Federal Bureau of Investigation Los Angeles Field Office Computer Crime Squad
Overview: FBI and Infrastructure Protection; Cyber Crime Cases; Cyber Law; What to do
Infrastructure Protection: Traditional Threat Paradigm. The classic military threat: a foreign military antagonist against the United States Armed Forces.
The New Cyberspace: Critical Infrastructures. Infrastructure Protection: A New Threat Paradigm. The new threats come from anybody.
FBI Cyber History
- 1992: National Computer Crime Squad, Washington D.C. (later New York and San Francisco, then others); Computer Analysis Response Team (CART)
- 1996: Computer Investigations and Infrastructure Protection Center; regional CITA squads created
- 1998: National Infrastructure Protection Center (NIPC) created, supporting the PCCIP
National Infrastructure Protection Center Mission
- Manage the FBI computer intrusion investigations program
- Detect, deter, assess, warn of, investigate, and respond to attacks on critical infrastructures
- Fully support the FBI's law enforcement, counterterrorism, and foreign counterintelligence missions
- Support other agencies and state and local governments involved in infrastructure protection
Additional NIPC Roles
- Share, analyze, and disseminate information
- Provide training for federal, state and local cyber investigators, and for private sector entities involved in infrastructure protection
- Clearinghouse for technological developments
- 24/7 watch and warning capability (nipc@fbi.gov)
- Support National Security Authorities in acts of terrorism or foreign attacks on U.S. interests
Who are today's Cyber Bandits? Hackers (recreational and professional), cyber terrorists, intelligence officers, information brokers, competitors, insiders.
Likely Sources of Attack (bar chart, percent of respondents): Foreign Government, Foreign Corporation, Independent Hackers, U.S. Competitors, Disgruntled Employees. The bar values 89, 72, 48, 29 and 21 survive the extraction, but which value belongs to which category does not.
Source: Information Week magazine annual security survey, July 12, 1999 Computer Crime Surveys
1999 CSI / FBI Computer Crime Survey
- 30% reported intrusions from outsiders
- 55% reported unauthorized access by insiders
- Total losses exceeded $100 million
- Dramatic increase in respondents reporting serious incidents to law enforcement (32%, up from 17% in 1998)
- Increased use of digital IDs and intrusion detection systems
Cases: Citibank hack by Vladimir Levin; Mafiaboy; Cyber Terrorism (Tamil Tigers); Kevin Mitnick; The Analyzer; Web Page Hacks
FBI Case Briefing: Vladimir Levin / Citibank. A group of Russian hackers led by Vladimir Levin, a 24-year-old computer expert, targeted Citibank's cash management system by compromising passwords to impersonate account holders. They attempted 40 transfers to offshore accounts totaling $10 million; actual losses were $400,000. Two were arrested in the U.S., one in Israel, and one in the Netherlands. Levin was sentenced to 36 months and ordered to pay restitution.
FBI Case Briefing: MAFIABOY, February 2000 DDoS. On Feb. 8, 2000, EBAY, ETRADE, CNN.COM, YAHOO! and BUY.COM were subjected to a distributed denial of service (DDoS) attack, the highest-profile DDoS to date, resulting in lost ad sales and interruption costs of several million dollars. The attack was launched from compromised hosts on several business, individual and university networks across the Internet. FBI Los Angeles identified Michael Calce and provided the information to the RCMP, who obtained voice and data intercepts.
FBI Case Briefing: Tamil Tigers. In June 1997 the Tamil Tigers terrorist group hacked into the Sheffield University (UK) computer network. The aim was to spread propaganda and conduct an illegal fund-raising scheme via the Internet: the group spoofed authorized accounts to carry out the fraudulent fund raising. It also launched denial of service attacks against Sri Lankan government systems.
FBI Case Briefing: Kevin Mitnick
- Pled guilty March 1999
- Sentenced to 54 months, 5 years probation, fined $4,125
- $1.5 million loss to Nokia, Novell, Motorola, Fujitsu, Sun, et al.
- Social engineering
- Cult following ("Free Kevin")
- Will be released 1/21/00
FBI Case Briefing: Handle: Analyzer. Name: Ehud Tenebaum. Hack: a series of intrusions into U.S. Department of Defense computers from multiple locations.
Web Page Hacks: CIA, DOJ, New York Times, plus many more.
Cyber Law: Federal Criminal Statutes; Specific Federal Cyber Laws; California Penal Code Section 502
Possible Federal Violations
- 18 USC 641: Embezzlement and Theft of Public Money, Property or Records
- 18 USC 659: Interstate or Foreign Shipments by Carriers
- 18 USC 793: Gathering, Transmitting, or Losing Defense Information
- 18 USC 794: Gathering/Delivering Defense Information to Aid a Foreign Government
- 18 USC 1001: False Statements
- 18 USC 1029: Fraud and Related Activity in Connection with Access Devices
- 18 USC 1030: Computer Fraud and Abuse Act (1986, as amended in 1996)
- 18 USC 1343: Fraud by Wire, Radio, or Television
- 18 USC 1361: Malicious Mischief
- 18 USC 1366: Destruction of an Energy Facility
- 18 USC 1831: Economic Espionage Act of 1996
- 18 USC 2071: Records and Reports: Concealment, Removal, or Mutilation
- 18 USC 2155: Sabotage: Destruction of National Defense Material, National Defense Premises, or National Defense Utilities
- 18 USC 2314: Interstate Transportation of Stolen Property
- 18 USC 2511: Interception and Disclosure of Wire, Oral, or Electronic Communications
Specific Federal Cyber Laws
- 18 U.S.C. 1030: Computer Fraud and Abuse
- 18 U.S.C. 1831: Economic Espionage
- 18 U.S.C. 1832: Industrial Espionage (Theft of Trade Secrets)
- 18 U.S.C. 1029: Access Device Fraud
- 18 U.S.C. 1343: Fraud by Wire
- No Electronic Theft (NET) Act (strengthening 17 USC 506 and 18 USC 2319)
On-Line Resources
- Federal Bureau of Investigation: http://www.fbi.gov/nipc/index.htm and http://www.nipc.gov
- U.S. Department of Justice, Computer Crime and Intellectual Property Section: http://www.usdoj.gov/criminal/cybercrime
You've just been hacked. What should you do? What should you NOT do?
What You Should Do If Attacked
- Notify corporate security, legal counsel, and law enforcement.
- Activate your incident management team: created PRIOR to any incident, with one person in charge and one person responsible for evidence.
- Keep a chronological log of events; record everything your team does.
What To Do (continued)
- Activate all available audit trails and logging.
- Begin keystroke monitoring (if permitted by law and by your policy).
- Identify and recover available evidence: system log files, system images, altered or damaged files, the intruder's files, network logs (routers, SNMP, etc.), and traditional evidence.
- Secure the evidence and maintain simple chain-of-custody records.
What To Do (continued)
- Identify the source(s) of the attack.
- Record specific damages and losses.
- Prepare for repeat attacks.
- Theorize: nobody knows your system better than you. Determine how the intrusion happened; identify possible subjects and motives.
- Be patient with law enforcement.
What NOT To Do
- Do NOT use the compromised systems before preserving any evidence.
- Do not make assumptions about Federal jurisdiction or prosecutorial merit.
- Do not assume that by ignoring the incident, or the damage to your files, it will go away.
- Do not correspond via e-mail on a compromised network regarding the incident or the investigation.
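The evidence-handling steps above (recover the evidence, secure it, keep chain-of-custody records and a chronological log) can be made mechanical. The following is an added example, not material from the presentation or the FBI. It fingerprints a directory of collected artefacts with SHA-256, appends custody entries to a log in which each entry carries the hash of the previous one (so a later edit breaks the chain), and re-checks both. It goes one step beyond the slide's "simple" records by making the log tamper-evident. The file names, custodian label, log line and tarball bytes in the walk-through are constructed.

```python
"""Evidence manifest and tamper-evident chain-of-custody log (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a disk image never sits in memory


def hash_file(path: str) -> str:
    """SHA-256 of a file's contents: the fingerprint recorded for each item."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: str) -> dict:
    """Fingerprint every file under evidence_dir -> {relative_path: sha256}."""
    manifest = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, evidence_dir)] = hash_file(full)
    return manifest


def _entry_hash(entry: dict) -> str:
    """Hash of one log entry in canonical JSON form (key order and spacing fixed)."""
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def log_custody(log_path: str, item: str, action: str, custodian: str, sha256: str) -> dict:
    """Append one custody entry. It records the hash of the previous entry, so
    rewriting or deleting an earlier line breaks every link after it."""
    prev = "0" * 64  # genesis value for the first entry
    if os.path.exists(log_path):
        with open(log_path, "r", encoding="utf-8") as f:
            lines = f.read().splitlines()
        if lines:
            prev = _entry_hash(json.loads(lines[-1]))
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "item": item,
        "action": action,          # e.g. "collected", "imaged", "transferred"
        "custodian": custodian,
        "sha256": sha256,
        "prev_entry": prev,
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_log(log_path: str) -> bool:
    """Walk the log and confirm each entry links to the one before it."""
    prev = "0" * 64
    with open(log_path, "r", encoding="utf-8") as f:
        for line in f:
            entry = json.loads(line)
            if entry["prev_entry"] != prev:
                return False
            prev = _entry_hash(entry)
    return True


def verify_evidence(manifest: dict, evidence_dir: str) -> list:
    """Re-hash stored items; return the relative paths that changed or vanished."""
    changed = []
    for rel, expected in manifest.items():
        full = os.path.join(evidence_dir, rel)
        if not os.path.exists(full) or hash_file(full) != expected:
            changed.append(rel)
    return changed


def run_scenario() -> dict:
    """Constructed walk-through on two fake artefacts; returns what each check found."""
    with tempfile.TemporaryDirectory() as d:
        ev = os.path.join(d, "evidence")
        os.makedirs(ev)
        with open(os.path.join(ev, "syslog"), "w") as f:  # constructed log line
            f.write("Feb  8 03:14:07 web01 sshd[412]: Accepted password for root from 10.9.8.7\n")
        with open(os.path.join(ev, "rootkit.tgz"), "wb") as f:  # constructed bytes
            f.write(b"\x1f\x8b\x08\x00not-really-a-tarball")
        manifest = build_manifest(ev)
        log = os.path.join(d, "custody.jsonl")
        for rel, digest in manifest.items():
            log_custody(log, rel, "collected", "analyst-1", digest)
        log_ok_before = verify_log(log)
        intact_before = verify_evidence(manifest, ev)
        # Someone "tidies" the seized syslog copy after collection...
        with open(os.path.join(ev, "syslog"), "a") as f:
            f.write("\n")
        changed = verify_evidence(manifest, ev)
        # ...and quietly rewrites the first custody entry.
        with open(log, "r", encoding="utf-8") as f:
            lines = f.read().splitlines()
        first = json.loads(lines[0])
        first["custodian"] = "unknown"
        lines[0] = json.dumps(first, sort_keys=True)
        with open(log, "w", encoding="utf-8") as f:
            f.write("\n".join(lines) + "\n")
        log_ok_after = verify_log(log)
    return {"items": len(manifest), "log_ok_before": log_ok_before,
            "intact_before": intact_before, "changed_after_tamper": changed,
            "log_ok_after_edit": log_ok_after}


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

The manifest and the custody log should be written to trusted media, never back onto the compromised host, and the hash of the manifest itself belongs in the first custody entry so the two can be cross-checked later. SHA-256 is used here as a present-day choice; the principle is the same whichever hash the team standardises on.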
What to Expect if You Call the FBI
- Interview staff and obtain evidence
- Obtain a prosecutive opinion
- Trace the attack (subpoenas, 2703(d) orders, sources)
- Identify the subject(s)
- Obtain and execute search warrants, interview subjects
- Examine evidence, identify more victims, develop more leads
- Obtain a Federal Grand Jury indictment
- Arrest
- Possible plea bargaining
- Possible trial
- Sentencing (if convicted)
These steps do NOT occur quickly!
Questions? Special Agent Ken McGuire Contact Information: Federal Bureau of Investigation Los Angeles Field Office Computer Crime Squad (Squad WCC-3) 11000 Wilshire Blvd., Suite 1700 Los Angeles, California 90024 email: los.angeles@fbi.gov Main telephone number: (310) 477-6565