Post on 28-Nov-2014
Lessons learned in fighting cybercrime and cyber terrorism
Albena Spasova
International Cyber Investigation Training Academy
Evolution of cybercrime
Web 1.0
Web 2.0
Web 3.0
What’s the future?
The dark side of Web 1.0
Traditional crime moved online
Web 1.0 - hacking
Web 1.0 - viruses
The dark side of Web 2.0
Traditional and dynamic phishing
Botnets
New tools for organized crime groups
New tactics for terrorist groups
Cyber tactic
1. Espionage
2. Propaganda
3. Denial of Service (DoS)
4. Data interference
5. Infrastructure manipulation
Organized crime?
“Old crimes, new tools and new crimes, new tools”
Botnets – What are they?
Traditionally controlled through Internet Relay Chat (IRC)
Botnets – Chasing New Exploits
Constantly looking for new exploits
New infections before patch released
Botnets – Security Bulletin – 08/08/2006
Botnets – DHS Warning – 08/09/2006
Botnets – Bot in the Wild by Weekend
Botnets – How are they used?
Sending Spam
Denial of Service Attacks
ID Theft
Spyware Delivery
Botnets – How are they used?
ID Theft
DDoS / SPAM attracted attention – botnets were shut down
ISPs and victims would monitor attacks to find bots
Bad guys discovered that they could make $$$$ instead
Botnets – How are they used?
Spyware
Spyware / Adware used for advertisement delivery
Popups
Affiliate programs pay per install
Bot herders will install the spyware on their bots in order to get paid
Botnets and eCommerce
Specific uses of botnets targeted at abusing eCommerce users
ID theft combined with proxy
Dynamic Phishing Sites
Cases
Simple case: a mule receives money into a bank account and moves the money to another bank account
Complex case: a mule receives money via an online payment system and transfers the money via bank to another account belonging to another mule; the next mule transfers the money through an online payment system to a different mule – all actions happen in different states
Example of Fraudulent Scheme
Money flows
• Fraud groups from set up spoof sites all over the world
• They convince victims to send money/goods to Spain, Italy, France, Belgium and more recently the UK
• Runners or Arrows collect the money/goods from around the world and send it back to Fraudster
Investigation – challenges for law enforcement
Where did the crime happen?
Is the crime a crime in the jurisdictions involved?
Who will investigate it?
Who is behind it?
Tracing back…
Tracing…
While it's happening – where is the illegal activity taking place – who are the parties involved?
Using information provided by ISPs and other communications providers – different legal requirements
Encrypted communications
Tracing…
Preservation of data
Information kept must be sufficient to allow tracing
Fast sharing of information
Tracing scheme…
Sharing electronic evidence internationally
How long does it take to share information between two countries?
What other challenges do we have in the process?
Challenges
Legislation and jurisdiction
Sufficient resources and personnel
Localizing and identifying the “bad guys”
Collect and share evidence internationally
Legal Instruments
CoE Cybercrime Convention - 2001
Council Framework Decision 2005/222/JHA on attacks against information systems
Council Framework Decision 2004/68/JHA on combating the sexual exploitation of children and child pornography
Legal Challenges
Definition
Jurisdiction
Investigation
International Cooperation
Public-private Partnerships
Prevention
1. Definition of cyber-crime
Technology is rapidly evolving
Definition – open, flexible, vague
Balance between open legal requirements and national constitutional prohibitions
Technology neutral language
Definition
CoE Convention – technology neutral language – Art. 1
Computer system
Computer data
Service provider
Definition
No universally accepted definition
Crimes related to cyberspace: no longer computer and internet crime
“Information systems” – any device or a group of interconnected or related devices
“Data”
E.g. personal digital assistant, modern car, mobile phone
Chapter II, Measures to be taken at the national level – Substantive criminal law
Title I – Offences against the confidentiality, integrity and availability of data – illegal access, illegal interception, data interference, system interference, misuse of devices
Title II – Computer-related offences – forgery, fraud
Title III – Content-related offences – child pornography / Protocol – hate speech
Title IV – Offences related to the infringements of copyright and related rights – copyright and related rights
Council Framework Decision 2005/222/JHA on attacks against information systems
Approximation of criminal law systems:
Illegal access to information systems
Illegal system interference
Illegal data interference
Example – cyber terrorism case
Large-scale attack against information systems – e.g. a terrorist would attack information systems essential for international capital markets and break them down
