January 17th, 2007 by dm, filed under Forensics, Law & Policy

The Department of Justice has released a 137-page "Investigations Involving the Internet and Computer Networks" manual aimed at local law enforcement units that are unsophisticated in fighting cybercrime. The DoJ's concern seems to be that local law enforcement agencies which lack the resources to train or employ forensic analysts may either miss cybercrimes entirely or prosecute wrongfully.

This manual comes after several local law enforcement agencies bungled some high-tech investigations. The Pennsylvania Supreme Court rejected prosecutors' attempts to seize newspaper reporters' hard drives, and the 8th Circuit Court of Appeals ruled that police illegally seized a computer in a methamphetamine investigation. A federal judge permitted an Internet service provider to sue police after it was raided because of Usenet posts its employees knew nothing about. Also, in a dawn raid, Arizona police stormed into the house of a 16-year-old boy named Matthew Bandy and accused him of downloading child pornography, an offense carrying a maximum penalty of 90 years in prison, only to find out later that his computer was thoroughly infected by malware.

The manual is not only aimed at local law enforcement agencies. It should also prove useful to small organizations, schools, or small IT departments that do not have the resources to hire a forensic analyst but want a very basic idea of what may be happening. Having said that, it is very important to understand that if you suspect you are a victim of cybercrime, you must 1) report the crime to the appropriate law enforcement agency; and 2) not touch the original media, not boot the computer, and not do anything else that may affect the storage media containing the possible evidence. Failure to do so may leave law enforcement unable to prosecute if the evidence it finds, though useful, has been tampered with.

January 10th, 2007 by dm, filed under Forensics

Information security and privacy professionals use a variety of tools in their day-to-day work to help identify vulnerabilities, analyze a computer forensically, scan a machine locally or remotely, etc. We will try to start a collection of the most useful information security and privacy tools with links and short descriptions. If your favorite tool is not listed here, please let us know by posting a comment on this page or emailing us.

Active Ports [free] [Windows]. A tool allowing you to monitor all open TCP/IP and UDP ports on the local machine. It also displays the remote IP address for each connection and allows you to terminate it. Useful for detecting malware.

Nessus [free] [cross-platform]. Perform system vulnerability scans using this free tool. You have to obtain a free registration to get the latest plugins (with a week's delay; pay to register and get them in real time). Very useful for evaluating potential vulnerabilities on machines, whether servers or workstations. Make sure to have permission or authority before you run scans, because the scans may be very intrusive and trigger IDSes.

SenfTrac [free] [cross-platform]. Sensitive Number Finder: scans local or network drives for files containing sensitive numbers. Run this against your computer or network to easily determine whether you store SSNs, etc., in plain text readable by anyone. Although this tool is not 100% accurate, it is a good starting point.
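To show what a sensitive-number scan of this kind actually does, here is a small added example (not SenfTrac's own code): it walks a directory tree, flags SSN-shaped numbers with a regular expression, and flags card-shaped digit runs only when they pass the Luhn checksum, which removes most random digit runs such as ticket or order numbers. The patterns, the inline sample text and the function names are assumptions made for this example.

```python
import os
import re
from typing import List, Tuple

# Assumed patterns for this example, not SenfTrac's actual rules.
# SSN: 3-2-4 digits with optional separators; area 000/666/9xx, group 00
# and serial 0000 are never issued, so they are excluded up front.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")
# Card: 13 to 16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) pairs for every sensitive number found."""
    hits: List[Tuple[str, str]] = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(("card", m.group()))
    return hits


def scan_tree(root: str) -> List[Tuple[str, str, str]]:
    """Walk `root` and return (path, kind, matched_text) for each hit.

    Files are read as UTF-8 with undecodable bytes dropped, so binary files
    are tolerated; unreadable files are skipped rather than aborting the scan.
    """
    findings: List[Tuple[str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    for kind, text in scan_text(fh.read()):
                        findings.append((path, kind, text))
            except OSError:
                continue
    return findings


# Constructed sample text: one SSN, one Luhn-valid test card number, and a
# 13-digit ticket number that fails Luhn and must not be reported.
SAMPLE = ("Employee 4412: SSN 123-45-6789, corp card 4111 1111 1111 1111, "
          "ticket 1234567890123 (not a card)")

if __name__ == "__main__":
    for kind, text in scan_text(SAMPLE):
        print(kind, text)
```

Run `scan_tree("/path/to/share")` against a file server to get a first inventory of where plain-text SSNs and card numbers live; as with SenfTrac, expect false positives and review hits by hand before acting on them.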

Steganography [free][cross-platform]. A variety of tools for using steganography to embed secret images in other files.

TrueCrypt [free/open source] [cross-platform]. On-the-fly encryption of drives. Extremely useful for protecting any sensitive content. Allows strong encryption with almost no degradation of performance.

November 15th, 2006 by dm, filed under Forensics

It is not fiction – you can securely delete information. However, there are many caveats.

First of all, if you know or have reason to know that the information in question is or will be involved in litigation, securely deleting (or just deleting) any information that may be needed will hurt your position badly. This point cannot be stressed enough.

Second, unless you use tools that overwrite the deleted information multiple times (30, for instance), there is always a pretty good chance that a skilled forensics expert could recover at least some of what you have erased. Anecdotal evidence shows that some government agencies can restore information overwritten many times by using sophisticated magnetic analysis of a particular disk sector. This is probably difficult and expensive to do, but it may be possible.

Third, mind the information that you did not intentionally create. Memory swap files, printer spool files, and Windows hibernation files all contain information that, on its face, resides in memory but is stored (often unencrypted) on disk. For instance, if you typed a secret document on your computer, printed it, and then discarded the document without saving it, chances are that a copy of the document (the printer spool file) is sitting somewhere on your hard drive waiting to be recovered and read. Also, if you use an encryption program and you 'Hibernate' your computer, chances are that your encryption password is stored in plain text in the hibernation file.

Finally, see #1 again.
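The multi-pass overwrite described in the second caveat is easy to illustrate; the following is an added example, not a tool the post recommends. It overwrites a file's own blocks with random data a configurable number of times, flushes each pass to disk, then renames and unlinks the file so the original name is not left in the directory. It does nothing about the third caveat: swap, spool and hibernation copies live elsewhere and are untouched. The function names and the `demo` helper are assumptions of this example.

```python
import os
import tempfile

CHUNK = 1 << 16  # overwrite in 64 KiB chunks


def shred_file(path: str, passes: int = 3) -> int:
    """Overwrite `path` in place `passes` times with random bytes, then unlink it.

    Returns the total number of bytes written. This only rewrites the blocks
    currently allocated to this file; copies in swap, spool or hibernation
    files, backups, or filesystem journals are not affected (assumption
    stated in the text above, not handled here).
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(remaining, CHUNK))
                fh.write(chunk)
                written += len(chunk)
                remaining -= len(chunk)
            fh.flush()
            os.fsync(fh.fileno())  # make sure each pass reaches the disk
    # Rename to a random name before unlinking so the original file name
    # does not survive in the directory entry.
    directory = os.path.dirname(path) or "."
    scratch = os.path.join(directory, "." + os.urandom(8).hex())
    os.replace(path, scratch)
    os.remove(scratch)
    return written


def demo(size: int = 4096, passes: int = 3) -> dict:
    """Create a constructed sample file, shred it, and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "secret.txt")
        with open(target, "wb") as fh:
            fh.write(b"S" * size)          # constructed sensitive content
        written = shred_file(target, passes)
        return {"written": written, "exists": os.path.exists(target),
                "leftovers": os.listdir(tmp)}


if __name__ == "__main__":
    print(demo())
```

On a journaling or copy-on-write filesystem, or on flash storage that remaps blocks, an in-place overwrite like this may still leave old copies of the data on the medium, which is one more reason to treat whole-disk encryption as the primary control and overwriting as a supplement.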

A more detailed report can be found here.

November 13th, 2006 by dm, filed under Forensics, Identity Theft

Not from the Bible of Information Security, but very useful nonetheless. Comments in italics added by yours truly.

  1. Patch early and often
    (or are you running fossil OS?)
  2. Enforce (sane) password policies
    (or have your employees tattoo their 64-character password on their forearms)
  3. Mind your VPN
    (or your home PC’s critters will teleVPN themselves onto your corporate network)
  4. Watch your wireless
    (when you go wireless, go VPN. See also point #3.)
  5. Never make promises you can’t keep
    (this doesn’t apply only to information security, does it?)
  6. Hack yourself
    (but even if you do, patch yourself quickly afterwards)
  7. Sequester sensitive data
    (and employees who have access to it)
  8. Encrypt it
    (if in doubt whether you should encrypt it - do, or do not store it at all)
  9. Collect only what you need (and delete what you don’t)
    (but when you delete, delete securely)
  10. Phear the phishers
    (if your emails or other communications do not look legitimate, then your customers and employees wouldn’t know when they receive a non-legitimate email)

Original ideas by Business 2.0.

I am attending what has turned out to be a wonderful conference so far, "Emerging Trends in Information Security and the Law: Plausible Deniability is Dead", organized by Georgetown CLE. The opening by Paul Kurtz of the Cyber Security Alliance was interesting and set the table for the conference: what information security legal frameworks are out there and what should companies do to protect themselves.

Thomas Smedinghoff of Wildman Harrold gave a great overview of the new developments and trends in the law of information security. It was interesting to see how the playing field is shifting from approaching information security and security breaches reactively to adopting security measures and proactively seeking to protect an organization from liability in case of a breach. Also, the balance between the increased push by law enforcement for more data retention (for counter-terrorism, preventing online child abuse, etc.) on one hand and the security issues on the other is becoming very tricky. Many organizations find themselves under an affirmative duty to protect a piece of sensitive information they have, while at the same time being required to preserve more of it.

Evidentiary Issues

An interesting case related to affirmative duties to properly protect information (especially in a litigation context) is American Express v. Vinhnee, 9th Cir. (2005). In this case, American Express sought to prevent the cancellation of Vinhnee's debts in a bankruptcy proceeding. During a hearing before the Bankruptcy Court, American Express brought an expert witness who introduced American Express computer records, collected in the regular course of business, about Vinhnee's financial affairs. Vinhnee did not attend the proceeding, and the court, after hearing AmEx's witness, declined to admit the records under the business records exception to the hearsay rule because AmEx's lawyers could not prove that the information was properly secured.

Although this is one of the rare cases where a party goes to court unopposed and still manages to lose, the holding is important in another way: it shows that you need to show not only that business records were collected and kept in the regular course of business, but also that they were properly secured. Granted, a corporation such as AmEx would most likely (we all hope) have proper security mechanisms, and as long as its lawyers are on notice that they need to present evidence of them to the court, things should be OK. However, litigants who know that their records are not properly secured may need to do more if they want to prevail in court.

October 2nd, 2006 by dm, filed under Forensics, Law & Policy

Before you wipe clean your hard drive, and especially if you are in Texas, read this! A file-sharing defendant in Texas decided to "wipe" the computer hard drive containing allegedly incriminating evidence in a pending case. The U.S. District Court for the Western District of Texas held in Arista Records LLC v. Tschirhart, SA-05-CA-372 (8/21/06), that the defendant is subject to default judgment by "destroying the best evidence relating to the central issue in the case" and "inflict[ing] the ultimate prejudice upon plaintiffs."

During a forensic analysis it was discovered that the defendant, Delina Tschirhart, erased data on at least two occasions: once in December 2006, after the recording industry had served a complaint, and again on January 26, 2007, the day after the court issued an order for the hard drive to be imaged (presumably to create a "snapshot" to be examined forensically). During the analysis some residual data was still discernible, such as the presence of iMesh, a file-sharing program, and the presence of the same username that investigators had linked to illegal file-sharing on the iMesh network.

Under the Federal Rules of Civil Procedure, a court may impose the most severe sanctions available under Rule 37(b), striking pleadings or dismissing a case, upon a finding of bad faith or willful conduct. The court found that Tschirhart's conduct was both willful and in bad faith and "substantially prejudiced" the plaintiff, the recording industry, in its case.

In this case, defendant’s conduct shows such blatant contempt for this Court and a fundamental disregard for the judicial process that her behavior can only be adequately sanctioned with a default judgment. No lesser sanction will adequately punish this behavior and adequately deter its repetition in other cases.

The bottom line of the story is - do not wipe your hard drive right after you are served as defendant where you know that what is on your hard drive will be material to the case, and again, after the court has ordered you to produce the hardware for forensic inspection. This would not sit well with the court. And by all means - if you wipe your drive, wipe it well and don’t leave traces behind.

The court order can be read here.

August 15th, 2006 by dm, filed under Forensics

An interesting article on CNET describes U.K. police’s attempts to seize encryption keys used by suspects to encrypt data which may help the police solve the crimes. According to a "senior police officer,"

Because British law enforcement officers don’t have the authority to seize encryption keys, an increasing number of criminals are able to evade justice.
...
There are more than 200 PCs sitting in property cupboards which contain encrypted data, for which we have considerable evidence that they contain data that relates to a serious crime. Not one of those suspects has claimed that the files are business-related, and in many cases, the names of the files indicate that they are important to our investigations.

A controversy was stirred earlier this summer when the British government announced that it planned to activate Part 3 of the Regulation of Investigatory Powers (RIP) Act, which allows the police, in some circumstances, to demand an encryption key from a suspect. Under Part 3 of the RIP Act, if the police suspected someone had encrypted incriminating data, officers could issue an order under Section 49 of the Act requiring the suspect to hand over the key. Failure to do so could lead to a prosecution under Section 53 of the Act.

Critics of the Act point out that the law is dangerous, badly written, and cannot be properly implemented. For example, under the Act, defendants could be prosecuted simply for losing an encryption key. Furthermore, critics point out that the code of practice lacks clear safeguards against use of the RIP Act to obtain private data. Without clear procedures, businesses may take their encryption keys out of U.K. jurisdiction so that their secret business information is not in jeopardy of being revealed by an overzealous prosecutor or one with an improper agenda.

On the other hand, the British Home Office has defended law enforcement’s position that the time is right to activate Part 3 of the Act because law enforcement are finding that an increasing number of their investigations are thwarted by encryption. It is easy for police officers to point to cases where child abuse victims remain unidentified because a suspect has encrypted information.

The Draft Code of Practice for the Investigation of Protected Electronic Information - Part III of the Regulation of Investigatory Powers Act 2000 is open to review and comment until August 31, 2006.

It is interesting to consider how a similar proposal would fare under U.S. law. The Fifth Amendment of the U.S. Constitution may in fact prevent seizing encryption keys if 'actions which would render testimony against oneself' are considered covered by the protections of the Fifth Amendment. It can be argued that there is no difference between demanding that someone surrender their encryption key and their 'giving testimony or surrendering evidence against themselves.' Many would point to the example of the safe combination and ask whether law enforcement can force someone to divulge the combination to a safe where incriminating evidence would be found. Although the Framers did not specifically envision complicated encryption keys being used to protect incriminating evidence, they certainly sought to protect one from having to hand law enforcement, on a silver platter, information which would then be used to obtain a conviction.

August 11th, 2006 by dm, filed under Forensics, Law & Policy

On August 3, the U.S. Senate ratified the Council of Europe Convention on Cybercrime, a treaty aimed at facilitating international cooperation in the prevention, investigation, and prosecution of crimes involving electronic evidence. The U.S. is the 16th country to ratify the convention which has been in force since July 1, 2004, among the 15 nations that have ratified it so far (Albania, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Denmark, Estonia, France, Hungary, Lithuania, Macedonia, Norway, Romania, Slovenia and Ukraine.)

International Sharing of Electronic Evidence

The treaty is not just about cybercrime - it provides for international sharing of electronic evidence of all crimes … whether they involve computers or not. Thus, the treaty may come into play in a robbery case as long as there is evidence stored in an electronic form in a country which is a signatory to the treaty. Essentially, the treaty provides a tool for foreign governments to request interception of electronic communications and the sharing of electronic data in the United States and allows the U.S. to request the same from other countries which are parties to the treaty.

According to Jeffrey Price, of counsel at the Washington, DC office of Steptoe & Johnson, who has worked on the treaty since its inception in 2001, the treaty will not require changes in U.S. law, but it may not permit changes in U.S. law either, because substantive provisions of the law of cybercrime will now be internationalized. Thus, the treaty becomes a major piece of legislation in the area of cybercrime and electronic evidence sharing between law enforcement agencies in different countries. One of the first things that U.S. ISPs and other network operators may anticipate is an increased volume of requests for intercepts and data from foreign law enforcement agencies, because the main sources of electronic information are in the U.S.

Dual Criminality Lacking?

Some critics claim that the treaty lacks a "dual criminality" requirement, so that Americans may be investigated in the United States for things that are not crimes in the U.S. Professor Orin Kerr, formerly with the Department of Justice's Computer Crimes Division and now a prominent scholar on cybercrime, has suggested that "dual criminality" is a traditional requirement of extradition, but not of international evidence collection. He suggests that the U.S. approach has been "to help a foreign country investigate foreign offenses even if the same conduct is not a crime in the U.S. as long as cooperation does not raise any constitutional difficulties." According to Prof. Kerr, the cybercrime treaty maintains this traditional approach.

July 24th, 2006 by dm, filed under Forensics, Scams

A new emerging cyber-threat has been reported by antivirus and computer security vendors: installation of 'ransomware' on victims' computers or servers, which encrypts information on the affected machines, followed by a demand for payment by the attackers to release the information. The folks at Kaspersky Labs claim that they have seen an increase in ransomware, but they deny that the problem has reached 'epidemic' levels. Among the main concerns is the increased encryption strength noted over the past months: previously attackers used relatively weak encryption (56-bit), but recent ransomware has started using a 660-bit encryption key, making any information recovery practically impossible.

A recent ransomware incident in Great Britain indicated the growing trend of ransomware attacks and the inability of law enforcement to deal properly with such incidents. Earlier this year, a Manchester woman unintentionally downloaded a trojan program which encrypted her files with a 30-character password and placed a note suggesting that she should not go to the police but instead buy pharmaceutical products in order to get the password and restore her files.

When she decided to report the incident to the police, her claim was met with a shrug and an inadequate explanation by law enforcement:

We aren't investigating the incident as it's an Internet crime, and not within the GMP area — technically it's international. Trying to find who did this would be a monumental task. [statement by Greater Manchester Police spokeswoman]

Although the difficulties in tracking and prosecuting this case are enormous, it is very wrong for law enforcement to send the message that tracking the criminals is difficult or impossible. In groundbreaking and novel cases such as this one, law enforcement should put extra time and effort in making sure the trend stops, and not unintentionally encourage it.

Recent reports of the Bush Administration's subpoenas against major search engines are not without a strategy. The BBC reports on increased efforts by Attorney General Gonzales to push for measures that would allow law enforcement to combat what the AG has called an "epidemic" of child pornography.

Gonzales has proposed changes in the law under the Child Pornography and Obscenity Prevention Amendments of 2006 (COPA's earlier version was declared unconstitutional by the Supreme Court), which would require ISPs to report child pornography and bolster penalties for those parties who fail to do so. In addition, Gonzales also wants to find ways to require ISPs to retain records (logs) of users' activities for a longer period of time, so that law enforcement has a longer trail when tracking an alleged offender.

The European Union's Directive on Data Retention mandates that ISPs in Europe preserve call and Internet records for a period of 6 to 24 months (as specified by each EU country's government). It seems that AG Gonzales seeks to impose similar obligations on US ISPs which, under current law, are not required to maintain any records of ordinary activity (unless, of course, they are served with a timely subpoena). The Attorney General's statement on these new proposed requirements included:

The investigation and prosecution of child predators depends critically on the availability of evidence that is often in the hands of internet service providers.

Unfortunately, the failure of some internet service providers to keep records has hampered our ability to conduct investigations in this area.

The debate in the US over ISP data retention requirements has already started, and Gonzales' statements will definitely help fuel the conversation. At stake are vital interests: subscriber privacy on one side, and law enforcement's ability to prevent some of the most heinous crimes and catch their perpetrators on the other.
