Computer and Network Forensics after 9/11
1 Key Issues
 
Forensics is often thought of as reconstructing the past from evidence gathered in the present. Reconstructing the evidence of computer and network crimes is difficult. The New York Times of Jan 30, 2003, estimated that there had been 52 million suspicious incidents over the preceding 7 days, and that the reported incidents represent only about 1% of the total. On that basis the true figure could exceed 5 billion incidents or attempts in a single week, and these are only the attempts that actually tried to cause damage. There could be thousands of further attempts that are preparations for a break-in but that, taken alone, look like the normal transmission of data or files.
 
Our concern here may seem hysterical. Our belief is that there is almost nothing we could say that is more frightening or provocative than the truth. Today, if all patches are implemented, all virus signatures are in place, and vigilant, competent system managers are on duty, systems may be safe from teen hackers. In our opinion there is no defense against professional, determined attackers who are inventing new forms of subversion.
 
1.1 Types of Crimes
 
Computer-related crimes most publicized today consist of DoS (Denial of Service)[1] attacks and identity theft, which typically involves the misuse of credit cards. Theft of proprietary material, whether through attack or careless disclosure, is also a very important and common crime. While statistics are important in deciding where to focus security improvements, some attacks are sufficiently devastating that, once a flaw in code is known to make them possible, it must be fixed even if no attack has yet happened.
 
* DoS attacks
* Identity Theft
* Inappropriate disclosure of private individual information
* Inappropriate disclosure of private corporate information
* Theft of proprietary plans
* Theft of proprietary intellectual property
* Disruption of production processes
* Disruption of critical services
* Shut down of critical commercial services affecting income
* Shut down of critical services affecting life and/or limb
* Attacks on public databases affecting in-state operations
* Attacks on public databases affecting multi-state operations
* Disruption of financial networks
* Disruption of service networks affecting public utilities
* Disruption of service networks affecting public safety systems including police operations, military operations, air traffic controls, and other public transport systems
* Disruption of news and entertainment networks
 
The list of crimes or problems could be made much longer. Most people assume that computer and network attacks originate outside a system and take effect at the moment they are launched. In fact, many future attacks will come from within an environment and will be planned and executed over an extended period of time.
 
An early attack on a UNIX distribution from a large university began with the modification of a compiler so that the programs it compiled sent passwords to an off-site address in addition to using them for computer access. The actual compromise, the sending of passwords to a third party, happened long after the compiler had been modified.
 
1.2 Pre-emptive versus Reactive
 
 
 
1.3 Legal Evidence
1.4 Technical Issues
1.5 Resources
1.5.1 Within Law Enforcement
1.5.2 Within Private Organizations
1.6 Multinational Issues
1.6.1 Evidence can be stored outside US jurisdiction
1.6.2 What can be gathered depends upon multinational treaties
2 Types of Crimes
2.1 Theft
2.1.1 Direct Theft
2.1.2 Exposure of Private Information
2.1.2.1 Medical Records
2.1.2.2 Financial Records
2.1.2.3 Financial Instruments
2.1.3 Espionage
2.2 Pornography
2.2.1 Child Porn
2.2.2 Adult Solicitation
2.3 Defacing
2.4 Destruction of Capabilities
2.5 Defamation of Character
2.6 Grand Interruption of Public Services
2.6.1 911 Systems
2.6.2 Air Traffic Control
2.6.3 Power Grids
2.6.4 National Defense Grids
2.7 Terror Activities
2.7.1 Coordination of Grand Attacks
2.7.2 Recruitment
2.7.3 Fund Raising
3 Detection
3.1 Detection of a Crime Committed often External to Computers
3.1.1 False Credit Card Charges
3.1.2 Parties meet after Chat Room solicitation
3.1.3 Report from child or former child of sexual abuse
3.1.4 Act of Terror committed
3.2 Detection of activities that indicate intent to commit a crime is mostly research
3.2.1 When punishment is not a deterrent, prevention may become the goal
3.2.2 What are the symptoms
Any set of frequency-based symptoms has a weakness: a skilled adversary who knows how the detector works can defeat it. For instance, by raising traffic gradually, long in advance of the actual "act", the burst that accompanies the "act" no longer stands out against the inflated baseline, and the symptoms are masked.
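
The masking effect described above, as an added example that is not code from the original page: a simple rolling z-score detector flags a sudden burst against a flat history but misses the same burst when traffic has been ramped up gradually beforehand. The hourly connection counts are constructed for the example, and the fixed-baseline comparison in the last function is a check added here, not a method the page proposes.

```python
"""Added example: a rolling-baseline traffic detector and the slow-ramp evasion.

The traffic series below are constructed for illustration (hourly counts of
inbound connections to one host); they are not data from the page.
"""
from statistics import mean, pstdev

HOURS = 240  # ten days of hourly samples (constructed)


def flat_then_spike():
    """Normal traffic of about 100 connections/hour, then a 1000-connection
    burst in the final hour: the 'act' with no advance preparation."""
    counts = [100 + (h % 5) for h in range(HOURS - 1)]  # small periodic wobble
    counts.append(1000)
    return counts


def ramp_then_spike():
    """The evasion the text describes: traffic is raised linearly from 100 to
    1000 connections/hour over the whole period, so the final burst of 1000 is
    no larger than the hour before it."""
    counts = [100 + round(900 * h / (HOURS - 2)) for h in range(HOURS - 1)]
    counts.append(1000)
    return counts


def rolling_zscore_alerts(counts, window=24, threshold=3.0, min_std=1.0):
    """Frequency-based symptom detection with an adaptive baseline.

    Hour i is flagged when its count exceeds mean + threshold * stddev of the
    previous `window` hours.  min_std stops a perfectly flat history from
    producing a zero threshold.  Returns the list of flagged hour indices.
    """
    alerts = []
    for i in range(window, len(counts)):
        history = counts[i - window:i]
        mu = mean(history)
        sigma = max(pstdev(history), min_std)
        if counts[i] > mu + threshold * sigma:
            alerts.append(i)
    return alerts


def fixed_baseline_alerts(counts, window=24, ratio=2.0):
    """Added check (an assumption of this example, not a method from the page):
    freeze the baseline at the start of the record instead of letting it adapt,
    and flag every hour whose trailing-window mean exceeds ratio * baseline.
    The slow ramp itself then becomes the symptom."""
    baseline = mean(counts[:window])
    return [i for i in range(window, len(counts))
            if mean(counts[i - window:i]) > ratio * baseline]


if __name__ == "__main__":
    for name, series in (("flat then spike", flat_then_spike()),
                         ("ramp then spike", ramp_then_spike())):
        print(f"{name}: rolling z-score flags {rolling_zscore_alerts(series)}, "
              f"fixed-baseline flags begin at {fixed_baseline_alerts(series)[:1]}")
```

Running the script prints the flagged hours for each series: the adaptive detector flags the final hour of the first series and nothing at all in the second, because by the time the burst arrives the last day of ramped traffic already looks normal. The frozen baseline, by contrast, never sees the burst as unusual relative to the hour before it but flags the ramp itself within its first few days. The practical point is that an adaptive baseline must be anchored to a period known to be clean, and that "normal" should be re-examined whenever it has drifted.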
 
3.2.2.1 Latent worms or viruses
3.2.2.2 Increase in Probes
3.2.2.3 Increase in email traffic between suspicious parties
3.2.3 Where is the right place to look
3.2.4 How are symptoms assembled?
3.2.4.1 Speculation on form of attack and creation of potential warning symptoms?
3.2.4.2 Can a "honeypot" be developed to attract symptoms
3.2.5 Detection work may block prosecution
Evidence usually requires a warrant, and a warrant must state specific grounds for the search. The broad "fishing" for information needed to prevent attacks may therefore make what is gathered hard to use in court.
 
3.3 Balance of surveillance vs Civil Rights
3.3.1 Civil Rights Advocates argue against use of new technologies
3.3.1.1 Dershowitz argues
3.3.1.1.1 Some use of new technologies may actually reduce the use of broad profiles
3.3.1.2 Scott McNealy argues that privacy is dead, so "get over it".
3.3.2 Dershowitz argues that rights have to be in context.
What was OK prior to 9/11 may not be OK today given the experience of society. For instance, would we now agree to more invasive monitoring?
 
 
 
[1] DoS or Denial of Service attacks are those that prevent legitimate, authorized users from reaching a service. They are often carried out by flooding an installation with bogus network traffic, consuming bandwidth and connection resources for no useful purpose.
 
Steve Teicher
Visiting Instructor, Digital Media
UCF