Friday, October 25, 2013

Time Warner, the Keystroke Logger and Computer Crime

After he was convicted of three counts of computer trespass in violation of New York Penal Law § 156.10, three counts of computer tampering in the third degree in violation of New York Penal Law § 156.25[1], one count of unlawful duplication of computer related material in the first degree in violation of New York Penal Law § 156.30[2] and one count of criminal possession of computer related material in violation of New York Penal Law § 156.35, Louis Puesan appealed.  People v. Puesan, 2013 WL 5525987 (New York Supreme Court – Appellate Division 2013).  (For the convictions, he was sentenced to “an aggregate term of five years’ probation.”  People v. Puesan, supra.)

As to how the case arose, the opinion explains that on November 9, 2007, Puesan was

placed on disability leave from his job as a field technician for Time Warner Cable. . . . [A]n employee who is placed on work leave is not considered an active employee; his or her access card is disabled and thus cannot be used to gain access to the company's offices. 

This policy is announced in employee handbooks provided to employees, and any employee placed on leave is instructed by human resources department personnel regarding that policy. Since the public is not allowed to enter Time Warner Cable's Northern Manhattan office, security guards are stationed outside to ensure those entering the building have valid ID cards.

[At trial,] David Lopez, a head-end technician for Time Warner Cable, testified that sometime in late January or early February 2008, he arrived at work at the company's Northern Manhattan office . . . and spotted [Puesan] nearby. During a brief conversation, [Puesan] asked Lopez for [his] personal log-in and password for Time Warner Cable's billing and customer information system, CSG, but Lopez refused. 

[Puesan said] he would find another way to get that information. Specifically, . . . [Puesan] said he `might use a keylogger’ to get the password he needed to gain access. . . . Lopez warned Monty Harris, a Time Warner Cable crew chief and field technician, and two supervisors, Lance Giancotti and Thomas Bonelli, that [Puesan] might do something to the computers in the company's `service ready room.’ The service ready room is accessible to all employees, and contains three computers, one main computer and two `thin client’ computers. All three computers are installed with a program, CSG, that gives employees access to customers' personal information.

People v. Puesan, supra.

The opinion says it was “undisputed” that on February 10, 2008, Puesan entered the

Time Warner Cable Northern Manhattan office at 5:17 p.m., and left at 6:03 p.m. [At 5:30 p.m.,] Lopez . . . saw [him] using a computer in the service ready room. . . .[W]hile Lopez and Harris saw [Puesan] using all three of those computers . . . neither could see what he was doing with [them]. . . .

From the time he first saw [Puesan] using the computers to the time he left at 6:30 p.m., Harris saw no other individual using [them]. [He] did not notify anyone about [Puesan’s] use of the computer at the time; nor did he check the computers after [Puesan] left.

The following morning, . . . Harris logged on to the computers in the service ready room and noticed a program, Cracks, was open and running on the main computer. Harris was curious as to what the program was, and . . . visited the website and found it was a site that showed `how to generate password keys for software.’ This website and program was used to gain access to password-protected software. Harris discovered the same program was open and running on the other two computers in the room. 

As Harris went to report his findings, he saw Lopez walking in to the room. He and Lopez talked, and Harris reported his findings to Paul Hart, a foreman. Hart notified supervisor Lance Giancotti about the situation, and Giancotti concluded there had been a security breach.

Giancotti reported the security breach to Sandip Gupta, Time Warner Cable's Senior Director of Information Technology, and Gupta directed Marc Rosenthal, the IT Manager of Network Support, to go to the Northern Manhattan office to examine the three computers in the service ready room. On examining the computers, Rosenthal noticed a program, Winvestigator, that was never installed or used by Time Warner Cable. 

Rosenthal took screen shots of the computers, which showed Winvestigator was installed on each of [them] between 5:45 p.m. and 6:15 p.m. on February 10, 2008. A search through the computers' browser history revealed a site called Tropical Software was visited on all three computers, and Rosenthal discovered Winvestigator could be downloaded and purchased from that site. Rosenthal gathered and secured the computers to take them to Time Warner's 23rd Street office.

