[IWAR] INTERNET policing net crime

From: 7Pillars Partners (partnersat_private)
Date: Mon Mar 09 1998 - 12:32:36 PST

    Posted at 10:12 p.m. PST Sunday, March 8, 1998 
    
     Identifying Net criminals difficult
    
     BY DAVID PLOTNIKOFF
     Mercury News Staff Writer 
    
     The special Internet offer for a 60-piece socket-wrench set sounded
     too good to be true. It was. Three weeks after mailing your check to
     an out-of-state P.O. box, no goods have arrived. The Web site you
     ordered from is gone. The angry e-mail you sent came back as
     undeliverable. Potential loss: $19.95.
    
     Internal copies of your software company's breakthrough
     application, due for release next quarter, have been posted to the Net
     by a disgruntled ex-employee. Potential loss: $9 million in R&D --
     and your job.
    
     What began as an innocent chat-room flirtation isn't so innocent
     anymore. The last e-mail message you received began: ``I know
     where you live. I know where you work. I know where your kids go
     to day care. . . .'' Potential loss: Your life.
    
     There is no way to calculate how many hundreds or thousands of
     times each day the Net brings crime into some unsuspecting person's
     life. But a report released by the Computer Security Institute found
     that nearly two-thirds of the 520 corporations, government offices,
     financial institutions and universities queried had experienced
     electronic break-ins or other security breaches in the past 12 months.
    
     Although fewer than half the companies assigned a dollar amount to
     their losses, the estimated total from those that did is staggering:
     $236 million for the last two years.
    
     With nearly a quarter-billion dollars vanishing into the ether, you'd
     think someone would call the cops.
    
     But those charged with enforcing the law in cyberspace say the vast
     majority of Net-borne crime never reaches the criminal justice system.
     And in the relatively few instances where a crime is reported, most
     often the criminal's true identity is never found.
    
     The San Jose Police Department's elite high-tech crimes unit is every
     citizen's first line of defense when trouble comes down the wire in the
     capital city of Silicon Valley. But today, four years after the explosion
     of the Internet as a mass market, even the top technology-crimes
     police unit in the country finds itself with just a handful of Internet
     crimes to investigate.
    
     SJPD was first in the nation
    
     In 1986, when the San Jose Police Department became the first local
     law enforcement agency in the nation to add a high-tech crimes detail,
     fewer than 10,000 computers -- most of them government and
     university mainframes -- were connected to the Internet. The word
     ``Internet'' -- and the concept of crime on it -- would not enter the
     public consciousness until 1988, with the release of the first
     widespread virus, the ``Morris Worm.'' In the beginning, the unit
     consisted of just one sergeant and one officer, and the focus was on
     the millions of dollars worth of components disappearing off the
     loading docks of the city's high-tech manufacturers.
    
     Today a handful of other metropolitan police departments have similar
     units, but San Jose's team still occupies a singular position. ``They are
     the leader in the nation,'' says Lee Curtis, Silicon Valley chapter
     president for the international High Technology Crime Investigation
     Association. ``They're clearly the largest and the best.''
    
     Of the approximately 25 cases the team has open at any given time,
     between 50 percent and 70 percent are component thefts and related
     fraud. In terms of sheer dollar value, chips are still where the action is.
     The team's second largest responsibility is supporting other parts of
     the department -- from burglary to homicide. (Whenever a computer
     is believed to be involved in a crime, it's the team's job to do the
     seizure and the forensic search for evidence).
    
     The Internet slice of the job -- chasing down hackers, stalkers and
     assorted scammers -- is too small to even keep statistics on. When
     pressed for a guess, Sgt. Don Brister, the unit's supervisor, estimates
     that Internet and online-service crimes make up ``probably no more
     than 3 or 4 percent'' of the team's workload.
    
     Brister, 44, and the unit's four investigators are all veteran cops, with
     lengthy experience in other details ranging from homicide to fraud to
     narcotics. But it's hard to think of any prior assignment that could
     prepare them to police a territory that has no borders, few maps and
     few fixed addresses.
    
     Ask the San Jose team or others in the field what proportion of Net
     crime ever appears on the criminal-justice radar and they'll say, in
     essence: We are equipped with computers and modems, but no
     psychic hotline. ``We're putting out fires,'' says an exasperated Curtis.
     ``We're reacting to who yells the loudest. We don't go looking for
     victims. How much of this problem is getting through to us? I don't
     know. It's like asking what percent of America doesn't file tax
     returns.''
    
