1. Lessons learned in fighting cybercrime and cyber terrorism Albena Spasova International Cyber Investigation Training Academy
2. Evolution of cybercrime Web 1.0 Web 2.0 Web 3.0 What’s the future?
3. The dark side of Web 1.0 Traditional crime moved online
4. Web 1.0 - hacking
5. Web 1.0 - viruses
6. The dark side of Web 2.0 Traditional and dynamic phishing Botnets New tools for organized crime groups New tactics for terrorist groups
7. Cyber tactic 1. Espionage 2. Propaganda 3. Denial of Service (DoS) 4. Data interference 5. Infrastructure manipulation
8. Organized crime? “Old crimes, new tools and new crimes, new tools”
9. Botnets – What are they? Traditionally controlled through Internet Relay Chat (IRC)
10. Botnets – What are they?
11. Botnets – Chasing New Exploits Constantly looking for new exploits New infections before patch released
12. Botnets – Security Bulletin – 08/08/2006
13. Botnets – DHS Warning – 08/09/2006
14. Botnets – Bot in the Wild by Weekend
15. Botnets – How are they used? Sending Spam, Denial of Service Attacks, ID Theft, Spyware Delivery
16. Botnets – How are they used? ID Theft DDoS / SPAM attracted attention – botnets were shut down ISPs and Victims would monitor attacks to find bots Bad guys discovered that they could make $$$$ instead
17. Botnets – How are they used? Spyware Spyware / Adware used for advertisement delivery Popups Affiliate programs pay per install Bot Herders will install the spyware on their bots in order to get paid
18. Botnets – How are they used? Spyware
19. Botnets and eCommerce Specific uses of botnets targeted at abusing eCommerce users ID theft combined with proxy Dynamic Phishing Sites
20. Cases Simple case: mule receives money to a bank account and moves the money to another bank account Complex case: mule receives money via online payment system, transfers the money via bank to another account to another mule; next mule transfers the money through online payment system to a different mule – all actions happen in different states
21. Example of Fraudulent Scheme •Fraud groups from set up spoof sites all over the world •They convince victims to send money/goods to Spain, Italy, France, Belgium and more recently the UK • Runners or Arrows collect the money/goods from around the world and send it back to Fraudster Money flows
22. Investigation – challenges for law enforcement Where did the crime happen? Is the crime a crime in the jurisdictions involved? Who will investigate it? Who is behind it? Tracing back…
23. Tracing… While it's happening - where is the illegal activity taking place – who are the parties involved? Using information provided by ISPs and other communications providers – different legal requirements Encrypted communications
24. Tracing… Preservation of data Information kept must be sufficient to allow tracing Fast sharing of information
25. Tracing scheme…
26. Sharing electronic evidence internationally How long does it take to share information between two countries? What other challenges do we have in the process?
27. Challenges Legislation and jurisdiction Sufficient resources and personnel Localizing and identifying the “bad guys” Collect and share evidence internationally
28. Legal Instruments CoE Cybercrime Convention - 2001 Council Framework Decision 2005/222/JHA on attacks against information systems; Council Framework Decision 2004/68/JHA on combating the sexual exploitation of children and child pornography.