When the computers arrived at Time Warner Cable's lab on 23rd Street, Rosenthal and Gupta discovered unplugging them had caused the hard drives to be erased on the two `thin client’ computers. However, the main computer's hard drive remained intact, and Rosenthal was able to make a copy to analyze without damaging the contents of the original hard drive.

[He] was unable to access Winvestigator's log file, which keeps track of the program's information and data, and discovered it had been password protected. To gain access to [it] Gupta purchased a `back-door’ password to . . . Winvestigator. Rosenthal was able to access the program. He discovered [it] had stored his own password as well as Giancotti's. The individual who installed Winvestigator on the Time Warner computers . . . had set the program's password to `lp.’

People v. Puesan, supra.

Tom Allen, Time Warner Cable's Vice President of Security, was notified of the problem in the Northern Manhattan office and reported it to the New York City Police Department.  People v. Puesan, supra. On April 3, Allen and Rosenthal turned over two hard drives and a desktop computer tower to Detective Jorge Ortiz, of the NYPD's Computer Crime Squad, who was trained in computer forensics. People v. Puesan, supra. Ortiz made copies of the hard drives and desktop tower and conducted a forensic analysis on the copies. People v. Puesan, supra.

He ran a program named NetAnalysis, which analyzes the computer's Internet history, and two malware detection programs, Gargoyle and Encase. He found that on February 10, 2008, at 5:32:09 p.m., someone visited . . ., which provides individuals with access codes and key generators to access specific software. Additionally, between 5:32:58 p.m. and 5:58:19 p.m., someone visited the home page of Tropical Software, which makes Winvestigator, and downloaded the program.

Both Gargoyle and Encase showed Winvestigator [was] installed on the desktop computer on February 10, 2008. . . . Ortiz determined Winvestigator's settings were set to log keystrokes, user sign-ons, and the times programs opened and closed. 

[It was also] programmed to self-encrypt and not warn others that the program was running, so anyone without the programmed password would be unable to look at the Winvestigator log file, because it would display only incomprehensible text. Ortiz determined Winvestigator had started to log keystrokes at 5:37 p.m. on February 10, 2008.

People v. Puesan, supra.

On appeal, Puesan claimed the evidence presented at trial (and summarized above) was not sufficient to prove his guilty of the charges against him beyond a reasonable doubt. People v. Puesan, supra.  The court began its analysis of the argument by explaining that to “determine the legal sufficiency of the evidence to support a conviction, the Court must view the evidence in the light most favorable to the People to decide whether any rational trier of fact, using any valid line of reasoning, could have found the elements of each crime beyond a reasonable doubt.” People v. Puesan, supra. 

The Appellate Division began with Puesan’s convictions for computer trespass, noting that "under Penal Law § 156.10,” the evidence must show he “`knowingly use[d] . . . or accesse[d] a computer . . .  or computer network without authorization and . . .  knowingly gain[ed] access to computer material.’” People v. Puesan, supra.   Puesan claimed he could not be “convicted of accessing `computer material’ because he did not gain access to the types of materials defined in the statute” and the evidence did not prove “he lacked authorization to use the three computers.” People v. Puesan, supra.  

The court disagreed, finding, first, that the evidence “fully supports” the conclusion that Puesan accessed Time Warner’s computers when he was not authorized to do so:

Time Warner announced in its employee handbook that employees on disability leave were prohibited from entering the building, and the company deactivated those employees' access cards; this establishes that [he] had actual notice that he lacked authorization to enter the building and to use the company's computers. 

Furthermore, [Puesan’s] request of Lopez to use his log-in information, Lopez's refusal, and [Puesan’s] reply that he would find another way to access the system, support the finding that [he] was aware of his lack of authorization.

People v. Puesan, supra.  

