The Ninth Circuit’s decision is certainly inconsistent with the Seventh Circuit’s analysis, to the extent the Seventh Circuit based liability under the CFAA on an agency theory where the servant (the employee) unilaterally aquireed an interest inconsistent with his principle (his employer) the serverant (the employee) lost his right (authorization) to access his employer’s (the principle’s) protected computer. The operative language cited in Citrin (following the Restatement (Second) of Agency §§ 112, 387 (1958): “Unless otherwise agreed, the authority of the agent terminates if, without knowledge of the principal, he acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty to the principal.”

Because the employee in LVRC Holdings was authorized to use the company computer and to access the information, he did not violate the CFAA regardless of his motivation. The opinion most likely would have been different under a slightly different factual scenario. First, if the employer had a policy prohibiting employees from emailing company data to their personal email accounts or requiring employees to return or destroy confidential information upon the conclusion of their employment then the employee would have exceeded his level of authorization regardless of whether his interests were aligned or not aligned with his former employer. In LVRC Holding the employee was authorized to use the company computer and to access the information, he did not violate the statute, under the 9th Circuit’s decision the former employee’s motivation is irrelevant.

I believe the conclusion reached by the 9th circuit and 7th circuit can be rationally reconciled based on the factual differences between the two cases. The Court in Citrin properly reasoned that congress intended that the CFAA should apply to disgruntled employees in certain situations but the 9th circuit’s decision provides a better basis for defining culpability under the CFAA. Courts do not want to engage in mind-games to assess the employee’s intention (or motivation) in order reach a conclusion regarding whether an employee’s conduct violated or did not violate the CFAA

The CFAA was intended to reach:

Attacks by virus and worm writers, on the one hand, which come mainly from the outside, and attacks by disgruntled programmers who decide to trash the employer’s data system on the way out (or threaten to do so in order to extort payments), on the other. If the statute is to reach the disgruntled programmer, which Congress intended by providing that whoever “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage” violates the Act, 18 U.S.C. § 1030(a)(5)(A)(ii)attacks by virus and worm writers, on the one hand, which come mainly from the outside, and attacks by disgruntled programmers who decide to trash the employer’s data system on the way out (or threaten to do so in order to extort payments), on the other. If the statute is to reach the disgruntled programmer, which Congress intended by providing that whoever “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage” violates the Act, 18 U.S.C. § 1030(a)(5)(A)(ii).

However, the CFAA cannot become a catchall basis for finding criminal and/or civil liability in the absence of other relevant legal authority.

          

9th Circuit Decision in LVRC Holdings Rejects 7th Circuit’s Holding in Citrin Based on a Motivation Theory of Liability Under the Computer Fraud and Abuse Act originally appeared on Law Blog 2.0 on September 18, 2009.

a.    Take immediate action to stop the incident from continuing or recurring.

b.    If the incident does not involve the loss of confidential information or have other serious impacts to individuals IT should repair the system, restore service, and preserve evidence of the incident.

c.    If the incident involves the loss of confidential information or critical data or has other potentially serious impacts, you should consult with your general counsel or your legal counsel for guidance under applicable federal and state laws.

e.    File a Security Incident Report including a description of the incident and documenting any actions taken thus far.

f.     Refrain from discussing the incident with others until a response plan has been formulated.

g.    Repair the system and restore service.

h.    Preserve evidence of the incident.

Did a reportable security breach occur?

Some factors to consider when evaluating a potential security breach.

When determining whether or not acquisition has actually or is reasonably believed to have occurred, on should consider, at a minimum, the following indicators:

1. The information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other devices that have the capability of containing information, or such as a misdirected electronic mail transmission received and opened by an unauthorized person containing notice-triggering information.
2. The information has been downloaded or copied (e.g., any evidence that download or copy activity has occurred which may require forensic analysis);
3. The attacker deleted security logs or otherwise “covered their tracks”;
4. The duration of exposure in relation to maintenance of system logs or in cases of an inadvertent or unauthorized Web site posting;
5. The attack vector is known for seeking and collecting personal information;
6. The information was used by an unauthorized person, such as instances of identity theft reported or fraudulent accounts opened.

Appropriate Incident Handling Procedures Are Key.

