Unit5 Intrusiondetection

In Information Security, intrusion detection is the act of detecting actions that attempt to compromisetheconfidentiality,integrityoravailabilityofaresource.WhenIntrusiondetection takes a preventive measure without direct human intervention, then it becomes an Intrusion preventionsystem. Intrusiondetectioncanbeperformedmanuallyorautomatically.Manualintrusiondetectionmight takeplacebyexamininglogfilesorotherevidenceforsignsofintrusions,includingnetworktraffic. A system that performs automated intrusion detection is called an Intrusion Detection System (IDS).AnIDScanbeeitherhostbased,ifitmonitorssystemcallsorlogs,ornetworkbasedifit monitors the flow of network packets. Modern IDSs are usually a combination of these two approaches.Anotherimportantdistinctionisbetweensystemsthatidentifypatternsoftrafficor applicationdatapresumedtobemalicious(misusedetectionsystems),andsystemsthatcompare activitiesagainsta'normal'baseline(anomalydetectionsystems). WhenaprobableintrusionisdiscoveredbyanIDS,typicalactionstoperformwouldbelogging relevantinformationtoafileordatabase,generatinganemailalert,orgeneratingamessagetoa pagerormobilephone. Determiningwhattheprobableintrusionactuallyisandtakingsomeformofactiontostopitor preventitfromhappeningagainareusuallyoutsidethescopeofintrusiondetection.However,some forms of automaticreactioncanbeimplementedthroughtheinteractionofIntrusionDetection Systemsandaccesscontrolsystemssuchasfirewalls. Some authors classify the identification of attack attempts at the source system as extrusion detection(alsoknownasoutboundintrusiondetection)techniques. Intrusionpreventionisanevolutionofintrusiondetection.

Networkbased
ANetworkintrusiondetectionsystem(NIDS)isonecommontypeofIDSthatanalyzesnetwork trafficatalllayersoftheOpenSystemsInterconnection(OSI)modelandmakesdecisionsaboutthe purpose of the traffic, analyzing for suspicious activity. Most NIDSs are easy to deploy on a networkandcanoftenviewtrafficfrommanysystemsatonce.Atermbecomingmorewidelyused byvendorsisWirelessintrusionpreventionsystem(WIPS)todescribeanetworkdevicethat monitors and analyzes the wireless radio spectrum in a network for intrusions and performs countermeasures.

Wireless
Awirelesslocalareanetwork(WLAN)IDSissimilartoNIDSinthatitcananalyzenetworktraffic. However,itwillalsoanalyzewirelessspecifictraffic,includingscanningforexternaluserstryingto connecttoaccesspoints(AP),rogueAPs,usersoutsidethephysicalareaofthecompany,and WLANIDSsbuiltintoAPs.Asnetworksincreasinglysupportwirelesstechnologiesatvarious pointsofatopology,WLANIDSwillplaylargerrolesinsecurity.ManypreviousNIDStoolswill includeenhancementstosupportwirelesstrafficanalysis.

NetworkBehaviorAnomalyDetection
NetworkBehaviorAnomalyDetection(NBAD)viewstrafficonnetworksegmentstodetermineif anomaliesexistintheamountortypeoftraffic.Segmentsthatusuallyseeverylittletrafficor segmentsthatseeonlyaparticulartypeoftrafficmaytransformtheamountortypeoftrafficifan unwantedeventoccurs.NBADrequiresseveralsensorstocreateagoodsnapshotofanetworkand requiresbenchmarkingandbaseliningtodeterminethenominalamountofasegmentstraffic.

Hostbased
Hostbasedintrusiondetectionsystem(HIDS)analyzenetworktrafficandsystemspecificsettings suchassoftwarecalls,localsecuritypolicy,locallogaudits,andmore.AHIDSmustbeinstalledon eachmachineandrequiresconfigurationspecifictothatoperatingsystemandsoftware.

