Cybercrime, Digital Investigation and Public Private Partnership
2° INFOSEC DAY – OCTOBER 2, 2012 – LISBON
Francesca Bosco and Giuseppe Vaciago

Slide 2 – Agenda
• What is Cybercrime?
• The Underground Economy
• Crimes & Techniques Focus
• Who are the Criminals?
• Addressing the Problem
• Digital Forensics
• Digital Investigation
• Data Retention
• Cloud Computing

Slide 3 – Every new technology opens the doors to new criminal approaches

Slide 4 – CYBERCRIME: WHAT DO YOU KNOW?

Slide 5 – CYBERCRIME: WHAT DO YOU WANT TO KNOW?

Slide 6 – What is cybercrime?
Many possible definitions, no widely accepted one.
Any conduct proscribed by legislation and/or jurisprudence that (a) is directed at computing and communications technologies themselves; (b) involves the use of digital technologies in the commission of the offence; or (c) involves the incidental use of computers with respect to the commission of other crimes.
Forms:
• crimes against the confidentiality, integrity or availability of computer systems (e.g. theft of computer services)
• crimes associated with the modification of data (e.g. theft of data)
• content-related crimes (e.g. dissemination of illegal and harmful material, child pornography)
• relation between terrorism and the Internet (e.g. terrorist propaganda, recruitment for terrorist organizations)

Slide 7 – Major Threats and Countries Subjected to Attacks
Threats: Malware (Malicious Code), Botnets, Phishing, Spam, SQL-Injection.
Countries shown on the map: Brazil, United States, China, Germany, India, Italy, Taiwan, Russia, Poland, United Kingdom.
Per-country data blocks, in the order they appear on the slide (share of malicious activity, then the country's rank for each threat; the map labels linking each block to its country did not survive extraction):

Malicious activity | Malware | Spam | Phishing | Botnets | SQL-injection
18% | 1 | 10 | 1 | 1 | 2
7% | 8 | 1 | 9 | 3 | 6
7% | 3 | 9 | 4 | 5 | 1
6% | 15 | 7 | 3 | 6 | 5
5% | 2 | 2 | 18 | 19 | n/a
4% | 13 | 12 | 12 | 4 | n/a
3% | 22 | 20 | 16 | 2 | 7
3% | 11 | 4 | 7 | 13 | n/a
3% | 19 | 5 | 10 | 7 | n/a
3% | 4 | 22 | 6 | 15 | 4

Slide 8 – Most Targeted Industry Sector, 1st Quarter 2012
Source: APWG – Phishing Activity Trends Report (chart not reproduced).

Slide 9 – Top 20 countries with the highest rate of cybercrime attacks
Source: Symantec – last update 7/26/12 (chart not reproduced).

Slide 10 – Complaints of online crime, 2011, at the Internet Crime Complaint Center (USA)
The 2011 IC3 Internet Crime Report reveals both the scope of online crime and IC3's battle against it. The most common victim complaints included FBI-related scams, identity theft and advance fee fraud.[2] IC3 received and processed more than 26,000 complaints per month. Based on victim complaints, the top five states were California (34,169), Florida (20,034), Texas (18,477), New York (15,056) and Ohio (12,661). Victims in California reported the highest dollar losses with a total of $70.5 million. For victims reporting financial losses, the average was $4,187.[1]
IC3 serves as a powerful conduit for law enforcement to share information and pursue cases that often span jurisdictional boundaries. Collaboration within this partnership has produced a number of technological advancements to streamline how the public's complaints are processed and referred to investigators. Initially established as simply a convenient method for citizens to report Internet crime information, IC3 has evolved into a vital resource for both victims of online crime and for law enforcement across the country that investigate and prosecute a wide range of cases.
[1] Methodology of evaluating loss amounts: FBI IC3 Unit staff reviewed for validity all complaints that reported a loss of more than $100,000. Analysts also converted losses reported in foreign currencies to dollars. The final amounts of all reported losses above $100,000 for which the complaint information did not support the loss amount were excluded from the statistics.
[2] Complaint category statistics that are based on the perceptions of the complaints are not typically accurate for statistical purposes.
Yearly comparison of complaints (values read from the chart):
2000: 16,838 | 2001: 50,412 | 2002: 75,064 | 2003: 124,449 | 2004: 207,449 | 2005: 231,493 | 2006: 207,492 | 2007: 206,884 | 2008: 275,284 | 2009: 336,655 | 2010: 303,809 | 2011: 314,246
Total loss in 2011: $485,253,871. Source: Internet Crime Complaint Center.

Slide 11 – Why has Cybercrime become so pervasive?
1. Extremely profitable
2. Very low infrastructure cost and readily available attack tools
3. Barriers to prosecution combined with weak laws and sentencing
4. Anonymity and financial lure have made cybercrime more attractive
5. Separation between the physical and virtual world
6. Organized cybercrime groups can conduct operations without ever making physical contact with each other

Slide 12 – Trends of organized crime: Transnational, Adaptive, Multifaceted
A. Drug trafficking
B. Illicit arms trade
C. Trafficking and smuggling of human beings
D. Traffic of human organs
E. Counterfeiting
F. Environmental-related crimes
G. Maritime piracy
H. Cyber crime
I. Financial crimes: corruption, money laundering

Slide 13 – Cybercrime today

Slide 14 – Organized Crime Activities Shift
Original activity | Modern version
Local numbers gambling | Internet gambling (international sites)
Street prostitution | Internet prostitution
Heroin, cocaine trafficking | Synthetic drugs (less vulnerable to supply problems)
Extortion of local businesses for protection | Extortion of corporations, kidnappings
Loansharking | Money laundering, precious stones, commodities
Fencing stolen property | Theft of intellectual property

Slide 15 – How the black market works (diagram not reproduced)

Slide 16 – The black market: what they offer (diagram text not recoverable)

Slide 17 – Underground Economy Business Model
Organised crime borrows and copies business models from the legitimate economy sector. Cyber-criminals employ models similar to B2B (business-to-business) for their operations, such as the highly sophisticated C2C (criminal-to-criminal) models, which use very effective crime tools available through digital networks.

Slide 18 – Underground Economy Cooperation Model (diagram not reproduced)

Slide 19 – CRIMES & TECHNIQUES FOCUS

Slide 20 – 1. Malware/spam and the underground economy
• Players in the underground economy include:
  - Malware writers and distributors (trojans, spyware, keyloggers, adware, riskware, …)
  - Spammers, botnet owners, drops
  - Various middlemen
• Emergence of institutional arrangements to enhance "trust" in the underground economy
  - Service level agreements, warranties, etc.
• Steady stream of new attacks, e.g. spear-phishing, chained exploits, exploitation of social media.

Slide 21 – Example of possible financial flows
Actors in the diagram: hardware and software vendors; security service providers; fraudsters and criminals; ISPs; individual users; business users; government; society at large.
Numbered flows:
1: Extortion payments, click fraud, compensated costs of ID theft and phishing
2: Uncompensated costs of ID theft and phishing, click-through, pump and dump schemes, Nigerian 419 scams, and other forms of consumer fraud
3, 4, 5, 6: Hardware purchases by criminals, corporate and individual users
7, 8, 9, 10: Security service purchases by hardware manufacturers, corporate and individual users, ISPs
11, 12, 13: ISP services purchased by corporate and individual users, criminals
14: Payments to compensate consumers for damages from ID theft (if provided)
Legend: legal financial flows; potentially illegal financial flows.

Slide 22 – 2. Data Theft (what data are we talking about?)
Personally Identifiable Information (PII): identifying information means any name or number that may be used alone or with other information to identify a specific person: name, social security number, date of birth, official State or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number, biometric data, etc.
Likely one of the most valuable assets that we have and one that businesses need to protect. Why? Information is exponential and reusable. Information can be sold to multiple buyers and can be used in many profitable ways.

Slide 23 – 3. ID Theft
• ID theft is the fastest growing crime in the world.
• Over 9 million victims a year on average worldwide.
• Studies on the total cost of identity theft vary. One study indicates that identity theft costs U.S. businesses and consumers $50 to $60 billion a year.
• Individual victims lose an average of $1,500.00 each in out-of-pocket expenses and require tens or hundreds of hours to recover; some never do.

Slide 24 – 4. Phishing
Use of email to trick someone into providing information or to go to a malicious Web site by falsely claiming to be from a known entity. These attacks are becoming more and more sophisticated. Use of social networking sites will become an issue.

Slide 25 – 5. Botnet Definition
A Botnet is a network of compromised machines (bots) remotely controlled by an attacker.
[Diagram: the attacker sends commands to the bots (B), and the bots launch attacks against uncompromised hosts (U).]

Slide 26 – 5. Botnet Statistics
Botnet Breakdowns: overall messaging botnet growth jumped up sharply from last quarter. Infections rose in Colombia, Japan, Poland, Spain, and the United States. Indonesia, Portugal, and South Korea continued to de
[Charts: Global Botnet Infections and New Botnet Senders, April 2011 to March 2012; per-country panels for Argentina and Australia.]
Source: McAfee Threats Report: First Quarter 2012

Slide 27 – WHO ARE THE CRIMINALS?

Slide 28 – Who are the criminals?
Are financially-motivated cyber-criminals actively working with traditional organized crime groups? Or are they opportunistically organizing among themselves? Or, still, are they simply passively working with O.C. groups for support tasks, e.g. money laundering?
Four case studies.

Slide 29 – Case Study 1: Innovative Marketing Ukraine
• Formed around 2002
• 2008 revenue estimated at $180 million
• Estimated to employ 200-500 staff (HR, call center operators to dissuade victims and avoid credit complaints, malware & scareware developers, etc.) in Ukraine, India, and the United States
• Criminal activities: scareware (or "ransomware", meant to frighten users into providing their credit card data in order not to lose their data), adware, credit card fraud (reselling of the credit cards "customers" were ransomed into providing to IMU). Early activities included the selling of pirated media (music, pornography) and software as well as pharmaceuticals such as Viagra
• 2010: the F.T.C. persuades a U.S. federal judge to fine IMU and two associated individuals $163 million USD

Slide 30 – Case Study 2: Banking Fraud Scheme
• The bank is using an OTP system to authorize large transactions
• A Trojan is used to steal IMEI (international mobile equipment identity) numbers from account holders when they log in to their online banking application
• Once they have acquired the IMEI number, the criminals contact the victim's wireless service provider, report the mobile device as lost or stolen, and request a new SIM card
• With this new SIM card, all OTPs intended for the victim's phone are sent to the fraudster-controlled device

Slide 31 – Case Study 3: Mix between cyber and non-cyber crime
• An IT company employs some engineers after they resigned from a competitor; the day before their resignation, they downloaded some confidential files from the competitor's laptops
• The mere existence of industrial secrets and their potential access by a former employee is not sufficient to raise civil and/or criminal responsibility. In both cases you need to prove the transfer of documents or the disclosure of information directly to the competitor
• The crime of unlawful access to an IT system is committed by the person who violates the owner's prescriptions and limits on access and remains on the system, whatever the aim or target of the unlawful access; but in this case the access was made the day before the resignation, so the engineers were still entitled to access the files

Slide 32 – Case Study 4: Koobface – The value of "Big Data"
• Social networks are so attractive because they potentially contain information useful for: cyber stalking, industrial espionage, private data used in a Pay per Click (PPC) system, cyber terrorism.
• Koobface is a worm that targeted Facebook and other social media sites. Its goal was to gather login information for the purpose of building a peer-to-peer botnet.
• It originally appeared in May 2008; after two years the Koobface botnet was composed of 400,000 to 800,000 PCs worldwide and had earned more than 4 million dollars.
• The mechanism was very simple: a friend posts an update on FB; you click on the update; you are redirected to a website run by Koobface; "Video can't load, download latest version of Flash"; you download and install the software.

Slide 33 – Case Study 4: Koobface – The investigation
• The botnet master made – namely using his personal email for registering a domain parked within Koobface's infrastructure
• The same email, krotreal@gmail.com, was used to advertise the sale of Egyptian Sphynx kittens on 05.09.2007
• A telephone number belonging to the suspected person was provided. The interesting part is that the same telephone number was also used in another advertisement, this time for the sale of a BMW
• The final result was that in January 2012 Facebook identified Anton Nikolaevich Korotchenko and four other subjects as the authors of Koobface

Slide 34 – HOW TO COMBAT CYBERCRIME? WHAT DO YOU KNOW ABOUT DIGITAL FORENSICS?

Slide 35 – Digital Forensics – Definition
Digital forensics is concerned with how to store, identify, acquire, record or interpret the data on a digital device. On a general level it's about finding the best way to:
• get hold of evidence without modifying the IT system in which that evidence is found;
• ensure that the evidence acquired on another medium is identical to the original;
• analyse data without modifying it.
Corporate forensics is nothing more than the steps taken in order to preserve any digital evidence to be submitted in court proceedings and to ensure that it isn't modified when the techniques of digital forensics are put into play.

Slide 36 – Two Rules for Digital Forensics: Hash Functions
During the forensic analysis of modifiable media, the hash guarantees the intangible nature of the data that it contains. The hash is a unique function that operates in one direction (meaning that it cannot be reversed), by means of which a document of arbitrary length is converted into a limited, fixed-length string. This string represents a sort of "digital fingerprint" of the non-encrypted text, and is called the Hash Value or the Message Digest. If the document is modified even to the slightest extent, then the fingerprint changes as well. In other words, by calculating and recording the fingerprint, and then recalculating it, it can be shown beyond all doubt whether the contents of the file, or of the medium, have been altered, even accidentally.

Slide 37 – Two Rules for Digital Forensics: Bit-Stream Copy
Anyone wanting to validate the content of an e-mail or an entire hard disk has to take a particular type of copy, a bit-stream image that "clones" the entire hard disk. The bit-stream copy is a particular form of duplication in which the content of the physical unit is read sequentially, loading at each step the smallest quantity of data that can be addressed, then recording it in the same sequence in a standard binary file, generating a physical image of the original medium.
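As an added illustration of the two rules (example code written for this page, not material from the slides): a bit-stream copy of a constructed in-memory "medium" is taken sequentially in sector-sized blocks, message digests are recorded before and after, and a single accidentally flipped bit in the image is then detected by recalculating the fingerprint. The sample medium, `AcquisitionRecord`, `acquire` and `still_intact` are all constructed for this example.

```python
"""Bit-stream copy plus hash values: the image must hash like the original, the
original must hash the same after acquisition, and any later change shows up."""
import hashlib
import io
from dataclasses import dataclass

SECTOR_SIZE = 512  # the medium is read in fixed-size blocks, in sequence

# Constructed sample medium (not a real device image): file content, unused
# space and the remnants of a deleted file, padded to whole sectors.
SAMPLE_MEDIUM = (
    b"Thesis, chapter 1: introduction. " * 40
    + b"\x00" * 300
    + b"deleted-notes.txt: call at 9, then work on the thesis"
).ljust(SECTOR_SIZE * 4, b"\x00")


def message_digest(data: bytes, algorithm: str = "sha256") -> str:
    """The 'digital fingerprint': a fixed-length digest of data of any length."""
    return hashlib.new(algorithm, data).hexdigest()


def bit_stream_copy(source: io.BufferedIOBase, destination: io.BufferedIOBase,
                    block_size: int = SECTOR_SIZE) -> int:
    """Read the source sequentially in small blocks and write every block, in
    the same order, to the destination. Returns the number of bytes copied."""
    copied = 0
    while True:
        block = source.read(block_size)
        if not block:
            break
        destination.write(block)
        copied += len(block)
    return copied


@dataclass
class AcquisitionRecord:
    algorithm: str
    digest_before: str   # fingerprint of the medium before the copy was taken
    image: bytes         # the bit-stream image of the medium
    image_digest: str    # fingerprint of the image
    digest_after: str    # medium re-hashed after the copy (must be unchanged)

    @property
    def verified(self) -> bool:
        """All three fingerprints agree: the image is an exact clone and the
        original was not touched by the acquisition."""
        return self.digest_before == self.image_digest == self.digest_after


def acquire(medium: bytes, algorithm: str = "sha256") -> AcquisitionRecord:
    """Hash the medium, take the bit-stream copy, hash both, record everything."""
    before = message_digest(medium, algorithm)
    source, destination = io.BytesIO(medium), io.BytesIO()
    bit_stream_copy(source, destination)
    image = destination.getvalue()
    return AcquisitionRecord(algorithm, before, image,
                             message_digest(image, algorithm),
                             message_digest(medium, algorithm))


def still_intact(record: AcquisitionRecord, data: bytes) -> bool:
    """Recalculate the fingerprint of data (the image, or the original medium)
    and compare it with the value recorded at acquisition time."""
    return message_digest(data, record.algorithm) == record.image_digest


def flip_one_bit(data: bytes, offset: int) -> bytes:
    """Simulate an accidental alteration, e.g. a mount that rewrites one flag."""
    altered = bytearray(data)
    altered[offset] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    record = acquire(SAMPLE_MEDIUM)
    print("acquisition verified:", record.verified, record.image_digest)
    print("image intact:", still_intact(record, record.image))
    print("after one flipped bit:", still_intact(record, flip_one_bit(record.image, 1000)))
```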
Slide 38 – Italian Case Law on Digital Forensics
Digital evidence can be altered and can contain countless pieces of information. The "Garlasco" case is a clear example of this. Alberto Stasi was acquitted of the murder of his girlfriend, Chiara Poggi, by the Court of First Instance in December 2009, and the judgement was confirmed by the Court of Appeal in December 2011.

Slide 39 – The "Garlasco" case: the "IT alibi" (timeline)
• 13/08/07: Stasi wakes up at 9, telephones Chiara Poggi, works on his thesis; Chiara Poggi dies between 10.30 and 12.00
• 14/08/07: Stasi voluntarily hands over his PC to the Police
• 29/08/07: After working on the PC, the Police hand it over to the Scientific Investigation Group
• 17/03/09: The expert report requested by the judge shows that Stasi was working on his thesis during the period when Chiara Poggi was killed
• 17/12/09: Judge Vitelli acquits Stasi of murder

Slide 40 – HOW TO COMBAT CYBERCRIME? WHAT DO YOU KNOW ABOUT DIGITAL INVESTIGATIONS?

Slide 41 – Digital Investigation – 6 Steps

Slide 42 – 1. Identify the Suspect
When investigating cybercrimes committed online, the "traditional" approach is as follows:
1. Law enforcement uses the court system to compel an ISP to obtain the IP address of the suspected user.
2. With the IP address, law enforcement can obtain the customer's address from the access provider.
3. With a warrant, the location is searched, any computer system and media are seized, and the media are examined for any digital evidence.

Slide 43 – 1. Identify the Suspect – Challenges
The challenges are as follows:
• No connection between what is observed and what is found in the search and seizure procedure
• Difficult to identify a seized machine as the same one that was investigated remotely
• Difficult to identify a user (multiple user IDs or multiple IP addresses over time, particularly driving around open WiFi, proxies, botnets, TOR)

Slide 44 – 1. Identify the Suspect – Solutions?
• Understanding social engineering techniques means knowing where any digital traces might be found
• Immediate action means more information being gathered (data retention)
• Public-Private Partnership between law enforcement, ISPs, Internet companies and academia can be of enormous help in complex investigations
• You cannot (always…) identify a cybercriminal on Google ;)

Slide 45 – 1. Identify the Suspect – Solutions? (image not reproduced)

Slide 46 – 1. Identify the Suspect – Solutions?
The results of this investigative activity have been excellent, but what about privacy? Mr Palazzolo, a treasurer for the mafia, on the run for 30 years, was discovered by monitoring his Facebook profile.

Slide 47 – 1. Identify the Suspect – Solutions?
Face Recognition Project (Alessandro Acquisti); CCTV; Fairfax Media.

Slide 48 – 2. Detecting Illegal Contents
An investigating tool most frequently used for carrying out an online investigation is hashing. For example, starting with a file containing illegal content, it is possible to convert it into a message digest and to carry out a fast search inside a storage support (hard drive, flash disk) or within the network (P2P networks).
Ferrari.jpg and Ferrari_copy.jpg: SHA-1 hash 051ed4dbdb9bcd7957aa7cbb5dfd0e94605cd887 (identical for both files).

Slide 49 – 2. Detecting Illegal Contents – Challenge
What happens if I just change the file in an infinitesimal way?
Ferrari.jpg: hash 051ed4dbdb9bcd7957aa7cbb5dfd0e94605cd887
Ferrari_copy2.jpg: hash a9fa2933484f828b95c1dde824dea28f35b509d6
The hash does not match and the search will not generate results.

Slide 50 – 2. Detecting Illegal Contents – Solutions?
For this reason, there are techniques (i.e. fuzzy hashing) or various types of algorithms that allow a "certain degree of similarity" to be identified. A good tool is SSDEEP, written by Andrew Tridgell and used for detecting spam. Also available online: pHash (the open source perceptual hash library).

Slide 51 – 2. Detecting Illegal Contents – Solutions
The more complex techniques have a 20% degree of error. What does it mean? No problem if there are false positives: human checking is sufficient. But in the case of false negatives?
False negative: illegal content incorrectly deemed non-illegal.
False positive: non-illegal content incorrectly deemed illegal.
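Added example (not from the deck, and not ssdeep's or pHash's actual code) covering slides 48 to 51: an exact SHA-1 lookup finds a byte-identical copy but misses a file changed in a single byte, while a simplified context-triggered piecewise hash, in the spirit of ssdeep but much reduced, still scores the changed file as similar and an unrelated file as dissimilar. The sample files are constructed random bytes standing in for images, and the 70% threshold in the hypothetical `screen` function is an assumption: lowering it catches more variants (fewer false negatives) at the price of more false positives for a human to check.

```python
"""Exact hash matching versus similarity matching of files."""
from __future__ import annotations
import hashlib
import random

# Constructed sample "files" (deterministic random bytes); not real content.
_rng = random.Random(2012)
KNOWN_FILE = bytes(_rng.getrandbits(8) for _ in range(4096))      # reference file
UNRELATED_FILE = bytes(_rng.getrandbits(8) for _ in range(4096))  # a different file


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def modify_one_byte(data: bytes, offset: int = 2048) -> bytes:
    """An 'infinitesimal' change, e.g. one byte altered when a file is re-saved."""
    changed = bytearray(data)
    changed[offset] ^= 0x80
    return bytes(changed)


def exact_match(data: bytes, known_digests: set[str]) -> bool:
    """Classic search: is the file's SHA-1 in the set of known digests?"""
    return sha1_hex(data) in known_digests


_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_FNV_OFFSET, _FNV_PRIME = 0x811C9DC5, 0x01000193


def piecewise_signature(data: bytes, block_size: int = 64, window: int = 7) -> str:
    """Simplified context-triggered piecewise hash (the idea behind ssdeep, not
    its algorithm). A rolling sum over the last `window` bytes decides where a
    chunk ends, so an edit only disturbs the chunk(s) around it; each chunk is
    summarised by one character derived from its FNV-1a hash."""
    signature, chunk_hash, rolling = [], _FNV_OFFSET, 0
    for i, byte in enumerate(data):
        rolling += byte
        if i >= window:
            rolling -= data[i - window]
        chunk_hash = ((chunk_hash ^ byte) * _FNV_PRIME) & 0xFFFFFFFF
        if rolling % block_size == block_size - 1:  # context-triggered boundary
            signature.append(_ALPHABET[chunk_hash % 64])
            chunk_hash = _FNV_OFFSET
    signature.append(_ALPHABET[chunk_hash % 64])  # the trailing partial chunk
    return "".join(signature)


def _levenshtein(a: str, b: str) -> int:
    """Edit distance between two signatures (insert/delete/substitute one char)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(sig_a: str, sig_b: str) -> int:
    """0..100 score: share of the longer signature that survives in the other."""
    longest = max(len(sig_a), len(sig_b))
    if longest == 0:
        return 100
    return round(100 * (1 - _levenshtein(sig_a, sig_b) / longest))


def screen(candidate: bytes, known: dict[str, bytes], threshold: int = 70) -> dict:
    """Hypothetical screening step: exact SHA-1 hits first, then similarity hits
    at or above `threshold` (the knob that trades false negatives for false
    positives). Returns the hits and every score for a human reviewer."""
    digest = sha1_hex(candidate)
    exact = [name for name, ref in known.items() if sha1_hex(ref) == digest]
    sig = piecewise_signature(candidate)
    scores = {name: similarity(sig, piecewise_signature(ref)) for name, ref in known.items()}
    similar = [name for name, score in scores.items() if score >= threshold]
    return {"exact": exact, "similar": similar, "scores": scores}


if __name__ == "__main__":
    reference = {"known.jpg": KNOWN_FILE}
    print("identical copy:", screen(KNOWN_FILE, reference))
    print("one byte changed:", screen(modify_one_byte(KNOWN_FILE), reference))
    print("unrelated file:", screen(UNRELATED_FILE, reference))
```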
Slide 52 – 2. Detecting Illegal Contents – Solutions: Internet Surveillance Plans

Slide 53 – 2. Detecting Illegal Contents – Solutions
On December 20, 2006, Article 5.2(11) of the Law on the Protection of the Constitution in North Rhine-Westphalia was amended with the introduction of provisions on remote intelligence gathering, both online and by accessing information technology systems. Private computer systems could be covertly accessed "remotely", thanks to software (keylogger and sniffer programs) installed on the target system without the owner's knowledge, for instance in the form of Trojans incorporated within or disguised as harmless content, by convincing the owner to voluntarily upload the relevant spyware or disclose passwords through cleverly devised social engineering initiatives.

Slide 54 – 2. Detecting Illegal Contents – Solutions
On February 27, 2008, the German Constitutional Court determined that the amendment to the North Rhine-Westphalia law was unconstitutional, as it violated a new "Right to the Confidentiality and Integrity of Information Technology Systems" established by the Court, derived from the right to the free development of one's personality read in conjunction with Article 1.1 GG (right to human dignity).

Slide 55 – 2. Detecting Illegal Contents – Solutions
Just three years after the ruling by the German Constitutional Court, Germany's Justice Minister called for an investigation after authorities in at least four German states (Bavaria, Baden-Württemberg, Brandenburg and Lower Saxony) acknowledged using computer spyware to conduct surveillance on citizens.

Slide 56 – 3. Validating Digital Evidence
In order for digital data to be admitted as evidence at trial, the law enforcement officers handling it must respect the "two fundamental digital forensics rules" mentioned above: the bit-stream copy and the hash function. But what happens if the digital data is in the Cloud?

Slide 57 – 3. Validating Digital Evidence – Challenge
The new challenge with Cloud computing is a loss of data location, due to:
• "Data at rest" does not reside on the device.
• "Data in transit" cannot be easily analysed because of encryption.
• "Data in execution" will be present only in the cloud instance.
The investigator who wants to capture the bit-stream data of a given suspect image will be in the same situation as someone who has to complete a puzzle whose pieces are scattered randomly across the globe.

Slide 58 – 3. Validating Online Digital Evidence – Solution
How is it possible to validate online digital evidence and immediately show that a particular piece of data on a particular online site is certain?

Slide 59 – 4. Chain of Custody of the digital evidence
• When digital evidence can be used in court, it must be handled in a careful manner to avoid later allegations of tampering or misconduct, which can compromise the case.
• Digital storage media last less than analogue media, and devices to read such media last even less.
• Domesday Book (1086): legible after over 900 years.
• Domesday Book 2 (1983), LaserDisc: illegible after 15 years.

Slide 60 – 5. Analysis of Digital Evidence
• Text searches: aimed at scanning files, directories and even entire file systems for specific text terms
• Image searches: aimed at identifying image files in various formats, and at generating still frames of digitally stored video
• Data recovery and identification: this technique aims to recover all files stored, including deleted or damaged data
• Data discovery: targeted at accessing hidden, encrypted or otherwise protected data
• Data carving: focused on reconstructing damaged files by retrieving portions of their content
• Metadata recovery and identification: this digital forensic tool is particularly useful for retracing the timeline of web accesses and file changes
(The text of the following slides is truncated in this copy.)

6. Reporting of Digital Evidence Findings
This stage is of key importance for Prosecutors, Judges and lawyers, as the outc...

HOW TO COMBAT CYBERCRIME? DATA RETENTION AND ROLE OF ISP PROVIDERS

Data Retention – Definition
• Data retention (or data preservation) generally refers to the storage of call detail record...

Data Retention – Legal Framework
• In the wake of the terrorist attacks in Madrid and London (2004 and 2005 respectively)...

Data Retention – Directive 2006/24/EC
• Scope of application: serious crime
• Retention period: from 6 months to 24 months...

Data Retention – Open Issues
1) There is no consistent approach across the EU to the period of retention among Member Sta...

Data Retention – Retention Period
Of the twenty-two Member States that have implemented the Directive:
• Thirteen MS have...

Data Retention – Serious Crime
Of the twenty-two Member States that have implemented the Directive:
• Ten MS (Bulgaria, E...

Data Retention – Reimbursement of Costs and ISP Role
• The cost of setting up a system for retaining data for an internet serv...

Data Retention – Conclusions
• The practical repercussion of this scenario is the following: when faced with a U.S., Germ...

CLOUD COMPUTING

Definition
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable resources (e...
It has three service models and four deployment models.

From a legal standpoint, cloud computing services have to face these two distinct issues:
1) Jurisdiction: the "loss of lo...

• August 23, 2011, Viviane Reding (E-006901/2011 – answer to parliamentary question):
• "In accordance with internationa...

1. Jurisdiction – "The Patriot Act" issue
• The Patriot Act is extraterritorial in application (Section 215 and Section 5...
• "CloudSigma is operated and controlled by a Swiss AG, which is not subject to direct or indirect U.S. control"
• "City...

December 6, 2011, Viviane Reding, 2nd Annual European Data Protection and Privacy Conference, Brussels:
"I am reading in t...

We have four different possible principles to solve the "loss of location" in a cloudy world:
• Territorial principle: the Co...

Privacy risks in the cloud (from the diagram):
• Lack of control over the data
• Lack of integrity caused by the sharing of resources
• Lack of availability due to lack of int...

1. Compliance with basic data protection principles
2. Transparency
3. Purpose specification and limitation (isolation)...

Articles 25 and 26 of Directive 95/46/EC provide for the free flow of personal data to countries located outside the EEA on...

2. Privacy – Possible solutions
• Proposal of Regulation on Data Protection
• The right to be forgotten: EU citizens are to be ...

HOW TO COMBAT CYBERCRIME? PUBLIC PRIVATE PARTNERSHIP

Addressing the Problem – I
• Fighting cybercrime has always been a complex problem due to the number of ICT network users, ...

Addressing the Problem – II
• In addition to strengthening the current legal frameworks, updating old legislation, harmonis...

How to develop an effective PPP
Main examples:
• operational cooperation in specific cases,
• cooperation in case of web...

Questions?

Contacts
Mr. Giuseppe Vaciago, University of Insubria, giuseppe.vaciago@uninsubria.it
Ms. Francesca Bosco, UNICRI Project ...
Published on www.techandlaw.net
  1. 1. Cybercrime,  Digital  Inves4ga4on   and  Public  Private  Partnership   2° INFOSEC DAY – OCTOBER 2, 2012 – LISBON Francesca Bosco and Giuseppe Vaciago
  2. 2. Agenda •  What is Cybercrime? •  The Underground Economy •  Crimes & Techniques Focus •  Who are the Criminals? •  Addressing the Problem •  Digital Forensics •  Digital Investigation •  Data Retention •  Cloud Computing
  3. 3. Every new technology opens the doors to new criminal approaches 3
  4. 4. CYBERCRIME WHAT DO YOU KNOW?
  5. 5. CYBERCRIME WHAT DO YOU WANT TO KNOW?
  6. 6. What is cybercrime? Many possible definitions - no widely accepted one Any conduct proscribed by legislation and/or jurisprudence that (a) is directed at computing and communications technologies themselves; (b) involves the use of digital technologies in the commission of the offence; or (c) involves the incidental use of computers with respect to the commission of other crimes. Forms •  crimes against the confidentiality, integrity or availability of computer systems (e.g. theft of computer services)‫‏‬ •  crimes associated with the modification of data (e.g. theft of data)‫‏‬ •  content-related crimes (e.g. dissemination of illegal and harmful material, child pornography)‫‏‬ •  relation between terrorism and the Internet (e.g. terrorist propaganda, recruitment for terrorist organizations)‫‏‬ 6
  7. 7. Brazil United States China Germany India Italy Taiwan Russia Poland United Kingdom Major Threats and Countries Subjected to Attacks •  Malware (Malicious Code) •  Botnets •  Phishing •  Spam •  SQL-Injection Malicious  Ac+vity   18  %   Threat Rank Malware 1   Spam 10   Phishing 1   Botnets 1   SQL-injection 2   Malicious  Ac+vity   7  %   Threat Rank Malware 8   Spam 1   Phishing 9   Botnets 3   SQL-injection 6   Malicious  Ac+vity   7  %   Threat Rank Malware 3   Spam 9   Phishing 4   Botnets 5   SQL-injection 1   Malicious  Ac+vity   6  %   Threat Rank Malware 15   Spam 7   Phishing 3   Botnets 6   SQL-injection 5   Malicious  Ac+vity   5  %   Threat Rank Malware 2   Spam 2   Phishing 18   Botnets 19   SQL-injection n/a   Malicious  Ac+vity   4  %   Threat Rank Malware 13   Spam 12   Phishing 12   Botnets 4   SQL-injection n/a   Malicious  Ac+vity   3  %   Threat Rank Malware 22   Spam 20   Phishing 16   Botnets 2   SQL-injection 7   Malicious  Ac+vity   3  %   Threat Rank Malware 11   Spam 4   Phishing 7   Botnets 13   SQL-injection n/a   Malicious  Ac+vity   3  %   Threat Rank Malware 19   Spam 5   Phishing 10   Botnets 7   SQL-injection n/a   Malicious  Ac+vity   3  %   Threat Rank Malware 4   Spam 22   Phishing 6   Botnets 15   SQL-injection 4  
  8. 8. Most Targeted Industry Sector 1° Quarter ‘12 Source APWG - Phishing Activity Trends Report
  9. 9. Top 20 countries with the highest rate of cybercrime attacks Source: Symantec - Last update 7/26/12
  10. 10. Complaints of online crime, 2011 at the Internet Crime Complaint Center (USA) The 2011 IC3 Internet Crime Report reveals both the scope of online crime and IC3’s battle against it. The most common victimcomplaintsincludedFBI-relatedscams,identitytheftandadvancefeefraud.2 IC3receivedandprocessedmorethan 26,000 complaints per month. Based on victim complaints, the top five states were California (34,169), Florida (20,034), Texas (18,477), New York (15,056) and Ohio (12,661). Victims in California reported the highest dollar losses with a total of $70.5 million. For victims reporting financial losses, the average was $4,187. IC3servesasapowerfulconduitforlawenforcementtoshareinformationandpursuecasesthatoftenspanjurisdictional boundaries.Collaborationwithinthispartnershiphasproducedanumberoftechnologicaladvancementstostreamline how the public’s complaints are processed and referred to investigators. Initially established as simply a convenient method for citizens to report Internet crime information, IC3 has evolved into a vital resource for both victims of online crime and for law enforcement across the country that investigate and prosecute a wide range of cases. 1 Methodology of evaluating loss amounts: FBI IC3 Unit staff reviewed for validity all complaints that reported a loss of more than $100,000. Analysts also converted losses reported in foreign currencies to dollars. The final amounts of all reported losses above $100,000 for which the complaint information did not support the loss amount were excluded from the statistics. 2 Complaint category statistics that are based on the perceptions of the complaints are not typically accurate for statistical purposes. 
The statistics pulled from the complaints 0 50,000 100,000 150,000 200,000 250,000 300,000 350,000 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 16,838 50,412 75,064 124,449 207,449 231,493 207,492 206,884 275,284 336,655 303,809 314,246 314,246 336,655 Yearly Comparison of Complaints3 Total loss in 2011: $ 485.253,871 Source: Internet Compliant Centre
  11. 11. Why has Cybercrime become so pervasive? ①  Extremely profitable ②  Very low infrastructure cost and readily available attack tools ③  Barriers to prosecution combined with weak laws and sentencing ④  Anonymity and financial lure has made cyber-crime more attractive ⑤  Separation between the physical and virtual world ⑥  Organized cybercrime groups can conduct operations without ever making physical contact with each other
  12. 12. Trends of organized crime: Transnational, Adaptive, Multifaceted A. Drug trafficking B. Illicit arms trade C. Trafficking and smuggling of human beings D. Traffic of human organs E. Counterfeiting F. Environmental-related crimes G. Maritime piracy H. Cyber crime I. Financial crimes: corruption, money laundering
  13. 13. Cybercrime today
  14. 14. Organized Crimes Activities Shift Original Activity Modern Version Local numbers gambling Internet gambling (international sites) Street prostitution Internet prostitution Heroin, cocaine trafficking Synthetic drugs (less vulnerable to supply problem) Extortion of local businesses for protection Extortion of corporations, kidnappings Loansharking Money laundering, precious stones, commodities. Fencing stolen property Theft of intellectual property
  15. 15. How the black market works
  16. 16. The black market: what they offer6*+,-$($)>-Z8#0-8[,-5# )"G-5#>-"#8%"8#0-8:;1"-# 4.2")0%50660"#7+%80.9#.+%: ;)*<"+,'%="#>)"? -.,"#2<*,+#. &'()"%1M0,W ;,"0,)C+)?%%%%%%%%%%%%4"+?+.C%-??<)? ;*).0"+#?
  17. 17. Underground Economy Business Model Organised crime borrows and copies business models from the legitimate economy sector. Cyber-criminals employ models similar to the B2B (business-to-business) for their operations, such as the highly sophisticated C2C (criminal-to-criminal) models, which use very effective crime tools available through digital networks.
  18. 18. Underground Economy Cooperation Model
  19. 19. CRIMES & TECHNIQUES FOCUS
  20. 20. 1. Malware/spam and the underground economy §  Players in the underground economy include: Ø  Malware writers and distributors (trojans, spyware, keyloggers, adware, riskware, …) Ø  Spammers, botnet owners, drops Ø  Various middlemen §  Emergence of institutional arrangements to enhance “trust” in the underground economy Ø  Service level agreements, warranties, etc. §  Steady stream of new attacks E.g.: spear-phishing, chained exploits, exploitation of social media.
  21. 21. Hardware, software Security service providers Fraudsters, criminals ISPs Individual users Business users 1 2 13 5 3 8 9 4 10 1211 67 Government Society at large 1. Example of possible financial flows 14 Society at large 1: Extortion payments, click fraud, compensated costs of ID theft and phishing 2: Uncompensated costs of ID theft and phishing, click through, pump and dump schemes, Nigerian 419 scams, and other forms of consumer fraud 3, 4, 5, 6: Hardware purchases by criminals, corporate and individual users 7, 8, 9, 10: Security service purchases by hardware manufacturers, corporate and individual users, ISPs 11, 12, 13: ISP services purchased by corporate and individual users, criminals 14: Payments to compensate consumers for damages from ID theft (if provided) Legal financial flows Potentially illegal financial flows
  22. 22. 2. Data Theft (what data are we talking about?) Personally Identifiable Information (PII): Identifying information means any name or number that may be used alone or with other information to identify a specific person: Name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, biometric data, etc. Likely one of the most valuable assets that we have and one that businesses need to protect. Why? Information is exponential and reusable. Information can be sold to multiple buyers and be can be used in many profitable ways.
  23. 23. 3. ID Theft •  ID Theft is the fastest growing crime in the world. •  Over 9 million victims a year on average worldwide •  Studies on the total cost of identity theft vary. One study indicates that identity theft cost U.S. businesses and consumers $50 to $60 billion dollars a year •  Individual victims lose an average of $1,500.00 each in out of pocket expenses and require tens or hundreds of hours to recover – some never do.
  24. 24. Use of email to trick someone into providing information or to go to a malicious Web sites by falsely claiming to be from a known entity. These attacks are becoming more and more sophisticated. Use of social networking sites will become an issue. 4. Phishing
  25. 25. 5. Botnet Definition A Botnet is a network of compromised machines (bots) remotely controlled by an attacker. B ot Key U ncompromised Host B Attacker B B B U U Commands Commands Attacks Attacks
  26. 26. . Botnet Breakdowns Overall messaging botnet growth jumped up sharply from last quarter. Infections rose in Colombia, Japan, Poland, Spain, and the United States. Indonesia, Portugal, and South Korea continued to de 0 1,000,000 2,000,000 3,000,000 4,000,000 5,000,000 MAR 2012 FEB 2012 JAN 2012 DEC 2011 NOV 2011 OCT 2011 SEP 2011 AUG 2011 JUL 2011 JUN 2011 MAY 2011 APR 2011 Global Botnet Infections New Botnet Senders 40,000 45,000 50,000 Argentina 12,000 14,000 16,000 Australia 5. Botnet Statistics Source: McAfee Threats Report: First Quarter 2012
  27. 27. WHO ARE THE CRIMINALS ?
  28. 28. Who are the criminals? 28 Are financially-motivated cyber-criminals actively working with traditional organized crime groups? Or are they opportunistically organizing among themselves? Or, still, are they simply passively working with O.C. groups for support tasks eg: money laundering? Four case-studies
  29. 29. •  Formed around 2002 •  2008 revenue estimated at $180 million •  Estimated to employ 200-500 staff (HR, call center operators to dissuade victims and avoid credit complaints, malware & scareware developers, etc…) in Ukraine, India, and the United States •  Criminal activities: Scareware (or “Ransomware”, meant to frighten users into providing their credit card data in order not to lose their data), Adware, Credit Card Fraud (Reselling of the credit cards “customers” were ransomed into providing to IMU). Early activities included the selling of pirated media (music, pornography) and software as well as pharmaceuticals such as Viagra •  2010: F.T.C. persuades a U.S. federal judge to fine IMU and two associated individuals $163 million USD Case Study: 1. Innovative Marketing Ukraine 29
  30. 30. •  The bank is using a OTP system to authorize large transactions •  A Trojan is used to steal IMEI (international mobile equipment identity) numbers from account holders when they login to their online banking application •  Once they have acquired the IMEI number, the criminals contact the victim’s wireless service provider, report the mobile device as lost or stolen, and request a new SIM card. •  With this new SIM card, all OTPs intended for the victim’s phone are sent to the fraudster-controlled device. Case Study: 2. Banking Fraud Scheme 30
  31. 31. •  An IT company employs some engineers after they resigned from a competitor; the day before their resignation, they download some confidential files from competitor’s laptops •  The mere existence of industrial secrets and their potential access by a former employee is not sufficient to raise civil and/or criminal responsibility. In both cases you need to prove the transfer of documents or the disclosure of info’s directly to the competitor •  The crime of unlawful access to an IT system is made by the person who violates owner’s prescriptions and limits to access and maintain himself on the system, no matter what is the aim or target of the unlawful access, but in this case the access was made the day before the resignation, so that engineers were still in right to access the files. Case Study: 3. Mix between cyber and non-cyber crime 31
  32. 32. Friend posts update on FB You click in to the update You’re redirected to a website run by Koobface “Video can’t load, Download latest version of flash You download/ install the software Case Study: 4. Koobface – The value of “Big Data” 32 •  Social Networks are so attractive as they potentially contain information useful for: cyber stalking, industrial espionage, private data used in a Pay per Click (PPC) system, cyber terrorims. •  Koobface is a worm that targeted Facebook and other social media sites. Its goal was to gather login information for purposes of building a peer to peer botnet •  Originally appeared in May 2008, after 2 year the Koobface botnet was composed of 400.000 to 800.000 PCs worldwide and earned more that 4 million dollar •  The mechanism was very simple:
  33. 33. •  The botnet master made - namely using his personal email for registering a domain parked within Koobface's infrastructure •  The same email krotreal@gmail.com was used to advertise the sale of Egyptian Sphynx kittens on 05.09.2007. •  The following telephone belonging to the suspected person was provided. The interesting part is that the same telephone was also used in another advertisement, this time for the sale of a BMW •  The final result was that Facebook on January 2012 identified Anton Nikolaevich Korotchenko and other 4 subject as the authors of Koobface. Case Study: 4. Koobface – The investigation
  34. 34. HOW TO COMBAT CYBERCRIME? WHAT DO YOU KNOW ABOUT DIGITAL FORENSICS?
  35. 35. Digital forensics is concerned with how to store, identify, acquire, record or interpret the data on a digital device. On a general level it’s about finding the best way to: •  get hold of evidence without modifying the IT system in which that evidence is found; •  ensure that the evidence acquired in another medium is identical to the original; •  analyse data without modifying it. Corporate forensics is nothing more than the steps taken in order to preserve any digital evidence to be submitted in court proceedings and to ensure that it isn’t modified when the techniques of digital forensics are put into play. Digital Forensics - Definition
  36. 36. During the forensic analysis of modifiable media, the Hash guarantees the intangible nature of the data that it contains. The Hash is a unique function that operates in one direction (meaning that it cannot be reversed), by means of which a document of random length is converted into a limited and fixed length string. This string represents a sort of ‘digital fingerprint’ of the non-encrypted text, and is called the Hash Value or the Message Digest. If the document is modified even to the slightest extent, then the fingerprint changes as well. In other words, by calculating and recording the fingerprint, and then recalculating it, it can be shown beyond all doubt whether the contents of the file, or the medium, have been altered, even accidentally. Two Rules for Digital Forensics: Hash Functions
  37. 37. Anyone wanting to validate the content of an e-mail or an entire hard-disk has to take a particular type of copy by taking a bit- stream image that can ‘clone’ the entire hard-disk. The bit-stream copy is a particular form of duplication in which the content of the physical unit is read sequentially loading the minimum quantity of data that can from time to time be directed, then recording it in the same sequence on a standard binary file, generating a physical image of the original medium. Two Rules for Digital Forensics: Bit-Stream Copy
  38. 38. Italian Case Law on Digital Forensics Digital evidence could be altered and can contain countless pieces of information. The “Garlasco” case is a clear example of this. Alberto Stasi was acquitted of murder of his girlfriend, Chiara Poggi, by the Court of first Instance In December 2009 and the judgement was confirmed in the Appeal court in December 2011.
  39. 39. The “Garlasco” case: the “IT alibi” Chiara Poggi died between 10.30 and 12.00 Stasi voluntarily hands over his PC to the Police After working on the PC the Police hands it over to the Scientific Investigation Group Judge Vitelli acquits Stasi of murder 14/08/07 29/08/07 17/12/0913/08/07 -­‐ Stasi wakes up at 9 -­‐ Telephones Chiara Poggi -­‐ Works on his thesis 13/08/07 The expert report requested by the judge shows that Stasi was working on his thesis during the period when Chiara Poggi was killed 17/03/09
  40. 40. HOW TO COMBAT CYBERCRIME? WHAT DO YOU KNOW ABOUT DIGITAL INVESTIGATIONS?
  41. 41.     Digital Investigation – 6 Steps
  42. 42. With a warrant, the location Is searched, any computer system and media are seized and the media are examined for any digital evidence With the IP address, the Law Enforcement can obtain customer’s address from the Access Provider The Law Enforcement uses the court system to compel an ISP to obtain IP address del suspected user 1. Identify the Suspect When investigating cybercrimes committed online, the “traditional” approach is as follows:
  43. 43. No connection between what is observed and what is found in the search and seizure procedure Difficult to identify a seized machine as the same on that was investigated remotely Difficult to identify a user (multiple User ID or multiple IP Address over time, particularly driving around open Wifi, proxy, botnet, TOR) 1. Identify the Suspect – Challenges The challenges are as follows:
  44. 44. Understanding social engineering techniques means knowing where any digital traces might be found Immediate action means more information being gathered (data retention) Public-Private Partnership between Law Enforcement/ISPs/Internet Companies/Academia can be of enormous help in complex investigations You cannot (always…) identify a cybercriminal on Google ;) 1. Identify the Suspect – Solutions?
  45. 45. 1. Identify the Suspect – Solutions?
  46. 46. The results of this investigative activity have been excellent, but what about Privacy? Mr Palazzolo a treasurer for the mafia, on the run for 30 years, was discovered by monitoring his facebook profile. 1. Identify the Suspect – Solutions?
  47. 47. Face  Recogni4on   Project  Alessandro   Acquis/   CCTV   Fair  Fax  Media   1. Identify the Suspect – Solutions?
  48. 48. 2. Detecting Illegal Contents An investigating tool most frequently used for carrying out an on line investigation is hashing techniques. For example, starting with a file containing ille, it is possible to convert it into a message digest and to carry out a fast search inside a storage support (hard drive, flash disk) or within the network (P2P networks). Ferrari.jpg Ferrari_copy.jp g HASH SHA-1 051ed4dbdb9bcd7957 aa7cbb5dfd0e94605cd 887
  49. 49. What happens if I just change the file in an infinitesimal way? Ferrari.jpg Ferrari_copy2.jp g HASH: 051ed4dbdb9bcd7957aa7cbb5df d0e94605cd887 HASH: a9fa2933484f828b95c1dde824dea 28f35b509d6 The hash does not match and the search will not generate results 2. Detecting Illegal Contents - Challenge
  50. 50. For this reason, there are techniques (i.e. fuzzy hashing) or various types of algorithms that allow a “certain degree of similarity” to be identified. A good software used is SSDEEP written by Andrew Tridgell and used for detecting spamming. Online is available: pHash (The open source perceptual hash library) 2. Detecting Illegal Contents – Solutions?
  51. 51. 2. Detecting Illegal Contents - Solutions The more complex techniques have a 20% degree of error What does it means? No problem if there are false positives. Human checking is sufficient. But in the case of false negatives? False Negative= (i.e., illegal content incorrectly deemed as non-illegal False positives= (i.e., non-illegal content incorrectly deemed as illegal
52. 2. Detecting Illegal Contents - Solutions: Internet Surveillance Plans
53. 2. Detecting Illegal Contents - Solutions: On December 20, 2006, Article 5.2(11) of the Law on the Protection of the Constitution in North Rhine-Westphalia was amended with the introduction of provisions on remote intelligence-gathering, both online and by accessing information technology systems. Private computer systems could be covertly accessed “remotely”, thanks to software (keylogger and sniffer programs) installed on the target system without the owner’s knowledge, for instance in the form of Trojans incorporated within or disguised as harmless content, by convincing the owner to voluntarily upload the relevant spyware or to disclose passwords through cleverly devised social engineering initiatives.
54. 2. Detecting Illegal Contents - Solutions: On February 27, 2008, the German Constitutional Court determined that the amendment to the North Rhine-Westphalia law was unconstitutional. The Court established a new “Right to the Confidentiality and Integrity of Information Technology Systems”, derived from the right to the free development of one’s personality read in conjunction with Article 1.1 GG (right to human dignity).
55. 2. Detecting Illegal Contents - Solutions: Just three years after the ruling by the German Constitutional Court, Germany’s Justice Minister called for an investigation after authorities in at least four German states (Bavaria, Baden-Württemberg, Brandenburg and Lower Saxony) acknowledged using computer spyware to conduct surveillance on citizens.
56. 3. Validating Digital Evidence: In order for digital data to be admitted as evidence at trial, the law enforcement officers handling it must respect the “two fundamental digital forensics rules” mentioned above: the bitstream copy and the hash function. But what happens if the digital data is in the Cloud?
57. 3. Validating Digital Evidence - Challenge: The new challenge with Cloud computing is a loss of data location, because: “data at rest” does not reside on the device; “data in transit” cannot be easily analysed because of encryption; “data in execution” is present only in the cloud instance. The investigator who wants to capture the bit-stream data of a given suspect image is in the same situation as someone who has to complete a puzzle whose pieces are scattered randomly across the globe.
58. 3. Validating Online Digital Evidence - Solution: How is it possible to validate online digital evidence and immediately show that a particular piece of data on a particular online site is certain?
59. 4. Chain of Custody of the digital evidence
• When digital evidence is to be used in court, it must be handled carefully to avoid later allegations of tampering or misconduct, which can compromise the case.
• Digital storage media last less than analogue media, and the devices needed to read such media last even less.
• Domesday Book (1086): legible after over 900 years.
• Domesday Book 2 (1983), on LaserDisc: illegible after 15 years.
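The two rules on slide 56 (bit-stream copy, then hash) and the chain-of-custody handling on slide 59, as an added example that is not from the presentation: a byte-for-byte copy whose hash is checked against the source, and a custody log in which every entry commits to the previous one, so that an image altered after acquisition or an edited log entry is detected on verification. The “device” bytes, handler names and timestamps are constructed assumptions.

```python
import hashlib
import json
from typing import List
# Added example, not from the presentation: the "two fundamental rules"
# (bit-stream copy, then hash) plus a tamper-evident chain-of-custody log in
# which every entry commits to the previous one. The "device" below is a
# constructed byte string standing in for a seized disk.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def bitstream_copy(source: bytes) -> bytes:
    """Byte-for-byte duplicate, the job of dd or a write-blocked imager."""
    return bytes(source)

class CustodyLog:
    def __init__(self, acquisition_hash: str) -> None:
        self.acquisition_hash = acquisition_hash   # hash taken at seizure
        self.entries: List[dict] = []

    def add(self, handler: str, action: str, observed_hash: str, ts: float) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.acquisition_hash
        entry = {"handler": handler, "action": action, "observed_hash": observed_hash,
                 "timestamp": ts, "prev": prev}
        # the entry hash covers the previous hash, so later edits or deletions show
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> List[str]:
        """Problems found; an empty list means evidence and log are both intact."""
        problems = []
        if sha256_hex(evidence) != self.acquisition_hash:
            problems.append("evidence no longer matches the acquisition hash")
        prev = self.acquisition_hash
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            recomputed = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if e["prev"] != prev or recomputed != e["entry_hash"]:
                problems.append(f"custody entry {i} was altered or reordered")
            if e["observed_hash"] != self.acquisition_hash:
                problems.append(f"custody entry {i}: handler saw a different hash")
            prev = e["entry_hash"]
        return problems

DEVICE = bytes(range(256)) * 16          # constructed 4 KiB "disk"

def acquire_and_verify() -> List[str]:
    """Image the device, hash both sides, log the handovers, re-verify."""
    image = bitstream_copy(DEVICE)
    assert sha256_hex(image) == sha256_hex(DEVICE)      # rules 1 and 2
    log = CustodyLog(sha256_hex(DEVICE))
    log.add("Officer A", "acquired image", sha256_hex(image), ts=1.0)
    log.add("Analyst B", "received for analysis", sha256_hex(image), ts=2.0)
    return log.verify(image)                             # -> []

def tampered_image_report() -> List[str]:
    log = CustodyLog(sha256_hex(DEVICE))
    log.add("Officer A", "acquired image", sha256_hex(DEVICE), ts=1.0)
    return log.verify(DEVICE[:-1] + b"\x00")             # one byte changed
```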
60. 5. Analysis of Digital Evidence
• Text searches: scanning files, directories and even entire file systems for specific text terms.
• Image searches: identifying image files in various formats, and generating still frames of digitally stored video.
• Data recovery and identification: recovering all stored files, including deleted or damaged data.
• Data discovery: accessing hidden, encrypted or otherwise protected data.
• Data carving: reconstructing damaged files by retrieving portions of their content.
• Metadata recovery and identification: particularly useful for retracing the timeline of web accesses and file changes.
61. 6. Reporting of Digital Evidence Findings: This stage is of key importance for prosecutors, judges and lawyers, as the outcome of the trial will depend not only on the results achieved, but also on the clarity and comprehensibility of the report.
62. HOW TO COMBAT CYBERCRIME? DATA RETENTION AND ROLE OF ISP PROVIDERS
63. Data Retention - Definition
• Data retention (or data preservation) generally refers to the storage of call detail records (CDRs) of telephony and internet traffic and transaction data (IPDRs) by governments and commercial organisations.
• The digital data usually requested from ISPs during investigations can generally be divided between data identifying a potential offender (the IP address) and data demonstrating activity online (the log files).
64. Data Retention – Legal Framework
• In the wake of the terrorist attacks in Madrid and London (2004 and 2005 respectively), the European Parliament issued Directive 2006/24/EC.
• Legislating on data retention, the Directive sets out how traffic data can be stored by providers and the grounds on which the courts can access that data.
• Related directives: Directive 97/66/EC, Directive 2002/58/EC, Directive 2006/24/EC.
65. Data Retention – Directive 2006/24/EC
• Scope of application: serious crime
• Retention period: from 6 to 24 months
• Type of data: a) data necessary to trace and identify the source and destination of a communication; b) data necessary to identify the date, time, duration and type of a communication; c) data necessary to identify users’ communication equipment; d) data necessary to identify the location of mobile communication equipment.
66. Data Retention – Open Issues
1) There is no consistent approach across the EU to the period of retention among Member States.
2) There is no defined list of parties entitled to request such data.
3) ‘Serious crime’ is a generic term.
It is for these reasons that the Constitutional Courts of certain Member States (Germany, Romania and the Czech Republic) have declared the national law implementing the Directive to be unconstitutional, resulting in a legislative lacuna that does absolutely nothing to assist investigations. In addition, Austria and Sweden have decided against implementing the Directive, with heavy penalties being imposed by the European Commission as a result.
67. Data Retention – Retention Period. Of the twenty-two Member States that have implemented the Directive:
• Thirteen MS have decided that data may be kept for twelve months
• Five MS have established a longer period
• Four MS have gone for a shorter time limit
• Seven MS have established two periods of time for which data may be held: one for telephone traffic and the other for electronic data
68. Data Retention – Serious Crime. Of the twenty-two Member States that have implemented the Directive:
• Ten MS (Bulgaria, Estonia, Ireland, Greece, Spain, Lithuania, Luxembourg, Hungary, Netherlands, Finland) have defined ‘serious crime’ with reference to a minimum prison sentence, to the possibility of a custodial sentence being imposed, or to a list of criminal offences defined elsewhere in national legislation.
• Eight MS (Belgium, Denmark, France, Italy, Latvia, Poland, Slovakia, Slovenia) require data to be retained not only for the investigation, detection and prosecution of serious crime, but also in relation to all criminal offences.
• Four MS (Cyprus, Malta, Portugal, United Kingdom) refer to ‘serious crime’ or ‘serious offence’ without defining it.
69. Data Retention – Reimbursement of Costs and ISP Role
• The cost of setting up a system for retaining data for an internet service provider serving half a million customers is estimated at around € 375.240 in the first year and € 9.870 in operational costs per month thereafter; the cost of setting up a data retrieval system is estimated at € 131.190, with operational costs of € 28.960 per month.
• The Directive does not regulate the reimbursement of costs incurred by operators as a result of the data retention requirement.
• Of the twenty-two countries that have implemented the Directive, only 2 Member States reimburse both operational and capital expenditure (Finland, United Kingdom) and 6 Member States reimburse only operational expenditure (Belgium, Denmark, Estonia, France, Lithuania, Netherlands).
70. Data Retention – Conclusions
• The practical repercussion of this scenario is the following: when faced with a U.S., German, Austrian or Romanian ISP, law enforcement officers can never be sure whether the data they are after was deleted long ago or is still in storage.
• The conflict is even more acute in this case, since law enforcement not only insists that the Data Retention Directive is crucial to digital investigation, but would also like to see it applied to non-EU ISPs offering internet services in Europe.
• In light of this, Directive 2006/24/EC should be put under review, in full compliance with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.
71. CLOUD COMPUTING
72. Definition: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud computing has five essential characteristics: (i) on-demand self-service, (ii) broad network access, (iii) resource pooling, (iv) rapid elasticity, (v) measured service.
73. Definition: It has three service models and four deployment models.
74. Legal Aspect of the Cloud: From a legal standpoint, cloud computing services have to face two distinct issues:
1) Jurisdiction: the “loss of location” of digital evidence in the cloud world creates a problem of jurisdiction. With cloud computing, are the documents governed by the law of the state in which they are physically located, by the law of the place where the company possessing them is established, or by the law of the state where a person resides? Over the last few years, various approaches have been offered to solve this problem.
2) Privacy: the “lack of control” over the data (cloud clients may no longer be in exclusive control of their data and cannot deploy the technical and organisational measures necessary to comply with Data Protection Law) and the “absence of transparency” (insufficient information regarding the processing operation itself) are the main data protection risks of cloud computing.
75. 1. Jurisdiction – “The Patriot Act” issue
• August 23, 2011, Viviane Reding, Vice-President of the European Commission (E-006901/2011, answer to a parliamentary question): “In accordance with international public law, and in the absence of a recognised jurisdictional link, a foreign law or statute cannot directly impose legal obligations on organisations or undertakings established in a third country regarding the activities performed within the territory of that third country”
76. 1. Jurisdiction – “The Patriot Act” issue
• The Patriot Act is extraterritorial in application (Section 215 and Section 505).
• Under this Act, U.S. authorities are entitled to subpoena personal data relating to non-US citizens from any company that has “minimum contacts” with the U.S.
• Patriot Act, Sec. 215, Access To Records And Other Items Under The FISA: “The Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible property (including books, records, papers, documents, and other items) for an investigation for protecting against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment of the Constitution [...]”
77. 1. Jurisdiction – “The Patriot Act” issue
• “CloudSigma is operated and controlled by a Swiss AG, which is not subject to direct or indirect U.S. control”
• “City Cloud and Several Nines offer a partnership safe-haven from the Patriot Act in Sweden”
• Amazon Web Services (AWS) is subject to the US Patriot Act, but its chief technology officer, Werner Vogels, advocates encrypting private data for transit to the Cloud and employing best practice when it comes to classifying data.
78. 1. Jurisdiction – “The Patriot Act” issue. December 6, 2011, Viviane Reding, 2nd Annual European Data Protection and Privacy Conference, Brussels: “I am reading in the press about a Swedish company whose selling point is that they shelter users from the US Patriot Act and other attempts by third countries to access personal data”; “I do encourage cloud computing centres in Europe, but this cannot be the only solution. We need free flow of data between our continents. And it doesn't make much sense for us to retreat from each other”
79. 1. Jurisdiction – “The Patriot Act” issue. We have four different possible principles to solve the “loss of location” in a cloudy world:
• Territorial principle: the court in the place where the data is located has jurisdiction.
• Nationality principle: the nationality of the perpetrator is the factor used to establish criminal jurisdiction.
• “Flag principle”: crimes committed on ships, aircraft and spacecraft are subject to the jurisdiction of the flag state.
• “Power of Disposal Approach”: from a practical point of view, a regulation based on the power of disposal approach would make it feasible for law enforcement to access a suspect’s data within the cloud.
80. 2. Privacy – The WP29 Opinion
• Lack of control over the data
• Lack of integrity caused by the sharing of resources
• Lack of availability due to lack of interoperability
• Lack of intervenability due to the complexity and dynamics of the outsourcing chain
• Lack of information on processing (transparency)
• Lack of isolation: a cloud provider may use its physical control over data from different clients to link personal data
• Lack of confidentiality in terms of law enforcement requests made directly to a cloud provider
• Lack of intervenability (data subjects’ rights)
81. 2. Privacy – Possible solutions
1. Compliance with basic data protection principles
2. Transparency
3. Purpose specification and limitation (isolation)
4. Erasure of data
5. Technical and organisational measures of data protection and data security
6. Availability
7. Integrity
8. Confidentiality
82. 2. Privacy – Possible solutions. Articles 25 and 26 of Directive 95/46/EC provide for the free flow of personal data to countries located outside the EEA only if that country has an adequate level of data protection. The instruments are:
1. Safe Harbor and adequate countries: transfers to US organizations adhering to the Safe Harbor principles can take place lawfully under EU law, since the recipient organizations are deemed to provide an adequate level of protection to the transferred data.
2. Binding Corporate Rules: a code of conduct for companies which transfer data within their group.
3. Exemptions: apply only where transfers are neither recurrent, nor massive or structural.
4. Standard Contractual Clauses: adopted by the EU Commission for the purpose of framing international data transfers between two controllers, or between a controller and a processor; they are based on a bilateral approach.
83. 2. Privacy – Possible solutions. Proposal of Regulation on Data Protection:
• The right to be forgotten: EU citizens are to be entitled to require information online to be deleted.
• Privacy Officer: public bodies and businesses having a minimum number of employees are obliged to establish a data protection officer.
• Security: where information is lost (which is described as a serious breach), this will have to be reported, and even more complex security models will be required.
• One-Stop-Shop: businesses and individuals must be able to deal with one single point of contact.
• Cookies: the use of cookies online is regulated further, in line with the recent Cookies Law directive.
• Privacy by design: the regulation introduces an obligation to use technological means to ensure that personal data is automatically processed only to the extent that is absolutely necessary.
84. HOW TO COMBAT CYBERCRIME? PUBLIC PRIVATE PARTNERSHIP
85. Addressing the Problem - I
• Fighting cybercrime has always been a complex problem due to the number of ICT network users, the transnational nature of the Internet and its decentralised architecture. Cyber-criminals, and especially organised criminal groups, have been and will probably always remain several steps ahead of legislators and law enforcement agencies.
• Criminal-to-criminal (C2C) networks benefit from anonymous communications, automation of attacks and the difficulties that law enforcement agencies experience in determining location: servers with crime-ware could be in one country, while members of the network could be in another, targeting victims across the world.
86. Addressing the Problem - II
• In addition to strengthening the current legal frameworks, updating old legislation and harmonising laws on an international level, what is also needed is cross-sector cooperation at the national level as well as international cooperation in detecting, investigating and preventing e-crimes committed by organised criminal groups.
• Law enforcement agencies often find it difficult to keep abreast of the dynamic technical know-how and tools, so an effective “Public Private Partnership” is recommended to circumvent this problem.
87. How to develop an effective PPP. Main examples:
• operational cooperation in specific cases,
• cooperation in the case of websites containing illegal content such as child pornography or hate speech,
• private self-regulation through codes of conduct,
• sharing of necessary and relevant information across the private and public sector,
• setting up networks of contact points in both the private and the public sector.
88. Questions?
89. Contacts: Mr. Giuseppe Vaciago, University of Insubria, giuseppe.vaciago@uninsubria.it; Ms. Francesca Bosco, UNICRI Project Officer, bosco@unicri.it