[ISN] FBI operation penetrates hacker underground

From: InfoSec News (isnat_private)
Date: Mon Sep 17 2001 - 02:03:21 PDT

    Forwarded by: Jeff Moss <jmossat_private>
    
    http://www.computerworld.com/cwi/story/0,1199,NAV47_STO63711,00.html
    
    By DAN VERTON 
    September 11, 2001
    
    The FBI has gained a foothold in the hacker underground thanks to an
    18-month undercover operation launched during the height of the U.S.
    military's 1999 bombing campaign in Kosovo.
    
    What started out as a Defense Department operation designed to ferret
    out pro-Serbian hackers responsible for the April 1999
    denial-of-service attacks against U.S. government and NATO Web sites
    soon led to the first coordinated undercover operation targeting
    U.S.-based hackers, Computerworld has learned.
    
    The operation, whose code name is being withheld for security reasons,
    involved a joint team of half a dozen FBI and Pentagon criminal
    investigators who posed as hackers on the Internet. Dozens of
    investigations by the Justice Department have been opened as a result
    of the operation's success, including some that are continuing.
    
    During the course of the operation, agents developed multiple
    informants within the hacker underground, conducted more than a dozen
    authorized defacements of government Web sites to establish a
    reputation among the hackers and received assistance and training from
    hackers they had arrested.
    
    William Swallow is director of incident response for the Cyber Attack
    Tiger Team (CATT) at Exodus Communications Inc. in Santa Clara, Calif.
    He is also the former lead investigator in the sting operation and one
    of the agents who for a year posed as a hacker. Although the team
    never defaced a corporate Web site, it received permission to hack
    into and deface government Web sites and then posted those defacements
    to Attrition.org, a Web site that archives hacker defacements, he
    said.
    
    "Even a half-dozen hacks got you a pretty good reputation," said
    Swallow. "I had to be able to demonstrate to them that I could do it."
    
    The plan worked. Swallow and the other investigators developed close,
    even competitive, relationships with hackers through the use of
    Internet Relay Chat rooms. Soon, hackers were trying to get the
    investigators to take part in coordinated hacking attacks and offering
    to share stolen information.
    
    "It took about six months to really get them to feel comfortable
    enough to pass information along," said Swallow. "I had hackers pass
    stolen credit cards to me and request help in hacks." Some of those
    young hackers had relationships with Russian mafia organizations and
    were trying to sell the information.
    
    Swallow came up with the idea for the investigation shortly after he
    was detailed to the FBI's computer intrusion squad in Los Angeles in
    1999. He had been sent there by the Pentagon to help develop sources
    in the Serbian hacker community who might be able to lead
    investigators to the perpetrators of the April denial-of-service
    attack against Defense Department Web sites. He managed to uncover a
    valuable informant who helped him collect volumes of intelligence
    information on hackers around the world. But when the Serbian hacker
    operation was about to come to an end, Swallow realized that he and
    others had managed to penetrate a good portion of the hacker
    underground in the U.S.
    
    Rather than shut down the operation, the FBI agreed to keep it going.
    
    Although Swallow and others didn't know it at the time, the undercover
    investigation would come to play a pivotal role in the eventual
    prosecution of the 17-year-old hacker known as "Mafiaboy." The
    Canadian hacker pleaded guilty to 58 charges stemming from the
    February 2000 denial-of-service attacks against Web sites belonging to
    five companies, including Amazon.com Inc., Dell Computer Corp., eBay
    Inc., Yahoo Inc. and CNN.
    
    On the night that Mafiaboy launched his attack, Swallow and other
    hackers watched in disbelief as he bragged about what he had just
    done. Nobody, including the other hackers who were present in the chat
    room, believed him. As a result, Swallow, who had operator status in
    the chat room -- giving him the authority to control who was allowed
    in -- kicked Mafiaboy out and banned him from returning.
    
    "Most of us really didn't have much respect for him," said Swallow.
    "We didn't believe him and didn't think he was that good. I don't
    think he was that good. I think he just had access to the right
    tools." Hacker informants would later lead the FBI to the teenager.
    
    A U.S. attorney who spoke on condition of anonymity said undercover
    operations, including this one and others that are ongoing, have been
    "very important" to the FBI's ability to track down hackers,
    "especially with people that are beyond the reach of our courts
    overseas."
    
    Eric Friedberg, a former computer and telecommunications crime
    coordinator at the U.S. Attorney's Office in New York, said that
    although undercover operations are "the wave of the future," there are
    risks.
    
    Hacker informants can be "extremely unreliable," said Friedberg, now a
    computer crime consultant at Stroz and Associates in New York.
    
    "It's hard to engender a sense of loyalty in that community," he said.
    "They see it as sort of a game. Many of them don't appreciate that
    they're jammed up [in trouble with the law]. It makes for very dicey
    work."
    
    
    
    


