Just as a stand-up comedian carefully places his punch line at the end of the joke, I also usually leave my conclusions for the end of a post. Except for this time. This time, I would like to start with the conclusion: For an ongoing investigation not to be jeopardized, it is extremely important that all information related to those being investigated does not become public.
When (cyber)criminals suspect they’re being investigated, they become more careful. But when they are sure that someone is after them, they become unpredictable in their actions. Simply hiding, making a run, covering their tracks, buying their freedom, fighting back or any combination of these are just some of the options. I’m sure you know this if you watch the Discovery Channel.
You also know this if you’re actively tracking the latest disclosures around the Koobface botnet.
What happened with Koobface after the identities of its authors and the inner workings of their underground business became public? The obvious happened, of course. They began wiping out all public information about themselves from the Internet: Facebook profiles, Twitter feeds, Foursquare check-ins, Flickr pictures, you name it. They are covering their tracks in the cyber-world as we speak, and only God knows what else they are doing in the real world to protect the most valuable thing they have right now: their freedom.
A disclosure of information that can jeopardize an ongoing investigation is not something which I support, nor something with which I agree.
I’ve heard OSINT (Open-source intelligence) as an argument for this public disclosure. It’s not. OSINT is about using freely available information to produce actionable intelligence, not about making actionable intelligence freely available on the Internet. Was it done to pressure the authorities or to aid them in any way? I’m not sure that the pressure this disclosure was supposed to put on law enforcement to actually do something in this case will be enough to compensate for the fact that the gang behind Koobface is now destroying evidence and going further underground. The public exposure has obviously hurt those efforts.
Investigations can take years – many years. Anyone who has actually been involved in such an investigation knows how frustrating it can be. But it doesn’t mean that we should at one point make everything public and hope for the best. Bad guys go to jail after being on trial, not after being on trial by the media.
Therefore I am making a public plea to all security researchers that were, are or will be involved in cybercrime investigations: Don’t publish data that can ruin years of investigative work. Only share information regarding attribution with law enforcement and trusted contacts. Make sure you understand that certain legal procedures need to be followed and they might take time. Be patient and don’t become frustrated. In the end, everything will be ok. If it’s not ok, then it’s not the end.
I would love to be able to end this text on an optimistic note. However, in real life things are not black and white all the time. There are countless other e-crime related activities in which it’s not clear whether law enforcement, either alone or with private partners, is working on a case. That often makes it difficult to ‘stand by’ while it seems that nothing is being done. It’s a fine line. What is needed is a better way to determine whether something is being worked on across the various levels of law enforcement, and what level of participation by private partners is taking place.
*My thanks to Kurt Baumgartner, Andre’ M. DiMino, Costin Raiu, Roel Schouwenberg, Dmitry Tarakanov and countless other researchers for contributing to this article.
Stefan Tanase is a senior security researcher on Kaspersky Lab’s Global Research and Analysis Team.