home | O'Reilly's CD bookshelfs | FreeBSD | Linux | Cisco | Cisco Exam  

Practical UNIX & Internet Security

Practical UNIX & Internet SecuritySearch this book
Previous: 26.1 Legal Options After a Break-in Chapter 26
Computer Security and U.S. Law
Next: 26.3 Civil Actions

26.2 Criminal Prosecution

You are free to contact law-enforcement personnel any time you believe that someone has broken a criminal statute. You start the process by making a formal complaint to a law-enforcement agency. A prosecutor will likely decide if the allegations should be investigated and what (if any) charges should be filed.

In some cases (perhaps a majority of them), criminal investigation will not help your situation. If the perpetrators have left little trace of their activity and the activity is not likely to recur, or if the perpetrators are entering your system through a computer in a foreign country, you are not likely to trace or arrest the individuals involved. Many experienced computer intruders will leave little tracing evidence behind.[2]

[2] Although few computer intruders are as clever as they believe themselves to be.

There is no guarantee that a criminal investigation will ever result from a complaint that you file. The prosecutor involved (Federal, state, or local) will need to decide which, if any, laws have been broken, the seriousness of the crime, the availability of trained investigators, and the probability of a conviction. Remember that the criminal justice system is very overloaded; new investigations are started only for very severe violations of the law or for cases that warrant special treatment. A case in which $200,000 worth of data is destroyed is more likely to be investigated than is a case in which someone is repeatedly trying to break the password of your home computer.

Investigations can also place you in an uncomfortable and possibly dangerous position. If unknown parties are continuing to break into your system by remote means, law-enforcement authorities may ask you to leave your system open, thus allowing the investigators to trace the connection and gather evidence for an arrest. Unfortunately, if you leave your system open after discovering that it is being misused, and the perpetrator uses your system to break into or damage another system elsewhere, you may be the target of a third-party lawsuit. Cooperating with law-enforcement agents is not a sufficient shield from such liability. Before putting yourself at risk in this way, you should discuss alternatives with your lawyer.

26.2.1 The Local Option

One of the first things you must decide is to whom you should report the crime. Usually, you should deal with local or state authorities, if at all possible. Every state currently has laws against some sort of computer crime. If your local law-enforcement personnel believe that the crime is more appropriately investigated by the Federal government, they will suggest that you contact Federal authorities.

You cannot be sure whether your problem will receive more attention from local authorities or from Federal authorities. Local authorities may be more responsive because you are not as likely to be competing with a large number of other cases (as frequently occurs at the Federal level). Local authorities may also be more likely to be interested in your problems, no matter how small the problems may be. At the same time, local authorities may be reluctant to take on high-tech investigations where they have little expertise.[3] Many Federal agencies have expertise that can be brought in quickly to help deal with a problem. One key difference is that investigation and prosecution of juveniles is more likely to be done by state authorities than by Federal authorities.

[3] Although in some venues, there are very experienced local law-enforcement officers, and they may be more experienced than a typical Federal officer.

Some local law-enforcement agencies may be reluctant to seek outside help or to bring in Federal agents. This may keep your particular case from being investigated properly.

In many areas, because the local authorities do not have the expertise or background necessary to investigate and prosecute computer-related crimes, you may find that they must depend on you for your expertise. In many cases, you will be involved with the investigation on an ongoing basis - possibly to a great extent. You may or may not consider this a productive use of your time.

Our best advice is to contact local law enforcement before any problem occurs, and get some idea of their expertise and willingness to help you in the event of a problem. The time you invest up front could pay big dividends later on if you need to decide who to call at 2 a.m. on a holiday because you have found evidence that someone is making unauthorized use of your system.

26.2.2 Federal Jurisdiction

Although you might often prefer to deal with local authorities, you should contact Federal authorities if you:

  • Are working with classified or military information

  • Have involvement with nuclear materials or information

  • Work for a Federal agency and its equipment is involved

  • Work for a bank or handle regulated financial information

  • Are involved with interstate telecommunications

  • Believe that people from out of the state or out of the country are involved with the crime

Offenses related to national security, fraud, or telecommunications are usually handled by the FBI . Cases involving financial institutions, stolen access codes, or passwords are generally handled by the U.S. Secret Service. However, other Federal agents may also have jurisdiction in some cases; for example, the Customs Department, the U.S. Postal Service, and the Air Force Office of Investigations have all been involved in computer-related criminal investigations.

