Web Security, Privacy and Commerce, 2nd Edition


19.1 Your Legal Options After a Break-In

If you suffer a break-in or criminal damage to your system, you have a variety of recourses under the U.S. legal system. This chapter cannot advise you on the many subtle aspects of the law. There are differences between state and federal law, as well as different laws that apply to computer systems used for different purposes. Laws outside the U.S. vary considerably from jurisdiction to jurisdiction; we won't attempt to explain anything beyond the U.S. system.[1] However, we should note that the global reach of the Internet may bring laws to bear that have their origin outside the U.S.

[1] An excellent, although somewhat dated, discussion of legal issues in the U.S. can be found in Computer Crime: A Crimefighter's Handbook (O'Reilly), and we suggest you start there if you need more explanation than we provide in this chapter. The book is out of print, but used copies are available.

Discuss your specific situation with a competent lawyer before pursuing any legal recourse. Because there are difficulties and dangers associated with legal approaches, you should be sure that you want to pursue this course of action before you go ahead.

In some cases, you may have no choice; you may be required to pursue legal action. For example:

If you believe that your system is at especially high risk for attack, you should probably speak with your organization's legal counsel before you have an incident as part of your security incident pre-planning. Organizations have different policies on when law enforcement should or should not be involved. By doing your homework, you increase the chances that these policies will actually be followed when they are needed.

To give some starting points for discussion, this section provides an overview of a few issues you might want to consider.

19.1.1 Filing a Criminal Complaint

You are free to contact law enforcement personnel any time you believe that someone has broken a criminal statute. You start the process by making a formal complaint to a law enforcement agency. A prosecutor will likely decide if the allegations should be investigated and what charges should be filed, if any.

In some cases (perhaps a majority of them) criminal investigation will not help your situation. If the perpetrators have left little trace of their activity and the activity is not likely to recur, or if the perpetrators are entering your system through a computer in a foreign country, you probably will not be able to trace or arrest the individuals involved. Many experienced computer intruders will leave little tracing evidence behind.[2]

[2] Although few computer intruders are as clever as they believe themselves to be.

If you do file a complaint, there is no guarantee that the agency will actually conduct a criminal investigation. The prosecutor involved (federal, state, or local) decides which, if any, laws have been broken, the seriousness of the crime, the availability of trained investigators, and the probability of a conviction. It is important to remember that the criminal justice system is overloaded; new investigations are started only for severe violations of the law or for cases that warrant special treatment. A case in which $200,000 worth of data is destroyed is more likely to be investigated than a case in which someone is repeatedly scanning your home computer through your cable modem.

If an investigation is conducted, you may be involved with the investigators or you may be completely isolated from them. You may even be given erroneous information; that is, you may be told that no investigation is taking place, even though a full-scale investigation is in the works. Many investigations are conducted on a "need to know" basis, occasionally using classified techniques and informants. If you are told that there is no investigation and in fact there is one, the person who gives you this information may be deliberately misinforming you, or they themselves may simply not have the "need to know."

Investigations can place you in an uncomfortable and possibly dangerous position. If unknown parties are continuing to break into your system by remote means, law enforcement authorities may ask you to leave your system open, thus allowing the investigators to trace the connection and gather evidence for an arrest. Unfortunately, if you leave your system open after discovering that it is being misused, and the perpetrator uses your system to break into or damage another system elsewhere, you may be the target of a third-party lawsuit. Cooperating with law enforcement agents is not a sufficient shield from such liability. Investigate the potential ramifications before putting yourself at risk in this way.

19.1.1.1 Choosing jurisdiction

One of the first things you must decide is to whom you should report the crime. Every state and the federal government currently have laws against some sorts of computer crime, so you have choices. In some cases, state authorities can even prosecute under federal statutes.

Unfortunately, there is no way to tell in advance whether your problem will receive more attention from local authorities or from federal authorities. Here are some recommendations:

19.1.1.2 Local jurisdiction

In many areas, because the local authorities do not have the expertise or background necessary to investigate and prosecute computer-related crimes, you may find that they must depend on your expertise. You may be involved with the investigation on an ongoing basis, possibly to a great extent. You may or may not consider this a productive use of your time. Your participation may also result in contamination of the case; as the aggrieved party, you could be blamed for falsifying evidence.

