Monday, January 24, 2011

“Breach of Computer Security”

This post deals with a prosecution for “breach of computer security” in violation of Texas law.

Texas Penal Code § 33.02(a) defines the crime as follows: “A person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner.”

Sabina Muhammed was convicted of violating § 33.02(a) and sentenced to “180 days confinement in the Harris County Jail, probated for two years.” Muhammed v. State, __ S.W.3d __, 2011 WL 80741 (Texas Court of Appeals 2011). She appealed, arguing, in part, that the evidence presented at trial was not sufficient to support the conviction. Muhammed v. State, supra.

This is how the prosecution arose:

[Muhammed] and . . . Heber Saravia, an engineering student, both attended the University of Houston (`UH’). At the end of the spring 2004 semester, Saravia received an email in one of his UH accounts from an unknown Yahoo account, which contained his social security number. This was the beginning of a series of incidents involving Saravia's UH account. These included one incident in the fall of 2004, when Saravia discovered someone had hacked into his UH account, changed his password, and had deleted all of his engineering work stored there.

The incidents began to escalate in 2006 when Saravia started receiving emails inquiring about his personal life. One of these provided a hint as to who the sender might be: the email mentioned `their name started with an “S.”’ Another incident involved Saravia receiving a notice from the UH College of Business indicating he had requested to change his major. Saravia testified this was not correct as he was `in the middle of [his] engineering degree’ and was passing all of his classes. . . .

Saravia [also] noticed [Muhammed] waiting for him outside his classrooms, observing him at the Metro bus stop, and following him around the UH campus. [He] testified that [she] sent him a `friend request’ on Facebook. . . . [and] transcripts of other UH students were mailed to his home address. During the spring of 2007, the UH Police Department notified Saravia that someone had been using his e-mail address to conduct fraudulent activities. Saravia testified he never granted [Muhammed] permission to access his UH account or any of the information contained therein.

Muhammed v. State, supra. David Canales, “a UH alumnus,” also testified at Muhammed’s trial. He said he had encountered problems with his UH account

similar to those experienced by Saravia. Canales also testified that he had witnessed [Muhammed] following him around the UH campus as well. After Canales reported to the UH Police Department that someone had hacked into his UH account and made changes, Officer Russell Lyman of the UH Police Department began investigating.

Muhammed v. State, supra.

The UH information technology department provided Officer Lyman with IP addresses that were used to access the

UH students' information. Most of the IP addresses were located at UH, however one was located at Lone Star College (`LSC’). Lyman looked for a connection between the schools. He discovered that [Muhammed], a UH student, worked at LSC as a tutor and had access to the computers located on the LSC campus. Officer Lyman requested that the LSC police monitor [her] computer use.

Muhammed v. State, supra. Pervaiz Parker, “an LSC police officer,” also testified at Muhammed’s trial. Muhammed v. State, supra. He testified that he knew Muhammed

only worked at LSC on Saturdays. . . . [O]n Saturday, February 24, 2007, he spotted [her] in the LSC computer lab. Parker walked behind [Muhammed] while she was using one of the computers in the . . . lab. [He] noticed [she] was accessing the UH website. Parker saw the name `Vargas’ on [her] computer screen. . . . Vargas was one of the six names associated with UH accounts that had been improperly accessed. . . .

Officer Parker contacted an information technician at the LSC IT department, Wesley Parker. Officer Parker asked Mr. Parker to remotely monitor [Muhammed’s] computer. Mr. Parker proceeded to remotely access [her] computer and determined she was on the UH website.

Mr. Parker, and later his supervisor Celeste Burkards, captured images of the computer screens as [Muhammed] accessed various UH student accounts for approximately forty minutes. During this time period, [she] accessed Saravia's student account as well as the accounts of other UH students. After [she] finished browsing, she deleted her browsing history and cookies. The images of [her] activities captured by Mr. Parker and Ms. Burkards were printed, turned over to Officer Lyman, and admitted into evidence during [Muhammed’s] trial.

Muhammed v. State, supra.

At trial, Muhammed took the stand and “insisted that mismanagement of the UH computer accounts was responsible for the breach of security on Saravia’s UH account.” Muhammed v. State, supra. Muhammed maintained that she did not know Saravia and

had never noticed him on the UH campus. [She] testified she was always in class, at work, or at home studying, and therefore could not have been in the same places as Saravia. [She] testified to this effect even though Saravia had not testified as to specific dates and times when he had seen [her] following him. When asked about the State's screen captures, [Muhammed] did not recall seeing any of the screen images and implied that [they] had been fabricated as they appeared `copied and pasted.’

