Chapter VII: Reference Materials

Cyber Vulnerabilities

Anyone with a basic computer interest is probably aware of the existence of security vulnerabilities, at least in a general sense, in our networks and computers. These vulnerabilities are widely discussed in the media. Using a simple Internet search, a 12 year old could locate a variety of hacker tools, then download and implement them. When we first saw the dramatic increase in home computers in early 1990s, we did not worry about attacks on our family computers. Most casual users were not aware that security vulnerabilities even existed. Today, we worry about our systems getting hit with viruses, worms and Trojans. Companies secure web sites and web pages against attacks and defacements. Consumers are concerned that companies are not maintaining adequate security on our personal and financial information as we hear weekly news reports about hackers and new intrusions.

American consumers and businesses increasingly are relying on the Internet to complete transactions. E-commerce is growing in all sectors of the U.S. economy. Most e-commerce transactions are business-to- business (B2B), but e-commerce retail sales reached $46 billion in 2002, up from $36 billion in 2001. When Internet users ” be they businesses or consumers ” are crippled by Internet fraud schemes, the viability of e- commerce is compromised.

Computer intrusions are a different category from most fraud schemes. Many intrusions are never reported because companies fear a loss of business from reduced consumer confidence in their security measures or from a fear of lawsuits. Most of the outsider-intrusions cases opened today are the result of a failure to patch a known vulnerability for which a patch has been issued. Theft of consumer information from a computer system can only be facilitated two ways: by insiders or by outside hackers. Insiders have various motivations, including retribution and money. Outsiders are usually motivated by challenge and/or greed.

The National Research Council issued a report in 2001 titled, Cybersecurity Today and Tomorrow: Pay Now or Pay Later. If you have not seen the report, I would urge you to obtain a copy. The report makes a number of significant points and general observations, including a key one for this Hearing:

Note also that an attacker may be able to exploit a flaw accidentally introduced into a system. System design and/or implementation that is poor by accident can result in serious security problems that can be deliberately target[ed] in a penetration attempt by an attacker.

If security on a system is inadequate, and someone chooses to exploit the weaknesses, consequences are inevitable. According to the report, there are three things that can go wrong with a computer system or network:

1. It can become unavailable or very slow. That is, using the system or network at all becomes impossible , or nearly so.

2. It can become corrupted, so that it does the wrong thing or gives wrong answers. For example, data stored on the computer may become different from what it should be, as would be the case if medical or financial records were improperly modified.

3. It can become leaky. That is, someone who should not have access to some or all of the information available through the network obtains such access.

When one of these things happen, the FBI is in a unique position to respond because it is the only Federal agency that has the statutory authority, expertise, and ability to combine the counterterrorism, counterintelligence, and criminal resources needed to effectively neutralize, mitigate, and disrupt illegal computer-supported operations.

The FBI s Cyber Division

The FBI s reorganization of the last two years included the goal of making our cyber investigative resources more effective. In 2002, the reorganization resulted in the creation of the FBI s Cyber Division.

The Cyber Division addresses cyber threats in a coordinated manner, allowing the FBI to stay technologically one step ahead of the cyber adversaries threatening the United States. The Cyber Division addresses all violations with a cyber nexus, which often have international facets and national economic implications. The Cyber Division also simultaneously supports FBI priorities across program lines, assisting counterterrorism, counterintelligence, and other criminal investigations when aggressive technological investigative assistance is required. The Cyber Division will ensure that agents with specialized technology skills are focused on cyber related matters.

At the Cyber Division we are taking a two-tracked approach to the problem. One avenue is identified as traditional criminal activity that has migrated to the Internet, such as Internet fraud, on-line identity theft, Internet child pornography, theft of trade secrets, and other similar crimes. The other, non-traditional approach consists of Internet-facilitated activity that did not exist prior to the establishment of computers, networks, and the World Wide Web. This encompasses cyber terrorism, terrorist threats, foreign intelligence operations, and criminal activity precipitated by illegal computer intrusions into U.S. computer networks, including the disruption of computer supported operations and the theft of sensitive data via the Internet. The FBI assesses the cyber-threat to the U.S. to be rapidly expanding, as the number of actors with the ability to utilize computers for illegal, harmful , and possibly devastating purposes is on the rise.

