CyberSecurity Malaysia | An Agency Under MOSTI

Organizer:

Endorsed by:

People First, Performance Now

Ministry of Science, Technology and Innovation


BRIDGING BARRIERS: LEGAL AND TECHNICAL OF CYBERCRIME CASES

Two Case Studies... a Gradual Evolution

Federal Agent Ross McDonald
Australian Federal Police
6 July 2011



Case Study 1 - Op PROXIMA
•  In March 2005, the AFP received information from the Computer Crime Unit, Belgian Federal Police.
•  In February 2005 a Distributed Denial of Service (DDoS) attack was directed at "several IRC servers of big companies in Belgium". A suspect interviewed divulged the nickname of one of the offenders, “iCER”, and the e-mail address “goawayfeds@hotmail.com”.


Case Study 1 - Op PROXIMA
•  Open source information revealed that “iCER” was also a key organiser of Distributed Denial of Service attacks against Australian and international targets, particularly the Austnet IRC Network.


Investigation
•  A Telephone Intercept Warrant was sworn. Numerous attacks were captured and other offenders identified.


DDoS attacks against servers in the United States, Austria, Singapore and Australia (map slide)



Operation Proxima bots (image slide)



Complexity (image slide)


Demand Email

Subject: [Austnet/Help] I ADVISE YOU TO READ THIS
You have had this coming. All you opers deserve the death penalty. Now unless AustNET controls its lameness, the attacks will continue till AustNET is no longer.

Demands:
1. Kevin does not associate with AustNET administration anymore. He must leave the ASD/OPER department. This applies for medrawt too.
2. Administration of ALL AustNET gets overlooked, and a new access list chart is created. All opers need a channel to all idle in together and discuss matters together. Not 'what Kevin says, goes'.
3. /MSG OperOP list gets updated.
4. www.Austnet.org gets updated. The same thing goes for the box, as it is vulnerable to remote attacks.
5. Remove user 'mark' account from the webmaster.com (website box) as it is compromised (then look for the local compromised vulnerability and then patch it then re-run chkrootkit).
6. Link up at least 2 reliable servers which handle DDOS filtering to prevent further wipeouts / delinkings.
7. Stop G-lining non-wanted users such as bottlers / xdcc's / warez affiliated users/bots. Redirect them to one allowable server if you must.
8. REMOVE ALL GLINES on non compromised hosts that get requested by ALL users.
9. Do not assume who is behind this, as we are spoofing to get the attention off us.
10. Do not follow any of these, and you will remain down until terminated.
After all these demands are followed, email back to above email address with proof of EACH task being met.
This email account cannot be traced, or traced back to the IP that is logged into it. We will only log into the email on the 17th of June at 6PM +GMT and only once then wiped.


Resolution
•  22 March 2006 – AFP/State Police execute five simultaneous search warrants in three States.
•  Giannakis was arrested and his computers seized.


Resolution
•  Bill Giannakis charged under the Criminal Code Act 1995 (Cth):
–  Use telecommunications network with intent to commit a serious offence (s.474.14) x 5 counts
–  Cause unauthorised impairment of electronic communication (s.477.3) x 5 counts
–  Control of data with intent to commit a computer offence (s.478.3) x 5 counts


Aftermath (image slide)


Result
•  It was decided to proceed summarily.
•  Guilty plea to one count of causing unauthorised impairment of electronic communication (s.477.3) covering all attacks.
•  Discharged without conviction.
•  2 year $1,000 good behaviour bond.
•  As Austnet was a not-for-profit organisation, no monetary value could be placed on the offences.


Issues Identified - PROXIMA
•  Unwillingness by victims to provide official statements: fear of online retribution and lack of confidence in the police/court system.
•  Investigative challenges
–  Very resource intensive:
- monitoring and interpretation of Telephone Intercepts;
- analysis of seized items.
–  Lack of experience and case law regarding DDoS attacks: not many previous cases for computer offences.
–  Mutual Assistance Requests were made: results arrived 6 months after sentencing.


Issues Identified - PROXIMA
•  Prosecution challenges
–  Lack of experience amongst prosecutors and the judiciary regarding computer offences: not many previous briefs or cases for many computer offences, hence very little case law.
–  Not always possible to place a monetary value on the effect of an offence.
–  Perception by judges that computer offenders are just ‘naughty boys’, even though they can cost millions.
–  Admission of foreign evidence and offences committed overseas: the MAR (Mutual Assistance Request) process is time consuming.


Case Study 2 - Op CARPO
•  January 2009 - the customer database for a major Australian domain registrar was placed for sale on the internet.
•  Only discovered when an AFP member saw the post whilst monitoring hacking forums.


Case Study 2 - Op CARPO
•  Seller engaged online by an AFP covert operative.
•  Open source enquiries made to identify the seller.
•  Seller identified as Brendan TAYLOR of Perth (23 yrs).
•  Investigators travelled to Perth and executed search warrants at TAYLOR’s work and residence.


Case Study 2 - Op CARPO
•  Upon being arrested, TAYLOR revealed that a 2nd offender (BAKER) was actually responsible for the unlawful access to data.
•  Search warrant executed at BAKER’s residence the same day.
•  Evidence of the database located on computers belonging to both offenders.


Case Study 2 - Op CARPO
•  TAYLOR charged with 1 x Dishonestly Obtain or Deal in Personal Financial Information.
•  TAYLOR was originally to be sentenced to 12 months imprisonment, to serve 4 months.
•  Due to assistance provided against BAKER, this sentence was amended to 12 months imprisonment to be released forthwith, along with a 12 month good behaviour bond with $2,000 surety.


Case Study 2 - Op CARPO
•  BAKER was charged with:
1 x Dishonestly Obtain or Deal in Personal Financial Information; and
1 x Unauthorised Access to Data Held in a Computer.


Case Study 2 - Op CARPO
•  BAKER was sentenced to 18 months imprisonment on each charge, to be eligible for release after 6 months.
•  The court found it a sophisticated, deliberate and planned course of events.
•  The judge noted the difficulty of proving computer crime offences and the need for both general and specific deterrence.


A Gradual Evolution
•  Prosecutors and the judiciary are becoming more familiar with the concepts and terminology used in tech-enabled crime.
•  As more offenders are prosecuted both in Australia and internationally, the crime type is slowly losing its aura of mystery.
•  Non-specialist police are becoming more confident in prosecuting computer offences; the AFP is providing training to all officers.


A Gradual Evolution
•  Victims are more willing to make complaints and provide statements.
•  Almost a “carnival atmosphere” amongst the hacking community for PROXIMA... not so for CARPO.
A long way to go... but we’re slowly getting there.


How we see the world (image slide)


How it really looks online (image slide)


Questions...