Jennifer Stisa Granick, Esq. Exec. Director, Center for Internet & Society
Stanford Law School, Stanford, California USA
http://cyberlaw.stanford.edu
Black Hat Briefings 2004
Legal Liability and Security Incident Investigation
Intrusion Investigation Tools
• Social Engineering
• Wiretap
• Sniffing Wireless
• Stored Communications
• Keystroke Logging
• Port Scanning
Intrusion Investigation Tools, cont'd
• Vulnerability Scanning
• Remote Access
• Trojan Horse Programs
• Ping, whois, traceroute, finger, googling
• Web Beacons
• Strike-Back or "Active Defense"
Technology: Possible Legal Liability/Obstacles
• Fourth Amendment
• Fraud
• Illegal Interception of/Access to Data
• Computer Crime Laws: Unauthorized Access
• Possessing Illegal Tools/Devices
Fourth Amendment
Protects against unreasonable search and seizure
Constrains the government and government agents (not private parties acting on their own)
Social Engineering
If you have some idea of who attacked your system, or where evidence might be, can you pretend to be someone else to get information (user ids, passwords, etc.) to use in your investigation?
Fraud
Applies to social engineering?
• Misrepresentation
• Fraudulent purpose: "to deprive another of the intangible right of honest services, money, etc."?
Sniffing
Can you monitor in real time your own system, the suspected intruder's system, or the system of a third party to get more information about the attack?
Illegal Interception Issues
• Monitoring by:
  – Intelligence Agency or Law Enforcement
  – Service Provider, Business, Employer
  – Other
• Content of Communications vs. Transactional or Traffic Information
• Real Time vs. In Storage
• Rights of Third Parties
Wiretapping/Sniffing
General Rule: No interception (acquisition) of the CONTENTS of communications in transit.
  – No eavesdropping/sniffing
  – No using or disclosing intercepted communications
Exceptions to Rule Against Interception
• Warrant
• Computer Trespasser Exception
• Consent of a Party to the Communication Exception
• Provider Exception (System Protection)
• Readily accessible to the general public
Wiretap Warrant
• DOJ Approval
• Federal Judge
• Warrant/Probable Cause
• Predicate Offense
• Necessity/No Other Means
• Minimization
• 30-day authorization
Computer Trespasser Exception
Government may monitor a "trespasser" if:
• No contractual relationship or authority to be on the computer
• Provider authorized the interception
• Government does the monitoring
• Only communications to and from the trespasser are intercepted, and
• Reasonable grounds to believe the information is relevant to an ongoing (legitimate) investigation
Party/Consent Exception
Party to a communication can intercept or give consent to intercept
  – Warning Banners: All activity subject to monitoring
  – Terms of Service
Service Provider Exception
• Provider May Monitor to Protect Its Rights or Property
• May intercept communications if inherently necessary to providing the service
• Scope of exception undefined
Accessible to the Public
• 2511(2)(g)(i): It shall not be unlawful under this chapter or chapter 121 of this title for any person - “to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public”
• Are open wireless access points accessible to the general public?
Can You Do Real-Time Traffic Analysis?
General prohibition
• Law enforcement needs a pen register/trap and trace order
• Service provider needs one of:
  – Relating to operation of the service
  – Protection of rights or property of the provider
  – To record the fact of completion
• Consent of the user
Reviewing Stored Files or Logs
Can you search documents the intruder placed on your system? On an intermediary system? On his/her own system?
Accessing Stored Communications
General Prohibition: Illegal to access stored communications without or in excess of authorization
Provider’s Right to Review
• Any provider may freely read stored email/files of its customers
  – Not unauthorized access to the system
• A non-public provider may also freely disclose that information
  – for example, an employer
Accessing Stored Subscriber Info
Provider may access and disclose non-content records to anyone except a governmental entity
• Exceptions
  – to protect provider's rights/property
  – threat of death/serious bodily injury
  – appropriate legal process
  – consent of subscriber
Accessing Other Computer Systems
Can you disable a system that is sending you malicious code? Can you install monitoring programs on another system? Can you gain remote access to that system to search it?
Computer Fraud and Abuse Act (18 USC 1030)
• Unauthorized access that causes damage to a protected computer
  – loss > $5,000 in value
  – modification or impairment of medical data
  – physical injury to any person
  – a threat to public health or safety
  – damage to a computer system used in furtherance of the administration of justice, national defense, or national security
Things That Are Unauthorized Access/Trespass
• SPAM
• Domain name search robots
• Internet auction information spiders
• Travel agent price aggregators
• "Cookies"
• Port scanning?
Port Scanning
• Metaphors
  – Jiggling Doorknobs
  – Looking at the house
• Moulton v. VC3: Not unauthorized access under 18 USC 1030, no damage
• Attempt?
Trojan Horse
• 18 USC 1030(a)(5)(A)(i): knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer
Strike Back
• Unauthorized Access/Transmission
• Defense of self/others?
• Justification/Necessity?
Possible to Get in Trouble for Network Analysis Tools?
• COE: Article 6
• France: LEN
• US: DMCA
COE Article 6
• Criminalizes the production, sale, procurement for use, import, or distribution of a device or program designed or adapted primarily for the purpose of committing unauthorized access or data interception, and possession of such a device with criminal intent.
• No criminal liability if not for the purpose of committing an offence, such as for the authorized testing or protection of a computer system
France: loi pour la confiance dans l'économie numérique (Law for Confidence in the Digital Economy)
• Art. 323-3-1. - Importing, possessing, offering, transferring or making available, without legitimate reason, equipment, an instrument, a computer program or any data designed or specially adapted to commit one or more of the offences provided for in Articles 323-1 to 323-3 is punishable by the penalties provided respectively for the offence itself or for the most severely punished offence.
• "Sans motif légitime" ("without legitimate reason"): Burden on the possessor to prove a legitimate motive
US: DMCA
• Prohibits Circumvention of Technological Measure that Effectively Controls Access to a Copyrighted Work
• Prohibits Manufacturing and Distribution of Any Technology (Tools)
  – Primarily Designed for the Purpose of Circumventing Access Controls
  – Limited Commercially Significant Purpose
  OR
  – Marketed for Use in Circumvention
Talk to a Lawyer Before
• Lying to get account information
• Intercepting communications
• Doing real-time traffic analysis
• Accessing, installing code on, or disabling other people's systems
Jennifer Stisa Granick, Esq. Center for Internet & Society
Stanford Law School
559 Nathan Abbott Way, Stanford, California 94305 USA