Q&A: Making a federal case -- how the FBI collars cybercriminals

Computerworld - Identity theft, hacking for profit, espionage, iPod slurping -- the FBI is increasingly focused on helping organizations fight these and other cybercrimes. Computerworld's Robert L. Mitchell asked several agents what they're seeing in the field and what advice they can offer IT. Andrew G. Arena is special agent in charge of the FBI's criminal division in New York, Matt Heron is assistant special agent in charge of the transnational criminal enterprise branch in New York, and Timothy O'Brien is a special agent with the computer crimes squad in the New York office. Nenette Day, a special agent in Boston, was responsible for a sting operation that recovered the source code stolen from a major computer-aided design software vendor.

You all met recently with corporate CIOs. Why are you seeking them out?
Arena: We're trying to build a relationship with the private sector where they will trust us, where they will be comfortable coming to us if there is an intrusion.

What's on the minds of CIOs you've met?
Arena: Right now, the concern is, What is the FBI going to do? If we go to the FBI, is this going to be in the media the next day? Is our stock price going to go down? Am I going to lose my job? How will we handle it? Are we discreet?

Are you hearing about specific issues?
Arena: A lot of it was, "This is what we're seeing. ... We're getting pinged from locations in the old Soviet bloc, the Philippines."
O'Brien: They're on the front lines, dealing with the things that we're investigating. I'm seeing a lot of activity coming from overseas. That seems to be a major source of the phishing.

How big of an issue is cybercrime to the FBI?
Arena: Cybercrime is the No. 3 overall priority at the FBI, behind counterterrorism and counterintelligence.

What happened to organized crime?
Arena: It's still there. Cybercrime really overlaps every other program in the FBI. It's not just some 18-year-old kid with no social life trying to hack into the system. It's organized groups, it's state-sponsored organizations, it's terrorist organizations, for whatever purpose, trying to infiltrate our country. It's economic espionage targeting our infrastructure, trying to damage us financially. There's a lot of different reasons and a lot of different groups involved in this. That's why it's such a high priority.

From which areas overseas are most attacks originating right now?
O'Brien: Eastern Europe and Asia are two of the bigger hot spots.

The FBI has reported that some companies have been victimized by another scam, interactive voice response spoofing. How does that work?
Day: Phishers are now spoofing the phone trees of various companies, mainly banks. It sounds exactly like the phone tree that you're used to calling into where you put in your account number and PIN. You're putting in your account number and PIN, but you're actually calling a spoofed number that has been sent to you in an e-mail [saying], "There are problems with your account; we don't want you communicating over the Internet -- it's not safe -- just call this number to check in and make sure your account balance is correct." They're getting [user account and PIN] information by spoofing the phone tree of companies. It's the latest trend.

What are the top problems reported?
O'Brien: Now there is a profit motive. Take botnets, for example, [where the creator is] leasing out part of the botnet for use in some other type of crime. That's a relatively new evolution of the old crimes.
Day: Denial-of-service attacks were a problem a long time ago. Then companies got wise. They altered the network management, and it became not much of a problem. Then the botnets came on, and you've got thousands of compromised computers all over the world now attacking a site that your network isn't going to be able to handle. They're too big, and so the denial-of-service attack has once again become something that you have to be very concerned about. The botnets, where you have thousands of compromised computers, are just that powerful.

How many computer security incidents has your organization had within the past 12 months? Base: 1,811 respondents Does your organization have computer security logging activated?Base: 2,018 respondents Does your organization have Web site logging activated?Base: 1,995 respondents Source: 2005 FBI Computer Crime Survey

What have been your most notorious cases?
Heron: The largest consumer fraud in the U.S. was committed by the Gambino crime family. The loss was approximately $250 million dollars in an Internet fraud. They took a two-pronged approach. One was offering these free tours of adult Internet sites and then asking for a credit card for age-verification purposes. Nothing legitimate is going to come out of a question like that.

People were taking free tours, and then their credit cards were getting hit for charges over and over again. The second prong to this scheme involved telephone cramming, where they co-opted the head of a telephone company and the president of a bank in the Midwest and were going through a third-party billing provider, putting charges on peoples' telephone bills for services not provided.

The average person doesn't look too often at the individual charges on their phone bill. A small amount for this, a dollar for that ... nobody knows what they are, and no one pays much attention. That's what they were counting on. The end result was a $250 million loss to the public committed by four members and associates of one of the five La Cosa Nostra families in New York City.

Do you see a lot of organized crime involvement in stealing trade secrets?
Arena: I would call it organized groups. We see a lot of activity out of the former Soviet bloc countries of Eastern Europe. The bureau right now is kicking off an initiative where we're sending agents into those countries to work with the local law enforcement.

Do you see a lot of problems with mobile devices?
Day: Mobile computing is starting to be the big concern, with thefts of customer lists or intellectual property. The fact that laptops, PDAs and cell phones are so easily lost, the fact that they often have Bluetooth and other types of technologies, the fact that employees don't understand the risks. I could walk right by you and connect to your PDA and be reading all of your files if you don't have it locked down. It's a technology that's advancing very rapidly.

How are handhelds and cell phones compromised?
Day: You can compromise a cell phone so that you can turn it on whenever you want, and the conversations going on around you can be transmitted to whoever is controlling the cell phone. If I had your cell ... and I made a single phone call, I could download a program to the cell phone that would make the cell phone controllable.

How do you prevent that?
Day: Never let anyone use your cell phone. Honestly, you can't let people borrow your cell phone unless you know who the person is.

Should companies have policies disallowing cell phones and other mobile devices in highly sensitive meetings?
Day: I think that's a good idea. That's our policy. You shed all electronic equipment before you go into certain areas or certain meetings.

How safe are encrypted mobile devices? Is a software-based encryption program good enough?
Day: I don't know of an instance where encryption was not successful in protecting that information.
O'Brien: A number of [CIOs] have said that their most up-to-date initiative is to encrypt all of their mobile devices. That's something people seem to recognize as a potential loss problem.

What are the most common losses that could have been prevented?
Arena: One of the most common ones we've seen is the disgruntled employee who is no longer in the company but is able to gain access because their access to the network wasn't shut down in a timely fashion.

Do you see a lot of problems with stolen data leaving the premises on removable media?
Day: That problem has always existed. It's just that now you can carry out a lot more information. The iPod is the [newest] thing. Podslurping ... has turned the iPod into exactly the thing we never wanted to see on a 60GB storage device that's that tiny. [It runs] a program that can connect [an iPod] via the USB port and without access to a keyboard actually go through and suck up to 60GB of information in a very short period.

How can companies protect themselves from coordinated efforts to steal secrets?
Arena: You've got to put the time, the money, the effort into not only setting up your security system but [also] in updating it. You can't just say, "OK, we're secure; that's it." You've got to work every day; you've got to come to conferences and find out what's going on. Because the bad guys, they're not taking any days off. Their research and development far surpasses the private sector's. They're doing it. You've got to be doing it. Otherwise, they're going to break your system.

Source: 2005 FBI Computer Crime Survey