Cybercops

What do you get when you cross computer forensic specialists with street cops? The Secret Service knows: crimefighters trained to stop some of today's craftiest cyberthiefs in their virtual tracks.

When agents directed by the Secret Service kicked in the door of a well-kept ranch house in Winter Garden, Fla., they were intent on getting their hands on one thing: a computer keyboard.

In the sophisticated and ingenious world of cybercrime, hackers use hot-keys to cover their tracks, and keeping the 22-year-old resident of the house from freezing his computer and encrypting data on the hard drive would save months of forensic lab work to uncover evidence.

There was another challenge: The Secret Service wasn't after a lone identity thief. For Operation Firewall, it obtained warrants for 28 people, suspected members of the 4,000-strong international cybergang known as ShadowCrew. Authorities did their best to coordinate simultaneous raids in the United States, Canada and Europe, but instant messaging could let gang members quickly tip one another off and give them time to scrub crucial data or bury it deep in members' systems.

Keith Hoover, assistant to the special agent in charge and supervisor of the service's Electronics Crime Special Agent Program, along with several other Secret Service supervisors, helped coordinate the precisely timed October raids. The 13-year veteran of the Secret Service is one of the first graduates of ECSAP, an elite program that trains this new breed of crimefighter, one with a blend of bleeding-edge computer skills and the old-fashioned street smarts of a beat cop.

"In the cyberworld, messages travel at light speed and may instantly go to dozens of countries," he says. That fact was a defining factor in how the Secret Service planned and staged the raids for Operation Firewall.

Begun eight years ago, ECSAP is a relatively new approach to crimefighting for the Secret Service. The program's agents comfortably wield notebook computers alongside their Sig-Sauer 229 pistols and MP5 semiautomatic machine guns. It's a mix of techie and warrior that the Secret Service believes is necessary to fight well-armed cybergangs like ShadowCrew.

A Gumshoe With a Foot in Two Worlds
Beat Cop Cybercop
Sig-Sauer 229 pistols Notebook computers
Raid vest Grid computing
Investigative skills Computer forensic software
Informants White-hat hackers
Phone taps E-mail taps
Coffee Red Bull

"They're supercops," says Gerry Cavis, a private security consultant, who formerly worked as a Secret Service agent guarding President Bush and before that President Clinton. "They take the computer geek and the super investigator and create an agent who has unbelievable criminal investigative skills."

For good reason. Indictments spawned from Operation Firewall estimate that ShadowCrew snared at least 1.7 million stolen credit card numbers and parlayed the information into $4.3 million in illegal profits, although authorities believe those figures could go much higher. The young Winter Garden hacker alone allegedly possessed more than 100,000 stolen numbers.

"A 22-year-old kid involved with that scope of fraud is mind-boggling and poses a serious threat in terms of potential for mass victimization," says Jim Glendinning, the assistant special agent in charge of the Secret Service's Orlando, Fla., field office and a member of the Winter Garden raid team. "This is not just kids hacking around simply for the thrill of it."

The case of the Florida suspect is now pending in federal court.

Authorities say today's hacker is no longer the stereotypical Jolt-swigging rogue who breaks into government and corporate systems for sport. Thanks to sophisticated high-tech tools and international organizations like ShadowCrew's, hacking is big business, ringing up billions of dollars in losses worldwide and even promoting terrorist causes.

"Billy the Geek has teamed up with Johnny the Thug, and together they are stealing and then fencing credit card numbers," says Larry Johnson, special agent in charge of the Secret Service's Criminal Investigative Division.

All in the Details

In the year-long investigation leading up to Operation Firewall, the Secret Service developed a detailed profile of an underground organization that was impressive for its size and efficiency.

ShadowCrew's main Web server in Eastern Europe, and related sites throughout the world, shared tutorials on how to commit fraud and hosted electronic clearinghouses where gang members could buy and sell stolen credit card and bank account numbers, as well as phony driver's licenses, passports and birth certificates.

Phishing (posing electronically as a reputable organization to trick unsuspecting victims into giving up financial information), hacking, identity theft and money laundering were all part of the group's repertoire. Aided by high-end computers and intrusion tools, the gang also exhibited a culture reminiscent of organized crime. For example, new recruits had to prove themselves to ShadowCrew kingpins. Criminal wannabes posted stolen numbers in a chat room and waited for a ranking member to vet the information.

