Dec 31 2009


What do you get when you cross computer forensic specialists with street cops? The Secret Service knows: crimefighters trained to stop some of today's craftiest cyberthiefs in their virtual tracks.

When agents directed by the Secret Service kicked in the door of a well-kept ranch house in Winter Garden, Fla., they were intent on getting their hands on one thing: a computer keyboard.

In the sophisticated and ingenious world of cybercrime, hackers use hot-keys to cover their tracks, and keeping the 22-year-old resident of the house from freezing his computer and encrypting data on the hard drive would save months of forensic lab work to uncover evidence.

There was another challenge: The Secret Service wasn't after a lone identity thief. For Operation Firewall, it obtained warrants for 28 people, suspected members of the 4,000-strong international cybergang known as ShadowCrew. Authorities did their best to coordinate simultaneous raids in the United States, Canada and Europe, but instant messaging could let gang members quickly tip one another off and give them time to scrub crucial data or bury it deep in members' systems.

Keith Hoover, assistant to the special agent in charge and supervisor of the service's Electronics Crime Special Agent Program, along with several other Secret Service supervisors, helped coordinate the precisely timed October raids. The 13-year veteran of the Secret Service is one of the first graduates of ECSAP, an elite program that trains this new breed of crimefighter, one with a blend of bleeding-edge computer skills and the old-fashioned street smarts of a beat cop.

"In the cyberworld, messages travel at light speed and may instantly go to dozens of countries," he says. That fact was a defining factor in how the Secret Service planned and staged the raids for Operation Firewall.

Begun eight years ago, ECSAP is a relatively new approach to crimefighting for the Secret Service. The program's agents comfortably wield notebook computers alongside their Sig-Sauer 229 pistols and MP5 semiautomatic machine guns. It's a mix of techie and warrior that the Secret Service believes is necessary to fight well-armed cybergangs like ShadowCrew.

"They're supercops," says Gerry Cavis, a private security consultant, who formerly worked as a Secret Service agent guarding President Bush and before that President Clinton. "They take the computer geek and the super investigator and create an agent who has unbelievable criminal investigative skills."

For good reason. Indictments spawned from Operation Firewall estimate that ShadowCrew snared at least 1.7 million stolen credit card numbers and parlayed the information into $4.3 million in illegal profits, although authorities believe those figures could go much higher. The young Winter Garden hacker alone allegedly possessed more than 100,000 stolen numbers.

"A 22-year-old kid involved with that scope of fraud is mind-boggling and poses a serious threat in terms of potential for mass victimization," says Jim Glendinning, the assistant special agent in charge of the Secret Service's Orlando, Fla., field office and a member of the Winter Garden raid team. "This is not just kids hacking around simply for the thrill of it."

The case of the Florida suspect is now pending in federal court.

Authorities say today's hacker is no longer the stereotypical Jolt-swigging rogue who breaks into government and corporate systems for sport. Thanks to sophisticated high-tech tools and international organizations like ShadowCrew's, hacking is big business, ringing up billions of dollars in losses worldwide and even promoting terrorist causes.

"Billy the Geek has teamed up with Johnny the Thug, and together they are stealing and then fencing credit card numbers," says Larry Johnson, special agent in charge of the Secret Service's Criminal Investigative Division.

All in the Details

In the year-long investigation leading up to Operation Firewall, the Secret Service developed a detailed profile of an underground organization that was impressive for its size and efficiency.

ShadowCrew's main Web server in Eastern Europe, and related sites throughout the world, shared tutorials on how to commit fraud and hosted electronic clearinghouses where gang members could buy and sell stolen credit card and bank account numbers, as well as phony driver's licenses, passports and birth certificates.

Phishing (posing electronically as a reputable organization to trick unsuspecting victims into giving up financial information), hacking, identity theft and money laundering were all part of the group's repertoire. Aided by high-end computers and intrusion tools, the gang also exhibited a culture reminiscent of organized crime. For example, new recruits had to prove themselves to ShadowCrew kingpins. Criminal wannabes posted stolen numbers in a chat room and waited for a ranking member to vet the information.

"They would download a purloined card number and try it on an ATM," Glendinning says. "If it worked, they'd spread the word that this guy provided good information and the authorities didn't come calling. They'd then take him to the next step in the organization."

Unfortunately, ShadowCrew isn't an anomaly; there are a number of sophisticated cyberworld gangs preying on businesses and consumers.

Almost 10 million Americans were victims of identity theft in 2003, representing losses of more than $50 billion, according to the Federal Trade Commission. Technology researcher Gartner of Stamford, Conn., estimates phishing attacks in the United States alone account for $1.2 billion in losses annually.

Cybercrime is also a big problem for the federal government. Last year, an investigation into the theft of software code from a large network vendor turned up related breaches in systems within the U.S. military, NASA and the TeraGrid high-speed network run by government research laboratories.

Authorities fear that some cybertheft rings also have ties to terrorist organizations. The mastermind of the 2002 Bali nightclub bombings promoted hacking as a way for radicals to disrupt U.S. institutions and generate cash for other attacks, for example.

