Title: Criminal Law Perspectives of Contemporary Issues in Computer Security
Criminal Law Perspectives of Contemporary Issues in Computer Security
- Sergio Caltagirone
- 09/02/2004
No analysis, opinion, or statement within this presentation is, or shall be construed as, legal advice and should not be relied upon in any setting as fact.
Our Story Begins Like Many Others
Chapter 1. The Businesses
- Zulu Software
  - releases its first product, SecureServe
- Winning Enterprises
  - decides to deploy SecureServe as they expand into financial application hosting (1M financial and 7M medical transactions daily)
- Mercy Medical
  - Hospitals and clinics access patient history/info
- Goal Financial
  - Hosts financial databases, handles all credit transactions
- Omega Bank
  - Online Banking
At A Home Like Many of Ours
Chapter 2. Banking Gone Bad
- Paul, an independent security researcher
  - Banks with Omega
  - While checking his bank balance online, decides to sniff the traffic
  - Discovers an interesting pattern of traffic that he thinks may allow remote administrator access
  - Paul writes a script to test his hypothesis and finds that the security vulnerability works as advertised
Chapter 3. When Researchers Go Bad
- Paul quickly contacts Omega Support repeatedly over a week
  - No action taken
- Paul then posts his proof-of-concept online
  - His stated desire is for the bank to take the flaw seriously
Meanwhile, In The Dark Recesses Of IRC
Chapter 4. The Plot Thickens
- Terry and Jim, two hackers, are chatting in IRC
- Terry informs Jim that he found a script on the internet (Paul's script) which could give somebody root access to exploit a financial service
- Jim asked Terry where he could get it; Terry sent him a copy via email and then wished Jim happy hunting
Chapter 5. Taking Control
- Jim begins searching for a server to exploit using the script
- He finds Winning Enterprises, runs the script, and finds that he has root access
- He creates a new user
- He logs in as the new user
- He then starts searching for other servers inside the Winning network
- He comes upon the financial and medical databases
- He begins to explore the databases, looking at actual financial and medical data
At Winning Security Central, A Red Light Flashes!
Chapter 6. The Crackdown
- An IDS at Winning detects malicious activity and alerts staff
- The security staff confirms that an unauthorized user is exploring sensitive materials in the database
- Winning has a pre-developed plan
  - Writes a virus, directed only at Jim's IP
  - The virus discontinues all network access for 24 hours
- Jim suddenly loses all network connectivity, and the police soon arrive at the door.
The Elements of Our Case
- Paul's Script
- Terry and Jim in IRC
- Jim's Compromise
- Winning's Response
Our Method
- Jim's Compromise
- Winning's Response
- Terry and Jim in IRC
- Paul's Script
Legal Background
- Using the Model Penal Code (1962)
- An Offense is made of three parts
  - Actus Reus: voluntary act or omission of a person, which causes a result
  - Attendant Circumstances: a fact surrounding an event
  - Result: the result of the conduct of an actor following an actus reus
- Each can have zero or more elements
Legal Background 2
- Mens Rea: applied to each element
  - Actor's mental state with regard to each element
- A hierarchy of states
  - Purposefully: conscious object to engage
  - Knowingly: practically certain to cause the result
  - Recklessly: consciously disregards a substantial and unjustifiable risk (subjective)
  - Negligently: when he should be aware of a substantial and unjustifiable risk (objective)
Underlying Offense Legal Background
- Computer Fraud and Misuse Act (18 USC 1030)
  - Short history
- Accesses or exceeds authorization
  - Obtains financial records
  - Information from any dept. or agency of the USA
  - Information from interstate commerce
- Knowingly causes damage
18 USC 1030 Significant Case Law
- US vs. Sullivan (2002)
  - Damage need not be actual destruction
- US vs. Czubinski (1997)
  - Browsing is not a crime without intent to commit fraud
- US vs. Middleton (2000)
  - Applies to corporations and individuals
  - $5000 damage threshold for criminal liability (broad)
- US vs. Morris (1991)
  - Intention only applies to unauthorized access, not damage
- Shurgard vs. Safeguard (2000)
  - Applies to any computer connected to the Internet
  - Using pre-existing authorization to obtain more is prohibited
Computer Trespass
- How about when there is no damage?