"They would download a purloined card number and try it on an ATM," Glendinning says. "If it worked, they'd spread the word that this guy provided good information and the authorities didn't come calling. They'd then take him to the next step in the organization."

Unfortunately, ShadowCrew isn't an anomaly; there are a number of sophisticated cyberworld gangs preying on businesses and consumers.

Almost 10 million Americans were victims of identity theft in 2003, representing losses of more than $50 billion, according to the Federal Trade Commission. Technology researcher Gartner of Stamford, Conn., estimates phishing attacks in the United States alone account for $1.2 billion in losses annually.

Cybercrime is also a big problem for the federal government. Last year, an investigation into the theft of software code from a large network vendor turned up related breaches in systems within the U.S. military, NASA and the TeraGrid high-speed network run by government research laboratories.

Authorities fear that some cybertheft rings also have ties to terrorist organizations. The mastermind of the 2002 Bali nightclub bombings promoted hacking as a way for radicals to disrupt U.S. institutions and generate cash for other attacks, for example.

ECSAP agents are on the front lines of these threats, but the Secret Service isn't alone in training computer forensics specialists. The FBI's Regional Computer Forensics Laboratory Program provides digital examination services for its agents and those from other agencies. The Homeland Security Department's Immigration and Customs Enforcement bureau, Internal Revenue Service and Justice Department also train high-tech investigators. The Secret Service is unique, however, because ECSAP gives agents a combination of investigative law enforcement and high-tech skills.

"We know how to work a criminal investigation and what to look for in a computer," says Hoover, who entered ECSAP training in 1997, spent four years as a supercop and now supervises the program's agents.

Approximately 160 men and women work as active-duty ECSAP agents; 200 or so have gone through the program and remain active or have moved into management positions or retired from the service. Most of the supercops spent three to eight years as Secret Service agents before entering the high-tech program.

After two weeks of basic computer training, ECSAP agents follow two tracks. One focuses on computer forensics, the second trains agents in the details of network intrusions and denial-of-service attacks. The Secret Service spends about $100,000 per agent on training, software, and notebook and desktop PCs for forensics during an agent's first four years of participation in the program.

Using commercial forensic software, the agents copy the contents of seized hard drives, including deleted files, onto their own separate hard drives. ECSAP teaches agents how to preserve digital evidence in an untainted form, just as if they were gathering proof from a physical crime scene. Agents also learn how to present the evidence when testifying in court.

A new high-tech tool in the ECSAP arsenal is the Secret Service's Distributed Networking Attack program, which links 4,000 agency PCs together in a computing grid to amass processing power to break encryption codes used by suspects.

Supercops return for three weeks of advanced training each year. The pace of technological advancement makes training a never-ending activity, Hoover says.

"Maybe instead of reading a novel in their personal time, ECSAP agents will read a computer science book," he says. "We can give them training, but the science is such that they need more than their 40 or 50 hours a week on the job to keep their skill set current."

Although ECSAP agents know computers inside and out, their greatest skill is investigatory doggedness. "They have to be investigators first," Johnson says.

The best candidates have natural analytical skills. "If an agent is searching for 'X' or 'Y' and comes across 'Z,' he shouldn't discard that new information," he explains. "An agent looks at the totality of the problem, and that's what we like about using criminal investigators in this position."

Of course, criminal hackers have their own tools and techniques for thwarting supercops. One essential hacker tool is the root kit, a software suite that hackers surreptitiously load on a vulnerable computer. The suite hides its presence and develops administrator-level access to the network by monitoring keystrokes as people enter their user names and passwords. Root kits help hackers find backdoors into systems and can let them enter a network undetected.

Knock, Knock

Gaining access to that first vulnerable machine can happen in a number of ways, says Gary C. Morse, a self-described white-hat professional hacker who breaks into organizations' systems at their request to uncover security vulnerabilities. He says most agencies and businesses are buzzword-compliant when it comes to security but not truly safe from cyberintruders.

"Firewalls, encryption, authentication—those things don't mean anything by themselves. All of our clients have firewalls. So what? We show them screenshots of files from their CEOs' laptops, and it drives the point home," Morse says.

