Cyber crime and cyber security abstracts

 

 

9.30 – 11:00 Research Session 1: Setting the scene. Location: TBC

1. George Christou

The EU and Cyber Security Governance

2. Maria O’Neill

Cyber crime and cyber security: a late developer in the EU’s AFSJ.

3. Les Ball

The Role of OSINT in Countering Criminal Activity

 

 

 

The EU and Cyber Security Governance

 

George Christou

Associate Professor of European Politics

Director MA International Politics and Europe

University of Warwick

E-mail: g.christou@warwick.ac.uk

Tel: +44 2476 523110

http://www2.warwick.ac.uk/fac/soc/pais/staff/christou

Information and Communications Technologies (ICTs), in particular the Internet, have been an increasingly important aspect of global social, political and economic life for two decades, and are the backbone of the global information society today. Their evolution and development have brought many benefits but also the threat of serious cyber attacks, demonstrated over the past few years through acts of cyber espionage and cyber crime within the virtual, networked ecosystem in which we live. In this context, the European Union (EU) over the past ten years has been developing its policies towards cyber threats, even though this has often been quite fragmented and messy at times. Utilizing the concept of security as resilience, this paper provides a theoretically informed understanding and critical assessment of the evolution of the EU governance system for cyber security, through addressing the following central research questions: How can we characterize, explain and understand the EU’s evolving ecosystem of cyber security governance? To what extent has the EU been able to construct a comprehensive and resilient approach to cyber security within the evolving ecosystem?

Cyber crime and cyber security: a late developer in the EU’s AFSJ

Dr. Maria O’Neill

Senior Lecturer in Law

University of Abertay Dundee

m.oneill@abertay.ac.uk

The EU has a well developed, and developing, legal framework to combat transnational crime and terrorism. The legal and cross border law enforcement issues surrounding cyber crime and cyber security are only now appearing in the EU’s strategy documents, with the Stockholm Programme[1] calling for the drafting of “policies to ensure a high level of network and information security”,[2] to “promote legislation” that “allows faster reactions in the event of cyber attacks”,[3] and to “improve judicial cooperation in cyber crime cases”.[4] Europol has been tasked with stepping up “strategic analysis on cyber crime,”[5] and the Commission has been asked “to make proposals for clarifying, where needed, the legal framework on investigations in the cyber space within the Union”.[6] Unlike other areas of EU transnational crime, reliance is being placed on the 2001 Council of Europe Convention on Cybercrime, which is external to the EU and which the EU sees as becoming the “reference for fighting cyber crime at [the] global level”. In this context the EU sees Europol as being the “European [as opposed to the EU] resource centre”, “creating a European platform for identifying offences,” thereby assisting member states and exchanging best practices in this crime area.[7] Work in this area has only just started. However, a large number of legal tools are already in place to combat, inter alia, drug trafficking and terrorism, which should assist in this developing area of EU cross-border law enforcement. This paper will examine the new proposals for cyber crime and cyber counter-terrorism, in light of the existing EU legal framework.

The Role of OSINT in Countering Criminal Activity

Dr. Les Ball,

Division of Computing,

School of Engineering, Computing and Applied Mathematics

University of Abertay Dundee

Bell Street, Dundee, DD1 1HG

L.Ball@abertay.ac.uk

The digital age has cultivated unprecedented communication opportunities. Social networking has boomed as a consequence, with the birth of ‘virtual countries’ such as Facebook and Twitter, where hordes of information are created and shared. Complementary methods of expression exist within the general blogosphere and web forums. As digital deposits, their content is open to evaluation and contributes strongly to the accepted notion that 80% of all data are stored as text. Held as text, the potential value in these data is more difficult to extract as quantitative interpretations of language are inherently more complex than analyses of numeric data. Nevertheless, computational techniques are being developed to extract valuable summaries from text deposits. The business world is capitalizing on this, for example, by using a crowd sourcing approach to canvass opinion on, say, their latest product prototype. This captures the ‘wisdom of the crowd’ in terms of business intelligence. It is a structured approach to problem solving as any company remains in control of the questions posed and the demographic of the invited crowd. In this respect, the intelligence gathering exercise is overt. Whilst social media may offer a degree of structure, as for example in using a hash tag in Twitter to generate a thread of discussion, their content remains open and semi-structured. This openness of social media content has given rise to the phenomenon of open source intelligence (OSINT). OSINT essentially provides an opportunity for any interested party to gather intelligence covertly, i.e. without the knowledge or consent of the user. Some social media content is restricted, as for example on Facebook where the user can opt for data privacy levels. Each service provider may also have policies on the degree of open access to its content. The blogosphere, on the other hand, tends to be unrestricted and more about expressing opinion rather than social networking.