Detectiontypes
Signaturebaseddetection
An IDS can usesignaturebaseddetection,relyingonknowntrafficdatatoanalyzepotentially unwantedtraffic.Thistypeofdetectionisveryfastandeasytoconfigure.However,anattackercan slightlymodifyanattacktorenderitundetectablebyasignaturebasedIDS.Still,signaturebased detection,althoughlimitedinitsdetectioncapability,canbeveryaccurate.

Anomalybaseddetection
An IDS that looks at network traffic and detects data that is incorrect, not valid, or generally abnormaliscalledanomalybaseddetection.Thismethodisusefulfordetectingunwantedtraffic that is notspecificallyknown.Forinstance,ananomalybasedIDS willdetectthatanInternet protocol(IP)packetismalformed.Itdoesnotdetectthatitismalformedinaspecificway,but indicatesthatitisanomalous.

StatefulProtocolInspection
Statefulprotocolinspectionissimilartoanomalybaseddetection,butitcanalsoanalyzetrafficat thenetworkandtransportlayerandvendorspecifictrafficattheapplicationlayer,whichanomaly baseddetectioncannotdo.

History
TheoriginalcellularphonenetworkintheUnitedStateswascalledtheAnalogMobilePhone System(AMPS).ItwasdevelopedbyAT&Tandlaunchedin1983.AMPSoperatedinthe800MHz range,from824849MHzand869894MHz.Thelowerbandwasusedfortransmissionsfromthe phonetothebasestation,andtheupperbandwasforthereversedirection(LeonGarciaand Widjaja2000).Thisallowsfullduplexconversation,whichisdesirableforvoicecommunications. Thebandsweredividedinto832subchannels,andeachconnectionrequiredapair:oneeachfor sendingandreceivingdata.Eachsubchannelwas30KHzwide,whichyieldedvoicequality comparabletowiredtelephones.Thesubchannelsweresetupsothateverysubchannelpairwas exactly45MHzapart(LeonGarciaandWidjaja2000).Severalofthechannelswerereserved exclusivelyforconnectionsetupandteardown.Thebasestationinaparticularcellkeptarecordof whichvoicesubchannelpairswereinuse.Thoughusable,thissystemincludedanumberofsecurity

aws.Becauseeachphonetransmitted(likeanyradiotransmitter)intheclearonitsownfrequency, thephonesinthissystemwerealmostcomicallyvulnerabletosecurityattacks(Riezenman2000, 40).Thecrimeofservicetheftplaguedcellularserviceproviders,asindividualswithradioscanners couldsnithecellularfrequenciesandobtainthephoneidenticationnumbersnecessaryto cloneaphone(Riezenman2000,39).Theabusercouldthenusethisclonedphonetomakefree telephonecallsthatwouldbechargedtothelegitimateusersaccount.Inanattempttostemthese attacks,serviceprovidersworkedwithCongresstopunishsuchabuse.Congresspassedalawin 1998tomakeowningacellularscannerwithintenttodefraudafederalcrime(Riezenman2000, 40).Unfortunately,punitivelegislationwasnotenoughtosolvetheproblem;anewstandardwas needed.Tocreateanewstandard,engineersneededtostartanew,examiningeachpartofthecurrent system.