DOs

1. Immediately isolate the affected system to prevent further intrusion, release of data, damage, etc.
2. Use the telephone to communicate. Attackers may be capable of monitoring email traffic.
3. Immediately notify your security incident response team.
4. Activate all auditing software, if not already activated.
5. Preserve all pertinent system logs, e.g., firewall, router, and intrusion detection system.
6. Make backup copies of damaged or altered files, and keep these backups in a secure location.
7. Identify where the affected system resides within the network topology.
8. Identify all systems and agencies that connect to the affected system.
9. Identify the programs and processes that operate on the affected system(s), the impact of the disruption, and the maximum allowable outage time.
10. In the event the affected system is collected as evidence, make arrangements to provide for the continuity of services, i.e., prepare redundant system and obtain data back-ups. To assist with your operational recovery of the affected system(s), pre-identify the associated IP address, MAC address, Switch Port location, ports and services required, physical location of system(s), the OS, OS version, patch history, safe shut down process, and system administrator or backup.

DON’Ts

1. Delete, move, or alter files on the affected systems.
2. Contact the suspected perpetrator.
3. Conduct a forensic analysis.

Other Considerations

1. Collect information for each server, router, switch, and Data Service Unit (DSU) including:
   • IP address
   • Media Access Control (MAC) address
   • Switch Port location (switch name and port number)
   • Port assignment
   • Ports and services are required
   • Statement that all other unneeded ports and services are closed and/or removed
   • Responsible system administrator and backup
   • Physical location of server
   • Physical security implemented
   • Emergency contact information (both technical and user management)
   • OS/Version/Patch history
   • Systems supported, impact of outage, and maximum allowable outage (MAO)
   • Shutdown script (if applicable)
   • Recovery process
2. Identify all external connections, assess the need for the connections, the security risk to each connection, and any recommended safeguards or strategies.
3. Provided an adequate security message and warning banner on your system.
4. Implement a keystroke monitoring program.
5. Does personal information reside on, or is it transmitted through the affected system (as defined by federal and/or state security breach notification statutes)?

Steps to Minimize Potential Liability

1. Review physical and electronic access by employees and investigate abnormal activity in ALL computing environments.
2. Review system administrators, field accounts, and special access rights for appropriate access levels.
3. Ensure that systems are always backed up and the data is securely placed in an offsite location. Periodically conduct data restore tests.
4. Ensure that current anti-virus protection software and upgrades are installed, operational, and monitored. In addition, schedule routine virus scans on servers and desktops.
5. Remove sensitive information from websites.
6. Limit the size and manage the type of email attachments that can be received (certain systems allow you to disable executable files).
7. Keep the IT Operational Recovery Plan (ORP) and Business Continuity Plan (BCP) up-to-date, tested, and ready for implementation.
8. Establish security accountability for any and all users at appropriate levels.
9. Improve security on access to critical assets and facilities with technology environments.
10. Remove unnecessary services on routers, ports, servers, and network devices.
11. Trace or monitor the necessary services.
12. Designate an Information Security Officer (ISO) who shall report to the Director of the department or designee. The ISO shall not report to the Chief Information Officer (CIO).
13. Continuously educate management on the priority of security and the security risks associated with Information Technology.
14. Install warning banners at the login process for access to all state systems and applications.
15. Increase user awareness in security by continuously enhancing technology use policy such as “non-personal use of email.”
16. Verify that software updates and patches are continuously installed on a timely basis to operating systems and applications. Be wary of standard software installations. These installations often include services or features which you do not use and do not update.
17. Ensure that current anti-virus protection software and upgrades are installed, operational, and monitored.
18. Improve or remove user accounts with weak passwords, default or built-in passwords, old passwords, or no passwords. All accounts must have passwords and passwords should be complex and difficult to guess.
19. Require use of passwords containing alpha-numeric-special character combinations. Passwords should expire after a set period of time and employ a password history to prevent repeated passwords.
20. Ask if you have a policy which cancels log-ins/passwords when employees leave your organization. If so, verify that the policy is enforced.
21. Implement intrusion detection, provide monitoring on critical information systems, such as maintaining system logs on write only CDs.
22. Restrict non-business use of e-mail.
23. Review your remote access procedures and policies. Who is granted access? How is it monitored? If virtual private network (VPN) access is provided, have minimum security standards been established for the remote computer? How is this verified?
24. Enforce a policy regarding Internet use (viruses such as Trojan Horses can be introduced by visiting websites).
25. Restrict use of chat room software, AOL Instant Messenger, IRC Chat, ICQ Chat, (viruses can be introduced by visiting chat rooms).
26. Maintain a firewall between your system and any untrusted system (Internet connection).

