FEATURE

It Could Happen to You: Notes From the Casebook of an Expert Witness

F.E. Taylor, Systems Technology Consultants

This article, covering case histories of expert witness work, is based on 27 years' personal involvement in expert witness work. I was then employed by a nationally known (UK) service organization which offered a free service to some of its customers; during that year (1971) the service was extended to include advice on computer contracts and performance issues which were the subject of, or were becoming the subject of, legal disputes. Seven years later I formed my own company and launched an expert witness service in March 1978. During the last 20 years some 260 legal issues have been referred to my company, all of which have been progressed by one or other of the two principal consultants. I have been personally responsible for approximately 230 of these. Out of these cases only approximately 5% have become the subject of a Court hearing, and out of those four were settled before the hearing progressed to the point of a judgement.

This illustrates one of the principal functions of an expert witness: to identify the key issues in a case, the level of responsibility and liability associated with each party involved, and where and when possible to act as a counsellor and mediator leading to a commercial settlement of the dispute which then removes it from the legal sector. Virtually all expert witness matters prejudice the security of any system or systems since they prejudice at least the:
• integrity of the system or event in dispute

and in many cases the other elements of security are involved, namely:

• confidentiality
• access control
• authorization and authentication

To date, I have not been involved in any cases concerning non-repudiation, although no doubt these will arise in the near future. These security headings are taken from International Standard IS 7498 Security Addendum. The following four cases have been carefully chosen to illustrate how serious security failure can occur and how it can affect an individual or organization.
EIIR v Trevor Enstone (1998)

Scenario

Trevor Enstone is an entrepreneur who, by his mid 50s, had been relatively successful. Like most entrepreneurs who have worked very hard he began to wind back a little and acquired a PC together with FORTE software and a browser which would allow him to surf the Usenet section of the Internet. As a consequence of personal orientation and interests he surfed a number of Usenet user groups concerned with information of a sexual nature. In the case of a very small number of images, he deliberately saved them on his machine, but any images he considered offensive or did not want were not saved and were deliberately deleted, or so he thought.

Computer Fraud & Security April 1999 3723/99/$20.00 © 1999 Elsevier Science Ltd. All rights reserved

As a consequence of a tip-off by someone who obviously did not have his interests at heart, his PC was seized by Greater Manchester Police in November 1997 and all the correct forensic procedures were followed, namely the taking of a CD-ROM image of the contents of the hard disk drive, which was then examined by the police using an appropriate forensic rig. Unfortunately for Trevor Enstone, all the images which he had very briefly browsed and immediately discarded were still in the free space on the hard disk, where they existed as deleted files and were viewable on a forensic rig. Many of these were of an objectionable nature and Trevor Enstone was correspondingly charged with making such pictures.

Legal issues

I was on the defence side of this matter and it raised a considerable number of legal issues. They are as follows:

1. Does the act of receiving and immediately discarding an offensive image constitute 'making a picture'? In a detailed report I argued that this was most certainly not the case. In the case of Usenet and the World Wide Web, the maker of the picture who owns the copyright grants a free, unrestricted licence in perpetuity to the receiver who receives the image. Indeed, the copyright remains with that person for 70 years after their death. The receiver is, therefore, in my view, not 'making' the picture.

2. Trevor Enstone deliberately discarded a number of unwanted and offensive images as soon as they began to take shape on his screen. The key issue here is whether he ever processed them, since they were deliberately discarded as unwanted at the time of initial browsing. This is a second key issue. Certain police forces maintain that anyone who receives an image, whether they have seen it or not, has possessed it, but this appears contrary to normal practice, where an image can only be regarded as 'possessed' when it has been viewed and deliberately saved.

3. The design of the dialogue, i.e. command system, of the FORTE version used involved provision of 'browse' and 'save' functions in very close proximity and, since Trevor Enstone was very much a naive computer user, it is more than likely that he often hit the save button and saved images which he had never browsed and never seen. This was supported by the fact that some of the offensive images were of a very random nature and he claimed not to have seen them.

4. Although various police forces using commonly available forensic rigs have the ability to view images in free space on the hard disks of seized computers, there is not necessarily any evidence that those images have been viewed or saved, or indeed seen and/or handled, by the person operating the PC at the time of seizure. Other evidence is likely to be required in such cases, such as a video image of the defendant actually operating the PC with the images in question on the monitor.

Expert issues

Although this case involved the Forte software used to view Usenet images, the principles also apply to browsers used to browse the World Wide Web. This case raises a number of expert issues, many of which have not yet been resolved. They include, but are not restricted to:

1. The cache memory within all Internet browsers accumulates the elements of an HTML display picture before it is recognisable as a displayed image. In the event of the PC operator not liking what they see, and immediately stopping receipt of that image, can they be regarded as having possessed the image until it has been deliberately viewed and saved?

2. Until deliberately cleared, cache memory in either of the commonly used browsers, Microsoft's Explorer or Netscape's Navigator, accumulates viewed images or partial images and receives unviewed or partially viewed images. It is therefore possible for anyone with only a small amount of computer knowledge to go into the cache file or files and see what the previous operator has been doing. Herein lies a warning to employees of corporate bodies who may surf the Net looking for images of personal interest during their idle moments.

3. PC users who know they are handling sensitive information would do well to set up a DOS batch file or similar functional routine to deliberately clear all cache files, either when they turn their machine off or, more usually, when they turn it on again. Whilst this will only pass the images into free space, the continual process of doing this will minimize the number of images which might be recovered from free space. For those who wish to deliberately clear the cache memory and render the images non-recoverable, the only step is to overwrite the contents of the cache memory with incoherent information from a rubbish or junk file and then delete the file. This technique is often used in free trials of software to prevent the trialist obtaining the software for free when the trial ends.
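As an added illustration (not code from the article), the following Python model shows the point made in items 2 and 3 above: a plain delete only returns cache blocks to free space with their contents intact, a later write reclaims some of those blocks but leaves the rest to be carved, and only an overwrite-then-delete leaves nothing for a free-space scan to find. The block device, its block size and the sample image are constructed simplifications for this example, not any real on-disk format.

```python
"""Toy disk model: why a deleted cache image is still recoverable from
free space, and why overwriting before deletion is different.

Added example for this article, not code from the original page.  The
filesystem is a constructed simplification (fixed-size blocks, a directory
table mapping names to block lists, first-fit allocation); it models only
allocation state and block contents, not any real on-disk format.
"""
import os

BLOCK_SIZE = 16  # constructed value; real filesystems use 512 bytes or more


class ToyDisk:
    """A flat block device plus a directory table."""

    def __init__(self, n_blocks):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]
        self.free = set(range(n_blocks))  # unallocated block numbers
        self.directory = {}               # file name -> list of block numbers

    def write_file(self, name, data):
        """Allocate blocks first-fit, copy data in, record them in the directory."""
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        owned = []
        for chunk in chunks:
            blk = min(self.free)
            self.free.remove(blk)
            self.blocks[blk] = chunk.ljust(BLOCK_SIZE, b"\0")
            owned.append(blk)
        self.directory[name] = owned

    def delete_file(self, name):
        """Ordinary delete (DEL / unlink): drop the directory entry and mark
        the blocks free, but leave their contents untouched."""
        self.free.update(self.directory.pop(name))

    def wipe_file(self, name):
        """Overwrite every block with junk, then delete: the 'overwrite the
        cache with incoherent information and then delete' routine."""
        for blk in self.directory[name]:
            self.blocks[blk] = os.urandom(BLOCK_SIZE)
        self.delete_file(name)

    def carve_free_space(self):
        """What a forensic rig sees: the contents of all unallocated blocks."""
        return b"".join(self.blocks[b] for b in sorted(self.free))


# Constructed sample 'image': a recognisable header followed by a payload.
SAMPLE_IMAGE = b"GIF89a-CONSTRUCTED-SAMPLE-IMAGE-" + b"\x01" * 40
HEADER_MARKER = b"CONSTRUCTED-SAMPLE-IMAGE"   # sits across blocks 0 and 1
PAYLOAD_MARKER = b"\x01" * BLOCK_SIZE         # fills blocks 2 and 3


def survives_in_free_space(disk, marker):
    """True if `marker` can still be carved out of unallocated space."""
    return marker in disk.carve_free_space()


def demo_delete_vs_wipe():
    """Return four booleans: (header after plain delete, header after wipe,
    header after delete then reuse, payload after delete then reuse)."""
    d1 = ToyDisk(8)
    d1.write_file("cache/img1.gif", SAMPLE_IMAGE)
    d1.delete_file("cache/img1.gif")
    after_delete = survives_in_free_space(d1, HEADER_MARKER)

    d2 = ToyDisk(8)
    d2.write_file("cache/img1.gif", SAMPLE_IMAGE)
    d2.wipe_file("cache/img1.gif")
    after_wipe = survives_in_free_space(d2, HEADER_MARKER)

    # Delete, then let a later small file reuse the first two blocks: the
    # header is gone but the payload blocks are still there to be carved.
    d3 = ToyDisk(8)
    d3.write_file("cache/img1.gif", SAMPLE_IMAGE)
    d3.delete_file("cache/img1.gif")
    d3.write_file("cache/later.txt", b"x" * (2 * BLOCK_SIZE))
    header_after_reuse = survives_in_free_space(d3, HEADER_MARKER)
    payload_after_reuse = survives_in_free_space(d3, PAYLOAD_MARKER)

    return after_delete, after_wipe, header_after_reuse, payload_after_reuse


if __name__ == "__main__":
    print(demo_delete_vs_wipe())  # (True, False, False, True)
```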
Proceedings

As a consequence of his personal position and the fact that he was somewhat upset by the whole matter, he pleaded guilty in July 1998 to the offences and charges, which were part of a set of offences including other offences, and was subsequently sentenced to seven years in jail. The proceedings involved sentencing only.

Security issues

The issue of rendering cache memory contents non-recoverable has already been dealt with under 'Expert issues' earlier in this article. From the point of view of security managers, especially in corporate bodies, the technology presently in place allows security managers to explore exactly what staff have been doing when Internet browsers have been used. Very few corporate bodies require users to consult the Usenet sub-network of the Internet, since it contains very little commercially valuable information, and the existence of a Usenet scanner/browser within a corporate PC speaks for itself!
EIIR v Mack and Jackson (1998)

Scenario

Mr Mack was formerly a relatively senior technically qualified employee of British Telecom. He left the company early in 1996 to allegedly launch a high value premium rate telephone service providing high value information on demand, covering many aspects of communications technology, to those with an urgent need who would feed enquiries into a system and receive the responses to their enquiries in computer-compatible format. Retrospective examination of the service suggests that, at least in theory, it would cover anything from the pin connections for a D sub-min connector carrying V24 or X25 signals through to the structure of X25/HDLC packets in terms of sequence, size and significance of the fields, and other similar information which is sometimes urgently required in order to solve design or operational problems. Conceptually, this was a very welcome and highly valuable service to those working at a high technical level within the communications profession. To satisfy the perceived need for such information on demand (which I would most certainly support) Mr Mack, with the assistance of Mr Jackson, took out a licence to use an 0897 premium rate number for this service, carrying a premium of £1.50 per minute at the time of licensing, and subsequently seemed to launch his service in March 1996. During the first month of operation a very considerable number of calls appeared to reach the database server, which was actually sited at Mr Mack's home, clocking up a considerable number of premium minutes. It is understood that the accrued sum due to Mr Mack at the end of the first month of operation was of the order of £20 000 or so. Fortunately, just before remittance was despatched, one of BT's other staff (realising that they too were communications experts!) decided to examine the traffic on the premium rate line. He was more than puzzled to find that it consisted of nothing other than spaces, commas and carriage return characters. There was no data related to communications technology, particularly of the type which was purported to be offered. This led to a joint investigation by British Telecom's Investigation Department and South Yorkshire Police. I was retained by the latter as an expert witness to certify and accredit all their work and provide a second opinion as matters progressed.

The findings were that a relatively small PC had been placed in Mr Jackson's home to create calls to a BT 0800 exchange which were, of course, free calls. The actual calls contained information which would generate a call back to the 0897 server PC which was based at Mr Mack's home. The critical link was within the 0800 exchange: outgoing calls from Mr Jackson's PC were received into a mailbox, passed to a second mailbox in such a way that the calling number was stripped off, and then the second mailbox was activated to generate a call back to Mr Mack's machine. The procedure for passing the calling information from mailbox to mailbox was and is confidential to BT as the 0800 exchange owner and operator, but there is no doubt about the functionality which occurred in order to create the traffic observed on the 0897 line. Mr Jackson's machine was, therefore, making long timed calls to an 0897 line at Mr Mack's home. It tested the line at short intervals if a call was not in progress and, if that was the case, it would generate a call to it which had a time duration of between 15 and 25 minutes set by a timing loop in the CROSSTALK software. The line was then broken, tested and a new call set up when it was determined to be free, which was of course the case since the service had not been widely publicized, it not being a genuine service extracting information from a correctly populated database. The presented work involved going through the various communication scripts using the CROSSTALK protocols which generated calls within Mr Jackson's machine to the 0897 service. All the features just mentioned were detected: the called number, which was an 0897 number; the timing loop for timing the duration of calls; and a test facility to test whether the 0897 line was free.

Legal issues

In addition to the calls to the 0897 number, a number of other calls were made to questionable numbers including bulletin boards carrying very questionable images of females. In addition to the fraudulent use of an 0897 number, the second issue raised was that of misuse of a telephone line being paid for by another party, in this case British Telecom, for an unauthorized purpose. Had it gone further, this would have resulted in charges under the Computer Misuse Act. These were not progressed in view of the fact that the major issue already raised was considered to have sufficient charges for the time being.

Expert issues

The main work involved in accrediting and certifying the work of the investigators was carefully checking detail features such as:

• The accuracy of the clock on each of the PCs concerned.
• The date of creation of the various files involved in the case.
• The contents of the functional files which would, and indeed did, create calls to the 0897 number, right down to the bit level.

In other words, this was forensic work not only down to the nuts and bolts level, but down to the threads level as well!

Proceedings

The proceedings in this particular case were all set up to go in mid July 1998 and were scheduled to start on 21 July. After preparing for a long Court hearing of around three weeks or so, I and all the others involved were informed in the middle of July 1998 that both Mack and Jackson had pleaded guilty after, no doubt, reviewing all the highly detailed and accredited evidence which had been accumulated in connection with this case, and they were duly sentenced by the Crown Court, Sheffield, UK. The need for the hearings was thus eliminated by the guilty plea. At Doncaster Crown Court on 25 September 1998 David Mack was sentenced to 18 months imprisonment suspended for two years and ordered to pay £10 000 towards the costs of this case. Charles Jackson was sentenced to 100 hours of community service.

Security issues

It is almost self evident that in this case the access control features which were in place on the various mailboxes in BT's 0800 exchange would best have been changed when a key employee who knew them, namely Mr Mack, left the company to allegedly set up and run a business in the same professional sector and, in this case, involving complementary use of BT's services. That they were not changed allowed the mailbox transfers to occur, with the results set out here! In other words, the main factor which allowed this near massive fraud to occur was the failure to implement and action rigorous and disciplined changes to access control tokens and passwords.
A logic bomb within a CAD management system operated by AB Packaging (1984)

Scenario

AB Packaging were a highly successful West Midlands, UK goods processing company who added attractive packaging and value to bulk goods, and split them up into individual units or small groups of units for sale. To improve customer response and minimize the dwell time of goods on the shop floor, i.e. optimize the use of workspace, it ordered a computer-aided production (CAD) management system. Its objective was to more closely control the allocation of incoming goods to the staff who would pack or adjust or add value to incoming items and in so doing prepare them for sale. The operations within the company were virtually completely labour-intensive, and at times several hundreds of staff worked on conveyor lines, converting incoming goods into outgoing, packed items. Their work was controlled manually by some 26 production scheduling staff who monitored orders taken, the arrival of incoming goods, and the flow of goods along the conveyor lines and into the despatch vehicles for despatch to various market outlets. In view of the fact that the nature of the work carried out was labour intensive using relatively unskilled people, this trading sector is extremely competitive. The key to success is very rapid turnaround of incoming goods to maintain goodwill with customers, and to minimize the time between arrival of incoming goods and their despatch for marketing and sale, in order to speed up the corresponding cash flow.

The CAD management system was ordered several months before its arrival and was scheduled to arrive approximately one month before it actually arrived. In order to justify the costs of the system, the 26 production scheduling staff were given one month's notice of redundancy, which was issued at the promised time of delivery of the computer system so that one month's parallel running of the manual and computer systems would be possible. In the event, delivery of the system was one month late. The overlap between manual production scheduling by disillusioned staff who were being made redundant and the incoming computer system was an overlap of three days only. No exhaustive parallel running could be carried out to check consistency between manual and computer scheduling. Four days after the production scheduling staff had left the company, and some seven days into operation of the new computer system, a 'logic bomb' in the software zeroed all the data files, and virtually all the input information relating to customers, products in progress and future orders was totally lost. The system was new, and the member of staff operating it had not been taught to take back-ups; therefore, recovery using the same computer system, or another computer system with modified software to eliminate the erroneous program, was not possible. Neither was it possible to revert to the manual system since the staff who operated it had left.
The net result was chaos, and the goods which were supposed to flow along the company's production lines (typical time between receipt and departure was within 48 hours) ceased to move since there were no schedules to establish and progress their movement. Customers became disillusioned when they did not arrive. Within 48 hours virtually all the incoming goods which had arrived for processing were taken elsewhere to competitors for processing, as were future orders.

Legal issues

Since the company went into liquidation and no funds were available for detailed investigation to determine the cause and the origin of this 'logic bomb', they were never determined. No one knows to this day whether it was accidental or deliberate.

Expert issues

The origin of this 'logic bomb' was never determined since the company effectively went into liquidation some days after it virtually lost the major part of its business. The problem may have been a deliberate 'logic bomb' put in by an aggrieved member of staff about to depart (involuntarily), or by a competitor, or by someone within the systems house which had produced the system, although the latter seems most unlikely.

Proceedings

Since continuous production scheduling is crucial to such a company, diversion of middle and senior level management from their usual tasks could have saved the company. No such contingency plans were ever formulated, and it therefore went into liquidation.

Security issues

The security lessons learned from this particular case are:

• Parallel running of new computer systems and manual systems is absolutely vital.
• The taking and preservation of back-ups, including copies both on and off site, is absolutely vital.
• All software should be thoroughly tested before delivery, and the user company should require successful running of acceptance tests at the supplier's premises before delivery and re-test the software on arrival at the point of use.
• A contingency plan to operate a system with reduced computer facilities in the event of a program failing or becoming suspect is again absolutely vital. Such a contingency plan should involve fall-back to a manual system operated by staff diverted from their normal tasks, such as managers, in order to maintain production activities and their scheduling, particularly in a company such as this operating in a highly competitive field.

EIIR v Stuart Pearson (1996)

Scenario

Stuart Pearson in 1995 was a highly trained, enthusiastic computer professional who did not have a job at the time. He was also a computer hobbyist and had an Amiga computer and a 2400 bits per second battery-driven modem. He understandably went 'fishing' for free resources during the days he had available to keep up his interest and competence. In July 1996, he appeared in court under the Computer Misuse Act for using an 0800 free call number, which he had innocently obtained from a public bulletin board for Amiga users and which he had attempted to use as a gateway to get electronic mail onto the Internet. It allowed access to a Unix machine which had international dial-out facilities. Shortly after he attempted this he was visited by the police, who seized his computer configuration and charged him with Computer Misuse. It emerged during the proceedings that the 0800 number he used was intended to be a secret number used only by sales staff of a company in Pocklington, UK.
Legal issues

The Computer Misuse Act requires the person charged to intend or succeed in deliberate, unauthorized access. No evidence was or could be produced of deliberate intent.

Expert issues

These include:

• Had the defendant been warned at any time that he was attempting to access a private site? The answer was "no".
• Why was the DP manager of the attacked company logged onto an Amiga bulletin board not relevant to his work during working hours? This was detected by accident whilst examining the Amiga bulletin board used by Stuart Pearson.

Proceedings

Stuart Pearson was charged under the Computer Misuse Act Sections 2 and 3: attempted or successful unauthorized access to a computer system with serious intent rather than mischievous intent. As the case proceeded it became clear that there was no 'mens rea' or deliberate intent. He had used what appeared to be a free service, but free use had not been granted by the owners, but rather by someone mischievous or with a grievance against the machine's owners who knew the 0800 number which gave access. Because there was no intent to commit any sort of serious offence, and the number had been innocently used, the case was found proved technically, but the defendant was simply bound over to be of good behaviour for a year, i.e. effectively there was no penalty providing he continues to behave himself.

Security issues

Unbelievably, it emerged that the access password for the Unix root directory of the 'attacked' machine was absent and had never been set up, let alone changed. There were, therefore, no barriers or warnings of passing a critical security boundary. This should never have occurred.

Postscript

These case histories show that many companies with restricted computer security knowledge can be totally at risk unless adequate security measures are implemented before any critical computer system on which the company will rely is brought into operation. The scene is changing, as shown by the case histories described and in particular by the attacks originating from personal computers in domestic environments which are now occurring. A number of factors and trends have been set out in this article which affect security. They are changing with time and the position may be summarized as follows:

• The Trevor Enstone case has shown that Internet software can be a two-edged sword. It keeps images which have been downloaded, but which may never have been seen by the PC's operator. Even after deletion they can be recovered using special software (e.g. Norton Utilities) or forensic rigs. Bad news for the operator unless they deliberately overwrite the contents of the cache memory. On the other hand, this is good news for security managers and officers who wish to check what employees have been doing and confirm that access to the Net is within authorized bounds. A quick look at the cache memory will reveal all unless it has been deliberately overwritten. If it has, the reason why needs to be looked into: who is trying to hide what?

• The David Mack case shows very clearly what can happen if a complete chain of access controls is not maintained. In this case, changes on a periodic basis would have been desirable, and also on departure of any member of staff with a good working knowledge of all the passwords. Failure to action this literally enabled the fraud which occurred to be perpetrated. Dial-through mailboxes are so sensitive in some cases that use of 'one-time' passwords, as used in the defence sector, is desirable. This is also done by one leading building society.

• The AB Packaging case shows what can happen when:
  • untested software is commissioned in haste for whatever reason, and the same remark applies to software not acquired from an approved source and virus tested before use;
  • back-ups are not maintained at very regular intervals, e.g. four times a day, until a system is known to have integrity and be stable. In this case, the problem encountered took the company out.

• The Stuart Pearson case demonstrates the folly of not changing, or in this case not creating, a structured password system within any computer system on which a company's business depends. It is implicit that timely changes of password are necessary. It also demonstrates the folly of using an 0800 number for incoming calls by sales staff. Use of chargecards with their PIN, which can be changed, would have given the required level of security. 0800 numbers are often scanned by curious amateurs looking for bargains or promotions sold via freecall marketing numbers. Detection of a modem tone will only arouse more curiosity.

The trend in the security area can be summarized by using the well-established security addendum to the open systems standard (IS 7498 PAD2) as a structure and model. In my view, the position is as follows:

1. Integrity has increased rapidly over the last decade, principally as a consequence of the falling cost of backup hardware and rapid developments in the power and capability of processing hardware. This trend is likely to continue and will enhance and increase integrity within all systems using such state-of-the-art hardware.

2. Confidentiality is based principally on encryption techniques, and particularly results from use of sophisticated encryption techniques such as the RSA algorithm and potentially the Clipper algorithm. The absence of recent cases in this area suggests that security is increasing, i.e. threats are decreasing.

3. Access control is becoming a critical issue as a result of the tremendous openness of modern PC-based systems, particularly those using proprietary and widely distributed 'open standards' products. Their security features in the access control area normally rely on passwords of increasing length which give a high level of security. Ultimately, such security is under the control of the user since they determine the frequency of change of such passwords. A radical step forward in the access control field will probably come in the not too distant future with biometrics-based devices detecting biological characteristics such as fingerprints or voiceprints. Devices based on eye (iris) characteristics or recognition of pre-stored pictures of people are now available commercially and will give a higher level of control than passwords.

4. Authentication and masquerading as a legitimate user in order to perpetrate a fraud is a problem which has been known for some time, but the number of occurrences appears to be decreasing. In more than 20 years of investigation I have not encountered any authentication problems.

5. Non-repudiation of critical messages is a field which is only just becoming a security matter, and few cases exist, none of which are yet known to have led to court proceedings. However, providing notarisation measures as specified within IS 7498 PAD2 are installed ahead of threats, there should be no problems and the trend in security should be towards a zero occurrence rate.

This article has attempted to analyse a number of specific case histories to show how security events are changing with time and to indicate likely trends in the future.