Our best advice is to contact local law enforcement before any problem occurs, and get some idea of their expertise and willingness to help you in the event of a problem. The time you invest up front could pay big dividends later on if you need to decide who to call at 2 a.m. on a holiday because you have evidence that someone is making unauthorized use of your system.

19.1.1.3 Federal jurisdiction

Although you might often prefer to deal with local authorities, you should contact federal authorities if you:

Offenses related to national security, fraud, or telecommunications are usually handled by the FBI. Cases involving financial institutions, stolen access codes, or passwords are generally handled by the U.S. Secret Service. However, other federal agents may have jurisdiction in some cases; for example, the Customs Department, the U.S. Postal Service, and the Air Force Office of Investigations have all been involved in computer-related criminal investigations.

Luckily, you don't need to determine jurisdiction on your own. If you believe that a federal law has been violated in your incident, call the nearest U.S. Attorney's office and ask them who you should contact. Often that office will have the name and contact information for a specific agent or an office in which the personnel have special training in investigating computer-related crimes.

19.1.2 Federal Computer Crime Laws

There are many federal laws that can be used to prosecute computer-related crimes. Usually, the choice of law pertains to the type of crime rather than whether the crime was committed with a computer, a phone, or pieces of paper. Depending on the circumstances, laws relating to wire fraud, espionage, or criminal copyright violation may come into play. You don't need to know anything about the laws involved; the authorities will make that determination based on the facts of the case.

19.1.3 Hazards of Criminal Prosecution

There are many potential problems in dealing with law enforcement agencies, not the least of which is their experience with computers, networking, and criminal-related investigations. Sadly, there are still many federal agents who are not well versed with computers and computer crime.[3] In many local jurisdictions you will find even less expertise. Unless you are specifically working with a "computer crime squad," your case will probably be investigated by an agent who has little or no training in computing.

[3] However, we have noticed a distinct improvement since the first edition of this book was released. Federal authorities have recognized the need for more training and resources, and have been working to improve the average skill set for their agents.

Computer-illiterate agents will sometimes seek your assistance to try to understand the subtleties of the case. Other times, they will ignore your advice, perhaps to hide their own ignorance, and often to the detriment of the case and the reputation of the law enforcement community.

If you or your personnel are asked to assist in the execution of a search warrant to help identify material to be searched, be sure that the court order directs such "expert" involvement. Otherwise, you might find yourself complicating the case by appearing as an overzealous victim. You may benefit by recommending an impartial third party to assist the law enforcement agents.

The attitude and behavior of the law enforcement officers can sometimes cause major problems. Your equipment might be seized as evidence or held for an unreasonable length of time for examination, even if you are the victim of the crime. If you are the victim and are reporting the case, the authorities will usually make every attempt to coordinate their examinations with you, to cause you the least amount of inconvenience. However, if the perpetrators are your own employees, or if regulated information is involved (bank, military, etc.), you might have no control over the manner or duration of the examination of your systems and media. This problem becomes more severe if you are dealing with agents who need to seek expertise outside their local offices to examine the material. Be sure to keep track of downtime during an investigation, as it may be included as part of the damages during prosecution and any subsequent civil suits that may be waged against either your attacker or, in some cases, the law enforcement agency itself.

Your site's backups can be extremely valuable in an investigation. You might even make use of your disaster-recovery plan and use a standby or spare site while your regular system is being examined.

Heavy-handed or inept investigative efforts may also place you in an uncomfortable position with respect to the computer community. Many computer users harbor negative attitudes toward law enforcement officers; these feelings can easily be redirected toward you if you are responsible for bringing the "outsiders" in. Such attitudes can place you in a worse light than you deserve, and hinder cooperation not only with the current investigation but with other professional activities. Furthermore, they may make you a target for electronic attack or other forms of abuse after the investigation concludes. These attitudes are unfortunate, because there are some very good investigators, and careful investigation and prosecution may be needed to stop malicious or persistent intruders.

