Welcome to Linux Knowledge Base and Tutorial
Security and the Law

The laws governing computer break-ins are going to differ from state to state and country to country. Although there are now federal laws covering break-ins, they only apply to the United States. What about hackers that come in from other countries? Cliff Stoll can tell you horror stories of the problems he had.

One thing Cliff did was to take very careful notes of the intruder's activities and keep print-outs of the hacker's activity on his system. What made this useful in court was that he was very careful about how he handled the evidence.

There are several guidelines to follow if someone breaks into your system. The first thing is to contact CERT and your local law enforcement agency. Both will give you guidelines on what to do.

One of the first things that the law enforcement agency will do is to determine whether a crime has been committed. Although under federal law the mere fact that someone has gained unauthorized access to your system means they have committed a crime, there may be other issues involved such as theft of trade secrets, lost work, etc.

Because of the federal laws involved, the FBI might have jurisdiction, or at least want to be involved. However, I recommend contacting your local authorities first and letting them determine whether the FBI should be involved. Additionally, the local authorities can provide you with information on how to proceed.

One thing that the law enforcement authorities will help you with is evidence collection. Maybe you know your system inside and out, and have monitored the intruder's activities, but that does not mean what you have would be considered valid evidence in court. Your local authorities can tell you how to handle things correctly.

If information has been stolen, then you are going to want to find out what it was. This is important in estimating the financial losses for unauthorized disclosure. As an extreme example, let's take a case where an intruder steals plans for a new machine. You had planned to patent it, but since your system crashed, you are delayed. Although it would be foolish for a competitor to try and patent it themselves, they could publicize your research to destroy your competitive advantage. Therefore, it would be much more difficult to obtain a patent yourself. The amount you lost in royalties is real damages.

If you decide to pursue the issue and press both civil and criminal charges, you have to be willing to make a commitment. The police (or whatever agency is involved) cannot do it alone. They need your help in terms of both time and resources. They need someone there to show them the logs, identify the data that has been stolen as well as identify any evidence that is found in the hands of the intruder. Even after the intruder is caught, you will still have to spend time to support the investigation such as identifying data or appearing in court.

Unless you live in a large metropolitan area, there is a good chance that your local authorities may not understand the technical aspects of the crime. Basic concepts like data and networks are something they have probably heard about, but understanding them is something else. There are just too many kinds of crimes for them to be experts in them all. Even if they have one computer crime a year, they just don't have the experience. Therefore, you may have to explain just what root access is and what the extent of the access/damage could be for someone with root privileges. In other areas where such crimes are reported regularly, there are special units that deal with these types of crimes.

Obviously, if you can't prove "who dunnit" then there is no way to collect any compensation. That is why it is vital that the rules of evidence be followed.

However, do not let this discourage you. In most places, there is a difference between criminal and civil charges. In a criminal case, the prosecution has to prove their case beyond a reasonable doubt. In a civil case, the plaintiff needs to prove a preponderance of the evidence. This means that someone can be declared not guilty in a criminal trial, but still be held liable in a civil case. Look at the O.J. Simpson case as an example.

Although the police can give you specific guidelines, here are a few points to consider while you are waiting for the police to arrive.

First, if the only evidence you have is based on on-line information such as files in the user's directory or email messages, you are on thin ice. Just as an intruder can steal files, he can also plant evidence. Although this kind of "evidence" might be sufficient to get a warrant to search the suspect's house, it might not be enough to prove the person's guilt.

It might be sufficient for you to use this information as grounds for termination of an employee. But you must also be careful. Is there a reasonable expectation of privacy when sending email or storing files? If it is company policy that anything on the computers is company property, then you may have a case. I have worked for companies that have said email will not be read by anyone. In that case there is a reasonable expectation of privacy, and the company could be sued if they looked through someone's email. Here again, talk to the law enforcement agencies.

Speed is also important when gathering evidence. Maybe an intruder has used one machine as a storage house for information that he has collected from other machines. Copy all of the files and try to maintain the directory structure. This might be useful as evidence since the likelihood that two people have the same directory structure is low (sort of like dental X-rays). If the intruder deletes all the files, your evidence is gone. There are repeated cases where password files from other machines have been found along with password cracking programs.

As I mentioned before, don't let the intruder know you are watching. The best (least bad?) thing he could do is simply disappear, maybe breaking in through some other hole that you don't know about. The worst that could happen is that the intruder reformats your hard disk in an effort to cover his tracks.

Another aspect of evidence is "chain of possession." This means that it can be proven in court where the evidence was the whole time. Who obtained it, who secured it, who handed it to the police are all aspects of chain of possession. Once you have a piece of evidence you should mark it with your initials and then seal it in a container so no one else can get access to it.
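As an added example (not from the tutorial), here is a small POSIX shell script that covers both the advice above to copy files with their directory structure intact and the chain-of-possession point: it archives the intruder's directory with its layout preserved, records the archive's SHA-256 hash, the handler's initials and a UTC timestamp in a custody log, and lets a later handler confirm the copy is unchanged. The function names, the log format and the paths are my own choices, not anything the tutorial prescribes.

```shell
#!/bin/sh
# Added example: preserve a directory an intruder used, structure intact,
# and start a chain-of-possession record for the copy.
# Assumes a POSIX shell with tar, sha256sum, awk and date available.
set -eu

# preserve_evidence SRC_DIR OUT_DIR INITIALS
#   Archives SRC_DIR (keeping its full directory layout), hashes the archive
#   and appends "timestamp<TAB>handler<TAB>archive<TAB>sha256" to custody.log.
#   Prints the SHA-256 so it can be written on the sealed container.
preserve_evidence() {
    src_dir="$1"      # directory the intruder used as a storage house
    out_dir="$2"      # where the sealed copy and custody log go
    handler="$3"      # initials of the person taking the copy
    mkdir -p "$out_dir"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$out_dir/evidence-$stamp.tar"
    # -C to the parent so paths inside the archive keep the original tree
    tar -cf "$archive" -C "$(dirname "$src_dir")" "$(basename "$src_dir")"
    sum=$(sha256sum "$archive" | cut -d' ' -f1)
    printf '%s\t%s\t%s\t%s\n' "$stamp" "$handler" "$archive" "$sum" \
        >> "$out_dir/custody.log"
    printf '%s\n' "$sum"
}

# verify_evidence ARCHIVE CUSTODY_LOG
#   Recomputes the archive hash and compares it with the logged value, so
#   each later handler can show the copy was not altered while in their hands.
#   Returns 0 if the hashes match, 1 otherwise.
verify_evidence() {
    archive="$1"
    log="$2"
    recorded=$(awk -v a="$archive" -F'\t' '$3==a {print $4}' "$log" | head -n1)
    current=$(sha256sum "$archive" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}
```

The custody log is append-only by design; a new line is added each time the evidence changes hands, never edited in place.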

In the Cuckoo's Egg case, the logs of the hacker's activity proved to be a vital piece of evidence. Cliff was able to prove that certain actions on the system were made by hackers other than the one he was tracking. There were patterns to his behavior that Cliff recognized and could separate from those of people who were just having a look around.

Although what I have just talked about provides the foundation for a security investigation, don't take it as gospel. Laws are different from state to state and from country to country. Talk to your law enforcement agencies now, before the first attack. Find out what services they can offer in case of a break-in. Most importantly, find out what the law governing break-ins, rules of evidence and especially privacy is, as you don't want to lose the case and get sued yourself.

Copyright 2002-2009 by James Mohr. Licensed under modified GNU Free Documentation License (Portions of this material originally published by Prentice Hall, Pearson Education, Inc). See here for details. All rights reserved.