Agencies close net on illicit use of government IT
Recent child porn busts are one result of stepped-up Internet monitoring
- By Patience Wait
- Apr 17, 2006
"It appears to be a race between the folks who are filtering and those who are hosting or promoting unwanted material." ' Scott Santiago, NASA
Bruno Budrovic/Chester Hawkins
When federal agents last month seized the office computer of a NASA official for allegedly trafficking in child pornography on the Internet, a key piece of evidence came from technology developed at the agency to identify that kind of content.
A special agent in the computer crimes division in NASA's inspector general's office analyzed data captured by a Web activity monitoring application to build the case against NASA program executive James Robinson.
NASA uses a number of filtering technologies to block out 'locations that are inappropriate, [using] the normal, 'net nanny' types of software products and appliances,' said Scott Santiago, deputy CIO for IT security at NASA.
Unfortunately, he said, many of the illegal sites are will-o'-the-wisps, setting up shop at one Internet address for a few weeks, then changing name or location, making it difficult to keep filters up to date. 'It appears to be a race between the folks who are filtering and those who are hosting or promoting unwanted material,' Santiago said.
But the monitoring app, called Web ContExt, which can be set to identify if a certain percentage of an image is composed of flesh tones, did give NASA officials enough information to identify illicit content.
'We have a particular product that keys off pixels that determines whether or not skin tones are present,' Santiago said. 'We record a thumbnail and a 'To' and 'From.' '
A security professional has to actually look at each of the thumbnails to determine if it is illicit, but the tool archives data automatically, letting Santiago or others go back and check what employees have been viewing and, if called for, provide images that law enforcement agents can examine.
'It has about a 99 percent accuracy,' Santiago said.
In what is becoming an all-too-familiar story, Robinson, a GS-15 employee at NASA's In-Space Propulsion, Mission and Systems Management Division, based at NASA headquarters in Washington, was one of three federal employees in a month who were targets of computer crime investigations.
Just days after Robinson's computer equipment was seized, the Secret Service and Montgomery County, Md., police arrested the Homeland Security Department's deputy press secretary, Brian J. Doyle, for allegedly attempting to seduce a child over the Internet.
And a Defense Information Systems Agency official is under investigation by the Defense Criminal Investigative Service, the FBI and the DISA inspector general for allegedly possessing child pornography and operating a peer-to-peer network to trade images using government computers. Agents seized equipment and more than 1,000 CD-ROM disks from his office alone for examination.
The federal government over the past year has stepped up its efforts to eliminate child pornography from the Internet, from asking search companies such as Yahoo! and America Online for search information to running sting operations.
Attorney general Alberto Gonzalez announced Project Safe Childhood in February, an initiative by the Justice Department to strengthen the work of 46 regional task forces around the country targeting child pornographers.
But the discovery of illegal activities being carried out by government employees on government computers demonstrates that CIOs and chief information security officers have to add to their list of concerns. In addition to hackers, viruses and worms, the scope of insider threats includes not just risking the security of classified or sensitive information, but a wide range of illegal activities.
Within the Defense Department, there is no central agency responsible for monitoring computer use to look for illegal or inappropriate activity. Instead, each agency has to devise its own approach to monitoring.
'There is no one-size-fits-all panacea for detecting this type of activity,' said Michael Milner, enterprise program manager within DCIS.
But once suspicious activity turns up, DCIS investigates, said Rick Beltz, director of investigative operations at DCIS.
'All of our efforts are geared to protecting the Global Information Grid network,' Beltz said. 'That could mean intrusions, denial-of-service attacks [or] child pornography. If a DOD worker is using the network for child pornography, that has a negative impact on the integrity of the GIG.'
The risk to the GIG is multilevel, Beltz said. Transmitting very large files, such as movie clips, can degrade network performance. But many porn files also contain malicious code.
'With peer-to-peer file sharing, you don't know what you're getting; it could be child pornography, but it could be a worm,' Beltz said.
Child pornography cases can frequently involve dozens or hundreds of images that have to be examined.
'In a hypothetical case ... when there is a lot of digital media that needs analysis, it goes to the Defense Computer Forensics Lab in Linthicum, Md.,' Milner said. 'We may have a very large amount of digital media that has to be reviewed and examined,' to get enough evidence to support an indictment.
NASA also uses applications that watch network traffic, looking for signs that get flagged from an intrusion detection standpoint.
'We complement that with another tool that allows us to look at network traffic flows, so we can look at what type of application is actually running, how much information is actually moving, who is talking to whom, what types of files are moving across the network,' Santiago said.
By defining what constitutes 'normal' network performance, these applications look for the abnormal.
'You're bombarded with a lot of data and have to go through it very quickly. Within NASA, we're always resource-challenged, so it's a matter of the appropriate balance between people and tools,' he said.
But resource limitations are not the only obstacle.
'If people are going to be prosecuted, it's almost always got to be a known, documented victim image, or you have to catch someone engaged in the activity,' said a senior federal agent with experience in technology-based investigations.
The problem with trying to snare government employees engaged in illegal activities using their office computers is the spread of concerns about privacy issues, he said.
'You can get hash values [for pornographic images] at the National Center for Missing and Exploited Children and compare them against the hash values for content' on an agency network, the agent said. 'A lot of big government agencies subscribe to databases that record sites that should be blocked, but the really seedy stuff you have to attack at the content level, [and] content monitoring really has been kind of touchy.'
While NASA uses these and other technologies to keep a sharp eye out for bad actors, it was a combination of old and new techniques that identified Robinson.
The Postal Inspection Service learned that Robinson was using his office computer to store and trade numerous images of minors engaged in a variety of sexual acts.
The USPIS identified his office computer by monitoring the IP addresses generating messages sent to undercover agents posing as traffickers in child pornography. A NASA special agent in the inspector general's office compared records provided by USPIS with logs of computer activity on Robinson's NASA account to confirm that he was on the government system at times corresponding to his activities in viewing and sending images.
Based on these records of Internet activity, the IG's office obtained a search warrant and seized Robinson's computer equipment.