Strike and Counterstrike: The Law on intrusions and ...



Strike and Counterstrike: The Law on Automated Intrusions and Striking Back

Detailed outline & Notes

Curtis E.A. Karnow //BlackHat February 2003

Copyright 2003 Curtis Karnow

Introduction

1 Will discuss

1 automated intrusions:: routine search ‘bots / screen scraping / intentional network assaults such as DDoS.

2 Legal doctrines, 800 years old --trespass and nuisance-- used by the courts to evaluate claims that the assaults are illegal, as well as evolving legal issues of striking back at the attacking system.

3 “self defense’ and ‘self help’ theories to justify strike back at automated intrusions (e.g. worms and viruses). New Interest in “self help” mechanisms ::

1 Content providers such as record labels and movie studios favor proposed federal legislation that would allow them to disable copyright infringers’ computers.

2 Software licensors endorse state laws that permit the remote disabling of software in use by the licensee when the license terms are breached.

3 striking back at computers which launch worms, viruses, and other intrusions.

2 The Thin Grey Line. Serious problems when the line between legal and illegal is thin and vague-- and rapidly changing. Chaotic situation: small distinctions with very large consequences for liability, e./g.

1 Difference between one ping and two pings?

2 Ping with small or fatter payload?

3 Spider for google vs. spider for bidder’s edge or some competitor- or even just some non-search entity.

4 Port scans- banner grabbing vs. others, like SYN…

5 Thin gray line between what’s legal and what isn’t.

1 techniques like sending a bot to a site -- appears legal but maybe aren’t, and

2 counterstrike a site which launches a worm -- appears illegal, but maybe isn’t

3 Focus on AUTOMATED intrusions because critical ideas of “Intent” & ‘authorized” and “permission” are very difficult, where

1 the processes are automated,

2 no specific site is targeted

3 programmed by people who don’t actually know what they are doing,

4 where no one reads the terms of service and other restrictions that tell you what you and can’t do at a site

5 or there are terms, but aren’t effective because bots don’t read English…

6 a lot of the “permission” to access a site is technology based- passwords, etc-- and the technology is often just wrongly configured

Outline of presentation

1 Legal system/basic laws

2 Intrusions under the civil and criminal law & what “Authorized” means

3 Legality of counterstrike

Basic laws on intrusions

1 Criminal

1 Basic concepts: “permission” and “authorized” & “unauthorized access” in e.g. computer fraud & abuse (18 § 1030) and other statutes:

2 ‘fraud’ in connection with “access devices’ (18 § 1029) illegal to use or traffic in (mere possession is enough) ‘access devices’ which

1 Access Device is ‘any…code [or] number.. which alone or with another device .. can be used to obtain … anything of value…’

3 interception and unauthorized access to computers, interfering w/ another’s authorized use of a computer.

4 Use of computer resources such as memory or CPUs without permission (Cal penal code 502(c)(5)

5 illegal = without permission uses or causes to be used computer services; access without permission a computer; introduces a contaminant (virus worm, etc but broader- any instruction designed to .. transmit information within a computer…without the intent or permission of the owner of the information…”

6 Cal penal code 502(b)(1): “Access” means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network”-- very, very broad- probably includes port scans- so only question will be: AUTHORIZED or not?

2 Civil:

1 CFAA violation is also civil suit

2 Trespass. [Rapidly developing area of law]

1 History

1 Any wrong at all was a trespass- “Forgive us our trespasses…”

2 ‘Going onto the land’…Interfering with possession of goods or land

3 Had to be substantial interference- more than just nominal or momentary

2 Now, in internet context: using up any resources, entry, without “permission” i.e., contrary to

1 TOS

2 Or robot exclusion standards?? Not much law yet

3 Contrary to classic trespass law-- No injury required- substantial or not. Some case take absolutist position. Even insignificant (“negligible”) burden on a system resource is enough for liability

4 Cases/examples- will discuss.

3 Nuisance. [Bleeding edge of the law] Will discuss later in context of counterstrike. For now

1 Definition: Interference with enjoyment of property- bad smells, noise, etc. UNCLEAR if this includes viruses/worms…

3 Both civil and criminal liability, & both CFAA and trespass, depend on “Authorized” and “permission” :: what do these terms really mean?

1 Express/implied

2 If no published restrictions on site- much may be “permitted”

3 Restrictions: three types

1 Published/printed restrictions, terms of use

2 Robot exclusion standards

3 Password protected, other technologies

4 You may have authorization to access but not make copies, or not use for certain purposes, or not make changes; or ‘personal’ you can view and make copy, but as employee of competitor, you can’t…

4 Unauthorized use of site = in violation of printed Terms of service

1 ( private civilian polices create criminal liability! Lack of authorization could be established by an explicit statement on the website restricting access (unless restrictions violate "public policy").

2 site owners really must adopt clear terms of service that speak in terms of authorized access ("you are not authorized to access this site in the following manner . . .")

3 “Access and Interference.

