Newsletter

The Sixth Conference on Computers, Freedom, and Privacy


Crime and Law in Cyberspace - DOJ/FBI Training Session

By Kevin Fu

Special Agent Richard Ress of the FBI Computer Crime Squad and Peter Toren of the Computer Crime Unit of the Department of Justice presented their respective agencies' perspectives on computer crime problems in a CFP96 tutorial about crime and law.

The FBI considers computer crime a global threat, not solely a U.S. problem, Ress said.

According to the Computer Emergency Response Team, there were 773 recorded break-ins in 1992, rising to 2300 break-ins in 1994. Each year saw an increase of over 70 percent in intrusion reports. However, less than 5 percent of affected sysops realize their systems have been penetrated. Who could be a victim? Basically anyone who has plugged into the wall and connected to the Internet.

The Internet has become the most rapidly developed communications infrastructure, Ress said. It is the "strongest socially driving force today." It is not singularly regulated or managed. The U.S. is now the slowest growing user base -- Europe and Asia have become the fastest growing Internet communities. Many extremists use the Internet and anonymity may encourage extremist views, commented Ress.

There are several trends that are affecting the PSN (Public "Switch" Network) including the magnitude of computing power, increased sophistication, more linkage via LANs and WANs, a greater number of users and disparity of knowledge, he said.

Typical hacker tools include SATAN (a security analysis program), utilization of GUIs, RootKit, and others. Criminals use state-of-the-art equipment while law enforcement is at least five years behind. But the easiest method of breaking in is social engineering, Ress said. For example, a hacker could go "dumpster diving" and collect a large quantity of information about a corporation. A hacker could then pose as an employee and refer to various people within the company. This method has been used to obtain much non-public information. With these methods in mind, the FBI Computer Crime Squad has distinguished 5 types of "hackers":

Intruders/pure hackers tend to be the most visible because of their public bragging and ego-driven tendencies. They represent the majority of the computer crime cases. Intruders usually work with low cost equipment and operate in a low risk area. These hackers create the most volume of problems.

Insiders are the real corporate threat. These often self-motivated hackers are the most dangerous of hackers. Typical insiders can be disgruntled employees, telephone repair service workers or people with inside access. Because of the nature of insider corporate computer crime, these incidents usually go unreported and represent the least number of referrals to law enforcement.

Criminals are able to use anonymity and the speed of the communication to conduct illegal activities. Typical criminals include drug dealers, white collar criminals and transnational criminals.

Industrial espionage hackers prey on the increasing vulnerability of corporate America as more information becomes valuable.

Foreign intelligence-sponsored computer crime can destroy "enemy lines" of communication and strike deep into a nation from far away.

A member of the audience voiced his opinion that computer hackers can be thought of as useful people who find holes in the system before the "real criminals" can exploit the security holes. Ress responded that these hackers cause too much damage to be useful and that their criminal activities should not be considered a service.

Ress emphasized that the ultimate goal of a law enforcement official is not to become a techie, but to bring "the bad guys" to justice. Law enforcement personnel must stay focused on this goal, he said.

Ress advised officials not to deal with hackers in their own environment. Almost all hackers lack social skills, he said, so moving the hacker into the physical world makes the fight on the officer's turf.

Toren (of the Department of Justice) spoke mainly on how to approach computer crime incidents. There are many resources on the Internet that can be found on law enforcement BBSs and via search engines such as Yahoo, Excite, or Alta Vista, Toren said.

Toren emphasized the investigative process. The Internet is a good resource, but it has a lack of confidentiality. Web sites usually keep logs of connections and often record the source of requests and usernames. Confidential communication should be transmitted in an encrypted format.

A common question is how to conduct a proper investigation when logging into a service such as a BBS. It is fine to access a BBS if permission is granted or implied, Toren said. Banners that deny access to law enforcement are handled differently from agency to agency. Proper action depends on agency policy and the ECPA. Ress added that his agency's policy allows up to 3 instances of communication before considering the contact more than a preliminary inquiry.

The first person to contact is the system operator. The sysop is usually the best expert available, Toren said.

Information in transit and information stored on a person's own computer are treated differently. Electronic storage is "temporary, intermediate storage...incidental to transmission," Toren said. An example is email spooled on a server. However, email stored on a person's personal machine is not considered temporary storage. If the information has been temporarily stored for less than 180 days, a warrant is needed to obtain the contents. After 180 days, a grand jury subpoena or special order with a notice to the sender and receiver (which may be delayed) is required to obtain the content.

Toren advised law enforcement officials on what procedures to use in certain circumstances. If there is probable cause, use a search warrant. Otherwise consider using the delayed notice method. If the data is located abroad, stop immediately!

Toward the end of the session, because time was running short, Toren quickly mentioned the Privacy Protection Act, BBSs claiming to be a publisher (Steve Jackson Games v. U.S. Secret Service), keystroke monitoring as a wiretap, public chat rooms and IRC.


Comments and bug reports to Daniel C. Stevenson