Federal Bureau of Investigation. Los Angeles Field Office Computer Crime Squad

Transcription

1 Federal Bureau of Investigation Los Angeles Field Office Computer Crime Squad

2 Overview FBI and Infrastructure Protection Cyber Crime Cases Cyber Law What to do

3 Infrastructure Protection: Traditional Threat Paradigm Classic Military Threat Foreign Military Antagonist United States Armed Forces

4 The New Cyberspace: Critical Infrastructures Infrastructure Protection: A New Threat Paradigm The New Threats: Anybody

5 FBI Cyber History National Computer Crime Squad» Washington D.C.» Later: New York and San Francisco, then others» Computer Analysis Response Team (CART) Computer Investigations and Infrastructure Protection Center Regional CITA Squads created. National Infrastructure Protection Center (NIPC) created.» Supporting the PCCIP

6 National Infrastructure Protection Center Mission Manage FBI computer intrusion investigations program Detect, deter, assess, warn of, investigate, and respond to attacks on critical infrastructures Fully support the FBI s law enforcement, counterterrorism, and foreign counterintelligence missions Support other agencies and state & local governments involved in infrastructure protection

7 Additional NIPC Roles Share, analyze, and disseminate information Provide training for federal, state and local cyber investigators, and private sector entities involved in the infrastructure protection Clearinghouse for technological developments 24/7 watch and warning capability Support National Security Authorities in acts of terrorism or foreign attacks on U.S. interests

8 Who are today s Cyber Bandits? Hackers (recreational & professional) Cyber Terrorists Intelligence Officers Information Brokers Competitors Insiders

9 Likely Sources of Attack Foreign Government Foreign Corporation Independent Hackers U.S. Competitors Disgruntled Employees

10 Source: Information Week magazine annual security survey, July 12, 1999 Computer Crime Surveys

11 Source: Information Week magazine annual security survey, July 12, 1999 Computer Crime Surveys

12 1999 CSI / FBI Computer Crime Survey 30% reported intrusions from outsiders 55% reported unauthorized access by insiders Total losses exceeded $100 million Dramatic increase in respondents reporting serious incidents to law enforcement (32% from 17% in 1998) Increased use of digital IDs and intrusion detection systems

13 Cases Citibank hack by Vladimir Levin Cyber Terrorism by Mafiaboy Kevin Mitnick The Analyzer Web Page Hacks

14 FBI Case Briefing Vladimir Levin/Citibank Group of Russian hackers led by Vladimir Levin, a 24-year year-old computer expert Targeted Citibank s cash management system by compromising passwords to impersonate account holders Attempted 40 transfers to offshore accounts totaling $10 million, with actual losses of $400,000 2 arrested in U.S., 1 in Israel, and 1 in the Netherlands Levin sentenced to 36 months and ordered to pay restitution

15 FBI Case Briefing MAFIABOY - Feb 2000 DDOS On Feb. 8, 2000, EBAY, ETRADE, CNN.COM, YAHOO!, BUY.COM were subjected to a DDOS Highest Profile DDOS resulting in lost ad sales & interruption costs of several million dollars DDOS conducted from several business, individual & universities computer networks on the Internet FBI Los Angeles identified Michael Calce and provided info to RCMP who obtained voice & data intercepts

16 FBI Case Briefing Tamil Tigers In June, 1997 Tamil Tigers terrorist group hacked into Sheffield University, UK computer network Aim was to spread propaganda and conduct an illegal fund raising scheme via the Internet Terrorists spoofed authorized accounts to carry out the fraudulent fund raising scheme Also launched denial of service attacks against Sri Lanka government systems

17 FBI Case Briefing Kevin Mitnick - Pled guilty March Sentenced to 54 months, 5 years probation, fined $4,125 - $1.5 Million loss to Nokia, Novell, Motorola, Fujitsu, Sun, et. al. - Social engineering - Cult following to Free Kevin - Will be released 1/21/00

18 FBI Case Briefing Handle: Analyzer Name: Hack: Ehud Tenebaum Series of intrusions to U.S. Department of Defense computers from multiple locations.

19 CIA Web Page Hacks

20 DOJ Web Page Hacks

21 Web Page Hacks New York Times plus many more

22 Cyber Law Federal Criminal Statutes Specific Federal Cyber Laws California Penal Code Section 502

23 Possible Federal Violations 18 USC 641 Embezzlement and Theft of Public Money, Property or Records 18 USC 659 Interstate or Foreign Shipments by Carriers 18 USC 793 Gathering, Transmitting, or Losing Defense Information 18 USC 794 Gathering/delivering Defense info to Aid Foreign Government 18 USC 1001 False Statements 18 USC 1029 Fraud and related activity in connection with access devices 18 USC 1030 Computer Fraud and Abuse Act of USC 1366 Destruction of an Energy Facility 18 USC 1343 Fraud by wire, radio, or television 18 USC 1361 Malicious Mischief 18 USC 1831 Economic Espionage Act of USC 2071 Records and Reports: Concealment, removal, or mutilation 18 USC 2155 Sabotage: Destruction of national defense material, national defense premises, or national defense utilities 18 USC 2314 Interstate Transportation of Stolen Property 18 USC 2511 Interception and Disclosure of Wire, Oral, or Electronic Communications

24 Specific Federal Cyber Laws 18 U.S.C Computer Fraud and Abuse 18 U.S.C Economic Espionage 18 U.S.C Industrial Espionage (Theft of Trade Secrets) 18 U.S.C Access Device 18 U.S.C Fraud By Wire No Electronic Theft (NET) Act (strengthening 17 USC 506 and 18 USC 2319)

25 On-Line Resources Federal Bureau of Investigation U.S. Department of Justice Computer Crime and Intellectual Property Section

26 You ve just been hacked. What should you do? What should you NOT do?

27 What You Should Do If Attacked? Notify corporate security, legal counsel, and law enforcement. Activate your incident management team. Created PRIOR to any incident One person in charge One person responsible for evidence. Keep a chronological log of events - record everything your team does.

28 What To Do (continued) Activate all available audit trails & logging. Begin keystroke monitoring (if acceptable). Identify and recover available evidence. System log files, system images, altered/damaged files, intruders files, network logs (routers, SNMP, etc.), traditional evidence. Secure evidence and maintain simple chain-ofcustody records.

29 What To Do (continued) Identify source(s) of the attack. Record specific damages and losses. Prepare for repeat attacks. Theorize - nobody knows your system better than you. Determine how the intrusion happened. Identify possible subjects and motives. Be patient with law enforcement.

30 What NOT To Do Do NOT use the compromised systems before preserving any evidence. Do not make assumptions as to Federal jurisdiction or prosecutorial merit. Do not assume that by ignoring the incident, or damage to your files, that it will go away. Do not correspond via on a compromised network regarding the incident or the investigation.

31 What to Expect if you call the FBI Interview staff and obtain evidence Obtain prosecutive opinion Trace the attack (subpoenas, 2703(d) orders, sources) Identify the subject(s) Obtain/execute search warrants, interview subjects Examine evidence, identify more victims, develop more leads Obtain Federal Grand Jury Indictment Arrest

32 What to Expect if you call the FBI Possible plea bargaining Possible trial Sentencing (if convicted) These steps do NOT occur quickly!

33 Questions? Special Agent Ken McGuire Contact Information: Federal Bureau of Investigation Los Angeles Field Office Computer Crime Squad (Squad WCC-3) Wilshire Blvd., Suite 1700 Los Angeles, California Main telephone number: (310)