Our web site contains robot exclusion headers and you agree that you will not use any robot, spider, other automatic device, or manual process to monitor or copy our web pages or the content contained herein without our prior expressed written permission. You agree that you will not use any device, software or routine to bypass our robot exclusion headers, or to interfere or attempt to interfere with the proper working of the eBay site or any activities conducted on our site. You agree that you will not take any action that imposes an unreasonable or disproportionately large load on our infrastructure. Much of the information on our site is updated on a real time basis and is proprietary or is licensed to eBay by our users or third parties. You agree that you will not copy, reproduce, alter, modify, create derivative works, or publicly display any content (except for Your Information) from our website without the prior expressed written permission of eBay or the appropriate third party.

4 “ grants you a limited license to access and make personal use of this site and not to download (other than page caching) or modify it, or any portion of it, except with express written consent of . This license does not include any resale or commercial use of this site or its contents; any collection and use of any product listings, descriptions, or prices; any derivative use of this site or its contents; any downloading or copying of account information for the benefit of another merchant; or any use of data mining, robots, or similar data gathering and extraction tools. This site or any portion of this site may not be reproduced, duplicated, copied, sold, resold, visited, or otherwise exploited for any commercial purpose without express written consent of ”

5 ‘Bots (& screen scraping)

1 bots retrieving metatag information- “negligible” interfere with target = trespass (Oyster)

2 bidder’s edge sending webcrawling bots to eBay- retrieve data to post at Bidder’s Edge- 100,000 times a day for months.- court holds ANY use of the eBay system without permission is- trespass

3 Verio used bots to access and collect registrant from ’s WHOIS database. The TOS was NOT enough to forbid this use of bots- but a notice sent out by was enough to stop future use of bots; ANY amount of interference with target site is enough ‘harm’ to be both trespass and violation of Computer Fraud and abuse act

4 Scraper use “exceeded authorized access” in violation of CFAA if there is “explicit” restriction like a stated restriction on the site (EF Cultural 1st Cir 2003)

5 Spam to AOL’s AOL’s servers were not “authorized” use of the AOL server. (AOL ND Ill. 2001)

6 Cookie transmitted without authority- CFAA violation. (Intuit Privacy Litigation, (CD Cal 2001)

7 Intel: “trespass” when system received spam

8 But bots don’t read English--Use of robot exclusion standards

1 Robots.txt at web root

2 Robot meta tags

3 If no Robots.txt- any bot activity OK?

6 Bad security ==?== “permission?

1 Apache server upgrade which can replace instructions on which directories are password protected; other bad patches, badly installed, etc.

2 Client had code available to exchange with contractors- thought it was behind firewall, and wasn’t. Competitor had a peek

7 What does “permission” mean in e.g.

1 p2p networks!! Kazaa

1 About 188 million Kazaa desktops downloaded

2 Every client is a file server

3 Study: unintended file sharing is prevalent

4 H:/ drive mapping- could provide access to corporate sever

2 systems administrator who tests out perimeter security- without clearing it with superiors.

3 Access per license agreement that was never read

1 UCITA /remote disabling of s/w

2 audit provisions which give licensor to conduct searches of your systems

3 Adware, spyware, leechware- data from client relayed back-channel to the mother ship.

4 installed DRM (digital rights management) which reports back usage and other data to the mothership

8 Port scans & reverse port scans--what’s “authorized”? Most surprising…

1 No non-public data accessed- just at most banner grabbing- so it’s ok re ‘unauthorized access’?? Implied “authorization”? Does it matter how the TOS is written?

2 BUT, re trespass:: and laws re eating cycles in e.g. SyN flood attack- a few SYN packets every 10 second enough to disable a port….. eating cycles and memory, often gets in under the firewall:

1 constant scanning can eat up target bandwidth, tying up connection to server

2 synscan = probably ‘trespass’ per new cases. Even though no actual connection made

9 Deliberate worms & viruses /evilbots for DDoS

1 No issue. Not authorized-- not because TOS, but because everyone knows.

2 Doesn’t matter if unintended computers hit.

4 Knowing and not doing- a form of indirect liability

1 To whom do you owe the duty?? Very delicate area, unresolved

2 Story that Symantec knew about Slammer and didn’t tell anyone except select customers

3 Manufactures who knew of vulnerability and don’t say anything. E.g. Epic knowing about vulnerabilities in the Unreal game engine- furious when it was announced by PivX

Counterstrike

1 Tim Mullen- developing an interesting debate…

2 Practicalities aside/PR aside/are you making yourself into a beacon for further attacks

3 Why we care about Counterstrike….the backfill:

1 High Connectivity

1 Wireless

2 High bandwidth

3 DSL ‘always on’

4 P2P increase

2 No skill required: Tools in the hands of children

3 High Speed of propagation

1 Here’s how fast Sapphire spread:

1 it doubled in size every 8.5 seconds. It infected more than 90 percent of vulnerable hosts within 10 minutes.” “At its peak, achieved approximately 3 minutes after it was released, Sapphire scanned the net at over 55 million IP addresses per second. It infected at least 75,000 victims and probably considerably more.” Moore, et al., "The Spread of the Sapphire/Slammer Worm," Cooperative Association for Internet Data Analysis ,

2 flash worm- start with 10k to 50k likely vulnerable sites, use hit list strategy diving up the list every time the worm replicates- takes a few seconds to hit each vulnerable machine.

