
Cybercrime

HIPCAR CAPACITY BUILDING WORKSHOP ON CYBERCRIME

Port of Spain, Trinidad and Tobago

5-7 March 2012

Prof. Dr. Marco Gercke


STRUCTURE

•  Introduction

•  New Opportunities

•  Challenges of Investigating Cybercrime

•  Challenges for Courts

•  Challenges related to drafting Cybercrime Legislation


1. INTRODUCTION


COUNTERING CYBERCRIME

•  Increasing the ability to prevent as well as investigate Cybercrime has become a major concern not only for most states but also for international organisations

•  Addressing Cybercrime is challenging for both lawmakers and investigators

•  Investigating Cybercrime comes with challenges that are to a certain extent different from those encountered in traditional investigations


CHALLENGES

•  Knowing about the challenges is required for drafting legislation as well as investigating Cybercrime

•  With regard to legislation the knowledge is required to ensure that the legislation adequately covers the challenges and gives investigators effective instruments

•  With regard to investigations the knowledge is required to be able to identify offenders and collect evidence


2. OPPORTUNITIES


OPPORTUNITIES

•  Availability of computer technology improved the ability of law enforcement to carry out investigations

•  DNA sequence analysis and fingerprint databases are examples of an emerging use of information technology in traditional criminal investigation


AUTOMATE

•  Software tools are available to automate investigations

•  Significant reduction of time for an investigation

•  One example is the software PERKEO that detects child pornography pictures on the basis of hash values
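Hash-based detection of known files, as described above, in an added example that is not PERKEO's code and not part of the original slides. SHA-256, the function names `sha256_file`, `scan` and `demo`, and the sample files are assumptions constructed for illustration.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB blocks so large evidence files are never loaded whole


def sha256_file(path: Path) -> str:
    """Return the SHA-256 digest of a file as lowercase hex."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def scan(root: Path, known_hashes: set[str]) -> dict:
    """Hash every regular file under root and sort it into hits, unmatched, errors."""
    report = {"hits": [], "unmatched": [], "errors": []}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # skip directories, devices and links
        name = str(path.relative_to(root))
        try:
            digest = sha256_file(path)
        except OSError as exc:
            # An unreadable file is reported, not silently treated as clean.
            report["errors"].append((name, str(exc)))
            continue
        bucket = "hits" if digest in known_hashes else "unmatched"
        report[bucket].append((name, digest))
    return report


def demo() -> dict:
    """Run the scan over a constructed directory (all content is sample data)."""
    reference = b"CONSTRUCTED-REFERENCE-FILE-0001"
    known_hashes = {hashlib.sha256(reference).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "holiday.jpg").write_bytes(b"unrelated sample content")
        (root / "sub").mkdir()
        # Renamed, bit-identical copy: the file name plays no role, so it is a hit.
        (root / "sub" / "renamed.dat").write_bytes(reference)
        # One extra byte gives a different digest: exact hashing only finds
        # bit-identical copies, so "unmatched" is not the same as "cleared".
        (root / "sub" / "edited.dat").write_bytes(reference + b"\x00")
        return scan(root, known_hashes)


if __name__ == "__main__":
    result = demo()
    for bucket in ("hits", "unmatched", "errors"):
        print(bucket, [entry[0] for entry in result[bucket]])
```

The time saving comes from the set lookup: each file is hashed once and compared against the whole reference set in constant time, so an examiner only has to review the hits and the unreadable files manually.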


AUTOMATE

•  Automation techniques can also be used to identify copyright violations

•  One example is file-sharing monitoring where software tools can automatically detect copies of copyright-protected artwork made available

•  Another example is the automatic scanning of scientific work (like PhD theses)


AUTOMATE

•  With regard to file-sharing systems investigators can automate the process of detecting users that make available copyright-protected material

•  Tens of thousands of reports submitted to a single prosecution department within one year underline the effectiveness of such an investigation method

•  However, the subsequent process (especially the court proceedings) requires significantly more time


OPPORTUNITIES

•  Case example 1: Within an investigation of a murder case law enforcement was unable to identify a murder based on search engine history. They were able to use search engine logs on the suspect's computer to identify places he was interested in.


OPPORTUNITIES

•  Case example 2: Investigators were able to discover that the suspect was searching for specific terms such as “undetectable poisons,” “fatal digoxin levels,” “instant poisons,” “toxic insulin levels,” “how to purchase guns illegally,” “how to find chloroform,” “fatal insulin doses,” “poisoning deaths,” “where to purchase guns illegally,” “gun laws in PA,” “how to purchase guns in PA”


OPPORTUNITIES

•  Google searches including '1,000 ways to die', 'how to kill someone' and 'ten easy ways to kill someone with no trace', 'can you kill someone with a punch?', 'dangerous drugs for the elderly', 'if you hit someone across the back of the head with a brick will they die or just get a bruise?' and 'easiest way to kill an old person', 'delayed symptoms of concussion', 'sugar in petrol tank', 'poisonous salts', 'suffocation symptoms', 'heart attack symptoms' and 'dying in your sleep'.


DEVICES PROCESSING DATA

•  Devices often store information that is valuable for traditional investigations

•  The user does not necessarily have knowledge about such operation

•  One example is the iPhone that stored the geo-location of the user and thereby enabled the reconstruction of movements/travel


TRACES

•  “Nobody knows you are a dog” ?

•  Internet users leave traces

•  Access providers, for example, often keep records for a certain period of time showing to whom a dynamic IP address was assigned

•  Data retention obligations even increase the volume of data stored (but go along with questions related to the legality of this investigation instrument)


AUTOMATE

•  Operating systems and applications today store various information

•  Knowledge about computer processes can help within investigation

•  Example: If an offender is online and law enforcement is trying to identify him in real time, anonymous communication systems might prevent the detection. However, if law enforcement is able to get access to the cookies stored by the suspect's browser they might be able to search for cookies stored during online banking. This could lead them to the suspect


E-MAIL FORENSICS

•  Uses of Internet-services such as e-mail leave various traces

•  Information contained in an e-mail goes way beyond sender, recipient, subject and content

•  Header information can help law enforcement to identify the sender of threatening mails


3. CHALLENGES INVESTIGATION


INFORMATION SOCIETY

•  Global development towards Information Societies

•  Characterised by availability and extensive use of Information Technology

•  Society is accepting a number of risks with regard to Information Technology (insufficient protection of computer and password, open WLAN, ...)

•  If crimes occur, law enforcement plays a crucial role


DEPENDENCE

•  Threats of internet based attacks against critical infrastructure

•  Energy, Communication, Transportation, Health, Food supply, Finance, Government services, Essential manufacturing, …

•  Even military infrastructure depends on critical technology


DEPENDENCE

•  Alternative Communication Systems that could be used in cases of emergency are not able to cover the necessary resources

•  Monoculture with regard to major technical components of computer systems, software and network technology


DEPENDENCE

STUXNET


STUXNET

•  Malicious software targeting the Windows operating system

•  Discovered in June 2010

•  Specifically focussing on Supervisory Control And Data Acquisition (SCADA)

•  SCADA is for example used in Siemens S7 systems that are used to control critical infrastructure such as power plants


PAYLOAD

•  Research indicates that the software was capable of manipulating the frequency of the centrifuges at Iran’s enrichment plant

•  Regular speed is between 807 Hz and 1210 Hz

•  The virus might have changed the frequency down to 2 Hz and up to 1410 Hz

•  High speed and “shaking-effect” have the potential to physically damage the centrifuges


RELIANCE ON DATA

•  The number of digital documents is increasing intensively

•  The cost of storing one MB of data has been constantly decreasing during the last decades

•  Today it is cheaper to store information digitally than to keep physical copies

•  In some areas traditional data is substituted by digital data

Figure data: 10 MB (1981); 676 MB (1990); 10.000.000 MB (1996); 70.000.000 MB (2000); 2.000.000.000 MB (2009)


COMPUTER DATA

•  As a consequence computer data is more and more frequently the target of attacks

•  Digital data is fragile and goes along with the risk of manipulations (alteration, deletion, …)

•  In addition there is a risk of illegal access to computer data by offenders (e.g. “Sony Hack”)


SWITCH TO COMPUTER DATA

•  Additional challenge is the ability to copy information without a loss of quality

•  Enables new forms of copyright violations as well as the acquisition of secret information

Figure labels: Analogue Copy; Digital Copy; One-to-One Copy

SWITCH TO COMPUTER DATA

•  Another consequence of the absence of quality loss during the copying process is the fact that whoever obtains a digital file (consumer) could potentially at the same time become a distributor

•  Especially relevant with regard to file-sharing

Figure labels: Analogue Copy; Digital Copy; Potential consumer/distributor; Only potential consumer

INTERLINKED SYSTEMS

•  On-going process of integrating computer systems and devices into networks

•  “Internet of things”

•  Every interference with this system can have side effects


INTERLINKED SYSTEMS

•  Situation: Company with 400 employees, market leader with regard to one specific chemical product, large research laboratory

•  Report: System administrator reports about a massive transfer of data from the company to computer systems in other countries

•  Solution: ?

Figure labels: Phase 1; Report about massive data transfer

AUTOMATE

•  Computers and networks enable offenders to automate attacks

•  Within minutes millions of spam mails can be sent out without generating high costs - sending out one million regular letters would be very expensive and take days

•  The fact that millions of attempts to illegally enter a computer system are detected every day is not a result of the high number of offenders but of the ability to automate attacks


AUTOMATE

•  Another example of the use of automation is SPAM

•  Currently between 60% and 90% of all e-mails are SPAM

•  Several billion SPAM e-mails are sent every single day

•  Can only work on the basis of automation


AUTOMATE

•  Automation enables offenders to generate high profit by committing various offences with rather small amounts each

•  Background: Victims that have just lost rather small amounts tend not to report the crime

Figure labels: Reporting; Country specific amount; No reporting; Reporting


UNCERTAINTY REGARDING EXTENT

•  Lack of reporting leads to uncertainty with regard to the extent of crime

•  This is especially relevant with regard to the involvement of organized crime

•  Available information from the crime statistics therefore does not necessarily reflect the real extent of crime

HEISE NEWS 27.10.2007

The United States Federal Bureau of Investigation has requested companies not to keep quiet about phishing attacks and attacks on company IT systems, but to inform authorities, so that they can be better informed about criminal activities on the Internet. "It is a problem for us that some companies are clearly more worried about bad publicity than they are about the consequences of a successful hacker attack," explained Mark Mershon, acting head of the FBI's New York office.


CHANGING TARGETS

•  A significant number of attacks that took place in the past were based on maximising the number of victims

•  Example: Malicious software targeting the Windows operating system

•  This approach is still current (e.g. within the process of creating botnets)

•  In addition there are more and more attacks with concrete targets


TARGETED ATTACK

•  Traditional phishing mails (e.g. phishing mails pretending to be sent out by a financial institution) are today not as they were in the beginning

•  Background is awareness raising and technical protection measures

•  New trends: Spear-phishing


AVAILABILITY OF DEVICES

•  In the early days of computers and computer networks offenders committing computer crimes tended to be experts

•  Today a significant number of offences are carried out by using easy-to-use tools that do not require technical knowledge


AVAILABILITY OF INFORMATION

•  Information that previously was available only to secret services (e.g. satellite pictures) or from very selected sources (e.g. instructions how to build bombs) is today available via the Internet

•  Possibilities to restrict access to such information are limited


AVAILABILITY OF INFORMATION

•  Industry can play a role in limiting the negative impact of the availability of information about high level targets

•  Example is the restriction of resolution in satellite pictures

•  Such measures can only have an impact if they are coordinated


AVAILABILITY OF INFORMATION

Services like Google Earth were reported to be used in several attacks:

•  In attacks against British troops in Afghanistan

•  In the planning of attacks against an airport in the US

•  In attacks against British troops in Iraq

•  In attacks against Israel

WWW.TELEGRAPH.CO.UK (13.01.2007)

Terrorists attacking British bases in Basra are using aerial footage displayed by the Google Earth internet tool to pinpoint their attacks, say Army intelligence sources. Documents seized during raids on the homes of insurgents last week uncovered print-outs from photographs taken from Google.

GUARDIAN (25.10.2007)

Palestinian militants are using Google Earth to help plan their attacks on the Israeli military and other targets, the Guardian has learned. Members of the al-Aqsa Martyrs Brigade, a group aligned with the Fatah political party, say they use the popular internet mapping tool to help determine their targets for rocket strikes.


AVAILABILITY OF INFORMATION

•  Robots used by search engines can lead to the disclosure of secret information

•  Handbooks on how to build explosives and construct chemical and even nuclear devices are available

•  Internet sources have been used by the offenders in a number of recent attacks


AVAILABILITY OF INFORMATION

•  Information regarding the construction of weapons was available a long time before the Internet was developed

•  Ragnar's Action Encyclopaedia of Practical Knowledge and Proven Techniques

•  Approaches to criminalise the publication of information that can be used to


RESOURCES

•  Current analyses indicate that up to a quarter of all private computers connected to the internet could be used by criminals as they belong to “botnets” (Source: BBC report “Criminals 'may overwhelm the web'”)

•  Despite the fact that the estimation is not based on a scientifically reliable basis, the growing size of detected botnets highlights the challenge

•  Debate about legal response just started


BOTNET

•  Short term for Robot-Network

•  Botnets are very powerful instruments

•  Main use: SPAM, DoS

•  Computers are in most cases infected by malicious software

•  Software is taking over part of the control

Figure labels: Consumption by user; Prior to infection; After infection; Consumption by Botnet


CONNECTION VIRTUAL-REAL WORLD

•  Computer technology reached an intensive level of interconnection

•  While in the past real-world crime and Cybercrime were separated, the increasing links enable the use of ICT in real world crime


EXAMPLE: LIVE SHOT

•  Computer controlled gun

•  The gun can be completely controlled via the network

•  Example for a combination of real world threat (gun) and network technology

•  This enables the offender to benefit from the possibility of anonymous communication and hide his/her identity


EXAMPLE: BITCOIN

•  Bitcoin is a digital currency that enables pseudonymous, real time transactions

•  The currency uses encryption technology and decentralized services to ensure that the currency cannot be falsified

•  Transactions can be carried out without any centralized control

•  Therefore traditional control instruments do not apply


DECENTRALISED SERVICES

•  Availability of high-speed Internet connections and server infrastructure today enables the development of storage concepts that are no longer based on local but on decentralised storage

•  “cloud computing” and “cloud storage”

Figure: EXAMPLE: AMAZON CLOUD COMPUTING


DECENTRALISED SERVICES

Diagram labels: Local storage; Illegal Access; Insider Attacks

DECENTRALISED SERVICES

Diagram labels: Local storage; Cloud Services; Illegal Access; Insider Attacks

RISKS

Diagram labels: Local storage; Illegal Access; Hindering Transfer; Interception of communication; Cloud Services; Illegal Access; Insider Attacks; “Legal” Access; System Interference

DEPRIVATION DATA/EVIDENCE

•  General challenges related to digital evidence

•  Presentation of evidence in court

•  Anonymous communication

•  Encryption

•  Steganography

•  Deletion of data

•  Reliability of Digital Evidence


GENERAL CHALLENGES

•  Quantitative aspects

•  Reliance on expert statements

•  Risk of manipulation or alteration

•  Fragile nature of digital evidence

•  Layer of abstraction

•  Changing technical environment


E-MAIL FORENSICS

•  More and more correspondence is done electronically

•  Uses of Internet-services such as e-mail leave various traces

•  Information contained in an e-mail goes way beyond sender, recipient, subject and content

•  Header information can help law enforcement to identify the sender of threatening mails


ALTERATION

•  As valuable as e-mails can be for an investigation, it is important to keep in mind that e-mails are only text documents

•  Open to alteration

•  Courts in some jurisdictions are therefore restrictive when it comes to the admissibility of electronic mails
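Header tracing as described on the E-MAIL FORENSICS slides, together with the limit named on the ALTERATION slide, in an added example that is not part of the original slides. The message, host names and IP addresses are constructed (example domains and documentation ranges), `parse_received` and `trace` are hypothetical names, and matching each header's `by` host against the `from` host of the header above is a heuristic assumed here, since real servers may announce other names.

```python
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample. The lowest Received line was typed into the message by
# the sender; headers are plain text, so nothing prevents that.
RAW_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by mail.victim.example with ESMTPS id A1; Mon, 05 Mar 2012 10:00:05 +0000
Received: from smtp.provider.example (smtp.provider.example [198.51.100.7])
    by mx.example.org with ESMTP id B2; Mon, 05 Mar 2012 10:00:03 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
    by smtp.provider.example with ESMTPSA id C3; Mon, 05 Mar 2012 10:00:01 +0000
Received: from mail.bank.example ([10.9.9.9])
    by relay.bank.example; Mon, 05 Mar 2012 09:00:00 +0000
From: "Bank" <service@bank.example>
To: user@victim.example
Subject: constructed sample
Date: Mon, 05 Mar 2012 10:00:00 +0000

Body text.
"""

FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> dict:
    """Split one Received header into from-host, peer IP, by-host and timestamp."""
    clauses, _, stamp = value.rpartition(";")
    from_m, by_m, ip_m = (rx.search(clauses) for rx in (FROM_RE, BY_RE, IP_RE))
    try:
        when = parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):
        when = None  # missing or malformed date: keep the hop, flag no time
    return {
        "from": from_m.group(1).lower() if from_m else None,
        "ip": ip_m.group(1) if ip_m else None,
        "by": by_m.group(1).lower() if by_m else None,
        "time": when,
    }


def trace(raw: str, own_mta: str) -> dict:
    """Walk the Received chain from the newest header (top) downwards.

    Only the top header is written by the recipient's own server. Each older
    header is kept in the chain only while it was written by the host that the
    header above names as its peer; everything below the first break is text
    that may have been supplied by the sender.
    """
    hops = [parse_received(v) for v in message_from_string(raw).get_all("Received", [])]
    if not hops or hops[0]["by"] != own_mta.lower():
        return {"origin_ip": None, "origin_time": None, "consistent": [], "unlinked": hops}
    last = 0
    for i in range(1, len(hops)):
        if hops[i]["by"] != hops[i - 1]["from"]:
            break
        last = i
    return {
        "origin_ip": hops[last]["ip"],      # address that handed the mail to the chain
        "origin_time": hops[last]["time"],  # needed to resolve a dynamic IP assignment
        "consistent": hops[: last + 1],
        "unlinked": hops[last + 1:],
    }


if __name__ == "__main__":
    result = trace(RAW_MESSAGE, "mail.victim.example")
    print("origin:", result["origin_ip"], result["origin_time"])
    print("unlinked hops written by:", [h["by"] for h in result["unlinked"]])
```

The address and timestamp returned are a lead, not proof: hops written by third-party servers still have to be corroborated with those operators' own logs.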


BACKGROUND

•  Emerging relevance of digital evidence influences the procedures in court

•  It is possible to divide between two different processes:

1.  Substitution of traditional evidence by digital evidence

2.  Introduction of digital evidence as additional evidence

•  Influence is not limited to the fact that courts need to deal with digital evidence

•  Even the design of courtrooms is influenced


DIGITAL DATA

•  One explanation for the emerging importance of digital evidence is the fact that the number of digital documents is increasing intensively

•  The cost of storing one MB of data has been constantly decreasing during the last decades

•  Today it is cheaper to store information digitally than to keep physical copies


GLOBAL PHENOMENON

•  Availability of encryption technology is a global challenge

•  Powerful software tools that are available on a large scale in the Internet

•  Some of the latest versions of operating systems contain encryption technology


BREAKING A KEY

•  Brute Force Attack: Method of defeating a cryptographic scheme by trying a large number of possibilities; for example, exhaustively working through all possible keys in order to decrypt a message

•  Gaps in the encryption software

•  Dictionary-based attack

•  Social Engineering

•  Classic search for hints

•  Need for legislative approaches?


20 BIT ENCRYPTION     1.048.576             1          1 sec.

40 BIT ENCRYPTION     1.099.511.627.776     1          305 hours

56 BIT ENCRYPTION     7.2 e+30              1          2284 years

56 BIT ENCRYPTION     7.2 e+30              100.000    200 hours

128 BIT ENCRYPTION    3.4 e+52              100.000    1079028307080602 e+25 years


SOLUTION

•  Technical solutions (with legal component)

•  Magic Lantern (US)

•  Remote Forensic Software (Germany)

•  Legal solution

•  Various restrictions on import/export and use of encryption technology

•  UK: Obligation to disclose password (Sec. 49 of the UK Investigatory Powers Act 2000)


WEBSITES AND SOFTWARE USED


Information available to operator of websites: http://cqcounter.com/whois/what_is_my_ip.php

Public Proxy Server: http://www.publicproxyservers.com/proxy/list1.html

WayBackMachine: http://www.archive.org/

TrueCrypt: http://www.truecrypt.org/

TOR Network: http://www.torproject.org/


Cybercrime Research Institute Prof. Dr. Marco Gercke

Niehler Str. 35

D-50733 Cologne, Germany


www.cybercrime-institute.com