craschworks

http://www.securityfocus.com/cgi-bin/sfonline/columnists-item.pl?id=215

[If its good enough for the FBI Computer Crime Squad, its good enough
for you! http://www.amazon.com/exec/obidos/ASIN/B0000U9H40/c4iorg -WK]

By Scott Granneman
Jan 21 2004

Well, it finally happened. Right before Christmas, I had a little
visit from the FBI. That's right: an agent from the Federal Bureau of
Investigation came to see me. He had some things he wanted to talk
about. He stayed a couple of hours, and then went on his way.
Hopefully he got what he wanted. I know I did.

Let me explain. I teach technology classes at Washington University in
St. Louis, a fact that I mentioned in a column from 22 October 2003
titled, “Joe Average User Is In Trouble”. In that column, I talked
about the fact that most ordinary computer users have no idea about
what security means. They don't practice secure computing because they
don't understand what that means. After that column came out, I
received a lot of email. One of those emails was from Dave Thomas,
former chief of computer intrusion investigations at FBI headquarters,
and current Assistant Special Agent in Charge of the St. Louis
Division of the FBI.

Dave had this to say: “I have spent a considerable amount in the
computer underground and have seen many ways in which clever
individuals trick unsuspecting users. I don't think most people have a
clue just how bad things are.” He then offered to come speak to my
students about his experiences.

I did what I think most people would do: I emailed Dave back
immediately and we set up a date for his visit to my class.

It's not every day that I have an FBI agent who's also a computer
security expert come speak to my class, so I invited other students
and friends to come hear him speak. On the night of Dave's talk, we
had a nice cross-section of students, friends, and associates in the
desks of my room, several of them “computer people,” most not.

Dave arrived and set his laptop up, an IBM ThinkPad A31. He didn't
connect to the Internet – too dangerous, and against regulations, if I
recall – but instead ran his presentation software using movies and
videos where others would have actually gone online to demonstrate
their points. While he was getting everything ready, I took a look at
the first FBI agent I could remember meeting in person.

Dave is from Tennessee, and you can tell. He's got a southern twang to
his voice that disarms his listeners. He talks slowly, slightly
drawling his vowels, and it sort of takes you in, making you think
he's not really paying attention, and then you realize that he knows
exactly what he's doing, and that he's miles ahead of you. He wears a
tie, but his suit is ready to wear and just a bit wrinkled. His dark
hair is longer than you'd think, hanging below his collar, further
accentuating the country-boy image, but remember, this country boy
knows his stuff. All in all, he gives off the air of someone who's
busy as heck, too busy to worry about appearances, and someone who's
seen a lot of things in his time.

A-cracking we will go

Dave focused most of his talk on the threats that ordinary computer
users face: what those threats are, who's behind them, and why they
exist. He spent quite a bit of time talking about the intersection of
Trojans and viruses. He started by showing us how easy it is to create
a virus, using one of several virus creation wizards that can be
easily found on the Net (of course, real men and women write their
own).

More and more, however, the viruses circulating on the Internet are
quite purposeful in design. The goal is to install a Trojan on the
unsuspecting user's machine that will then allow the bad guy to
control the machine from afar, turning it into a Zombie machine under
the control of another. All too often, this tactic is successful.
Hundreds of thousands if not millions of machines are “owned” by
someone other that the user sitting in front of the keyboard and
monitor.

These Trojans are often the ones that security pros have been watching
for years: SubSeven, Back Orifice, and NetBus. A lot of the time,
script kiddies are the ones behind these Trojans, and they do the
usual stuff once they have control of a user's PC: grab passwords, use
groups of machines to organized DDOS attacks (often against other
script kiddies), and jump from machine to machine to machine in order
to hide their tracks.

What surprised me, however, were how often Trojans are used to mess
with the heads of the poor unsuspecting suckers who own the zombie
machines. A favorite trick is to surreptitiously turn on the Webcam of
an owned computer in order to watch the dupe at work, or watch what
he's typing on screen. This part isn't surprising. But Dave had
countless screenshots, captured from impounded machines or acquired
online from hacker hangouts, where the script kiddie, after watching
for a while, just can't help himself any longer, and starts to insult
or mock or screw with the duped owner.

In one, a hacker sent a WinPopup message to a fellow: “Hey, put your
shirt back on! And why are you using a computer when there's a girl on
your bed!” Sure enough, the camera had captured a guy using his
computer, sans shirt, and in the background you could clearly see a
young woman stretched out on a bed.

In another, a man was working a crossword puzzle online when the
hacker helpfully suggested a word for 14 Down (I think it was
“careless”), again using WinPopup. In a third, a screenshot captured
the utterly shocked expression on a man's face – mouth agape, eyes
open wide in amazement – when his computer began insulting him using,
you guessed it, WinPopup.

This is bad enough and it's also cruelly funny, but the scary part
came in when Dave started talking about the other group behind the
explosion of viruses and Trojans: Eastern European hackers, backed by
organized crime, such as the Russian mafia. In other words, the
professionals.