StakeholdersinWirelessSecurity

In attempting to avoid security problems like those that plagued the rstgeneration cellular systems, engineers must design security into any new technology it cannot be added as an afterthought.Unfortunately,thisisnoeasytask.Implementinggoodsecurityrequiresthatsecurity bedesignedintoeveryaspectofthesystem;otherwise,asecurityleakexists.Thus,thefollowing entitiesmustcooperatetocreatethesecurewirelesssystem: Governmentregulator Networkinfrastructureprovider Wirelessserviceprovider Wirelessequipmentprovider Wirelessuser(Russell2001,172) InformationSecurityModel Beforeseekingtodesignandimplementwirelesssecurity,however,onerstneedstounderstand what this elusive concept of security really means. In this case, wireless security is really a combinationofwirelesschannelsecurity(securityoftheradiotransmission)andnetworksecurity (securityofthewirednetworkthroughwhichthedataows).Thesecollectivelycanbereferredto aswirelessnetworksecurity(Russell2001,173).Butthisstilldoesnotexplainthesecurityaspect. Inadigitalrealm,securityalmostalwaysmeansinformationsecurity.Therefore,wecanusethe informationsecuritymodelproposedbytheNationalSecurityTelecommunicationsandInformation Systems SecurityCommittee (NSTISSC), whilethe rowsontheleftside ofthecube are the informationcharacteristicsthatthesecuritypolicyshouldprovide.Thecolumnsontherightside ofthecubedetailthethreebroadcategoriesofsecuritymeasuresthatcanbepursuedtoprotectthe information.Thecubeisthussplitinto27smallercubes,eachofwhichmustbeexaminedforrisks andsolutionsinanyextensivesecurityaudit.Thisdocument,ontheotherhand,isnotmeantto containsuchanaudit,butrathertopresentthemajorissuesofwirelesssecurity,theobjectivesof futurewirelesstechnology,andthesecuritymeasuresneededtoreachthosegoals.

WirelessSecurityIssues Wirelesssystemsfaceanumberofsecuritychallenges,oneofwhichcomesfrominterference.As morewirelessdevicesbegintousethesamesectionofelectromagneticspectrum,thepossibilityof interference increases. This can result in a loss of signal for users. Moreover, an abuser can intentionallymountadenialofserviceattack(loweringavailability)byjammingthefrequencies used.IowaStateUniversityprofessorSteveRussellcommentsthatanRFengineerusing$50worth ofreadilyavailablecomponentscanbuildasimpleshortrange Physical securitycanposeproblems aswell.Cellularphones andotherhandhelddevices were designedtobesmallandmobile,butthisalsomeansthattheyaremorelikelythanotherpiecesof technologytogetlostorstolen,andthievescaneasilyconcealthem.Becauseoftheirsize,these devicesoftenhaveextremelylimitedcomputingpower.Thiscouldmanifestitselfinlowerlevelsin theencryptionthatprotectstheinformation(NIST,U.S.Dept.OfCommerce,526).Asencryption isimprovedinthesamedevice,speedisconsequentlylowered,asisavailablebandwidth(Russell 2001,174).Othersoftwareissuescanopensecurityholesaswell.Forexample,manyhandheld wirelessdevicesincludetheabilitytodownloadandrunprograms,someofwhichmaynotbe trustworthy.Eventhecoreoperatingsystemsoftwaremaynotbesecure;engineersmayhaverushed toreleaseitinordertooernewfeaturesinthecompetitivehandhelddevicemarket.Perhapsmost damaging,theuserstypicallylackawarenessthatanyofthesesecurityissuesmaybepresentin theirwirelesshandhelddevice(NIST,U.S.Dept.ofCommerce,527).Thesesecurityissuesserve asareminderthatdesigningforsecurityisneveranishedprocess.Everynewtechnologymustbe analyzedforsecurityissuesbeforeitisfullyimplemented.Eventhen,onemustkeepacarefuleye onanynewissuesthatmaydevelop. SecurityAnalysis Objectives Therststepinanalyzingcellularwirelesssecurityistoidentifythesecurityobjectives.Theseare thegoalsthatthesecuritypolicyandcorrespondingtechnologyshouldachieve.Howard,Walker, andWright,oftheBritishcompanyVodafone,createdobjectivesfor3Gwirelessthatareapplicable to4Gaswell: Toensurethatinformationgeneratedbyorrelatingtoauserisadequatelyprotected againstmisuseormisappropriation. Toensurethattheresourcesandservicesprovidedtousersareadequatelyprotected againstmisuseormisappropriation. Toensurethatthesecurityfeaturesarecompatiblewithworldwideavailability... Toensurethatthesecurityfeaturesareadequatelystandardizedtoensureworldwide interoperabilityandroamingbetweendierentproviders. Toensurethatthelevelofprotectionaordedtousersandprovidersofservicesiscon sideredtobebetterthanthatprovidedincontemporaryxedandmobilenetworks... Toensurethattheimplementationofsecurityfeaturesandmechanismscanbeex tendedandenhancedasrequiredbynewthreatsandservices.

