Hamish Fraser - Partner, Truman Hoyle

David Jones – CTO & Founder, ThreatMetrix

Did You Know

Techy things that lawyers need to know

If you think that was fast…H

acki

ng a

nd C

yber

crim

e

is a

war

of

coun

term

easu

res

Cybercrime Foodchain(organised, cellular, distributed, technically skilled)

ThreatMetrix Confidential

Credit: Verisign

Cybercrime is mostly dealt with “in the trenches”

????

When credit-cards, logins and identities areStolen and traded - verifying or forensicallyinvestigating is time consuming and flawed.

Mostly prevention rather than remedy:-Local criminals pretending to be Overseas-Overseas criminals pretending to be Local

Step 1: Get some stolen ID/Card

Step 2: Bad Guys hide location with proxies and anonymisers

UTC+2

Countermeasure: Reveal True IP and Location

Transaction Time Threatmetrix Device ID Account EmailBrowser

Lang. Masked IP Add. Masked IP City8/25/2008 17:24 cf3fad94727611dd800000167e5d5632 wenthappy05@yahoo.com zh-cn 66.79.172.10 New York8/25/2008 18:17 cf3fad94727611dd800000167e5d5632 songlolvesky@aol.com zh-cn 208.77.47.109 New York8/27/2008 12:57 cf3fad94727611dd800000167e5d5632 fasterfeel148@yahoo.com zh-cn 78.129.235.30 Brussels8/28/2008 12:25 cf3fad94727611dd800000167e5d5632 leafsummer@decmail.com zh-cn 208.77.43.80 New York8/28/2008 19:09 cf3fad94727611dd800000167e5d5632 digtreejob3@yahoo.com zh-cn 204.16.192.197 Los Angeles

9/3/2008 13:33 cf3fad94727611dd800000167e5d5632 bardeep@usa-11.com zh-cn 64.32.7.84 Kalispell9/5/2008 12:24 cf3fad94727611dd800000167e5d5632 brightsun20@gmail.com zh-cn 66.79.172.10 New York

9/12/2008 13:08 cf3fad94727611dd800000167e5d5632 believelove@scotlandmail.com zh-cn 78.129.235.35 Brussels9/12/2008 13:20 cf3fad94727611dd800000167e5d5632 clickworldnow@verizonmail.com zh-cn 205.209.175.5 Los Angeles9/12/2008 16:48 cf3fad94727611dd800000167e5d5632 melanie.shiken@hotmail.com zh-cn 66.79.172.100 New York9/16/2008 14:33 cf3fad94727611dd800000167e5d5632 luckysmile@fastmail.net zh-cn 204.16.195.71 New York9/17/2008 14:19 cf3fad94727611dd800000167e5d5632 playgamehappy@hotmail.com zh-cn 75.126.8.13 New York9/18/2008 11:59 cf3fad94727611dd800000167e5d5632 everybeatens@yahoo.com zh-cn 75.126.8.13 New York9/18/2008 12:56 cf3fad94727611dd800000167e5d5632 rightfair@veryspeedy.net zh-cn 208.101.53.226 New York9/18/2008 15:02 cf3fad94727611dd800000167e5d5632 oscarwanhe7095@hotmail.com zh-cn 75.126.8.10 New York9/19/2008 12:38 cf3fad94727611dd800000167e5d5632 harrytop211@gmail.com zh-cn 208.101.53.230 New York9/19/2008 13:25 cf3fad94727611dd800000167e5d5632 yellowroad@sammimail.com zh-cn 78.129.235.34 Brussels9/19/2008 18:40 cf3fad94727611dd800000167e5d5632 eddylan3346@hotmail.com zh-cn 208.98.30.90 Kalispell9/22/2008 16:51 cf3fad94727611dd800000167e5d5632 oceanwideheart@catholic.org zh-cn 208.101.53.227 New York9/22/2008 17:35 cf3fad94727611dd800000167e5d5632 taylorzhu8911@hotmail.com zh-cn 75.126.8.13 New York9/22/2008 19:13 cf3fad94727611dd800000167e5d5632 heatteamfans@yahoo.com zh-cn 75.126.8.13 New York9/24/2008 17:29 cf3fad94727611dd800000167e5d5632 morgantong5198@hotmail.com zh-cn 66.2228.113.2 New York9/25/2008 12:45 cf3fad94727611dd800000167e5d5632 moomrising@rushpost.com zh-cn 64.32.7.97 Kalispell

One Month Same Device 23 User Names In China Pretending to be in…

Synthetic Identities generated by Fraudster spoofing IP

Botnets: Ultimate Anonymity

Botnet: DDOS impact(Distributed Denial of Service, rentable by the hour!)