These people are after one thing: money. The easiest way to illegally
acquire money now is through the use of online tools like Trojans, or
through phishing: set up a fake Web site for PayPal or eBay or Amazon,
and then convince the naíve to enter their usernames, passwords, and
credit card information. Viruses and spam also intersect in this nasty
spiderweb. Viruses help spread Trojans, and Trojans are used to turn
unsuspecting users' computers into spam factories, or hosts for
phishing expeditions, and thus furthering the spread of all the
elements in this process: viruses, Trojans, spam, and phishing. It's a
vicious cycle, and unfortunately, it appears to be getting worse. The
FBI is working as hard as it can, but the nations of Eastern Europe
are somewhat powerless to solve the problem at this time.

One way to trace just how bad the situation has gotten: track the
price for a million credit card numbers. Just a few years ago, Dave
saw prices of $100 or more for a million stolen credit card numbers.
Now? Pennies. Stealing credit cards is so easy, and so rampant, that
prices have dropped precipitously, in a grotesque parody of capitalist
supply and demand.

Along with this comes intrusions into banks and other financial
institutions. Dave wouldn't name names, but he said several
organizations that we would all know have been infiltrated
electronically by Eastern Europeans, who then grab customer data. A
few days later, the unsuspecting president of the bank gets an email
demanding $50,000, or else the media will be told of the break-in. Of
course, the break-in is news to the bank. As proof of their exploit, a
spreadsheet is attached to the email, with a few hundred rows of
client data: bank account numbers, home addreses, balances.

Unfortunately, many banks decide to keep it all a secret from their
customers, so they reluctantly decide to go ahead and pay the
extortion. $50,000 goes to the criminals, and the bank breathes a sigh
of relief.

Three days later, ten emails arrive, from ten different criminal
organizations, each demanding $25,000. Ooops. Far from buying
protection, the bank revealed itself as a easy mark, amenable to
blackmail. And it will only get worse. Time to call in the FBI, as it
should have done from the beginning.

American companies have tried to respond to the massive fraud being
perpetrated online. One common preventive, adopted by most companies
that sell products online, has been to refuse shipments outside of
North America, or allow international shipping, except for Eastern
Europe. Criminals have figured out a way around this, however. They
hire folks to act as middlemen for them. Basically, these people get
paid to sit at home, sign for packages from Dell, Amazon, and other
companies, and then turn around and reship the packages to Russia,
Belorussia, and Ukraine. You know those signs you see on telephone
poles that read “Make money! Work at home!”? A lot of that “work” is
actually laundering products for the Russian mob. Of course, anyone
caught acting as a middleman denies knowledge of their employer: “I
had no idea why I was shipping 25 Dell computers a day to Minsk! I
just assumed they liked computers!”

Proof once again that social engineering, coupled with greed, is the
easiest way to subvert any security.

Some surprises

Dave had some surprises up his sleeve as well. You'll remember that I
said he was using a ThinkPad (running Windows!). I asked him about
that, and he told us that many of the computer security folks back at
FBI HQ use Macs running OS X, since those machines can do just about
anything: run software for Mac, Unix, or Windows, using either a GUI
or the command line. And they're secure out of the box. In the field,
however, they don't have as much money to spend, so they have to
stretch their dollars by buying WinTel-based hardware. Are you
listening, Apple? The FBI wants to buy your stuff. Talk to them!

Dave also had a great quotation for us: “If you're a bad guy and you
want to frustrate law enforcement, use a Mac.” Basically, police and
government agencies know what to do with seized Windows machines. They
can recover whatever information they want, with tools that they've
used countless times. The same holds true, but to a lesser degree, for
Unix-based machines. But Macs evidently stymie most law enforcement
personnel. They just don't know how to recover data on them. So what
do they do? By and large, law enforcement personnel in American end up
sending impounded Macs needing data recovery to the acknowledged North
American Mac experts: the Royal Canadian Mounted Police. Evidently the
Mounties have built up a knowledge and technique for Mac forensics
that is second to none.

(I hope I'm not helping increase the number of sales Apple has to drug
trafficers.)

The biggest surprise was how approachable and helpful Dave was to
everyone in the room. According to Dave, the FBI has really made
reaching out to the local communities it's in more of a priority.
Since the September 11th attacks, the FBI has shifted its number one
focus to preventing terrorism, but the number two priority remains
preventing and capturing crimes based around technology. In order to
best achieve both goals, the FBI has been working hard to reach out to
American citizens, and Dave's talk to my class was part of that
effort.

I'm a civil libertarian at heart, and that brings with it an innate
mistrust of governmental authority – power corrupts, after all. But
I'm glad people like Dave Thomas are in the FBI. He's a good man, and
he has a good understanding not just of technology, but also of the
complexities of the moral and ethical issues surrounding technology in
our society today. He did a great job enlightening my students, and he
really made the FBI sound like a pretty cool environment for people
interested in pursuing security as a career. My advice: call your
local FBI and see if they won't come visit your class, or Users Group,
or club. I guarantee you'll learn something.

Scott Granneman is a senior consultant for Bryan Consulting Inc. in
St. Louis. He specializes in Internet Services and developing Web
applications for corporate, educational, and institutional clients.