<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://www.kmafrica.com" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>forensic ICT</title>
 <link>http://www.kmafrica.com/taxonomy/term/1218</link>
 <description>The taxonomy view with a depth of 0.</description>
 <language>en</language>
<item>
 <title>Likely targets of ICT-criminals</title>
 <link>http://www.kmafrica.com/group.forensicICT.likely.targets.of.ICT-criminals</link>
 <description>&lt;p&gt;The focus of this section is on the likely targets of computer criminals. The particular criminals centred on are professional computer criminals, because their activities are by far the most difficult to investigate. As has been mentioned before, they use highly sophisticated technology and they go out of their way to cover and conceal their tracks. They are usually aware of a possible investigation and will often use staging to misdirect its course. In countries where these offences are rampant, many investigators have been sent on wild goose chases as a result of this staging. However, just as in any other investigation, there is never a completely organised crime, hence there will always be leads that a seasoned investigator can pick up and follow.&lt;/p&gt;
&lt;p&gt;In this section we examine probable motive as a criminalistic guide to ‘mens rea’ (guilty mind), a legal necessity for there to be a crime. Further in this chapter we discuss the probable motives that should be investigated when certain key institutions are hit. Note that the institutions listed are not an exhaustive catalogue of the probable targets of hackers; they only set examples from which investigators can infer motive when other installations are hit.&lt;/p&gt;
&lt;p&gt;The following motives should be considered for investigation:&lt;/p&gt;
&lt;h2&gt;MISCHIEF;&lt;/h2&gt;
&lt;p&gt;A growing number of computer experts, especially young ones, find a degree of psychological arousal in breaking into secured systems. After they break into systems they do nothing harmful. These people trespass into systems and are only mischievous.&lt;br /&gt;
Others write viruses and spread them among systems. They do not stand to gain anything; they only want to test the work of their genius. They commit the offence of software vandalism out of sheer mischief as a motive.&lt;/p&gt;
&lt;h2&gt;ENTERPRISE;&lt;/h2&gt;
&lt;p&gt;By far the most common motive of computer crime is profit. People break into systems for what they can get out of them. The targets are usually business institutions that deal with especially large sums of money. Banks, insurance companies, financial institutions, stock brokerage firms, multinationals, hospitals and hotels are prime targets for this motive. It is envisioned that once the crime comes of age, the land registry, the examination council, the tax authority and pension schemes shall be amongst the targets of enterprise criminals.&lt;/p&gt;
&lt;h2&gt;CONCEALMENT;&lt;/h2&gt;
&lt;p&gt;People under investigation may try to conceal evidence or even cover up their dirty dealings. Consider a case of a land dispute between two persons. One may hack into the land registry records to alter them in his favour. (Whereas Kenyan land registry records are almost entirely manual, there is an increasing trend towards computerisation, hence such will be the cases of the future.) This is not an argument against computerisation, for even in the manual system files have been known to disappear. This kind of motive can target virtually all sectors of the economy, including financial institutions, government records, the criminal records office, pension fund administrators etc.&lt;/p&gt;
&lt;h2&gt;ESPIONAGE/ NETSPIONAGE&lt;/h2&gt;
&lt;p&gt;Businesses in competition may often seek to get an edge (advantage) over their competition. Breaking into their databases may just offer the required impetus to gain the said advantage. Moreover, by breaking into the competitor’s system, a company may alter records, hence creating problems. For example, if goods of a certain amount were due to be delivered to a client, one can change the data so that less or more than the transaction amount is actually delivered. Whichever is the case, the company gets a big problem. Consider where this is done to over a hundred clients: the company can suffer immeasurable damage.&lt;/p&gt;
&lt;p&gt;Where competitors with sabotage as a motive fail to hack into the competitor’s system, they may send viruses to disable their systems.&lt;/p&gt;
&lt;p&gt;Netspionage is a word used in the computer world to mean espionage on the net. Competitors will keep trying to steal information from their rivals using all means: viruses, hacking and spyware (industrial espionage). The motive is sabotage as above. Countries also engage in netspionage to sabotage each other or to spy on each other’s installations, especially military ones (international espionage).&lt;/p&gt;
&lt;div class=&quot;og_rss_groups&quot;&gt;&lt;ul class=&quot;links&quot;&gt;&lt;li  class=&quot;first last og_links&quot;&gt;&lt;a href=&quot;/og.forensicICT&quot; class=&quot;og_links&quot;&gt;AICCIFL - African ICT Criminal Intelligence, Forensics and Litigation SIG&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
 <comments>http://www.kmafrica.com/group.forensicICT.likely.targets.of.ICT-criminals#comments</comments>
 <enclosure url="http://www.kmafrica.com/image/view/218/preview" length="15788" type="image/jpeg" />
 <group domain="http://www.kmafrica.com/og.forensicICT" xmlns="http://drupal.org/project/og">AICCIFL - African ICT Criminal Intelligence, Forensics and Litigation SIG</group>
 <category domain="http://www.kmafrica.com/taxonomy/term/1218">forensic ICT</category>
 <pubDate>Tue, 08 Dec 2009 01:51:40 -0700</pubDate>
 <dc:creator>Kelmen</dc:creator>
 <guid isPermaLink="false">4239 at http://www.kmafrica.com</guid>
</item>
<item>
 <title>ICT crime investigation personnel</title>
 <link>http://www.kmafrica.com/group.forensicICT.ICT.crime.investigation.personnel</link>
 <description>&lt;p&gt;This section documents the basic minimum of personnel required for an ICT-crime investigation unit to function effectively. The modern approach to investigation emphasises teamwork; gone are the days when an inspector ‘Derrick’ or ‘Sherlock Holmes’ would seem to anticipate everything a criminal does and, like an onion, layer by layer unravel the crime, exposing the criminal and the criminal acts to bare nakedness.&lt;/p&gt;
&lt;p&gt;Today the concept of teamwork has gained more prominence as yielding better results. This is so because teamwork benefits from the various expertise available or necessary for the eventual solution of the crime. Hence, depending on the nature of a crime, a team of the necessary experts is put together under a specialised investigator to carry out the investigation. Below we list some of the common experts necessary for any such investigation:&lt;/p&gt;
&lt;h2&gt;Investigating Officer;&lt;/h2&gt;
&lt;p&gt;The Investigating Officer is expected to have a good grasp of diverse subjects. An ICT-Crime Investigating Officer is especially expected to have a good grasp of Criminal Law, the Law of Evidence and Information Technology. In addition:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;He is the overall in-charge of the investigation,&lt;/li&gt;
&lt;li&gt;He co-ordinates all the investigative activities, including deploying experts to perform specific duties,&lt;/li&gt;
&lt;li&gt;Applies for search warrants from the Court,&lt;/li&gt;
&lt;li&gt;Ensures the proper chain of custody is established and maintained,&lt;/li&gt;
&lt;li&gt;Maintains the Single-Evidence Form,&lt;/li&gt;
&lt;li&gt;Ensures that necessary supplies and other logistical needs are available to the investigation team,&lt;/li&gt;
&lt;li&gt;He prepares the investigation report and submits it to the relevant authorities,&lt;/li&gt;
&lt;li&gt;Sometimes he appears in court to testify on matters pertaining to the investigation.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Computer Data Recovery Expert;&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Discovers all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.&lt;/li&gt;
&lt;li&gt;Duplicates and processes all recovered storage devices,&lt;/li&gt;
&lt;li&gt;Accesses (if possible and if legally appropriate) the contents of protected or encrypted files,&lt;/li&gt;
&lt;li&gt;Reveals (to the extent possible) the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system,&lt;/li&gt;
&lt;li&gt;Recovers all (or as much as possible) of the discovered deleted files,&lt;/li&gt;
&lt;li&gt;Traces the location and IP address of any remote hacker,&lt;/li&gt;
&lt;li&gt;Records all his activities at the crime scene,&lt;/li&gt;
&lt;li&gt;Prints out an overall analysis of the subject’s computer system, as well as a listing of all possibly relevant files and discovered file data. Further, provides an opinion of the system layout, the file structures discovered, any discovered data and authorship information, any attempts to hide, delete, protect or encrypt information, and anything else that has been discovered and appears to be relevant to the overall computer system examination,&lt;/li&gt;
&lt;li&gt;Reports to the Investigating Officer.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Crime Scene Documentation Officers;&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;One to do overview photography of how the crime scene was found,&lt;/li&gt;
&lt;li&gt;Look out for any attempt to use the computer by any user during the incident response process (the period of accessing and taking over the scene),&lt;/li&gt;
&lt;li&gt;Another to sketch the scene of crime, including highlighting where specifically the evidence was collected from, and to&lt;/li&gt;
&lt;li&gt;Keep a record of all physical evidential material recovered at the crime scene using a Multi-Evidence Form,&lt;/li&gt;
&lt;li&gt;Yet another to video record all the activities of all personnel at the crime scene,&lt;/li&gt;
&lt;li&gt;Reports to the Investigating Officer.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Crime Scene Security Officers;&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Systematically ensures all the security concerns are adhered to on arrival at the incident scene. That is, people are moved out of the scene (no one who is not part of the team should touch any computer device until the investigation is complete).&lt;/li&gt;
&lt;li&gt;Ensures that only the right personnel have access to the crime scene,&lt;/li&gt;
&lt;li&gt;Ensures that nobody leaves with evidential material unless that person is authorised to do so,&lt;/li&gt;
&lt;li&gt;Safeguards scene integrity when work has to continue to the following day (sometimes this may be as easy as closing the door),&lt;/li&gt;
&lt;li&gt;Keeps a crime scene log to document all who entered the scene, the reason for entry, and the time in and time out,&lt;/li&gt;
&lt;li&gt;Crime scene security means keeping out even senior personnel if they are not part of the investigation at the crime scene,&lt;/li&gt;
&lt;li&gt;Reports to the Investigating Officer.&lt;/li&gt;
&lt;/ul&gt;
</description>
 <comments>http://www.kmafrica.com/group.forensicICT.ICT.crime.investigation.personnel#comments</comments>
 <enclosure url="http://www.kmafrica.com/image/view/218/preview" length="15788" type="image/jpeg" />
 <group domain="http://www.kmafrica.com/og.forensicICT" xmlns="http://drupal.org/project/og">AICCIFL - African ICT Criminal Intelligence, Forensics and Litigation SIG</group>
 <category domain="http://www.kmafrica.com/taxonomy/term/1218">forensic ICT</category>
 <pubDate>Wed, 04 Nov 2009 05:46:43 -0700</pubDate>
 <dc:creator>Kelmen</dc:creator>
 <guid isPermaLink="false">3870 at http://www.kmafrica.com</guid>
</item>
<item>
 <title>General procedures of ICT crime investigation</title>
 <link>http://www.kmafrica.com/group.forensicICT.General.procedures.of.crime.investigation</link>
 <description>&lt;p&gt;Crime investigation is a scientific exercise that follows scientific procedures; each procedure is meticulously adhered to, since failure to follow a procedure could make the difference between solving the crime and not solving it. The procedure is what is called the ‘General Procedure of Crime Investigation’ in the title above, and it is chronologically listed below:&lt;br /&gt;
NB: The main way to know that a computer crime has been committed is if the person hit by the ICT-criminals reports it.&lt;/p&gt;
&lt;h2&gt;INVESTIGATION PLANNING;&lt;/h2&gt;
&lt;p&gt;The investigator should plan his work to enable him to conduct his investigations in an efficient and timely manner. The plan should be based on knowledge of the nature of the case one is investigating. It should be made, amongst other things, to cover:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Acquiring knowledge on the victim (Victimology),&lt;/li&gt;
&lt;li&gt;Establishing the vulnerability of the available security system,&lt;/li&gt;
&lt;li&gt;Crime scene processing,&lt;/li&gt;
&lt;li&gt;Evaluation of scene evidence,&lt;/li&gt;
&lt;li&gt;Crime classification,&lt;/li&gt;
&lt;li&gt;Profiling the offender,&lt;/li&gt;
&lt;li&gt;Crime mapping,&lt;/li&gt;
&lt;li&gt;Investigative consideration,&lt;/li&gt;
&lt;li&gt;Performing investigation tests,&lt;/li&gt;
&lt;li&gt;Analysing the results,&lt;/li&gt;
&lt;li&gt;Reporting the results / surrendering the case to the prosecutor.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Planning should be a continuous process throughout the engagement. The investigation plan should be written with time and event schedules where possible. At the soonest possible point, the investigator needs to identify the resources required to carry out the investigation. Any restrictions on the investigation also need to be written down, e.g. inability to obtain sufficient evidence for any reason such as lack of resources or lack of sufficient time.&lt;/p&gt;
&lt;h3&gt;VICTIMOLOGY&lt;/h3&gt;
&lt;p&gt;The study of the victims: an examination of every facet of their lifestyle, background, health, economic status and physical characteristics. It is hoped that through an in-depth examination of the victim, we may know the perpetrator a little better. Victimology is important in the overall investigative process because it not only tells us who the victims were, their health, personal history, social habits (hobbies) and personality, but also provides ideas as to why they were chosen as victims. In many situations the offender will hold back from choosing a victim until one that meets his needs comes along, possibly leading to a successful arrest. In our case the victim considered is the victim of ICT-crimes. Specific questions asked therefore include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;What groups of individuals or organisations are in danger of becoming victims of computer crimes?&lt;/li&gt;
&lt;li&gt;What makes the specific victim a target?&lt;/li&gt;
&lt;li&gt;What makes the victim vulnerable?&lt;/li&gt;
&lt;li&gt;Is the victim a victim of choice or a victim of opportunity?&lt;/li&gt;
&lt;li&gt;Who really is the victim?&lt;/li&gt;
&lt;li&gt;What does the victim do (professionally &amp;amp; as a hobby)?&lt;/li&gt;
&lt;li&gt;How many people has the victim completely opened up to, and who therefore know him very well?&lt;/li&gt;
&lt;li&gt;Are administrators competent? Friendly or authoritarian? Do they have exploitable personal weaknesses? Can they be bullied, seduced or side-stepped?&lt;/li&gt;
&lt;li&gt;Is the culture of the organisation security literate?&lt;/li&gt;
&lt;li&gt;Does the victim have any known enemies/rivals?&lt;/li&gt;
&lt;li&gt;Does the victim have any known friends? Etc.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Victimology, as has been said above, is concerned with the objective study of the social and psychological characteristics of (in our case) the individuals/organisations who have become victims of ICT-crimes.&lt;/p&gt;
&lt;h3&gt;CRIME CLASSIFICATION&lt;/h3&gt;
&lt;p&gt;Crime classification will guide the investigator to know the kind of criminals he is dealing with, so that he can acquire the necessary resources to handle the investigation appropriately. At this stage he is expected to answer questions such as:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;What crime was committed: is it card forgery, ATM fraud, money laundering etc.?&lt;/li&gt;
&lt;li&gt;Does the crime scene reflect a methodical and organised criminal, or&lt;/li&gt;
&lt;li&gt;Does it reflect a disorganised one who made no effort to conceal his tracks?&lt;/li&gt;
&lt;li&gt;Was ICT the primary crime, or was it just a vehicle upon which other crimes may be marketed or committed, e.g. child pornography, violation of copyright laws?&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;FORENSIC PROCEDURES &amp;amp; FORENSIC FINDINGS&lt;/h2&gt;
&lt;p&gt;Gathering appropriate evidence for criminal prosecution is the science of ‘ICT criminalistics’, ‘cyber-forensics’, ‘forensic computing’ or ‘digital forensics’, and it can be quite a complex issue. This is because of the transient and intangible data that one often deals with, more so in a network environment. Networks often pose a problem of identity, for example that of connecting a virtual person to a real-life person. Moreover, the stickiness of data poses an integrity problem. This is to say that sometimes data that is not necessarily yours in origin, or even data that you do not know about, can be found in your possession. Moreover, this data can be easily interfered with or modified and therefore poses a major investigative challenge. In this stage of the investigation, the investigator has processed the crime scene and identified the evidence left behind that may link the perpetrator to the crime scene and particularly to the crime itself. Sometimes the findings may inform the investigators of how exactly the crime was perpetrated. This evidence is collected, collated and stored for the purpose of presentation before a court of law.&lt;/p&gt;
&lt;p&gt;Unlike in other criminal activities, the focus of the investigator is not necessarily trace evidence but rather data. This is not to say that trace evidence does not have a place in ICT-crime investigation, but rather that it is not the main evidence sought. It is important for the investigator to be able to reconstruct the crime from the moment of conceptualisation to the completion of the crime. To do this the investigator must develop an accurate story from the forensic findings and fill up the gaps with what we have called above investigative consideration. Below we discuss procedures which, if adhered to, will ensure the best chance of evidence being recovered in an uncontaminated manner and therefore being acceptable before a court of law.&lt;/p&gt;
&lt;p&gt;A Single-Evidence Form helps the investigator in recording the forensic findings systematically. It dedicates a page to each item retrieved for a case. It allows the investigator to record what was done to the evidence each time it was taken from the storage locker. It is also necessary to keep a Multi-Evidence Form, which is basically a form that summarises the details of all the Single-Evidence Forms related to the said case.&lt;/p&gt;
&lt;p&gt;Unlike other crimes, ICT-crimes offer the following specific challenges:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Difficulty in locating the place of crime,&lt;/li&gt;
&lt;li&gt;Weak links between chains in an evidence system,&lt;/li&gt;
&lt;li&gt;Impossibility of watching and fixing evidence visually,&lt;/li&gt;
&lt;li&gt;Wide usage of coded information by criminals.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The procedure for digital forensics involves a number of stages: (i) identifying what data may be available and where it may be found; (ii) preserving such data in a way that minimises interference; (iii) collating such data for intelligence and evidential purposes; (iv) presentation of the data in a court of law. The following key issues should be considered as standard forensic procedures when processing a computer crime scene, including investigative considerations to be followed up on:&lt;/p&gt;
&lt;h3&gt;Victims Premises:&lt;/h3&gt;
&lt;p&gt;The investigator must obtain authorisation from the authorities: from those who have commissioned the investigation in the case of a private case, and from a magistrate in case it is a case of public interest.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;First secure the crime scene.&lt;/li&gt;
&lt;li&gt;Move people away from computers and the power supply.&lt;/li&gt;
&lt;li&gt;Remove the battery from laptops and palmtops that are switched off.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Note that you will need a search warrant before you can be allowed to process a suspect’s computer at home or any other place. This is an important issue, because without authorisation, evidence gathered may not be accepted at trial as legitimately collected. The rule of the law of evidence states that evidence collected illegally is not acceptable in the courts of law. (More about search warrants is discussed ahead.)&lt;/p&gt;
&lt;p&gt;Always record all your activities at the home or any other place. Anything which may be related to the case should be fully recorded, for instance location, time, date, serial number, etc.&lt;/p&gt;
&lt;p&gt;The stolen data must be found in the suspect’s computer.&lt;/p&gt;
&lt;p&gt;Process all storage equipment such as the PC’s hard drive and diskettes using hard-line analysers to restore deleted information. Software examples include Easy Restore utilities, Acronis Recovery Expert, PC Inspector and Easy Recovery Professional at the forensic laboratory.&lt;/p&gt;
&lt;h3&gt;Analysis of Evidence&lt;/h3&gt;
&lt;p&gt;All collected evidence must be analysed to extract the evidence that answers the “who, when, why and how” questions. The main challenge in this process is to check and run unknown programs and unknown files to find out what the result is. NB: Emptying the recycle bin is no longer a safe option for discarding information, because it is now possible to retrieve a document that has been overwritten up to seven times.&lt;/p&gt;
&lt;h2&gt;INVESTIGATIVE CONSIDERATIONS;&lt;/h2&gt;
&lt;p&gt;Investigators need to be aware of all the probable causes of the crime, that is fraudulent intent, negligence, abuse of power, sabotage, terror etcetera. It is necessary to discover the IP address of the originator of the criminal action. An IP address is a unique number which identifies the relevant resource, i.e. PC, mobile phone etc. The address is then linked logically to the originator’s domain name, e.g. &lt;a href=&quot;mailto:xxxx@swiftkenya.or.ke&quot;&gt;xxxx@swiftkenya.or.ke&lt;/a&gt;. Whereas the IP address is unique, the persons using it usually vary, e.g. in a cyber-café. Sometimes a suspect has been identified positively, but there is insufficient evidence to sustain a conviction. In such cases, surveillance must be undertaken, especially to monitor the suspect’s activities in and around ICT systems. Video recording his activities as well as recording his computer time using the necessary software shall be required.&lt;br /&gt;
Moreover, investigative consideration will seek to find answers to the following questions:&lt;/p&gt;
&lt;p&gt;What risk did the offender take in perpetrating the crime?&lt;br /&gt;
What security system was in place?&lt;br /&gt;
How many people are privy to the passwords?&lt;br /&gt;
How often are passwords changed?&lt;br /&gt;
Does the organisation have an IT security policy? (What are its provisions?)&lt;br /&gt;
For all suspects, note any irregular increase in bank account deposits.&lt;br /&gt;
Investigate the registration of new companies by suspects.&lt;br /&gt;
Further, look into increases in share capital in companies associated with the suspect.&lt;br /&gt;
Note irregular spending habits amongst suspects.&lt;/p&gt;
&lt;p&gt;Get the history of whom the suspect has been communicating with on the phone, i.e. SMS and actual calls, from the relevant CSP.&lt;br /&gt;
Carry out a background check on all people in communication with the suspect. (This information can be found from telephone service providers; it is the policy of the government of Kenya that it “…will create Statutory obligations of telecommunications Service providers to assist law enforcement in executing legal intercept pursuant to the security needs of the country”, pg 34 of the National Information &amp;amp; Communications Technology (ICT) Policy, by the Ministry of Information &amp;amp; Communication, January 2006.)&lt;br /&gt;
Especially in cases falling in the class of professional ICT-crimes, investigate the possibility of cultic activities and Satanism.&lt;br /&gt;
All these questions have some investigative value because their answers are admissible in a court of law as facts forming part of the same transaction, especially when they seem to incriminate a person suspected to have participated in the said crime. Moreover, they can serve as a finger to point out a suspect.&lt;/p&gt;
&lt;h2&gt;SEARCH WARRANT CONSIDERATION&lt;/h2&gt;
&lt;p&gt;Once a suspect or suspects have been identified, investigators would need a search warrant to further build their case against a suspect. There are many storage devices that may be encountered during the search and may be valuable sources of evidence if handled in an acceptable manner, so as not to compromise evidence acceptability. It is important to remember that an investigation must satisfy the legal standard, i.e. proving the accused guilty beyond a reasonable doubt. For this reason the stolen data as well as the stealing material must be found in the possession of the suspect. Hence some of the places the investigator must obtain a search warrant for include the following:&lt;/p&gt;
&lt;p&gt;The suspect’s office, house or both. The focus will be to find information on the victim, if any, or information that could show design or the suspect’s plans; this will help in proving intention and motive.&lt;/p&gt;
&lt;p&gt;The crime scene is the whole house; storage devices such as diskettes should be collected and processed. It should be remembered that the litter bin could actually contain the material that is being sought.&lt;/p&gt;
&lt;p&gt;Consider the PC, if any, as another crime scene.&lt;/p&gt;
&lt;p&gt;Any information found in the possession of the suspect goes to link the suspect to the crime.&lt;/p&gt;
&lt;h2&gt;Reporting and Presentation after Analysis at the Computer Forensic Laboratory&lt;/h2&gt;
&lt;p&gt;Reporting and presentation is the stage at which the conclusions and corresponding evidence from the investigation are put before an authority, which they need to convince. The following documentation must be presented to the authority:&lt;/p&gt;
&lt;p&gt;Document the entire seizure of the evidence and the chain of custody, document all the gathered evidence, and document what was examined and what the result was.&lt;/p&gt;
&lt;p&gt;The Data Recovery specialist will take several careful steps to identify and attempt to retrieve possible data that may exist on a subject computer system:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Protects the subject computer system during the recovery examination from any possible alteration, damage, data corruption, or virus introduction.&lt;/li&gt;
&lt;li&gt;Discovers all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.&lt;/li&gt;
&lt;li&gt;Recovers all (or as much as possible) of the discovered deleted files.&lt;/li&gt;
&lt;li&gt;Reveals (to the extent possible) the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system.&lt;/li&gt;
&lt;li&gt;Accesses (if possible and if legally appropriate) the contents of protected or encrypted files.&lt;/li&gt;
&lt;li&gt;Analyses all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes but is not limited to what is called &#039;unallocated&#039; space on a disk (currently unused, but possibly the repository of previous data that is relevant evidence), as well as &#039;slack&#039; space in a file (the remnant area at the end of a file, in the last assigned disk cluster, that is unused by current file data, but once again may be a possible site for previously created and relevant evidence).&lt;/li&gt;
&lt;li&gt;Prints out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data. Further, provides an opinion of the system layout, the file structures discovered, any discovered data and authorship information, any attempts to hide, delete, protect or encrypt information, and anything else that has been discovered and appears to be relevant to the overall computer system examination.&lt;/li&gt;
&lt;/ol&gt;
</description>
 <comments>http://www.kmafrica.com/group.forensicICT.General.procedures.of.crime.investigation#comments</comments>
 <enclosure url="http://www.kmafrica.com/image/view/218/preview" length="15788" type="image/jpeg" />
 <group domain="http://www.kmafrica.com/og.forensicICT" xmlns="http://drupal.org/project/og">AICCIFL - African ICT Criminal Intelligence, Forensics and Litigation SIG</group>
 <category domain="http://www.kmafrica.com/taxonomy/term/1218">forensic ICT</category>
 <pubDate>Wed, 04 Nov 2009 01:07:30 -0700</pubDate>
 <dc:creator>Kelmen</dc:creator>
 <guid isPermaLink="false">3865 at http://www.kmafrica.com</guid>
</item>
<item>
 <title>ICT crime classification</title>
 <link>http://www.kmafrica.com/group.forensicICT.ICT.crime.classification</link>
 <description>&lt;p&gt;Crime classification is a very important step in every investigation; G. Mutusovskly says that “constant development of criminalistical characteristic of crimes is explained by the necessity of improving methods of their detection on the base of getting to know the nature of the criminal action itself, its mechanism, ways regularities of the inquiry process, and peculiarities of reflected evidences.”&lt;/p&gt;
&lt;p&gt;Success in investigating any crime mostly depends on an investigator’s ability to understand not only the criminal-legal nature but also the criminalistical nature of the committed crime, which exists only under definite conditions. He should know the typical criminalistic evidences of different crimes and be capable of revealing the necessary criminalistical characteristic of a corresponding crime.&lt;br /&gt;
The trial-psychological characteristic reflects the most substantial psychological data on criminals and victims, typical groups of witnesses as to separate kinds of crimes, and so on.&lt;/p&gt;
&lt;p&gt;Different characteristics are used together in the practical activity of crime investigation, each of which aims at making the investigation more effective and establishing the truth in a case.&lt;/p&gt;
&lt;p&gt;Not enough research has been done on computer crime classification; however, current research gives us three broad classifications:&lt;/p&gt;
&lt;h2&gt;CRIME OF MISCHIEF:&lt;/h2&gt;
&lt;p&gt;People who partake in this kind of criminal activity are usually young and curious, mostly in their late teens and early twenties. They have developed competence and skills in computers and engage in breaking into computer security systems for a thrill, i.e. they get psychological arousal from successfully breaking into computer security systems. These people are generally called crackers and not hackers. Research confirms that, notwithstanding their competence in computers, they usually succeed in breaking into secured systems by chance. Though they serve to identify flaws in systems, they are criminals by virtue of the fact that they enter secured systems without authority. In more advanced countries, such young people who do not have criminal motives in their activities are usually considered by security managers and law enforcement agencies for employment. There is, however, a class of mischief criminals who design and spread viruses to mess up software for ‘kicks’. They get psychological stimulation out of success in it. Their crime is software vandalism. Amid relentless progress in urbanisation and the information society, more and more people are losing contact with the community and are harbouring amorphous hatred in isolation and alienation; perhaps that is why they engage in these crimes. Often offenders show no remorse for their crimes and even boast of their accomplishments.&lt;/p&gt;
&lt;h2&gt;ICT-OCCUPATIONAL CRIMES:&lt;/h2&gt;
&lt;p&gt;Persons who engage in this form of crime violate the criminal law in the course of their occupational activities and do not conceive of themselves as criminals but rather as respectable citizens.&lt;/p&gt;
&lt;p&gt;They are generally employees and hence have the technical know-how, access and opportunity to carry out most of what is considered criminal. Insiders have perpetrated a great deal of criminal activity. Their most common targets and activities include breaking into credit facilities and information databases, espionage, piracy of software and programmes, and even subscribing to and downloading child pornographic material.&lt;/p&gt;
&lt;p&gt;Contracted outsiders such as suppliers and computer systems engineers can gain access to computer systems and networks, and may enter and steal information, alter databases or install viruses.&lt;/p&gt;
&lt;p&gt;Project managers, both in governmental organisations and in NGOs, will often embezzle money entrusted to them. They will attempt to alter computer records to cover up their activities. These cover-ups are not very sophisticated and, whenever suspicion arises, they are usually easy to investigate.&lt;/p&gt;
&lt;p&gt;Example: some unscrupulous professionals at stock brokerage firms manipulate equity markets in what is now known as the ‘pump and dump’ scheme. It is typified by the dissemination of false but positive information about a company’s stock. This usually causes a bandwagon effect (the pump) and the unsuspecting public rush in to buy the company’s shares at a time when the price is very high. The crooked professionals then sell their own shares (the dump) and make a fortune, while the share price falls back to its original level.&lt;/p&gt;
&lt;p&gt;Racketeering (the process of repeated, pervasive fraud or other crimes) also falls into this class.&lt;/p&gt;
&lt;h2&gt;PROFESSIONAL ICT-CRIMES:&lt;/h2&gt;
&lt;p&gt;People who engage in professional ICT-crimes are characterised by specialised skills with computers, ICT gizmos, gadgets and the like, and their activities are aimed either at economic gain or at extremist goals such as cyber-terrorism. Cyber-terrorism is the reflection in cyberspace of a threat against a country, usually in the form of the distribution of hate propaganda against the citizens of that country, the distribution of bomb-making technology, and attacks on systems that form part of a nation’s critical infrastructure. These individuals make crime their profession; criminal hackers fall into this class. One of the methods widely used by professional ICT-criminals for obtaining payment card details (requisites) for criminal structures is the creation of porno web sites. According to foreign special services, the Internet porno business is closely related to professional criminal groups specialising in plastic card fraud.&lt;/p&gt;
&lt;p&gt;Porno web sites are also used to launder stolen card details. For example, after visiting a porno site a card owner finds out, to his or her surprise, that he or she has subscribed to the service, that it will collect subscription fees monthly, and that it is quite problematic to cancel.&lt;/p&gt;
&lt;p&gt;Consider this other example, UP and ATM: though no case has been reported in Kenya, this type of activity has been repeated elsewhere in a far from innocuous fashion. Criminals have been known to build false fronts for automated teller machines at banks. These devices fit over the regular machines and are similar in appearance. The false front accepts cards, prompts for the holder’s Personal Identification Number (PIN), and then gives a message about some problem with a suggestion to contact the bank in the morning. After a few hours the crooks collect the device, remove the captured cards, read the stored PINs, and spend a few hours extracting as much cash as possible at legitimate bank machines using the cards and access codes collected.&lt;/p&gt;
&lt;p&gt;Professional ICT-criminals carry out ICT-crimes or use computers as a means of concealing other crimes (staging). Illegal groups such as the Skinheads, the Ku Klux Klan, the Al-Qaeda terrorist movement and other anti-social groups have found the internet a fertile ground for recruitment and for spreading their ideologies. Other crimes committed by these criminals include:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Card forgery;&lt;/li&gt;
&lt;li&gt;Money laundering;&lt;/li&gt;
&lt;li&gt;Lost or stolen card fraud;&lt;/li&gt;
&lt;li&gt;Multiple payments for services and goods;&lt;/li&gt;
&lt;li&gt;Post or phone order fraud;&lt;/li&gt;
&lt;li&gt;Repeated cash withdrawal;&lt;/li&gt;
&lt;li&gt;Slip fraud;&lt;/li&gt;
&lt;li&gt;ATM fraud;&lt;/li&gt;
&lt;li&gt;Skimming (connecting an electronic recorder to the POS terminal or ATM);&lt;/li&gt;
&lt;li&gt;Child pornography;&lt;/li&gt;
&lt;li&gt;Blackmail;&lt;/li&gt;
&lt;li&gt;Kidnapping and rape;&lt;/li&gt;
&lt;li&gt;Narcotics;&lt;/li&gt;
&lt;li&gt;Terrorism; &amp;amp;&lt;/li&gt;
&lt;li&gt;Hate crimes (neo-Nazis, KKK, etc.)&lt;/li&gt;
&lt;/ol&gt;
&lt;div class=&quot;og_rss_groups&quot;&gt;&lt;ul class=&quot;links&quot;&gt;&lt;li  class=&quot;first last og_links&quot;&gt;&lt;a href=&quot;/og.forensicICT&quot; class=&quot;og_links&quot;&gt;AICCIFL - African ICT Criminal Intelligence, Forensics and Litigation SIG&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
 <comments>http://www.kmafrica.com/group.forensicICT.ICT.crime.classification#comments</comments>
 <enclosure url="http://www.kmafrica.com/image/view/218/preview" length="15788" type="image/jpeg" />
 <group domain="http://www.kmafrica.com/og.forensicICT" xmlns="http://drupal.org/project/og">AICCIFL - African ICT Criminal Intelligence, Forensics and Litigation SIG</group>
 <category domain="http://www.kmafrica.com/taxonomy/term/1218">forensic ICT</category>
 <pubDate>Wed, 04 Nov 2009 00:59:20 -0700</pubDate>
 <dc:creator>Kelmen</dc:creator>
 <guid isPermaLink="false">3864 at http://www.kmafrica.com</guid>
</item>
<item>
 <title>Threats to ICT systems</title>
 <link>http://www.kmafrica.com/group.forensicICT.threats</link>
 <description>&lt;p&gt;Threats are things or conditions that pose a threat to secured data or programmes. Threats may include unauthorised modification, capture, and destruction or disclosure. Personal data are not the only vulnerable data. Confidential data on market strategies and product development must be kept from the eyes of competitors. Large sums of money transferred daily by electronic fund transfer must be kept against theft. The very high volume of  business information processed by computers today means that the rewards of  industrial espionage and fraud are of much higher magnitude than in the past and are increasing.&lt;/p&gt;
&lt;p&gt;Records must also be protected from threats such as accidents and natural disasters. For example a breakdown in air conditioning may cause some computers to overheat, resulting in loss of computer facilities. Fire, floods, hurricanes, and even heavy snowfall causing a roof to collapse can cause the destruction of data and valuable computers. Action taken to avert possible threats is called mitigation. Below we discuss two very common security threats:&lt;/p&gt;
&lt;h3&gt;VIRUSES AND MALWARE&lt;/h3&gt;
&lt;p&gt;Researchers have not agreed upon a final definition of a virus. A common definition, attributed to Fred Cohen, is “a programme that modifies other programmes to contain a possibly altered version of itself”. Another possible definition is an entity that uses the resources of the host (the computer system) to reproduce itself and spread without informed operator action.&lt;/p&gt;
&lt;p&gt;Malware is the general term for all forms of malicious or damaging software, including viral programmes, Trojan Horses, Logic Bombs and the like. It is generally taken to include so-called benign viruses that carry no intentionally damaging payload.&lt;/p&gt;
&lt;p&gt;Worms are programmes that usually spread across networks and do not attach themselves parasitically to another programme. However, they can be said to infect an operating system, a mail application or a network.&lt;/p&gt;
&lt;p&gt;By Trojan Horse (or Trojan, for short) we mean something that is probably not a virus or a worm, because it does not self-replicate: it moves from system to system only if someone is persuaded to move it directly, because it includes no programme-infection routine. Trojan Horses are often defined as “programmes that claim to do something useful or desirable, and may do so, but also perform actions which victims would not expect or want”. These actions may include payloads such as password stealing; some password-stealing Trojans use fake login screens while others use simple social engineering. Some anti-virus software detects these routinely, not only by signature recognition but also heuristically.&lt;/p&gt;
&lt;p&gt;A Logic Bomb is code pre-programmed into a larger programme that waits for some trigger event and then performs some very damaging function. Logic Bombs do not reproduce and so are not viral, but a virus may contain a Logic Bomb as a payload. Logic Bombs that trigger at a pre-programmed time are sometimes known as ‘Time Bombs’.&lt;/p&gt;
&lt;h2&gt;HACKING &amp;amp; CRACKING&lt;/h2&gt;
&lt;p&gt;A hacker was originally someone who had, or was on the way to acquiring, an unusual degree of skill in various aspects of computer use. Now the term is used almost exclusively to refer to computer vandals, people who break into systems, and so on; sometimes they are also called criminal hackers. The word cracker is often used as a synonym for hacker, though the two do not mean the same thing. The term is particularly associated with password ‘cracking’ (gaining unauthorised access by recovering passwords) and with crackers who copy protected programmes, allowing easy installation of illegal copies. Investigators hold crackers in disdain, for they pose no investigative challenge.&lt;/p&gt;
&lt;h2&gt;COMMON METHODS USED BY HACKERS&lt;/h2&gt;
&lt;h3&gt;SOCIAL ENGINEERING&lt;/h3&gt;
&lt;p&gt;It is widely used in hacking, yet poorly investigated. Social engineering attracts a wide range of definitions.&lt;/p&gt;
&lt;p&gt;The question is whether the accepted definitions meet the needs of those charged with addressing this class of threat. The term is originally derived from social science, but even there it seems to have shades of meaning. While most security managers and investigators still do not know what social engineering is, criminals are making use of psychology to subvert systems. Security officers and investigators should now begin to give considerable attention to this type of threat in training, conferences and articles. A common red flag of password stealing through social engineering is mail apparently sent by the systems administrator, yet asking for a password; many sites and internet service providers will tell you that system administrators never need your password. Some common definitions of social engineering include:&lt;/p&gt;
&lt;p&gt;“The skilful manipulation of a governed population by misinformation to produce a desired change.” ------ Keytel&lt;br /&gt;
“Psychological manipulation of an individual or set of individuals to produce a desired result.” ------ David Harley&lt;br /&gt;
“Deceptive practice that attempts to obtain information from people using social/business or technical discourse.” ------ SRI International&lt;br /&gt;
“The term used by crackers and samurai (hackers for hire) for techniques that target the weakness in wetware (people) rather than hardware or software.” ------ Jargon file&lt;br /&gt;
“Plain old con game.” ------ Robert Slade&lt;/p&gt;
&lt;h3&gt;SHOULDER SURFING&lt;/h3&gt;
&lt;p&gt;This usually means standing where you can watch somebody type in sensitive data such as passwords, user names, PINs, phone card numbers and so on. Even seeing what kind of hand-held authentication device employees use may be of some use to a hacker.&lt;/p&gt;
&lt;h3&gt;EAVESDROPPING AND SURVEILLANCE&lt;/h3&gt;
&lt;p&gt;Hackers use a variety of ways to conduct surveillance:&lt;br /&gt;
a. “Using electronic sniffers”: vampire taps, directional microphones, phone taps and so on.&lt;br /&gt;
b. “Being there”: around the corner, at the next table, or in the reception area at the right time.&lt;br /&gt;
c. “Being invisible”: temps, cleaners, janitors, electricians, telephone company engineers, contractors, messengers, couriers and similar workers tend to be overlooked by professionals. Moral: “Check out strangers cautiously.”&lt;/p&gt;
&lt;h3&gt;BEING SOCIABLE&lt;/h3&gt;
&lt;p&gt;Socialising creates an opportunity to gather information:&lt;br /&gt;
a. After-work activities, such as chats down the pub or in newsgroups.&lt;br /&gt;
b. In the course of business, including social chat during business calls.&lt;/p&gt;
&lt;h3&gt;PHONE PHONIES&lt;/h3&gt;
&lt;p&gt;People are accustomed to some freedom in responding to callers claiming to be conducting surveys, journalist enquiries, or sales cold calling, and may give away valuable organisational information.&lt;/p&gt;
&lt;h3&gt;DUMPSTER DIVING&lt;/h3&gt;
&lt;p&gt;For every firm that shreds everything, there are dozens that do not. Skips (dumpsters), wastebaskets, recycling bins and the like are often sources of organisational information, classified information, obsolete media and even hardware.&lt;/p&gt;
&lt;h3&gt;ELECTRONIC LEFTOVERS&lt;/h3&gt;
&lt;p&gt;Systems produce a lot of electronic ‘waste’ that can yield valuable information. Disk, file, print, spool and terminal buffers are often left untidied and unflushed. ‘Deleted’ files are often still accessible, i.e. to someone with even a bare minimum of technical knowledge or basic recovery tools, because deletion normally removes only the directory entry and leaves the data blocks in place until they happen to be reused.&lt;/p&gt;
&lt;p&gt;If you have access to a PC, there is a good chance you can retrieve something interesting if, for instance, the owner has not logged out of a network connection.&lt;/p&gt;
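&lt;p&gt;The following is an added example, not code from the original page, of how ‘deleted’ data is recovered by carving: scanning raw bytes for known file headers and footers while ignoring the file system’s own directory. The disk image, its two embedded files and the toy directory are constructed for the example, and the signature list is limited to three common formats.&lt;/p&gt;

```python
import os

# Signatures are (kind, header, footer); the footer search starts after the header.
SIGNATURES = [
    ("pdf", b"%PDF-", b"%%EOF"),
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
]


def carve(image):
    """Scan raw bytes for header/footer pairs regardless of any file system
    metadata; return a list of (offset, kind, data) sorted by offset."""
    found = []
    for kind, header, footer in SIGNATURES:
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header))
            if end == -1:
                break
            end += len(footer)
            found.append((pos, kind, bytes(image[pos:end])))
            pos = image.find(header, end)
    return sorted(found, key=lambda f: f[0])


def build_image():
    """Constructed 'disk image' for the example: deterministic filler with two
    files inside. The toy directory lists only report.pdf; photo.jpg was
    'deleted', which (as on most file systems) cleared its entry but not its blocks."""
    filler = bytes(range(256)) * 4
    report = b"%PDF-1.4 Confidential: market strategy Q1 %%EOF"
    photo = b"\xff\xd8\xff\xe0 constructed jpeg payload \xff\xd9"
    image = bytearray(filler + report + filler + photo + filler)
    directory = {"report.pdf": (len(filler), len(report))}
    return image, directory


def secure_delete(image, offset, length, passes=3):
    """Overwrite a file's blocks in place. Ordinary deletion leaves the data for
    carving; only overwriting defeats it (and on flash media even that is not
    a guarantee, because the controller may keep old copies elsewhere)."""
    for _ in range(passes):
        image[offset:offset + length] = os.urandom(length)
    image[offset:offset + length] = bytes(length)


def recovered_kinds(image):
    """Convenience: just the kinds of file that carving recovers."""
    return [kind for _, kind, _ in carve(image)]


if __name__ == "__main__":
    image, directory = build_image()
    print("directory lists:", list(directory))
    print("carving finds:", recovered_kinds(image))      # pdf and jpeg, despite the 'deletion'
    offset, length = directory["report.pdf"]
    secure_delete(image, offset, length)
    print("after overwrite:", recovered_kinds(image))    # only the jpeg remains
```

&lt;p&gt;The page’s point is visible in the output: the directory lists one file, carving finds two, and only after the blocks are overwritten does the report disappear. Overwriting a single file is not a guarantee on flash media or journaling file systems, where copies may survive elsewhere; wiping the whole device is the reliable route, and for an investigator the same fact means a suspect’s ‘deleted’ material is usually still there.&lt;/p&gt;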
&lt;h3&gt;PHISHING&lt;/h3&gt;
&lt;p&gt;Also called carding or brand spoofing, phishing is an email scam that uses the logos of well-known organisations to ‘phish’ for personal information. The victim receives a legitimate-looking e-mail proclaiming problems with account information: “just click on the link and provide some additional personal and financial information to clear up a few questions.” Everything looks authentic, but you are actually being redirected to a site that is here one moment and gone the next, taking your identity with it.&lt;/p&gt;
&lt;p&gt;Those responsible for phishing messages use psychological tactics to prey on their victims. They use the name of a familiar company and create an urgency that gets people to act quickly.&lt;/p&gt;
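&lt;p&gt;As an added example that is not part of the original page, the following Python script turns the red flags described above (a ‘systems administrator’ asking for a password, urgency, a familiar brand name on a foreign domain, a link whose visible text differs from its real target) into checks that can be run over a mailbox. The two messages and the organisation domain kmafrica.com are constructed assumptions for the example.&lt;/p&gt;

```python
import re
from urllib.parse import urlparse

ORG_DOMAIN = "kmafrica.com"   # assumed: the brand the messages claim to come from
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "will be closed")
AUTHORITY = ("administrator", "admin", "helpdesk", "support", "security team")
CREDENTIAL = re.compile(r"\b(password|passwords|pin|passcode)\b")

# Constructed messages: links are (visible text, real target) pairs as a mail
# client would see them in an HTML body.
SAMPLE_MESSAGES = [
    {   # constructed phishing message
        "from_name": "KMAfrica Systems Administrator",
        "from_addr": "admin@kmafrica-support.example.net",
        "subject": "URGENT: confirm your password",
        "body": "Your mailbox will be suspended. Confirm your password using the link below.",
        "links": [("http://mail.kmafrica.com/login", "http://198.51.100.7/login")],
    },
    {   # constructed legitimate notice
        "from_name": "IT Helpdesk",
        "from_addr": "helpdesk@kmafrica.com",
        "subject": "Scheduled maintenance on Saturday",
        "body": "The mail server will be unavailable from 02:00 to 04:00. No action is needed.",
        "links": [("http://intranet.kmafrica.com/notices", "http://intranet.kmafrica.com/notices")],
    },
]


def _host(url):
    """Lowercase host of a URL, or '' when there is none."""
    return (urlparse(url).hostname or "").lower()


def _is_ip_literal(host):
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def _belongs_to(host, org):
    return host == org or host.endswith("." + org)


def triage(msg):
    """Return (score, findings): one finding per red flag present in the message."""
    findings = []
    text = (msg["subject"] + " " + msg["body"]).lower()
    sender_host = msg["from_addr"].rsplit("@", 1)[-1].lower()

    claims_authority = any(w in msg["from_name"].lower() for w in AUTHORITY)
    if claims_authority and CREDENTIAL.search(text):
        findings.append("claims to be an administrator yet asks for a password")
    if any(w in text for w in URGENCY):
        findings.append("creates urgency")
    if not _belongs_to(sender_host, ORG_DOMAIN):
        findings.append(f"sender domain {sender_host} does not belong to {ORG_DOMAIN}")
    for visible, href in msg["links"]:
        shown, real = _host(visible), _host(href)
        if shown and shown != real:
            findings.append(f"link text shows {shown} but points to {real}")
        if _is_ip_literal(real):
            findings.append(f"link target is a bare IP address {real}")
    return len(findings), findings


def is_suspicious(msg, threshold=2):
    """True when the score reaches the threshold (min(score, t) == t means score is at least t)."""
    score, _ = triage(msg)
    return min(score, threshold) == threshold


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        score, findings = triage(msg)
        print(msg["subject"], "=", score, findings)
```

&lt;p&gt;Each flag contributes one point and two points is treated as suspicious; the thresholds and word lists are assumptions to be tuned against real mail, and the score is a triage aid for the investigator, not proof. The link check is the one users most often miss, because the visible text is exactly what a fake ‘systems administrator’ wants them to read.&lt;/p&gt;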
&lt;h2&gt;WHAT THE INTRUDER MAY WANT TO KNOW:&lt;/h2&gt;
&lt;p&gt;Who owns the target machines?&lt;br /&gt;
From Human Resources: “What jobs are available?” The issue in his mind is: would applying for one get me access to anything interesting?&lt;br /&gt;
From Public Relations: “What can you tell me about the organisation and your current projects?” The issue in his mind is: are you worth further interest?&lt;br /&gt;
From Security: “Are you interested in product ABC?” The issue in his mind is: so you are using XYZ.&lt;br /&gt;
From Sales and Marketing: “What current products are you selling?”&lt;/p&gt;
&lt;h2&gt;WHAT MALICIOUS HACKERS DO&lt;/h2&gt;
&lt;p&gt;The process of hacking is 80% reconnaissance. Reconnaissance refers to the process of gathering information about the intended target, and it is done both on the computer and outside it, using the methods mentioned above. The remaining 20% is the actual hacking, done remotely, from a terminal on the local network, or on the actual computer. Passive reconnaissance involves acquiring information without interacting with the organisation, whereas active reconnaissance requires interaction, typically through social engineering.&lt;/p&gt;
&lt;p&gt;After the reconnaissance stage, the hacker moves to scanning. This refers to the pre-attack phase in which the hacker scans the network for specific information on the basis of what was gathered during reconnaissance. Hackers need only a single point of entry to launch an attack. Scanning can include the use of diallers, port scanners, network mapping, sweeping, vulnerability scanners and so on.&lt;/p&gt;
&lt;p&gt;The third phase of hacking is gaining access. During this stage the hacker exploits a vulnerability of the system. The exploit can occur over the LAN or the internet.&lt;/p&gt;
&lt;p&gt;The fourth stage occurs when the hacker tries to maintain access after compromising the system. The hacker will create a backdoor, install a rootkit or install a Trojan. Hackers can then upload, download or manipulate data, applications and configurations on the system.&lt;/p&gt;
&lt;p&gt;The final phase of hacking is covering tracks. This refers to the steps taken to conceal the misdeeds. The reasons for concealment may include the need for a prolonged stay, continued use of resources, removing evidence of the hacking and avoiding legal action. This is done using steganography, tunnelling and the alteration of log files.&lt;/p&gt;
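&lt;p&gt;Because the last phase is the alteration of log files, an investigator wants logs that reveal tampering. The following is an added example, not from the original page, of a tamper-evident log: every record carries an HMAC over itself and the previous record’s tag, and the key is assumed to be held on a separate log server, so an intruder who edits the local file cannot recompute the chain. The log lines are constructed in syslog style for the example.&lt;/p&gt;

```python
import hashlib
import hmac

# Assumed: the key lives on the log server, never on the monitored host.
KEY = b"example-key-kept-on-the-log-server"
GENESIS = "0" * 64     # tag 'before' the first record

# Constructed log lines in syslog style; they are not from a real system.
SAMPLE_LINES = [
    "Nov 04 00:47:01 host sshd[812]: Accepted password for alice from 10.0.0.5 port 51022",
    "Nov 04 00:47:40 host sshd[830]: Failed password for root from 203.0.113.9 port 40112",
    "Nov 04 00:47:42 host sshd[830]: Failed password for root from 203.0.113.9 port 40112",
    "Nov 04 00:48:10 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
]


def tag_for(key, prev_tag, line):
    """Tag = HMAC-SHA256(key, previous tag || newline || line)."""
    return hmac.new(key, (prev_tag + "\n" + line).encode(), hashlib.sha256).hexdigest()


def append_record(chain, key, line):
    """Append (line, tag); the tag commits to the previous record as well."""
    prev = chain[-1][1] if chain else GENESIS
    chain.append((line, tag_for(key, prev, line)))
    return chain


def verify(chain, key):
    """Return the index of the first record whose tag does not check, or -1 if
    the whole chain is intact. Editing, reordering or deleting a record breaks
    every tag from that point on, so the first bad index locates the tampering."""
    prev = GENESIS
    for i, (line, tag) in enumerate(chain):
        if not hmac.compare_digest(tag_for(key, prev, line), tag):
            return i
        prev = tag
    return -1


def build_sample_chain(key):
    chain = []
    for line in SAMPLE_LINES:
        append_record(chain, key, line)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain(KEY)
    print("intact chain, first bad index:", verify(chain, KEY))
    line, tag = chain[1]                       # intruder rewrites a failed login as a success
    chain[1] = (line.replace("Failed", "Accepted"), tag)
    print("after editing record 1:", verify(chain, KEY))
    chain = build_sample_chain(KEY)
    del chain[2]                               # intruder deletes a line instead
    print("after deleting record 2:", verify(chain, KEY))
```

&lt;p&gt;The verifier returns the index of the first record that no longer checks, which is where the editing or deletion began. Deleting records at the end of the chain (truncation) is not caught by this alone; a periodic closing record, or shipping the latest tag to the log server as each record is written, closes that gap.&lt;/p&gt;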
</description>
 <comments>http://www.kmafrica.com/group.forensicICT.threats#comments</comments>
 <enclosure url="http://www.kmafrica.com/image/view/218/preview" length="15788" type="image/jpeg" />
 <group domain="http://www.kmafrica.com/og.forensicICT" xmlns="http://drupal.org/project/og">AICCIFL - African ICT Criminal Intelligence, Forensics and Litigation SIG</group>
 <category domain="http://www.kmafrica.com/taxonomy/term/1218">forensic ICT</category>
 <pubDate>Wed, 04 Nov 2009 00:47:17 -0700</pubDate>
 <dc:creator>Kelmen</dc:creator>
 <guid isPermaLink="false">3863 at http://www.kmafrica.com</guid>
</item>
<item>
 <title>Computer Security</title>
 <link>http://www.kmafrica.com/group.forensicICT.computer.security</link>
 <description>&lt;p&gt;With every change in technology comes an opportunity to violate systems and newer intrusions are getting to be more creative and effective. In one case in 1993, a long distance telephone company card holder compromised his card and 600 unauthorised international calls were placed on that card before network specialists detected the problem and disconnected the violators. All these happened in less than two minutes. Law enforcers and security managers have to be faster and smarter. They cannot continue the traditional approach of ‘security through obscurity, which is the keeping of vulnerable data security. There is need to embrace technology and device security policies that not only dissuade the violator from breaking into the system but also catch the violator. It is such technologies and policies that are the subject for this topic.&lt;/p&gt;
&lt;p&gt;Security is where the data (and information) are protected against unauthorized modification, capture, and destruction or disclosure. Personal data are not the only vulnerable data. Confidential data on market strategies and product development must be kept from the eyes of competitors. Large sums of money transferred daily by electronics fund transfer must be protected against theft. The very high volume of business information processed by computers today means that the rewards of industrial espionage and fraud are of much higher magnitude than in the past and are ever increasing.&lt;/p&gt;
&lt;p&gt;Records must also be protected from accidents and natural disasters. For example a breakdown in air conditioning may cause computers to overheat, resulting in loss of computer facilities. Fire, floods, hurricanes, and even heavy snowfall causing a roof to collapse can cause the destruction of data and valuable computers. Security measures described below are designed to guard information systems from all the above threats. The measures can be envisioned as providing layers of protection. Some controls guard against infiltration for purpose of data manipulation, alteration of computer programmes, pillage or unauthorized use of the computer itself. Other measures guard against physical plant, monitor operations and telecommunications, and regulate personnel. These controls are now discussed below.&lt;/p&gt;
&lt;h2&gt;TERMINAL USER CONTROLS&lt;/h2&gt;
&lt;p&gt;Badge systems, physical barriers (locked doors, window bars, electric fences), a buffer zone, guard dogs and security check stations are procedures common to restricted areas of manufacturing plants and government installations where work with secret or classified materials takes place. A vault for the storage of files and programmes, and a librarian responsible for their check-out, provide additional control. With online systems using telecommunications, physical access controls to terminals may not exist at remote sites. The computer itself must therefore ascertain the identity of persons wishing to log on and determine whether they are entitled to use the system. Identification can be based on:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;What the user has, such as an ID card or key;&lt;/li&gt;
&lt;li&gt;Who the user is, as determined by some biometric measure or physical characteristic;&lt;/li&gt;
&lt;li&gt;What the user knows, such as a password.&lt;/li&gt;
&lt;/ol&gt;
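&lt;p&gt;The first factor, ‘what the user has’, is today usually a token that shows a different code on every use. The following is an added example, not from the original page, of HOTP (RFC 4226), the event-based one-time password generated by such a token and checked by the server. The secret is the RFC 4226 test secret, used so that the first codes can be compared with the published test vectors; the server class and its look-ahead window of five are assumptions for the example.&lt;/p&gt;

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"   # RFC 4226 test secret, not a real key


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation
    (RFC 4226 section 5.3), reduced to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack("!Q", counter), hashlib.sha1).digest()
    offset = mac[-1] % 16                                        # low nibble of the last byte
    code = int.from_bytes(mac[offset:offset + 4], "big") % 2**31   # drop the sign bit
    return str(code % 10**digits).zfill(digits)


class TokenServer:
    """Server-side state for one user's token. A code is accepted once only:
    after a match the counter moves past it, so a replayed code fails. The
    look-ahead window tolerates a few button presses the server never saw."""

    def __init__(self, secret, window=5):
        self.secret = secret
        self.window = window
        self.counter = 0

    def check(self, code):
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(SECRET, c))        # 755224, 287082, 359152 (RFC 4226 test vectors)
    server = TokenServer(SECRET)
    print(server.check("755224"), server.check("755224"))   # True, then False (replay)
```

&lt;p&gt;Two properties matter for the investigator: a code that has been used cannot be replayed, because the server’s counter moves past it, and a code is only useful to someone holding the secret, which never leaves the token and the server. TOTP (RFC 6238) replaces the counter with the current 30-second time step and is otherwise the same computation.&lt;/p&gt;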
&lt;h2&gt;KEYS AND CARDS&lt;/h2&gt;
&lt;p&gt;Locks on terminals that require a key before they can be operated are one way to restrict access to a computer. Another is to require users to carry an identifier that is inserted into a card reader when they want to use the computer; a microprocessor makes an accept-or-reject decision based on the card. There are many types of card. Some are similar to credit cards, with a strip of magnetically encoded data on the front or back; some have a core of magnetised spots encoding the data. Proximity cards contain electronic circuitry sandwiched in the card, and the reader for such a card must include a transmitter and a receiver. Optical cards encode data as a pattern of light sources, such as infrared. In addition there are smart ID cards with an integrated circuit chip embedded in the plastic; the chip has coded memory in which personal identification codes can be stored, and microprocessor intelligence.&lt;/p&gt;
&lt;p&gt;The disadvantage of keys and cards is that they can be lost, stolen or counterfeited. In other words, their possession does not identify the holder as an authorised system user. For this reason, the use of passwords is often an added security feature of key and card systems.&lt;/p&gt;
&lt;h2&gt;BIOMETRIC SYSTEM&lt;/h2&gt;
&lt;p&gt;Some terminal control systems base identification on the physical attributes of the system users. For example, an electronic scan may be made of the hand of the person requesting terminal access. This scan is then measured and compared with the reference stored in the computer’s memory; only a positive match will permit system access.&lt;/p&gt;
&lt;p&gt;Fingerprints and palm prints can likewise be used to identify bona fide system users. Such security systems use electro-optical recognition and file matching of fingerprint and palm-print minutiae. Signature verification of the person wishing to log on to the computer is yet another option; such systems are based on the dynamics of pen motion over time as the signer signs with a wired pen or on a sensitised pad. A biometric system can also be based on a voice print. In this case a voice profile of each authorised user is recorded as an analogue signal and converted into digital form, from which a set of measurements is derived; the voice pattern of the person wishing computer access is then compared with the voice profiles in the computer’s memory.&lt;/p&gt;
&lt;p&gt;Biometric control systems, of special interest to the defence industries and the police, have been under development for many years. Although technological breakthroughs that enable the discrimination of complex patterns have been made recently, pattern recognition systems are still not problem free. Many have difficulty recognising patterns under less than optimal conditions. For example, a blister, inflammation or even sweat on the hands can interfere with fingerprint matching. A combination of devices, such as voice plus hand analysers, might ensure positive identification, but such equipment is at present too expensive to be cost effective for most business operations.&lt;/p&gt;
&lt;h2&gt;PASSWORDS&lt;/h2&gt;
&lt;p&gt;The use of passwords is one of the more popular methods of restricting terminal access. One example of a password system is the required use of a personal identification number to gain access to an automated teller machine at a bank. The problem with passwords is that they are subject to careless handling by users. Some users write the code on a sheet of paper that they carry in their wallet, or tape the paper to the terminal itself. When given a choice, users usually select passwords they can easily remember, such as their birth date, house number, or the names of pets, wives and children. Top of the list in Britain seem to be ‘Fred’, ‘God’, ‘Pass’ and ‘Genius’.&lt;/p&gt;
&lt;p&gt;Someone determined to access the computer will make guesses, trying such obvious passwords first. Even passwords as complex as an algebraic transformation of a random number have been broken with the assistance of readily available microcomputers. Of course, the longer a password is in use, the higher the chance of its being compromised. One-time passwords are an available alternative, but systems of this nature are difficult to administer.&lt;/p&gt;
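&lt;p&gt;The guessing described above, as an added example that is not part of the original page: a small wordlist headed by the favourites mentioned in the text, a few of the variations users apply to them, and a lookup against a table of unsalted SHA-1 hashes such as an intruder might copy from a poorly designed system. The users and their passwords are constructed for the example. The second half shows the storage scheme that makes the same guessing expensive: a per-user salt and the PBKDF2 key-derivation function from the Python standard library.&lt;/p&gt;

```python
import hashlib
import hmac
import os

WORDLIST = ["fred", "god", "pass", "genius", "password", "letmein", "rex", "1980"]


def mangle(word):
    """The variants a guesser tries first: case changes and common suffixes."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "2009"):
        yield word + suffix
        yield word.capitalize() + suffix


def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest()


def crack(hashes, wordlist):
    """hashes maps user to unsalted SHA-1 hex. Because there is no salt, each
    guess is hashed once and compared against every user at the same time, and
    two users with the same password are exposed together."""
    by_hash = {}
    for user, digest in hashes.items():
        by_hash.setdefault(digest, []).append(user)
    found = {}
    for word in wordlist:
        for guess in mangle(word):
            for user in by_hash.get(sha1_hex(guess), []):
                found[user] = guess
    return found


SAMPLE_TABLE = {               # constructed: what a leaked unsalted table looks like
    "alice": sha1_hex("Fred1"),
    "bob": sha1_hex("god"),
    "carol": sha1_hex("Genius2009"),
    "dave": sha1_hex("correct horse battery staple"),
    "erin": sha1_hex("god"),
}

# The alternative: per-user salt and a deliberately slow key-derivation function.
# A weak password is still guessable, but each user must be attacked separately
# and every guess costs ITERATIONS of work instead of one SHA-1 call.
ITERATIONS = 50_000


def make_record(password):
    """Return 'salt$digest' in hex, the form stored in the password file."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def check_record(record, password):
    salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("recovered from the unsalted table:", crack(SAMPLE_TABLE, WORDLIST))
    record = make_record("Fred1")
    print("salted record:", record)
    print("check right / wrong:", check_record(record, "Fred1"), check_record(record, "fred1"))
```

&lt;p&gt;Note what the unsalted table gives away: one hash computation per guess covers every user, and bob and erin, who chose the same password, are exposed together. With a salt each user must be attacked separately and every guess costs ITERATIONS of work; a strong password then stays out of reach, but a weak one is still found, which is why the guessable passwords listed above must be rejected at the moment they are chosen.&lt;/p&gt;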
&lt;h2&gt;AUTHORISATION CONTROLS&lt;/h2&gt;
&lt;p&gt;In addition to the identification systems outlined in the preceding section, control systems can be installed to verify whether a user is authorised to access particular files and databases, and to ascertain what kind of access is permitted (read, write or update).&lt;/p&gt;
&lt;h2&gt;DATA DIRECTORY&lt;/h2&gt;
&lt;p&gt;A computer can be programmed to reference a stored Data Directory Security Matrix to determine the security code needed to access specific data elements in files before processing a user’s job. When a user lacks the proper security clearance, access is denied. In a similar manner, the computer can be programmed to reference tables that specify the type of access permitted or the time of day when access is permitted.&lt;/p&gt;
&lt;p&gt;The data elements accessible from each terminal can likewise be regulated. For example, according to a programmed rule, the terminal in the data administrator’s office might be the only terminal permitted access to all files and programmes, and the only terminal with access to the security matrix itself. Sample print-outs of the access directory are sorted by user identification number. Assigning access levels to individuals within an organisation can be a difficult task. Information is power and the right to access it is a status symbol; employees may vie for clearance even when they do not require it for their jobs. Managers should realise that security measures designed to protect confidential data and valuable computing resources may antagonise loyal employees. It is important that the need for security be understood by workers and that security controls be administered with tact.&lt;/p&gt;
&lt;h2&gt;SECURITY KERNEL&lt;/h2&gt;
&lt;p&gt;Unfortunately, the use of a security matrix does not provide foolproof security. In a multi-user system, a ‘Trojan Horse’ programme run by an authorised user can raid data in a file with that user’s rights. The concept of a security kernel addresses the Trojan Horse issue. A kernel is a hardware/software mechanism that implements a reference monitor, a system component that checks each reference by a subject (user or programme) to each object (file, device or programme) and determines whether the access is valid according to the system’s security policy.&lt;/p&gt;
&lt;p&gt;A security kernel represents new technology still in the development stage. Although a number of projects have attempted to demonstrate the practicality of this security approach, the results have so far been mixed.&lt;/p&gt;
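&lt;p&gt;As an added example, not code from the original page, the following Python class ties together the security matrix, terminal and time-of-day tables of the preceding section and the reference monitor described here: every access request is checked against the matrix, the permitted terminals and the permitted hours, with a default of deny and an audit record of each decision. The subjects, objects, terminal names and hours are assumptions for the example.&lt;/p&gt;

```python
# Access matrix: (subject, object) maps to the set of permitted modes.
MATRIX = {
    ("clerk1", "payroll"): {"read"},
    ("dba", "payroll"): {"read", "write", "update"},
    ("dba", "security_matrix"): {"read", "update"},
}
TERMINAL_RULES = {"security_matrix": {"T-ADMIN"}}   # only the administrator's terminal
HOURS = {"payroll": (8, 18)}                          # permitted hours, 08:00 to 17:59


class ReferenceMonitor:
    """Mediates every (subject, object, mode) request; anything not explicitly
    permitted is denied. A Trojan Horse run by clerk1 is, to the monitor, a
    subject with clerk1's rights and nothing more."""

    def __init__(self, matrix, terminal_rules, hours):
        self.matrix = matrix
        self.terminal_rules = terminal_rules
        self.hours = hours
        self.audit = []    # every decision, granted or not, for the investigator

    def check(self, subject, obj, mode, terminal, hour):
        """Return True only if the matrix, the terminal rule and the hours all allow it."""
        reason = None
        if mode not in self.matrix.get((subject, obj), set()):
            reason = "no matrix entry"
        elif terminal not in self.terminal_rules.get(obj, {terminal}):
            reason = "terminal not permitted"
        elif hour not in range(*self.hours.get(obj, (0, 24))):
            reason = "outside permitted hours"
        self.audit.append((subject, obj, mode, terminal, hour, reason or "granted"))
        return reason is None


if __name__ == "__main__":
    monitor = ReferenceMonitor(MATRIX, TERMINAL_RULES, HOURS)
    requests = [
        ("clerk1", "payroll", "read", "T-07", 10),            # granted
        ("clerk1", "payroll", "write", "T-07", 10),           # denied: read only
        ("clerk1", "payroll", "read", "T-07", 23),            # denied: after hours
        ("dba", "security_matrix", "update", "T-07", 10),     # denied: wrong terminal
        ("dba", "security_matrix", "update", "T-ADMIN", 10),  # granted
        ("clerk1", "security_matrix", "read", "T-ADMIN", 10), # denied: Trojan run as clerk1
    ]
    for request in requests:
        monitor.check(*request)
    for entry in monitor.audit:
        print(entry)
```

&lt;p&gt;The Trojan Horse case is the last request: a programme started by clerk1 is, to the monitor, simply clerk1, so it can read payroll but cannot touch the security matrix even from the administrator’s terminal. The monitor is only as good as its completeness; if any path to the data bypasses it, the matrix is decoration, which is what the page’s security kernel is meant to prevent.&lt;/p&gt;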
&lt;h2&gt;COMMUNICATION SECURITY&lt;/h2&gt;
&lt;p&gt;Computer processing is today closely linked to telecommunications, which allows the transfer of computer data to and from remote points. Protecting the confidentiality of this data at the initiating terminal, during transmission and at the receiving end has required the development of sophisticated security techniques. For example, a ‘handshake’, a predetermined signal that the computer must recognise before initiating transmission, is one way to control communication. This prevents individuals from masquerading, i.e. pretending to be a legitimate user of the system. Many companies use call-back boxes that phone would-be users at a pre-authorised number to verify an access request before allowing the user to log on; a hacker who has learnt the handshake code would still be denied access by such a system. Protocols, conventions and procedures for user identification and dialogue also help to maintain the confidentiality of data. During transmission, messages are vulnerable to wire-tapping, the electromagnetic pick-up of messages on communication lines. This may be eavesdropping (passive listening) or active wire-tapping involving the alteration of data, such as ‘piggybacking’ (the selective interception, modification or substitution of messages). Another form of misuse is ‘between-the-lines’ entry: an illicit user taps the connection while a bona fide user is connected to the system and paying for computer time but is ‘thinking’, so that the line is idle. This and other uses of unauthorised time can be quite costly to a business firm. One method of preventing message interception is to encode, or encrypt, data in order to render it useless if intercepted.&lt;/p&gt;
&lt;h2&gt;CONTROLS&lt;/h2&gt;
&lt;p&gt;A combination of filters (also called screens) and gateways acts like a wall against viruses or other unauthorised traffic. Such combinations are called firewalls, and they prevent traffic that the security policy defines as unauthorised from passing from the inside to the outside or the other way round. The main danger of all these strategies is that they may lull the potential victim into a false sense of being protected. The anti-virus strategies that exist work against known viruses only. Corporate and end users must recognise that the intruder, especially the ‘intellectually motivated’ intruder, may be challenged by the control mechanism into finding a new strain, a new twist on an old threat, or entirely new threats to beat the system that we have not yet heard of or even thought of.&lt;/p&gt;
&lt;p&gt;There is also a cost to all these control strategies against viruses. There is a possible loss of morale when employees are not fully trusted. There is a loss in efficiency: each layer and level of security has an overhead cost and a loss in productivity and performance. In addition to calculating these costs one must estimate the probability of attack and the value of the loss entailed if the attack is successful. This analysis is necessary before a security system is designed and implemented to combat viruses.&lt;/p&gt;
&lt;h2&gt;ENCRYPTION&lt;/h2&gt;
&lt;p&gt;From the Greek kryptos, meaning hidden, encryption is done through transposition or substitution. In transposition, characters are exchanged according to a set of rules; for example, the third and fourth characters might be switched so that 5289 becomes 5298. In substitution, characters are replaced: the number 1 may become a 3, so that 514 reads 534, or the substitution may be more complex, for instance a specified number may be added to a digit, making 514 read 516. Decryption restores the data to its original value. Although the principles of encryption are relatively simple, most schemes are highly complex, and understanding them may require mathematical knowledge and technical expertise. Encryption is also used by malware: a polymorphic virus encrypts itself so that its appearance changes from copy to copy and cannot be recognised as the original without proper processing, which defeats scanners that rely on a fixed signature to recognise its presence. More often, however, encryption is used to password-protect files, disks, mail messages, telephone conversations, cable television and so on.&lt;/p&gt;
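&lt;p&gt;The transposition and substitution rules above, carried through as an added example that is not part of the original page: each rule is written with its inverse so that decryption restores the original, the three are composed under a small assumed key, and a brute-force step shows why rules this simple offer no real protection.&lt;/p&gt;

```python
def transpose(s, i, j):
    """Swap the characters at positions i and j (the rule is its own inverse).
    With i=2, j=3 the text's 5289 becomes 5298."""
    chars = list(s)
    chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def substitute(s, table):
    """Replace every character found in table; others pass through unchanged.
    With table {"1": "3"} the text's 514 becomes 534."""
    return "".join(table.get(c, c) for c in s)


def invert(table):
    """Inverse substitution table; refuses a table that maps two characters to one."""
    inverse = {v: k for k, v in table.items()}
    if len(inverse) != len(table):
        raise ValueError("substitution table is not invertible")
    return inverse


def shift_digit(s, pos, k):
    """Add k (modulo 10) to the digit at position pos; the text's 514 becomes 516
    with pos=2, k=2. A negative k undoes a positive one."""
    chars = list(s)
    chars[pos] = str((int(chars[pos]) + k) % 10)
    return "".join(chars)


# Assumed toy key for the example: which positions to sw
KEY = {"swap": (2, 3), "table": {"1": "3", "3": "1"}, "pos": 2, "k": 2}


def encrypt(plain, key):
    c = transpose(plain, *key["swap"])
    c = substitute(c, key["table"])
    return shift_digit(c, key["pos"], key["k"])


def decrypt(cipher, key):
    """Apply the inverse of each step in reverse order."""
    p = shift_digit(cipher, key["pos"], -key["k"])
    p = substitute(p, invert(key["table"]))
    return transpose(p, *key["swap"])


def brute_force_shift(cipher, pos):
    """With only ten possible values of k, an attacker simply lists every candidate
    and picks the one that makes sense in context."""
    return [shift_digit(cipher, pos, -k) for k in range(10)]


if __name__ == "__main__":
    print(transpose("5289", 2, 3), substitute("514", {"1": "3"}), shift_digit("514", 2, 2))
    c = encrypt("5289", KEY)
    print("encrypted:", c, "decrypted:", decrypt(c, KEY))
    print("all ten candidates for the last step:", brute_force_shift(c, KEY["pos"]))
```

&lt;p&gt;The additive rule has only ten possible keys, so the attacker lists every candidate and picks the one that makes sense; the other two rules are no better. Real ciphers get their strength from a key space far too large to enumerate and from designs that have survived public analysis, which is why in practice a standard algorithm and library are used rather than rules of this kind.&lt;/p&gt;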
&lt;h2&gt;CONSEQUENCE OF SECURITY SYSTEM FAILURE&lt;/h2&gt;
&lt;p&gt;Identity theft&lt;br /&gt;
Persons being wrongly accused, especially where they themselves have been victims of identity theft.&lt;/p&gt;
&lt;p&gt;Wrong information associated with individuals, leading to wrongful decision making; for example, in emergencies persons with altered medical records may receive the wrong treatment. Loss of confidentiality; that is, where a system containing a person’s personal information (e.g. date of birth, age, full names, ID number, etc.) is compromised and that data is also required in other systems, the person’s confidential information is compromised in those systems as well.&lt;/p&gt;
&lt;p&gt;Security should be taken seriously to avoid all these and other negative consequences.&lt;/p&gt;
&lt;div class=&quot;og_rss_groups&quot;&gt;&lt;ul class=&quot;links&quot;&gt;&lt;li  class=&quot;first last og_links&quot;&gt;&lt;a href=&quot;/og.forensicICT&quot; class=&quot;og_links&quot;&gt;AICCIFL - African ICT Criminal Intelligence, Forensics and Litigation SIG&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;</description>
 <comments>http://www.kmafrica.com/group.forensicICT.computer.security#comments</comments>
 <enclosure url="http://www.kmafrica.com/image/view/218/preview" length="15788" type="image/jpeg" />
 <group domain="http://www.kmafrica.com/og.forensicICT" xmlns="http://drupal.org/project/og">AICCIFL - African ICT Criminal Intelligence, Forensics and Litigation SIG</group>
 <category domain="http://www.kmafrica.com/taxonomy/term/1219">computer security</category>
 <category domain="http://www.kmafrica.com/taxonomy/term/1218">forensic ICT</category>
 <pubDate>Wed, 04 Nov 2009 00:38:52 -0700</pubDate>
 <dc:creator>Kelmen</dc:creator>
 <guid isPermaLink="false">3862 at http://www.kmafrica.com</guid>
</item>
<item>
 <title>Computers &amp; Telecommunications</title>
 <link>http://www.kmafrica.com/group.forensicICT.Computers.and.Telecommunications</link>
 <description>&lt;p&gt;Information Communication Technology (ICT) stand for the technologies including computers, telecommunication and audio-visual systems that enable the collection, processing, transportation, and delivery of information and communication services to users. Computer Technology Crimes include, theft of hardware, theft of software (piracy), theft of information (spying and netspionage), theft of time, trespass (hacking), credit card theft, ATM related theft and vandalism of hardware and software and denial of services. Having said these, it is necessary to explain what some of these words mean:&lt;/p&gt;
&lt;p&gt;Hardware includes, the physical parts of a computer system, that is, the inputting devices such as keyboard, mouse, the Central Processing Unit (CPU), the display screen, and any other physical unit that qualify to be on the computer. Hardware theft therefore is when these components are physically stolen, while hardware vandalism is where malicious damage is occasioned on these components.&lt;/p&gt;
&lt;p&gt;Software consist of the intangible parts of a computer, for example, the framework programmes, productivity tools, information and data stored in the computer. The theft of software is varied and at times forms a complex web. Most computer crimes target software compared to all others. They are also abuse against intellectual property.&lt;/p&gt;
&lt;h2&gt;COMPUTERS&#039; RELATION TO TELECOMMUNICATION&lt;/h2&gt;
&lt;p&gt;Computers today are closely linked to telecommunication, which allows the transfer of computer data between remote points. The processing speed of a CPU is measured in micro-, nano- or picoseconds, and users cannot get the full benefit of this speed if tapes and disks, on which recorded input is physically transported to the computer for data entry, are the only method of input. Similarly, the delivery of paper output can be time consuming, particularly when users are not located in the same building as the CPU, for example in a sales office, branch office or warehouse.&lt;/p&gt;
&lt;p&gt;With teleprocessing (the processing of data received from or sent to remote locations by way of telecommunications lines, such as coaxial cable or telephone wires), input and output are instantaneous. This is the mode of processing for multi-user systems where people in dispersed locations share a computer but need to input data and access up-to-date information at all times. The telecommunications technology that links input/output terminals to distant CPUs, and joins workstations, peripherals and computers into networks, is what is called telecommunication, data communication or info-communication. Networks are valued by organizations because they promote the exchange of information among computer users (many business activities require the skills of many people), the collection of data from many sources and the sharing of expensive computer resources. Networks can be:&lt;br /&gt;
Local Area Networks (LAN), which permit users in a single building or complex to communicate between terminals (often microcomputers), interact with a computer host (normally a mini or mainframe) or share peripherals linked to the LAN within a small geographical area.&lt;/p&gt;
&lt;p&gt;National networks, for example bank ATM networks, which link banks to computer users in locations across the country.&lt;/p&gt;
&lt;p&gt;International (wide area) networks, which are the most expensive networks because of the long distances between nodes, and the most difficult to implement because standards and regulations vary from country to country. There can also be a system that incorporates a combination of the above networks.&lt;/p&gt;
&lt;p&gt;A LAN of microcomputers and peripherals, with interconnections to other networks, has a component that caters to all the requests of the networked computers. For example, a disk server is a component that acts like an extra disk drive: it is usually partitioned so that each computer can access a particular private storage area. A file server is more sophisticated, allowing access to stored data by name.&lt;/p&gt;
&lt;p&gt;Large mainframe computer systems generally include a front-end processor programmed to relieve the CPU of communication tasks. For example, the processor may receive messages, store transmitted information and route input to the CPU according to pre-established priorities. It may also validate and pre-process data. Another major function of the front-end processor is to compensate for the relatively slow speed of transmission compared to the processing speed of the CPU. A front-end processor may also:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Perform message switching between terminals,&lt;/li&gt;
&lt;li&gt;Process data when the teleprocessing load is low or absent,&lt;/li&gt;
&lt;li&gt;Act as multiplexers and concentrators,&lt;/li&gt;
&lt;li&gt;Provide access to external storage and other peripherals,&lt;/li&gt;
&lt;li&gt;Check security authorisation,&lt;/li&gt;
&lt;li&gt;Keep teleprocessing statistics,&lt;/li&gt;
&lt;li&gt;Accept messages from local lines with mixed modes of communication,&lt;/li&gt;
&lt;li&gt;Facilitate the use of the CPU by other users in a time-sharing system.&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;Interconnectivity&lt;/h3&gt;
&lt;p&gt;Each computer system may have a unique configuration of computing resources such as computer speed, file capacity and peripherals that include fast printers and optical scanners. The management of each computer system may not be able to justify the cost of all these resources when they would not be fully utilised, so sharing them between systems is attractive. This can be achieved through interconnectivity, the linking of computer systems by telecommunications and networks.&lt;/p&gt;
</description>
 <comments>http://www.kmafrica.com/group.forensicICT.Computers.and.Telecommunications#comments</comments>
 <enclosure url="http://www.kmafrica.com/image/view/218/preview" length="15788" type="image/jpeg" />
 <group domain="http://www.kmafrica.com/og.forensicICT" xmlns="http://drupal.org/project/og">AICCIFL - African ICT Criminal Intelligence, Forensics and Litigation SIG</group>
 <category domain="http://www.kmafrica.com/taxonomy/term/1218">forensic ICT</category>
 <pubDate>Wed, 04 Nov 2009 00:29:00 -0700</pubDate>
 <dc:creator>Kelmen</dc:creator>
 <guid isPermaLink="false">3861 at http://www.kmafrica.com</guid>
</item>
</channel>
</rss>

