international telecommunication union itu-ec hipssa project support for harmonization of the ict...
TRANSCRIPT
InternationalTelecommunicationUnion
ITU-EC HIPSSA ProjectITU-EC HIPSSA Project
Support for Harmonization of the ICT Policies Support for Harmonization of the ICT Policies in Sub-Sahara Africa in Sub-Sahara Africa
Workshop on Namibia National Transposition of SADC Model Workshop on Namibia National Transposition of SADC Model Laws on Cybersecurity, Lusaka, 20 August 2013Laws on Cybersecurity, Lusaka, 20 August 2013
Cybercrime Training (Needs and Topics)Cybercrime Training (Needs and Topics)
Presenter: Prof Dr Marco GerckePresenter: Prof Dr Marco Gercke
Cybercrime
TRAINING IN THE CONTEXT OF A COMPREHENSIVE APPROACH
TO FIGHT CYBERCRIME
Page: 2
Cybercrime
page: 3
INTERDEPENDENCEAssessment Nat. ICT Strategy
Assessment of Cybercrime
Assessment Cybercrime Policy
Assessment of Legislation
Asm. Cybersecurity Strategy
Asm. Institutional Capacities
Stakeholder Consultations
Anti-Cybercrime Policy
Building Institutional Capacities
Ministries / Government Inst.General Public
Media / Education
Civil Liberty Groups
Drafing Legislation
Drafting Crime Prevention S.
Drafting Int. Coop. StrategyDeveloping Monitoring S.
Drafting Policy Drafting PPP Strategy
Explanatory Notes
Training for Jud./Pros./Law.
Material for Press
Curriculum for Schools
Supplying Free Tools Media Campaigns
Equipment Police/Customs
Complain Center
Coord
inato
r w
ith
au
thori
ty
Som
eb
od
y
doin
gth
e w
ork
Som
eb
od
y
doin
gth
e w
ork
Ch
am
pio
nC
ham
pio
n
Assessment
Consultation
Drafting
Implement.
Cybercrime
page: 4
COMPONENT 1: TECHNOLOGY
Cybercrime
Page: 5
TECHNOLOGY
• Training should include training on technology
• Level of detail of the training on technology is depending on the target audience. While judges and prosecutors might only need an overview Cybercrime investigators will need in depth training
Cybercrime
NETWORK CONCEPTAccess Provider
Page: 6
Provides an IP Address that is required to communicate. Allows upload and download of data
User
Wants to download From www.xxx.com
124.222.121.1
Domain Name Server
Translates domain names (like www.xxx.com into an IP Addressxxx.com = 85.1.3.44
Routers
Forward the request to the right server
Hosting Provider
Stores data for a content provider
Content Provider
Anybody who produces data
85.1.3.44
211.1.3.88
Cybercrime
page: 7
PHENOMENA
Cybercrime
Page: 8
PHENOMENA
• Training should include training on phenomena of Cybercrime
• Area with great dynamics
• Such training could also be interesting for the press and the general public in order for them to understand how such crime is committed
• The following slides contain some examples (excerpts)
Cybercrime
Page: 9
DATA ESPIONAGE
• Valuable and secret information are often stored without adequate protection
• Lack of self-protection especially with regard to small businesses and private computer users
• Development of protection-plans
are often inadequate (eg. change of hard-drive without deleting sensible information in advance)
Picture removed in print versionBild zur Druckoptimierung entfernt
KEYLOGGER
Cyberwarfare
page: 10
INTRODUCTION
09 10 11 12
StuxnetFlame
Iran Oil Terminal
Duqu
Picture removed in print versionBild zur Druckoptimierung entfernt
GROOMING CHAT
Cybercrime
page: 11
GROOMING• The ultimate aim of the offender
is often to meet and sexually abuse the child – which requires the presence of the offender at the location of the child
ADULT:
CHILD:
ADULT:
CHILD:
ADULT:
CHILD:
‘Shortly described you have THREE options to earn money through us: 1-Images (you can earn between 50-200 for each series, i.e. 16 images) 2-Web shows [...]it sounds ok, but I think I start with the images... send a couple of images of yourself so I can get a better understanding of how you look ...because then we can start with the fun: namely to discuss prices ;)
[Child sending over images]
more .. any in full figure? more?
