http://www.wired.com/wired/archive/15.01/cybercop.html By Robin Mejia Wired Magazine [1] Issue 15.01 January 2007 Keep your friends close and your enemies closer. Why the Pentagon's toughest Internet crime fighter likes hanging out with blackhat hackers. By Robin Mejia LOCATED ON THE LESS FASHIONABLE north end of the Las Vegas strip, the Riviera Hotel and Casino has seen better days. Even the girls in posters for the hotel's topless revue could use a makeover. But hey, it's cheap. Which is why 6,000 hackers have descended upon it for DefCon, billed as the "largest underground hacking event in the world." So while the hotel is no doubt happy for the business, it's also in classic Vegas fashion hedging its bet. Employees received a memo warning them to be on the lookout for people skimming guests' card numbers. Credit card processing has been suspended in the food court. The Riviera doesn't need the grief. Yet the Riviera's conference facilities are strangely tranquil. In the "chill-out room," a bored-looking cashier is selling burgers, chicken sandwiches, and salads to people too focused or too lazy to walk across the hotel to the Quizno's. On the wall next to the bar, someone is projecting usernames and the first few letters of the associated passwords noobs sent that info unencrypted over the conference's wireless network. At the front of the room, a middle-aged man in khaki shorts sits with a small group having a beer. He's graying, a little thick around the middle. Across the back of his polo shirt are the words dod cyber crime response team as in US Department of Defense. A big guy with a shaved head walks up. "You're Jim Christy," he says, smiling. He has a hint of an accent. Christy smiles back: "What's your handle?" "Oh, I don't really have a handle." All hackers have handles. Christy pushes it. "But really," he says, "what's your handle?" "Most guys go through that phase for a while, but for me, it was really just a couple of days. Not enough time for a handle." They're both smiling. Neither has broken eye contact. Christy points out a pulsing vein in the guy's neck suggesting it's a sign he is lying. The guy calls Christy an old man. He hints that maybe he might have some small connection to Mossad. As he finally sits down, Christy passes him a business card. "You know, sometimes I become aware of botnets running on DOD networks," the maybe-ex-intelligence agent says. "It would be nice to have someone to contact." Christy says he'd be happy to oblige. Bingo: another node in the Jim Christy network. That's why he comes to DefCon, to extend his already vast informal intelligence web of hackers, security professionals, and computer geeks. He's also here to pick up tips, of course. And to try to recruit a few of the blackhats to the side of justice or at least to scare them straight. "We're appealing to their patriotism," he says. "And if that doesn't work, then fear works, too." Fifteen years ago, Christy founded the Pentagon's first digital forensics lab. Back then, most cops didn't even bother to seize computers when they executed a search warrant. Ten years ago, he was the guy they tapped to explain computer security to senators and the White House. Now Christy has built his shop into the world's largest center for pulling evidence off damaged or encrypted hard drives, tracking hackers across networks, reconstructing terrorists' computers, and training a new generation of law enforcement. He's the government's original geek with a gun. JIM CHRISTY was 19 when he joined the military. It was 1971; he was barely passing his classes at a Baltimore-area junior college and working full time at a car wash to help support his parents. Christy knew he wouldn't qualify for a student deferment. He figured that if he had to go in, he'd choose how. He enlisted in the Air Force. But Christy didn't end up in Vietnam. He became a computer operator, eventually landing on the night shift at the Pentagon. He stayed on after his discharge, and in 1986 he heard the Air Force Office of Special Investigations was looking for a computer crime investigator. "I read the job announcement and said, 'Wow, I get to stay with technology and carry a gun and be a cop play cops and robbers for real?'" Apparently, his experience writing Cobol and Fortran algorithms to organize how people paid for parking at the Pentagon gave him an edge; Christy was hired as the assistant chief of the 16-person unit. About the same time, Cliff Stoll, a UC Berkeley astronomer turned computer security guru, found hackers on his network. In The Cuckoo's Egg, Stoll's now-classic account of the story, he says that local police had no idea what he was talking about, and the FBI dismissed it as small-potatoes fraud. They told him to call back when he'd lost half a million dollars. Stoll finally found Christy. Though Stoll's hackers had accessed only unclassified military computers, Christy thought it was espionage. "I realized the guy was searching for 'SDI,' which was the old Star Wars Strategic Defense Initiative, or 'nuclear,' or 