Faking Emails

Faking Emails (manual and 5mins work)

Faking Emails (or send millions with a Botnet)

Why merchants need “some” info

CreatedAccount Login IP Address IP Geo

Cookies Enabled

Javascript Enabled

Payment Dollars

Payment Currency

Payment Response

12/9/2008 5:28 lehung 216.127.92.39 US no no 20 usd Reject12/9/2008 5:26 truyen2 216.127.92.39 US no no 20 usd Accept12/9/2008 5:24 truyen4 216.127.92.39 US no no 20 usd Accept12/9/2008 5:22 hungkt16 216.127.92.39 US no no 20 usd Accept12/9/2008 5:19 jtungss 216.127.92.39 US no no 20 usd Accept

CreatedAccount Login Device ID Proxy Ip

Proxy Ip Geo

Proxy Type True IP

True Ip Geo

12/9/2008 5:28 lehung cc4fa496c54511dd800000163e119596 216.127.92.39 US hidden 58.187.21.118 VN12/9/2008 5:26 truyen2 cc4fa496c54511dd800000163e119596 216.127.92.39 US hidden 58.187.21.118 VN12/9/2008 5:24 truyen4 cc4fa496c54511dd800000163e119596 216.127.92.39 US hidden 58.187.21.118 VN12/9/2008 5:22 hungkt16 cc4fa496c54511dd800000163e119596 216.127.92.39 US hidden 58.187.21.118 VN12/9/2008 5:19 jtungss cc4fa496c54511dd800000163e119596 216.127.92.39 US hidden 58.187.21.118 VN

With ThreatMetrix [Fraud Stopped 1st time]

Using old-school “velocity” detection[Fraud stopped on 5th try]

Stops Fraud First Time

ThreatMetrix Confidential

14

Stop fraud first time by detecting and piercing proxies to discover true location of device

CloudComputing Security

• PCI – Visa/Mastercard• TJMAX, Heartland Breaches

• PII – Personally Identifiable Information (SSN, DOB, Drivers License, combinations)

Problem for data owners: • Quite often they are not competent• Outsourced Development has risks• Zero-day flaws = Its easier to hack than protect (?)

Privacy and ALRC

• Australian Law Reform Commission (ALRC) report in Aug 2008 (after 2 ½ yrs)

• 2,700 page report making 295 recommendations• 2 parts, the easy (18 months) and the hard (no

likely time frame)• Nothing yet!

Not much better in USA

• CA SB1386 (PII)• “(e) For purposes of this section, "personal information" means an individual's first name or first initial

and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver's license number or California Identification Card number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's

financial account. ”• Or not

• email address?• Combinations?• EU?

• Play Channel 7 Video seven.mp4

Google Buzz: Whats wrong with this picture?

BTW, Why can “I” see

this?

BTW, Why can “I” see

this?

Other ways to offend other laws

• Twitter• Blogs• Gaming• Web 2.0

(UGC)

•Defamation

•Vilification

•TPA

What issues arise here?

Copyright

• Filesharing• iiNet wasn't authorising• Lily Allen was offended, but still got it wrong!• Google images misconception. Google Books• YouTube content• General confusion

• JK Wedding

Chris Brown - Forever

• Song was released in May 2008 • JK Wedding in July 2009 (43M views – 16M in

first 10 days)• Got to #6 in iTunes Downloads in July 2009• What happened?

Chasing Copyrighted content is tough

• Digital Checksums/Fingerprints• Watermarks• Steganography• Media manipulation is easy (Shenzhen image touchup sweatshop)

• Photoshop in dating and outsourcing market (faked DL’s passports and avatars)

Questions? (Slides at: http://www.slideshare.net/djinoz)

David @djinoz

http://djinoz.com

http://www.google.com/profiles/david.jones

Hamishhttp://www.trumanhoyle.com.au/people.htm

http://twitter.com/hkbf

http://au.linkedin.com/pub/hamish-fraser/4/9a5/306