Mainstreaming eCrime

October 13th, 2006 at 14:13 UTC by Richard Clayton

Back in February I wrote about how the establishment of the Serious Organised Crime Agency (SOCA) was likely to lead to a situation in which “level 2” eCrime could end up failing to be investigated. “Level 1” crime is “local” to a single police force, “level 3” crime is “serious” or “organised” and requires tackling at a national or international level — and “level 2” crime is what’s in-between: occurring across the borders of local police forces, but not serious or organised enough to be SOCA’s problem.

Over the past few weeks I’ve been at a Metropolitan Police “Knowledge Forum” and at a Parliament and Internet Conference. There I’ve learnt about how the police (at ACPO level, not just the Met) are intending to tackle eCrime in the future.

The jargon for the new policy is “mainstreaming” — by which is meant that the emphasis will move away from tackling “eCrime” as something special, and regular officers will deal with it just as “Crime”.

In particular when there are “e” aspects to a normal crime, such as a murder, then this will be dealt with as a matter of course, rather than be treated as something exotic. With the majority of homes containing computers, and with the ubiquity of email, instant messaging and social network sites, this can only be seen as a sensible adaptation to society as it is today. After all, the police don’t automatically call in specialist officers just because the murder victim owns a car.

Although there is a commitment to maintain existing centres of excellence, specialist units with expertise in computer forensics, units that tackle “grooming” by paedophiles, and undercover police who deal with obscene publications, I am less sanguine about the impact of this policy when it comes to crimes that rely upon the Internet to be committed. These types of crime can be highly automated, operated from a distance, hard to track down and obtain evidence about, and can be lucrative even if only small amounts are stolen from each victim.

I believe there is still some doubt that Internet-based crimes will be investigated, not just from lack of resources (always a problem, as anyone who has been burgled or had a car window smashed will know), but because it’s no-one’s task and appears on no-one’s checklist for meeting Government targets (there’s still no central counting of eCrime occurring).

Mainstreaming is proposed to have some sensible adjuncts in that police forces will be encouraged to pool intelligence about eCrime (to build up a picture of the full impact of the crime and to link investigators together), and some sort of national coordination centre is planned to partially replace the NHTCU. However, although this may sometimes mean that an investigation can be mounted into an eBay fraudster in Kent who rips off people in Lancashire and Dorset — I am not sure that the same will be true if the victims are in Louisiana and Delaware — or if the fraudster lives in a suburb of Bucharest.

The details of what “mainstreaming” will mean for eCrime are still being worked out, so it’s not possible to be sure what it will mean exactly. It sounds like it will be an improvement on the current arrangements, but I’m pessimistic about it really getting to grips with many of the bad things that continue to happen on the Internet.

Entry filed under: Legal issues

9 comments

  • 1. Clive Robinson  |  October 14th, 2006 at 10:48 UTC

    Richard,

    With respect to the forensics aspects you say,

    “After all, the police don’t automatically call in specialist officers just because the murder victim owns a car.”

    For many reasons I would tend to consider E-Devices like unexploded FAEs; most physical forensic evidence like a car etc does not age rapidly, in that a day or two before expert analysis is not going to make that much of a difference, nor is physical evidence particularly easy to destroy beyond useful analysis.

    It is way too easy to design electronic devices to be triggered just like a bomb, and in the process totally destroy the real evidence they contain. The last thing that is needed is some E-Crime to go right through the pre-investigation phase, just to have the evidence needed for conviction go up in electronic smoke due to poor “on crime scene” activities.

    The current ACPO recommendations although nice for a run of the mill criminal activity using consumer electronics just will not cut it with more knowledgeable criminals (or even those that use things such as run time CD-OS’s where no hard disk is used and a simple hidden micro switch will trigger data loss).

    The argument in the past that criminals do not possess the technical savvy just does not apply any more. Over the past year or so with the likes of malware being used not for ego/bragging points but for money the expected trend will be “guns for hire” technology savvy crackers etc taking the cash for their knowledge either directly from criminals or from front/cutout organisations set up or funded by criminals (much in the same way tobacco / food / drug companies are alleged to use scientists to get favourable “independent research”).

    One thing that will soon become apparent is highly programmable portable consumer items (currently PDA/Mobile phones) will have software written for them that contains strong crypto and many many triggers. Also that the data storage will be rapidly rotated through memory using encryption techniques that will render just about any analysis technique close to impossible within financial constraints.

