records
Gramm-Leach-Bliley Act
– protects consumers’ personal financial information held by
financial institutions.
The (Federal) Privacy Act of 1974
– FTC approved “fair information practices” that are widely accepted
principles of privacy protection
65. Plethora of Laws
Section 208 of The E-Government Act
– Federal agencies should protect PII (personally identifiable
information) collected
Sarbanes-Oxley
– accounting fraud
– securities-law violations
– Enhanced penalties for white collar crime
– executives directly responsible for problems
– Accurate records to be maintained for 5 years
Basel II
66. Plethora of Laws
CAN-SPAM Act
– Has not yet succeeded in reducing unwanted e-mail
– New measures being agreed on by MS, Amazon,
Brightmail, etc to filter spam
Massachusetts court decided that ISPs may read
subscribers’ messages
– But all major ISPs disavowed any desire to read e-mail
67. Patriot Act
USA Patriot Act
– Negates almost every privacy prescription heretofore
stated, under special circumstances
– The circumstances are not tightly defined
– Hence, Governmental abuse is expected & has
happened
– Not only allows the Government to violate Privacy, but
mandates that companies collude in this
Is this the anti-law of Privacy?
68. Cookies and Privacy
Simply surfing makes you the target of spyware
Cookies placed on your computer can
– Profile your on-line behavior
– Track websites you have visited
– Trigger targeted pop-up ads
– Record search terms and form entries
Security scanners like Spybot and Zone Labs can detect
and remove such intrusive cookies
Try a free scan on your computer and see what you get:
– http://download.zonelabs.com/bin/free/cm/index4.html
69. Surfing Dangers
Simply surfing can get the online financial security
information that passes through your browser stolen:
– http://www.eweek.com/article2/0,1759,1618052,00.asp
The attacker uploaded a small file with JavaScript to
infected Web sites and altered the Web server
configuration to append the script to all files served by the
Web server (IIS).
– No anti-virus program would stop it,
– no firewall would slow it down and
– no shipping IE security patch would even notice it.
– Visit the page, get the infection. It was that simple.
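A defender can confirm the condition described above, a script appended by the web server to every file it serves, by comparing each file as stored on disk with the body actually served. This is an added example, not part of the original slides; the paths, file contents and footer bytes are constructed, and it assumes static files that are normally served byte for byte.

```python
from collections import Counter
from typing import Dict, Optional, Tuple

def appended_suffix(on_disk: bytes, served: bytes) -> Optional[bytes]:
    """Bytes the server added after the on-disk content (b"" if none).

    Returns None when the served body is not "on-disk content plus a suffix",
    i.e. the file was changed in some other way.
    """
    if served.startswith(on_disk):
        return served[len(on_disk):]
    return None

def audit_served_content(samples: Dict[str, Tuple[bytes, bytes]]) -> dict:
    """Compare {path: (on_disk, served)} pairs and look for a shared footer."""
    suffixes, rewritten = {}, []
    for path, (on_disk, served) in samples.items():
        extra = appended_suffix(on_disk, served)
        if extra is None:
            rewritten.append(path)
        elif extra:
            suffixes[path] = extra
    report = {"footer": None, "affected": [], "script": False,
              "rewritten": sorted(rewritten)}
    if suffixes:
        footer, _ = Counter(suffixes.values()).most_common(1)[0]
        affected = sorted(p for p, s in suffixes.items() if s == footer)
        # The same suffix on several unrelated files (even images) points at
        # the server configuration rather than at any single file.
        if len(affected) >= 2:
            report.update(footer=footer, affected=affected,
                          script=b"<script" in footer.lower())
    return report

# Constructed sample data: static files as stored and as served.
FOOTER = b"\n<script>/* constructed placeholder */</script>"
SAMPLES = {
    "/index.html": (b"<html>Home</html>", b"<html>Home</html>" + FOOTER),
    "/style.css": (b"body { margin: 0 }", b"body { margin: 0 }" + FOOTER),
    "/logo.gif": (b"GIF89a\x01\x00", b"GIF89a\x01\x00" + FOOTER),
    "/health.txt": (b"ok", b"ok"),
}

if __name__ == "__main__":
    print(audit_served_content(SAMPLES))
```

A footer that shows up on images and stylesheets as well as HTML is the signal to inspect the server's document-footer setting rather than the individual files.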
70. Surfing Dangers - Solution
Use Firefox (browser component of Mozilla, open
source)
That’s the recommendation of CERT
– http://www.mozilla.org/products/firefox/
You may lose ActiveX (Microsoft-specific code in
some web sites)
71. ISO/IEC 17799
Standard based on BS 7799
– Important, detailed, complex standard
– Covers People, Process and Technology
– A wide-ranging document on Information Security
– Has numerous recommendations in detail
– Companies can be certified against this standard
72. Understanding and Implementing ISO/IEC 17799
Start with Toolkit
– Full ISO17799 compliant information security policies
– Disaster recovery planning kit
– Road map for certification
– Audit kit (checklists, etc) for a modern network system
– Comprehensive glossary of information security
– Business impact analysis questionnaire
http://www.iso17799-made-easy.com/
73. Privacy Under Fire
Patriot Act
– 6 month wiretap without court order
“Patriot Act 2”
– More expansive laws than Patriot Act
Privacy vs. Freedom of Information Act
– School and University e-mails
Privacy vs. general public good
– Your best interests vs. 10 million+ peoples’
74. Laws Protecting Privacy
4th Amendment of the U.S. Constitution
Electronic Communications Privacy Act
HIPAA
Intellectual Property laws
– Copyright
– Trademark
75. Search Warrants
Obtained by law enforcement by testifying to
an uninvolved public agent of judicial review
naming
– The crime being investigated under probable
cause
– The specific location(s) to be searched
– The items and names of persons to be seized
76. Search Warrants
Search warrants do not solely apply to
physical domains
Also apply to wire taps, either phone or
network
Patriot Act expands the powers of law
enforcement, allowing for easier granting of
warrants requesting wire tap access
77. Search Warrants
Must be clear and concise
Items seized must be listed or at least
covered in the text of the warrant
Errors or omissions may result in evidence
being thrown out of court
78. Subpoenas
Subpoena – The process by which a court
orders a witness to appear (and sometimes
present evidence) at a judicial proceeding
and produce certain evidence for purposes of
discovery
For example, using ISP connection logs to
determine a particular subscriber’s identity
79. Court Orders
Court Orders – Official judge’s proclamation
requiring or authorizing the carrying out of
certain steps by one or more parties to a case
For example, using a packet-sniffer on an
ISP’s router to collect all packets coming from
a particular IP address to reconstruct an AIM
session.
80. Chain of Custody
Begins with seizure of items during the
execution of the search warrant
Accounts for every minute the items are in
custody
Must be maintained from seizure through
court appearance
Failure to maintain chain of custody may
result in inadmissibility of evidence
81. Chain of Custody
Important for businesses as a case may end
up in court
Failure to adequately show that a computer or item
did not have an opportunity to be tampered
with may result in an unfavorable judgment
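The two chain-of-custody slides above ask for a record that accounts for every minute from seizure to court and shows the item could not have been altered. The following added example (not part of the original slides) sketches one way to keep such a record: a hash-linked custody log whose verifier flags edited records, unaccounted time between custodians, and a changed evidence hash. The custodian names, timestamps and evidence bytes are constructed.

```python
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # "previous hash" of the first record

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(log, holder, start, end, evidence_sha256, action):
    """Append one custody interval, linked to the record before it."""
    body = {"holder": holder, "start": start, "end": end,
            "evidence_sha256": evidence_sha256, "action": action,
            "prev": log[-1]["hash"] if log else GENESIS}
    log.append({**body, "hash": _digest(body)})
    return log

def verify(log):
    """Return a list of (index, problem) tuples; empty means the log holds up."""
    problems = []
    prev_hash, prev_end, seized_sha = GENESIS, None, None
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev_hash or _digest(body) != entry["hash"]:
            problems.append((i, "record altered or chain broken"))
        start = datetime.fromisoformat(entry["start"])
        end = datetime.fromisoformat(entry["end"])
        if end < start:
            problems.append((i, "interval ends before it starts"))
        if prev_end is not None and start != prev_end:
            problems.append((i, "unaccounted time between custodians"))
        if seized_sha is None:
            seized_sha = entry["evidence_sha256"]
        elif entry["evidence_sha256"] != seized_sha:
            problems.append((i, "evidence hash differs from seizure hash"))
        prev_hash, prev_end = entry["hash"], end
    return problems

def build_sample_log():
    """Constructed example: one seized drive image, three custodians."""
    sha = hashlib.sha256(b"constructed disk image bytes").hexdigest()
    log = []
    add_entry(log, "Seizing officer", "2004-03-01T10:15:00",
              "2004-03-01T12:00:00", sha, "seized under warrant, imaged")
    add_entry(log, "Evidence locker", "2004-03-01T12:00:00",
              "2004-03-02T09:00:00", sha, "sealed storage")
    add_entry(log, "Forensic examiner", "2004-03-02T09:00:00",
              "2004-03-02T16:30:00", sha, "analysis of working copy")
    return log

if __name__ == "__main__":
    print(verify(build_sample_log()))  # no problems for the intact log
```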
83. Summary
Many legal issues facing technology and
computer forensics from start of investigation
through court testimony
Complexities and adaptability of technology
also potentially create a myriad of issues
Following well-documented procedures for
obtaining and handling evidence
84. References
US Department of Labor / Office of Administrative Law Judges
www.oalj.dol.gov/faq19.htm - Subpoena Form
Cyberlaw: Problems of Policy and Jurisprudence in the Information Age – Patricia L. Bellia,
Paul Schiff Berman, David G. Post, Thomson/West 2003
4th Amendment
http://caselaw.lp.findlaw.com/data/constitution/amendment04/
IEEE Code of Ethics
http://www.ieee.org/portal/index.jsp?pageID=corp_level1&path=about/whatis&file=code.xml&xsl=gener
COPS.org Code of Ethics
http://www.cops.org/ethics.htm
Court Order
http://www.wordiq.com/definition/Court_order
Editor's notes
Paraphrase these laws on the slides following. Check and see if CDA was struck down. Check Patriot Act.