Showing posts with label authentication. Show all posts

Thursday, June 20, 2013

Featured Paper: Adequate Attribution: A Framework For Developing A National Policy For Private Sector Use of Active Defense

Volume 8, Issue 1 of the University of Maryland Journal of Business & Technology Law published a rather interesting article on active defense policy. Adequate Attribution: A Framework For Developing A National Policy For Private Sector Use of Active Defense was authored by Shane McGee, General Counsel and Vice President of Legal Affairs at Mandiant, Randy V. Sabett, Counsel with ZwillGen PLLC, and Anand Shah, Staff Attorney at Mandiant and Technology Fellow at ZwillGen PLLC.

The article is very timely, as it follows on the heels of a recent IP Commission Report that recommended the government investigate how active defense measures might be appropriately utilized by the private sector. Specifically, the IP Commission Report recommended that "new laws might be considered for corporations and individuals to protect themselves in an environment where law enforcement is very limited." The Report suggested that "[s]tatutes should be formulated that protect companies seeking to deter entry into their networks and prevent exploitation of their own network information while properly empowered law-enforcement authorities are mobilized in a timely way against attackers."

With momentum gaining in support of active defense strategies, McGee, Sabett, and Shah argue that national policy in active defense should avoid the "unrealistic" goal of "absolute identification of a cyber attacker" and should instead begin with a "national dialog" on what would define "adequate attribution."

This is a great read for those interested in the concept of active defense. An excerpt appears below, with footnotes redacted (follow the link above for the full article):
Once primarily the domain of the federal government and a few specialized defense contractors, “active defense” has become an increasingly common topic even in unclassified circles due to (a) much more media exposure, (b) a general relaxing of attitudes toward offensive cyber behavior and, to some extent, (c) a frustration with the ability for companies to protect themselves with a purely defensive posture. Whether called active defense, standing your cyber ground, or hacking back, the notion of offensive use of cyber capability continues to gain considerable attention. As we ponder the implications of publicly-reported cyberattacks with a kinetic component (e.g., America’s alleged involvement in Stuxnet and the appearance of Flame), we also need to determine if other broad attacks (e.g., Duqu and Shamoon) should be viewed as significant steps forward in attack vectors or simply more annoying distractions in the cyber landscape. In any event, no one can deny that offensive operations must be considered as a possible device in the cyber toolkit. The logic seems valid — the right of self-defense has existed for hundreds of years in the physical realm; it should have a corresponding construct in the cyber world. Unfortunately, a lack of clarity in current law and policy has not allowed that to happen.
. . . .
The nagging question involves picking the level of certainty required by a victim of cyberattack in the identity of the attacker before responding. At one extreme would be absolute knowledge of the identity of the attacker. However, several scholars agree that significant difficulty exists in attaining 100% certainty of an attacker’s identity and that even identifying an attacker beyond a reasonable doubt is “bordering on impossible.” At the other extreme would be a policy where little, if any, diligence would be required prior to attacking back. Richard Clarke provides perhaps the most accurate answer by stating that it will “depend upon the real-world circumstances at the time.” In this paper, we will lay out an argument that, since absolute identification of a cyber attacker is unrealistic, a national dialog should occur around what constitutes adequate attribution. We will then provide a normative framework for use by the private sector when contemplating the use of active cyber defense.

Thursday, June 13, 2013

State appellate court rules on Facebook message authentication and hearsay arguments

In Smith v. State, No. 2012-KA-00218-COA, the Mississippi Court of Appeals addressed authentication and hearsay arguments regarding social networking messages in a case of first impression. The court ultimately found the messages to have been properly admitted.

The defendant was convicted of capital murder for the death of his stepdaughter, a seventeen-month old girl. At trial, the prosecution was allowed to use as evidence Facebook messages sent between the defendant and his wife.

On appeal, the defendant argued that the Facebook messages should not have been admitted because they were not properly authenticated and were hearsay. As to the issue of authentication, the court found the messages to be properly authenticated because the wife testified that the printouts were "Facebook messages between her and Smith."