     Of the Net fraud that does get reported, the loss is often too small to
     meet the threshold for an investigation. ``It is really not worth the time
     going through the criminal justice system spending $10,000 for a
     $200 loss,'' says Brister, a 22-year SJPD veteran who transferred to
     the high-tech unit a year ago after a stint in fraud. ``Often, with just a
     couple hours work on our end, we're able to satisfy the victim. By
     making a couple of phone calls and maybe a couple of personal
     contacts, we can solve the problem but not have to get the full system
     committed.''
    
     Stalking, harassment and other Net crimes that threaten lives take
     precedence over property crimes. But once the immediate threat has
     passed, victims are often hesitant to press forward with an
     investigation. The person making the threats ``is often someone who
     the victim has met online and discussed personal things with,'' Brister
     says. Many of those victims decide not to pursue the matter because
     of fear a spouse or significant other may learn of the digital dalliances.
     ``I think the fear among victims of being found out sometimes has
     been a big mind-changer,'' Brister says.
    
     Likely outcome
    
     In virtually every case where a charge does get filed, the result is
     either a guilty plea or a conviction at trial. (Thanks to the
     overwhelming amount of evidence gathered for Internet cases, very
     few go through to trial.) Brister is proud of the fact that no bad guy
     has ever gotten away scot-free from the high-tech unit.
    
     But the challenge usually lies in attaching the right name to the charge.
    
     ``Nobody's ever walked -- if we've identified them,'' says investigator
     Randy Andrews, a 23-year veteran who's been on high-tech for the
     last year and a half. ``The problem is that in about one out of 10 (of
     all the cases the unit handles) there's someone identified.'' And the
     identification rate for Net crimes may be even lower. ``Usually we
     identify (online criminals) only because they made mistakes,''
     Andrews says.
    
     Many potential investigations stop cold before they even start because
     the investigator knows there's no way to determine the suspect's true
     Internet address. Many Internet service providers issue a different
     numeric address (called an ``IP'' address) from a pool of such
     numbers every time a user signs on. Anonymous remailer services can
     automatically strip all identifying data from e-mail and send it on using
     a different numeric address. And free Web-based e-mail services
     allow users to hide behind disposable, unverifiable e-mail accounts
     that are accessible through any machine with a Web browser.
    
     ``You can walk into your local library and sign up for an hour's
     computer usage and send messages all over the place, and no one's
     going to know who really had their fingers on the keyboard,'' says
     Keith Lowry, 44, an investigator who worked almost two dozen Net
     cases for the team. Lowry left the unit last fall to take a similar
     position with the Santa Clara County District Attorney's Office. ``I've
     had several recent cases with those (free, Web-based) e-mail
     accounts and they make my job very complicated. You may have the
     same log-on identity and a different location each time you access the
     mail.''
    
     When a suspect is identified and charged, police must be prepared to
     prove conclusively that the suspect was the person using the account
     at the time of the crime. ``The only way we can answer that is to have
     a telephone line corresponding to the computer location,'' Andrews
     says. ``The IP address has to be verified as (corresponding) to that
     (street) address. . . . We can say, `We watched the house. Nobody
     came. Nobody left. That was the only occupant.' ''
    
     Finding the right person
    
     San Jose's investigators are sometimes forced to plow through seven
     or eight layers of network identities before the trail finally leads to a
     real person. And at each layer, they must work through the Internet
     service provider (ISP) that provided the account.
    
     It's hard to gauge the state of relations between the law and the
     service providers. While some on both sides may characterize the
     exchange of information as cooperative and collegial, others say it is
     stiff, guarded and more cumbersome than it need be.
    
     The law itself mandates some of that stiffness. The federal Electronic
     Communications Privacy Act requires Internet providers to safeguard
     their customers' information. The ISPs can be held liable if material is
     released without the proper legal tool. This means every request for
     user identities, files or e-mail must be accompanied by a search
     warrant or subpoena.
    
     Although ISPs have great latitude to investigate anything within the
     bounds of their networks, those investigations rarely make their way
     to the police. ``More often than not, we're the ones who initiate the
     contact,'' Lowry says. ``I don't recall ever being contacted by an ISP
     other than when they're the victim of a crime.''
    
     Andrews' experience is similar: ``Basically, these companies all have
     their own investigators, and when their systems are threatened they
     become very cooperative. But when it's a privacy issue and the case
     involves account holders, each one has a different take on what their
     responsibilities are.''
    
     When Net investigations take the San Jose team across state lines to
     distant ISPs, the provider may refuse to honor the California search
     warrant. In those cases, the team must have the warrant served by a
     local counterpart or a federal agent.
    
     Police say America Online -- the largest Internet provider in the land
     -- is a prime example of how this jurisdictional disconnect needlessly
     delays investigations and hinders the apprehension of criminals. The
     Dulles, Va.-based service, with more than 10 million members, says
     it's just adhering to the federal privacy law.
    
