Posted at 10:12 p.m. PST Sunday, March 8, 1998

Identifying Net criminals difficult

BY DAVID PLOTNIKOFF
Mercury News Staff Writer

The special Internet offer for a 60-piece socket-wrench set sounded too good to be true. It was. Three weeks after mailing your check to an out-of-state P.O. box, no goods have arrived. The Web site you ordered from is gone. The angry e-mail you sent came back as undeliverable. Potential loss: $19.95.

Internal copies of your software company's breakthrough application, due for release next quarter, have been posted to the Net by a disgruntled ex-employee. Potential loss: $9 million in R&D -- and your job.

What began as an innocent chat-room flirtation isn't so innocent anymore. The last e-mail message you received began: "I know where you live. I know where you work. I know where your kids go to day care. . . ." Potential loss: Your life.

There is no way to calculate how many hundreds or thousands of times each day the Net brings crime into some unsuspecting person's life. But a report released by the Computer Security Institute found that nearly two-thirds of the 520 corporations, government offices, financial institutions and universities queried had experienced electronic break-ins or other security breaches in the past 12 months. Although fewer than half the companies assigned a dollar amount to their losses, the estimated total from those that did is staggering: $236 million for the last two years.

With nearly a quarter-billion dollars vanishing into the ether, you'd think someone would call the cops. But those charged with enforcing the law in cyberspace say the vast majority of Net-borne crime never reaches the criminal justice system. And in the relatively few instances where a crime is reported, most often the criminal's true identity is never found.

The San Jose Police Department's elite high-tech crimes unit is every citizen's first line of defense when trouble comes down the wire in the capital city of Silicon Valley.
But today, four years after the explosion of the Internet as a mass market, even the top technology-crimes police unit in the country finds itself with just a handful of Internet crimes to investigate.

SJPD was first in the nation

In 1986, when the San Jose Police Department became the first local law enforcement agency in the nation to add a high-tech crimes detail, fewer than 10,000 computers -- most of them government and university mainframes -- were connected to the Internet. The word "Internet" -- and the concept of crime on it -- would not enter the public consciousness until 1988, with the release of the first widespread virus, the "Morris Worm."

In the beginning, the unit consisted of just one sergeant and one officer, and the focus was on the millions of dollars worth of components disappearing off the loading docks of the city's high-tech manufacturers.

Today a handful of other metropolitan police departments have similar units, but San Jose's team still occupies a singular position. "They are the leader in the nation," says Lee Curtis, Silicon Valley chapter president for the international High Technology Crime Investigation Association. "They're clearly the largest and the best."

Of the approximately 25 cases the team has open at any given time, between 50 percent and 70 percent are component thefts and related fraud. In terms of sheer dollar value, chips are still where the action is.

The team's second largest responsibility is supporting other parts of the department -- from burglary to homicide. (Whenever a computer is believed to be involved in a crime, it's the team's job to do the seizure and the forensic search for evidence.)

The Internet slice of the job -- chasing down hackers, stalkers and assorted scammers -- is too small to even keep statistics on. When pressed for a guess, Sgt. Don Brister, the unit's supervisor, estimates that Internet and online-service crimes make up "probably no more than 3 or 4 percent" of the team's workload.

Brister, 44, and the unit's four investigators are all veteran cops, with lengthy experience in other details ranging from homicide to fraud to narcotics. But it's hard to think of any prior assignment that could prepare them to police a territory that has no borders, few maps and few fixed addresses.

Ask the San Jose team or others in the field what proportion of Net crime ever appears on the criminal-justice radar and they'll say, in essence: We are equipped with computers and modems, but no psychic hotline.

"We're putting out fires," says an exasperated Curtis. "We're reacting to who yells the loudest. We don't go looking for victims. How much of this problem is getting through to us? I don't know. It's like asking what percent of America doesn't file tax returns."

Of the Net fraud that does get reported, the loss is often too small to meet the threshold for an investigation. "It is really not worth the time going through the criminal justice system spending $10,000 for a $200 loss," says Brister, a 22-year SJPD veteran who transferred to the high-tech unit a year ago after a stint in fraud. "Often, with just a couple hours work on our end, we're able to satisfy the victim. By making a couple of phone calls and maybe a couple of personal contacts, we can solve the problem but not have to get the full system committed."

Stalking, harassment and other Net crimes that threaten lives take precedence over property crimes. But once the immediate threat has passed, victims are often hesitant to press forward with an investigation. The person making the threats "is often someone who the victim has met online and discussed personal things with," Brister says. Many of those victims decide not to pursue the matter because of fear a spouse or significant other may learn of the digital dalliances.
"I think the fear among victims of being found out sometimes has been a big mind-changer," Brister says.

Likely outcome

In virtually every case where a charge does get filed, the result is either a guilty plea or a conviction at trial. (Thanks to the overwhelming amount of evidence gathered for Internet cases, very few go through to trial.) Brister is proud of the fact that no bad guy has ever gotten away scot-free from the high-tech unit. But the challenge usually lies in attaching the right name to the charge.

"Nobody's ever walked -- if we've identified them," says investigator Randy Andrews, a 23-year veteran who's been on high-tech for the last year and a half. "The problem is that in about one out of 10 (of all the cases the unit handles) there's someone identified." And the identification rate for Net crimes may be even lower. "Usually we identify (online criminals) only because they made mistakes," Andrews says.

Many potential investigations stop cold before they even start because the investigator knows there's no way to determine the suspect's true Internet address. Many Internet service providers issue a different numeric address (called an "IP" address) from a pool of such numbers every time a user signs on. Anonymous remailer services can automatically strip all identifying data from e-mail and send it on using a different numeric address. And free Web-based e-mail services allow users to hide behind disposable, unverifiable e-mail accounts that are accessible through any machine with a Web browser.

"You can walk into your local library and sign up for an hour's computer usage and send messages all over the place, and no one's going to know who really had their fingers on the keyboard," says Keith Lowry, 44, an investigator who worked almost two dozen Net cases for the team. Lowry left the unit last fall to take a similar position with the Santa Clara County District Attorney's Office.
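To make the dynamic-address problem described above concrete, here is an added example (not from the article, the SJPD or any ISP) that looks up which account held an address at a given moment in a constructed session-accounting log; the account names, the 192.0.2.x addresses and the timestamps are all made up for illustration.

```python
# Added illustration: why an IP address from a dynamic pool does not name a person.
# SESSIONS is a constructed ISP accounting log: account, assigned IP, session
# start and stop, all recorded in UTC. The same address is handed to several
# accounts over the day, so only an exact, correctly zoned timestamp resolves it.
from datetime import datetime, timedelta, timezone

SESSIONS = [  # constructed sample data, not real subscribers
    ("alice", "192.0.2.17", "1998-03-01T18:02:00", "1998-03-01T19:45:00"),
    ("bob",   "192.0.2.17", "1998-03-01T19:50:00", "1998-03-01T22:10:00"),
    ("carol", "192.0.2.18", "1998-03-01T19:00:00", "1998-03-01T23:30:00"),
    ("dave",  "192.0.2.17", "1998-03-02T01:00:00", "1998-03-02T03:00:00"),
]

def parse_utc(ts):
    """Log timestamps are stored as naive ISO strings; treat them as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)

def holders(ip):
    """Every account that held `ip` at some point in the log (sorted)."""
    return sorted({acct for acct, addr, _, _ in SESSIONS if addr == ip})

def accounts_for(ip, when, skew=timedelta(0)):
    """Accounts whose session with `ip` overlaps [when - skew, when + skew].
    `skew` models uncertainty in the complainant's clock; widening it can
    turn a unique answer into an ambiguous one."""
    lo, hi = when - skew, when + skew
    return {acct for acct, addr, start, stop in SESSIONS
            if addr == ip and parse_utc(start) <= hi and parse_utc(stop) >= lo}

def attribute(ip, local_ts, tz_offset_hours, skew_minutes=0):
    """Convert a complaint's local timestamp to UTC and resolve it to one
    account. Returns None when no account or more than one account matches:
    an unresolved or ambiguous lookup must not be reported as a hit."""
    local_zone = timezone(timedelta(hours=tz_offset_hours))
    when = datetime.fromisoformat(local_ts).replace(tzinfo=local_zone)
    hits = accounts_for(ip, when.astimezone(timezone.utc),
                        timedelta(minutes=skew_minutes))
    return hits.pop() if len(hits) == 1 else None

if __name__ == "__main__":
    print(holders("192.0.2.17"))                               # three accounts, one address
    print(attribute("192.0.2.17", "1998-03-01T11:00:00", -8))  # PST complaint -> alice
    print(attribute("192.0.2.17", "1998-03-01T11:00:00", 0))   # zone mistaken for UTC -> None
    print(attribute("192.0.2.17", "1998-03-01T19:47:00", 0, skew_minutes=10))  # ambiguous
```

Even a unique match only yields the account holder, which is why the investigators quoted below still need to tie the account to a telephone line and a street address.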
"I've had several recent cases with those (free, Web-based) e-mail accounts and they make my job very complicated. You may have the same log-on identity and a different location each time you access the mail."

When a suspect is identified and charged, police must be prepared to prove conclusively that the suspect was the person using the account at the time of the crime. "The only way we can answer that is to have a telephone line corresponding to the computer location," Andrews says. "The IP address has to be verified as (corresponding) to that (street) address. . . . We can say, 'We watched the house. Nobody came. Nobody left. That was the only occupant.'"

Finding the right person

San Jose's investigators are sometimes forced to plow through seven or eight layers of network identities before the trail finally leads to a real person. And at each layer, they must work through the Internet service provider (ISP) that provided the account.

It's hard to gauge the state of relations between the law and the service providers. While some on both sides may characterize the exchange of information as cooperative and collegial, others say it is stiff, guarded and more cumbersome than it need be.

The law itself mandates some of that stiffness. The federal Electronic Communications Privacy Act requires Internet providers to safeguard their customers' information. The ISPs can be held liable if material is released without the proper legal tool. This means every request for user identities, files or e-mail must be accompanied by a search warrant or subpoena.

Although ISPs have great latitude to investigate anything within the bounds of their networks, those investigations rarely make their way to the police. "More often than not, we're the ones who initiate the contact," Lowry says. "I don't recall ever being contacted by an ISP other than when they're the victim of a crime."

Andrews' experience is similar: "Basically, these companies all have their own investigators, and when their systems are threatened they become very cooperative. But when it's a privacy issue and the case involves account holders, each one has a different take on what their responsibilities are."

When Net investigations take the San Jose team across state lines to distant ISPs, the provider may refuse to honor the California search warrant. In those cases, the team must have the warrant served by a local counterpart or a federal agent.

Police say America Online -- the largest Internet provider in the land -- is a prime example of how this jurisdictional disconnect needlessly delays investigations and hinders the apprehension of criminals. The Dulles, Va.-based service, with more than 10 million members, says it's just adhering to the federal privacy law.

America Online will directly honor subpoenas from out-of-state agencies seeking information on the identity of its customers. But when the request is for files, such as e-mail, police must get a local search warrant or court order. That means San Jose's tech team and every other law enforcement agency outside Virginia must turn to the FBI or the Loudoun County (Virginia) sheriff for assistance. The latter will secure a search warrant from the local district court, serve it on AOL and then relay the information back to San Jose.

One of the largest ISPs -- with connection points in 331 cities in the United States, Canada and the United Kingdom -- is based almost within view of San Jose police headquarters. Netcom is a cyberspace metropolis, more than a half-million members -- and a security force of six. When trouble comes to Netcom, the in-house investigation is overseen by John Guinasso, director of corporate integrity and risk management.
Guinasso says the most common types of cases involve the trading of child pornography and the theft of credit-card account numbers. "Back in the old days, you had groups who would (hack their way onto a network). . . . Now, all they need to do is steal a credit card number and they're off and running. It's actually easier to do that than to break a password to get an account somewhere."

While most Net crimes are actually old crimes -- stalking, harassment, fraud and theft -- in a new venue, there is at least one criminal act entirely native to cyberia: "denial of service" attacks. It was this type of hack, which floods servers with bogus queries and prevents them from establishing connections with legitimate users, that rocked NASA, the Navy and university computers across the country recently.

"Nowadays, if some sophisticated cracker wants to cause a significant problem with a company or ISP, denial of service is one way to do it," says Guinasso, who's been in network security for 12 years. "It used to be only those crackers who had those capabilities to develop those tools -- the bad guys had to build their own weapons. But now those weapons have been made available on the Internet to any kid who wants them."

Companies have own forces

Like the ISPs, most of the major tech companies in Silicon Valley maintain their own internal police forces and do their own investigations when break-ins or other crimes touch their networks. Sixty percent of the Silicon Valley membership of the High Technology Crime Investigation Association comes from the private sector.

The amount of business transacted over the Net has soared exponentially in recent years as companies move orders, credit checks, financial data and other business functions online. Cyber crime on those networks is up, too. (The Computer Security Institute survey found crime increased 16 percent in the last year -- and the dollar value of the losses soared 36 percent.)
Still, few corporate break-ins ever get reported to the SJPD. There are many reasons for a tech company to avoid involving the police department: In the case of break-ins to a corporate network from the Internet, the company may not want to call attention to security holes for fear of becoming a more prominent target. Often, they don't want competitors and financial analysts to know they've been robbed blind.

"We'd get calls all the time," Lowry says, "from corporations who'd say, 'Hey, we've been broken into, either from the outside or the inside, and we want to go after these people, but we also want to control how you do it.'"

Lowry says there are two reasons corporations will fight to keep investigations in-house: "Fear of publicity. And fear that someone who has been successful in stealing intellectual property will end up sharing that information in court."

In a more perfect virtual world, one with clearly marked boundaries and jurisdictions, the San Jose Police Department would get more credit for the work they do out on the wire. Many of the online cases they investigate technically belong to other parts of the department, such as the child-exploitation unit, which takes the lead on child-sex crimes.

Outside the department, the boundaries are just as blurry: Legally speaking, a Net crime can occur where the bad guy lives, where the victim lives or where the financial transaction was made. And while most of the unit's cases involve victims who are resident in San Jose, Brister and Lowry can't recall a single Net case that began and ended entirely within the city limits.

Investigator has doubts

Of all the investigators to chase bad guys through the wires, Lowry harbors the most doubts about whether law enforcement can fulfill its mandate on the Net: "You're assuming we can police cyberspace and I don't think we can. I don't believe the Internet is to a point where a government entity can come through and say 'I'm going to control what goes on here.' How do you put a boundary on something you can't put your hands around?"

Lowry is painfully aware of what the criminal landscape will look like in years to come, as millions of newcomers take their business and personal lives to the Net. The fact that most of these woes have yet to reach the criminal justice system is no comfort to him.

"The scary part," Lowry says, "is we know the storm is coming, but we don't know exactly what shape it's going to take. The scale is huge. . . . You're sitting on this beach, knowing it's going to hit, but you don't know what it is or when it's going to hit."