Lecture122011

advertisement
Internet Vulnerabilities &
Criminal Activity
Investigation & Prosecution
12.2
December 5, 2011
Profiling
“Differentiate behavior
patterns in order to narrow
the range of suspects in a
given crime.”
Three Basic Components
of a Crime
• Motive - What made the offender
act
• Opportunity - Why did the offender
chose a particular victim
• Means - What are the details of
how the crime was committed
Profiling Aim
• Identify personal & behavioral
characteristics of unknown
perpetrator
• Examine actions taken before,
during, and after crime
• Isolate identifiable behaviors of
actions of how a physical or
psychological need is fulfilled
Two Types of Profiling
• Inductive
– Current perpetrator share
characteristics with those who have
previously committed same type of
crime
• Deductive
– Explicit conclusions drawn from actual
evidence
Five Stages of Cyber
Criminal Profiling
• Evidence gathering
– Collection of forensic evidence
• Behavioral analysis
– Derive a meaningful set of characteristic
behaviors from facts of the crime
• Victimology
– Victim profile tell a lot about type of
perpetrator
– Well-known signatures associated with
different types of crimes
Five Stages of Cyber
Criminal Profiling cont.
• Crime pattern analysis
– “what and how”
– Working hypothesis about the
execution of the crime
• Profile development
– Deductive reasoning from facts of
crime
– Generalized inductive typologies
Twelve Cyber Criminal
Profiles
• Kiddies
•
•
•
•
•
Technologically inept
Intent to trespass
Motivation - ego
Maybe any age, but are outsiders
New to crime
• Cyberpunk hackers
•
•
•
•
•
•
Counterculture member
Ego-driven, motivated by exposure
Crimes: trespass, invasion
Theft & sabotage against legitimate targets
Responsible for viruses & DOS attacks
Young, technologically proficient, outsider
Twelve Cyber Criminal
Profiles cont.
• Old-time hackers
•
•
•
•
Most technologically proficient
Improve art by trespassing
Web site defacement
Middle aged or older, long history
• Code warriors
•
•
•
•
•
Driven by monetary gain
Theft or sabotage
Crime built around code exploits
Technologically superior, long hacking history
30 - 50 age range, degree in technology,
unemployed
• Socially inept, show signs of social deviance
Twelve Cyber Criminal
Profiles cont.
• Cyberthieves
•
•
•
•
•
•
Motivated by monetary gain
Surreptitious network attacks, sniffing, spoofing
Use simple tools rather than targeted code
Social engineers, running classic con games
Younger than code warriors
Organizational insiders, maybe outsiders
• Cyberhucksters
•
•
•
•
Spammers, malware purveyors
Motivation monetary gain
Social engineers, older business types
Known to local law enforcement
Twelve Cyber Criminal
Profiles cont.
• Unhappy Insiders
•
•
•
•
•
•
Most dangerous profile
Motivated by revenge, monetary gain
Uses extortion, exposure of secrets, theft, sabotage
Logic bombs, malicious acts
Any age or employment level
Unhappy with organization
• Ex-Insiders
• Motivation extortion, revenge, sabotage,
disinformation
• Make use of insider information to harm company
from the outside
• Any age or employment level
Twelve Cyber Criminal
Profiles cont.
• Cyberstalker
• Motivation - ego & deviance
• Invasion of privacy to learn something to satisfy
personal need
• Use key loggers & sniffers
• Invasion driven by psychological needs
• Identification of need like a fingerprint
• Con Man
•
•
•
•
Motivation - monetary gain
Theft, illicit commercialization
Con games, phishing, Nigerian 419’s
Attacks untargeted & anonymous
Twelve Cyber Criminal
Profiles cont.
• Mafia soldier
•
•
•
•
•
Organized crime member
Purposeful, highly organized
Motivation - monetary gain
Theft, extortion, blackmail
Always work in highly organized group
• Warfighter
•
•
•
•
•
Not a criminal when on your side
Motivated by Infowar
Help friends, harm enemy
Technologically superior, dangerous
Any age, highly organized, best & brightest
Search & Seizure
Legal procedure whereby police or other
authorities and their agents, who suspect that
a crime has been committed, do a search of a
person's property and confiscate any relevant
evidence to the crime.
