2.2 CATEGORIES OF CYBER THREATS
The following are some of the categories of cyber threats that we confront today; the list includes, but is not limited to:
Insiders, Hackers (or “crackers”), “Hacktivism” or Political Hacking, Virus Writers, Criminal Groups, The Phonemasters, Terrorists, Foreign Intelligence Services, Information Warfare, Internet Fraud, Identity Theft, Child Pornography, Sale of Prescription Drugs over the Internet, etc.
2.2.1 Insiders. The disgruntled insider (a current or former employee of a company) is a principal source of computer crimes for many companies. Insiders’ knowledge of the target company’s network often allows them to gain unrestricted access to damage the system or to steal proprietary data. The 2000 survey by the Computer Security Institute and the FBI reports that 71% of respondents detected unauthorized access to systems by insiders.
One example of an insider was George Parente. In 1997, Parente was arrested for causing five network servers at the publishing company Forbes, Inc., to crash. Parente was a former Forbes computer technician who had been terminated from temporary employment. In what appears to have been a vengeful act against the company and his supervisors, Parente dialed into the Forbes computer system from his residence and gained access through a co-worker’s log-in and password. Once online, he caused five of the eight Forbes computer network servers to crash, and erased all of the server volume on each of the affected servers.
No data could be restored. Parente’s sabotage resulted in a two-day shutdown of Forbes’ New York operations, with losses exceeding $100,000. Parente pleaded guilty to one count of violating the Computer Fraud and Abuse Act, Title 18 U.S.C. 1030.
In January and February 1999 the National Library of Medicine (NLM) computer system, relied on by hundreds of thousands of doctors and medical professionals around the world for the latest information on diseases, treatments, drugs, and dosage units, suffered a series of intrusions in which system administrator passwords were obtained and hundreds of files were downloaded, including sensitive medical “alert” files and the programming files that kept the system running properly.
The intrusions were a significant threat to public safety and resulted in a monetary loss in excess of $25,000. FBI investigation identified the intruder as Montgomery Johns Gray, III, a former computer programmer for NLM, whose access to the computer system had been revoked. Gray was able to access the system through a “backdoor” he had created in the programming code. Due to the threat to public safety, a search warrant was executed for Gray’s computers and Gray was arrested by the FBI within a few days of the intrusions. Subsequent examination of the seized computers disclosed evidence of the intrusion as well as images of child pornography. Gray was convicted by a jury in December 1999 on three counts for violation of 18 U.S.C. 1030. Subsequently, Gray pleaded guilty to receiving obscene images through the Internet, in violation of 47 U.S.C. 223.
2.2.2 Hackers. Hackers (or “crackers”) are also a common threat. They sometimes crack into networks simply for the thrill of the challenge or for bragging rights in the hacker community. Recently, however, we have seen more cases of hacking for illicit financial gain or other malicious purposes. While remote cracking once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the World Wide Web and launch them against victim sites. Thus, while attack tools have become more sophisticated, they have also become easier to use. The distributed denial-of-service (DDoS) attacks last month are only the most recent illustration of the economic disruption that can be caused by tools now readily available on the Internet.
Another recent case illustrates the scope of the problem. On Friday authorities in Wales, acting in coordination with the FBI, arrested two individuals for alleged intrusions into e-commerce sites in several countries and the theft of credit card information on over 26,000 accounts.
One subject used the Internet alias “CURADOR.” Losses from this case could exceed $3,000,000. The FBI cooperated closely with the Dyfed-Powys Police Service in the United Kingdom, the Royal Canadian Mounted Police in Canada, and private industry. This investigation involved the Philadelphia Division, seven other FBI field offices, our Legal Attache in London, and the NIPC. This case demonstrates the close partnerships that we have built with our foreign law enforcement counterparts and with private industry.
2.2.3 “Hacktivism” or Political Hacking. This is another category of cybercrime. We have also seen a rise recently in politically motivated attacks on web pages or email servers, which some have dubbed “hacktivism.” In these incidents, groups and individuals overload e-mail servers or deface web sites to send a political message. While these attacks generally have not altered operating systems or networks, they have disrupted services, caused monetary loss, and denied the public access to websites containing valuable information, thereby infringing on others’ rights to disseminate and receive information.
