A visit from the FBI
We come in Peace
Well, it finally happened. Right before Christmas, I had a little visit from the FBI, writes SecurityFocus columnist Scott Granneman. That's right: an agent from the Federal Bureau of Investigation came to see me. He had some things he wanted to talk about. He stayed a couple of hours, and then went on his way. Hopefully he got what he wanted. I know I did.
Let me explain. I teach technology classes at Washington University in St. Louis, a fact that I mentioned in a column from 22 October 2003 titled, "Joe Average User Is In Trouble". In that column, I talked about the fact that most ordinary computer users have no idea about what security means. They don't practice secure computing because they don't understand what that means. After that column came out, I received a lot of email. One of those emails was from Dave Thomas, former chief of computer intrusion investigations at FBI headquarters, and current Assistant Special Agent in Charge of the St. Louis Division of the FBI.
Dave had this to say: "I have spent a considerable amount in the computer underground and have seen many ways in which clever individuals trick unsuspecting users. I don't think most people have a clue just how bad things are." He then offered to come speak to my students about his experiences.
I did what I think most people would do: I emailed Dave back immediately and we set up a date for his visit to my class.
It's not every day that I have an FBI agent who's also a computer security expert come speak to my class, so I invited other students and friends to come hear him speak. On the night of Dave's talk, we had a nice cross-section of students, friends, and associates in the desks of my room, several of them "computer people," most not.
Dave arrived and set his laptop up, an IBM ThinkPad A31. He didn't connect to the Internet - too dangerous, and against regulations, if I recall - but instead ran his presentation software using movies and videos where others would have actually gone online to demonstrate their points. While he was getting everything ready, I took a look at the first FBI agent I could remember meeting in person.
Dave is from Tennessee, and you can tell. He's got a southern twang to his voice that disarms his listeners. He talks slowly, slightly drawling his vowels, and it sort of takes you in, making you think he's not really paying attention, and then you realize that he knows exactly what he's doing, and that he's miles ahead of you. He wears a tie, but his suit is ready to wear and just a bit wrinkled. His dark hair is longer than you'd think, hanging below his collar, further accentuating the country-boy image, but remember, this country boy knows his stuff. All in all, he gives off the air of someone who's busy as heck, too busy to worry about appearances, and someone who's seen a lot of things in his time.
A-cracking we will go
Dave focused most of his talk on the threats that ordinary computer users face: what those threats are, who's behind them, and why they exist. He spent quite a bit of time talking about the intersection of Trojans and viruses. He started by showing us how easy it is to create a virus, using one of several virus creation wizards that can be easily found on the Net (of course, real men and women write their own).
More and more, however, the viruses circulating on the Internet are quite purposeful in design. The goal is to install a Trojan on the unsuspecting user's machine that will then allow the bad guy to control the machine from afar, turning it into a Zombie machine under the control of another. All too often, this tactic is successful. Hundreds of thousands if not millions of machines are "owned" by someone other that the user sitting in front of the keyboard and monitor.
These Trojans are often the ones that security pros have been watching for years: "SubSeven, Back Orifice, and NetBus. A lot of the time, script kiddies are the ones behind these Trojans, and they do the usual stuff once they have control of a user's PC: grab passwords, use groups of machines to organized DDOS attacks (often against other script kiddies), and jump from machine to machine to machine in order to hide their tracks.
What surprised me, however, were how often Trojans are used to mess with the heads of the poor unsuspecting suckers who own the zombie machines. A favorite trick is to surreptitiously turn on the Webcam of an owned computer in order to watch the dupe at work, or watch what he's typing on screen. This part isn't surprising. But Dave had countless screenshots, captured from impounded machines or acquired online from hacker hangouts, where the script kiddie, after watching for a while, just can't help himself any longer, and starts to insult or mock or screw with the duped owner.
In one, a hacker sent a WinPopup message to a fellow: "Hey, put your shirt back on! And why are you using a computer when there's a girl on your bed!" Sure enough, the camera had captured a guy using his computer, sans shirt, and in the background you could clearly see a young woman stretched out on a bed.
In another, a man was working a crossword puzzle online when the hacker helpfully suggested a word for 14 Down (I think it was "careless"), again using WinPopup. In a third, a screenshot captured the utterly shocked expression on a man's face - mouth agape, eyes open wide in amazement - when his computer began insulting him using, you guessed it, WinPopup.
This is bad enough and it's also cruelly funny, but the scary part came in when Dave started talking about the other group behind the explosion of viruses and Trojans: Eastern European hackers, backed by organized crime, such as the Russian mafia. In other words, the professionals.
