RESEARCH ASSIGNMENT

British Columbia Institute of Technology

Case of Nicodemo S. Scarfo V. USA

NAME: Arif Zina

email: zina.arif@hotmail.com

DATE: Nov 30, 2006



Table of Contents

Introduction
Description of the broken applicable laws
Description of the crime
Tools, Techniques and Technologies used
    PGP encryption technique
    The Key Logger System
    Definition of terms
How the crime was detected, investigated and prosecuted
Legal issues involved in retrieval of evidence
Privacy issues raised
Comparison with other cyber-crimes and techniques
Conclusion
Bibliography

Case of Nicodemo S. Scarfo V. USA

Introduction

Computer crime can broadly be defined as criminal activity involving the information technology
infrastructure, including illegal access (unauthorized access), illegal interception (by technical means of
non-public transmissions of computer data to, from or within a computer system), data interference
(unauthorized damaging, deletion, deterioration, alteration or suppression of computer data), systems
interference (interfering with the functioning of a computer system by inputting, transmitting, damaging,
deleting, deteriorating, altering or suppressing computer data), misuse of devices, forgery (ID theft), and
electronic fraud.

Description of the broken applicable laws

According to court records, confidential informants told FBI agents in January 1999 that Scarfo and an
associate, Andrew Knapik, had been running a sports-betting and loan-sharking operation linked to the
Gambino crime family out of a one-room office of a company known as Merchant Services Inc. in
Belleville, N.J.
It appeared to agents that Scarfo, 35, who had several arrests and convictions on assault, conspiracy and
weapons charges, was being groomed to take over the operation from Knapik, who was heading to
prison. The two would drive around collecting on bets and loan payments, and when Scarfo was arrested
he had more than $6,000 in cash on him, according to court records. Scarfo also would use the Merchant
Services office for loan collection, the records said.

A number of laws dealt with the crimes Scarfo was accused of. The prosecution had evidence that Scarfo had
committed illegal gambling, loansharking and other racketeering offenses, in violation of 18 U.S.C. 371
(conspiracy), 892-894 (extortionate credit transactions), 1955 (illegal gambling business) and 1962 (RICO).
Under RICO, the prosecution must show that the defendant committed at least two related racketeering acts
forming a pattern, and that the pattern was connected to the conduct of an enterprise's affairs.

Description of the crime

Mr. Scarfo had been under surveillance and investigation for illegal gambling, loan sharking and other
racketeering offenses. He was charged with supervising "an illegal gambling business" in violation of state
and federal law and with using extortionate loan-shark tactics, according to the three-count indictment filed
in federal court in June 2000. Scarfo, who was charged with masterminding a mob-linked loan-sharking
operation in New Jersey, used his computer and the popular PGP encryption program to shield the files on
it from prying eyes.

In January 1999, agents of the FBI raided the offices of Nicodemo S. Scarfo, a reputed Philadelphia
underworld figure, and co-defendant Frank Paolercio, searching for evidence of illegal gambling operations.
Armed with a search warrant, the agents searched for and seized files from Scarfo's computer, including a
single file called "Factors" that was encrypted with the commercial software PGP ("Pretty Good Privacy").
PGP uses a hybrid encryption scheme, explained later in this report, that cannot realistically be broken
without the passphrase. This left the government unable to decrypt the file and recover usable evidence
from it.

Unable to decrypt the file without the passphrase, and convinced that it contained evidence of Scarfo's
illegal activities, the government on May 8, 1999 obtained an order from Magistrate Judge G. Donald Haneke
authorizing the FBI to install its Key Logger System (KLS) on Scarfo's computer. Agents returned under that
warrant, installed the key-logging capability on his computer, and monitored it for about two months.

A seven-page court order authorized the FBI and cooperating local police to enter Scarfo's first-floor
"Merchant Services of Essex County" office as many times as necessary to deploy, maintain and then remove
"recovery methods which will capture the necessary key-related information and encrypted files." The
surveillance ultimately produced the passphrase, nds09813-050, which a source close to the case confirmed
was the prison identification number of Scarfo's father.

A KLS works by recording the keystrokes typed on a keyboard. FBI agents covertly entered Scarfo's office in
Belleville, New Jersey, on May 10, 1999, and installed a keystroke-capture capability, generally known as a
key logger, to recover his passphrase as he typed it.

From the KLS record the FBI determined Scarfo's PGP passphrase, used it to open the encrypted file,
recovered business data, and subsequently indicted Scarfo using the information gained through the KLS
search.

Because Scarfo's illicit businesses were plainly assisted by his computer and by the encryption software
installed on it, law enforcement was prompted to conduct a computer crime investigation.

Tools, techniques and technologies used

PGP encryption/decryption technique

The defendant, Scarfo, used PGP software to encrypt files on his computer. PGP is a commercially available
encryption program, and is in fact available free over the Internet to individual users. Once installed, it can
be configured to use different symmetric encryption algorithms, such as IDEA or triple DES. A PGP user may
encrypt (encipher) the plaintext of his or her files, store them, and later decrypt (decipher) them. In this way
the PGP user prevents anyone who does not possess the appropriate key and key-related information from
decrypting the files.

A PGP user normally creates one public and private key pair (the two keys are mathematically associated
with each other). The public key is used to encrypt data so that only the holder of the paired private key can
decrypt it. Besides encrypting files that are merely to be stored on the user's own computer, PGP users can
exchange encrypted files and messages: a user shares his public key with others, who then send him files
that they have encrypted with that public key. Public and private PGP keys are long strings of data that no
one can memorize, so the private key is stored encrypted and protected by a simpler passphrase that the
user types.

PGP combines features of both conventional (symmetric) and public-key cryptography; it is a hybrid
cryptosystem. When a user encrypts plaintext with PGP, PGP first compresses the plaintext. Compression
saves modem transmission time and disk space, and the PGP documentation of the time also presented it
as a security benefit: classical cryptanalysis exploits patterns in the plaintext, and compression reduces
those patterns. (Files that are too short to compress, or that do not compress well, are not compressed.)
A practitioner today should treat that security claim with caution: a sound modern cipher does not depend
on the plaintext being patternless, and compressing before encrypting can itself leak information through
the length of the ciphertext, as the later CRIME and BREACH attacks on compressed TLS traffic showed.
See figure 1-1.

Figure 1-1 How PGP encryption works

Each time a file is encrypted, PGP generates a fresh random session key. The file itself is encrypted with that
session key, and the session key is in turn encrypted with the recipient's public key and stored alongside the
ciphertext.

To decrypt a file encrypted to the user's public key, PGP displays a dialog box prompting the user to type,
on the keyboard, the passphrase associated with the matching private key. PGP checks that the passphrase
is correct and, if so, uses a key derived from it to decrypt the stored private key. The private key then
decrypts the session key, which in turn decrypts the selected file. Decrypting a PGP-encrypted file therefore
requires the encrypted file, the corresponding private key, the passphrase protecting that private key, and
the PGP program itself. See Figure 1-2.

Fig 1-2 How PGP decryption works.
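The following Go program is an added example, not code from this paper or from PGP itself, showing the hybrid scheme of figures 1-1 and 1-2 with modern standard-library primitives: zlib compression, a random AES-256-GCM session key, RSA-OAEP to wrap the session key, and a private key kept sealed under a passphrase. The Envelope layout, the simplified string-to-key stretching, the sample file contents and the passphrase are all assumptions made for the example; real OpenPGP packet formats and algorithms differ.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
)

// Envelope is one encrypted file (layout invented for the example, not OpenPGP's).
type Envelope struct {
	WrappedSessionKey []byte // random AES key, RSA-OAEP encrypted to the recipient
	Nonce, Ciphertext []byte // AES-GCM over the zlib-compressed plaintext
}

// LockedKey is the private key at rest, sealed under a passphrase-derived key.
type LockedKey struct{ Salt, Nonce, Ciphertext []byte }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(io.ReadFull(rand.Reader, b))
	return b
}

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// NewKeyPair generates the user's RSA key pair (2048 bits as a modern minimum).
func NewKeyPair() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// s2k is a simplified OpenPGP iterated-and-salted string-to-key transform: the
// passphrase is salted and re-hashed many times, so every guess costs real work.
func s2k(passphrase, salt []byte, iter int) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), passphrase...))
	for i := 0; i < iter; i++ {
		sum = sha256.Sum256(append(append(sum[:], salt...), passphrase...))
	}
	return sum[:]
}

// LockPrivateKey mirrors PGP key generation: the long private key is stored
// sealed, and the passphrase is the only part a person has to remember.
func LockPrivateKey(priv *rsa.PrivateKey, passphrase []byte) *LockedKey {
	der := must(x509.MarshalPKCS8PrivateKey(priv))
	salt, nonce := randBytes(16), randBytes(12)
	return &LockedKey{salt, nonce, gcm(s2k(passphrase, salt, 100_000)).Seal(nil, nonce, der, salt)}
}

// UnlockPrivateKey is the passphrase check of figure 1-2. A wrong passphrase
// fails here; a keystroke log supplies the right one without touching the cipher.
func UnlockPrivateKey(lk *LockedKey, passphrase []byte) (*rsa.PrivateKey, error) {
	der, err := gcm(s2k(passphrase, lk.Salt, 100_000)).Open(nil, lk.Nonce, lk.Ciphertext, lk.Salt)
	if err != nil {
		return nil, errors.New("wrong passphrase")
	}
	return must(x509.ParsePKCS8PrivateKey(der)).(*rsa.PrivateKey), nil
}

// Encrypt follows figure 1-1: compress, draw a fresh session key, encrypt the
// data under it, then encrypt only the session key to the recipient's public key.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) *Envelope {
	var zb bytes.Buffer
	zw := zlib.NewWriter(&zb)
	zw.Write(plaintext)
	zw.Close()
	session, nonce := randBytes(32), randBytes(12)
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, session, nil))
	return &Envelope{wrapped, nonce, gcm(session).Seal(nil, nonce, zb.Bytes(), nil)}
}

// Decrypt follows figure 1-2 once the private key is unlocked: recover the
// session key, then the compressed data, then inflate it.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) []byte {
	session := must(rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedSessionKey, nil))
	compressed := must(gcm(session).Open(nil, env.Nonce, env.Ciphertext, nil))
	return must(io.ReadAll(must(zlib.NewReader(bytes.NewReader(compressed)))))
}

func main() {
	priv := NewKeyPair()
	pass := []byte("example passphrase") // constructed, not the one from the case
	locked := LockPrivateKey(priv, pass)
	env := Encrypt(&priv.PublicKey, []byte("constructed sample contents of the Factors file"))
	if _, err := UnlockPrivateKey(locked, []byte("guess")); err != nil {
		fmt.Println("guess rejected:", err)
	}
	fmt.Printf("%s\n", Decrypt(must(UnlockPrivateKey(locked, pass)), env))
}
```

The point the case turns on is visible in UnlockPrivateKey: the RSA key and the AES session key are far too strong to attack, but the whole chain hangs on one passphrase typed at a keyboard, and a correct passphrase unseals everything with no cryptanalysis at all.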

The Key Logger System (KLS)

A keylogger, sometimes called a keystroke logger, key logger or system monitor, is a hardware device or
small program that records each keystroke a user types on a specific computer's keyboard. As a hardware
device, a keylogger is a small, battery-sized plug that sits between the keyboard cable and the computer's
keyboard port. Because it resembles an ordinary keyboard plug, and because most workstation keyboards
plug into the back of the computer, it is relatively easy for someone who wants to monitor a user to hide
such a device "in plain sight." As the user types, the device records each keystroke as text in its own
onboard memory. The person who installed the keylogger must later return and physically remove the
device in order to read what it has gathered.

Fig 1.3 An example of hardware keylogger system

A keylogger program does not require physical access to the user's computer. It can be installed deliberately
by someone who wants to monitor activity on a particular machine, or unwittingly as spyware delivered as
part of a rootkit or a remote access Trojan (RAT). On Windows, such a program commonly consists of two
files installed in the same directory: a dynamic link library (DLL) that hooks the keyboard and does the
recording, and an executable (.EXE) that installs the DLL and activates it. The program records each
keystroke the user types and periodically uploads the log over the Internet to whoever installed it. Although
keylogger programs are marketed for benign purposes, such as letting parents monitor their children's
activity on the Internet, most privacy advocates agree that the potential for abuse is great enough that
legislation should clearly make the unauthorized use of keyloggers a criminal offence.

Definitions of terms:

Spyware: programming placed on someone's computer to secretly gather information about the user and
relay it to advertisers or other interested parties. Spyware can arrive as a software virus or as a side effect
of installing a new program.

Rootkit: a collection of tools (programs) that maintain administrator-level access to a computer or
network while concealing their presence from the user and from security software.

Trojan horse: a program in which malicious or harmful code is hidden inside apparently harmless
programming or data in such a way that it can gain control and do its chosen form of damage, such as
ruining the file allocation table on the hard disk.

DLL: a dynamic link library is a collection of small programs, any of which can be called when needed by
a larger program running on the computer.

Executable: a file that contains a program, that is, a file capable of being executed or run as a program
on the computer.

Keystroke logging, depending on how it is implemented, can bypass even the best host and network
security, collecting credentials and key material for use in later attacks or information gathering. Because
passphrases are typed and recorded in the clear, keystroke logging also removes any need to brute-force
the encrypted data itself. Keystroke logging has been around since the days of the first minicomputer
systems and remains effective today as a first-step data-capture tool.

How the crime was detected, investigated and prosecuted

In this (Scarfo) case, the Newark FBI office requested FBI Laboratory assistance in acquiring Scarfo’s key
and key related information. In response, FBI engineers configured a hardware/software and/or firmware
solution based upon previously developed techniques which would permit the FBI to obtain the
defendant’s key and key related information. These techniques, and their various components, are known
collectively within the FBI as the Key Logger System (KLS).

Examination and evaluation of Scarfo's stand-alone computer by the FBI, during and after the entry
authorized by the order of January 15, 1999, revealed that the system had, in general, four mechanisms or
domains through which key or key-related information could enter or leave the encryption/decryption
processes:

1. From the transmission pathway through a modem attached to the computer.

2. By retrieval from the storage.

3. By entry, by someone typing on the keyboard.

4. By the computer itself, by one or more processes working within that computer.

To avoid a legal challenge from the defense, the FBI had to devise a technical search capability that would
search for and record key or key-related information entering through at least one of these mechanisms,
without detection, and without searching or seizing anything that, in addition to being key-related
information, could also be an electronic communication passing through the modem installed on Scarfo's
computer.

Federal law requires that any device that listens in on communication, whether it be a bug in a room or a
phone tap, requires a wiretap order. In the case of electronic communication via computers, the law
specifically requires a wiretap order only if the communication is intercepted in transmission via computer
modems and phone lines. That preserves the government's ability to seize a computer, with a simple
search warrant, and examine copies of e-mail already sent or received, or anything else that might be
stored on the computer's hard drive.

The FBI, as part of the KLS deployed in the instant investigation, did not install and operate any
component which would search for and record data entering or exiting the computer from the
transmission pathway through the modem attached to the computer. Further, the FBI did not install and
operate any KLS component which would search for or record any fixed data stored within the computer.

Each time the user pressed a key, the KLS first checked the status of all of the computer's communication
ports, that is, whether each port was active or inactive. The KLS recorded the keystroke only if every
communication port was inactive.

This checking-and-recording rule had a gap. If Scarfo was online, the modem was active and the
keystroke-capture component would, by design, not record keystrokes. But an active modem does not
necessarily mean that the computer is, at that moment, sending electronic communications. In a Microsoft
Windows environment (the operating system on Scarfo's computer) a user can activate the modem in one
window for one application, then switch to a second window and work in an application incapable of
communicating (a word processor, for example) but capable of running the PGP program. So if Scarfo
decrypted files in a separate window while the modem was active, the keystroke-capture component
would not have recorded his keystrokes and would not have captured the PGP passphrase.
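To make the gating rule concrete, here is an added example (not part of the original paper, and not the FBI's KLS, whose internals were never disclosed) that replays a constructed timeline of modem state, window focus and keystrokes through two capture policies: the modem-gated rule the paper attributes to the KLS, and the alternative raised in the privacy section below, recording only while the encryption program itself has the keyboard. The application names, the timeline and the passphrase are all constructed for the example.

```go
package main

import "fmt"

// Event is one item in a constructed timeline of what the monitored machine did:
// a communication-port state change, a window focus change, or a keystroke.
type Event struct {
	Kind   string // "port", "focus" or "key"
	Active bool   // for "port": whether a communication port is now active
	App    string // for "focus": the application that now owns the keyboard
	Key    byte   // for "key": the character typed
}

// State is what a capture component can observe at the instant of a keystroke.
type State struct {
	PortActive bool
	FocusedApp string
}

// Gate decides whether a keystroke may be recorded under the current state.
type Gate func(State) bool

// ModemGate is the rule the paper attributes to the KLS: record only while every
// communication port is inactive, so nothing in transit can be intercepted.
func ModemGate(s State) bool { return !s.PortActive }

// ProcessGate is the alternative raised in the privacy section: record only while
// the encryption program itself has the keyboard, whatever the modem is doing.
func ProcessGate(s State) bool { return s.FocusedApp == "pgp" }

// Capture replays the timeline through a gate and returns the keystrokes
// recorded per application, so the two policies can be compared on one input.
func Capture(events []Event, gate Gate) map[string]string {
	var st State
	out := map[string]string{}
	for _, e := range events {
		switch e.Kind {
		case "port":
			st.PortActive = e.Active
		case "focus":
			st.FocusedApp = e.App
		case "key":
			if gate(st) {
				out[st.FocusedApp] += string(rune(e.Key))
			}
		}
	}
	return out
}

// Helpers to build timelines (all names and text below are constructed).
func focus(app string) []Event { return []Event{{Kind: "focus", App: app}} }
func port(active bool) []Event { return []Event{{Kind: "port", Active: active}} }
func typing(s string) []Event {
	ev := make([]Event, 0, len(s))
	for i := 0; i < len(s); i++ {
		ev = append(ev, Event{Kind: "key", Key: s[i]})
	}
	return ev
}
func timeline(steps ...[]Event) []Event {
	var all []Event
	for _, s := range steps {
		all = append(all, s...)
	}
	return all
}

// OfflineDraft: modem idle; the user drafts mail, then decrypts a file with PGP.
var OfflineDraft = timeline(port(false), focus("mail"), typing("dear counsel, "), focus("pgp"), typing("pass-phrase-1"))

// OnlineDecrypt: a browser holds the modem open while PGP is used in another window.
var OnlineDecrypt = timeline(focus("browser"), port(true), focus("pgp"), typing("pass-phrase-1"))

func main() {
	for name, gate := range map[string]Gate{"modem-gated": ModemGate, "process-gated": ProcessGate} {
		fmt.Printf("%-13s offline: %v\n", name, Capture(OfflineDraft, gate))
		fmt.Printf("%-13s online:  %v\n", name, Capture(OnlineDecrypt, gate))
	}
}
```

The modem-gated policy records everything typed while the modem is idle, the mail draft included, and records nothing while the browser holds the modem open, not even the passphrase typed into PGP in the other window; that is the gap described above and the over-capture the defense complained of. The process-gated policy captures the passphrase in both runs and nothing else.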

Examination of the defendant's computer by FBI agents during court-authorized entries showed that the PGP
program, as configured and used by the defendant during all relevant periods, was not technically capable
of sending his passphrase over a network in any way. All of the PGP program's functions and operations
originated from the computer's hard drive, with the exception of the passphrase, which the defendant
entered via the keyboard. It followed that all encryption and decryption necessarily occurred within his
computer, and not on some other networked computer reached via the modem. This would be true even if
Scarfo was using PGP while the modem happened to be activated by another program, such as a browser
in another window.

The PGP program visually prompts the user who is decrypting a file for the passphrase associated with the
appropriate private key. The passphrase is typed on the keyboard and entered into the PGP program, which
verifies it and, if it is correct, uses it to decrypt the private key.

The FBI developed a mechanism to record the passphrase as the user entered it via the keyboard, together
with certain other key-related information. The FBI recognized that the defendant could use PGP in
sequential combination with any of a wide array of encoding, scrambling or other encryption programs,
producing layers of encryption that would prevent recovery of intelligible plaintext even if the PGP
passphrase and key-related information were captured. The keystroke-capture component guarded against
this and other unknown contingencies without impairing functionality or jeopardizing the covert operation of
the KLS. Accordingly, the multiple components of the KLS complemented each other while operating within
the court's orders, which specified that the KLS would not capture communications subject to Title III.

The government must obtain a Title III order if it wants to read e-mail in transmission, listen to telephone
calls, or install an audio bug in a house. Such an order is tightly constrained: it must be approved by senior
Justice Department officials, is effective for only 30 days at a time, and must be accompanied by significant
efforts to ensure that only matters covered by the order are examined. The law also distinguishes between
interception of e-mail in transmission and access to e-mail that is stored, even temporarily. As a general
rule, obtaining communications in transmission requires a Title III wiretap order, obtaining them from
temporary storage requires a search warrant, and obtaining them from longer-term storage requires only a
subpoena.

Legal issues involved in retrieval of evidence

The case appears to be the first in which the U.S. government used such aggressive surveillance
techniques during an investigation, and some legal observers say the FBI's breaking-and-entering
procedures go too far. "I don't think it's constitutional," said David Sobel, general counsel of the Electronic
Privacy Information Center in Washington, D.C. "This case has the potential to establish some very
important precedents on this issue."

Scarfo's prosecution came at a time when the FBI's Carnivore surveillance system was under increasingly
heavy fire from privacy groups and the use of encryption products appeared to be growing. The spring 1999
investigation of Scarfo may be what prompted the Clinton administration to recommend changing federal
law to allow police to conduct electronic "black bag" jobs. The idea first publicly surfaced in mid-1999, when
the Justice Department proposed legislation that would let police obtain surreptitious warrants and
"postpone" notifying the person whose property they entered for 30 days.

After vocal objections from civil liberties groups, the administration backed away from the controversial
bill. In the final draft of the Cyberspace Electronic Security Act submitted to Congress, the secret-search
portions had disappeared. In January 2000, the Clinton administration seemed to change its mind.
"When criminals like drug dealers and terrorists use encryption to conceal their communications, law
enforcement must be able to respond in a manner that will not thwart an investigation or tip off a suspect,"
Attorney General Janet Reno and Deputy Defense Secretary John Hamre wrote in a seven-page letter to
Congress. That letter, however, suggested the feds didn't need a new law -- and would instead rely on
"general authorities" when asking judges to authorize black bag jobs. A related "secret search" proposal
resurfaced in May 2000 in a Senate bankruptcy bill.

In the Scarfo case, the FBI in May 1999 asked for "authority to search for and seize encryption-key-
related pass phrases" from his computer as well as "install and leave behind software, firmware, and/or
hardware equipment which will monitor the inputted data entered on Nicodemo S. Scarfo's computer by
recording the key related information as they are entered." Ruling that "normal investigative procedures to
decrypt the codes and keys necessary to decipher the 'factors' encrypted computer file have been tried
and have failed," U.S. Magistrate Judge G. Donald Haneke granted the FBI's request.

EPIC's Sobel suggested that Haneke did not, under federal law, have the authority to grant such an order.
"The interesting issue is that they in those (court) documents specifically disclaim any reliance on the
wiretap statute," Sobel says. "If they're on record saying this isn't communications -- and it isn't -- then
that extraordinary authority they have under the wiretap laws does not apply." "If we're now talking about
expanding (black bag jobs) to every case in which the government has an interest where the subject is
using a computer and encryption, the number of break-ins is going to skyrocket," Sobel said. "Break-ins
are going to become commonplace."

Eugene Volokh, a law professor at UCLA, said he believed the government could successfully argue the
break-in was constitutional. "There's nothing in the Constitution that prohibits this kind of anticipatory
search," says Volokh. "In many respects it's no different from a wiretap." A lawyer for Scarfo filed a motion
challenging the legality of the FBI's black bag job.

"Anything he typed on that keyboard -- a letter to his lawyer, personal or medical records, legitimate
business records -- they got it all," attorney Donald Manno told the paper.

Privacy issues raised

This case sits at the heart of how technology increasingly strains notions of privacy and whether established
law works in a digital age. Scarfo's defense team, with assistance from privacy organizations, tried to force
the government to reveal how the "key-logging" technology works, as a possible prelude to asking that the
evidence it yielded be thrown out.

Privacy advocates were especially concerned that the key logger was planted on the basis of a simple
search warrant and not a court-approved wiretap order, which is more difficult to obtain and carries far
greater restrictions.

Prosecutors insisted that the key logger planted by the FBI did not intercept communications, but refused to
divulge how the technology worked to back up that claim.
Privacy groups noted the new issue posed by key-logging technology, which is commercially available and
used by some companies: even if the key logger did not intercept a communication after the computer's
modem sent it, it effectively does the same thing by capturing what is typed into an e-mail or instant-message
form just before the user hits the send button.

Attorneys on both sides were under a court order not to speak about the case, but prosecutors argued in
court filings that disclosing the key-logging technology would enable criminals to find ways to defeat it in
the future. As a result, it's unclear whether the key logger used by the FBI was purely software or whether
it involved some sort of device attached to the keyboard. It's also unknown how the data from the key
logger was collected.

The key logger is "a highly sensitive law enforcement search and seizure technique, the disclosure of
which would compromise use of this technology and jeopardize the safety of law enforcement personnel,"
according to an affidavit by Donald Kerr, assistant director of the FBI's laboratory division.
In an initial ruling, U.S. District Judge Nicholas Politan in Newark rejected that argument.
"The government has not satisfactorily confirmed for the court that the key-logger device did not operate
in conjunction with the computer's modems, or otherwise, to cause the interception of a communication,"
Politan wrote.
He added that the pages of captured keystrokes the government had placed in evidence "are in the truest
sense 'gobbledygook,'" and that he could not determine whether the search was legal without knowing
how the key-logging technology works.

Former law enforcement officials said that criminals are increasingly using sophisticated high technology
and that the government must have, within reason, the ability to keep one step ahead of them.
"Encryption is virtually unbreakable by police today, with programs that can be bought for $15," said
Stewart Baker, former general counsel of the National Security Agency and now partner at the
Washington law firm Steptoe & Johnson.
Although agreeing that surveillance should be done under strict guidelines, Baker said that "to a degree,
the privacy groups got us into this by arguing that there should be no limits on encryption, and the police
have to deal with it." David Sobel, general counsel of the Electronic Privacy Information Center in
Washington, which has been advising the defense team, disagreed.
"Because of this technology there are a lot of gray areas," Sobel said, "but law enforcement is always
attempting to resolve them in favor of more aggressive techniques." As an example he wondered
whether, if the key-logging system used in the Scarfo case was able to turn itself off when the modem
was activated to ensure that a wiretap order was not required, why it couldn't instead have been
configured to activate only when an encryption program was run.

Comparison with other cyber-crimes and techniques

The passphrase could also have been recovered by installing a Trojan horse program on Scarfo's computer.
A Trojan horse is a destructive program that masquerades as a benign application. Unlike viruses, Trojan
horses do not replicate themselves, but they can be just as destructive.

Trojan horses are classified by how they breach systems and the damage they cause. The seven main types
of Trojan horses are:

• Remote Access Trojans
• Data Sending Trojans
• Destructive Trojans
• Proxy Trojans
• FTP Trojans
• Security software disabler Trojans
• Denial-of-service attack (DoS) Trojans

Data-sending Trojans are designed to provide the attacker with sensitive data such as passwords, credit card
information, log files, e-mail addresses or IM contact lists. They may look for specific predefined data (for
example, only credit card numbers or passwords), or they may install a keylogger and send every recorded
keystroke back to the attacker.

Programs such as the BO2K and Sub7 Trojans, or the WinWhatWhere and Monitorer monitoring tools, can
be installed secretly without the user's knowledge and configured to capture keystrokes in real time, before
anything is transmitted to the Web. They can also transmit their results to law enforcement or intelligence
agents in real time over the Internet or by direct dial-back.

Conclusion

In this investigation, one has to ask whether the government overreached, and whether the installation and
monitoring of the key logger violated the wiretap law.

Clearly the government had a legitimate interest in conducting a criminal investigation of Nicky Scarfo.
The magistrate found probable cause to search the computer and to seize the passphrase, and courts
routinely permit the installation of hidden video cameras and other surveillance. Indeed, only days after the
government filed its classified motion in this case, it revealed in another case that it had installed a hidden
video camera in a government office to monitor a person suspected of spying for Libya and to watch him
send e-mails containing classified information. But there are limits to government surveillance. Essentially
three limitations bound the scope of government searches and seizures: the Fourth Amendment, the federal
rules on the issuance of search warrants, and federal law regarding "electronic surveillance".

The Fourth Amendment provides that: "The right of the people to be secure in their persons, houses,
papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall
issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be
searched, and the persons or things to be seized."

The Constitution therefore requires that the conduct in question be a "search" or "seizure", that it be
reasonable, and that, if it is conducted pursuant to a warrant, a neutral and detached magistrate has found
probable cause.

Bibliography

Break the Scarfo Silence. BusinessWeek.
http://www.businessweek.com/technology/content/sept2001/tc2001094_186.htm

FBI hacks alleged mobster. Wired News.
http://www.wired.com/news/politics/1,40541-0.html

FBI device sets off alarm. USA Today.
http://www.usatoday.com

High-Tech FBI Tactics Raise Privacy Question. The Washington Post.
http://www.washingtonpost.com

How far can FBI spying go. Wired News.
http://www.wired.com/news/politics/1,45730.html

Electronic Privacy Information Center, Scarfo case page.
http://www.epic.org/crypto/scarfo.html

Electronic Privacy Information Center.
www.epic.org