Muhammed v. State, supra. The jury apparently didn’t believe her because Muhammed was convicted, sentenced and then filed a motion for a new trial. Muhammed v. State, supra. The court held a hearing on her motion for a new trial, at which she called

Uche Okafor to testify [as] to the authenticity of the State's screen shots. Okafor . . . is the founder of Iseek4 Computer Consulting, . . . [which] deals with networking, database management, computer surveillance, software management, and other similar activities. He also testified that he had discovered discrepancies in the . . . screen shots. . . .

Okafor noted that several of the State's exhibits simultaneously displayed the alleged hacking from [Muhammed’s] remotely-accessed computer with the computer clock showing the date and time. [He] opined that when an individual accesses a remotely-accessed computer, such as the one used by [Muhammed], it is impossible for that person to `pull up the clock from the computer to show the time and date.’ Okafor insisted the UH system had `very good security policies’ where it was `impossible . . . that a student can access the [UH] e-mail account without being the actual student or knowing the user credentials.’

Muhammed v. State, supra.

Muhammed claimed Okafor’s testimony was “newly-discovered evidence” which entitled her to a new trial under Texas law. Muhammed v. State, supra. Under Texas Code of Criminal Procedure § 40.001, a “new trial shall be granted where material evidence favorable to the accused has been discovered since trial.” The trial judge in this case “pointed out that [Muhammed] could have subpoenaed” Okafor to testify at trial, which meant that his testimony was not “newly-discovered evidence.” Muhammed v. State, supra. The judge therefore denied the motion for a new trial, which led to the appeal. Muhammed v. State, supra.

On appeal, as noted earlier, Muhammed claimed the evidence presented at trial was not sufficient to prove beyond a reasonable doubt that she illegally accessed Saravia’s account, thereby committing breach of computer security. Muhammed v. State, supra. The Court of Appeals basically reviewed the evidence outlined above and held that it was, in fact, sufficient to support the conviction. Muhammed v. State, supra.

The Court of Appeals also rejected Muhammed’s argument that the trial judge abused his discretion in denying her motion for a new trial; it did not reach the merits of the motion. Muhammed v. State, supra. Instead, it held that Muhammed had waived this issue by “failing to adequately brief it” on appeal. Muhammed v. State, supra. It therefore affirmed the conviction. Muhammed v. State, supra.

This obviously isn’t a case that presented any novel legal issues (except, I guess, the notion of illegally accessing a computer as a breach of computer security). I decided to write about it because of the rather unusual name of the crime . . . and because this is one of those cases where you have to wonder what the defendant was thinking. . . .


Anonymous said...


Susan Brenner said...

Thanks for this.

Anonymous said...

If an employee who is specifically assigned a company work computer and given full rights to that computer then installs TrueCrypt and puts full-disk-encryption on that computer during the course of his employment, and if that employee was never asked to sign any company policy or waiver or computer usage restrictions, and if the employer never objected to the encryption while said employee was under employment, and if the employer suddenly terminates the employee and the employee is asked not to come back, is that considered a breach of computer security?

Let’s imagine the employer, after terminating the employee, contacts the employee and asks the employee for the encryption password. The employee refuses to send the password in plaintext via email but agrees to unlock and remove the encryption at a neutral place such as the police station if the employer would bring the computer to the police station. Furthermore let’s say a detective agrees to this and facilitates this and instructs the terminated employee to come to the police station to unlock the computer. But then the employer changes his mind and refuses to allow the employee to unlock the computer and asks the detective to send this case to the DA and charge the ex-employee with a state jail felony of breach of computer security (Texas).

The DA later contacts the ex-employee’s defense attorney and wants to work something out and close the investigation and dismiss the case without having to officially press charges or go for an indictment. After some back and forth, the ex-employee (defendant) gives up the password and sends the password to his attorney, and the attorney sends the password to the detective and to the complainant. But the employer now refuses to accept the password, citing that he is afraid that if he unlocks the encrypted computer desktop that something bad might happen. He does not agree for the defendant’s attorney to come to his company to unlock the computer with the password, and he also now does not agree to unlock the encrypted computer even though he is given what he initially wanted (the encryption password) since the beginning. Instead, he sends the DA an estimate of how much it would cost for a third party independent forensics lab to do a complete analysis of the encrypted computer and how much it would cost for the forensic company to “clean” the computer for all potential rootkits, viruses, malware, etc., and the bill comes out to be around $3500. The employer now refuses to use the encryption password, he refuses to unlock the computer or to allow anyone else to unlock the computer until he gets the defendant to agree to write him a personal cashier’s check for the amount of $3500 so that he can (so he alleges) hire said aforementioned forensic IT company to safeguard both the computer workstation in question and his larger company network as they unlock the computer.

He threatens a civil suit if the defendant does not immediately comply, and simultaneously he is pressing and pressuring the DA to charge and indict the defendant with breach of computer security if the defendant does not first pony up the $3500.

If you found yourself in the position of the defendant, what would you do?