Toensurethatsecurityfeaturesenablenewecommerceservicesandotheradvanced applications(Howard,Walker,andWright2001,22) Thesegoalswillhelptodirectsecurityeorts,especiallywhenthesystemisfacedwith specicthreats. Threats Becauseinstancesof4Gwirelesssystemscurrentlyonlyexistinafewlaboratories,itisdicultto knowexactlywhatsecuritythreatsmaybepresentinthefuture.However,onecanstillextrapolate basedonpastexperienceinwirednetworktechnologyandwirelesstransmission.Forinstance,as mobilehandhelddevicesbecomemorecomplex,newlayersoftechnologicalabstractionwillbe added.Thus,whilelowerlayersmaybefairlysecure,softwareatahigherlayermayintroduce vulnerabilities, or viceversa. Future cellular wireless devices will be known for their software applications, which will provide innovative new features to the user. Unfortunately, these applicationswilllikelyintroducenewsecurityholes,leadingtomoreattacksontheapplication level(Howard,Walker,andWright2001,22).JustasattacksovertheInternetmaycurrentlytake advantage of awsinapplications likeInternetExplorer,sotoomayattacks inthefuturetake advantageofpopularapplicationsoncellularphones.

Trojanhorsedefense
ATrojanhorseprogramisatypeofmalware,ormalicioussoftware.Likeothermalware,itinstalls itselfsurreptitouslyonacomputer;unlikeothertypesofmalware,aTrojanhorseletstheperson whodisseminateditremotelycontrolthecomputer(s)onwhichitinstalleditself.Thepersonwho controlstheTrojanwillhavecompleteaccesstothedataonthecompromisedcomputerandcan copy it, delete it or put new data on the computer. ThelastfeatureiswhatIwanttotalkabouttoday.It'sgivenrisetowhatiscalledthe"Trojanhorse defense."AfriendandIwrotealawreviewarticleanalyzinghowprosecutorscanrebutthedefense. (SusanBrenner,BrianCarrier&JefHenninger,TheTrojanHorseDefenseinCybercrimeCases,21 SantaClaraComputerandHighTechnologyLawJournal1(2004)).Thearticlefocusesbothon legalargumentsandtechnicalissuesaprosecutorfacingthedefensecanusetorebutit.Itgoesinto agreatdealofdetailtoday,IwanttotalkgenerallyabouttheTrojanhorsedefense(THD)and some of the issues it raises. TheTHDbecamenotoriousin2003,whenAaronCaffreyusedintheUnitedKingdom.Caffreywas charged,basically,withhackingintothePortofHoustoncomputersandcausingthemtoshutdown. HisdefenseattorneyconcededtheattackcamefromCaffrey'slaptopcomputer,butclaimedCaffrey wasnot responsiblefortheattack,thathehad,ineffect,been"framed"byotherhackers who installed Trojan horse programs on his laptop and used them to attack the Port of Houston computers.Inanefforttorebutthisdefense,theprosecutionpointedoutthatnotraceofTrojan horseprogramshadbeenfoundonthelaptop;thedefensecounteredbyexplainingthattheTrojan hourseprogramshadbeen"selferasing"Trojans,sonotracewouldremain.Thejuryclearlybought the defense's argument, as it acquitted Caffrey. ThiswasnotthefirstinstanceinwhichtheTHDhadbeenusedintheUK,buttheCaffreycase receivedfarmorepublicitythantheearlierinstance(s)inwhichthedefensewas raised.News storiespointedoutthatCaffrey'sdefenseraisedseriouschallengesforprosecutors.As oneobservernoted,the"casesuggeststhatevenifnoevidenceofacomputerbreakinis

