[ISN] CSI: TCP/IP

From: InfoSec News (alerts@private)
Date: Tue Jan 02 2007 - 22:17:19 PST


http://www.wired.com/wired/archive/15.01/cybercop.html

By Robin Mejia
Wired Magazine [1] 
Issue 15.01
January 2007

Keep your friends close and your enemies closer. Why the Pentagon's 
toughest Internet crime fighter likes hanging out with blackhat hackers. 

LOCATED ON THE LESS FASHIONABLE north end of the Las Vegas strip, the 
Riviera Hotel and Casino has seen better days. Even the girls in posters 
for the hotel's topless revue could use a makeover. But hey, it's cheap. 
Which is why 6,000 hackers have descended upon it for DefCon, billed as 
the "largest underground hacking event in the world." So while the hotel 
is no doubt happy for the business, it's also in classic Vegas fashion 
hedging its bet. Employees received a memo warning them to be on the 
lookout for people skimming guests' card numbers. Credit card processing 
has been suspended in the food court. The Riviera doesn't need the 
grief.

Yet the Riviera's conference facilities are strangely tranquil. In the 
"chill-out room," a bored-looking cashier is selling burgers, chicken 
sandwiches, and salads to people too focused or too lazy to walk across 
the hotel to the Quizno's. On the wall next to the bar, someone is 
projecting usernames and the first few letters of the associated 
passwords; noobs sent that info unencrypted over the conference's 
wireless network. At the front of the room, a middle-aged man in khaki 
shorts sits with a small group having a beer. He's graying, a little 
thick around the middle. Across the back of his polo shirt are the words 
DOD Cyber Crime Response Team, as in US Department of Defense.

A big guy with a shaved head walks up. "You're Jim Christy," he says, 
smiling. He has a hint of an accent.

Christy smiles back: "What's your handle?"

"Oh, I don't really have a handle."

All hackers have handles. Christy pushes it. "But really," he says, 
"what's your handle?"

"Most guys go through that phase for a while, but for me, it was really 
just a couple of days. Not enough time for a handle." They're both 
smiling. Neither has broken eye contact.

Christy points out a pulsing vein in the guy's neck, suggesting it's a 
sign he is lying. The guy calls Christy an old man. He hints that maybe 
he might have some small connection to Mossad. As he finally sits down, 
Christy passes him a business card.

"You know, sometimes I become aware of botnets running on DOD networks," 
the maybe-ex-intelligence agent says. "It would be nice to have someone 
to contact." Christy says he'd be happy to oblige.

Bingo: another node in the Jim Christy network. That's why he comes to 
DefCon, to extend his already vast informal intelligence web of hackers, 
security professionals, and computer geeks. He's also here to pick up 
tips, of course. And to try to recruit a few of the blackhats to the 
side of justice or at least to scare them straight. "We're appealing to 
their patriotism," he says. "And if that doesn't work, then fear works, 
too."

Fifteen years ago, Christy founded the Pentagon's first digital 
forensics lab. Back then, most cops didn't even bother to seize 
computers when they executed a search warrant. Ten years ago, he was the 
guy they tapped to explain computer security to senators and the White 
House. Now Christy has built his shop into the world's largest center 
for pulling evidence off damaged or encrypted hard drives, tracking 
hackers across networks, reconstructing terrorists' computers, and 
training a new generation of law enforcement. He's the government's 
original geek with a gun.

JIM CHRISTY was 19 when he joined the military. It was 1971; he was 
barely passing his classes at a Baltimore-area junior college and 
working full time at a car wash to help support his parents. Christy 
knew he wouldn't qualify for a student deferment. He figured that if he 
had to go in, he'd choose how. He enlisted in the Air Force.

But Christy didn't end up in Vietnam. He became a computer operator, 
eventually landing on the night shift at the Pentagon. He stayed on 
after his discharge, and in 1986 he heard the Air Force Office of 
Special Investigations was looking for a computer crime investigator. "I 
read the job announcement and said, 'Wow, I get to stay with technology 
and carry a gun and be a cop, play cops and robbers for real?'" 
Apparently, his experience writing Cobol and Fortran algorithms to 
organize how people paid for parking at the Pentagon gave him an edge; 
Christy was hired as the assistant chief of the 16-person unit.

About the same time, Cliff Stoll, a UC Berkeley astronomer turned 
computer security guru, found hackers on his network. In The Cuckoo's 
Egg, Stoll's now-classic account of the story, he says that local police 
had no idea what he was talking about, and the FBI dismissed it as 
small-potatoes fraud. They told him to call back when he'd lost half a 
million dollars.

