[liberationtech] Blogged: So, what about Cybercrime in Switzerland? A visit to KOBIK
Moritz Bartl
moritz at torservers.net
Tue Mar 27 02:13:40 PDT 2012
So, what about Cybercrime in Switzerland?
Swiss Cybercrime Coordination Unit (KOBIK)
Yesterday, I joined some people from Chaos Computer Club Zürich (CCCZH)
to visit the Cybercrime Coordination Unit (KOBIK) in Bern. The
background was a Freedom of Information Act based request by the CCCZH:
KOBIK provides a list of domain names that host child pornography. It is
seen as a voluntary DNS blacklist for ISPs (and all the large Swiss ISPs
apply this list). Naturally, groups like the CCCZH are worried given the
non-public and non-transparent nature of this list, lack of independent
monitoring, and its possible implications for future expansion to other
areas. This is not a theoretical danger, given that a court ordered
Swiss ISPs to block swissjustice.net for “defamatory statements”.
$ dig @8.8.8.8 swissjustice.net any +short # google dns
"v=spf1 a mx ip4:72.34.40.81 ?all"
0 swissjustice.net.
ns1.mh.tc. accounts.elinuxservers.com. 2011102801 86400 7200 3600000 86400
ns1.mh.tc.
ns2.mh.tc.
72.34.40.86
$ dig @62.2.24.162 swissjustice.net any +short # cablecom.ch dns
$
KOBIK, the Cybercrime Unit, invited us to look at the list. The head of
the organization and his assistant gave a presentation on the background
of the unit and their main activities. We asked several questions, and
were repeatedly encouraged to write more questions or come for another
visit any time.
Down to Earth in Switzerland
The atmosphere was very friendly, and we felt welcome. In some way they
even wanted us to be there, to hear their side of the story. I have no
reason not to believe what they told us, and I did not sense any hidden
agenda. In contrast to other law enforcement agents I had contact with
in the past, they did not seem to be much depressed about external
influences or wrong decisions being made “above them”. In some way,
Switzerland seems to be successful in buying its freedom in some areas,
and, due to this independence and size, does not appear to be under the
same non-stop heat of lobbyism as I am used to in Germany.
Knowing about our background, they constantly tried to assure us that
they were against all sorts of “other” blocking activities, and that the
lists were provided more as a side project to providers who asked about
them, not because anyone would believe it is a particularly useful
measure against child pornography, but to “spare children and families
from accidentally stumbling across the content”. At the same time, they
contact ISPs and local law enforcement. They are well aware that DNS
level blocks are no defense mechanism at all, and argue against IP level
blocks for their coarse granularity and side effects (and any other
categories of blocking for that matter).
Cybercrime’s Just Images
I reckon it’s still not much different in other European countries, but
it still came as a surprise to us to experience that the whole
Switzerland Cybercrime Coordination Unit, the (quote) “center of
excellence for the public, authorities and Internet service providers
about legal, technical and criminological issues on Internet crimes”
plus “contact for foreign cybercrime authorities” (my emphases), has
only 10 employees at a ~$1m budget. Maybe a somewhat special situation
in Switzerland and for historical reasons, it still almost completely
focusses on child pornography and display of violence (hard pornography
illegal in Switzerland). They will slowly expand into other directions
in the future, but specifically grew out of a working group around a
large child pornography case in the 90s, Operation Genesis. Also, they
themselves argue that most crimes involve the real world and are better
suited to be dealt with in the traditional departments.
Yes, Porn
How do they find the sites in the first place? They have three main
sources: a form where anyone can report suspicious websites
‘anonymously’ (they do log IPs and don’t offer HTTPS!). Secondly,
INTERPOL seems to maintain a somewhat broader list, but KOBIK verifies
each site again for specific violations of Swiss law. They also seem to
conduct a limited number of own investigations. The head of department
didn’t go into detail about this area, not only because they cannot talk
too much about their operational strategies, but also because the whole
event was more focussed on blacklist creation, distribution and
verification. I don’t believe the budget allows for many investigations
after all. (a few numbers are at the end of this post)
Once the sites are added to the list, they are regularly checked again
to see if content has changed. It sounded like a low number of countries
and ISPs don’t cooperate well (but most do), and there isn’t much else
they can do in such cases. The situation is different with pictures that
directly involve Swiss citizens. In those cases they work together with
the traditional pedocrime unit and try to seize the server.
Independent monitoring
So far there is no external inspection. Some ISPs seem to verify the
content themselves before redirecting DNS (not all ISPs block all
hostnames), which according to the KOBIK lawyer is perfectly legal to do
in Switzerland. You get to see the website depicted in the screenshot,
which ISPs can either self-host or use one hosted by KOBIK. Allegedly,
IPs hitting the blocked sites are not stored/analyzed in any way, nor
does KOBIK operate any honeypots or have legal or technical access to
visitor information (no DPI/logging at ISPs). Most of the sites they
deal with, at least concerning the blocks, are public websites full of
advertisements and clearly not “insider exchanges”, and tend to move
quickly. The turnaround time for the full list is only a few days (until
most or all sites are either taken down or moved somewhere else), and
most sites and pictures pop up again under a different name.
Need some hash?
Another growing area for KOBIK is the maintenance of a database of “100%
illegal child pornography” hashes for various commercial forensic tools
used by the different Kantons (states). Looking for (or at) evidence in
child pornography cases is arguably not a very delightful job, so
investigators more and more turn to automatic tools for that. KOBIK
stated that they are careful about only including definitive matches and
pick out only 100% clear-cut child pornography images for this.
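The matching step these forensic tools perform is exact-hash comparison: the investigator's tool digests every file on the seized medium and looks each digest up in the known-file set. The script below is an added example of that technique, not KOBIK's database or any vendor's tool. It assumes the hash list comes in the common "hexdigest [label]" text form; the files, labels and digests are constructed in a temporary directory.

```python
"""Match files on disk against a set of known-file hashes.

Added example, not KOBIK's database or any vendor's forensic tool. Assumes
a hash list in the common 'HEX_DIGEST  optional-label' text form; the
files and digests below are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large evidence files never load whole


def file_digest(path: Path, algo: str = "sha256") -> str:
    """Stream a file through hashlib and return its lowercase hex digest."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def load_hash_set(text: str, algo: str = "sha256") -> set[str]:
    """Parse 'digest [label]' lines.

    A digest of the wrong length or with non-hex characters raises instead of
    being stored: a truncated entry would silently never match anything.
    """
    want = hashlib.new(algo).digest_size * 2
    hashes: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        digest = line.split()[0].lower()
        if len(digest) != want or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"bad {algo} digest: {digest!r}")
        hashes.add(digest)
    return hashes


def scan(root: Path, known: set[str], algo: str = "sha256") -> dict[str, list[str]]:
    """Walk root (symlinks skipped, not followed) and report matches and read errors."""
    result: dict[str, list[str]] = {"matches": [], "errors": []}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # a link could point outside the evidence tree
            rel = p.relative_to(root).as_posix()
            try:
                if file_digest(p, algo) in known:
                    result["matches"].append(rel)
            except OSError as e:
                result["errors"].append(f"{rel}: {e}")
    return result


def demo() -> dict[str, list[str]]:
    """Constructed evidence tree: two known files, one near-duplicate, one unrelated."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "a.bin").write_bytes(b"known file one")
        (root / "sub" / "b.bin").write_bytes(b"known file two")
        (root / "c.bin").write_bytes(b"known file onf")  # one byte off: no match
        (root / "d.bin").write_bytes(b"unrelated")
        listing = "\n".join(
            f"{hashlib.sha256(data).hexdigest()}  {label}"
            for data, label in [(b"known file one", "case-1"), (b"known file two", "case-2")]
        )
        return scan(root, load_hash_set(listing))


if __name__ == "__main__":
    print(demo())
```

The near-duplicate `c.bin` is the caveat a practitioner should keep in mind: a cryptographic digest matches only the byte-identical file, so a re-encoded or resized copy of a listed image is invisible to this check. That is exactly why "100% clear-cut" curation matters for such a list, and also why it cannot replace a human look at anything it does not flag.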
Encryption and Tor
Given my background, I was naturally quite interested in their take on
Tor, and how often they come across encryption. While they are not
involved in the seizure or forensic analysis of machines very much, they
did say that “apparently most pedo criminals have their blood somewhere
else”.
KOBIK uses Tor in their investigations.
Technical
Once ISPs subscribe to the service and sign some paperwork, they get
SFTP access to daily updated, zipped text files of hostnames.
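What an ISP does with that file is the part the post only hints at: turn a list of hostnames into resolver configuration that answers with the stop page instead of the real address (the empty answer from the cablecom resolver earlier in the post is what that looks like from outside). The following is an added example, not KOBIK's or any ISP's code. It assumes the daily file is a zip with one hostname per line and emits Unbound `local-zone ... redirect` entries; the stop-page address 192.0.2.1 (an RFC 5737 documentation address) and the hostnames are constructed.

```python
"""Turn a zipped hostname list into an Unbound redirect zone.

Added example, not KOBIK's or any ISP's code. Assumes the daily file is a
zip containing one plain-text hostname per line; the stop-page address
and the hostnames below are constructed.
"""
import io
import re
import zipfile

STOP_PAGE_IP = "192.0.2.1"  # assumption: ISP-hosted stop page, documentation address

# RFC 1123 labels: alnum and hyphen, no leading/trailing hyphen, 1..63 chars
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_hostnames(text: str) -> list[str]:
    """Normalise and validate one hostname per line; drop blanks, comments and junk."""
    seen: set[str] = set()
    out: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not line:
            continue
        # Punycode IDN labels so the config holds what resolvers actually query;
        # the idna codec also rejects empty or over-long labels.
        try:
            name = line.encode("idna").decode("ascii")
        except UnicodeError:
            continue
        labels = name.split(".")
        if len(labels) < 2 or len(name) > 253 or not all(_LABEL.match(l) for l in labels):
            continue
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def load_zip(blob: bytes) -> list[str]:
    """Read every .txt member of the zipped list and merge them, order preserved."""
    names: list[str] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for member in zf.namelist():
            if member.endswith(".txt"):
                names.extend(parse_hostnames(zf.read(member).decode("utf-8", "replace")))
    return list(dict.fromkeys(names))


def unbound_config(hostnames: list[str], stop_ip: str = STOP_PAGE_IP) -> str:
    """local-zone redirect: the name and everything below it answer with stop_ip."""
    lines = ["server:"]
    for h in hostnames:
        lines.append(f'    local-zone: "{h}." redirect')
        lines.append(f'    local-data: "{h}. A {stop_ip}"')
    return "\n".join(lines) + "\n"


def build_sample_zip() -> bytes:
    """Constructed stand-in for the daily file (documentation-only names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "blocklist.txt",
            "# constructed sample\n"
            "WWW.Example.COM\n"
            "example.net.\n"
            "bad host.example\n"       # space in label: rejected
            "www.example.com\n"        # duplicate after normalisation
            "xn--bcher-kva.example\n"  # already punycoded
            "bücher.example\n"         # same name in IDN form: deduplicated
            "\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    print(unbound_config(load_zip(build_sample_zip())), end="")
```

Two design points worth noting. Normalising and validating before emitting config is not cosmetic: a stray space or an empty label in a hand-edited list would make the resolver refuse the whole file, and mixed IDN/punycode forms would leave one spelling unblocked. And `redirect` rather than a plain NXDOMAIN is what sends visitors to the stop page the post describes; it also means every subdomain of a listed name is caught, which is the coarse-granularity trade-off the list maintainers themselves argue about at the IP level.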
KOBIK seemed genuinely interested in extending the cooperation towards
research institutes, especially since they don’t have the manpower to
properly follow up on developing trends (what kind of ISPs and ASNs are
more involved than others in this business etc).
Conclusion
The current staff seems to have its heart at the right place. The list
serves a well-intentioned purpose and was not introduced by external
pressure, but as an internal idea, not least to save the investigators
the trouble to have to justify that some websites might still be up
“days after a report came in.” Still, changes in political climate can
come faster than KOBIK expects. Even if they can hold powers back for a
while, in the end either heads will roll or, more likely, some people
will want to keep their job. What if, some day rather sooner than later,
something like Cleanfeed UK repeats in Switzerland? Will KOBIK stand
against a court order? Not likely. And Torproject.org is already listed
in several “civilized” blocklists around the globe. This is real.
Some numbers
* 5000-7000 reports coming in from the public p.a.
* at the time of our visit, the blocklist contained 148 hostnames
* the Interpol list was said to be a bit larger, but the same order of
magnitude
* 10 employees (including head of department)
* budget around CHF 1m (USD 1.1m)
* ~200 access providers exist in Switzerland, around 10% use the list
(large ISPs, cover 90% of the population)
http://www.hackerbus.eu/blog/2012/03/27/so-what-about-cybercrime-in-switzerland.html
--
Moritz Bartl
https://www.torservers.net/