Understanding the Computer Fraud and Abuse Act (CFAA) of 1984


The Computer Fraud and Abuse Act (CFAA), first passed in 1984 and amended in 1994 to add a civil cause of action, addresses criminal and civil liability for unauthorized access to computers and for obtaining information from them. The law distinguishes between outsiders who access a system without any authorization and insiders who exceed the access they were given. It includes provisions on national security information, governmental computers, intent to defraud, and causing damage. "Protected computer" is defined in the statute, and "obtaining information" is read broadly.





Presentation Transcript


  1. The Computer Fraud and Abuse Act Richard Warner

  2. CFAA Background. First passed in 1984 as a purely criminal statute. Amended in 1994 to allow civil actions. Interpretation of terms is uniform in both contexts: "As a consequence, even in civil cases brought under the CFAA, the canon of strict construction of criminal statutes, or what is referred to as the rule of lenity, is followed." WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012). Lenity: ambiguities in a criminal statute about prohibitions and penalties must be resolved in favor of the defendant unless that is contrary to legislative intent.

  3. The Computing Background. Mainframe computers faced two threats. Outsiders: hackers who gain access without any authorization; covered by 1030(a)(3) and 1030(a)(5)(A), (B), (C) ("without authorization"). Insiders: users who are authorized to access the system but exceed that authorization; covered by 1030(a)(1), (2), (4) ("without authorization or exceeds authorized access").

  4. Which subsection applies? (The slide's decision flowchart, flattened into its questions and outcomes.)
     Information relevant to national security, obtained without or exceeding authorization? Yes: 1030(a)(1).
     Obtaining information, without or exceeding authorization? Yes: 1030(a)(2).
     Governmental computer, accessed without authorization? Yes: 1030(a)(3).
     Intent to defraud, without or exceeding authorization? Yes: 1030(a)(4).
     Intentionally causing damage? Yes: 1030(a)(5)(A).
     Recklessly causing damage? Yes: 1030(a)(5)(B).
     Otherwise causing damage? Yes: 1030(a)(5)(C).

  5. Computer Fraud and Abuse Act, 18 U.S.C. 1030(a)(2)(C). Criminal and civil liability for whoever (a) intentionally accesses a computer (b) without authorization . . . and (c) thereby obtains . . . information from any protected computer.

  6. Obtaining Information. A 1996 amendment, the National Information Infrastructure Protection Act of 1996, made clear that "information" includes information stored in intangible form. "Obtaining information" includes merely viewing information without downloading or copying it. Healthcare Advocates, Inc. v. Harding, Earley, Follmer & Frailey, 497 F. Supp. 2d 627, 648 (E.D. Pa. 2007).

  7. What Is a Protected Computer? A protected computer is one that is: (1) used exclusively by a financial institution or the federal government; (2) not used exclusively by a financial institution or the federal government, but whose use by a financial institution or the federal government is affected by the conduct constituting the offense; or (3) used in or affecting interstate or foreign commerce or communication.

  8. Lacking Authorization. We will look at three ways of lacking authorization: circumventing technical barriers; breaching contracts; and accessing after receiving a letter revoking consent. We begin with circumventing technical barriers. Examples of technical barriers: password requirements, firewalls, and intrusion monitoring systems.

  9. The Breaking and Entering Analogy. Circumventing technical barriers (like password requirements) is analogous to burglary, not trespass. Trespass = unauthorized access to land, or use of property that impairs its value or harms a protected interest. Burglary requires (1) breaking = violation of a security device designed to exclude people (State v. Newbegin, 25 Me. 500, 504 (1846)) and (2) entering.

  10. What Is Breaking? Breaking need not involve force or violence: opening a closed but unlocked door or window counts. State v. Boon, 35 N.C. 244, 246 (1852). But entering through a door left ajar or an open window may not be breaking. State v. Boon, 35 N.C. 244, 246 (1852). Some later cases count this as breaking if it is clear that access is unauthorized.

  11. Unlocking Doorknob Locks. A violation of a security device designed to exclude people, and a violation of norms.

  12. United States v. Morris (1991): Fact Pattern. Morris had authorized access to Cornell computers. From there he reached other Internet-connected computers by circumventing technical barriers: he used vulnerabilities in the Sendmail and Finger programs to spread a worm. Is this unauthorized access for purposes of 1030(a)(5)(A)?

  13. What Morris Did. He wanted to show that the Internet was insecure. His plan was to demonstrate that by infecting computers with a worm without anyone noticing. Morris did not intend his worm to cause any harm. As the court notes, "The goal of this program was to demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects that Morris had discovered. The tactic he selected was release of a worm into network computers."

  14. The Design of the Worm. Morris designed the worm to copy itself from Internet system to Internet system. But before it copied itself, the worm first asked the target computer whether it already had a copy of the worm, and it did not copy itself if it got a "yes" answer. The point: multiple copies on one machine would slow it down enough to signal the worm's presence, and he wanted to show that the worm could spread undetected. But he also designed the worm to copy itself anyway on every 7th "yes" answer, to defeat clever system administrators who might fake a "yes".

  15. The Error. "Every 7th time" was a mistake; he should have chosen something like every 5000th. He greatly underestimated the number of times a computer would be asked whether it had the worm. The worm spread with great rapidity over the Internet, causing computer slowdowns and shutdowns and imposing on system owners the cost of removing the worm. It shut down roughly 6,000 hosts on the 1988 Internet, typically for a day, some for longer. Robert Morris (Sr.) never became Director of the NSA.
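To see why the reinfection rate in slides 14 and 15 matters, here is an added model of the worm's copying rule, not code from the slides or from the worm itself. Each infected host probes every other host once per round; a host that answers "no" gets a copy, and a host that answers "yes" gets a copy anyway on every k-th "yes" it gives. The fully connected network of 64 hosts, the one-probe-per-pair-per-round schedule, and the deterministic per-host counter (standing in for the worm's random one-in-seven decision) are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>

#define HOSTS 64   /* constructed network: every host can reach every other host */

/*
 * Model of the worm's "ask before copying" rule with the every-k-th override.
 * Each round, every host that was infected at the start of the round probes
 * every other host once. A probed host with no copy answers "no" and gets one.
 * A probed host that already has a copy answers "yes"; on every k-th "yes" a
 * given host has answered, the worm copies itself anyway (k = 7 as released).
 * Returns the largest number of copies any single host holds after `rounds`.
 *
 * Assumptions (not from the page): fully connected network, one probe per
 * pair per round, and a per-host counter instead of the worm's randomness.
 */
int max_copies_after(int rounds, int k) {
    int copies[HOSTS] = {0};       /* worm copies running on each host */
    int yes_given[HOSTS] = {0};    /* "yes" answers each host has given so far */
    copies[0] = 1;                 /* the initial release */

    for (int r = 0; r < rounds; r++) {
        int infected_at_start[HOSTS];          /* the probers for this round */
        memcpy(infected_at_start, copies, sizeof infected_at_start);

        for (int src = 0; src < HOSTS; src++) {
            if (infected_at_start[src] == 0) continue;
            for (int dst = 0; dst < HOSTS; dst++) {
                if (dst == src) continue;
                if (copies[dst] == 0) {
                    copies[dst]++;                     /* "no": copy */
                } else if (++yes_given[dst] % k == 0) {
                    copies[dst]++;                     /* "yes": copy anyway every k-th time */
                }
            }
        }
    }

    int max = 0;
    for (int i = 0; i < HOSTS; i++)
        if (copies[i] > max) max = copies[i];
    return max;
}

int main(void) {
    /* With 63 probes per host per round, 1 in 7 adds 9 copies per host per round;
     * 1 in 5000 takes about 80 rounds to add a single extra copy. */
    printf("k=7,    3 rounds:  max copies on one host = %d\n", max_copies_after(3, 7));
    printf("k=5000, 3 rounds:  max copies on one host = %d\n", max_copies_after(3, 5000));
    printf("k=7,    81 rounds: max copies on one host = %d\n", max_copies_after(81, 7));
    printf("k=5000, 81 rounds: max copies on one host = %d\n", max_copies_after(81, 5000));
    return 0;
}
```

The duplicate check only bounds copies while the override never fires; once every host is infected, each host answers 63 "yes" probes per round, so copies grow by 63/k per host per round. That is the quantity Morris misjudged: at k = 7 the load on every host climbs by nine copies a round and becomes visible almost immediately, while at k = 5000 a host would run a single copy for dozens of rounds.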

  16. United States v. Morris (1991). Morris was prosecuted criminally under the Computer Fraud and Abuse Act. Convicted in 1990 of violating the 1986 Computer Fraud and Abuse Act (CFAA); fined $10,000, 400 hours of community service, 3-year suspended sentence. 1030(a)(5)(A) criminalizes (1) intentionally accessing computers (2) without authorization and (3) causing damage. The intention required is just the intention to access the computer, NOT an intention to access without authorization or an intention to cause damage.

  17. Guessing Passwords as Breaking In. Morris gained access by guessing passwords. Guessing passwords is like trying a lot of keys to see which one works in a lock, so it is breaking in. (a) True (b) False

  18. The Sendmail Backdoor. A backdoor is a secret way into either the computer itself or into a particular piece of software, left behind by the software developers.

  19. A Very Simple Backdoor. Suppose you buy an encryption program. The installation program secretly creates an empty text file, key.txt, on your hard drive. The program asks you to type in your secret key; this prompt is all the user sees:

      my_key = input('Input your key: ')   # the only line whose effect the user sees

  The program also has this code hidden in it:

      f = open('key.txt', 'w')   # open the file key.txt for writing
      f.write(my_key)            # write the user's secret key to key.txt, in the clear
      f.close()                  # close the file; the key is now stored on disk

  20. Was Using the Backdoor Breaking In? Did Morris break in when he used the Sendmail backdoor? Before we answer, let's look at why the backdoor was there.

  21. Why Was There a Backdoor in Sendmail? "Allman [the software creator] included several backdoors in the earliest version of sendmail. At the time Allman began writing sendmail, only three UNIX systems, all at UCB (the University of California, Berkeley), ran the software, and Allman already had root access on all of those systems. When sendmail was installed on a fourth system, and Allman was denied access to his new (and buggy) mail software, he added the backdoors." http://www.rikfarrow.com/Network/net0702.html

  22. What Actually Happened. RF: I wanted to ask you about the backdoors in sendmail. When I first asked you about this many years ago, you told me you were a student maintaining sendmail on a small number of systems, and then someone copied sendmail to a machine you had no access to. The owners of that machine then demanded that you fix a bug only expressed on that system. EA: Precisely. So I said let me log in and look at it. And they said we can't allow someone who is not part of the administrative staff onto the machine, which is normally a pragmatic approach to security. I said I will come into your office and someone can watch over my shoulder and make sure I don't do anything bad. They said, no, we can't let you on the machine. Then I can't fix your problem, and they said you have to fix our problem.

  23. What Actually Happened (continued). EA: They got more and more insistent, that I had to fix this magically somehow. And that's when the backdoor went into sendmail. If they won't let me on the machine, well, here's a new version, why don't we see if it fixes the problem. And it did. RF: That backdoor stayed in there for a long time. EA: My mistake was in not taking it out immediately. The backdoor was so convenient, I thought maybe I'll leave it in and it will contribute to development. I pretty much forgot it was there. https://www.usenix.org/system/files/login/articles/login_summer17_09_allman_interview.pdf

  24. How Did Morris Know About The Backdoor? Paul Vixie is a very distinguished computer scientist. From: vixie@decwrl.dec.com (Paul Vixie) Newsgroups: comp.protocols.tcp-ip,comp.unix.wizards Subject: Re: a holiday gift from Robert "wormer" Morris Message-ID: <24@jove.dec.com> Date: 6 Nov 88 19:36:10 GMT References: <1698@cadre.dsl.PITTSBURGH.EDU> <2060@spdcc.COM> Distribution: na Organization: DEC Western Research Lab Lines: 15 # the hole [in sendmail] was so obvious that i surmise that Morris # was not the only one to discover it. perhaps other less # reproductively minded arpanetters have been having a field # 'day' ever since this bsd release happened. I've known about it for a long time. I thought it was common knowledge and that the Internet was just a darned polite place. (I think it _was_ common knowledge among the people who like to diddle the sendmail source.) The Berkeley Software Distribution (BSD) was an operating system based on Research Unix, developed and distributed . . . at the University of California, Berkeley. Today, "BSD" often refers to its descendants, such as FreeBSD . . .

  25. Breaking In? Did Morris break in when he used the Sendmail backdoor? (a) Yes (b) No

  26. Do the Physical Analogies Help? Breaking need not involve force or violence: opening a closed but unlocked door or window counts. State v. Boon, 35 N.C. 244, 246 (1852). But entering through a door left ajar or an open window is not breaking. State v. Boon, 35 N.C. 244, 246 (1852). Is a backdoor whose existence is widely known, and presumably known to the owners of the system, like a door left ajar or an open window?

  27. The Finger Buffer Overflow Vulnerability (diagram). The finger program holds the incoming request in a buffer (storage space used while working). Step 1, normal use: "finger Tom" fills the buffer with the request and returns information about Tom. Step 2, the attack: put enough stuff into the buffer, including the code you want executed, so that it overflows; code placed beyond the end of the buffer gets executed.

  28. Open Web Application Security Project (OWASP) Buffer overflow is probably the best known form of software security vulnerability . . . [1]Part of the problem is due to the wide variety of ways buffer overflows can occur, and [2] part is due to the error-prone techniques often used to prevent them . . . Attackers have managed to identify buffer overflows in a staggering array of products and components. https://owasp.org/www-community/vulnerabilities/Buffer_Overflow
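The overflow sketched in slide 27 and described by OWASP above, as an added example that is not part of the slides or of the real fingerd source. A constructed request record holds a fixed-size name buffer followed by a field the remote user should never control. handle_request_unsafe copies the whole request with no check against the buffer size, the pattern of gets() into a fixed buffer that fingerd used in 1988; handle_request_safe refuses any request that does not fit. The struct layout, the field names, and the 20-byte request are assumptions made for the demonstration: the real worm overwrote the saved return address on the stack, not a flag.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for fingerd's request handling. The username read
 * from the network lands in a fixed buffer, and something security-relevant
 * sits immediately after it in memory. */
struct finger_req {
    char name[16];          /* the username being looked up */
    uint32_t privileged;    /* 0 = ordinary lookup; non-zero = trusted path (assumed field) */
};

/* Vulnerable handler: copies the entire request without comparing its length
 * to sizeof name. To keep the demonstration deterministic, the copy is capped
 * at the end of the struct object instead of running off into whatever lies
 * beyond it; a real gets() has no such cap. Returns the privileged flag. */
int handle_request_unsafe(struct finger_req *req, const char *wire, size_t wire_len) {
    unsigned char *dst = (unsigned char *)req + offsetof(struct finger_req, name);
    size_t room = sizeof *req - offsetof(struct finger_req, name);
    memcpy(dst, wire, wire_len < room ? wire_len : room);   /* bytes 16..19 land on `privileged` */
    return req->privileged != 0;
}

/* Hardened handler: the request must fit the name field together with its
 * terminator; anything longer is refused before a single byte is copied.
 * Returns -1 on refusal, otherwise the privileged flag (still 0). */
int handle_request_safe(struct finger_req *req, const char *wire, size_t wire_len) {
    if (wire_len >= sizeof req->name) return -1;
    memcpy(req->name, wire, wire_len);
    req->name[wire_len] = '\0';
    return req->privileged != 0;
}

/* Constructed malicious request: 16 filler bytes fill `name` exactly, and the
 * next 4 bytes overwrite `privileged` with a non-zero value on either
 * endianness. Returns the request length, or 0 if `out` is too small. */
size_t build_overflow_request(char *out, size_t out_len) {
    static const char payload[] = "AAAAAAAAAAAAAAAA\x01\x00\x00\x00";
    size_t n = sizeof payload - 1;   /* 20 bytes, excluding the literal's terminator */
    if (out_len < n) return 0;
    memcpy(out, payload, n);
    return n;
}

int main(void) {
    struct finger_req req;
    char wire[64];
    size_t n = build_overflow_request(wire, sizeof wire);

    memset(&req, 0, sizeof req);
    printf("unsafe handler: privileged = %d\n", handle_request_unsafe(&req, wire, n));

    memset(&req, 0, sizeof req);
    printf("safe handler:   result = %d, privileged = %u\n",
           handle_request_safe(&req, wire, n), req.privileged);
    return 0;
}
```

The fix is the length check, not a bigger buffer: the attacker chooses the request length, so any fixed size without a bound is reachable. This is also OWASP's point about error-prone prevention; a check written as `wire_len > sizeof req->name` would still let a 16-byte name clobber the terminator.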

  29. The Morris Court on Unauthorized Access. "Morris's conduct here falls well within the area of unauthorized access. Morris did not use either of those features in any way related to their intended function. He did not send or read mail nor discover information about other users; instead he found holes in both programs that permitted him a special and unauthorized access route into other computers."

  30. United States v. Phillips (2007). Phillips was a computer science student at the University of Texas. He had signed the acceptable-use computer policy, in which he agreed not to perform scans that would permit him to search for vulnerabilities and agreed not to hack the network. A user's password on the system he attacked was his or her Social Security number.

  31. United States v. Phillips. Phillips "began using various programs designed to scan computer networks and steal encrypted data and passwords . . . infiltrating hundreds of computers, including machines belonging to other UT students, private businesses, U.S. Government agencies, and the British Armed Services webserver. In a matter of months, Phillips amassed a veritable informational goldmine by stealing and cataloguing a wide variety of personal and proprietary data, such as credit card numbers, bank account information, student financial aid statements, birth records, passwords, and Social Security numbers."

  32. Norms and Authorization. The scope of a user's authorization to access a protected computer may be determined by the expected norms of intended use of the computer. Phillips's brute-force attack program "was not an intended use . . . within the understanding of any reasonable computer user and constitutes a method of obtaining unauthorized access to computerized data." The court cited United States v. Morris.

  33. Norms. "Although the court did not elaborate on its standard, the intended function test appears to derive largely from a sense of social norms in the community of computer users. Under these norms, software designers design programs to perform certain tasks, and network providers enable the programs to allow users to perform those tasks." Orin Kerr, Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596 (2003).
