Showing posts with label cyber evidence. Show all posts

Tuesday, May 29, 2012

New malware invokes label "cyber weapon"

A report from the BBC News online technology section ( http://www.bbc.com/news/technology-18238326 ) highlighted the discovery by Kaspersky Lab of a new piece of malware called 'Flame', said to be a highly complex virus.

Of particular interest to me was the following taxonomy of attackers set out in the comments of Kaspersky's chief malware expert Vitaly Kamluk: "Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states."

Back in 1998 I ran a series of reports published in FEN (Forensic Expert News) into Smart Card Hacking, which was before the successful 1998 attack on GSM SIM Cards ( http://trewmte.blogspot.co.uk/2007/08/cloning-gsm-sim-card-report.html ).

In the FEN Report Part 1 (images of original below) I referred to the following taxonomy of attackers with reference to its source:

"One of the few recent articles that discuss the subject describes the design of the current range of IBM products and proposes the following taxonomy of attackers [ADD+91]:

" Class I (clever outsiders):
They are often very intelligent but may have insufficient knowledge of the system. They may have access to only moderately sophisticated equipment. They often try to take advantage of an existing weakness in the system, rather than try to create one.
 
" Class II (knowledgeable insiders):
They have substantial specialised technical education and experience. They have varying degrees of understanding of parts of the system but potential access to most of it. They often have highly sophisticated tools and instruments for analysis.
 
" Class III (funded organisations):
They are able to assemble teams of specialists with related and complementary skills backed by great funding resources. They are capable of in-depth analysis of the system, designing sophisticated attacks, and using the most advanced analysis tools. They may use Class II adversaries as part of the attack team."

[ADD+91] DG Abraham, GM Dolan, GP Double, JV Stevens, "Transaction Security System", in IBM Systems Journal v 30 no 2 (1991) pp 206-229

I thought I would comment on this taxonomy of attackers, first published in 1991, so that researchers can have traceability back to information that tends to get airbrushed from history in the course of re-inventing newly labelled threats.
  
Background material
A copy of FEN Index ref: UPD 5/1-Vol1-FEN98 is available upon request (trewmte@gmail.com).
 


Previous discussions about Cybercrime:
http://trewmte.blogspot.co.uk/2011/10/cybercrime-really-its-ict-crime-by-any.html
http://trewmte.blogspot.co.uk/2011/09/cybercrime-procedures-deterrent-and.html
http://trewmte.blogspot.co.uk/2011/08/research-critiques-of-author.html
http://trewmte.blogspot.co.uk/2010/11/cyberbullying-report.html
http://trewmte.blogspot.co.uk/2010/10/cyber-what.html

Sunday, September 11, 2011

Cybercrime: procedures, deterrent and investigation

The title 'cybercrime', as in the Convention on Cybercrime, is not new and has had numerous airings going back to the late 1990s and early 2000s. It largely languished there, though, until it became the economic follow-up to the war on terrorism, given the significant shift towards electronic attacks, or at least the perception of the potential for crimes to be committed using technology.

Cybercrime isn't actually a qualification in itself of the 'actual crime' that has been or is about to be perpetrated. Rather, on the one hand, it provides a global heading under which prevention, deterrent and investigation can be defined for crimes where technology is, or can be, used as a conduit for a criminal or terrorist event. The technologies perceived to be relevant and 'usable' for cybercrime are set out in:

Proposal for a COUNCIL FRAMEWORK DECISION on attacks against information systems

Article 2
Definitions
For the purposes of this Framework Decision, the following definitions shall apply:
(a) "Electronic communications network" means transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable TV networks, irrespective of the type of information conveyed.

So this represents a broad range of identified technologies (whether used in natural sciences or man-made systems) that are identified avenues for 'cybercrime' procedures, deterrent and investigation. Furthermore, and on the other hand, cybercrime equally requires the 'type' of crime (substantive or inchoate) to be identified that has operated, or could operate, 'through' a single technology or a combination of them. For instance:

- a virus inserted into electronic communication messages sent via Broadband over Power Lines (BPL) that takes down, or attempts to take down, a power station causing a blackout might be indicted in criminal law as a type of crime under e.g. criminal damage, economic damage, computer misuse, terrorism etc.
- a message misrepresenting a genuine individual that allows funds to be removed from that individual's account via the wireless network may be indicted in criminal proceedings as a fraud etc.

In the UK, legislation covers crimes such as 'abstraction of electricity', 'obtaining a telecommunication service with the intention of avoiding payment', 'computer misuse', 'unlawful interception' etc. To re-write all the relevant Statutes to identify crimes like these and others as 'cybercrime' would not seem practical at all. Cybercrime, then, may well be best described for use as a 'global title' to identify a state of 'events' generated through the use of various technologies.

The International Telecommunication Union (ITU) recognises the need for cybercrime procedures, deterrent and investigation and has published two highly informative draft guides of the kind one would expect from such an experienced and authoritative organisation:

D010B0000073301PDFE.pdf

ITU toolkit cybercrime legislation.pdf

As these documents are drafts, it is clear that evolving documents will continue to refine and define 'cybercrime', but they may remain unable to avoid identifying the actual technologies used in a crime. One possible consequence of this is that forensic examiners and experts in their specific fields will continue to provide their services, but an adjustment to a report or opinion may be required, starting with e.g.

"Cybercrime Report/Opinion: The use of  X-technology in such and such an alleged crime...."