The Cyber-Mod Squad Sets Out After Crackers

The Secret Service's Electronic Crimes Task Force does battle against a growing army of IT criminals

NEW YORK

March 19. Internet Trading Technologies Inc. (ITTI) takes the first of a series of crippling denial-of-service shots to its online trading systems. Just as technologists block the offending incoming IP address, the company gets slammed again from another IP address.


Inside the ECTF

Who: The New York-area Electronic Crimes Task Force

Headed by: The U.S. Secret Service, part of the U.S. Department of Treasury

Charter: Above and beyond its charter to protect the Treasury and the president, the Secret Service has authority to investigate any criminal acts under Title 18, Section 1029, of the U.S. Criminal Code, covering "fraud and related activity in connection with access devices," and Section 1030, covering "fraud and related activity in connection with computers."

Reference: Cornell Web site

New York-based ITTI's information security consultant places a call to Bob Weaver, operations manager of the New York-area Electronic Crimes Task Force (ECTF), a 240-strong cyber-Mod Squad that's trained for operations like these. The next morning, Weaver's team of three sets up a war room at ITTI's data centers. They analyze and trace the offending IP traffic while calling telephone companies for traces on the lines and simultaneously faxing subpoenas.

"Have you ever seen a movie with a kidnap scene - agents sitting around monitoring equipment and phones? It's that type of setting you now have in the corporate sector," says Ed Stroz, founding president of New York-based security consulting firm Stroz and Associates. Stroz called the ECTF on behalf of ITTI.

Four hours later, they nab their man. Abdelkader Smires, formerly ITTI's chief programmer, is still at the keyboard when they catch him at a New York college where he taught night classes. Now Smires, who pleaded guilty to charges of computer fraud and misuse in the Eastern District Court of New York, awaits sentencing.

Just another example of the private/public partnership for which the ECTF is becoming known.

The 5-year-old ECTF focuses primarily on the New York area, but its network is expanding to include the Washington area. The ECTF, a sort of central cybercrime clearinghouse for all arms of local, state and national law enforcement, is headed by the New York office of the U.S. Secret Service and boasts a membership of 180 top federal and local law enforcement agencies and prosecutors.

While the ECTF is careful to guard its top-secret data, it also welcomes new members to its network, which consists of about 60 companies from the private sector, mostly from the telecommunications, banking/finance and vendor/services communities.

For these private-sector groups - which are either handpicked by the ECTF or turn to the organization after falling victim to crackers - the ECTF has become the most important single point of contact and resources in the law enforcement community. It's a place to coordinate efforts, share information, review cases and learn from other investigations. It's also a way to get better and faster assistance from law enforcement when their technology is under attack.

How the Partnership Benefits the ECTF

Since its formation, the ECTF has put away large drug cartels, organized crime groups and individual crackers like Smires. The ECTF set the precedent for e-mail wiretapping, arrested 44 members of the John Gotti Jr. crime group for telecommunications fraud and tracked satellite interceptors of New York police car computer transmissions. In all, the ECTF is responsible for 788 arrests, the recovery of more than 2,000 cloned cell phones and the resolution of more than 2,100 identity thefts, all with a measly budget of $100,000, which even Weaver calls embarrassing.

But if it weren't for the assistance of those hand-selected members from the private sector, the ECTF wouldn't have nearly so much to brag about, according to Weaver, senior Secret Service special agent and point man for the ECTF.

"From the very first day we started, we worked with industry," he says. "We started with the telecommunications service providers and moved forward from there."

Weaver is the first to acknowledge that law enforcement is hog-tied by a lack of technically seasoned investigators. The Secret Service employs 125 special agents nationwide - eight of whom work out of the New York field office - who are trained in computer forensics techniques. Even though the ECTF also includes more than 100 cyberinvestigators from various law enforcement agencies, including state and local police, the Drug Enforcement Agency, the U.S. Customs Service, the FBI and others, there are exponentially more criminals learning new ways to beat, cheat and exploit electronic systems.

So the ECTF surrounds itself with some of the best people in technology, which means joining forces with the private sector.

"When it comes to technology, we don't have the expertise, the right tools or the people with the right type of knowledge to work some of these cases. The private sector can give us that," says Mick Chandrani, special agent in charge of the New York Secret Service field office.

Along with technical expertise, members of the private sector make great informants.

"Our investigative ability is only as good as our information," says Bill DeArmond, a senior special agent at the Customs Service. "The private sector is an information resource, so this is the best way to cultivate information."