More surreptitious is the availability of weblog data which may offer more insights into the type of user not only from the content they post but also from their behavioural traits at the website. In terms of cyber-security, the jury is out as to whether OSINT is a valuable resource for actionable intelligence in terms of counter-terrorism and domestic crime. The debate is rich and brings together the computing and social sciences, law and language as well as professionals in the intelligence services, defence and the private sector. OSINT is a double-edged sword in that it can be used not only for counter-intelligence but also to facilitate the actual planning and organization of criminal activity. In this sense, it has become a virtual battleground. Furthermore, the conventional methods of misinformation also pervade this virtual arena and consideration must therefore be given to the quality and trust of the information being analysed as OSINT. For example, an attempted civil uprising using social media feeds may easily be countered by a computer bot which can flood a medium with automatically generated text. Ideally, OSINT provides an opportunity for covert data gathering and analysis for deployment in military strategy and counter-intelligence to thwart or disrupt the growth of any criminal or terrorist plot that is using social media to promote, organize and mobilize its cause.

 

 

 

11.30 – 13.00 Research Session 2: Location: TBC

1. Elaine Fahey

Transatlantic relations and EU Cybercrime Policies: Reflections on Transatlantic spill over.

2. Robert Dewar

The role of the European Union in providing and ensuring cyber-security in Europe.

3. Natalie Coull

The Role of Social Engineering in Cyber Crime.

 

 

Transatlantic relations and EU Cybercrime Policies: Reflections on Transatlantic spill over

Dr. Elaine Fahey

Post-Doctoral Researcher,

Amsterdam Centre for European Law and Governance (ACELG)

E.L.FAHEY@UVA.NL

The First Annual Report on the implementation of the European Union (EU) Internal Security Strategy, published November 2011 by the Commission, details a vast array of enacted and proposed measures. Notably, it includes various EU-US Justice and Home Affairs (JHA) measures in its midst – four specifically – such as the EU-US Passenger Name Records (EU-US PNR) Agreements and EU-US Terrorist Financial Tracking Programme (EU-US TFTP) Agreements. Moreover, it alludes to the success of the EU-US Cyber Security and Cyber Crime Working Group (WGCC) in delivering results in the area of child pornography and cyber-attacks as part of the Report to warrant further internal EU action. There are thus manifold “replica” Internal EU Security policies currently being pursued, as referenced in the Report, that are inspired by and progressing these EU-US policies – principally an EU PNR and an EU TFTS, mirroring EU-US PNR and EU-US TFTP. The effectiveness of EU-US justice cooperation seems central to EU Internal Security and appears to serve as a precedent or gold-standard to progress EU rules further than their originators. Legal effectiveness remains a challenging guiding concept, from the perspective of law and policy. The language of the Internal Security Report suggests a form of policy spillover of the “external” into “internal” and the concept of legal effectiveness as a reason to heighten internal EU legal standards. Yet, the precise legal interpretation of the link between external EU security and internal EU security seems especially curious.

The EU-US WGCC group was established after the EU-US Summit in November 2010. The EU-US goals in this regard are to formulate global strategies, to carry out joint and global incident management, to foster public-private partnerships, to remove child pornography from the internet and to advance the Council of Europe Conventions on Cyber-crime (of which the US is not a member). The EU Cybercrime Centre, by contrast, was established in early 2012 and notably, it is expressly linked to the European Internal Security Strategy. While the EU Cybercrime policies are pursued temporally after the comparable EU-US policies, the EU internal policies are solely institutional and programmatic and do not establish a more stringent regime than the EU-US policies pursued. These differences more substantively reflect the nature or objectives of the EU policies pursued, i.e. the establishment of a European Centre with global potential to cooperate with other international institutions. EU Cybercrime policies indicate that there are comparably fewer transatlantic “spillover” effects in this policy field. EU Cybercrime thus provides an important contrasting case study for the study of transatlantic relations and its impact upon the EU internal legal order.