Examples of “hacktivism” include a case in 1996, in which an unknown subject gained unauthorized access to the computer system hosting the Department of Justice Internet web site. The intruders deleted over 200 directories and their contents on the computer system and installed their own pages. The installed pages were critical of the Communications Decency Act (CDA) and included pictures of Adolf Hitler, swastikas, pictures of sexual bondage scenes, a speech falsely attributed to President Clinton, and fabricated CDA text.
2.2.4 Virus Writers. Virus writers are posing an increasingly serious threat to networks and systems worldwide. Last year saw the proliferation of several destructive computer viruses or “worms,” including the Melissa Macro Virus, the Explore.Zip worm, and the CIH (Chernobyl) Virus. The NIPC frequently sends out warnings or advisories regarding particularly dangerous viruses, which can allow potential victims to take protective steps and minimize the destructive consequences of a virus.
The Melissa Macro Virus attack and the response to it illustrate this. The response to a virus spreading across networks was two-fold, encompassing both warning and investigation.
The NIPC sent out warnings as soon as it had solid information on the virus and its effects; these warnings helped alert the public and reduce the potential destructive impact of the virus. On the investigative side, the NIPC acted as a central point of contact for the field offices that worked leads on the case. A tip received by the New Jersey State Police from America Online, and their follow-up investigation with the FBI’s Newark Division, led to the April 1, 1999 arrest of David L. Smith. Mr. Smith pleaded guilty to one count of violating 18 U.S.C. § 1030 in Federal Court, and to four state felony counts. As part of his guilty plea, Smith stipulated to affecting one million computer systems and causing $80 million in damage.
2.2.5 Criminal Groups. Today, there is an increasing use of cyber intrusions by criminal groups who attack systems for purposes of monetary gain. In September 1999, two members of a group dubbed the “Phonemasters” were sentenced after their conviction for theft and possession of unauthorized access devices (18 U.S.C. § 1029) and unauthorized access to a federal interest computer (18 U.S.C. § 1030). The “Phonemasters” were an international group of criminals who penetrated the computer systems of MCI, Sprint, AT&T, Equifax, and even the National Crime Information Center. Under judicially approved electronic surveillance orders, the FBI’s Dallas Division made use of new data intercept technology to monitor the calling activity and modem pulses of one of the suspects, Calvin Cantrell. Mr. Cantrell downloaded thousands of Sprint calling card numbers, which he sold to a Canadian individual, who passed them on to someone in Ohio. These numbers made their way to an individual in Switzerland and eventually ended up in the hands of organized crime groups in Italy. Cantrell was sentenced to two years as a result of his guilty plea, while one of his associates, Cory Lindsay, was sentenced to 41 months.
2.2.6 The Phonemasters. The Phonemasters’ methods included “dumpster diving” to gather old phone books and technical manuals for systems. They used this information to trick employees into giving up their logon and password information. The group then used this information to break into victim systems. It is important to remember that “cyber crimes” are often facilitated by old-fashioned guile, such as calling employees and tricking them into giving up passwords. Good cyber security practices must therefore address personnel security and “social engineering” in addition to instituting electronic security measures.
Another example of cyber intrusions used to implement a criminal conspiracy involved Vladimir L. Levin and numerous accomplices, who illegally transferred more than $10 million in funds from three Citibank corporate customers to bank accounts in California, Finland, Germany, the Netherlands, Switzerland, and Israel between June and October 1994. Levin, a Russian computer expert, gained access over 40 times to Citibank’s cash management system using a personal computer and stolen passwords and identification numbers. Russian telephone company employees working with Citibank were able to trace the source of the transfers to Levin’s employer in St. Petersburg, Russia. Levin was arrested in March 1995 in London and subsequently extradited to the U.S. On February 24, 1998, he was sentenced to three years in prison and ordered to pay Citibank $240,000 in restitution. Four of Levin’s accomplices pleaded guilty and one was arrested but could not be extradited. Citibank was able to recover all but $400,000 of the $10 million in illegally transferred funds.
Beyond criminal threats in cyber space, we also face a variety of significant national security threats.
2.2.7 Terrorists. Terrorist groups are increasingly using new information technology and the Internet to formulate plans, raise funds, spread propaganda, and communicate securely. While we have not yet seen these groups employ cyber tools as a weapon against critical infrastructures, their reliance on information technology and acquisition of computer expertise are clear warning signs. Moreover, we have seen other terrorist groups, such as the Internet Black Tigers (who are reportedly affiliated with the Tamil Tigers), engage in attacks on foreign government web sites and email servers. “Cyber terrorism” – by which I mean the use of cyber tools to shut down critical national infrastructures (such as energy, transportation, or government operations) for the purpose of coercing or intimidating a government or civilian population – is thus a very real, though still largely potential, threat.
