[ISN] The FBI's Cybercrime Crackdown

From: InfoSec News (isnat_private)
Date: Fri Nov 08 2002 - 01:02:26 PST


    By Simson Garfinkel
    November 07, 2002
    To protect the classified information stored on her desktop computer,
    Special Agent Nenette Day uses one of the most powerful tools on the
    planet -- an air gap.
    Day points to an IBM ThinkPad resting on the table behind her desk.  
    "That computer is hooked up to the Internet," she says. "But if you
    break into it, have a good time: there's no secret work on it."
    Two meters away on her desk sits Day's other computer -- a
    gray-and-chrome minitower emblazoned with a red sticker proclaiming
    that its hard drive is classified SECRET. "This," she says
    protectively, "holds my e-mail." Day readily talks about the ThinkPad,
    describing how she got it as part of a big purchase by the Federal
    Bureau of Investigation (FBI) a few years ago and explaining that it's
    now somewhat out-of-date. And she happily shows off a collectible
    action figure -- still in its display box -- a colleague brought back
    from Belgium. It's a "cyberagent" with a gun in one hand and a laptop
    computer in the other. But if you let your eyes drift back to that red
    sticker and try to copy the bold, black words printed on it, Day will
    throw you out of her office.
    Day belongs to the FBI's Boston Computer Crime Squad, one of 16 such
    units located throughout the United States. Each is composed of about
    15 agents who investigate all manner of assaults on computers and
    networks -- everything from lone-hacker to cyberterrorist attacks --
    with a dose of international espionage thrown in for good measure.  
    Crimes range from Web site defacements and break-ins to so-called
    denial-of-service attacks, which prevent legitimate users from
    accessing targeted networks.
    The Computer Crime Squads form the heart of the FBI's new Cyber
    Division. Created as part of the FBI's reorganization that followed
    September 11, the Cyber Division is the U.S. government's first line
    of defense against cybercrime and cyberterrorism. Its mission, said
    FBI Director Robert S. Mueller, when he appeared before the Senate
    Committee on the Judiciary last May, is "preventing and responding to
    high tech and computer crimes, which terrorists around the world are
    increasingly exploiting to attack America and its allies."
    The emphasis on cybercrime is a big departure for the FBI. The
    bureau's agents traditionally got the most attention -- and the
    biggest promotions -- by pursuing bank robbers, kidnappers, and
    extortionists. J. Michael Gibbons worked on one of the FBI's very
    first computer-crime cases back in 1986; when he left the FBI in 1999,
    he was chief of computer investigations. "Frankly," says Gibbons, now
    a senior manager at KPMG Consulting in McLean, VA, "there was no great
    glory in the FBI on working computer investigation cases."
    But that attitude is changing as Washington increasingly realizes that
    big damage can be inflicted on U.S. businesses through their computers
    and networks. Remember back in February 2000 when a massive
    denial-of-service attack shut down Web sites belonging to companies
    such as Yahoo!, eBay, and Amazon.com? It cost those companies
    literally millions of dollars in lost revenue. That attack, it turns
    out, was executed by a single high school student. Experts worry that
    a similar assault on the nation's electric utilities, financial
    sector, and news delivery infrastructure could dramatically exacerbate
    the resulting confusion and possibly even the death toll of a
    conventional terrorist attack, if the two attacks were coordinated.
    Even without the specter of terrorism, cybercrime is bleeding millions
    of dollars from businesses. Earlier this year, the Computer Security
    Institute surveyed 503 organizations: together, they reported $456
    million in damages due to attacks on their computers and
    networks over the past year, and more than $1 billion in damage over
    the previous six years. Those numbers -- which are the closest thing
    that the computer establishment has to reliable figures for the
    incidence of computer crime -- have climbed more than 20 percent since
    Day's activities show that although the FBI, the nation's premier
    law-enforcement agency, is starting to come to terms with cybercrime,
    it still has a long way to go. Agents such as Day receive special
    training and have access to specialized tools (many of which the FBI
    refuses to discuss). Their equipment, if not always at the James Bond
    cutting edge, is no longer embarrassingly outdated. On the other hand,
    the FBI's cybercrime squads are locked in a battle to keep current in
    the face of unrelenting technological change, and they are so
    short-staffed that they can investigate only a tiny fraction of the
    computer crimes that occur. Agents such as Day have served as only a
    small deterrent to hackers and high tech criminals bent on attacking a
    society that has become hopelessly dependent on its machines. But the
    deterrent is growing.

    How to Catch a Cybercrook

    The phone rings at the FBI Crime Squad and a "complaint agent"  
    answers. Most calls are short, not too sweet, and not terribly
    satisfying for the person seeking help. "We get a lot of phone calls
    from people who say that somebody has hacked their home computer,"  
    says Day. Others report death threats delivered in online chat rooms.
    Unsettling as such events are for the victims, most callers are told
    that there's nothing the FBI can do for them. For one thing, federal
    computer-crime statutes don't even kick in unless there is at least
    $5,000 damage or an attack on a so-called "federal interest computer"  
    -- a broad category that includes computers owned by the federal
    government, as well as those involved in interstate banking,
    communications, or commerce. In places especially rife with computer
    crime, like New York City, the intervention bar is even higher.
    Even cases whose damages reach the threshold often die for lack of
    evidence. Many victims don't call the FBI right away. Instead, they
    try to fix their computers themselves, erasing their hard drives and
    reinstalling the operating system. That's like wiping fingerprints off
    the handle of a murder weapon: "If you have no evidence, we can't work
    it," says Day. And, of course, an attack over the Internet can
    originate from practically anywhere -- the other side of the street or
    the other side of the world. "We can't do a neighborhood sweep and
    ask, 'Did you see anybody suspicious walking around here?'" she
    For many computer offenses, the FBI lacks not only solid evidence but
    even the knowledge that an incident has occurred at all. According to
    this year's Computer Security Institute survey, only about one-third
    of computer intrusions are ever reported to law enforcement. "There is
    much more illegal and unauthorized activity going on in cyberspace
    than corporations admit to their clients, stockholders, and business
    partners, or report to law enforcement," says Computer Security
    Institute director Patrice Rapalus.
    Every now and then, however, all the ingredients for a successful case
    come together: a caller who has suffered a significant loss,
    undisturbed evidence, and a perpetrator who is either known or easily
    Day remembers a case from October 2000. The call came from the vice
    president of Bricsnet US, a software company in Portsmouth, NH.  
    Bricsnet had just suffered a massive attack over the Internet.  
    Somebody had broken into its systems, erased customer files, modified
    financial records, and sent e-mail to Bricsnet's customers, announcing
    that the company was going out of business.
    When Day arrived on the scene she went quickly for what she hoped
    would be the key source of evidence: the log files. These are the
    routine records -- the digital diary -- computers retain about their
    actions. Computers can keep highly detailed logs: an e-mail server,
    for example, might track the "To" and "From" addresses, as well as the
    date, of every message it processes. Some computers keep no log files
    at all. Getting lucky, Day found that Bricsnet's log file contained
    the time of the attack and the Internet Protocol, or IP, address of
    the attacker's computer.
    Every address on the Internet is assigned to either an organization or
    an Internet service provider. In the Bricsnet case, the address
    belonged to a local service provider. Day issued a subpoena to that
    company, asking for the name of the customer "who had connected on
    this IP address" when the attack took place. This information came
    from the service provider's own log files.
    It turned out that the offending address corresponded to a dial-up
    connection. Each time a subscriber dials in, the service provider's
    log files record the date, time, username, and the originating phone
    number. Within a week of launching the investigation, Day had fingered
    a likely suspect: Patrick McKenna, a help desk worker whom Bricsnet
    had fired on the morning of the first attack. McKenna was arrested,
    charged, and convicted under the Computer Fraud and Abuse Act. He was
    sentenced in June 2001 to six months in federal prison, followed by a
    two-year parole. He was also ordered to pay restitution for the damage
    he had caused, which the court determined to be $13,614.11.
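The tracing steps just described (pull the attack's time and source IP from the victim's log, then ask the provider which account held that IP at that moment) can be shown in a few lines of code. The following is an added example written for this page, not code from the article, the FBI or any provider; the log layouts, host names, account names, IP addresses and phone numbers are all constructed for illustration. It also shows the edge case the time match exists to resolve: a dial-up IP is dynamic, so the same address belongs to different customers at different times of the same day.

```python
"""Tracing an attacker from a victim's log to an ISP's dial-up records.

Added example, not part of the article: it walks the procedure described
above (find the attack's time and source IP in the victim's log, then ask
which dial-up account held that IP at that moment) on constructed log lines.
The log layouts, host names, usernames, IPs and phone numbers are all
hypothetical; nothing here is Bricsnet's, the provider's or the FBI's data.
"""
import re
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed victim-side log (hypothetical syslog-like layout). Documentation
# IPs (203.0.113.0/24, 198.51.100.0/24) are used so no real host is named.
VICTIM_LOG = """\
2000-10-17 02:11:05 sshd: accepted password for jsmith from 203.0.113.45
2000-10-17 02:14:52 smtpd: from=<jsmith@example.test> to=<customers@example.test> relay=203.0.113.45 subject="We are closing"
2000-10-17 02:16:30 fileserver: DELETE /customers/contracts.db by jsmith from 203.0.113.45
2000-10-17 09:30:00 sshd: accepted password for alice from 198.51.100.7
"""

# Constructed provider-side dial-up accounting log (hypothetical layout):
# session start time, account name, the IP handed out for that session, the
# ANI / caller-ID number the provider recorded, and the session length.
# Note that 203.0.113.45 is handed to two different accounts on the same day:
# dial-up addresses are dynamic, so an IP alone does not identify a customer.
ISP_LOG = """\
2000-10-17 01:58:41 START user=pmk99 ip=203.0.113.45 ani=6035550142 duration=1830
2000-10-17 02:40:10 START user=dlee ip=203.0.113.45 ani=6035550199 duration=600
2000-10-17 09:20:00 START user=bob ip=198.51.100.7 ani=6175550123 duration=7200
"""

TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ISP_RE = re.compile(
    r"^(\S+ \S+) START user=(\S+) ip=(\S+) ani=(\d+) duration=(\d+)$")


def parse_victim_log(text):
    """Return (timestamp, source_ip, message) for every line that names an IP."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        ip = IP_RE.search(line)
        if m and ip:
            events.append((datetime.strptime(m.group(1), FMT), ip.group(1), m.group(2)))
    return events


def parse_isp_log(text):
    """Return dial-up sessions as dicts with user, ip, ani, start and end."""
    sessions = []
    for line in text.splitlines():
        m = ISP_RE.match(line)
        if not m:
            continue  # skip lines that are not session-start records
        start = datetime.strptime(m.group(1), FMT)
        sessions.append({
            "user": m.group(2), "ip": m.group(3), "ani": m.group(4),
            "start": start, "end": start + timedelta(seconds=int(m.group(5))),
        })
    return sessions


def sessions_holding(sessions, ip, when):
    """Sessions that had `ip` assigned at the instant `when` (the subpoena question)."""
    return [s for s in sessions if s["ip"] == ip and s["start"] <= when <= s["end"]]


def users_ever_on_ip(sessions, ip):
    """Every account that ever used `ip`: the wrong question to ask of a dial-up pool."""
    return {s["user"] for s in sessions if s["ip"] == ip}


def trace(victim_text, isp_text, indicators):
    """Map each attacking IP to the (account, ANI) pairs that held it during the attack.

    `indicators` are substrings that mark a victim log line as part of the attack
    (here the bogus mailing and the file deletion)."""
    sessions = parse_isp_log(isp_text)
    found = {}
    for ts, ip, msg in parse_victim_log(victim_text):
        if not any(k in msg for k in indicators):
            continue
        for s in sessions_holding(sessions, ip, ts):
            found.setdefault(ip, set()).add((s["user"], s["ani"]))
    return {ip: sorted(pairs) for ip, pairs in found.items()}


if __name__ == "__main__":
    for ip, pairs in trace(VICTIM_LOG, ISP_LOG, ["DELETE", "closing"]).items():
        for user, ani in pairs:
            print(f"{ip} during the attack -> account {user}, dialed in from {ani}")
    # Without the time match the same IP points at two customers:
    print("accounts that ever used 203.0.113.45:",
          sorted(users_ever_on_ip(parse_isp_log(ISP_LOG), "203.0.113.45")))
```

The point of `sessions_holding` versus `users_ever_on_ip` is the one the article makes with its subpoena wording, "who had connected on this IP address" when the attack took place: the provider's answer is only meaningful for the attack's time window, and the recorded ANI is what lets an investigator distinguish the account holder from someone using a stolen username and password.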

    Masked Men and Dead Ends

    Day's bust in the Bricsnet case was unusual for its speed and for the
    resulting conviction. That's because many crimes are perpetrated with
    stolen usernames and passwords. In the Bricsnet case, for instance,
    McKenna had broken into the company's computers using his former
    supervisor's username and password.
    The key to cracking the Bricsnet case was caller ID and automatic
    number identification (ANI), two technologies more and more Internet
    service providers are using to automatically record the phone numbers
    of people dialing up their servers. When a crime is committed over a
    telephone line, this information is invaluable.
    "I love ANI," says Day. "The last thing you want to do is show up at
    Joe Smith's house because some hacker has logged in using Smith's
    username and password." This tool, she says, "lets you know if you are
    on the right track. It has made a huge difference." Not all new
    telecommunications technologies are so helpful, though. Many recent
    computer attacks, for example, flow from the growing availability of
    always-on high-speed Internet connections. Attackers employ computer
    viruses and other programs to compromise users' home computers, and
    then they use the compromised computers as platforms for launching
    other attacks without the owners' knowledge. Even worse, an attacker
    can jump from system to system, forging a long chain that cannot be
    traced. Microsoft Windows typically does not keep logs of its
    activity. "A lot of our investigations have been stopped cold in their
    tracks because someone is trotting through one of those computers,"  
    Day says, referring to cable-modem-connected PCs that run vulnerable
    copies of Microsoft Windows 95.
    Even caller ID and automatic number-identification information can be
    faked by a person who has control of a corporate telephone system with
    a certain kind of connection to the public telephone network. So far,
    faked caller ID hasn't been a problem -- but that could change, too.
    The Internet's cloak of anonymity has made fighting crime especially
    tough. It's almost as if there were booths outside banks distributing
    free ski masks and sunglasses to everybody walking inside. "Anonymity
    is one of the biggest problems for the FBI crime squads," former agent
    Gibbons says. He maintains that cybercriminals' ability to disguise
    their identities does more than just complicate investigations; it
    also makes attackers more aggressive and more willing to take chances
    and do damage.
    "People act differently when they don't think that they are being held
    accountable for their actions," says Gibbons. For years, computer
    security experts have maintained that corrupt employees and former
    insiders -- such as McKenna at Bricsnet -- perpetrate the lion's share
    of computer crime. But Day's experience contradicts this prevailing
    wisdom. Today things are changing: according to Day, most cases she
    investigates involve outsiders who commit their crimes anonymously
    over the Internet, frequently from overseas. Day says she has traced
    some 70 percent of the attacks to foreign Internet addresses.  
    Nevertheless, insiders still account for the bulk of her investigations,
    since they carry out the most damaging attacks.
    In one case, Day says, she determined that a major break-in had
    originated at a cybercafe in a small town in Romania. Because computer
    hacking is not a crime in Romania, the local police offered no
    assistance. Seeking help elsewhere, she phoned the cafe itself and
    talked with its owner, who spoke fluent English. "The owner said he
    has a bunch of cyberhackers who come there, but this is Romania, and
    they pay cash," Day says.
    The investigation was terminated.

    Attack of the Grownups

    The media frequently portray the typical computer criminal as a
    disaffected male youth, a computer wizard who lacks social skills. In
    the archetypal scene, FBI agents conduct a predawn raid: with their
    guns drawn, they arrest a teenager while his horrified parents look
    on. And in fact, Day says that as recently as five years ago,
    juveniles made up the majority of the perpetrators she encountered.  
    They were teenagers who broke into Web sites that had little security,
    and their digital crowbars were tools that they downloaded freely from
    the Internet. These kids made no attempt to hide their success.  
    Instead, they set up their own servers on the penetrated computers,
    bragged to their friends, and left behind lots of evidence of their
    But such attacks are no longer the most important cases that Day's
    office investigates. Recent years have brought "an interesting shift,"  
    she says. Now she sees attackers breaking into computers that are
    supposedly protected by firewalls and security systems. These
    perpetrators -- virtually all of them adults -- mount extremely
    sophisticated attacks. They don't brag, and they don't leave obvious
    tracks. "It's economic espionage," Day concludes.
    It's not surprising that these cases are the hardest to crack, she
    says. One incident involved a suspect who had used a stolen credit
    card to purchase dial-up accounts at Internet service providers,
    specifically smaller providers that did not use caller ID or automatic
    number identification. He then proceeded to quietly break into
    thousands of computers. Day monitored the attacker for four months,
    trying to figure out who he was. "He was very good," she recounts.  
    Then, in the middle of her investigation, the stolen credit card was
    canceled and the dial-up accounts were closed. "I was horrified," she
    says. The investigation fell apart, and the perpetrator is still at
    Computer crime culprits defy stereotyping. One case that was
    successfully prosecuted -- after a three-year investigation by the FBI
    -- involved an assistant principal at a Long Island high school. The
    school administrator flooded the e-mail systems at Suffolk, James
    Madison, and Drexel universities with tens of thousands of messages,
    causing significant damage. In July 2001 the culprit, whose crimes
    carried punishments as high as a year in jail and $200,000 in fines,
    was sentenced to six months in a halfway house.
    In the coming years the widespread adoption of wireless networking
    technology will probably pose the biggest problem for the FBI
    cybercrime squad. These networks, based on the 802.11b, or Wi-Fi,
    standard, let people use laptops and handheld computers as they move
    freely about their homes and offices. But unless additional protective
    measures are taken, wireless signals invariably leak beyond buildings'
    walls: simply lurking within the 100- to 300-meter range of a typical
    base station, an attacker can break into a network without even
    picking up a telephone or stepping onto the victim's property. "Many
    people who are moving to wireless as a cost-saving measure don't have
    any appreciation of the security measures they should employ,"  
    explains Special Agent Jim Hegarty, Day's supervisor.
    And as the Boston cybercrime unit has discovered, wireless attacks are
    not just theoretical. The wireless network of one high tech company
    recently suffered a break-in. According to Hegarty, the attacker -- an
    activist who was opposed to the company's product and management --
    literally stationed himself on a park bench outside the company's
    offices and over the course of several weeks, used the wireless
    network to "sniff" usernames and passwords of the company's president
    and other senior-level executives. The activist then used the
    information to break into the company's computers -- again, making his
    entry through its wireless network. Armed with this illicit access,
    the attacker downloaded months of e-mail and posted it on the Web.
    The e-mail contained confidential information about customers and
    their contracts. Once that became public, all hell broke loose. Some
    customers who discovered that they were paying higher rates than
    others demanded better deals; others canceled orders upon discovering
    that the vendor had been selling the same product to their
    competitors. Ultimately, the attacked company suffered more than $10
    million in direct losses from the break-in. As wireless networks
    proliferate, attacks of this kind are likely to become more common,
    according to Hegarty. The advent of 802.11, he says, "is going to be a
    watershed event for us."

    All in a Day's Work

    When Technology Review first approached the FBI about interviewing an
    agent of the computer crime squad, the idea was to write about an
    agent's "average day." The public affairs manager at the FBI's Boston
    office nixed the idea: there are no average days for an FBI agent, she
    said. Indeed, Day says that one of the best things about her job is
    its endless variety.
    "I might spend one day in trial preparation. I could spend an entire
    day milling through computer files doing evidence assessment. The next
    day I could be scheduled to testify in a trial. And last month I spent
    a couple weeks in Bangkok, Thailand, teaching police from 10 different
    Asian countries." She spends some days on the phone, perhaps
    overseeing a new case coming in from a financial institution or
    phoning FBI headquarters with information that needs to be relayed to
    other field offices. A few days later she might be off to the range
    for weapons training. Agent Day carries a .40-caliber Glock 23 and
    assists on the occasional drug raid. "It is very long work, and it's
    very hard," she says about her job, "but it gives you something that
    you would never see in the private sector."
    The Glock doesn't get much use out there on the Internet, of course,
    but Day's FBI training in understanding criminal behavior does. She
    is, for example, involved in a project at the FBI's research center in
    Quantico, VA, developing a psychological profile of serial hackers --
    people who might become criminals or could be hired by a foreign
    government. A serial hacker could be a powerful tool for Al Qaeda or
    some other terrorist organization.
    Moving forward, the biggest challenge, says Day, will be for society
    as a whole "to try to define and distinguish between what is basically
    online vandalism -- when somebody is damaging a business or a
    computer -- and cyberterrorism. All of those things are conflated in the
    discussion of the criminal prosecution of hackers. In my mind those
    are different kinds of contact with different social harm."
    Today cybercrime is one of the FBI's top priorities -- even above
    fraud, drugs, and gun running, says Day. But while scary talk of
    cyberterrorism captures the headlines, the most damaging cybercrime
    may actually be old-fashioned crimes being committed with new and
    virtually untraceable tools. Catching the new bad guys will require
    people like Nenette Day to stay on technology's leading edge, but it
    will also require an FBI able to build an organization that gives Day
    and her fellow agents adequate support. Furthermore, it will require
    the capability to bring superior computing firepower against the
    cyberattackers and beat them at their own high tech game.
    ISN is currently hosted by Attrition.org