
Number of slides: 33
Legal Liability and Security Incident Investigation
Jennifer Stisa Granick, Esq.
Exec. Director, Center for Internet & Society
Stanford Law School, Stanford, California USA
http://cyberlaw.stanford.edu
Black Hat Briefings 2004
Intrusion Investigation Tools
• Social Engineering
• Wiretap / Sniffing
• Wireless
• Stored Communications
• Keystroke Logging
• Port Scanning
Intrusion Investigation Tools, con't
• Vulnerability Scanning
• Remote Access
• Trojan Horse Programs
• Ping, whois, traceroute, finger, googling
• Web Beacons
• Strike-Back or "Active Defense" Technology
Possible Legal Liability/Obstacles
• Fourth Amendment
• Fraud
• Illegal Interception of/Access to Data
• Computer Crime Laws: Unauthorized Access
• Possessing Illegal Tools/Devices
Fourth Amendment
• Protects against unreasonable search and seizure
• Constrains government and government agents
Social Engineering
If you have some idea of who attacked your system, or where evidence might be, can you pretend to be someone else to get information (user IDs, passwords, etc.) to use in your investigation?
Fraud
Does fraud apply to social engineering?
• Misrepresentation
• Fraudulent purpose: "to deprive another of the intangible right of honest services, money, etc."?
Sniffing Can you monitor in real time your own system, the suspected intruder’s system, or the system of a third party to get more information about the attack?
Illegal Interception Issues
• Monitoring by:
– Intelligence Agency or Law Enforcement
– Service Provider, Business, Employer
– Other
• Content of Communications vs. Transactional or Traffic Information
• Real Time vs. In Storage
• Rights of Third Parties
Wiretapping/Sniffing
General Rule: No interception (acquisition) of the CONTENTS of communications in transit.
– No eavesdropping/sniffing
– No using or disclosing intercepted communications
Exceptions to Rule Against Interception
• Warrant
• Computer Trespasser Exception
• Consent of a Party to the Communication Exception
• Provider Exception (System Protection)
• Readily accessible to general public
Wiretap Warrant
• DOJ Approval
• Federal Judge
• Warrant / Probable Cause
• Predicate Offense
• Necessity / No Other Means
• Minimization
• 30-day authorization
Computer Trespasser Exception
Government may monitor a "trespasser" if:
• No contractual relationship or authority to be on the computer
• Provider authorized the interception
• Government does the monitoring
• Only communications to and from the trespasser are intercepted, and
• Reasonable grounds to believe the information is relevant to an ongoing (legitimate) investigation
Party/Consent Exception
A party to a communication can intercept, or give consent to intercept
– Warning Banners: All activity subject to monitoring
– Terms of Service
Service Provider Exception
• Provider may monitor to protect its rights or property
• May intercept communications if inherently necessary to providing the service
• Scope of exception undefined
Accessible to the Public
• 18 U.S.C. § 2511(2)(g)(i): It shall not be unlawful under this chapter or chapter 121 of this title for any person "to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public"
• Are open wireless access points accessible to the general public?
Can You Do Real-Time Traffic Analysis?
General prohibition
• Law enforcement needs a pen register / trap and trace order
• Service provider needs one of:
– Relating to operation of the service
– Protection of rights or property of the provider
– To record the fact of completion
– Consent of the user
Reviewing Stored Files or Logs Can you search documents the intruder placed on your system? On an intermediary system? On his/her own system?
Accessing Stored Communications
General Prohibition: Illegal to access stored communications without, or in excess of, authorization
Provider's Right to Review
• Any provider may freely read stored email/files of its customers
– Not unauthorized access to the system
• A non-public provider may also freely disclose that information
– for example, an employer
Accessing Stored Subscriber Info
Provider may access and disclose non-content records to anyone except a governmental entity
• Exceptions (disclosure to government permitted):
– to protect provider's rights/property
– threat of death/serious bodily injury
– appropriate legal process
– consent of subscriber
Accessing Other Computer Systems Can you disable a system that is sending you malicious code? Can you install monitoring programs on another system? Can you gain remote access to that system to search it?
Computer Fraud and Abuse Act (18 USC 1030)
• Unauthorized access that causes damage to a protected computer, where the damage is:
– loss of at least $5,000 in value
– modification or impairment of medical data (examination, diagnosis, treatment or care)
– physical injury to any person
– a threat to public health or safety
– damage to a computer system used in furtherance of the administration of justice, national defense, or national security
Things That Courts Have Held to Be Unauthorized Access/Trespass
• SPAM
• Domain name search robots
• Internet auction information spiders
• Travel agent price aggregators
• "Cookies"
• Port scanning?
Port Scanning
• Metaphors
– Jiggling doorknobs
– Looking at the house
• Moulton v. VC3 (N.D. Ga. 2000): Not unauthorized access under 18 USC 1030; no damage
• Attempt?
Trojan Horse
• 18 USC 1030(a)(5)(A)(i): knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer
Strike Back
• Unauthorized Access/Transmission
• Defense of self/others?
• Justification/Necessity?
Possible to Get in Trouble for Network Analysis Tools?
• Council of Europe Convention on Cybercrime: Article 6
• France: LEN (loi pour la confiance dans l'économie numérique)
• US: DMCA
COE Article 6
• Criminalizes the production, sale, procurement for use, import, or distribution of a device or program designed or adapted primarily for the purpose of committing unauthorized access or data interception, and possession of such a device with criminal intent
• No criminal liability if not for the purpose of committing an offence, such as for the authorized testing or protection of a computer system
France: loi pour la confiance dans l'économie numérique (Law for Confidence in the Digital Economy)
• Art. 323-3-1: The act, without legitimate reason, of importing, possessing, offering, transferring or making available equipment, an instrument, a computer program or any data designed or specially adapted to commit one or more of the offences provided for in articles 323-1 to 323-3 is punishable by the penalties provided for the offence itself or for the most severely punished offence.
• "Sans motif légitime" (without legitimate reason): burden is on the possessor to prove a legitimate motive
US: DMCA
• Prohibits circumvention of a technological measure that effectively controls access to a copyrighted work
• Prohibits manufacturing and distribution of any technology (tools) that is:
– Primarily designed for the purpose of circumventing access controls
– Of limited commercially significant purpose other than circumvention, OR
– Marketed for use in circumvention
Talk to a Lawyer Before
• Lying to get account information
• Intercepting communications
• Doing real-time traffic analysis
• Accessing, installing code on, or disabling other people's systems
Jennifer Stisa Granick, Esq.
Center for Internet & Society
Stanford Law School
559 Nathan Abbott Way
Stanford, California 94305 USA
+1 (650) 724-0014
Jennifer@law.stanford.edu