Cyberspies protect the virtual business world

[William Knowles <wk () c4i org>]

http://www.zdnet.com/zdnn/stories/news/0,4586,2767657,00.html

By Max Smetannikov
Interactive Week 
June 4, 2001 2:33 AM PT
 
Many who have done business in developing countries where wealth is
disproportionate, hostage-taking is common and Americans are always a
target, know the value of a couple of bodyguards and an armored escort
when driving, no matter how much the service costs.

The main reason why companies budget for physical protection in some
locales is a certainty on their part that if they don't defend
themselves, the local law won't defend them either.

The same is true on the Internet, where business conditions are
probably comparable to working conditions in Uzbekistan or North
Korea--the 149th and 155th least-free economies on the planet,
according to the 2000 Index of Economic Freedom. But in the last year,
a handful of private companies have started to take enforcement into
their own hands, quietly developing security units to protect their
clients' assets in cyberspace.

Web hosters such as Exodus Communications, Metromedia Fiber Network
and ServerVault have been hiring retired agents from the Federal
Bureau of Investigation, National Security Agency, Secret Service,
Royal Canadian Mounted Police, Scotland Yard, U.S. Army and U.S. Navy,
and whisking others away from their government salaries and security
clearances to build private cybersecurity divisions.

What has emerged is a powerful, albeit clandestine, industry within an
industry, with an unsurpassed access to otherwise classified security
information that is now seeking to exercise its political clout to
make the virtual business world safer for commerce.

In 1998, the Pentagon computer system--the holiest of the holy--was
hacked by a ring of five Israeli and three American hackers, who
picked their target because of a shared dislike of organizations.
Their attack was so fierce that early reports of what was later dubbed
"Solar Sunrise" caused Rep. Curt Weldon, R-Pa., to conclude that the
U.S. had entered a cyberwar. The perpetrators, all under the drinking
age, were caught by a phenomenal joint American-Israeli law
enforcement effort. No trial date has been set yet.

Private companies' sites--as evidenced by an avalanche of
denial-of-service strikes in February 2000 against Amazon.com, CNN and
ZDNet, the site of this magazine's then-parent company--are just as
attractive as targets.

But law enforcement's track record in catching the bad guys and
protecting business interests in cyberspace is spotty at best.

Last month, the General Accounting Office published an extensive
report on the performance of the FBI's National Infrastructure
Protection Center, which has been assigned a broad set of
responsibilities aimed at both warning private and public
organizations of the attacks, and catching the bad guys. The report
concluded that the NIPC has fallen behind in its investigations,
overpowered by both the volume of crimes and the lack of cooperation
from the FBI's local offices.

What this means for private businesses is that unless the president is
making a statement about your e-mail server being hacked into, the
U.S. authorities are probably not going to do anything about your
request to investigate the crime. And if the perpetrator has staged an
attack from a far-off land, you might as well patch the security hole
and forget about justice.

The FBI is legally barred from doing investigations overseas, which
leaves businesses with a choice of the Central Intelligence
Agency--which arguably has other issues on its plate than catching
cybervandals--the Department of Justice or the Department of State,
according to law enforcement community participants.

A case that piques the interest of the DOJ or the State Department
would be forwarded from Washington, D.C., to a respective embassy.
> From there, the embassy would contact local law enforcement
organizations and, "depending on the personalities involved," some
people who have walked down that lane explain, a criminal case might
be opened. This, of course, is not the same as bringing an identified
criminal to justice, as is evidenced by the Solar Sunrise episode.

Lousy cyberpolicing is precisely the reason why most companies driving
their business down the fast lane of the information superhighway want
the equivalent of a bumper-squashing, siren-wailing, privately owned
Mercedes-Benz Gelaendewagen protecting their Web site.

The burden of meeting this business request falls squarely on the
shoulders of the companies that host the very sites that are used as
either targets or as the means to break into corporate networks: Web
hosters and Internet service providers.

Just as the Roman emperors developed the need for the Praetorian
Guard, a special task force that acted as bodyguards and special army,
modern-day Web rulers feel the need for private security when it comes
to policing the Internet.

It's no longer enough to be just technically savvy. Managed firewalls,
security patches and hardened operating systems on Web servers seem
too basic to many customers.

Businesses that come to Web hoster ServerVault want to be sure their
machines--and the information they contain--can't be fried with a ray
gun from outside the data center. Users of MFN's colocation, managed
and network services want to be assured their business partner knows
how to handle information security forensics when investigating
attacks internally, so the evidence is admissible in the court.
Companies that work with Exodus want to be sure that if a strike
breaks through their hoster's defenses, Exodus would be able to
coordinate the efforts of international security agencies to ensure
attackers are caught.

Charles Neal is a 20-year veteran of the FBI who started his career in
the bureau's cybercrime division with the investigation of hacker
Kevin Mitnick, and ended his government work with the MafiaBoy case
almost exactly a year ago. He left the FBI to head development of
Exodus' Cyber Attack Tiger Team (CATT) and, as such, is an apt
spokesman for this new class of security powerbrokers.

