Hunting Hackers: How to Fight Back

In police work, sometimes the longest journeys end with the shortest trips. That's what happened to Brian Koref, who spent months at the Air Force Office of Special Investigations (OSI) tracking down a pair of Swedish hackers who invaded U.S. Air Force, U.S. Army, NASA and other military systems, helping themselves to password files and other sensitive data in the process.

Koref was scheduled to fly to Stockholm tomorrow, to testify against Charlie Malm and Joel Soederberg, both 24. But the trip was canceled when the two pleaded guilty to five counts of unauthorized intrusion into U.S. military systems.

Their trial for intrusion into servers at WIRE Ltd., the British company through which they launched their U.S. attack, started last week, according to Matthew Richard, former director of WIRE.

The charges relating to the U.S. intrusions make up "a great case with a lot of robust evidence," said Koref, who's now in the Air Force Reserve. He works full time at business Internet service provider Conxion Corp. in Santa Clara, Calif.

The plea bargain was the culmination of months of electronic gumshoe work in which Koref backtracked the attackers through multiple servers within defense networks and beyond. He brought in the Swedish National Police and even participated in a raid and the interrogation of the suspects.

Analysts say detective skills like Koref's, which are often gained in military-security posts and law enforcement, are beginning to filter out to private-sector information technology operations, pulled by fears engendered by high-profile hacks like last month's incident at Wallingford, Conn.-based CD, which found some of its customers' credit-card numbers posted on the Web. And last week, Yahoo Inc., Cable News Network, eBay Inc. and ZD Inc.'s ZDNet were all hit with what appeared to be coordinated denial-of-service attacks from parties as yet unknown.

Koref now uses his detective skills to find out how and where attackers strike Conxion clients like Microsoft Corp., a prime target of crackers.

Other private-sector organizations are using the same techniques for liability purposes to identify the source of illegal software or pornography posted secretly on their sites.

A lot of the skills needed for tracking attackers grow out of military computer crime units, which have learned a lot since the early '90s, when the Kevin Mitnicks of the world tromped freely through their systems. In the past four years, each branch of the military has built computer crime labs that provide the technical support and analysis for computer-based investigations.

"We're seeing a 50% increase in these cases every year. We're getting better at watching our networks (and) investigating and catching computer criminals," said Jeffrey Hormann, commander at the Computer Crime Resident Agency, part of the Army's Criminal Investigation Command in Fort Belvoir, Va. "We have better-trained administrators, more intrusion-detection capabilities, better-trained enforcement and improved processes in place to address attacks when they happen."

How They Did It

Koref's investigation started in November 1996, with a call from the Air Force's Information Warfare Center at Kelly Air Force Base in San Antonio.

"Their intrusion-detection filters turned up a string of characters with the letters PHF in it, and (we) wondered if it warranted further investigation," Koref said. "This was an attack signature against Apache Web servers that was rampant at the time."
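What a filter of that era was really looking for, shown as an added example that is not from the article or from the Air Force's tools: the phf CGI script shipped with early Web servers passed its query string to a shell without stripping newlines, so an attacker appended an encoded newline (%0a) followed by a command of choice. The script below parses constructed Apache common-log lines, narrows the crude "PHF" substring match to requests for the phf script whose decoded query contains a newline, and collects the source addresses that would be the next hop in a trace. The log lines, addresses and timestamps are constructed; the Qalias parameter and the %0a trick are the historical phf defect, not something taken from the case described here.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache common-log lines for illustration; not from the investigation
# described in the article. Line 4 shows why a bare "PHF" substring match is too loose.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [14/Nov/1996:02:13:07 -0600] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [14/Nov/1996:02:13:09 -0600] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 2211
198.51.100.7 - - [14/Nov/1996:02:14:30 -0600] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 318
203.0.113.5 - - [14/Nov/1996:02:15:02 -0600] "GET /phforum/index.html HTTP/1.0" 404 210
192.0.2.10 - - [14/Nov/1996:02:16:44 -0600] "GET /cgi-bin/phf?Qalias=x%0aid HTTP/1.0" 200 96
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def classify_phf(target):
    """Return None (not phf), 'probe' (phf called normally) or 'injection' for one request target."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/cgi-bin/phf"):
        return None
    decoded = unquote(parts.query)
    # phf handed the decoded query to popen(); a newline terminates the intended
    # command and starts the attacker's, so a decoded newline is the real signature.
    if "\n" in decoded or "\r" in decoded:
        return "injection"
    return "probe"


def find_phf_hits(log_text):
    """Parse each log line and keep those that touch phf, with the injected command if any."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        verdict = classify_phf(m["target"])
        if verdict is None:
            continue
        decoded = unquote(urlsplit(m["target"]).query)
        injected = decoded.split("\n", 1)[1] if "\n" in decoded else ""
        hits.append({"ip": m["ip"], "ts": m["ts"], "verdict": verdict,
                     "status": int(m["status"]), "injected": injected})
    return hits


def attacker_ips(hits):
    """Source addresses that attempted command injection: the next hop to trace."""
    return sorted({h["ip"] for h in hits if h["verdict"] == "injection"})


if __name__ == "__main__":
    hits = find_phf_hits(SAMPLE_ACCESS_LOG)
    for h in hits:
        print(h)
    print("trace next:", attacker_ips(hits))
```

A 200 status on the injection line is what made phf so damaging: the server answered the request normally, with the contents of the password file in the body, so the only trace left was the odd-looking query string in the access log. Note that the fourth sample line contains "phf" and would trip a plain substring filter but is not a phf request at all.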

Koref traced the attacker's movements by looking up the IP addresses the packets came from, checking them against the InterNIC domain-name registry and following them through hop after hop among IP addresses of Department of Defense computers and beyond.

In so doing, he discovered that hackers were helping themselves to buckets of password files as they infiltrated numerous military and NASA installations. He even tracked the attackers back to a pornography site, from which they had downloaded customer credit-card numbers.

Koref's break came when he followed an IP address back to another department of the U.S. military. This time, the attacker had entered through a military Web server, whose administrator was willing to help, with log files and other information. This address originated from an Internet service provider in Sweden.

That's when Koref contacted the Swedish National Police.

The Swedish police contacted the service provider, Sweden's chief telephone company. They then pulled the remote server access logs at the company and correlated the dynamic IP addresses assigned to users who had dialed in to the Internet service at the exact times of the attacks on the military sites.
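The correlation the Swedish police and the phone company performed, as an added example that is not part of the article: the attack timestamps come from the victim's Web server logs in U.S. Central time, the dial-in accounting records come from the access server in Swedish local time, and the question is which account held each dynamic address at each instant. All records below are constructed. The honour_zones switch shows the mistake a hurried investigator makes: comparing wall-clock readings from two countries attributes the third attack to the wrong subscriber. A small skew tolerance covers clocks that were never synchronised.

```python
from datetime import datetime, timedelta

# Constructed records for illustration; none of this is from the case in the article.
# Attack events as logged by the victim Web server (U.S. Central time, UTC-6):
# (timestamp in Apache common-log format, source address seen by the victim).
ATTACK_EVENTS = [
    ("14/Nov/1996:02:13:09 -0600", "192.0.2.10"),
    ("14/Nov/1996:02:16:44 -0600", "192.0.2.10"),
    ("15/Nov/1996:21:40:02 -0600", "192.0.2.77"),
]

# Dial-in accounting records from the ISP's access server, in Swedish local time (UTC+1):
# account, dynamic address handed out for the call, session start and stop.
SESSION_LOG = """\
user=kalle ip=192.0.2.10 start=1996-11-14T08:55:12+0100 stop=1996-11-14T09:31:40+0100
user=anna  ip=192.0.2.10 start=1996-11-14T10:02:00+0100 stop=1996-11-14T11:15:09+0100
user=bosse ip=192.0.2.77 start=1996-11-15T20:11:00+0100 stop=1996-11-15T23:59:59+0100
user=kalle ip=192.0.2.77 start=1996-11-16T04:20:31+0100 stop=1996-11-16T06:02:17+0100
"""

# The victim's clock and the access server's clock were never synchronised; allow drift.
SKEW = timedelta(seconds=60)


def parse_clf_time(text):
    """Apache common-log timestamp, keeping its UTC offset."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def parse_sessions(text):
    """Turn key=value accounting lines into dicts with timezone-aware start/stop."""
    sessions = []
    for line in text.splitlines():
        fields = dict(item.split("=", 1) for item in line.split())
        sessions.append({
            "user": fields["user"],
            "ip": fields["ip"],
            "start": datetime.strptime(fields["start"], "%Y-%m-%dT%H:%M:%S%z"),
            "stop": datetime.strptime(fields["stop"], "%Y-%m-%dT%H:%M:%S%z"),
        })
    return sessions


def attribute(events, sessions, skew=SKEW, honour_zones=True):
    """For each event, list the accounts that held its source address at that instant.

    With honour_zones=False the offsets are discarded and two countries' wall clocks
    are compared directly; that is the error which misattributes the third event.
    """
    def clock(dt):
        return dt if honour_zones else dt.replace(tzinfo=None)

    results = []
    for ts_text, ip in events:
        t = clock(parse_clf_time(ts_text))
        holders = [
            s["user"] for s in sessions
            if s["ip"] == ip and clock(s["start"]) - skew <= t <= clock(s["stop"]) + skew
        ]
        results.append((ts_text, ip, holders))
    return results


def suspects(results):
    """Accounts present in every attributed event: the subscriber(s) to ask the phone company about."""
    sets = [set(holders) for _, _, holders in results if holders]
    return sorted(set.intersection(*sets)) if sets else []


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_LOG)
    rows = attribute(ATTACK_EVENTS, sessions)
    for row in rows:
        print(row)
    print("suspects:", suspects(rows))
    print("zones ignored:", attribute(ATTACK_EVENTS, sessions, honour_zones=False))
```

Two practical caveats the example glosses over: a session still open when the logs were pulled has no stop record and must be treated as open-ended, and a dynamic address can be reassigned within seconds of a hang-up, which is why the skew tolerance should be kept small and any event matching two sessions should be flagged rather than silently resolved.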

The phone company was able to trace those connections back to the phone number and address of the attackers.

In January 1997, Koref accompanied the Swedish National Police on a raid of the crackers' lair, an apartment -- empty except for the two young men, a dozen stolen computers and four phone lines -- in a subsidized housing project near Stockholm.

"It was a hacker heaven," Koref said.

Cases like these call for a lot of old-fashioned detective work -- phone calls to other victimized server administrators, subpoenas and search warrants that allow law enforcement to review log files at Internet service providers and universities, through which hackers launch most attacks.

It's not easy.

In one case, called Operation Moonlight Maze, Air Force and Army computer crime investigators early last year tracked the attacks to an Internet service provider in Russia. But the trail went cold.

"ISPs dump records in 30 days," said J. W. Gee, commander of the Army's field investigative unit. "It's difficult to get the type of cooperation you need from these administrators in a matter of weeks. But that's what's needed to trace the linkage back. Unfortunately, hackers know this."

It's even worse in the private sector because corporate investigators lack the authority to conduct searches outside their own corporate borders.

"The hardest part is the human factor," said Curt Bryson, formerly an Air Force OSI counterintelligence and forensics expert. He's now a private-sector trainer in computer forensics at New Technologies Inc., a security consulting and training firm in Gresham, Ore. "You need to talk to the other administrator, who has privacy issues and is afraid to talk because of his or her legal department."

Bryson learned it's best to address the administrator's concerns and try to strike some middle ground. Maybe the investigator doesn't need the perpetrator's e-mail address; confirming that the IP address came through that server may be enough, he said.

Cases like these also call for an unprecedented level of multiagency cooperation, according to Matt Parsons, chief of computer investigations operations at the Naval Criminal Investigative Service (NCIS) in Washington.

"We've come a long way in information sharing," he said. "If the trail leads to another military site, we call those administrators. If it leads beyond military servers and into a private or college site, we call the FBI. And if it comes from a Navy box in Australia, we pick up the phone and call our counterparts in Australia, the Australian National Police. We can also call other agencies."

Reporting the Problem

A centralized reporting database at the National Infrastructure Protection Center (NIPC), which is managed by the FBI, helps investigators sort through cases and minimize redundant investigations. Through the NIPC, law enforcement agents can check for similar attack patterns as reports of incidents flow in from authorities and the private sector.

Similar attacks against businesses and private-sector organizations have also been rising for the past three years, according to reports by the American Society for Industrial Security (ASIS) in Alexandria, Va., and the Computer Security Institute in San Francisco. According to ASIS, Fortune 1,000 companies last year lost more than $45 billion in intellectual property theft, mostly through their computer systems.

Private-sector reporting is also on the rise. According to the Computer Security Institute's 1999 Computer Crime and Security Survey, reporting rose from 37% in 1996 to 57% last year.

Because the best way to entice law enforcement to act is to present it with solid evidence (specifically log files that provide an evidence trail of the attacker's illegal activities), such investigative techniques will eventually be essential in the private sector, said Capt. John Jarrett, computer crime investigator for the city police department of Show Low, Ariz.

Vendors are taking notice of this need. In fact, some vendors, like Recourse Technologies Inc. in Palo Alto, Calif., and Network Ice Corp. in San Mateo, Calif., are beginning to market "response" tools that automate much of the process Koref did manually.

Peter van de Gohm, director of information asset protection at Enron Energy Services, an unregulated division of the $48 billion energy company Enron Inc. in Houston, said such investigative work is "definitely needed in the corporate sector." For example, such skills could track and contain incidents within global corporate networks.

"You may have a virus that first manifests itself in, say, your Australian office. The only way to stop revenue and data loss is to isolate the virus and make sure you get every infected machine," said van de Gohm, who was formerly with the Air Force's security police and was responsible for intellectual property protection for the Air Force's next-generation strike fighter aircraft program. "You also need to do this post-mortem to establish the facts. You need to know why your countermeasures didn't work so you can repair them."

Skills in Action

In December, Conxion engineers used such skills to deflect a denial-of-service attack against two World Trade Organization (WTO) servers housed at Conxion. Between Nov. 30 and Dec. 3, the Electrohippies tried to flood the WTO servers with traffic and take them off-line. Conxion tracked the IP address back to the Electrohippies site, deflected the attacks and redirected the traffic back to the Electrohippies site, which was overloaded.

Jarrett said he would like to see more organizations get involved in actively protecting their own assets.

"I'd really actually hope people get tired of things and take a stand," he said.

Gathering your own evidence could also limit liability in the private sector. For example, if an organization is hacked and used as a launch point, it would need to prove the attack originated elsewhere. The same goes for illegal images of child pornography secretly stored on corporate servers.

Although they can't talk about them, military computer-crime investigators say more new cases are moving toward prosecution, thanks to such cybersleuthing techniques.

"With the right skill in reading audit logs and tracing packets back to where they came from, you could head off a lot of problems," Koref said.

Radcliff is a Computerworld contributing writer in Northern California. Contact her at

Copyright © 2000 IDG Communications, Inc.
