CSCI E-170 Lecture 11: Redux of papers, Logging, The Law, Integrity - - PowerPoint PPT Presentation

SLIDE 1

CSCI E-170 Lecture 11: Redux of papers, Logging, The Law, Integrity Management

Simson L. Garfinkel
Center for Research on Computation and Society, Harvard University
December 5, 2005

SLIDE 2

Today’s Agenda

1. Administrivia
2. Midterm Projects: Redux
3. Logging
4. Federal Rules of Evidence
5. Federal Computer Crime Statutes
6. Integrity Management

SLIDE 3

Administrivia 1: HW4

You should be working now on P2, not HW4. HW4 should be released by next Monday.

SLIDE 4

Administrivia 1: P1

Overall, we were very impressed with the projects. Best papers:

  • Trends in Biometrics and User Acceptance, by Team Future (Ellen Jervis, Matt Kennedy, Neal Kepler, and Julia Kim).
  • Steganography: Two Faces of a Coin, by Team Money (Migdalia Rosa, David Root, Ricardo Rodriguez, Gerrick Rodrigues).

SLIDE 5

P1 Continued . . .

Some groups had issues regarding citation and sourcing. You were all very careful not to plagiarize! . . . But you were not careful to use proper academic citations or sources.

SLIDE 6

Which is the better reference?

[1] http://www.accessdata.com/Product04 Overview.htm?ProductNum=04

[1] Access Data. Forensic toolkit—overview, 2005. http://www.accessdata.com/Product04 Overview.htm?ProductNum=04

SLIDE 7

Which is the better reference? (2)

[2] US Environmental Protection Agency. Wastes: The hazardous waste manifest system, 2005. http://www.epa.gov/epaoswer/hazwaste/gener/manifest/.

[2] http://www.epa.gov/epaoswer/hazwaste/gener/manifest/

SLIDE 8

Which is the better reference? (3)

[3] American Library Association Office for Information Technology Policy. Managing cookies to protect patron privacy, 2005. http://www.ala.org/ala/washoff/oitp/emailtutorials/privacya/20.htm. Accessed April 20, 2005.

[3] http://www.ala.org/ala/washoff/oitp/emailtutorials/privacya/20.htm.

SLIDE 9

Which is the better reference? (4)

[1] Steven Bauer and Nissanka B. Priyantha. “Secure data deletion for Linux file systems.” In Proc. 10th Usenix Security Symposium, pages 153–164. Usenix, San Antonio, Texas, 2001.

[1] Chuvakin, Anton, Ph.D. “Linux Data Hiding and Recovery,” LinuxSecurity.COM, Posted 10 March 2002, http://www.linuxsecurity.com/content/view/117638/49/.

SLIDE 10

What’s wrong with Dr. Chuvakin’s article?

About the Author Anton Chuvakin, Ph.D. is a Senior Security Analyst with netForensics (http://www.netforensics.com), a security information management company that provides real-time network security monitoring solutions.

SLIDE 11

What’s wrong with this citation?

[1] “Feds Get Wide Wiretap Authority,” CBS News, November 18, 2002. http://www.cbsnews.com/stories/2002/08/23/attack/main519606.shtml

SLIDE 12

Common mistakes in sources on midterm projects:

  • Providing URLs instead of proper citations.
  • Citing articles in the popular press.
  • Citing market research reports (e.g. Gartner Group).
  • Citing articles about patents rather than the patents themselves.
  • Citing references that are out of date.

SLIDE 13

P1 was a research report. P2 is a conference article. Key differences:

  • Strict page limit.
  • Two column format.

[Example shown on the slide: the first page of “Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0” (abstract and introduction in two-column layout).]

SLIDE 14

Logging

    % ls -l /var/log/ | grep -v gz
    total 1224
    -rw-r--r--   1 root  wheel  112590 Dec  5 13:45 asl.log
    -rw-r--r--   1 root  wheel   60159 Dec  4 00:12 crashreporter.log
    drwxr-xr-x   7 root  wheel     238 Nov 28 15:11 cups/
    -rw-r--r--   1 root  wheel  216534 Dec  5 03:14 daily.out
    drwxr-xr-x   2 root  wheel      68 Mar 20  2005 fax/
    -rw-r-----   1 root  admin       0 Dec  4 05:50 ftp.log
    drwxr-xr-x  10 root  wheel     340 Dec  4 05:50 httpd/
    -rw-r--r--   1 root  admin       0 Dec  1 17:41 install.log
    -rw-r-----   1 root  admin       0 Dec  4 05:50 ipfw.log
    -rw-r-----   1 root  admin   14112 Dec  5 13:41 lastlog
    -rw-r-----   1 root  admin       0 Dec  4 05:50 lpr.log
    -rw-r-----   1 root  admin     713 Dec  5 03:14 mail.log
    -rw-r-----   1 root  wheel    3742 May 12  2005 mb.log
    -rw-r--r--   1 root  wheel     721 Dec  1 17:41 monthly.out
    -rw-r-----   1 root  admin       0 Dec  4 05:50 netinfo.log
    drwxr-xr-x   2 root  wheel      68 Mar 26  2005 ppp/
    -rw-r-----   1 root  admin       0 Dec  4 05:50 ppp.log
    drwxr-xr-x   2 root  wheel      68 Mar 20  2005 sa/
    drwxr-xr-x   4 root  wheel     136 Jun 22 23:15 samba/
    -rw-r-----   1 root  admin    5033 Dec  5 13:23 secure.log
    -rw-r-----   1 root  admin    8504 Dec  5 13:45 system.log
    -rw-r--r--   1 root  wheel    2741 Dec  4 05:50 weekly.out
    -rw-r-----   1 root  admin   49132 Dec  5 13:23 windowserver.log
    -rw-r-----   1 root  admin   56188 Nov 30 06:21 windowserver_last.log
    -rw-r--r--   1 root  admin    3312 Dec  5 13:41 wtmp

SLIDE 15

What is a log?

SLIDE 16

What gets logged?

SLIDE 17

What gets logged?

  • Logins & Logouts
  • Privilege escalation
  • Security relevant events

SLIDE 18

What gets logged?

  • Logins & Logouts
  • Privilege escalation
  • Security relevant events

SLIDE 19

Why keep logs?

SLIDE 20

Why look at logs?

  • Policy may require it.
  • Regulations may require it.
  • Cost savings—find inefficiencies that can be avoided.

SLIDE 21

But what really gets logged?

SLIDE 22

What really gets logged... windowserver.log:

    Nov 30 09:00:40 [70] Server is starting up
    Nov 30 09:00:42 [70] Accel caps: 00000003
    Nov 30 09:00:42 [70] Accel caps: 00000003
    Nov 30 09:00:42 [70] CGXPerformInitialDisplayConfiguration
    Nov 30 09:00:42 [70] Display 0x4270a80: MappedDisplay Unit 0; Vendor 0x610 Model 0x9c2a S/N 0; online enabled built-in (0,0)[1024 x 768], base addr 0xb0015000
    Nov 30 09:00:42 [70] Display 0x3f003d: MappedDisplay Unit 1; Vendor 0xffffffff Model 0xffffffff S/N -1; offline enabled (2048,0)[1 x 1], base addr 0xb2016000
    Nov 30 09:00:49 [70] kCGErrorIllegalArgument: CGXSetWindowListTags: Operation on a window 0x1 not owned by caller SecurityAgent
    Nov 30 09:00:50 [70] kCGErrorIllegalArgument: CGXOrderWindow: Operation on a window 0x1 not owned by caller SecurityAgent
    Nov 30 09:02:32 [70] kCGErrorFailure: CGXDisableUpdate: UI updates were forcibly disabled by application "Finder" for over 1 second. Server has re-enabled them.
    Nov 30 09:09:37 [70] "loginwindow" (0x3eb3) set hot key operating mode to all disabled
    Nov 30 09:09:37 [70] Hot key operating mode is now all disabled
    Nov 30 11:55:15 [70] "loginwindow" (0x3eb3) set hot key operating mode to normal
    Nov 30 11:55:15 [70] Hot key operating mode is now normal
    Nov 30 11:57:17 [70] "loginwindow" (0x3eb3) set hot key operating mode to all disabled
    Nov 30 11:57:17 [70] Hot key operating mode is now all disabled
    Nov 30 11:57:22 [70] kCGErrorCannotComplete: CGXPostNotification2 : Time out waiting for reply from "coreaudiod" for notification type 102 (CID 0xc903, PID 42)

Most log files are created for debugging, not for security.

SLIDE 23

What does this mean?

    Nov 30 09:00:40 [70] Server is starting up

  • Nov 30: month and day (no year!)
  • 09:00:40: the time (is it accurate?)
  • [70]: Unix process ID
  • Server is starting up: the message

SLIDE 24

There is no regularity for log files—not even within a single log file.

windowserver.log:

    Nov 30 09:00:40 [70] Server is starting up

secure.log:

    Dec 4 13:01:44 localhost com.apple.SecurityServer: Entering
    Dec 4 13:01:51 G12-2 SecurityAgent[90]: Showing Login Window
    Dec 4 13:01:54 G12-2 SecurityAgent[90]: User Authenticated:
    Dec 4 13:01:54 G12-2 com.apple.SecurityServer: authinternal authenticated user simsong (uid 501).

Most log files are created to be read by humans, not programs.
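As an added example (not from the lecture), a parser for the two line shapes shown above: windowserver.log's `Mon DD HH:MM:SS [pid] message` and secure.log's syslog-style `Mon DD HH:MM:SS host process[pid]: message`. It also supplies the year the lines lack and handles the December-read-in-January rollover; the names `parse_line`, `parse_lines` and the constructed `NOW` constant are this example's own.

```python
import re
from datetime import datetime

# Two line shapes from the lecture's /var/log excerpts (field names are this example's own):
#   windowserver.log: "Nov 30 09:00:40 [70] Server is starting up"
#   secure.log:       "Dec  4 13:01:54 G12-2 SecurityAgent[90]: User Authenticated:"
#                     "Dec  4 13:01:44 localhost com.apple.SecurityServer: Entering"
_STAMP = r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)"
WINDOWSERVER_RE = re.compile(_STAMP + r"\s+\[(?P<pid>\d+)\]\s+(?P<msg>.*)$")
SYSLOG_RE = re.compile(
    _STAMP + r"\s+(?P<host>\S+)\s+(?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$")

# Constructed: the moment the log was read. It supplies the year the lines lack.
NOW = datetime(2005, 12, 5, 13, 45)

def parse_line(line, now=NOW):
    """Return a dict for one line, or None when it matches neither shape."""
    for fmt, rx in (("windowserver", WINDOWSERVER_RE), ("syslog", SYSLOG_RE)):
        m = rx.match(line.rstrip("\n"))
        if not m:
            continue
        g = m.groupdict()
        stamp = datetime.strptime(
            f"{g['mon']} {g['day']} {g['time']} {now.year}", "%b %d %H:%M:%S %Y")
        # No year in the line: a December entry read in January would land in the
        # future if we assumed the current year, so roll it back to the previous one.
        if stamp > now:
            stamp = stamp.replace(year=now.year - 1)
        return {
            "format": fmt,
            "timestamp": stamp,
            "host": g.get("host"),      # windowserver.log lines carry no host
            "proc": g.get("proc"),
            "pid": int(g["pid"]) if g["pid"] else None,
            "msg": g["msg"],
        }
    return None

def parse_lines(lines, now=NOW):
    """Parse many lines; anything unrecognised is returned, not silently dropped."""
    records, unparsed = [], []
    for line in lines:
        rec = parse_line(line, now)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(rec)
    return records, unparsed
```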

SLIDE 25

Log files can contain unexpectedly sensitive information

These logs are readable by anybody:

    -rw-r--r--   1 root  wheel  112590 Dec  5 13:45 asl.log
    -rw-r--r--   1 root  wheel   60159 Dec  4 00:12 crashreporter.log
    -rw-r--r--   1 root  wheel  216534 Dec  5 03:14 daily.out
    -rw-r--r--   1 root  admin       0 Dec  1 17:41 install.log
    -rw-r--r--   1 root  wheel     721 Dec  1 17:41 monthly.out
    -rw-r--r--   1 root  wheel    2741 Dec  4 05:50 weekly.out
    -rw-r--r--   1 root  admin    3312 Dec  5 13:41 wtmp

These logs are protected:

    -rw-r-----   1 root  admin       0 Dec  4 05:50 ftp.log
    -rw-r-----   1 root  admin       0 Dec  4 05:50 ipfw.log
    -rw-r-----   1 root  admin   14112 Dec  5 13:41 lastlog
    -rw-r-----   1 root  admin     713 Dec  5 03:14 mail.log
    -rw-r-----   1 root  wheel    3742 May 12  2005 mb.log
    -rw-r-----   1 root  admin    5033 Dec  5 13:23 secure.log
    -rw-r-----   1 root  admin    8504 Dec  5 13:45 system.log
    -rw-r-----   1 root  admin   49132 Dec  5 13:23 windowserver.log
    -rw-r-----   1 root  admin   56188 Nov 30 06:21 windowserver_last.log

Why?

SLIDE 26

Conventional thinking is to protect any log that may contain sensitive information:

    -rw-r-----   1 root  admin       0 Dec  4 05:50 ftp.log
    -rw-r-----   1 root  admin       0 Dec  4 05:50 ipfw.log
    -rw-r-----   1 root  admin   14112 Dec  5 13:41 lastlog
    -rw-r-----   1 root  admin     713 Dec  5 03:14 mail.log
    -rw-r-----   1 root  wheel    3742 May 12  2005 mb.log
    -rw-r-----   1 root  admin    5033 Dec  5 13:23 secure.log
    -rw-r-----   1 root  admin    8504 Dec  5 13:45 system.log
    -rw-r-----   1 root  admin   49132 Dec  5 13:23 windowserver.log
    -rw-r-----   1 root  admin   56188 Nov 30 06:21 windowserver_last.log

What’s sensitive?

  • Usernames — users may provide passwords by accident.
  • Email records — reveal relationships.

But conventional thinking may be wrong. It may be appropriate to keep all log files confidential.

SLIDE 27

Web server log files for a single server contain sensitive information from multiple websites.

    c-24-60-201-12.hsd1.ma.comcast.net - - [17/Oct/2005:22:48:18 -0400] "GET 1" 200 15202 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; 1.1.4322; InfoPath.1)"
    c-24-60-201-12.hsd1.ma.comcast.net - - [17/Oct/2005:22:48:19 -0400] "GET HTTP/1.1" 200 3941 "http://e170.ex.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)"
    c-24-60-201-12.hsd1.ma.comcast.net - - [17/Oct/2005:22:48:19 -0400] "GET s HTTP/1.1" 200 412 "http://e170.ex.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)"
    c-24-60-201-12.hsd1.ma.comcast.net - - [17/Oct/2005:22:49:02 -0400] "GET HTTP/1.1" 200 2045 "http://e170.ex.com/" "Mozilla/4.0 (compatible; MSIE ws NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)"
    c-24-60-201-12.hsd1.ma.comcast.net - - [17/Oct/2005:22:49:07 -0400] "GET HTTP/1.1" 200 2486825 "http://e170.ex.com/hw3.php" "Mozilla/4.0 (compatible; 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)"
    c-24-60-201-12.hsd1.ma.comcast.net - - [17/Oct/2005:22:49:32 -0400] "GET HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; CLR 1.1.4322; InfoPath.1)"

(The request paths and parts of the user-agent strings are cut off at the edge of the slide.)

SLIDE 28

Simple tricks for looking at a log file...

    % awk '{print $1;}' /usr/home/www/e170.ex.com/logs/access_log | sort | uniq -c
       1 026.a.006.mel.iprimus.net.au
       3 0x50a13527.bynxx10.adsl-dhcp.tele.dk
      13 0x535b0b6a.arcnxx20.adsl-dhcp.tele.dk
       7 0x535b0b99.arcnxx20.adsl-dhcp.tele.dk
       2 1-1-4-11i.sov.sth.bostream.se
       7 12-201-27-34.client.mchsi.com
       7 12-216-191-61.client.mchsi.com
     374 12.104.2.99
       5 12.146.73.14
       6 12.175.0.44
     132 12.18.36.40
       9 12.181.231.66
       6 12.42.51.27
       5 12.42.51.28

    % host 12.18.36.40
    40.36.18.12.in-addr.arpa domain name pointer ns40.pfizer.com.
    %

SLIDE 29

What did “374 12.104.2.99” do on the website?

    % grep 12.104.2.99 /usr/home/www/e170.ex.com/logs/access_log | more
    12.104.2.99 - - [18/Oct/2005:16:04:20 -0400] "GET / HTTP/1.1" 200 15267 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215; InfoPath.1)"
    12.104.2.99 - - [18/Oct/2005:16:04:20 -0400] "GET /style.css HTTP/1.1" 200 412 "http://e170.ex.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215; InfoPath.1)"
    12.104.2.99 - - [18/Oct/2005:16:04:20 -0400] "GET /logo.png HTTP/1.1" 200 3941 "http://e170.ex.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215; InfoPath.1)"
    12.104.2.99 - - [18/Oct/2005:17:49:53 -0400] "GET / HTTP/1.1" 200 15267 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215; InfoPath.1)"

SLIDE 30

How popular was money.pdf? Who downloaded it?

    % grep money.pdf /usr/home/www/e170.ex.com/logs/access_log | wc
          83    1783   15299
    % grep money.pdf /usr/home/www/e170.ex.com/logs/access_log | awk '{print $1,$4;}' | uniq -c
       3 24.91.87.4 [01/Dec/2005:19:52:10
       1 192.77.198.12 [01/Dec/2005:19:59:27
       2 68.162.60.7 [01/Dec/2005:20:04:26
       1 66.27.57.235 [01/Dec/2005:20:17:07
       1 68.232.70.214 [01/Dec/2005:20:17:30
       2 66.30.203.3 [01/Dec/2005:20:51:13
       1 140.247.197.14 [01/Dec/2005:21:00:52
       1 64.252.178.189 [01/Dec/2005:21:04:49
       1 64.252.178.189 [01/Dec/2005:21:04:53
       2 146.115.126.185 [01/Dec/2005:21:22:06
    ...
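The awk/sort/uniq pipelines on the last three slides, redone as an added example (not from the lecture) that parses the Apache log format properly instead of splitting on whitespace. It reproduces the per-host count and the money.pdf download list, and adds two checks the pipelines skip: `uniq -c` without a preceding `sort` only merges adjacent duplicates, and a 304 or 206 response is not a completed download. The sample log is constructed in the style of the slides; `parse_clf`, `hits_per_host` and `downloads_of` are this example's own names.

```python
import re
from collections import Counter

# Apache common/combined log format, one request per line. The regex keeps the
# quoted request and user-agent whole, where awk's whitespace split would not.
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$')

# Constructed sample in the style of the slides (addresses taken from them).
SAMPLE_LOG = [
    '12.104.2.99 - - [18/Oct/2005:16:04:20 -0400] "GET / HTTP/1.1" 200 15267 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '12.104.2.99 - - [18/Oct/2005:16:04:20 -0400] "GET /style.css HTTP/1.1" 200 412 "http://e170.ex.com/" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '24.91.87.4 - - [01/Dec/2005:19:52:10 -0500] "GET /money.pdf HTTP/1.1" 200 2486825 "http://e170.ex.com/" "Mozilla/5.0"',
    '24.91.87.4 - - [01/Dec/2005:19:52:10 -0500] "GET /money.pdf HTTP/1.1" 206 1048576 "-" "Mozilla/5.0"',
    '192.77.198.12 - - [01/Dec/2005:19:59:27 -0500] "GET /money.pdf HTTP/1.1" 304 - "-" "Mozilla/5.0"',
    '24.91.87.4 - - [01/Dec/2005:20:30:00 -0500] "GET /money.pdf HTTP/1.1" 200 2486825 "-" "Mozilla/5.0"',
]

def parse_clf(lines):
    """Parse lines into dicts; a line that does not fit the format is skipped."""
    records = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        parts = rec["request"].split()            # "GET /money.pdf HTTP/1.1"
        rec["path"] = parts[1] if len(parts) >= 2 else None
        rec["second"] = rec["time"].split()[0]    # timestamp without the zone
        records.append(rec)
    return records

def hits_per_host(records):
    """Same result as: awk '{print $1}' access_log | sort | uniq -c"""
    return Counter(r["host"] for r in records)

def downloads_of(records, filename, only_ok=False):
    """Same shape as: grep money.pdf access_log | awk '{print $1,$4}' | uniq -c
    Like uniq -c with no sort in front, only *adjacent* repeats of the same
    (host, second) merge. With only_ok=True, a 304 (not modified) or a 206
    (partial content) is not counted as a completed download."""
    runs = []
    for r in records:
        if not r["path"] or not r["path"].endswith(filename):
            continue
        if only_ok and r["status"] != "200":
            continue
        key = (r["host"], r["second"])
        if runs and runs[-1][0] == key:
            runs[-1][1] += 1
        else:
            runs.append([key, 1])
    return [(n, host, second) for (host, second), n in runs]
```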

SLIDE 31

There are many packages for computing statistics...

    % mkdir ~www/e170.ex.com/htdocs/reports
    % webalizer -n e170.ex.com -o ~www/e170.ex.com/htdocs/reports \
        /usr/home/www/e170.ex.com/logs/access_log
    Webalizer V2.01-10 (FreeBSD 6.0-RELEASE) English
    Using logfile /usr/home/www/e170.ex.com/logs/access_log (clf)
    Creating output in /usr/home/www/e170.ex.com/htdocs/reports
    Hostname for reports is 'e170.ex.com'
    History file not found...
    Generating report for October 2005
    Generating report for November 2005
    [new_snode] Warning: String exceeds storage size (73)
    Generating report for December 2005
    Generating summary report
    Saving history information...
    44390 records (134 ignored) in 0.55 seconds

View the report at http://e170.ex.com/reports/

SLIDE 32

Other kinds of logs: Mail Logs

    2004-11-13 23:51:35 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<ruxnezze@swissonline.ch> rejected RCPT <domideltana@ex.com>: Unknown user
    2004-11-13 23:51:36 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<ruxnezze@swissonline.ch> rejected RCPT <domidrumsaloe@ex.com>: Unknown user
    2004-11-13 23:51:36 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<ruxnezze@swissonline.ch> rejected RCPT <domie.douglass@ex.com>: Unknown user
    2004-11-13 23:51:37 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<ruxnezze@swissonline.ch> rejected RCPT <domielihli@ex.com>: Unknown user
    2004-11-13 23:51:37 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<ruxnezze@swissonline.ch> rejected RCPT <domierdoc14@ex.com>: Unknown user
    2004-11-13 23:51:38 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<ruxnezze@swissonline.ch> rejected RCPT <domifdwyer@ex.com>: Unknown user
    2004-11-13 23:51:38 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<ruxnezze@swissonline.ch> rejected RCPT <domil.cpwhiz40@ex.com>: Unknown user
    2004-11-13 23:52:01 H=ns.simson.net (cable-67-97-53-251.dct.al.charter.com) [64.7.15.234] F=<mvceubrfvsrm@charter.com> rejected RCPT <gayda@ex.com>: Unknown user
    2004-11-13 23:52:01 H=ns.simson.net (cable-67-97-53-251.dct.al.charter.com) [64.7.15.234] F=<mvceubrfvsrm@charter.com> rejected RCPT <jensen@ex.com>: Unknown user

SLIDE 33

Radius Logs

    Sun Mar 18 04:35:24 2001
            Acct-Session-Id = "00000000"
            NAS-IP-Address = 192.168.1.5
            Acct-Status-Type = Stop
            Acct-Session-Time = 0
            Acct-Delay-Time = 0
            Timestamp = 984918924
            Request-Authenticator = Verified

    Sun Mar 18 04:35:24 2001
            Acct-Session-Id = "06000004"
            User-Name = "admin"
            NAS-IP-Address = 192.168.1.5
            Acct-Status-Type = Start
            Acct-Authentic = Local
            Service-Type = Administrative-User
            Login-Service = Telnet
            Login-IP-Host = 192.168.1.1
            Acct-Delay-Time = 75
            Timestamp = 984918924
            Request-Authenticator = Verified

SLIDE 34

Security Incidents: Strange Authentication Attempts

“I woke up to find these entries in my RADIUS log file:

    Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/system] (from nas xxxx/S99)
    Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/password admin] (from nas xxxx/S99)
    Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/13370n3z] (from nas xxxx/S99)
    Tue Mar 30 10:26:01 2004: Auth: Login incorrect: [password/fawkoffsz] (from nas xxxx/S99)
    Tue Mar 30 10:26:01 2004: Auth: Login incorrect: [password/save] (from nas xxxx/S99)

http://seclists.org/lists/incidents/2004/Mar/0116.html
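Two things a defender would want to do with the lines quoted above, as an added example (not from the lecture or the mailing-list post): flag a burst of failed authentications from one NAS inside a short window, and redact the second half of the bracket, which on this server records the password that was tried, so the log itself leaks credentials (the sensitivity point from slide 26). The sample uses the five quoted lines plus one constructed line from a second NAS; `FAIL_RE`, `detect_bursts` and `redact` are this example's own names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Shape of the failed-authentication lines quoted on the slide. The bracket holds
# "User-Name/User-Password" as tried, so the password half must never be stored
# or forwarded as-is (field names below are this example's own).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): Auth: Login incorrect: "
    r"\[(?P<user>[^\]/]*)(?:/(?P<pw>[^\]]*))?\] \(from nas (?P<nas>\S+)/(?P<port>\S+)\)$")

# Constructed sample: the five lines from the slide plus one from a second NAS.
SAMPLE_LINES = [
    "Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/system] (from nas xxxx/S99)",
    "Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/password admin] (from nas xxxx/S99)",
    "Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/13370n3z] (from nas xxxx/S99)",
    "Tue Mar 30 10:26:01 2004: Auth: Login incorrect: [password/fawkoffsz] (from nas xxxx/S99)",
    "Tue Mar 30 10:26:01 2004: Auth: Login incorrect: [password/save] (from nas xxxx/S99)",
    "Tue Mar 30 10:40:12 2004: Auth: Login incorrect: [alice/secret1] (from nas yyyy/S3)",
]

def redact(line):
    """Replace the password half of the bracket with *** ; other lines pass through."""
    m = FAIL_RE.match(line)
    if not m or m["pw"] is None:
        return line
    return line[:m.start("pw")] + "***" + line[m.end("pw"):]

def detect_bursts(lines, threshold=3, window_seconds=60):
    """Return one alert per NAS each time it reaches `threshold` failures inside a
    sliding window of `window_seconds`. Only usernames are kept, never passwords."""
    recent = defaultdict(deque)          # nas -> (timestamp, user) still inside the window
    alerts = []
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if not m:
            continue                     # not a failure line; ignore it
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        q = recent[m["nas"]]
        q.append((ts, m["user"]))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                  # slide the window forward
        if len(q) == threshold:          # fire exactly when the threshold is crossed
            alerts.append({
                "nas": m["nas"],
                "start": q[0][0].isoformat(sep=" "),
                "end": ts.isoformat(sep=" "),
                "count": len(q),
                "users": sorted({u for _, u in q}),
            })
    return alerts
```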

SLIDE 35

Common mistakes with logs (Marcus Ranum)

1. Collecting information and never looking at it.
2. Watching logs for perimeter systems while ignoring internal systems.
3. Designing the log architecture before you decide what you’re going to collect.
4. Only looking for what you know you want to find instead of just looking to see what you will find.

SLIDE 36

More common mistakes with logs (Marcus Ranum)

1. Proceeding without doing back-of-the-envelope estimates regarding your log load.
2. Thinking your logs are evidence if you don’t collect them properly.
3. Forgetting that this is just a data management problem.
4. Drinking the XML Kool-aid.

SLIDE 37

Log Architectures

How things are logged:

  • f = fopen("logfile","w+")
  • syslog()
  • logger

Logging on Unix with UDP:

  • /etc/syslog.conf
  • /etc/newsyslog.conf
  • grep
  • swatch

Logging on Windows:

  • Event Viewer
  • Local security settings

SLIDE 38

Any questions about logging?

SLIDE 39

Federal Rules of Evidence

What is Hearsay?

SLIDE 40

Federal Rules of Evidence

  • 9 Articles
  • Many states follow FRE
  • Codifies common law

Why study them?

SLIDE 41

Article I: Ground Rules

Rule 101 - Scope

  • Rule 1101 - Does not apply to preliminary questions of fact, grand jury, miscellaneous proceedings

Rule 102 - Purpose:

  • Fairness
  • Eliminate unjustifiable expense and delay

Rule 103 - Rulings on Evidence

  • What to do when opposing parties disagree.

http://www.law.cornell.edu/rules/fre/rules.htm#Rule101

SLIDE 42

Article II: Judicial Notice

Every case involves the use of hundreds or thousands of non-evidence facts. When a witness says “car,” everyone assumes that the “car” is an automobile, not a railroad car, that it is self-propelled, and so on.

http://www.law.cornell.edu/rules/fre/rules.htm#Rule201

SLIDE 43

Article III: Presumptions in Civil Actions and Proceedings

Determines who has the burden of rebutting the evidence. A presumption imposes on the party against whom it is directed the burden of going forward with evidence to rebut or meet the presumption.

http://www.law.cornell.edu/rules/fre/rules.htm#Rule301

SLIDE 44

Article IV: Relevancy and its Limits

  • Relevant evidence is admissible.
  • Irrelevant evidence is inadmissible.
  • Evidence that wastes time can be excluded.
  • Character evidence of defendant not admissible to prove conduct (unless introduced by defendant).
  • Character evidence of victim introduced only in homicide case to rebut evidence that alleged victim was first aggressor.
  • Rule 412 - “rape shield” law.

http://www.law.cornell.edu/rules/fre/rules.htm#Rule401

SLIDE 45

Article V: Privileges

“. . . may be interpreted by the courts of the United States in light of reason and experience”

http://www.law.cornell.edu/rules/fre/rules.htm#Rule501

SLIDE 46

Article VI: Witnesses

  • Rule 601: Every person is competent to be a witness (except as otherwise provided)
  • Rule 602: Witness must have personal knowledge
  • Rule 605: Judge cannot testify as witness
  • Rule 606: Juror may not testify as witness
  • Rule 612: Adverse party is entitled to access to “writing used to refresh memory”

http://www.law.cornell.edu/rules/fre/rules.htm#Rule601

SLIDE 47

Article VII: Opinions and Expert Testimony

  • Rule 701: Lay witness may not testify based on “scientific, technical, or other specialized knowledge.”
  • Rule 702: Experts must be qualified; use reliable principles and methods; witness must apply standards to this case.
  • Rule 704: Experts may state an opinion of the “ultimate issue,” except for matters of mental state.

http://www.law.cornell.edu/rules/fre/rules.htm#Rule701

SLIDE 48

Article VIII: Hearsay

Rule 801: “Hearsay” is a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted.

There are many exceptions to hearsay:

  • 803(5) Recorded Recollection
  • 803(6) Records of regularly conducted activity
  • 803(7) Absence of entry in records kept in accordance with 803(6) “to prove nonoccurrence or nonexistence”

http://www.law.cornell.edu/rules/fre/rules.htm#Rule801

SLIDE 49

Article IX: Authentication and identification

  • Rule 901: Documents must be authenticated; many examples given
  • Rule 902: Some documents are self-authenticating (computer records aren’t)

http://www.law.cornell.edu/rules/fre/rules.htm#Rule901

SLIDE 50

Article X: Contents of writings, recordings, and photographs

  • Rule 1002: Originals are required, except where duplicates may be admitted.
  • Rule 1003: Duplicates may be admitted unless genuine questions are raised about the authenticity or in “unfair” circumstances.

http://www.law.cornell.edu/rules/fre/rules.htm#Rule1001

What is an original computer record?

SLIDE 51

Article XI: Miscellaneous rules

  • Rule 1101: Applicability
  • Rule 1102: Amendments
  • Rule 1103: Title

http://www.law.cornell.edu/rules/fre/rules.htm#Rule1101

SLIDE 52

Orin S. Kerr article

What’s the point?

  • What are “Records of regularly conducted activity?”
  • Are computer records “monolithic?”
  • How do you authenticate computer records? How are they challenged?
  • When do the Hearsay rules apply?
  • What’s the deal with postings from websites of white supremacist groups?
  • What about email in a harassment case?
  • What is a log?

SLIDE 53

Talking points for TR Information Warfare Article

  • What’s social engineering? Who uses it? (Austin)
  • “only one firm even detected a breach.” How do you detect a breach?
  • Is VoIP a security issue?

SLIDE 54

Computer Crime: Other references

  • Annual CSI/FBI report: http://i.cmpnet.com/gocsi/db area/pdfs/fbi/FBI2005.pdf
  • “How a Bookmaker and a Whiz Kid Took On an Extortionist—and Won,” Scott Berinato, CSO Magazine, May 2005. http://www.csoonline.com/read/050105/extortion.html