[Child sending over images]
Cybercrime
page: 12
DEVELOPMENT
Cybercrime
Page: 13
PHENOMENA
• Training should include training the development of Cybercrime
• Computer crime and Cybercrime is known for more than 50 years
• A lot of important things can be learned by studying the past developments
Cybercrime
page: 14
196oth • Introduction of transistor
based computer systems lead to an increasing use of computers
• Offences at this time were focusing on the physical damage of computer systems and data
• Example: Student riot cause a fire that destroyed computer systems at a university in Canada
Picture removed in print versionBild zur Druckoptimierung entfernt
Source: Wikipedia with ref. to US Gov.
COMPUTER ATTACK / BOTNET
Page: 15
Cybercrime
9897 99 00 01 02 0403 05 06 07 08 09 10
Attacks against computer systemsin Estonia during political conflicts
Growing number of users of the Internet goes along with a growing number of hacking attacks
Hacking attack againstairport control system
11
Attacks against computer systemsin Georgia during armed conflict
Largest botnets: 100.000 bots
Largest botnets: 12.000.000 bots
Legal Response
Phenomena
Cybercrime
page: 16
EXTENT OF CRIME
Cybercrime
UNCERTAINTY REGARDING EXTENT
• Lack of reporting leads to uncertainty with regard to the extent of crime
• This is especially relevant with regard to the involvement of organized crime
• Available information from the crime statistics therefore not necessary reflect the real extent of crime
Page: 17
Picture removed in print versionBild zur Druckoptimierung entfernt
HEIISE NEWS 27.10.2007
The United States Federal Bureau of Investigation has requested companies not to keep quiet about phishing attacks and attacks on company IT systems, but to inform authorities, so that they can be better informed about criminal activities on the Internet. "It is a problem for us that some companies are clearly more worried about bad publicity than they are about the consequences of a successfulhacker attack," explained Mark Mershon, acting head of the FBI's New York office.
Cybercrime
page: 18
LATEST TRENDS
Cybercrime
Page: 19
LATEST TRENDS
• The training should include training in relation to latest trends
• A regular update on the latest developments will not only be important for investigators but also the general public
• Example: Liberty Reserve (Money Laundering), AP Twitter Account Hack and stock market manipulation
Cybercrime
page: 20
TRAINING FOR JUDGES
Cybercrime
Page: 21
TRAINING FOR JUDGES
• Training for judges may include an overview about technology and investigation techniques
• The focus will most likely be on substantive criminal law
• Training may also include components on electronic evidence
CYBERCRIME
page: 22
DEFAMATION AND LIBEL• Internet enables possibilities to
anonymously post information on websites
• This enables the offender to publish defamatory content and make it much more difficult for investigators to identify the offender
Picture removed in print versionBild zur Druckoptimierung entfernt
SEC 265 CC OF QUEENSLAND
365 Criminal defamation(1) Any person who, without lawful excuse, publishes matter defamatory of another living person (the relevant person)—(a) knowing the matter to be false or without having regard to whether the matter is true or false;and(b) intending to cause serious harm to the relevant person or any other person or without havingregard to whether serious harm to the relevant person or any other person is caused; commits amisdemeanour. Maximum penalty—3 years imprisonment.
Cybercrime
• Emerging relevance of digital evidence influences the procedures in court
• Influence is not limited to the fact that courts need to deal with digital evidence
• Even the design of courtrooms is influenced
Page: 23
ELECTRONIC EVIDENCE
Cybercrime
page: 24
TRAINING FOR CYBERCRIME INVESTIGATORS
Cybercrime
Page: 25
TRAINING FOR INVESTIGATORS
• Cybercrime investigators may require a very intensive training due to the complexity of the subject matter
• This especially includes technology and investigation techniques
• Training should include practical elements and simulations
Picture removed in print versionBild zur Druckoptimierung entfernt
US FIRST RESPONDER GUIDE 3RD ED.