An especially smooth hacker doesn't need anything more sophisticated than a telephone to find a network's vulnerable entry point. Posing as "Joe" from the IT department, a hacker might finesse passwords out of users who are convinced they're helping troubleshoot an IT problem.

Sound far-fetched in a world of cybercrime headlines and formal security policies? It's not.

In March, the Treasury Department inspector general reported the results of a security test at the IRS using a similar scenario. Of 100 IRS employees and managers called, 35 gave secure login information and changed their passwords to alternatives suggested by the caller. In a real-world intrusion, those 35 passwords would have given a hacker access to tax returns and personal financial data.

But as startling as these test results seem, they actually show that IRS security policies are taking effect. During a comparable test four years ago, twice as many employees coughed up their passwords.


Photo courtesy of the Secret Service
An agent monitors operations during the ShadowCrew raid.

In the ShadowCrew case, law enforcement authorities stayed a step ahead of their adversaries.

By using advanced techniques and the right tools and skills, ECSAP agents were able to penetrate ShadowCrew. Although a significant portion of the investigation can be attributed to good old-fashioned investigative techniques, the groundwork for this case grew out of the timely and sensitive information gathered by the high-tech ECSAP agents.

"Our guys were good enought to crack ShadowCrew and develop the information needed to go after some major offenders," Glendinning says.

The Secret Service estimates that it gathered almost 2 terabytes of evidence on the gang before moving in.

A crucial break in the case came when a gang member turned informant, a staple technique of traditional gumshoe police work that ECSAP agents regularly use. "We utilize hackers because they know so much about other hackers," Johnson says. "They speak the whole language of someone who's online 18 to 20 hours a day and lives off Red Bull."

The Roundup

When the Operation Firewall raid was over, agents had charged 28 suspects from eight states and six foreign countries with identity theft, computer fraud, credit card fraud and conspiracy. Supercops collaborated with local law enforcement, the Justice Department, private financial services companies and foreign agencies, including the Royal Canadian Mounted Police and Europol.

"Hackers used to believe there wasn't a law enforcement agency on their tail," Johnson says. "But for the last few years, the Secret Service and other agencies have directed a lot of resources to cybercrime, and we're starting to catch up."

Nevertheless, Johnson resists complacency, knowing the resourcefulness of cybercriminals: "It's still a horse race, with each side going back and forth in terms of who's ahead."

New Technologies Needed to Disrupt Terrorists

Photo: Robert Houser
Military commanders "will always tell you to use new technologies in ways that sustain current practices. Innovation does not happen when you stay too close to Rome," Navy Capt. Terry C. Pierce says.

The for-profit hackers who reign as high-profile targets of the Secret Service's supercops aren't the only cyberthreats that exist in today's wired world. Deadlier terrorist adversaries are using so-called disruptive technologies in ways that can stymie the might of the U.S. military.

What are these radical high-tech wonders? Often they're nothing more mysterious than cell phones or the ubiquitous Web, says Navy Capt. Terry C. Pierce, associate dean for the School of International Graduate Studies at the Naval Postgraduate School in Monterey, Calif.

Pierce defines disruptive technologies as innovations that are used in unexpected and often ingenious ways. This includes commercial jetliners hijacked to act like deadly missiles or using the Internet and cell phones to create virtual command centers to direct terrorist strike forces throughout the world.

These virtual organizations are especially potent threats to U.S. interests because our military excels at fighting well-defined, separated forces—targets that stand apart from noncombatants. Not even those on the leading edge of U.S. warfare, the quick-hit expeditionary strike groups and the elite special operations forces, can prevail when such organizations make it possible for enemies to stay hidden.

Keeping Pace

The U.S. military is also at an innovation disadvantage, Pierce says, because it looks at emerging information technology primarily as a way to facilitate current warfighting strategies.

"The Defense Department is not driving the information revolution—it's being driven by all the businesses out there that are inventing things more rapidly than DOD can handle," he says. "To cope with this, DOD tends to use the emerging new technologies in a sustaining way rather than a disruptive one."

The situation is analogous to when the British invented aircraft carriers that could withstand attacks from land-based aircraft but carry only 20 or so aircraft. The United States and Japan later perfected the concept, packing the ships with smaller but greater numbers of aircraft for pulse-strike bombing.

"We are inventing new technology, but our opponents are using it or redesigning it in very disruptive ways," Pierce says.

