Federal Bureau of Investigation
Los Angeles Field Office
Cyber-Infrastructure Program
September, 2002
NIPC Overview
• FBI and Infrastructure Protection
– Criminal / Counterterrorism Investigations
• Cyber Crime
• Cases
• Fighting Cyber Crime
– Cyber Law
– What to do
Infrastructure Protection: Traditional Threat Paradigm
Classic Military Threat
(Diagram: United States Armed Forces vs. Foreign Military Antagonist)
Infrastructure Protection: A New Threat Paradigm
The New Cyberspace: Critical Infrastructures
The New Threat: Anyone
“The nation is vulnerable to new forms of terrorism ranging from cyber attacks to attacks on military bases abroad to ballistic missile attacks on U.S. cities.
“Wars in the 21st century will increasingly require all elements of national power – not just the military. They will require that economic, diplomatic, financial, law enforcement and intelligence capabilities work together.”
Defense Secretary Donald Rumsfeld addresses the National Defense University, January 31, 2002.
FBI Cyber History
• 1992 National Computer Crime Squad
» Washington D.C.
» Later: New York and San Francisco, then others
» Computer Analysis Response Team (CART)
• 1996 Computer Investigations and Infrastructure Protection Center
» Regional CITA Squads created.
• 1998 National Infrastructure Protection Center created.
» In anticipation of Presidential Decision Directive 63 (PDD 63)
National Infrastructure Protection Center Mission (per PDD-63):
• Manage FBI computer intrusion investigations program
– Support the FBI’s law enforcement, counterterrorism, and foreign counterintelligence missions
• Detect, deter, assess, warn of, investigate, and respond to attacks on critical infrastructures
• New Role for the FBI…
– Support other agencies and state & local governments involved in infrastructure protection
• Draft legislation moves some of these roles to the Office of Homeland Security
• Analysis and Warning Unit
• Training and Outreach Unit
Additional NIPC Roles
• Share, analyze, and disseminate information
• Provide training for federal, state and local cyber-investigators, and private sector entities involved in the infrastructure protection mission
• “Act as a Clearinghouse for technological developments”
• 24/7 public watch and warning capability ([email protected] or (202) 323-3205)
• Support National Security Authorities in acts of terrorism or foreign attacks on U.S. interests
Cyber Crime: Who are today’s “Cyber-Bandits”?
• Hackers (recreational & professional)
• “Hacktivists” (U.S. vs. China Hacker Wars)
• Criminals
• Cyber Terrorists
• (California ISO Hack?)
• Intelligence Officers
• Information Brokers
• Building marketing databases…
• Competitors
• Industrial Espionage
• Insiders
CSI Computer Crime Survey: Likely Sources of Attack
(Bar chart: percentage of respondents, 1997–2002, by likely source: Foreign gov., Foreign corp., Independent hackers, U.S. competitors, Disgruntled employees.)
Source: CSI/FBI 2002 Computer Crime and Security Survey, Computer Security Institute, www.gocsi.com
Case Note
CSI Computer Crime Survey: Type of Attack/Misuse Experienced
(Bar chart: percentage of respondents, 1997–2002, by type: Theft of proprietary info, System penetration, Insider abuse of Net access, Virus, Unauthorized access by insiders, Laptop, Denial of Service.)
Other Categories: Active Wiretap, Telecom. Eavesdropping, Telecom Fraud, Financial Fraud, Sabotage
2002 CSI / FBI Computer Crime Survey
• Among systems successfully attacked, 74% reported intrusions via the Internet.
• Up every year since 1996
• Total (reported) losses exceeded $455 million
• Value of proprietary data/information…
• Respondents’ reporting of incidents to law enforcement stabilized at around 34%
• Stabilization in use of digital IDs and intrusion detection systems
Cases…
• NASA / University hacks by Jason Diekman
• Financial Institution hack by Vladimir Levin
• Tamil Tigers: a Tool for Terrorism Propaganda
• The Analyzer
• Web Page Hacks
• Viruses
FBI Case Briefing: Jason Allen Diekman, aka “Shadow Knight” and “DarkLord”
1998: JPL and Stanford Hacks: 17 year old Jason Allen Diekman gains root level access to computers used to design NASA satellite flight control software. Admits to hacking into “hundreds, maybe thousands” of computers including Stanford, Harvard, Cornell, CSUF, UCLA, UCSD.
2001: While on bond, Diekman hacks into Oregon State University system 33 times: steals credit card numbers.
Uses hacked ATT phone cards to call Western Union and transfer money to himself from the stolen credit card accounts. Social Engineering issues – Diekman forwarded phones to his number for WU verification…
2001: Diekman hacks into Bay Area Internet Solutions: steals usernames and passwords; uses system to store exploits and cracking code…
Sentenced to 21 months in federal prison and ordered to pay $88,000 in restitution.
FBI Case Briefing: Vladimir Levin/Citibank
Group of Russian hackers led by Vladimir Levin, a 24-year-old computer expert.
Targeted major U.S. financial institution’s cash management system by compromising passwords to impersonate account holders.
Attempted 40 transfers to offshore accounts totaling $10 million, with actual losses of $400,000.
Captured in London and extradited to U.S. for trial. 4 conspirators pled guilty.
Sentenced to 36 months in U.S. and ordered to pay restitution of $240,000.
FBI Case Briefing: Tamil Tigers
• Intent was to spread propaganda and conduct an illegal fund-raising scheme via the Internet
• Terrorists spoofed authorized accounts to carry out the fraudulent fund-raising scheme
• Also launched denial of service attacks against Sri Lanka’s government systems
• In June, 1997 Tamil Tigers terrorist group hacked into Sheffield University, UK computer network
FBI Case Briefing: The Analyzer
Handle: Analyzer
Name: Ehud Tenebaum
Hack: Series of intrusions to U.S. Department of Defense computers from multiple locations.
Removed from Military Service for Prosecution
Offered numerous Television and book deals…
Web Page Hacks
• U.S. vs. China “Hacker War”
– Spring, 2000
– Prophet - Hacker Nationalism
• Israeli vs. Palestinian “Hacker War”
– Hate crime elements…
Denial of Service Attacks
• A Well Documented Vulnerability
• Victim computer(s) have not been compromised
• Victim computer simply overwhelmed with traffic…ICMP, Syn flood, etc.
• Code Red WhiteHouse.Gov attack
• Distributed Denial of Service…more traffic, harder to trace
• You Have No Control
Viruses
• Melissa
– David L. Smith Arrested April 1, 1999
– Pled Guilty to One Count of 18 USC 1030
– Stipulated to Causing $80 Million in Damages in Over One Million Systems
• The Love Bug
– Estimated to have impacted 45 million users
• 20 Different Countries
• $10 Billion
• Two Days!
• Code Red v1, v2, Code Red II
• W32 / My Party Worm
Fighting Cyber-Crime: Cyber Law
• Federal Criminal Statutes
• Specific Federal Cyber Laws
• California Penal Code Section 502
Possible Federal Violations
18 USC § 641 Embezzlement and Theft of Public Money, Property or Records
18 USC § 659 Interstate or Foreign Shipments by Carriers
18 USC § 793 Gathering, Transmitting, or Losing Defense Information
18 USC § 794 Gathering/delivering Defense info to Aid Foreign Government
18 USC § 1001 False Statements
18 USC § 1029 Fraud and related activity in connection with access devices
18 USC § 1030 Computer Fraud and Abuse Act of 1996
18 USC § 1366 Destruction of an Energy Facility
18 USC § 1343 Fraud by wire, radio, or television
18 USC § 1361 Malicious Mischief
18 USC § 1831 Economic Espionage Act of 1996
18 USC § 2071 Records and Reports: Concealment, removal, or mutilation
18 USC § 2155 Sabotage: Destruction of national defense material, national defense premises, or national defense utilities
18 USC § 2314 Interstate Transportation of Stolen Property
18 USC § 2511 Interception and Disclosure of Wire, Oral, or Electronic Communications
Specific Federal Cyber Laws
• 18 U.S.C. 1030 Computer Fraud and Abuse
• 18 U.S.C. 1831 Economic Espionage
• 18 U.S.C. 1832 Industrial Espionage (Theft of Trade Secrets)
• 18 U.S.C. 1029 Access Device
• 18 U.S.C. 1343 Fraud By Wire
• No Electronic Theft (NET) Act (strengthening 17 USC 506 and 18 USC 2319)
• 18 U.S.C. 2511 SysAdmin Authority to Monitor
On-Line Resources
• Federal Bureau of Investigation
– http://www.nipc.gov
• U.S. Department of Justice
– Computer Crime and Intellectual Property Section
On-Line Resources (continued)
• CERT/CC
– http://www.cert.org
• Located at the Software Engineering Institute
• Federally funded research and development center operated by Carnegie Mellon University.
• CIAC
– http://ciac/llnl.gov/ciac/
• Located at Lawrence Livermore National Labs
• Federally funded by U.S. D.O.E.
What You Should Do If Attacked…
• Notify corporate security, legal counsel, and law enforcement.
– Think About:
• Protecting Yourself – (Mission Critical vs. Proprietary Data)
• Catching the Perpetrator
• Activate your incident management team.
• Created PRIOR to any incident
• One person in charge
• One person responsible for evidence.
• Keep a chronological log of events - record everything your team does.
What To Do (continued)
• Activate all available audit trails & logging
• What logs were active at the time of the attack?
• Begin keystroke monitoring
• Consent to Monitor (banner in place?)
• SysAdmin Monitoring Authority under 2511
– Can be used even absent consent or a warning banner
• Identify and recover available evidence
• System log files, system images, altered/damaged files, intruders’ files, network logs (routers, SNMP, etc.), traditional evidence
• Secure evidence and maintain simple “chain-of-custody” records
What To Do (continued): Example Banner
• This is a ___________ computer system. Before processing classified and/or sensitive but unclassified information, check the security accreditation level of this system. Do not process, store, or transmit information classified above the accreditation level of this system. This computer system, including all related equipment, networks, and network devices (including Internet access) are provided only for authorized ___________ use. _________ computer systems may be monitored for all lawful purposes, including to ensure their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability, and operational security. Monitoring includes, but is not limited to, active attacks by authorized __________ entities to test or verify the security of the system. During monitoring, information may be examined, recorded, copied, and used for authorized purposes. All information, including personal information, placed on or sent over this system may be monitored. Use of this __________ computer system, authorized or unauthorized, constitutes consent to monitoring. Unauthorized use of this __________ computer system may subject you to civil litigation and/or criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for administrative, criminal or other adverse action. Use of this system constitutes consent to monitoring for all lawful purposes.
What To Do (continued)
• Identify source(s) of the attack.
• Record specific damages and losses
• Including hours spent on recovery
– Now recoverable under Patriot Act provisions
• Important for prosecution
• Prepare for repeat attacks.
• Protecting Mission Critical vs. Proprietary Data
• Theorize - nobody knows your system better than you.
• Determine how the intrusion happened.
• Identify possible subjects and motives.
• Be patient with law enforcement.
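The evidence-handling steps above (a chronological log kept by the team, one person responsible for evidence, simple chain-of-custody records) can be backed by a small tool. The following is an added example, not part of the original presentation: it hashes each evidence item at acquisition, appends timestamped custody records to a log, and re-verifies the hash later so any change to the item is recorded rather than silently accepted. The custodian name and the router log line are constructed sample values.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Hash a file in chunks so large images and logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def log_custody(logbook, item, action, custodian, note=""):
    """Append one timestamped record; the log is only ever appended to."""
    rec = {"time": datetime.now(timezone.utc).isoformat(), "item": item,
           "action": action, "custodian": custodian, "note": note}
    logbook.append(rec)
    return rec


def acquire(logbook, path, custodian):
    """Record an evidence item: its hash at acquisition and who took custody."""
    digest = sha256_file(path)
    log_custody(logbook, path, "acquired", custodian, "sha256=" + digest)
    return digest


def verify(logbook, path, custodian):
    """Re-hash and compare to the acquisition hash; log the outcome either way."""
    recorded = next(r["note"].split("=", 1)[1] for r in logbook
                    if r["item"] == path and r["action"] == "acquired")
    ok = sha256_file(path) == recorded
    log_custody(logbook, path, "verified" if ok else "TAMPER-DETECTED", custodian)
    return ok


def demo():
    """Constructed sample: acquire a router log, verify it, alter it, verify again."""
    path = os.path.join(tempfile.mkdtemp(), "router.log")
    with open(path, "w") as f:  # fabricated log line with documentation addresses
        f.write("Jan 10 03:12:44 edge-rtr: denied tcp 203.0.113.7 -> 192.0.2.10:23\n")
    logbook, who = [], "J. Doe (evidence custodian, hypothetical)"
    acquire(logbook, path, who)
    first = verify(logbook, path, who)
    with open(path, "a") as f:  # simulate the evidence being touched after acquisition
        f.write("edited\n")
    second = verify(logbook, path, who)
    return first, second, [r["action"] for r in logbook]
```

The log records the hash alongside the custodian and time, so a later question of whether an item changed while in custody is answered from the record rather than from memory.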
What NOT To Do
• Do NOT use the compromised systems before preserving any evidence.
• Do not make assumptions as to Federal jurisdiction or prosecutorial merit.
• Do not assume that by ignoring the incident, or damage to your files, that it will go away.
• Do not correspond via E-mail on a compromised network regarding the incident or the investigation.
What to Expect if you call the FBI
• Agents will interview staff and obtain evidence
• Obtain prosecutive opinion
• Trace the attack (subpoenas, 2703(d) orders, sources)
– Identify the subject(s)
• Obtain/execute search warrants, interview subjects
• Examine evidence, identify more victims, develop more leads
• Obtain Federal Grand Jury Indictment
• Arrest and Possible Trial
– Disclosure Issues
• Can sometimes be overcome by documents filed under seal
(Diagram: Confidential vs. Public)
What to Expect if you call the FBI
• Agents will interview key witnesses
– IT Managers / Operators
• Agents may offer assistance in recovering logs; securing systems
• Agents may seek to identify the individual responsible
• Possible plea bargaining
• Possible trial
• Sentencing (upon conviction)
– Restitution
These steps do NOT occur quickly!
Contacts
• Federal Bureau of Investigation
– Los Angeles Field Office
• Cybercrime Division
– NIPC Counterintelligence / Counterterrorism Squad
– NIPC Computer Crime Squad
11000 Wilshire Blvd., Suite 1700
Los Angeles, California 90024
Main telephone number: (310) 477-6565