[ISN] A Visit from the FBI

From: William Knowles (wk@private)
Date: Wed Jan 28 2004 - 02:40:12 PST


    http://www.securityfocus.com/cgi-bin/sfonline/columnists-item.pl?id=215
    
    [If it's good enough for the FBI Computer Crime Squad, it's good enough 
    for you! http://www.amazon.com/exec/obidos/ASIN/B0000U9H40/c4iorg  -WK]
    
    
    By Scott Granneman 
    Jan 21 2004 
    
    Well, it finally happened. Right before Christmas, I had a little 
    visit from the FBI. That's right: an agent from the Federal Bureau of 
    Investigation came to see me. He had some things he wanted to talk 
    about. He stayed a couple of hours, and then went on his way. 
    Hopefully he got what he wanted. I know I did. 
    
    Let me explain. I teach technology classes at Washington University in 
    St. Louis, a fact that I mentioned in a column from 22 October 2003 
    titled, "Joe Average User Is In Trouble". In that column, I talked 
    about the fact that most ordinary computer users have no idea about 
    what security means. They don't practice secure computing because they 
    don't understand what that means. After that column came out, I 
    received a lot of email. One of those emails was from Dave Thomas, 
    former chief of computer intrusion investigations at FBI headquarters, 
    and current Assistant Special Agent in Charge of the St. Louis 
    Division of the FBI. 
    
    Dave had this to say: "I have spent a considerable amount in the 
    computer underground and have seen many ways in which clever 
    individuals trick unsuspecting users. I don't think most people have a 
    clue just how bad things are." He then offered to come speak to my 
    students about his experiences. 
    
    I did what I think most people would do: I emailed Dave back 
    immediately and we set up a date for his visit to my class. 
    
    It's not every day that I have an FBI agent who's also a computer 
    security expert come speak to my class, so I invited other students 
    and friends to come hear him speak. On the night of Dave's talk, we 
    had a nice cross-section of students, friends, and associates in the 
    desks of my room, several of them "computer people," most not. 
    
    Dave arrived and set his laptop up, an IBM ThinkPad A31. He didn't 
    connect to the Internet - too dangerous, and against regulations, if I 
    recall - but instead ran his presentation software using movies and 
    videos where others would have actually gone online to demonstrate 
    their points. While he was getting everything ready, I took a look at 
    the first FBI agent I could remember meeting in person. 
    
    Dave is from Tennessee, and you can tell. He's got a southern twang to 
    his voice that disarms his listeners. He talks slowly, slightly 
    drawling his vowels, and it sort of takes you in, making you think 
    he's not really paying attention, and then you realize that he knows 
    exactly what he's doing, and that he's miles ahead of you. He wears a 
    tie, but his suit is ready to wear and just a bit wrinkled. His dark 
    hair is longer than you'd think, hanging below his collar, further 
    accentuating the country-boy image, but remember, this country boy 
    knows his stuff. All in all, he gives off the air of someone who's 
    busy as heck, too busy to worry about appearances, and someone who's 
    seen a lot of things in his time. 
    
    A-cracking we will go
    
    Dave focused most of his talk on the threats that ordinary computer 
    users face: what those threats are, who's behind them, and why they 
    exist. He spent quite a bit of time talking about the intersection of 
    Trojans and viruses. He started by showing us how easy it is to create 
    a virus, using one of several virus creation wizards that can be 
    easily found on the Net (of course, real men and women write their 
    own). 
    
    More and more, however, the viruses circulating on the Internet are 
    quite purposeful in design. The goal is to install a Trojan on the 
    unsuspecting user's machine that will then allow the bad guy to 
    control the machine from afar, turning it into a Zombie machine under 
    the control of another. All too often, this tactic is successful. 
    Hundreds of thousands if not millions of machines are "owned" by 
    someone other than the user sitting in front of the keyboard and 
    monitor. 
    
    These Trojans are often the ones that security pros have been watching 
    for years: SubSeven, Back Orifice, and NetBus. A lot of the time, 
    script kiddies are the ones behind these Trojans, and they do the 
    usual stuff once they have control of a user's PC: grab passwords, use 
    groups of machines to organize DDoS attacks (often against other 
    script kiddies), and jump from machine to machine to machine in order 
    to hide their tracks. 
    
    What surprised me, however, was how often Trojans are used to mess 
    with the heads of the poor unsuspecting suckers who own the zombie 
    machines. A favorite trick is to surreptitiously turn on the Webcam of 
    an owned computer in order to watch the dupe at work, or watch what 
    he's typing on screen. This part isn't surprising. But Dave had 
    countless screenshots, captured from impounded machines or acquired 
    online from hacker hangouts, where the script kiddie, after watching 
    for a while, just can't help himself any longer, and starts to insult 
    or mock or screw with the duped owner. 
    
    In one, a hacker sent a WinPopup message to a fellow: "Hey, put your 
    shirt back on! And why are you using a computer when there's a girl on 
    your bed!" Sure enough, the camera had captured a guy using his 
    computer, sans shirt, and in the background you could clearly see a 
    young woman stretched out on a bed. 
    
    In another, a man was working a crossword puzzle online when the 
    hacker helpfully suggested a word for 14 Down (I think it was 
    "careless"), again using WinPopup. In a third, a screenshot captured 
    the utterly shocked expression on a man's face - mouth agape, eyes 
    open wide in amazement - when his computer began insulting him using, 
    you guessed it, WinPopup. 
    
    This is bad enough and it's also cruelly funny, but the scary part 
    came in when Dave started talking about the other group behind the 
    explosion of viruses and Trojans: Eastern European hackers, backed by 
    organized crime, such as the Russian mafia. In other words, the 
    professionals. 
    
