[ISN] Cyberspies protect the virtual business world

From: William Knowles (wkat_private)
Date: Mon Jun 04 2001 - 15:35:28 PDT


    By Max Smetannikov
    Interactive Week 
    June 4, 2001 2:33 AM PT
    Many who have done business in developing countries where wealth is
    disproportionate, hostage-taking is common and Americans are always a
    target, know the value of a couple of bodyguards and an armored escort
    when driving, no matter how much the service costs.
    The main reason why companies budget for physical protection in some
    locales is a certainty on their part that if they don't defend
    themselves, the local law won't defend them either.
    The same is true on the Internet, where business conditions are
    probably comparable to working conditions in Uzbekistan or North
    Korea--the 149th and 155th least-free economies on the planet,
    according to the 2000 Index of Economic Freedom. But in the last year,
    a handful of private companies have started to take enforcement into
    their own hands, quietly developing security units to protect their
    clients' assets in cyberspace.
    Web hosters such as Exodus Communications, Metromedia Fiber Network
    and ServerVault have been hiring retired agents from the Federal
    Bureau of Investigation, National Security Agency, Secret Service,
    Royal Canadian Mounted Police, Scotland Yard, U.S. Army and U.S. Navy,
    and whisking others away from their government salaries and security
    clearances to build private cybersecurity divisions.
    What has emerged is a powerful, albeit clandestine, industry within an
    industry, with an unsurpassed access to otherwise classified security
    information that is now seeking to exercise its political clout to
    make the virtual business world safer for commerce.
    In 1998, the Pentagon computer system--the holiest of the holy--was
    hacked by a ring of five Israeli and three American hackers, who
    picked their target because of a shared dislike of organizations.
    Their attack was so fierce that early reports of what was later dubbed
    "Solar Sunrise" caused Rep. Curt Weldon, R-Pa., to conclude that the
    U.S. had entered a cyberwar. The perpetrators, all under the drinking
    age, were caught by a phenomenal joint American-Israeli law
    enforcement effort. No trial date has been set yet.
    Private companies' sites--as evidenced by an avalanche of
    denial-of-service strikes in February 2000 against Amazon.com, CNN and
    ZDNet, the site of this magazine's then-parent company--are just as
    attractive as targets.
    But law enforcement's track record in catching the bad guys and
    protecting business interests in cyberspace is spotty at best.
    Last month, the General Accounting Office published an extensive
    report on the performance of the FBI's National Infrastructure
    Protection Center, which has been assigned a broad set of
    responsibilities aimed at both warning private and public
    organizations of the attacks, and catching the bad guys. The report
    concluded that the NIPC has fallen behind in its investigations,
    overpowered by both the volume of crimes and the lack of cooperation
    from the FBI's local offices.
    What this means for private businesses is that unless the president is
    making a statement about your e-mail server being hacked into, the
    U.S. authorities are probably not going to do anything about your
    request to investigate the crime. And if the perpetrator has staged an
    attack from a far-off land, you might as well patch the security hole
    and forget about justice.
    The FBI is legally barred from doing investigations overseas, which
    leaves businesses with a choice of the Central Intelligence
    Agency--which arguably has other issues on its plate than catching
    cybervandals--the Department of Justice or the Department of State,
    according to law enforcement community participants.
    A case that piques the interest of the DOJ or the State Department
    would be forwarded from Washington, D.C., to a respective embassy.
    From there, the embassy would contact local law enforcement
    organizations and, "depending on the personalities involved," some
    people who have walked down that lane explain, a criminal case might
    be opened. This, of course, is not the same as bringing an identified
    criminal to justice, as is evidenced by the Solar Sunrise episode.
    Lousy cyberpolicing is precisely the reason why most companies driving
    their business down the fast lane of the information superhighway want
    the equivalent of a bumper-squashing, siren-wailing, privately owned
    Mercedes-Benz Gelaendewagen protecting their Web site.
    The burden of meeting this business request falls squarely on the
    shoulders of the companies that host the very sites that are used as
    either targets or as the means to break into corporate networks: Web
    hosters and Internet service providers.
    Just as the Roman emperors developed the need for the Praetorian
    Guard, a special task force that acted as bodyguards and special army,
    modern-day Web rulers feel the need for private security when it comes
    to policing the Internet.
    It's no longer enough to be just technically savvy. Managed firewalls,
    security patches and hardened operating systems on Web servers seem
    too basic to many customers.
    Businesses that come to Web hoster ServerVault want to be sure their
    machines--and the information they contain--can't be fried with a ray
    gun from outside the data center. Users of MFN's colocation, managed
    and network services want to be assured their business partner knows
    how to handle information security forensics when investigating
    attacks internally, so the evidence is admissible in the court.
    Companies that work with Exodus want to be sure that if a strike
    breaks through their hoster's defenses, Exodus would be able to
    coordinate the efforts of international security agencies to ensure
    attackers are caught.
    Charles Neal is a 20-year veteran of the FBI who started his career in
    the bureau's cybercrime division with the investigation of hacker
    Kevin Mitnick, and ended his government work with the MafiaBoy case
    almost exactly a year ago. He left the FBI to head development of
    Exodus' Cyber Attack Tiger Team (CATT) and, as such, is an apt
    spokesman for this new class of security powerbrokers.