To accomplish its mission, the Cyber Division will form and maintain public/private alliances in conjunction with enhanced education and training to maximize counterterrorism, counterintelligence, and law enforcement cyber response capabilities. The FBI will also maximize the success of cyber investigations through awareness and exploitation of emerging technology.

To support this mission we are dramatically increasing our cyber training program and international investigative efforts. Consequently, specialized units are now being created at FBI Headquarters to provide training not only to FBI cyber squads, but also to the other agencies participating in existing or new cyber-related task forces in which the FBI is a participant. This training will largely be provided to investigators in the field. A number of courses will be provided at the FBI Academy at Quantico.

A typical case will come to the FBI through the Internet Fraud Complaint Center (IFCC), In its fourth year of operation, IFCC has proven to be a very successful clearinghouse, receiving over 75,000 complaints in 2002 on crimes ranging from identity theft and computer intrusions to child pornography.

If the IFCC received an intrusion report from a company in Birmingham, Alabama, we would first attempt to locate where the intrusion took place. That same company may have its servers in Minneapolis, while the intruder is routing attacks through Internet providers in California and Europe. If the servers in Minneapolis were hacked, the Minneapolis Cyber Crime Task Force would be assigned the lead on the case. The leads could start in California, but end up in Eastern Europe, Nigeria or even back to Birmingham, if an insider was involved. One of the FBI s Computer Analysis Response Teams (CART) would be called upon to preserve computer forensic evidence, and that evidence could be forwarded to one of our new Regional Crime Forensic Labs, now located in Chicago, Dallas and San Diego. The Lab would determine the extent and duration of the intrusion, and whether the attacker came from inside or outside the company. Depending on the sophistication of the intruder, the case can be cracked in a few days or take years. Cases are routinely complex, and often involve international connections. The following cases serve as examples of typical cyber crimes:

Raymond Torricelli, aka rolex

Raymond Torricelli, aka rolex, the head of a hacker group known as #conflict, was convicted for, among other things, breaking into two computers owned and maintained by the National Aeronautics and Space Administration s Jet Propulsion Laboratory ( JPL ), located in Pasadena, California, and using one of those computers to host an Internet chat-room devoted to hacking.

Torricelli admitted that, in 1998, he was a computer hacker, and a member of a hacking organization known as #conflict. Torricelli admitted that he used his personal computer to run programs designed to search the Internet, and seek out computers which were vulnerable to intrusion. Once such computers were located, Torricelli s computer obtained unauthorized access to the computers by uploading a program known as rootkit. The file, rootkit, is a program which, when run on computer, allows a hacker to gain complete access to all of a computer s functions without having been granted these privileges by the authorized users of that computer.

One of the computers Torricelli accessed was used by NASA to perform satellite design and mission analysis concerning future space missions, another was used by JPL s Communications Ground Systems Section as an e-mail and internal web server. After gaining this unauthorized access to computers and loading rootkit, Torricelli, under his alias rolex, used many of the computers to host chat-room discussions. Torricelli admitted that, in these discussions, he invited other chat participants to visit a web site which enabled them to view pornographic images and that he earned 18 cents for each visit a person made to that web site. Torricelli earned approximately $300-400 per week from this activity. Torricelli also pled guilty to intercepting usernames and passwords traversing the computer networks of a computer owned by San Jose State University. In addition, Torricelli pled guilty to possession of stolen passwords and usernames which he used to gain free Internet access, or to gain unauthorized access to still more computers.

