Identity theft, hacking for profit, espionage, iPod slurping — the FBI is increasingly focused on helping organisations fight these and other cybercrimes. I asked several agents what they’re seeing in the field and what advice they can offer IT.
Andrew G Arena is special agent in charge of the FBI’s criminal division in New York; Matt Heron is assistant special agent in charge of the transnational criminal enterprise branch in New York, and Timothy O’Brien is a special agent with the computer crimes squad in the New York office. Nenette Day, a special agent in Boston, was responsible for a sting operation that recovered the source code stolen from a major computer-aided design software vendor.
You all met recently with corporate CIOs. Why are you seeking them out?
Arena: We’re trying to build a relationship with the private sector where they will trust us, where they will be comfortable coming to us if there is an intrusion.
What’s on the minds of CIOs?
Arena: Right now, the concern is what is the FBI going to do? If we go to the FBI is this going to be in the media the next day? Is our stock price going to go down? Am I going to lose my job? How will we handle it? Are we discreet?
Are you hearing about specific issues?
Arena: A lot of it was, “This is what we’re seeing ... We’re getting pinged from locations in the old Soviet bloc; the Philippines.”
O’Brien: They’re on the front lines, dealing with the things that we’re investigating. I’m seeing a lot of activity coming from overseas. That seems to be a major source of the phishing.
How big an issue is cybercrime to the FBI?
Arena: Cybercrime is the number three overall priority at the FBI, behind counter-terrorism and counter-intelligence.
What happened to organised crime?
Arena: It’s still there. Cybercrime really overlaps every other programme in the FBI. It’s not just some 18-year-old kid with no social life trying to hack into the system. It’s organised groups; it’s state-sponsored organisations; it’s terrorist organisations, for whatever purpose, trying to infiltrate the country. It’s economic espionage targeting our infrastructure, trying to damage us financially. There are a lot of different reasons and a lot of different groups involved in this. That’s why it’s such a high priority.
From which areas overseas are most attacks originating right now?
O’Brien: Eastern Europe and Asia are two of the bigger hot spots.
The FBI has reported that some companies have been victimised by another scam: interactive voice response spoofing. How does that work?
Day: Phishers are now spoofing the phone trees of various companies, mainly banks. It sounds exactly like the phone tree that you’re used to calling into, where you put in your account number and PIN. You’re putting in your account number and PIN, but you’re actually calling a spoofed number that has been sent to you in an email [saying], “There are problems with your account; we don’t want you communicating over the internet — it's not safe — just call this number to check in and make sure your account balance is correct.” They’re getting [user account and PIN] information by spoofing the phone tree of companies. It’s the latest trend.
What are the top problems reported?
O’Brien: Now there is a profit motive. Take botnets, for example, [where the creator is] leasing out part of the botnet for use in some other type of crime. That’s a relatively new evolution of the old crimes.
Day: Denial-of-service attacks were a problem a long time ago. Then companies got wise. They altered the network management and it became not much of a problem. Then the botnets came on, and you’ve got thousands of compromised computers all over the world now attacking a site that your network isn’t going to be able to handle. They’re too big, and so the denial-of-service attack has once again become something that you have to be very concerned about. The botnets, where you have thousands of compromised computers, are just that powerful.
What have been your most notorious cases?
Heron: The largest consumer fraud in the US was committed by the Gambino crime family. The loss was approximately US$250 million (NZ$403 million) in an internet fraud. They took a two-pronged approach. One was offering these free tours of adult internet sites and then asking for a credit card for age-verification purposes. Nothing legitimate is going to come out of a question like that.
People were taking free tours, and then their credit cards were getting hit for charges over and over again. The second prong to this scheme involved telephone cramming, where they co-opted the head of a telephone company and the president of a bank in the Midwest and were going through a third-party billing provider, putting charges on peoples’ telephone bills for services not provided.
The average person doesn’t look too often at the individual charges on their phone bill. A small amount for this, a dollar for that ... nobody knows what they are and no one pays much attention. That’s what they were counting on. The end result was a US$250 million loss to the public, committed by four members and associates of one of the five La Cosa Nostra families in New York City.
Do you see a lot of organised crime involvement in stealing trade secrets?
Arena: I would call it organised groups. We see a lot of activity out of the former Soviet bloc countries of Eastern Europe. The bureau right now is kicking off an initiative where we’re sending agents into those countries to work with local law enforcement.
Do you see a lot of problems with mobile devices?
Day: Mobile computing is starting to be the big concern, with thefts of customer lists or intellectual property. The fact is that laptops, PDAs and cellphones are easily lost. The fact is that they often have Bluetooth and other types of technologies; the fact is that employees don’t understand the risks. I could walk right by you and connect to your PDA and read all your files if you don’t have it locked down. It’s a technology that’s advancing very rapidly.
How are handhelds and cellphones compromised?
Day: You can compromise a cellphone so that you can turn it on whenever you want, and the conversations going on around you can be transmitted to whoever is controlling the cell phone. If I had your cell ... and I made a single phone call, I could download a program to the cellphone that would make the cellphone controllable.
How do you prevent that?
Day: Never let anyone use your cell phone. Honestly, you can’t let people borrow your cellphone unless you know who the person is.
Should companies have policies dis-allowing cellphones and other mobile devices in highly sensitive meetings?
Day: I think that’s a good idea. That’s our policy. You shed all electronic equipment before going into certain areas or certain meetings.
How safe are encrypted mobile devices? Is a software-based encryption program good enough?
Day: I don’t know of an instance where encryption was not successful in protecting that information.
O’Brien: A number of [CIOs] have said that their most up-to-date initiative is to encrypt all of their mobile devices. That’s something people seem to recognise as a potential loss problem.
What are the most common losses that could have been prevented?
Arena: One of the most common ones we’ve seen is the disgruntled employee who is no longer in the company but is able to gain access because their access to the network wasn’t shut down in a timely fashion.
Are there a lot of problems with data leaving the premises on removable media?
Day: That problem has always existed. It’s just that now you can carry out a lot more information. The iPod is the [newest] thing. Podslurping ... has turned the iPod into exactly the thing we never wanted to see on a 60GB storage device that’s that tiny. [It runs] a program that can connect [an iPod] via the USB port and, without access to a keyboard, actually go through and suck up to 60GB of information in a very short period.
How can companies protect themselves against efforts to steal secrets?
Arena: You’ve got to put the time, the money, the effort into not only setting up your security system but [also] updating it. You can’t just say, “Okay, we’re secure; that’s it.” You’ve got to work every day; you’ve got to come to conferences and find out what’s going on.
Because the bad guys, they’re not taking any days off. Their research and development far surpasses the private sector’s. They’re doing it. You’ve got to be doing it. Otherwise, they’re going to break your system.