     America Online will directly honor subpoenas from out-of-state
     agencies seeking information on the identity of its customers. But
     when the request is for files, such as e-mail, police must get a local
     search warrant or court order. That means San Jose's tech team and
     every other law enforcement agency outside Virginia must turn to the
     FBI or the Loudoun County (Virginia) sheriff for assistance. The latter
     will secure a search warrant from the local district court, serve it on
     AOL and then relay the information back to San Jose.
    
     One of the largest ISPs -- with connection points in 331 cities in the
     United States, Canada and the United Kingdom -- is based almost
     within view of San Jose police headquarters. Netcom is a cyberspace
     metropolis, more than a half-million members -- and a security force
     of six. When trouble comes to Netcom, the in-house investigation is
     overseen by John Guinasso, director of corporate integrity and risk
     management.
    
     Guinasso says the most common types of cases involve the trading of
     child pornography and the theft of credit-card account numbers.
     ``Back in the old days, you had groups who would (hack their way
     onto a network). . . . Now, all they need to do is steal a credit card
     number and they're off and running. It's actually easier to do that than
     to break a password to get an account somewhere.''
    
     While most Net crimes are actually old crimes -- stalking, harassment,
     fraud and theft -- in a new venue, there is at least one criminal act
     entirely native to cyberia: ``denial of service'' attacks.
    
     It was this type of hack, which floods servers with bogus queries and
     prevents them from establishing connections with legitimate users, that
     rocked NASA, the Navy and university computers across the country
     recently.
    
     ``Nowadays, if some sophisticated cracker wants to cause a
     significant problem with a company or ISP, denial of service is one
     way to do it,'' says Guinasso, who's been in network security for 12
     years. ``It used to be only those crackers who had those capabilities
     to develop those tools -- the bad guys had to build their own
     weapons. But now those weapons have been made available on the
     Internet to any kid who wants them.''
    
     Companies have own forces
    
     Like the ISPs, most of the major tech companies in Silicon Valley
     maintain their own internal police forces and do their own
     investigations when break-ins or other crimes touch their networks.
     Sixty percent of the Silicon Valley membership of the High
     Technology Crime Investigation Association comes from the private
     sector.
    
     The amount of business transacted over the Net has soared
     exponentially in recent years as companies move orders, credit
     checks, financial data and other business functions online. Cyber
     crime on those networks is up, too. (The Computer Security Institute
     survey found crime increased 16 percent in the last year -- and the
     dollar value of the losses soared 36 percent.) Still, few corporate
     break-ins ever get reported to the SJPD.
    
     There are many reasons for a tech company to avoid involving the
     police department: In the case of break-ins to a corporate network
     from the Internet, the company may not want to call attention to
     security holes for fear of becoming a more prominent target. Often,
     they don't want competitors and financial analysts to know they've
     been robbed blind.
    
     ``We'd get calls all the time,'' Lowry says, ``from corporations who'd
     say, `Hey, we've been broken into, either from the outside or the
     inside, and we want to go after these people, but we also want to
     control how you do it.' ''
    
     Lowry says there are two reasons corporations will fight to keep
     investigations in-house: ``Fear of publicity. And fear that someone
     who has been successful in stealing intellectual property will end up
     sharing that information in court.''
    
     In a more perfect virtual world, one with clearly marked boundaries
     and jurisdictions, the San Jose Police Department would get more
     credit for the work they do out on the wire. Many of the online cases
     they investigate technically belong to other parts of the department,
     such as the child-exploitation unit, which takes the lead on child-sex
     crimes.
    
     Outside the department, the boundaries are just as blurry: Legally
     speaking, a Net crime can occur where the bad guy lives, where the
     victim lives or where the financial transaction was made. And while
     most of the unit's cases involve victims who are resident in San Jose,
     Brister and Lowry can't recall a single Net case that began and ended
     entirely within the city limits.
    
     Investigator has doubts
    
     Of all the investigators to chase bad guys through the wires, Lowry
     harbors the most doubts about whether law enforcement can fulfill its
     mandate on the Net: ``You're assuming we can police cyberspace
     and I don't think we can. I don't believe the Internet is to a point
     where a government entity can come through and say `I'm going to
     control what goes on here.' How do you put a boundary on
     something you can't put your hands around?''
    
     Lowry is painfully aware of what the criminal landscape will look like
     in years to come, as millions of newcomers take their business and
     personal lives to the Net. The fact that most of these woes have yet to
     reach the criminal justice system is no comfort to him.
    
     ``The scary part,'' Lowry says, ``is we know the storm is coming, but
     we don't know exactly what shape it's going to take. The scale is
     huge. . . . You're sitting on this beach, knowing it's going to hit, but
     you don't know what it is or when it's going to hit.''
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:06:17 PDT