Careful! The NCIS Cybersleuths Are Watching!


By: Diane Hamblen

Policemen believe in crime prevention. In an ideal world, when a policeman says, "Don't do that; it's wrong," people don't do it. This isn't an ideal world, and this article is meant as a message for those people who don't listen and commit computer crimes anyway. Committing the perfect computer crime isn't as easy as it used to be. The punishments are getting stiffer - a lot stiffer.

For example, up until a year ago Federal Agencies had mixed results getting across-the-board assistance from the United States Attorney's Office on new computer crime matters. Now there's a designated Assistant U.S. Attorney in each of their offices to deal with these problems. If you're interested in what laws are involved, take a look at Figure 1 (Federal Violations).

The very term computer crime is subject to interpretation - or so some people think. It seems to depend on what problems a person is having and what their interests are. Since that seems to be the case, I'll give you examples of what the Naval Criminal Investigative Service's (NCIS) Computer Crime Investigation Group (CCIG) considers computer crime. It's pretty simple. If you didn't buy it or have the authority to use it, it's stolen.

That's particularly true when you're talking about software piracy. Is NCIS going to come after everyone who has a bootleg piece of software? No, of course not. However, the Software Publisher's Association (SPA) of Washington is very aggressive.

A couple of years ago, they went after a university computer center when somebody reported widespread software piracy. SPA pursued a case in civil court and won, although the judge reduced the award from $36 million to $100,000. The computer center in question was forced to scrub their 60 computers and buy legitimate copies of each of the six programs they were using illegally.

DoD isn't immune, either. Just recently the CCIG received a message from a supervisor at a major command who described essentially the same problem. The command had more than 450 computers running four or five copies of illegal software - each. The initiative had been to buy one copy and load it on every system. The Commanding Officer probably didn't know anything about it. NCIS Agents headed off the problem through liaison and a short training session with the command. If the SPA had discovered what was going on, there would have been big trouble.

The penalties are real. Not only is software piracy a violation of Navy policy (SECNAVINST 5239.1), it's a violation of Title 17 U.S. Code Section 106: "It's illegal to make or distribute copies of copyright material without authorization." The penalty is 10 years in jail and a fine. The penalty for a civil violation is $500 to $20,000 per violation, or $1,000,000 per offense, if willful intent is shown.

However, software piracy is only a piece of what goes on in the computer crime business - a small piece. As an agency, the NCIS is using the umbrella approach to help get their arms around the problem. According to Special Agent Matt Parsons, "Right now, it's bigger than all of us put together. It's bigger than counterintelligence, it's bigger than fraud, it's bigger than criminal investigations. If Federal Agencies don't stick with this, it's going to eat us up."

The questions faced by NCIS deal with the methods and the resources necessary for beating computer crime. CCIG's mission is to:

The NCIS is concentrating very heavily on crime prevention. One way they're doing this is through awareness presentations at various commands, and they've developed three pamphlets on the different aspects of computer crime. These pamphlets are specifically designed to be left laying around where folks who have a few minutes will stop and read, and they can be reproduced at little cost. NCIS also uses vehicles such as Chips to help promote awareness of the problem.

It isn't as glamorous as actively chasing the bad guys; the street agents do that. However, the headquarters agents, such as Matt Parsons, are working just as hard trying to keep the number of bad guys from multiplying on the computer front. There's more than enough business for everyone. According to Parsons, "I'd equate our jobs to being Marshalls in West Texas in 1870. Think about it. The police are just starting to catch up. The bad guys are out there just having a wonderful time."

Please don't confuse the NCIS with the Navy Computer Incident Response Team (NAVCIRT). They're two very separate entities that complement rather than conflict with one another. NCIS' focus is investigative, from a law enforcement side. NAVCIRT's role is to respond administratively to hacks, network problems, viruses, Trojan Horses, etc. Nearly every intrusion into a Navy or Marine Corps network, or any government network for that matter, is a felony, but not every intrusion will be investigated as a crime.

