2007-04-01
Abstract
The recent Julie Amero court case has raised a number of concerns regarding computer security, investigation and liability. Who is responsible when a person uses a computer that is infected with malicious software? Can the user be liable even when unaware of the infestation? Can the user be liable even if they do not own or control the computer? Patrick Knight considers what is needed to achieve justice in the digital age.
Copyright © 2007 Virus Bulletin
By now many of you will have heard of the court case involving the Norwich, Connecticut, substitute teacher Julie Amero (see VB, March 2007 p.12). She was convicted on 7 January on four counts of ‘risk of injury to a minor, or impairing the morals of a child’ after a malware-infested classroom computer that she was using displayed a barrage of porn-related pop-up windows.
In October 2004, Amero was called in to substitute for a seventh-grade Language Arts class. Reports of the case indicate that a computer in the classroom, which was running Windows 98 with Internet Explorer 5, was used by Amero to browse the Internet and to check email. At some point a website related to hairstyles was accessed either by the teacher or by students. The website contained code that caused a flood of porn-related pop-ups which the teacher could not control. The prosecution in the case claimed that Amero had ‘physically clicked’ on porn links to cause the pop-ups, which then exposed the children to adult pornography.
Further reports from the trial indicate that the prosecution suppressed critical evidence that would have mitigated the case against her. The forensics investigator for the prosecution admitted that he had not scanned the computer’s hard drive for malicious software. The defence hired an independent computer forensics investigator who found several malicious code samples, including code within the hairstyle web page which caused the porn pop-ups. Unfortunately, the jury was not presented with much of this evidence because the defence had failed to bring up the topic of malware during the trial’s discovery phase.
Testimony also pointed out that since Amero had no credentials to log onto the computer, the regular teacher had logged on with his own credentials and instructed her not to turn off the computer as she would be unable to log back in. This was the reason she gave for not having turned the computer off as a means to protect the children from exposure to porn.
Some serious questions were raised during the trial: why was the teacher accessing her own email from school? Was she browsing the Internet during class time when she should have been teaching? Why did she not do more to shield the children from viewing the images? Who actually accessed the hairstyle website: Amero or a student? All of these are valid questions that demand answers.
In the end, based on the evidence presented during the trial, a jury of Connecticut citizens decided that a 40-year-old female substitute teacher who was four months pregnant had actively surfed the Internet for pornography during class time. Evidently the jury found this to be more believable than a much more difficult explanation involving malicious software, outdated security products, and other computer forensics mumbo jumbo.
The Amero case has raised a number of concerns regarding computer security, investigation and liability. Who is responsible when a person uses a computer that is infected with malicious software? Can the user be liable even when unaware of the infestation? Can the user be liable even if they do not own or control the computer?
We live in a world where technology is the tool of choice for criminals who want to make money at any cost. The malicious software industry is out to make money and those behind it do not care whose lives are destroyed in the process.
Who is pursuing the author of the website that injected code to cause the pop-ups on the computer in Ms Amero’s classroom? Why is this person not liable? What is the liability of the school district that chose to use old computers running outdated content filters and outdated anti-virus software? Does the school district have any responsibility to protect the teachers and students from this type of prosecution by providing safeguards? What about the responsibility of the manufacturer of the web browser to protect users from these types of threats?
The power to legislate and prosecute these crimes is placed in the hands of people who, generally, have no clue about the technology involved. In July 2006 US Senator from Alaska, Ted Stevens, famously described the Internet as a ‘series of tubes’ and later went on to say: ‘[I] just the other day got an Internet ... sent by my staff at 10 o’clock in the morning on Friday and I just got it yesterday [sic].’ Statements like these might be considered laughable if Stevens were not the Chairman of the US Senate Committee on Commerce, Science, and Transportation – which oversees legislation concerning, among other things, interstate commerce, science, technology and telecommunications (e.g. the Internet). From his statements we must presume that he is in no way qualified to make critical decisions regarding technology, and that in order for him to make informed decisions regarding Internet issues he must rely on well-financed lobbyists who have traditionally demonstrated their lack of concern for the greater good.
