Presentation on theme: "Jennifer Stisa Granick, Esq. Exec. Director, Center for Internet & Society Stanford Law School Stanford, California USA Black."— Presentation transcript:
Jennifer Stisa Granick, Esq. Exec. Director, Center for Internet & Society Stanford Law School Stanford, California USA http://cyberlaw.stanford.edu Black Hat Briefings 2004 Legal Liability and Security Incident Investigation
Intrusion Investigation Tools Social Engineering Wiretap Sniffing Wireless Stored Communications Keystroke Logging Port Scanning
Intrusion Investigation Tools, cont Vulnerability Scanning Remote Access Trojan Horse Programs Ping, whois, traceroute, finger, googling Web Beacons Strike-Back or Active Defense Technology
Possible Legal Liability/Obstacles Fourth Amendment Fraud Illegal Interception of/Access to Data Computer Crime Laws: Unauthorized Access Possessing Illegal Tools/Devices
Fourth Amendment Protects against unreasonable search and seizure Constrains government and govt agents
Social Engineering If you have some idea of who attacked your system, or where evidence might be, can you pretend to be someone else to get information (user ids, passwords, etc.) to use in your investigation?
Fraud Applies to Social engineering? Misrepresentation Fraudulent purpose: to deprive another of the intangible right of honest services, money, etc.?
Sniffing Can you monitor in real time your own system, the suspected intruders system, or the system of a third party to get more information about the attack?
Illegal Interception Issues Monitoring by: –Intelligence Agency or Law Enforcement –Service Provider, Business, Employer –Other Content of Communications vs. Transactional or Traffic Information Real Time vs. In Storage Rights of Third Parties
Wiretapping/Sniffing General Rule: No interception (acquisition) of the CONTENTS of communications in transit. –No eavesdropping/sniffing –No using or disclosing intercepted communications
Exceptions to Rule Against Interception Warrant Computer Trespasser Exception Consent of a Party to the Communication Exception Provider Exception (System Protection) Readily accessible to general public
Wiretap Warrant DOJ Approval Federal Judge Warrant/Prob. Cause Predicate Offense Necessity/No Other Means Minimization 30 day authorization
Computer Trespasser Exception Government may monitor trespasser if No contractual relationship or authority to be on computer Provider authorized interception Government does the monitoring Only communications to and from trespasser intercepted and Reasonable grounds to believe info is relevant to an ongoing (legitimate) investigation
Party/Consent Exception Party to a communication can intercept or give consent to intercept –Warning Banners: All activity subject to monitoring –Terms of Service
Service Provider Exception Provider May Monitor to Protect Its Rights or Property May intercept communications if inherently necessary to providing the service Scope of exception undefined
Accessible to the Public 2511(2)(g)(i): It shall not be unlawful under this chapter or chapter 121 of this title for any person - to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public Are open wireless access points accessible to the general public?
Can You Do RT Traffic Analysis? General prohibition LE needs a pen/trap and trace order Service provider need –Relating to operation of service –Protection of rights or property of provider –To record fact of completion Consent of user
Reviewing Stored Files or Logs Can you search documents the intruder placed on your system? On an intermediary system? On his/her own system?
Accessing Stored Communications General Prohibition: Illegal to access stored communications without or in excess of authorization
Providers Right to Review Any provider may freely read stored email/files of its customers –Not unauthorized access to the system A non-public provider may also freely disclose that information –for example, an employer
Accessing Stored Subscriber Info Provider may access and disclose non- content records to anyone except a governmental entity Exceptions –to protect providers rights/property –threat of death/serious bodily injury –appropriate legal process –consent of subscriber
Accessing Other Computer Systems Can you disable a system that is sending you malicious code? Can you install monitoring programs on another system? Can you gain remote access to that system to search it?
Computer Fraud and Abuse Act (18 USC 1030) Unauthorized access that causes damage to protected computer –loss > $5,000 in value –modification or impairment of the medical data –physical injury to any person; –a threat to public health or safety; –damage to computer system used in furtherance of the administration of justice, national defense, or national security
Things That Are Unauthorized Access/Trespass SPAM Domain name search robots Internet auction information spiders Travel agent price aggregators Cookies Port scanning?
Port Scanning Metaphors –Jiggling Doorknobs –Looking at the house Moulton v. VC3: Not unauthorized access under 18 USC 1030, no damage Attempt?
Trojan Horse 18 USC 1030(a)(5)(A)(i) : knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer
Strike Back Unauthorized Access/Transmission Defense of self/others? Justification/Necessity?
Possible to Get in Trouble for Net. Analysis Tools? COE: Article 6 France: LEN US: DMCA
COE Article 6 Criminalizes the production, sale, procurement for use, import, distribution of a device or program designed or adapted primarily for the purpose of committing unauthorized access or data intercept, and possession with criminal intent or such a device. No criminal liability if not for the purpose of committing an offence, such as for the authorized testing or protection of a computer system
France: loi pour la confiance dans l'économie numérique Art. 323-3-1. - Le fait, sans motif légitime, d'importer, de détenir, d'offrir,de céder ou de mettre à disposition un équipement, un instrument, un programme informatique ou toute donnée conçus ou spécialement adaptés pour commettre une ou plusieurs des infractions prévues par les articles 323- 1 à 323-3 est puni des peines prévues respectivement pour l'infraction elle-même ou pour l'infraction la plus sévèrement réprimée.» Sans motif legitime: Burden on possessor to prove legitimate motive
US: DMCA Prohibits Circumvention of Technological Measure that Effectively Controls Access to a Copyrighted Work Prohibits Manufacturing and Distribution of Any Technology (Tools) –Primarily Designed for the Purpose of Circumventing Access Controls –Limited Commercially Significant Purpose OR –Marketed for Use in Circumvention
Talk to a Lawyer Before Lying to get account information Intercepting communications Doing real time traffic analysis Accessing, installing code on or disabling other peoples systems
Jennifer Stisa Granick, Esq. Center for Internet & Society Stanford Law School 559 Nathan Abbott Way Stanford, California 94305 USA +1 (650) 724-0014 Jennifer@law.stanford.edu