BRIDGING BARRIERS:

LEGAL

AND

TECHNICAL

OF

CYBERCRIME CASES

Two
Case
Studies..
a
Gradual


Evolution


Federal Agent Ross McDonald

Australian Federal Police

Case Study 1- Op PROXIMA

•



In March 2005, the AFP received information

from the Computer Crime Unit, Belgian Federal

Police.

•



In February 2005 a Distributed Denial of Service

(DDoS) attack was directed at "several IRC

servers of big companies in Belgium". A suspect

interviewed divulged the e-mail address and

Case Study 1- Op PROXIMA

•



Open source information revealed that

“iCER” was also a key organiser of

Investigation

•



Telephone Intercept Warrant was sworn.

Numerous attacks captured and other

DDOS attacks against servers in

United States

Australia

Singapore

Demand Email

•

 

Subject: [Austnet/Help] I ADVISE YOU TO READ THIS

You have had this comming. All you opers deserve the death penalty. Now unless AustNET controls its lameness, the

attacks will continue till AustNET is no longer.

Demands:

1. Kevin does not associate with AustNET administration anymore. He must leave the ASD/OPER department. This

applies for medrawt too.

2. Administration of ALL AustNET gets overlooked, and a new access list chart is created. All oper's need a channel to

all idle in together and discuss matters together. Not 'what Kevin says, goes'.

3. /MSG OperOP list gets updated.

4. www.Austnet.org gets updated. The same thing goes for the box, as it is vulnerable to remote attacks.

5. Remove user 'mark' account from the webmaster.com (website box) as it is compromised (then look for the local

compromised vulnerability and then patch it then re-run chkrootkit).

6. Link up at least 2 reliable servers which handle DDOS filtering to prevent further wipeouts / delinking’s.

7. Stop G-lining non-wanted users such as bottlers / xdcc’s / warez affiliated users/bots. Redirect them to one allowable

server if you must.

8. REMOVE ALL GLINES, on non compromised hosts that get requested by ALL users.

9. Do not assume who is behind this, as we are spoofing to get the attention off us.

10. Do not follow any of these, and you will remain down until terminated.

After all these demands are followed, email back to above email address with proof of EACH task been met.

Resolution

•



22 March 2006 – AFP/State Police

execute five simultaneous search warrants

in three States.

Resolution

•



Bill Giannakis charged under the Criminal

Code Act 1995 (Cth)

–



Use telecommunications network with intent

to commit a serious offence (s.474.14) x 5

counts

–



Cause unauthorised impairment of electronic

communication (s.477.3) x 5 counts

Result

•



It was decided to proceed summarily.

•



Guilty plea to one count of causing unauthorised

impairment of electronic communication (s.

477.3) covering all attacks.

•



Discharged without conviction.

•



2 year $1,000 good behaviour bond.

Issues Identified- PROXIMA

•



Unwillingness by victims to provide official statements-

scared of online retribution and lack of confidence in

police/court system.

•



Investigative challenges

–



Very resource intensive:

- monitoring and interpretation of Telephone Intercepts;

- analysis of seized items.

–



Lack of experience and case law regarding DDoS attacks: not

many previous cases for computer offences.

–



Mutual Assistance Requests were made: results arrived 6

Issues Identified- PROXIMA

•



Prosecution challenges

–



Lack of experience amongst prosecutors and the

judiciary regarding computer offences: not many

previous briefs or cases for many computer offences,

hence very little case law.

–



Not always possible to place a monetary value on the

effect of an offence.

–



Perception by judges that computer offenders are just

‘naughty boys’, even though they can cost millions.

–



Admission of foreign evidence and offences

Case Study 2- Op CARPO

•



January 2009- Customer database for a

major Australian Domain registrar was

placed for sale on the internet.

Case Study 2- Op CARPO

•



Seller engaged online by AFP covert

operative.

•



Open source enquiries made to identify

seller.

•



Seller identified as Brendan TAYLOR of

Perth (23yrs).

•



Investigators travelled to Perth and

Case Study 2- Op CARPO

•



Upon being arrested, TAYLOR revealed

2

nd

_{offender (BAKER) was actually}

responsible for unlawful access to data.

•



Search warrant executed at BAKER’s

residence same day.

•



Evidence of database located on

Case Study 2- Op CARPO

•



TAYLOR charged with 1 x Dishonestly Obtain or

Deal in Personal Financial Information.

•



TAYLOR was originally to be sentenced to 12

months imprisonment to serve 4 months.

•



Due to assistance provided against BAKER this

sentence was amended to 12 months

Case Study 2- Op CARPO

•



BAKER was charged with:

1 x Dishonestly Obtain or Deal in Personal

Financial Information; and

Case Study 2- Op CARPO

•



BAKER was sentenced to 18 months

imprisonment on each charge, to be

eligible for release after 6 months.

•



The court found it a sophisticated,

deliberate and planned course of events.

•



The judge noted the difficulty of proving

computer crime offences and the need for

there to be general and specific

A Gradual Evolution

•



Prosecutors and the judiciary are becoming

more familiar with the concepts and terminology

used in tech enabled crime.

•



As more offenders are prosecuted both in

Australia and internationally, the crime type is

slowly losing its aura of mystery.

•



Non specialist police are becoming more

A Gradual Evolution

•



Victims are more willing to make

complaints and provide statements.

•



Almost a “carnival atmosphere” amongst

the hacking community for PROXIMA.. not

so for CARPO.