Feds want help from private sector on IT security
- By William Jackson
- Aug 02, 2006
LAS VEGAS'For a decade federal law enforcement officials have been preaching the gospel of private-sector cooperation. The need for cooperation has long been obvious, but an FBI official told a gathering of computer security experts and hackers that the government is getting serious about the effort.
'Critical information about terrorism and other cybercrimes we are working on often resides with you folks, and will come to you first,' Dan Larkin, a unit chief of the FBI's Internet Crime Complaint Center, said Wednesday at the opening of the Black Hat Briefings security conference.
But gaining the trust of the private sector has been difficult, and a good part of that problem has been the government's failures to follow through in using data it collects and to accommodate the private sector's needs.
An academic study on the use of the Internet to investigate organized crime, commissioned by the FBI in 1999, identified two channels of funding used by al-Qaeda in planning the Sept. 11, 2001, attacks on the United States. When that was realized, a light went on in the bureau, according to Larkin.
'We need to go after these partnerships more aggressively,' he said.
The stakes in this game of cat and mouse between law enforcement and cybercriminals are getting higher.
'Spam and cybercrime are really about the money,' Larkin said. 'It's not just the script kiddies any more. There are people making a lot of money out there.'
Security experts have been noting the commercialization of malicious code for several years now as a sophisticated black market in malware has changed the goal of hacking from bragging rights to financial gain.
Unreported vulnerabilities are auctioned off in this online marketplace and exploits are packaged into retail toolkits that can be used to snare potentially valuable information.
Finjan Inc. of Santa Clara, Calif., reported in a quarterly study of threat trends that new exploits are focusing on active content used on Web sites. These can perform stealthy attacks that maintain a steady leak of data from unsuspecting victims.
Finjan's Malicious Code Research Center found vulnerabilities in Microsoft's Internet Explorer and Vista operating system
being offered to the highest bidder through the Full Disclosure e-mailing list. The list is hosted and sponsored by Secunia, a Danish security company that monitors vulnerabilities and reverse engineers software.
According to the list's guidelines, 'any information pertaining to vulnerabilities is acceptable,' including announcements of exploits, code and tools.
The center also found a Web Attacker toolkit offered on a Russian Web site for about $300. The kit, which lets the user create a malicious Web site that infects browsers with drive-by installations, even comes with an update subscription for $20.
'Befitting a professional software product, the toolkit is provided with detailed user guide and friendly user interface,' and 'also provides well-designed reports' on the numbers of infections broken down by exploit, the report said.
The result of these developments is an increasingly organized underground economy in which malware is bought, sold and deployed for financial gain.
In the last three years, the FBI has responded with improved cooperation with the private sector. Larkin now heads up the ICCC's Cyber Initiative Resource Fusion Unit, which is coordinating a number of initiatives targeting specific areas of crime.
Operation ReLEAF (Retail and Law Enforcement Against Fraud), started in 2003, helped gather private-sector data that could spot emerging fraud schemes. The Slam Spam initiative has assembled two teams of analysts funded by industry and staffed in part by law enforcement to respond to spam problems, and is a model for the news Digital Phishnet that addresses phishing expeditions'the use of legitimate-seeming e-mail to coax people into revealing personal and financial information.
One thing the FBI has learned is that high-profile events spawn scams. In the wake of Hurricane Katrina, more than 5,000 reports of fraudulent schemes were received within weeks. Some of the Web sites used in the fraud were being registered even before Katrina made landfall, Larking said.
William Jackson is freelance writer and the author of the CyberEye blog.