Luckily, you don't need to determine jurisdiction on your own. If you believe that a Federal law has been violated in your incident, call the nearest U.S. Attorney's office and ask them who you should contact. Often, that office will have the name and contact information for a specific agent, or office in which the personnel have special training in investigating computer-related crimes.

26.2.3 Federal Computer Crime Laws

There are many Federal laws that can be used to prosecute computer-related crimes. Usually, the choice of law pertains to the type of crime, rather than whether the crime was committed with a computer, a phone, or pieces of paper. Depending on the circumstances, laws relating to wire fraud, espionage, or criminal copyright violation may come into play.

Some likely laws that might be used in prosecution include:

18 U.S.C. 646

Embezzlement by a bank employee.

18 U.S.C. 793

Gathering, transmitting, or losing defense information.

18 U.S.C. 912

Impersonation of a government employee to obtain a thing of value.

18 U.S.C. 1005

False entries in bank records.

18 U.S.C. 1006

False entries in credit institution records.

18 U.S.C. 1014

False statements in loan and credit applications.

18 U.S.C. 1029

Credit Card Fraud Act of 1984.

18 U.S.C. 1030

Computer Fraud and Abuse Act.

18 U.S.C. 1343

Wire fraud (use of phone, wire, radio, or television transmissions to further a scheme to defraud).

18 U.S.C. 1361

Malicious mischief to government property.

18 U.S.C. 2071

Concealment, removal, or mutilation of public records.

18 U.S.C. 2314

Interstate transportation of stolen property.

18 U.S.C. 2319

Willful infringement of a copyright for profit.

18 U.S.C. 2701-2711

Electronic Communications Privacy Act.

In the coming years, we fully expect new laws to be passed governing crime on networks and malicious mischief on computers. We also expect some existing laws to be modified to extend coverage to certain forms of data used on computers. Luckily, you don't need to carefully track each and every piece of legislation in force (unless you really want to): the decision about which laws to use, if any, will be up to the U.S. Attorney for your district.

26.2.4 Hazards of Criminal Prosecution

There are many potential problems in dealing with law-enforcement agencies, not the least of which is their lack of experience with computer criminal-related investigations. Sadly, there are still many Federal agents who are not well versed with computers and computer crime. In most local jurisdictions, there may be even less expertise. Your case will be probably be investigated by an agent who has little or no training in computing.

Computer-illiterate agents will sometimes seek your assistance and try to understand the subtleties of the case. Other times, they will ignore helpful advice - perhaps to hide their own ignorance - often to the detriment of the case and to the reputation of the law-enforcement community.

If you or your personnel are asked to assist in the execution of a search warrant, to help identify material to be searched, be sure that the court order directs such "expert" involvement. Otherwise, you may find yourself complicating the case by appearing as an overzealous victim. You will usually benefit by recommending an impartial third party to assist the law-enforcement agents.

The attitude and behavior of the law-enforcement officers can cause you major problems. Your equipment might be seized as evidence, or held for an unreasonable length of time for examination. If you are the victim and are reporting the case, the authorities will usually make every attempt to coordinate their examinations with you, to cause you the least amount of inconvenience. However, if the perpetrators are your employees, or if regulated information is involved (bank, military, etc.), you might have no control over the manner or duration of the examination of your systems and media. This problem becomes more severe if you are dealing with agents who need to seek expertise outside their local offices to examine the material. Be sure to keep track of downtime during an investigation as it may be included as part of the damage during prosecution and any subsequent civil suit.

An investigation is another situation in which backups can be extremely valuable. You might even make use of your disaster-recovery plan, and use a standby or spare site while your regular system is being examined.

Heavy-handed or inept investigative efforts may also place you in an uncomfortable position with respect to the computer community. Attitudes directed toward law-enforcement officers can easily be redirected toward you. Such attitudes can place you in a worse light than you deserve, and may hinder not only cooperation with the current investigation, but also with other professional activities. Furthermore, they may make you a target for electronic attack or other forms of abuse after the investigation concludes. These attitudes are unfortunate, because there are some very good investigators, and careful investigation and prosecution may be needed to stop malicious or persistent intruders.

