Online Guest Lecture
Computer Crime and Computer Forensics
This week’s online lecture is presented by Carol Sciannameo, guest lecturer.
Carol Sciannameo is a licensed Private Investigator in the State of Florida and the owner of Tampa Bay Investigations. Carol is a retired NYPD Lieutenant, a graduate of the FBI National Academy in Quantico, Virginia, and holds a Master’s Degree in Organizational Behavior from Polytechnic University in New York. She has developed and teaches numerous distance learning classes in Computer Crimes for St. Petersburg College in Florida.
Computer Crime
“Same Old, Same Old”
Computer crime is defined as any offense involving or related to the use of a computer as the vehicle for the commission of the offense.
Traditional computer crimes are the same old crimes, committed in a new way. Some of these crimes include:
· Email abuse/Harassment – prior to email, persons were harassed, and are still harassed, through regular mail. Email abuse is the use of a digital medium to commit this harassment. Many states have charges of aggravated harassment for harassing through telecommunications or a digital medium.
· Pornography – Pornography using the internet is the crime that is probably the most controversial in terms of First Amendment and Fourth Amendment issues. In terms of the First Amendment, freedom of speech and freedom of expression protect this from legislation. The global dimension is very prominent in this crime, since in many places, such as Amsterdam, prostitution as well as pornography are legal. Child pornography is an area that is legislated. It is a felony to download child pornography. There have been many recent celebrity cases that involved the downloading of these materials; R. Kelly is one of those who were found in possession of these materials.
Controversy surrounds the issue of child pornography in terms of the Fourth Amendment, in that governmental sting operations have seized digital child pornography remotely, and have occasionally wrongfully charged individuals when child pornography had been downloaded innocently through a Trojan horse, worm or virus application.
· Forgery has been taken to new heights with the usage of the computer. This is a particular crime that can be perpetrated using the hardware components of the computer without the usage of the internet. The dawn of high resolution copiers/scanners has made it possible to replicate high quality forgeries of documents.
· Counterfeiting, like forgery, is made much more accessible to “less technical” individuals for the same reasons and using the same hardware as in forgery.
· Extortion traditionally is the demand for money with a promise of future physical harm or property damage. Different states classify the crime slightly differently, but it is generally classified under Grand Larceny, a theft without the usage of immediate force. This is a crime that is perfect for the computer and the internet: they give the extortionist an omnipresence that was not possible with traditional extortion.
· Fraud on the internet is most commonly seen in purchasing and auctions. Items can be advertised and either not delivered, not delivered as promised, or not of the quality advertised. There are many con games that fall under this category; one in particular is the “Nigerian Banking” scam.
· Identity theft, which used to require an “insider” disseminating information such as social security numbers, other identifying information and financial information, or a physical contact crime such as pickpocketing or another con method to physically obtain identification, is now very common using the computer. Many people make purchases online, bank online, trade stock online and do just about every kind of transaction online. Modern encryption and other security enhancements have reduced this crime, but remember, the criminals are usually one step ahead of those fighting crime!
Non-traditional computer crimes are crimes that were not a threat prior to the internet. Some of these crimes include:
· Disruption of computer supported operations – this occurs when a major function of an organization that is controlled by computer (and at this point in time, most organizations have many of their functions controlled by computer in one way or another) is taken offline for a period of time. An example of this would be air traffic control monitoring equipment being disrupted and having to go to manual mode. The impact on travel and the safety of travel for the period of time offline would cause tremendous time and financial losses.
· Deployment of malicious code – this occurs when someone with programming capabilities writes code and “hacks,” using one of various methods of entry into computers, causing damage to an organization’s or an individual’s computers, a network, or an unrelated group of computers.
· Trojan horses – this occurs when a seemingly harmless item enters the computer. It could be in the form of an email attachment, it could come in through a router with an open port, or by other means; once it enters the computer, it releases code that causes the computer to do whatever is written in the code.
· Cyberterrorism and critical infrastructure interruption is very similar to disruption of computer supported operations but is on a larger scale that could impact and seriously injure, kill or inconvenience vast numbers of people. An example of this would be interruption of the computers that control any one of the utilities necessary to carry on life as usual, such as water, electricity, internet connectivity, governmental databases or communications.
Many of the commonalities between traditional crime and computer crime still exist, and these are:
· issues of jurisdiction
· lack of standardization in prosecution
· civil liberties issues
· issues of search and seizure (Fourth Amendment) and
· issues of freedom of speech and expression
First and Fourth Amendment Issues
Two of the “same old” standards that apply are the First and Fourth Amendments of the Constitution, which are contained in the Bill of Rights.
First Amendment:
The right to freedom of religion and freedom of expression from government interference. Freedom of expression consists of the rights to freedom of speech, press, assembly and to petition the government for a redress of grievances, and the implied rights of association and belief.
This particular amendment is very important when considering government intervention in crimes such as pornography and applies specifically to freedom of speech and expression.
Fourth Amendment:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
This particular amendment is very important in being able to search and seize evidence in traditional as well as computer crime.
Crime and Cyberspace
Computer crimes are generally the same old crimes that have existed forever, just using the computer to commit them. The permeation of the crime on a global level is the main difference.
When I was a Transit Police Officer back in the 1980’s, I would receive a “post.” My post was generally 42nd Street and 8th Avenue, known back then as probably the worst crime ridden area of Manhattan. It was known for prostitution, pornography, identity theft, robbery, grand larceny, con games, crimes against children and almost every other criminal activity that you can imagine.
Let us think of this post as a microcosm of the internet. Let us look at the differences and similarities in order to understand the depth of crimes perpetrated on the internet.
The “same old crimes” that occurred on my post occur on the internet. Give some real thought to this. As wild as 42/8 was in those days, it existed in physical space. It was comprised of 8 city blocks, an underground subway system housing the “A” train, a passageway to Times Square and concession stands, stores in the subway. Upstairs there were some convenience stores, “flea bag” hotels, X rated stores and X rated movie theatres, all of which were in great disrepair. For any of you who might have read any of Kelling’s work on the “Broken Windows” theory of policing, or are versed in CPTED (Crime Prevention Through Environmental Design), this area was “ripe and ideal” for the permeation of crime. Continue to keep in mind that at least it was in a pre-existing “physical space.” There were no jurisdictional issues, as the post existed in the Midtown South Precinct. All criminal cases were prosecuted by the New York County District Attorney. Although I was a Transit Police Officer and was assigned to a Transit District, all cases were assigned a Transit Police case number that corresponded to an NYPD 61# (complaint number). Fairly easy to keep track of, yet crime still festered.
In later years, after a concerted effort under the leadership of William Bratton, circa 1992, using the theories of Compstat (a theory of which I am personally proud as I had much input), 42/8 became the home to Disney, New York.
Let us digress here a bit, and I will tell a little “war story.” After having been assigned to District One as a uniformed police officer and having been elevated to “anti-crime” and then transferred to a career path unit, Citywide Anti-Crime (a unit from which detectives are made), I had occasion to work for Jack Maple. (Jack Maple is widely known for his creation of the television show “The District.” Jack passed away in August of 2001, and is still my mentor. He is a very colorful character known for wearing spats, seemingly crazy schemes, and other quirks, and is depicted in the show in the character “Jack Mannion.”) In his book, Crimefighter, Putting the Bad Guys Behind Bars, I am credited on page two with saving his life. Many people have ribbed me about that, saying that life would have been easier without him, but without him 42/8 would not now be New York’s Disney Center; it would still be the crime ridden area it once was.
In any event, getting back to the story, while working for Jack Maple, by now I was a Sergeant and we were in the Repeat Offender Robbery Strike Force. The purpose of the unit was to apprehend violent predicate felons in a non-threatening environment, and put them away for a long, long time. The way that we did this was through Decoy operations. In 1985, our unit was featured as the cover story in New York Magazine (and in the magazine are pictures of a much younger and slimmer me!).
While in this unit, Jack had us create “the maps of the future” as he would call them. We had a small 12 foot by 10 foot office, and around the office we had old fashioned dot matrix print outs of subway stations and we put colored shapes all over these maps to indicate crimes, and times of crimes, and types of crimes, and we had colors and shapes galore. We all thought he was nuts, but we did it anyway. We humored him, while he sat at his desk smoking a cigar, wearing spats (with no socks) and rinsing his mouth with Scope mouthwash that he spit back into the bottle.
Well, these maps of the future and Jack’s strategies, which amount to no more than doing your job, and being accountable for your area of control, became Compstat. Compstat was very similar to strategies found in the private sector, but had never been used in policing.
There are four tenets to Compstat and they are:
· Accurate and Timely Intelligence
· Effective Tactics
· Rapid Deployment of Personnel and Resources
· Relentless Follow Up and Assessment (I liked this part so much that my license plate was RELENTLS)
For those of you who may have studied management, these are very similar to the tenets of Total Quality Management (TQM), which were formulated by the father of TQM, W. Edwards Deming.
This brings me back to the “same old” theory when speaking to the issue of crime, the handling of crime, doing your job, and being relentless about doing it. It also brings me back to my comparison of 42/8 and the internet as crime locations. It took approximately 15 years and concerted effort to turn 42/8 into a respectable location, and it is a physical location with no jurisdictional issues.
For all of the “samenesses,” the internet is nebulous, non-physical, enormous and comprised of many of the same circumstances that supported crime on 42/8. I constantly remind my students that these “same old” crimes committed digitally will need even more commitment and concerted effort, similar to what we undertook when using Compstat to bring about change at 42/8.
The challenge is great. The issues are many.
Extent of Computer Crime
It is important to estimate how much crime is actually being committed in cyberspace. From a costing perspective, an estimate is instrumental in calculating the budget to be allocated for cyber-security.
Security experts estimate annual losses of between $555,000,000 and $13 billion, but as with most crime, the actual statistics are difficult to discern as many crimes may go unreported, underreported, or falsely reported. Different sectors of business stand to lose more, while others have very little to lose. For example, banking and other financial institutions such as online stock brokerage houses need to spend the most money to invest in the latest encryption and other security measures to ensure that funds are not taken from accounts.
The suggested method for business is to conduct individualized risk assessments to allocate appropriate spending resources to reduce risks to acceptable levels.
Even with the dawn of Compstat, or using other methods of crime forecasting and prediction, crime is still somewhat unpredictable in many cases. We cannot always predict future unknown behavior or misbehavior and link this behavior to unknown perpetrators and unknown times, under a variety of circumstances complicated by the usage of the internet and the globalization of crime. Add to this equation the jurisdictional issues and non-standardized legislation.
Media Sensationalism
Without risk assessment data, media sensationalism can cause panic and a "knee jerk" reaction to cybercrime. Imagine that you are the security head of a major software manufacturer and the news sensationalizes one headline about a particular software manufacturer who has gone under due to a theft of trade secrets.
Imagine that your CEO calls you into a meeting and insists that you, as director of security, explain how this is being addressed in your particular firm. Your CEO is not impressed with your risk assessment and demands that you address the problem more aggressively. You, as security director, make a proposal to add state of the art security measures to your firm. Your proposal takes about two weeks to design. In that time, it has been discovered that the loss from the sensationalized story was a mere case of an employee leaking advance copies of software to another manufacturer. You were so busy addressing your own crisis that you missed recent developments. You have now made a proposal for the spending of large sums of money to invest in this new equipment, when in essence, the problem is a human resources problem and not a security problem at all.
You have now wasted countless hours concentrating on an issue that is not even relevant to your firm. It does make a point for cross functional teams in a firm, whereby security input is included in the development of interviewing techniques for the human resources department, but it does not make up for the loss of confidence in you as the security head or the CEO's poor reaction to a sensationalized story.
Media perception causes scenarios like this every day in every walk of life. As a security person, it is your responsibility to be aware of current events in your field, to be prepared to answer the questions when your CEO calls upon you to overreact, and to have a valid, current risk assessment to quell fears. If you are prepared with the right answers, a costly "knee jerk" reaction can be avoided.
Summary
When looking at crime, any crime, the main things to remember are:
· Crime remains the same, only the means to commit the crimes change
· Do not operate in a vacuum; be aware of social, political, technological and economic factors when considering solutions
· Do your job, do it well, be accountable for the decisions you make.
· Share information, work in a concerted effort utilizing the resources of every available agency to solve the problem
· Strive for “standardization” in legislation and jurisdictional prosecution
· Be open minded to new ideas even if they seem to come from a guy as eccentric as Jack Maple
· Think out of the box
· Be Prepared
Young Turn to Web Sites Without Rules
[Photo: Hideki Kishioka, left, chief executive of Stickam, with Andy Bower, an employee.]
By BRAD STONE
Published: January 2, 2007
SAN FRANCISCO, Jan. 1 — Popular Web sites like YouTube and MySpace have hired the equivalent of school hallway monitors to police what visitors to their sites can see and do by cracking down on piracy and depictions of nudity and violence.
So where do the young thrill-seekers go? Increasingly, to new Web sites like Stickam.com, which is building a business by going where others fear to tread: into the realm of unfiltered live broadcasts from Web cameras.
The site combines elements of more popular sites, but with a twist. In addition to designing their own pages and uploading video clips, its users broadcast live video of themselves and conduct face-to-face video chats with other users, often from their bedrooms and all without monitoring by any of Stickam’s 35 employees.
Other social networks have decided against allowing conversations over live video because of the potential for abuse and opposition from child-safety advocates. “The only thing you get from the combination of Web cams and young people are problems,” said Parry Aftab, executive director of the child protection organization WiredSafety.org. “Web cams are a magnet for sexual predators.”
The larger Internet companies have come under increasing pressure to make their sites safer for children and friendlier to copyright holders, so start-ups like Stickam are pursuing their own slices of the market, often at the price of taste, ethics and perhaps even child safety.
“Letting people do whatever they want is one way for these sites to differentiate themselves,” said Josh Bernoff, a Forrester Research analyst. “It is the race to the bottom.”
Video-sharing sites in particular are filling niches abandoned by YouTube, which is now owned by Google and had more than 25 million visitors last month. Since its inception in 2005, YouTube has banned nudity and taken down copyrighted material when rights holders file specific complaints.
Last March, under additional pressure from copyright holders, YouTube placed a 10-minute limit on clips.
Smaller start-ups who are not able, or willing, to be as diligent are seeing their audiences explode as users seek the more freewheeling environment that typified YouTube’s early days. Users post 9,000 new videos a day to Dailymotion, which had more than 1.3 million visitors in November, up more than 100 percent since May, according to the tracking firm ComScore Media Metrix.
A recent search on Dailymotion, which is based in Paris, found hours of copyrighted material: entire episodes of NBC’s “Heroes” and CBS’s “Without a Trace,” recordings of Beatles concerts and plenty of nudity. The firm places no length restrictions on uploaded video.
Benjamin Bejbaum, the chief executive of Dailymotion, said the firm’s 30 employees move quickly to take down video when users or rights-holders flag it as inappropriate or illegal. Mr. Bejbaum’s company is seeking the kinds of revenue-sharing deals with copyright holders that Google has struck, he said.
Dailymotion currently shows ads to its users in France, which make up 40 percent of visitors to the service, and is studying an entry into the United States.
Another new video-sharing site, LiveLeak, based in London, has positioned itself as a source for reality-based fare like footage of Iraq battle scenes and grisly accidents. Last week, popular clips on the site included one of an agitated man in Muslim dress on a fast-moving treadmill and video of an American A-20 aircraft bombing Taliban forces in Afghanistan.
Hayden Hewitt, a co-owner of LiveLeak, said that people who have been barred from YouTube for uploading explicit footage of the Iraq war have migrated to his site. LiveLeak “won’t ban anyone for showing the truth,” Mr. Hewitt said. The site also features ample sexual content that would never make it onto YouTube or MySpace.
To support itself, LiveLeak runs ads from the syndicated ad network Adbrite. Mr. Hewitt said the company was not trying to get rich or dethrone YouTube, but to create a place on the Web for unvarnished reality.
Few of these new video sites, though, worry child-safety advocates as much as Stickam, which mostly attracts young people comfortable with the idea of a continuous self-produced reality TV show starring themselves. Stickam, based in Los Angeles, says it has 260,000 registered users — 50,000 of them say their age is 14 to 17 — and is adding 2,000 to 3,000 each day.
Advanced Video Communications, a Los Angeles company that builds video conferencing systems for companies, founded Stickam (pronounced stick-cam) late last year to demonstrate its technology. Its first product was a program that let users bring a live Web cam feed directly onto their MySpace pages and other social networks and bulletin boards.
In October, MySpace blocked the Stickam service. MySpace’s chief security officer, Hemanshu Nigam, said the firm “has not implemented video chat features, given the safety implications for our users.”
By then, Stickam was testing its own social networking service to compete directly with MySpace. The new site prohibits anyone under 14 from joining, and its terms of service forbid “obscene, profane and indecent” behavior. But since the company does not verify a user’s age, and because users’ broadcasts are live, even the firm’s chief executive, Hideki Kishioka, concedes those rules are unenforceable. The company is “relying on users to monitor each other,” he said.
Even enthusiastic Stickam users say the site often feels lawless. “People are very vulgar and like to ‘get their jollies’ from harassing people, mainly girls, to take off their clothes,” said Chelsey, a 17-year-old user from Saskatchewan in Canada, who signed up after her 13-year-old sister violated the site’s age rules and joined the service.
“I’m pretty sure none of their parents know or even think about the things that they are doing on this site,” said Chelsey, who said in an e-mail message that she did not feel comfortable using her last name in an interview.
Other companies that offer Web cam chats say that the technology seems to attract abuse. “There are just some people who, if you give them a Web cam, are going to take off their clothes,” said Jason Katz, founder of PalTalk, an eight-year-old service that lets users converse over Web cams on various topics. Unlike Stickam, PalTalk asks for a credit card and charges a monthly fee, which it says prevents minors from signing up.
At least one major media company has embraced Stickam. Last month, Warner Brothers Records opened a page on the service for two of its artists, Jamie Kennedy and Stu Stone, and trained a Web cam on them as they recorded a music video. More than 9,500 users watched the event and chatted with the performers during breaks in filming.
Robin Bechtel, Warner’s vice president for new media, said she thinks Stickam “could be the next MySpace” and that people would migrate to even controversial video sites if they have features that MySpace and YouTube did not. “People are going to go where the content is,” Ms. Bechtel said. “If Stickam has celebrities and is entertaining, they will go there.”
Mr. Kishioka of Stickam said that in some respects, his site was actually safer than other social networks. Live video feeds let users “know who they are talking to,” he said. “Unlike MySpace, it is hard to disguise yourself.” But he added that his company had the same concerns about child safety as MySpace and was working on an automated system that would monitor live video feeds for indecency.
Child-safety experts are not convinced. They say that sites like Stickam are the motivation for them to work closely with sites like MySpace and YouTube to create safeguards.
“If we discourage the use of the more corporately responsible social networking sites, kids will go underground to more edgier ones,” said Donna Rice Hughes, president of the Internet safety organization Enough Is Enough in Virginia. “Then we’ll have more of a problem.”
A Lively Market, Legal and Not, for Software Bugs
Published: January 30, 2007
Microsoft says its new operating system, Windows Vista, is the most secure in the company’s history. Now the bounty hunters will test just how secure it is. When its predecessor, Windows XP, was released five years ago, software bugs were typically hunted by hackers for fame and glory, not financial reward. But now software vulnerabilities — as with stolen credit-card numbers and spammable e-mail addresses — carry real financial value. They are commonly bought, sold and traded online, both by legitimate security companies, which say they are providing a service, and by nefarious hackers and thieves.
Vista, which will be installed on millions of new PCs starting today, provides the latest target.
This month, iDefense Labs, a subsidiary of the technology company VeriSign, said it was offering $8,000 for the first six researchers to find holes in Vista, and $4,000 more for the so-called exploit, the program needed to take advantage of the weakness.
IDefense sells such information to corporations and government agencies, which have already begun using Vista, so they can protect their own systems.
Companies like Microsoft do not endorse such bounty programs, but they have even bigger problems: the willingness of Internet criminals to spend large sums for early knowledge of software flaws that could provide an opening for identity-theft schemes and spam attacks.
The Japanese security firm Trend Micro said in December that it had found a Vista flaw for sale on a Romanian Web forum for $50,000. Security experts say that the price is plausible, and that they regularly see hackers on public bulletin boards or private online chat rooms trying to sell the holes they have discovered, and the coding to exploit them.
Especially prized are so-called zero-day exploits, bits of disruption coding that spread immediately because there is no known defense.
Software vendors have traditionally asked security researchers to alert them first when they find bugs in their software, so that they could issue a fix, or patch, and protect the general public. But now researchers contend that their time and effort are worth much more.
“To find a vulnerability, you have to do a lot of hard work,” said Evgeny Legerov, founder of a small security firm, Gleg Ltd., in Moscow. “If you follow what they call responsible disclosure, in most cases all you receive is an ordinary thank you or sometimes nothing at all.”
Gleg sells vulnerability research to a dozen corporate customers around the world, with fees starting at $10,000 for periodic updates. Mr. Legerov says he regularly turns down the criminals who send e-mail messages offering big money for bugs they can use to spread malicious programs like spyware.
Misusing such information to attack computers or to aid others in such attacks is illegal, but there appears to be nothing illegal about the act of discovering and selling vulnerabilities. Prices for such software bugs range from a couple of hundred dollars to tens of thousands.
Microsoft is not the only target, of course. Legitimate security researchers and underground hackers look for weaknesses in all commonly used software, including Oracle databases and Apple’s Macintosh operating system. The more popular a program, the higher the price for attacking code.
The sales of Vista faults will therefore continue to trail the sale of flaws in more widely used programs, even Windows XP, for the foreseeable future.
“Of course it concerns us,” Mark Miller, director of the Microsoft Security Response Center, said of the online bazaar in software flaws, which it has declined to enter. “With the underground trading of vulnerabilities, software makers are left playing catch-up to develop updates that will help protect customers.”
Throughout the 1990s, software makers and bug-hunters battled over the way researchers disclosed software vulnerabilities. The software vendors argued that public disclosure gave attackers the blueprints to create exploitative programs and viruses. Security researchers charged that the vendors wanted to hide their mistakes, and that making them public allowed companies and individual computer users to protect their systems.
The two sides reached an uneasy compromise. Security researchers would inform vendors of vulnerabilities, and as long as the vendor was responsive, wait for the release of an official patch before publishing code that an attacker could use. Vendors would give public credit to the researcher. The détente worked when most researchers were motivated by acclaim and a desire to improve security.
But “in the last five years the glory seekers have gone away,” said David Perry, global education director at Trend Micro. “The people who are drawn to it to make a living are not the same people who were drawn to it out of passion.”
In 2002, iDefense Labs became one of the first companies to pay for software flaws, offering just a few hundred dollars for a vulnerability. It administered the program quietly for a few years, then answered early critics by arguing that it was getting those bugs out into the open and informing software makers, at the same time as clients, before announcing them to the general public.
“We give vendors ample time to react, and then we try to responsibly release them,” said Jim Melnick, the director of threat intelligence at iDefense.
In 2005, TippingPoint, a division of the networking giant 3Com, joined iDefense in the nascent marketplace with its “Zero-Day Initiative” program, which last year bought and sold 82 software vulnerabilities. IDefense said its freelance researchers discovered 305 holes in commonly used software during 2006 — up from 180 in 2005 — and paid $1,000 to $10,000 for each, depending on the severity.
Security researchers warmed to the idea that vulnerabilities were worth real dollars. In December 2005, a hacker calling himself “Fearwall” tried to sell on eBay a program to disrupt computers through Excel, Microsoft’s spreadsheet program. Bidding reached a paltry $53 before the auction site pulled it.
Nevertheless, several Internet attacks in the following months exploited flaws in Excel, suggesting to security experts that its creator ultimately found other ways to sell it.
In January 2006, a Moscow-based security company, Kaspersky Labs, found more evidence of an emerging marketplace for software bugs. Russian hacking gangs, it disclosed at the time, had sold a “zero-day” program aimed at the Microsoft graphics file format, Windows Metafile or WMF. The price: $4,000.
The program was widely used that month and allowed criminals to plant spyware and other malicious programs on the computers of tens of thousands of unsuspecting Internet users. Microsoft rushed out a patch.
It had to distribute another patch in September, to counter one more malicious program, which involved a flaw in the vector graphics engine of Internet Explorer, that enabled further cyber mischief.
Marc Maiffret, co-founder of eEye Digital Security, a computer security company, said prices in the evolving black market quickly proved higher than what legitimate companies would pay. “You will always make more from bad guys than from a company like 3Com,” he said.
Even ethical researchers feel that companies like iDefense and TippingPoint do not adequately compensate for the time and effort needed to discover flaws in complex, relatively secure software.
And some hackers have little ethical compunction about who buys their research, or what they use it for. In a phone interview last week arranged by an intermediary in the security field, a hacker calling himself “Segfault,” who said he was a college-age student in New York City, led a reporter on an online tour of a public Web site, ryan1918.com, where one forum is provocatively titled “Buy-Sell-Trade-0day.”
Segfault, who said he did not want to reveal
his name because he engages in potentially
illegal activity, said the black market for
zero-days “just exploded” last year after the
damaging Windows Metafile attack.
He claims he earned $20,000 last year from
selling his own code — mostly on private chat
channels, not public forums like Ryan1918 —
making enough to pay his tuition.
Although he conceded that Microsoft had made
significant strides with Vista’s security, he
said underground hacker circles now had a
powerful financial incentive to find its weak
links.
“Vista is going to get destroyed,” he said.
That may be an exaggeration. Microsoft has
taken precautions such as preventing
unauthorized programs from running at the most
central part of the system, called the kernel,
and creating an extra level of protection
between the operating system and the browser.
Microsoft appears to wish the open market for
flaws in their products would simply disappear.
“Our practice is to explicitly acknowledge and
thank researchers when they find an issue in our
software,” said Mike Reavey, operations manager
of the company’s security response center.
“While that’s not a monetary reward, we think
there is value in it.”
But independent security analysts say those
days are over. Raimund Genes, the Trend Micro
researcher who found the Vista bug for sale on a
Romanian Web site, said, “The driving force
behind all this now is cash.”
Computer Crime Links
Ethics in Computing
CyberLaw
Cybercrimes
National Criminal Justice Reference
Service
ACLU Big Brother In the Wires
Information Security Magazine
Computer Crimes
Hacking Laws
Secure Florida
Child Pornography
Computer Forensics
Forensics in General
Forensic science, also called medical jurisprudence or simply forensics,
is the application of science to law.
Forensic science uses highly developed technologies to uncover
scientific evidence in a variety of fields.
Computer forensics is a specific field within it and uses its own set of highly
developed technologies.
Modern forensic science has a broad range of
applications. We are familiar with many of them from television; most of us
have watched "buff" shows such as CSI, Law and Order, and NYPD Blue. These shows
illustrate the commonly investigated criminal cases involving a victim, such as
assault, robbery, kidnapping, rape, or murder. By now we are all versed, from our
viewing, in DNA and its capabilities as well as many of the techniques used to
collect it. Some shows and movies are now highlighting computer crimes, and
occasionally we see some computer forensics.
Computers, too, have their own DNA. Computer
DNA does not consist of blood, hair samples or other "human" physical evidence,
but of the many forms of "digital" evidence that can be analyzed. There may be
some human evidence in and about the immediate area of the computer's hardware,
such as fingerprints, hair or dried body fluids, but these serve to tie the
computer to a specific user or users and not for much else. In the same way that
traditional DNA analysis looks at blood to see its components, the computer
forensics specialist looks into the hard drive of the computer for evidence:
logs, files and transfer chains.
In traditional forensics, the
medical examiner is the central figure in the forensic investigation of crimes
involving a victim. It is the responsibility of the medical examiner to visit
the crime scene, conduct an autopsy (an examination of the body) in cases
of death, examine the medical evidence and laboratory reports, study the
victim's medical history, and put all this information together in a report to
the district attorney. You will be reading an article on IT Autopsy that draws parallels
from computer forensics to traditional forensics.
Medical examiners are usually physicians
specializing in forensic pathology, the study of structural and
functional changes in the body as a result of injury. Their training and
qualifications most often include a medical degree and an apprenticeship in a
medical examiner's office. Depending on the requirements of the particular
state, city, or county, the medical examiner may also be required to be
certified as a forensic pathologist by the American Board of Pathology. At
present, the United States has no national system of medical examiners and has
no federal law requiring that coroners be licensed physicians.
Traditional forensics also has its forensic
scientists: pathologists (who examine body tissues and fluids), toxicologists
(who study poisons, including drugs), odontologists (who study teeth),
psychiatrists and anthropologists (who study human beings and their behavior),
biologists, and chemists. These are the specialists that the medical examiner
may call upon. For example, whenever it is suspected that drugs or poisons are
involved in a crime, the medical examiner must obtain the services of a
toxicologist. Toxicologists detect and identify any drugs or poisons present in
a person's body fluids, tissues, and organs. This type of investigation is
conducted not only on the victim but, when possible, also on the suspected
perpetrator of the crime.
Forensic odontologists examine and
characterize the teeth of unidentified bodies when fingerprints or other
identification is not available. The dental charts of missing individuals can
then be compared with the forensic odontologist's report to identify the body.
Forensic anthropologists are trained to
determine the sex, height, weight, and ethnic group of a deceased person from an
incomplete body. Marks on the bones often indicate past injuries, diseases, and
occupational stresses suffered by the individual. Investigators can identify a
body by comparing old X rays and the medical history of a missing person with
the findings of the forensic anthropologist.
Forensic scientists may choose to be certified
by the American Board of Criminalistics, a professional organization that has
developed examinations to certify individual forensic scientists in their
particular area of expertise.
Computer Forensics as a Branch of Forensics
After having read the
prior definition and history of forensics, one can imagine all the commonalities
and differences that exist between physical evidence and computer (data)
forensics. Discovering data that resides in a computer system, or recovering
deleted, encrypted or damaged file information, can make or break the legal
prosecution of a case.
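How "recovering deleted file information" works in practice, as an added example that is not part of the lecture or of the tools it links: a small signature-based file carver in Python. Deleting a file on most file systems only removes the directory entry and marks the blocks free, so the bytes stay in unallocated space until they are overwritten. The carver never consults the file system; it scans the raw image for known header and footer byte patterns, which is why it finds files whose directory entries are gone. The disk image and the signature table below are constructed for the example (the signatures are a small subset of what carvers such as foremost and scalpel ship with), and the example also shows the failure mode a practitioner should expect: a header whose footer was overwritten is reported as incomplete rather than swallowing the rest of the image.

```python
"""Signature-based file carving over a raw disk image.

Added example for this lecture, not code from it or from any forensic
product. The image and the signature table are constructed here; the
signatures are a small subset of what carvers such as foremost or scalpel
ship with.
"""


# Header and footer byte patterns ("magic numbers"). The footer bytes are
# part of the file and are kept in the carved output.
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9"},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xae\x42\x60\x82"},
    "pdf": {"header": b"%PDF-", "footer": b"%%EOF"},
}


def carve(image, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Scan the raw bytes for every header/footer pair and return the hits.

    The file system is never consulted, so a file whose directory entry was
    removed by deletion is still found as long as its blocks were not reused.
    max_size bounds the footer search; a header with no footer inside that
    window is reported as incomplete (typically a partly overwritten file)
    rather than being allowed to swallow the rest of the image.
    """
    hits = []
    for ftype, sig in signatures.items():
        pos = 0
        while True:
            start = image.find(sig["header"], pos)
            if start == -1:
                break
            window_end = min(len(image), start + max_size)
            end = image.find(sig["footer"], start + len(sig["header"]), window_end)
            if end == -1:
                hits.append({"type": ftype, "offset": start,
                             "data": image[start:window_end], "complete": False})
                pos = start + len(sig["header"])
            else:
                end += len(sig["footer"])
                hits.append({"type": ftype, "offset": start,
                             "data": image[start:end], "complete": True})
                pos = end
    hits.sort(key=lambda h: h["offset"])
    return hits


def build_sample_image():
    """Constructed image: zeroed blocks, an intact JPEG-like file sitting in
    unallocated space, a PDF whose tail was overwritten, more zeroed blocks."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) + b"\xff\xd9"
    pdf_head = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    return b"\x00" * 512 + jpeg + b"\x00" * 128 + pdf_head + b"\x00" * 256


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        state = "complete" if hit["complete"] else "INCOMPLETE"
        print(f"{hit['type']} at offset {hit['offset']}: {len(hit['data'])} bytes, {state}")
```

Carved output should be hashed and logged the same way as the image it came from; a carved file that cannot be tied to an offset in a hashed image is hard to defend in court.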
Computer forensics is a
fairly new and emerging field, as is the technology it examines. With each
technological development, criminals find new and creative ways to pull the same
old scams and cons using this highly effective medium. The benefit to them is
global reach: the same scam can be executed over a much larger range than
before.
In the same way that the
medical examiner calls upon specialists to assist in the analysis of evidence,
the computer forensics examiner will call upon various forensic software and
digital tools to assist in the investigations.
Definition: Computer forensics is the use of
computer investigative and analysis techniques to identify data of potential or
actual relevance to a case. There are five (5) components to computer forensics:
Acquisition
Acquisition is
the collection of data. Collection covers the data evidence obtained from the
computer itself, as well as physical evidence, such as logs or other paper
records used in the crime.
Preservation
Timely and
technologically sound methods of securing the evidence. Preservation begins upon
acquisition and continues through the entire chain of custody until the final
presentation at a legal proceeding.
Analysis
Analysis is
the use of proven technological and investigative techniques and tools to
conclude, to a reasonable degree of certainty, the relevance of the data.
It calls for critical thinking and includes determining the sequence in which
the evidence developed during the commission of the crime.
Documentation
In the
preparation of a data evidentiary case, the data from the computer and remote
data sources as well as paper logs and records can serve to support the strength
of the case.
Legal Presentation
Legal
presentation is an element of the investigation that should begin at the time of
the first notification or suspicion of the crime. If the end result, the
prosecution, is kept in sight from the onset, and all precautions are taken to
properly acquire, preserve, analyze and document the case, the legal
presentation will be sound. Another issue to be considered in this area is the
expertise of the investigator and the reliability of the evidentiary tools and
techniques used in the investigation.
Differences between Physical Evidence and Data Evidence
Physical evidence, for the
investigator, is a virtual “no brainer” for a seasoned or properly guided novice
investigator. Years of handling evidence have set out clearly delineated
procedures for its effective handling and processing. Of course, incompetent or
untrained investigators can easily unwittingly circumvent the procedures, and
the easiest cases could be lost on an evidentiary basis. From my many years in
police work, I find that laziness and carelessness are the two biggest threats
to the preservation of physical evidence. Laziness on the part of the
investigators to properly handle evidence and carelessness in processing a crime
scene are major issues. There is no difference when processing data evidence.
An investigator needs to
follow a structured and clearly delineated set of procedures and cannot deviate
from these rules. An investigator cannot become lazy or careless (sloppy) as
with physical evidence. Investigation, as a rule is a highly organized and
systematic method of reaching a conclusion. If the investigator is thorough in
his/her performance of this organized and systematic method, there is really no
difference between the handling of physical and data evidence.
Preservation of Forensic Evidence
Preservation of
forensic evidence is the proper handling, chain of custody and processing of
data materials.
Just as in a non-data criminal investigation, the fewer the people
involved in the chain of custody, handling and processing, the better the case
for the prosecution. More investigators equates to more people that the defense
attorneys can attempt to trip up. Defense attorneys thrive on causing
investigators and police to appear incompetent enough that they could have
damaged or destroyed evidence. If they cannot prove incompetence, their next
strategy is to have the investigators and police appear to be devious enough to
have purposely mishandled, changed or altered evidence. As we know from recent
police trials, personnel records, reputations, and job record (including
civilian complaints and other indicators) are all fair game for the defense
attorney. Police officers and investigators suffer in this arena because their
job tenure usually stretches over a substantial number of years. During the
many years, it is rare for an officer or investigator to have a totally unmarred
record. Defense attorneys thrive on this, so if one lesson is learned from this
section, it should be that diligent handling
and preservation of evidence by the least number of required investigators is
paramount for the successful prosecution of any and all forensic related cases.
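The Acquisition and Preservation components listed above, and the chain of custody this section stresses, reduce to a few concrete mechanics: image the source block by block from behind a write blocker, hash the source as it is read and the copy afterwards, log every hand-off together with the hash of the item at that moment, and re-verify before analysis and again before court. The following Python is an added example, not the lecture's code or any vendor's; the "drive" is a constructed byte string, and the case number, item number and examiner names are hypothetical. It also shows the check that matters most: a working copy that was modified during analysis fails verification while the sealed original still passes, and the log makes visible whether the hash ever changed between handlers.

```python
"""Acquisition, chain of custody and integrity verification of a disk image.

Added example for this lecture, not code from it or from any forensic
product. The 'drive' is a constructed byte string and the case number, item
number and examiner names are hypothetical.
"""
import hashlib
import json
from datetime import datetime, timezone


def acquire(device, block_size=4096):
    """Bit-for-bit copy of the source, hashing as it is read.

    Reading in blocks mirrors how an imager works against a write-blocked
    device. The copy is hashed separately afterwards and compared with the
    hash of what was read, which is the acquisition-time verification.
    MD5 is recorded only because older reports and tools still quote it;
    SHA-256 is the value to rely on.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    image = bytearray()
    for offset in range(0, len(device), block_size):
        block = device[offset:offset + block_size]
        md5.update(block)
        sha256.update(block)
        image.extend(block)
    image = bytes(image)
    if hashlib.sha256(image).hexdigest() != sha256.hexdigest():
        raise RuntimeError("image copy does not match what was read from the source")
    return image, {"size": len(image), "md5": md5.hexdigest(),
                   "sha256": sha256.hexdigest()}


class ChainOfCustody:
    """Append-only record of every hand-off: who, when, what, and the hash of
    the evidence at that moment. The hash column is what lets a court see that
    the item did not change between handlers."""

    def __init__(self, case_id, item_id):
        self.case_id, self.item_id = case_id, item_id
        self.entries = []

    def record(self, handler, action, evidence, note=""):
        entry = {
            "case": self.case_id, "item": self.item_id,
            "time": datetime.now(timezone.utc).isoformat(),
            "handler": handler, "action": action,
            "sha256": hashlib.sha256(evidence).hexdigest(), "note": note,
        }
        self.entries.append(entry)
        return entry

    def handlers(self):
        """Distinct people who touched the item; the section above argues this
        list should be as short as the case allows."""
        return sorted({e["handler"] for e in self.entries})

    def integrity_breaks(self):
        """Indices of entries whose hash differs from the previous entry's.
        An empty list means the item's hash was stable across every hand-off."""
        return [i for i in range(1, len(self.entries))
                if self.entries[i]["sha256"] != self.entries[i - 1]["sha256"]]

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def verify(image, expected_sha256):
    """Re-hash the image and compare with the acquisition hash."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def simulate_case():
    """Walk one item through acquisition, two hand-offs and an analysis session."""
    device = bytes(range(256)) * 40                       # constructed 10 KiB drive
    image, hashes = acquire(device)
    log = ChainOfCustody(case_id="2007-0042", item_id="HDD-01")   # hypothetical ids
    log.record("Examiner A", "acquired image", image,
               "source read through hardware write blocker")
    log.record("Examiner A", "sealed and placed in evidence locker", image)
    log.record("Examiner B", "checked out for analysis", image)
    working = bytearray(image)       # analysis runs on a working copy ...
    working[100] ^= 0xFF             # ... which gets modified here; the original does not
    log.record("Examiner B", "returned original to locker", image)
    return {
        "hashes": hashes,
        "log": log,
        "original_verified": verify(image, hashes["sha256"]),
        "working_copy_verified": verify(bytes(working), hashes["sha256"]),
    }


if __name__ == "__main__":
    result = simulate_case()
    print(result["log"].to_json())
    print("original intact:", result["original_verified"])
    print("working copy intact:", result["working_copy_verified"])
    print("hand-offs with hash change:", result["log"].integrity_breaks())
```

In a real case the log is written to a medium the examiners cannot silently edit (a signed or write-once record), and the hashes are also recorded on the paper evidence form; the point of hashing at every hand-off is that a defense attorney can be shown an unbroken chain of identical values rather than asked to trust the handlers' word.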
Forensic Links
FBI Bulletin, July, 2003, Obtaining Admissible Evidence from Computers
CIO Magazine, IT Autopsy
Ethics In Computing
- http://ethics.csc.ncsu.edu/
Computer Forensics
DOJ Manual on Searching and Seizing Computers
PBS Frontline Movie Cyberwar
EnCase Software