unearthedonasuspect'sPC,theymightstillbeabletosuccessfullyclaimthattheywere notresponsibleforwhatevertheircomputerdoes,orwhatisfoundonitsharddrive."And otherspointedoutthatsomeonecouldestablishthefactualbasisforsuchadefenseby having Trojan horse programs on their computer. Aswenoteinthearticle,theTHDisanewversionofaveryolddefense:theSODDI defense(asitisknownintheU.S.).SODDIstandsfor"someotherdudedidit."Whena defendantraisesaSODDIdefense,he(orshe)concedesthatacrimewascommittedbut blames someone else for its commission. The SODDI defense is usually not very successfulinrealworldprosecutions(theO.J.Simpsoncaseisamajorexception).When adefendantraisesaSODDIdefenseinaprosecutionforatraditional,realworldcrime like,say,murderorrapeheclaimsthecrimewascommittedbyanunknownsomeone else.Jurorstendtobeskepticalofclaimeslikethis,especiallyif,asisusuallythecase,the prosecution is able to link the defendant to the crime by showing motive, opportunity and/or incriminating evidence that isin hispossession orcan be traced tohim(DNA, fingerprints,etc.).Jurorsareskepticalofclaimslikethisbecausetheyunderstandhowthe realworld works. TheSODDIdefensehasbeenmuchmoresuccessfulincybercrimecasesbecausethey involveacontextwhichmostjurorsdon'treallyunderstand,orunderstandenoughtobuy defenseclaimslikeCaffrey'scontentionaboutbeingframedbyselferasingTrojanhorse programs. (I'mnotatechnicallytrainedperson,soIcannotopineonthelikelihoodofselferasing Trojans.Iknowpeoplewhoaretechnicallytrainedwhodonotbelievetheyexist.Iftheydo not exist now, I assume they will at some point, so I don't see this as a particularly important issue, at least not for the prosecution.) Incybercrimecases,theSODDIdefenseturnsthetablesontheprosecution:Inacriminalcase,the prosecutionhastheburdenofprovingalltheelementsofthecrimebeyondareasonabledoubtand thedefensehastheburdenofprovinganaffirmativedefensebyapreponderanceoftheevidence. Thepreponderancestandardismuchlowerthanthestandardtheprosecutionmustmeet,but itensuresthatthedefensecannotpresentsomepurelyfrivoloustheorytothejury. Affirmative defenses concede that a crime has been committed byassert there is some reasonwhythedefendantshouldnotbeheldliableforit,suchasthatthedefendantisinsane orthatheactedinselfdefense. TogetaTHDbeforethejury,thedefensemustthereforepresentcredibleevidencethatwouldleta "reasonablejuror"findthatthedefensehadproventhatthecrimewasvirtuallycommittedbySome OtherDude,usingaTrojanhorse.IntheCaffreycase,thisevidencecameintheformofAaron Caffrey'stestimonytothejury;Caffrey,whoadmittedhewasahacker,actedashisownexpert witness,whichwasparticularlyimportantgiventhatnoTrojanhorseprogramswerefoundonthis computer IfaTrojanhorseprogramisfoundonadefendant'scomputer,thatwouldprovidethefactualbasis forgettingthedefensetothejury...thatalongwithtestimonywhichestablisheswhataTrojan horseprogramisandwhatitdoes.Oncethedefensedoesthis,theballisnowintheprosecution's court:Theprosecutionmustrebutthedefense,whichmeansitmustprovebeyondareasonable doubtthatitwasthedefendantnotSomeOtherDudeUsingaTrojanHorsewhocommittedthe

crim(s)

charged.

This

is

where

the

difficulty

arises.