3 Brute force scan of entire address space- a few hours

4 Here’s how fast the legal system works:

1 1-2 years to judgement

2 In other cases, the legal systems does help orders to stop infringement, stop spread of a trade secret, freeze money assets etc.

4 Expensive to fix damage

5 hard to identify bad guys

6 hard to get interest of law enforcement

7 Multi-jurisdictional

1 overseas bad guys

2 agency coordination

8 problem is getting worse: CERT

1 1990: 252

2 1995: 2412

3 2000: 21,756

4 2002: 82,094

9 Possible legal exposure to downstream victims (attacked though one’s system) and customers (who rely on one’s system)

10 Information warfare. Legality of counterstrike probably affect what is lawful information warfare, at least low intensity conflicts without declared war- likely depends on what’s criminal or not

4 Counterstrike Examples

1 Pentagon

1 Forcing constant reloads of attacker’s browser, forcing reboots

2 Conxion

1 San Jose hosting service that reversed the attack on the WTO server, recognized the attack was coming from a single IP address belonging to the e-hippies server. "So we told our filtering software to redirect any packets coming from these machines back at the e-hippies Web server…”

3 DirecTV

1 broadcast all sorts of update codes, downloaded into smart cards and those were copied by pirates into counterfeits assuming they were needed…- then a new broadcast combined those and executed the result, killed the counterfeits

5 true counterstrike appears illegal. Defenses to charge of illegality: self defense & ‘abate” the nuisance

1 self defense

1 Elements:

1 Proportionate

2 Often can stand ground, need not retreat

3 No adequate alternative

2 basic problem: must have no ‘adequate alternatives”

1 hard to explain why defense measures weren’t enough,

2 there’s always a patch-somewhere! (e.g. MS patch for Sapphire)

3 explain to a jury why you could i/.d. the attacker but couldn't just block him

4 SO: very iffy defense

2 self help (nuisance)

1 can we use Nuisance doctrine? Well, we’re using the related and as ancient “trespass”…

2 Nuisance: anything that interferes with enjoyment of one’s property (smells noise, fire hazards, electromagnetic interference)

3 expressly contemplates Self Help- “abate” the nuisance

1 remove or destroying the nuisance

2 if reasonably necessary includes breaking down doors, smashing locks, etc

3 counterattack/abatement must be “reasonable” and proportional to the nuisance

4 malware might well qualify as a nuisance. No good law on this; a case or two suggest this might work

1 like a light/noise/ intangible interference

2 interferes with use of one’s property

3 at least one case

3 Collateral Damages: Making a mistake

1 the wrong machine

2 too much data/code destroyed

3 legal doctrine

1 collateral damages if reasonable (broken locks)

2 shifted intent (mistakes will happen)(bystander hit by police during robbery)- not liable for accident, but

3 liable if the risk of collateral damage was relatively high.

4 Exemplar question: shutting down the zombied machines in a DDOs attack.

4 Conclusions: Elements of the ‘Future Right’ to Abate- with elements from self defense added

1 targeted and proportional: no other data or code destroyed

2 no other machine interrupted

3 Collateral damage: crashing a server: Interrupting other users?

4 TOS and robots.txt at victim site

5 Notice of offensive measures provided to probable intruders (deterrence being a central justification for the automated counterstrike)

6 REPRISE the Thin Grey line

================Notes==================

Scraper use “exceeded authorized access” in violation of CFAA (EF Cultural 1st Cir 2001) 274 F.3d 577, see 2003 decision

Spam to AOL’s AOL’s servers were not “authorized” use of the AOL server. (AOL ND Ill. 2001)174 F Supp 2d 890

Cookie transmitted without authority- CFAA violation. (Intuit Privacy Litigation, (CD Cal 2001)138 F Supp 2d 1272

Date: Fri, 14 Feb 2003 10:56:43 -0600 From: Lawrence Brenninkmeyer Subject: MacOS 10.2.4 update & httpd.conf replacement The Mac OS X operating system is a work in progress. Users are treated to small upgrades every one or two months that fix bugs, improve security, and occasionally provide increased functionality. Presumably in an effort to add functionality to the built-in Apache server, the latest update installs a brand new httpd.conf file. This is file that tells the Apache server how to configure itself (which modules to load, where the root directory is, etc.) The update kindly (and silently) saves the original httpd.conf as httpd.conf.applesaved. The risk is that replacing the original, not telling anyone, and then leaving the server active on restart can lead to a breach of security. One of the things that you can use the httpd.conf file for is to govern which directories are password protected and which are not [1]. This information is not retained in the new httpd.conf, so directories that were password protected are opened to the world after the update has been installed. The risks are obvious, and so are the solutions. At a minimum, they should have disabled Apache on startup and presented the user with a dialog box informing them of the change. [1] Apache httpd documentation: Basic Security

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download