'chemical,' or 'biological,'" Christy says. Stoll turned out to be a good teacher, full of tricks for tracking bad guys online. Together with a like-minded FBI agent, the pair traced the hackers back to West Germany. They sent police there to pick up five men, in their late teens to early twenties, selling US military documents to the KGB. The bust made his reputation. As DefCon founder Jeff Moss (handle: the Dark Tangent) tells it, in the late '80s and early '90s there were only three people hackers worried about. Christy was one of them. "It was like, be fearful, there's Jim Christy. Holy crap, stay out of his way." As computers and networks became common, Christy's caseload grew. In 1991, a murder suspect on an Air Force base chopped up two floppy disks. Investigators found 23 pieces, which Christy took to forensic specialists in law enforcement and intelligence. They said they couldn't help. Eventually, he and a deputy put the fragments together with tape and a magnifying glass; he recovered about 95 percent of the data, practically handing the military prosecutor a conviction. (Will he reveal who said it couldn't be done? "No way," Christy says. "I have to work with those agencies.") That same year, Christy founded his digital forensics lab, which was really just him and another guy reading confiscated hard drives with scavenged equipment at Bolling Air Force Base in DC. But the Pentagon started to see their value, and in 1998, Christy's lab was moved from the Air Force to the Department of Defense. The team became known for recovering ungettable evidence. Once, the Naval Safety Center sent them a mass of unspooled black recording tape, the remains of a flight data recorder destroyed in a collision of two F-18s. One of the pilots had died in the crash, and the Navy thought the blame lay with the surviving pilot. Christy's group cleaned the firefighting foam off the tape, reconstructed and respooled it, and salvaged most of the data. The safety board used it to determine that the dead pilot was actually at fault. In another case, the wife of an airman thought her husband was trying to kill her. Office of Special Investigations agents taped her confronting him over the phone. When the suspect got wind of the recording, he set fire to the office where the tape was stored. The team found the charred and melted remains of the cartridge, but they realized that the tape was wound so tightly inside that only its edges were burned. Christy's team recovered the audio and the Air Force charged and convicted the airman with conspiracy to commit murder and arson. Meanwhile, Christy was putting in time on Capitol Hill. He'd get up early, do a few hours at the lab, then go coordinate cybersecurity hearings for the Senate or work on the President's Task Force on Infrastructure Protection. "We'd send him to see a senator," says Dan Gelber, a Florida state representative and former staff director for the US Senate Investigations subcommittee. "He'd go in there and explain not only how the Internet worked, but how it was breached." Other staffers started calling Gelber to find Christy their bosses wanted his briefings. "They finally had someone explain to them what happened on a computer and why it was important." That's when Christy started hanging out with hackers. His superiors didn't quite understand why he was going to DefCon; why not just send undercover agents? But Christy knew that if he talked to hackers, hackers would talk to him. One former blackhat says that meeting Christy and his fellow government operatives at DefCon over the years convinced him to switch sides. "When you realize that all the hackers in other countries, especially China, are ganging up on America, it doesn't take a rocket scientist to decide what side you want to be on," he says. After a couple of years working undercover "with, not for" various agencies with three-letter initialisms, he enlisted in the Army. He plans to try for Special Forces and hopes to get a job in law enforcement when he's done. THE DEFENSE Cyber Crime Center, or DC3, occupies a low unmarked brick building just off Highway 295, the Baltimore-Washington Parkway. Christy now heads its research lab, the Defense Cyber Crime Institute, on the top floor. It's tasked with ensuring that the tools and technologies used by the guys downstairs actually perform as advertised, a process called validation. Digital forensics is still a relatively young field; most of the applications Christy used in the 1980s were written by two really smart IRS agents at home in their off hours. "We'd say, 'We need stuff that does X,' and they'd go develop it," Christy says. But these days the institute spends months evaluating everything homegrown or not before deployment. "You need to make sure that the tool doesn't create evidence," Christy says. One piece of software reported that a cell phone had sent a text message when it hadn't not cool if you're trying to figure out when two suspects were in contact. The rest of the team works on problems that commercial software can't yet