Recommended Resources

NIST Special Publication 800-61 (Rev. 1)(Mar 2008    ) Computer Security Incident Handling Guide (available at http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf).
NIST Special Publication 800-86(Aug 2006) Guide to Integrating Forensic Techniques into Incident Response (available at http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf).
NIST Special Publication 800-83(Nov 2005) Guide to Malware Incident Prevention and Handling (available at http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf).

          

Evaluating Secutiy Incidents — Security Incident DOs and DON’Ts originally appeared on Law Blog 2.0 on September 8, 2009.

Aggressive E-Discovery

The references to the use or misuse of this "e-mail system" in paragraph 4 could reasonably be interpreted to refer only to the company's work-based system and not to an employee's personal private email account accessed via the company's computer.

<noscript> <META HTTP-EQUIV=Refresh CONTENT="0; URL=/ym/login?nojs=1"> </noscript>

          

Analysis of Former Employee’s Laptop Can Raise Privilege Issues originally appeared on Law Blog 2.0 on July 10, 2009.

Going to Court to force an ISP to disclose the identity of anonymous blogger raises many legal road blocks including issues of First Amendment rights. For example,

On June 13, 2007, the New Jersey Township of Manalapan filed a malpractice suit against its former attorney Stuart Moskovitz, alleging misconduct regarding the Township’s purchase of polluted land in 2005. The decision to file suit was met by a lively debate in the regional press and among local bloggers. One blogger who was particularly critical of the Township, of this and other decisions, was Blogspot blogger “datruthsquad”

(http://www.eff.org/cases/manalapan-v-moskovitz).

Long story short the Township lost, a copy of Electronic Freedom Foundation’s (“EFF”) motion squash is available here motiontoquashmpa-signed; and the Court order squashing the subpoena is available here order-122107.  However, there may exist an alternative method for “unmasking” anonymous bloggers, cyber-stalkers, etc. using public information.  Everyone has a unique writeprint (basically a written fingerprint that can be used to identify him or her).  This technique s has traditionally been used to identify the true author of a text (e.g. a book) where authorship is disputed or unknown. Forensics linguistics has been used to provide evidence in trademark disputes cases, identifying the author of anonymous texts (such as threat or harassment letters), and identifying cases of plagiarism. The identification process relies on the analysis of an individual’s particular patterns of language use (vocabulary, collocations, pronunciation, spelling, grammar, etc.). The term “idiolect” is defined as the speech patterns of a specific person (a dialect, unique in pronunciation, grammar, and vocabulary to a single person). Stylistic features can be used to create a fingerprint of an individual’s writing style (a linguistic fingerprint is called a “writeprint”). A writeprint is composed of features that represent an author’s writing style, which are consistent across all of an individual’s writings. For a gentle introduction, see Digital fingerprints: tiny behavioral differences can reveal your identity, by Julie Rehmeyer in the January 13, 2007 issue of Science News (Westlaw cite 2007 WLNR 2239738).

Email identification is a unique subset of authorship identification. When identifying authorship of anonymous emails, the following considerations have been noted:

• The identification of an author is usually attempted from a small set of known candidates; and

• Other evidence in the form of e-mail headers, e-mail trace route, e-mail attachments, time stamps, or other independent evidence is often used in conjunction with linguistic analysis to establish the identity of the author.

Two studies (both funded by security related government agencies) have applied forensic linguistics to the identification of the authorship of anonymous emails. (See A. Anderson, M. Corney, O. de Vel, and G. Mohay; Identifying the Authors of Suspect E-mail, Communications of the ACM, 2001 (available at eprints.qut.edu.au/archive/00008039/01/8039.pdf); see also Jiexun Li, Rong Zheng, Hsinchun Chen; From Fingerprint to Writeprint, Communications of the ACM (April 2006)).

Characteristics of an email that are relevant in establishing authorship include:

• Composition and writing, such as particular syntactic and structural layout traits;

• Patterns of vocabulary usage;

• Unusual language usage (e.g., converting the letter “f” to “ph”); and

• The excessive use of digits or upper-case letters.

Id.

