Federal Bureau of Investigation Salt Lake City Field Office Cybercrimes Program PowerPoint PPT Presentation

Title: Federal Bureau of Investigation Salt Lake City Field Office Cybercrimes Program


1
Federal Bureau of Investigation Salt Lake City
Field Office Cybercrimes Program
  • Society for Information Management

3/08/07
2
Agenda
  • FBI Cybercrimes Program
  • Cybercrime Survey
  • Cybercrimes
  • Case Studies
  • Incident Response
  • InfraGard

3
FBI Priorities
  • Counterterrorism
  • Counterintelligence
  • Cyber

4
Salt Lake City Cyber Squad
  • FBIHQ Cyber Division
  • Salt Lake City Division Cybercrime Squad created
    August 2001
  • 1) Computer Intrusions
  • 2) Crimes Against Children
  • 3) Intellectual Property Rights
  • 4) Internet Fraud

5
There Are 10 Types Of People In This World: Those
who can read binary, And those who can't
6
Cyber Threat Assessment
  • 2006 Salt Lake City Division Survey
  • Background
  • Significant Problem
  • Computer Security Incidents
  • Unauthorized Access
  • Insider Threat
  • Origination
  • Reporting reported computer security incidents
  • Law enforcement interest
  • Financial Impact

7
Computer Intrusions
  • Profit Driven
  • Types of Attacks
  • Incident Reporting
  • Foreign Origins

8
Computer Intrusion
  • Case Studies

9
Case Study
10
Case Study
  • 12 Months Probation
  • Restitution
  • Title 18 USC 1030
  • Title 18 USC 875

11
University of Utah Case
  • Subject: You Li
  • Chinese National
  • Computer Science Major
  • Victim: University of Utah Math Professor
  • Also a part-time contractor for National Security
    Agency (NSA)
  • Crime: Computer Intrusion
  • Title 18 U.S.C. 1030, unauthorized access of a
    protected device.

12
University of Utah Case
  • The log files provided by the U of U's network
    administrator showed that You Li logged into his
    own account from IP address 67.171.124.227
  • The log files also showed numerous successful
    logins using the Professor's account from the
    same IP address 67.171.124.227
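
The correlation described on this slide (one source address with successful logins to more than one account) can be run over authentication logs as below. This is an added example, not part of the original presentation; the OpenSSH-style syslog format, host name, account names and documentation-range addresses are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed OpenSSH syslog format, documentation IP ranges).
SAMPLE_LOG = """\
Mar  1 21:04:11 mathsrv sshd[4101]: Accepted password for student1 from 203.0.113.45 port 50122 ssh2
Mar  1 21:09:37 mathsrv sshd[4120]: Failed password for prof1 from 203.0.113.45 port 50140 ssh2
Mar  1 21:10:02 mathsrv sshd[4123]: Accepted password for prof1 from 203.0.113.45 port 50141 ssh2
Mar  2 08:15:40 mathsrv sshd[4388]: Accepted password for prof1 from 198.51.100.7 port 41877 ssh2
Mar  2 09:01:13 mathsrv sshd[4410]: Accepted password for student2 from 192.0.2.19 port 60233 ssh2
Mar  3 22:47:55 mathsrv sshd[4977]: Accepted password for prof1 from 203.0.113.45 port 50910 ssh2
"""

# Only successful authentications are of interest for this correlation.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def logins_by_source(log_text):
    """Map source IP -> {account: [timestamps]} for successful logins."""
    by_ip = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            by_ip[m["ip"]][m["user"]].append(m["ts"])
    return by_ip

def shared_sources(log_text, min_accounts=2):
    """Return {ip: sorted accounts} for sources that logged in as several accounts."""
    return {
        ip: sorted(users)
        for ip, users in logins_by_source(log_text).items()
        if len(users) >= min_accounts
    }

def shared_sources_for(log_text, account):
    """Sources used by `account` that also authenticated as another account."""
    return sorted(ip for ip, users in shared_sources(log_text).items()
                  if account in users)

if __name__ == "__main__":
    for ip, users in shared_sources(SAMPLE_LOG).items():
        print(f"{ip} authenticated as: {', '.join(users)}")
```

Addresses shared by many users (NAT gateways, lab machines, VPN concentrators) will also match, so a hit is a lead to check against timestamps and other records rather than an attribution.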

13
University of Utah Case
  • The Hack
  • Li logged into the Math Department's server.
  • Li ran a command to obtain the password hash
  • ypcat passwd | grep 'levin'
  • Li ran a password cracking program called John
    the Ripper
  • Results file was found in Li's U of U directory
  • History files from the UNIX server showed Li's
    keystrokes.

14
University of Utah Case
  • You Li obtained personal information about his
    Professor.
  • Bank account information
  • Bill pay information
  • E-mails
  • E-mailed Professor from anonymous e-mail about
    being a hacker and that he had his personal
    information.
  • You Li was confronted by the school and Professor
    about the intrusion.
  • Li stated that it was his roommate that was the
    hacker.
  • Li stated that his roommate used his account to
    hack the Professor's account.
  • Li told the school that his roommate left the
    country and went back to China.

15
University of Utah Case
  • The FBI was contacted
  • Interviews with the U of U's IT staff and the
    Professor were conducted.
  • Log files and computer records were collected
    from the servers at the U of U.
  • E-mails sent by the hacker to the Professor were
    obtained.
  • You Li was interviewed and a full written
    confession was obtained.

16
University of Utah Case
  • You Li
  • Computer evidence matched Li's confession.
  • Li was indicted and arrested.
  • Li pled guilty and was sentenced to 4 months jail
    time and 36 months probation.

17
University of Utah Case
18
Internet Fraud
  • Internet Crime Complaint Center
  • www.ic3.gov
  • Auction Fraud
  • Nigerian Scams

23
What You Should Do If Attacked
  • Notify corporate security, legal counsel, and law
    enforcement.
  • Activate your incident management team.
  • Keep a chronological log of events - record
    everything your team does.
  • Activate all available audit trails and logging
  • Consider keystroke monitoring
  • Identify and recover available evidence
  • Secure evidence and maintain simple
    chain-of-custody records

24
What To Do (continued)
  • Identify source(s) of the attack.
  • Record specific damages and losses
  • Including hours spent on recovery
  • Now recoverable under Patriot Act provisions
  • Important for prosecution
  • Prepare for repeat attacks.
  • Protecting Mission Critical vs. Proprietary Data
  • Theorize - nobody knows your system better than
    you.
  • Determine how the intrusion happened.
  • Identify possible subjects and motives.
  • Be patient with law enforcement.

25
What to Expect if you call the FBI
  • Agents will interview staff and obtain evidence
  • Obtain prosecutive opinion
  • Trace the attack (subpoenas, 2703(d) orders,
    sources)
  • Identify the subject(s)
  • Obtain/execute search warrants, interview
    subjects
  • Examine evidence, identify more victims, develop
    more leads
  • Obtain Federal Grand Jury Indictment
  • Arrest and Possible Trial
  • Disclosure Issues
  • Can sometimes be overcome by documents filed
    under seal

Confidential
Public
26
InfraGard
  • A Government and Private Sector Alliance

28
InfraGard
  • FBI Program to promote the protection of our
    nation's critical infrastructures and improve
    intelligence base
  • Information Sharing Partnership
  • Two-way information sharing
  • Nationwide Program
  • Critical Infrastructure Protection (Sectors)
  • Cyber
  • Physical
  • Created in 1996
  • Chapters supported by all 56 Field Offices
  • Over 80 Chapters
  • Membership exceeds 15,000

29
InfraGard
  • InfraGard Members Alliance
  • 170 Members
  • Quarterly Chapter Meetings
  • Two-way information sharing
  • Secure Website Access
  • Intelligence Bulletins, IIR, alerts, advisories
  • No Fee to join
  • www.infragard.net

31
SA Cheney Eng-Tow
FBI
257 East 200 South, 1200
Salt Lake City, UT 84111
(801) 579-4677
c.eng-tow_at_ic.fbi.gov