Perhaps the most important perspective the private sector can bring to law enforcement is a look at the bigger picture. For example, two years ago, telephone companies in the New York area started seeing huge spikes in fraudulent calling-card charges. When the fraud investigators from a half-dozen of these competing telephone companies got together, they realized they were facing an organized crime ring, which was stealing calling-card numbers and personal identification numbers (PIN) from travelers at Chicago O'Hare International Airport. In this case, a suspect from the ring recorded calling-card numbers and PINs as business travelers keyed them into phones at Chicago O'Hare, then sold them to various ethnic crime rings, which were peddling them on the streets of New York and back in their home countries.

"Once we realized we had a suspect and losses, we went to the Secret Service in New York and said, 'We've got a problem,' " says "Ralph," a fraud investigator at AT&T Corp. who asked that his real name not be used because the organized criminals in these cases are dangerous. "The Secret Service may not have known this guy was from an organized crime group, had they arrested him without our input."

What's in It for the Private Sector?

Benefits to law enforcement from such a partnership are pretty obvious - information, investigative assistance and even some free services and software. In turn, the private sector has much to gain.

"Intelligence gathering is important so that we can provide timely protection to threats and viruses," explains Dennis Batchelder, vice president of research and development at Computer Associates International Inc., an Islandia, N.Y.-based security software vendor. "The ECTF helps us know more about countermeasures and gives us access to better intelligence."

As Weaver puts it, reviewing these cases gives corporate executives a "peek under the hood" at how criminals abuse technologies, letting them better protect corporate assets and understand scams.

Indeed, this is why some 60 members of the private sector attended a filled-to-capacity ECTF operational meeting last month at the Secret Service field office in New York's World Trade Center.

"The Secret Service has taken a prominent role in financial crimes, credit-card and ID theft, all of which are stored within our secured systems. In talking to the Secret Service, we're developing a working knowledge of exposures," says James McCarthy, vice president of anti-money laundering at Citibank, a subsidiary of New York-based Citigroup Inc.

By joining the ECTF, companies are also developing a relationship with law enforcement that reaps better, faster response when they decide to prosecute.

"The ECTF offers opportunities for private industry to voice their opinion in what cases should be brought to law enforcement. In fact, we're hoping to develop a video-signal theft case and approach Bob Weaver with it," says Andrew Brogan, senior staff supervisor of antipiracy operations at the Motion Picture Association of America Inc. in New York.

Ralph adds that the ECTF is also a conduit to other state and local jurisdictions. Since most electronic crimes cross multiple jurisdictions, this means less confusion in processing cases.

"Before the ECTF, we would have to knock on the doors of each prosecutor in each city, state and region involved," he explains. "Now we route our cases through the task force, which, with its contacts, reaches out to other task-force members outside the state and local jurisdiction."

And because of its relationship with the ECTF, AT&T also knows where it can make up for some of law enforcement's shortcomings. For example, AT&T Laboratories can break encryption faster than law enforcement agencies can. So when investigators needed to decrypt thousands of stolen calling cards in the O'Hare case, that portion of the investigation was carried out by AT&T Labs.

Still, companies are understandably hesitant to get involved with law enforcement, let alone to prosecute cases. Weaver says there are a number of reasons companies prefer not to prosecute. But mainly, he says, companies working with the ECTF often don't want the negative publicity, nor do they want their corporate information released to the public.

But since their involvement with the ECTF is voluntary, private-sector investigators and executives say they're not really worried about privacy issues or unwanted attention from law enforcement. In fact, Weaver says, in most cases it's better to send a public message that such crimes won't be tolerated by companies or the government.

"It's true that many companies fear letting us into their computers. But in this particular case, ITTI knew that they'd be out of business if the attack continued for any length of time," Weaver says. "They wanted to protect their clients, and they wanted to send a signal to the industry that hacks on Wall Street will not be tolerated."

Stroz, who made the decision to call the ECTF during the attack on ITTI's servers, says the company suffered very little image fallout from the attack, even though some of its customers couldn't trade for the three days the machines were under attack.

"When ITTI management was faced with the decision to call the ECTF, we were already in crisis management, which by its nature is emotional decision-making," Stroz says. "They were worried about their image. But once the apprehension occurred so quickly, the company could deal with the natural publicity that comes from arresting someone and say, 'Yes, this is our company. We were happy to see them apprehended, and we will not put up with this. And we don't think anybody else should.' "

Copyright © 2000 IDG Communications, Inc.

  