Cybercrime, Digital Investigation and Public Private Partnership
2° INFOSEC DAY – OCTOBER 2, 2012 – LISBON
Francesca Bosco and Giuseppe Vaciago
Agenda
•  What is Cybercrime?
•  The Underground Economy
•  Crimes & Techniques Focus
•  Who are the Criminals?
•  Addressing the Problem
•  Digital Forensics
•  Digital Investigation
•  Data Retention
•  Cloud Computing
Every new technology opens the doors to new
criminal approaches
CYBERCRIME
WHAT DO YOU KNOW?
CYBERCRIME
WHAT DO YOU WANT TO KNOW?
What is cybercrime?
Many possible definitions - no widely accepted one
Any conduct proscribed by legislation and/or jurisprudence that
(a) is directed at computing and communications technologies themselves;
(b) involves the use of digital technologies in the commission of the
offence; or
(c) involves the incidental use of computers with respect to the
commission of other crimes.
Forms
•  crimes against the confidentiality, integrity or availability of computer
systems (e.g. theft of computer services)
•  crimes associated with the modification of data (e.g. theft of data)
•  content-related crimes (e.g. dissemination of illegal and harmful
material, child pornography)
•  relation between terrorism and the Internet (e.g. terrorist propaganda,
recruitment for terrorist organizations)
Brazil
United States
China
Germany
India
Italy
Taiwan
Russia
Poland
United Kingdom
Major Threats and Countries Subjected to Attacks
•  Malware (Malicious Code)
•  Botnets
•  Phishing
•  Spam
•  SQL-Injection
Malicious Activity 18% | Threat Rank: Malware 1, Spam 10, Phishing 1, Botnets 1, SQL-injection 2
Malicious Activity 7% | Threat Rank: Malware 8, Spam 1, Phishing 9, Botnets 3, SQL-injection 6
Malicious Activity 7% | Threat Rank: Malware 3, Spam 9, Phishing 4, Botnets 5, SQL-injection 1
Malicious Activity 6% | Threat Rank: Malware 15, Spam 7, Phishing 3, Botnets 6, SQL-injection 5
Malicious Activity 5% | Threat Rank: Malware 2, Spam 2, Phishing 18, Botnets 19, SQL-injection n/a
Malicious Activity 4% | Threat Rank: Malware 13, Spam 12, Phishing 12, Botnets 4, SQL-injection n/a
Malicious Activity 3% | Threat Rank: Malware 22, Spam 20, Phishing 16, Botnets 2, SQL-injection 7
Malicious Activity 3% | Threat Rank: Malware 11, Spam 4, Phishing 7, Botnets 13, SQL-injection n/a
Malicious Activity 3% | Threat Rank: Malware 19, Spam 5, Phishing 10, Botnets 7, SQL-injection n/a
Malicious Activity 3% | Threat Rank: Malware 4, Spam 22, Phishing 6, Botnets 15, SQL-injection 4
Most Targeted Industry Sector 1° Quarter ‘12
Source APWG - Phishing Activity Trends Report
Top 20 countries with the highest rate
of cybercrime attacks
Source: Symantec - Last update 7/26/12
Complaints of online crime, 2011
at the Internet Crime Complaint Center (USA)
The 2011 IC3 Internet Crime Report reveals both the scope of online crime and IC3’s battle against it. The most common
victim complaints included FBI-related scams, identity theft and advance fee fraud.2 IC3 received and processed more than
26,000 complaints per month. Based on victim complaints, the top five states were California (34,169), Florida (20,034),
Texas (18,477), New York (15,056) and Ohio (12,661). Victims in California reported the highest dollar losses with a total
of $70.5 million. For victims reporting financial losses, the average was $4,187.
IC3 serves as a powerful conduit for law enforcement to share information and pursue cases that often span jurisdictional
boundaries. Collaboration within this partnership has produced a number of technological advancements to streamline
how the public’s complaints are processed and referred to investigators. Initially established as simply a convenient
method for citizens to report Internet crime information, IC3 has evolved into a vital resource for both victims of
online crime and for law enforcement across the country that investigate and prosecute a wide range of cases.
1 Methodology of evaluating loss amounts: FBI IC3 Unit staff reviewed for validity all complaints that reported a loss of more than $100,000. Analysts also converted losses reported
in foreign currencies to dollars. The final amounts of all reported losses above $100,000 for which the complaint information did not support the loss amount were excluded from
the statistics.
2 Complaint category statistics that are based on the perceptions of the complaints are not typically accurate for statistical purposes. The statistics pulled from the complaints
2000: 16,838
2001: 50,412
2002: 75,064
2003: 124,449
2004: 207,449
2005: 231,493
2006: 207,492
2007: 206,884
2008: 275,284
2009: 336,655
2010: 303,809
2011: 314,246
Yearly Comparison of Complaints3
Total loss in 2011: $ 485.253,871
Source: Internet Complaint Centre
Why has Cybercrime become so pervasive?
①  Extremely profitable
②  Very low infrastructure cost and readily available attack
tools
③  Barriers to prosecution combined with weak laws and
sentencing
④  Anonymity and financial lure have made cyber-crime
more attractive
⑤  Separation between the physical and virtual world
⑥  Organized cybercrime groups can conduct operations
without ever making physical contact with each other
Trends of organized crime:
Transnational, Adaptive, Multifaceted
A. Drug trafficking
B. Illicit arms trade
C. Trafficking and smuggling of human beings
D. Traffic of human organs
E. Counterfeiting
F. Environmental-related crimes
G. Maritime piracy
H. Cyber crime
I. Financial crimes: corruption, money laundering
Cybercrime today
Organized Crimes Activities Shift
Original Activity | Modern Version
Local numbers gambling | Internet gambling (international sites)
Street prostitution | Internet prostitution
Heroin, cocaine trafficking | Synthetic drugs (less vulnerable to supply problem)
Extortion of local businesses for protection | Extortion of corporations, kidnappings
Loansharking | Money laundering, precious stones, commodities
Fencing stolen property | Theft of intellectual property
How the black market works
The black market: what they offer
Underground Economy Business Model
Organised crime borrows and copies business models from the
legitimate economy sector. Cyber-criminals employ models similar to
the B2B (business-to-business) for their operations, such as the
highly sophisticated C2C (criminal-to-criminal) models, which use very
effective crime tools available through digital networks.
Underground Economy Cooperation Model
CRIMES & TECHNIQUES
FOCUS
1. Malware/spam and the underground economy
§  Players in the underground economy include:
Ø  Malware writers and distributors (trojans, spyware,
keyloggers, adware, riskware, …)
Ø  Spammers, botnet owners, drops
Ø  Various middlemen
§  Emergence of institutional arrangements to enhance
“trust” in the underground economy
Ø  Service level agreements, warranties, etc.
§  Steady stream of new attacks
E.g.: spear-phishing, chained exploits, exploitation of social
media.
1. Example of possible financial flows
[Figure: financial flows numbered 1 to 14 between Hardware, software; Security service providers; Fraudsters, criminals; ISPs; Individual users; Business users; Government; Society at large]
1: Extortion payments, click fraud, compensated costs of ID theft and phishing
2: Uncompensated costs of ID theft and phishing, click through, pump and dump schemes, Nigerian 419 scams, and other forms of consumer fraud
3, 4, 5, 6: Hardware purchases by criminals, corporate and individual users
7, 8, 9, 10: Security service purchases by hardware manufacturers, corporate and individual users, ISPs
11, 12, 13: ISP services purchased by corporate and individual users, criminals
14: Payments to compensate consumers for damages from ID theft (if provided)
Legend: Legal financial flows; Potentially illegal financial flows
2. Data Theft
(what data are we talking about?)
Personally Identifiable Information (PII):
Identifying information means any name or
number that may be used alone or with other
information to identify a specific person:
Name, social security number, date of birth,
official State or government issued driver’s
license or identification number, alien
registration number, government passport
number, employer or taxpayer identification
number, biometric data, etc.
Likely one of the most valuable assets that we
have and one that businesses need to protect.
Why? Information is exponential and reusable.
Information can be sold to multiple buyers and
can be used in many profitable ways.
3. ID Theft
•  ID Theft is the fastest growing crime
in the world.
•  Over 9 million victims a year on
average worldwide
•  Studies on the total cost of identity
theft vary. One study indicates that
identity theft cost U.S. businesses
and consumers $50 to $60 billion
dollars a year
•  Individual victims lose an average of
$1,500.00 each in out of pocket
expenses and require tens or
hundreds of hours to recover – some
never do.
Use of email to trick someone into
providing information or going to a
malicious Web site by falsely
claiming to be from a known entity.
These attacks are becoming more
and more sophisticated. Use of
social networking sites will become
an issue.
4. Phishing
5. Botnet Definition
A Botnet is a network of compromised machines (bots) remotely
controlled by an attacker.
[Figure: the attacker sends commands to the bots, which carry out the attacks. Key: B = Bot, U = Uncompromised Host]
Botnet Breakdowns
Overall messaging botnet growth jumped up sharply from last quarter. Infections rose in Colombia,
Japan, Poland, Spain, and the United States. Indonesia, Portugal, and South Korea continued to de
[Charts: Global Botnet Infections, APR 2011 to MAR 2012; New Botnet Senders by country (Argentina, Australia)]
5. Botnet Statistics
Source: McAfee Threats Report: First Quarter 2012
WHO ARE THE CRIMINALS ?
Who are the criminals?
Are financially-motivated cyber-criminals actively working with
traditional organized crime groups?
Or are they opportunistically organizing among themselves?
Or, still, are they simply passively working with O.C. groups for
support tasks, e.g. money laundering?
Four case-studies
•  Formed around 2002
•  2008 revenue estimated at $180 million
•  Estimated to employ 200-500 staff (HR, call center operators to dissuade
victims and avoid credit complaints, malware & scareware developers,
etc…) in Ukraine, India, and the United States
•  Criminal activities: Scareware (or “Ransomware”, meant to frighten users
into providing their credit card data in order not to lose their data), Adware,
Credit Card Fraud (Reselling of the credit cards “customers” were
ransomed into providing to IMU). Early activities included the selling of
pirated media (music, pornography) and software as well as
pharmaceuticals such as Viagra
•  2010: F.T.C. persuades a U.S. federal judge to fine IMU and two associated
individuals $163 million USD
Case Study:
1. Innovative Marketing Ukraine
•  The bank is using an OTP system to authorize large transactions
•  A Trojan is used to steal IMEI (international mobile equipment identity)
numbers from account holders when they log in to their online banking
application
•  Once they have acquired the IMEI number, the criminals contact the victim’s
wireless service provider, report the mobile device as lost or stolen, and
request a new SIM card.
•  With this new SIM card, all OTPs intended for the victim’s phone are sent to
the fraudster-controlled device.
Case Study:
2. Banking Fraud Scheme
•  An IT company hires some engineers after they resigned from a
competitor; the day before their resignation, they downloaded some
confidential files from the competitor’s laptops
•  The mere existence of industrial secrets and their potential access by a
former employee is not sufficient to give rise to civil and/or criminal liability.
In both cases you need to prove the transfer of documents or the disclosure
of information directly to the competitor
•  The crime of unlawful access to an IT system is committed by a person who
violates the owner’s prescriptions and limits on accessing and remaining on
the system, whatever the aim or target of the unlawful access; but in
this case the access was made the day before the resignation, so the
engineers were still entitled to access the files.
Case Study:
3. Mix between cyber and non-cyber crime
1)  Friend posts update on FB
2)  You click in to the update
3)  You’re redirected to a website run by Koobface
4)  “Video can’t load, Download latest version of flash”
5)  You download/install the software
Case Study:
4. Koobface – The value of “Big Data”
•  Social Networks are so attractive because they potentially contain information useful for:
cyber stalking, industrial espionage, private data used in a Pay per Click (PPC)
system, cyber terrorism.
•  Koobface is a worm that targeted Facebook and other social media sites. Its goal
was to gather login information for purposes of building a peer to peer botnet
•  It originally appeared in May 2008; after 2 years the Koobface botnet was composed of
400.000 to 800.000 PCs worldwide and had earned more than 4 million dollars
•  The mechanism was very simple:
•  The botnet master made a mistake - namely using his
personal email for registering a domain parked
within Koobface's infrastructure
•  The same email krotreal@gmail.com was used
to advertise the sale of Egyptian Sphynx kittens
on 05.09.2007.
•  The following telephone belonging to the
suspected person was provided. The interesting
part is that the same telephone was also used in
another advertisement, this time for the sale of a
BMW
•  The final result was that in January 2012
Facebook identified Anton Nikolaevich Korotchenko
and 4 other subjects as the authors of Koobface.
Case Study:
4. Koobface – The investigation
HOW TO COMBAT CYBERCRIME?
WHAT DO YOU KNOW ABOUT
DIGITAL FORENSICS?
Digital forensics is concerned with how to store, identify, acquire, record
or interpret the data on a digital device. On a general level it’s about
finding the best way to:
•  get hold of evidence without modifying the IT system in which that
evidence is found;
•  ensure that the evidence acquired in another medium is identical to
the original;
•  analyse data without modifying it.
Corporate forensics is nothing more than the steps taken in order to
preserve any digital evidence to be submitted in court proceedings and
to ensure that it isn’t modified when the techniques of digital forensics
are put into play.
Digital Forensics - Definition
During the forensic analysis of modifiable media, the hash guarantees
the integrity of the data that it contains.
The hash is a function that operates in one direction
(meaning that it cannot be reversed), by means of which a document
of arbitrary length is converted into a limited and fixed length string.
This string represents a sort of ‘digital fingerprint’ of the non-encrypted
text, and is called the Hash Value or the Message Digest.
If the document is modified even to the slightest extent, then the
fingerprint changes as well. In other words, by calculating and
recording the fingerprint, and then recalculating it, it can be shown
beyond all doubt whether the contents of the file, or the medium, have
been altered, even accidentally.
Two Rules for Digital Forensics:
Hash Functions
Anyone wanting to validate the content of an e-mail or an entire
hard disk has to make a particular type of copy: a bit-stream
image that ‘clones’ the entire hard disk.
The bit-stream copy is a particular form of duplication in which
the content of the physical unit is read sequentially, loading each
time the minimum quantity of data that can be addressed,
then recording it in the same sequence on a standard
binary file, generating a physical image of the original medium.
Two Rules for Digital Forensics:
Bit-Stream Copy
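The two rules above combined in one acquisition routine, as an added example that is not part of the original slides: the source is read sequentially in fixed-size blocks, written in the same order to an image file, and hashed while it is read. SHA-256, the 512-byte block size, the file names and the 4 KiB constructed "medium" are assumptions of this example.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # assumed sector size for this example


def bitstream_copy(src_path, dst_path, block_size=BLOCK_SIZE):
    """Read src sequentially block by block, write each block to dst in the
    same order, and hash the data as it is read.
    Returns (SHA-256 hex digest of the data read, number of bytes copied)."""
    digest = hashlib.sha256()
    copied = 0
    # The source is opened read-only so the acquisition cannot modify it.
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            digest.update(block)
            dst.write(block)
            copied += len(block)
    return digest.hexdigest(), copied


def file_sha256(path, block_size=BLOCK_SIZE):
    """Recalculate the fingerprint of a file, reading it in blocks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def flip_one_bit(path, offset):
    """Simulate the slightest possible alteration: invert one bit in place."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        original = fh.read(1)[0]
        fh.seek(offset)
        fh.write(bytes([original ^ 0x01]))


def demo():
    workdir = tempfile.mkdtemp(prefix="acquisition-")
    source = os.path.join(workdir, "seized_medium.raw")   # hypothetical name
    image = os.path.join(workdir, "seized_medium.img")    # hypothetical name

    # Constructed sample medium: two zero-padded "sectors" plus filler data.
    sample = (b"BOOT".ljust(512, b"\x00")
              + b"thesis_draft.doc".ljust(512, b"\x00")
              + bytes(range(256)) * 12)
    with open(source, "wb") as fh:
        fh.write(sample)

    # Rule 2: bit-stream copy. Rule 1: record the hash at acquisition time.
    recorded, copied = bitstream_copy(source, image)
    result = {
        "bytes_copied": copied,
        "source_unchanged": file_sha256(source) == recorded,
        "image_matches": file_sha256(image) == recorded,
    }

    # Any later alteration of the image, even one bit, breaks the match.
    flip_one_bit(image, offset=1000)
    result["image_matches_after_bit_flip"] = file_sha256(image) == recorded
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Padding and zeroed areas are copied along with the named content, which is what separates the image from a file-level copy.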
Italian Case Law on Digital Forensics
Digital evidence can be altered and can contain countless pieces of
information. The “Garlasco” case is a clear example of this.
Alberto Stasi was acquitted of the murder of his girlfriend, Chiara Poggi, by the Court
of First Instance in December 2009 and the judgement was confirmed by the
Appeal Court in December 2011.
The “Garlasco” case: the “IT alibi”
13/08/07: Chiara Poggi died between 10.30 and 12.00
13/08/07: Stasi wakes up at 9, telephones Chiara Poggi, works on his thesis
14/08/07: Stasi voluntarily hands over his PC to the Police
29/08/07: After working on the PC the Police hands it over to the Scientific Investigation Group
17/03/09: The expert report requested by the judge shows that Stasi was working on his thesis during the period when Chiara Poggi was killed
17/12/09: Judge Vitelli acquits Stasi of murder
HOW TO COMBAT CYBERCRIME?
WHAT DO YOU KNOW ABOUT
DIGITAL INVESTIGATIONS?
 
	
  
Digital Investigation – 6 Steps
With a warrant, the location is searched, any computer systems and
media are seized and the media are examined for any digital evidence
With the IP address, law enforcement can obtain the customer’s
address from the Access Provider
Law enforcement uses the court system to compel an ISP, in order to
obtain the IP address of the suspected user
1. Identify the Suspect
When investigating cybercrimes committed online, the “traditional”
approach is as follows:
No connection between what is observed and
what is found in the search and seizure
procedure
Difficult to identify a seized machine as the
same one that was investigated remotely
Difficult to identify a user (multiple user IDs or
multiple IP addresses over time, particularly
when driving around open Wifi, proxy, botnet, TOR)
1. Identify the Suspect – Challenges
The challenges are as follows:
Understanding social engineering techniques
means knowing where any digital traces might be
found
Immediate action means more information being
gathered (data retention)
Public-Private Partnership between Law
Enforcement/ISPs/Internet Companies/Academia
can be of enormous help in complex investigations
You cannot (always…) identify a cybercriminal on Google ;)
1. Identify the Suspect – Solutions?
1. Identify the Suspect – Solutions?
The results of this investigative activity have been
excellent, but what about Privacy?
Mr Palazzolo, a treasurer for the mafia, on the run for 30 years, was
discovered by monitoring his Facebook profile.
1. Identify the Suspect – Solutions?
Face Recognition Project, Alessandro Acquisti
CCTV
Fair Fax Media
1. Identify the Suspect – Solutions?
2. Detecting Illegal Contents
The investigative tool most frequently used for carrying out an online
investigation is hashing.
For example, starting with a file containing illegal content, it is possible to convert
it into a message digest and to carry out a fast search inside a
storage medium (hard drive, flash disk) or within the network (P2P
networks).
Ferrari.jpg, Ferrari_copy.jpg
HASH SHA-1: 051ed4dbdb9bcd7957aa7cbb5dfd0e94605cd887
What happens if I just change the file in an infinitesimal way?
Ferrari.jpg HASH: 051ed4dbdb9bcd7957aa7cbb5dfd0e94605cd887
Ferrari_copy2.jpg HASH: a9fa2933484f828b95c1dde824dea28f35b509d6
The hash does not match and the search will not generate
results
2. Detecting Illegal Contents - Challenge
For this reason, there are techniques (e.g. fuzzy hashing) and
various types of algorithms that allow a “certain degree of
similarity” to be identified.
One good tool is SSDEEP, written by Andrew Tridgell
and used for detecting spam.
Also available online: pHash (the open source perceptual hash
library)
2. Detecting Illegal Contents – Solutions?
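The challenge and the fuzzy-hashing idea from the two slides above, side by side, as an added example that is not part of the original slides. The piecewise digest below is a simplified illustration of similarity hashing, not the algorithm of ssdeep or pHash; the file contents are constructed random bytes standing in for the Ferrari files, and the 0.5 threshold is an assumption.

```python
import hashlib
import random

WINDOW = 7            # bytes in the rolling window (assumed parameter)
BOUNDARY_MASK = 0x3F  # cut when the low 6 bits are all set: ~64-byte pieces
THRESHOLD = 0.5       # assumed similarity score needed to flag a file


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def piecewise_digest(data):
    """Cut the data at content-defined boundaries and return the set of short
    hashes of the pieces. A boundary depends only on the last WINDOW bytes,
    so a local edit changes the pieces around it and leaves the rest intact."""
    pieces = set()
    start = 0
    rolling = 0
    for i, byte in enumerate(data):
        rolling += byte
        if i >= WINDOW:
            rolling -= data[i - WINDOW]
        long_enough = i + 1 - start >= WINDOW
        if long_enough and (rolling & BOUNDARY_MASK) == BOUNDARY_MASK:
            pieces.add(sha1_hex(data[start:i + 1])[:8])
            start = i + 1
    if start < len(data):
        pieces.add(sha1_hex(data[start:])[:8])
    return pieces


def similarity(a, b):
    """Jaccard similarity of the two piece sets, from 0.0 to 1.0."""
    da, db = piecewise_digest(a), piecewise_digest(b)
    if not da and not db:
        return 1.0
    return len(da & db) / len(da | db)


def scan(reference, candidates, threshold=THRESHOLD):
    """Compare every candidate with the reference file, exactly and fuzzily."""
    ref_sha1 = sha1_hex(reference)
    report = {}
    for name, data in candidates.items():
        score = similarity(reference, data)
        report[name] = {
            "exact": sha1_hex(data) == ref_sha1,
            "score": score,
            "fuzzy": score >= threshold,
        }
    return report


def sample_bytes(seed, size=4096):
    """Constructed stand-in for file contents (deterministic random bytes)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def demo():
    reference = sample_bytes(seed=1)      # plays the role of Ferrari.jpg
    altered = bytearray(reference)
    altered[2000] ^= 0xFF                 # change a single byte
    candidates = {
        "Ferrari_copy.jpg": reference,
        "Ferrari_copy2.jpg": bytes(altered),
        "unrelated.jpg": sample_bytes(seed=2),
    }
    return scan(reference, candidates)


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: exact={row['exact']} score={row['score']:.2f} "
              f"fuzzy={row['fuzzy']}")
```

Byte-level similarity of this kind tolerates local edits; an image that has been re-encoded or resized changes in every byte, which is the case perceptual hashing addresses.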
2. Detecting Illegal Contents - Solutions
The more complex techniques have a 20% degree of error
What does it mean?
No problem if there are false positives. Human checking is
sufficient.
But in the case of false
negatives?
False negatives =
(i.e., illegal content incorrectly deemed as non-illegal)
False positives =
(i.e., non-illegal content incorrectly deemed as illegal)
2. Detecting Illegal Contents - Solutions
Internet Surveillance Plans
On December 20, 2006, Article 5.2(11) of the Law
on the Protection of the Constitution in North
Rhine-Westphalia was amended with the
introduction of provisions on remote intelligence-gathering,
both online and by accessing
information technology systems.
Private computer systems could be covertly
accessed “remotely”, thanks to software
(keylogger and sniffer programs) installed on the
target system without the owner’s knowledge, for
instance, in the form of Trojans incorporated within
or disguised as harmless content, by convincing
the owner to voluntarily upload the relevant
spyware or disclose passwords through cleverly
devised social engineering initiatives.
2. Detecting Illegal Contents - Solutions
On February 27, 2008 the German Constitutional Court determined
that the amendment of the North Rhine-Westphalia Law was unconstitutional as it
violated:
The Constitutional Court establishes a new “Right to the
Confidentiality and Integrity of Information Technology
Systems” (right to the free development of one’s personality), read in
conjunction with Article 1.1 GG (right to human dignity).
2. Detecting Illegal Contents - Solutions
Just three years after the ruling by the German Constitutional
Court, Germany’s Justice Minister has called for an
investigation after authorities in at least four German states
acknowledged using computer spyware to conduct surveillance
on citizens (Bavaria, Baden-Wurttemberg, Brandenburg and
Lower Saxony)
2. Detecting Illegal Contents - Solutions
3. Validating Digital Evidence
In order for digital data to be admitted as evidence at trial, law
enforcement officers handling the same must respect the “two
fundamental digital forensics rules” mentioned above
But, what happens if the digital data is in the Cloud?
Bitstream Copy
Hash function
3. Validating Digital Evidence - Challenge
The new challenge with Cloud computing is a loss of data
location due to:
- “Data at rest” does not reside on the device.
- “Data in transit” cannot be easily analysed because of
encryption.
- “Data in execution” will be present only in the cloud instance
The investigator who wants to capture the bit-stream data of a
given suspect image will be in the same situation as someone
who has to complete a puzzle, whose pieces are scattered
randomly across the globe
3. Validating Online Digital Evidence - Solution
How is it possible to validate online digital evidence and
immediately show that a particular piece of data on a particular
online site is certain?
4. Chain of Custody of the digital evidence
•  When digital evidence can be used in court, it must be
handled in a careful manner to avoid later allegations of
tampering or misconduct which can compromise the case.
•  Digital storage media last less than analogue media and
devices to read such media last even less.
•  Domesday Book (1086): legible after over 900 years.
•  Domesday Book 2 (1983): LaserDisc: illegible after 15
years.
5. Analysis of Digital Evidence
•  Text searches: aimed at scanning files, directories and even
entire file systems for specific text terms
•  Image searches: aimed at identifying image files in various
formats, and at generating still frames of digitally stored
video
•  Data recovery and identification: this technique is aimed
to recover all files stored, including deleted or damaged data
•  Data discovery: it is targeted at accessing hidden,
encrypted or otherwise protected data
•  Data carving: it focuses on reconstructing damaged files by
retrieving portions of their content.
•  Metadata recovery and identification: this digital forensic
tool is particularly useful for retracing the timeline of web
accesses and file changes
6. Reporting of Digital Evidence Findings
This stage is of key importance for Prosecutors, Judges and
lawyers, as the outcome of the trial will depend not only on
results achieved, but also the degree of clarity and
comprehension of the report.
HOW TO COMBAT CYBERCRIME?
DATA RETENTION AND ROLE OF
ISP PROVIDERS
Data Retention - Definition
•  Data retention (or data preservation) generally refers to
the storage of call detail records (CDRs) of telephony and
internet traffic and transaction data (IPDRs) by
governments and commercial organisations.
•  The digital data usually requested from ISPs during
investigations can generally be divided up between data
identifying a potential offender (the IP address) and data
demonstrating activity on line (the log files).
Data Retention – Legal Framework
•  In the wake of the terrorist attacks in Madrid and London
(2004 and 2005 respectively), the European Parliament
issued Directive 2006/24/EC.
•  Legislating over data retention, the Directive sets out how
traffic data can be stored by the providers and the grounds
on which the courts can access that data.
Directive 97/66/EC
Directive 2002/58/EC
Directive 2006/24/EC
Data Retention – Directive 2006/24/EC
•  Scope of application: serious crime
•  Retention period: from 6 months to 24 months
•  Type of data:
a)  data necessary to trace and identify the source and destination of
a communication
b)  data necessary to identify the date, time, duration and type of a
communication
c)  data necessary to identify users' communication equipment
d)  data necessary to identify the location of mobile
communication equipment
Data Retention – Open Issues
1)  There is no consistent approach across the EU of the
period of retention among Member States
2)  No defined list of parties entitled to request such data
3)  ‘Serious crime’ is a generic term
It is for these reasons that the Constitutional Courts in certain
Member States (Germany, Romania and the Czech Republic)
have declared national law implementing the Directive to be
unconstitutional, resulting in a legislative lacuna that does
absolutely nothing to assist investigations. In addition, Austria
and Sweden have decided against implementing the Directive,
with heavy penalties being imposed by the European
Commission as a result.
Data Retention – Retention Period
Of the twenty-two Member States that have implemented the Directive:
•  Thirteen MS have decided that data may be kept for twelve months
•  Five MS have established a longer period
•  Four MS have gone for a shorter time limit
***
•  Seven MS have established two periods of time for which data may
be held: one for telephone traffic and the other for electronic data
Data Retention – Serious Crime
Of the twenty-two Member States that have implemented the Directive:
•  Ten MS (Bulgaria, Estonia, Ireland, Greece, Spain, Lithuania,
Luxembourg, Hungary, Netherlands, Finland) have defined 'serious
crime', with reference to a minimum prison sentence, to the
possibility of a custodial sentence being imposed, or to a list of
criminal offences defined elsewhere in national legislation.
•  Eight MS (Belgium, Denmark, France, Italy, Latvia, Poland, Slovakia,
Slovenia) require data to be retained not only for investigation,
detection and prosecution in relation to serious crime, but also in
relation to all criminal offences
•  Four MS (Cyprus, Malta, Portugal, United Kingdom) refer to
‘serious crime’ or ‘serious offence’ without defining it.
Data Retention – Reimbursement of Costs and ISP Role
•  The cost of setting up a system for retaining data for an internet
service provider serving half a million customers is estimated to be around €
375.240 in the first year and € 9.870 in operational costs per
month thereafter. The costs of setting up a data retrieval system are estimated to
be € 131.190, with operational costs of € 28.960 per month
•  The Directive does not regulate the reimbursement of costs incurred
by operators as a result of the data retention requirement.
•  Of the twenty-two countries that have implemented the Directive only
2 Member States reimburse both operational and capital
expenditure (Finland, United Kingdom) and 6 Member States
reimburse only operational expenditure (Belgium, Denmark, Estonia,
France, Lithuania, Netherlands)
Data Retention – Conclusions
•  The practical repercussion of this scenario is the following: when
faced with a U.S., German, Austrian or Romanian ISP, law
enforcement officers could never be sure if the data they are
after has long been cancelled or is still in storage.
•  The conflict is even more acute in this case, since law
enforcement not only insist that the Data Retention Directive is
crucial to digital investigation, but would also like to see it
applied to non-EU ISPs offering internet services in Europe.
•  In light of this, Directive 2006/24/EC should be put under review,
in full compliance with Articles 7 and 8 of the Charter of
Fundamental Rights of the European Union
CLOUD COMPUTING
Cloud computing is a model for enabling convenient, on-demand
network access to a shared pool of configurable resources (e.g.,
networks, servers, storage, applications, and services) that can be
rapidly provisioned and released with minimal management effort or
service provider interaction
Cloud computing has five essential characteristics: (i) On-
demand self-service, (ii) Broad network access, (iii) Resource
pooling, (iv) Rapid elasticity, (v) Measured service
Definition
And it has four
deployment models:
Definition
It has three service
models:
From a legal standpoint, Cloud Computing services have to face these two
distinct issues:
1)  Jurisdiction: The “loss of location” of digital evidence in the cloud world
creates a problem of jurisdiction. With cloud computing, are the documents
governed by the law of the state in which they are physically located or by
the location of the company possessing them or by the laws of the state
where a person resides? Over the last few years, various approaches have
been offered to solve this problem.
2)  Privacy: The “lack of control” over the data (cloud clients may no longer
be in exclusive control of this data and cannot deploy the technical and
organisational measures necessary to respect Data Protection Law), and
the “absence of transparency” (insufficient information regarding the
processing operation itself) are the main data protection risks of cloud
computing
Legal Aspect of the Cloud
•  August 23, 2011, Viviane Reding
(E-006901/2011 – Answer to
parliamentary question):
•  “In accordance with international
public law, and in the absence of a
recognised jurisdictional link, a
foreign law or statute cannot directly
impose legal obligations on
organisations or undertakings
established in a third country
regarding the activities performed
within the territory of that third
country”
1. Jurisdiction – “The Patriot Act” issue
Viviane Reding - Vice-President of the
European Commission
1. Jurisdiction – “The Patriot Act” issue
•  The Patriot Act is extraterritorial in
application (Section 215 and
Section 505).
•  Under this Act, U.S. authorities are
entitled to subpoena personal data
related to non-US citizens from any
company that has “minimum
contacts” with the U.S.
The Director of the Federal Bureau of
Investigation or a designee of the Director
(whose rank shall be no lower than Assistant
Special Agent in Charge) may make an
application for an order requiring the
production of any tangible property (including
books, records, papers, documents, and other
items) for an investigation for protecting
against international terrorism or clandestine
intelligence activities, provided that such
investigation of a United States person is not
conducted solely upon the basis of activities
protected by the first amendment of the
Constitution [...]
Patriot Act, Sec. 215. Access To Records And
Other Items Under The FISA
•  “CloudSigma is operated and controlled by
a Swiss AG, which is not subject to direct
or indirect U.S. control”
•  “City Cloud and Several Nines offer a
partnership safe-haven from the Patriot
Act in Sweden”
•  Amazon Web Services (AWS) is subject to
the US Patriot Act but the chief technology
officer, Werner Vogels, encrypts private
data for transit to the Cloud — and for
employing best practice when it comes to
classifying data
1. Jurisdiction – “The Patriot Act” issue
December 6, 2011, Viviane Reding -
2nd Annual European Data Protection and
Privacy Conference - Brussels:
“I am reading in the press about a Swedish
company whose selling point is that they
shelter users from the US Patriot Act and
other attempts by third countries to access
personal data”
“I do encourage cloud computing centres in
Europe, but this cannot be the only solution.
We need free flow of data between our
continents. And it doesn't make much sense
for us to retreat from each other”
1. Jurisdiction – “The Patriot Act” issue
There are four possible principles for solving the “loss of location” in a cloudy
world:
•  Territorial principle: the Court in the place where the data is located
has jurisdiction
•  Nationality principle by virtue of which the nationality of the perpetrator is
the factor used to establish criminal jurisdiction.
•  “Flag principle”, which basically states that crimes committed on ships,
aircraft and spacecraft are subject to the jurisdiction of the flag state.
•  “Power of Disposal Approach”. From a practical point of view, a
regulation based on the power of disposal approach would make it feasible
for law enforcement to access a suspect’s data within the cloud.
1. Jurisdiction – “The Patriot Act” issue
•  Lack of control over the data
•  Lack of integrity caused by the sharing of resources
•  Lack of availability due to lack of interoperability
•  Lack of intervenability due to the complexity and dynamics of the
outsourcing chain
•  Lack of information on processing (transparency)
•  Lack of isolation: a cloud provider may use its physical control over data
from different clients to link personal data
•  Lack of confidentiality in terms of law enforcement requests made directly
to a cloud provider
•  Lack of intervenability (data subjects’ rights)
2. Privacy – The WP29 Opinion
1.  Compliance with basic data protection principles
2.  Transparency
3.  Purpose specification and limitation (isolation)
4.  Erasure of data
5.  Technical and organisational measures of data protection and
data security
6.  Availability
7.  Integrity
8.  Confidentiality
2. Privacy – Possible solutions
Articles 25 and 26 of Directive 95/46/EC provide for free flow of personal
data to countries located outside the EEA only if that country has an
adequate level of data protection. The instruments are:
1.  Safe Harbor and adequate countries: transfers to US organizations
adhering to the principles can take place lawfully under EU law, since the
recipient organizations are deemed to provide an adequate level of
protection to the transferred data.
2.  Binding Corporate Rules: constitute a code of conduct for companies
which transfer data within their group.
3.  Exemptions: apply only where transfers are neither recurrent, nor
massive or structural.
4.  Standard Contractual Clauses: adopted by the EU Commission for the
purpose of framing international data transfers between two controllers or
one controller and a processor; they are based on a bilateral approach.
2. Privacy – Possible solutions
Proposal of Regulation on Data Protection
•  The right to be forgotten: EU citizens are to be entitled to require
information online to be deleted.
•  Privacy Officer: Public bodies and businesses having a minimum number
of employees are obliged to establish a data protection officer.
•  Security: Where information is lost (which is described as a serious
breach), this will have to be reported, and even more complex security
models will be required.
•  One-Stop-Shop: Businesses and individuals must be able to deal with one
single point of contact.
•  Cookies: The use of cookies online is regulated further, in line with the
recent Cookies Law directive.
•  Privacy by design: The regulation introduces an obligation to use
technological means to ensure that personal data is automatically
processed only to the extent that is absolutely necessary.
HOW TO COMBAT CYBERCRIME?
PUBLIC PRIVATE PARTNERSHIP
Addressing the Problem-I
•  Fighting cybercrime has always been a complex problem due to
the number of ICT network users, the transnational nature of the
Internet and its decentralised architecture. Cyber-criminals, and
especially organised criminal groups, have been and will probably
always remain several steps ahead of legislators and law
enforcement agencies.
•  Criminal-to-criminal (C2C) networks benefit from anonymous
communications, automation of attacks and the difficulties that law
enforcement agencies experience in determining the location:
servers with crime-ware could be in one country, while members
of the network could be in another one, targeting victims across
the world.
Addressing the Problem-II
•  In addition to strengthening the current legal frameworks,
updating old legislation and harmonising laws on an
international level, what is also needed is cross-sector
cooperation on a national level as well as international
cooperation in detecting, investigating and preventing
e-crimes committed by organised criminal groups.
•  Law enforcement agencies often find it difficult to keep
abreast of the dynamic technical know-how &
tools → Effective “Public Private Partnership” is
recommended to circumvent this problem.
How to develop an effective PPP
Main examples:
•  operational cooperation in specific cases,
•  cooperation in case of websites containing illegal
content such as child pornography or hate speech,
•  private self-regulation through codes of conduct,
•  sharing of necessary and relevant information across
the private and public sector,
•  setting up networks of contact points in both the
private and the public sector.
Questions?
Contacts
Mr. Giuseppe Vaciago,
University of Insubria,
giuseppe.vaciago@uninsubria.it
Ms. Francesca Bosco,
UNICRI Project Officer
bosco@unicri.it

Cybercrime, Digital Investigation and Public Private Partnership by Francesca Bosco e Giuseppe Vaciago

  • 1. Cybercrime,  Digital  Inves4ga4on   and  Public  Private  Partnership   2° INFOSEC DAY – OCTOBER 2, 2012 – LISBON Francesca Bosco and Giuseppe Vaciago
  • 2. Agenda •  What is Cybercrime? •  The Underground Economy •  Crimes & Techniques Focus •  Who are the Criminals? •  Addressing the Problem •  Digital Forensics •  Digital Investigation •  Data Retention •  Cloud Computing
  • 3. Every new technology opens the doors to new criminal approaches 3
  • 5. CYBERCRIME WHAT DO YOU WANT TO KNOW?
  • 6. What is cybercrime? Many possible definitions - no widely accepted one Any conduct proscribed by legislation and/or jurisprudence that (a) is directed at computing and communications technologies themselves; (b) involves the use of digital technologies in the commission of the offence; or (c) involves the incidental use of computers with respect to the commission of other crimes. Forms •  crimes against the confidentiality, integrity or availability of computer systems (e.g. theft of computer services)‫‏‬ •  crimes associated with the modification of data (e.g. theft of data)‫‏‬ •  content-related crimes (e.g. dissemination of illegal and harmful material, child pornography)‫‏‬ •  relation between terrorism and the Internet (e.g. terrorist propaganda, recruitment for terrorist organizations)‫‏‬ 6
  • 7. Brazil United States China Germany India Italy Taiwan Russia Poland United Kingdom Major Threats and Countries Subjected to Attacks •  Malware (Malicious Code) •  Botnets •  Phishing •  Spam •  SQL-Injection Malicious  Ac+vity   18  %   Threat Rank Malware 1   Spam 10   Phishing 1   Botnets 1   SQL-injection 2   Malicious  Ac+vity   7  %   Threat Rank Malware 8   Spam 1   Phishing 9   Botnets 3   SQL-injection 6   Malicious  Ac+vity   7  %   Threat Rank Malware 3   Spam 9   Phishing 4   Botnets 5   SQL-injection 1   Malicious  Ac+vity   6  %   Threat Rank Malware 15   Spam 7   Phishing 3   Botnets 6   SQL-injection 5   Malicious  Ac+vity   5  %   Threat Rank Malware 2   Spam 2   Phishing 18   Botnets 19   SQL-injection n/a   Malicious  Ac+vity   4  %   Threat Rank Malware 13   Spam 12   Phishing 12   Botnets 4   SQL-injection n/a   Malicious  Ac+vity   3  %   Threat Rank Malware 22   Spam 20   Phishing 16   Botnets 2   SQL-injection 7   Malicious  Ac+vity   3  %   Threat Rank Malware 11   Spam 4   Phishing 7   Botnets 13   SQL-injection n/a   Malicious  Ac+vity   3  %   Threat Rank Malware 19   Spam 5   Phishing 10   Botnets 7   SQL-injection n/a   Malicious  Ac+vity   3  %   Threat Rank Malware 4   Spam 22   Phishing 6   Botnets 15   SQL-injection 4  
  • 8. Most Targeted Industry Sector 1° Quarter ‘12 Source APWG - Phishing Activity Trends Report
  • 9. Top 20 countries with the highest rate of cybercrime attacks Source: Symantec - Last update 7/26/12
  • 10. Complaints of online crime, 2011 at the Internet Crime Complaint Center (USA) The 2011 IC3 Internet Crime Report reveals both the scope of online crime and IC3’s battle against it. The most common victimcomplaintsincludedFBI-relatedscams,identitytheftandadvancefeefraud.2 IC3receivedandprocessedmorethan 26,000 complaints per month. Based on victim complaints, the top five states were California (34,169), Florida (20,034), Texas (18,477), New York (15,056) and Ohio (12,661). Victims in California reported the highest dollar losses with a total of $70.5 million. For victims reporting financial losses, the average was $4,187. IC3servesasapowerfulconduitforlawenforcementtoshareinformationandpursuecasesthatoftenspanjurisdictional boundaries.Collaborationwithinthispartnershiphasproducedanumberoftechnologicaladvancementstostreamline how the public’s complaints are processed and referred to investigators. Initially established as simply a convenient method for citizens to report Internet crime information, IC3 has evolved into a vital resource for both victims of online crime and for law enforcement across the country that investigate and prosecute a wide range of cases. 1 Methodology of evaluating loss amounts: FBI IC3 Unit staff reviewed for validity all complaints that reported a loss of more than $100,000. Analysts also converted losses reported in foreign currencies to dollars. The final amounts of all reported losses above $100,000 for which the complaint information did not support the loss amount were excluded from the statistics. 2 Complaint category statistics that are based on the perceptions of the complaints are not typically accurate for statistical purposes. 
The statistics pulled from the complaints 0 50,000 100,000 150,000 200,000 250,000 300,000 350,000 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 16,838 50,412 75,064 124,449 207,449 231,493 207,492 206,884 275,284 336,655 303,809 314,246 314,246 336,655 Yearly Comparison of Complaints3 Total loss in 2011: $ 485.253,871 Source: Internet Compliant Centre
  • 11. Why has Cybercrime become so pervasive? ①  Extremely profitable ②  Very low infrastructure cost and readily available attack tools ③  Barriers to prosecution combined with weak laws and sentencing ④  Anonymity and financial lure has made cyber-crime more attractive ⑤  Separation between the physical and virtual world ⑥  Organized cybercrime groups can conduct operations without ever making physical contact with each other
  • 12. Trends of organized crime: Transnational, Adaptive, Multifaceted A. Drug trafficking B. Illicit arms trade C. Trafficking and smuggling of human beings D. Traffic of human organs E. Counterfeiting F. Environmental-related crimes G. Maritime piracy H. Cyber crime I. Financial crimes: corruption, money laundering
  • 14. Organized Crimes Activities Shift (Original Activity -> Modern Version) • Local numbers gambling -> Internet gambling (international sites) • Street prostitution -> Internet prostitution • Heroin, cocaine trafficking -> Synthetic drugs (less vulnerable to supply problem) • Extortion of local businesses for protection -> Extortion of corporations, kidnappings • Loansharking -> Money laundering, precious stones, commodities • Fencing stolen property -> Theft of intellectual property
  • 15. How the black market works
  • 16. The black market: what they offer
  • 17. Underground Economy Business Model Organised crime borrows and copies business models from the legitimate economy sector. Cyber-criminals employ models similar to the B2B (business-to-business) for their operations, such as the highly sophisticated C2C (criminal-to-criminal) models, which use very effective crime tools available through digital networks.
  • 20. 1. Malware/spam and the underground economy • Players in the underground economy include: - Malware writers and distributors (trojans, spyware, keyloggers, adware, riskware, …) - Spammers, botnet owners, drops - Various middlemen • Emergence of institutional arrangements to enhance “trust” in the underground economy: - Service level agreements, warranties, etc. • Steady stream of new attacks, e.g. spear-phishing, chained exploits, exploitation of social media.
  • 21. 1. Example of possible financial flows [Diagram: numbered flows 1 to 14 between Hardware, software; Security service providers; Fraudsters, criminals; ISPs; Individual users; Business users; Government; Society at large. Flows are marked as legal financial flows or potentially illegal financial flows.] Legend: 1: Extortion payments, click fraud, compensated costs of ID theft and phishing. 2: Uncompensated costs of ID theft and phishing, click through, pump and dump schemes, Nigerian 419 scams, and other forms of consumer fraud. 3, 4, 5, 6: Hardware purchases by criminals, corporate and individual users. 7, 8, 9, 10: Security service purchases by hardware manufacturers, corporate and individual users, ISPs. 11, 12, 13: ISP services purchased by corporate and individual users, criminals. 14: Payments to compensate consumers for damages from ID theft (if provided).
  • 22. 2. Data Theft (what data are we talking about?) Personally Identifiable Information (PII): Identifying information means any name or number that may be used alone or with other information to identify a specific person: name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, biometric data, etc. Likely one of the most valuable assets that we have and one that businesses need to protect. Why? Information is exponential and reusable. Information can be sold to multiple buyers and can be used in many profitable ways.
  • 23. 3. ID Theft •  ID Theft is the fastest growing crime in the world. •  Over 9 million victims a year on average worldwide •  Studies on the total cost of identity theft vary. One study indicates that identity theft cost U.S. businesses and consumers $50 to $60 billion dollars a year •  Individual victims lose an average of $1,500.00 each in out of pocket expenses and require tens or hundreds of hours to recover – some never do.
  • 24. 4. Phishing Use of email to trick someone into providing information or going to a malicious Web site by falsely claiming to be from a known entity. These attacks are becoming more and more sophisticated. Use of social networking sites will become an issue.
  • 25. 5. Botnet Definition A Botnet is a network of compromised machines (bots) remotely controlled by an attacker. [Diagram: an attacker, bots (B) and uncompromised hosts (U), with arrows labelled Commands and Attacks.]
  • 26. 5. Botnet Statistics Botnet Breakdowns: Overall messaging botnet growth jumped up sharply from last quarter. Infections rose in Colombia, Japan, Poland, Spain, and the United States. Indonesia, Portugal, and South Korea continued to de [Charts: Global Botnet Infections per month, APR 2011 to MAR 2012; New Botnet Senders by country (Argentina, Australia).] Source: McAfee Threats Report: First Quarter 2012
  • 27. WHO ARE THE CRIMINALS ?
  • 28. Who are the criminals? Are financially-motivated cyber-criminals actively working with traditional organized crime groups? Or are they opportunistically organizing among themselves? Or, still, are they simply passively working with O.C. groups for support tasks, e.g. money laundering? Four case-studies
  • 29. Case Study: 1. Innovative Marketing Ukraine • Formed around 2002 • 2008 revenue estimated at $180 million • Estimated to employ 200-500 staff (HR, call center operators to dissuade victims and avoid credit complaints, malware & scareware developers, etc…) in Ukraine, India, and the United States • Criminal activities: Scareware (or “Ransomware”, meant to frighten users into providing their credit card data in order not to lose their data), Adware, Credit Card Fraud (reselling of the credit cards “customers” were ransomed into providing to IMU). Early activities included the selling of pirated media (music, pornography) and software as well as pharmaceuticals such as Viagra • 2010: F.T.C. persuades a U.S. federal judge to fine IMU and two associated individuals $163 million USD
  • 30. Case Study: 2. Banking Fraud Scheme • The bank is using an OTP system to authorize large transactions • A Trojan is used to steal IMEI (international mobile equipment identity) numbers from account holders when they log in to their online banking application • Once they have acquired the IMEI number, the criminals contact the victim’s wireless service provider, report the mobile device as lost or stolen, and request a new SIM card. • With this new SIM card, all OTPs intended for the victim’s phone are sent to the fraudster-controlled device.
  • 31. Case Study: 3. Mix between cyber and non-cyber crime • An IT company hires some engineers after they resigned from a competitor; the day before their resignation, they downloaded some confidential files from the competitor’s laptops • The mere existence of industrial secrets and their potential access by a former employee is not sufficient to give rise to civil and/or criminal liability. In both cases you need to prove the transfer of documents or the disclosure of information directly to the competitor • The crime of unlawful access to an IT system is committed by a person who violates the owner’s rules and limits on accessing and remaining in the system, whatever the aim or target of the unlawful access; in this case, however, the access took place the day before the resignation, so the engineers were still entitled to access the files.
  • 32. Case Study: 4. Koobface – The value of “Big Data” • Social networks are so attractive because they potentially contain information useful for: cyber stalking, industrial espionage, private data used in a Pay per Click (PPC) system, cyber terrorism. • Koobface is a worm that targeted Facebook and other social media sites. Its goal was to gather login information for purposes of building a peer to peer botnet • It originally appeared in May 2008; after 2 years the Koobface botnet was composed of 400,000 to 800,000 PCs worldwide and had earned more than 4 million dollars • The mechanism was very simple: Friend posts update on FB -> You click on the update -> You’re redirected to a website run by Koobface -> “Video can’t load, download latest version of Flash” -> You download/install the software
  • 33. Case Study: 4. Koobface – The investigation • The botnet master made a mistake, namely using his personal email for registering a domain parked within Koobface's infrastructure • The same email krotreal@gmail.com was used to advertise the sale of Egyptian Sphynx kittens on 05.09.2007. • The following telephone belonging to the suspected person was provided. The interesting part is that the same telephone was also used in another advertisement, this time for the sale of a BMW • The final result was that Facebook in January 2012 identified Anton Nikolaevich Korotchenko and 4 other subjects as the authors of Koobface.
  • 34. HOW TO COMBAT CYBERCRIME? WHAT DO YOU KNOW ABOUT DIGITAL FORENSICS?
  • 35. Digital Forensics - Definition Digital forensics is concerned with how to store, identify, acquire, record or interpret the data on a digital device. On a general level it’s about finding the best way to: • get hold of evidence without modifying the IT system in which that evidence is found; • ensure that the evidence acquired in another medium is identical to the original; • analyse data without modifying it. Corporate forensics is nothing more than the steps taken in order to preserve any digital evidence to be submitted in court proceedings and to ensure that it isn’t modified when the techniques of digital forensics are put into play.
  • 36. Two Rules for Digital Forensics: Hash Functions During the forensic analysis of modifiable media, the hash is what guarantees the integrity of the data that the media contain. The hash is a one-way function (meaning that it cannot be reversed), by means of which a document of arbitrary length is converted into a limited and fixed-length string. This string represents a sort of ‘digital fingerprint’ of the non-encrypted text, and is called the Hash Value or the Message Digest. If the document is modified even to the slightest extent, then the fingerprint changes as well. In other words, by calculating and recording the fingerprint, and then recalculating it, it can be shown beyond all doubt whether the contents of the file, or the medium, have been altered, even accidentally.
  • 37. Two Rules for Digital Forensics: Bit-Stream Copy Anyone wanting to validate the content of an e-mail or an entire hard disk has to take a particular type of copy: a bit-stream image that ‘clones’ the entire hard disk. The bit-stream copy is a particular form of duplication in which the content of the physical unit is read sequentially, loading at each step the smallest quantity of data that can be addressed, and recording it in the same sequence in a standard binary file, generating a physical image of the original medium.
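The two rules combined, as an added example that is not part of the original slides: a sequential block-by-block copy that hashes the data as it is read, then recalculates the fingerprint of the image. SHA-256, the block size, the file names and the constructed "medium" are assumptions of this sketch; on a real case the source would be a device behind a write blocker.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # assumption: bytes read per step; imaging tools use a multiple of the sector size


def acquire_image(source_path, image_path, block_size=BLOCK_SIZE):
    """Bit-stream copy: read the source sequentially and write every block,
    in the same order, to a binary image file, hashing the bytes as read.
    Returns (bytes_copied, sha256_hex_of_source_as_read)."""
    digest = hashlib.sha256()
    copied = 0
    # "rb": the source is never opened for writing. "xb": refuse to overwrite an existing image.
    with open(source_path, "rb") as src, open(image_path, "xb") as dst:
        while True:
            block = src.read(block_size)
            if not block:          # end of medium
                break
            digest.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())     # the image must be on disk before it is hashed again
    return copied, digest.hexdigest()


def hash_file(path, block_size=BLOCK_SIZE):
    """Recalculate the fingerprint of a file or image."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def flip_one_bit(path, offset):
    """Simulate an accidental alteration: change a single bit at the given offset."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        original = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([original[0] ^ 0x01]))


def demo():
    workdir = tempfile.mkdtemp(prefix="acquisition-")
    source = os.path.join(workdir, "suspect_medium.raw")   # constructed stand-in for a seized disk
    image = os.path.join(workdir, "suspect_medium.img")
    # Constructed content: a "live" file, then remnants of a deleted one in unallocated space.
    medium = (b"thesis draft, chapter 1\n" + b"\x00" * 6000
              + b"remnants of a deleted note" + b"\x00" * 3950)
    with open(source, "wb") as fh:
        fh.write(medium)

    source_before = hash_file(source)
    copied, recorded = acquire_image(source, image)
    with open(image, "rb") as fh:
        image_bytes = fh.read()
    result = {
        "copied_whole_medium": copied == len(medium),
        "source_unchanged": hash_file(source) == source_before,
        "image_matches_original": hash_file(image) == recorded == source_before,
        "deleted_remnants_in_image": b"remnants of a deleted note" in image_bytes,
    }
    flip_one_bit(image, 5000)      # one bit out of 80,000 is enough to change the fingerprint
    result["image_matches_after_one_bit_change"] = hash_file(image) == recorded
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the copy is taken below the file level, the image also contains the remnants of deleted data, which a file-by-file copy would miss.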
  • 38. Italian Case Law on Digital Forensics Digital evidence could be altered and can contain countless pieces of information. The “Garlasco” case is a clear example of this. Alberto Stasi was acquitted of the murder of his girlfriend, Chiara Poggi, by the Court of First Instance in December 2009 and the judgement was confirmed in the Appeal court in December 2011.
  • 39. The “Garlasco” case: the “IT alibi” Timeline: 13/08/07: Chiara Poggi died between 10.30 and 12.00. 13/08/07: Stasi wakes up at 9, telephones Chiara Poggi, works on his thesis. 14/08/07: Stasi voluntarily hands over his PC to the Police. 29/08/07: After working on the PC, the Police hands it over to the Scientific Investigation Group. 17/03/09: The expert report requested by the judge shows that Stasi was working on his thesis during the period when Chiara Poggi was killed. 17/12/09: Judge Vitelli acquits Stasi of murder.
  • 40. HOW TO COMBAT CYBERCRIME? WHAT DO YOU KNOW ABOUT DIGITAL INVESTIGATIONS?
  • 42. 1. Identify the Suspect When investigating cybercrimes committed online, the “traditional” approach is as follows: (1) Law enforcement uses the court system to compel an ISP to provide the IP address of the suspected user. (2) With the IP address, law enforcement can obtain the customer’s address from the access provider. (3) With a warrant, the location is searched, any computer system and media are seized and the media are examined for any digital evidence.
  • 43. 1. Identify the Suspect – Challenges The challenges are as follows: • No connection between what is observed and what is found in the search and seizure procedure • Difficult to identify a seized machine as the same one that was investigated remotely • Difficult to identify a user (multiple user IDs or multiple IP addresses over time, particularly driving around open Wi-Fi, proxy, botnet, TOR)
  • 44. 1. Identify the Suspect – Solutions? • Understanding social engineering techniques means knowing where any digital traces might be found • Immediate action means more information being gathered (data retention) • Public-Private Partnership between Law Enforcement/ISPs/Internet Companies/Academia can be of enormous help in complex investigations • You cannot (always…) identify a cybercriminal on Google ;)
  • 45. 1. Identify the Suspect – Solutions?
  • 46. 1. Identify the Suspect – Solutions? The results of this investigative activity have been excellent, but what about privacy? Mr Palazzolo, a treasurer for the mafia, on the run for 30 years, was discovered by monitoring his Facebook profile.
  • 47. 1. Identify the Suspect – Solutions? Face Recognition Project (Alessandro Acquisti); CCTV; Fairfax Media
  • 48. 2. Detecting Illegal Contents One of the investigative tools most frequently used in online investigations is hashing. For example, starting with a file containing illegal content, it is possible to convert it into a message digest and to carry out a fast search inside a storage medium (hard drive, flash disk) or within the network (P2P networks). Ferrari.jpg and Ferrari_copy.jpg: SHA-1 hash 051ed4dbdb9bcd7957aa7cbb5dfd0e94605cd887
  • 49. 2. Detecting Illegal Contents - Challenge What happens if I just change the file in an infinitesimal way? Ferrari.jpg: hash 051ed4dbdb9bcd7957aa7cbb5dfd0e94605cd887. Ferrari_copy2.jpg: hash a9fa2933484f828b95c1dde824dea28f35b509d6. The hash does not match and the search will not generate results
  • 50. 2. Detecting Illegal Contents – Solutions? For this reason, there are techniques (e.g. fuzzy hashing) and various types of algorithms that allow a “certain degree of similarity” to be identified. One good tool is SSDEEP, written by Andrew Tridgell and used for detecting spam. Also available online: pHash (the open source perceptual hash library)
  • 51. 2. Detecting Illegal Contents - Solutions The more complex techniques have a 20% degree of error. What does it mean? No problem if there are false positives: human checking is sufficient. But in the case of false negatives? False negatives = illegal content incorrectly deemed as non-illegal. False positives = non-illegal content incorrectly deemed as illegal.
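The exact-hash search, its failure on a minimally changed file, and a similarity search with a tunable threshold, as an added example that is not part of the original slides. The piecewise signature below is a simplified illustration of the fuzzy-hashing idea and is not the ssdeep algorithm; the window size, average chunk size, threshold and all sample bytes (constructed pseudo-random data reusing the slide's file names) are assumptions.

```python
import hashlib
import random
import zlib
from difflib import SequenceMatcher

WINDOW = 7        # assumption: bytes of context that decide a piece boundary
AVG_CHUNK = 256   # assumption: a boundary is triggered on average every 256 bytes


def exact_digest(data):
    """Cryptographic fingerprint, SHA-1 as on the slide: any change gives a different value."""
    return hashlib.sha1(data).hexdigest()


def piecewise_signature(data):
    """Split data where the last WINDOW bytes trigger a boundary, then hash each piece.
    Boundaries depend on content, not on offsets, so an edit only disturbs nearby pieces."""
    pieces, start = [], 0
    for i in range(WINDOW - 1, len(data)):
        window = data[i - WINDOW + 1:i + 1]
        if zlib.crc32(window) % AVG_CHUNK == AVG_CHUNK - 1:
            pieces.append(hashlib.sha1(data[start:i + 1]).hexdigest()[:8])
            start = i + 1
    if start < len(data):
        pieces.append(hashlib.sha1(data[start:]).hexdigest()[:8])
    return pieces


def similarity(sig_a, sig_b):
    """Share of pieces the two signatures have in common, in order (0.0 to 1.0)."""
    return SequenceMatcher(None, sig_a, sig_b, autojunk=False).ratio()


def scan(reference, candidates, threshold=0.5):
    """Classify each candidate against the known file: exact, similar or no match.
    A lower threshold produces more false positives, a higher one more false negatives."""
    ref_digest = exact_digest(reference)
    ref_signature = piecewise_signature(reference)
    report = {}
    for name, data in candidates.items():
        if exact_digest(data) == ref_digest:
            report[name] = ("exact", 1.0)
            continue
        score = similarity(ref_signature, piecewise_signature(data))
        verdict = "similar" if score >= threshold else "no match"
        report[name] = (verdict, round(score, 3))
    return report


def build_samples():
    """Constructed sample data: pseudo-random bytes standing in for image files."""
    rng = random.Random(2012)
    reference = bytes(rng.getrandbits(8) for _ in range(65536))
    one_byte_changed = bytearray(reference)
    one_byte_changed[30000] ^= 0xFF
    candidates = {
        "Ferrari_copy.jpg": reference,                          # identical copy
        "Ferrari_copy2.jpg": bytes(one_byte_changed),           # one byte altered
        "Ferrari_with_insert.jpg": reference[:100] + b"constructed-insert" + reference[100:],
        "unrelated.jpg": bytes(rng.getrandbits(8) for _ in range(65536)),
    }
    return reference, candidates


if __name__ == "__main__":
    reference, candidates = build_samples()
    for name, (verdict, score) in scan(reference, candidates).items():
        print(f"{name:26} {verdict:9} {score}")
```

Byte-level similarity of this kind survives small edits and insertions but not a re-encoded or resized image, which is the case perceptual hashing is meant for.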
  • 52. 2. Detecting Illegal Contents - Solutions Internet Surveillance Plans
  • 53. 2. Detecting Illegal Contents - Solutions On December 20, 2006, Article 5.2(11) of the Law on the Protection of the Constitution in North Rhine-Westphalia was amended with the introduction of provisions on remote intelligence-gathering, both online and by accessing information technology systems. Private computer systems could be covertly accessed “remotely”, thanks to software (keylogger and sniffer programs) installed on the target system without the owner’s knowledge, for instance, in the form of Trojans incorporated within or disguised as harmless content, by convincing the owner to voluntarily upload the relevant spyware or disclose passwords through cleverly devised social engineering initiatives.
  • 54. 2. Detecting Illegal Contents - Solutions On February 27, 2008, the German Constitutional Court determined that the amendment of the North Rhine-Westphalia law was unconstitutional as it violated the right to the free development of one’s personality, read in conjunction with Article 1.1 GG (right to human dignity). The Constitutional Court establishes a new “Right to the Confidentiality and Integrity of Information Technology Systems”.
  • 55. 2. Detecting Illegal Contents - Solutions Just three years after the ruling by the German Constitutional Court, Germany’s Justice Minister has called for an investigation after authorities in at least four German states (Bavaria, Baden-Wurttemberg, Brandenburg and Lower Saxony) acknowledged using computer spyware to conduct surveillance on citizens.
  • 56. 3. Validating Digital Evidence In order for digital data to be admitted as evidence at trial, law enforcement officers handling it must respect the “two fundamental digital forensics rules” mentioned above (bit-stream copy and hash function). But what happens if the digital data is in the Cloud?
  • 57. 3. Validating Digital Evidence - Challenge The new challenge with Cloud computing is a loss of data location due to: - “Data at rest” does not reside on the device. - “Data in transit” cannot be easily analysed because of encryption. - “Data in execution” will be present only in the cloud instance. The investigator who wants to capture the bit-stream data of a given suspect image will be in the same situation as someone who has to complete a puzzle whose pieces are scattered randomly across the globe
  • 58. 3. Validating Online Digital Evidence - Solution How is it possible to validate online digital evidence and immediately show that a particular piece of data on a particular online site is certain?
  • 59. 4. Chain of Custody of the digital evidence •  When digital evidence can be used in court, it must be handled in a careful manner to avoid later allegations of tampering or misconduct which can compromise the case. •  Digital storage media last less than analogue media and devices to read such media last even less. •  Domesday Book (1086): legible after over 900 years. •  Domesday Book 2 (1983): LaserDisc: illegible after 15 years.
  • 60. 5. Analysis of Digital Evidence • Text searches: aimed at scanning files, directories and even entire file systems for specific text terms • Image searches: aimed at identifying image files in various formats, and at generating still frames of digitally stored video • Data recovery and identification: this technique aims to recover all files stored, including deleted or damaged data • Data discovery: it is targeted at accessing hidden, encrypted or otherwise protected data • Data carving: it focuses on reconstructing damaged files by retrieving portions of their content. • Metadata recovery and identification: this digital forensic tool is particularly useful for retracing the timeline of web accesses and file changes
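Data carving from the list above, as an added example that is not part of the original slides: JPEG files are located in a raw image by their start and end markers, without any help from the file system. The markers are those of the JPEG format; the size limit and the sample bytes (marker-delimited filler, not real pictures) are assumptions.

```python
import hashlib

JPEG_SOI = b"\xff\xd8\xff"       # start-of-image marker plus the first byte of the next marker
JPEG_EOI = b"\xff\xd9"           # end-of-image marker
MAX_CARVE = 10 * 1024 * 1024     # assumption: stop looking for a footer after 10 MiB

# Constructed sample data: one complete "file" and one whose end was overwritten.
SAMPLE_JPEG = JPEG_SOI + b"\xe0" + b"constructed JFIF-like payload" + JPEG_EOI
TRUNCATED_JPEG = JPEG_SOI + b"\xe0" + b"payload whose end was overwritten"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def carve_jpegs(raw, max_size=MAX_CARVE):
    """Return one record per JPEG header found in raw.
    Complete files carry offset, length and hash; a header with no footer in range
    is reported as incomplete so the examiner can look at that offset by hand."""
    carved, pos = [], 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            # Fragmented, truncated or partly overwritten file.
            carved.append({"offset": start, "length": None, "sha256": None, "complete": False})
            pos = start + len(JPEG_SOI)
            continue
        blob = raw[start:end + len(JPEG_EOI)]
        carved.append({"offset": start, "length": len(blob),
                       "sha256": sha256_hex(blob), "complete": True})
        pos = end + len(JPEG_EOI)
    return carved


def build_raw_image():
    """Constructed raw image: zero-filled space around the two samples."""
    return b"\x00" * 512 + SAMPLE_JPEG + b"\x00" * 300 + TRUNCATED_JPEG + b"\x00" * 100


if __name__ == "__main__":
    for record in carve_jpegs(build_raw_image()):
        print(record)
```

Header and footer matching is a heuristic: an end marker inside an embedded thumbnail, or a fragmented file, yields a wrong or partial carve, so each result still needs validation.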
  • 61. 6. Reporting of Digital Evidence Findings This stage is of key importance for Prosecutors, Judges and lawyers, as the outcome of the trial will depend not only on results achieved, but also the degree of clarity and comprehension of the report.
  • 62. HOW TO COMBAT CYBERCRIME? DATA RETENTION AND ROLE OF ISP PROVIDERS
  • 63. Data Retention - Definition •  Data retention (or data preservation) generally refers to the storage of call detail records (CDRs) of telephony and internet traffic and transaction data (IPDRs) by governments and commercial organisations. •  The digital data usually requested from ISPs during investigations can generally be divided up between data identifying a potential offender (the IP address) and data demonstrating activity on line (the log files).
  • 64. Data Retention – Legal Framework • In the wake of the terrorist attacks in Madrid and London (2004 and 2005 respectively), the European Parliament issued Directive 2006/24/EC. • Legislating over data retention, the Directive sets out how traffic data can be stored by the providers and the grounds on which the courts can access that data. (Directive 97/66/EC; Directive 2002/58/EC; Directive 2006/24/EC)
  • 65. Data Retention – Directive 2006/24/EC • Scope of application: serious crime • Retention period: from 6 months to 24 months • Type of data: a) data necessary to trace and identify the source and destination of a communication b) data necessary to identify the date, time, duration and type of a communication c) data necessary to identify users' communication equipment d) data necessary to identify the location of mobile communication equipment
  • 66. Data Retention – Open Issues 1) There is no consistent approach across the EU Member States to the period of retention 2) No defined list of parties entitled to request such data 3) ‘Serious crime’ is a generic term. It is for these reasons that the Constitutional Courts in certain Member States (Germany, Romania and the Czech Republic) have declared national law implementing the Directive to be unconstitutional, resulting in a legislative lacuna that does absolutely nothing to assist investigations. In addition, Austria and Sweden have decided against implementing the Directive, with heavy penalties being imposed by the European Commission as a result.
  • 67. Data Retention – Retention Period Of the twenty-two Member States that have implemented the Directive: •  Thirteen MS have decided that data may be kept for twelve months •  Five MS have established a longer period •  Four MS have gone for a shorter time limit *** •  Seven MS have established two periods of time for which data may be held: one for telephone traffic and the other for electronic data
  • 68. Data Retention – Serious Crime Of the twenty-two Member States that have implemented the Directive: • Ten MS (Bulgaria, Estonia, Ireland, Greece, Spain, Lithuania, Luxembourg, Hungary, Netherlands, Finland) have defined 'serious crime', with reference to a minimum prison sentence, to the possibility of a custodial sentence being imposed, or to a list of criminal offences defined elsewhere in national legislation. • Eight MS (Belgium, Denmark, France, Italy, Latvia, Poland, Slovakia, Slovenia) require data to be retained not only for investigation, detection and prosecution in relation to serious crime, but also in relation to all criminal offences • Four MS (Cyprus, Malta, Portugal, United Kingdom) refer to ‘serious crime’ or ‘serious offence’ without defining it.
  • 69. Data Retention – Reimbursement of Costs and ISP Role • The cost of setting up a system for retaining data for an internet service provider serving half a million customers is estimated to be around €375,240 in the first year and €9,870 in operational costs per month thereafter. The cost of setting up a data retrieval system is estimated to be €131,190, with operational costs of €28,960 per month • The Directive does not regulate the reimbursement of costs incurred by operators as a result of the data retention requirement. • Of the twenty-two countries that have implemented the Directive only 2 Member States reimburse both operational and capital expenditure (Finland, United Kingdom) and 6 Member States reimburse only operational expenditure (Belgium, Denmark, Estonia, France, Lithuania, Netherlands)
  • 71. Data Retention – Conclusions • The practical repercussion of this scenario is the following: when faced with a U.S., German, Austrian or Romanian ISP, law enforcement officers could never be sure if the data they are after has long been cancelled or is still in storage. • The conflict is even more acute in this case, since law enforcement not only insists that the Data Retention Directive is crucial to digital investigation, but would also like to see it applied to non-EU ISPs offering internet services in Europe. • In light of this, Directive 2006/24/EC should be put under review, in full compliance with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union
  • 73. Definition Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud computing has five essential characteristics: (i) On-demand self-service, (ii) Broad network access, (iii) Resource pooling, (iv) Rapid elasticity, (v) Measured service
  • 74. Definition Cloud computing has three service models and four deployment models.
  • 75. Legal Aspect of the Cloud From a legal standpoint, Cloud Computing services have to face these two distinct issues: 1) Jurisdiction: The “loss of location” of digital evidence in the cloud world creates a problem of jurisdiction. With cloud computing, are the documents governed by the law of the state in which they are physically located or by the location of the company possessing them or by the laws of the state where a person resides? Over the last few years, various approaches have been offered to solve this problem. 2) Privacy: The “lack of control” over the data (cloud clients may no longer be in exclusive control of this data and cannot deploy the technical and organisational measures necessary to respect Data Protection Law), and the “absence of transparency” (insufficient information regarding the processing operation itself) are the main data protection risks of cloud computing
  • 76. 1. Jurisdiction – “The Patriot Act” issue • August 23, 2011, Viviane Reding, Vice-President of the European Commission (E-006901/2011 – Answer to parliamentary question): • “In accordance with international public law, and in the absence of a recognised jurisdictional link, a foreign law or statute cannot directly impose legal obligations on organisations or undertakings established in a third country regarding the activities performed within the territory of that third country”
  • 77. 1. Jurisdiction – “The Patriot Act” issue • The Patriot Act is extraterritorial in application (Section 215 and Section 505). • Under this Act, U.S. authorities are entitled to subpoena personal data related to non-US citizens from any company that has “minimum contacts” with the U.S. The Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible property (including books, records, papers, documents, and other items) for an investigation for protecting against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment of the Constitution [...] Patriot Act, Sec. 215. Access To Records And Other Items Under The FISA
  • 78. •  “CloudSigma is operated and controlled by a Swiss AG, which is not subject to direct or indirect U.S. control” •  “City Cloud and Several Nines offer a partnership safe-haven from the Patriot Act in Sweden” •  Amazon Web Services (AWS) is subject to the US Patriot Act but the chief technology officer, Werner Vogels, encrypts private data for transit to the Cloud — and for employing best practice when it comes to classifying data 1. Jurisdiction – “The Patriot Act” issue
  • 79. 1. Jurisdiction – “The Patriot Act” issue December 6, 2011, Viviane Reding - 2nd Annual European Data Protection and Privacy Conference - Brussels: “I am reading in the press about a Swedish company whose selling point is that they shelter users from the US Patriot Act and other attempts by third countries to access personal data” “I do encourage cloud computing centres in Europe, but this cannot be the only solution. We need free flow of data between our continents. And it doesn't make much sense for us to retreat from each other”
  • 80. 1. Jurisdiction – “The Patriot Act” issue There are 4 different possible principles to solve the “loss of location” in a cloudy world: • Territorial principle: the Court in the place where the data is located has jurisdiction • Nationality principle, by virtue of which the nationality of the perpetrator is the factor used to establish criminal jurisdiction. • “Flag principle”, which basically states that crimes committed on ships, aircraft and spacecraft are subject to the jurisdiction of the flag state. • “Power of Disposal Approach”. From a practical point of view, a regulation based on the power of disposal approach would make it feasible for law enforcement to access a suspect’s data within the cloud.
  • 81. 2. Privacy – The WP29 Opinion • Lack of control over the data • Lack of integrity caused by the sharing of resources • Lack of availability due to lack of interoperability • Lack of intervenability due to the complexity and dynamics of the outsourcing chain • Lack of information on processing (transparency) • Lack of isolation: a cloud provider may use its physical control over data from different clients to link personal data • Lack of confidentiality in terms of law enforcement requests made directly to a cloud provider • Lack of intervenability (data subjects’ rights)
  • 82. 1.  Compliance with basic data protection principles 2.  Transparency 3.  Purpose specification and limitation (isolation) 4.  Erasure of data 5.  Technical and organisational measures of data protection and data security 6.  Availability 7.  Integrity 8.  Confidentiality 2. Privacy – Possible solutions
  • 83. 2. Privacy – Possible solutions Articles 25 and 26 of Directive 95/46/EC provide for the free flow of personal data to countries located outside the EEA only if that country has an adequate level of data protection. The instruments are: 1. Safe Harbor and adequate countries: transfers to US organizations adhering to the principles can take place lawfully under EU law since the recipient organizations are deemed to provide an adequate level of protection to the transferred data. 2. Binding Corporate Rules: constitute a code of conduct for companies which transfer data within their group 3. Exemptions: exemptions shall apply only where transfers are neither recurrent, nor massive or structural 4. Standard Contractual Clauses: adopted by the EU Commission for the purpose of framing international data transfers between two controllers or one controller and a processor, and based on a bilateral approach.
  • 84. 2. Privacy – Possible solutions Proposal of Regulation on Data Protection • The right to be forgotten: EU citizens are to be entitled to require information online to be deleted • Privacy Officer: Public bodies and businesses having a minimum number of employees are obliged to establish a data protection officer • Security: Where information is lost (which is described as a serious breach), this will have to be reported, and even more complex security models will be required • One-Stop-Shop: Businesses and individuals must be able to deal with one single point of contact • Cookies: The use of cookies online is regulated further, in line with the recent Cookies Law directive. • Privacy by design: The regulation introduces an obligation to use technological means to ensure that personal data is automatically processed only to the extent that is absolutely necessary.
  • 85. HOW TO COMBAT CYBERCRIME? PUBLIC PRIVATE PARTNERSHIP
  • 86. Addressing the Problem-I •  Fighting cybercrime has always been a complex problem due to the number of ICT network users, the transnational nature of the Internet and its decentralised architecture. Cyber-criminals, and especially organised criminal groups, have been and probably would always remain several steps ahead of legislators and law enforcement agencies. •  Criminal to criminal (C2C) networks benefit from anonymous communications, automation of attacks and the difficulties that law enforcement agencies experience in determining the location: servers with crime-ware could be in one country, while members of the network could be in another one, targeting victims across the world
  • 87. Addressing the Problem-II • In addition to strengthening the current legal frameworks, updating old legislation, harmonising laws on an international level, what is needed is also the cross-sector cooperation on national level as well as international cooperation in detecting, investigating and preventing e-crimes committed by organised criminal groups. • Law enforcement agencies often find it difficult to keep abreast of the dynamic technical knowhow & tools -> Effective “Public Private Partnership” is recommended to circumvent this problem.
  • 88. How to develop an effective PPP Main examples: •  operational cooperation in specific cases, •  cooperation in case of websites containing illegal content such as child pornography or hate speech, •  private self-regulation through codes of conduct, •  sharing of necessary and relevant information across the private and public sector, •  setting up networks of contact points in both the private and the public sector.
  • 90. Contacts Mr. Giuseppe Vaciago, University of Insubria, giuseppe.vaciago@uninsubria.it Ms. Francesca Bosco, UNICRI Project Officer bosco@unicri.it