A Visit from the FBI

[William Knowles <wk () c4i org>]

http://www.securityfocus.com/cgi-bin/sfonline/columnists-item.pl?id=215

[If its good enough for the FBI Computer Crime Squad, its good enough 
for you! http://www.amazon.com/exec/obidos/ASIN/B0000U9H40/c4iorg  -WK]


By Scott Granneman 
Jan 21 2004 

Well, it finally happened. Right before Christmas, I had a little 
visit from the FBI. That's right: an agent from the Federal Bureau of 
Investigation came to see me. He had some things he wanted to talk 
about. He stayed a couple of hours, and then went on his way. 
Hopefully he got what he wanted. I know I did. 

Let me explain. I teach technology classes at Washington University in 
St. Louis, a fact that I mentioned in a column from 22 October 2003 
titled, "Joe Average User Is In Trouble". In that column, I talked 
about the fact that most ordinary computer users have no idea about 
what security means. They don't practice secure computing because they 
don't understand what that means. After that column came out, I 
received a lot of email. One of those emails was from Dave Thomas, 
former chief of computer intrusion investigations at FBI headquarters, 
and current Assistant Special Agent in Charge of the St. Louis 
Division of the FBI. 

Dave had this to say: "I have spent a considerable amount in the 
computer underground and have seen many ways in which clever 
individuals trick unsuspecting users. I don't think most people have a 
clue just how bad things are." He then offered to come speak to my 
students about his experiences. 

I did what I think most people would do: I emailed Dave back 
immediately and we set up a date for his visit to my class. 

It's not every day that I have an FBI agent who's also a computer 
security expert come speak to my class, so I invited other students 
and friends to come hear him speak. On the night of Dave's talk, we 
had a nice cross-section of students, friends, and associates in the 
desks of my room, several of them "computer people," most not. 

Dave arrived and set his laptop up, an IBM ThinkPad A31. He didn't 
connect to the Internet - too dangerous, and against regulations, if I 
recall - but instead ran his presentation software using movies and 
videos where others would have actually gone online to demonstrate 
their points. While he was getting everything ready, I took a look at 
the first FBI agent I could remember meeting in person. 

Dave is from Tennessee, and you can tell. He's got a southern twang to 
his voice that disarms his listeners. He talks slowly, slightly 
drawling his vowels, and it sort of takes you in, making you think 
he's not really paying attention, and then you realize that he knows 
exactly what he's doing, and that he's miles ahead of you. He wears a 
tie, but his suit is ready to wear and just a bit wrinkled. His dark 
hair is longer than you'd think, hanging below his collar, further 
accentuating the country-boy image, but remember, this country boy 
knows his stuff. All in all, he gives off the air of someone who's 
busy as heck, too busy to worry about appearances, and someone who's 
seen a lot of things in his time. 

A-cracking we will go

Dave focused most of his talk on the threats that ordinary computer 
users face: what those threats are, who's behind them, and why they 
exist. He spent quite a bit of time talking about the intersection of 
Trojans and viruses. He started by showing us how easy it is to create 
a virus, using one of several virus creation wizards that can be 
easily found on the Net (of course, real men and women write their 
own). 

More and more, however, the viruses circulating on the Internet are 
quite purposeful in design. The goal is to install a Trojan on the 
unsuspecting user's machine that will then allow the bad guy to 
control the machine from afar, turning it into a Zombie machine under 
the control of another. All too often, this tactic is successful. 
Hundreds of thousands if not millions of machines are "owned" by 
someone other that the user sitting in front of the keyboard and 
monitor. 

These Trojans are often the ones that security pros have been watching 
for years: SubSeven, Back Orifice, and NetBus. A lot of the time, 
script kiddies are the ones behind these Trojans, and they do the 
usual stuff once they have control of a user's PC: grab passwords, use 
groups of machines to organized DDOS attacks (often against other 
script kiddies), and jump from machine to machine to machine in order 
to hide their tracks. 

What surprised me, however, were how often Trojans are used to mess 
with the heads of the poor unsuspecting suckers who own the zombie 
machines. A favorite trick is to surreptitiously turn on the Webcam of 
an owned computer in order to watch the dupe at work, or watch what 
he's typing on screen. This part isn't surprising. But Dave had 
countless screenshots, captured from impounded machines or acquired 
online from hacker hangouts, where the script kiddie, after watching 
for a while, just can't help himself any longer, and starts to insult 
or mock or screw with the duped owner. 

In one, a hacker sent a WinPopup message to a fellow: "Hey, put your 
shirt back on! And why are you using a computer when there's a girl on 
your bed!" Sure enough, the camera had captured a guy using his 
computer, sans shirt, and in the background you could clearly see a 
young woman stretched out on a bed. 

In another, a man was working a crossword puzzle online when the 
hacker helpfully suggested a word for 14 Down (I think it was 
"careless"), again using WinPopup. In a third, a screenshot captured 
the utterly shocked expression on a man's face - mouth agape, eyes 
open wide in amazement - when his computer began insulting him using, 
you guessed it, WinPopup. 

This is bad enough and it's also cruelly funny, but the scary part 
came in when Dave started talking about the other group behind the 
explosion of viruses and Trojans: Eastern European hackers, backed by 
organized crime, such as the Russian mafia. In other words, the 
professionals. 

