Search This Blog

3.31.2008

Electronic Crimes

The Secret Service of today has an Electronic Crimes Task Force which focuses on electronic crime, including international threats, credit card theft/fraud, ID theft, missing and exploited children, virus propagation, intrusions, and threats to companies from insiders (insider threats). The Secret Service also assists other federal and local law enforcement agencies.

The USA PATRIOT Act of 2001. Sec. 105, instructed the Director of the United States Secret Service to develop a national network of electronic crime task forces based on the New York Electronic Crimes Task Force (NYECTF) model. On October 16, 2001, President George Bush signed Executive Order 13231 titled the "Critical Infrastructure in the Information Age". Section S(f) of the order calls for "Law Enforcement Coordination with National Security Components, DOJ through NIPC and Department of Treasury through United States Secret Service". The Electronic Crimes Task Force has continued to grow since it's inception.

Today one of the big crimes the Secret Service deals with is credit card theft. Databases that contain credit card information are being broken into, and credit card information is stolen from compromised PCs. Groups of people buy and sell the stolen credit cards, even some organized crime groups and international groups.

ID theft is rampant today. One of the many methods used to steal personal information from computers is the use of trojan horse malware. There are a variety of ways to infect a machine with a trojan, including packaging the trojan in with another file. Once the computer is infected, the trojan will immediately send out information and usually opens a port to listen for an incoming connection. Typically the trojan can be configured to send a message via email or instant message containing the IP of the victim. The hacker can then connect to the infected machine. The trojan usually scans and gathers information such as passwords or credit card information automatically. This information can be retrieved when the machine is connected to, or it can be included in the initial message sent out. More sophisticated trojans can be configured to target certain kinds of information and can send the information anywhere. Many trojans include the ability to turn the infected machine into a proxy. Most trojans also include a keylogger which can be configured to begin immediately, or wait to be turned on after a connection is made.

Key logger software is software that logs all keys typed on a computer. This makes it possible to harvest user name and password information, account information, as well as credit card numbers entered and other data. It is advisable to never do sensitive transactions on a public computer. The Secret Service has investigated Universities and many other public computers and found that keylogger use is pandemic.

Virus investigations are conducted to try to track down and catch those who propagate viruses. One success story is the arrest of the Minnesota teen Jeffrey Lee Parson, known online as "teekid", for allegedly releasing a version of the "Blaster" computer worm. The Secret Service also reaches across international borders to try to catch cyber criminals.

The Secret Service investigates missing and exploited children. This can include incidents of older men contacting children and attempting to meet with them. It also includes one of the most heinous crimes, child pornography. Many times computers are seized and forensics are done to catch perpetrators.

There are many organized hacking groups, many of them international groups who conduct a plethora of electronic crime ranging from mild to severe. Historically there were unorganized "clique" networks of hackers. Today there are increasingly organized criminal "entrepreneurial" networks that are typically spread out through multiple countries.

One of the schemes perpetrated by organized groups is phishing scams. In phishing scams, hackers are used to develop a legitimate appearing email with a link to a legitimate appearing website, usually a clone of a real site, that will steal any information that is entered. Typically phishers are phishing for bank or other account information, usernames and passwords, or credit card numbers. Many times a separate group will open a bank account where stolen money can be sent, and then the money can be distributed to conspirators electronically and by using services such as Western Union. This makes tracking down all of those involved very difficult.

Intrusions into systems and networks do occur, and when they do many times the Secret Service is called in to do network forensics to determine the source(s) of the attacks.

One of the big threats to network security is the "insider threat". The majority of theft at companies occurs from internal employees. They are usually motivated by financial gain, or revenge against the company. An example of insider theft is AOL software engineer Jason Smathers, 24, who was charged with stealing AOL's entire customer list and selling it to spammers. Smathers was a member of AOL staff and used his access to steal the database of customer email addresses.

A network administrator must be aware of the potential for damage or theft from internal employees. The Secret Service has noted the psychology of typical insider criminals. They display observable behavior including different forms of disobedience, and they usually do not consider consequences.

Many times when a network administrator suspects that an internal employee is involved in illegal activity, or believes that the network has been compromised, or is not sure of what is going on, the Secret Service is called in to do forensic analysis. Problems that can occur include email spam, network intrusion, embezzlement, child porn, denial of service attacks, extortion, and other fraudulent activities.

It is a good tactic for a company to have an Incident Response Team (IRT) in place before an incident occurs. The team members should include a Senior Executive, members from marketing/PR, accounting, corporate security, and IT security. The goals of the incident response team are to prevent an uncoordinated response, collect information, minimize disruption of business, and to protect the organization's reputation. The team also facilitates a civil or criminal case, and works with law enforcement.

Law enforcement will need clear evidence when dealing with an incident. All servers and PCs that are involved should be identified, and logs should be kept, along with any audio or video evidence that may exist. The incident response team should have an impartial point of contact for dealing with law enforcement or the Secret Service.

The Secret Service works with other agencies including the FBI, the Department of Homeland Security, Department of Defense agencies, the National Security agencies, various Treasury agencies, the Office of Inspector General, as well as state and local law enforcement agencies.

The Secret Service is collaborating with CERT/CC of Carnegie Mellon University to develop the Critical Systems Protection Initiative (CSPI). An important part of CSPI is the Insider Threat Study, which " will analyze the physical and online behavior of insiders prior to and during network compromises."

The Secret Service works to protect national interest and critical infrastructure, as well as private industry. There are opportunities to join this team for Information Technology specialists of today and tomorrow.

USA PATRIOT Act as Passed by Congress
http://www.eff.org/Privacy/Surveillance/Terrorism/hr3162.php

Executive Order on Critical Infrastructure Protection
http://www.whitehouse.gov/news/releases/2001/10/20011016-12.html

National Threat Assessment Center - Insider Threat Study
http://www.secretservice.gov/ntac_its.shtml


Where did the Internet come from?