The paper argues that the specific legal commitments of bilateral policies pursued by the EU and US in Cyber-crime and Cyber-security suggest that transatlantic spillover has a new dimension to be considered. Accordingly, this paper explores linkages from the external to the internal in EU Security legal order, considering the relationship between transatlantic relations and EU Cybercrime policies.

The role of the European Union in providing and ensuring cyber-security in Europe.

Robert Dewar

Global Security Studies,

University of Glasgow,

1100905D@student.gla.ac.uk

The paper adopts a social-science perspective in analysing European Union (EU) cybersecurity policy, and whether or not there is a role for the EU as an institution in protecting Europe against cyber threats.

It notes that there are three key challenges facing the EU when dealing with this issue. The first reflects the need to ensure effective co-operation between nations and between civilian and military institutions as well as between the public and private sectors. This cooperation is necessary because, due to the nature of cyberspace and the infrastructure that supports it, threats from that domain do not recognise borders or boundaries, either geographical, national, institutional or even between separate networks (European Cyber Security Conference, 2011: 6). For example, a virus targeting a military network can easily cross boundaries and affect civilian infrastructure. As a predominately civilian organisation, albeit with some growing military competencies, the EU may have a role to play here, but what that role is remains undefined.

This reflects the second challenge: cyber-security as a concept is still relatively ill-defined, posing difficulties for the EU in compiling a coherent policy. Even among experts in the field, there are differences of opinion in what should be secured, how and against whom, as well as what sort of action is adequate or reasonable in response to a cyber-attack (Caton, 2012: 158). For the EU, this problem is further exacerbated given the wide variation in definitions used in the cyber-security strategies of different Member States (National Cyber Security Strategies — ENISA, 2012).

This problem of definitions leads to a third challenge: operating within the EU itself. The EU is not a single sovereign state, but an amalgamation of nations each with different interests and priorities. A common policy must take into account the security and defence requirements of 27 different members.

The paper argues that despite these challenges there is a role for the European Union in providing and maintaining cyber-security in Europe: a role of leadership and management. The EU potentially has the ability to establish a set of working criteria and definitions of cyber-attacks, referent objects for cyber-security and a set of minimum standards promoting preparedness and resilience against cyber-attacks, as well as the capabilities to deal with them when they occur. Under the leadership of the EU, these standards will be implemented by member states at national level, thus enabling closer co-operation and coordination between member states. These minimum standards will also be promoted as a benchmark on the world stage.

This role, however, is not yet clearly or purposively defined, and can only be identified by teasing policy positions out of current official Commission and Council policy documents. By undertaking a thorough analysis of key documentation and supporting findings with primary elite interview data, the paper may go some way to establishing an EU position on cyber security, thus supporting the steps being taken to address the institutional gap in a comprehensive European cyber-security strategy.

The Role of Social Engineering in Cyber Crime

Natalie Coull, Les Ball, Gavin Ewan

Software Applications,

School of Engineering, Computing and Applied Mathematics

University of Abertay Dundee

Bell Street, Dundee, DD1 1HG

N.Coull@abertay.ac.uk

Abstract – It is perceived that the majority of cybercrime is achieved through a series of very complex attacks, conducted by malicious hackers who possess significant technical skills. The reality is that cybercrime can be committed with a minimum of technical competency. Social engineering is an attack vector often used by cyber criminals that exploits the biggest weakness in a system – the human user. Social engineering can be used in a number of ways, from face to face communication with the user, a rogue telephone call or a carefully crafted email that contains a malicious hyperlink. Social engineering is effective by convincing the victim that the communication is genuine and trustworthy. There are a number of software tools that have been developed to aid the social engineer with information gathering and constructing attacks. This work describes the process of social engineering, the various software tools and discusses a number of case studies in which it has been effective.

Keywords: social engineering, cyber crime, spear phishing

Overview.