NCIS has a Memorandum of Understanding with numerous commands to place agents at the site to combat crime and provide other types of support. Agents are stationed aboard ships as well as at shore commands to support specific objectives. In keeping with NCIS' policy of service to the fleet, the CCIG has also established the Intrusion Response Group (IRG), located at the Fleet Information Warfare Center (FIWC). The IRG is responsible for coordinating the law enforcement response and other activity relating to intrusions into Navy and Marine Corps networks. While IRG's mission is the Navy's law enforcement response to these events, this is only a small part of the overall operation at FIWC.

The CCIG isn't trying to handle the computer crime issue alone. According to Parsons, "We couldn't even if we wanted to; it's just too big. We deal regularly with the Naval Security Group (SECGRU), the Fleet Information Warfare Center (FIWC) and more frequently with the other military computer crime investigators as well as our counterparts from the Department of Justice and the Department of Treasury."

The NCIS also participates in a group called the Federal Computer Investigators Committee. That started out at the federal level and is now open to state and local law enforcement. Some industry people attend, but they aren't allowed to sit in on the afternoon sessions where the Agents roll up their sleeves and say things like, "We had this kind of case, and we messed things up because..." It's a special type of environment, and it works well. The only caveat to the meetings is that it's non-attribution and non-disclosure. There's a similar group in the Washington, D.C. area which functions much the same way.

NCIS also works with local law enforcement agencies. One group is called the High Tech Crime Investigators, which started on the West Coast and is now in many areas of the United States. A charter group started in Washington last January, and the NCIS Agents are working with them. On the international side, there's a group called the International Organization on Computer Evidence (IOCE). In participating with IOCE, the NCIS has found that international computer crime investigators share many of the same concerns. As much as the laws of the United States are subject to interpretation with regard to personal privacy, etc., the United States is light years ahead of many other nations in this area. The bottom line is that the NCIS Special Agents involved in computer crime communicate with a great many people in a great many places.

Obviously, the commercial industrial side is interested in what the CCIG is doing also. According to Parsons, "Our U.S. Secret Service contacts tell us they estimate that 10 percent of the cellular phone industry in the United States is fraudulent. They estimate $360 million in losses each year."

Getting started hasn't been exactly smooth. When the NCIS first became involved in establishing the computer crime response, they called the Pentagon and asked some fairly fundamental questions concerning what the Navy expected:

The response was a rather cryptic, "Don't know." The NCIS has been trying to comply with those guidelines.

However, positive things are now beginning to happen:

The last one is vitally important because when something happens, the agents in the field must be capable of responding and gathering the evidence that will enable us to go for prosecution. If we don't do everything legally correct, we're going to be stuck with bad case law which will make everyone's job much more difficult for years to come.

What areas are rife for computer crime? You name it. For example, did you realize that the telephone system is the largest computer network in the world? Telecommunications fraud is something the NCIS is very concerned about - and with good reason. For example, in 1995, a Navy command was victimized by widespread fraud associated with the use of the command long-distance telephone credit card. The reported loss was in excess of $90,000 which got everyone's attention at the command.

Remember, not all computer crime involves espionage and the cloak and dagger stuff. Although our country's secrets are at risk, so are our wallets.

Forgery cases can be a computer crime. In one case, an employee at the Bank of Chicago noticed that two government checks were different colors. As it turned out, the account number on one of the checks belonged to a command at the Naval Shipyard in Portsmouth, Virginia. The serial number on that check belonged to the Naval Shipyard in Bremerton, WA. The fictitious signature on the check was computer generated, and the payees weren't associated with the Navy in any capacity.

And the checks had been cashed in Los Angeles. In the old days if somebody stole a check, they'd take it down to the corner store and cash it. Distance doesn't have the meaning it had before. The old concept of boundaries and borders is out of date when you're talking about computer networks.

Who commits these crimes? For DoD, command personnel and contractor personnel are certainly potential suspects - especially in this era of BRAC reductions, where people are being laid off. Disgruntled people will walk out with everything from memory chips to software to entire computers. On the information superhighway, anyone who has access to the Internet is a potential victim of a wide variety of criminal activity, as well as a potential suspect. The bottom line is that you can narrow your list of suspects for a particular crime down to any one of 26 million people.

