International laws and standards controlling information security. Latest developments in hardware...

Post on 28-Nov-2014


Lessons learned in fighting cybercrime and cyber terrorism

Albena Spasova

International Cyber Investigation Training Academy

Evolution of cybercrime

Web 1.0

Web 2.0

Web 3.0

What’s the future?

The dark side of Web 1.0

Traditional crime moved online

Web 1.0 - hacking

Web 1.0 - viruses

The dark side of Web 2.0

Traditional and dynamic phishing

Botnets

New tools for organized crime groups

New tactics for terrorist groups

Cyber tactic

1. Espionage

2. Propaganda

3. Denial of Service (DoS)

4. Data interference

5. Infrastructure manipulation

Organized crime?

“Old crimes, new tools and new crimes, new tools”

Botnets – What are they?

Traditionally controlled through Internet Relay Chat (IRC)


Botnets – Chasing New Exploits

Constantly looking for new exploits

New infections before the patch is released

Botnets – Security Bulletin – 08/08/2006

Botnets – DHS Warning – 08/09/2006

Botnets – Bot in the Wild by Weekend

Botnets – How are they used?

Sending Spam

Denial of Service Attacks

ID Theft

Spyware Delivery

Botnets – How are they used?

ID Theft

DDoS / SPAM attracted attention – botnets were shut down

ISPs and victims would monitor attacks to find bots

Bad guys discovered that they could make $$$$ instead

Botnets – How are they used?

Spyware

Spyware / Adware used for advertisement delivery

Popups

Affiliate programs pay per install

Bot herders will install the spyware on their bots in order to get paid


Botnets and eCommerce

Specific uses of botnets targeted at abusing eCommerce users

ID theft combined with proxy

Dynamic Phishing Sites

Cases

Simple case: a mule receives money in a bank account and moves the money to another bank account

Complex case: a mule receives money via an online payment system and transfers the money via bank to another account belonging to another mule; the next mule transfers the money through an online payment system to a different mule – all actions happen in different states

Example of Fraudulent Scheme

Money flows

• Fraud groups from set up spoof sites all over the world

• They convince victims to send money/goods to Spain, Italy, France, Belgium and more recently the UK

• Runners or Arrows collect the money/goods from around the world and send it back to the fraudster

Investigation – challenges for law enforcement

Where did the crime happen?

Is the crime a crime in the jurisdictions involved?

Who will investigate it?

Who is behind it?

Tracing back…

Tracing…

While it's happening - where is the illegal activity taking place – who are the parties involved?

Using information provided by ISPs and other communications providers – different legal requirements

Encrypted communications

Tracing…

Preservation of data

Information kept must be sufficient to allow tracing

Fast sharing of information

Tracing scheme…

Sharing electronic evidence internationally

How long does it take to share information between two countries?

What other challenges do we have in the process?

Challenges

Legislation and jurisdiction

Sufficient resources and personnel

Localizing and identifying the “bad guys”

Collect and share evidence internationally

Legal Instruments

CoE Cybercrime Convention - 2001

Council Framework Decision 2005/222/JHA on attacks against information systems;

Council Framework Decision 2004/68/JHA on combating the sexual exploitation of children and child pornography.

Legal Challenges

Definition

Jurisdiction

Investigation

International Cooperation

Public-private Partnerships

Prevention

1. Definition of cyber-crime

Technology is rapidly evolving

Definition – open, flexible, vague

Balance between open legal requirements and national constitutional prohibitions

Technology neutral language

Definition

CoE Convention – technology neutral language - Art 1

Computer system

Computer data

Service provider

Definition

No universally accepted definition

Crimes related to cyberspace: no longer computer and internet crime

“Information systems” – any device or a group of interconnected or related devices

“Data”

E.g. personal digital assistant, modern car, mobile phone

Chapter II, Measures to be taken at the national level - Substantive criminal law

Title I – Offences against the confidentiality, integrity and availability of data – illegal access, illegal interception, data interference, system interference, misuse of devices

Title II – Computer-related offences – forgery, fraud;

Title III - Content-related offences - child pornography / Protocol – hate speech

Title IV – Offences related to the infringements of copyright and related rights

Council Framework Decision 2005/222/JHA on attacks against information systems

Approximation of criminal law systems:

Illegal access to information systems

Illegal system interference

Illegal data interference

Example – cyber terrorism case

Large scale attack against information systems – E.g. a terrorist would attack information systems essential for international capital markets and break them down

A computer-related offence – E.g. a terrorist would take over an information system managing a nuclear facility and trigger a nuclear meltdown

A content-related offence – E.g. a terrorist would disseminate propaganda/blueprints for bombs

Example

State A

State B

State C

Criminal hate speech: drafted in one place, transmitted through another and uploaded on a server in a third, viewed by the whole world

2. Determining Jurisdiction

CoE Cybercrime Convention:

Territoriality principle

Personality principle

Protection principle

Council Framework Decision 2005/222/JHA on attacks against information systems:

Territoriality principle

Nationality principle

When several MS have jurisdiction – decide

Council Framework Decision 2004/68/JHA on combating the sexual exploitation of children and child pornography:

Territoriality principle

Active personality principle

The offence committed for the benefit of a legal person established in the territory of that MS

Problems

Dual criminality

Dual illegality

Legal harmonization – for extraterritorial or universal jurisdiction

In 1999 an Australian national created a website in Australia, in English, which included a statement that the Shoah never happened

Auschwitz denial is a crime in Germany

Site was viewed by Neo-Nazis

Under territoriality principle

Counter example

Advertisement of beer in Germany can be accessed in Islamic countries

Counter example

German Internet blog critical of a dictatorship in the Far East; the blog is accessible in these countries

Conclusion: a degree of legal harmonization is necessary for legitimate extraterritorial or even universal jurisdiction

3. Investigation: CoE Cybercrime Convention provisions

Title 2 – Expedited preservation of stored computer data – “quick freeze”

Title 3 – Production order

Title 4 – Search and Seizure of stored computer data

Title 5 – Real-time collection of computer data

Observations

Crimes committed “without right”

Problems

The use of remote forensic software to carry out remote search procedures, record VOIP communications, log keystrokes and passwords, identify IP addresses

Data retention/data privacy

Data Retention Directive – telecommunication service providers - anybody's traffic for up to 6 months

Production order – produce specific data – passwords, encryption codes

Proportional measures

4. International Cooperation

“Loopholes of jurisdiction”

Cooperation is necessary:

Extradition – serious crime offenses

Mutual legal assistance

Minimum of harmonization on substantive and procedural laws

Private-public partnerships

4. International Cooperation – CoE Convention

Cooperation:

Art. 24 Extradition

Art. 25 Mutual Legal Assistance

Art. 26 Spontaneous information

Coordination:

which state should do what – points of contact

Harmonization:

Substantive

Procedural

Solutions:

Adopt adequate legislation

Assure sufficient law enforcement personnel with adequate training and resources

Partnerships with industry

Public awareness

Crime in a virtual world?

Should we be concerned? Do worlds collide?

Life in a virtual world: What can you do?

Life in a virtual world: Interesting stats

567 mil. $ user to user transactions in 2009

65% jump from 2008

770,000 unique users made repeat visits to SL in December 2009

Residents cashed 55 mil. $ transferring to PayPal

Land barons make 12 mil. $ untidily per year

Users control IPRs of what they build

Average price per island is 1000 $

Virtual money

Money launderers can now move illicit cash through the growing number of virtual reality role-playing games, and convert that cash into real currency before withdrawing it from ATMs worldwide.

One wonders just how many laundrymen have tumbled to this cyberlaundering opportunity.

Compliance officers at financial institutions please note that their banks may be guilty of money laundering if they facilitate deposits or payments in these virtual worlds, for there is no functional due diligence on players or recipients.

Imagine this scenario

All accounts with counterfeit identification

In conclusion…

EU Regulations are coming

Take a step at a time

Thank you!

Conclusions

Prevention: Increase Internet culture

Protection: people and infrastructures

Cooperation: law enforcement and judiciary

Responsibility: national, regional, global

Financing…

Albena Spasova

President of the Management Board, International Cyber Investigation Training Academy, Sofia, Bulgaria

Associate Professor, Technical University, Lille – 1, France

www.cybersafetyblog.eu

aspasova@cybercrimeacademy.org

albaadvisors@gmail.com

Tel. 0887 30 32 89