    "At the FBI, we recognized that there was a serious problem of
    underreporting, which continues to this day," says Neal, now vice
    president of cyberterrorism and incident response at Exodus.
    The FBI, Neal says, has run an undercover project for a number of
    years, seeking to find out the exact number of compromised sites
    around the world. The results were anything but soothing. "We have
    identified thousands of compromised sites, and we identified so many
    so quickly we couldn't tell all the victims they were victims -
    otherwise, we would have no time to do anything else," he says.
    Only 2 percent of the companies that discovered their sites had been
    compromised reported the incidents to investigators, Neal says. And
    the ones that did work with the FBI found themselves spending a lot of
    money with few results, he says.
    Exodus' CATT was built to compensate for the pitfalls of law
    enforcement that Neal learned about in the school of hard knocks, and
    to patch up the cracks through which cases affecting Exodus' hosting
    customers would ordinarily fall. His personal goal is to use his
    agency background to improve the security of the Internet through
    Exodus, which he calls a "private platform."
    "The trend I see is more teams like ours doing incident response,
    because companies don't want to go to law enforcement," Neal says.
    The two biggest disappointments that Neal had at the FBI were juvenile
    cases, which the federal government doesn't prosecute unless the
    circumstances of the case are extraordinary, and dealing with
    international issues, since the agents are precluded from even calling
    their sources overseas to collect information on the case. With CATT,
    as a private citizen, he can both call on colleagues overseas and
    advise customers to go after juveniles in countries with the toughest
    laws on the books.
    Four divisions
    CATT is broken into four divisions. Digital Firemen is the physical
    incident response team, which consists of individuals who carry
    pagers and let customers know of an intrusion at all hours of the day.
    Infrastructure is the team that handles security nuts and bolts, such
    as firewalls and probe monitoring. Forensics consists of ex-security
    gurus that prepare evidence for prosecutors, making sure the evidence
    is admissible in court and is transparent enough for even the least
    savvy district attorney to make the case against an Exodus customer's
    attacker. And then there is an intelligence division, modeled after an
    FBI infiltration unit that monitors the hacker community from the
    Most customers avoid going to the authorities, Neal says, aiming to
    just patch up the security hole and go on with their business. But
    there are situations when prosecution is very much desired.
    Jill Knesek, Exodus' West Coast team leader for the incident response
    team, recalls a recent episode when CATT traced a hack to a customer's
    competitor, which was seeking to gain advanced intelligence to get an
    edge in a bidding war for a large contract. The Exodus customer was
    motivated to bring the case to authorities, which resulted in
    successful prosecution, Knesek says.
    Exodus will strive to inspire other Web hosters to develop units
    similar to CATT, so that the private sector could become the missing
    link that would connect an international information security network,
    Neal says.
    Information sharing and black helicopter tales
    That missing link could appear sooner than anybody expects. In a
    recent study by Meta Group comparing the overall security of Web
    hosting organizations, ServerVault topped the list, followed by
    Telenisus, Genuity, Exodus, Electronic Data Systems and UUnet.
    The exchange of information with federal officials is very much on the
    mind of Patrick Sweeney, ServerVault's president and CEO. The company
    has been designed with security as its main focus, and is one of the
    few hosters that builds its data centers with the Department of
    Defense's, the NSA's and the Pentagon's specifications in mind.
    Sweeney expected to meet last week with folks from the NIPC "with a
    specific idea in mind of sharing information between public and
    private-sector companies."
    ServerVault would know a thing or two about setting up a process like
    that. The company is working with the Secret Service on a pilot
    program in which ServerVault would help the agency with collecting
    hacker information.
    Sweeney views his company's efforts as part of the conceptual change
    in how governments protect themselves in the information age. Warfare
    has historically been conducted with large armies, he reasons. But why
    make bombs if just as much damage could be inflicted electronically by
    taking out, say, a power grid or a stock exchange? A single person
    here could cause as much damage as a tank division, and it's just a
    matter of time before agencies such as the CIA, the FBI and Interpol
    all work together against cybercrime, Sweeney says.
    In the meantime, Exodus, ServerVault and others do what they can to
    fend off attacks themselves. Sweeney says that a lot of unfriendly
    traffic aimed at compromising ServerVault comes from China and former
    Eastern Bloc countries. But what can ServerVault do, even if it knows
    who the cracker is?
    Sometimes the best thing to do is to do nothing but collect
    information on the criminal and ensure the customers' data is safe
    against their exploits, Sweeney says.
    Security industry experts say that while many companies avoid taking
    their cases to the authorities, the tales of black helicopters and
    midnight visits to the homes of suspected crackers by men in black
    leather jackets are greatly exaggerated. Some companies do, however,
    take matters into their own hands. "Some companies get fed up, find
    out who is attacking them and just lay it out for them, asking them to
    stop and telling them they know who they are and where they live,"
    says Elias Levy, Internet defense firm SecurityFocus.com's co-founder
    and chief technology officer. "Or they simply contact their employers
    or parents."
    "Communications without intelligence is noise; intelligence
    without communications is irrelevant." Gen. Alfred M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org