Criminal Law Perspectives of Contemporary Issues in Computer Security - PowerPoint PPT Presentation



1
Criminal Law Perspectives of Contemporary Issues
in Computer Security
  • Sergio Caltagirone
  • 09/02/2004

No analysis, opinion, or statement within this
presentation is, or shall be construed as, legal
advice and should not be relied upon in any
setting as fact
2
Our Story Begins Like Many Others
3
Chapter 1. The Businesses
  • Zulu Software
      • Releases its first product, SecureServe
  • Winning Enterprises
      • Decides to deploy SecureServe as they expand into
        financial application hosting (1M financial and
        7M medical transactions daily)
  • Mercy Medical
      • Hospitals and clinics access patient history/info
  • Goal Financial
      • Hosts financial databases, handles all credit
        transactions
  • Omega Bank
      • Online banking

4
At A Home Like Many of Ours
5
Chapter 2. Banking Gone Bad
  • Paul, an independent security researcher
      • Banks with Omega
      • While checking his bank balance online, decides
        to sniff the traffic
      • Discovers an interesting pattern of traffic that
        he thinks may allow remote administrator access
      • Paul writes a script to test his hypothesis and
        finds that the security vulnerability works as
        advertised

6
Chapter 3. When Researchers Go Bad
  • Paul quickly contacts Omega Support, repeatedly,
    over a week
      • No action taken
  • Paul then posts his proof-of-concept online
      • His stated desire is for the bank to take the
        flaw seriously

7
Meanwhile, In The Dark Recesses Of IRC
8
Chapter 4. The Plot Thickens
  • Terry and Jim, two hackers, are chatting in IRC
  • Terry informs Jim that he found a script on the
    internet (Paul's script) which could give
    somebody root access to exploit a financial
    service
  • Jim asked Terry where he could get it; Terry sent
    him a copy via email and then wished Jim "happy
    hunting"

9
Chapter 5. Taking Control
  • Jim begins searching for a server to exploit
    using the script
  • He finds Winning Enterprises, runs the script,
    and gains root access
  • He creates a new user
  • He logs in as the new user
  • He then starts searching for other servers inside
    the Winning network
  • He comes upon the financial and medical databases
  • He begins to explore the databases, looking at
    actual financial and medical data

10
At Winning Security Central, A Red Light Flashes!
11
Chapter 6. The Crackdown
  • An IDS at Winning detects malicious activity and
    alerts staff
  • The security staff confirms that an unauthorized
    user is exploring sensitive materials in the
    database
  • Winning has a pre-developed plan
      • Writes a virus, directed only at Jim's IP
      • The virus discontinues all network access for 24
        hours
  • Jim suddenly loses all network connectivity, and
    the police soon arrive at the door.

12
The Elements of Our Case
  • Paul's Script
  • Terry and Jim in IRC
  • Jim's Compromise
  • Winning's Response

13
Our Method
  • Jim's Compromise
  • Winning's Response
  • Terry and Jim in IRC
  • Paul's Script

14
Legal Background
  • Using the Model Penal Code (1962)
  • An offense is made of three parts:
      • Actus Reus: a voluntary act or omission of a
        person, which causes a result
      • Attendant Circumstances: a fact surrounding an
        event
      • Result: the result of the conduct of an actor
        following an actus reus
  • Each can have zero or more elements

15
Legal Background 2
  • Mens Rea: applied to each element
      • The actor's mental state with regard to each
        element
  • A hierarchy of states:
      • Purposefully: conscious object to engage
      • Knowingly: practically certain that the conduct
        will cause the result
      • Recklessly: consciously disregards a
        substantial and unjustifiable risk (subjective)
      • Negligently: when he should be aware of a
        substantial and unjustifiable risk (objective)

16
Underlying Offense: Legal Background
  • Computer Fraud and Misuse Act (18 USC 1030)
      • Short history
  • Accesses without authorization or exceeds
    authorization, and thereby:
      • Obtains financial records
      • Obtains information from any dept. or agency of
        the USA
      • Obtains information from interstate commerce
  • Knowingly causes damage

17
18 USC 1030: Significant Case Law
  • US v. Sullivan (2002)
      • Damage need not be actual destruction
  • US v. Czubinski (1997)
      • Browsing is not a crime without intent to commit
        fraud
  • US v. Middleton (2000)
      • Applies to corporations and individuals
      • $5,000 damage threshold for criminal liability
        (broad)
  • US v. Morris (1991)
      • Intent applies only to the unauthorized access,
        not to the damage
  • Shurgard v. Safeguard (2000)
      • Applies to any computer connected to the Internet
      • Using pre-existing authorization to obtain more
        is prohibited

