Intrusion Detection Law
CS 493/693 Lecture,
Dr. Lawlor, 2006/04/24
See Chapter 9 of Bace's Intrusion Detection book for tons of detail on network security law.
Using "Soft Law" to Stop Attackers
- Use traceroute to find the DNS name of the attacking machine's organization.
- Use whois and Google to find contact information for that organization's admin.
- Send the admin a short, polite, non-accusatory letter outlining the evidence you've gathered. You'll either get:
- A fairly quick reply saying they've shut the guy down or cleaned up the hacked system.
- No response, or "It's not my problem. Go away." Go
up one organizational layer--from that admin to his boss, from that
boss to the organization's ISP, etc.
- For foreign countries, use babelfish
to do a rough translation before emailing admins. A translation
poorly by the machine constructed is better than 外国語は読み易くない。 (Japanese for "foreign languages are not easy to read").
- All this stuff takes time. Filter packets in the meantime.
Using the Law to Prosecute Attackers
- Generally speaking, the categories of peril faced by attackers include:
- Organizational. Attackers could be expelled from school or fired
from a job. The choice of what happens is up to the organization;
however most organizations are not eager to protect an attacker.
- Civil. In a civil judgement, a court determines which side wins
based on a "preponderance of evidence". A court may order an
injunction against further bad behavior, or order the repayment of
damages (actual or statutory).
- Criminal. A criminal court will only find a defendant guilty if
the evidence establishes guilt "beyond a reasonable doubt". A criminal
judgement may include damages, jail time, and probation. It's common
for judges to require attackers to stay off the net for a period of
some years after release from jail.
- Evidence of an attack must be preserved to be useful against an attacker.
- Keep notes. This is the only way you can hope to keep
track of repeated attackers. The notes are also useful in
figuring out what else you need to keep.
- Keep a documented "Chain of Custody" that details when and where a
particular piece of incriminating data came from. In court,
imagine how easy it would be for a defense lawyer to claim you modified
an unsubstantiated text file sitting on your hard drive. To
prevent this, keep a documented whole-drive image extracted in a known
way to read-only media. "dd" isn't as nice as EnCase for this purpose.
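The preservation step above, as an added example that is not part of the lecture: a POSIX shell script that takes a bit-for-bit image with dd, hashes source and image with SHA-256, marks the image read-only, and appends a timestamped chain-of-custody log line, with a second function that later re-hashes the image and checks it against the log. To keep it runnable offline the "drive" is a constructed file rather than a real block device; the file names, the log format and the examiner identity are assumptions.

```shell
#!/bin/sh
# Added example, not part of the lecture: image a "drive" with dd, hash the
# image, and append a chain-of-custody log entry. The "drive" here is a
# constructed file standing in for /dev/sdX (assumption, so it runs offline).
set -eu

WORK="${TMPDIR:-/tmp}/coc-demo.$$"
mkdir -p "$WORK"

# Constructed sample evidence (in the field this would be the device itself).
SOURCE="$WORK/suspect-drive.raw"
printf 'constructed sample disk contents: suspicious login at 03:14\n' > "$SOURCE"

# Use whichever SHA-256 tool is present (coreutils sha256sum or perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Take the image: plain byte-for-byte copy, then prove it matches the source.
# Field usage: acquire_image /dev/sdb evidence.img custody.log "examiner name"
acquire_image() {
    src="$1"; img="$2"; log="$3"; examiner="$4"
    dd if="$src" of="$img" bs=4096 2>/dev/null
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    # A hash mismatch means the copy is not usable evidence; stop here.
    [ "$src_hash" = "$img_hash" ] || { echo "hash mismatch" >&2; return 1; }
    chmod 0444 "$img"   # read-only copy, the software analogue of read-only media
    # Log line: UTC time, who acquired it, source, image path, image hash.
    printf '%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$examiner" "$src" "$img" "$img_hash" >> "$log"
    echo "$img_hash"
}

# Later verification: does the image still hash to what the log recorded?
verify_image() {
    img="$1"; log="$2"
    logged=$(awk -F'\t' -v f="$img" '$4 == f { h = $5 } END { print h }' "$log")
    [ -n "$logged" ] || return 1
    [ "$(sha256_of "$img")" = "$logged" ]
}

IMAGE="$WORK/evidence.img"
LOG="$WORK/custody.log"
HASH=$(acquire_image "$SOURCE" "$IMAGE" "$LOG" "examiner@example.org")
echo "image hash: $HASH"
verify_image "$IMAGE" "$LOG" && echo "image unchanged since acquisition"
```

The log line is what you would hand over alongside the read-only copy: anyone can re-run the hash and show the image is byte-identical to what was acquired, which is exactly the claim a defense lawyer attacks when the only record is a text file on your own drive.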
- For US attackers, the federal criminal statutes are in Title 18 of the US Code (18 USC).
It's called "Code" because it's basically a huge brick of if-then
statements; essentially "if (crime) then { punishment; }". Sadly,
they wrote it in English, and didn't factor it into subroutines very
well, so it's tricky to read--in particular, there are huge blocks of
copy-and-paste code, and a few parentheses would make it much less
ambiguous.
- Specifically, section 1030, in the chapter on Fraud, covers
computer crime. You can get up to 10 years in jail, or a
fine of open-ended size. However, it only addresses cases where the
attackers:
- Cause damage over $5000
- Steal or traffic in passwords
- Attack financial, medical, government, or military computers.
- Attack a machine "that affects interstate or foreign commerce". This is the standard workaround for the 10th amendment, which theoretically restricts the federal government to a specific list of powers. Any webserver probably applies--even one that doesn't sell anything.
- Also in the Copyright section, Title 17, Section 1201, the DMCA,
may apply to certain attacks, especially if the attackers crack
passwords. Passwords are copyrightable, since they're a written
expression. Therefore hashed passwords are a technical measure
that controls access to a copyrighted work. DMCA violations are $200 to $2,500 each.
Ways to Violate the Law in Pursuit of Attackers
- Vigilantism: (District Attorney) "You say you 'counterhacked' the
attacking IP address. When did you realize the server you
disabled belonged to a bank?"
- Negligence: "Your job was to stop these attackers. You
didn't. You're fired, and you'll be hearing from our lawyers."
- Invasion of privacy: "You found a virus in... Wait, you read my email!? You're fired!"
- Distribution of copyrighted material, trade secrets, etc.