A computer-related offence – e.g. a terrorist would take over an information system managing a nuclear facility and trigger a nuclear meltdown
A content-related offence – e.g. a terrorist disseminates propaganda/blueprints for bombs
Example
State A
State B
State C
Criminal hate speech: drafted in one place, transmitted through another and uploaded on a server in a third, viewed by the whole world
2. Determining Jurisdiction
CoE Cybercrime Convention:
Territoriality principle
Personality principle
Protection principle
Council Framework Decision 2005/222/JHA on attacks against information systems:
Territoriality principle
Nationality principle
When several MS have jurisdiction – decide
Council Framework Decision 2004/68/JHA on combating the sexual exploitation of children and child pornography:
Territoriality principle
Active personality principle
The offence committed for the benefit of a legal person established in the territory of that MS
Problems
Dual criminality
Dual illegality
Legal harmonization – for extraterritorial or universal jurisdiction
Toben Case – dual criminality/illegality
In 1999 an Australian national created a website in Australia, in English, which included a statement that the Shoah never happened
Auschwitz denial is a crime in Germany
Site was viewed by neo-Nazis
Under territoriality principle
Counter example
Advertisement of beer in Germany
Can be accessed in Islamic countries
Counter example
German Internet blog critical of a dictatorship in the Far East
Blog is accessible in these countries
Conclusion: a degree of legal harmonization is necessary for legitimate extraterritorial or even universal jurisdiction
3. Investigation: CoE Cybercrime Convention provisions
Title 2 – Expedited preservation of stored computer data – “quick freeze”
Title 3 – Production order
Title 4 – Search and Seizure of stored computer data
Title 5 – Real-time collection of computer data
Observations
Crimes committed “without right”
Problems
The use of remote forensic software to carry out remote search procedures, record VOIP communications, log keystrokes and passwords, identify IP addresses
Data retention/data privacy
Data Retention Directive – telecommunication service providers – anybody's traffic for up to 6 months
Production order – produce specific data – passwords, encryption codes
Proportional measures
4. International Cooperation
“Loopholes of jurisdiction”
Cooperation is necessary:
Extradition – serious crime offenses
Mutual legal assistance
Minimum of harmonization on substantive and procedural laws
Private-public partnerships
4. International Cooperation – CoE Convention
Cooperation:
Art. 24 Extradition
Art. 25 Mutual Legal Assistance
Art. 26 Spontaneous information
Coordination:
which state should do what – points of contact
Harmonization:
Substantive
Procedural
Solutions:
Adopt adequate legislation
Assure sufficient law enforcement personnel with adequate training and resources
Partnerships with industry
Public awareness
Crime in a virtual world?
Should we be concerned? Do worlds collide?
Virtual worlds
In-world populations:
Second Life (with over 16 million)
Warcraft (12 million paid subscribers)
Disney Club Penguin (expected to attract over 30 million participants)
Together the population of these three virtual worlds alone exceeds the real-world populations of Canada, Australia and Ireland combined
Life in a virtual world:
What can you do?
Life in a virtual world:
Interesting stats
567 mil. $ user to user transactions in 2009
65% jump from 2008
770.000 unique users made repeat visits to SL in December 2009
Residents cashed 55 mil. $ transferring to PayPal
Land barons make 12 mil. $ untidily per year
Users control IPRs of what they build
Average price per island is 1000 $
Virtual money
Money launderers can now move illicit cash through the growing number of virtual reality role-playing games, and convert that cash into real currency before withdrawing it from ATMs worldwide.
One wonders just how many laundrymen have tumbled to this cyberlaundering opportunity.
Compliance officers at financial institutions please note that their banks may be guilty of money laundering if they facilitate deposits or payments in these virtual worlds, for there is no functional due diligence on players or recipients.
Scenario
LD$
Imagine this scenario
All accounts with counterfeit identification
In conclusion…
EU Regulations are coming
Take a step at a time
Thank you!
Conclusions
Prevention: Increase Internet culture
Protection: people and infrastructures
Cooperation: law enforcement and judiciary
Responsibility: national, regional, global
Financing…
Albena Spasova
President of the Management Board,
International Cyber Investigation Training Academy
Sofia, Bulgaria
Associate Professor,
Technical University, Lille – 1, France
www.cybersafetyblog.eu
аspasova@cybercrimeacademy.org
albaadvisors@gmail.com
Tel. 0887 30 32 89