On the hearsay issue, there were two types of messages before the court. One was an e-mail notification produced automatically by Facebook notifying the wife of a new message which contained the content of the message itself. The other was a printout of wall postings from the defendant on the wife's page. The court found that because the e-mail was "a fully automatic process, ... [it] may not be considered as hearsay." Comparing the case to a federal court opinion, the court reasoned:
The court noted that when someone forwards an email, he or she has made an out-of-court assertion as to what someone else said. Id. There, however, a person forwarded the message. Thus, there was an assertion and a declarant. Here, an automatic process sent each message. As a result, in this case there was neither an assertion nor a declarant. The email notification, which contained the Facebook message, is not within the definition of hearsay.
The court then found that the defendant's statements were admissions by a party-opponent and therefore not hearsay. The wife's statement "could be hearsay" and no exception was offered by the state, but the error was considered harmless.

Tuesday, April 30, 2013

Featured Paper: Cloud Computing Security and Privacy

Cloud computing has been viewed by many as the next inevitable step towards a more efficient system for information management and storage. However, as our dependence on cloud computing continues to grow, many have started to examine the privacy, security, and legal ramifications that such a system creates. The Center for Applied Cybersecurity Research (CACR), located at Indiana University, has recently released a new white paper, Cloud Computing Security and Privacy, that examines the privacy and security risks associated with cloud dependence, as well as what should be done to create more secure and sustainable cloud-computing systems. The white paper was authored by Drew Simshaw, former information security fellow at CACR and current project manager and policy analyst with the Center for Law, Ethics, and Applied Research (CLEAR) in Health Information. I highly recommend taking a look at this white paper if you are at all involved in cloud computing. The abstract appears below:
As the world’s data increase at unfathomable rates, individuals and organizations are seeking more convenient and cost effective ways to store and manage it. Many are turning to the cloud, recognizing its benefits, but failing to understand how it actually works. To confirm that cloud computing is no longer a fringe IT issue, one need look no further than President Obama’s re-election campaign, which was successful thanks in no small part to its utilization of Amazon’s cloud platform for a massive voter database. As cloud computing use continues to increase, security and privacy issues, as evidenced by recent events, should be considered so individuals and organizations can decide how best to store and manage their data. Although these events shed some light on measures that can be taken to reduce risk, they also demonstrate that bigger thinking is needed when it comes to improving security and privacy in the cloud. Therefore, as opportunity in the cloud expands and the stakes continue to rise, individuals, organizations, and cloud service providers must bear in mind the following security and privacy issues:
  • Creating a Bigger Target for Hackers
  • Government Access to Data in the Cloud
  • Data Access and Control in the Cloud
  • Cloud Service Outages and Human Error
  • Authentication
  • Encryption

In addition to being a guest author at Cybercrime Review, Andrew Proia is a research assistant to Professor Fred Cate, Director of the Center for Applied Cybersecurity Research. Andrew is also set to become a CACR Post-Doctoral fellow in information security law & policy later this year. All opinions expressed by the author are solely in his individual capacity.

Friday, April 20, 2012

11th Circuit affirms use of chat transcript and virus scanner file list in CP case

In United States v. Rubinstein, 2012 U.S. App. LEXIS 7890 (11th Cir. 2012), the Eleventh Circuit upheld convictions for transporting and possessing child pornography. On appeal, the defendant argued that online chat transcripts and a list of files generated by the computer's antivirus program should not have been admitted into evidence. The investigation began with connecting the defendant's screen name to his ISP and residence, and then searching his home. His computer and DVD contained hundreds of images of child pornography.

The Eleventh Circuit found that the chat transcripts "were relevant because they show that child pornography was exchanged and the sexual comments about children help establish that Rubinstein knowingly exchanged the illicit images." Additionally, testimony about how the program operated and how the list was created properly authenticated it.

With regard to the virus scanner list, the court found it to be relevant "because some file names on the list were suggestive of child pornography, tending to show that Rubinstein knowingly possessed child pornography."

The use of the file list is a little troubling, though two things are important to note: (1) actual images of child pornography were found, and (2) most people are not likely to name non-CP images with names that suggest CP content. But suppose I created a document on my computer called "how_I_hacked_the_government.doc". Should that name alone be used against me in a prosecution for hacking? It could be a fictional story - you can't know without the content. It just seems that this file list was unnecessary and should not be admissible in a case where the files are not actually recovered.

Friday, April 6, 2012

11th Cir. affirms authentication of chat messages with testimony of minor

In United States v. Lebowitz, 2012 U.S. App. LEXIS 6859 (11th Cir. 2012), the Eleventh Circuit affirmed the authenticity of chat printouts after one of the participants, a minor, testified that they "were exactly what was on his computer." The minor had printed the messages, but "a section of chat messages was missing." An expert testified that the way the messages were printed "created a possibility for alteration," but there was no evidence of that occurring.