These studies have found that a dataset of available e-mail used to conduct an evaluation ideally should include about 50 emails per author where each author’s emails include in total approximately 12,000 words. Id. However, other studies have shown that a total of 20 documents for each author are adequate to achieve sufficient accuracy for purposes of authorship identification of an unknown email if additional independent corroborating features are also available. Id. One study, focusing on knowledge acquisition within an organization (for purposes of maintaining institutional knowledge which is lost when an employee leaves an organization) found that email text analysis was superior to a content matter based approached in identifying subject matter expertise within an organization. Campbell, Christopher S.; Maglio, Paul P; Cozzi, Alex; and Dom, Bryon, Expertise Identification using Email Communications, IBM Almaden Research Center (ACM © 2003). Moreover, this study finds a small number of emails sufficient to identify a subject matter expert within an organization. Id.

The literature has found the following stylistic features relevant in describing an individual’s dialect:

• Number of blank lines/ total number of lines;

• Average sentence length;

• Average word length (number of characters);

• Vocabulary richness: (distinct words (V) / total number of words (M));

• Total number of function words (Conjunctions, prepositions, and articles) / total number of words;

• Total number of words three letters or less: all, at, his;

• Hapax legomenon / total number of words (hapax legomenon is a word which occurs only once in the text);

• Hapax legomenon/ total number of unique words;

• Total number of characters in words/ total number of characters in the body of the email (C);

• Total number of alphabetic characters in words/ total number of characters in the body of the email (C);

• Total number of upper case characters in words/ total number of characters in the body of the email (C);

• Total number of digit characters in words/ total number of characters in the body of the email (C);

• Total number of white space characters/ total number of characters in the body of the email (C);

• Total number of space characters/ total number white space characters; and

• Total number of tab spaces/ total number of characters in the body of the email (C).

To date there is only one application publicly available for performing authorship analysis of emails. This application is a python script called Unmask. The application was presented at a computer security conference in 2002 to demonstrate the ease with which stylistic patterns could be used to identify authorship and demographic information of an author using only the text of an email or IRC chat session log. Unmask has been used by forensic examiners for the last few years to identify the authorship of unknown emails with a high degree of accuracy (depending on the stylistic features used). Accuracy ranges between 97.85% and 99.01%. Unmask identifies the author of anonymous email text by analyzing select stylistic features and matching properties of the anonymous text with a known email text. Unmask does not use all the listed stylistic features. A summary of features recognized by various researchers has been compiled for reference purposes. The stylistic features detailed above can also be used to classify emails based on the geographical origin of the author, gender, age, occupation, and sexual orientation.

Unmask is available at http://www.immunitysec.com/downloads/unmask1.0.tar.gz. Unmask was developed by Dave Aitel, who currently is CTO of Immunity Security.¹ Unmask was written soon after Dave Aitel’s departure from the National Security Agency where he worked for six years. Similar tools are known to be in use by the Federal Government for purposes of identifying terrorists and other criminals: these tools are not publically available. By compounding it he expands the differences between different people. The more you match, the more an individual score will increase, however, this is not a linear function. There are some really obvious words, like “a”, “the”, “I”, and “an” that a hypothetical email user will use, and thus common doubles. The frequency of triples is significantly less frequent. Punctuation

Relatively minor differences between the raw scores for two hypothetical test users may reflect significant differences in the likelihood of a match. For example Jane may have a raw score of 20 and John a raw score of 18 and John when identifying an unknown email compared against each users known sample emails. Jane compared against John shows that John’s score is ninety percent that of Jane. Numerous, normal, stylistic similarities between Jane and John will result in their scores hitting a local minimum value that reflects these “normal” stylistic similarities. Beyond this local minimum value unusual and unique stylistic features become a factor (the relative magnitude of these differences are significantly smaller as compared to normal stylistic similarities) accordingly these few matches reflect an exponentially difference in the quality of the match. Accordingly, a 10% relative difference in raw score may potentially equate to a 99% match for Jane and 10% (or less likelihood) of a match for John, even though Jane and John share styles are objectively very close to each-other.

Some unique features of the matching algorithm should be carefully considered when evaluating the quality of a given match:

• Two hypothetical users, with a strong command of English that use a lot of articles, prepositions and conjunctions where there is little bias of either user toward a given combination of words, the more significant small variations become;

• Individuals with a limited vocabulary will have their stylistic features padded by less common words, and generally by default will match less well, accordingly, the likelihood of error is significantly higher where comparing an anonymous email against a universe of potential email users some of which have a good command of English and other users who have a limited English vocabulary. However, users with a limited command of English will likely have stylistics variations that are indicate of their demographic group or nationality; and

• Unique words have been to shown to be strongly correlated to a given user. However, the Unmask algorithm may not match long and/or odd word combinations especially where the sample size for a given library of emails for a given user test case becomes extremely large. Nevertheless the matching algorithm should not be significantly affected with emails because emails are relatively short (opposed to other types of written texts) and where the total sample size of 12,000 words among all emails for a given user is maintained.