The insider is obviously someone who works for an organization, exceeds their access authority and is smart enough to give themselves additional access rights. NCIS Agents are most concerned about insiders because they know the organization's weaknesses and occasionally try to take advantage of what they feel may be an easy target or victim.

For example, there was a person in California that the Agents took an interest in. He was a blue-collar worker who swiped his boss's password. He used it to log into his boss's account and authorize himself overtime to the tune of $18,000. Not bad - except he's been caught and now faces a potential jail sentence as well as the loss of his career.

Every case that relates to computer crime comes to NCIS's Computer Crime Group, and they learn something new every day. According to Parsons, "It's incredible. If you're a crook and you use your imagination, it's unbelievable what you can come up with. We enjoy the opportunity to match our wits with those who think they are above the law or won't get caught."

However, not all criminals are smart. We had a gentleman working in a credit union at a major DoD facility. Although he was nearly blind, he could use a computer to do his job. Unfortunately, he was a drug addict. To support his habit, he started skimming interest and putting it in his wife's account; then he'd use her ATM card to get the money. With money in hand, he'd walk a couple of blocks to buy dope. Unfortunately, kids would see him coming and, knowing he was blind, steal his money. It didn't take a rocket scientist to figure this one out. We knocked on his door and asked him what he did with the money. He said, "Well, you're not going to believe this, but..." He's currently a guest of the government.

In another case, a couple of engineers who were on official travel thought they were entitled to a slightly different interpretation of the Joint Travel Regulations (JTR) so they created their own receipts, forged a signature with their computer and balanced their books.

On the counterintelligence side, an active-duty sailor installed a personal modem on the command's Gateguard system. During slow time, he would dial out from his command and log onto alternate lifestyle BBSs. Isn't it strange how most people feel they're invisible when they're sitting at their computer or how some people do incredibly foolish things without using their heads?

Another counterintelligence case involved a civilian engineer who was hired to work in a very sensitive environment dealing with leading-edge aviation technology. The trouble was, he hadn't received his security clearance. A couple of helpful people in the section where he was working logged the new engineer into the network using one of their passwords - just to get the new guy familiar with the keyboard; you know, "this is the ENTER key." Unknown to the helpful coworkers, this engineer also had a minor in computer science. It was found out later that the engineer had hacked the system and given himself root privileges.

Later, it was discovered that the engineer had been wandering the hallways of the command trying to gain access to the classified laboratories. The command fired him on his last day of probation after a heated discussion between two groups - one of whom was begging to keep him. About a week after he was fired, the engineer left the country. Makes one wonder, doesn't it?

The tactics and scope of theft are changing. One of the latest tactics is stealing laptops from conveyor belts at airports. Here's how it works. As you place your computer on the belt, a pair of scoundrels who have been watching you start their plan. One of them causes a disturbance, and when you turn to see what's happening, your laptop walks off with the other. Ask yourself: what would your loss be if your laptop were stolen? Do you have a backup of the information? If you could replace the information, how long would it take for you to regain your operational tempo? Is there anything on the machine which could cause damage to the government? How would this affect your command?

Scope is a different issue. There are inexpensive, portable tape backup systems available that run on batteries. They're slow, but the tapes hold 1.2 gigabytes. That's approximately half a million sheets of paper, which, to save you from doing the math, is nearly enough paper to stack to the top of the Washington Monument.

Here's a scenario that will scare the thinking person. On a Friday afternoon at 5:05 p.m. after everybody has gone home, our culprit fires up the little gadget, logs onto the command's secret network and downloads everything that's on the server. On Monday morning at 6:55 a.m., he comes in, shuts the device off, throws it in his gym bag and later goes home with the contents of everything.

Remember John Walker? He was arrested after putting ten pounds of secret documents wrapped in a black, plastic garbage bag under a bush. That was less information than Aldrich Ames had on one disk! In fact, during investigation into the Ames case, Ames said that LAN access was a significant event in his espionage career since it allowed for a substantial increase in the amount of data he could carry out of the building with reduced chance of detection. As you can see, criminals of all types are adapting to the technology regardless of their goals or motivation.