Theprosecutionnowisobligatedtoproveanegative:thatitwasnotSomeOtherDudeUsinga TrojanHorseprogramwhohackedthePortofHouston,collectedchildpornographyorcommitted some other cybercrime. Proving a negative can be difficult, especially in this context. AsopposedtoinstancesinwhichadefendantraisesaSODDIdefenseinarealworldcriminalcase, theprosecutioncannotrelyonthejury'sabilitytousetheircommonsensetoassessthemeritsof andthenrejectthedefenseasimplausiblebecausethedefenseisgroundedinwhatisstill,formany, adistinctly"uncommon"context:thevirtualenvironmentofcomputes,harddrivesandcyberspace. Somejurorsmayknownothingabouttechnology,whichreallygivesthemnoconceptualframework touseinjudgingthemeritsofaTHD.This,Ithink,makesthemsomethingofawildcard;their decisiontogowiththeprosecutionorthedefensemaybemadearbitrarily,ajuror'sequivalentof flipping a coin. Otherjurorsmayknowalittleabouttechnology,enoughtoknowwhatvirusesareandtohavea generalideaofwhattheycando.Asfarastheprosecutionisconcerned,alittleknowledgemaybea dangerousthing:Thesejurorsmayunderstandenoughabouttechnologytobewillingtobelievethat Trojanhorses(andothertypesofmalware)candothingstheymaynotbeabletodoatall,ormay not have been able to do given the facts in the case before them. (I'mnotsurewhereIcomeoutonjurorswhoknowalotabouttechnology.Theymightbeableto analyzeandrejectthefactualfoundationofashaky/untenableTHDortheymightoveranalyzethe evidencepresentedandsobuyintothedefense.IguessonereasonIamnotsurewhereIcomeout on these jurors is that I think they are likely to be very scarce in the jury pool.) Assuming,asIthinkisreasonable,thatthejuryismadeupofpeoplewithlittleornoknowledgeof technology,howdoestheprosecutionrebutthedefense'spresentationofaTHD?Itseemsthatthe prosecutionwillhavetodissectthetechnicalbasisofthedefensetodoso;theCaffreyprosecution showedthatnoTrojanhorseswereonCaffrey'slaptop,andaskedthejurytoinferfromthisthatit wasCaffrey,notaTrojanhorseprogrambeingusedbysomeoneelse,whoshutdownthecomputers at the Port of Houston. ButifTrojanhorsesarefoundonthesuspect'scomputer,theprosecutionwillhavetogetintothe specificsoftechnologyitscapabilitiesandlimitationstorebuttheTHD.This,Ithink,creates realdifficultiesforprosecutors,becauseitrequiresthattheybeabletoexplainabtruse,technical concepts and processes to a lay jury in a way laypeople can understand and can use that understandingtoconductacriticalassessmentoftheTHDpresentedtothem.Thatcanbeavery difficultprocess;itwillrequire,Ithink,notonlyexpertwitnesses,buttheskillfuluseofgraphics animations,diagrams,maybephysicalexhibitsthatcanreallyletjurorsgraspwhatwouldhave hadtooccurfortheTHDtobevalidandwhythatdidnotoccur(establishing,byinference,thatthe THD defense is invalid). Doing all that can be a huge undertaking for the average prosecutor/prosecutor'soffice,asitrequirestime,expertiseandthemoneytopayforthecreationof the necessary demonstrative evidence (animations, diagrams, etc.). Fornow,IsuspectthedefenseenjoystheadvantagewithregardtotheTHD,whichiswhyIam surprised that we have not seen it used more in this country (it still seems be be used, often successfully, in the United Kingdom). TheonlyAmericancaseIknowofinwhichithasbeenusedsuccessfullyisanAlabamastatetax