The Fourth Amendment
The right of the people to be secure in their
persons, houses, papers, and effects, against
unreasonable searches and seizures, shall
not be violated, and no Warrants shall issue,
but upon probable cause, supported by Oath
or affirmation, and particularly describing the
place to be searched, and the persons or
things to be seized
Parts of the Fourth
Amendment
• Three protections/limitations
– Substantial justification to search
– Search cannot extend beyond justification
– No blanket warrants
• First clause - “reasonableness clause”
– Unreasonable searches and seizures are
forbidden
• Second clause - “warrant clause”
– Limits on search & arrest warrants
• Probable cause
• Define location of search
• Define who or what is to be seized
Reasonable Expectation of
Privacy
• No violation to the Fourth Amendment if:
– Government’s conduct does not violate a person’s
“reasonable expectation of privacy”
– Established exception to the warrant requirement
Warrant Exceptions
Search that violates reasonable privacy may be
conducted if they fall within established
exceptions
1.
2.
3.
4.
5.
6.
7.
Consent
Exigent circumstances
Plain view
Incident to a lawful arrest
Inventory searches
Border searches
Workplace searches
No Reasonable
Expectation of Privacy
• Items that appear on the screen/obtained
through shoulder surfing
• Contents has been made openly available
– P2P
– E-mail
• Stolen computer
• Control of computer relinquished to a 3rd
party
• Electronic storage - statutory coverage
Probable Cause
• Must reasonably establish:
1. A crime has been committed
2. Evidence of the crime exists
3. Evidence presently exists in place to be searched
• Location to be searched must be described
• Evidence of specific crime must be named
Evidence Issues & Internet
Crime
• Right to search a computer
• Proving venue
• Criminal intent
Rules of Evidence
• Purpose
– To secure a defendant’s constitutional
right to a fair trial
• Evolved from decisional law
• Decisions codified
• Federal Rules of Evidence
– Most influential codification
– Criminal & civil
Search Warrant Problems
• Computers - file cabinet /
repository
– Innocent, personal materials
– Evidence of crime
– Must protect privacy while seeking
evidence
– Must describe that which is sought
– Scope should not be overly broad
Exceeding Scope
• Can only search for evidence of
crime described in warrant
• If evidence of another crime is
discovered, another warrant is
needed
– Child pornography found during a
search for credit card fraud crime
Plain View
• Lawful position to view object
• Objects incriminating character is
immediately apparent
• Lawful right to access the object
Third Person Consent
• Agree to a search without a
warrant
• Two criteria for third party consent
to be effective
– Third party must have authority to
consent
– Third party’s consent must be
voluntary
Evidence Establishing
Venue
• Crime must be committed in venue of the
court
• How to determine where a network crime was
committed
• Venue may be where agent connected to
Internet & viewed defendant’s behavior
• Multidistrict offenses “may be ... prosecuted in
any district in which such offense was begun,
continued, or completed.”
• http://www.cybercrime.gov/ccmanual/ccmanu
al.pdf
Proving Criminal Intent
• Must prove defendant had criminal
intent - mens rea
• Four categories of mens rea
– Intentionally
– Knowingly
– Recklessness / willful blindness
– Criminal negligence
Federal Statutes
Assist law enforcement in
obtaining & seizing evidence of a
digital crime
Federal Statutes
• Do not necessarily deal just with digital
crime
– Pen/Trap Statute 18 U.S.C. §3121-27
– Wiretap Statute (Title III) 18 U.S.C.