Losing information is devastating, but so is the loss of very expensive hardware and software. (See Figure 2, Reported Loss of DoN Computer Equipment.) The figures don't address the replacement cost of the hardware and the work that went with it, nor do they include the dollar value of the extra work required to meet the agency's mission. That $28.4 million just got much larger.

Figure 2. Reported Loss of DoN Computer Equipment

MLSR Reporting, Navy

                    1991     1992     1993     1994     1995    Total
Incidents           1861     1850     2487     1833     1979    10010
Loss Value          6.5m     6.9m     5.5m     3.3m     3.7m    25.9m

MLSR Reporting, Marine Corps

                    1991     1992     1993     1994     1995    Total
Incidents              4       54       28        2        9       97
Loss Value         29.2k   433.9k   324.4k      25k     102k   914.5k

Loss Value Reported During NCIS Investigations

                    1991     1992     1993     1994     1995    Total
Loss Value         47.1k   588.9k    39.3k     310k     549k     1.5m

Total Loss (all sources)

                    1991     1992     1993     1994     1995    Total
Total Loss          6.6m     7.9m     5.9m     3.6m     4.4m    28.4m

Now for hackers - everyone's favorite subject. In the '60s, the term hacker wasn't negative. It was just somebody who worked on a computer system. According to Parsons, "That's changed significantly. The hackers of old are now calling themselves crackers, and these people have no problems with stealing files, or causing damage to hardware, software or networks." A 1994 profile developed by The Search Group shows that a hacker/cracker is likely to:

  • Be a teenaged male.
  • Focus on technology.
  • Be anti-establishment.
  • Have insatiable curiosity.
  • Desire forbidden knowledge.
  • Have poor interpersonal skills.
  • Substitute computers for friends.

When these teenagers reach 18 or 19, where do you think they'll look for their technology fix? Right - some choose the military. We're obviously beginning to see some of them.

Hacking has many variations. To understand what it takes to protect your information, you need to understand a little bit of the concept of what is known as social engineering.

Here's just one example of the technique:

Sergeant: "Private! This is Gunnery Sergeant Smith from Base Communications. Private, can you tell me why the General's E-mail isn't working?"
Private: "No, Gunnery Sergeant."
Sergeant: "What's his password?"
Private: "It's Marine, Sergeant."
Sergeant: "Don't let this happen again, Private!"

It's truly incredible what people will tell complete strangers over a phone line. If someone calls and asks for your password, saying there is a problem on your network, check with your security manager, who will know whether there really is a problem. Never give out your password over the phone!

Ever hear the acronym GIRKS? It stands for Garbage Information Retrieval Kit. You'll find would-be hackers carrying plastic garbage bags and searching through trash containers outside computer centers. They're looking for computer manuals, software printouts or anything with a password or access information. If somebody asks them what they're doing, they'll say, "I'm just collecting aluminum. I'm into recycling. Do you recycle?" It works almost every time. The people who use this technique dress for the occasion and will have a dozen dry, empty soda cans inside their garbage bag, which they will rattle during the confrontation. Remember, they also practice OPSEC.

Are intrusions really happening? They sure are! In 1995, AFCIRT logged 2,500 intrusions of Air Force systems - 130 of them were deemed significant enough to warrant further review and investigation by OSI. Our NCIS field agents investigated 17 intrusions. There were an additional 51 incidents reported by DISA dealing with malicious code. Because our reporting procedures are lacking, the actual numbers are probably many times higher.

The really big question is: "Who is vulnerable?" Answer: "Nearly everybody."

Here's the proof. During an online survey by the Naval Security Group (NSG) early in 1995, more than 55,000 Navy systems were found registered on the Internet. Of these, 16,000 were alive for communication. A program written by NSG to determine vulnerability found that 95 percent of the remaining LAN systems were susceptible to penetration and/or monitoring. Because an intruder who gets into one of these vulnerable systems can capture User IDs and passwords for others, the potential for compromise is enormous. Bottom line... if you can get into 11 percent of the Navy's networks, you can compromise 97 percent of the unclassified Navy systems on the Internet.

Statistics and stories abound. But we have documented proof that the bad guys do get caught - sometimes. Read about the NCIS' biggest hacker success so far - the Ardita case - in a separate article listed in the Table of Contents.