Criminal prosecutors are no more equipped to discern how technology can be manipulated in a criminal case. Complicating this are methods used by computer forensics investigators who are well trained in file system forensics, but who are not always trained to look for and analyse malicious software. Many computer forensic investigations include some form of virus scan of the digital data in question. However, if the virus scan does not identify an infection the evidence is submitted as ‘clean’. In fact, a result of ‘nothing found at this time’ might be more accurate. This type of result can easily be manipulated by prosecutors to effectively rule out the possibility of the presence of malicious software.
More and more criminal trials include evidence that requires some sort of computer forensics examination even if the digital information is not the central theme of the trial. Take the 2004 trial of Scott Peterson, who was convicted of killing his wife and unborn son in 2002. The Petersons’ home computer was examined for any evidence regarding the disappearance of his wife. Evidence of web browsing was found on the computer. The browsing activities reportedly took place after the time at which police believed Mrs Peterson had disappeared, thus presenting the investigation timeline with a question of whether she was, in fact, still at home or whether Scott was browsing the web after her disappearance. The computer evidence was minor considering the mountain of DNA evidence and other physical evidence against Peterson, but computer investigation was necessary to complete the criminal investigation. If this were another case with an innocent defendant, legal fees including the cost of a computer forensics investigation would surely mount.
Let’s examine another hypothetical, but realistic, scenario. Suppose a customized trojan infects a PC and deletes, alters or plants email evidence that is somehow used to incriminate an innocent victim. Only the most sophisticated heuristic virus scanner may be able to detect that this trojan is malicious. If such a malware sample is found, the forensics investigator must be equipped to analyse it. However, with the volume of data involved in most modern computer forensics investigations, it is not unreasonable to expect that the investigator will not analyse such an application if it is not picked up by the virus scanners.
One might expect that additional evidence would likely exonerate the victim. To this, I simply point back to the Julie Amero case. There was such evidence, but a combination of failures from the defence counsel and improper investigations led to a conviction that many believe is false.
We are creating a society where average citizens must live in fear that their personal computer or the computers they use at work can be used for crime or have evidence planted on them that can destroy their life. The culpability is placed on the user, even when they do not own the computer.
For anyone who handles malicious software it is easy to imagine customized applications that are designed to perform a specific job that might otherwise not find their way into the sample collection of an AV company. Customized trojans need not replicate, open back doors or be found by the hundreds to be malicious. How about a trojan designed to alter timestamps on specific files on a file system? If this trojan does not further open an IRC backdoor or mass mail itself to other machines it may never be picked up by an anti-virus scanner. It is not unusual these days to see this type of malicious software used against another individual or company. In fact, the number of customized trojans is growing as targeted attacks become more common.
This raises the bar for anyone whose primary job is to perform computer forensics or otherwise to analyse malicious software. In a world of incomplete legal representation the stakes are high regarding high-tech investigations. Incomplete investigations or poor defence lawyers can stand between acquittal and a prison sentence.
Computer investigations like this are also quite expensive. Some victims will find themselves forced into a situation where it is financially preferable to make a plea deal with prosecutors than to go broke paying for defence costs and risk greater jail time despite being innocent of the charges against them. There are some organizations, though, that will take on pro bono cases and provide computer forensics examinations. One such organization is the Computer Forensic Volunteer Project which provides computer forensics investigation support for people who are unable to pay for expensive investigations.
More and more, computer forensics and malicious software analysis go hand in hand. In fact, many virus analysts also have forensics backgrounds. Many virus analysts in the AV industry already find themselves helping law enforcement authorities take down botnets or spam networks. These tasks require a great deal of time and effort on the part of virus analysts as well as law enforcement personnel to gather and present evidence. This effort illustrates the active battle that the AV industry is waging against the malware industry, which goes beyond the passive battle of malware detection.
Lawmakers and law enforcement authorities are in many ways outdated in their abilities to counter malware threats and to protect innocent people. The response of the AV industry to legal investigations is increasing due to the sheer volume of malicious software and how it is being used by criminals. The anti-virus community is well positioned and well equipped to provide expert testimony in cases that involve computers and to go after the real criminals.