    These people are after one thing: money. The easiest way to illegally 
    acquire money now is through the use of online tools like Trojans, or 
    through phishing: set up a fake Web site for PayPal or eBay or Amazon, 
    and then convince the naïve to enter their usernames, passwords, and 
    credit card information. Viruses and spam also intersect in this nasty 
    spiderweb. Viruses help spread Trojans, and Trojans are used to turn 
    unsuspecting users' computers into spam factories, or hosts for 
    phishing expeditions, and thus furthering the spread of all the 
    elements in this process: viruses, Trojans, spam, and phishing. It's a 
    vicious cycle, and unfortunately, it appears to be getting worse. The 
    FBI is working as hard as it can, but the nations of Eastern Europe 
    are somewhat powerless to solve the problem at this time. 
    
    One way to trace just how bad the situation has gotten: track the 
    price for a million credit card numbers. Just a few years ago, Dave 
    saw prices of $100 or more for a million stolen credit card numbers. 
    Now? Pennies. Stealing credit cards is so easy, and so rampant, that 
    prices have dropped precipitously, in a grotesque parody of capitalist 
    supply and demand. 
    
    Along with this comes intrusions into banks and other financial 
    institutions. Dave wouldn't name names, but he said several 
    organizations that we would all know have been infiltrated 
    electronically by Eastern Europeans, who then grab customer data. A 
    few days later, the unsuspecting president of the bank gets an email 
    demanding $50,000, or else the media will be told of the break-in. Of 
    course, the break-in is news to the bank. As proof of their exploit, a 
    spreadsheet is attached to the email, with a few hundred rows of 
    client data: bank account numbers, home addresses, balances. 
    
    Unfortunately, many banks decide to keep it all a secret from their 
    customers, so they reluctantly decide to go ahead and pay the 
    extortion. $50,000 goes to the criminals, and the bank breathes a sigh 
    of relief. 
    
    Three days later, ten emails arrive, from ten different criminal 
    organizations, each demanding $25,000. Ooops. Far from buying 
    protection, the bank revealed itself as an easy mark, amenable to 
    blackmail. And it will only get worse. Time to call in the FBI, as it 
    should have done from the beginning. 
    
    American companies have tried to respond to the massive fraud being 
    perpetrated online. One common preventive, adopted by most companies 
    that sell products online, has been to refuse shipments outside of 
    North America, or to allow international shipping except to Eastern 
    Europe. Criminals have figured out a way around this, however. They 
    hire folks to act as middlemen for them. Basically, these people get 
    paid to sit at home, sign for packages from Dell, Amazon, and other 
    companies, and then turn around and reship the packages to Russia, 
    Belorussia, and Ukraine. You know those signs you see on telephone 
    poles that read "Make money! Work at home!"? A lot of that "work" is 
    actually laundering products for the Russian mob. Of course, anyone 
    caught acting as a middleman denies knowledge of their employer: "I 
    had no idea why I was shipping 25 Dell computers a day to Minsk! I 
    just assumed they liked computers!" 
    
    Proof once again that social engineering, coupled with greed, is the 
    easiest way to subvert any security. 
    
    Some surprises
    
    Dave had some surprises up his sleeve as well. You'll remember that I 
    said he was using a ThinkPad (running Windows!). I asked him about 
    that, and he told us that many of the computer security folks back at 
    FBI HQ use Macs running OS X, since those machines can do just about 
    anything: run software for Mac, Unix, or Windows, using either a GUI 
    or the command line. And they're secure out of the box. In the field, 
    however, they don't have as much money to spend, so they have to 
    stretch their dollars by buying WinTel-based hardware. Are you 
    listening, Apple? The FBI wants to buy your stuff. Talk to them! 
    
    Dave also had a great quotation for us: "If you're a bad guy and you 
    want to frustrate law enforcement, use a Mac." Basically, police and 
    government agencies know what to do with seized Windows machines. They 
    can recover whatever information they want, with tools that they've 
    used countless times. The same holds true, but to a lesser degree, for 
    Unix-based machines. But Macs evidently stymie most law enforcement 
    personnel. They just don't know how to recover data on them. So what 
    do they do? By and large, law enforcement personnel in America end up 
    sending impounded Macs needing data recovery to the acknowledged North 
    American Mac experts: the Royal Canadian Mounted Police. Evidently the 
    Mounties have built up a knowledge and technique for Mac forensics 
    that is second to none. 
    
    (I hope I'm not helping increase the number of sales Apple has to drug 
    traffickers.) 
    
    The biggest surprise was how approachable and helpful Dave was to 
    everyone in the room. According to Dave, the FBI has really made 
    reaching out to the local communities it's in more of a priority. 
    Since the September 11th attacks, the FBI has shifted its number one 
    focus to preventing terrorism, but the number two priority remains 
    preventing and capturing crimes based around technology. In order to 
    best achieve both goals, the FBI has been working hard to reach out to 
    American citizens, and Dave's talk to my class was part of that 
    effort. 
    
    I'm a civil libertarian at heart, and that brings with it an innate 
    mistrust of governmental authority - power corrupts, after all. But 
    I'm glad people like Dave Thomas are in the FBI. He's a good man, and 
    he has a good understanding not just of technology, but also of the 
    complexities of the moral and ethical issues surrounding technology in 
    our society today. He did a great job enlightening my students, and he 
    really made the FBI sound like a pretty cool environment for people 
    interested in pursuing security as a career. My advice: call your 
    local FBI and see if they won't come visit your class, or Users Group, 
    or club. I guarantee you'll learn something. 
    
    Scott Granneman is a senior consultant for Bryan Consulting Inc. in 
    St. Louis. He specializes in Internet Services and developing Web 
    applications for corporate, educational, and institutional clients.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Jan 28 2004 - 05:31:53 PST