
Federal Bureau of Investigation

Los Angeles Field Office
Cyber-Infrastructure Program

September, 2002

NIPC Overview

• FBI and Infrastructure Protection
  – Criminal / Counterterrorism Investigations
• Cyber Crime
  • Cases
  • Fighting Cyber Crime
    – Cyber Law
    – What to do

Infrastructure Protection: Traditional Threat Paradigm

Classic Military Threat: United States Armed Forces vs. Foreign Military Antagonist

Infrastructure Protection: A New Threat Paradigm

The New Cyberspace: Critical Infrastructures

The New Threat: Anyone

“The nation is vulnerable to new forms of terrorism ranging from cyber attacks to attacks on military bases abroad to ballistic missile attacks on U.S. cities.

“Wars in the 21st century will increasingly require all elements of national power – not just the military. They will require that economic, diplomatic, financial, law enforcement and intelligence capabilities work together.”

Defense Secretary Donald Rumsfeld addresses the National Defense University, January 31, 2002.

FBI Cyber History

• 1992 National Computer Crime Squad
  » Washington D.C.
  » Later: New York and San Francisco, then others
  » Computer Analysis Response Team (CART)

• 1996 Computer Investigations and Infrastructure Protection Center
  » Regional CITA Squads created.

• 1998 National Infrastructure Protection Center created.
  » In anticipation of Presidential Decision Directive 63 (PDD 63)

National Infrastructure Protection Center Mission (per PDD-63):

• Manage FBI computer intrusion investigations program
  – Support the FBI’s law enforcement, counterterrorism, and foreign counterintelligence missions

• Detect, deter, assess, warn of, investigate, and respond to attacks on critical infrastructures

• New Role for the FBI…
  – Support other agencies and state & local governments involved in infrastructure protection

• Draft legislation moves some of these roles to the Office of Homeland Security

• Analysis and Warning Unit
• Training and Outreach Unit

Additional NIPC Roles

• Share, analyze, and disseminate information

• Provide training for federal, state and local cyber-investigators, and private sector entities involved in the infrastructure protection mission

• “Act as a Clearinghouse for technological developments”

• 24/7 public watch and warning capability ([email protected] or (202) 323-3205)

• Support National Security Authorities in acts of terrorism or foreign attacks on U.S. interests

Cyber Crime: Who are today’s “Cyber-Bandits”?

• Hackers (recreational & professional)
• “Hacktivists” (U.S. vs. China Hacker Wars)
• Criminals
• Cyber Terrorists (California ISO Hack?)
• Intelligence Officers
• Information Brokers
• Building marketing databases…
• Competitors
• Industrial Espionage
• Insiders

CSI Computer Crime Survey: Likely Sources of Attack

[Bar chart: percentage of respondents naming each likely source of attack, 1997–2002. Categories: foreign governments, foreign corporations, independent hackers, U.S. competitors, disgruntled employees. Source: CSI/FBI 2002 Computer Crime and Security Survey, Computer Security Institute, www.gocsi.com]

Case Note

CSI Computer Crime Survey: Type of Attack/Misuse Experienced

[Bar chart: percentage of respondents experiencing each type of attack or misuse, 1997–2002. Categories: theft of proprietary info, system penetration, insider abuse of Net access, virus, unauthorized access by insiders, laptop, denial of service. Other categories: active wiretap, telecom eavesdropping, telecom fraud, financial fraud, sabotage.]

2002 CSI / FBI Computer Crime Survey

• Among systems successfully attacked, 74% reported intrusions via the Internet.

• Up every year since 1996

• Total (reported) losses exceeded $455 million

• Value of proprietary data/information…

• Respondents’ reporting of incidents to law enforcement stabilized at around 34%

• Stabilization in use of digital IDs and intrusion detection systems

Cases…

• NASA / University hacks by Jason Diekman
• Financial Institution hack by Vladimir Levin
• Tamil Tigers: a Tool for Terrorism Propaganda
• The Analyzer
• Web Page Hacks
• Viruses

FBI Case Briefing: Jason Allen Diekman, aka “Shadow Knight” and “DarkLord”

1998: JPL and Stanford Hacks: 17 year old Jason Allen Diekman gains root level access to computers used to design NASA satellite flight control software. Admits to hacking into “hundreds, maybe thousands” of computers including Stanford, Harvard, Cornell, CSUF, UCLA, UCSD. 2001: While on bond, Diekman hacks into Oregon State University system 33 times: steals credit card numbers.

Uses hacked ATT phone cards to call Western Union and transfer money to himself from the stolen credit card accounts. Social Engineering issues – Diekman forwarded phones to his number for WU verification… 2001: Diekman hacks into Bay Area Internet Solutions: steals usernames and passwords; uses system to store exploits and cracking code… Sentenced to 21 months in federal prison and ordered to pay $88,000 in restitution.

FBI Case Briefing: Vladimir Levin/Citibank

Group of Russian hackers led by Vladimir Levin, a 24-year-old computer expert. Targeted major U.S. financial institution’s cash management system by compromising passwords to impersonate account holders. Attempted 40 transfers to offshore accounts totaling $10 million, with actual losses of $400,000. Captured in London and extradited to U.S. for trial. 4 conspirators pled guilty. Sentenced to 36 months in U.S. and ordered to pay restitution of $240,000.

FBI Case Briefing: Tamil Tigers

• Intent was to spread propaganda and conduct an illegal fund-raising scheme via the Internet

• Terrorists spoofed authorized accounts to carry out the fraudulent fund-raising scheme

• Also launched denial of service attacks against Sri Lanka’s government systems

• In June, 1997 Tamil Tigers terrorist group hacked into Sheffield University, UK computer network

FBI Case Briefing: The Analyzer

Handle: Analyzer
Name: Ehud Tenenbaum
Hack: Series of intrusions to U.S. Department of Defense computers from multiple locations.
Removed from Military Service for Prosecution
Offered numerous Television and book deals…

Web Page Hacks

• U.S. vs. China “Hacker War”
  – Spring, 2000
  – Prophet - Hacker Nationalism

• Israeli vs. Palestinian “Hacker War”
  – Hate crime elements…

Web Page Hacks

• CIA
• DOJ
• New York Times
• plus many more…

Denial of Service Attacks

• A Well Documented Vulnerability
• Victim computer(s) have not been compromised
• Victim computer simply overwhelmed with traffic… ICMP, Syn flood, etc.
• Code Red WhiteHouse.Gov attack
• Distributed Denial of Service… more traffic, harder to trace
• You Have No Control
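The bullets above make two defender-relevant points: a SYN flood leaves the victim with many half-open connections, and a distributed flood spreads them across so many sources that no single address stands out. The following is an added example, not material from the briefing: it counts half-open attempts per source over a constructed connection-attempt log (the record format, thresholds and sample addresses are all assumed here) and reports both a single noisy source and the distributed pattern that per-source thresholds miss.

```python
# Added example: spotting SYN-flood patterns in a connection-attempt log.
# This is not the briefing's material; the record format, thresholds and
# sample traffic below are constructed for illustration.
from collections import defaultdict


def build_sample():
    """Constructed records: '<seconds> <src_ip> <dst_ip> <tcp_flag>'.
    A normal handshake shows S (SYN) then A (ACK) from the same client."""
    lines = [
        "0.0 192.0.2.10 10.0.0.1 S", "0.1 192.0.2.10 10.0.0.1 A",   # legitimate
        "2.0 192.0.2.10 10.0.0.1 S", "2.1 192.0.2.10 10.0.0.1 A",   # client
    ]
    # single-source flood: six SYNs that are never completed
    lines += [f"{3 + i * 0.2:.1f} 198.51.100.5 10.0.0.1 S" for i in range(6)]
    # distributed flood: twelve sources, two uncompleted SYNs each
    lines += [f"{5 + i * 0.1:.1f} 203.0.113.{i + 1} 10.0.0.1 S"
              for i in range(12) for _ in range(2)]
    return lines


def parse(lines):
    """Turn the text records into (time, src, dst, flag) tuples."""
    records = []
    for line in lines:
        t, src, dst, flag = line.split()
        records.append((float(t), src, dst, flag))
    return records


def assess(records, now, window=10.0, per_source=5, aggregate=20):
    """Count half-open attempts (SYNs minus completing ACKs) per source inside
    the last `window` seconds. A source at or above `per_source` is flagged;
    if the remaining, individually quiet sources still add up to `aggregate`
    half-open attempts, the pattern looks distributed: no single address to block."""
    syns, acks = defaultdict(int), defaultdict(int)
    for t, src, _dst, flag in records:
        if not (now - window <= t <= now):
            continue
        if flag == "S":
            syns[src] += 1
        elif flag == "A":
            acks[src] += 1
    half_open = {src: max(0, syns[src] - acks[src]) for src in syns}
    noisy = sorted(src for src, n in half_open.items() if n >= per_source)
    spread = sum(n for src, n in half_open.items() if src not in noisy)
    return {
        "noisy_sources": noisy,
        "total_half_open": sum(half_open.values()),
        "spread": spread,
        "distributed": spread >= aggregate,
    }


if __name__ == "__main__":
    print(assess(parse(build_sample()), now=8.0))
```

The constructed sample mixes a legitimate client, one flooding address and twelve low-rate addresses. Only the first flooder crosses the per-source threshold, while the twelve quiet sources together exceed the aggregate threshold, which is exactly why the briefing notes that distributed floods are harder to trace and why the victim has no control over the inbound volume.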

Viruses

• Melissa
  – David L. Smith Arrested April 1, 1999
  – Pled Guilty to One Count of 18 USC 1030
  – Stipulated to Causing $80 Million in Damages in Over One Million Systems
• The Love Bug
  – Estimated to have impacted 45 million users
  • 20 Different Countries
  • $10 Billion
  • Two Days!
• Code Red v1, v2, Code Red II
• W32 / My Party Worm

Fighting Cyber-Crime: Cyber Law

• Federal Criminal Statutes
• Specific Federal Cyber Laws
• California Penal Code Section 502

Possible Federal Violations

18 USC § 641 Embezzlement and Theft of Public Money, Property or Records
18 USC § 659 Interstate or Foreign Shipments by Carriers
18 USC § 793 Gathering, Transmitting, or Losing Defense Information
18 USC § 794 Gathering/delivering Defense info to Aid Foreign Government
18 USC § 1001 False Statements
18 USC § 1029 Fraud and related activity in connection with access devices
18 USC § 1030 Computer Fraud and Abuse Act of 1996
18 USC § 1366 Destruction of an Energy Facility
18 USC § 1343 Fraud by wire, radio, or television
18 USC § 1361 Malicious Mischief
18 USC § 1831 Economic Espionage Act of 1996
18 USC § 2071 Records and Reports: Concealment, removal, or mutilation
18 USC § 2155 Sabotage: Destruction of national defense material, national defense premises, or national defense utilities
18 USC § 2314 Interstate Transportation of Stolen Property
18 USC § 2511 Interception and Disclosure of Wire, Oral, or Electronic Communications

Specific Federal Cyber Laws

• 18 U.S.C. 1030 Computer Fraud and Abuse
• 18 U.S.C. 1831 Economic Espionage
• 18 U.S.C. 1832 Industrial Espionage (Theft of Trade Secrets)
• 18 U.S.C. 1029 Access Device
• 18 U.S.C. 1343 Fraud By Wire
• No Electronic Theft (NET) Act (strengthening 17 USC 506 and 18 USC 2319)
• 18 U.S.C. 2511 SysAdmin Authority to Monitor

On-Line Resources

• Federal Bureau of Investigation
  – http://www.nipc.gov

• U.S. Department of Justice
  – Computer Crime and Intellectual Property Section

On-Line Resources (continued)

• CERT/CC
  – http://www.cert.org
  • Located at the Software Engineering Institute
  • Federally funded research and development center operated by Carnegie Mellon University.

• CIAC
  – http://ciac.llnl.gov/ciac/
  • Located at Lawrence Livermore National Labs
  • Federally funded by U.S. D.O.E.

You’ve just been hacked.

• What should you do?
• What should you NOT do?

What You Should Do If Attacked…

• Notify corporate security, legal counsel, and law enforcement.
  – Think About:
    • Protecting Yourself (Mission Critical vs. Proprietary Data)
    • Catching the Perpetrator

• Activate your incident management team.
  • Created PRIOR to any incident
  • One person in charge
  • One person responsible for evidence.

• Keep a chronological log of events - record everything your team does.

What To Do (continued)

• Activate all available audit trails & logging
  • What logs were active at the time of the attack?

• Begin keystroke monitoring
  • Consent to Monitor (banner in place?)
  • SysAdmin Monitoring Authority under 2511
    – Can be used even absent consent or a warning banner

• Identify and recover available evidence
  • System log files, system images, altered/damaged files, intruders’ files, network logs (routers, SNMP, etc.), traditional evidence

• Secure evidence and maintain simple “chain-of-custody” records
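Two of the steps above, keeping a chronological log of everything the team does and maintaining chain-of-custody records for recovered evidence, can be served by one record. The following is an added example, not FBI material: a small append-only custody log in which every entry carries the custodian, the action, a SHA-256 of the evidence file and the hash of the previous entry, so that a modified evidence file and an edited log entry are both detectable. The field names, the scenario and the sample log lines are constructed for illustration.

```python
# Added example: a minimal chain-of-custody record for digital evidence.
# Not FBI code; the field names, scenario and sample evidence are constructed here.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value used by the first entry in a custody log


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large disk images and logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_digest(entry: dict) -> str:
    """Hash every field of an entry except its own digest, in a canonical order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only chronological log: each entry names the custodian, the action,
    the evidence hash and the digest of the previous entry (a simple hash chain)."""

    def __init__(self):
        self.entries = []

    def record(self, item_id, path, action, custodian, note=""):
        entry = {
            "seq": len(self.entries) + 1,
            "time": datetime.now(timezone.utc).isoformat(),
            "item": item_id,
            "file": os.path.basename(path),
            "action": action,
            "custodian": custodian,
            "sha256": sha256_file(path),
            "note": note,
            "prev": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Detect edited, reordered or deleted log entries."""
        prev = GENESIS
        for seq, e in enumerate(self.entries, start=1):
            if e["seq"] != seq or e["prev"] != prev or _entry_digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def verify_item(self, item_id, path) -> bool:
        """Does the file on disk still match the last hash recorded for this item?"""
        recorded = [e for e in self.entries if e["item"] == item_id]
        return bool(recorded) and sha256_file(path) == recorded[-1]["sha256"]


def run_demo() -> dict:
    """Constructed scenario: collect a log file, hand it over, then detect changes."""
    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "auth.log")
        with open(evidence, "w") as f:  # constructed sample lines, not a real log
            f.write("Sep 12 03:14:07 host sshd[812]: Failed password for root from 198.51.100.7\n")
            f.write("Sep 12 03:14:09 host sshd[812]: Accepted password for root from 198.51.100.7\n")

        log = CustodyLog()
        log.record("E-001", evidence, "collected", "sysadmin J. Doe", "copied from /var/log")
        log.record("E-001", evidence, "transferred", "corporate security", "sealed bag #12")
        ok_before = log.verify_item("E-001", evidence)

        with open(evidence, "a") as f:  # the file is touched after seizure
            f.write("Sep 12 03:20:00 host sshd[812]: session closed\n")
        ok_after = log.verify_item("E-001", evidence)

        chain_ok = log.verify_chain()
        log.entries[0]["custodian"] = "someone else"  # the log itself is edited
        chain_after_edit = log.verify_chain()

        return {
            "entries": len(log.entries),
            "item_ok_before": ok_before,
            "item_ok_after_tamper": ok_after,
            "chain_ok": chain_ok,
            "chain_ok_after_edit": chain_after_edit,
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The hash of the evidence file is taken at collection time and again at every hand-over, so any later change to the file, even an innocent one made by using the compromised system, shows up as a mismatch; the hash chain over the entries does the same for the log itself. In practice the log would be written to a medium the incident team controls and the original evidence would be imaged before anything else touches it.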

What To Do (continued): Example Banner

• This is a ___________ computer system. Before processing classified and/or sensitive but unclassified information, check the security accreditation level of this system. Do not process, store, or transmit information classified above the accreditation level of this system. This computer system, including all related equipment, networks, and network devices (including Internet access) are provided only for authorized ___________ use. _________ computer systems may be monitored for all lawful purposes, including to ensure their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability, and operational security. Monitoring includes, but is not limited to, active attacks by authorized __________ entities to test or verify the security of the system. During monitoring, information may be examined, recorded, copied, and used for authorized purposes. All information, including personal information, placed on or sent over this system may be monitored. Use of this __________ computer system, authorized or unauthorized, constitutes consent to monitoring. Unauthorized use of this __________ computer system may subject you to civil litigation and/or criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for administrative, criminal or other adverse action. Use of this system constitutes consent to monitoring for all lawful purposes.

What To Do (continued)

• Identify source(s) of the attack.
• Record specific damages and losses
  • Including hours spent on recovery
    – Now recoverable under Patriot Act provisions
  • Important for prosecution

• Prepare for repeat attacks.
  • Protecting Mission Critical vs. Proprietary Data

• Theorize - nobody knows your system better than you.
  • Determine how the intrusion happened.
  • Identify possible subjects and motives.

• Be patient with law enforcement.

What NOT To Do

• Do NOT use the compromised systems before preserving any evidence.

• Do not make assumptions as to Federal jurisdiction or prosecutorial merit.

• Do not assume that by ignoring the incident, or the damage to your files, it will go away.

• Do not correspond via E-mail on a compromised network regarding the incident or the investigation.

What to Expect if you call the FBI

• Agents will interview staff and obtain evidence
• Obtain prosecutive opinion
• Trace the attack (subpoenas, 2703(d) orders, sources)
  – Identify the subject(s)
• Obtain/execute search warrants, interview subjects
• Examine evidence, identify more victims, develop more leads
• Obtain Federal Grand Jury Indictment
• Arrest and Possible Trial
  – Disclosure Issues
    • Can sometimes be overcome by documents filed under seal

[Diagram labels: Confidential / Public]

What to Expect if you call the FBI

• Agents will interview key witnesses
  – IT Managers / Operators

• Agents may offer assistance in recovering logs; securing systems

• Agents may seek to identify the individual responsible
• Possible plea bargaining
• Possible trial
• Sentencing (upon conviction)
  – Restitution

These steps do NOT occur quickly!

Contacts

• Federal Bureau of Investigation
  – Los Angeles Field Office
    • Cybercrime Division
      – NIPC Counterintelligence / Counterterrorism Squad
      – NIPC Computer Crime Squad

11000 Wilshire Blvd., Suite 1700
Los Angeles, California 90024
Main telephone number: (310) 477-6565