ECSAP agents are on the front lines of these threats, but the Secret Service isn't alone in training computer forensics specialists. The FBI's Regional Computer Forensics Laboratory Program provides digital examination services for its agents and those from other agencies. The Homeland Security Department's Immigration and Customs Enforcement bureau, Internal Revenue Service and Justice Department also train high-tech investigators. The Secret Service is unique, however, because ECSAP gives agents a combination of investigative law enforcement and high-tech skills.

"We know how to work a criminal investigation and what to look for in a computer," says Hoover, who entered ECSAP training in 1997, spent four years as a supercop and now supervises the program's agents.

Approximately 160 men and women work as active-duty ECSAP agents; 200 or so have gone through the program and remain active or have moved into management positions or retired from the service. Most of the supercops spent three to eight years as Secret Service agents before entering the high-tech program.

After two weeks of basic computer training, ECSAP agents follow two tracks. One focuses on computer forensics, the second trains agents in the details of network intrusions and denial-of-service attacks. The Secret Service spends about $100,000 per agent on training, software, and notebook and desktop PCs for forensics during an agent's first four years of participation in the program.

Using commercial forensic software, the agents copy the contents of seized hard drives, including deleted files, onto their own separate hard drives. ECSAP teaches agents how to preserve digital evidence in an untainted form, just as if they were gathering proof from a physical crime scene. Agents also learn how to present the evidence when testifying in court.

A new high-tech tool in the ECSAP arsenal is the Secret Service's Distributed Networking Attack program, which links 4,000 agency PCs together in a computing grid to amass processing power to break encryption codes used by suspects.

Supercops return for three weeks of advanced training each year. The pace of technological advancement makes training a never-ending activity, Hoover says.

"Maybe instead of reading a novel in their personal time, ECSAP agents will read a computer science book," he says. "We can give them training, but the science is such that they need more than their 40 or 50 hours a week on the job to keep their skill set current."

Although ECSAP agents know computers inside and out, their greatest skill is investigatory doggedness. "They have to be investigators first," Johnson says.

The best candidates have natural analytical skills. "If an agent is searching for 'X' or 'Y' and comes across 'Z,' he shouldn't discard that new information," he explains. "An agent looks at the totality of the problem, and that's what we like about using criminal investigators in this position."

Of course, criminal hackers have their own tools and techniques for thwarting supercops. One essential hacker tool is the root kit, a software suite that hackers surreptitiously load on a vulnerable computer. The suite hides its presence and develops administrator-level access to the network by monitoring keystrokes as people enter their user names and passwords. Root kits help hackers find backdoors into systems and can let them enter a network undetected.

Knock, Knock

Gaining access to that first vulnerable machine can happen in a number of ways, says Gary C. Morse, a self-described white-hat professional hacker who breaks into organizations' systems at their request to uncover security vulnerabilities. He says most agencies and businesses are buzzword-compliant when it comes to security but not truly safe from cyberintruders.

"Firewalls, encryption, authentication—those things don't mean anything by themselves. All of our clients have firewalls. So what? We show them screenshots of files from their CEOs' laptops, and it drives the point home," Morse says.

An especially smooth hacker doesn't need anything more sophisticated than a telephone to find a network's vulnerable entry point. Posing as "Joe" from the IT department, a hacker might finesse passwords out of users who are convinced they're helping troubleshoot an IT problem.

Sound far-fetched in a world of cybercrime headlines and formal security policies? It's not.

In March, the Treasury Department inspector general reported the results of a security test at the IRS using a similar scenario. Of 100 IRS employees and managers called, 35 gave secure login information and changed their passwords to alternatives suggested by the caller. In a real-world intrusion, those 35 passwords would have given a hacker access to tax returns and personal financial data.

But as startling as these test results seem, they actually show that IRS security policies are taking effect. During a comparable test four years ago, twice as many employees coughed up their passwords.

Photo courtesy of the Secret Service
An agent monitors operations during the ShadowCrew raid.

In the ShadowCrew case, law enforcement authorities stayed a step ahead of their adversaries.

By using advanced techniques and the right tools and skills, ECSAP agents were able to penetrate ShadowCrew. Although a significant portion of the investigation can be attributed to good old-fashioned investigative techniques, the groundwork for this case grew out of the timely and sensitive information gathered by the high-tech ECSAP agents.

"Our guys were good enought to crack ShadowCrew and develop the information needed to go after some major offenders," Glendinning says.

The Secret Service estimates that it gathered almost 2 terabytes of evidence on the gang before moving in.

A crucial break in the case came when a gang member turned informant, a staple technique of traditional gumshoe police work that ECSAP agents regularly use. "We utilize hackers because they know so much about other hackers," Johnson says. "They speak the whole language of someone who's online 18 to 20 hours a day and lives off Red Bull."

The Roundup

When the Operation Firewall raid was over, agents had charged 28 suspects from eight states and six foreign countries with identity theft, computer fraud, credit card fraud and conspiracy. Supercops collaborated with local law enforcement, the Justice Department, private financial services companies and foreign agencies, including the Royal Canadian Mounted Police and Europol.

"Hackers used to believe there wasn't a law enforcement agency on their tail," Johnson says. "But for the last few years, the Secret Service and other agencies have directed a lot of resources to cybercrime, and we're starting to catch up."

Nevertheless, Johnson resists complacency, knowing the resourcefulness of cybercriminals: "It's still a horse race, with each side going back and forth in terms of who's ahead."