Social engineering is older than technology. Throughout history, there is evidence of criminals exploiting aspects of human psychology to assist with their crimes. Computer users are often unaware of the full range of attacks that they can be exposed to online. Increasing awareness of social engineering, its methods and helping companies and individuals recognise what they can do to reduce the opportunities for attack could help to combat this problem. Technology is now very effective at blocking the majority of spam email, and of those emails that do manage to reach the recipient, the vast majority of users are able to recognise them as being fraudulent and delete them. However, spear phishing emails are carefully crafted to evade spam filters and can take advantage of information that a user has revealed about themselves online to appear genuine and interesting. Software tools such as Maltego can be used to gather information, which can then be further exploited to craft an attack email. For example, the website of an Edinburgh-based company used in our research revealed information about employees’ names, email addresses and common interests such as badminton and hill walking. This information could be used to create a spear phishing email that offered the victim a one-month free subscription to a hill walking magazine, with a hyperlink to the magazine’s website. While the user may not be foolish enough to enter their credit card details into the website, their curiosity may lead them to click on the hyperlink in the email. Carefully crafted malware could infect the victim’s computer simply by visiting the malicious website, which could then steal usernames and passwords or bank details. The Koobface virus that was prevalent on social networking sites last year is another example of social engineering, where the malware exploited the implicit trust that the users place in their friends’ posts on social network sites.

There are a number of techniques that would help to reduce the effectiveness of social engineering attacks. These include improved staff training to help recognise social engineering attacks in action, stressing the importance of not clicking on malicious links and ensuring that employees do not reveal information about themselves that could be used to make a social engineer appear genuine and trustworthy.

 

 

14.00 – 15.30 Research Session 3: Location: TBC

1. Javier Argomaniz and Helena Carrapiço

EU governance of the internet: analyzing Europol’s role in the development of EU cyber crime and cyber security policies.

2. R.I. Ferguson and A.M. MacLeod

On the technical, legal and ethical aspects of cross-jurisdictional digital forensic investigation of IPR infringement: A case study.

3. Fiona Grant

Information Assurance and Cyber Security in the Internet of Things: initial thoughts on the issues impacting upon the prevailing EU legal landscape.

 

 

 

 

EU governance of the internet: analyzing Europol’s role in the development of EU cyber crime and cyber security policies

Javier Argomaniz

Department of International Relations

University of St. Andrews.

ja51@st-andrews.ac.uk

& Helena Carrapiço,

International Relations,

University of Coimbra, Portugal,

and the University of Strathclyde

Helena.Carrapico@EUI.eu

In recent years, the European Union has come to view cyber security, and in particular, cyber crime as one of the most relevant challenges to the completion of its Area of Freedom, Security and Justice. Given European societies’ increased reliance on borderless and decentralized information technologies, this sector of activity has been identified as an easy target for actors such as organised criminals, hacktivists or terrorist networks. Such analysis has been accompanied by EU calls to step up the fight against unlawful online activities, namely through increased cooperation among law enforcement authorities (both national and extra-communitarian), the approximation of legislations, and public-private partnerships. Although EU initiatives in this field have, so far, been characterized by a lack of interconnection and an integrated strategy, there has been, since the mid-2000s, an attempt to develop a more cohesive and coordinated policy. An important part of this policy is connected to the activities of Europol, which have come to assume a central role in the coordination of intelligence gathering and analysis of cyber crime. The European Cybercrime Center (EC3), which will become operational within Europol in January 2013, is regarded, in particular, as a focal point of the EU’s fight against this phenomenon. Bearing this background in mind, the present article wishes to understand the role of Europol in the development of a European policy to counter the illegal use of the internet. The article proposes to reach this objective by analyzing, through the theoretical lenses of experimental governance, the evolution of this agency’s activities in the area of cyber crime and cyber security, its positioning as an expert in the field, and the consequences for the way this policy is currently developing and is expected to develop in the near future.

On the technical, legal and ethical aspects of cross-jurisdictional digital forensic investigation of IPR infringement: A case study

R.I. Ferguson & A.M. MacLeod

University of Abertay,

School of Computing, Engineering and Applied Mathematics,

Dundee DD1 1HG.

i.ferguson@abertay.ac.uk,

a.macleod@abertay.ac.uk

 

Abstract

The Internet, of its very nature, is cross-jurisdictional. Crime too is no respecter of borders. When the two combine in the organised international piracy of pay-per-view TV channels, the conflicting legislation in the many jurisdictions involved presents a significant challenge to those involved in the investigation of such crimes.

