Information Security News
mailing list archives
Break Glass, Pull Handle, Call FBI
From: William Knowles <wk () c4i org>
Date: Tue, 5 Jun 2001 22:32:39 -0500 (CDT)
[Check out the URL for the additional sidebars, with tips on what to
do if you suspect a third party has compromised your network.
Already I am questioning one of the tips supplied by the author below.
PROTECT AND PROSECUTE
To preserve any evidence and help the federal, state and local law
enforcement agencies investigate the incident, take the following
1. Make backup copies of damaged and altered files and keep backups in
a secure location.
Now I have been told that if you suspect your network has been broken
into, you should yank the power cord out of the back of the suspected
computer(s) BEFORE doing anything else like making backup copies of
the hard drive, since that might taint the evidence chain. While I am
at it, is there a recommended computer forensics guide that someone
could forward to the list?
Nice to see an article anyways on calling in the Feds. - WK]
BY TRACY MAYOR
Jun. 1, 2001
WE'RE GOING TO CONVINCE YOU that you should call the FBI if your
company is ever the victim of a computer crime. That's right, the
Federal Bureau of Investigation. The feds. Government agents. Now,
before you say "I don't think so" in your most sarcastic voice, read
There's a prevailing misconception that as soon as you pick up the
phone to call the FBI, teams of agents will swoop down on you with
guns drawn to confiscate your computers and seize control, effectively
closing down your business. That's how it happens in the movies. This
is life. Here's how it really happens.
Usermagnet had survived distributed denial-of-service attacks before,
but nothing like what it experienced on a Sunday night in February of
last year. Packet kiddies - international hacking groups comprising
teenagers looking for a thrill - had taken over an online Java chat
channel the company was hosting.
"It was vicious. These guys were completely suppressing our
circuits," recalls Rick Ross, president of the Cary, N.C., Web
services company. "We're talking 50 megabits per second massively
overloading our servers. It went on for something like 14 hours."
When he and Vice President of Development Mike Sick went
looking for other channel users under attack they found the same
assault happening simultaneously in at least a dozen places. The pair
also found a friend who had managed to start a conversation with one
of the hackers and gained access to his system. "There was a large
amount of information on a whole hacker network," says Ross. There was
also a list of about 500 machines the group had compromised and the
passwords used to hack each unit. "We said, 'Whoa, we're over our
After calling the FBI and getting its approval, Ross and Sick set out
to turn several of the group members into informants. One of the
hackers even asked to have a pizza sent to his house as a show of
fidelity. Meanwhile, federal agents tracked entry points, contacted
ISPs, pored over logs, monitored hacking channels and contacted owners
of each machine that had been hit. The result? As this issue went to
press, the one nonjuvenile member of the group had pleaded guilty and
was awaiting sentencing.
To Call or Not to Call
Calling the Feds is still filed under unthinkable acts in most
organizations. The few brave companies that have made the call and
lived to tell the tale say they got the help they needed and in some
cases saw the perpetrators arrested.
Federal agents have investigative skills, forensic knowledge,
access to attachés in foreign countries, and established relationships
with Internet players as big as Cisco Systems and as small as the
local ISPs often used by hackers to launch attacks. (Do you? Does
anyone at your company?) The feds can also build a case by aggregating
your information with data from other cybercrime victims you'd
probably never find on your own. When you really need it, they can
also find someone who speaks Dutch.
That's just what Susan Iverson needed in May 2000. Iverson, the
information technology manager at J.H. Baxter, a San Mateo, Calif.,
wood-treatment company, came to work one morning and heard a voice
mail that would raise the hairs on the back of any IS exec's neck. An
official from the DOD (yes, that DOD, the U.S. Department of
Defense) had called to say one of his servers was being attacked from
an IP address registered to J.H. Baxter, and would Iverson be so kind
and find the break and shut down the intruder?
Iverson and her team found the break and traced it to an IP address in
the Netherlands registered to IBM but recently sold to AT&T. When
Iverson tried to get someone to shut it down, she had trouble
negotiating between the two companies, juggling two time zones and two
languages. With the IP address still open and the assault still in
process the next morning, she decided to bring in the big guns: the
FBI's Northern California field office. IBM and AT&T took notice, the
hacker was shut out, and Iverson was free to start repairing and
securing her own systems.
In one sense, Usermagnet and J.H. Baxter are typical, modern
corporations. They've been victims of a cyberattack. If you believe a
similar attack, or worse, can't happen to you, you're either naive or
deep in denial.
In another sense, the two companies are rarities in the IT
universe: organizations willing to call in federal law enforcement when
they've been hacked. "That's extremely rare. Extremely!" exclaims a
spokeswoman for a financial services trade organization when asked if
any of her members had ever contacted the feds.
A recent Sound Off column on CIO.com (see "Will You Partner with the
FBI on Security?" at comment.cio.com) solicited opinions on the
National Infrastructure Protection Center's InfraGard program, which
lets companies anonymously share data on cyberbreaks. This drew a
similar level of alarm among IT execs, if not outright vitriol. "There
is no such thing as a partnership with the government. My interests
don't even appear on their radar," said one IT director. Another
respondent wrote, "Keep corporate security where it belongs, out of the
hands of the government!"
Balance that level of distrust against the increasing frequency and
severity of cybercrime threats. The latest Computer Crime and Security
Survey, conducted by the San Francisco-based Computer Security
Institute, indicated that 85 percent of the respondents (primarily
large corporations and government agencies) had detected computer
security breaches during the past year. Sixty-four percent
acknowledged financial losses due to computer breaches. (Details on
the annual poll, conducted in conjunction with the San Francisco FBI's
Computer Intrusion Squad, are available at
The authorities are improving their expertise by establishing
dedicated electronic-crimes units to boost their cybercrime savviness
and win the trust of corporate America. The FBI, for example, has
almost finished outfitting its field offices with Regional Computer
Crime Intrusion squads. The Department of Justice has established
special Computer Crime & Intellectual Property divisions. The
multiagency New York Electronic Crimes Task Force, which is
coordinated by the U.S. Secret Service, attracted so many requests for
help that the Secret Service plans to expand the concept to other
Also, the feds insist that despite overwhelming fears to the contrary,
they won't screw up your company by seizing your computers or
overpublicizing your case. "They left control with us. All they did
was assist," says Iverson. "There were no guns, and I never felt like
they were going to take off with our servers."
Finally, cybercrime won't evolve from being shameful to being
aggressively prosecuted until the trickle of reported cases grows to a
torrent. "The best deterrents for these kinds of crimes is the strong
message that there are very serious consequences," says Ross Nadel,
chief of the Computer Hacking and Intellectual Property (CHIP) Unit in
the U.S. Attorney's Office for the northern district of California,
based in San Jose. "And a few good, serious cases can get that message
across, if companies are willing to come forward."
Making the call isn't just a moral imperative, it's a practical one,
says Usermagnet's Ross. "If we expect the information economy to
create new sources of prosperity, it's got to be a reasonable, orderly
place to do business," he says. "Packet kiddies are nothing more than
juvenile delinquents running around with the Internet version of
high-powered semiautomatic weapons. If the norm on the Internet
becomes terrorist thugs pushing you around, nobody will bring their
Time to Call the Cops
Three situations motivate companies to call the authorities: if
they're legally required to do so, if it's "the right thing to do" and
if it will help their bottom line, says Mark Rasch, vice president of
cyberlaw for network consultancy Predictive Systems in Reston,
Va. Rasch is the former head of the computer crimes division for the
U.S. Department of Justice who investigated renowned hacker Kevin
Mitnick and prosecuted Robert Morris, the Cornell student who created
a worm that brought the Internet to a standstill.
Banking and finance, nuclear power, air traffic control,
health care and other critical industries are required by law to
report certain types of security breaches or data loss. If you don't
know what laws apply to your company, you should find out before
you're attacked, Rasch suggests. You may also be required under
contract to report attacks or breaches.
The "right thing to do" isn't as easy to define. Rasch and other
security consultants say there are certain instances when you
absolutely, positively should call in law enforcement. Things like
bomb threats and child pornography should never be swept under the
rug, not only because of the potential damage to human life but
because a company can be held liable for such behaviors from its
employees. Further down the severity scale are cyberstalking,
extortion threats, denial-of-service attacks and the proliferation of
The toughest call to make is determining your bottom-line impact, says
Rasch. If your company loses trade-secret data to a random 15-year-old
hacker, it may be better to handle the matter privately instead of
risking a public relations fiasco. "But if it's a competitor who now
has the blueprints for your new widget," he says, "it becomes very
important for you to find out who did it."
The problem with that reasoning is that during an attack or at the
moment you detect an intrusion, you're working blind, say law
enforcement officials. You can't know if you're dealing with a random
hacker or an underhand competitor until afterward. That should be
reason enough to quickly call in reinforcements.
"If there is destruction or loss or theft of data, if there is a loss
of $5,000 or more for a nongovernment nonfinancial institution, if
there's been a root-level compromise or a denial of service, you
should call," says Doris Gardner, supervisory special agent in charge
of the FBI's Charlotte, N.C., Regional Computer Crime Squad. As clear
as those guidelines sound, Gardner and her counterparts in other task
forces acknowledge that there won't be an increase in the number of
crimes reported until they address corporate America's three biggest
fears: the loss of control once they call the cops, being played for
fools in the national media, and that in the end the feds will fail to
catch the perpetrators or return a conviction.
Fear One: Loss of Control
Gardner is emphatic when trying to reassure nervous companies that an
investigation will not spin out of control. When agents start
examining evidence, she explains, they will most likely begin with the
servers and inspect the logs to try to determine who touched what
parts of the system and where they were coming from. A company's IS
staff members are vital players during this type of
investigation. "You're going to be involved," she says. "It's a
That's a mantra repeated by cybercrime experts in the
Department of Justice, the U.S. Attorney's Office and the Department
of the Treasury. "We're not the cavalry. We're not going to come
storming in and take off with your equipment," says Jessica Herrera, a
federal prosecutor in the Computer Crime & Intellectual Property
Section of the Department of Justice's Criminal Division in
Washington, D.C. "We're there to work with the company, and we've
found the best experts for examining computers are the people who
operate them on a day-to-day basis."
Utenzi Corp., a data center outsourcer and corporate ISP, has worked
with the FBI as a victim and other times assisting its customers who
have been hit. The FBI leaves data-intensive tasks to the IS staff
while its agents handle the forensic and legal aspects of a case, says
Mark Nilsson, chief technology officer for the Research Triangle Park,
N.C., company. "IS isn't their core competency, and they know
that. Their core is investigative."
In one instance, he explains, "we gave them the signature of the hack
and some log information, and they subpoenaed logs from another ISP,
traced the user, served a warrant and made an arrest."
Fear Two: Front-Page Coverage
Of all the reasons companies suffer in silence after a cybercrime, the
most potent is the fear of bad publicity. Predictive System's Rasch
sketches out a nightmarish scenario, only partly in jest: "Let's see,
investigation on CNN, trial on Court TV, and conviction and sentencing
on the front page of The New York Times." In all seriousness, though,
he says one goal of prosecutors is to deter other would-be
criminals. "If some guy goes to jail and nobody hears about it,
they're not reaching that goal."
Law enforcement officials insist they take care to keep victims' names
out of the public eye. "We've had plenty of cases when we wanted to
blow our own horn and didn't," says Nadel of the U.S. Attorney's CHIP
"We can't make any absolute guarantees, but in many cases, when a
criminal charge is filed, we don't even name the victim in the
indictment," says Nadel. "Unless there's a particular reason, we
usually won't confirm that a particular company has been a victim." In
fact, when CIO tried to follow up on the break at J.H. Baxter, the FBI
agent who handled the case referred us to a spokesperson who wouldn't
even say whether the case was closed or ongoing.
Iverson and executives at Utenzi and Usermagnet reported
no unwanted publicity in their dealings with the feds. "An
organization like ours is very sensitive to having our name attached
to security stories," says Utenzi's Nilsson. "The FBI has been very
discreet. We've not seen a hit in the press or anything."
IT managers and security consultants say the best way to increase
trust of law enforcement agencies is to establish a relationship with
an agent that specializes in cybercrime before a breach occurs. "You
don't ever want to just call the police. You want to call your friend
Bob down at the FBI," says Rasch.
Nilsson seconds that advice. Having once worked with a particular
agent, he was much more comfortable calling that person when another
Fear Three: Lack of Results
When it comes to involving the feds, skeptics seem divided into two
camps: those who believe federal law enforcement should never be
trusted, and those who believe the FBI and other groups mean well but
are ultimately ineffective.
"The sense that I get in cases where the FBI has been involved is that
they didn't provide a lot of value add," says Peggy Weigle, CEO of
Sanctum, a Santa Clara, Calif., manufacturer of security and control
software for Web applications. "The top priority for any company is to
seal and secure the site. It's difficult to catch hackers. Our feeling
is you should focus instead on getting back into shape."
Chip Smith is cautiously optimistic about the legal clout of law
enforcement. Now director of corporate security for the Bank of New
York, he's the former special agent in charge of the New York Field
Office for the U.S. Secret Service. On one hand, he says, "law
enforcement has come a long way in five years. They're making leaps
and bounds in understanding all these things." On the other hand, he
concedes, they still have a long way to go. "A lot of prosecutors
still aren't familiar [with cybercrime]. A lot of law enforcement
still isn't familiar with it. The laws have to become commensurate
with the crimes being committed."
Many crime fighters say the current laws already allow sufficient
latitude for them to pursue criminals and win convictions. "In the
United States, we have strong laws," says the Department of Justice's
Herrera. "If we're able to figure out who the intruder is and if
there's a climate where [the victim] wants to pursue an investigation,
then the laws are enough."
If the FBI and other authorities hope to send a message in such cases,
it's a message aimed just as much at corporate America as it is at the
cybercriminals. "You can have all the firewalls and intrusion
detection systems you want, but nothing is 100 percent secure if it's
connected to the Internet," Gardner says. "If companies have had
things stolen and they don't want it to happen again, we're hoping
they'll want to come forward and set an example."
How do you feel about calling the FBI? Tell Senior Writer Sarah
D. Scalet at sscalet () cio com
Tracy Mayor is a freelance writer specializing in technology topics.
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
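As an added example, not part of WK's note or the CIO article, here is one way to carry out the first PROTECT AND PROSECUTE step quoted above (make backup copies of damaged and altered files) so that the copy can later be shown to match the original: record the size, timestamp and SHA-256 of every file before copying, copy with timestamps preserved, re-hash the copy, and keep the manifest beside it. The directory names, file names and log contents below are constructed for illustration.

```python
"""Added example: hash-verified evidence copy with a manifest.
Directory and file contents are constructed; nothing here is taken
from a real incident."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record size, modification time and SHA-256 of every regular file under root."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            entries[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime": st.st_mtime,
                "sha256": sha256_file(p),
            }
    return {"collected_at": time.time(), "files": entries}


def preserve_copy(src: Path, dst: Path) -> dict:
    """Hash src, copy it to dst (dst must not exist), and confirm every copied
    file hashes the same. The manifest is written next to dst and returned."""
    manifest = build_manifest(src)
    # copy2 preserves modification times, which matter for a timeline
    shutil.copytree(src, dst, copy_function=shutil.copy2)
    for rel, meta in manifest["files"].items():
        if sha256_file(dst / rel) != meta["sha256"]:
            raise RuntimeError(f"copy of {rel} does not match original hash")
    (dst.parent / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(root: Path, manifest: dict) -> list:
    """Return the relative paths whose file is missing or no longer matches."""
    bad = []
    for rel, meta in manifest["files"].items():
        p = root / rel
        if not p.is_file() or sha256_file(p) != meta["sha256"]:
            bad.append(rel)
    return bad


def demo() -> tuple:
    """Build a constructed evidence tree, preserve it, then show that a later
    change to the copy is detected. Returns (clean_mismatches, tampered_mismatches)."""
    base = Path(tempfile.mkdtemp())
    src = base / "evidence"
    (src / "etc").mkdir(parents=True)
    # constructed sample content, not real log data
    (src / "access.log").write_text(
        "10.0.0.5 - - [05/Jun/2001:22:10:01 -0500] \"GET /cgi-bin/test HTTP/1.0\" 200\n")
    (src / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

    manifest = preserve_copy(src, base / "copy")
    clean = verify_manifest(base / "copy", manifest)        # expected []
    (base / "copy" / "access.log").write_text("edited after collection\n")
    tampered = verify_manifest(base / "copy", manifest)     # expected ["access.log"]
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest is what lets someone other than you (an agent, a court) check later that the copy handed over is the one that was made at collection time; keep it with the copy in the secure location, not on the suspect machine.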
ISN is hosted by SecurityFocus.com
To unsubscribe email isn-unsubscribe () SecurityFocus com