Security and the Law
The laws governing computer break-ins are going to differ from state to state and country
to country. Although there are now federal laws covering break-ins, they only apply to the United
States. What about hackers that come in from other countries? Cliff Stoll can tell you horror
stories of the problems he had.
One thing Cliff did was to take very careful notes of the
intruder's activities and keep print-outs of the hacker's activity on his system. What made this
useful in court was that he was very careful about how he handled the
There are several guidelines to follow if someone breaks into your system. The first
thing is to contact CERT and your local law enforcement agency. Both will give you guidelines on
what to do.
One of the first things that the law enforcement agency will do is to determine
whether a crime has been committed. Although federal law says that the mere fact that someone has gained
unauthorized access to your system means they have committed a crime, there may be other issues involved,
such as theft of trade secrets, lost work, etc.
Because of the federal laws involved, the
FBI might have jurisdiction, or at least want to be involved. However, I recommend contacting
your local authorities first and letting them determine if the FBI should be involved. Additionally, the
local authorities can provide you with information on how to proceed.
One thing that the law
enforcement authorities will help you with is evidence collection. Maybe you know your system inside
and out and have monitored the intruder's activities, but that does not mean what you have would be
considered valid evidence in court. Your local authorities can tell you how to handle things
If information has been stolen, then you are going to want to find out what it was.
This is important in estimating the financial losses for unauthorized disclosure. As an extreme
example, let's take a case where an intruder steals plans for a new machine. You had planned to
patent it, but since your system crashed, you are delayed. Although it would be foolish for a
competitor to try and patent it themselves, they could publicize your research to destroy your
competitive advantage. Therefore, it would be much more difficult to obtain a patent yourself. The
amount you lost in royalties is real damages.
If you decide to pursue the issue and
press both civil and criminal charges, you have to be willing to make a commitment. The police (or
whatever agency is involved) cannot do it alone. They need your help in terms of both time and
resources. They need someone there to show them the logs, identify the data that has been stolen as
well as identify any evidence that is found in the hands of the intruder. Even after the intruder is
caught, you will still have to spend time to support the investigation such as identifying data or
appearing in court.
Unless you live in a large metropolitan area, there is a good chance that
your local authorities may not understand the technical aspects of the crime. Basic concepts like
data and networks are something they have probably heard about, but understanding them is something else.
There are just too many kinds of crimes for them to be experts in them all. Even if they have one
computer crime a year, they just don't have the experience. Therefore, you may have to explain
just what root access is and what the extent of the access/damage could be for someone with root
privileges. In other areas where crimes are reported regularly, there are special units that deal
with these types of crimes.
Obviously, if you can't prove "who dunnit" then
there is no way to collect any compensation. That is why it is vital that the rules of evidence be
followed.
However, do not let this discourage you. In
most places, there is a difference between criminal and civil charges. In a criminal case, the
prosecution has to prove their case beyond a reasonable doubt. In a civil case, the plaintiff
needs to prove a preponderance of evidence. This means that someone can be declared not guilty in a criminal trial, but still be held liable in a civil case. Look at the O.J. Simpson case as an example.
Although the police can give you specific guidelines, here are a few points to consider
while you are waiting for the police to arrive.
First, if the only evidence you have is based on on-line information such as files in
the user's directory or email messages, you are on thin ice. Just as an intruder can steal
files, he can also plant evidence. Although this kind of "evidence" might be sufficient to
get a warrant to search the suspect's house, it might not be enough to prove the person's
It might be sufficient for you to use this information as grounds for termination of an
employee. But you must also be careful. Is there a reasonable expectation of privacy when sending
email or storing files? If it is company policy that anything on the computers is company
property, then you may have a case. I have worked for companies that have said email will not be
read by anyone. There is a reasonable expectation of privacy and the company could be sued if
they looked through someone's email. Here again, talk to the law enforcement
Speed is also important when gathering evidence. Maybe an intruder has used one
machine as a storage house for information that he has collected from other machines. Copy all
the files and try to maintain the directory structure. This might be useful as evidence since
the likelihood that two people have the same directory structure is low (sort of like dental
X-rays). If the intruder deletes all the files, your evidence is gone. There are repeated cases
where password files from other machines have been found along with password cracking
As I mentioned before, don't let the intruder know you are watching. The best (least
bad?) thing he could do is simply disappear, maybe breaking in through some other hole that you
don't know about. The worst that could happen is that the intruder reformats your hard disk in
an effort to cover his tracks.
Another aspect of evidence is "chain of possession."
This means that it can be proven in court where the evidence was the whole time. Who obtained it,
who secured it, who handed it to the police are all aspects of chain of possession. Once you have a
piece of evidence you should mark it with your initials and then seal it in a container so no one
else can get access to it.
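As an added example, not part of the original text, the following POSIX shell script does what the two preceding points describe: it copies the intruder's files while keeping their directory layout and timestamps, writes a SHA-256 manifest of every copied file, and starts a chain-of-possession log that records who collected the evidence, when, and on which host. The function names collect_evidence and verify_evidence, the file names manifest.sha256 and custody.log, the sample paths, and the assumption that either sha256sum or shasum is installed are mine, not the page's; the agency you contact may ask for its own procedure on top of this.

```shell
#!/bin/sh
# Added example (not from the original text): preserve an intruder's file tree
# and start a chain-of-possession record. File names and paths are assumptions.

# Pick a SHA-256 tool: GNU coreutils sha256sum or BSD/perl shasum (assumed present).
hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# collect_evidence SOURCE_DIR DEST_DIR COLLECTOR
# Copies SOURCE_DIR into DEST_DIR/tree keeping the relative layout (the
# "dental X-ray" the text mentions), writes DEST_DIR/manifest.sha256 with a
# hash per copied file, appends the first custody entry to DEST_DIR/custody.log
# and makes the copy read-only so later tampering shows up in verify_evidence.
collect_evidence() {
    src=$1; dest=$2; who=$3
    [ -d "$src" ] || { echo "source not found: $src" >&2; return 1; }
    mkdir -p "$dest/tree" || return 1
    # tar through a pipe keeps directories, hidden files, modes and mtimes
    (cd "$src" && tar cf - .) | (cd "$dest/tree" && tar xpf -) || return 1
    # One manifest line per regular file, paths relative to the evidence root
    (cd "$dest/tree" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        hash_cmd "$f"
    done) > "$dest/manifest.sha256" || return 1
    # Seal: who, when (UTC), where, and the hash of the manifest itself
    printf '%s collected-by=%s host=%s source=%s manifest-sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$who" "$(uname -n)" "$src" \
        "$(hash_cmd "$dest/manifest.sha256" | cut -d' ' -f1)" >> "$dest/custody.log" || return 1
    chmod -R a-w "$dest/tree" "$dest/manifest.sha256"
}

# verify_evidence DEST_DIR
# Returns 0 only if every file in DEST_DIR/tree still matches the manifest.
verify_evidence() {
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$1/tree" && sha256sum -c --quiet ../manifest.sha256)
    else
        (cd "$1/tree" && shasum -a 256 -c ../manifest.sha256 >/dev/null)
    fi
}
```

Run it as `collect_evidence /home/intruder /mnt/evidence/case-001 "your initials"` and re-run `verify_evidence /mnt/evidence/case-001` each time the evidence changes hands, appending a line to custody.log (which is deliberately left writable) for every handover; the manifest hash in the first log line is what you compare against a printed, initialed copy sealed with the media.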
In the Cuckoo's Egg case, the logs of the hackers' activity
proved to be a vital piece of evidence. Cliff was able to prove that certain actions on the system
were made by hackers other than the one he was tracking. There were patterns to his behavior that
Cliff recognized and could separate from those of people who were just having a look around.
Although what I have just talked about provides the foundation for a security
don't take it as gospel. Laws are different from state to state and from country to country.
Talk to your law enforcement agencies now, before the first attack. Find out what services
they can offer in case of a break-in. Most importantly, find out what the law is governing
break-ins, rules of evidence and especially privacy, as you don't want to lose the case and get