For these reasons, we encourage you to carefully consider the decision to involve law-enforcement agencies with any security problem pertaining to your system. In most cases, we suggest that you may not want to involve the criminal justice system at all unless a real loss has occurred, or unless you are unable to control the situation on your own. In some instances, the publicity involved in a case may be more harmful than the loss you have sustained. However, be aware that the problem you spot may be part of a much larger problem that is ongoing or beginning to develop. You may be risking further damage and delay if you decide to ignore the situation.

We wish to stress the positive. Law-enforcement agencies are aware of the need to improve how they investigate computer crime cases, and they are working to develop in-service training, forensic analysis facilities, and other tools to help them conduct effective investigations. In many jurisdictions (especially in high-tech areas of the country), investigators and prosecutors have gained considerable experience and have worked to convey that information to their peers. The result is a significant improvement in law enforcement effectiveness over the last few years, with a number of successful investigations and prosecutions. You should very definitely think about the positive aspects of reporting a computer crime - not only for yourself, but for the community as a whole. Successful prosecutions may help dissuade further misuse of your system and of others' systems.

26.2.5 If You or One of Your Employees Is a Target of an Investigation...

If law-enforcement officials believe that your computer system has been used by an employee to break into other computer systems, to transmit or store controlled information (trade secrets, child pornography, etc.), or to otherwise participate in some computer crime, you may find your computers impounded by a search warrant (criminal cases) or writ of seizure (civil cases). If you can document that your employee has had limited access to your systems, and if you present that information during the search, it may help limit the scope of the confiscation. However, you may still be in a position in which some of your equipment is confiscated as part of a legal search.

Local police or Federal authorities can present a judge with a petition to grant a search warrant if they believe there is evidence to be found concerning a violation of a law. If the warrant is in order, the judge will almost always grant the search warrant. Currently, a few Federal investigators and law-enforcement personnel in some states have a poor reputation for heavy-handed and excessively broad searches. The scope of the search is usually detailed in the warrant by the agent in charge and approved by the judge; most warrants are derived from "boiler plate" examples that are themselves too broad. These problems have resulted in considerable ill will, and in the future might result in evidence not being admissible on Constitutional grounds because a search was too wide-ranging. How to define the proper scope of a search is still a matter of some evolution in the courts.

Usually, the police seek to confiscate anything connected with the computer that may have evidence (e.g., files with stolen source code or telephone access codes). This confiscation might result in seizure of the computer, all magnetic media that could be used with the computer, anything that could be used as an external storage peripheral (e.g., videotape machines and tapes), auto-dialers that could contain phone numbers for target systems in their battery-backed memory, printers and other peripherals necessary to examine your system (in case it is nonstandard in setup), and all documentation and printouts. In past investigations, even laser printers, answering machines, and televisions have been seized by Federal agents.

Officers are required to give a receipt for what they take. However, you may wait a very long time before you get your equipment back, especially if there is a lot of storage media involved, or if the officers are not sure what they are looking for. Your equipment may not even be returned in working condition - batteries discharge, media degrades, and dust works its way into moving parts.

You should discuss the return of your equipment during the execution of the warrant, or thereafter with the prosecutors. You should indicate priorities (and reasons) for the items to be returned. In most cases, you can request copies of critical data and programs. As the owner of the equipment, you can also file suit[4] to have it returned, but such suits may drag on and may not be productive. Suits to recover damages may not be allowed against law-enforcement agencies that are pursuing a legitimate investigation.

[4] If it is a Federal warrant, your lawyer may file a "Motion for Return of Property" under Rule 41(e) of the Federal Rules of Criminal Procedure.

You can also challenge the reasons used to file the warrant and seek to have it declared invalid, forcing the return of your equipment. However, in some cases, warrants have been sealed to protect ongoing investigations and informants, so this option can be made much more difficult to execute. Equipment and media seized during a search may be held until a trial if they contain material to be used as prosecution evidence. Some state laws require forfeiture of the equipment on conviction.

