Title : Know your enemy: Facing the cops
Author : Lance
_ _
_/B\_ _/W\_
(* *) Phrack #64 file 10 (* *)
| - | | - |
| | Know your enemy : facing the cops | |
| | | |
| | By Lance | |
| | | |
| | | |
(______________________________________________________)
The following article is divided into three parts. The first and
second parts are interviews done by The Circle of Lost Hackers. The
people interviewed are busted hackers. You can learn, through their
experiences, how the cops work in each of their countries. The last
part of this article is a description of how a Computer Crime Unit
proceeds to bust hackers. We know that this article will probably help
more policemen than hackers, but if hackers know how the cops proceed
they can counter them. That's the goal of this article.
Have a nice read.
(Hi Lance! :)
------------------------------------------
Willy's interview
<THE CIRCLE OF LOST HACKERS> Hi WILLY, can you tell us who you are,
what your nationality is, and what your daily job is?
Hi. I'm from Germany. I actually finished law school.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Can you tell us what kind of
relationship you have with the police in your country? In some other
European countries the law is hardening these days; what about Germany?
Well, due to the nature of my finished studies, I can view the laws
from a professional point of view. The laws about computer crime have not
changed for years, so you can't say they are getting harder. What we can
say is that, due to 9/11/01, some privacy laws got stricter.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Can you explain to us what kind of
privacy laws got stricter?
Yeah. For example, all universities have to point out students that are
Muslim, between 20 and 30, not married, etc., so the police can do a screen
search. Some German courts said this is illegal, some said not. The
process is ongoing, but the screen searches didn't have much result
yet. On the other hand, we have pretty active privacy-protection people
("Datenschutzbeauftragte") who are trying to get privacy written into the
constitution as a fundamental right. So the process is like this: we have
certain people who want a stricter privacy law, e.g. observation by
video cameras in public places (which does happen already in some places).
But, again, we have active people in the country who work against these
kinds of observation methods. It's not really decided if the surveillance
is getting stronger. What is getting stronger are all these DNA tests now
for certain kinds of crimes, but it's still not the case that any convicted
person is in a DNA database, luckily.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Do you have the feeling that
computer-related law is stricter since 09/11/01?
Definitely not.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Did these non-computer-related
enforcements happen since the Schroeder re-election?
Nope. These enforcements ("Sicherheitspaket") happened after 9/11. The
re-election of Schroeder had nothing to do with the enforcements. On
one hand, ISPs have to keep the logfiles of dial-in IPs for 90
days, but the Federal Ministry of Economics and Technology is supporting
a project called "JAP" (Java Anonymous Proxy) to realize anonymous,
unobservable communication. I don't know the details, but I'm pretty
sure the realization of JAP is not OK with the actual laws in Germany,
because you can surf really completely anonymously with JAP. This does not
correspond with the law to keep the logfiles. I don't know. From my
point of view, even though I (of course) like JAP, it is not compatible
with current German law. But it's supported by a federal ministry. That's
pretty strange, I think. Well, we'll see. You can get information about
this at http://anon.inf.tu-dresden.de/index_en.html .
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Now that we know a bit more about
the context, can you explain to us how you got into hacking, and since when
you have been involved in the scene?
Well, how did I get in contact with the scene? I guess it was the way pretty
many people started. I wanted to have the newest games, so I talked to
some older guys at my school, and they told me to get a modem and call
some BBS. This was, I guess, 1991. You need to know that my hometown
Berlin was pretty active with BBSes, due to a political reason: local
calls only cost 23pf. That was a special thing in West Berlin /
Cold War. I can't remember when it was abolished. But so there were many
BBSes in Berlin due to the low costs. Then, a short time after, I got in
contact with guys who always got the newest stuff from the USA/UK onto the
BBSes, and I thought, "wham, that must be expensive". It didn't take a long
time until I found out that there are ways to get around this. Also,
I had a local mentor who introduced me to blueboxing and all the neat
stuff around PBXs, VMBs and stuff.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: When did you start to play with
TCP/IP networks?
I think that was pretty late. I heard that some of my overseas friends
had a new way of chatting: no chat on BBSes anymore, but on IRC. I guess
this was in 1994. So I got some information, some accounts at a local
university, and I only used "the net" for IRCing.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: When (and why) did you get into
trouble for the first time?
Luckily, I only got into trouble once, in 1997. I got a visit from four
policemen (with weapons), who had a search warrant and searched my
house. I was accused of espionage of data; that's how they call hacking
here. They took all my equipment and stuff and it took a long time until
I heard from them again for a questioning. I was at the police several
times. The first time, I think after 6 months, was due to a meeting with the
state attorney and the policemen. This was just a meeting to see if
they can use my computer stuff as proof. It was like they switched the
computer on, the policeman said to the attorney "this could be a log file"
and the attorney said "OK, this might be proof". This went on for all CDs
and at least 20 papers with notes ("this could be an IP address", "this
could be a l/p", etc.). Of course, the attorney didn't have much knowledge,
and I lost my notes with phone numbers on them ("yeah, but it could be
an IP"). However, this was just a mandatory meeting because I denied
everything and didn't allow them to use any of the stuff, so there has to
be a judge or an attorney to see if the police took things that can be
proof at all. The second time I met them was for the crimes in question. I
was there for a questioning (more than 2 years after the raid, and almost
3 years after the actual date when I should have done the crime).
--
<THE CIRCLE OF LOST HACKERS> QUESTION: How long did you stay at the
police station just after your first search?
The first time, that was only 15 minutes. It was really only to see if the
police took the correct stuff. E.g. if they had taken a book, I would
have to get it back, because a book can't have anything to do with my
accused crime. (Except if I had written IP numbers in that book, hehe.)
--
<THE CIRCLE OF LOST HACKERS> QUESTION: What about the crime itself? Did
you earn money or make people effectively lose money by hacking?
No, I didn't earn any money. It was just for fun, to learn, and to see
how far you can push a border; see what is possible, what's not. People
didn't lose any money, either.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: How did they find you?
I still don't really know how they found me. The accused crime was (just)
the unauthorized usage of dial-in accounts at one university. Unluckily,
it was the starting point of my activities, so I was a bit scared at
first. You have to dial in somewhere, and if that facility busts you,
it could have been pretty bad. In the end, after the real questioning
and after I got my fine, they had to drop ALL accusations of hacking and I
was only guilty of having 9 warez CDs.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Were you dialing from your home?
Yeah, from my home. But I didn't use ISDN or have caller ID on my analog
line, and it is not OK to tap a phone line for such a low-profile crime
as hacking here in Germany. So, since all hacking accusations got dropped,
I didn't see what evidence they had, or how they got me at all.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Can you tell us more about the
policemen? What kind of organization busted you?
It was a special department for computer crime organized by the state
police, the "Landeskriminalamt" (LKA). They didn't know much about computers
at all, I think. They didn't find all the logfiles I had on my computer, they
didn't find my JAZ disks with passwd files, they didn't find passwd files
on my computer, etc.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Where did they bring you after
being busted at the raid, and the second time for the interview?
After the raid, I could stay at home! For the interview, I went to the
headquarters of the LKA, into the rooms of the computer crime unit. A simple
room with one window, a table and chair, and a computer where the policeman
himself typed what he asked and what I answered.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Have you heard interesting
conversations between cops when you were in there?
Hehe, nope. Not at all. And, of course, the door to the
questioning room was closed when I was questioned, so I couldn't
hear anything else. I was interviewed by only one guy, a
"Polizeihauptkommissar", no military grade, only a captain, as explained
at http://police-badges.de/online/sammeln/us-polizei.html .
Another thing about the raid: they rang normally, nothing like
bashing the door in. If my mother hadn't opened the door, I would have had
enough time to destroy things. But unluckily, as most Germans would, she
opened the door when she heard the word "police", hehe.
I did not have a trial; I accepted an "order of summary punishment" (this
is the technical term I looked up in the dictionary :-) ). This is something
that a judge decides after he has all the information: he can open a trial
or use this order of summary punishment. They mail it to you, and if
you don't say "no, I deny" within one week, you have accepted it :-) When you
deny it, THEN you definitely decide to go to court and have a trial.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Do you advise hackers to accept
it?
You can't generally give advice about that. In my case, I found it
important that I do not have any criminal record at all and that I count
as a "first offender" if I ever have a trial in the future. So with that
acceptance of the summary order, I knew what I'd get, which was acceptable
in my case. If you go to court, you can never know if the fine will be
much higher. But you can't generalize it. If it's below "90 Tagessaetze"
(above 90 you get a criminal record), I guess I would accept it, but
again, better go to a lawyer you trust :-)
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Can you compare the LKA with an
American and/or European organization? What is their activity if they
are not skilled with computers?
Mmmm, every state within Germany has its own special department called LKA.
It's not like the FBI (that would be the BKA), but it would be like a state
in the USA, say Florida, having a police department for the whole of Florida
which does all the special stuff, like organized crime. Computer crime
in Germany belongs to economic crime, and therefore the normal police
isn't the correct department, but the LKA. By the way, I heard from
different people that they are more skilled now. But at that time, I
think only one person had an idea about UNIX at all. I know that the BKA
has a special department for computer crime, because a friend of mine got
visited by the BKA, but most computer crime departments here are against
child porn. I don't think that too many people get busted for hacking in
Germany at all. They do bust child porn, they do bust warez guys, they
do bust computer fraud related to telco crimes. But hacking, I don't
know lots of people who had problems for real hacking. Except one guy.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Are there special services in your
country who are involved in hacking?
Special services? What do you mean, like the CIA? Hehe?! We have the
BND (counter-spying), MAD (military spying), Verfassungsschutz
(inland spying), but I don't think we have a service that is concentrating
on computer crime. What we do have is a lot of NSA (Echelon) stations
from the US. I guess because of the Cold War, we're still pretty much
under the supervision of these services :-) So the answer is: we don't
have such services, or they work so secretly that no one knows, but I
doubt this in Germany, hehe.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Except for the crime they charged
you with, did you have any relations with the police? (phone calls,
non-related interviews, job proposals?)
Hehe, no, not at all.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: What kind of information was
the police asking you for during your interview? Were they asking
non-crime-related information? (like: who are you chilling with, etc.?)
Yeah, that was the part they were most interested in! They had
printed my /etc/passwd and said "that's your nick, right?". I didn't say
anything to that whole complex, but they continued, and I mean, if you
have one user in your /etc/passwd, it is pretty easy to guess that's
your nick. So, they had searched the net for that nick, they found a
page maintained by some hackers who formed some kind of crew. They had
printed the whole website of that crew, pointing out my name anywhere
it appeared. They tried to play the good-cop game, the "you're that
cool dude there, eh?" etc. I didn't say anything again. It took several
minutes, and they wanted to pin on me that I'm using this nick they
found in /etc/passwd and that I am a member of that group whose webpage
they had printed. They knew that there was a 2nd hacker at that
university. They asked me all the time if I knew him. I don't know why
he had more luck. Of course I did know him; it was my mate with whom I
did lots of the stuff together.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: You didn't say anything? How did
they accept this?
Hehe. They had to accept it. I think that in most countries, if
you are accused, you have the right to say nothing. I played an easy
game: I admitted to having copied the 9 CDs, because the CDs are proof
enough anyway; then the cops were happy. I didn't say anything about that
hacking complex, which was way more interesting for them. I thought, "I
have to give them something, if I don't want to go before court". I said
"I did copy that Windows CD" so they had at least something.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Did you feel some kind of evolution
in your relations with the police? Did they try to be friends with you at
some point?
Yeah, they did try to be friends at several stages.
a) At the raid. My parents were REALLY not amused, I think you can
imagine that: having policemen sneaking through your clothes, your bedroom,
etc. So, they noticed my mom was pretty nervous and "at the end".
They said "make it easy for your mother, be honest, be a nice guy,
it's the first time, tell us something...". (Due to my starting law
school at that time, I of course knew that it's the best thing to stay
calm and say nothing.)
b) At the questioning, of course. After I admitted the warez stuff,
they felt pretty good, which was my intention. They allowed me to smoke,
and stuff like that. When it came to hacking, and I didn't say anything,
they continued to be "my friend", and tried to convince me "that it's
easier and better if I admit it, because the evidence is so strong". They
were friendly all the time, yeah.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: What do you think they really
knew?
They definitely knew I used unauthorized dial-in accounts at that
university, they knew I was using that nick, and that I am a member of
that hacking group (nothing illegal about that, though). I was afraid
that they might know my real activities, because, again, that university
was JUST my starting point, so all I did there was use accounts I shouldn't
use. That's no big deal at all, dial-ins. But I didn't know what they knew
about the real activities after the dial-in, so I was afraid that they
knew more about this.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Did they know personal things
about the other people in your hacking group?
Nope, not at all.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: How skilled are the forensics
employed by the German police in 2002?
Huh, luckily I don't know. I read that they do have some forensic
experts at the BKA, but the usually busting LKA isn't very skilled, in my
opinion. They have too few people to cover all the computer crimes. They
work on low money with old equipment. And they use much of their time
to go after kiddie porn.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: How did the police perceive
your group? (front-side German hacking group you guys all know)
I think they thought we're a big active crew which does hacking, hacking
and hacking all the time. I guess they wanted to find out if we earn
money with that, e.g., or if we're into big illegal activities, because
of course it might be illegal just to be a member of an illegal group,
like organized crime.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: On the other hand, what do you
think the other hacking crews think about your group?
We and other hackers saw us as a group which shares knowledge, exchanges
security-related information, has nice meetings, finds security problems
and writes software to exploit those problems. I definitely did not see us
as an organized hacking group which earns money, steals stuff or makes other
people lose money, but, I mean, you can't know what a group really does
just from visiting a webpage and looking at some papers or tools.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Are the troubles over now?
Yeah, the troubles are completely over now. I got a fine, 75 German marks
per CD, so I had to pay around 800 German marks. I am not previously
convicted, no criminal record at all. No civil action.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Now that the troubles are over, do you
have some advice for hackers in your country, to avoid being busted,
or to avoid having troubles like you did?
Hehe, yeah, in short:
a) Always encrypt your ENTIRE hard disk.
b) Do NOT own any, I repeat, any illegal warez CD. Reason: any judge
knows illegally copied CDs; he understands that. So, like in my case,
you get accused of hacking and you end up with a fine for illegal
warez. That's definitely not necessary. And, furthermore, you get your
computer stuff back MUCH easier and faster if you don't have any warez
CDs. Usually, they can't prove your hacking, but warez CDs are easy.
c) Do not tell them ANYTHING at the raid.
d) If you are really in trouble, go to a lawyer after the raid.
--
<THE CIRCLE OF LOST HACKERS> Thanks for the interview, WILLY!
De nada, you are welcome ;)
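The "that's your nick, right?" inference Willy describes (one human login in /etc/passwd on a seized box, so that login name is searched for on the net) is routine forensic triage. The script below is an added example for this article, not code from Phrack or the interviewee: it parses a constructed passwd(5) file and lists the interactive, non-system accounts. The UID cut-off and the no-login shell list are assumptions based on common Linux defaults, not anything the interview states.

```python
"""Forensic triage of a seized passwd(5) file: list the interactive,
non-system accounts, which on a single-user box gives the examiner the
owner's probable online handle.

Added example for this article, not code from Phrack or the interviewee.
The passwd content is constructed; the UID cut-off and no-login shell
list are assumptions based on common Linux defaults.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample: the usual system entries plus one human account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
w1lly:x:1000:1000:Willy,,,:/home/w1lly:/bin/bash
"""

# Assumptions: ordinary users start at UID 1000 on most modern Linux
# systems (older ones used 500), and service accounts get a shell that
# refuses logins. Heuristics, so the output is a candidate list, not proof.
HUMAN_UID_MIN = 1000
NOBODY_UID = 65534
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) records; blank, comment and malformed lines are skipped."""
    entries: List[PasswdEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a passwd record; a real tool would log it
        name, _password, uid, gid, gecos, home, shell = fields
        try:
            entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
        except ValueError:
            continue  # non-numeric uid/gid
    return entries


def human_accounts(entries: List[PasswdEntry]) -> List[PasswdEntry]:
    """Accounts a person could actually log in with."""
    return [
        e for e in entries
        if e.uid >= HUMAN_UID_MIN
        and e.uid != NOBODY_UID
        and e.shell not in NOLOGIN_SHELLS
    ]


def candidate_handles(text: str) -> List[str]:
    """Login names an examiner would search the net for. A single result
    is exactly the 'that's your nick, right?' inference from the interview."""
    return [e.name for e in human_accounts(parse_passwd(text))]


if __name__ == "__main__":
    for entry in human_accounts(parse_passwd(SAMPLE_PASSWD)):
        print(f"{entry.name}: uid={entry.uid} gecos={entry.gecos!r} shell={entry.shell}")
    print("candidate handles:", candidate_handles(SAMPLE_PASSWD))
```

Note that the GECOS field of the one human account leaks a real first name next to the handle, which is a second correlation point the examiner gets for free. The countermeasure is the first item on Willy's own list: with the whole disk encrypted there is no readable passwd file to print out.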
------------------------------------------
Zac's interview
<THE CIRCLE OF LOST HACKERS> Hello Zac, nice to meet you.
Hi new staff, how's life?
<THE CIRCLE OF LOST HACKERS> QUESTION: Can you tell us what kind of
relationship you (as a hacker) have with the police in your country?
I live in France; as a hacker I never had troubles with justice. In my
country, you can have troubles in case you are a stupid script kiddie (most
of the time), or if you disturb (even very little) the intelligence services.
Actually we have very present special services inside the territory,
whereas the police itself is too dumb to understand anything about
computers. Some special non-technical group called BEFTI usually deals
with big warezers, dumb carders, or people breaking into businesses'
PABXs and making free calls from there, and stuff like that.
--
<THE CIRCLE OF LOST HACKERS> Explain to us how you got into hacking,
since when you have been involved in the scene, and when you started to play
with TCP/IP networks.
I started quite late in the 90s when I met friends who were doing warez
and trying to start with hacking and phreaking. I have only a few years
of experience on the net, but I learnt quite fast, being always behind
the screen, and now I know a lot of people, all around the world, on
IRC and IRL.
Besides this, I had my first computer 15 years ago, and owned many Intel-based
computers, from 286 to Pentium II. I now have access to various hardware
and use these resources to code. I used to share my work with other
(both whitehat and blackhat) people; I don't hide myself particularly
and I am not involved in any kind of dangerous illegal activity.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: When did you get into trouble
for the first time?
Last year (2001), when the DST ('Direction de la Surveillance du Territoire',
the French domestic intelligence service) contacted me and asked if
I was still looking for a job. I said yes and accepted to meet them.
I didn't know it was the DST at that time, but I caught them using Google ;)
They first introduced themselves as from the 'Ministere de l'Interieur', which is
basically the ministry in charge of police coordination and domestic
intelligence services. In another, later interview, they told me they
were DST; I'll call them 'the feds'.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: How did they find you?
I still have no idea; I guess someone around me told them about me.
When I asked, they told me it was from one of the various (very few)
businesses I had contacted at that time. Take care when you give your
CV or anything; keep it encrypted when it travels on the net, because
they probably sniff a lot of traffic. I also advise marking it in a
different way each time you give it, so that you can know from where it
leaked, using SE at the feds.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Can you tell us more about the
organization?
Some information about them has already been disclosed in French
electronic fanzines like Core-Dump ('92) and NoWay ('94), both written
by NeurAlien. I heard he got mad problems because of this; I don't really
want to experience the same stuff.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Are there other special services
in your country who are involved in hacking?
Besides the DST, there is the DGSE ('Direction Generale de la Securite
Exterieure'); these guys mostly focus on spying, military training, and
information gathering outside the territory. There is also the RG
('Renseignements Generaux', trans.: General Intelligence), a special part of
the police which is used to gather various information about every sensitive
event happening. The rumor says there's always 1 RG in each public
conference, meeting, etc., and it's not very difficult to believe.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Can you compare the organization
with an equivalent one in another country?
Their tasks are similar to the CIA's and NSA's, I guess. The DST and DGSE
also used to deal with terrorists and big drug trafficking networks; they
do not target hackers specifically, their task is much larger since they
are the governmental intelligence services in France.
--
<THE CIRCLE OF LOST HACKERS> Is the DST skilled with computers?
They -seem- quite skilled (not too much, but probably enough to bust a
lot of hackers and keep them on tape if necessary). They also used to
recruit people in order to experiment with all the new hacking techniques
(wireless, etc.).
However, I feel like their first job is gathering information; all
the technical stuff looks like a hook to me. Moreover, they pay very
badly; they'll argue that having their name on your CV will increase your
chances to get highly paid jobs in the future. Think twice before signing;
this kind of person has a strong tendency to lie.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: What kind of information did they
ask for during the interviews?
The first time, it was 2 hours long, and there were 2 guys. One
obviously understood a bit about hacking (talking about protocols,
reverse engineering; he had assimilated the vocabulary at least), the other
one didn't know the difference between an exploit and a rootkit, and
was probably the 'nice fed around'.
They asked everything about myself (origin, family, etc.), one always
taking notes, both asking questions, trying to appear interested
in my life. They asked everything from the start to the end. They
asked if the official activity I have right now wasn't too boring,
who were the guys I was working with, in what kind of activity I was
involved, and the nature of my personal work. They also asked me if I
was aware of 0day vulnerabilities in widely-used software. I knew I
had to not tell them anything, and to try to get as much information about
them as I could during the interview. You can definitely grab some if you ask
them questions. Usually, they will tell you 'Here I am asking the questions',
but sometimes if you are smart, you can guess from where they got the
information, what their real technical skill level is, etc.
At the end of the interview, they'll ask what they want to know if you
didn't tell them. They can ask about groups they think you are friends
with, etc. If you just tell them what is obviously known (like,
'oh yeah I heard about them, it's a crew interested in security, but
I'm not in that group') and nothing else, it's OK.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: What do you think they really
knew?
I guess they are quite smart, because they know a lot of stuff, and
ask everything as if they knew nothing. This way, they
can spot if you are lying or not. Also, if you tell them stuff you
judge irrelevant, they will probably use it during other interviews,
in order to guess who you are linked to.
--
<THE CIRCLE OF LOST HACKERS> QUESTION: Are the troubles over now?
I hope they will leave me where I am; anyway I won't work for them. I
told a few friends of mine about it and they agreed with me. Their
mind changes over time and government; I highly advise NOT to work
for them unless you know EXACTLY what you are doing (you are a double
agent or something, lol).
--
<THE CIRCLE OF LOST HACKERS> Do you have some advice for hackers in
your country, to avoid being busted, or to avoid having troubles?
Don't have a website, don't release shit, don't write articles, don't do
conferences, don't have a job in the security industry. In short: it's very
hard. If they are interested in the stuff you do and hear about it,
they'll have to meet you one day or another. They will probably just
ask more about what you are doing, even if they have nothing against
you. Don't forget you have the right to refuse an interview and refuse
to answer questions. I do not recommend lying to them, because they
will guess it easily (don't forget information leakage is their job).
I advise all hackers to talk more about feds in their respective
groups because it helps not being fucked. Usually they will tell
you before leaving 'Don't forget, all of this is CONFIDENTIAL'; it is
just their way to tell you 'Okay, thanks, see you next time!'. Don't
be impressed, don't spread information on the net about a particular guy
(targeted hacker, or fed); you'll obviously have troubles because of it,
and it's definitely not the good way to hope for better deals with feds in
the future. To the FEDS: do not threaten hackers and don't put them in jail,
we are not terrorists. Don't forget, we talk about you to each other,
and jailing one of us is like jailing all of us.
<THE CIRCLE OF LOST HACKERS> Thanks, Zac =)
At your service, later.
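Zac's tip in the interview above, marking the CV differently for each recipient so a leaked copy tells you which recipient leaked it, is the same idea as a canary document. The script below is an added example for this article, not code from Phrack or from Zac. It gives each recipient a copy with a distinct combination of innocuous phrasings, records who got which combination, and recovers the recipient from a leaked copy. The CV text, the phrasing slots and the recipient names are constructed for illustration.

```python
"""Per-recipient marking of a document so a leaked copy points back to the
recipient that leaked it. Each recipient gets a copy with a different but
innocuous combination of phrasings; the combination encodes the recipient's
index in a registry.

Added example for this article, not code from Phrack or the interviewee.
The CV text, the phrasing slots and the recipient names are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

TEMPLATE = (
    "Name: J. Doe\n"
    "Phone: {phone}\n"
    "Mail: j.doe@example.invalid\n"
    "Skills: C{sep}Unix{sep}TCP/IP{sep}reverse engineering\n"
    "Interests: {interest}\n"
)

# Each slot is a list of interchangeable phrasings; the index chosen for a
# slot is one digit of a mixed-radix number. Three slots of three give 27
# distinguishable copies. The alternatives must survive copy and paste, so
# they are visible wording differences, not invisible characters.
SLOTS: List[Tuple[str, List[str]]] = [
    ("phone", ["+33 1 23 45 67 89", "+33 (0)1 23 45 67 89", "0033 1 23 45 67 89"]),
    ("sep", [", ", "; ", " / "]),
    ("interest", ["network security research",
                  "network-security research",
                  "research in network security"]),
]

REGISTRY: Dict[int, str] = {}  # recipient index -> who received that variant


def capacity() -> int:
    n = 1
    for _, alts in SLOTS:
        n *= len(alts)
    return n


def render(index: int) -> str:
    """Document variant number `index`, written as mixed-radix slot choices."""
    if not 0 <= index < capacity():
        raise ValueError("index outside slot capacity")
    doc, n = TEMPLATE, index
    for name, alts in SLOTS:
        doc = doc.replace("{" + name + "}", alts[n % len(alts)])
        n //= len(alts)
    return doc


def issue(recipient: str) -> str:
    """Register a recipient and return the copy to send them."""
    index = len(REGISTRY)
    REGISTRY[index] = recipient
    return render(index)


def _build_pattern() -> "re.Pattern[str]":
    """Regex for the template with each slot as a named alternation; a slot
    used more than once becomes a backreference after its first use."""
    slots = dict(SLOTS)
    seen, parts = set(), []
    for piece in re.split(r"(\{[a-z]+\})", TEMPLATE):
        name = piece[1:-1]
        if piece.startswith("{") and name in slots:
            if name in seen:
                parts.append(f"(?P={name})")
            else:
                seen.add(name)
                alts = "|".join(re.escape(a) for a in slots[name])
                parts.append(f"(?P<{name}>{alts})")
        else:
            parts.append(re.escape(piece))
    return re.compile("".join(parts))


PATTERN = _build_pattern()


def identify(leaked: str) -> Optional[str]:
    """Recover the recipient from a leaked copy, or None if the text does not
    contain a recognisable variant (retyped or summarised copies defeat this)."""
    match = PATTERN.search(leaked.replace("\r\n", "\n"))
    if match is None:
        return None
    index, weight = 0, 1
    for name, alts in SLOTS:
        index += alts.index(match.group(name)) * weight
        weight *= len(alts)
    return REGISTRY.get(index)


if __name__ == "__main__":
    copies = {r: issue(r) for r in ["Acme Consulting", "Globex", "Initech"]}
    leaked = "Forwarded CV follows.\n\n" + copies["Globex"] + "\nregards"
    print("leak traced to:", identify(leaked))
```

Two practical caveats. The marks only survive as long as the text is copied rather than retyped or paraphrased, so an interviewer who quotes your CV back to you word for word is the case this catches. And the registry is itself evidence of who you sent what to; keep it with the rest of the material you would not want on a machine that might be seized.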
------------------------------------------
Big Brother does Russia
by
ALiEN Assault
This file is a basic description of Russian computer-law-related
issues. Part 1 contains information gathered primarily from
open sources. As these sources are all Russian, the information may be
unknown to those who don't know the Russian language. Part 2 consists
of instructions on computer crime investigation: raid guidelines and
examination of the suspect's system.
0 - DISCLAIMER
1 - LAW
    1.1 - Basic Picture
    1.2 - Criminal Code
    1.3 - Federal Laws
2 - ORDER
    2.1 - Tactics of Raid
    2.2 - Examining a Working Computer
    2.3 - Expertise Assignment
--[ 0.DISCLAIMER.
INFORMATION PROVIDED FOR EDUCATIONAL PURPOSES ONLY. IT MAY BE ILLEGAL
IN YOUR COUNTRY TO BUST HACKERS. IT MUST BE ILLEGAL AT ALL. THERE ARE
BETTER THINGS TO DO. EXPLORE YOURSELF AND THIS WORLD. SMILE. LIVE.
--[ 1. LAW.
----[ 1.1. Basic Picture.
Computer-related laws are very rough drafts and poorly describe what
they are about. It seems that these are simply rewritten instructions
from 60's *Power Computers* that took a truck to transport.
Common subjects of lawsuits include carding, phone piracy (mass
LD service theft) and... hold your breath... virus-infected
warez trade. Russia is a real warez heaven: you can go to about
every media shop and see lots of CDs with warez, and some even have
"CRACKS AND SERIALS USAGE INSTRUCTIONS INCLUDED" written on the front
cover (along with "ALL RIGHTS RESERVED" on the back)! To honour the pirates,
they include all the .nfo files (sometimes from the 4-5 BBSes the warez was
couriered through). It is illegal but not prosecuted. Only if the
warez is infected (and some VIP bought it and messed his system up)
do shop owners face legal problems.
Hacking is *not that common*, as the cops are rather dumb and mostly bust
script kiddies for hacking their ISPs from home or sending your
everyday trojans by email.
There are three main organisations dealing with hi-tech crime:
FAPSI (Federal Agency for Government Communications and Information,
a mix of FCC and secret service), UKIB FSB (hi-tech feds; stands for
the department of computer and information security) and UPBSWT MVD
(hi-tech crime fightback dept.), which incorporates the R unit (R for radio;
it busts ham pirates and phreaks).
The FSB (secret service) also runs NIIT (IT research institute).
This organisation deals with encryption (reading your PGPed mail),
examination of malicious programs (revealing Windoze source) and
restoration of damaged data (hex-editing saved games). NIIT is believed
to possess all seized systems, so they have the tools to do the job.
UPBSWT has a set of special operations called SORM (operative
and detective measures system). The media describe this as an
Echelon/Carnivore-like thing, but it also monitors phones and
pagers. The cops claim that SORM is active only during major criminal
investigations.
----[ 1.2. Criminal Code.
Computer criminals are prosecuted according to these articles of the Code:
- 159: Fraud. This is mostly what carders have to do with, accompanied by
caught-in-the-act social engineers. Punishment varies
from a fine (minor, no criminal record) to a 10-year prison term
(organized and repeated crime).
- 272: Unauthorized access to computer information. An easy case will end
up in a fine or up to 2 years probation, while an organized or repeated
crime, or one involving "a person with access to a computer, computer
complex or network" (!#$@!), may lead to 5 years imprisonment.
Added to this are weird comments on what information,
intrusion and information access are.
- 273: Production, spreading and use of harmful computer
programs. Sending trojans by mail is considered lame and punished by up
to 3 years in prison. Part II says that "the same deeds that *carelessly*
caused hard consequences" will result in 3 to 7 years in jail.
- 274: Breach of computer, computer complex or network usage rules. This
one is tough shit. In its present, raw and somewhat confused
state this looks, say, *incorrect*. It needs at least a
technically literate person to provide correct and clear
definitions. After those clarifications this could be a useful thing:
if someone gets into a poorly protected system, the admin will
have to take responsibility too. Punishment ranges from loss
of the right to occupy "defined" (defined where?) job positions to a
2-year prison term (or 4 if something got fucked up too seriously).
----[ 1.3. Federal Law.
The most notable subject-related laws are:
"On Information, Informatization and Information Security"
(20.02.95). The 5 chapters of this law define /* usually not
correctly or even intelligently */ various aspects of information and
related issues. Nothing really special or important: civil rights
(nonexistent), other crap, but it still has publicity (due to its weird
and easy-to-remember name, I suppose) and about every journalist covering
ITsec pastes this name into his article, for a serious look maybe.
"National Information Security Doctrine" (9.9.2K) is far more
interesting. It will tell you how dangerous the Information Superhighway
is, and this isn't your average mass-media horror story: it's
the real thing! The reader will learn how hostile foreign governments are
busy implementing some k-rad mind control tekne3q to gain r00t on
your consciousness; undercover groups around the globe are engaging in
obscure infowarfare; unnamed but almighty worldwide forces are also about
to control information... ARRGGH! PHEAR!!!
{ALiEN special note: That's completely true. You suck, Terrans. We'll
own your planet soon and give all of you a nice heavy industry job}.
Liberal values are covered too (the message is BUY RUSSIAN). Also there are
some definitions (partly correct) on ITsec issues.
"On Federal Government Communications and Information" (19.2.93,
patched 24.12.93 and 7.11.2K). Oh yes, this one is serious. Everyone
is serious about his own communications; what can I say? The main message
is "THOSE RESPONSIBLE WILL BE FOUND. OTHERS KEEP ASIDE".
An interesting entity defined here is the Cryptographic Human Resource,
a special unit of highly qualified crypto professionals which must be
founded by FAPSI. To be in the Cryptographic Human Resource is to serve
wherever you are, retired or anything.
Also covered are the rights of government communications personnel. They
have no right to engage in or support a strike. Basically they have
no right to fight for their rights. They don't have a right to publish or
to tell the mass media anything about their job without prior censorship
by upper-level management.
Cryptography issues are covered in "On Information Security
Tools Certification" (26.6.95 patched 23.4.96 and 29.3.99) and "On
Electronic Digital Signature" (10.2.02). Not much to say about. Both
mostly consists of strong definitions of certification procedures.
--[ 2. ORDER.
----[ 2.1. Tactics of Raid.
Gathered information is necessary for a successful raid. The tactics of
the raid depend strongly on previously obtained information.
It is necessary to define the time for the raid and the measures needed
to conduct it suddenly and confidentially. If there is information that
the suspect's computer contains criminal evidence, it is better to begin
the raid when the chance that the suspect is working on that computer
is minimal.
Consult with specialists to define what information could be stored
in a computer and have adequate equipment prepared to copy that
information. Define all measures to prevent the criminals from
destroying evidence. Find raid witnesses who are familiar with computers
(basic operations, program names etc.) to exclude the possibility of
the raid results being presented as erroneous in court. The specifics
and complexity of handling computer equipment cannot be understood by
the illiterate, and this may destroy the investigator's efforts to
strengthen the value of the evidence. A witness's misunderstanding of
what goes on may make the court discard the evidence.
Depending on the suspect's qualifications and professional skills,
pick a computer professional to involve in the investigation.
On arrival at the raid point it is necessary to enter fast and
suddenly, to drive the possibility of destruction of computer-stored
information to a minimum. When possible and reasonable, the raid
point's power supply must be turned off. (Note that cutting the power
also wipes any virtual drive of the kind section 2.2 says to copy, so
the two steps must be weighed against each other.)
Don't let anyone touch a working computer or floppy disks, or turn
computers on and off; if necessary, remove raid personnel from the raid
point; don't let anyone turn the power supply on and off; if the power
supply was turned off at the beginning of the raid, it is necessary to
unplug all computers and peripherals before turning the power supply
on; don't manipulate computer equipment in any manner that could
produce unpredictable results.
After all the above measures have been taken, it is necessary to
pre-examine the computer equipment to define what programs are running
at the moment. If a data destruction program is discovered active, it
should be stopped immediately and the examination begins with exactly
this computer. If the computers are connected to a local network, it
is reasonable to examine the server first, then the workstations, then
other computer equipment and power sources.
----[ 2.2. Examining a Working Computer.
During the examination of a working computer it is necessary to:
- define what program is currently executing. This must be done by
  examining the screen image, which must be described in detail in the
  raid protocol. Where necessary, it should be photographed or
  videotaped. Stop the running program and record the results of this
  action in the protocol, describing the changes that occurred on the
  computer screen;
- define the presence of external storage devices: a hard drive (a
  winchester*), floppy and ZIP type drives, the presence of a virtual
  drive (a temporary disk created at computer startup to increase
  performance) and describe this data in the raid protocol;
- define the presence of remote system access devices and their current
  state (local network connection, modem presence), after which
  disconnect the computer and modem, describing the results of that in
  the protocol;
- copy programs and files from the virtual drive (if present) to a
  floppy disk or to a separate directory of a hard disk;
- turn the computer off and continue examining it. During this it is
  necessary to describe in the raid protocol and an appended diagram the
  location of the computer and peripheral devices (printer, modem,
  keyboard, monitor etc.), the purpose of every device, name, serial
  number, configuration (presence and type of disk drives, network
  cards, slots etc.), presence of a connection to a local computing
  network and (or) telecommunication networks, and the state of the
  devices (are there traces of opening?);
- accurately describe the order in which the mentioned devices are
  interconnected, marking (if necessary) connector cables and plug
  ports, and disconnect the computer devices;
- define, with the help of a specialist, the presence of nonstandard
  apparatus inside the computer, the absence of microchips, and the
  disabling of an internal power source (a battery);
- pack (describing in the protocol the location where they were found)
  storage disks and tapes. Packaging may be a special diskette tray or
  also common paper and plastic bags, excluding those that do not
  prevent contact of dust (pollution etc.) with the disk or tape
  surface;
- pack every computer device and connector cable. To prevent access by
  unwanted individuals, it is necessary to place seals on the system
  unit - stick adhesive tape over the power button and power plug socket
  and over the mounting details (screws etc.) of the front and side
  panels.
If it is necessary to turn the computer back on during the examination,
startup is performed from a prepared boot diskette, preventing user
programs from starting.
* winchester - obsolete mainstream tech speak for a hard drive. Seems to
be of western origin but i never met this term in western sources. The
common short form is "wint".
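Two steps of sections 2.1 and 2.2 map directly onto a live-response
script: spotting an active data-destruction program (which the procedure
says must be stopped first) and copying the volatile "virtual drive" to a
separate location with a written record of what was taken. The block
below is an added example, not code from the Phrack file or from any
police unit. The process snapshot and the RAM-disk files are constructed
sample data, and the list of wiper names is an assumption chosen for
illustration.

```python
"""Added example, not code from the Phrack file: a small live-response
triage automating two steps of sections 2.1 and 2.2. First, inspect a
process snapshot for an active data-destruction tool. Second, copy a
volatile "virtual drive" (RAM disk) to a safe location, hashing every
file before and after the copy and writing a JSON protocol, the
machine-readable counterpart of the raid protocol. The process snapshot
and source files are constructed; the wiper name list is an assumption."""
import hashlib
import json
import os
import shutil
import tempfile
import time

# Assumed names of common wiping tools; extend for the environment at hand.
DESTRUCTION_TOOLS = {"shred", "wipe", "srm", "dd", "dban", "sdelete"}


def parse_ps(snapshot):
    """Parse lines shaped like `ps -eo pid,comm,args` output into dicts."""
    procs = []
    for line in snapshot.strip().splitlines()[1:]:  # skip the header line
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        procs.append({"pid": int(parts[0]), "comm": parts[1],
                      "args": parts[2] if len(parts) > 2 else ""})
    return procs


def find_destruction(procs):
    """Return processes whose command name is a known wiper. `dd` only
    counts when it writes to a device (of=/dev/...), since dd is also
    used for ordinary copying."""
    hits = []
    for p in procs:
        if p["comm"] not in DESTRUCTION_TOOLS:
            continue
        if p["comm"] == "dd" and "of=/dev/" not in p["args"]:
            continue
        hits.append(p)
    return hits


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_volatile(src_dir, dest_dir, protocol_path):
    """Copy every regular file under src_dir into dest_dir, verify each
    copy by hash, and write a protocol listing what was taken and when."""
    entries = []
    for root, _dirs, files in os.walk(src_dir):
        for name in sorted(files):
            src = os.path.join(root, name)
            dst = os.path.join(dest_dir, os.path.relpath(src, src_dir))
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            before = sha256_file(src)
            shutil.copy2(src, dst)  # copy2 preserves mtime for the record
            entries.append({
                "source": src, "copy": dst, "size": os.path.getsize(src),
                "sha256": before, "verified": sha256_file(dst) == before,
                "copied_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            })
    with open(protocol_path, "w") as f:
        json.dump({"source_dir": src_dir, "files": entries}, f, indent=2)
    return entries


def demo_collect():
    """Build a constructed RAM-disk directory in a temp location, collect
    it, and return the protocol entries."""
    work = tempfile.mkdtemp(prefix="triage_")
    src = os.path.join(work, "ramdisk")
    os.makedirs(os.path.join(src, "tmp"))
    with open(os.path.join(src, "keys.txt"), "wb") as f:
        f.write(b"secret-key-material\n")            # 20 bytes
    with open(os.path.join(src, "tmp", "session.log"), "wb") as f:
        f.write(b"login ok\n" * 1000)                # 9000 bytes
    return collect_volatile(src, os.path.join(work, "evidence"),
                            os.path.join(work, "protocol.json"))


# Constructed sample snapshot: a wiper is running against the RAM disk.
SAMPLE_PS = """\
  PID COMMAND ARGS
    1 init    /sbin/init
  412 bash    -bash
  517 shred   shred -n 3 -z /mnt/ramdisk/keys.txt
  518 dd      dd if=/mnt/ramdisk/img of=/tmp/img.bak
"""

if __name__ == "__main__":
    for p in find_destruction(parse_ps(SAMPLE_PS)):
        print("STOP FIRST: pid %d: %s" % (p["pid"], p["args"]))
    for e in demo_collect():
        print("%s sha256=%s verified=%s" % (e["copy"], e["sha256"], e["verified"]))
```

The hash taken before the copy is what goes into the protocol; the hash of
the copy only confirms the copy is faithful. The `dd` special case shows
why a bare name match is not enough: the same binary is both a copying and
a wiping tool depending on its arguments.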
----[ 2.3. Expertise Assignment.
The assignment of an expert examination (an "expertise") is an important
investigative measure in such cases. The general and most important part
of such an examination is the technical program (computer equipment)
examination. MVD (*) divisions have no experts conducting such
examinations at the current time, so it is possible to conduct them at
FAPSI divisions or to involve adequately qualified specialists from other
organisations.
The technical program examination is to answer the following:
- what information do the floppy disks and system units presented for
  examination contain?
- What is its purpose and possible use?
- What programs do the floppy disks and system units presented for
  examination contain?
- What is their purpose and possible use?
- Are there any text files on the floppy disks and system units
  presented for examination?
- If so, what is their content and possible use?
- Is there destroyed information on the floppy disks presented for
  examination?
- If so, is it possible to recover that information?
- What is that information and what is its possible use?
- What program products do the floppy disks presented for examination
  contain?
- What are their content, purpose and possible use?
- Are there among those programs ones customized for password guessing
  or otherwise gaining unauthorized access to computer networks?
- If so, what are their names, working specifications and possibilities
  of use for penetrating the defined computer network?
- Is there evidence of the defined program having been used to penetrate
  the abovementioned network?
- If so, what is that evidence?
- What is the chronological sequence of actions necessary to start the
  defined program or to conduct the defined operation?
- Is it possible to modify program files while working in the given
  computer network?
- If so, what modifications can be done, how can they be done and from
  what computer?
- Is it possible to gain access to confidential information through the
  mentioned network?
- How is such access gained?
- How was the criminal penetration of the defined local computer
  network committed?
- What is the evidence of such penetration?
- If this penetration involved remote access, what are the possibilities
  of identifying the originating computer?
- If evidence of a remote user intrusion is absent, is it possible to
  point out the computers from which such operations could have been
  done?
Questions may be asked about the compatibility of this or that program,
the possibility of running a program on a defined computer etc. Along
with these, experts can be asked about the purpose of this or that
device related to computer equipment:
- what is the purpose of the given device, its possible use?
- What is special about its construction?
- What parts does it consist of?
- Is it an industrial or a homemade product?
- If it is a homemade device, what kind of knowledge in what fields of
  science and technology does its maker possess, and what is his
  professional skill level?
- With what other devices could this device be used together?
- What are the technical specifications of the given device?
The given methodical recommendations are far from a complete list of
the questions that could be asked in such investigations, but they
still reflect the important aspects of this type of criminal
investigation.
* MVD (Ministry of Internal Affairs) - Russian police force.
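Three of the expert's questions above ("is there destroyed information",
"is it possible to recover it", "what is that information") are answered
in practice by carving: deleted data usually stays on the medium until it
is overwritten, so the examiner scans the raw image for known file
headers and trailers without trusting the filesystem. The block below is
an added example, not the Phrack file's own code. The PNG and JPEG
signature bytes are the real format constants; the "unallocated space"
image, with one intact PNG, one partially overwritten PNG and a minimal
JPEG stub, is constructed here for the demonstration.

```python
"""Added example, not from the Phrack file: signature carving over a raw
image, plus a PNG CRC walk that tells intact recoveries from overwritten
ones. The sample image is constructed."""
import struct
import zlib

# Header/trailer byte signatures for the formats we carve for.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image, max_len=16 * 1024 * 1024):
    """Scan a raw image for header/trailer pairs, ignoring any filesystem
    metadata. Returns records sorted by offset, each carrying its bytes so
    the caller can validate them."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(tail, start + len(head), start + max_len)
            if end < 0:          # header without trailer: skip, keep scanning
                pos = start + len(head)
                continue
            end += len(tail)
            found.append({"type": kind, "offset": start,
                          "length": end - start, "data": image[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def png_intact(data):
    """Walk PNG chunks and check every CRC: a carved file with the right
    header and trailer may still have been overwritten in the middle."""
    if not data.startswith(SIGNATURES["png"][0]):
        return False
    pos = 8
    while pos + 12 <= len(data):
        length, = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if len(body) != length or zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)
    return False


def _chunk(ctype, body):
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def make_png():
    """Constructed 1x1 RGB PNG used as sample evidence."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return (SIGNATURES["png"][0] + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def make_image():
    """Constructed 'unallocated space': an intact PNG, the same PNG with one
    IHDR byte overwritten, and a minimal JPEG stub, separated by zero runs."""
    good = make_png()
    bad = bytearray(good)
    bad[20] ^= 0xFF                      # byte 20 lies inside the IHDR body
    bad = bytes(bad)
    jpg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
    return (b"\x00" * 512 + good + b"\x00" * 100 + bad
            + b"\x00" * 64 + jpg + b"\x00" * 256)


def recover(image):
    """Expert's answer: (type, offset, length, intact) per carved object;
    intact is None where no integrity check is implemented (JPEG here)."""
    out = []
    for f in carve(image):
        intact = png_intact(f["data"]) if f["type"] == "png" else None
        out.append((f["type"], f["offset"], f["length"], intact))
    return out


if __name__ == "__main__":
    for rec in recover(make_image()):
        print("%-3s at offset %6d, %3d bytes, intact=%s" % rec)
```

The CRC walk is the part that matters for the "is it possible to recover"
question: carving alone will happily return the overwritten copy too, and
only a format-level check shows that it is no longer the original file.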
CREDITS
I'd like to mention stiss and the BhS group for their contributions to this file.