Stoll finally found Christy. Though Stoll's hackers had accessed only 
unclassified military computers, Christy thought it was espionage. "I 
realized the guy was searching for 'SDI,' which was the old Star Wars 
Strategic Defense Initiative, or 'nuclear,' or 'chemical,' or 
'biological,'" Christy says.

Stoll turned out to be a good teacher, full of tricks for tracking bad 
guys online. Together with a like-minded FBI agent, the pair traced the 
hackers back to West Germany. They sent police there to pick up five 
men, in their late teens to early twenties, selling US military 
documents to the KGB. The bust made his reputation. As DefCon founder 
Jeff Moss (handle: the Dark Tangent) tells it, in the late '80s and 
early '90s there were only three people hackers worried about. Christy 
was one of them. "It was like, be fearful, there's Jim Christy. Holy 
crap, stay out of his way."

As computers and networks became common, Christy's caseload grew. In 
1991, a murder suspect on an Air Force base chopped up two floppy disks. 
Investigators found 23 pieces, which Christy took to forensic 
specialists in law enforcement and intelligence. They said they couldn't 
help. Eventually, he and a deputy put the fragments together with tape 
and a magnifying glass; he recovered about 95 percent of the data, 
practically handing the military prosecutor a conviction. (Will he 
reveal who said it couldn't be done? "No way," Christy says. "I have to 
work with those agencies.") That same year, Christy founded his digital 
forensics lab, which was really just him and another guy reading 
confiscated hard drives with scavenged equipment at Bolling Air Force 
Base in DC. But the Pentagon started to see their value, and in 1998, 
Christy's lab was moved from the Air Force to the Department of Defense.

The team became known for recovering ungettable evidence. Once, the 
Naval Safety Center sent them a mass of unspooled black recording tape, 
the remains of a flight data recorder destroyed in a collision of two 
F-18s. One of the pilots had died in the crash, and the Navy thought the 
blame lay with the surviving pilot. Christy's group cleaned the 
firefighting foam off the tape, reconstructed and respooled it, and 
salvaged most of the data. The safety board used it to determine that 
the dead pilot was actually at fault.

In another case, the wife of an airman thought her husband was trying to 
kill her. Office of Special Investigations agents taped her confronting 
him over the phone. When the suspect got wind of the recording, he set 
fire to the office where the tape was stored. The team found the charred 
and melted remains of the cartridge, but they realized that the tape was 
wound so tightly inside that only its edges were burned. Christy's team 
recovered the audio and the Air Force charged and convicted the airman 
with conspiracy to commit murder and arson.

Meanwhile, Christy was putting in time on Capitol Hill. He'd get up 
early, do a few hours at the lab, then go coordinate cybersecurity 
hearings for the Senate or work on the President's Task Force on 
Infrastructure Protection. "We'd send him to see a senator," says Dan 
Gelber, a Florida state representative and former staff director for the 
US Senate Investigations subcommittee. "He'd go in there and explain not 
only how the Internet worked, but how it was breached." Other staffers 
started calling Gelber to find Christy; their bosses wanted his 
briefings. "They finally had someone explain to them what happened on a 
computer and why it was important."

That's when Christy started hanging out with hackers. His superiors 
didn't quite understand why he was going to DefCon; why not just send 
undercover agents? But Christy knew that if he talked to hackers, 
hackers would talk to him. One former blackhat says that meeting Christy 
and his fellow government operatives at DefCon over the years convinced 
him to switch sides. "When you realize that all the hackers in other 
countries, especially China, are ganging up on America, it doesn't take 
a rocket scientist to decide what side you want to be on," he says. 
After a couple of years working undercover "with, not for" various 
agencies with three-letter initialisms, he enlisted in the Army. He 
plans to try for Special Forces and hopes to get a job in law 
enforcement when he's done.

THE DEFENSE Cyber Crime Center, or DC3, occupies a low unmarked brick 
building just off Highway 295, the Baltimore-Washington Parkway. Christy 
now heads its research lab, the Defense Cyber Crime Institute, on the 
top floor. It's tasked with ensuring that the tools and technologies 
used by the guys downstairs actually perform as advertised, a process 
called validation. Digital forensics is still a relatively young field; 
most of the applications Christy used in the 1980s were written by two 
really smart IRS agents at home in their off hours. "We'd say, 'We need 
stuff that does X,' and they'd go develop it," Christy says. But these 
days the institute spends months evaluating everything homegrown or not 
before deployment. "You need to make sure that the tool doesn't create 
evidence," Christy says. One piece of software reported that a cell 
phone had sent a text message when it hadn't: not cool if you're trying 
to figure out when two suspects were in contact.

