The FBI's Dave Thomas says today's cybercrook is all about the bottom line.
The Internet can be a dangerous place to do business these days. No one knows this better than Dave Thomas, chief of the FBI's Computer Intrusion Section, which oversees the FBI's counter-terrorism and criminal computer intrusion investigations. Thomas talked with Network World Senior Editor Phil Hochmuth about who is committing cybercrime and what the FBI is doing to stop them.
Who are these people committing cybercrime?
There are groups of people out there that are targeting businesses. We're seeing an increase in that more now because a lot of the Eastern European hacker groups have determined that you can make money from gaining access to computers. And it's all about money now. It used to be about access, but now the entire scope of the way we do things has changed.
A lot of the phishing schemes - where they're exploiting computers to get access to databases of credit cards - [are] coming from Eastern Europe, from Russia, Latvia, Moldova, Estonia and Romania. . . . As access becomes better, we see more people attacking systems from those areas of the world.
Why those areas?
There are very prolific hackers in those regions. They're very good coders and programmers. Now if you're looking at Trojans and viruses, we see a lot of those coming out of Germany, Russia and Poland. [Attacks come from...] different parts of the world depending on what aspect of computer intrusions you're looking at. A lot of Web page defacement-type activity is coming out of Brazil, for instance.
Are these people who have always been criminals and are just now using computers to do their trade?
We do see a lot of crime migrating to the Internet now - like the old Nigerian scams . . . and identity theft. We're seeing the computer used in ways that we hadn't seen before, like extortion cases. . . . We're seeing denial-of-service [attacks] where the money aspect is being used for extortion - I will take your computer down or I will knock you offline until you pay me enough money. . . . That kind of thing.
It sounds like cybercrime is more organized now, as opposed to just a kid in a basement.
What we've seen certainly over the past year is that you still have kids out on the Internet, but a lot of it [is being done by] adults now. And it's because of the money that's involved. The Eastern European groups and the people breaking into the databases doing the extortions and denial of service, the virus-writing crews, the spammers - this is all very adult-oriented, centered around how to make money from this criminal activity. There are loose groups; we know a lot of the virus-writing people are associated and affiliated in a group, but it may be a virtual group, unlike traditional crime where you see people living in the same community. These are virtual gangs, if you will.
Are there any new technologies, or specific tools, that the FBI or law enforcement is using to catch bad guys?
We basically rely on the good investigative skills of the agents; we try to treat these cases just like any other case the FBI has. We do have to use technology sometimes to trace things back, and to get IP addresses, but a lot of it is the same type of technology that's available to a system administrator or anyone else. We use a lot of off-the-shelf tools . . . because the Internet is pretty much the same everywhere.
So it sounds like old-fashioned police work is really what's going to catch these types of people, as opposed to any new type of technology.
It is. We have been beaten up in the media somewhat; people say the FBI doesn't understand technology and we can't investigate these cases. But we probably have a workforce as technically equipped as anyone out there. But there are things that prevent us from solving some of these cases that are really different than our traditional crime. [We] can track an IP address back to another country, but depending on the laws of that country, [we're] totally dependent on that host country then to be able to continue that investigation. And it may be a country where the laws haven't been developed, or where the technology hasn't been developed that allows us to do that.
When a company comes under the types of attacks you mentioned, how is that reported?
It depends company to company. I like to tell [companies] . . . don't wait until you have an incident to decide who to call. You should have that built into the framework as you build your security policy so your system administrators know whether or not to call the FBI, and who the contact people are. [Large businesses] should also have a media strategy. We generally encourage them to be open about things. Take a proactive stance with the media and go out and admit, yes, there was an intrusion, but we're working with law enforcement and we have it contained.
How do you help companies approach their security beyond what they do as standard practice?
What we generally tell them is to make it hard for someone to hack you. Layer your security. It's no different than your home. You have a lock on your door. You may have an alarm. You may have a dog. You make it hard for someone to get into your system. You've got to have your anti-virus software installed on your computer. You've got to update those virus definition files . . . . Keep your computers as up-to-date as possible with security patches. Most of the intrusions we see are not from what we call zero-day exploits - that is, someone has found a new way to break into a computer that no one has ever seen before. Most of the time, it's from an exploit that's at least one to two years old that should have been patched a long time ago. And they just walked right in the front door.
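Thomas's point that most intrusions come through exploits that are one to two years old suggests a simple control: measure how long each host has been exposed to a fix that already exists. The script below is an added example, not from the interview or the FBI; the hosts, package versions, advisory dates and the bucket thresholds are all constructed for illustration.

```python
"""Patch-lag audit: flag hosts still exposed to fixes that are months or years old.

Added example, not from the interview. All hosts, package versions and
advisory dates below are constructed sample data, not real advisories.
"""
from datetime import date
from typing import Dict, List, NamedTuple


class Advisory(NamedTuple):
    package: str
    fixed_version: tuple  # first version that closes the issue
    released: date        # date the patch became available


class Finding(NamedTuple):
    host: str
    package: str
    installed: str
    fixed: str
    days_exposed: int
    bucket: str


def parse_version(text: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def bucket_for(days: int) -> str:
    """Classify exposure age; the thresholds are assumptions chosen for this example."""
    if days >= 365:
        return "overdue-1y+"
    if days >= 90:
        return "overdue-90d"
    if days >= 30:
        return "late"
    return "within-window"


def audit(inventory: Dict[str, Dict[str, str]],
          advisories: List[Advisory], today: date) -> List[Finding]:
    """Return one finding per (host, package) still below the fixed version."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.package)
            if installed is None:
                continue  # package not present on this host
            if parse_version(installed) >= adv.fixed_version:
                continue  # already at or above the fixed version
            days = (today - adv.released).days
            fixed = ".".join(str(n) for n in adv.fixed_version)
            findings.append(Finding(host, adv.package, installed, fixed,
                                    days, bucket_for(days)))
    # Oldest exposures first: the years-old holes are the ones most often walked through.
    findings.sort(key=lambda f: f.days_exposed, reverse=True)
    return findings


# Constructed sample data (hypothetical package names and dates).
ADVISORIES = [
    Advisory("webd", (2, 4, 10), date(2004, 1, 15)),
    Advisory("dbsrv", (5, 0, 3), date(2005, 6, 1)),
    Advisory("mailer", (1, 2, 0), date(2005, 9, 20)),
]
SAMPLE_INVENTORY = {
    "web01": {"webd": "2.4.9", "mailer": "1.2.0"},
    "db01": {"dbsrv": "5.0.1"},
    "mail01": {"mailer": "1.1.7", "webd": "2.4.12"},
}
AUDIT_DATE = date(2005, 10, 1)

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, ADVISORIES, AUDIT_DATE):
        print(f"{f.host:8} {f.package:8} {f.installed:>7} -> {f.fixed:<7} "
              f"{f.days_exposed:4d} days  {f.bucket}")
```

Version comparison is done on integer tuples rather than strings, because "2.4.9" sorts after "2.4.10" lexically and would wrongly look patched. Feeding a real inventory in only requires replacing the constructed dictionaries with the output of whatever package manager or asset database the site already has.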
What's the most damaging intrusion or hacking activity to a business?
The most damaging [thing] is the access to databases, if [an intruder] breaks into a company's computer and steals their databases of information. Those databases contain customer records for every one of their customers. All their financial information for the most part can be contained in those. Probably even more [damaging] is [theft of] research and development data. If you're a company and you're trying to get a product out to market and someone breaks in and steals your intellectual property and beats you to the market with that, it can have a devastating effect. There have been cases over the last four or five months in the gaming industry when source code of a new game was stolen. And if that source code is leaked, and those games [are] on the Internet where someone could download them for free, it has a very devastating effect on that business.
What technologies are out there that criminals use - whether it be encryption or denial-of-service tools or other hacking tools - that really pose a challenge to what you do?
One thing that gives a challenge to us and the business community is the awareness. It's not that the technology is bad; it's the deployment and implementation, sometimes, of the technology, like wireless access for instance. There are a lot of homes out there that have open wireless access, where people can use that bandwidth. They can borrow it to send spam, to launch denial-of-service [attacks]. The appliances to do wireless are so cheap now that if you're a company, you may have a policy that prohibits wireless being run in your company because of the security risk associated with it. But for $50 one of your employees can walk down and buy one of these [wireless appliances] and plug it in because they want to surf the Internet on their lunchtime for instance. And now there's a gaping hole in your security that never was there before. And there's no way for you as a sys admin to prevent that type of activity. And so we talk to a lot of businesses and tell them that even if you don't allow a technology like wireless, you should look for it anyway. It doesn't mean it hasn't been deployed within your architectures just because it's banned. It only takes one employee to do that. And it's so cheap and it's so easy to do . . . you can take a $79 appliance and ruin $10 million worth of security architecture with it.
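"Even if you don't allow wireless, look for it anyway" is a check that can be scripted: compare what is actually on the air against an inventory of the radios you own. The code below is an added example, not from the interview or the FBI. The scan records, the authorized-AP inventory, the SSID names and the signal threshold are constructed; a real run would take its records from whatever wireless scanner or WIDS the site uses.

```python
"""Rogue wireless access point check against an authorized-AP inventory.

Added example, not from the interview. Scan records and inventory below are
constructed sample data.
"""
from typing import Dict, List, NamedTuple, Set


class ScanRecord(NamedTuple):
    bssid: str       # radio MAC address seen on the air
    ssid: str        # network name being broadcast
    channel: int
    signal_dbm: int  # received signal strength; closer to 0 is stronger


class Alert(NamedTuple):
    bssid: str
    ssid: str
    kind: str
    reason: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.replace("-", ":").lower()


def classify_scan(scan: List[ScanRecord], authorized: Dict[str, str],
                  corporate_ssids: Set[str], near_dbm: int = -70) -> List[Alert]:
    """Flag radios that are not in inventory, or are in inventory but misbehaving.

    authorized maps BSSID -> the SSID that radio is allowed to broadcast.
    Outcomes:
      misconfigured : known radio broadcasting an SSID inventory does not list for it
      evil-twin     : unknown radio advertising one of our corporate SSIDs
      rogue-ap      : unknown radio, other SSID, strong signal (likely on premises)
      unknown-weak  : unknown radio, weak signal (probably a neighbour; low priority)
    Caveat: a BSSID is just a MAC address and can be spoofed, so matching the
    inventory is a low bar; a WIDS that also fingerprints location or RSSI is
    needed to catch a radio impersonating an authorized one.
    """
    known = {normalize_mac(k): v for k, v in authorized.items()}
    alerts: List[Alert] = []
    for rec in scan:
        mac = normalize_mac(rec.bssid)
        if mac in known:
            if known[mac] != rec.ssid:
                alerts.append(Alert(mac, rec.ssid, "misconfigured",
                                    f"inventory says SSID {known[mac]!r}"))
            continue
        if rec.ssid in corporate_ssids:
            alerts.append(Alert(mac, rec.ssid, "evil-twin",
                                "corporate SSID from a radio not in inventory"))
        elif rec.signal_dbm >= near_dbm:
            alerts.append(Alert(mac, rec.ssid, "rogue-ap",
                                f"unknown radio at {rec.signal_dbm} dBm"))
        else:
            alerts.append(Alert(mac, rec.ssid, "unknown-weak",
                                f"weak signal {rec.signal_dbm} dBm"))
    return alerts


def actionable(alerts: List[Alert]) -> List[Alert]:
    """The subset worth paging someone for; weak unknowns are kept in the log only."""
    return [a for a in alerts if a.kind in {"misconfigured", "evil-twin", "rogue-ap"}]


# Constructed sample data: two owned radios, one corporate SSID, five things seen on the air.
AUTHORIZED = {"00:11:22:33:44:01": "CORP-NET", "00:11:22:33:44:02": "CORP-NET"}
CORPORATE_SSIDS = {"CORP-NET"}
SAMPLE_SCAN = [
    ScanRecord("00:11:22:33:44:01", "CORP-NET", 6, -55),      # ours, as expected
    ScanRecord("00-11-22-33-44-02", "CORP-GUEST", 11, -60),   # ours, wrong SSID
    ScanRecord("de:ad:be:ef:00:01", "CORP-NET", 6, -48),      # unknown radio, our name
    ScanRecord("de:ad:be:ef:00:02", "linksys", 1, -42),       # the $50 box under a desk
    ScanRecord("de:ad:be:ef:00:03", "NeighborWifi", 1, -85),  # across the street
]

if __name__ == "__main__":
    for a in classify_scan(SAMPLE_SCAN, AUTHORIZED, CORPORATE_SSIDS):
        print(f"{a.kind:13} {a.bssid}  {a.ssid:12} {a.reason}")
```

The signal threshold (-70 dBm here) is the knob that separates "someone plugged a box in inside the building" from "the office next door has Wi-Fi"; tune it per site after a baseline walk-through, and run the scan from more than one location so a radio at the far end of the floor is not mistaken for a neighbour.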
Does the FBI cooperate with other law enforcement branches on cybercrime? How does that work?
We work with Secret Service all the time, Customs all the time. We all have joint and concurrent jurisdiction in a lot of these matters, and for the most part, there are very few of these cases that aren't a multi-agency type investigation.
How have the FBI's cybercrime-fighting capabilities advanced over the years? Obviously the FBI has had computers for a long time, but with the explosion of Internet technology in the last 10 years, how has the FBI evolved?
We've done very well at [evolving our technology]. The important thing for us was training our workforce to be able to understand cybercrime, the dynamics of it. The FBI is an evolving organization; we always have been. We've always risen to the challenge on the newest technology for crime fighting, or whatever the crime of the day is. We've always managed to do that. But we have a very active recruitment on right now, as we're hiring agents with technical backgrounds and skills. Right now . . . we have a very adept workforce in that they're able to work these cases without a problem. The impediments we see are more jurisdictionally based and dealing with laws that don't really address the Internet in other countries - that's a stumbling block.
Does the emergence of VoIP technology offer any challenges, in terms of wire-tapping?
If we have lawful court orders, if a court has issued us an order allowing us to monitor those types of activities, then we can [tap]. We're not afraid of the technology . . . We have research and development groups, the same as any company would, that are always looking at the new technologies that are evolving, and then adapting whatever tools and methods we have to be able to do that. So we're aware of it and we've worked with it, and it really hasn't presented itself to be a big problem.
Does the FBI keep statistics on cybercrime in the U.S., as it does with more traditional crime?
I don't know if the UCR [Uniform Crime Reports] can cover cybercrime because it crosses so many different aspects of the FBI, and it would be so hard to log. A traditional murder is a murder. [But] I could hack into your computer and steal a database of credit cards . . . and it could be an intrusion because I broke into your computer. It could be extortion. You could categorize it so many different ways. It's very, very difficult to put it into a UCR set of statistics. And again, we still believe that probably 80% of cybercrime goes unreported. So the statistics themselves really wouldn't mean a lot if we did publish those. We do have very good statistics on things [such as Internet] child pornography, child exploitation. Those cases are always on the rise. We do have statistics posted on our Internet crime complaint center IC3 Web site that gives some indication of the types of crimes we're seeing and the dollar amounts that we're seeing. But we have no idea how complete a picture you're looking at when you see that.
With traditional crimes, it seems like time is always a major factor, from when a crime is reported to when a case is opened. Is that the case with cybercrime too?
Absolutely. It's probably even more so with some of the things we do, because you're dealing with information that's highly perishable. If you break into my computer and there are log records out there on an ISP, those log records are so voluminous [that] most companies and institutions only keep them for a very short time. So by the time we find out about it, that information could already be wiped and the tools that we need to follow back and track on who that may be may already be gone. The quicker that's reported, the quicker that we will be able to find out, at least in a region of the world where it's coming from, and then try to narrow it down from there. But again, people can hop across computers, across multiple countries, and they can do that within a very, very short time frame. So there are a lot of different dynamics with cybercrime. But time is very important to us.
Are there instances of traditional criminals or organized crime gangs using technology more?
We're seeing them use the technology more, not necessarily on the intrusion side. We haven't seen a big move with the traditional Italian-based mafia groups to the Internet . . . not like we have with the Eastern European hacking groups. But as the money [to be made] becomes more and more widely publicized, they probably will. But we certainly see gangs and traditional criminals using the technology, using the computer, using e-mail, using PDAs, using all types of ways to send and receive communication.
Of the types of companies that report the crimes that they've seen against them, is there one type of company that's particularly vulnerable? Are online financial institutions the biggest targets, or is just anyone fair game?