[Clips] To Catch Crooks In Cyberspace, FBI Goes Global

R.A. Hettinga rah at shipwright.com
Tue Nov 21 04:17:23 PST 2006


Pick a horseman, any horseman...

Cheers,
RAH

--- begin forwarded text


  Delivered-To: rah at shipwright.com
  Delivered-To: clips at philodox.com
  Date: Tue, 21 Nov 2006 07:03:30 -0500
  To: Philodox Clips List <clips at philodox.com>
  From: "R.A. Hettinga" <rah at shipwright.com>
  Subject: [Clips] To Catch Crooks In Cyberspace, FBI Goes Global
  Reply-To: clips-chat at philodox.com
  Sender: clips-bounces at philodox.com

  <http://online.wsj.com/article_print/SB116406726611228873.html>

  The Wall Street Journal


  PAGE ONE


  Criminal Network
  To Catch Crooks
  In Cyberspace,
  FBI Goes Global
  Agency Works With Police
  In Foreign Countries
  To Track Down Hackers
  Zeroing In on the Zotob Worm

  By CASSELL BRYAN-LOW

  November 21, 2006; Page A1

  ANKARA, Turkey -- On Aug. 16, 2005, a CNN television news bulletin alerted
  viewers that computers at the network's New York and Atlanta offices were
  infected with a new virus called Zotob. Soon, U.S. companies from coast to
  coast were hit.

  Halfway around the world, two young computer hackers in Turkey and Morocco
  got spooked by the ensuing media coverage, but mocked the ability of
  authorities to track them down. "They can't find me," wrote Atilla Ekici, a
  23-year-old Turk, in an email to his accomplice, a 19-year-old Moroccan
  called Farid Essebar. "Ha, ha, ha," replied Mr. Essebar.

  The U.S. Federal Bureau of Investigation, however, was already hot on their
  trail. The 98-year-old FBI, which has traditionally focused on domestic
  crime, is extending its reach beyond U.S. borders and boosting cooperation
  with other law-enforcement agencies in pursuit of cybercriminals, much as
  the agency has done in tracking down terrorists overseas.

  The shift reflects the global nature of computer crimes, which include
  unleashing viruses, worms and other rogue programs onto victims' computers
  to disrupt them or steal information. As electronic borders between
  countries blur, hackers in one nation can easily commit crimes against
  individuals, corporations and governments on the other side of the world.

  The FBI now ranks cybercrime as its third priority behind terrorism and
  espionage. Computer-based crimes caused $14.2 billion in damages to
  businesses around the globe in 2005, including the cost of repairing
  systems and lost business, estimates Irvine, Calif., research firm Computer
  Economics.

  Building relationships with police in other countries is "the only way we
  are going to effectively get a handle on the problem," says Christopher
  Painter, deputy chief of the Justice Department's Computer Crime Section.

  The FBI is running into limits fighting international computer crime.
  Cybercrooks remain difficult to pinpoint in part because hackers can hide
  their tracks by commandeering computers from afar and routing their
  activities through machines dotted around the world.

  Even when the agency does find suspects overseas, local authorities
  sometimes lack the resources or laws to prosecute. In its pursuit of
  LoveBug, one of the first big international computer viruses, which spread
  around the world in 2000, the FBI located its creator in the Philippines.
  But he was never charged because local laws didn't specify the virus
  writer's activities as illegal at the time.

  "The criminal community is winning," says Nicholas Ianelli, a security
  analyst at the CERT Coordination Center at Carnegie Mellon University, a
  federally funded group that coordinates responses to computer-security
  incidents.

  But the agency is making some headway, thanks partly to a diplomatic
  offensive to enlist help from foreign agencies. It now has about 150 agents
  deployed in some 56 offices around the world, including in Iraq and China,
  which deal with computer intrusions, as well as terrorism and other crimes.
  That has grown from about a dozen offices in the early 1990s.


  During the past two years or so, the FBI has also built up Cyber Action
  Teams, or CATs -- a group of about 25 people that includes agents, computer
  forensic experts and specialists in computer code, according to David
  Thomas, the deputy assistant director of the FBI's science and technology
  branch. Establishing the team has taken longer than expected, in part
  because of the challenges of hiring people with the right skills, Mr.
  Thomas says.

  Earlier this month, the FBI announced the arrest of at least 16 individuals
  involved in a credit-card theft scam as part of an investigation spanning
  the U.S., Poland and Romania. As part of the probe, the FBI temporarily
  posted several agents with Polish and Romanian police to assist with
  surveillance and information sharing.

  Some overseas police agencies have noticed the change. The FBI is "much
  more open to interaction" than it was even a few years ago, says Kevin
  Zuccato, director of the Australian federal police's high-tech crime
  center. One FBI agent is even embedded full-time with Australia's high-tech
  crime center. Usually, FBI agents are posted within U.S. embassies and
  consulates abroad.

  Police in other countries can also get touchy about defending their turf
  from outsiders, just as a local beat cop in the U.S. might resent
  interference from the FBI on a murder case. In 2002, Russian police accused
  an FBI agent of computer hacking after the agent seized evidence against
  two Russian hackers by downloading data from their computers in Russia
  without approval from local authorities. Russia hasn't pursued the charges,
  however, and the agent is still at the FBI. The two countries since then
  have worked on several cybercrime cases.

  The FBI's overseas push is still a long way from winning the borderless
  battle against cybercrime. But as the tale of the Zotob virus shows, the
  agency is scoring some victories.

  By Sunday Aug. 14, 2005, the FBI and antivirus software companies noticed
  that a virus called Zotob had started to spread. The virus infected
  computers by taking advantage of a weakness in some versions of Microsoft
  Corp.'s popular Windows operating system, causing them to slow or reboot
  repeatedly.

  But that wasn't all: Zotob opened a door for other malicious software to be
  installed, such as "key-logging" programs that record what a PC user types
  into a keyboard -- a way to snatch credit-card numbers and other
  information that is sold to criminal gangs. Zotob hit some 100,000
  companies or more, some analysts estimate, including Time Warner Inc.'s CNN
  division and New York Times Co.


  Even before the virus became famous by attacking CNN's computers, FBI Agent
  Erkan Chase and his colleagues were tracking the code. They discovered that
  the Zotob computer program had a signature line "by Diabl0". Mr. Chase, a
  41-year-old former New York cop, recalled the nickname from another virus
  that he had started monitoring earlier in the year, called Mytob. That
  suggested the same person created both viruses.

  Mr. Chase, who was overseeing the FBI's Cyber Action Teams at the time,
  checked in with the FBI's U.S. field offices and found that agents in
  Seattle had opened an investigation into Diabl0 after Mytob hit, linking
  him to an email account at Microsoft in nearby Redmond, Wash. With search
  warrants served on the software giant, Mr. Chase and his colleagues
  obtained emails between Diabl0 and another suspect using the nickname
  "Coder." They also received subscriber information and other evidence
  indicating the two were using computers in Morocco and Turkey, respectively.

  In their email traffic, the tone of the hackers became cautious after media
  coverage of the virus, especially a local report in Turkey that authorities
  believed one of the hackers might be living there. The two suspects
  discussed whether to take precautions by getting rid of the evidence, by
  wiping or ditching their computer hard drives.

  That raised the pressure on Mr. Chase to act quickly and try to arrest the
  two young men before it was too late. "We had to respond pretty quickly
  because we didn't want to get out there and find there was no evidence," he
  said.

  Late afternoon on Aug. 18, 2005, just days after the virus hit, the head of
  the Turkish national police's cybercrime unit, Omer Tekeli, received a call
  from the U.S. Embassy in Ankara asking for help. The FBI teams only travel
  overseas at the behest of local authorities and don't have special powers
  to make arrests, but can offer technical and investigative assistance.

  Mr. Tekeli agreed, and later that same day, an FBI agent from the Seattle
  office called to brief Turkish police on the details, including information
  they had gathered on Coder, Mr. Tekeli says. Mr. Tekeli's team soon
  identified Coder as Mr. Ekici, a farmer's son who had taught himself about
  computers at Internet cafes. Turkish authorities already knew of Mr. Ekici
  from an earlier investigation into a gang of credit-card thieves. Among
  other details, the FBI provided an email address for Coder that included
  part of Mr. Ekici's name as well as the equivalent of digital fingerprints
  that linked Coder's computer with Mr. Ekici's home address.

  On Aug. 21, a week after noticing the virus, Mr. Chase left with a team of
  about a dozen people for Morocco and Turkey, flying in an FBI Learjet. The
  fact that Mr. Chase, whose mother is Turkish, spoke some of the local
  language helped smooth the process. After dropping half the group in the
  Moroccan capital of Rabat, Mr. Chase landed in Ankara, Turkey.

  At the sparsely furnished offices of Turkey's cybercrime police, the FBI
  team handed over evidence they had obtained about the suspects from
  Microsoft and about 25 pages of analysis of the malicious code. FBI
  engineers gave a roughly hour-long presentation on how the code worked,
  complete with slides. In Rabat, meanwhile, emails provided by the FBI
  enabled Moroccan authorities to locate Diabl0 -- Mr. Essebar -- as well as
  an accomplice. Emails typically carry a unique set of numbers, known as an
  Internet protocol address, which identifies each computer connected to the
  Internet. Moroccan police were able to obtain the name and contact details
  associated with the Internet protocol addresses received from the FBI from
  a local Internet service provider.

  The FBI's documents also helped local authorities swiftly secure arrest and
  search warrants. Concerned that the arrest of one suspect would tip off the
  others, Mr. Chase helped the two countries coordinate the raids. In the
  early hours of Aug. 25, Turkish police officers surrounded Mr. Ekici's home
  and took him into custody. About 2,000 miles away in Rabat, police moved in
  on Mr. Essebar and his accomplice. The FBI wasn't invited to be present at
  either of the arrests. Turkish and Moroccan authorities say that is because
  only local police are allowed to charge suspects under the respective
  national laws.

  Mr. Ekici in Turkey had disposed of his computer hard drive, so Turkish
  investigators weren't able to gather much evidence from his machine. But
  Mr. Essebar in Morocco only reformatted his hard drive, which wiped out the
  files but let the Moroccan police's computer specialists recover most of
  them, because copies often still exist.

  Among the finds were copies of the code itself and other information
  identifying Mr. Essebar as Zotob's author. Police also found emails between
  Diabl0 and Coder discussing Zotob as well as the numbers of about 1,600
  stolen credit cards.

  In parallel, FBI specialists worked off a copy of the hard drive, searching
  for relevant emails and writing a piece of computer code on the fly to help
  them analyze the program. "We were able to use that information from
  Morocco and give it to Turkish authorities to further [their]
  investigation," says Mr. Chase.

  In September of this year, a Rabat court sentenced Mr. Essebar, a
  Russian-born Moroccan national, to two years in prison for virus-writing,
  illegal access to computers and conspiracy to commit credit-card fraud. The
  court also sentenced his 21-year-old accomplice to one year in prison for
  conspiracy to commit fraud. A lawyer for Mr. Essebar couldn't be reached.
  At the time of the sentencing, news service Agence France Presse cited a
  lawyer for the defendants saying they planned to appeal.

  Authorities allege Mr. Ekici, whom they believe met Mr. Essebar at a Web
  site for credit-card fraudsters, was responsible for disseminating the
  Zotob worm and intended to use it to steal financial information. But they
  say it is unclear whether he had time to swipe any information or profit
  from it given the speed with which they were able to arrest him, less than
  two weeks after the worm first spread.

  The trial of Mr. Ekici, whom Turkish authorities have charged with
  unauthorized access to computers and disseminating a virus, continues in
  Turkey. He couldn't be reached for comment.

  The Zotob case marked the first time foreign law enforcement has come to
  Turkey to assist in a cybercrime investigation, says Mr. Tekeli, the
  cybercrime unit chief in Turkey. Without the FBI's help, the investigation
  "would have been more difficult and more time consuming," he says. Hakim
  Aarab, an engineer in the Moroccan police's computer division, says because
  of the borderless nature of cybercrime, "international collaboration is an
  obligation, it's not an option."

  --
  -----------------
  R. A. Hettinga <mailto: rah at ibuc.com>
  The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
  44 Farquhar Street, Boston, MA 02131 USA
  "... however it may deserve respect for its usefulness and antiquity,
  [predicting the end of the world] has not been found agreeable to
  experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
  _______________________________________________
  Clips mailing list
  Clips at philodox.com
  http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


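Added example, not code from the article, the FBI or anyone quoted in it. The attribution step the article describes, where FBI engineers matched the "by Diabl0" signature line in Zotob to the handle seen earlier in Mytob, comes down to pulling printable strings out of binaries and grouping samples by the handle they carry. The Python below does exactly that over constructed byte strings that stand in for samples (the file names are invented, the handles Diabl0 and Coder are taken from the article, and "sorted by date" is a deliberate decoy). It also extracts UTF-16LE strings, which Windows binaries use heavily and which a plain ASCII scan misses.

```python
"""Link malware samples by an embedded author handle such as "by Diabl0".

Added example, not the FBI's or anyone else's tooling.  The "samples" below
are constructed byte strings standing in for binaries, not real malware.
"""
import re
from collections import defaultdict

# Runs of printable ASCII, and runs of printable UTF-16LE (char, NUL pairs).
# Windows binaries store much of their text wide, so scan both encodings.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# A handle following the word "by": letters, digits, underscore, dash.
AUTHOR_TAG = re.compile(r"\bby\s+([A-Za-z0-9_\-]{3,32})\b", re.IGNORECASE)


def extract_strings(blob: bytes) -> list[str]:
    """Equivalent of `strings` plus `strings -el` on one blob."""
    out = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    out += [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(blob)]
    return out


def author_tags(blob: bytes) -> set[str]:
    """Lower-cased handles that follow 'by' in any extracted string."""
    return {m.group(1).lower()
            for s in extract_strings(blob)
            for m in AUTHOR_TAG.finditer(s)}


def cluster_by_author(samples: dict[str, bytes]) -> dict[str, set[str]]:
    """Map each handle to the set of sample names that carry it."""
    clusters: dict[str, set[str]] = defaultdict(set)
    for name, blob in samples.items():
        for tag in author_tags(blob):
            clusters[tag].add(name)
    return dict(clusters)


def wide(s: str) -> bytes:
    """Encode a string the way a Windows binary stores wide text."""
    return s.encode("utf-16-le")


# Constructed stand-ins: a fake header, non-printable filler, embedded text.
SAMPLES = {
    "sample_a.bin": b"MZ\x90\x00\x03" + bytes(range(32)) + b"worm by Diabl0\x00" + bytes(12),
    "sample_b.bin": b"MZ\x90\x00\x03" + bytes(8) + wide("coded by DIABL0 2005") + bytes(9),
    "sample_c.bin": b"MZ\x90\x00\x03" + b"sorted by date\x00" + bytes(16) + b"by Coder\x00",
    "sample_d.bin": b"MZ\x90\x00\x03" + bytes(40) + b"no tag here\x00",
}


if __name__ == "__main__":
    for handle, names in sorted(cluster_by_author(SAMPLES).items()):
        print(f"{handle:8s} -> {sorted(names)}")
```

A shared handle is a lead, not proof: authors copy, reuse and plant such strings, and the "date" cluster from "sorted by date" shows how readily the pattern fires on ordinary text. In practice this gets weighed alongside other shared artifacts (build tooling, mutex names, command-and-control infrastructure) before anyone treats two samples as the same author's work.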

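Added example, not code from the article or from any of the agencies it describes. The article notes that the e-mails handed to Moroccan police carried IP addresses that a local ISP could tie to a subscriber. The Python below shows where those addresses actually live in a message, in the Received: headers that each relaying mail server prepends, and how to walk that chain back to the sender's public address while skipping the private addresses a NAT'd client reports about itself. The message is constructed; every host name, mailbox, timestamp and address in it is made up, and the RFC 5737 documentation ranges stand in for public addresses.

```python
"""Pull the originating IP address out of an e-mail's Received: chain.

Added example (not code from the article or from any agency).  The message is
constructed; every host name, address and mailbox in it is made up.
"""
import ipaddress
import re
from email import message_from_string
from email.message import Message
from typing import Optional

# Constructed sample.  MTAs prepend Received: lines, so the top one is the
# final hop and the bottom one is the relay that first accepted the message.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby mail.example.org with ESMTP id k7I7xZb0; Thu, 18 Aug 2005 10:02:11 -0700
Received: from relay.example.net (relay.example.net [198.51.100.22])
\tby mx.example.net with ESMTP; Thu, 18 Aug 2005 17:01:59 +0000
Received: from [192.168.1.5] (unknown [192.0.2.44])
\tby relay.example.net with ESMTPA id 3fA1; Thu, 18 Aug 2005 17:01:50 +0000
From: coder@example.net
To: diabl0@example.net
Subject: re: news

ha ha ha
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Blocks an ISP cannot map to a subscriber: RFC 1918 private space, RFC 6598
# shared (CGNAT) space, loopback, link-local, multicast and class E.  The
# RFC 5737 documentation nets (192.0.2/24, 198.51.100/24, 203.0.113/24) are
# deliberately NOT listed because the sample uses them as stand-ins for public
# addresses; ipaddress's is_private would reject them, so the check is explicit.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def is_routable(addr: str) -> bool:
    """True if addr is a valid IPv4 address outside every NON_ROUTABLE block."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and not any(ip in net for net in NON_ROUTABLE)


def received_chain(raw: str) -> list[list[str]]:
    """IPv4 addresses found in each Received: header, oldest hop first."""
    msg: Message = message_from_string(raw)
    hops = [IPV4.findall(h) for h in msg.get_all("Received", [])]
    hops.reverse()                      # headers are stored newest-first
    return hops


def originating_ip(raw: str) -> Optional[str]:
    """Best candidate for the sender's public address, or None.

    Webmail services often record it in X-Originating-IP.  Otherwise walk the
    Received: chain from the oldest hop and return the first routable address,
    skipping the RFC 1918 address a NAT'd client announces about itself.
    """
    msg = message_from_string(raw)
    for hdr in msg.get_all("X-Originating-IP", []):
        for addr in IPV4.findall(hdr):
            if is_routable(addr):
                return addr
    for hop in received_chain(raw):
        for addr in hop:
            if is_routable(addr):
                return addr
    return None


if __name__ == "__main__":
    print(received_chain(SAMPLE_MESSAGE))
    print("originating IP:", originating_ip(SAMPLE_MESSAGE))
```

Two cautions a practitioner would add. The sender controls everything below the first Received: line written by a server you trust, so forged headers can point at an innocent address; in real work you locate the trusted boundary and take the address that your own (or a cooperating operator's) relay observed. And a dynamically assigned address is only meaningful together with the exact timestamp and time zone of that hop, which is what the ISP needs to look up the subscriber.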

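Added example, not code from the article or from the Moroccan or U.S. investigators. The article says Mr. Essebar only reformatted his drive and that the files were largely recovered. A quick format rewrites the file-system metadata but leaves the data sectors in place, so forensic tools recover files by "carving": scanning the raw image for the header and footer bytes of known formats. The Python below builds a toy disk image with an invented two-sector directory, formats it by zeroing that directory, and then carves a JPEG-shaped and a PDF-shaped blob back out of the raw sectors. The layout and all file contents are constructed placeholders.

```python
"""Why a reformatted drive still yields evidence: carve files by signature.

Added example, not anyone's production tooling.  It builds a toy disk image
with a two-sector directory, "quick formats" it by zeroing the directory
only, then recovers files by scanning raw sectors for header/footer byte
signatures, the way carving tools such as foremost and scalpel work.
"""
import struct

SECTOR = 512
TABLE_SECTORS = 2            # toy layout: sectors 0-1 hold the directory
ENTRY = 24                   # 16-byte name + u32 start offset + u32 length


def build_image(files: dict[str, bytes], n_sectors: int = 64) -> bytearray:
    """Lay each file out on a sector boundary and record it in the directory."""
    img = bytearray(n_sectors * SECTOR)
    cursor = TABLE_SECTORS * SECTOR
    table = 0
    for name, data in files.items():
        img[cursor:cursor + len(data)] = data
        record = name.encode().ljust(16, b"\0") + struct.pack("<II", cursor, len(data))
        img[table:table + ENTRY] = record
        table += ENTRY
        cursor += -(-len(data) // SECTOR) * SECTOR   # round up to next sector
    return img


def list_directory(img: bytes) -> list[tuple[str, int, int]]:
    """Read (name, start, length) entries until the first empty slot."""
    entries = []
    for off in range(0, TABLE_SECTORS * SECTOR, ENTRY):
        rec = img[off:off + ENTRY]
        if rec[0] == 0:
            break
        start, length = struct.unpack("<II", rec[16:])
        entries.append((rec[:16].rstrip(b"\0").decode(), start, length))
    return entries


def quick_format(img: bytearray) -> None:
    """A quick format rewrites only the metadata; data sectors keep their bytes."""
    img[:TABLE_SECTORS * SECTOR] = bytes(TABLE_SECTORS * SECTOR)


# (header, footer) magic bytes for the formats this toy carver knows.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(img: bytes, signatures=SIGNATURES,
          max_size: int = 1 << 20) -> list[tuple[str, int, bytes]]:
    """Scan raw bytes for each header and take everything up to the next footer.

    Returns (type, offset, data) sorted by offset.  Files with no known
    signature, or whose footer lies beyond max_size, are not recovered.
    """
    found = []
    for kind, (head, tail) in signatures.items():
        pos = 0
        while (start := img.find(head, pos)) != -1:
            end = img.find(tail, start + len(head), start + max_size)
            if end == -1:
                pos = start + 1
                continue
            end += len(tail)
            found.append((kind, start, bytes(img[start:end])))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


# Constructed stand-ins: a JPEG-shaped blob, a PDF-shaped blob, plain text.
SAMPLE_FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 300 + b"\xff\xd9",
    "cards.pdf": b"%PDF-1.4\n% constructed placeholder document\n%%EOF",
    "notes.txt": b"plain text has no magic bytes, so the carver cannot find it\n",
}


def demo() -> tuple[int, int]:
    """Return (directory entries before the format, files carved after it)."""
    img = build_image(SAMPLE_FILES)
    before = len(list_directory(img))
    quick_format(img)
    assert list_directory(img) == []            # the directory is gone ...
    return before, len(carve(img))              # ... the contents are not


if __name__ == "__main__":
    print(demo())                               # (3, 2)
```

The limits are the ones the case itself illustrates. Nothing can be carved from a drive that was physically discarded, as the Turkish suspect's was, or from one whose sectors were actually overwritten; a header-to-footer carver also loses fragmented files and gets fooled by footers that occur inside the data (an EXIF thumbnail inside a JPEG carries its own FF D8 and FF D9 markers), which is why real carving tools add size limits, format-aware parsing and per-type heuristics.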



More information about the cypherpunks-legacy mailing list