These people are after one thing: money. The easiest way to illegally acquire money now is through the use of online tools like Trojans, or through phishing: set up a fake Web site for PayPal or eBay or Amazon, and then convince the naíve to enter their usernames, passwords, and credit card information. Viruses and spam also intersect in this nasty spiderweb. Viruses help spread Trojans, and Trojans are used to turn unsuspecting users' computers into spam factories, or hosts for phishing expeditions, and thus furthering the spread of all the elements in this process: viruses, Trojans, spam, and phishing. It's a vicious cycle, and unfortunately, it appears to be getting worse. The FBI is working as hard as it can, but the nations of Eastern Europe are somewhat powerless to solve the problem at this time.
One way to trace just how bad the situation has gotten: track the price for a million credit card numbers. Just a few years ago, Dave saw prices of $100 or more for a million stolen credit card numbers. Now? Pennies. Stealing credit cards is so easy, and so rampant, that prices have dropped precipitously, in a grotesque parody of capitalist supply and demand.
Along with this comes intrusions into banks and other financial institutions. Dave wouldn't name names, but he said several organizations that we would all know have been infiltrated electronically by Eastern Europeans, who then grab customer data. A few days later, the unsuspecting president of the bank gets an email demanding $50,000, or else the media will be told of the break-in. Of course, the break-in is news to the bank. As proof of their exploit, a spreadsheet is attached to the email, with a few hundred rows of client data: bank account numbers, home addreses, balances.
Unfortunately, many banks decide to keep it all a secret from their customers, so they reluctantly decide to go ahead and pay the extortion. $50,000 goes to the criminals, and the bank breathes a sigh of relief.
Three days later, ten emails arrive, from ten different criminal organizations, each demanding $25,000. Ooops. Far from buying protection, the bank revealed itself as a easy mark, amenable to blackmail. And it will only get worse. Time to call in the FBI, as it should have done from the beginning.
American companies have tried to respond to the massive fraud being perpetrated online. One common preventive, adopted by most companies that sell products online, has been to refuse shipments outside of North America, or allow international shipping, except for Eastern Europe. Criminals have figured out a way around this, however. They hire folks to act as middlemen for them. Basically, these people get paid to sit at home, sign for packages from Dell, Amazon, and other companies, and then turn around and reship the packages to Russia, Belorussia, and Ukraine. You know those signs you see on telephone poles that read "Make money! Work at home!"? A lot of that "work" is actually laundering products for the Russian mob. Of course, anyone caught acting as a middleman denies knowledge of their employer: "I had no idea why I was shipping 25 Dell computers a day to Minsk! I just assumed they liked computers!"
Proof once again that social engineering, coupled with greed, is the easiest way to subvert any security.
Dave had some surprises up his sleeve as well. You'll remember that I said he was using a ThinkPad (running Windows!). I asked him about that, and he told us that many of the computer security folks back at FBI HQ use Macs running OS X, since those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box. In the field, however, they don't have as much money to spend, so they have to stretch their dollars by buying WinTel-based hardware. Are you listening, Apple? The FBI wants to buy your stuff. Talk to them!
Dave also had a great quotation for us: "If you're a bad guy and you want to frustrate law enforcement, use a Mac." Basically, police and government agencies know what to do with seized Windows machines. They can recover whatever information they want, with tools that they've used countless times. The same holds true, but to a lesser degree, for Unix-based machines. But Macs evidently stymie most law enforcement personnel. They just don't know how to recover data on them. So what do they do? By and large, law enforcement personnel in American end up sending impounded Macs needing data recovery to the acknowledged North American Mac experts: the Royal Canadian Mounted Police. Evidently the Mounties have built up a knowledge and technique for Mac forensics that is second to none.
(I hope I'm not helping increase the number of sales Apple has to drug traffickers.)
The biggest surprise was how approachable and helpful Dave was to everyone in the room. According to Dave, the FBI has really made reaching out to the local communities it's in more of a priority. Since the September 11th attacks, the FBI has shifted its number one focus to preventing terrorism, but the number two priority remains preventing and capturing crimes based around technology. In order to best achieve both goals, the FBI has been working hard to reach out to American citizens, and Dave's talk to my class was part of that effort.
I'm a civil libertarian at heart, and that brings with it an innate mistrust of governmental authority - power corrupts, after all. But I'm glad people like Dave Thomas are in the FBI. He's a good man, and he has a good understanding not just of technology, but also of the complexities of the moral and ethical issues surrounding technology in our society today. He did a great job enlightening my students, and he really made the FBI sound like a pretty cool environment for people interested in pursuing security as a career. My advice: call your local FBI and see if they won't come visit your class, or Users Group, or club. I guarantee you'll learn something.
Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.