For these reasons, we encourage you to carefully consider the decision to involve law enforcement agencies with any security problem pertaining to your system.

Be aware that the problem you spot may be part of a much larger problem that is ongoing or beginning to develop. You may be risking further damage to your systems and the systems of others if you decide to ignore the situation.

We wish to stress the positive. Law enforcement agencies are aware of the need to improve how they investigate computer crime cases, and they are working to develop in-service training, forensic analysis facilities, and other tools to help them conduct effective investigations. In many jurisdictions (especially in high-tech areas of the country), investigators and prosecutors have gained considerable experience and have worked to convey that information to their peers. The result is a significant improvement in law enforcement effectiveness over the last few years, with a number of successful investigations and prosecutions. You should very definitely think about the positive aspects of reporting a computer crime, not only for yourself, but for the community as a whole. Successful prosecutions may help prevent further misuse of your system and of others' systems.

19.1.4 The Responsibility to Report Crime

Finally, keep in mind that criminal investigation and prosecution can only occur if you report the crime. If you fail to report the crime, there is no chance of apprehension. Not only does that not help your situation, it leaves the perpetrators free to harm someone else.

A more subtle problem results from a failure to report serious computer crimes: it leads others to believe that there are few such crimes being committed. As a result, insufficient emphasis is placed on budgets and training for new law enforcement agents in this area; little effort is made to enhance the existing laws and little public attention is focused on the problem. The consequence is that the computing milieu becomes incrementally more dangerous for all of us.

Playing It Safe . . .

Here is a summary of additional recommendations for avoiding possible abuse of your computer. Most of these are simply good policy whether or not you anticipate break-ins:

  • Put copyright and/or proprietary ownership notices in your source code and data files. Do so at the top of each and every file. If you express a copyright, consider filing for the registered copyright; this version can enhance your chances of prosecution and recovery of damages.

  • Be certain that your users are notified about what they can and cannot do.

  • If it is consistent with your policy, make all users of your system aware of what you may monitor. This includes email, keystrokes, and files. Without such notice, monitoring an intruder or a user overstepping bounds could itself be a violation of wiretap or privacy laws!

  • Keep good backups in a safe location. If comparisons against backups are necessary as evidence, you need to be able to testify as to who had access to the media involved. Having tapes in a public area will probably prevent them from being used as evidence.

  • If something happens that you view as suspicious or that may lead to involvement of law enforcement personnel, start a diary. Note your observations and actions, and note the times. Run paper copies of log files or traces and include those in your diary. A written record of events such as these may prove valuable during the investigation and prosecution. Note the time and context of each and every contact with law enforcement agents as well.

  • Try to define in writing the authorization of each employee and user of your system. Include in the description the items to which each person has legitimate access (and the items each person cannot access). Have a mechanism in place so each person is apprised of this description and can understand his or her limits.

  • Tell your employees explicitly that they must return all materials, including manuals and source code, when requested or when their employment terminates.

  • If something has happened that you believe requires law enforcement investigation, do not allow your personnel to conduct their own investigation. Doing too much on your own may prevent some evidence from being used or otherwise cloud the investigation. You may also aggravate law enforcement personnel with what they might perceive to be interference in their investigation.

  • Make your employees sign an employment agreement that delineates their responsibilities with respect to sensitive information, machine usage, electronic mail use, and any other aspect of computer operation that might later arise. Make sure the policy is explicit and fair, and that all employees are aware of it and have signed the agreement. State clearly that all access and privileges terminate when employment does, and that subsequent access without permission will be prosecuted.

  • Make contingency plans with your lawyer and insurance company for actions to be taken in the event of a break-in or other crime, the related investigation, and any subsequent events.

  • Identify law enforcement personnel who are qualified to investigate problems that you may have ahead of time. Introduce yourself and your concerns to them in advance of a problem. Having at least a nodding acquaintance will help if you later encounter a problem that requires you to call upon law enforcement for help.

  • Consider joining societies or organizations that stress ongoing security awareness and training. Work to enhance your expertise in these areas.