18
Computer Trespass
  • What about when there is no damage?
  • As stated in Shurgard, Congress limited itself
    and left the States to enact their own laws
  • Rhode Island 11-52-3
      • "intentionally and without authorization ...
        examines"
  • Virginia Computer Crime Act 18.2-152.5
      • "intentionally examines"
  • University of Dayton School of Law Model Computer
    Crime Code
      • "purposefully, knowingly, or recklessly gain
        access to or cause access to be gained to any
        computer"

19
Jim's Compromise: Analysis
  • First step: was his action voluntary?
  • First acts
      • Scanning exposed computers, executing the
        script, entering the computer: any crime?
      • Must satisfy, under Dayton: (1) access to or
        cause access to be gained to (2) any computer
        system (3) without authorization
      • Under 18 USC 1030, any crime with no damage?
        Morris?
  • Second act
      • Accessing Winning's financial and medical
        databases: any crime? Under 18 USC 1030 and
        Czubinski, simply browsing is no crime.
  • Mens Rea
      • Intentional access is required: must show
        intent. Which actions show intent? Morris:
        damages not intentional.

20
Winning's Response: Legal Background
  • Necessity Defense (MPC "Choice of Evils")
      • When faced with a number of horrible decisions,
        a person may choose the least horrible
        regardless of legality
  • MPC: conduct which the actor believes to be
    necessary to avoid a harm or evil to himself or
    another is justified if:
      • The harm to be avoided is greater than that
        sought to be protected by the law
      • Neither the code nor the law defining the
        offense provides exceptions
      • A legislative purpose to exclude the
        justification does not plainly appear
      • The actor cannot have been reckless or negligent
        in bringing about the situation requiring a
        choice of harms

21
Winning's Response: Case Law
  • US v. Schoon (1992)
      • To invoke the necessity defense, must show that:
          • They were faced with a choice of evils, and
            they chose the lesser evil
          • They acted to prevent imminent harm
          • They reasonably anticipated a direct causal
            relationship between their conduct and the
            harm to be averted
          • They had no legal alternatives to violating
            the law

22
Winning's Response: Analysis
  • Does Winning break the law?
      • 18 USC 1030?
          • Obtained unauthorized access (through use of
            an exploit)
          • Transmitted code causing damage to a
            protected computer
          • Is Jim's computer considered protected?
      • Mens Rea: intentional?
  • Can they assert the necessity defense under the
    Schoon standard?
      • Number of choices; the lesser one?
      • Acted to prevent imminent harm?
      • Direct relationship between their action and
        the harm?
      • Any lawful alternatives?

23
Terry and Jim: Legal Background
  • Conspiracy
      • The agreement (spoken or unspoken) of two or
        more persons to commit a crime, which is
        followed by an act to actually commit the crime
  • Pinkerton v. US (1946)
      • The result of the conspiracy must be foreseeable
        to the conspirators

24
Terry and Jim: Legal Background
  • Aiding and Abetting
      • Any conduct that encourages or facilitates the
        offense
  • US v. Peoni (1938)
      • Necessary that the defendant "in some sort
        associate himself with the venture"
      • As in something that he wishes to bring about
      • That he seek by his action to make it succeed
  • People v. Luparello (1987)
      • If you aid and abet one unlawful act, but
        another occurs, you need only have been
        negligent with respect to the other

25
Terry and Jim: Analysis
  • Did Terry commit a crime during his interaction
    with Jim?
      • Assume Jim is guilty of computer trespass
  • The Facts
      • Terry knew of Jim's previous illegal computer
        activity
      • Terry informed Jim of the new exploit
      • Terry informed Jim of the purpose of the script
      • Terry gave Jim a copy of the script (think
        selling a gun to a criminal)
      • Terry said "happy hunting" to Jim
      • Jim used the script received from Terry to
        commit the crime

26
Paul's Script: Analysis (no legal background
required)
  • Is publishing exploit scripts aiding and
    abetting?
  • Since releasing scripts is not itself illegal,
    what is the purpose of releasing them? Under
    Peoni, is the hacker activity what the researcher
    wishes to bring about?
      • Public pressure on a company to fix
      • Public outcry over the mere existence of a
        vulnerability
      • Make the company beat the hackers to the punch
      • Make the situation so difficult on the public
        (viruses) that the company has no choice