DefCamp 2013 - A few cybercrime cases that could make us think...

Uploaded on


More in: Technology , Business
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide
  • Este infractiunea de access
  • Bresa de securitate
    O bresa in sistemele de securitate ale serverelor Ministerului Finatelor Publice permite oricarui utilizator al unui calculator conectat la Internet sa acceseze baza de date administrata de Agentia Nationala de Administrare Fiscala. In acest fel, se pot obtine informatii complete despre persoane fizice. Ne referim aici la nume, prenume, adresa completa, cod numeric personal si obligatiile financiare pe care o persoana fizica le are in raport cu Ministerul Finantelor Publice. In mod normal, o astfel de baza de date trebuie protejata atat prin folosirea unor softuri specializate de protectie si limitare a accesarii neautorizate cat si prin montarea unor dispozitive hardware, tip firewall. Se pare ca acest lucru nu exista in sistemul informatic de la Finante sau daca a fost instalat nu e administrat corect. Ca urmare, serverele pe care se gasesc informatii cu caracter secret sunt foarte usor de accesat. Acest lucru permite celor interesati sa afle date confidentiale despre o anumita persoana si, folosind aceste date, sa influneteze anumite decizii sau sa supuna santajului persoana respectiva. Ne referim aici la datele de identificare ale oricarui contribuabil, adresa de domiciliu, codul numeric personal si informatii despre obligatiile platii unor impozite si taxe catre bugetul de stat.


  • 1. A few cybercrime cases that could make us think... Bogdan Manolea Defcamp 30 noiembrie 2013 - București
  • 2. About me ● Writing for over 10 years about Laws & Internet ● Some minimal programming skills (from BASIC to HTML) or Internet tools (including Gopher and Telnet :p) ● ● Don't feesasssakjd the INTERNET ! XXXXXXXXX Interested in digital civil rights (Executive Director ApTI, member EDRi, supporter EFF) – Freedom of Expression – Privacy online – Open copyright (e.g. Creative Commons, Open data, Open Education Resources)
  • 3. What is this?
  • 4. Fork and Cybercrime
  • 5. New law ? Using a fork with an ATM is a crime and is punished with 3 years imprisonment
  • 6. Current law Law 161/2003 Art.42 – (1) The access, without right, to a computer system is a crime and is punished with imprisonment from 6 months to 3 years. Accesul, fãrã drept, la un sistem informatic constituie infractiune si se pedepseste cu închisoare de la 3 luni la 3 ani sau cu amendã.
  • 7. CoE Cybercrime convention ● There will be considered a criminal offense “when committed intentionally, the access to the whole or any part of a computer system without right.” ● For this crime it is not necessary to by-pass security measure
  • 8. EU Directive ● Article 3 (...)when committed intentionally, the access without right, to the whole or to any part of an information system, is punishable as a criminal offence where committed by infringing a security measure, at least for cases which are not minor.
  • 9. Computer system ● "computer system" means any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data;
  • 10. Without right ● Current Romanian law For the purpose of this title, a person acts without right in the following situations: a) is not authorised, in terms of the law or a contract; b) exceeds the limits of the authorisation; c) has no permission from the qualified person to give it, according to the law, to use, administer or control a computer system or to carry out scientific research in a computer system.
  • 11. What is “without right” ● ● EU directive "without right" means conduct referred to in this Directive, including access, interference, or interception, which is not authorised by the owner or by another right holder of the system or of part of it, or not permitted under national law.
  • 12. What does access means? ● ● ● "Access" comprises the entering of the whole or any part of a computer system (hardware, components, stored data of the system installed, directories, traffic and content-related data). However, it does not include the mere sending of an e-mail message or file to that system. "Access" includes the entering of another computer system, where it is connected via public telecommunication networks, or to a computer system on the same network, such as a LAN (local area network) or Intranet within an organisation. The method of communication (e.g. from a distance, including via wireless links or at a close range) does not matter. Unauthorized access – term used in US
  • 13. Definitie Kerr - Acces ● ● ● The user accesses a computer each time the user sends a command to that computer, command which is being executed. Access is any successful interaction with the computer Kerr, Orin S., "Cybercrime's Scope: Interpreting 'Access' and 'Authorization' in Computer Misuse Statutes" . NYU Law Review, Vol. 78, No. 5, pp. 15961668, November 2003 Available at SSRN:
  • 14. Practical cases
  • 15. Practical cases
  • 16. Practical Cases ● ● A user looks over the should of another user A user accesses the files in a network
  • 17. Practical Cases ● ● ● Data breach at the Blueair website in 2006 Directly accessible via a link Information published on several blogs: tul-e-vorba-doar-de-cine-invinge-si-cinepierde/  –
  • 18. Electronic Passport ● ● Who owns it? Who has the right to access it?
  • 19. Access to an IT system ● ● ● ● A system administrator is hired by a company as an technical administrator (for tax purposes) In practice, he has access to all its IT systems with a root access Legally, there is no document which says the rights of this person in relation to the IT system One day the company decides to give up to his services and acuses him of access without right to its computer system
  • 20. These are just a few cybercrime cases that could make us think.... ● ● ● The definition of the illegal access to an information system can be very large... It is up to the law enforcement and judges to make the distinction between real and fake cases. But a stupid criminal case is a hassle for anyone involved...
  • 21. But it should be wiser... ● To try change the law – – Maybe it needs to be a crime only if security measures are is by-passed – Maybe we need to have a research exemption – ● Maybe it needs to be a crime only if there is a financial damage involved (like in R. Moldova) Maybe the computer system admins need to have obligations (or be more responsible) as well in regards to keeping their systems secure It can be done! But first we need to identify publicly the problems
  • 22. Bogdan Manolea Multumesc !!!