NOLASEC – Hidden Legal Pitfalls of Digital Forensics Research

Print Friendly

Yesterday was the first NOLASEC meeting in the new presentation format. Previously, the meeting had one speaker giving a 30 minute talk with questions and discussions after. The newer format is intended to allow for multiple shorter 6 minute talks that are not as intimidating for those not familiar with certain technical depths involved in the talks, and to provide a greater variety of topics.

For my talk, I decided to speak about how lines of security or forensics research can have unanticipated legal consequences and to use the recent example of GIOCONDA LAW GROUP PLLC v. ARTHUR WESLEY KENZIE to illustrate research gone wrong. Obviously, 6 minutes is far too brief a window to tackle even one of the legal issues in depth so my talk was designed more as a “food for thought” format.

I like to start off by highlighting the differences between ethical behavior, and lawful behavior. In sum, what we as researchers consider ethical is a standard of conduct within the research community – in essence asking, is this course of action something which would be acceptable to peer reviewers? Lawful behavior, on the other hand, evaluates acts against the law regardless of peer acceptance. This brings out the first counter-intuitive thought that the set of things that are ethical, say {E}, and the set of things that are lawful, say {L}, are not equivalent. Unethical actions may be lawful, and some ethical actions may be unlawful.

Moving on, to understand the example case, you first have to understand the issue being studied. The slide set has a few “recall” slides about DNS. DNS resolves certain types of DNS Records to other information and IP addresses. Type A records resolve a hostname to an IP address, type MX records identify the mail host responsible for receiving email to the domain, and so forth. So for user@domain where user might be one of {bob, alice, carl} and domain might be one of {gmail.com, yahoo.com, Hotmail.com}, the domain part will indicate where the sending mail server should send the email, and the user part indicates which mailbox the receiving mail server should deposit it in.

The type A records also do things like resolve the URL you enter into your browser to the location of the webserver. You may notice if you mistype a domain, you end up on a page full of ads – this phenomena is often referred to as typosquatting. It happens easily enough if you leave out a letter or transpose two when typing in the address of your intended destination. Now, if you take the MX records and add the typosquatting phenomena, you get the basis for the hullabaloo in the example case.

Arthur Kenzie, a Canadian researcher, registered a number of domains which were close similarities or common typos of legitimate corporate domains. Then, he created MX records directing email addressed to the typo domain to his mail server which was set to accept all incoming email – similar to a honey pot, but maybe calling it fly paper would be more accurate? The idea being, many people mistype email addresses and the only way they know is when a bounce message is returned. If someone registers the typos, then they will get the mail intended for someone else without the sender knowing. There are variations on this which turn it into a man-in-the-middle attack. Kenzie was not the first to demonstrate this, the GodaiGroup created a short whitepaper on their parallel research back in September 2011 entitled, “Doppelganger Domains“; they got a rash of blog press over it at the time so whether Kenzie’s work was inspired by theirs or whether they were independently developed is unknown.

Before going forward, there is one potential stark difference in approach I must note differentiating Kenzie’s work from the GodaiGroup’s. Both admit their research resulted in significant amounts of intercepted email, but Godai, to my knowledge, has not attempted to profit directly from their work. There is a report that Kenzie attempted to sell the typo domains to the legitimate companies for $295.

After HD replied to Kenzie, the real motivation behind the mail came out quickly. For the low price of $295.00, along with a “negotiated or mediated non-improvident fee in consideration of my expertise in bringing this vulnerability to [his] attention and in ensuring that no malevolent entity is able to exploit it for their own purposes”, HD could get the domain Kenzie registered as his own. To encourage HD to accept this incredible deal, Kenzie mentions that he has already intercepted six emails that were meant for HD.

Quoted from the above link.

There are different ways to handle actions such as Kenzie’s. In the slide set, I mention the Uniform Domain-Name Dispute Resolution Policy (UDRP) established by ICANN as one, and litigation as another. Lockheed Martin Corporation used the UDRP route to reclaim lockheedmarton.com and lockheedmartun.com from Kenzie (UDRP Decision here) which Kenzie later blogged about. The Gioconda Law Group chose to litigate and filed the example case.

What is Gioconda suing Kenzie for?

  • The Anti-Cybersquatting Prevention Act (15 USC 1125);
  • The Wiretap Act (18 USC 2511);
  • Section 32 of the Lanham Act (15 USC 1114);
  • Section 43 of the Lanham Act (15 USC 1125);
  • New York Common Law for Trademark Infringement, and Unfair Competition;
  • New York Business Law section 349 (N.Y. GBS. 349);
  • and New York Business Law section 250 (N.Y. GBS. 350).

They seek, among other things, various forms of injunctive relief, actual damages (treble), and (my favorite part) punitive damages up to… 1 million dollars!

According to PACER, the complaint was served by registered mail sent June 25, 2012, but no answer has been filed yet.

In the final slide in my talk, I ended with questions about whether the GodaiGroup could face the same potential liability as Kenzie or if their research practices could be distinguished. The GodaiGroup whitepaper does not provide enough particular information about their research to do more than a surface comparison, and they do go further than Kenzie in identifying typo domains for Fortune 500 companies existing in the wild with China based registrations, but the details just are not there. I end with the general observation that security and forensics research often walks a narrow legal line and traverses a lot of grey areas. As responsible researchers it is important we are aware of these issues, and approach experiments using methods both ethical and lawful – both because it is the responsible thing to do, and because lawsuits are expensive.

Slides:

*UPDATE*

A few days after my talk Arthur Kenzie, the Defendant in the example case, posted a blog update offering to transfer domains he registered for use in his research to legitimate parties for cost. In the post he also notes most of the domains will expire in September as he registered them in September 2011. In this post and in my talk I noted that GodaiGroup published their white paper in September 2011 and that from the information I had available did not indicate whether the similar lines of research were developed independently or if Kenzie’s work was drawn from the GodaiGroup white paper. Given the timing of the domain registrations, I would say the evidence now points to the later case.

 

Posted in Computer Science, Digital Forensics, Law, News & Commentary, Security, Talks Tagged with: , , ,
2 comments on “NOLASEC – Hidden Legal Pitfalls of Digital Forensics Research
  1. Anonymous says:

    While Kenzie may try and hide his actions under research, what is missing is the fact that he sent out letters asking for a $25,000 consulting fee to demonstrate/fix an unnamed vunerability in the targets email system.

    I’ve personally seen one such letter, and know of two more. The UDRP decision re: Lockheed Martin hints that they also received such a letter (in the form of an unpublished attachment to the case).

  2. Brian says:

    That is interesting, have any public copies of the letter surfaced anywhere?