fraud/tax evasion prosecution against Eugene Pitts, a Hoover, Alabama accountant. Pitts was accusedofunderreportingincomeonhistaxreturnsfor1997,1998and1999.Headmittedthere wereerrorsonhisreturnsforthoseyears,butblamedtheerrorsonacomputervirus.Although prosecutorspointedoutthattheallegedvirusdidnotaffecttheclienttaxreturnsPittspreparedon thesamecomputer,thejuryacquittedhimofallchargesafterdeliberatingfor3hours...another "Caffrey verdict." IassumetheinfrequencywithwhichaTHDisusedinthiscountryhassomethingtodowiththe defensebar'sfamiliarity,orunfamiliarty,withtechnology.Otherthanthat,Icannotimaginewhyit doesnotshowupmoreoften,especiallygiventhefrequencywithwhichtherealworldvariantof the SODDI defense is used. EverythingIhavesaidinthisposthasbeendirectedattheprosecution'sburdenandabilitytorebut aTHDdefense.EverythingIhavesaidsofarimplicitlyassumesthattheinvocationofthedefenseis frivolousasitwas,IMHO,intheCaffreyandPittscases.AndIthinkthatislikelytobetruein many (most?) of the cases in which a THD is used. Itwillnot,however,betrueineverycase.Aspeopleknowledgeableaboutcomputertechnologywill tellyou,aTrojanhorseprogramcouldeasilybeusedtoframesomeoneforacrime.Whileitseems exceedinglyunlikely("incredible")thataTrojanhorseprogramcouldput15,000imagesofchild pornographysortedintofoldersandsubfoldersonsomeone'sharddrivewithouttheirknowingit,a Trojan horse could be used to frame someone for, fraud, embezzlement or other crimes, even murder. Thinkaboutit:Doyouknoweverythingthatisonyourharddrive...everyfilefolder,everyfile?I can'timaginethatyoudo,giventheamountofdatamostofusacquire.Andhowmanyofusever checktoseewhat,exactly,isonourharddrive?Maybeotherpeopledo;Idon't(IhopeIamnot inviting someone to frame me by admitting that . . . ). ThepossibilitymakesmethinkoftheoldTVseries,TheFugitive.IntheTVseries(andinthe movie),Dr.RichardKimbleisadventitiouslyframedbytheonearmedmanwhokillsKimble's wife.Kimble'sSODDIdefense(assertingthatthemysteriousonearmedman,whomonlyhesaw, killed his wife) fails, and he is convicted of the crime. The same thing could be done, more calculatedly and with far less risk to the framer, by using a Trojan horse program. ImagineatwentyfirstcenturyversionofTheFugitive:Kimble'swifebecomesillsohetakesherto thehospital,whereshedies;theautopsyshowsshediedofricinpoisoning.Asintheseries,Kimble andhiswifehadbeenfighting;theevidenceofmaritaldiscordencouragesthepolicetotakehim seriouslyasasuspectinherdeath.Policeobtainasearchwarrant,seizethecomputerintheirhome andsearchit.Onitsharddrive,theyfindevidence(downloadeddata,evidenceofInternetsearches) thatKimbleresearchedthetoxicityofricinpoisoningandtheprocessesusedtoextractricinfrom castorbeans.(Theymightalsofindricininthehousesomewhere,maybeinaplaceKimbleuses.) Thiswouldbeenoughtochargehimwithhiswife'sdeath(absentothercontraveningfacts)and probably enough to convict him (absent a compelling defense). Inthisscenario,KimblecouldtryassertingaTHDtodisclaimresponsibilityfortheresearchinto ricinpoisoning,buttheTHDwouldnotbeaseffectivehereasitcouldbeina"pure"cybercrime case.Here,aTrojanhorseprogramisbeingused,inpart,toframesomeoneforarealworldcrime, murder.Thepotentialforpersuadingthejury(correctly,inthisinstance)thatsomeoneusedaTrojan horseprogramtoputthericindataonthecomputeraspartofalargerplottoframeKimbleforhis

wife'sdeathwouldbeunderminedbythatfactbecausethejurorswouldbelikelytoconcentrateon therealworldaspectsofthecrime(death,fighting,ricin,opportunity,etc.)andusetheircommon sense (no one said it's infallible) to conclude that he did it. Icouldgoon,butIhopeI'vemademypoint.TheTrojanhorsedefenseisatwoedgedsword:Itcan beusedbyguiltypartiesseekingtoavoidbeingheldliableforwhattheyhavedone;butitcanalso beusedtoframetheinnocent.