Torricelli admitted that when he obtained passwords which were encrypted, he would use a password cracking program known as Johnthe-Ripper to decrypt the passwords. He also pled guilty to possessing stolen credit card numbers that he obtained from other individuals and stored on his computer. Torricelli admitted that he used one such credit card number to purchase long distance telephone service.

Much of the evidence obtained against Torricelli was obtained through a search of his personal computer. In addition to thousands of stolen passwords and numerous credit card numbers, investigators found transcripts of chat-room discussions in which Torricelli and members of #conflict discussed, among other things,(1) breaking into other computers; (2) obtaining credit card numbers belonging to other persons and using those numbers to make unauthorized purchases; and (3) using their computers to electronically alter the results of the annual MTV Movie Awards. This case illustrates the wide variety of criminal acts which can result from security vulnerabilities.

Raphael Gray, aka Curador

On March 1, 2000, a computer hacker using the name Curador compromised several e-commerce web sites in the U.S., Canada, Thailand, Japan and the United Kingdom, and stole as many as 28,000 credit card numbers with losses estimated to be at least $3.5 million. Thousands of credit card numbers and expiration dates were posted to various Internet web sites. After an extensive investigation, on March 23, 2000, the FBI assisted the Dyfed Powys (Wales, UK) Police Service in a search at the residence of Curador, Raphael Gray. Mr. Gray, age 18, was arrested and charged in the UK along with a coconspirator under the UK s Computer Misuse Act of 1990. This case illustrates the benefits of law enforcement and private industry around the world working together in partnership on computer crime investigations.

Bloomberg Extortion

Kazakhstan citizens Oleg Zezov, and Igor Yarimaka were arrested on August 10, 2000 in London, England for breaking into Bloomberg L.P. s Manhattan computer system in an attempt to extort money from Bloomberg. Zezov gained unauthorized access to the internal Bloomberg Computer System from computers located in Almaty, Kazakhstan. In the Spring of 1999, Bloomberg provided database services, via a system known as the Open Bloomberg, to Kazkommerts Securities located in Almaty, Kazakhstan. Zezov was employed by Kazkommerts.

Zezov sent a number of e- mails to Michael Bloomberg, the founder and owner of Bloomberg, using the name Alex, demanding that Bloomberg pay him $200,000 in exchange for providing information to Bloomberg concerning how Zezov was able to infiltrate Bloomberg s computer system. Michael Bloomberg sent e-mail to Zezov suggesting that they meet. Zezov demanded that Michael Bloomberg deposit $200,000 into an offshore account. Bloomberg established an account at Deutsche Bank in London and deposited $200,000. Michael Bloomberg suggested that they resolve the matter in London and Zezov agreed.

On August 6, 2000, Yarimaka and Zezov flew from Kazakhstan to London. On August 10, 2000, Yarimaka and Zezov met with officials from Bloomberg L.P., including Michael Bloomberg, and two London Metropolitan police officers, one posing as a Bloomberg L.P. executive and the other serving as a translator. At the meeting, Yarimaka allegedly claimed that he was a former Kazakhstan prosecutor and explained that he represented Alex and would handle the terms of payment. According to the Complaint, Yarimaka and Zezov reiterated their demands at the meeting. Shortly after the meeting Yarimaka and Zezov were arrested. On February 27, 2003, the trial of Anatoljevich Zezev concluded with a guilty verdict for computer fraud, extortion, use of interstate communications for extortion, and conspiracy . He faces a maximum of 28 years in prison . This case is an example of a traditional crime facilitated by a computer.

Cyber crime continues to grow at an alarming rate, and security vulnerabilities contribute to the problem. We encourage administrators and security professionals to reduce opportunities for criminals by employing best practices and patching vulnerabilities before they can be exploited. The FBI will continue to aggressively pursue cyber criminals as we strive to stay one step ahead of them in the cyber crime technology race.

I thank you for your invitation to speak to you today and on behalf of the FBI look forward to working with you on this very important topic.