Vladimir Golubev

USING OF COMPUTER SYSTEMS ACCOUNTABILITY

TECHNOLOGIES IN THE FIGHT AGAINST CYBERCRIMES

 

 

Implementation of modern information technologies lead to new types of crime, which use calculation systems, novel means of telecommunication and communication, means of íåãëàñíîãî obtaining of information, etc. The quantity of so called cybercrimes using modern information technologies, stealing the cash and non-cash funds is increasing. The term “cyber crime” is young and is created by combination of the two words: cyberspace and crime. The term cyberspace space (terms “virtual space”, “virtual world” are used more often in domestic literature) and (according to the definition in “New hacker vocabulary” by Eric S. Raimond) defines the information space modeled through computer, in which defined types of objects or symbol images of information exist – the place where computer programs work and data is transferred [1].     

The report on computer security and cyber crime problem has been produced according to the data of the American Computer Security Insitute on the basis of the research, conducted at the assignment of International Computer Crime Squads FBI USA [2], indicating the most common methods of attacks and offences: 

·       brute-force  - 13,9%. Selection of passwords, keys to fit and other identification or authentication information; 

·       IP-spoofing - 12,4%.  Method of attack when criminal changes IP-addresses of packages, transferred through Internet so, that they look like “internal” for the network where every unit trusts the address information of the other; 

·       denial of service - 16,3%.  Influence on network or its separate parts with the purpose of breach of usual functioning order; 

·       sniffer - 11,2%. Looking through and decoding the transferred data with the purpose of collection of passwords, keys and other identification or authentication information; 

·       scanner - 15,9%. Method of attack using the software, which consequentially check possible points of entering the system (for instance, TCP-port numbers or telephone numbers) with the purpose of identifying ways and possibilities to intrude; 

·       data diddling - 15,6%. 

The victims of criminals become banks, institutions, enterprises and organizations, which use automated systems for processing documents, making payments and other operations. Classic example for such crime could be one of the criminal cases, which investigation has been conducted by Russian law enforcement and FBI USA [3]. Criminal case was opened for V. Levin and other citizens of the Russian Federation, which enter in collusion with each other with the purpose to thief great amounts of funds from "City Bank of America" (USA). They have created criminal group, used Internet and overcame several levels of protection from unauthorized access, through personal computer of standard configuration from the office, located in St-Petersburg (Russia), they entered untrue information into the cash flow management system the above bank.  The criminals have accomplished not less than 40 transfers of funds of the total amount of 10 millions 700 thousands US Dollars.

Levin was at last arrested in Great Britain in September 1997 and extradited to USA. He admitted himself guilty and in February 1998 has been sentenced to 36 months in jail.

According to statistic data, obtained by FBI USA as a result of analysis of attempts to penetrate in 220 computer systems of American network "MILNET" [4], 20% of the password used appeared vulnerable. In 98% of the cases administrators of attacked systems in order to clarify the circumstances of the suspicious activity did not even try to contact the organization, which network, after offender has illegally entered it, was used for attacks on other networks.  8% of the systems has disclosed to offender the information on its current status and users in response to simplest request of sysstat, who, etc.   1% of systems has given limited access to data bases and e-mail systems. In 2% of the cases a criminal managed to enter the system under the name of authorized user. 2% of systems has given the offender the automated system administrator authorization.

On October 23, 1998 through unauthorized access to automated banking system from the accounts of Reserve Fund of Vinnitsa Department of the National Bank of Ukraine 80,4 millions of Hryvnias (equivalent of approx. 20 millions of US Dollars) were stolen.

            As it is obvious, there are many ways of unauthorized access to the data and interference in the information processing and exchange processes in automated systems. The term automated system (ÀS) means organization-technical system, which realizes information technology and combines operation system, physical environment, personnel and information processed [5]. Reliable information protection system is critical for AS safety, and in the event of offense allows law enforcement to conduct investigation.

As it is known, the subjects for applying means and measures in criminal judiciary are its participants, since they take part in the process of proving and collect, research, assess and use criminality information. However, due to different levels of their procedural status, forms and extent of use of the special means and knowledge are also different. Such means are instruments for work and law enforcement for investigators and detectives and they are authorized to use them directly (Art. 114 of the Criminal Code of Ukraine) or indirectly, involving special knowledge of expert (Art. 75 of the Criminal Code of Ukraine) [6]. Similar legal norms exist in many countries of the world. Therefore, legitimacy in application of accountability technology upon investigation of cyber crimes is characterized by legal side of acceptance and shows that application of these technologies for collection of criminality information is appropriate.