§2510-22
– Electronic Communications Privacy Act
(ECPA) 18 U.S.C. §2701-11
– USA Patriot Act
Pen/Trap Statute 18
U.S.C. §3121-27
• Regulates collection of address
information from wire communications
• Pen Register
– Records outgoing phone numbers
• Trap & Trace
– Records incoming phone numbers
• Includes computer network
communications (IP numbers)
Pen/Trap Statute 18
U.S.C. §3121-27
• To obtain a court order
– Identify self
– Identify agency conducting the investigation
– Certify belief information to be obtained is relevant
to investigation
• Authorization for 60 days
• May request extension for additional 60 day
period
Wiretap Statute (Title III)
18 U.S.C. §2510-22
• Regulates collection of communication
content
• Real-time electronic communications
• Third party cannot intercept private
communications unless statutory
exception applies
Wiretap Statute (Title III)
18 U.S.C. §2510-22
• Interception pursuant to a Title II
court order
– May intercept communication with a court
order
– Interception for up to 30 days
– More stringent requirement than for search
warrant
Wiretap Statute (Title III)
18 U.S.C. §2510-22
• The consent exception
– Law enforcement obtains prior consent
from one party
– Some states require both parties’ consent
Wiretap Statute (Title III)
18 U.S.C. §2510-22
• The provider exception
– Employees/agents of communication
provider may intercept communication to
protect providers’ rights/property
– Network administrator can monitor
hacker’s activity
– Privilege to provider alone
Wiretap Statute (Title III)
18 U.S.C. §2510-22
• Computer trespasser exception
– Victim of attack may authorize law
enforcement to intercept communications
of trespasser
– Interceptor must be investigated trespass
– Must believe the intercepted
communication will aid investigation
– Applies only to trespasser’s
communications
Wiretap Statute (Title III)
18 U.S.C. §2510-22
• The extension telephone exception
– Monitoring of call from an extension phone
– Originally, monitoring employee-customer
call
– Includes calls to and from police stations
Wiretap Statute (Title III)
18 U.S.C. §2510-22
• The inadvertently obtained criminal
evidence exception
– Provider unintentionally overhears
something related to a crime
– Information can be released to law
enforcement
Wiretap Statute (Title III)
18 U.S.C. §2510-22
• The accessible to the public
exception
– Interception of unscrambled/encrypted
information broadcast over public
frequency
– Public computer forums/chat rooms
– Not a violation of wiretap statute
Electronic Communications
Privacy Act
• Regulates how government can
obtained stored electronic
communications from a service provider
• Creates statutory privacy rights for
customers for stored communications
• Affirms higher level of protection for
communications in transit
Electronic Communications
Privacy Act
• Protects wire, oral, and electronic
communications while in transit
• Sets down requirements for search warrants
• Protects communication held in electronic
storage
• Prohibits the use of pen register and/or trap
and trace in the process of transmitting wire or
electronic communications without a search
warrant
Electronic Communications
Privacy Act
• Three categories of information - each
requires greater showing of cause
• Basic subscriber information
–
–
–
–
–
Name
Address
Local & long distance phone billing records
Telephone/other ID numbers
Length & type of service
Electronic Communications
Privacy Act
• Records or logs pertaining to subscriber
–
–
–
–
–
Contents of relative log files
All basic subscriber info
Cell site data for call made
Destination of outgoing e-mails
Any other non-content records
• Contents of communications
Electronic Communications
Privacy Act
• Five instruments may be required to obtain
information
• Subpoena
• Basic subscriber information
• Subpoena with notice
• Opened e-mail stored over 180 days
• Court order
• Log files
• All other relevant records of communications, but not the
contents
Electronic Communications
Privacy Act
• Court Order with notice
• All unopened e-mail or voicemail stored for 180 days or
less
• Search Warrant
• All information in an account
• No required notice to customer
• Nonpublic providers not bound by ECPA
US Patriot Act
• Seize of voicemail messages over 180 days
old with order
• Seize voicemail messages less than 180
days old with search warrant
• Expands basic subscriber information
• Emergency disclosure of providers to protect
life & limb or regarding terrorism
• Delay of required notice of search warrant if
notice may have adverse results
• Makes warrants & pen/trace orders national
Download