Cybercrime
Seite: 26
IMPORTANCE OF UPDATES
• Constant training is necessary as technology is changing
• Experts working in this field need to be aware about the consequences of the latest technical trends for investigations
• Example: Advice to unplug cord from computer can lead to an encryption of the hard drive if the suspect activated whole disc encryption
Picture removed in print versionBild zur Druckoptimierung entfernt
US FIRST RESPONDER GUIDE 3RD ED.
Cybercrime
IMPORTANCE OF UPDATES
• If the suspect is using encryption technology disconnecting the computer system from electricity could hinder access to evidence
• Live forensics may be required
• In addition to technical capacities to undertake live forensics (e.g. software, hardware) there might be a need for a solid legal foundation as live forensics might interfere with the integrity of evidence
Page: 27
Cybercrime
page: 28
TRAINING FOR
POLICE
Cybercrime
Page: 29
GENERNAL TRAINING FOR POLICE
• In addition to the special training for Cybercrime investigators a general training for the police should be organized
• Background: Electronic evidence is becoming more and more relevant not only in Cybercrime cases but also when it comes to traditional crimes (such as murder cases)
Cybercrime
page: 30
TRAINING FOR LEGAL DRAFTERS
Cybercrime
Page: 31
LEGAL DRAFTERS
• In order to finalize the draft Bills and implement them into the national legislation legal drafters might require additional training
• This will especially help them to understand differences between the SADC model law and some international standards
• Some differences are a result of correcting mistakes in older international standards (see next slide)
EXAMPLE: CHILD PORNOGRAPHY
• As cooperation requires legislation gaps can have significant impact
• In the early discussion about legal response to an online distribution of child pornography the drafter of regulations focused on digital images
• Today not only images and videos but also audio recordings of the sexual abuse of children are distributed online
• Older approaches often use language (such as “visually” or “image”) that excludes such material
Page: 32
Cybercrime
Picture removed in print versionBild zur Druckoptimierung entfernt
Convention on Cybercrime
2. For the purpose of paragraph 1 above, the term “child pornography” shall include pornographic material that visually depicts:a. a minor engaged in sexually explicit conduct;b. a person appearing to be a minor engaged in sexually explicit conduct;c. realistic images representing a minor engaged in sexually explicit conduct.
Picture removed in print versionBild zur Druckoptimierung entfernt
EU Directive Child Pornography 2011
(c) ‘child pornography’ means: (i) any material that visually depicts a child engaged in real or simulated sexually explicit conduct;
EXAMPLE: CHILD PORNOGRAPHY
• As cooperation requires legislation gaps can have significant impact
• In the early discussion about legal response to an online distribution of child pornography the drafter of regulations focused on digital images
• Today not only images and videos but also audio recordings of the sexual abuse of children are distributed online
• Older approaches often use language (such as “visually” or “image”) that excludes such material
Page: 33
Cybercrime
Picture removed in print versionBild zur Druckoptimierung entfernt
IOL News 2011
Picture removed in print versionBild zur Druckoptimierung entfernt
US Training Manual
EXAMPLE: CHILD PORNOGRAPHY
• SADC Model Law consequently avoids the term “visually”
• In addition the definition of the model legislative text contains a clarification that audio material is included
Page: 34
Cybercrime
Picture removed in print versionBild zur Druckoptimierung entfernt
SADC MODEL LAW
(8) Child pornography means pornographic material that depicts presents or represents: (a) a child engaged in sexually explicit conduct; (b) a person appearing to be a child engaged in sexually explicit conduct; or (c) images representing a child engaged in sexually explicit conduct; this includes, but is not limited to, any audio, visual or text pornographic material.
Cybercrime
page: 35
GENERAL PUBLIC
Cybercrime
Page: 36
GENERAL PUBLIC
• As part of a crime prevention strategy general training could be organized for the general public
• Such training could include an overview about how crimes are committed and how to prevent becoming victim of such crime
• This may include a special training for schools and universities
Cybercrime
Seite: 37
Understanding Cybercrime
ITU
Thank you for your Thank you for your attention!attention!
INTERNATIONAL TELECOMMUNICATION UNIONINTERNATIONAL TELECOMMUNICATION UNION
38