cybersecurity attacks critical legal and investigation aspects you must know

SINGAPORE POLYTECHNIC (EMOG) FORUM 2014 Security & Talent Management

Upload: keystone-law-corporation

Post on 06-May-2015



By Zaid Hamzah

4 June 2014

www.cybersecuritylaw.asia

Workshop 4

Cybersecurity Attacks: Critical Legal & Investigation Aspects You Must Know


Objectives

1. Equip participants with the concepts and principles of computer crime laws and regulations

2. Understand investigative measures, methods and techniques which can be used to determine if a computer crime has been committed.

3. Understand methods to gather, preserve and present evidence of a computer crime

4. Provide an overview of the cybersecurity law in Singapore (Computer Misuse and Cybersecurity Act (Chapter 50A)).


What we will cover

1. Learn how to identify legal risk issues in the design, development and management of information technology security systems

2. Understand key legal risk management principles and strategies that organizations should adopt as part of their information security policy;

3. Know how to carry out investigation processes and techniques when a computer crime is suspected to have been committed;

4. Understand how to manage digital evidence to ensure that such evidence meets the legal standards and requirements in court proceedings;

5. Learn how to better deal with legal and regulatory compliance in the information security arena, including understanding criminal prosecution procedures under Singapore’s cybersecurity law.


About Zaid Hamzah

• Advocate & Solicitor, Singapore

• Solicitor, England & Wales

• Author of 9 books including “E-security Law & Strategy” (other 8 books on Strategic Legal Risk Management, Information Technology Contracts, Biotechnology, Biomedical Science Law, Private Equity and Venture Capital, IP Law and Strategy)

Over 26 years of professional work experience including:

• Director for Intellectual Property at Microsoft, Asia Pacific

• Chief Legal, Regulatory & Compliance Officer, Telekom Malaysia

• Founder of software company, i-Knowledge Technologies

• Principal, SLG Consultants (regional business & investment consultancy)

• Lawyer, Khattar Wong & Partners (law firm in Singapore)

• Singapore Government Service

Present Role: Advisor to governments, enterprises, research institutions on IPR, technology commercialization, IP-based financing, intellectual capital management

Entrepreneur: www.intellectualfutures.com


E-Security Law & Strategy by Zaid Hamzah

Publisher Lexis Nexis, 2005

www.lexisnexis.com.my

ISBN 967-962-632-6 (paperback)

E-Security Law and Strategy provides a concise and management-oriented legal guide on key aspects of information security and computer forensics, an emerging practice area that deals primarily with the management of digital evidence. It is aimed at IT professionals and business executives in corporations, organizations and government agencies, as well as lawyers seeking an introduction to this emerging practice area.


KEY TAKE-AWAYS

1. Cyber-attacks harm national security and business interests - usually considered criminal acts in most jurisdictions.

2. In managing the security aspects of the networked environment, understanding how the law and legal process operate is critical to cybercrime management.

3. Knowing how digital evidence should be managed is critical to successful prosecution in the courts.

4. Creating a robust legal framework and prosecution regime is an essential building block in the fight against cybersecurity breaches – this should be part of a proactive and structured risk management framework.

GENERAL PRINCIPLES

Cybercrime – The Legal Aspects

The law operates in all aspects – You must understand legal issues & ramifications

• Chain of Custody

• Integrity of Evidence

• Burden of Proof

• Admissibility of Evidence


The Legal & Investigation Cycle

Intrusion

Detection

Evidence Preservation & Analysis

Investigation

Prosecution

Legal Aspects are Integral Parts of Cycle


Strategies to Manage Legal Aspects

Compliance with the law

Evidence produced must meet legal standards

Collection of evidence must comply with laws of criminal procedures


Key Aspects

• For successful criminal prosecution:

– Must acquire the evidence while preserving the integrity of the evidence

  • No damage during collection, transportation, or storage

  • Document everything

  • Collect everything the first time

– Establish a chain of custody

• What to watch out for:

– Don’t work on original evidence!

– Can perform analysis of evidence on exact copy!

– Make many copies and investigate them without touching original

– Can use time stamping/hash code techniques to prove evidence has not been compromised
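
The copy-and-hash workflow from this slide, shown as an added example that is not part of the original slides: the original is hashed at acquisition, analysis happens on a verified copy, and each custody record is timestamped and chained to the previous one so later edits are detectable. The function names, actor names and file names are hypothetical, and the timestamps come from the local system clock rather than a trusted time-stamping service.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_custody_entry(log, actor, action, path):
    """Append a timestamped record that commits to the previous record."""
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(),
             "actor": actor, "action": action,
             "evidence_sha256": sha256_file(path),
             "prev_hash": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify_log(log):
    """True only if no record was edited, removed or reordered."""
    prev = "0" * 64
    for e in log:
        if e["prev_hash"] != prev or e["entry_hash"] != _digest(e):
            return False
        prev = e["entry_hash"]
    return True

def make_working_copy(original, copy_path, log, actor):
    """Copy the evidence, confirm the copy is bit-identical, record it."""
    shutil.copyfile(original, copy_path)
    if sha256_file(copy_path) != sha256_file(original):
        raise ValueError("working copy does not match original")
    add_custody_entry(log, actor, "working copy created", copy_path)
    return copy_path

def demo():
    """Constructed sample: a small file stands in for an acquired image."""
    with tempfile.TemporaryDirectory() as d:
        original, log = Path(d) / "image.dd", []
        original.write_bytes(b"constructed sample evidence\n" * 100)
        acquired = add_custody_entry(log, "Investigator A", "acquired", original)
        work = make_working_copy(original, Path(d) / "work.dd", log, "Analyst B")
        work.write_bytes(b"altered during analysis")  # only the copy changes
        log_ok = verify_log(log)
        log[0]["actor"] = "Someone else"  # simulated edit of the custody record
        want = acquired["evidence_sha256"]
        return sha256_file(original) == want, sha256_file(work) != want, log_ok, verify_log(log)
```

`demo()` returns four booleans: the original still matches its acquisition hash, the altered working copy no longer does, the untouched log verifies, and the edited log fails verification.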

DIGITAL FORENSICS

Digital Forensics & the Law

Computer Forensics: An autopsy of a computer or network to uncover digital evidence of a crime

Role of Evidence in the Court: Evidence must be preserved and hold up in a court of law

HOW THE LAW OPERATES

Types of Offences & Civil Wrongs

1. Need to determine if it is a crime or a civil wrong

2. All depends on the laws of the country – so if hacking is not a criminal offence in a particular country, cybercriminals can't be put in jail in that country

3. Most cybercrimes are cross border in nature – so one needs to know how to deal with cross border legal issues

WHAT IS A CYBERCRIME?

Example of a Criminal Offence

3.—(1) Subject to subsection (2), any person who knowingly causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a second or subsequent conviction, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both.

Unauthorised access to computer material

Criminal intention + Action = CRIME

THE LEGISLATIVE FRAMEWORK IN SINGAPORE

COMPUTER MISUSE AND CYBERSECURITY ACT

Part I PRELIMINARY

Part II OFFENCES

3 Unauthorised access to computer material

4 Access with intent to commit or facilitate commission of offence

5 Unauthorised modification of computer material

6 Unauthorised use or interception of computer service

7 Unauthorised obstruction of use of computer

8 Unauthorised disclosure of access code

9 Enhanced punishment for offences involving protected computers

10 Abetments and attempts punishable as offences

Part III MISCELLANEOUS AND GENERAL

11 Territorial scope of offences under this Act

12 Jurisdiction of Courts

12A Composition of offences

13 Order for payment of compensation

14 Saving for investigations by police and law enforcement officers

15 (Repealed)

15A Cybersecurity measures and requirements

16 Arrest by police without warrant


MANAGING DIGITAL EVIDENCE


Concepts

• Burden of Proof: Beyond reasonable doubt

• Admissibility of Evidence: Cannot be illegally obtained

• Weightage of Evidence: If not strong, not so useful (but you can try)

• Integrity of Evidence: Tampered evidence cannot be used


Evidence Management Lifecycle

1. Physical evidence

2. Digital Evidence

Identify Evidence

Collect Evidence

Process Evidence

Analyze Evidence

Present in report

IP addresses are like the digital fingerprint


COMPUTER MISUSE AND CYBERSECURITY ACT


Additional slides provided by Mr Benjamin Ang

Part 2


Computer Misuse and Cyber Security Act

CMA Crimes – committed against computers

• “for securing computer material against unauthorised access or modification”

• Deals largely with “pure” computer crimes i.e. crimes against computer systems e.g. Hacking, stealing information

Other Crimes (or Torts) – committed using computers

• Spreading pornography

• Spreading sedition

• Running illegal gambling operations

• Defamation

• Fraud e.g. scam emails


Computer Misuse Act offences

Section Offence

S. 3 Unauthorised access

S. 4 Access with intent to commit further offence

S. 5 Unauthorised modification

S. 6 Unauthorised use of computer service

S. 7 Unauthorised obstruction of use

S. 8 Unauthorised disclosure of access codes

S. 9 Enhanced Punishment for Protected computers


Section 3 - Unauthorised access

• Where a person, without authority, accesses the data or a program stored in a computer.

– Hacking

– Snooping around

– Accessing commercially sensitive information e.g. financial database of bank

– Accessing someone else’s email, social media


Section 4 - Access with intent to commit further offence

• Where a person uses a computer with intent to commit an offence (theft, cheating/fraud or bodily injury)

– Setting up online transactions to transfer money from another person’s account

– Credit-card skimming to make purchases

– Credit-card skimming to create counterfeit cards

– Illegal altering of stored value of cinema smart cards

• The ACCESS is an offence even if the final offence (theft, fraud etc) was not completed


Section 5 - Unauthorised modification

• Where a person causes unauthorised modification (changes, erases, copies, moves, uses) of the contents of any computer.

– Intentionally introducing a virus

– Deleting someone else’s data

– Changing someone else’s data


What offences were committed?

• Lim Siong Khee v PP: Lim and victim broke up their relationship; three of victim’s friends received an e-mail sent from her account giving lurid details of her relationship with Lim

• PP v. Lim Boon Hong: Skimmed data stored on the magnetic strips of credit cards for the purpose of cheating the credit card companies

• Law Aik Meng v PP: Skimmed data from genuine ATM cards to manufacture cloned ATM cards

• Navaseelan Balasingam v PP: Used cloned ATM cards to withdraw money


Section 6 - Unauthorised use of computer service

• Where a person gains access without authority to any computer for the purpose of obtaining, directly or indirectly, any computer service.

– Using someone else’s account without permission

– Using someone else’s wi-fi without permission


Section 7 - Unauthorised obstruction of use

• Where a person interferes with, or interrupts or obstructs the lawful use of a computer.

– Email bombs, ‘ping’ attacks, viruses

– All kinds of Denial of Service (DOS) attacks


Section 8 - Unauthorised disclosure of access codes

• Where a person knowingly and without authority, discloses

– any password,

– access code or

– any other means of gaining access to any program or data held in any computer.


What offences were committed?

• PP v Mohd Nuzaihan: Reconfigured a company’s server to create an IRC account for himself; then used the company’s high speed link to download files from the Internet

• PP v Kendrick Tan: Sent 2,500 e-mails to 3 different addresses at the HDB, asking for a response

• Sicknet case: 2 hackers obtained the passwords of several Singnet subscribers and posted them on a US-based website called Sicknet


Section 9 – “Protected” computers

• The offender gets an enhanced sentence if he/she knew that the computer is used for –

– Security, defence, international relations;

– confidential source of information relating to the enforcement of a criminal law;

– communications infrastructure, banking and finance, public utilities, public transportation or public key infrastructure;

– public safety, essential emergency services (police, civil defence and medical services)

SEARCH & SEIZURE OF DIGITAL EVIDENCE

SEARCH AND SEIZURE CRIMINAL PROCEDURE CODE

38 Power of court to impound document or other thing produced

39 Power to access computer

40 Power to access decryption information


38 Power of court to impound document or other thing produced

• A court may, if it thinks fit, impound any document or other thing taken under this Code and produced before it.


39 Power to access computer

• 39.—(1) A police officer or an authorised person, investigating an arrestable offence, may at any time —

• (a) access, inspect and check the operation of a computer that he has reasonable cause to suspect is or has been used in connection with the arrestable offence; or

• (b) use or cause to be used any such computer to search any data contained in or available to such computer.


39 Power to access computer

• (3) Any person who obstructs the lawful exercise by a police officer or an authorised person of the powers under subsection (1), or who fails to comply with any requirement of the police officer or authorised person under subsection (2), shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 6 months or to both.


40 Power to access decryption information

• (2) The police officer or authorised person referred to in subsection (1) shall be entitled to —

• (a) access any information, code or technology which has the capability of retransforming or unscrambling encrypted data into readable and comprehensible format or text for the purposes of investigating the arrestable offence;


40 Power to access decryption information

• (b) A police officer can also require —

• any person … having charge of, or otherwise concerned with the operation of, such computer, to provide him with such reasonable technical and other assistance as he may require; and

• require any person whom he reasonably suspects to be in possession of any decryption information to grant him access to such decryption information as may be necessary

CONFIDENTIAL INFORMATION

Elements of Confidence

• The following information will be protected

– The information was confidential to the business/company;

– The information has been revealed in breach of a promise of confidence;

– The information was used in an improper way that has resulted in financial damage to the business/company.

• The owner of the information can sue for an injunction or damages