Figure 1 – Functions Words (Prepositions, Articles, and Conjunctions Are Distinctive Features)

The few courts that have addressed the issue over the last century have generally found linguistic stylistic features to be admissible evidence:

• In the Matter of the Estate of Violet Houssien, 3AN-98-59 P/R, Superior Court for the State of Alaska(1999)(available at http://www.touchngo.com/sp/html/sp-5496.htm), Court held that the disputed will was not authored by the decedent but by the Appellants [or at their direction].

• In the Matter of the Appeal of Amarjit Saluja, 30082 and 94-16 (1994 California State Personnel Board)(available at http://www.spa.ca.gov/spblaw/pdsindex.htm), the Court found that employee authored anonymous letters that harmed other employees.

• In United States v Larson, 596 F2d 759 (CA8 Minn. 1979), the court held that the jury in a criminal prosecution had been properly permitted to consider evidence showing that one ransom note contained three separate misspellings of “approach” as “approuch,” while a letter known to be written by the accused also contained the same misspelling.

• In Josephs v Briant, 115 Ark 538, 172 SW 1002 (Ark. 1914), court allowed evidence of spelling peculiarities, as well as syntactical peculiarities, to establish authorship of a document.

• In Bartholomew v Walsh, 191 Mich. 252, 157 NW 575 (Mich. 1916), evidence of punctuation characteristics and technical typing characteristics were found admissible.

• In Re Cravens’ Estate, 206 Okla. 174, 242 P2d 135 (Okla. 1952), the court allowed evidence of distinctive punctuation technique along with other typing characteristics to show that a purported testator had not typed certain portions of a disputed will.

Over the last 25 years, with the evolution of more advanced statistical methods and algorithms to identify authorship of a document, this type of evidence has not been challenged. Statistical methods of evaluating the authorship of an article are distinct from traditional literary theory (which in at least one researcher’s opinion is not sufficient to satisfy a Daubert challenge). See C. Chaski., A Daubert-inspired assessment of current techniques for language-based author identification, Technical Report, US National Institute of Justice, 1998 (available at www.ncjrs.org). Writeprinting authors using stylistic features is a new method to combat cybercrime where law enforcement or victims of cybercrimes can use a criminal’s own anonymous emails, blog entries and IRC chat sessions as evidence of their illegal conduct.

          

Fingerprinting (Writeprinting) Text Using Stylistic Features Can Be Used To Accurately Identify the Authorship of Anonymous Emails, Blog Entries and IRC Chat Sessions originally appeared on Law Blog 2.0 on June 20, 2009.

When the File Investigator TOOLS product (http://www.forensicinnovations.com/fitools.html) finds encrypted files, it reports the type of encrypted file and, when possible, what encryption algorithm is used. While some encrypted files can’t be narrowed down to a specific application, just knowing that they are encrypted can be important. In a legal case, knowing that potential evidence is encrypted and intentionally hidden can provide the leverage to entice the encryption key from the owner or show the court intent to conceal evidence. Employers can use this tool to catch employees hiding data on company computers and potentially collecting intellectual property. This technology is also available to our business partners and as a licensed API. For further details, and a discussion on this topic, visit the Innovations Blog, http://www.forensicinnovations.com/blog.

The product has three operating modes, and the SDK (application interface) can be licensed and used in programs that run on Windows, Unix, and Linux.  There is a demo version is limited to 100 files.  The licensed version will identify 30,000 files. There is also a command line DOS type interface. The product identifies over 100+ fields. (See the table below).

The screen shots below shows the two interfaces.

fiwdir \? Command Line Options

Windows Interface

In addition to identifying the above fields of metadata it appears this tool can also be populated with data from the NIST NSRL database.   The National Software Reference Library (NSRL) collects software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS is a collection of digital signatures of known, traceable software applications. There are application hash values in the hash set which may be considered malicious, i.e. steganography tools and hacking scripts.  Other hashes can be found in the haskeeper database.

.

Fields Identified

          

File Identification Tool — Good Product for Identifying Encrypted Files. originally appeared on Law Blog 2.0 on May 20, 2009.