Investigating Computer Crime Professor Carsten Maple University of Bedfordshire 8th February 2013
Why am I here?
Background Computer Scientist applicable computing Co-author of UK Security Breaches Report supported by SOCA and PCeU A director of the National Centre for Cyberstalking Research
Definition of Computer Crime We restrict our definition to where the computer; is a target of a criminal activity is a tool to commit a criminal activity Some add that it; is a repository of either direct or circumstantial evidence of the crime The term cybercrime has gradually become a general synonym for computer crime, as is e-crime, defined as; [+] the use of networked computers or internet technology to commit of facilitate the commission of crime. We will use computer crime in place of these definitions + ACPO, The Association of Chief Police Officers of England, Wales and Northern Ireland, e-crime strategy, http://www.acpo.police.uk/asp/policies/data/ecrime%20strategy%20website%20version.pdf; 2009.
Types of Computer Crime + Ali Alkaabi et al, Dealing with the Problem of Cybercrime, Digital and Forensics and Cyber Crime, 2 nd Internal ICST Conference, ICDF2C 2010, Abu Dhabi, UAE, 2010
Computer Crimes Against the Person As a result victims suffer (not necessarily a complete list): Financial (theft of credentials through Phishing, Trojans, hacking customer databases) Scams (ebay bogus auctions, fake online shops, letters (Nigerian, Russian brides)) Extortion (Ransomware, personal data theft) Loss of Reputation Impersonation (hacking of victim s email, Facebook, Twitter, etc.) Loss of Data (failed extortion scheme leading to destruction of data held as hostage ).
Computer Crimes Against the Person.cont d Also suffer: Loss of Employment Scams (EBay bogus auctions, fake online shops, letters (Nigerian, Russian brides)) Extortion (Ransomware, personal data theft) Loss of Freedom (victim s IP address hijacked, used for criminal action and victim incarcerated) Loss of Physical Integrity (online predators).
Computer Crimes Against the Computer As a result organisations suffer (again some examples): Theft of Critical Data (intellectual property, customer base) Theft of Credentials (phishing/social engineering, Trojans, IT system hack) Paralysis of Production Tools (Botnet DDoS, software vulnerability, compromise of SCADA) Loss of Reputation Trust among users (loss of confidence, defacement of company s website) Financial Loss Online Extortion (DDoS blackmail, loss of share value)
Financial Cost of Computer Crime Financial costs includes; Costs in anticipation of cybercrime Physical & virtual security measures Compliance (PCI DSS, etc.,), insurance costs Costs as a consequence of cybercrime Business continuity, disaster recovery Commercial exploitation of IP Costs in response to cybercrime Compensation payments to victims Regulatory fines, legal costs Indirect costs associated with cybercrime Reputational damage Expansion of the underground economy + Cabinet Office, The cost of cyber-crime, A Detica report in partnership with the Office of Cyber Security and Information Assurance in the Cabinet Office, Available at:, http://www.cabinetoffice.gov.uk/resourcelibrary/, 2011.
Financial Cost of Computer Crime.cont d + Cabinet Office, The cost of cyber-crime, A Detica report in partnership with the Office of Cyber Security and Information Assurance in the Cabinet Office, Available at:, http://www.cabinetoffice.gov.uk/resourcelibrary/, 2011.
Opportunities for Computer Crime [4] Cabinet Office, The cost of cyber-crime, A Detica report in partnership with the Office of Cyber Security and Information Assurance in the Cabinet Office, Available at:, http://www.cabinetoffice.gov.uk/resourcelibrary/, 2011.
UK Legislation In the UK, most computer crime falls under offences covered by one of three pieces of law: Computer Misuse Act 1990 Communications Act 2003 Fraud Act 2006 Regulation of Investigatory Powers Act 2000 Victims of computer crime are more often than not affected by at least one of the three acts listed above
Motives The motives for computer crime: Financial Gain Extortion Reputation (Kudos) Revenge / Malicious Damage (disgruntled employee) Hacktivism / Sense of Justice (Annoymous, LulzSec) Cyber Warfare / Espionage (Stuxnet) Terrorism
Methods used in Computer Crime The methods used in computer crime include: Use of available vulnerabilities (known weaknesses in software apps) Denial of Service (DoS) (is stopping a system by sending enormous IP packets that disables the system which cannot answer each request) Back doors (also called trap-doors, used by programmers to access systems quickly and easily by bypassing security mechanisms) Logic bombs (program stays inactive in system until a specific date or event occurs) Malware ( malicious software ) (computer viruses, worms, Trojan horses, rootkits, key loggers, spyware, adware, etc.) Social Engineering (phishing, spoofing, tailgating, shoulder surfing, etc.)
