Cybercrime Page: 1
CYBERCRIME – STATUS AND THE IMPORTANCE OF LEGISLATION
Stakeholder Consultation
12 Dec 2011, Port of Spain
Prof. Dr. Marco Gercke

TOPICS FOR TODAY
• Topics for policies and legislation
• Stakeholder consultations have proven to be a very effective measure
• Idea is to collect input for stakeholder consultations

RELEVANCE FOR THE GOVERNMENT
• Government is intensively using ICT
• The ability to prevent crime, as well as to investigate crime that could not be prevented, is therefore in the core interest of any government relying on ICT
• In addition, governments need to protect businesses as well as Internet users

TOPICS FOR TODAY
• ICT legislation is an area of legislation with several interconnections between the different topics
• Cybercrime legislation, for example, generally requires legislation dealing with the admissibility of evidence in court
• Substantive criminal law, procedural law, international cooperation
• Procedural law might include interception of (data) communication
E-EVIDENCE

DIGITAL DATA
• One explanation for the emerging importance of digital evidence is the fact that the number of digital documents is increasing rapidly
• The cost of storing one MB of data has decreased constantly over the last decades
• Today it is cheaper to store information digitally than to keep physical copies
[Chart: 1981: 10 MB; 1990: 676 MB; 1996: 10.000.000 MB; 2000: 70.000.000 MB; 2009: 2.000.000.000 MB]

E-MAIL FORENSICS
• More and more correspondence is done electronically
• The use of Internet services such as e-mail leaves various traces
• Information contained in an e-mail goes way beyond sender, recipient, subject and content
• Header information can help law enforcement to identify the sender of threatening mails
[Picture removed in print version: E-MAIL FORENSICS]

ALTERATION
• As valuable as e-mails can be for an investigation, it is just as important to keep in mind that e-mails are only text documents
• Open to alteration
• Courts in some jurisdictions are therefore restrictive when it comes to the admissibility of electronic mails
[Picture removed in print version: ALTERATION OF A MAIL]
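
The two e-mail slides above, illustrated with an added example that is not part of the original presentation: it reads the `Received` lines of a constructed message and marks which hops are still backed by an unbroken relay chain and which are plain text that anyone could have written into the message. The host names, addresses and the chain-consistency heuristic are assumptions made for this sketch.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: example domains and documentation-range addresses only.
RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTPS id A1; Mon, 12 Dec 2011 09:15:04 -0400
Received: from [192.168.1.23] (dsl-host.example.net [203.0.113.45])
\tby mx.example.net with ESMTPA id B2; Mon, 12 Dec 2011 09:15:01 -0400
Received: from relay.example.com (relay.example.com [192.0.2.99])
\tby gateway.example.com with SMTP id C3; Sun, 11 Dec 2011 23:00:00 -0400
From: "Someone" <someone@example.com>
To: recipient@example.org
Subject: constructed sample

body
"""

HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def received_chain(raw):
    """Return the Received hops, newest first (each relay prepends its own line)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        match = HOP.search(flat)
        if not match:
            continue
        helo, rdns, ip, by = match.groups()
        stamp = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        hops.append({"helo": helo, "rdns": rdns, "ip": ip, "by": by, "time": stamp})
    return hops

def assess(hops, trusted_servers):
    """Flag each hop: ok while the chain is unbroken from a server we trust."""
    result = []
    for i, hop in enumerate(hops):
        if i == 0:
            ok = hop["by"] in trusted_servers
        else:
            # Heuristic (assumption): the writer of this line must be the host
            # that the next-newer relay recorded as its peer.
            ok = result[-1]["ok"] and hop["by"] == hops[i - 1]["rdns"]
        result.append({**hop, "ok": ok})
    return result

def origin_candidate(raw, trusted_servers):
    """Oldest hop still backed by the chain: the address to ask the provider about."""
    ok_hops = [h for h in assess(received_chain(raw), trusted_servers) if h["ok"]]
    return ok_hops[-1]["ip"] if ok_hops else None

if __name__ == "__main__":
    for hop in assess(received_chain(RAW), {"mail.example.org"}):
        print(hop["time"].isoformat(), hop["ip"], "->", hop["by"],
              "consistent" if hop["ok"] else "UNVERIFIED (plain text, may be altered)")
    print("candidate origin:", origin_candidate(RAW, {"mail.example.org"}))
```

Only the line written by the recipient's own server is first-hand evidence; every older line needs corroboration, for example from the relay operator's logs.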

BACKGROUND
• Emerging relevance of digital evidence influences the procedures in court
• It is possible to distinguish between two different processes:
1. Substitution of traditional evidence by digital evidence
2. Introduction of digital evidence as additional evidence
• Influence is not limited to the fact that courts need to deal with digital evidence
• Even the design of courtrooms is influenced

CYBERCRIME

DEFINITION
• No widely accepted definition
• Suggestion: avoid a definition of cybercrime
• Instead, use a typology (CIA, computer-related offences, content-related offences, copyright/trademark offences)
TYPICAL CYBERCRIMES
• Illegal Access
• Data Espionage
• Illegal Interception
• System Interference
• Computer-related Fraud
• Computer-related Forgery
• Identity Theft
• Misuse of Devices
• Copyright-related offences
• Trademark-related offences
• “Terrorist Use of the Internet”
• “Cyberlaundering”
• “Phishing”
• “Warfare involving network technology”
[Picture removed in print version: WEBSITE]

DEVELOPING COUNTRIES
• It is true that developing countries are also facing the crimes that developed countries are facing
• However, the priorities and capacities to prevent and investigate offences are different
• Therefore the legal solutions need to reflect these different priorities
• Developing a legal framework therefore needs to reflect two aspects: international standards and national (regional) demands

CYBERCRIME
[Picture removed in print version: PEN USB KEY]
• Identifying storage devices can be difficult as the technology is developing so fast
• Storage devices are getting smaller and smaller and can be integrated into various tools

CYBERCRIME
[Picture removed in print version: ENCRYPTION]
• Today a lot of devices enable the user to encrypt data
• The use of encryption technology is a key component in protecting information and is suggested by many cybersecurity experts
• However, the use of encryption technology can seriously hinder investigations

CYBERCRIME
[Picture removed in print version: ENCRYPTION]
• Offenders who want to bring illegal material into the country do not necessarily have to carry physical storage devices
• Remote storage is very popular
• Various Internet companies such as Microsoft and Google offer large server capacities for the storage of data (such as e-mail, pictures, video) that can be accessed from any place with an Internet connection

INSTITUTIONAL CAPACITIES
• Developing institutional capacities as well as training concepts is therefore key

NEW OPPORTUNITIES

OPPORTUNITIES
• The availability of computer technology has improved the ability of law enforcement to carry out investigations
• DNA sequence analysis and fingerprint databases are examples of an emerging use of information technology in traditional criminal investigation
[Picture removed in print version: FINGERPRINT DATABASE]

AUTOMATE
• Software tools are available to automate investigations
• Significant reduction of time for an investigation
• One example is the software PERKEO, which detects child pornography pictures on the basis of hash values
[Picture removed in print version: PERKEO]

AUTOMATE
• Automation techniques can also be used to identify copyright violations
• One example is file-sharing monitoring, where software tools can automatically detect copies of copyright-protected artwork made available
• Another example is the automatic scanning of scientific work (like PhD)
[Picture removed in print version: GUTTENPLAG]

OPPORTUNITIES
• Case example 1: Within an investigation of a murder case law enforcement was unable to identify a murder based on search engine history. They were able to use search engine logs on the suspect's computer to identify places he was interested in.
[Picture removed in print version: Informationliberation.com]

OPPORTUNITIES
• Case example 2: Investigators were able to discover that the suspect was searching for specific terms such as “undetectable poisons,” “fatal digoxin levels,” “instant poisons,” “toxic insulin levels,” “how to purchase guns illegally,” “how to find chloroform,” “fatal insulin doses,” “poisoning deaths,” “where to purchase guns illegally,” “gun laws in PA,” “how to purchase guns in PA,”
[Picture removed in print version: PCWORLD]

OPPORTUNITIES
• Google searches including '1,000 ways to die', 'how to kill someone' and 'ten easy ways to kill someone with no trace', 'can you kill someone with a punch?', 'dangerous drugs for the elderly', 'if you hit someone across the back of the head with a brick will they die or just get a bruise?' and 'easiest way to kill an old person', 'delayed symptoms of concussion', 'sugar in petrol tank', 'poisonous salts', 'suffocation symptoms', 'heart attack symptoms' and 'dying in your sleep'.
[Picture removed in print version: Mail Online]

DEVICES PROCESSING DATA
• Devices often store information that is valuable for traditional investigations
• The user does not necessarily have knowledge of such operations
• One example is the iPhone, which stored the geo-location of the user and thereby enabled the reconstruction of movements/travel
[Picture removed in print version: EXAMPLE: AMAZON CLOUD COMPUTING]

OPPORTUNITIES
• New forensic technology can be very useful in computer crime and cybercrime investigation as well
• Software tools that automatically search for keywords in text documents on the suspect's computer or check the hash values of pictures to identify child pornography are examples of highly effective forensic tools
• The Internet can in addition be used to inform the public about the search for suspects
[Picture removed in print version: INTERPOL INVESTIGATION]
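
The hash-value check mentioned on this slide and on the PERKEO slide, shown as an added example (not code from PERKEO or any other tool named in the presentation): a known-file triage that hashes every file under a directory and compares the digests with a reference set. SHA-256, the file names and the sample bytes are assumptions; the slides do not say which hash function is used.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in fixed-size blocks so large evidence files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def triage(root, known_hashes):
    """Return (hits, unreadable): files whose digest is in the reference set,
    and files that could not be read and therefore still need manual review."""
    hits, unreadable = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            digest = sha256_file(path)
        except OSError:
            unreadable.append(path.relative_to(root).as_posix())
            continue
        if digest in known_hashes:
            hits.append((path.relative_to(root).as_posix(), digest))
    return hits, unreadable

def demo():
    """Run the triage over a constructed directory and return the matching names."""
    reference = b"constructed reference file bytes"       # stands in for a known file
    known = {hashlib.sha256(reference).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "holiday.jpg").write_bytes(reference)        # renamed copy: match
        (root / "sub" / "copy.dat").write_bytes(reference)   # moved, new extension: match
        (root / "edited.jpg").write_bytes(reference + b"\x00")  # content differs: no match
        (root / "other.txt").write_bytes(b"unrelated")
        hits, _ = triage(root, known)
    return [name for name, _ in hits]

if __name__ == "__main__":
    print(demo())
```

File name and location play no part in the match, which is what makes the check fast to automate; an exact digest identifies only bit-identical copies, so a miss is not proof that a file is unrelated.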

POSSIBILITIES
• But by using just very basic techniques offenders can delay investigations
• Using more sophisticated technology such as encryption or anonymous communication can increase the challenges and in the worst case even hinder investigation
[Picture removed in print version: EXAMPLE CIRCUMVENTION]

TRACES
• “Nobody knows you are a dog”?
• Internet users leave traces
• Access providers, for example, often keep records for a certain period of time showing to whom a dynamic IP address was assigned
• Data retention obligations even increase the volume of data stored (but go along with questions related to the legality of this investigation instrument)
[Picture removed in print version: INFORMATION STORED]

E-MAIL FORENSICS
• The use of Internet services such as e-mail leaves various traces
• Information contained in an e-mail goes way beyond sender, recipient, subject and content
• Header information can help law enforcement to identify the sender of threatening mails
[Picture removed in print version: E-MAIL FORENSICS]

NEW CHALLENGES

DEPENDENCE
• Threats of Internet-based attacks against critical infrastructure
• Energy, Communication, Transportation, Health, Food supply, Finance, Government services, Essential manufacturing, …
• Even military infrastructure depends on critical technology
[Picture removed in print version: CRITICAL INFRASTRUCTURE]

DEPENDENCE
• Alternative communication systems that could be used in cases of emergency are not able to cover the necessary resources
• Monoculture with regard to major technical components of computer systems, software and network technology
[Picture removed in print version: SASSER COMPUTER WORM]

STUXNET
• Malicious software targeting the Windows operating system
• Discovered in June 2010
• Specifically focussing on Supervisory Control And Data Acquisition (SCADA)
• SCADA is for example used in Siemens S7 systems that are used to control critical infrastructure such as power plants
[Picture removed in print version: Siemens S7-300]
Stuxnet - Legal implications
PAYLOAD
• Research indicates that the software was capable of manipulating the frequency of the centrifuges at Iran’s enrichment plant
• Regular speed is between 807 Hz and 1210 Hz
• The virus might have changed the frequency down to 2 Hz and up to 1410 Hz
• High speed and the “shaking effect” have the potential to physically damage the centrifuges
[Picture removed in print version: APA Website]

PHYSICAL DAMAGE VIA NETWORKS
• Stuxnet underlined again that the impact of network attacks does not need to be limited to hindering data transmissions
• Various possible threat scenarios of attacks against targets that are more difficult to protect than critical infrastructure
• Recovery from hardware failure of hard drives can come with significant costs
[Picture removed in print version: Technology News]
Average cost of logical recovery is $400 to $600, average cost of physical recovery is $1,200 - $2,000 and up to $15,000 for complex systems.
[Picture removed in print version: Hard Drive]

AUTOMATE
• Computers and networks enable offenders to automate attacks
• Within minutes millions of spam mails can be sent out without generating high costs; sending out one million regular letters would be very expensive and take days
• The fact that millions of attempts to illegally enter a computer system are detected every day is not a result of the high number of offenders but of the ability to automate attacks
[Picture removed in print version: WWW.HACKERWATCH.COM]

AUTOMATE
• Another example of the use of automation is SPAM
• Currently between 60% and 90% of all e-mails are SPAM
• Several billion SPAM e-mails are sent every single day
• Can only work on the basis of automation
[Picture removed in print version: NORTON CYBERCRIME INDEX]

AUTOMATE
• Automation enables offenders to generate high profit by committing various offences with rather small amounts each
• Background: Victims that have just lost rather small amounts tend not to report the crime
[Picture removed in print version: Reporting]

UNCERTAINTY REGARDING EXTENT
• Lack of reporting leads to uncertainty with regard to the extent of crime
• This is especially relevant with regard to the involvement of organized crime
• Available information from the crime statistics therefore does not necessarily reflect the real extent of crime
[Picture removed in print version: HEISE NEWS 27.10.2007]

RESOURCES
• Current analyses indicate that up to a quarter of all private computers connected to the Internet could be used by criminals as they belong to “botnets”
Source: BBC report “Criminals 'may overwhelm the web'”
• Although the estimate is not based on a scientifically reliable basis, the growing size of detected botnets highlights the challenge
• The debate about a legal response has just started
[Picture removed in print version: WWW.SHADOWSERVER.ORG]

RESOURCES
• Critical mass is already reached
• Attacks in the context of the Wikileaks discussion highlight that a relatively small number of people can affect large businesses
• This underlines the threat level

CONSIDERATION
• With regard to Internet-related attacks the most powerful resources are not necessarily under the control of the state, military and law enforcement
• The debate about continuing attacks against government computer systems and the inability of states to control secret information published online underlines this

BOTNET
• Short term for Robot-Network
• Botnets are very powerful instruments
• Main use: SPAM, DoS
• Computers are in most cases infected by malicious software
• Software is taking over part of the control
[Picture removed in print version: BACKGROUND: BOTNET]

CHEN CASE
• The Edison Chen case shows that the identification of the offender does not necessarily enable law enforcement to remove illegal content and thereby bring the offence to an end

WIKILEAKS
• Another example highlighting the limited ability of governments to control information is the platform WIKILEAKS
• Controversial discussion about the advantages and disadvantages of such platforms
• Attempts by major governments to remove the website from the web in 2010 failed
[Picture removed in print version: WIKILEAKS]

AVAILABILITY OF INFORMATION
• Industry can play a role in limiting the negative impact of the availability of information about high level targets
• Example is the restriction of resolution in satellite pictures
• Such measures can only have an impact if they are coordinated
[Picture removed in print version: GOOGLE EARTH]
[Picture removed in print version: MAP 24]

DECENTRALIZED SERVICES
• Cloud computing enables the use of complex applications on rather simple devices
• Example: speech recognition services
[Picture removed in print version: IPHONE CLOUD]

DECENTRALIZED SERVICES
• Examples: Google Maps, navigation solutions
[Picture removed in print version: GOOGLE MAPS]

RISKS
• Local storage: Illegal Access
• Hindering Transfer, Interception of communication
• Cloud Services: Illegal Access, Insider Attacks, “Legal” Access, System Interference

NEW DEVELOPMENTS

BLACKMAILING
• Information made available online can influence consumer decisions
• Offenders are using search engine manipulation to make false information about companies easily accessible
• Blackmailing the companies
[Picture removed in print version: Example]

“NEW” APPROACHES

FOLLOW THE MONEY
• One approach that is more and more intensively followed is tracing money flows
• Limited to offences involving transactions
• Leads to a more intensive involvement of financial institutions in investigations
[Picture removed in print version: Financial Coalition]

DEFINITION
• This goes beyond computer-related fraud and other typical economic crimes
• Example: SPAM, child pornography, copyright violations
• Even indirect approaches are taken into consideration

TERRORIST FINANCING

TERRORIST FINANCING
• Most terrorist networks depend to a large degree on donations
• The Internet supports global fundraising
• Information about accounts that can be used for donations is published throughout the Internet
• Specialised software tools and SPAM databases are used to identify potential supporters that should be contacted individually
• Virtual currencies (e-gold) and online payment services (PayPal) can be used to hide the identity of the donors
[Picture removed in print version: WEB SHOP]

TERRORIST / STATE INVOLVEMENT
Cybercrime Research Institute Prof. Dr. Marco Gercke
Niehler Str. 35
D-50733 Cologne, Germany
www.cybercrime-institute.com