30. 1. Definition of cyber-crime Technology is rapidly evolving Definition – open, flexible, vague Balance between open legal requirements and national constitutional prohibitions Technology neutral language
31. Definition CoE Convention – technology neutral language - Art 1 Computer system Computer data Service provider
32. Definition No universally accepted definition Crimes related to cyberspace: no longer computer and internet crime “Information systems” – any device or a group of interconnected or related devices “Data” E.g. Personal digital assistant, modern car, mobile phone
33. Chapter II, Measures to be taken at the national level - Substantive criminal law Title I – Offences against the confidentiality, integrity and availability of data – illegal access, illegal interception, data interference, system interference, misuse of devices Title II – Computer-related offences – forgery, fraud; Title III - Content-related offences - child pornography/ Protocol – hate speech Title IV – Offences related to the infringements of copyright and related rights – copyright and related rights
34. Council Framework Decision 2005/222/JHA on attacks against information systems Approximation of criminal law systems: Illegal access to information systems Illegal system interference Illegal data interference
35. Example – cyber terrorism case Large scale attack against information systems – E.g. terrorist would attack information systems essential for international capital markets and break them down A computer-related offence – E.g. terrorist would take over an information system managing a nuclear facility and trigger a nuclear meltdown A content-related offence – E.g. terrorist disseminate propaganda/blueprints for bombs
36. Example Criminal hate speech: drafted in one place, transmitted through another and uploaded on a server in a third, viewed by the whole world State A State B State C
37. 2. Determining Jurisdiction CoE Cybercrime Convention: Territoriality principle Personality principle Protection principle Council Framework Decision 2005/222/JHA on attacks against information systems Territoriality principle Nationality principle When several MS have jurisdiction – decide Council Framework Decision 2004/68/JHA on combating the sexual exploitation of children and child pornography Territoriality principle Active personality principle The offence committed for the benefit of a legal person established in the territory of that MS
38. Problems Dual criminality Dual illegality Legal harmonization – for extraterritorial or universal jurisdiction
39. Toben Case – dual criminality/illegality In 1999 Australian national created a website in Australia, in English, which included a statement that Shoa never happened Site was viewed by Neo-Nazis Auschwitz denial is a crime in Germany under territoriality principle
40. Counter example Advertisement of beer in Germany can be accessed in Islamic countries
41. Counter example German Internet Blog critical of a dictatorship in the Far East Blog is accessible in these countries Conclusion: Degree of legal harmonization is necessary for legitimate extraterritorial or even universal jurisdiction
42. 3. Investigation: CoE Cybercrime Convention provisions Title 2 – Expedited preservation of stored computer data – “quick freeze” Title 3 – Production order Title 4 – Search and Seizure of stored computer data Title 5 – Real-time collection of computer data
44. Problems The use of remote forensic software to carry out remote search procedures, record VOIP communications, log keystrokes and passwords, identify IP addresses Data retention/data privacy Data Retention Directive – telecommunication service providers - anybody's traffic for up to 6 months Production order – produce specific data – passwords, encryption codes Proportional measures
45. 4. International Cooperation “Loopholes of jurisdiction” Cooperation is necessary: Extradition – serious crime offenses Mutual legal assistance Minimum of harmonization on substantive and procedural laws Private-public partnerships
46. 4. International Cooperation – CoE Convention Cooperation: Art. 24 Extradition Art. 25 Mutual Legal Assistance Art. 26 Spontaneous information Coordination: which state should do what – points of contact Harmonization: Substantive Procedural
47. Solutions: Adopt adequate legislation Assure sufficient law enforcement personnel with adequate training and resources Partnerships with industry Public awareness
48. Crime in a virtual world? Should we be concerned? Do worlds collide?
49. Virtual worlds In-world populations: Second Life (with over 16 million) Warcraft (12 million paid subscribers) Disney Club Penguin (expected to attract over 30 million participants) Together the population of these three virtual worlds alone exceeds the real-world populations of Canada, Australia and Ireland combined
50. Life in a virtual world: What can you do?
51. Life in a virtual world:
52. Interesting stats 567 mil. $ user to user transactions in 2009 65% jump from 2008 770.000 unique users made repeat visits to SL in December 2009 Residents cashed 55 mil. $ transferring to PayPal Land barons make 12 mil. $ untidily per year Users control IPRs of what they build Average price per island is 1000 $
53. Virtual money Money launderers can now move illicit cash through the growing number of virtual reality role-playing games, and convert that cash into real currency before withdrawing it from ATMs worldwide. One wonders just how many laundrymen have tumbled to this cyberlaundering opportunity. Compliance officers at financial institutions please note that their banks may be guilty of money laundering if they facilitate deposits or payments in these virtual worlds, for there is no functional due diligence on players or recipients.
54. Scenario LD$
55. Imagine this scenario All accounts with counterfeit identification
56. Policing the virtual world: Real Police
57. In conclusion… EU Regulations are coming Take a step at a time Thank you!
58. Conclusions Prevention: Increase Internet culture Protection: people and infrastructures Cooperation: law enforcement and judiciary Responsibility: national, regional, global Financing…
59. Albena Spasova, President of the Management Board, International Cyber Investigation Training Academy, Sofia, Bulgaria; Associate Professor, Technical University, Lille – 1, France; www.cybersafetyblog.eu; аspasova@firstname.lastname@example.org; Tel. 0887 30 32 89