A prime goal of U.S. military innovators should be to develop their own disruptive technologies that precipitate virtual terrorist organizations and force enemies out into the open, where U.S. troops have a clear military advantage, he argues.

Terrorists are most vulnerable when they try to communicate using cell phones, e-mail or videos on Web sites. Pierce says the precipitation work to exploit this vulnerability is under way but classified, while other efforts are little more than blue-sky concepts. But whatever the technological response, its design and implementation must be a joint effort between the military and law enforcement organizations such as the CIA, FBI and Secret Service.

"It has to be a seamless effort to be effective," he contends.

Success also requires distance between disruptive-technology developers and traditional thinkers. Military commanders "will usually tell you to use new technologies in ways that sustain current practices," Pierce says. "Innovation doesn't happen when you stay too close to Rome."

—Alan Joch

The Serious Side of Gaming

Photo: Cameron Davidson
"Simulations augment live training; they don't replace it," Marine Capt. Erik Jilson says.

If you put four Marines in a room with a video game, it becomes a shoot-'em-up contest. But add a facilitator with a training objective to the mix, and the same software becomes a learning accelerator and perhaps, ultimately, a life-saving experience.

In a world where opponents gain strength through nefarious use of information technology, gaming technology is helping impart fighting skills to military personnel.

That's one reason the Marine Corps takes gaming so seriously. The Training and Education Command's Technology Division in Quantico, Va., and its acquisition partner, the Systems Command's Training Systems Program in Orlando, Fla., run a wide range of gaming and simulation technology.

These programs teach new recruits to fire military weapons, drive Humvees and even pilot F-18 fighters. But perhaps the most important games are those that combine technology and live battlefield maneuvers in a marriage of virtual reality and the real world.

"Simulations augment live training; they don't replace it," says Capt. Erik Jilson, a modeling and simulation analyst for the Technology Division. "The goal is for trainees to be better prepared when they go to field exercises so their time there is more effective."

Real and Not So Real

The Marines rely on two types of training simulations: constructive and virtual.

Constructive simulations put Marines in front of command and control PCs (C2PCs), the standard command computers used in combat. During training exercises, C2PCs display battlefield maps and symbols representing Marine units and enemy troops—the enemies being contractors hired to enact fighting strategies who relay messages to Marines based on events occurring in the constructive simulations. The Marines also use standard gear, such as communications radios, rather than all virtual tools within the gaming software.

"You don't want to train a Marine how to use the simulator if you don't have to," Jilson says. "It's best if they're using the tools they'd use in the field."

Virtual simulations, which range from rolling, pitching and yawing full-cockpit mock-ups to PC games, provide a sense of realism that is better than classroom discussions yet less expensive than training in the field.

Training Gain

When trainers combine the two simulations, Marines can experience the cutting-edge instruction known as live virtual and constructive (LVC) training. LVC exercises combine PC training maneuvers—virtual fighters that hit targets on a computer-generated battlefield grid, for instance—and Marines on an outdoor mock battlefield who wear special sensors to feed their coordinates to a computer managing all of the exercise's elements. The sensors even show where battlefield weapons are aimed, when soldiers shoot the weapons and whether the ammo hits the intended target.

"We usually don't have enough money, time or people to conduct a large exercise," Jilson says. "Augmenting a small number of troops with a virtual force and a constructive force lets us carry out those kinds of exercises."

In time, such exercises will span all branches of the military so that an Air Force virtual simulation will work in conjunction with Marine and Army ground units that receive supporting fire from Navy vessels.

"The Defense Department has a large investment in games, so we're digging in to make sure from an architectural standpoint that these games and gaming engines will be able to link with one another and communicate data," says Paul Jesukiewicz, director of DOD's Advanced Distance Learning Laboratory in Alexandria, Va.

Integration is still a problem because simulation systems until recently were developed separately without common communications standards. Jesukiewicz's group is developing new standards that will eventually be made available to civilian agencies and industry.

In the meantime, virtual simulations will advance within the Marine Corps to include mission rehearsal. The service has taken the initial steps to create a database of information about the physical characteristics of potential battle sites.

"The idea is to be able to generate a true virtual representation of anywhere on Earth with the ability to incorporate intelligence updates, so we'll have an environment to do rehearsals prior to an operation," Jilson says.

—Alan Joch