These people are after one thing: money. The easiest way to illegally 
acquire money now is through the use of online tools like Trojans, or 
through phishing: set up a fake Web site for PayPal or eBay or Amazon, 
and then convince the naíve to enter their usernames, passwords, and 
credit card information. Viruses and spam also intersect in this nasty 
spiderweb. Viruses help spread Trojans, and Trojans are used to turn 
unsuspecting users' computers into spam factories, or hosts for 
phishing expeditions, and thus furthering the spread of all the 
elements in this process: viruses, Trojans, spam, and phishing. It's a 
vicious cycle, and unfortunately, it appears to be getting worse. The 
FBI is working as hard as it can, but the nations of Eastern Europe 
are somewhat powerless to solve the problem at this time. 

One way to trace just how bad the situation has gotten: track the 
price for a million credit card numbers. Just a few years ago, Dave 
saw prices of $100 or more for a million stolen credit card numbers. 
Now? Pennies. Stealing credit cards is so easy, and so rampant, that 
prices have dropped precipitously, in a grotesque parody of capitalist 
supply and demand. 

Along with this comes intrusions into banks and other financial 
institutions. Dave wouldn't name names, but he said several 
organizations that we would all know have been infiltrated 
electronically by Eastern Europeans, who then grab customer data. A 
few days later, the unsuspecting president of the bank gets an email 
demanding $50,000, or else the media will be told of the break-in. Of 
course, the break-in is news to the bank. As proof of their exploit, a 
spreadsheet is attached to the email, with a few hundred rows of 
client data: bank account numbers, home addreses, balances. 

Unfortunately, many banks decide to keep it all a secret from their 
customers, so they reluctantly decide to go ahead and pay the 
extortion. $50,000 goes to the criminals, and the bank breathes a sigh 
of relief. 

Three days later, ten emails arrive, from ten different criminal 
organizations, each demanding $25,000. Ooops. Far from buying 
protection, the bank revealed itself as a easy mark, amenable to 
blackmail. And it will only get worse. Time to call in the FBI, as it 
should have done from the beginning. 

American companies have tried to respond to the massive fraud being 
perpetrated online. One common preventive, adopted by most companies 
that sell products online, has been to refuse shipments outside of 
North America, or allow international shipping, except for Eastern 
Europe. Criminals have figured out a way around this, however. They 
hire folks to act as middlemen for them. Basically, these people get 
paid to sit at home, sign for packages from Dell, Amazon, and other 
companies, and then turn around and reship the packages to Russia, 
Belorussia, and Ukraine. You know those signs you see on telephone 
poles that read "Make money! Work at home!"? A lot of that "work" is 
actually laundering products for the Russian mob. Of course, anyone 
caught acting as a middleman denies knowledge of their employer: "I 
had no idea why I was shipping 25 Dell computers a day to Minsk! I 
just assumed they liked computers!" 

Proof once again that social engineering, coupled with greed, is the 
easiest way to subvert any security. 

Some surprises

Dave had some surprises up his sleeve as well. You'll remember that I 
said he was using a ThinkPad (running Windows!). I asked him about 
that, and he told us that many of the computer security folks back at 
FBI HQ use Macs running OS X, since those machines can do just about 
anything: run software for Mac, Unix, or Windows, using either a GUI 
or the command line. And they're secure out of the box. In the field, 
however, they don't have as much money to spend, so they have to 
stretch their dollars by buying WinTel-based hardware. Are you 
listening, Apple? The FBI wants to buy your stuff. Talk to them! 

Dave also had a great quotation for us: "If you're a bad guy and you 
want to frustrate law enforcement, use a Mac." Basically, police and 
government agencies know what to do with seized Windows machines. They 
can recover whatever information they want, with tools that they've 
used countless times. The same holds true, but to a lesser degree, for 
Unix-based machines. But Macs evidently stymie most law enforcement 
personnel. They just don't know how to recover data on them. So what 
do they do? By and large, law enforcement personnel in American end up 
sending impounded Macs needing data recovery to the acknowledged North 
American Mac experts: the Royal Canadian Mounted Police. Evidently the 
Mounties have built up a knowledge and technique for Mac forensics 
that is second to none. 

(I hope I'm not helping increase the number of sales Apple has to drug 
trafficers.) 

The biggest surprise was how approachable and helpful Dave was to 
everyone in the room. According to Dave, the FBI has really made 
reaching out to the local communities it's in more of a priority. 
Since the September 11th attacks, the FBI has shifted its number one 
focus to preventing terrorism, but the number two priority remains 
preventing and capturing crimes based around technology. In order to 
best achieve both goals, the FBI has been working hard to reach out to 
American citizens, and Dave's talk to my class was part of that 
effort. 

I'm a civil libertarian at heart, and that brings with it an innate 
mistrust of governmental authority - power corrupts, after all. But 
I'm glad people like Dave Thomas are in the FBI. He's a good man, and 
he has a good understanding not just of technology, but also of the 
complexities of the moral and ethical issues surrounding technology in 
our society today. He did a great job enlightening my students, and he 
really made the FBI sound like a pretty cool environment for people 
interested in pursuing security as a career. My advice: call your 
local FBI and see if they won't come visit your class, or Users Group, 
or club. I guarantee you'll learn something. 

Scott Granneman is a senior consultant for Bryan Consulting Inc. in 
St. Louis. He specializes in Internet Services and developing Web 
applications for corporate, educational, and institutional clients.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.