"At the FBI, we recognized that there was a serious problem of
underreporting, which continues to this day," says Neal, now vice
president of cyberterrorism and incident response at Exodus.

The FBI, Neal says, has run an undercover project for a number of
years, seeking to find out the exact number of compromised sites
around the world. The results were anything but soothing. "We have
identified thousands of compromised sites, and we identified so many
so quickly we couldn't tell all the victims they were victims -
otherwise, we would have no time to do anything else," he says.

Only 2 percent of the companies that discovered their sites had been
compromised reported the incidents to investigators, Neal says. And
the ones that did work with the FBI found themselves spending a lot of
money with few results, he says.

Exodus' CATT was built to compensate for the pitfalls of law
enforcement that Neal learned about in the school of hard knocks, and
to patch up the cracks through which cases affecting Exodus' hosting
customers would ordinarily fall. His personal goal is to use his
agency background to improve the security of the Internet through
Exodus, which he calls a "private platform."

"The trend I see is more teams like ours doing incident response,
because companies don't want to go to law enforcement," Neal says

The two biggest disappointments that Neal had at the FBI were juvenile
cases, which the federal government doesn't prosecute unless the
circumstances of the case are extraordinary, and dealing with
international issues, since the agents are precluded from even calling
their sources overseas to collect information on the case. With CATT,
as a private citizen, he can both call on colleagues overseas and
advise customers to go after juveniles in countries with the toughest
laws on the books.

Four divisions

Catt is broken into four divisions. digital firemen is the physical
incident response team, which consists of individuals that carry
pagers and let customers know of an intrusion at all hours of the day.
Infrastructure is the team that handles security nuts and bolts, such
as firewalls and probe monitoring. Forensics consists of ex-security
gurus that prepare evidence for prosecutors, making sure the evidence
is admissible in court and is transparent enough for even the least
savvy district attorney to make the case against an Exodus customer's
attacker. And then there is an intelligence division, modeled after an
FBI infiltration unit that monitors the hacker community from the
inside.

Most customers avoid going to the authorities, Neal says, aiming to
just patch up the security hole and go on with their business. But
there are situations when prosecution is very much desired.

Jill Knesek, Exodus' West Coast team leader for the incident response
team, recalls a recent episode when CATT traced a hack to a customer's
competitor, which was seeking to gain advanced intelligence to get an
edge in a bidding war for a large contract. The Exodus customer was
motivated to bring the case to authorities, which resulted in
successful prosecution, Knesek says.

Exodus will strive to inspire other Web hosters to develop units
similar to CATT, so that the private sector could become the missing
link that would connect an international information security network,
Neal says.

Information sharing and black helicopter tales

That missing link could appear sooner than anybody expects. in a
recent study by Meta Group comparing the overall security of Web
hosting organizations, ServerVault topped the list, followed by
Telenisus, Genuity, Exodus, Electronic Data Systems and UUnet.

The exchange of information with federal officials is very much on the
mind of Patrick Sweeney, ServerVault's president and CEO. The company
has been designed with security as its main focus, and is one of the
few hosters that builds its data centers with the Department of
Defense's, the NSA's and the Pentagon's specifications in mind.
Sweeney expected to meet last week with folks from the NIPC "with a
specific idea in mind of sharing information between public and
private-sector companies."

ServerVault would know a thing or two about setting up a process like
that. The company is working with the Secret Service on a pilot
program in which ServerVault would help the agency with collecting
hacker information.

Sweeney views his company's efforts as part of the conceptual change
in how governments protect themselves in the information age. Warfare
has historically been conducted with large armies, he reasons. But why
make bombs if just as much damage could be inflicted electronically by
taking out, say, a power grid or a stock exchange? A single person
here could cause as much damage as a tank division, and it's just a
matter of time before agencies such as the CIA, the FBI and Interpol
all work together against cybercrime, Sweeney says.

In the meantime, Exodus, ServerVault and others do what they can to
fend off attacks themselves. Sweeney says that a lot of unfriendly
traffic aimed at compromising ServerVault comes from China and former
Eastern Bloc countries. But what can ServerVault do, even if it knows
who the cracker is?

Sometimes the best thing to do is to do nothing but collect
information on the criminal and ensure the customers' data is safe
against their exploits, Sweeney says.

Security industry experts say that while many companies avoid taking
their cases to the authorities, the tales of black helicopters and
midnight visits to the homes of suspected crackers by men in black
leather jackets are greatly exaggerated. Some companies do, however,
take matters into their own hands. "Some companies get fed up, find
out who is attacking them and just lay it out for them, asking them to
stop and telling them they know who they are and where they live,"
says Elias Levy, Internet defense firm SecurityFocus.com's co-founder
and chief technology officer. "Or they simply contact their employers
or parents."

 

*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*


ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.