At present, a search is not likely to involve confiscation of a mainframe or even a minicomputer. However, confiscation of tapes, disks, and printed material could disable your business even if the computer itself is not taken. Having full backups offsite may not be sufficient protection, because tapes might also be taken by a search warrant. If you think that a search might curtail your legitimate business, be sure that the agents conducting the search have detailed information regarding which records are vital to your ongoing operation and request copies from them.

Until the law is better defined in this area, you are well advised to consult with your attorney if you are at all worried that a confiscation might occur. Furthermore, if you have homeowners' or business insurance, you might check with your agent to see if it covers damages resulting from law-enforcement agents during an investigation. Business interruption insurance provisions should also be checked if your business depends on your computer.

26.2.6 Other Tips

Here is a summary of additional observations about the application of criminal law to deter possible abuse of your computer. Note that most of these are simply good policy whether or not you anticipate break-ins.

  • Replace any welcome message from your login program and /etc/motd file with warnings to unauthorized users stating that they are not welcome. We know of no legal precedent where a welcome message has been used as a successful defense for a break-in; however, some legal authorities have counselled against anything that might suggest a welcome for unwanted visitors.

  • Put copyright and/or proprietary ownership notices in your source code and data files. Do so at the top of each and every file. If you express a copyright, consider filing for the registered copyright - this version can enhance your chances of prosecution and recovery of damages.

  • Be certain that your users are notified about what they can and cannot do.

  • If it is consistent with your policy, put all users of your system on notice about what you may monitor. This includes email, keystrokes, and files. Without such notice, monitoring an intruder or a user overstepping bounds could itself be a violation of wiretap or privacy laws!

  • Keep good backups in a safe location. If comparisons against backups are necessary as evidence, you need to be able to testify as to who had access to the media involved. Having tapes in a public area probably will prevent them from being used as evidence.

  • If something happens that you view as suspicious or that may lead to involvement of law-enforcement personnel, start a diary. Note your observations and actions, and note the times. Run paper copies of log files or traces and include those in your diary. A written record of events such as these may prove valuable during the investigation and prosecution. Note the time and context of each and every contact with law-enforcement agents, too.

  • Try to define, in writing, the authorization of each employee and user of your system. Include in the description the items to which each person has legitimate access (and the items that each person cannot access). Have a mechanism in place so that each person is apprised of this description and can understand their limits.

  • Tell your employees explicitly that they must return all materials, including manuals and source code, when requested or when their employment terminates.

  • If something has happened that you believe requires law-enforcement investigation, do not allow your personnel to conduct their own investigation. Doing too much on your own may prevent some evidence from being used, or may otherwise cloud the investigation. You may also aggravate law-enforcement personnel with what they might perceive to be outside interference in their investigation.

  • Make your employees sign an employment agreement that delineates their responsibilities with respect to sensitive information, machine usage, electronic mail use, and any other aspects of computer operation that might later arise. Make sure the policy is explicit and fair, and that all employees are aware of it and have signed the agreement. State clearly that all access and privileges terminate when employment does, and that subsequent access without permission will be prosecuted.

  • Make contingency plans with your lawyer and insurance company for actions to be taken in the event of a break-in or other crime, related investigation, and subsequent events.

  • Identify, ahead of time, law-enforcement personnel who are qualified to investigate problems that you may have. Introduce yourself and your concerns to them in advance of a problem. Having at least a nodding acquaintance will help if you later encounter a problem that requires you to call upon law enforcement for help.

  • Consider joining societies or organizations that stress ongoing security awareness and training. Work to enhance your expertise in these areas.

26.2.7 A Final Note on Criminal Actions

Finally, keep in mind that criminal investigation and prosecution can only occur if you report the crime. If you fail to report the crime, there is no chance of apprehension. Not only does that not help your situation, it leaves the perpetrators free to harm someone else.

A more subtle problem results from a failure to report serious computer crimes: such failure leads others to believe that there are few such crimes being committed. As a result, little emphasis is placed on budgets or training for new law-enforcement agents in this area, little effort is made to enhance the existing laws, and little public attention is focused on the problem. The consequence is that the computing milieu becomes incrementally more dangerous for all of us.

Previous: 26.1 Legal Options After a Break-in Practical UNIX & Internet Security Next: 26.3 Civil Actions
26.1 Legal Options After a Break-in Book Index 26.3 Civil Actions