  - As stated in Shurgard, Congress limited itself and left States to enact their own laws
- Rhode Island 11-52-3
  - "intentionally and without authorization ... examines"
- Virginia Computer Crime Act 18.2-152.5
  - "intentionally examines"
- University of Dayton School of Law Model Computer Crime Code
  - "purposefully, knowingly, or recklessly gain access to or cause access to be gained to any computer"
Jim's Compromise Analysis
- First step: was his action voluntary?
- First acts
  - Scanning exposed computers, executing the script, entering the computer: any crime?
  - Must satisfy, by Dayton: (1) access to or cause access to be gained to (2) any computer system (3) without authorization
  - Under 18 USC 1030, any crime with no damage? Morris?
- Second act
  - Accessing Winning's financial and medical DBs: any crime? Under 18 USC 1030 and Czubinski, simply browsing is no crime.
- Mens Rea
  - Required intentional access must show intent. Which actions show intent? Morris: damages not intentional.
Winning's Response Legal Background
- Necessity Defense (MPC Choice of Evils)
  - When faced with a number of horrible decisions, a person may choose the least horrible regardless of legality
  - MPC: conduct which the actor believes to be necessary to avoid a harm or evil to himself or another is justified if
    - The harm to be avoided is greater than that sought to be protected by the law
    - Neither the code nor the law defining the offense provides exceptions
    - A legislative purpose to exclude the justification does not plainly appear
    - The actor cannot have been reckless or negligent in bringing about the situation requiring a choice of harms
Winning's Response Case Law
- US v. Schoon (1992)
  - To invoke the necessity defense, must show that
    - They were faced with a choice of evils, and they chose the lesser evil
    - They acted to prevent imminent harm
    - They reasonably anticipated a direct causal relationship between their conduct and the harm to be averted
    - They had no legal alternatives to violating the law
Winning's Response Analysis
- Does Winning break the law?
  - 18 USC 1030?
    - Obtained unauthorized access (through use of exploit)
    - Transmitted code causing damage to a protected computer
    - Is Jim's computer considered protected?
  - Mens Rea: intentional?
- Can they assert the necessity defense under the Schoon standard?
  - Number of choices, lesser one?
  - Act to prevent imminent harm?
  - Direct relationship between their action and harm?
  - Any lawful alternatives?
Terry and Jim Legal Background
- Conspiracy
  - The agreement (spoken or unspoken) of two or more persons to commit a crime, which is followed by an act to actually commit the crime
- Pinkerton v. US (1946)
  - The result of the conspiracy must be foreseeable to the conspirators
Terry and Jim Legal Background
- Aiding and Abetting
  - Any conduct that encourages or facilitates the offense
- US v. Peoni (1938)
  - Necessary that the defendant in some sort associate himself with the venture
    - As in something that he wishes to bring about
    - He seek by his action to make it succeed
- People v. Luparello (1987)
  - If you aid and abet one unlawful act, but another occurs, you had to only be negligent W.R.T. the other
Terry and Jim Analysis
- Did Terry commit a crime during his interaction with Jim?
  - Assume Jim is guilty of computer trespass
- The Facts
  - Terry knew of Jim's previous illegal computer activity
  - Terry informed Jim of the new exploit
  - Terry informed Jim of the purpose of the script
  - Terry gave Jim a copy of the script (think selling a gun to a criminal)
  - Terry said "happy hunting" to Jim
  - Jim used the script received from Terry to commit the crime
Paul's Script Analysis (no legal background required)
- Is publishing exploit scripts aiding and abetting?
- What is the purpose of releasing them? Since releasing scripts is not itself illegal, by Peoni, is the hacker activity what the researcher wishes to bring about?
  - Public pressure on a company to fix
  - Public outcry over the mere existence of a vulnerability
  - Make the company beat the hackers to the punch
  - Make the situation so difficult on the public (viruses) that the company has no choice