Long content to talk about the “what” behind cyber crime, the nation’s top computer security cops descended on New York City this week for the FBI’s International Conference on Cyber Crime ready to talk about “who.” But while discussions of tools and techniques for identifying criminal actors online dominate the schedule, cyber security experts say law enforcement still has a long way to go.
Senior law enforcement officials who gathered at Fordham University for the annual white hat conference trumpeted their successes in the last year, including the takedown of the GhostClick network in October. But attendees and guest speakers alike said that law enforcement is still playing catch-up with sophisticated adversaries who are quick to adopt the latest technology to facilitate online crime and cover their tracks.
The gathering, in its third year, is jointly sponsored by the FBI and Fordham University and draws cyber security experts and law enforcement luminaries from across the globe to attend workshops and lectures on cyber threats and investigative techniques.
With FBI special agents providing the security on site, leading law enforcement figures trumpeted the successes of the past year, including the October crackdown on the so-called GhostClick network, a global scheme that affected some 4 million victims and generated $14 million in illicit profits for displaying online advertisements.
Speaking to attendees, Janice Fedarcyk, the assistant director in charge of the New York Division of the FBI, cited the cooperation of authorities in the U.S. and Estonia in the GhostClick crackdown as evidence of greater international cooperation in combating sophisticated, multinational cyber criminal groups.
Barry Green, the President of the Internet Systems Consortium (ISC), went further, predicting that 2012 would be a banner year for law enforcement in the battle against cyber criminals. Green said increased use by law enforcement of investigative tools such as passive DNS and the creation of shared operational security portals would allow law enforcement to better coordinate their activities and to understand and map the doings of cyber criminals – even before crimes have been committed, in some cases.
Timothy Williams, a director for INTERPOL in Washington D.C., said that his organization was readying a new global complex for innovation in Singapore that would focus on developing new investigative and educational tools to improve the cyber security capabilities of that organization.
However, conversations with security experts and law enforcement attendees alike suggest that, despite their successes, many in law enforcement are struggling to keep up with the pace of technological change, and are just beginning to embrace technologies – like social media – that were long ago adopted by criminals.
In a closed session on Monday, Aaron Barr, the director of Cyber Security at Sayres and Associates, talked to members of the law enforcement community about how to use free and open source tools to mine the rich seams of public data online on sites like Facebook, Twitter and other social networks. Barr said that many cyber investigators working within local, state and federal law enforcement still don’t realize the wealth of information that is available in the public domain, or choose to confine themselves to first-generation computer investigative techniques, such as searching through lists of suspect IP addresses to try to connect suspicious activities to actual persons. While law enforcement’s power to subpoena can be extremely useful in getting data, Barr said that law enforcement can often struggle to assemble enough evidence to justify asking for one.
In his talk, Barr highlighted ways that publicly accessible information and free and open source tools can be used to analyze patterns of online behaviors, make connections between seemingly different online personas and build detailed profiles of suspects and known criminals. The tools – many honed for use managing social media campaigns for public relations – are common enough, but most are still unknown to cyber investigators, he said.
Speaking in a session about anonymous online payment systems, Scott Dueweke, a senior associate in charge of virtual identity management at Booz Allen Hamilton, talked to a rapt audience about the proliferation of shadowy online payment networks – many based overseas – that are increasingly being used by cyber criminals and others to transact business outside of the regulated banking system. The networks, which can also include in-game virtual currency systems, provide buyers and sellers of illicit goods a reliable system for carrying out transactions and, ultimately, laundering profits. However, almost all operate outside the jurisdiction of the U.S. or its allies and, thus, continue to operate.
“Most of these systems are poorly understood,” Dueweke said. “I’d estimate they have a six or seven year head start on law enforcement.”
A cultural and generational gap between the law enforcement community and cyber criminals and sophisticated hacking groups may also explain the difficulty law enforcement has had keeping up with the bad guys. When Dueweke asked a crowded lecture hall full of law enforcement personnel how many played massively multi-player online role-playing games (MMORPGs) like World of Warcraft or delved into virtual online worlds like Second Life, not a single hand went up. “This is part of the problem,” Dueweke explained. Cyber criminals as well as terrorists and nation state actors today move seamlessly between different online and physical worlds, whereas law enforcement officers are too often ignorant of environments such as MMORPGs and inclined to dismiss them as legitimate arenas where criminal activity might take place.
Others, however, were hopeful that the capability gap between the black hats and the white hats was closing, as law enforcement and intelligence agencies invested more heavily in cyber security.
Speaking on the topic of “Malware Research, Trends and Victimology,” Kevin Swindon, a supervisory special agent in the Boston office of the FBI, said that law enforcement still had much to teach the private sector about threats and attacks. Even if preventing attacks outright wasn’t possible, investigators could still help companies “be good victims” by educating them about how to respond to an attack and how to limit its effectiveness by identifying and securing critical data, limiting user access to sensitive data and training employees to be on the lookout for suspicious activity on e-mail or other mediums.