Novel approaches to the gathering of digital evidence may be required to facilitate the analysis of “pirate” distribution networks. Further, the range of technical countermeasures available may differ significantly depending on the country from which the measures are implemented.

This paper presents a case-study involving a recent investigation of a pirate network which employed a combination of client-server and peer-to-peer streaming media technologies to widely redistribute pay-per-view TV to customers in India. The channels whose copyright was thus infringed were from around the globe, some of the servers were US-based and the investigation took place in Scotland at the University of Abertay Dundee.

The technical aspects of both the crime and the investigation are presented along with an examination of the revenue model used by the perpetrators. A discussion of the legal context is given (in as far as it is clear) and the resulting options available both for tracing, analysis and interdiction are discussed from the technical, legal and ethical perspectives.

Information Assurance and Cyber Security in the Internet of Things; initial thoughts on the issues impacting upon the prevailing EU legal landscape.

Fiona Grant,

Division of Law,

Dundee Business School,

University of Abertay Dundee,

Bell Street,

Dundee DD1 1HG,

Scotland.

f.grant@abertay.ac.uk

Although consumers can generally be considered experienced users of various forms of machine to machine [M2M] communication[8] the ramifications of human interaction with familiar objects ranging from ‘smart’ phones to ‘smart’ cards, in terms of the legal protection of personal data harvested and the uses both lawful and unlawful it is then put to is unlikely to be so readily understood.[9] The advent of the internet of things [IoT] can only obfuscate the issue and concomitantly present new challenges in terms of the maintenance of informational privacy and the security of the environment in which data is retained.

The IoT is not a new concept. Kevin Ashton’s[10] embryonic appellation in 1999 to a future virtual world where commonplace objects enjoy varying levels of autonomous inter-connectivity is now a teenager. Ashton’s vision ultimately portends the removal of a human element from data input, capture, collation and processing once an initial command has been generated.[11] Put at its simplest, inter-connected objects will be programmed by a service provider and/or user to become independent decision makers and decision takers.[12] Yet the growing pains and the potential for the concept of the IoT coming of age to create a modal shift from a network of inter-connected computers, the internet as it is currently understood, to a network of inter-connected objects is not well rehearsed beyond the confines of the information communications technology community and connected industries. Thus, the IoT has received limited attention to date from legal academics[13] and has only begun to assume significance, at least publicly, at supranational level. From 2007 to date the European Union [EU] has published a suite of documents in this sphere, ranging from subject specific communications[14] to more general policy and consultation documents.[15] The on-going discussion is being conducted across different Directorates General [DG] with varying imperatives and remits.[16] Accordingly, the substantive legal issues posed by the IoT must firstly be clearly defined given the potential for intra-EU conflict when stated [technical] objectives are measured against current legal instruments.

Concomitantly, the expectation that consumer interface with the IoT will become the norm rather than the exception within the next decade[17] poses [as yet undefined] critical questions as to the efficacy of pre-existing laws designed to ensure inter alia data protection, privacy of electronic communications[18] and the security of the environment within which such exchanges occur from attack.[19] When such imperatives are juxtaposed with the prevention and detection of cybercrime[20] the robustness of prevailing criminal law perpetration theory which is predicated on human ‘command and control’ of a machine where an initiating living actor is always [theoretically] identifiable and ultimately culpable, is also open to question given that the IoT is predicated on inter-connected objects empowered to make autonomous decisions.[21]

The forthcoming paper will seek to define the critical questions and also suggest parameters for subsequent legal enquiry, in the context of a multi-disciplinary approach to further research being undertaken by roundtable participants.

 


[1] The Stockholm Programme — An open and secure Europe serving and protecting citizens, 2010 OJ C 115/01.

[2] Ibid. at 4.2.3. Mobilising the necessary technological tools, p.19.

[3] Ibid.

[4] Ibid. at 4.4.4. Cyber crime, p.23, third paragraph.

[5] Ibid. first paragraph.

[6] Ibid. third paragraph.