Click here for further discussion of authentication of digital evidence.

Thursday, March 29, 2012

5th Circuit finds chat log authenticated with detective testimony

Concurring with decisions from other jurisdictions, a Fifth Circuit panel held yesterday that chat logs were properly authenticated by the "detective testifying that the transcripts were an accurate reflection of the chats." United States v. Lundy, 2012 U.S. App. LEXIS 6315 (5th Cir. 2012). The detective, who was a party to the conversation, had copied and pasted the text into a Word document. Additionally, he "was subject to cross-examination on his biases and methodology."

Also, the detective used software to take a video screen capture during the chat. The video was also found to have been properly authenticated.

Thursday, February 9, 2012

Texas court finds MySpace profile properly authenticated by page's content

The Court of Criminal Appeals of Texas found MySpace profiles to be properly authenticated in Tienda v. State, 358 S.W.3d 633 (2012). Tienda was on trial for murder after a multiple car shootout. The victim's sister found the MySpace profiles and testified at trial as to how she found them. Subscriber reports were also obtained by subpoena from MySpace.

The court used the following circumstantial evidence to find that the MySpace pages belonged to the appellant and that he wrote the admitted posts:
  1. The page contained photographs of Tienda
  2. A post contained information about the murder victim and the music at his funeral
  3. References to Tienda's gang
  4. Posts referring to information Tienda knew
Courts have long struggled with authentication of digital evidence. Click here for earlier posts discussing the issue.

Sunday, December 18, 2011

Electronic evidence authenticated by pictures, greetings, and stated interests

In previous posts, I have attempted to list what courts look for when authenticating digital evidence. A recent California case almost adds a new one to the list. I may be reading too much into the opinion, but it's a worthwhile argument nonetheless.

The issue concerned authentication of a printed MySpace profile. People v. Valdez, 201 Cal. App. 4th 1429 (2011). It contained the following that was attributable to the alleged author: his pictures, greetings addressing him by name or relation, and stated interest in gangs and a picture of him "forming a gang signal with his right hand."

The profile was used to tie the defendant to gang activity, and the relevant data had been posted more than a year before the crime, making it inconceivable that anyone would have fabricated the information that early. Thus, implicit in this decision is a rule that electronic evidence can be authenticated if it appears that the supposed author has continued to update the profile. If they had not authored certain data on the page, they obviously would have deleted those postings (assuming, of course, that they saw them).

Wednesday, December 14, 2011

Maine SC finds chat log properly authenticated by detective testimony

The Maine Supreme Court recently held that a chat conversation between the victim and defendant was properly authenticated after a detective who witnessed the conversation testified to its legitimacy (State v. Churchill, 32 A.3d 1026 (2011)).

The victim, a 12-year-old girl, used instant messaging software to converse with the defendant while detectives monitored the conversation. After the chat was over, the victim emailed a transcript to one of the detectives. The trial court admitted a printout of the conversation after the detective testified that the printout was what appeared on the computer screen and that the text had not been changed.

The Maine Supreme Court found these additional factors relevant to the authentication of the chat log:
  • The e-mail was sent while the officers were at the victim's home and was received on the detective's phone while there.
  • The detectives monitored the entire chat and closely supervised the victim while she e-mailed the log.
  • The "time stamps on each message show[ed] an uninterrupted sequence, the messages respond[ed] logically to one another, and Churchill's messages respond[ed] directly to statements the victim made over the telephone."

Authentication can sometimes be tricky when presenting digital evidence, but courts usually defer to testimony of law enforcement in cases like this. See Stearman v. State, 2010 Ind. App. Unpub. LEXIS 1115 (2010); Jackson v. State, 320 S.W.3d 13 (Ark. Ct. App. 2009). Of course, this situation is slightly different than other cases because the detective simply observed the conversation - in Stearman and Jackson, the officers were a party to the chat.

For other posts dealing with authentication of digital evidence, click here.

Tuesday, November 22, 2011

Military court finds Facebook messages authenticated

The United States Air Force Court of Criminal Appeals held in United States v. Grant, 2011 CCA LEXIS 217 (A.F. Ct. Crim. App. 2011) that Facebook correspondence admitted into evidence in a court-martial proceeding was properly authenticated by testimony from the recipient. As I discussed here, authenticating messages from Facebook can be a tricky process.

