Cybercrime
HIPCAR CAPACITY BUILDING WORKSHOP ON CYBERCRIME
Port of Spain, Trinidad and Tobago
5-7 March 2012
Prof. Dr. Marco Gercke
Page: 1
STRUCTURE
• Introduction
• New Opportunities
• Challenges of Investigating Cybercrime
• Challenges for Courts
• Challenges related to drafting Cybercrime Legislation
Page: 2
1. INTRODUCTION
Page: 3
COUNTERING CYBERCRIME
• Increasing the ability to prevent as well as investigate Cybercrime has become a major concern not only for most states but also for international organisations
• Addressing Cybercrime is challenging for both lawmakers and investigators
• Investigating Cybercrime involves challenges that are, to a certain extent, different from those encountered in traditional investigations
Page: 4
CHALLENGES
• Knowing about the challenges is required both for drafting legislation and for investigating Cybercrime
• With regard to legislation, the knowledge is required to ensure that the legislation adequately covers the challenges and gives investigators effective instruments
• With regard to investigations, the knowledge is required to be able to identify offenders and collect evidence
Page: 5
2. OPPORTUNITIES
Page: 6
OPPORTUNITIES
• The availability of computer technology has improved the ability of law enforcement to carry out investigations
• DNA sequence analysis and fingerprint databases are examples of the emerging use of information technology in traditional criminal investigation
Page: 7
AUTOMATE
• Software tools are available to automate investigations
• Significant reduction of the time needed for an investigation
• One example is the software PERKEO, which detects child pornography pictures on the basis of hash values
Page: 8
AUTOMATE
• Automation techniques can also be used to identify copyright violations
• One example is file-sharing monitoring, where software tools can automatically detect copies of copyright-protected artwork that have been made available
• Another example is the automatic scanning of scientific work (such as PhD theses)
Page: 9
AUTOMATE
• With regard to file-sharing systems, investigators can automate the process of detecting users that make copyright-protected material available
• Tens of thousands of reports submitted to a single prosecution department within one year underline the effectiveness of such an investigation method
• However, the subsequent process (especially the court proceedings) requires significantly more time
Page: 10
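The hash-based matching behind PERKEO-style detection and file-sharing monitoring, as an added example (not code from the slides or from any product): every file under a directory is hashed and compared with a reference set of known digests. The reference material, file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed reference material (not real case data): a label for each known file.
KNOWN_FILES = {
    "known-picture-A": b"\x89PNG\r\n\x1a\n" + b"A" * 4096,
    "known-picture-B": b"\x89PNG\r\n\x1a\n" + b"B" * 4096,
}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so that large media files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_reference_set(samples: dict) -> dict:
    """Map SHA-256 hex digest -> label; in practice the digests come from a vetted database."""
    return {hashlib.sha256(data).hexdigest(): label for label, data in samples.items()}


def scan_tree(root: Path, reference: dict) -> list:
    """Hash every regular file below root and return (relative path, label) for each hit."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            label = reference.get(sha256_file(path))
            if label is not None:
                hits.append((path.relative_to(root).as_posix(), label))
    return hits


def demo() -> list:
    """Populate a throwaway directory and scan it; returns the matches found."""
    reference = build_reference_set(KNOWN_FILES)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        # Identical content is found regardless of file name or location ...
        (root / "pic1.png").write_bytes(KNOWN_FILES["known-picture-A"])
        (root / "sub" / "notes.dat").write_bytes(KNOWN_FILES["known-picture-B"])
        # ... but a single changed byte gives a different hash and is missed.
        (root / "pic1_edited.png").write_bytes(KNOWN_FILES["known-picture-A"] + b"\x00")
        (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff" + b"unrelated")
        return scan_tree(root, reference)


if __name__ == "__main__":
    for rel_path, label in demo():
        print(f"{rel_path}: matches {label}")
```

An exact cryptographic hash finds renamed and moved copies but misses re-encoded or cropped ones, which is why perceptual hashing exists alongside this approach.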
OPPORTUNITIES
• Case example 1: Within the investigation of a murder case, law enforcement was unable to identify a murder based on search engine history. They were able to use search engine logs on the suspect's computer to identify places he was interested in.
Page: 11
OPPORTUNITIES
• Case example 2: Investigators were able to discover that the suspect was searching for specific terms such as “undetectable poisons,” “fatal digoxin levels,” “instant poisons,” “toxic insulin levels,” “how to purchase guns illegally,” “how to find chloroform,” “fatal insulin doses,” “poisoning deaths,” “where to purchase guns illegally,” “gun laws in PA,” “how to purchase guns in PA”
Page: 12
OPPORTUNITIES
• Google searches including '1,000 ways to die', 'how to kill someone', 'ten easy ways to kill someone with no trace', 'can you kill someone with a punch?', 'dangerous drugs for the elderly', 'if you hit someone across the back of the head with a brick will they die or just get a bruise?', 'easiest way to kill an old person', 'delayed symptoms of concussion', 'sugar in petrol tank', 'poisonous salts', 'suffocation symptoms', 'heart attack symptoms' and 'dying in your sleep'.
Page: 13
DEVICES PROCESSING DATA
• Devices often store information that is valuable for traditional investigations
• The user does not necessarily know about such operations
• One example is the iPhone, which stored the geo-location of the user and thereby enabled the reconstruction of movements/travel
Page: 14
TRACES
• “Nobody knows you are a dog”?
• Internet users leave traces
• Access providers, for example, often keep records for a certain period of time of whom a dynamic IP address was assigned to
• Data retention obligations further increase the volume of data stored (but raise questions related to the legality of this investigation instrument)
Page: 15
AUTOMATE
• Operating systems and applications today store various pieces of information
• Knowledge about computer processes can help within an investigation
• Example: If an offender is online and law enforcement is trying to identify him in real time, anonymous communication systems might prevent detection. However, if law enforcement is able to get access to the cookies stored by the suspect's browser, they might be able to search for cookies stored during online banking. This could lead them to the suspect
Page: 16
E-MAIL FORENSICS
• Use of Internet services such as e-mail leaves various traces
• The information contained in an e-mail goes way beyond sender, recipient, subject and content
• Header information can help law enforcement to identify the sender of threatening mails
Page: 17
3. CHALLENGES: INVESTIGATION
Page: 18
INFORMATION SOCIETY
• Global development towards Information Societies
• Characterised by the availability and extensive use of Information Technology
• Society is accepting a number of risks with regard to Information Technology (insufficient protection of computers and passwords, open WLAN, ...)
• If crimes occur, law enforcement plays a crucial role
Page: 19
DEPENDENCE
• Threats of Internet-based attacks against critical infrastructure
• Energy, Communication, Transportation, Health, Food supply, Finance, Government services, Essential manufacturing, …
• Even military infrastructure depends on critical technology
Page: 20
DEPENDENCE
• Alternative communication systems that could be used in cases of emergency are not able to cover the necessary resources
• Monoculture with regard to major technical components of computer systems, software and network technology
Page: 21
DEPENDENCE
STUXNET
Page: 22
STUXNET
• Malicious software targeting the Windows operating system
• Discovered in June 2010
• Specifically focussing on Supervisory Control And Data Acquisition (SCADA)
• SCADA is, for example, used in Siemens S7 systems, which are used to control critical infrastructure such as power plants
Page: 23
PAYLOAD
• Research indicates that the software was capable of manipulating the frequency of the centrifuges at Iran's enrichment plant
• Regular speed is between 807 Hz and 1210 Hz
• The virus might have changed the frequency down to 2 Hz and up to 1410 Hz
• High speed and the “shaking effect” have the potential to physically damage the centrifuges
Page: 24
RELIANCE ON DATA
• The number of digital documents is increasing intensively
• The cost of storing one MB of data was constantly decreasing during the last decades
• Today it is cheaper to store information digitally than to keep physical copies
• In some areas traditional data is substituted by digital data
Figure (year: storage volume in MB, values as shown on the slide):
1981: 10 MB
1990: 676 MB
1996: 10.000.000 MB
2000: 70.000.000 MB
2009: 2.000.000.000 MB
Page: 25
COMPUTER DATA
• As a consequence, computer data is more and more frequently the target of attacks
• Digital data is fragile and goes along with the risk of manipulation (alteration, deletion, …)
• In addition, there is the risk of illegal access to computer data by offenders (e.g. the “Sony Hack”)
Page: 26
[Picture removed in print version: One-to-One Copy]
SWITCH TO COMPUTER DATA
• An additional challenge is the ability to copy information without a loss of quality
• This enables new forms of copyright violations as well as the acquisition of secret information
Page: 27
[Picture removed in print version: Analogue Copy vs. Digital Copy (One-to-One Copy)]
SWITCH TO COMPUTER DATA
• Another consequence of the missing loss of quality during the copying process is the fact that whoever obtains a digital file (consumer) could potentially at the same time become a distributor
• Especially relevant with regard to file-sharing
Page: 28
[Figure: Analogue Copy: only potential consumer; Digital Copy: potential consumer/distributor]
INTERLINKED SYSTEMS
• On-going process of integrating computer systems and devices into networks
• “Internet of things”
• Every interference with this system can have side effects
Page: 29
INTERLINKED SYSTEMS
• Situation: A company with 400 employees, market leader with regard to one specific chemical product, with a large research laboratory
• Report: The system administrator reports a massive transfer of data from the company to computer systems in other countries
• Solution: ?
Page: 30
[Picture removed in print version: Phase 1, report about massive data transfer]
AUTOMATE
• Computers and networks enable offenders to automate attacks
• Within minutes, millions of spam mails can be sent out without generating high costs; sending out one million regular letters would be very expensive and take days
• The fact that millions of attempts to illegally enter computer systems are detected every day is not a result of a high number of offenders but of the ability to automate attacks
Page: 31
AUTOMATE
• Another example of the use of automation is SPAM
• Currently between 60% and 90% of all e-mails are SPAM
• Several billion SPAM e-mails are sent every single day
• This can only work on the basis of automation
Page: 32
AUTOMATE
• Automation enables offenders to generate high profit by committing numerous offences, each involving a rather small amount
• Background: Victims that have just lost rather small amounts tend not to report the crime
[Picture removed in print version: reporting vs. no reporting, depending on a country-specific amount]
Page: 34
UNCERTAINTY REGARDING EXTENT
• Lack of reporting leads to uncertainty with regard to the extent of crime
• This is especially relevant with regard to the involvement of organized crime
• Available information from the crime statistics therefore does not necessarily reflect the real extent of crime
[Picture removed in print version]
HEISE NEWS 27.10.2007
The United States Federal Bureau of Investigation has requested companies not to keep quiet about phishing attacks and attacks on company IT systems, but to inform authorities, so that they can be better informed about criminal activities on the Internet. "It is a problem for us that some companies are clearly more worried about bad publicity than they are about the consequences of a successful hacker attack," explained Mark Mershon, acting head of the FBI's New York office.
Page: 35
CHANGING TARGETS
• A significant number of attacks that took place in the past were based on maximising the number of victims
• Example: Malicious software targeting the Windows operating system
• This approach is still current (e.g. within the process of creating botnets)
• In addition, there are more and more attacks with concrete targets
Page: 36
TARGETED ATTACK
• Traditional phishing mails (e.g. phishing mails pretending to be sent out by a financial institution) do not work today as they did in the beginning
• Background: awareness raising and technical protection measures
• New trend: spear-phishing
Page: 37
AVAILABILITY OF DEVICES
• In the early days of computers and computer networks, offenders committing computer crimes tended to be experts
• Today a significant number of offences are carried out using easy-to-use tools that do not require technical knowledge
Page: 39
AVAILABILITY OF INFORMATION
• Information that previously was available only to secret services (e.g. satellite pictures) or from very select sources (e.g. instructions on how to build bombs) is today available via the Internet
• Possibilities to restrict access to such information are limited
Page: 40
AVAILABILITY OF INFORMATION
• Industry can play a role in limiting the negative impact of the availability of information about high-level targets
• An example is the restriction of the resolution of satellite pictures
• Such measures can only have an impact if they are coordinated
Page: 41
AVAILABILITY OF INFORMATION
Services like Google Earth were reported to be used in several attacks:
• In attacks against British troops in Afghanistan
• In the planning of attacks against an airport in the US
• In attacks against British troops in Iraq
• In attacks against Israel
[Picture removed in print version]
WWW.TELEGRAPH.CO.UK (13.01.2007)
Terrorists attacking British bases in Basra are using aerial footage displayed by the Google Earth internet tool to pinpoint their attacks, say Army intelligence sources. Documents seized during raids on the homes of insurgents last week uncovered print-outs from photographs taken from Google.
[Picture removed in print version]
GUARDIAN (25.10.2007)
Palestinian militants are using Google Earth to help plan their attacks on the Israeli military and other targets, the Guardian has learned. Members of the al-Aqsa Martyrs Brigade, a group aligned with the Fatah political party, say they use the popular internet mapping tool to help determine their targets for rocket strikes.
Page: 42
AVAILABILITY OF INFORMATION
• Robots (crawlers) used by search engines can lead to the disclosure of secret information
• Handbooks on how to build explosives and construct chemical and even nuclear devices are available
• Internet sources have been used by the offenders in a number of recent attacks
Page: 43
AVAILABILITY OF INFORMATION
• Information regarding the construction of weapons was available long before the Internet was developed
• Ragnar's Action Encyclopaedia of Practical Knowledge and Proven Techniques
• Approaches to criminalise the publication of information that can be used to
Page: 44
RESOURCES
• Current analyses indicate that up to a quarter of all private computers connected to the Internet could be used by criminals as they belong to “botnets” (Source: BBC report “Criminals 'may overwhelm the web'”)
• Despite the fact that the estimate is not based on a scientifically reliable basis, the growing size of detected botnets highlights the challenge
• The debate about the legal response has just started
Page: 45
[Picture removed in print version: BACKGROUND: BOTNET]
BOTNET
• Short term for Robot-Network
• Botnets are very powerful instruments
• Main use: SPAM, DoS
• Computers are in most cases infected by malicious software
• The software takes over part of the control
[Figure: bandwidth consumption by the user vs. consumption by the botnet, prior to infection and after infection]
Page: 46
Page: 47
CONNECTION VIRTUAL-REAL WORLD
• Computer technology has reached an intensive level of interconnection
• While in the past real-world crime and Cybercrime were separated, the increasing links enable the use of ICT in real-world crime
Page: 48
EXAMPLE: LIVE SHOT
• Computer-controlled gun
• The gun can be completely controlled via the network
• Example of a combination of a real-world threat (gun) and network technology
• This enables the offender to benefit from the possibility of anonymous communication and hide his/her identity
Page: 49
EXAMPLE: BITCOIN
• Bitcoin is a digital currency that enables pseudonymous, real-time transactions
• The currency uses encryption technology and decentralised services to ensure that the currency cannot be falsified
• Transactions can be carried out without any centralised control
• Therefore traditional control instruments do not apply
DECENTRALISED SERVICES
• The availability of high-speed Internet connections and server infrastructure today enables the development of storage concepts that are no longer based on local but on decentralised storage
• “cloud computing” and “cloud storage”
[Picture removed in print version: EXAMPLE: AMAZON CLOUD COMPUTING]
Page: 50
DECENTRALISED SERVICES
[Figure: Local storage, with the risks Illegal Access and Insider Attacks]
Page: 51
DECENTRALISED SERVICES
[Figure: Local storage next to Cloud Services, with the risks Illegal Access and Insider Attacks]
Page: 52
RISKS
[Figure, reconstructed from the slide]
Local storage: Illegal Access
Between local storage and cloud services: Hindering Transfer, Interception of communication
Cloud Services: Illegal Access, Insider Attacks, “Legal” Access, System Interference
Page: 53
DEPRIVATION DATA/EVIDENCE
• General challenges related to digital evidence
• Presentation of evidence in court
• Anonymous communication
• Encryption
• Steganography
• Deletion of data
• Reliability of Digital Evidence
Page: 54
GENERAL CHALLENGES
• Quantitative aspects
• Reliance on expert statements
• Risk of manipulation or alteration
• Fragile nature of digital evidence
• Layer of abstraction
• Changing technical environment
Page: 55
E-MAIL FORENSICS
• More and more correspondence is done electronically
• Use of Internet services such as e-mail leaves various traces
• The information contained in an e-mail goes way beyond sender, recipient, subject and content
• Header information can help law enforcement to identify the sender of threatening mails
Page: 56
ALTERATION
• As valuable as e-mails can be for an investigation, it is important to keep in mind that e-mails are only text documents
• Open to alteration
• Courts in some jurisdictions are therefore restrictive when it comes to the admissibility of electronic mails
Page: 57
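How the header information from the E-MAIL FORENSICS slides is read, and why the ALTERATION point matters for it, as an added example (not code from the slides): the script walks the Received chain of a constructed message and treats only the unbroken chain of Received lines added by servers the investigator controls as attested, since every line below that chain was supplied by the sender and can be forged. Hostnames, addresses and the message itself are hypothetical.

```python
import re
from email import message_from_string
from email.policy import default
from typing import Optional

# Constructed sample (hypothetical hosts, documentation IP ranges), not real case data.
# Each relay prepends its own Received line, so the topmost line is the newest hop.
SAMPLE_MAIL = """Return-Path: <sender@example.net>
Received: from mx1.example.org (mx1.example.org [203.0.113.10])
    by mail.example.com with ESMTP id q25abc
    for <victim@example.com>; Mon, 05 Mar 2012 09:12:33 +0000
Received: from user-pc (unknown [198.51.100.77])
    by mx1.example.org with SMTP; Mon, 05 Mar 2012 09:12:30 +0000
Message-ID: <20120305091230.1234@example.net>
From: Anonymous <sender@example.net>
To: victim@example.com
Subject: Threat
Date: Mon, 05 Mar 2012 09:12:30 +0000

You have been warned.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>[\w.-]+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw: str) -> list:
    """Return the Received hops in transmission order (origin first).

    Each hop records the name the sending host announced (HELO), the address the
    receiving server saw it connect from, and the receiving server itself.
    """
    msg = message_from_string(raw, policy=default)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value))        # unfold continuation lines
        match = RECEIVED_RE.search(text)
        if not match:
            continue                                   # unparsable line: keep going
        ip = IPV4_RE.search(match.group("comment") or "")
        hops.append({
            "helo": match.group("helo"),
            "from_ip": ip.group(1) if ip else None,
            "by": match.group("by").lower(),
        })
    hops.reverse()
    return hops


def attested_origin(raw: str, trusted_servers: set) -> Optional[str]:
    """Sender address vouched for by the newest unbroken chain of servers we trust.

    Any Received line below that chain was handed to us by the sender and is
    only a claim; it may be forged or missing.
    """
    origin = None
    for hop in reversed(parse_received(raw)):          # newest hop first
        if hop["by"] not in trusted_servers:
            break
        origin = hop["from_ip"]
    return origin


if __name__ == "__main__":
    for hop in parse_received(SAMPLE_MAIL):
        print(f"{hop['helo']} [{hop['from_ip']}] -> {hop['by']}")
    print("attested origin:", attested_origin(SAMPLE_MAIL, {"mail.example.com"}))
```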
BACKGROUND
• The emerging relevance of digital evidence influences the procedures in court
• It is possible to distinguish between two different processes:
1. Substitution of traditional evidence by digital evidence
2. Introduction of digital evidence as additional evidence
• The influence is not limited to the fact that courts need to deal with digital evidence
• Even the design of courtrooms is influenced
Page: 58
DIGITAL DATA
• One explanation for the emerging importance of digital evidence is the fact that the number of digital documents is increasing intensively
• The cost of storing one MB of data was constantly decreasing during the last decades
• Today it is cheaper to store information digitally than to keep physical copies
Page: 59
GLOBAL PHENOMENON
• The availability of encryption technology is a global challenge
• Powerful software tools are available on a large scale on the Internet
• Some of the latest versions of operating systems contain encryption technology
Page: 60
BREAKING A KEY
• Brute force attack: method of defeating a cryptographic scheme by trying a large number of possibilities; for example, exhaustively working through all possible keys in order to decrypt a message
• Gaps in the encryption software
• Dictionary-based attack
• Social engineering
• Classic search for hints
• Need for legislative approaches?
Page: 61
Time needed for an exhaustive key search (key space / computers / time, values as shown on the slide):
20 BIT ENCRYPTION: 1.048.576 keys, 1 computer, 1 sec.
40 BIT ENCRYPTION: 1.099.511.627.776 keys, 1 computer, 305 hours
56 BIT ENCRYPTION: 7.2 e+30 keys, 1 computer, 2284 years
56 BIT ENCRYPTION: 7.2 e+30 keys, 100.000 computers, 200 hours
128 BIT ENCRYPTION: 3.4 e+52 keys, 100.000 computers, 1079028307080602 e+25 years
Page: 62
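The table's times follow from one assumption: each computer tries 1,000,000 keys per second and a year has 365 days. The following is an added worked example (not from the slides) that derives the rows from 2 to the power of the key length and also answers the converse question, how many key bits keep a search above a given number of years at that rate.

```python
SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365 * 24 * SECONDS_PER_HOUR   # 365-day year, as the slide's figures imply


def brute_force_seconds(key_bits: int, keys_per_second: float = 1_000_000, computers: int = 1) -> float:
    """Worst case: every one of the 2**key_bits keys is tried, work split evenly across computers."""
    return 2 ** key_bits / (keys_per_second * computers)


def human_duration(seconds: float) -> str:
    """Render seconds in the unit the slide uses (sec / hours / years)."""
    if seconds < SECONDS_PER_HOUR:
        return f"{seconds:.0f} sec"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_HOUR:.0f} hours"
    return f"{seconds / SECONDS_PER_YEAR:.4g} years"


def search_table(rows=((20, 1), (40, 1), (56, 1), (56, 100_000), (128, 100_000))) -> list:
    """(key bits, computers, duration) for each row of the slide's table."""
    return [(bits, n, human_duration(brute_force_seconds(bits, computers=n))) for bits, n in rows]


def bits_to_hold_for(years: float, keys_per_second: float = 1_000_000, computers: int = 1) -> int:
    """Smallest key length whose exhaustive search takes at least `years` at the given rate.

    Each additional bit doubles the key space, so adding computers only buys
    a fixed number of bits: 100,000 computers are worth about 17 bits.
    """
    bits = 1
    while brute_force_seconds(bits, keys_per_second, computers) < years * SECONDS_PER_YEAR:
        bits += 1
    return bits


if __name__ == "__main__":
    for bits, n, duration in search_table():
        print(f"{bits:>3} bit, {n:>7} computer(s): {duration}")
    print("bits needed for 1000 years:", bits_to_hold_for(1000), "(1 computer),",
          bits_to_hold_for(1000, computers=100_000), "(100,000 computers)")
```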
SOLUTION
• Technical solutions (with legal component)
  • Magic Lantern (US)
  • Remote Forensic Software (Germany)
• Legal solutions
  • Various restrictions on import/export and use of encryption technology
  • UK: Obligation to disclose password (Sec. 49 of the UK Investigatory Powers Act 2000)
Page: 63
WEBSITES AND SOFTWARE USED
Page: 64
Information available to operators of websites: http://cqcounter.com/whois/what_is_my_ip.php
Public proxy servers: http://www.publicproxyservers.com/proxy/list1.html
WayBackMachine: http://www.archive.org/
TrueCrypt: http://www.truecrypt.org/
TOR network: http://www.torproject.org/
Page: 65
Cybercrime Research Institute, Prof. Dr. Marco Gercke
Niehler Str. 35
D-50733 Cologne, Germany
www.cybercrime-institute.com