1. What should the Connecticut Company have done to prevent the computer intrusion described in this case? What should it have done to detect this computer intrusion?
After a computer system has been compromised and an intrusion is detected, a computer forensics investigation is necessary to stop further intrusion. The Connecticut Company ought to have put preventive measures in place to keep intruders from accessing its information. In case the preventive security measures fail, an Intrusion Detection System (IDS) is implemented, which completely detects any intrusion into the system, and if the intruder is identified, the necessary legal actions are taken.
For that reason, any computer system network must have a firewall. This is a system, or rather a virtual wall, that prevents entry of information into the network without approved authorization. The firewall will block any information that has not been allowed by the administrator. This is a necessary preventive measure to block external persons from accessing internal information. Use of anti-virus software is also a preventive measure that keeps harmful programs from getting into a computer system.
In addition to the firewall, an intrusion detection system can also be used by a server to detect an intrusion if an intruder has bypassed the firewall and has full access to the system. Another preventive measure is restricting access to computers, which is achieved by creating a password that prevents any intrusion on the computer terminal. The company should always adhere to these measures and to many others that are not mentioned herein. For instance, computers should not be connected to the internet when not in use.
2. What security controls should be implemented by any organization to prevent, detect, and recover from a computer intrusion?
Security controls to prevent computer intrusion should be implemented beforehand, before one begins surfing. Every safety control should be put in place so that intruders never get an opportunity to gain access from other computer systems. The first security control that should be implemented is a firewall test. This security measure comes first and is very accurate. The firewall should be effectively locked in order to protect your credit cards, passwords, bank accounts and other personal information that is considered crucial and significant.
Another security control measure that the organization should implement is intrusion prevention hardware and software. Both are configured, thereby ensuring tight web security. Other than relying on the hardware and software devices, an organization should ensure that it has taken a firewall test. This security measure helps identify malicious programs that an intruder may have put into a computer system. Even with firewalls, it sometimes becomes very challenging, since one may not be certain of the correct button to select. One may select a button that gives the intruder full access to evade all the security measures that have been put in place.
For this reason, the organization should implement a popup test that identifies such malicious entries. A free spyware removal program is also significant as a security control measure, since it detects and prevents any entry of malicious programs into the computer system and terminal. Together with that, an organization should implement web security services which prevent installation of unwanted software. For that reason, an intrusion prevention test, or rather an internal IP audit, is installed, as this ensures that an intruder cannot allow Java applets to execute in unrestricted areas.
3. Why would someone want to use a forged e-mail address? Explain how this worked to the intruders’ advantage in this case.
In the current world, computers are being used for almost every aspect of human life. These range from banking and shopping services to communication. When sending messages regarding these services, most people use email or even chat programs.
People tend to think that communicating via email is secretive, or rather a safe service. However, some people may send messages using your computer if they do not want to be traced. They attack other computer systems using forged emails since they do not want to be known. They even use forged emails when they intend to get some personal information from another computer system. It becomes very difficult to trace the intruder, since the email is forged.
In some other circumstances, someone else might be mistaken for the intruder in case the intruder hacks the password and email address pertaining to a particular person. Intruders do not care about the identity of the persons whose accounts they have hacked. Their intention is to gain control of the computer system so that they can use it to launch attacks on other computer systems. Moreover, forged emails are advantageous to intruders since they help them conceal their true location as they launch their attacks.
4. Numerous entries similar to the following were found in BoatingCT.com's Web logs. What does this entry mean?
While a lot of information can be obtained from a host computer, other information can also be obtained from the server. Most of the events that happen in a computer system are saved in web logs on servers. If a person fails to gather the system logs, significant information can be left out.
These logs store important information, such as the username, password, access time, the devices used, the functions performed and other types of information, depending on the type of log utilized. By evaluating the logs, it is easier to prove that a particular user account actually performed a specified questionable act. Together with that, the firewalls and the Intrusion Detection System have logs that can be examined for suspicious activities.
Most network routers also have logs from which an investigator may rebuild evidence. By evaluating the web logs in an information system, it becomes possible to analyze a crime that may have occurred. Numerous entries similar to a single web log entry may mean that some people are trying to hack the website using similar information. For that reason, servers should be very cautious concerning their login details, usernames and passwords.
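The kind of log evaluation described in this answer, as an added example that is not part of the original text: it parses constructed Common Log Format entries and reports any resource fetched successfully by several distinct clients. The sample lines, the IP addresses and the `/orders/daily_orders.txt` path are assumptions made for illustration; the log entry the question refers to does not appear on this page.

```python
import re
from collections import defaultdict

# Constructed sample entries in Common Log Format. The IPs come from
# documentation ranges and the order-file path is hypothetical.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:02:14:07 -0500] "GET /orders/daily_orders.txt HTTP/1.0" 200 18234
198.51.100.7 - - [01/Jan/2024:02:15:40 -0500] "GET /orders/daily_orders.txt HTTP/1.0" 200 18234
203.0.113.55 - - [01/Jan/2024:03:01:12 -0500] "GET /orders/daily_orders.txt HTTP/1.1" 200 18234
192.0.2.10 - - [01/Jan/2024:03:05:00 -0500] "GET /orders/daily_orders.txt HTTP/1.0" 200 18234
198.51.100.7 - - [01/Jan/2024:09:30:02 -0500] "GET /index.html HTTP/1.1" 200 5120
203.0.113.99 - - [01/Jan/2024:09:31:44 -0500] "GET /admin/ HTTP/1.1" 403 312
this line is malformed and must be skipped
"""

# client, identd, user, [timestamp], "METHOD path protocol", status, size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')

def parse_line(line):
    """Return the fields of one log entry, or None if the line is not CLF."""
    m = CLF.match(line.strip())
    if not m:
        return None
    client, when, method, path, status = m.groups()
    return {"client": client, "time": when, "method": method,
            "path": path, "status": int(status)}

def repeated_access(log_text, min_clients=3):
    """List (path, hits, clients) for paths served (200) to >= min_clients clients."""
    hits = defaultdict(int)
    clients = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["status"] != 200:
            continue  # skip malformed lines and requests that were refused
        hits[entry["path"]] += 1
        clients[entry["path"]].add(entry["client"])
    flagged = [
        (path, hits[path], sorted(clients[path]))
        for path in hits if len(clients[path]) >= min_clients
    ]
    return sorted(flagged, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for path, count, who in repeated_access(SAMPLE_LOG):
        print(f"{path}: {count} successful requests from {len(who)} clients: {who}")
```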
5. What was the importance of having court orders immediately issued to Hotmail.com and Time Warner Cable?
Issuing a court order to Hotmail.com and Time Warner Cable was very significant, since they would both commit to tracing any intruder that may have hacked into their systems. Also, a court order would serve as a warning to them that their systems have already been compromised and that they therefore need to straighten things up before their entire systems collapse.
Together with that, such a sudden court order compels Hotmail.com to be a little more cautious when giving accounts to individuals. They should accept responsibility for any crime that occurs and is linked to their agency. Additionally, a court order might be issued by a superior court to request that both Hotmail.com and Time Warner Cable disclose to the law enforcement agencies the subscriber of the account from which the anonymous emails were sent.
However, these two agencies might defy the order, as per 47 U.S.C. § 551, which disallows them from disclosing any information concerning their subscribers. However, they may accept the order depending on the situation and on the purpose for which the email was used, and in this case the email was used for fraudulent reasons.
6. When the FBI New Haven field office requested the log files from the University of Akron, none were available. Do you think it is typical for universities not to retain log files? What is the impact of this on the security of university computing environments?
The decision for universities to retain log files depends on various things. For one, the law might require the university to either retain or destroy the log files. Secondly, retaining or destroying log files might be covered by the university's policies. Thirdly, the university may decide to retain the files as long as it deems them useful. Fourthly, the university might retain the log files in case it is expecting, or rather hoping, to follow up some things from these logs. Lastly, retaining or not retaining these logs is determined by the amount of space they utilize.
Considering the reasons named above, I believe it is very typical for universities to retain log files. Every individual in the university has his or her own objective and motive, and, therefore, it is always appropriate to take chances. Even though it is under the policy of the university to practice confidentiality regarding their access to their personal data, it is, on the other hand, the responsibility of the university to maintain the accuracy, reliability and discretion of any incoming and/or outgoing information in order to ensure that no unauthorized disclosures take place.
For that reason, the university is compelled to closely monitor every individual's electronic data, software and log files. These logs are stored and are retrieved when necessary. This ensures that in case any computer intrusion is detected within the university, the administrator is in a better position to face the law, since it will be simple to narrow down to the intruder by using the log files.
7. The FBI New Haven CART field examiners imaged the hard drive and worked off of that. They did not use the original drive or the original evidence. Why?
In collecting evidence, data should be protected by capturing a correct copy of the original data. This process is called imaging. The image that is captured is the one that is used, instead of the original data, as this helps preserve the original data for use in court. Imaging is regarded as very significant in computer forensics, and the computer evidence captured is considered valid and reliable in a court of law.
8. When the Web logs from BoatingCT.com were analyzed, the CART field examiner discovered that intruders from around the world had gained unauthorized access to the company’s daily order file. The company was informed of this, but the CART field examiner's focus remained on identifying the sender of the suspicious e-mails to BoatingCT.com's customers, the reason given for the FBI's involvement in this case. What other reasons might the FBI have had for not pursuing these other intruders?
Every country has its own legal procedures pertaining to cybercrime. For instance, the USA considers hacking passwords, stealing confidential customer order information, credit card numbers and so forth to be cybercrime. However, other countries, like the Czech Republic, do not have any enforcement laws regarding cybercrime. The reason why the FBI might focus on the source of the information is to make sure that they identify the intruder and prevent further sending of malicious information. It is from the same source that they will send warning information to other intruders. They will also be able to contact the customers and alert them to certain emails that they should consider spam.
9. The computer intruder described in this case was a U.S. citizen who resided in Ohio. What would the FBI have done if he were a non-U.S. citizen who resided in a foreign country? How do we shape an effective initial response to a computer network attack that is actor-independent?
The FBI will apply a similar procedure in detaining the person, on the assumption that the person is aware of the laws pertaining to cybercrime. In this case US laws will be applicable. The foreign country must be willing to cooperate with the FBI, and in case the foreign country attempts to prevent the criminal, this might be considered a matter of national security. For actor-independent circumstances, we apply laws that deal with the issue on an individual basis.
10. What types of Internet-related crimes should be reported to the FBI? At what point should a computer crime be reported to law enforcement?
a. Computer intrusion, hacking
b. Password trafficking
c. Currency counterfeiting through the internet
d. Pornography literature to children via internet
e. Child abuse and Internet Fraud issues that have a mail nexus
f. Internet fraud and anonymous malicious mails
g. Internet harassment
h. Bomb threats via internet
i. Transacting in explosives and combustible devices or weapons via Internet
A computer crime should be reported to law enforcement when it is determined that the FBI cannot handle the crime any longer.