[ISN] Feds want help from private sector on IT security

From: InfoSec News (alerts@private)
Date: Thu Aug 03 2006 - 05:08:23 PDT


http://www.gcn.com/online/vol1_no1/41539-1.html

By William Jackson
GCN Staff
08/02/06 

LAS VEGAS - For a decade federal law enforcement officials have been 
preaching the gospel of private-sector cooperation. The need for 
cooperation has long been obvious, but an FBI official told a gathering of 
computer security experts and hackers that the government is getting 
serious about the effort.

"Critical information about terrorism and other cybercrimes we are working 
on often resides with you folks, and will come to you first," Dan Larkin, 
a unit chief of the FBI's Internet Crime Complaint Center, said Wednesday 
at the opening of the Black Hat Briefings security conference.

But gaining the trust of the private sector has been difficult, and a good 
part of that problem has been the government's failures to follow through 
in using data it collects and to accommodate the private sector's needs.

An academic study on the use of the Internet to investigate organized 
crime, commissioned by the FBI in 1999, identified two channels of funding 
used by al-Qaeda in planning the Sept. 11, 2001, attacks on the United 
States. When that was realized, a light went on in the bureau, according 
to Larkin.

"We need to go after these partnerships more aggressively," he said.

The stakes in this game of cat and mouse between law enforcement and 
cybercriminals are getting higher.

"Spam and cybercrime are really about the money," Larkin said. "It's not 
just the script kiddies any more. There are people making a lot of money 
out there."

Security experts have been noting the commercialization of malicious code 
for several years now as a sophisticated black market in malware has 
changed the goal of hacking from bragging rights to financial gain.

Unreported vulnerabilities are auctioned off in this online marketplace 
and exploits are packaged into retail toolkits that can be used to snare 
potentially valuable information.

Finjan Inc. of Santa Clara, Calif., reported in a quarterly study of 
threat trends that new exploits are focusing on active content used on Web 
sites. These can perform stealthy attacks that maintain a steady leak of 
data from unsuspecting victims.

Finjan's Malicious Code Research Center found vulnerabilities in 
Microsoft's Internet Explorer and Vista operating system being offered to 
the highest bidder through the Full Disclosure e-mailing list. The list is 
hosted and sponsored by Secunia, a Danish security company that monitors 
vulnerabilities and reverse engineers software.

According to the list's guidelines, "any information pertaining to 
vulnerabilities is acceptable," including announcements of exploits, code 
and tools.

The center also found a Web Attacker toolkit offered on a Russian Web site 
for about $300. The kit, which lets the user create a malicious Web site 
that infects browsers with drive-by installations, even comes with an 
update subscription for $20.

"Befitting a professional software product, the toolkit is provided with 
detailed user guide and friendly user interface," and "also provides 
well-designed reports" on the numbers of infections broken down by 
exploit, the report said.

The result of these developments is an increasingly organized underground 
economy in which malware is bought, sold and deployed for financial gain.

In the last three years, the FBI has responded with improved cooperation 
with the private sector. Larkin now heads up the ICCC's Cyber Initiative 
Resource Fusion Unit, which is coordinating a number of initiatives 
targeting specific areas of crime.

Operation ReLEAF (Retail and Law Enforcement Against Fraud), started in 
2003, helped gather private-sector data that could spot emerging fraud 
schemes. The Slam Spam initiative has assembled two teams of analysts 
funded by industry and staffed in part by law enforcement to respond to 
spam problems, and is a model for the new Digital Phishnet that addresses 
phishing expeditions—the use of legitimate-seeming e-mail to coax people 
into revealing personal and financial information.

One thing the FBI has learned is that high-profile events spawn scams. In 
the wake of Hurricane Katrina, more than 5,000 reports of fraudulent 
schemes were received within weeks. Some of the Web sites used in the 
fraud were being registered even before Katrina made landfall, Larkin 
said.