[7] Ibid. p.22, second paragraph.

[8] For example, barcodes enable a checkout operator to scan an item which is then read by a computer; Radio Frequency Identification [RFID] operates on the basis of a receiver sending a signal to a tag attached to or embedded in an object to track and identify its location with this information then being transmitted to a computer. The ‘electronic’ tagging of offenders makes use of RFID technology.

[9] http://www.computing.co.uk/ctg/news/2175933/android-ios-apps-subject-eu-privacy-regulations-ico?WT.rss_f=

[10] Ashton, K (2009) That ‘Internet of Things’ Thing; In the real world, things matter more than ideas http://www.rfidjournal.com/article/view/4986

[11] The IoT has alternatively been defined by Guo et al as ‘…extracting individual, spatial, and social intelligence from smart things…’ Living with Internet of Things: The Emergence of Embedded Intelligence, The 2011 IEEE International Conference on Cyber, Physical, and Social Computing, Dalian, China, available at www.ayu.ics.keio.ac.jp/members/bingo/research/EI_CPSCom.pdf

[12] “If we had computers that knew everything there was to know about things—using data they gathered without any help from us—we would be able to track and count everything, and greatly reduce waste, loss and cost. We would know when things needed replacing, repairing or recalling, and whether they were fresh or past their best.” Op.cit. at footnote 1

[13] One notable exception being Gadzheva who argues that if the potential for connectivity is embedded ‘… in … every object it will be difficult (if not impossible) for users to maintain control over data generation, transfer, and use and to achieve unobservability and anonymity’ and that ‘… present-day privacy legislation has several weaknesses if confronted with the …[IoT] environment that could lead to the need for new principles on which to base new regulations, to take account of the changed context.’ Gadzheva M Social Science Computer Review Volume 26, Issue 1, February 2008 pp 60-74 at 60

[14] RFID in Europe: Steps Towards a Policy Framework COM (2007) 096 final; IoT – An Action Plan for Europe COM (2009) 278 final; Digital Agenda for Europe COM (2010) 245 final

[15] Early Challenges Regarding the IoT SEC/2008/2516; An e-consultation on the IoT is currently live (closing 10/07/12) http://ec.europa.eu/information_society/digital-agenda/actions/iot-consultation/index_en.htm

[16] For example, DG Justice, Fundamental Rights and Citizenship oversees data protection and the implementation of the Stockholm Programme 2010/C 115/01 where a current imperative is to secure ‘common standards for gathering evidence in criminal matters in order to ensure its admissibility’ http://eur-lex.europa.eu/LexUriServ.do?uri=OJ:C:2010:115:0001:0038:en:PDF whereas DG Information Society is charged with implementing the Digital Agenda for Europe http://ec.europa.eu/information_society/digital-agenda/index_en.htm

[17] Internet of Things in 2020 A Roadmap for the Future 2008 at page 5 www.iot-visitthefuture.eu/fileadmin/documents/researchforeurope/270808_IoT_in_2020…

[18] Data Protection Directive 95/46/EC; E-privacy Directive 2002/58/EC; Data Retention Directive 2006/24/EC

[19] See Internet of Things; ubiquitous monitoring in time and space A speech by Giovanni Buttarelli, Assistant European Data Protection Supervisor at the European Privacy and Data Protection Commissioners’ Conference, Prague, 29 April 2010 www.edps.europa.eu/…/10-04-29_Speech_Internet_Things_EN.pdf where he highlights the key challenge of protecting privacy in the context of policing the IoT. It should be noted that this speech was delivered prior to the publication of a draft Data Protection Regulation on 25/01/12 (to replace Directive 95/46/EC) and a separate Directive with regard to data processing in connection with the crime prevention and detection (replacing Framework Decision 2008/977/JHA)

[20] In this context the lawful surveillance and interception of data must also be considered

[21] The presumed requirement for proof of the human attribute of mens rea in most criminal acts as opposed to regulatory breaches [offences] which may or may not confer strict liability must be considered. Likewise the current issue with botnets that infect inter-connected computers must be examined in the context of attacks on inter-connected objects http://www.enisa.europa.eu/media/press-releases/facing-the-cyber-zombies-2013-eu-agency-gets-tough-on-botnets