    A simple bio-metric device such as a fingerprint reader makes an excellent trigger and are starting to appear as standard in consumer items. The criminal puts all his fingerprints in as individual entries, the software then requires that the correct fingerprint at the right time be entered. Any of the other correct fingerprints at the wrong time triggers data destruction silently, whilst the app appears to function as normal. And of course if the device does not receive the appropriate fingerprint in a given time frame again data destruction occurs.

    The possibilities are almost endless when it comes to this sort of thing, the hard part is coming up with a system that the criminal can use conveniently but is still reliably secure. Oh and getting the criminals to keep their mouths closed (over 80% of crimes are solved through criminals bragging to others) and following other sensible precautions.

    I would say it is not possible to train all police officers or a large number of “scene of crime” officers to deal with this sort of thing and specialists will always be required. At best you train those frontline troops to recognise when to get the experts in quickly, and that itself may be quite difficult to arrange.

  • 2. Richard Clayton  |  October 14th, 2006 at 11:31 UTC

    Clive comments:

    With respect to the forensics aspects you say,

    “After all, the police don’t automatically call in specialist officers just because the murder victim owns a car.”

    but forensics is NOT what I am talking about here.

    In the past the police have not been calling in the specialists to do forensics — but to tell them about the technology (“you must understand this about cars, Lestrade, they can transport people across London at very high speed, without the need to keep a horse of your own…”). Mainstreaming is NOT about getting random officers to do forensics, but in ensuring that the “e” aspects of traditional crimes get properly considered.

    As for the rest of “the possibilities are endless” — for many years the police have been taking a very pragmatic approach to the technology. They worry about what they actually encounter, not what people dream up in ivory towers.

    But this is really getting away from my main point, that the police are still struggling to put forward a plausible story about investigating level 2 crime which leverages the opportunities the Internet provides for action at a distance and the automation of low probability of success actions to create viable threats.

  • 3. Nick Towner  |  October 14th, 2006 at 14:21 UTC

    Here in the Netherlands, professors in the psychology of law have been warning since 2002 about crimes not being investigated because they do not fit neatly into the police organisation, and about professional criminals taking advantage of this – not just in eCrime but generally.

    The government response, however, has been to push even harder for a centralized, national police force and consequent removal of local accountability.

  • 4. Robin Hood  |  October 15th, 2006 at 19:06 UTC

    Uz crimz love being one step ahead. Excellent reading material!

  • 5. Clive Robinson  |  October 17th, 2006 at 13:36 UTC

    @Richard

    As I understand it from your first paragraph there are three levels of crime outlined,

    Level 1 = crime is “local” to a single police force
    Level 2 = crime is occurring across the borders of local police forces
    Level 3 = crime is “serious” or “organised”

    And that eCrime that falls into level 2 will not be investigated, effectively by choice (ie no resources / mechanism etc).

    What you are not clear about is if the Level 2 eCrime you are concerned about is national only or international when you talk about borders.

    From my limited perspective based on what I have seen publicly available, most of the eCrime for profit at Level 2 is International in origin not National. Which would tend to suggest that it still falls under SOCA’s remit from your description. The reason for this would appear to be that the Internet actually reduces both the costs of the type of crime/scam but more importantly adds the safety of distance and one or two international borders at no extra cost.

    In your second and third paragraph you go on to describe that under a process called “mainstreaming” eCrime will no longer be treated as something special, and regular officers will deal with it just as “Crime”.

    As far as the administrative paper work etc this is fine it takes an exception out of that current work flow. But this is not ok for the rest of the process which is the apprehension of criminals and the recovery of assets. Which is what we as the tax payers like to think the money is being spent on, not on developing a burgeoning bureaucracy or technological infrastructure.

    Also if National Level 2 eCrime is quite small then “mainstreaming” might be a sensible way to deal with it, providing the local Police forces are given access to the appropriate resources at say the regional level (which is unlikely given current trends).

    What you have not addressed in your description and what also may not have even been considered by the Met or Parliament is that there has been a very marked change in eCrime trends in recent times.

    It would appear that those with the technical ability would prefer to benefit financially from their knowledge rather than the more risky ego food of web defacement etc. Obviously preferring the lower risk “eCrime for profit” to the “eCrime for ego”.

    As most of those with the technical ability do not possess the knowledge to handle the proceeds of “eCrime for profit” they need to collaborate with those who do. Likewise criminals who are adroit at dealing with money laundering etc are looking to get the technical knowledge to move into the lower risk areas of crime.

