21.1 Police: Dragnet or Keystone Kops?

Some state and federal agencies are now very well set up and will investigate and follow through to getting a conviction. Policies and laws regarding computer crime are changing very rapidly with the increase in cracker activity and the rapidly increasing importance of the Web. Contact a variety of law enforcement agencies having jurisdiction until you find those that seem interested in your case.

We have come a long way since The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage of 1989 where a SysAdmin for some UNIX systems at Lawrence Berkeley Labs (that did classified nuclear research) had extreme difficulty in getting anyone to care that a foreign spy was trying to break into classified government systems.


The amount of help varies tremendously between jurisdictions and even between different offices of the same agency, such as the FBI. My rule is to contact "the boys and girls with guns" only if there have been thousands of dollars of damage or more than a few days' worth of cleanup work for the SysAdmin as a result of the intrusion, and only if you have good evidence. Even then, other than scaring the cracker, the odds are against making the cracker's life miserable.

21.1.1 FBI

The FBI now investigates all computer crime involving interstate commerce (which means involving any computer which has received e-mail or other traffic from computers across state boundaries). Based on reported experiences of other SysAdmins, it generally appears that the FBI will conduct a major investigation of ordinary crimes against a commercial or private entity only if there is substantial dollar loss.

This is likely due to limited budgets rather than desire. I suspect that the minimum loss to get their interest can vary between $3,000 and $25,000. Damage thresholds to trigger an investigation are less for cases involving viruses that could become widespread, banks, espionage, and, of course, high-visibility cases. The FBI will be especially interested in attacks on banks, airlines, or U.S. government agencies, or crackers trying to get classified data.

Even within the FBI, different field offices have different policies on what they investigate and differing levels of ability and interest. The policy of the Atlanta, Georgia office seems to be to consider cracker incidents where there has been substantial dollar loss to the victim beyond lost time of its employees. The author is aware of a case where the FBI's Atlanta office investigated the theft of a laptop computer containing proprietary data, even though the hardware was not especially valuable.

Understand that the FBI's job is to collect information for the U.S. Justice Department to get convictions. At the start of a federal case, the FBI will discuss the case with Justice and will continue only if Justice believes a prosecution and conviction are possible. Just as a salesman is judged on sales and an engineer is judged on completed projects, the FBI and Justice Department people are rated by their convictions.

Recently, a client of mine received an unexpected visit from an FBI Special Agent out of the Atlanta office. It seems that one of their other consultants, whom I shall call Professor Moriarty, had a copy of a virus that was traced to damage at a university. Moriarty claimed that he had it only "for study," including the source. Because he previously had extorted money from my client to release notes he already had billed it to write, I suspect his plans included more than just study.

Out of every 50 complaints of computer crime (other than simple theft of hardware) by private industry, only one got as far as suspects being found and prosecuted. Certainly, not all of these prosecutions led to convictions.[a]


[a] This statistic is for 1998 and is the most recent year that the U.S. Justice Department has figures for. Reported in isn@securityfocus.com, April 6, 2000, from The Associated Press Special to CNET News.com April 6, 2000.

This same article states that the average cost of investigating an intrusion, repairing, and securing the system is $1 million, according to a study by the FBI and the Computer Security Institute.

People are aware that most U.S. states and many countries outside the U.S. have laws against stealing trade secrets. Many are not aware of the U.S. Economic Espionage Act of 1996. This law made theft of trade secrets a federal crime. For some reason this law has been used very rarely. However, it was used for the first time in Silicon Valley in 2000 to bring a federal indictment against Say Lye Ow for allegedly stealing trade secrets from Intel regarding Intel's upcoming 64-bit microprocessor chip, developed so that Intel could compete against Sun, HP, and IBM.[1]

[1] Reported by the San Jose Mercury News on March 30, 2000. Silicon Valley is fortunate to have such a fine newspaper.

The phone number of your local FBI office may be obtained from Telephone Information for the nearest large city. Local FBI contact information may be downloaded from

www.fbi.gov/contact/fo/fo.htm

The FBI's main number is +1 202-324-3000.

21.1.2 U.S. Secret Service

Do not forget that there are other federal agencies that might have jurisdiction. The U.S. Secret Service will investigate computer intrusions involving credit card fraud or illegally publishing or telling credit card numbers. Also, they investigate cases of "access device fraud." This includes fraudulent use of passwords relating to online banking and online purchasing.

When I called the main number in Washington, D.C. while conducting research for this book, I got switched around between at least half a dozen people, was given phone numbers that were disconnected, and finally after a half hour's worth of long distance calls, I ended up in a Public Affairs agent's voice mailbox. Along the way, it was explained several times that the agency has a "One Voice Policy" which means that most employees are not allowed to be interviewed. Although I found this rather frustrating, if your organization hosts e-commerce and you have suffered a major theft of customers' credit card numbers, you may want to contact them.

The Secret Service's main telephone number is +1 202-406-5800 and their Financial Crimes Division phone number is +1 202-406-5850. Their Web site is listed here and contains links to telephone numbers for their many field offices. Understand that their main responsibility is protecting the U.S. President and fighting currency counterfeiting.

www.treas.gov/usss/

However, I am happy to say that the Atlanta field office was a model of efficiency. The agent that answered the phone was very helpful and knowledgeable. The agent explained that the minimum loss that will be investigated varies by jurisdiction, from $50,000 to $100,000 in large jurisdictions such as Atlanta, to perhaps $10,000 for smaller jurisdictions. Clearly, your personal credit card or mine will "max out" before reaching this threshold, but an e-commerce site that suffers a large theft of credit card data should contact the Secret Service. They have joint responsibility with the FBI for investigating financial crimes.

21.1.3 Other Federal Agencies

If military computers are involved, contact the controlling military branch. Yes, the Army, Navy, Air Force, Marines, and Coast Guard all have separate Military Police agencies. The CIA has jurisdiction if someone located outside the United States attempts to get at U.S. confidential data. The NSA has a special branch involved with helping other organizations, principally those that are a part of the U.S. government civilian agencies and the U.S. military, keep their computers secure. They might be interested in cases involving these computers. In some cases, the Bureau of Alcohol, Tobacco, and Firearms will have jurisdiction.

Most other countries now investigate computer crimes involving systems or perpetrators within their borders.

21.1.4 State Agencies

21.1.4.1 State of Georgia

The jurisdiction and ability of state police varies immensely between U.S. states. In some states they just hand out speeding tickets on the Interstate. Georgia is very fortunate to have the Georgia Bureau of Investigation (GBI) that is patterned after the FBI. Like the FBI, GBI's mission is to provide specialized assistance to local police forces that are not large enough to have their own departments to solve certain kinds of crimes.

When I telephoned the GBI's main business number and asked to speak with someone regarding computer crime, she gave me the number of a special department. When I called that number, the lady I talked to was quite knowledgeable and was happy to talk with me. She explained how they were experienced in dealing with Linux, UNIX, Windows, and Macs, how they would remove the disk from a suspected computer, make a copy of the disk, and work with the copy while carefully securing the original so that the data on it would not be damaged accidentally. She went on to explain how they have special programs to analyze the disk for information and routinely made use of outside consultants that were expert in particular areas when necessary. It was clear that if a Linux, VMS, or other system was involved they could handle it! They are working on a capital murder case as I write this.

I asked her what kind of crimes they have handled. Sadly, she said that crimes against children were common, as were stalking crimes. In one stalking case, a man had met a woman in an online chat room and later murdered her. I had thought that this stuff only happened in the movies. Do not let this one incident deter you: I met the love of my life online. For her protection, she brought along her brother, a former police officer, on our first date.

The woman at GBI told of one case where a cracker with his own UNIX box was causing trouble. They were able to trace the problem back to him and package up the evidence to the point of satisfying a judge who then issued a search warrant. The local police force then seized the cracker's computer which the GBI then analyzed. I posed the scenario of someone breaking into my computer over the Internet and asked her whether they would investigate. She said that it was quite likely and to certainly contact them in such a case.

21.1.4.2 State of North Carolina

A disgruntled motorist did a DoS attack on the state's Department of Motor Vehicles. He did not try to hide his identity. The state tracked him down and arrested him in one hour!

21.1.4.3 State of New York

The State of New York's Attorney General's office now has a special department devoted to Internet crimes, including e-commerce and privacy. As I write this, they are investigating DoubleClick Inc., among others.

21.1.5 Local Police

Common experience is that in other than the very largest cities, the police are not trained to cope with or to understand computer crime. Other SysAdmins who have dealt with this have said that, essentially, you have to do all of the work of gathering the evidence, analyzing it, and putting it together so that even a 60-year-old judge who does not know how to change a light bulb can understand it, and maybe then they will pursue the case. If your organization is a branch of a governmental organization or a large company, the police are much more likely to get involved. My brief research in this area confirmed this.

21.1.6 Prepare Your Case

This is a fine time to involve your organization's legal counsel. Remember that the lawyers will probably know no more about computers than you do about brain surgery. Their specialties almost certainly will be contracts, corporate law, and human resources.

Prepare a short summary of the evidence that a quick inspection by a nontechnical person will show to implicate the cracker's system. Try to use diagrams about which someone could say, "Uh huh. I can follow that." You might even test the understandability of this summary by showing it to an appropriate non-SysAdmin person in your organization (with the prior approval of management).


The summary that you prepare might include an annotated portion of log files that show a computer with a particular numeric IP address tried to telnet into your computer unsuccessfully, then tried FTP unsuccessfully, then tried a well-known NFS buffer overflow vulnerability, and was successful in breaking in. (You knew you should have shut down NFS.) The logs then could show that your Director of Marketing's list of your biggest clients was copied to this system via FTP. You then could show that a reverse DNS lookup of this IP (as discussed in "Tracing a Numeric IP Address with nslookup" on page 707) points to the domain of an upstart competitor that one of your recently sacked engineers went to. Please keep in mind that you want to have prepared both a quick summary of the evidence that can be reviewed and understood by legal types in a few minutes and also detailed evidence that proves the guilt and that cannot legitimately be disputed by whatever "expert" the defendant comes up with.

Be honest with yourself regarding the evidence. If it is weak, reconsider yelling "wolf." If said competitor just did a ping shortly before your system crashed, it might just have been testing to see if its connection to the Internet had gone down. This ping would be considered very weak circumstantial evidence and unacceptable by itself. The ping service is considered by most people to be a public service that anyone may use (so long as it is not done so frequently as to constitute a DoS).

Many people consider it acceptable to see whether any random system offers an anonymous FTP and some SysAdmins agree. Certainly, if someone then tries an exploit that is in all but the most recent versions of FTP or tries to download /etc/passwd, this would be considered illegal cracking.


Refer to "Upgrade WU-FTPD" on page 112, "FTP" on page 190, and "Shadowed MD5 Passwords for Good Security" on page 47 for protecting against these problems. Some might consider that someone seeing whether telnet offers a "guest" account is a legitimate action. Calling the cops for these might get someone branded as the child who cried "Wolf!" This might, however, be reason to contact the company that these connections were launched from and ask that the person involved be told to stop.
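The evidence summary described in this section can be produced mechanically from the logs. The following is an added example, not code from the book: it groups syslog-style lines by source IP, labels each event with a severity so that the progression from public probing (a ping, an anonymous FTP check) through failed logins and an exploit attempt to a root login and a file copied out is visible at a glance, and attaches a reverse-DNS name. Every log line, the host name "fs1", the reverse-DNS table and the IP addresses (RFC 5737 test ranges) are constructed for the example; the kernel "segfault" line and the ipchains-style "Packet log" line are constructed approximations, not captured output.

```python
"""Annotated intrusion timeline from syslog-style lines (added example, not from the book)."""
import re
from collections import defaultdict

SEVERITY = {1: "public/benign", 2: "suspicious", 3: "hostile", 4: "compromise"}

# Constructed sample log lines for a hypothetical host "fs1"; none is real captured output.
SAMPLE_LOG = """\
Mar 30 02:11:03 fs1 in.telnetd[1201]: connect from 203.0.113.45
Mar 30 02:11:09 fs1 login[1202]: FAILED LOGIN 1 FROM 203.0.113.45 FOR root, Authentication failure
Mar 30 02:12:40 fs1 ftpd[1210]: FTP LOGIN FAILED (password) FROM 203.0.113.45, guest
Mar 30 02:14:02 fs1 rpc.mountd[212]: refused mount request from 203.0.113.45 for /export
Mar 30 02:14:05 fs1 kernel: rpc.mountd[212]: segfault at 41414141 ip 41414141 (oversized path from 203.0.113.45)
Mar 30 02:14:30 fs1 in.telnetd[1230]: connect from 203.0.113.45
Mar 30 02:14:36 fs1 login[1231]: ROOT LOGIN ON ttyp2 FROM 203.0.113.45
Mar 30 02:16:11 fs1 ftpd[1240]: RETR /home/mktg/biggest-clients.xls from 203.0.113.45 (root)
Mar 30 03:00:15 fs1 ftpd[1260]: ANONYMOUS FTP LOGIN FROM 198.51.100.7, mozilla@
Mar 30 03:00:20 fs1 ftpd[1260]: RETR /etc/passwd from 198.51.100.7 (anonymous)
Mar 30 04:10:00 fs1 kernel: Packet log: input ACCEPT eth0 PROTO=1 192.0.2.9:8 10.1.2.3:0 L=84
"""

# Classification rules, most specific first: (regex with an "ip" group, severity, label).
RULES = [
    (r"FAILED LOGIN .* FROM (?P<ip>[\d.]+) FOR (?P<user>\w+)", 2, "failed telnet login for {user}"),
    (r"FTP LOGIN FAILED .* FROM (?P<ip>[\d.]+)", 2, "failed FTP login"),
    (r"rpc\.mountd.*segfault.*from (?P<ip>[\d.]+)", 3, "NFS mountd crashed on request (exploit attempt)"),
    (r"refused mount request from (?P<ip>[\d.]+)", 2, "refused NFS mount request"),
    (r"ROOT LOGIN ON \S+ FROM (?P<ip>[\d.]+)", 4, "successful root login"),
    (r"RETR /etc/passwd from (?P<ip>[\d.]+)", 3, "download of /etc/passwd"),
    (r"RETR (?P<path>\S+) from (?P<ip>[\d.]+)", 4, "file {path} copied out"),
    (r"ANONYMOUS FTP LOGIN FROM (?P<ip>[\d.]+)", 1, "anonymous FTP check"),
    (r"PROTO=1 (?P<ip>[\d.]+):8 ", 1, "ping (ICMP echo request)"),
    (r"connect from (?P<ip>[\d.]+)", 1, "connection to telnet"),
]

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")

# Constructed reverse-DNS table so the example runs offline. In real use pass
# resolver=lambda ip: socket.gethostbyaddr(ip)[0] and query from a resolver you trust.
REVERSE_DNS = {"203.0.113.45": "gw.upstart-competitor.example",
               "198.51.100.7": "dsl-7.isp.example"}


def lookup(ip):
    return REVERSE_DNS.get(ip, "(no PTR record)")


def classify(msg):
    """Return (source_ip, severity, label) for the first matching rule, else None."""
    for pattern, sev, label in RULES:
        m = re.search(pattern, msg)
        if m:
            return m.group("ip"), sev, label.format(**m.groupdict())
    return None


def build_timeline(lines, resolver=lookup):
    """Group classified events by source IP, remembering the worst severity seen."""
    per_ip = defaultdict(lambda: {"host": None, "worst": 0, "events": []})
    for line in lines:
        lm = LINE_RE.match(line)
        if not lm:
            continue
        hit = classify(lm.group("msg"))
        if not hit:
            continue                      # unrelated log noise is left out of the summary
        ip, sev, label = hit
        entry = per_ip[ip]
        entry["host"] = entry["host"] or resolver(ip)
        entry["worst"] = max(entry["worst"], sev)
        entry["events"].append((lm.group("ts"), sev, label))
    return dict(per_ip)


def summarize(timeline):
    """Plain-text summary, worst source first, one indented line per event."""
    out = []
    for ip, e in sorted(timeline.items(), key=lambda kv: -kv[1]["worst"]):
        out.append(f"{ip} ({e['host']}): worst = {SEVERITY[e['worst']]}, {len(e['events'])} events")
        for ts, sev, label in e["events"]:
            out.append(f"    {ts}  [{SEVERITY[sev]}] {label}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(build_timeline(SAMPLE_LOG.splitlines()))))
```

The severity labels mirror the distinction the text draws: a ping or an anonymous-FTP check alone stays at "public/benign" and would not justify a call, while the exploit attempt, the /etc/passwd download and the outbound copy of the client list are what a summary should put in front of a reader first. Run the original log through the same script later and it reproduces the summary exactly, which is one answer to the claim that the annotated version was hand-picked.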

21.1.7 Tracing Stolen Data

If you trace the point of entry to a competitor (for those at commercial companies), understand that the intrusion might be the work of an individual on his own and without the authorization of management. Evaluate the general ethics already seen on the part of the company and the risks of it getting caught (bad publicity, lawsuits, and criminal investigation) versus the likely value of the data. If it appears likely that it is the work of one individual working alone, his company might not even realize that his "great idea or code" is stolen.

His company would be no more interested in the stolen data being used than you are. They might be very interested in helping you to track down the intruder and in destroying their copy of the data and whatever it tainted. If this situation might apply, consider suggesting to management that you contact the system administrators at the other company and work together to resolve the problem. Most SysAdmins are very protective of their systems and will want to root out such a problem.

If a company is large enough to have its own computer security department, these guys will be "no nonsense" and probably will have a lot of authority.


21.1.8 Care of Evidence

A common and frequently successful ploy of defense attorneys is to question the chain of evidence. This means that if at any point from when the evidence first is generated until the time that it is presented in court there is any possibility that someone might have tampered with it, it is considered tainted. In this case, the defense attorney (barrister) might be able to get the judge to exclude the evidence or at least put doubt in the mind of the judge or jury as to the reliability of the evidence.

The practical implication is that all evidence either must be securely locked or must be under guard at all times. Simply locking it in your desk is not acceptable because any average person can defeat a desk lock. If there was a delay between the event "allegedly" happening and the time that you first observed the log files, the defense attorney will assert that some other cracker may have planted the data and that it is false.

Be prepared to contradict this assertion of tainted evidence with log files or other evidence. Implementing the capability discussed earlier of automatically paging you with the name and numeric IP of the cracking system is an excellent response to any claims that the logs could have been altered later. The paging company might keep a log of the pages too. (See "An Example for Automatic Paging" on page 620.)
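One practical way to show that log files have not changed since you first secured them is to record a cryptographic digest of each file at collection time and keep that record somewhere the intruder cannot reach. The following is an added example, not code from the book: it writes a manifest entry (SHA-256, size, collection time, collector) for each evidence file, chains each entry to the one before it so entries cannot be dropped or reordered without notice, and re-checks both the files and the chain later. The collector name, the temporary file and the log line in it are constructed for the example.

```python
"""Evidence manifest with hash chaining (added example, not from the book)."""
import hashlib
import json
import os
import tempfile
import time

CHAIN_START = "0" * 64   # "previous digest" for the first record


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so that large disk images also work."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def record_digest(rec):
    """Digest of a record's sealed fields in canonical JSON order; this is the chain link."""
    fields = ("seq", "path", "size", "sha256", "collected_at", "collector", "prev")
    body = {k: rec[k] for k in fields}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def make_manifest(paths, collector, now=None):
    """Seal each file; every record carries the digest of the record before it."""
    now = now or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    manifest, prev = [], CHAIN_START
    for seq, path in enumerate(paths):
        rec = {"seq": seq, "path": os.path.abspath(path), "size": os.path.getsize(path),
               "sha256": sha256_file(path), "collected_at": now,
               "collector": collector, "prev": prev}
        rec["digest"] = record_digest(rec)
        manifest.append(rec)
        prev = rec["digest"]
    return manifest


def verify_manifest(manifest):
    """Return a list of problems: edited records, broken chain links, missing or altered files."""
    problems, prev = [], CHAIN_START
    for rec in manifest:
        if rec["prev"] != prev or record_digest(rec) != rec["digest"]:
            problems.append(f"chain broken at record {rec['seq']}")
        if not os.path.exists(rec["path"]):
            problems.append(f"missing: {rec['path']}")
        elif (os.path.getsize(rec["path"]) != rec["size"]
              or sha256_file(rec["path"]) != rec["sha256"]):
            problems.append(f"altered: {rec['path']}")
        prev = rec["digest"]
    return problems


def demo():
    """Constructed scenario: seal a log, verify it, then show two kinds of tampering are caught."""
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "messages")
    with open(log, "w") as f:   # constructed log content
        f.write("Mar 30 02:14:36 fs1 login[1231]: ROOT LOGIN ON ttyp2 FROM 203.0.113.45\n")
    manifest = make_manifest([log], collector="sysadmin-placeholder")
    clean = verify_manifest(manifest)                 # expected: no problems

    with open(log, "a") as f:   # someone appends a line after the file was sealed
        f.write("Mar 30 02:15:00 fs1 login[1232]: ROOT LOGIN ON ttyp2 FROM 10.9.9.9\n")
    file_tampered = verify_manifest(manifest)         # expected: "altered: ..."

    manifest2 = make_manifest([log], collector="sysadmin-placeholder")
    manifest2[0]["collector"] = "someone-else"        # record edited after sealing
    record_tampered = verify_manifest(manifest2)      # expected: "chain broken at record 0"
    return clean, file_tampered, record_tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "file tampered", "record tampered"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The manifest is only as trustworthy as the copy that cannot be edited, so write it to write-once media or send the digests out of band at collection time; the digest of the last record fits in the same page or e-mail that the automatic-paging setup already sends, which gives you a timestamped record held by a third party.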


Real World Linux Security, Prentice Hall PTR Open Source Technology Series
Year: 2002
Pages: 260