Big Brother does Russia
by ALiEN Assault
Published in Phrack #64 as part of the "Know your enemy: facing the cops" article.
This file is a basic description of Russian computer law related
issues. Part 1 contains information gathered primarily from
open sources. As these sources are all Russian, the information may be
unknown to those who don't read Russian. Part 2 consists
of instructions on computer crime investigation: raid guidelines and
exploration of the suspect's system.
0 - DISCLAIMER
1 - LAW
1.1 - Basic Picture
1.2 - Criminal Code
1.3 - Federal Laws
2 - ORDER
2.1 - Tactics of Raid
2.2 - Examining a Working Computer
2.3 - Expertise Assignment
--[ 0.DISCLAIMER.
INFORMATION PROVIDED FOR EDUCATIONAL PURPOSES ONLY. IT MAY BE ILLEGAL
IN YOUR COUNTRY TO BUST HACKERS. IT MUST BE ILLEGAL AT ALL. THERE ARE
BETTER THINGS TO DO. EXPLORE YOURSELF AND THIS WORLD. SMILE. LIVE.
--[ 1. LAW.
----[ 1.1. Basic Picture.
Computer-related laws are very rough drafts and poorly describe what
they are about. Seems that these are simply rewritten instructions
from 60's *Power Computers* that took a truck to transport.
Common subjects of lawsuits include carding, phone piracy (mass
LD service thievery) and... hold your breath... virii-infected
warez trade. Russia is a real warez heaven - you can go to about
every media shop and see lots of CDs with warez, and some even have
"CRACKS AND SERIALS USAGE INSTRUCTIONS INCLUDED" written on the front
cover (along with "ALL RIGHTS RESERVED" on the back)! To honour pirates,
they include all .nfo files (sometimes from the 4-5 BBSes the warez was
couriered through). It is illegal but not prosecuted. Only if the
warez are infected (and some VIP bought them and messed his system up)
do shop owners face legal problems.
/* Latest addition - pressure on warez became stronger. Article was written in 2002 */
Hacking is *not that common*, as cops are rather dumb and mostly bust
script kiddies for hacking their ISPs from home or sending
everyday trojans by email.
There are three main organisations dealing with hi-tech crime:
FAPSI (Federal Government Communications and Information Agency
- a mix of FCC and secret service), UKIB FSB (hi-tech feds; stands for
department of computer and information security) and UPBSWT MVD
(hi-tech crime fightback dept.) which incorporates the R unit (R for radio -
busts ham pirates and phreaks).
/* Latest addition - FAPSI was disbanded */
FSB (secret service) also runs NIIT (IT research institute).
This organisation deals with encryption (reading your PGPed mail),
examination of malicious programs (revealing Windoze source) and
restoration of damaged data (HEXediting saved games). NIIT is believed
to possess all seized systems so they have tools to do the job.
UPBSWT has a set of special operations called SORM (operative
and detective measures system). The media describe this as an
Echelon/Carnivore-like thing, but it also monitors phones and
pagers. Cops claim that SORM is active only during major criminal
investigations.
----[ 1.2. Criminal Code.
Computer criminals are prosecuted according to these articles of the Code:
159: Felony. This is mostly what carders have to do with, accompanied by
caught-in-the-act social engineers. Punishment varies
from a fine (minor, no criminal record) to a 10-year prison term
(organized and repeated crime).
272: Unauthorized access to computer information. An easy case will end
up in a fine or up to 2 years probation, while organized or repeated
crime, or crime involving "a person with access to a computer, computer complex
or network" (!#$@!), may lead to 5 years imprisonment.
Added to this are weird comments on what information,
intrusion and information access are.
273: Production, spreading and use of harmful computer
programs. Sending trojans by mail is considered lame and punished by up to 3
years in prison. Part II says that "same deeds *carelessly* caused
hard consequences" will result in from 3 to 7 years in jail.
274: Breach of computer, computer complex or network usage rules. This
one is tough shit. In its present, raw and somewhat confused
state this looks, say, *incorrect*. It needs at least a
technically literate person to provide correct and clear
definitions. After that clearance this could be a useful thing:
if someone gets into a poorly protected system, the admin will
have to take responsibility too. Punishment ranges from losing
the right to occupy "defined" (defined where?) job positions to
a 2-year prison term (or 4 if something fucked up too seriously).
----[ 1.3. Federal Law.
Most notable subject related laws are:
"On Information, Informatization and Information Security"
(20.02.95). 5 chapters of this law define /* usually not
correctly or even intelligently */ various aspects of information and
related issues. Nothing really special or important - civil rights
(nonexistent), other crap, but still having publicity (due to the weird
and easy-to-remember name I suppose), and about every journalist covering
ITsec pastes this name into his article, for a serious look maybe.
"National Information Security Doctrine" (9.9.2K) is far more
interesting. It will tell you how dangerous the Information Superhighway
is, and this isn't your average mass-media horror story - it's
the real thing! The reader will learn how hostile foreign governments are
busy implementing some k-rad mind control tekne3q to gain r00t on
your consciousness; undercover groups around the globe are engaging in
obscure infowarfare; unnamed but almighty worldwide forces are also about
to control information...ARRGGH! PHEAR!!!
{ALiEN special note: That's completely true. You suck, Terrans. We'll
own your planet soon and give all of you a nice heavy industry job}.
Liberal values are covered too (the message is BUY RUSSIAN). Also there are
some definitions (partly correct) on ITsec issues.
"On Federal Government Communications and Information" (19.2.93,
patched 24.12.93 and 7.11.2K). Oh yes, this one is serious. Everyone
is serious about his own communications - what can I say? The main message
is "RESPONSIBLES WILL BE FOUND. OTHERS KEEP ASIDE".
An interesting entity defined here is the Cryptographic Human Resource -
a special unit of highly qualified crypto professionals which must be
founded by FAPSI. To be in the Cryptographic Human Resource is to serve
wherever you are, retired or anything.
Also covered are the rights of government communications personnel. They
have no right to engage in or support a strike. Basically they have
no right to fight for their rights. They don't have the right to publish or
to tell the mass media anything about their job without prior censorship
by upper level management.
Cryptography issues are covered in "On Information Security
Tools Certification" (26.6.95, patched 23.4.96 and 29.3.99) and "On
Electronic Digital Signature" (10.2.02). Not much to say about them. Both
mostly consist of strict definitions of certification procedures.
--[ 2. ORDER.
----[ 2.1. Tactics of Raid.
The information given is necessary for a successful raid. The tactics of a raid
strongly depend on previously obtained information.
It is necessary to define the time for the raid and the measures needed to conduct
it suddenly and confidentially. If there is information
that the suspect's computer contains criminal evidence data, it is
better to begin the raid when the probability that the suspect is working on that
computer is minimal.
Consult with specialists to define what information could be stored
in a computer and have adequate equipment prepared to copy that
information. Define all measures to prevent criminals from destroying
evidence. Find raid witnesses who are familiar with computers
(basic operations, program names etc.) to exclude the possibility of
the raid results being challenged as erroneous in court. The specificity and complexity
of manipulations with computer equipment cannot be understood
by the illiterate, and this may destroy the investigator's efforts to
strengthen the value of the evidence.
A witness' misunderstanding of what goes on may make the court discard evidence.
Depending on the suspect's qualification and professional skills,
define a computer equipment professional to involve in the investigation.
On arrival at the raid point it is necessary to enter fast and suddenly,
to reduce the possibility of destruction of computer-stored information to the
minimum. When possible and reasonable, the raid point's power supply must be
turned off.
Don't allow anyone to touch a working computer or floppy disks, or to turn computers
on and off; if necessary, remove raid personnel from the raid point;
don't allow anyone to turn the power supply on and off; if the power supply
was turned off at the beginning of the raid, it is necessary to unplug all
computers and peripherals before turning the power supply on; don't manipulate
computer equipment in any manner that could produce unpredictable results.
After all the measures above have been taken, it is necessary
to pre-examine the computer equipment to define what programs are working
at the moment. If a data destruction program is discovered active
it should be stopped immediately and examination begins with exactly
this computer. If computers are connected to a local network, it is
reasonable to examine the server first, then workstations, then other
computer equipment and power sources.
----[ 2.2. Examining a Working Computer.
During the examination of a working computer it is necessary to:
define what program is currently executing. This must be done by
examining the screen image, which must be described in detail in the raid
protocol. Where necessary, it should be photographed or videotaped. Stop the
running program and record the results of this action in the protocol, describing
the changes that occurred on the computer screen;
define the presence of external storage devices: a hard drive (a
winchester*), floppy and ZIP type drives, the presence of a virtual drive (a temporary
disk which is created at computer startup to increase
performance) and describe this data in the raid protocol;
define the presence of remote system access devices and also their
current state (local network connection, modem presence), after which
disconnect the computer and modem, describing the results of that in
the protocol;
copy programs and files from the virtual drive (if present) to a
floppy disk or to a separate directory of the hard disk;
turn the computer off and continue with examining it. During this it is
necessary to describe in the raid protocol and an appended scheme the location
of the computer and peripheral devices (printer, modem, keyboard,
monitor etc.), the purpose of every device, name, serial number,
configuration (presence and type of disk drives, network cards,
slots etc.), presence of connection to a local computing network and
(or) telecommunication networks, the state of devices (are there traces
of opening);
accurately describe the order in which the mentioned devices are interconnected,
marking (if necessary) connector cables and plug ports, and disconnect the computer
devices.
Define, with help from a specialist, the presence of nonstandard
apparatus inside the computer, absence of microchips, disabling of an inner power
source (an accumulator);
pack (describing in the protocol the location where they were found) storage
disks and tapes. Packaging may be a special diskette tray and also common paper
and plastic bags, excluding ones that don't prevent dust (pollution
etc.) from contacting the disk or tape surface;
pack every computer device and connector cable. To prevent
unwanted individuals' access, it is necessary to place seals on the system block -
tape over the power button and power plug socket with adhesive tape and
tape over the front and side panel mounting details (screws etc.) too.
If it is necessary to turn the computer back on during examination, startup
is performed with a prepared boot diskette, preventing user programs
from starting.
* winchester - obsolete mainstream tech speak for a hard drive. Seems to
be of western origin but I never met this term in western sources. Common
shorthand is "wint".
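The one step in the procedure above that cannot be redone later is copying the virtual drive (RAM disk) before the machine is powered off. Here is an added example of how that acquisition is done on a present-day system; it is not from the article and not an MVD or FAPSI tool. It assumes a Unix-like host with Python 3, uses a plain directory as the stand-in for the RAM disk, and constructs its own sample files: every regular file is copied out, hashed before and after the copy, and a manifest with host name and acquisition time is written so the copies can be checked again at examination time.

```python
"""Preserving the contents of a virtual drive (RAM disk) before power-off.

Added example, not part of the original article. It models the step
"copy programs and files from the virtual drive to a separate directory"
as a live-response routine: copy every regular file out of a volatile
directory, record size and SHA-256 per file together with the host name and
acquisition time, and verify the copies against that manifest afterwards.
The source directory and the file contents below are constructed.
"""
import hashlib
import json
import os
import platform
import shutil
import tempfile
import time


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_volatile_dir(source_dir, evidence_dir, label):
    """Copy every regular file under source_dir into evidence_dir/label and
    return the manifest describing what was copied.

    Each file is hashed on the source before copying and the copy is hashed
    again immediately, so the manifest records what existed on the running
    machine and proves the copy matches it."""
    dest_root = os.path.join(evidence_dir, label)
    os.makedirs(dest_root, exist_ok=False)   # never merge into an old acquisition
    entries = []
    for dirpath, _dirnames, filenames in os.walk(source_dir):
        for name in sorted(filenames):
            src = os.path.join(dirpath, name)
            if not os.path.isfile(src) or os.path.islink(src):
                continue                      # skip devices, sockets, symlinks
            rel = os.path.relpath(src, source_dir)
            dst = os.path.join(dest_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            src_hash = sha256_file(src)
            shutil.copy2(src, dst)            # copy2 keeps the original mtime
            if sha256_file(dst) != src_hash:
                raise RuntimeError("copy of %s does not match source" % rel)
            entries.append({"path": rel, "size": os.path.getsize(src), "sha256": src_hash})
    manifest = {
        "label": label,
        "host": platform.node(),
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source": os.path.abspath(source_dir),
        "files": entries,
    }
    with open(os.path.join(dest_root, "MANIFEST.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_acquisition(evidence_dir, label):
    """Re-hash the preserved copies against MANIFEST.json and return the
    relative paths that are missing or changed (empty list means intact)."""
    dest_root = os.path.join(evidence_dir, label)
    with open(os.path.join(dest_root, "MANIFEST.json")) as fh:
        manifest = json.load(fh)
    bad = []
    for entry in manifest["files"]:
        path = os.path.join(dest_root, entry["path"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            bad.append(entry["path"])
    return bad


def make_sample_virtual_drive():
    """Constructed stand-in for a RAM disk: a temp directory with two files."""
    root = tempfile.mkdtemp(prefix="ramdisk_")
    os.makedirs(os.path.join(root, "tmp"))
    with open(os.path.join(root, "autoexec.log"), "wb") as fh:
        fh.write(b"session started\n")
    with open(os.path.join(root, "tmp", "notes.txt"), "wb") as fh:
        fh.write(b"constructed sample text\n")
    return root


if __name__ == "__main__":
    drive = make_sample_virtual_drive()
    evidence = tempfile.mkdtemp(prefix="evidence_")
    print(json.dumps(preserve_volatile_dir(drive, evidence, "ramdisk"), indent=2))
    print("intact:", verify_acquisition(evidence, "ramdisk") == [])
```

On a real machine you would point preserve_volatile_dir at the mounted RAM disk (a tmpfs path, for instance) and at a directory on the investigator's own medium. The manifest plus the hashes are what lets the examiner later show that the copied files are the ones that were on the running system, which is the same purpose the protocol entry serves in the text.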
----[ 2.3. Expertise Assignment.
Expertise assignment is an important investigative measure for such
cases. The general and most important part of such an expertise is the
technical program (computer equipment) expertise. MVD (*) divisions have
no experts conducting such expertises at the current time, so it
is possible to conduct this type of expertise at FAPSI divisions
or to involve adequately qualified specialists from other organisations.
Technical program expertise is to find answers to the following:
What information do the floppy disks and system blocks presented for
expertise contain?
What is its purpose and possible use?
What programs do the floppy disks and system blocks presented for
expertise contain?
What is their purpose and possible use?
Are there any text files on the floppy disks and system blocks presented for
expertise?
If so, what is their content and possible use?
Is there destroyed information on the floppy disks presented for expertise?
If so, is it possible to recover that information?
What is that information and what is its possible use?
What program products do the floppy disks presented for expertise contain?
What are their content, purpose and possible use?
Are there among those programs ones customized for password
guessing or otherwise gaining unauthorized access to computer networks?
If so, what are their names, working specifications, and possibilities of
use to penetrate the defined computer network?
Is there evidence of the defined program's use to penetrate the
abovementioned network?
If so, what is that evidence?
What is the chronological sequence of actions necessary to start the defined
program or to conduct the defined operation?
Is it possible to modify program files while working in the given
computer network?
If so, what modifications can be done, how can they be done and from
what computer?
Is it possible to gain access to confidential information through the
mentioned network?
How is such access gained?
How was the criminal penetration of the defined local computer
network committed?
What is the evidence of such penetration?
If this penetration involved remote access, what are the possibilities
of identifying the originating computer?
If evidence of a remote user intrusion is absent, is it possible
to point out computers from which such operations can be done?
Questions may be asked about the compatibility of this or that program;
the possibility of running a program on a defined computer etc. Along with
these, experts can be asked about the purpose of this or that device related
to computer equipment:
What is the purpose of a given device, its possible use?
What is special about its construction?
What parts does it consist of?
Is it an industrial or a homemade product?
If it is a homemade device, what kind of knowledge and in what fields of
science and technology does its maker possess, and what is his professional
skill level?
With what other devices could this device be used together?
What are the technical specifications of a given device?
The given methodical recommendations are far from a complete list of questions
that could be asked in such investigations but still reflect the
important aspects of this type of criminal investigation.
* MVD (Ministry of Inner Affairs) - Russian police force.
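Several of the questions above ask whether destroyed information is present on the seized disks and whether it can be recovered. The following is an added example, not from the article, of the basic technique an expert uses to answer that: scanning a raw image for known file signatures and for readable text regardless of what the file system's directory says, since deleting a file removes the entry but usually leaves the clusters intact. The image is constructed here (non-text filler standing in for unallocated clusters, with a deleted PDF and a deleted note placed inside at offsets I chose); the header and footer bytes for PDF and PNG come from the public format specifications.

```python
"""Recovering "destroyed" information from a raw disk image by carving.

Added example, not from the original article. The image is constructed:
byte values 0x80-0xfe as filler (never printable ASCII), a deleted PDF at
0x2000 and the remains of a deleted text file at 0x9000.
"""
import re

# Header/footer pairs for the formats carved here; both come from the
# public PDF and PNG specifications.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, max_size=1 << 20):
    """Return a list of (kind, offset, data) for every signature found,
    sorted by offset.

    Each header is matched to the nearest following footer within max_size
    bytes. A header with no footer in range is reported with data=None so the
    examiner knows a fragment exists even though it could not be bounded."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        start = image.find(head)
        while start != -1:
            end = image.find(tail, start + len(head), start + max_size)
            if end == -1:
                found.append((kind, start, None))
                next_search = start + len(head)
            else:
                end += len(tail)
                found.append((kind, start, image[start:end]))
                next_search = end
            start = image.find(head, next_search)
    return sorted(found, key=lambda item: item[1])


def recover_text(image, min_len=16):
    """Return (offset, text) for every run of printable ASCII of at least
    min_len bytes, the equivalent of running `strings` over the image."""
    pattern = re.compile(rb"[\x20-\x7e\r\n\t]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def build_sample_image(size=64 * 1024):
    """Constructed image: non-text filler with a deleted PDF and a deleted
    note written over it. The offsets and contents are sample values."""
    image = bytearray(0x80 + (i * 31) % 0x7f for i in range(size))
    pdf = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF"
    note = b"deleted note: old backup set kept in locker 12\r\n"
    image[0x2000:0x2000 + len(pdf)] = pdf
    image[0x9000:0x9000 + len(note)] = note
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for kind, offset, data in carve(img):
        print("%s at 0x%x, %s" % (kind, offset, "unbounded" if data is None else "%d bytes" % len(data)))
    for offset, text in recover_text(img):
        print("text at 0x%x: %r" % (offset, text))
```

The two functions answer the "is there destroyed information / can it be recovered" pair directly: carve tells the examiner which whole files can be reconstructed from their signatures, and recover_text turns up fragments (such as the note) that have no recognisable structure left but are still readable. Real images are scanned the same way, only with more signature pairs and with the image read in chunks rather than held in memory.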
CREDITS
I'd like to thank stiss and the BhS group for contributions to this file.