Jennifer Stisa Granick, Esq. Exec. Director, Center for Internet & Society Stanford Law School...

Post on 28-Mar-2015


Jennifer Stisa Granick, Esq., Exec. Director, Center for Internet & Society

Stanford Law School, Stanford, California USA

http://cyberlaw.stanford.edu

Black Hat Briefings 2004

Legal Liability and Security Incident Investigation


Intrusion Investigation Tools

• Social Engineering
• Wiretap
• Sniffing Wireless
• Stored Communications
• Keystroke Logging
• Port Scanning

Intrusion Investigation Tools, cont'd

• Vulnerability Scanning
• Remote Access
• Trojan Horse Programs
• Ping, whois, traceroute, finger, googling
• Web Beacons
• Strike-Back or “Active Defense”

Technology

Possible Legal Liability/Obstacles

• Fourth Amendment
• Fraud
• Illegal Interception of/Access to Data
• Computer Crime Laws: Unauthorized Access
• Possessing Illegal Tools/Devices

Fourth Amendment

• Protects against unreasonable search and seizure
• Constrains government and gov’t agents

Social Engineering

If you have some idea of who attacked your system, or where evidence might be, can you pretend to be someone else to get information (user ids, passwords, etc.) to use in your investigation?

Fraud

Applies to social engineering?

• Misrepresentation
• Fraudulent purpose: “to deprive another of the intangible right of honest services, money, etc.”?

Sniffing

Can you monitor in real time your own system, the suspected intruder’s system, or the system of a third party to get more information about the attack?

Illegal Interception Issues

• Monitoring by:
– Intelligence Agency or Law Enforcement
– Service Provider, Business, Employer
– Other
• Content of Communications vs. Transactional or Traffic Information
• Real Time vs. In Storage
• Rights of Third Parties

Wiretapping/Sniffing

General Rule: No interception (acquisition) of the CONTENTS of communications in transit.
– No eavesdropping/sniffing
– No using or disclosing intercepted communications

Exceptions to Rule Against Interception

• Warrant
• Computer Trespasser Exception
• Consent of a Party to the Communication Exception
• Provider Exception (System Protection)
• Readily accessible to general public

Wiretap Warrant

• DOJ Approval
• Federal Judge
• Warrant/Prob. Cause
• Predicate Offense
• Necessity/No Other Means
• Minimization
• 30 day authorization

Computer Trespasser Exception

Government may monitor “trespasser” if:
• No contractual relationship or authority to be on computer
• Provider authorized interception
• Government does the monitoring
• Only communications to and from trespasser intercepted, and
• Reasonable grounds to believe info is relevant to an ongoing (legitimate) investigation

Party/Consent Exception

Party to a communication can intercept or give consent to intercept
– Warning Banners: All activity subject to monitoring
– Terms of Service

Service Provider Exception

• Provider May Monitor to Protect Its Rights or Property

• May intercept communications if inherently necessary to providing the service

• Scope of exception undefined

Accessible to the Public

• 2511(2)(g)(i): It shall not be unlawful under this chapter or chapter 121 of this title for any person - “to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public”

• Are open wireless access points accessible to the general public?

Can You Do RT Traffic Analysis?

General prohibition
• LE needs a pen/trap and trace order
• Service provider need:
– Relating to operation of service
– Protection of rights or property of provider
– To record fact of completion
• Consent of user

Reviewing Stored Files or Logs

Can you search documents the intruder placed on your system? On an intermediary system? On his/her own system?

Accessing Stored Communications

General Prohibition: Illegal to access stored communications without or in excess of authorization

Provider’s Right to Review

• Any provider may freely read stored email/files of its customers
– Not unauthorized access to the system
• A non-public provider may also freely disclose that information
– for example, an employer

Accessing Stored Subscriber Info

Provider may access and disclose non-content records to anyone except a governmental entity

• Exceptions
– to protect provider’s rights/property
– threat of death/serious bodily injury
– appropriate legal process
– consent of subscriber

Accessing Other Computer Systems

Can you disable a system that is sending you malicious code? Can you install monitoring programs on another system? Can you gain remote access to that system to search it?

Computer Fraud and Abuse Act (18 USC 1030)

• Unauthorized access that causes damage to protected computer
– loss > $5,000 in value
– modification or impairment of medical data
– physical injury to any person
– a threat to public health or safety
– damage to computer system used in furtherance of the administration of justice, national defense, or national security

Things That Are Unauthorized Access/Trespass

• SPAM
• Domain name search robots
• Internet auction information spiders
• Travel agent price aggregators
• “Cookies”
• Port scanning?

Port Scanning

• Metaphors
– Jiggling Doorknobs
– Looking at the house

• Moulton v. VC3: Not unauthorized access under 18 USC 1030, no damage

• Attempt?

Trojan Horse

• 18 USC 1030(a)(5)(A)(i): knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer

Strike Back

• Unauthorized Access/Transmission
• Defense of self/others?
• Justification/Necessity?

Possible to Get in Trouble for Net. Analysis Tools?

• COE: Article 6

• France: LEN

• US: DMCA

COE Article 6

• Criminalizes the production, sale, procurement for use, import, distribution of a device or program designed or adapted primarily for the purpose of committing unauthorized access or data intercept, and possession with criminal intent of such a device.

• No criminal liability if not for the purpose of committing an offence, such as for the authorized testing or protection of a computer system

France: loi pour la confiance dans l'économie numérique

• Art. 323-3-1. - Importing, possessing, offering, transferring or making available, without legitimate reason (« sans motif légitime »), equipment, an instrument, a computer program or any data designed or specially adapted to commit one or more of the offences provided for in Articles 323-1 to 323-3 is punishable by the penalties provided respectively for the offence itself or for the most severely punished offence.

• “Sans motif légitime”: Burden on possessor to prove legitimate motive

US: DMCA

• Prohibits Circumvention of Technological Measure that Effectively Controls Access to a Copyrighted Work

• Prohibits Manufacturing and Distribution of Any Technology (Tools)
– Primarily Designed for the Purpose of Circumventing Access Controls
– Limited Commercially Significant Purpose
OR
– Marketed for Use in Circumvention

Talk to a Lawyer Before

• Lying to get account information
• Intercepting communications
• Doing real time traffic analysis
• Accessing, installing code on or disabling other people’s systems

Jennifer Stisa Granick, Esq. Center for Internet & Society

Stanford Law School

559 Nathan Abbott Way, Stanford, California 94305 USA

+1 (650) 724-0014, Jennifer@law.stanford.edu