Case Of Nicodemo V. Usa

  • Uploaded by: Arif Zina
  • April 2020



RESEARCH ASSIGNMENT

British Columbia Institute of Technology

Case of Nicodemo S. Scarfo V. USA

NAME:

Arif Zina

email:

[email protected]

DATE:

Nov 30, 2006


Table of Contents

Introduction ---------------------------------------------------------------- 3
Description of the broken applicable laws ------------------------------- 3
Description of the crime -------------------------------------------------- 3
Tools, Techniques and Technologies used --------------------------------- 4
PGP encryption technique ------------------------------------------------- 4
The Key Logger System ----------------------------------------------------- 6
Definition of terms --------------------------------------------------------- 6
How the crime was detected, investigated and prosecuted --------------- 7
Legal issues involved in retrieval of evidence --------------------------- 8
Privacy issues raised ------------------------------------------------------- 9
Comparison with other cyber-crimes and techniques --------------------- 10
Conclusion ------------------------------------------------------------------ 11
Bibliography ---------------------------------------------------------------- 12

Case of Nicodemo S. Scarfo V. USA

Introduction

Computer crime can broadly be defined as criminal activity involving the information technology infrastructure, including illegal access (unauthorized access), illegal interception (by technical means of non-public transmissions of computer data to, from or within a computer system), data interference (unauthorized damaging, deletion, deterioration, alteration or suppression of computer data), systems interference (interfering with the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data), misuse of devices, forgery (ID theft), and electronic fraud.

Description of the broken applicable laws

According to court records, confidential informants told FBI agents in January 1999 that Scarfo and an associate, Andrew Knapik, had been running a sports-betting and loan-sharking operation linked to the Gambino crime family out of a one-room office of a company known as Merchant Services Inc. in Belleville, N.J. It appeared to agents that Scarfo, 35, who had several arrests and convictions on assault, conspiracy and weapons charges, was being groomed to take over the operation from Knapik, who was heading to prison. The two would drive around collecting on bets and loan payments, and when Scarfo was arrested he had more than $6,000 in cash on him, according to court records. Scarfo also would use the Merchant Services office for loan collection, the records said. In the Scarfo case, there were a number of laws that dealt with the crimes he had been accused of. The prosecution had evidence showing that Scarfo had committed illegal gambling, loansharking and other racketeering offenses, which are violations of 18 U.S.C. 371 (conspiracy), 892-94 (extortionate credit transactions), 1955 (illegal gambling business) and 1962 (RICO). Under RICO, the prosecution must be able to show 1) that the defendant committed 2 or more racketeering acts and 2) that the defendant used those acts to accomplish 3 criminal acts tied to business.

Description of the crime

Mr. Scarfo had been under surveillance and investigation for his criminal gambling, loan sharking and other racketeering offenses. Scarfo had been charged with supervising “an illegal gambling business” in violation of state and federal law and with using extortionate loan shark tactics, according to the three-count indictment filed in federal court in June 2000. Scarfo, who had been charged with masterminding a mob-linked loan sharking operation in New Jersey, used his computer and the popular PGP encryption program to shield his computer secrets from prying eyes. In January 1999, agents of the FBI raided the offices of Nicodemo S. Scarfo, a reputed Philadelphia underworld figure, and co-defendant Frank Paolercio, searching for evidence of illegal gambling operations. Armed with a search warrant, the agents searched for and seized files contained on Scarfo’s computer, including a single file called “Factors” that was encrypted using the commercial software PGP (i.e. "pretty good privacy"). PGP employs a hybrid encryption technique, which I will explain in detail later in this report, making it extremely difficult to break. This became problematic for the government, as it was extremely difficult to break this PGP encrypted file and retrieve (usable) evidence. Unable to crack the encryption code without a password, and convinced that the file contained evidence of Scarfo’s illegal activities, the government on May 8, 1999 obtained an order from magistrate judge Donald Haneke authorizing the FBI to install its Key Logging System (KLS) on Scarfo's computer. Agents went back again with a search warrant, placed the key-logging device on his computer, and monitored it for about two months. A seven-page court order authorized the FBI and cooperating local police to break into Scarfo’s first-floor “Merchant Services of Essex County” office as many times as necessary to deploy, maintain, and then remove “recovery methods which will capture the necessary key-related information and encrypted files.” The surveillance ultimately produced the password -- nds09813-050 -- which a source close to the case confirmed was the prison identification number of Scarfo's father. A KLS operates by recording the keystrokes typed on a keyboard. The FBI agents sneaked into Scarfo’s office in Belleville, New Jersey, on May 10, 1999, and installed a keyboard sniffing device, generally known as a key logger, to recover his password when he typed it in. The FBI was able to examine the KLS record obtained from Scarfo's computer and determine his PGP passphrase. The FBI used the passphrase to open the encrypted file, recovered business data, and subsequently indicted Scarfo using information gained through the KLS search.

These illegal activities and illicit businesses conducted by Scarfo were clearly assisted by his computer hardware and the (data encrypting) software installed on it, which prompted law enforcement to conduct a computer crime investigation.

Tools, techniques and technologies used

PGP encryption/decryption technique

The defendant, Scarfo, employed PGP software to encrypt files on his computer. PGP is a commercially available encryption program, and is in fact available free via the internet to individual users. Upon installation on a computer, this program can be configured to use different encryption algorithms, such as DES (Data Encryption Standard), triple DES and IDEA. A person using PGP encryption may encrypt (i.e., encipher or encode) the plain text of his/her files, store those files, and decrypt them. In this way, the PGP user prevents anyone not possessing the appropriate encryption key and key-related information from decrypting (i.e., deciphering or decoding) the file. A user of the PGP program normally creates one public and private key pair (i.e., the keys are associated with each other) for himself. A user’s public key is used in the process of encrypting data such that only the user can decrypt that data using the paired private key. In addition to encrypting files intended merely to be stored on a user’s computer, a PGP user, in conjunction with other PGP users, may use PGP to securely encrypt incoming or outgoing files and/or message files. The user may share his public key with others, who may then send that user files and/or message files which have been securely encrypted by the sender utilizing the intended recipient’s (the user’s) public key. Public and private PGP keys tend to be long strings of computer data typically not capable of being memorized by the users. As a result, a simpler passphrase is used to protect the private key. PGP combines some of the best features of both conventional and public key cryptography: PGP is a hybrid cryptosystem. When a user encrypts plaintext with PGP, PGP first compresses the plaintext. Data compression saves modem transmission time and disk space and, more importantly, strengthens cryptographic security. Most cryptanalysis techniques exploit patterns found in the plaintext to crack the cipher. Compression reduces these patterns in the plaintext, thereby greatly enhancing resistance to cryptanalysis. (Files that are too short to compress or which don't compress well aren't compressed.) See figure 1-1.

Figure 1-1: How PGP encryption works

A session key is randomly generated by the PGP program each time a file is encrypted. The file itself is encrypted with the session key, and the session key is then, in turn, encrypted with the recipient’s public key. In order to decrypt a file encrypted with the user’s public key, the PGP software program calls up a specific and known PGP computer file which displays on the computer screen (via the graphics/video card in the computer) a specific and known graphical user interface “dialog” box. This dialog box acts to visually prompt the user decrypting the file to enter, via the keyboard, the “passphrase” associated with the appropriate “private key”. When the user enters the proper passphrase, PGP verifies that the passphrase is correct and, if so, uses that passphrase to decrypt the private key. This private key is then used to decrypt the session key, which is, in turn, used to decrypt the selected file. Therefore, in order to decrypt a PGP encrypted file it is necessary to have the encrypted file, the appropriate private key, the passphrase associated with this private key, and the PGP program. See Figure 1-2.

Figure 1-2: How PGP decryption works.
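The hybrid chain described above, carried through in code as an added example (not part of the original report and not PGP's own code): a Go program that compresses a file, seals it under a random session key, wraps that key with the recipient's RSA public key, and keeps the private key locked under a passphrase-derived key. AES-GCM, RSA-OAEP and an iterated SHA-256 string-to-key step are stand-ins chosen here for PGP's IDEA/3DES, RSA and S2K, and the passphrase and sample text are constructed. It also shows why the typed passphrase is the weak link the report discusses later: with it, every remaining step opens with no brute force at all.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
)

// must panics on setup errors to keep the demo short; only a wrong passphrase is reported.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// randomBytes draws n bytes from the OS CSPRNG (salts, nonces, session keys).
func randomBytes(n int) []byte {
	return must(io.ReadAll(io.LimitReader(rand.Reader, int64(n))))
}

// passphraseKey stands in for PGP's salted, iterated S2K step: the passphrase only unlocks the private key.
func passphraseKey(passphrase string, salt []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), passphrase...))
	for i := 1; i < 65536; i++ { // the iteration count is the cost of each passphrase guess
		sum = sha256.Sum256(append(sum[:], salt...))
	}
	return sum[:]
}

// seal encrypts with AES-256-GCM (in place of IDEA/3DES) and prefixes the nonce; open reverses it.
func seal(key, data []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, data, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil) // a wrong key fails authentication
}

// Keyring is the on-disk key material: public key in the clear, private key sealed under the passphrase.
type Keyring struct {
	Public     *rsa.PublicKey
	Salt       []byte
	LockedPriv []byte
}
func NewKeyring(passphrase string) *Keyring {
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	salt := randomBytes(8)
	locked := seal(passphraseKey(passphrase, salt), x509.MarshalPKCS1PrivateKey(priv))
	return &Keyring{Public: &priv.PublicKey, Salt: salt, LockedPriv: locked}
}

// EncryptedFile is the hybrid container: compressed plaintext under a session key, plus that key wrapped with RSA.
type EncryptedFile struct {
	WrappedSessionKey []byte
	Body              []byte
}
func Encrypt(pub *rsa.PublicKey, plaintext []byte) *EncryptedFile {
	var zbuf bytes.Buffer
	zw := must(flate.NewWriter(&zbuf, flate.BestCompression)) // compress first, as PGP does
	zw.Write(plaintext)
	zw.Close()
	session := randomBytes(32) // a new session key for every file
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, session, nil))
	return &EncryptedFile{WrappedSessionKey: wrapped, Body: seal(session, zbuf.Bytes())}
}

// Decrypt needs everything the report lists: file, keyring, passphrase and program. A wrong
// passphrase unlocks nothing; the right one (typed, hence loggable) opens the whole chain.
func Decrypt(kr *Keyring, passphrase string, f *EncryptedFile) ([]byte, error) {
	der, err := open(passphraseKey(passphrase, kr.Salt), kr.LockedPriv)
	if err != nil {
		return nil, errors.New("wrong passphrase: private key stays locked")
	}
	priv := must(x509.ParsePKCS1PrivateKey(der))
	session := must(rsa.DecryptOAEP(sha256.New(), nil, priv, f.WrappedSessionKey, nil))
	compressed := must(open(session, f.Body)) // authenticated, so an untampered file opens
	return io.ReadAll(flate.NewReader(bytes.NewReader(compressed)))
}

func main() {
	kr := NewKeyring("demo-passphrase") // constructed; not the passphrase from the case
	f := Encrypt(kr.Public, []byte("constructed sample: ledger line 1"))
	_, wrong := Decrypt(kr, "wrong-guess", f)
	right, _ := Decrypt(kr, "demo-passphrase", f)
	fmt.Printf("wrong passphrase: %v\nright passphrase: %s\n", wrong, right)
}
```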

The Key Logger System (KLS)

A keylogger, sometimes called a keystroke logger, key logger, or system monitor, is a hardware device or small program that monitors each keystroke a user types on a specific computer's keyboard. As a hardware device, a keylogger is a small battery-sized plug that serves as a connector between the user's keyboard and computer. Because the device resembles an ordinary keyboard plug, it is relatively easy for someone who wants to monitor a user's behavior to physically hide such a device "in plain sight." (It also helps that most workstation keyboards plug into the back of the computer.) As the user types, the device collects each keystroke and saves it as text in its own miniature hard drive. At a later point in time, the person who installed the keylogger must return and physically remove the device in order to access the information the device has gathered.

Figure 1-3: An example of a hardware keylogger system

A keylogger program does not require physical access to the user's computer. It can be downloaded on purpose by someone who wants to monitor activity on a particular computer, or it can be downloaded unwittingly as spyware and executed as part of a rootkit or remote administration tool (RAT) Trojan horse. A keylogger program typically consists of two files that get installed in the same directory: a dynamic link library (DLL) file (which does all the recording) and an executable file (.EXE) that installs the DLL file and triggers it to work. The keylogger program records each keystroke the user types and periodically uploads the information over the Internet to whoever installed the program. Although keylogger programs are promoted for benign purposes, such as allowing parents to monitor their children's whereabouts on the Internet, most privacy advocates agree that the potential for abuse is so great that legislation should be enacted to clearly make the unauthorized use of keyloggers a criminal offense.

Definitions of terms:

Spyware:

Spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties. Spyware can get in a computer as a software virus or as the result of installing a new program.

Rootkit:

A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network.

Trojan horse:

A Trojan horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage, such as ruining the file allocation table on your hard disk.

DLL:

A dynamic link library (DLL) is a collection of small programs, any of which can be called when needed by a larger program that is running in the computer.

Executable:

An executable is a file that contains a program - that is, a particular kind of file that is capable of being executed or run as a program in the computer.

Keystroke logging, depending on how it is implemented, can easily bypass the best host and network security, collecting valuable key information for use in later attacks or information gathering exercises. Keystroke logging through the data it captures can also remove the requirement to brute force attack encrypted information, as pass phrases are typed and then recorded by the logger in the clear. Keystroke logging has been around since the days of the first mini-computer systems and it is still effective today as a first step data capture utility.

How the crime was detected, investigated and prosecuted

In this (Scarfo) case, the Newark FBI office requested FBI Laboratory assistance in acquiring Scarfo’s key and key-related information. In response, FBI engineers configured a hardware/software and/or firmware solution, based upon previously developed techniques, which would permit the FBI to obtain the defendant’s key and key-related information. These techniques, and their various components, are known collectively within the FBI as the Key Logger System (KLS). Examination and evaluation of Scarfo’s stand-alone computer by the FBI, during and subsequent to the entry authorized by the order of January 15, 1999, revealed that the system had, in general, four mechanisms or domains through which key or key-related information could possibly enter or exit the encryption/decryption processes:

1. From the transmission pathway through a modem attached to the computer.
2. By retrieval from storage.
3. By entry, by someone typing on the keyboard.
4. By the computer itself, by one or more processes working within that computer.

To prevent any legal issues being raised by the defense, the FBI was challenged in this situation to devise a technical search capability which could search for and record key or key-related information entered through at least one of these mechanisms, without detection, and without either searching or seizing any information which, in addition to being key or key-related information, could also be an electronic communication via the modem installed on Scarfo’s computer. Federal law requires a wiretap order for any device that listens in on communication, whether it be a bug in a room or a phone tap. In the case of electronic communication via computers, the law specifically requires a wiretap order only if the communication is intercepted in transmission via computer modems and phone lines. That preserves the government's ability to seize a computer, with a simple search warrant, and examine copies of e-mail already sent or received, or anything else that might be stored on the computer's hard drive. The FBI, as part of the KLS deployed in the instant investigation, did not install and operate any component which would search for and record data entering or exiting the computer from the transmission pathway through the modem attached to the computer. Further, the FBI did not install and operate any KLS component which would search for or record any fixed data stored within the computer. When the user entered a key, the KLS system first checked all communication ports of the computer for their status, i.e., checked whether the ports were in an active or inactive state. The KLS would only record user keystrokes if all the communication ports were in an inactive state. There was an issue with this process of checking and recording: for example, if Scarfo was online, the modem would be on and the keystroke capture component would, by default, not record keystrokes.
However, the fact that the modem of a computer is active does not necessarily mean that the computer is, at that moment, engaged in sending electronic communications. In fact, in a Microsoft Windows operating system environment (which was the operating system on Scarfo’s computer), a computer user can activate the computer’s modem in one window in relation to one application, then open and switch to a second window and actively work in that second window in an application incapable of engaging in electronic communications (e.g., a word processing program), but capable of executing the PGP program. Thus, if Scarfo was simultaneously working in a separate window using his PGP program to decrypt files, the keystroke capture component would not have captured and recorded his keystrokes and, hence, would not have captured a PGP passphrase. Examination of the defendant’s computer by agents of the FBI during entries authorized by court order revealed that the PGP program, as configured on his computer and as used by the defendant during all relevant time periods, was not technically capable of sending his passphrase over a network in any way. This meant that all of the PGP program’s functions and operations originated from the computer hard drive, with the exception of the passphrase, which was entered by the defendant via the keyboard. This also meant that all actions involving either encryption or decryption necessarily occurred only within his computer, and not on some other networked computer connected via modem. This would be true even if Scarfo was using PGP on his computer and the modem was coincidentally activated by another program such as a browser in another window. The PGP software program visually prompts the user who is decrypting a file for the passphrase associated with the appropriate private key. The passphrase itself is typed via keystrokes on the keyboard and then entered into the PGP program. When the user enters the proper passphrase, PGP verifies that the passphrase is correct and, if so, uses the passphrase to decrypt the private key. The FBI developed a mechanism to record the passphrase as entered via the keyboard by the user, together with certain other key-related information. The FBI recognized that it was possible for the defendant to use PGP in sequential combination with the wide array of encoding, scrambling or other encryption programs, which would produce multiple encryption layers. Such a process would effectively prohibit recovery of cognizable plain text even if the PGP passphrase and key-related information were captured.
Under these circumstances, the keystroke capture component provided the necessary capture capability to guard against this and other unknown contingencies without impairing functionality or jeopardizing the covert operation of the KLS. Accordingly, the multiple components of the KLS complemented each other, while operating within the parameters of the court’s orders specifying that the KLS would not capture communications subject to Title III. The government must obtain a Title III order if it wants to read your emails in transmission, listen to your telephone calls, or install an audio bug in your house. This order severely limits what the government can do. The order must be approved by high-level Justice Department officials, can only be effective for 30 days at a time, and significant efforts must be made to ensure that only matters covered by the court order are examined. The law may also distinguish between the interception of email in transmission and email that is stored, even temporarily. As a general rule, for the government to obtain communications in transmission requires a Title III wiretap order, to obtain them in temporary storage requires a search warrant, and to obtain them in permanent storage requires a mere subpoena.

Legal issues involved in retrieval of evidence

The case appears to be the first in which the U.S. government used such aggressive surveillance techniques during an investigation, and some legal observers say the FBI's breaking-and-entering procedures go too far. "I don't think it's constitutional," said David Sobel, general counsel of the Electronic Privacy Information Center in Washington, D.C. "This case has the potential to establish some very important precedents on this issue." Scarfo's prosecution came at a time when the FBI's Carnivore surveillance system was under increasingly heavy fire from privacy groups, and the use of data-scrambling encryption products appeared to be growing. The spring 1999 investigation of Scarfo may be what prompted the Clinton administration to recommend changing federal law to allow police to conduct electronic "black bag" jobs. The idea first publicly surfaced in mid-1999, when the Justice Department proposed legislation that would let police obtain surreptitious warrants and "postpone" notifying the person whose property they entered for 30 days. After vocal objections from civil liberties groups, the administration backed away from the controversial bill. In the final draft of the Cyberspace Electronic Security Act submitted to Congress, the secret-search portions had disappeared. In January 2000, the Clinton administration seemed to change its mind. "When criminals like drug dealers and terrorists use encryption to conceal their communications, law enforcement must be able to respond in a manner that will not thwart an investigation or tip off a suspect," Attorney General Janet Reno and Deputy Defense Secretary John Hamre wrote in a seven-page letter to Congress. That letter, however, suggested the feds didn't need a new law -- and would instead rely on "general authorities" when asking judges to authorize black bag jobs. A related "secret search" proposal resurfaced in May 2000 in a Senate bankruptcy bill. In the Scarfo case, the FBI in May 1999 asked for "authority to search for and seize encryption-key-related pass phrases" from his computer as well as "install and leave behind software, firmware, and/or hardware equipment which will monitor the inputted data entered on Nicodemo S. Scarfo's computer by recording the key related information as they are entered." Ruling that "normal investigative procedures to decrypt the codes and keys necessary to decipher the 'factors' encrypted computer file have been tried and have failed," U.S. Magistrate Judge G. Donald Haneke granted the FBI's request. EPIC's Sobel suggested that Haneke did not, under federal law, have the authority to grant such an order. "The interesting issue is that they in those (court) documents specifically disclaim any reliance on the wiretap statute," Sobel says. "If they're on record saying this isn't communications -- and it isn't -- then that extraordinary authority they have under the wiretap laws does not apply."
"If we're now talking about expanding (black bag jobs) to every case in which the government has an interest where the subject is using a computer and encryption, the number of break-ins is going to skyrocket," Sobel said. "Break-ins are going to become commonplace." Eugene Volokh, a law professor at UCLA, said he believed the government could successfully argue the break-in was constitutional. "There's nothing in the Constitution that prohibits this kind of anticipatory search," says Volokh. "In many respects it's no different from a wiretap." A lawyer for Scarfo filed a motion challenging the legality of the FBI's black bag job. "Anything he typed on that keyboard -- a letter to his lawyer, personal or medical records, legitimate business records -- they got it all," attorney Donald Manno told the paper.

Privacy issues raised

It is a case at the heart of how technology increasingly strains notions of privacy and whether established law works in a digital age. Scarfo's defense team, with assistance from privacy organizations, tried to force the government to reveal how the "key-logging" technology works as a possible prelude to asking that the evidence it yielded be thrown out. Privacy advocates were especially concerned that the key logger was planted on the basis of a simple search warrant and not a court-approved wiretap order, which is more difficult to obtain and carries far greater restrictions. Federal law requires a wiretap order for any device that listens in on communication, whether it be a bug in a room or a phone tap. In the case of electronic communication via computers, the law specifically requires a wiretap order only if the communication is intercepted in transmission via computer modems and phone lines. That preserves the government's ability to seize a computer, with a simple search warrant, and examine copies of e-mail already sent or received, or anything else that might be stored on the computer's hard drive.

Prosecutors insist that the key logger planted by the FBI did not intercept communication, but refused to divulge how the technology worked to back up that claim. Privacy groups noted the new issue posed by key-logging technology, which is commercially available and used by some companies: Even if the key logger didn't intercept communication after it was sent by the computer's modem, it effectively does the same thing by capturing what is typed on an e-mail or instant message form just before the user hits the send button. Attorneys on both sides were under a court order not to speak about the case, but prosecutors argued in court filings that disclosing the key-logging technology would enable criminals to find ways to defeat it in the future. As a result, it's unclear whether the key logger used by the FBI was purely software or whether it involved some sort of device attached to the keyboard. It's also unknown how the data from the key logger was collected. The key logger is "a highly sensitive law enforcement search and seizure technique, the disclosure of which would compromise use of this technology and jeopardize the safety of law enforcement personnel," according to an affidavit by Donald Kerr, assistant director of the FBI's laboratory division. In an initial ruling last week, U.S. District Judge Nicholas Politan in Newark rejected that argument. "The government has not satisfactorily confirmed for the court that the key-logger device did not operate in conjunction with the computer's modems, or otherwise, to cause the interception of a communication," Politan wrote. He added that pages of captured keystrokes that the government placed in evidence "are in the truest sense 'gobbledygook,' " and that he cannot determine whether the search was legal if he doesn't know how this key-logging technology works.
Former law enforcement officials said that criminals are increasingly using sophisticated high technology and that the government must have, within reason, the ability to keep one step ahead of them. "Encryption is virtually unbreakable by police today, with programs that can be bought for $15," said Stewart Baker, former general counsel of the National Security Agency and now a partner at the Washington law firm Steptoe & Johnson. Although agreeing that surveillance should be done under strict guidelines, Baker said that "to a degree, the privacy groups got us into this by arguing that there should be no limits on encryption, and the police have to deal with it." David Sobel, general counsel of the Electronic Privacy Information Center in Washington, which has been advising the defense team, disagreed. "Because of this technology there are a lot of gray areas," Sobel said, "but law enforcement is always attempting to resolve them in favor of more aggressive techniques." As an example he wondered whether, if the key-logging system used in the Scarfo case was able to turn itself off when the modem was activated to ensure that a wiretap order was not required, why it couldn't instead have been configured to activate only when an encryption program was run.

Comparison with other cyber-crimes and techniques

Recovering the password could also have been done by installing a Trojan horse program on Scarfo’s computer. A Trojan horse is a destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive.

Trojan horses are classified based on how they breach systems and the damage they cause. The seven main types of Trojan horses are:

• Remote Access Trojans
• Data Sending Trojans
• Destructive Trojans
• Proxy Trojans
• FTP Trojans
• Security software disabler Trojans
• Denial-of-service attack (DoS) Trojans

Data sending Trojans are a type of Trojan horse designed to provide the attacker with sensitive data such as passwords, credit card information, log files, e-mail addresses or IM contact lists. These Trojans can look for specific pre-defined data (e.g., just credit card information or passwords), or they could install a keylogger and send all recorded keystrokes back to the attacker. Programs such as the BO2K and Sub7 Trojans, or WinWhatWhere, or Monitorer can be secretly installed without the user’s knowledge and ordered to capture keystrokes in real time, before they are transmitted to the web. They can further be used to transmit the results of searches to law enforcement or intelligence agents in real time over the Internet or by direct dial-back.

Conclusion

In this investigation, one has to ask whether the government overreached, and also whether the installation and monitoring of the key logger program was a violation of the wiretap law. Clearly the government had a legitimate interest in conducting a criminal investigation of Nicky Scarfo. The magistrate found probable cause to search the computer and to seize the passphrase. Courts routinely permit the installation of hidden video cameras or surveillance. Indeed, only days after the government filed its classified motion, it revealed in another case that it had installed a hidden video camera at a government office to monitor a person suspected of spying for Libya, and to watch him sending emails containing classified information. But there are limits to government surveillance. There are essentially three limitations on the scope of government searches and seizures: the Fourth Amendment, federal rules on the issuance of search warrants, and federal law regarding “electronic surveillance”. The Fourth Amendment by its terms provides that: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” The Constitution therefore requires that the conduct be considered a “search” or seizure, that it be reasonable, and that if the search is conducted pursuant to a warrant, there be a finding by a neutral and detached magistrate that there is probable cause.

Bibliography


Break the Scarfo Silence. http://www.businessweek.com/technology/content/sept2001/tc2001094_186.htm
FBI hacks alleged mobster. http://www.wired.com/news/politics/1,40541-0.html
FBI device sets off alarm. http://www.usatoday.com
High-Tech FBI Tactics Raise Privacy Question. http://www.washingtonpost.com
How far can FBI spying go. http://www.wired.com/news/politics/1,45730.html
Electronic Privacy Information Centre. http://www.epic.org/crypto/scarfo.html
www.epic.org
