

DefCamp 2013 - Cops hacking into computers to investigate crimes

  1. Cops hacking into computers to investigate crimes What could go wrong?
  2. Panel
     Moderator:
     • Lucian Constantin, Romania Correspondent for IDG News Service (PCWorld, Computerworld etc.)
     Participants:
     • Carsten Eiram, Chief Research Officer at Risk Based Security, vulnerability research and management expert with 10 years of experience, led the research team at Secunia
     • Raoul “Nobody” Chiesa, Founder & President The Security Brokers, Member of the European Network & Information Security Agency (ENISA) Permanent Stakeholders’ Group (PSG), UN agency “UNICRI” (United Nations Interregional Crime and Justice Research Institute), working on “HPP”, the Hackers Profiling Project run by ISECOM and UNICRI; in 2005 he was officially recognized as a cybercrime advisor.
     • Bogdan Manolea, Executive Director of Association for Technology and Internet, legal advisor, IT&C law expert, Editor of EDRi-gram, a biweekly newsletter on digital civil rights in Europe.
     • Silviu Sofronie, Forensics Specialist at Bitdefender, acts as liaison with law enforcement
  3. What we know so far • In October 2012, the Dutch Minister of Justice proposed a law that would allow law enforcement (police) to remotely infiltrate computers and install surveillance software and gather evidence. • The new legislation will provide strict safeguards for the proposed investigative powers, Opstelten said. Law enforcement authorities will only be able to exercise such powers when investigating offenses that carry a maximum prison sentence of four years or more and only after obtaining authorization from a judge, he said. Furthermore, all such actions will be automatically logged and the logs will be accessible for later review.
  4. What we know so far • Draft presented in May 2013 (obviously in Dutch) • Some highlights: • The Dutch proposal allows police "lawful intrusion" into computers located in the Netherlands or computers whose location cannot be established (like those running Tor hidden services). If the computer is clearly in another country, the intrusion shouldn't take place. • The Dutch proposal is not limited to cybercrime. It does seek to restrict the use of such intrusions only for serious offenses -- offenses that carry a certain minimum prison sentence. • It's not only about hacking to gather evidence, but also to disrupt/stop attacks or crimes in progress.
  5. What we know so far • We don’t call it hacking, and we definitely don’t call it hacking back, because we won’t be waiting until we are hacked. The more appropriate term would be “lawful intrusion,” - Peter Zinn, a senior cybercrime adviser for the Dutch National High Tech Crime Unit (NHTCU) • Lawful interception and intrusion, done in a very strict and transparent manner, will be necessary because in many cases cybercriminals will not be from neighboring countries and may not even be from the European Union. They will be from areas where it will be very hard to gather evidence from, and we might not even be able to call the police force that has the capacity to help us. - Troels Oerting, the head of the European Cybercrime Centre (EC3) at Europol • There are already similar agreements in the physical world. The Schengen Area agreement, an agreement among 25 European countries that abolishes passport and immigration control at their common borders, allows police officers from one country to follow suspects into another country while in hot pursuit - Troels Oerting, the head of the European Cybercrime Centre (EC3) at Europol
  6. What we know so far • In the physical world, a police officer has the power to detain suspects for 24 hours, search their bodies for evidence, search their houses for evidence, use violence against suspects if they don’t comply with orders and even shoot them in certain circumstances, Oerting said. “We accept this because we have a transparent system, we have rules and we have the rule of law.” • Why is it, then, that if they do some of those same things on a computer, it suddenly becomes such a big privacy issue and those actions should be banned? he asked. “I think that we need to have a balance between privacy, which I think we should respect, and anonymity, which I think is dangerous.”
  7. What can go wrong?
     • How will this influence the market for zero-day vulnerabilities and overall security of software? What are the implications of police joining intelligence agencies in buying 0days? Will this create an incentive to keep those vulnerabilities unpatched? Will it decrease overall software security or keep it from improving?
     • Legal and privacy considerations? Will Dutch police violate the laws of other countries? Should they be arrested if they travel there? If a lawyer claims police planted the evidence obtained in this way, can police disprove it, given how computers work and the computer environment?
     • Who will help police do this? Should the police hire ethical hackers (consultants) or should they train their own people?
     • How will security vendors respond? Will they differentiate between police attacks and malicious attacks?
     • Ethical considerations.
  8. Q&A Thank you Previous coverage: • nt_Seeks_to_Let_Law_Enforcement_Hack_Foreign_Co mputers • tch_bill_would_give_police_hacking_powers?taxonom yId=82&pageNumber=1