Opportunities for Computer Crime Cyberstalking example: Stalking existed before the development of computer, internet or mobile phone. The motivation & techniques of stalkers have remained consistent over time. Tools stalkers use has changed over time. They exploit technology in ways never envisioned or intended by the creators [5] Surveillance, tracking and eavesdropping with commonly used technology Location tracking devices attached to victim s car Social networking Email communications 2011 Cyberstalking in the UK An Analysis of the ECHO Pilot Survey found that of those who reported being stalked electronically; 83% were stalked through e-mail 35% through instant messaging 46% reported been stalked using a hidden camera to monitor their actions 10% reported that Global Positioning System (GPS) location tracking technology was used to monitor their location
How NCCR advises on Cyberstalking Prevention Motivation Means Impact Investigation
Types of attack Identity theft controlling victim s credentials Posting false profiles Posing as the victim and attacking others Discrediting in online communities Discrediting victim in workplace Direct threats through email/instant messaging Constructing websites targeting the victim Transferring attack to victim s relatives Use of the victim s image Provoking others to attack the victim Following the victim in cyberspace
Attribution Attacker Victim Communication Medium
Challenges in Investigating Computer Crime we will never have enough law enforcement to deal with the extent of cybercrime out there Charlie McMurdie, 2008 [+] Technical challenges: Offenders can use software devices that do not require in-depth technical knowledge, e.g.; Backtrack Port Scanning, Cain and Abel Password Cracking, etc. Attribution Difficulty in tracing offenders and they can hinder investigation by disguising their identity and employing Anti-Forensic techniques e.g.; TimeStomp, MAC Spoofing, etc. Few control instruments that can be utilised by law enforcement available on the internet Technical proficiency of perpetrators often exceeds the capability of the victims and law enforcement Legal challenges: Legislation and procedures can differ across international jurisdictions A single crime scene can be compounded by the lack of any definitive jurisdiction or consistent global legislation No clear distinction between issues that are best dealt with through better regulation and those that require law enforcement action + McMurdie C, The e-crime gap, Police Professional, December 11, 2008
Computer Forensics Approach Machine Learning Forensics Borrows techniques and technology from Computer Security domain for Computer Forensics. Log Analysis (use of data mining algorithms to search & correlate large log datasets) Mining Intrusion Detection Systems (IDS) collect multiple event log data sources Live Digital Forensics Gathering data from a system during operation. Reveals open ports, active network connections, memory resident malware, etc. Encrypted data could be unlocked as encryption key usually stored in RAM Distributed Digital Forensics Addresses problem of imaging very large datasets and helps alleviates I/O bottlenecks Email Forensics Remote Forensics
Support for Successful Prosecution UK instrumental in contributions to fight Computer Crime nationally and internationally ACPO (Association of Chief Police Officers) Leads the strategic and operational development of policing practice in England, Wales and Northern Ireland PCeU (Police Central e-crime Unit) Investigates significant intrusions ( hacking ) eg. Government, commercial and academic DoS, BotNets, large scale phishing CEOP (Child Exploitation and Online Protection) Tackles the sexual abuse and exploitation of children and young people Virtual Global Taskforce (VGT) Partnership approach between police, industry and academia
Case Studies Good and Bad Computer Crime Investigations Good - PCeU Operation Pagode (investigation into underground forum for cybercriminals. Saved 84m worth of harm ) Operation Dynamaphone (investigation into co-ordinated online banking fraud and phishing attacks. Saved 5.5m worth of harm Bad Northfolk Constabulary Operation Cabin + ( botched investigation into the hacking of data from the Climate Research Centre (CRU) at the University of East Anglia (UEA) nicknamed Climategate ) Complex and costly investigation, involving Met s Counter Terrorism Command (CTC), National Domestic Extremism Team (NDET), PCeU and consultants in online security Investigation team lacked expertise and resources to identify perpetrators Investigation started in 2009, 3 year time limit for prosecution expired in 2012 *http://www.met.police.uk/pceu/ + http://thinkprogress.org/climate/2012/07/19/546131/uk-police-cease-botched-investigation-into-stolen-uea-climate-scientists-emails/
Questions?