The court listed several reasons for its decision:
  • Messages contained the defendant's name and profile picture
  • A witness testified that:
    • She had just met the defendant when he requested her to be his friend
    • He gave her his cell phone number, and they used it to text message each other
    • She and the defendant made plans over Facebook messaging
While the appellate court used the testimony to authenticate the messages, usually this is done with the evidence itself. It contained unique information (Commonwealth v. Purdy, 945 N.E.2d 372 (Mass. 2011)), and the continued conversations through the defendant's cell phone and making plans properly connected the defendant to the Facebook conversation (Commonwealth v. Amaral, 78 Mass. App. Ct. 671 (2011)).

RELATED CASE: In State v. Mosley, 2011 Wash. App. LEXIS 2644 (2011), the court upheld authentication of photos that were printed from MySpace because an officer recognized the people in the picture. Some courts have not been so trusting, such as People v. Lenihan, 911 N.Y.S.2d 588 (2010) which declined to do so because of the ability to "photoshop" images.

Sunday, September 18, 2011

PA appeals court finds text messages not properly authenticated

In Commonwealth v. Koch, 2011 WL 4336634 (Pa. Super. Ct. 2011), the court held that text messages were not properly authenticated and should not have been admitted as evidence. The detective "testified that he transcribed the text messages, together with identifying information, from the cellular phone belonging to Appellant. He acknowledged that he could not confirm that Appellant was the author of the text messages and that it was apparent that she did not write some of the messages. Regardless, the trial court found that the text messages were sufficiently authenticated to be admissible." Neither the alleged sender nor the recipient testified at trial to authenticate the messages.

Courts often require a heightened standard for admission of electronic evidence because of the ease of falsifying this information, and a phone number or e-mail address tying it to the supposed sender is insufficient. Parties must take it further in order to show the alleged author was, in fact, the author. Other courts have found text messages properly authenticated by:

  • Testimony from cell phone company, investigator, and co-conspirators (United States v. Hunter, 266 Fed.Appx. 619 (9th Cir. 2008))
  • Recipient testifying that messages were received on his phone under the author's name and that each contained the author's unique signature (State v. Thompson, 777 N.W.2d 617 (N.D. 2010)) (Note, however, that the issue in Koch was that the cell phone was used by multiple people. Thus, a unique signature may not be influential.)
  • Text messages contained details only the defendant would know (Massimo v. State, 144 S.W.3d 210, 216 (Tex. App. 2004))
  • Author providing their car model and name (State v. Taylor, 632 S.E.2d 218 (N.C. Ct. App. 2006))
  • Message showing up under saved number on witness's phone, victim's phone was found near her body, and evidence suggested no one had used her phone that day (State v. Damper, 225 P.3d 1148 (Ariz. Ct. App. 2010))
Many cases look to authentication requirements of electronically stored information (ESI) generally and do not apply specific rules for a specific type of device. Therefore, authentication rules applying to e-mails or Facebook posts might also work for text messages. For example, a text message from Author saying he will go to a certain place at a certain time, together with evidence showing that he was there at that time, would be properly authenticated. Commonwealth v. Amaral, 78 Mass. App. Ct. 671 (2011).

Wednesday, August 10, 2011

SNS printout authentication attempt struck down

In State v. Eleck, 23 A.3d 818 (Conn. App. Ct. 2011), the defense sought admission of a Facebook messaging conversation between the defendant and a witness for the prosecution. The witness admitted that the messages were sent to her account, but she was not the author. Rather, her account had been hacked. The defendant claims that he was removed as the witness's Facebook friend days later, but the witness claims she still did not have access to her account. Ultimately, the trial court found that the messages were not properly authenticated and were thus inadmissible.

The appellate court affirmed, finding that there was not enough circumstantial evidence to authenticate the printout. Citing a variety of cases from other states (the issue was one of first impression for the court), the court essentially made it impossible to admit any evidence from an Internet source without an admission from the author.

Barring discovery and financial issues, here are some ways it possibly could have been authenticated:
  • Internet cache connecting the postings to the witness's computer. (Commonwealth v. Purdy, 945 N.E.2d 372 (Mass. 2011))
  • Facebook representative testimony connecting the messages to witness's IP address at the time. (Griffin v. State, 2011 Md. LEXIS 226 (2011))
  • Unique information others would not have been aware of. (Commonwealth v. Purdy, 945 N.E.2d 372 (Mass. 2011); Commonwealth v. Amaral, 78 Mass. App. Ct. 671 (2011))
UPDATE: The Connecticut Supreme Court has since granted defendant's appeal with regard to this issue (302 Conn. 945 (2011)).