The rest of the team works on problems that commercial software can't 
yet handle, like decoding information hidden inside images or audio 
files. It's called steganography, and there are more than 100 free tools 
that can do it. The trouble is, pedophile rings are increasingly relying 
on steganography to hide child pornography. And while some commercial 
software can sniff out a steganographically concealed file, it can't 
decrypt it. Christy's institute is working on software that can reveal 
the contents of a steg file. "It could be like a virus scan," Christy 
says.

But even with 38 staffers, Christy has more problems than time. So this 
summer, he decided to get outside help. At DefCon, Christy announced the 
DC3 Forensics Challenge: 12 problems covering everything from 
recognizing faked images to cracking passwords (Christy had answers to 
only 10). Whoever solved the most first (or best) would win a free trip 
to Christy's annual DOD Cyber Crime Conference. More than 130 teams 
signed up.

Of course, Christy will never keep pace with every tool the bad guys (or 
the good guys, for that matter) can come up with. "One of the big things 
we're struggling with is gonna be Vista and BitLocker," he says. 
Microsoft's BitLocker Drive Encryption locks down an entire hard drive 
if the startup information is changed or a particular chip is removed. 
Microsoft has pledged never to create a BitLocker backdoor, and Christy 
worries about what that means for his team. "Right now, a dead box comes 
to us, and with the tools we have, we can exploit it," he says. "With 
Vista, we're gonna get dead boxes and they're gonna stay dead."

Maybe it's a good problem for next year's Forensics Challenge. Or maybe 
he won't have to wait that long for help. The contest has introduced 
Christy to universities and research groups across the country that, 
before last August, had no idea DC3 existed. Now many want to be his 
partner.

AT 7 O'CLOCK on the opening night of DefCon, Christy and 10 other 
middle-aged, casually dressed white guys settle into their seats at the 
front of the Riviera's grand ballroom. Most have the short hair and 
perfect posture that come from long stints in the military or law 
enforcement. They're all old friends of Christy's. One is an assistant 
secretary of defense, another is ex-NSA. The title of the panel is Meet 
the Fed, an oddity at a conference where the badges have no names on 
them and registration is cash-only to preclude the creation of an 
attendee roster.

In fact, any registered conference attendee who outs an undercover agent 
gets a T-shirt that reads "I Spotted the Fed." So Christy decides to have 
some fun. "We're gonna play a little game here," he says. "It's gonna be 
called 'Spot the Lamer.'" He sends two of his programmers out into the 
room to pick six candidates.

The unlucky six line up, and panel members start in with questions. 
"Number two, have you ever participated in a Star Trek marathon?"

"No sir, I'm a Star Wars fan."

"Number four, have you compiled your kernel yet today?"

He did it yesterday.

"Number three, have you ever been caught playing with a 3-inch floppy?"

It's hard to hear the answer over the laughter.

The winner, by audience acclaim, turns out to be number three, who 
apparently speaks fluent hexadecimal.

Christy wraps things up with a pitch. "It's a lot harder to defend a 
network than it is to break into one," he says. "And we could use a lot 
of talented people. So if you haven't crossed that line yet, don't. Come 
to work for us."

The hackers start to ask questions of their own. One guy says he's in a 
band called Preteen Porn Star, and he wants to know what to do with the 
creepy inquiries that come in through its Web site. Others want to talk 
about the government's support of open source. But the paycheck Christy 
hinted at is what really gets their attention.

"So," says an attendee in de rigueur black, "a few youthful 
indiscretions, will they disqualify you from jobs at a federal agency?"

"Not forever," Christy says. "But if you were doing it last week, you'd 
probably be ineligible."

A long line of fans trails Christy out the door, hackers and script 
kiddies queued up to ask advice and hand over tidbits of information. 
One tells Christy about a way he's discovered to strip information off 
of RFID chips. Another wants a business card so he can email about 
future employment.

So does Christy have undercover informants at DefCon? He shrugs. Of 
course. Then why go himself? "We not only find out what's happening," he 
says, "we find out who's doing it."

Even better, a few months after the conference, he got a call from one 
of the organizers, a fixture in the hacker community. The guy wanted 
advice on how to get a job doing digital forensics. Another node in the 
Jim Christy network.

Robin Mejia (mejia (at) nasw.org) wrote about computer surveillance and 
the movie Enemy of the State in issue 14.06.

Copyright 1993-2007 The Condé Nast Publications Inc. All rights reserved.

[1] http://www.amazon.com/exec/obidos/ASIN/B00005N7TL/c4iorg