handle, like decoding information hidden inside images or audio files. It's called steganography, and there are more than 100 free tools that can do it. The trouble is, pedophile rings are increasingly relying on steganography to hide child pornography. And while some commercial software can sniff out a steganographically concealed file, it can't decrypt it. Christy's institute is working on software that can reveal the contents of a steg file. "It could be like a virus scan," Christy says. But even with 38 staffers, Christy has more problems than time. So this summer, he decided to get outside help. At DefCon, Christy announced the DC3 Forensics Challenge: 12 problems covering everything from recognizing faked images to cracking passwords Christy had answers to only 10. Whoever solved the most first (or best) would win a free trip to Christy's annual DOD Cyber Crime Conference. More than 130 teams signed up. Of course, Christy will never keep pace with every tool the bad guys or the good guys, for that matter can come up with. "One of the big things we're struggling with is gonna be Vista and BitLocker," he says. Microsoft's BitLocker Drive Encryption locks down an entire hard drive if the startup information is changed or a particular chip is removed. Microsoft has pledged never to create a BitLocker backdoor, and Christy worries about what that means for his team. "Right now, a dead box comes to us, and with the tools we have, we can exploit it," he says. "With Vista, we're gonna get dead boxes and they're gonna stay dead." Maybe it's a good problem for next year's Forensics Challenge. Or maybe he won't have to wait that long for help. The contest has introduced Christy to universities and research groups across the country that, before last August, had no idea DC3 existed. Now many want to be his partner. AT 7 O'CLOCK on the opening night of DefCon, Christy and 10 other middle-aged, casually dressed white guys settle into their seats at the front of the Riviera's grand ballroom. Most have the short hair and perfect posture that come from long stints in the military or law enforcement. They're all old friends of Christy's. One is an assistant secretary of defense, another is ex-NSA. The title of the panel is Meet the Fed, an oddity at a conference where the badges have no names on them and registration is cash-only to preclude the creation of an attendee roster. In fact, any registered conference attendee who outs an undercover agent gets a T-shirt that reads i spotted the fed. So Christy decides to have some fun. "We're gonna play a little game here," he says. "It's gonna be called 'Spot the Lamer.'" He sends two of his programmers out into the room to pick six candidates. The unlucky six line up, and panel members start in with questions. "Number two, have you ever participated in a Star Trek marathon?" "No sir, I'm a Star Wars fan." "Number four, have you compiled your kernel yet today?" He did it yesterday. "Number three, have you ever been caught playing with a 3-inch floppy?" It's hard to hear the answer over the laughter. The winner, by audience acclaim, turns out to be number three, who apparently speaks fluent hexadecimal. Christy wraps things up with a pitch. "It's a lot harder to defend a network than it is to break into one," he says. "And we could use a lot of talented people. So if you haven't crossed that line yet, don't. Come to work for us." The hackers start to ask questions of their own. One guy says he's in a band called Preteen Porn Star, and he wants to know what to do with the creepy inquiries that come in through its Web site. Others want to talk about the government's support of open source. But the paycheck Christy hinted at is what really gets their attention. "So," says an attendee in de rigueur black, "a few youthful indiscretions will they disqualify you from jobs at a federal agency?" "Not forever," Christy says. "But if you were doing it last week, you'd probably be ineligible." A long line of fans trails Christy out the door, hackers and script kiddies queued up to ask advice and hand over tidbits of information. One tells Christy about a way he's discovered to strip information off of RFID chips. Another wants a business card so he can email about future employment. So does Christy have undercover informants at DefCon? He shrugs. Of course. Then why go himself? "We not only find out what's happening," he says, "we find out who's doing it." Even better, a few months after the conference, he got a call from one of the organizers, a fixture in the hacker community. The guy wanted advice on how to get a job doing digital forensics. Another node in the Jim Christy network. Robin Mejia (mejia (at) nasw.org) wrote about computer surveillance and the movie Enemy of the State in issue 14.06. Copyright 1993-2007 The Cond Nast Publications Inc. All rights reserved. [1] http://www.amazon.com/exec/obidos/ASIN/B00005N7TL/c4iorg _____________________________ Subscribe to InfoSec News http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Tue Jan 02 2007 - 22:32:21 PST