    So in effect the technically adroit have become “guns for hire”, we have seen inept attempts to go out on their own, such as the auctioning off of bot nets / credit card lists / personal data etc and some more sophisticated attempts have come to light where the potential victims of attempted extortion etc have gone public (which unfortunately does not happen that often).

    The technical knowledge that is available for sale from the technically adroit has two forms.

    1) The first is those that might be used to commit the crime such as virus worm and other penetration, replication, phishing or spamming technology, (ie the “Tools of the Trade” for the level 2 eCrime you are concerned about).

    2) The second are those that reduce the likelihood of capture / conviction for those deploying the first, by eliminating records and evidence of the crime and of the location of the proceeds of the crime.

    A technology “expert” caught selling the first is likely to spend considerable time regretting their actions in a prison cell. This is why they are migrating to the use of very very sophisticated techniques to protect themselves.

    For instance the now “old hat” use of BlueTooth technology to communicate from a laptop computer to a mobile phone, and from the phone via mobile Internet services to the Internet that was a logical successor to the “pole job” of the land line era. The mobile phone and its account being obtained via extremely difficult to trace but easy methods (cash at car boot sales / down the pub / back of a lorry etc).

    The person finds a place where they can observe a large open space easily which is where they hide the mobile (up a tree in a park is workable or if in Moscow in a rock). The place they have chosen would usually have an easy escape route for them but an extremely difficult approach from the phone, as well as a low risk of identification (say a library/hotel/office room/roof overlooking a park, with a large fence etc in between). Then if anybody interferes with the phone they calmly leave the area, also if they pick the right type of room radio direction finding at 2.5Ghz would be almost as obvious as the phone being interfered with. As I said this is old hat and an overly elaborate way, there are newer easier techniques available to those who wish to use them, thanks to the wide deployment of low cost consumer electronics from the likes of Maplin and PC shops.

    The second type of technology sale is probably not even illegal if done correctly so from the technology expert’s point of view a lot safer but possibly not as profitable. Also safer for the criminal as they can keep an untrusted person out of the criminal activities, thus avoid having a plea bargain risk in their midst.

    Why would criminals be interested in the second type of technology, well it is down to the process of evolution. As the Police have become technically more sophisticated by the use of CCTV / Phone Tapping / etc they have caught the less cautious criminals. Those that remain, either learn from the mistakes of those who have been caught or join them.

    Even the less intelligent criminals are aware of things like CCTV and usually take care to keep their hoods up and be quick about their business. Some are even aware that it is not good to talk on the phone unless in some rapidly evolving code (ie drug dealers etc). However enough still “blag” to their mates etc so there are enough examples “going down” to serve as warning to the others that security matters.

    In some cases technology is even being used to provide alibis “I was visiting a mate at some pub twenty miles away at the time, I was a bit lost so I phoned him on me mobile for directions” and the phone records indicating the cell the call was made from is produced as corroborating evidence. They might even garnish it a bit by producing a chip-n-pin (ie no signature) card receipt for the drinks and food. The fact that it was actually two of his mates with his phone and card having a nice night out and giving him an alibi may not occur to people.

    Likewise young criminals in London know that they can have their movements tracked by the use of their free Oyster Travel Cards, so they get their mate to dress up in the appropriate way and take a bus / tube to establish the alibi and use their mobile phone. Even with CCTV on the bus a person wearing a base ball cap and hood is difficult to recognise. Also the CCTV footage is not kept for very long as was shown by 7/7, so if they can keep from being investigated for a couple of months they are likely to be home and dry.

    All of the above means that forensic evidence is the most likely way the Police will obtain a conviction against a moderately sensible criminal. And, as has been shown by TV documentaries in the past barristers are not averse to telling criminals how to avoid leaving traceable physical evidence at the scene of a crime. Or they could just read the press reports of the supposed “IRA Theft” of however many millions of Northern Irish Bank Notes etc.

    Therefore it is probably safe to assume that the question of forensic evidence has not escaped the criminals’ attention. Especially that convictions now increasingly need reliable forensic evidence. Or that several high profile cases have come to grief as the evidence has been called into question in front of juries or they do not understand the techniques and technologies involved.