2.2.8 Foreign Intelligence Services. Not surprisingly, foreign intelligence services have adapted to using cyber tools as part of their espionage tradecraft. Even as far back as 1986, before the worldwide surge in Internet use, the KGB employed West German hackers to access Department of Defense systems in the well-known “Cuckoo’s Egg” case. Moreover, we would not be surprised to hear that foreign intelligence services increasingly view computer intrusions as a useful tool for acquiring sensitive U.S. government and private sector information.
2.2.9 Information Warfare. The prospect of “information warfare” by foreign militaries against our critical infrastructures is perhaps the greatest potential cyber threat to national security. It is common knowledge that several foreign nations are developing information warfare doctrine, programs, and capabilities for use against perceived enemy nations. Knowing that they cannot match our military might with conventional or “kinetic” weapons, these nations see cyber attacks on our critical infrastructures or military operations as a way to hit what they perceive as America’s Achilles heel – our growing dependence on information technology in government and commercial operations. A Russian official has observed that an attack on a national infrastructure could, “by virtue of its catastrophic consequences, completely overlap with the use of [weapons] of mass destruction.”
The categories described above involve computers used as weapons and as targets of a crime. We are also seeing computers used to facilitate more traditional forms of crime.
2.2.10 Internet Fraud. One of the most critical challenges facing law enforcement in general is the use of the Internet for fraudulent purposes. Understanding and using the Internet to combat Internet fraud is essential for law enforcement. The accessibility of such an immense audience, coupled with the anonymity of the subject, requires a different approach. The Internet is a perfect medium to locate victims and provides an environment in which victims never see or speak to the “fraudsters.” Anyone, in the privacy of their own home, can create a very persuasive vehicle for fraud over the Internet. Internet fraud does not respect the boundaries seen in traditional schemes. The traditional methods of detecting, reporting, and investigating fraud fail in this environment. By now it is common knowledge that the Internet is being used to host criminal behavior.
2.2.11 Identity Theft. Identity theft has been referred to by some as the crime of the new millennium. It can be accomplished anonymously, easily, and by a variety of means, and the impact upon the victim can be devastating. Identity theft is simply the theft of identity information such as a name, date of birth, Social Security number (SSN), or credit card number. The mundane activities of a typical consumer during the course of a regular day may provide tremendous opportunities for an identity thief: purchasing gasoline, meals, clothes, or tickets to an athletic event; renting a car, a video, or home-improvement tools; purchasing gifts or trading stock on-line; receiving mail; or taking out the garbage or recycling. Any activity in which identity information is shared or made available to others creates an opportunity for identity theft.
2.2.12 Child Pornography. Child pornography ranks high among the cyber crimes committed on the Internet. On September 29, 1999, Deputy Attorney General Eric Holder gave remarks on “Combating Child Pornography on the Internet” at the International Child Pornography Conference in Vienna, Austria. The conference sought to combat child pornography and exploitation on the Internet and was based on existing international obligations and commitments for the protection of children, including the Convention on the Rights of the Child. The conference built and acted upon commitments undertaken at the Stockholm World Congress against the Commercial Sexual Exploitation of Children (1996) and ongoing initiatives in many countries and regions.
2.2.13 Sale of Prescription Drugs Over the Internet. On October 25, 2000, a New Jersey man pleaded guilty to one count of fraud. The man, Stanley Lapides, admitted to selling home HIV test kits via the Internet. However, Lapides neglected to tell his customers that these kits had not yet been approved for use by the FDA. On May 25, 2000, Deputy Associate Attorney General Ethan M. Posner testified before the Subcommittee on Oversight and Investigations of the House Committee on Commerce on the subject of Online Pharmaceutical Drug Sales. His testimony detailed the role of the Department of Justice in Internet drug sales, including current specific efforts by the Department and information on the Internet Prescription Drug Sales Act of 2000. On December 9, 1999, a federal grand jury charged Kent Aoki Lee with selling Viagra over the Internet without a prescription. Lee was also charged with wire fraud and trademark violations growing out of his operation of a separate pirated Internet website.
The ten most frequently reported frauds committed on the Internet include Web auctions, Internet services, general merchandise, computer equipment/software, pyramid schemes, business opportunities/franchises, work-at-home plans, credit card issuing, prizes/sweepstakes, and book sales.