Information Security News mailing list archives

Army 'geeks with guns' track down hackers


From: William Knowles <wk () C4I ORG>
Date: Tue, 4 Jul 2000 14:17:02 -0500

http://www.govexec.com/dailyfed/0700/070300j1.htm

By Joshua Dean
jdean () govexec com

Late last year, Aaron J. Eden, a disgruntled Army private stationed in
Indianapolis, Ind., hacked into the Army's Enlisted Records and
Evaluation Center system and deleted 38,000 personnel-related files.

At work, he was able to install Back Orifice 2000, a remote control
software program that allowed him to access Army computers from his
home. He also installed a "sniffer," an application that gathered
passwords for him clandestinely. By using these tools, Eden was able
to pass himself off as a systems administrator.

Eden covered his tracks by deleting the log files of any computer that
would have revealed his activities, a common hacker ploy. But like
many hackers, he couldn't keep his mouth shut. Eden had a buddy on the
Internet whom he had met in a chat room, and he bragged to him about his exploits.

In the end, Eden helped himself get caught. He forgot to delete those
chat files. And when Army investigators came knocking at his door
after their detective work turned him up as a suspect, his forgotten
files amounted to a confession. In May, he pled guilty to conspiracy
as well as intentionally accessing and damaging a government computer.

Special agents at the Army's new Computer Crimes Investigative Unit
(CCIU) based at Ft. Belvoir, Va., broke the case and produced the
damning evidence.

James Smith, commander of the CCIU, calls his six agents "geeks with
guns."

The Eden case is one of the first successes of the CCIU. The Army's
Criminal Investigation Command recently formed the CCIU as a result of
an increasing number of hacking incidents and more serious intrusions.
Hackers attempted to break into Army systems 3,077 times in 1999. So
far this year, there have been 3,371 hacking incidents. But the number
the agents worry about most is the count of actual intrusions. In 1999, the Army's
computer security was breached 58 times. This year, that number is
already at 49.

While none of the hacks have been of a magnitude that would have
brought the Army to its knees, the agents want to investigate and
eventually prosecute as many of the hackers who target Army systems as they
can.

The CCIU formally began operations in March and is made up of agents
who have picked up significant computer forensic experience. Operating
out of a newly designed lab, they have access to multiple operating
systems and even a self-contained network for trying out the latest
hacking techniques.

The CCIU is not yet a fully funded entity within the Criminal
Investigation Command. Its function is too new for a budget
process that is already set five years out. So for now, the command is
"taking funding for the CCIU out of its hide," said an Army spokesman.
But the leaders of the investigation command have decided that
computer crime potentially touches every aspect of the work they do,
which includes investigations of contract fraud, supply theft and
other criminal activities.

So far, the CCIU has spent $67,000 on equipment for its lab. Some
agents have as many as four computers in their work areas. These
include a laptop, a unit running Microsoft's Windows NT or Windows
2000 operating systems, another computer running Unix and, most likely,
a fourth with Linux installed.

When agents travel to a crime scene, which could be anywhere in the
world, they bring a "lunch box," a special computer designed for the
gathering of forensic computer evidence.

The office is expanding to help agents handle the increasing caseload.
Already there is a legal advisor who helps agents prepare subpoenas
and deal with the State Department when their investigations take them
across jurisdictional and national boundaries, as often happens.

Currently, the agents are investigating a hacker who compromised six
Army systems in a distributed denial of service attack similar to
those that brought down Amazon.com, eBay, E-Trade and Yahoo! earlier
this year. The special agents began two investigations last month as a
result of what they called "significant intrusions."


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