    It has most certainly not escaped the attention of the legislators who are pressing for Judge only cases where the evidence is considered to be technical in nature. Or to have evidence of a criminal past known during a trial etc. In essence to gain a conviction under the present system you need good reliable forensic evidence. Without it you either do not go to trial or you change the trial system. This makes forensics the bedrock of current criminal prosecutions.

    The proliferation of public information about sources and methods and the technology behind it for anti terrorist investigations, has made the more intelligent criminals aware that they need the second type of technology more than the first, as it prevents the evidence that might convict them from becoming available. Especially as the proceeds of eCrime for profit are generally intangible trails of information.

    As I indicated the technology to do this is now becoming common place in the high street of larger towns and cities so owning it is not in and of itself as suspicious as a few years ago when it was considered “Spy Technology”. What the criminals do not generally currently possess is the in-depth technical knowledge of how to use the technology safely and reliably. This is what the technology adroit “guns for hire” can and are providing.

    Importantly for the criminal the technology does not need to be perfect, it just needs to be sufficiently good as to make investigating it further not cost effective. Therefore many low value crimes are a lot lot safer than one or two high value crimes, which oddly is the converse of non eCrimes.

    Again the legislature has realised this some time ago with the likes of RIPA etc. However they still need evidence that the evidence existed in the first place (meta evidence), or else the case goes nowhere. Even where this “meta evidence” might exist the criminal can just deny any knowledge of it etc. Or take the RIPA time as being less than they might otherwise get. Worse is if the defence can show that the prosecution “lost the evidence” due to incompetence or negligence, as now the defendant cannot prove that the information was of an innocent but confidential nature and unrelated to the crime they are accused of.

    The need to keep rising personnel costs down has given rise to static technology solutions such as CCTV which has actually reduced the likelihood of getting a criminal conviction against an evolving criminal population. Likewise low cost technology will aid the hiding of eCrimes and the proceeds, whilst the cost of investigating it rises almost exponentially.

    Therefore unless the Police take the initiative and train Police and scene of crime officers correctly the forensic evidence of your Level 2 eCrime will evaporate in front of their eyes along with any hope of a conviction.

    The problem with this is that the level of technical expertise is correspondingly high, so only the likes of SOCA etc can afford to have the staff trained to the required level.

    So this actually suggests that the remit of SOCA should be broadened downwards to cover the Level 2 National eCrime. Not the upwards development of local and regional Police forces by making it part of an ordinary Police Officers job via “mainstreaming”.

    Therefore unless the forensic investigation abilities of either the local/regional Police or SOCA are improved to deal with the easy availability and rapid development of low cost technology available or for profit eCrime below level 3 will remain uninvestigated to any extent.

  • 6. Clive Robinson  |  October 17th, 2006 at 14:00 UTC

    Richard you might find the following interesting,

    http://news.com.com/The+future+of+malware+Trojan+horses/2100-7349_3-6125453.html?tag=nefd.lede

  • 7. Richard Clayton  |  October 17th, 2006 at 14:07 UTC

    Clive writes (at considerable length, have you considered writing your own blog?): “From my limited perspective based on what I have seen publicly available, most of the eCrime for profit at Level 2 is International in origin not National. Which would tend to suggest that it still falls under SOCA’s remit from your description.”

    No. Being “international” does not, of itself, make it “serious or organised”. So it isn’t level 3 and doesn’t fall under SOCA as it is currently established.

    By all means argue that extending SOCA “downwards” is more likely to be effective than mainstreaming... but the police are realists and have chosen otherwise. SOCA’s remit was established very recently indeed by political decision. Lobbying for a change in that is unlikely to succeed in the short term.

  • 8. Clive Robinson  |  October 18th, 2006 at 12:28 UTC

    Richard,

    No I wouldn’t normally have time to post let alone have my own blog.

    The main reason I have time at the moment to post replies of “considerable length” is I am recovering from a hospital acquired infection after surgery on my lower abdomen, and I have time to kick my heels at home etc, but not for much longer.

  • 9. Clive Robinson  |  January 30th, 2007 at 17:04 UTC

    Richard,

    The following ZDnet article is of relevance.

    http://news.zdnet.co.uk/security/0,1000000189,39285631,00.htm

    It relates to the Met’s detective chief inspector Charlie McMurdie who has written a report,

    http://www.mpa.gov.uk/committees/mpa/2007/070125/10.htm

    that appears to ask for the National Hi Tech Crime Unit back.

    Which might imply that SOCA (which absorbed the old NHTCU) is not carrying the load.