In order to solve these problems, one of the Ukrainian enterprises (http://www.anna.zp.ua), developed "Network Remote Monitor" security system, which is under the certification of the Department of Special Telecommunication Systems and Information Protection of the Security Service of Ukraine. In addition, the Department of operative-search activity of Zaporizhia Law Institute under US-Ukraine Research Partnership Program conducts research purported to develop recommendations on disclosing and investigation of the transnational computer crime (cyber crime) using the Internet.

            "Network Remote Monitor" security system (hereinafter SS "NRM") is network hardware - software security system purported for automated accountability of computer (calculation) user automated systems,  who work under Windows 95/98/NT, Microsoft (USA) in automated systems based on TCP/IPnetworks.

In SS “NRM” such security function as accountability is involved, it is computer (calculation) system feature, which allows to track the activity of users and processes, use of passive objects as well as identify indicators of users and processes, engaged in certain acts with the purpose of prevention of the information security policy violations and/or enforcement liability for certain acts. Security system makes audit, which allows to collect and analyse the information on using objects and functions under control of security means by users and processes and maintains audit trail as systemized set of registration records, each of which is made by complex of security means when the controlled event occurs.

Using the accountability technology in SS “NRM” is important for investigation of cyber crime, related to “human factor”, which gives the possibility for law enforcement to resolve the following issues:

1. identification of separate facts information escape from local network;
2. restoring erased or modified by offender files, determination of precise time and date of these events;
3. detection of the unauthorized hardware and software installation;
4. decoding of files encoded by offender;
5. registration of unauthorized access attempts;
6. determination of author, location and time of creation of the files;
7. assessment of professional qualifications of individuals in the sphere of information technologies;

 

Investigation starts with analysis of audit trail of SS “NRM”, where investigation agency can find answers on the following questions:

1. What software is installed on ECM and whether it is possible using these means to conduct the acts accused?
2. What information resources the ECM user worked with?
3. Whether or not the detected files are copies of information located on certain ECM?
4. Whether or not the detected documents where created on certain ECM, if they were then erased from the ECM?
5. When (day, month, hour, minute), by whom (who uses certain password), on which ECM (who uses the working place) the work with certain information has been conducted?
6. Whether or not the escape of information is the result of installation of special software?
7. Whether or not the files of the software are infected by virus, if yes, by which virus and what is its effect (termination, copying, modification, transfer of information into the network or other)?
8. Whether or not the files of the software are files with bookmarks if yes, which bookmarks and what is its effect (termination, copying, modification, transfer of information into the network or other)?
9. Whether or not the texts on paper are records of initial code of the software and what is the purpose of this software?
10. Whether or not the texts on paper are records, which then were entered by certain ECM user as certain electronic document?
11. Whether or not the certain computer information has been terminated, copied, modified?
12. What rules of ECM exploitation exist in this information system and whether or not these rules were violated (work on ECM after hours, unauthorized connection to modem and software installation, etc.)?
13. Whether or not the violation of the rules is related to termination, copying, modification of information?
14. Determine electronic addresses to which the unauthorized transfer of certain information has been made (determine the addressee) and determine what exactly has been transferred;
15. Identify all cases when the information and word combinations in question have been typed on the keyboard, etc.

 

Therefore, implementing the accountability technology for computer systems using SS “NRM” gives effective means for combating and investigating "cyber crime".

 

1.       Collin Barry C. The Future of Cyber Terrorism // Proceedings of 11th Annual International Symposium on Criminal Justice Issues. The University of Illinois at Chicago, 1996.

2.       International Computer Crime Squads The report of the President's Commission on Critical Infrastructure Protection, 1997. http://www.pccip.gov/report_index.html

3.       Golubev V.O.  Computer crimes in banking sphere. — Zaporozhya, 1997. Ñ.16-18.

4.       Mark M. Pollitt. CYBERTERRORISM - Fact or Fancy. FBI Laboratory.

5.       ND TZI 1.1-003-99. Terminology in the sphere of computer systems information protection from unauthorized access. // Department of Special Telecommunication systems and Information protection of Security Services of Ukraine. – Kyiv, 1999.

6.       Criminal-procedural Code of Ukraine: scientific-practical comments. — Kyiv, 1995. —639 p.