As to Puesan’s argument that he did not access computer material, the court noted that under New York Penal Law § 156.00[5], computer material consists of computer data or a computer program that “`is not and is not intended to be available to anyone other than the person . . . rightfully in possession’” of it and that “accords or may accord such rightful possessors an advantage over competitors or other persons who do not have knowledge or the benefit thereof’”.  People v. Puesan, supra (quoting §156.00[5]). 

The court explained that by using log-in information and passwords obtained through his use of the keystroke-logging program Puesan was able to obtain information that was not meant “to be available to anyone but Time Warner and its “authorized employees”.  People v. Puesan, supra.  It also found that the information was the “sort of information businesses have an interest in protecting and keeping away from competitors.”  People v. Puesan, supra.   It therefore found the evidence supported Puesan’s convictions for computer trespass.  People v. Puesan, supra.  

The court then took up Puesan’s challenge to his convictions for computer tampering, noting that the crime “is committed when the individual uses or accesses a computer without authorization and `intentionally alters in any manner or destroys computer data or a computer program of another person’”.  People v. Puesan, supra (quoting New York Penal Law § 156.20). Since the Appellate Division had already found that “the evidence supports the finding that [Puesan] used or accessed three Time Warner computers without authorization”, the only issue to be resolved was whether it proved beyond a reasonable doubt that he  intentionally altered or destroyed computer data or a computer program.” People v. Puesan, supra.  

The court found that it did:  “The installation of a program that secretly monitors and replicates other users' keystrokes, and self-encrypts if the wrong password is used to attempt access to it, constitutes an alteration of the computer programs or programs on of the computers on which it was installed.” People v. Puesan, supra.   The Appellate Division therefore affirmed his convictions for this offense. People v. Puesan, supra.  

Next, Puesan challenged his conviction for unlawful duplication of computer related material in violation of New York Penal Law § 156.30[2].  People v. Puesan, supra.   The court noted that someone commits this offense when “having no right to do so, he or she copies, reproduces or duplicates in any manner . . . any computer data or computer program with an intent to commit or attempt to commit or further the commission of any felony.” People v. Puesan, supra (quoting § 156.30[2]). Puesan argued that “there is insufficient evidence that he duplicated or copied computer materials.”  People v. Puesan, supra.   The Appellate Division, however, found that the act of installing

a keystroke logging program to reproduce other employees' user ID's and passwords amounts to arranging for the duplication of that log-in information, to which [Puesan] alone gained access. The finding that [he] arranged for the duplication of the user log-in information in furtherance of his commission of the felony of computer trespass is fully supported by the evidence.

People v. Puesan, supra.  

Finally, Puesan challenged his conviction for criminal possession of computer related material.  People v. Puesan, supra.  One is guilty of this offense when he/she “having no right to do so,” knowingly possesses, “in any form, any copy, reproduction or duplicate of any computer data or computer program which was copied, reproduced or duplicated in violation of [New York Penal Law §] 156.30 . . . with intent to benefit himself or a person other than an owner thereof.”  New York Penal Law § 156.35.  Puesan argued that “it was not proven that he `possessed’ computer related materials with the intent to `benefit’ himself”.   People v. Puesan, supra.

The Appellate Division did not agree.  It noted, first, that it had already “determined that there is legally sufficient evidence to establish that [Puesan] arranged for the duplication of computer data in violation of Penal Law § 156.30”.  People v. Puesan, supra. The court then found that there

is no requirement that [Puesan] physically, tangibly possess the copies or duplicates of the information stored by the Winvestigator program; the statute expressly states that possession `in any form’ is sufficient. Since [he] alone had access to and exercised control over the information Winvestigator duplicated, it follows that he constructively possessed such duplicated materials.

As to whether his possession of the illicitly duplicated computer data was `with intent to benefit himself or a person other than an owner thereof,’ [Puesan’s] expressed desire to gain access to Time Warner's CSG program, as well as the actions he took to gain that access, permit the inference that he intended to benefit either himself or someone else with the information he could obtain from the CSG system.

People v. Puesan, supra.

The court therefore affirmed his conviction and sentence on all charges. People v. Puesan, supra.  If you are interested, you can find a press release on the case here.  

No comments: