Legal Liability and Security Incident Investigation
Jennifer Stisa Granick, Esq.
Exec. Director, Center for Internet & Society
Stanford Law School, Stanford, California USA
http://cyberlaw.stanford.edu
Black Hat Briefings 2004

SLIDES

Intrusion Investigation Tools
- Social Engineering
- Wiretap
- Sniffing
- Wireless
- Stored Communications
- Keystroke Logging
- Port Scanning

Intrusion Investigation Tools, con't
- Vulnerability Scanning
- Remote Access
- Trojan Horse Programs
- Ping, whois, traceroute, finger, googling
- Web Beacons
- Strike-Back or "Active Defense" Technology

Possible Legal Liability/Obstacles
- Fourth Amendment
- Fraud
- Illegal Interception of/Access to Data
- Computer Crime Laws: Unauthorized Access
- Possessing Illegal Tools/Devices

Fourth Amendment
- Protects against unreasonable search and seizure
- Constrains government and gov't agents

Social Engineering
- If you have some idea of who attacked your system, or where evidence might be, can you pretend to be someone else to get information (user ids, passwords, etc.) to use in your investigation?

Fraud
- Applies to social engineering?
- Misrepresentation
- Fraudulent purpose: "to deprive another of the intangible right of honest services, money, etc."

Sniffing
- Can you monitor in real time your own system, the suspected intruder's system, or the system of a third party to get more information about the attack?

Illegal Interception Issues
- Monitoring by: Intelligence Agency or Law Enforcement; Service Provider, Business, Employer; Other
- Content of Communications vs. Transactional or Traffic Information
- Real Time vs. In Storage
- Rights of Third Parties

Wiretapping/Sniffing
- General Rule: No interception (acquisition) of the CONTENTS of communications in transit.
- No eavesdropping/sniffing
- No using or disclosing intercepted communications.

Exceptions to Rule Against Interception
- Warrant
- Computer Trespasser Exception
- Consent of a Party to the Communication Exception
- Provider Exception (System Protection)
- Readily accessible to general public

Wiretap Warrant
- DOJ Approval
- Federal Judge
- Warrant/Prob. Cause
- Predicate Offense
- Necessity/No Other Means
- Minimization
- 30 day authorization

Computer Trespasser Exception
Government may monitor trespasser if:
- No contractual relationship or authority to be on computer
- Provider authorized interception
- Government does the monitoring
- Only communications to and from trespasser intercepted, and
- Reasonable grounds to believe info is relevant to an ongoing (legitimate) investigation

Party/Consent Exception
- Party to a communication can intercept or give consent to intercept
- Warning Banners: All activity subject to monitoring
- Terms of Service

Service Provider Exception
- Provider May Monitor to Protect Its Rights or Property
- May intercept communications if inherently necessary to providing the service
- Scope of exception undefined

Accessible to the Public
- 2511(2)(g)(i): "It shall not be unlawful under this chapter or chapter 121 of this title for any person - to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public"
- Are open wireless access points accessible to the general public?

Can You Do RT Traffic Analysis?
- General prohibition
- LE needs a pen/trap and trace order
- Service provider need: Relating to operation of service; Protection of rights or property of provider; To record fact of completion; Consent of user

Reviewing Stored Files or Logs
- Can you search documents the intruder placed on your system? On an intermediary system? On his/her own system?

Accessing Stored Communications
- General Prohibition: Illegal to access stored communications without or in excess of authorization

Provider's Right to Review
- Any provider may freely read stored email/files of its customers
- Not unauthorized access to the system
- A non-public provider may also freely disclose that information, for example, an employer

Accessing Stored Subscriber Info
- Provider may access and disclose non-content records to anyone except a governmental entity
- Exceptions: to protect provider's rights/property; threat of death/serious bodily injury; appropriate legal process; consent of subscriber

Accessing Other Computer Systems
- Can you disable a system that is sending you malicious code?
- Can you install monitoring programs on another system?
- Can you gain remote access to that system to search it?

Computer Fraud and Abuse Act (18 USC 1030)
Unauthorized access that causes damage to protected computer:
- loss > $5,000 in value
- modification or impairment of the medical data
- physical injury to any person
- a threat to public health or safety
- damage to computer system used in furtherance of the administration of justice, national defense, or national security

Things That Are Unauthorized Access/Trespass
- SPAM
- Domain name search robots
- Internet auction information spiders
- Travel agent price aggregators
- Cookies
- Port scanning?

Port Scanning
- Metaphors: Jiggling Doorknobs; Looking at the house
- Moulton v. VC3: Not unauthorized access under 18 USC 1030, no damage
- Attempt?

Trojan Horse
- 18 USC 1030(a)(5)(A)(i): "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer"

Strike Back
- Unauthorized Access/Transmission
- Defense of self/others?
- Justification/Necessity?

Possible to Get in Trouble for Net. Analysis Tools?
- COE: Article 6
- France: LEN
- US: DMCA

COE Article 6
- Criminalizes the production, sale, procurement for use, import, distribution of a device or program designed or adapted primarily for the purpose of committing unauthorized access or data intercept, and possession with criminal intent of such a device.
- No criminal liability if not for the purpose of committing an offence, such as for the authorized testing or protection of a computer system

France: loi pour la confiance dans l'économie numérique
- Art. 323-3-1. - Importing, possessing, offering, transferring or making available, without legitimate reason, any equipment, instrument, computer program or data designed or specially adapted to commit one or more of the offences provided for in articles 323-1 to 323-3 is punishable by the penalties laid down respectively for the offence itself or for the most severely punished offence.
- "Sans motif légitime" (without legitimate reason): Burden on possessor to prove legitimate motive

US: DMCA
- Prohibits Circumvention of Technological Measure that Effectively Controls Access to a Copyrighted Work
- Prohibits Manufacturing and Distribution of Any Technology (Tools): Primarily Designed for the Purpose of Circumventing Access Controls; Limited Commercially Significant Purpose; OR Marketed for Use in Circumvention

Talk to a Lawyer Before
- Lying to get account information
- Intercepting communications
- Doing real time traffic analysis
- Accessing, installing code on or disabling other people's systems
Contact
Jennifer Stisa Granick, Esq.
Center for Internet & Society, Stanford Law School
559 Nathan Abbott Way, Stanford, California 94305 USA
+1 (650) 724-0014
Jennifer@law.stanford.edu

SPEAKER NOTES

SINGAPORE. Chapter 50A: Computer Misuse Act. Unauthorised access to computer material. Section 3 - (1) Any person who knowingly causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer shall be guilty of an offense and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both and, in case of a second or subsequent conviction, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both.

AUSTRALIA. Federal legislation: THE CYBERCRIME ACT 2001. The Cybercrime Act 2001 amended the Criminal Code Act 1995 to replace existing outdated computer offences. 478.1 Unauthorised access to, or modification of, restricted data. (1) A person is guilty of an offence if: (a) the person causes any unauthorised access to, or modification of, restricted data; and (b) the person intends to cause the access or modification; and (c) the person knows that the access or modification is unauthorised; and (d) one or more of the following applies: (i) the restricted data is held in a Commonwealth computer; (ii) the restricted data is held on behalf of the Commonwealth; (iii) the access to, or modification of, the restricted data is caused by means of a telecommunications service. Penalty: 2 years imprisonment.

COE Cybercrime Treaty, Art. 2: A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system.

US: Title III and ECPA: 18 U.S.C. 2510 et seq. No unauthorized sniffers. COE: Article 3 - Illegal interception: Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data. A Party may require that the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system.

Purpose of Talk: To highlight and explain legal principles that may constrain or regulate tools and techniques you can use in investigating an intrusion. Go into rather great detail; the important thing to take away may be when it's time to talk to a lawyer.
International Law/Domestic law of other countries where computer servers may be located? AUS: Privacy Act. European Union Data Protection Directive.

(loi pour la confiance dans l'économie numérique): article 34, with its 323-3-1, says:
- having or distributing exploit code and/or detailed vulnerability information and/or information about hacking techniques is ILLEGAL.
- having or distributing hacking/security tools, scanners, pen testers, or technical white papers is ILLEGAL.
- magazines and websites distributing security information about vulnerabilities or exploits are ILLEGAL.

SCENARIO: Come into work, webpage is hacked. Or there's a strange file on your system that wasn't there before. TIP: DON'T read these; discuss the scenario while showing this and the NEXT slide.

Ping: A utility to determine whether a specific IP address is accessible. It works by sending a packet to the specified address and waiting for a reply. PING is used primarily to troubleshoot Internet connections. There are many freeware and shareware Ping utilities available for personal computers.

Port scanning: The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.

Types of port scans:
- vanilla: the scanner attempts to connect to all 65,535 ports
- strobe: a more focused scan looking only for known services to exploit
- fragmented packets: the scanner sends packet fragments that get through simple packet filters in a firewall
- UDP: the scanner looks for open UDP ports
- sweep: the scanner connects to the same port on more than one machine
- FTP bounce: the scanner goes through an FTP server in order to disguise the source of the scan
- stealth scan: the scanner blocks the scanned computer from recording the port scan activities
Port scanning in and of itself is not a crime. There is no way to stop someone from port scanning your computer while you are on the Internet, because accessing an Internet server opens a port, which opens a door to your computer. There are, however, software products that can stop a port scanner from doing any damage to your system.

http://www.gcwf.com/gcc/GrayCary-C/News--Arti/Journal/0703_JIL.doc_cvt.htm?COM=Pt

Criminal penalties (five-year felony) [2511(4)]; exception for first offense, wireless comms. Civil damages of $10,000 per violation plus attorney's fees. USA Patriot added new language specifically imposing liability on government agents. Statutory suppression.

Does this mean you can't ever have a sniffer? No, there are exceptions.

Banners an imperfect solution: Consent to pass information on to law enforcement? Third parties don't see banners. Heavy reliance on banners for consent. When is a honeypot a party?

Honeypot problem: no service, rights or property at stake? For the purpose of criminal investigation? Normal course of employment, no random monitoring.
"It shall not be unlawful under this chapter [18 USCS 2510 et seq.] for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks." Disclosure of communications OK: which were inadvertently obtained by the service provider and which appear to pertain to the commission of a crime, if such divulgence is made to a law enforcement agency.

New with the USAPA. Limits of the new Computer Trespasser Exception: interception under this exception has several prerequisites: consent of the owner; under color of law; relevant to an official investigation; and cannot acquire communications other than those to/from the trespasser.

Provider can use; 18 USC 3121: provider of electronic or wire communication service -- (1) relating to the operation, maintenance, and testing of a wire or electronic communication service or to the protection of the rights or property of such provider, or to the protection of users of that service from abuse of service or unlawful use of service; or (2) to record the fact that a wire or electronic communication was initiated or completed in order to protect such provider, another provider furnishing service toward the completion of the wire communication, or a user of that service, from fraudulent, unlawful or abusive use of service; or (3) where the consent of the user of that service has been obtained. Need to show for order: certification that info likely to be obtained is relevant to an ongoing criminal investigation, 18 USC 3122(b). Court shall enter the order, 3123. Can do an emergency pen/trap and trace: (1) an emergency situation exists that involves -- (A) immediate danger of death or serious bodily injury to any person; (B) conspiratorial activities characteristic of organized crime; (C) an immediate threat to a national security interest; or (D) an ongoing attack on a protected computer (as defined in section 1030).

Any provider may freely read stored email/files of its customers. Bohach v. City of Reno, 932 F. Supp. 1232 (D. Nev. 1996) (pager messages). US v. Councilman. General rule: a public provider (e.g., an ISP) may not freely disclose customer content to others [18 U.S.C. 2702]. Exceptions: consent; necessary to protect rights or property of service provider; to law enforcement if contents inadvertently obtained and pertain to the commission of a crime; imminent threat of death/serious injury. Theofel v. Farey-Jones: Ninth Circuit. Patently unlawful subpoena. Emails stored w/ ISP. Violation of act.
Web beacon: Also called a Web bug or a pixel tag or a clear GIF. Used in combination with cookies, a Web beacon is an often-transparent graphic image, usually no larger than 1 pixel x 1 pixel, that is placed on a Web site or in an e-mail and is used to monitor the behavior of the user visiting the Web site or sending the e-mail. When the HTML code for the Web beacon points to a site to retrieve the image, at the same time it can pass along information such as the IP address of the computer that retrieved the image, the time the Web beacon was viewed and for how long, the type of browser that retrieved the image and previously set cookie values. Web beacons are typically used by a third party to monitor the activity of a site. A Web beacon can be detected by viewing the source code of a Web page and looking for any IMG tags that load from a different server than the rest of the site. Turning off the browser's cookies will prevent Web beacons from tracking the user's activity. The Web beacon will still account for an anonymous visit, but the user's unique information will not be recorded.

Traceroute: A utility that traces a packet from your computer to an Internet host, showing how many hops the packet requires to reach the host and how long each hop takes. If you're visiting a Web site and pages are appearing slowly, you can use traceroute to figure out where the longest delays are occurring. The original traceroute is a UNIX utility, but nearly all platforms have something similar. Windows includes a traceroute utility called tracert. In Windows 95, you can run tracert by selecting Start->Run..., and then entering tracert followed by the domain name of the host. For example: tracert www.pcwebopedia.com. Traceroute utilities work by sending packets with low time-to-live (TTL) fields. The TTL value specifies how many hops the packet is allowed before it is returned. When a packet can't reach its destination because the TTL value is too low, the last host returns the packet and identifies itself. By sending a series of packets and incrementing the TTL value with each successive packet, traceroute finds out who all the intermediary hosts are.

Finger: A UNIX program that takes an e-mail address as input and returns information about the user who owns that e-mail address. On some systems, finger only reports whether the user is currently logged on. Other systems return additional information, such as the user's full name, address, and telephone number. Of course, the user must first enter this information into the system. Many e-mail programs now have a finger utility built into them.

LE or working with LE, 4th doesn't apply. Important to notice that there are different rules for government, different rules again for national security investigations. Search and seizure without a warrant (unless exception applies). Exceptions that are relevant may include: Exigent circumstances: evidence about to be destroyed. Heckenkamp: No REOP in computer system -- attached own computer to school network. Gov't argued did not have REOP in files stored on connected computer.

Social engineering: misrepresent to obtain property/information or other advantage? Mitnick case: deceived employees of victim companies into providing him and co-D with user accounts and passwords. 18 USC 1343. OK for cops to lie: U.S. v. Gorshkov/Ivanov: No REOP in Invita computers. 4th Am. does not apply to non-US computers. Got warrant to view data downloaded to US.

Warrant only available to LE in criminal investigation for certain offenses. Keystroke logger? US v. Scarfo case: 180 F.S.2d 572 (NJ 2001): With a search warrant, installed a keystroke logger to decipher the passphrase to an encrypted file. How this logger works was a secret, but the court was satisfied that it did not operate while the modem was activated. Therefore, it wasn't a wiretap, which cannot be authorized by a simple search warrant.

Can you sniff wireless?

"a facility through which electronic communication services are provided and thereby obtain, alter, or prevent access to a wire or electronic communication; while in electronic storage"

This means you can access, and you can ask another entity to give it to you and they can do so. For LE to get (A) name; (B) address; (C) local and long distance telephone connection records, or records of session times and durations; (D) length of service (including start date) and types of service utilized; (E) telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and (F) means and source of payment for such service (including any credit card or bank account number), they need a subpoena from a grand jury or an administrative subpoena. There's basically no court review for subpoenas. 18 USC 2703(c). For LE to get other non-content subscriber information, they need (A) a warrant; (B) a 2703(d) court order; or (C) consent of the subscriber or customer. The 2703(d) order "shall issue only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation." For LE to get stored content information (emails, messages, etc.) they need (a) a warrant if stored for less than 180 days; or (b) a warrant if stored for more than 180 days and they want to give no notice to subscriber; or (c) an administrative or grand jury subpoena; or (d) a 2703(d) court order, and they can ask the court to approve no notice to the subscriber.

18 USC 1030 cases:
- SPAM: America Online v. National Health Care Discount, 121 F.Supp.2d 1255, 1273 (N.D. Iowa 2000)
- Automated search programs: Register.com v. Verio, Inc., 126 F.Supp.2d 238, 251 (S.D.N.Y. 2000) [domain name information]; eBay v. Bidder's Edge, 100 F.Supp.2d 1058 (N.D.Cal. 2000) [internet auction information]; EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001) [travel agent prices]
- Cookies: In re Intuit Privacy Litig., 138 F. Supp. 2d 1272 (C.D. Cal. 2001)
- Register.com v. Verio, Inc., 126 F.Supp.2d 238, 251 (S.D.N.Y. 2000); eBay v. Bidder's Edge, 100 F.Supp.2d 1058 (N.D.Cal. 2000); Intel v. Hamidi; American Airlines v. FareChase

HP v. SnoSOFT. RIAA v. Felten. 2600 case: DeCSS. Fear that this can be greatly expanded to any security tool, access to files stored; these are all CR. Question whether the definition of prohibited devices is a sufficient safeguard.
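The web beacon note above says a beacon can be spotted by looking for IMG tags that load from a different server than the page itself. The following is an added example, not code from the talk, that implements that check in Python over a constructed sample page; the host comparison, the 1x1 size flag and the invented hostnames are mine.

```python
"""Flag likely web beacons in an HTML page.

Heuristic from the note above: an IMG tag whose src loads from a different
server than the page itself is suspicious; a 1x1 (or 0x0) size is a second
signal typical of tracking pixels. Added example, not code from the talk.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

TINY = {"0", "1"}  # width/height values typical of a tracking pixel


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser already lower-cases tag names
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def find_beacons(page_url, html):
    """Return one dict per <img> whose host differs from the page's host.

    Each dict has the resolved 'src', the foreign 'host' and a 'tiny' flag
    (True when both width and height are 0 or 1). Same-host images and
    inline data: URIs are skipped because they fetch nothing from a third
    party. A CDN on another host is flagged too; the analyst decides.
    """
    page_host = urlsplit(page_url).hostname
    parser = ImgCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs in parser.images:
        src = attrs.get("src", "").strip()
        if not src or src.lower().startswith("data:"):
            continue
        absolute = urljoin(page_url, src)  # resolves relative and // forms
        host = urlsplit(absolute).hostname
        if host is None or host == page_host:
            continue
        tiny = (attrs.get("width", "").strip() in TINY
                and attrs.get("height", "").strip() in TINY)
        findings.append({"src": absolute, "host": host, "tiny": tiny})
    return findings


# Constructed sample page (hostnames invented): one same-origin banner, one
# third-party logo and one hidden 1x1 pixel on a tracking host.
SAMPLE_URL = "https://www.example.com/news/index.html"
SAMPLE_HTML = """<html><body>
<img src="/images/banner.png" width="468" height="60" alt="banner">
<img src="//cdn.partner-example.org/logo.png" width="120" height="40">
<p>Story text.</p>
<IMG SRC="https://tracker.example.net/px.gif?uid=constructed"
     WIDTH="1" HEIGHT="1" STYLE="display:none">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_URL, SAMPLE_HTML):
        label = "likely beacon" if hit["tiny"] else "third-party image"
        print(f"{label}: {hit['src']} (host {hit['host']})")
```

The same function works on the HTML body of an e-mail, which is the other place the note says beacons are planted.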
Document metadata: author Jennifer Granick; hyperlink http://www.stanford.edu/