Setting Standards in Security

[This was originally published on Aviary Magazine and mirrored on attrition.org.]

Returning from Tokyo a few weeks back prompted me to remember an ongoing problem in the security community. I don’t necessarily mean the computer security community, but this certainly applies to computer/network security as well as anyone else. The reason this is a big concern is not because it directly leaves a gaping hole in your defense, rather that it helps to create weak links in your defense. As we all know, your system is only as strong as the weakest link. Looking back to Tokyo, I noticed the standard they set for airport security. Specifically, the inspection of individuals before letting them on the plane. The US metal detectors are often the source of jokes or parts of comedic routines.

In Tokyo, I walked through with my pager, a pocketful of coins, a metal belt buckle, dog tags, a second metal necklace, steel toed boots and who knows what else. Most US metal detectors have a problem with the coins, buckle, and boots which cause me to move to a second detector and eventually a hand held detector check. In fact, it happens so frequently in US airports, I don’t even bother removing most metal at the first gate, rather I walk through holding my arms out saying “My boots always set it off.” Without failure, I pass the second detector and hand held check and move on without missing a beat. I started doing that after the inconsistent nature of the US detectors. Some would complain about a pocket full of quarters, while others didn’t like my boots and some didn’t care about any of it. It made me realize that there were no national guidelines for these detectors. Odd.

When you pass your bags through the x-ray machine, do you get stopped for having a laptop? A single time caused them to swab my laptop and put it in the machine that checks for explosives. One out of five trips they ask for me to power it on. Four out of five times I must show my pager can change the display. We all know that a laptop is sufficient room to pack enough C4 and wiring to make a hefty bomb, so why wouldn’t they check it every time? It makes no sense. As much as I hate to say it, the FAA should require ALL electronics to be checked. Anything short of that and all they are doing with the security checkpoints is giving us warm fuzzies, not personal security.

While this seems trivial to many, it means a world more to those in the security field. The fact that all of that metal can be carried onto a plane without being challenged is an issue. I won’t even bring up the fact that I carry at least one knife on all plane trips. Along with that: extra batteries, computer accessories (including cable/wiring sometimes), computer repair tools, and more. Interestingly enough, that is almost everything required to make or piece together explosives! I certainly have no intention of blowing up a plane or hijacking one, but I do carry half the gear needed to do just that. And I am never stopped or questioned.

As crazy and disjointed as this sounds, it is true twice over in the computer/network security field. What few standards are proclaimed by industry participants are adopted by an amazingly small percentage of companies. Despite this, I can understand why they wouldn’t be accepted and implemented. To date, the security standards have been set mostly by third party companies with a financial interest in doing so. Worse, set by third party companies that are not recognized leaders in the security field.

These inconsistent metal detectors in our airports are akin to the security mechanisms guarding corporate infrastructures. Strong firewalls protecting the company from the ten to twenty percent of attacks that come from outside. Little to no interior defenses guarding us from the most threatening attackers: employees with internal access. Failing to set a standard level of security for ALL points of entry creates another weak link in your defenses. Case history shows that those weak links are the first to break at the first sign of pressure.

Not Just a Game Anymore

[This was originally published on Hacker News Network (HNN) and mirrored on attrition.org.]

This is a follow-up to a previous article titled Is it worth it? Dispelling the myths of law enforcement and hacking, released on November 22, 1999 via Hacker News Network.

Included with this article are several sanitized copies of various documents pertaining to computer crime investigations. Names, dates and locations have been changed.

Some of the information in this article may be a bit redundant from the last article, but this is done in order to present a self-standing article that is as complete as possible. Some of the links to agency homepages have been changed to point to their true home page, not just the system hosting the page.

        More on Search and Seizure
                The Search
                The Seizure
        Statute of Limitations
        What exactly is illegal?
        More on Punishment

        Investigating Agencies
                Federal Bureau of Investigations (FBI)
                Defense Criminal Investigative Service (DCIS)
                NASA Office of the Inspector General (NASA OIG)
                Naval Criminal Investigative Service (NCIS)
                U.S. Army Criminal Investigation Command (USACIDC)
                Royal Canadian Mounted Police (RCMP)
                Defense Computer Forensic Laboratory (DCFL)

        Appendix and Additional Information
                A - Search and Seizure Warrant
                B - Search and Seizure Warrant, Attachment A (apartment)
                C - Search and Seizure Warrant, Attachment A (colocated machine)
                D - Search and Seizure Warrant, Attachment C
                E - Warrant for Arrest
                F - Indictment
                G - USDOJ Press Release


More on Search and Seizure

Before any Law Enforcement (LE) officer/agent may step foot in your place of living, they must obtain a search warrant that gives them explicit permission to do so. The warrant will list the physical address of the premises to be searched, a description of the establishment, a time frame for the search and seizure, and a list of acceptable material that may be seized. The warrant is likely to be issued by your District Court to the agent in charge of the investigation.

Rather than explain each part of the search and seizure warrant, I have included a sanitized version of one with this article. From my experience and communication with others, the warrant included can be taken as a very typical and standard version used throughout the U.S. Appendix A includes the first page of the warrant which details the premises to be searched, dates, who will conduct the seizure and more. Appendix B is a copy of Attachment A which is a wordy description of the premises to be searched. Appendix C is a copy of Attachment C which lists all material covered under the search and seizure guidelines.

Appendix A – Search and Seizure Warrant
Appendix B – Search and Seizure Warrant, Attachment A (apartment)
Appendix C – Search and Seizure Warrant, Attachment A (colocated machine)
Appendix D – Search and Seizure Warrant, Attachment C

Some notes and observations about the material contained in Appendix A. As outlined on the warrant, the agents may conduct the search and seizure either between the hours of 6:00am – 10:00pm, OR “at any time in the day or night as I find reasonable cause has been established”. One of the two options should be struck through and initialed by the Judicial Officer. Also included is a date that the search must be executed by.

The Search

Being subjected to an FBI search and seizure is an interesting experience to say the least. No official wording on any warrant can come close to explaining the experience. Typically arriving at your residence between 6:00 and 8:00am, almost a dozen agents are ready to toss your apartment to fulfill the warrant. After being greeted at gunpoint and your residence secured, the agents will mark each room with a post-it note and number. These numbers correspond to the receipt they leave you detailing what material was taken from each room.

In keeping with standard search and seizure practice, not much is left unturned. Some of the places you can expect the agents to search:

  • Under the bed, between the sheets, between the frame/box
  • Behind each and every hanging picture, especially framed
  • Under/Behind dressers and furniture
  • In the reservoir of your toilet
  • Any attic or crawl space
  • Every drawer, cupboard, container, shelf or other storage area
  • Inside the refrigerator/freezer
  • Under/Inside any cushion with removable insides
  • Between the pages of books
  • In air vents or other commonly used places to conceal items

If this does not help paint a picture that agents are rather thorough, let me clear it up. They are quite thorough. Do they find everything? Not all the time. In some cases agents even miss items out in the open that they might normally take. To balance this, they almost always take a considerable amount of material that is completely irrelevant or esoteric.

For the most part, you can also dismiss any notions you may have about hiding items before the raid. When they knock on the door, they will not give you time to do anything short of opening the door and complying with their demands. If they have any idea that you may be destroying evidence, they are empowered with the ability to forcibly enter your residence, physically detain you, and carry on.

The search and seizure will not be short by any means. You can expect it to last anywhere from a few hours to a full day. During this time you will be questioned by a number of agents regarding anything and everything they might think to ask. I don’t know if it is intentional and designed to throw you off, but they may ask extremely bizarre questions that lead you to wonder about their intelligence. During this questioning, do one of two things:

  • Refuse to answer ALL questions until your lawyer is present.
  • Answer questions honestly.

Lying to law enforcement agents may seem like a clever thing to do at the time, but it is much more likely to hurt you in the long run. If you are caught in a single lie during questioning, it will further encourage the agents to question you more. They also have the option of charging you with obstruction of justice if so inclined. Once an agent gets it into their head that you are guilty, it is bad news for you regardless of your actual guilt or innocence.

It is extremely important that you realize your rights. UNDER NO CIRCUMSTANCE do you have to answer questions without the presence of your lawyer. No matter what the LE agent says, suggests, or implies, this is a fundamental right. In many cases, raid victims are not being charged with a crime. Because of this, their rights are not read to them. Just because you aren’t under arrest does not mean those rights are waived! The courts have recently found that police can be sued if they discourage raid victims from consulting a lawyer. More on this ruling can be found in this Washington Post article.

The Seizure

What can LE agents take from you? EVERYTHING. You can’t argue about it either. While they may take material that is not explicitly covered under the warrant and may later be forced to give it back to you, that doesn’t help you when they are rummaging through your house. Re-read the list of materials covered under Attachment C and think about how broad it is.

It is safe to say that absolutely anything remotely computer related is covered under the warrant. There are a few things that are also covered under the guidelines that tend to surprise people when confiscated.

  • “electronic organizers”: these include ones with mini keyboards like the Sharp organizers, as well as touch screen like Palm Pilots.
  • “personal diaries”: even your little black journal detailing sexual exploits, or a notepad with poetry.
  • “books, newspaper, and magazine articles concerning hacking”: this includes ANY computer book in your residence. Newspapers or magazines that have security or hacker articles are included.
  • “cassette tapes, video cassette tapes, and magnetic tapes”: If it isn’t a store bought tape, it is subject to seizure. Doesn’t matter if it contains episodes of the Beavers or pornography.
  • “fax machines”: despite a fax machine typically not having the ability to store information long term, it is fair game.
  • “indicia of occupancy or tenancy..”: Any paperwork or proof that you own or rent your place. Any sales receipts, billing records or anything else close.
  • “other items … in violation of Title 18..”: Perhaps the worst listing of them all, this allows them to take just about anything else they may deem necessary.

Statute of Limitations

Another often asked question is how long the feds can investigate you. As long as they want. For most cases, LE can investigate a crime for up to five years after it was committed. This is known as the Statute of Limitations and means how long they can investigate and press charges against you for the crime. Hypothetically that is. If the crime is serious, several agents have assured me that the U.S. Government will find a way to stretch that timeframe.

Regardless, if the agents have not made a case against you, the government attorneys will not press charges. Even so, you can expect them to hold onto any seized equipment until the conclusion of their investigation. If they go so far as seizing equipment and not pressing charges, you can expect to get your stuff back 1,825 days after it was taken, just to spite you.


What exactly is illegal?

Thanks to the vague (or was it intentional?) wording of the Title 18 laws, several actions you may consider harmless could fall into murky legal territory. As a DCIS agent recently said in a conversation about the last article, “Even if you telnet to a machine and type anything in, that can be attempted intrusion!”. As fascist as that may sound, it is true. Any activity or connections to a remote machine without authorization may be illegal. Because it is partially based on intent and partially based on your activities, this is still somewhat uncharted territory. While it is highly unlikely you will be charged for portscanning a machine, repeated poking at an open port could be enough to spark interest in your activities.

Another term often used by agents and lawyers is “illegal access device” (IAD). This has turned into another all-encompassing term that can be used for a wide variety of things in a case against you. Some of the things that fall into this category:

  • login/passwd: Any login and password for any type of system be it Unix, VAX/VMS, voice mail or something else.
  • ESN/MIN: Cloning cell phones is illegal as you know, but each ESN/MIN pair counts as one IAD.
  • CC/Exp: Each Credit Card w/ Expiration Date. Remember, it takes both pieces to purchase anything.
  • Access keycard: Find an access device in the dumpster? Pick it up after someone dropped it? This allows access (illegally) into a building.
  • Employee ID: Like an access keycard, these are often used to bypass controlled access points or visual checks at guard desks.

Consider that when some hackers are busted, they are caught with a list of thousands of logins and passwords to systems around the world. Disturbing to think that each one can be used as a felony charge against you. When federal agents hold up to a thousand felony charges over your head, it is often enough to make you want to cut a deal. This is one reason that strong encryption is the friend of hackers.


More on Punishment

The punishment for hacking crimes is growing. Convicted hackers five years ago could expect a light slap on the wrist, a few hours of community service, and not much else. These days, a single felony count of computer hacking can lead to 15 months in jail along with restitution in the tens of thousands of dollars. Look at the verbose list of restrictions placed on Kevin Mitnick below, examine them closely, and consider what they really entail.

While the following restrictions may not be applied to every case, consider that they have been applied to one convicted hacker. Further consider that as such, these restrictions may be used as case law in future court hearings. The following restrictions are taken from a larger document concerning Kevin Mitnick and the restrictions.

http://www.kevinmitnick.com/081898writ.html#release_conditions

A. Absent prior express written approval from the Probation Officer, the
Petitioner shall not possess or use, for any purpose, the following:

    1. any computer hardware equipment;

    2. any computer software programs;

    3. modems;

    4. any computer related peripheral or support equipment;

    5. portable laptop computer, 'personal information assistants,'
       and derivatives;

    6. cellular telephones;

    7. televisions or other instruments of communication equipped with
       on-line, internet, world-wide web or other computer network access;

    8. any other electronic equipment, presently available or new
       technology that becomes available, that can be converted to
       or has as its function the ability to act as a computer system
       or to access a computer system, computer network or
       telecommunications network (except defendant may possess a
       'land line' telephone);

B. The defendant shall not be employed in or perform services for any
   entity engaged in the computer, computer software, or
   telecommunications business and shall not be employed in any capacity
   wherein he has access to computers or computer related equipment or
   software;

C. The defendant shall not access computers, computer networks or other
   forms of wireless communications himself or through third parties;

D. The defendant shall not act as a consultant or advisor to individuals
   or groups engaged in any computer related activity;

E. The defendant shall not acquire or possess any computer codes (including
   computer passwords), cellular phone access codes or other access devices
   that enable the defendant to use, acquire, exchange or alter information
   in a computer or telecommunications database system;

F. The defendant shall not use any data encryption device, program or
   technique for computers;

G. The defendant shall not alter or possess any altered telephone,
   telephone equipment or any other communications related equipment.

Imagine being subjected to these restrictions for a period of THREE years. Not only does your primary hobby go away, your means for stable income are at serious risk. Think of every job you could hold with these restrictions and life does not look so pleasant. Even working at Taco Bell requires the use of computerized registers. Telemarketing and other menial tasks that once were viable methods of income also go away. Jobs that consist mostly of physical labor become about the only option left to you. Don’t forget, many companies will not hire convicted felons, even for physical labor.

Court ordered restitution will be a new world of difficulty. Many people fail to realize that not only are restitution amounts fairly significant, but they must be paid back in a timely fashion. Oh yeah, remember that you are not likely to hold a job that pays more than six bucks an hour. So how much is US$50,000 when it comes down to it? Consider that you might be able to earn US$25,000 a year if you are fortunate. Giving up your entire salary would allow you to pay it off in two years. If you can live off of US$15,000 (poverty level), you could then pay back the restitution in only five years. Five years of living at a poverty level.

Is defacing a web page and putting up a message “hackerX 0wnz j00” REALLY worth it?


Investigating Agencies

After the previous article, many people wrote in to add more information regarding the various agencies that investigate computer crime. Using reader feedback and a little more searching, I have compiled a better profile of each agency that covers computer crime as well as their jurisdiction. Once again, please mail me if you have further information, or find error in the material below.


Federal Bureau of Investigations (FBI)
http://www.fbi.gov
Jurisdiction: Computer crime involving the crossing of U.S. state lines

More information: http://www.fbi.gov/pressrm/congress/97archives/compcrm.htm

In February 1992, the FBI completed an assessment of the national computer crime problem and established the National Computer Crimes Squad (NCCS) in the Washington D.C. field office. The NCCS was staffed with Agents knowledgeable and competent in computer systems who were available to investigate computer crimes throughout the United States. In view of the fact that many computer crimes are international in scope, the FBI planned and hosted the first International Computer Crimes Conference in Charleston, S.C., in May 1992, which was attended by investigators from seven countries.

Also in 1992, the FBI established the Computer Analysis and Response Team (CART). CART is a specialized group of forensic examiners with the technical expertise and resources to examine computers, networks, storage media and computer-related materials in support of FBI investigations.

The FBI is creating computer investigation teams in each of its 56 field offices that will respond to computer incidents within their geographical area of responsibility.

The FBI has established the Computer Investigations and Infrastructure Threat Assessment Center (CITAC) with the mission of managing computer investigations and infrastructure threat assessment matters. On July 15, 1996, President Clinton signed Executive Order 13010 establishing, on an interim basis, an Infrastructure Protection Task Force (IPTF) within the Department of Justice, chaired by the FBI. The IPTF includes representatives of the Department of Defense, National Security Agency and other agencies. A unit within CITAC performs analysis and manages the FBI’s coordinating role in the IPTF. The CITAC Watch Office proactively monitors threats to the U.S. Critical Infrastructures, provides front-end analysis of threats, and acts as a Crisis Action Team. CITAC manages the FBI’s computer-related investigations and provides advice and assistance to all investigations within the FBI that involve the computer as a tool for committing a crime.

Computer and Internet crimes are investigated by the FBI utilizing many criminal statutes under our jurisdiction. The Computer Fraud and Abuse statute was amended during the prior Congress and is a comprehensive tool to address computer crimes. Internet crimes conducted to defraud consumers are addressed with myriad statutes including Fraud By Wire, Mail Fraud, Interstate Transportation of Stolen Property, and Money Laundering to name only a few. Other computer related crimes involving Intellectual Property can be addressed utilizing Copyright laws and the recently enacted Economic Espionage statute.


Defense Criminal Investigative Service (DCIS)
http://www.dodig.mil/DCIS/index.html
Jurisdiction: Computer crime occurring against Department of Defense computers

More information: http://www.dodig.osd.mil/DCIS/mission.htm

The DCIS mission is to detect, investigate and prevent fraud waste and abuse committed against or within the Department of Defense, involving its programs, operations and assets, and to address other matters as directed.

More information: http://www.dodig.osd.mil/

The Department of Defense (DoD) Inspector General serves as an independent and objective official in DoD responsible for conducting, supervising, monitoring and initiating audits and investigations relating to the programs and operations of the DoD. The Inspector General provides leadership and coordination and recommends policies for activities designed to promote economy, efficiency, and effectiveness in the administration of, and to prevent and detect fraud and abuse in, such programs and operations. The Inspector General is also responsible for keeping the Secretary of Defense and the Congress fully and currently informed about problems and deficiencies relating to the administration of such programs and operations and the necessity for, and progress of, corrective action.


NASA Office of the Inspector General (NASA OIG)
http://www.hq.nasa.gov/office/oig/hq/
Jurisdiction: Computer crime occurring against N.A.S.A. computers

More information: http://www.hq.nasa.gov/office/oig/hq/mission.html

Public Law 95-452, known as the Inspector General Act of 1978, created independent audit and investigative units, called Offices of Inspector General (OIGs) at 61 Federal agencies.

The mission of the OIGs, as spelled out in the Act, is to:

  • Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
  • Promote economy, effectiveness and efficiency within the agency.
  • Prevent and detect fraud, waste and abuse in agency programs and operations.
  • Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
  • Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

The NASA OIG serves as an independent and objective audit and investigative organization to assist NASA by performing audits and investigations. The OIG prevents and detects fraud, waste and abuse and assists NASA Management in promoting economy, efficiency, and effectiveness in its programs and operations. The OIG auditors and agents are located at NASA Headquarters and all NASA Centers.


Air Force Office of Special Investigations (AFOSI)
http://www.dtic.mil/afosi/
Jurisdiction: Computer crime occurring against Air Force computers

More information: http://www.defensedaily.com/progprof/usaf/Air_Force_Office_of_Special_I.html

The United States Air Force Office of Special Investigations is a field operating agency with headquarters at Bolling Air Force Base, Washington, D.C. It has been the Air Force’s major investigative service since August 1, 1948.

Mission

The primary responsibilities of the Air Force Office of Special Investigations are criminal investigative and counterintelligence services. The organization seeks to identify, investigate and neutralize espionage, terrorism, fraud and other major criminal activities that may threaten Air Force and Department of Defense resources. AFOSI provides professional investigative service to commanders of all Air Force activities.

Personnel and Resources

AFOSI has about 2,000 personnel, of whom two-thirds are special agents. Eighty-eight percent of the special agents are military and 12 percent are civilian. AFOSI consists of seven regional offices, seven overseas squadrons and more than 160 detachments using a worldwide network of agents at all major Air Force installations and a variety of special operating locations.


Naval Criminal Investigative Service (NCIS)
http://www.ncis.navy.mil/
Jurisdiction: Computer crime occurring against Navy computers

The Naval Criminal Investigative Service (NCIS) is a worldwide organization responsible for conducting criminal investigations and counterintelligence for the Department of the Navy and for managing naval security programs.

More information: http://www.ncis.navy.mil/about.htm

Like all other elements of the Department of Defense (DoD) and the Department of the Navy (DoN), NCIS has had to bear its share of personnel and budget cuts, too. For example, in 1991, NCIS had 2,281 total personnel including 1,167 special agents assigned to more than 200 offices worldwide. Today, NCIS has 1,603 personnel of whom 877 are civilian special agents assigned to 150 offices worldwide. In addition, 51 military agents, mostly from the Marine Corps, are assigned to NCIS.

Despite these and other changes, however, the NCIS mission remains the same — “To Protect and Serve” the men and women of the Navy and Marine Corps, their families and DoN civilian employees by conducting felony criminal investigations and counterintelligence for the Department of the Navy, and managing Navy security programs.


U.S. Army Criminal Investigation Command (USACIDC)
http://www.belvoir.army.mil/cidc/
Jurisdiction: Computer crime occurring against Army computers

As the Army’s primary criminal investigative organization, the “CID” is responsible for the conduct of criminal investigations in which the Army is, or may be, a party of interest. Headquartered at Fort Belvoir, Virginia and operating throughout the world, the CID conducts criminal investigations that range from death to fraud, on and off military reservations, and, when appropriate, with local, state and other federal investigative agencies. We support the Army through the deployment, in peace and conflict, of highly trained soldier and government service special agents and support personnel, the operation of a certified forensic laboratory, a protective services unit, computer crimes specialists, polygraph services, criminal intelligence collection and analysis, and a variety of other services normally associated with law enforcement activities.

More information: http://www.lewis.army.mil/6thcid/cidhist1.htm

The U.S. Army Criminal Investigation Command (USACIDC) was organized as a major command of the Army to provide investigative services to all levels of the Army. Using modern investigative techniques, equipment and systems, USACIDC concerns itself with every level of the Army throughout the world in which criminal activity can or has occurred. Unrestricted, CID searches out the full facts of a situation, organizes the facts into a logical summary of investigative data, and presents this data to the responsible command or a United States attorney as appropriate. The responsible command or the U.S. attorney then determines what action will be taken. Ultimately, the commander of USACIDC answers only to the Chief of Staff of the Army and the Secretary of the Army.


Royal Canadian Mounted Police (RCMP)
http://www.rcmp-grc.gc.ca/frames/rcmp-grc1.htm
Jurisdiction: Computer crime occurring against Canadian computers

The Royal Canadian Mounted Police (RCMP) works with communities to ensure the safety of all Canadians. It enforces federal laws, provides contract policing to most provinces, many municipalities and First Nations communities. The RCMP participates in peacekeeping efforts and supplies world-leading expertise in areas like forensics and criminal intelligence to Canadian and international police.

More information: http://www.rcmp-grc.gc.ca/html/cpu-cri.htm

There are RCMP Commercial Crime Sections in every major city in Canada. Each one of these units has at least one investigator who has received specialized training in the investigation of computer crimes. These investigators are supported by the RCMP Computer Investigative Support Unit (CISU) located at RCMP Headquarters in Ottawa. CISU can provide technical guidance and expertise to all Canadian police departments and federal government agencies in relation to computer and telecommunication crime investigation.

The Criminal Code of Canada and the Copyright Act contain provisions that deal with computer and telecommunication crime.

  • Criminal Code: Section 342.1 – Section 430(1.1) – Section 326
  • Copyright Act: Section 42

Defense Computer Forensic Laboratory (DCFL)
http://www.dcfl.com
Jurisdiction: Forensic/Technical support for DOD computer crime investigation

The Department of Defense Computer Forensics Laboratory provides digital and analog evidence processing (analysis and diagnostics) for DoD counterintelligence, criminal, fraud investigations, operations and programs. The DCFL sets DoD standards in digital and analog forensic analysis. The Lab develops and manages DoD forensic media analysis research and development projects. The Lab also conducts liaison with counterpart law enforcement, computer security and intelligence agencies.

[See attrition.org copy for appendices.]

Special thanks to:

  • the many people who wrote in with positive feedback on the first article
  • cyberdiva (cyberdiva@MailAndNews.com)
  • the AFOSI agent who mailed in with additional (public) information
  • travis and mark w/ DCIS

Computer Crime Legal Resources

[This was originally published on Aviary Magazine and mirrored on attrition.org.]

Not a day goes by without someone asking me where to find specific information. After a smart ass response about the value of a search engine, I can usually come up with a link or starting place for them. Because of recent articles on HNN and OSALL, I have received more requests for information on laws regarding computer crime.

To satisfy the law enforcement types as well as the hackers asking for the information, hopefully this article will do it. This is a quick compilation of some of my computer law bookmarks. Along with each site I will include some additional information about the site so you can determine if you really want to visit the site. I know that visiting two dozen sites in a day can get really old.


http://www.epic.org/security/computer_search_guidelines.txt
FEDERAL GUIDELINES FOR SEARCHING AND SEIZING COMPUTERS

“These Guidelines are the product of an interagency group, informally called the Computer Search and Seizure Working Group. Its members were lawyers, agents, and technical experts from the Federal Bureau of Investigation; the United States Secret Service; the Internal Revenue Service; the Drug Enforcement Administration; the United States Customs Service; the Bureau of Alcohol, Tobacco, and Firearms; the United States Air Force; the Department of Justice; and United States Attorneys’ offices.”

http://www.usdoj.gov/criminal/cybercrime/supplement/ssgsup.htm
SUPPLEMENT TO FEDERAL GUIDELINES FOR SEARCHING AND SEIZING COMPUTERS

“This Supplement is intended to update the Federal Guidelines for Searching and Seizing Computers that was published in July 1994. The Supplement describes relevant federal and state cases decided since July 1994 as well as a number of additional earlier decisions.(1) The cases in this Supplement are organized according to the sections in the Guidelines.(2) Where a case relates to more than one section, it is discussed in more than one place.”

http://www.ifs.univie.ac.at/~pr2gq1/rev4344.html
International review of criminal policy – United Nations Manual on the prevention and control of computer-related crime.

“The burgeoning of the world of information technologies has, however, a negative side: it has opened the door to antisocial and criminal behavior in ways that would never have previously been possible. Computer systems offer some new and highly sophisticated opportunities for law-breaking, and they create the potential to commit traditional types of crimes in non-traditional ways. In addition to suffering the economic consequences of computer crime, society relies on computerized systems for almost everything in life, from air, train and bus traffic control to medical service coordination and national security. Even a small glitch in the operation of these systems can put human lives in danger. Society’s dependence on computer systems, therefore, has a profound human dimension. The rapid transnational expansion of large-scale computer networks and the ability to access many systems through regular telephone lines increases the vulnerability of these systems and the opportunity for misuse or criminal activity. The consequences of computer crime may have serious economic costs as well as serious costs in terms of human security.”

http://www.usdoj.gov/03press/03_1_1.html
Department of Justice: Office of Public Affairs Press Releases

For the most part, some of these are rather dry and they tend to pat themselves on the back a bit much. However, a rare few actually give interesting information about computer related crimes and the DOJ response to them. Some of the more interesting ones recently:

http://www.usdoj.gov/opa/pr/1999/August/387crm.htm
WISCONSIN HACKER CHARGED WITH MILITARY BREAK-IN

http://www.usdoj.gov/usao/cac/pr/1998/98-161.htm
“PHONE PHREAKER” SENTENCED TO 18 MONTHS IN PRISON FOR DEFRAUDING PHONE COMPANIES, HARASSING USERS

http://www.usdoj.gov/usao/ma/pr/prev98/arditasnt.htm
Argentine Computer Hacker Agrees to Waive Extradition and Returns to Plead Guilty to Felony Charges in Boston

http://www.usdoj.gov/opa/pr/1998/March/125.htm.html
ISRAELI CITIZEN ARRESTED IN ISRAEL FOR HACKING UNITED STATES AND ISRAELI GOVERNMENT COMPUTERS

http://www.leolinks.com/
Law Enforcement Links Directory & Police Search Engine

While not very comprehensive yet, this search engine promises to be an extremely valuable resource in the near future. My quick searches for various computer crime fighting LE agencies yielded most of the results I needed.

http://www.privacyrights.org/

“The PRC offers consumers a unique opportunity to learn how to protect their personal privacy. Our publications provide in-depth information on a variety of informational privacy issues, as well as practical tips on safeguarding personal privacy.”

http://www.pimall.com/nais/n.tel.tape.law.html ONE PARTY/TWO PARTY TELEPHONE TAPE RECORDING LAWS

Also includes: STATE BY STATE LIST & STATE LAW FOOTNOTES

An example of the footnotes that make this page extremely helpful:

ARIZONA UPDATE
AZ is a one party state, ARS 13-3005.A(1)(2), AND also permits a telephone “subscriber” (the person who orders the phone service and whose name is on the bill) to tape (intercept) calls without being a party to the conversation and without requiring any notification to any parties to the call, ARS 13-3012(5)(c).

http://www.yashy.com/docs/cce.txt
Canadian Criminal Code

The downside to this URL is that the entire set of codes is in a single ASCII file. This is good for those of you who like to parse out specific information, but living hell for those who prefer to read it straight through.

http://www.access.gpo.gov/nara/cfr/cfr-table-search.html
Code of Federal Regulations

Fully searchable Code of Regulations. Quite handy for those of you doing a little more in depth research into the law.

http://uscode.house.gov/usc.htm
The U.S. House of Representatives Internet Law Library U.S. Code (searchable)

Another good site for searching the US Legal codes.

http://www4.law.cornell.edu/uscode/
Cornell US Code Server

My personal favorite for searching through US Law. Their frame system is easy to navigate and produces absolute URLs that are easy to work out. This is great when you want to find a specific law and give someone a URL that points directly to the right text.

http://165.212.243.216/stat99/
Example of State Statutes

Many people ask me about looking up their state statutes. I don’t have a single answer to help everyone, but this site shows a good example of what a little searching can do. Your state regulations ARE up on the web somewhere. You may have to dig a bit to find them.

Statute Manager
The Colorado Statute Manager Web Site allows search access to the 1999 Colorado Statutes and Court Rules. This information is easily accessed by typing in keywords or numbers. The Statute Manager program is supplied by Intellinet as a free public information service. Intellinet also offers a paid subscription service which provides Annotations for the Statutes and Court Rules as well as a hyperlinked Table of Contents and Popular Names Index. These are available via the Internet on an annual subscription or on a “Daily Pass” basis.

http://www-sul.stanford.edu/cpyright.html
Copyright Law and Fair Use

While not comprehensive, this is a great primer for those just getting started on learning the legal aspects of copyright and fair use.

http://fairuse.stanford.edu/
Search the Copyright & Fair Use Site

http://www.findlaw.com/
Huge legal search engine

http://www.findlaw.com/casecode/state.html
State Cases and Codes

Not only US Code, but more importantly, past State Cases. This is ideal for searching for case law.

http://www.richmond.edu/~jolt/v2i1/sergienko.html
Self Incrimination and Cryptographic Keys

Answers the age-old question “do I have to give up my pass phrase?!”


As with all things, this is by no means a complete list of legal resources. In fact, most of these have been collected over the past year or more. All of the URLs listed here worked as of 12/06/99. I can’t emphasize enough the value of a good search engine. You would be amazed at the amounts of resources out there just waiting to be used.

The Wrong Approach

[This was originally published on Aviary Magazine and mirrored on attrition.org.]

In one month, I or any of thousands of other security consultants could eradicate over 90% of the vulnerabilities plaguing Unix systems today. Sound far fetched? It isn’t as crazy as it sounds. Crazier than that notion is the fact that it wasn’t done years ago. In a complicated world, sometimes the simplest solutions really are simple. Despite vendor claims or excuses, serious thought should be given to their modus operandi regarding default installations.

When the average user installs a new Operating System (OS), they get all the features and robust utilities for power computing. Along with this power and flexibility, they inherit every security problem in the OS. The end user is potentially at risk every time they dial into their ISP to connect to the Internet. Business users put themselves at risk 24/7 as their machines are connected to corporate networks, often with little protection.

The current philosophy of ‘out of box’ OS installs is “start open, close what you don’t need”. The immediate question and subject of many security papers is, “What do I need?” New users to Solaris or Linux must make decisions about what services to shut down. There are two problems with this approach. How does the end user know what they need, and more importantly, how do they know what is installed in order to make the decision? Reading through pages of documentation is not the first thing a new user wants to do. Downloading tools to perform their own security audit is even more preposterous. Yet vendors expect their users to do just that.

In a recent article, Carole Fennelly addresses this same point in talking about securing the Operating System a Firewall will be run on. Why should an administrator go through this level of additional work to achieve security?

Sun Microsystems, Hewlett-Packard and other Unix vendors advertise ‘secure’ operating platforms. The catch to this claim is, you get to do the dirty work in making that claim true. How can any vendor make such wild claims when they all suffer from a history of huge bugs? More insulting to their users is making these claims all the while maintaining the worst philosophy of security imaginable. Rather than start out with an open system that must be locked down, why not take a different approach? Begin with a closed and highly secure operating system. As users need functionality, they turn on these services rather than turn off the unneeded ones. Yes, it is that simple.

The problem with Unix

Almost every flavor of Unix comes with 50 to 100 SUID binaries. For those of you unfamiliar with ‘SUID’, it means a program that operates under a higher privilege than the person running it. In layman’s terms, each SUID binary represents one possible way for someone to gain increased access because of bugs or misconfiguration. Almost every single administrative tool on these systems is designed so that any user can run it, and worse, run it under higher privilege. Why?! Each Unix system comes with at least one (often many) administrative accounts. Shouldn’t these tools be exclusive to accounts with higher privilege? After setup and install, most of my Unix machines have between 3 and 10 SUID binaries. Yet Solaris 2.6 comes with almost 100 SUID files! RedHat Linux comes in at close to 40, while AIX is the most baffling: over 200 SUID files, many of which are not accessible to the average user. It appears they had the right idea in mind, but did not follow through with the entire system.
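As an added example (not from the article or any vendor), the following POSIX shell audit enumerates set-uid/set-gid files under a root and separates the ones any local user may execute from the ones restricted to an owner or group, which is the distinction drawn above for AIX. The function names and the report format are this example’s own.

```shell
#!/bin/sh
# Constructed example: audit set-uid/set-gid files under a root and split
# them into "executable by any user" and "restricted to owner/group".
# All function names here are this example's own.

# Every regular file with the set-uid or set-gid bit, staying on one filesystem.
suid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Privileged files that "other" may execute (-perm -0001): each of these is a
# way for an ordinary local user to run code at a higher privilege.
suid_world_exec() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -perm -0001 \
        2>/dev/null | sort
}

# Privileged files the ordinary user cannot execute at all: present on the
# system, but unreachable without membership in the owning group.
suid_restricted() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) ! -perm -0001 \
        2>/dev/null | sort
}

# Count input lines; awk avoids the leading blanks some wc builds print
# and always exits 0, so the caller is safe under set -e.
count_lines() {
    awk 'END { print NR }'
}

# Report: totals first, then the world-executable set with mode and owner,
# which is the list an administrator would trim on a freshly installed box.
suid_report() {
    root=$1
    total=$(suid_files "$root" | count_lines)
    open=$(suid_world_exec "$root" | count_lines)
    echo "set-uid/set-gid files under $root: $total ($open executable by any user)"
    suid_world_exec "$root" | while IFS= read -r f; do
        ls -ld "$f"
    done
}

# Usage: sh suid_audit.sh /usr    (no output when run without a root)
if [ $# -gt 0 ]; then
    suid_report "$1"
fi
```

Run it against / on a fresh install and compare the first number with the 3 to 10 the author reaches after lockdown; the listing that follows is the set to review.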

The second problem plaguing most flavors of Unix is the abundance of insecure services that any network user can access. Relying on twenty-year-old protocols like telnet, rsh and rcp puts users at risk by transmitting sensitive information over insecure channels. Further, installing services for calendar management, remote file system sharing and other network features opens up a user’s machine to a world of potential problems. In many cases, these services are never used and often forgotten.

Solution with Harmony

Not only is this solution a better practice in general, it is more in tune with how the world of computers works. Experienced administrators are familiar with their systems. They know the ins and outs, what services are required and how to tweak the system. On a closed system, they would have the knowledge to open the necessary services in order to meet user demands. On the flip side, newcomers to Unix are not familiar with the details. They do not know that you can shut off NFS, FTP and other services on many home systems. This contributes to the problem of open and insecure machines littering the Internet. Starting out with a more closed system would help eradicate these vulnerabilities.

Despite its limited adoption, OpenBSD stands out as one platform that has adopted this approach. With a reputation for strong security, the development team has taken a keen interest in pro-active security and addressed many issues that bite most vendors. As a result of their work, OpenBSD continues to be perhaps the most secure version of Unix out there.

What would it take?

In the opening, I say it could be done in one month. In reality, most Unix vendors could sit down and change their default settings in a matter of days. The trick is that all the documentation needs to be updated to reflect the changes. Worse, insecure software that previously relied on these open systems would have to be modified to maintain a smoothly working system. These catches no doubt prevent vendors from taking a new approach. What they fail to realize is that the time spent taking in various bug reports and fixing them surpasses the time required to do pro-active security auditing. When will they realize this?