By Renay San Miguel E-Commerce Times
11/09/09 4:00 AM PT
The stories that FBI Assistant Director of Cybersecurity Shawn Henry can tell are enough to keep any network security administrator up at night. The methods of criminal hackers are becoming disturbingly effective, he says, and changing attitudes on the nature of online privacy are giving rise to additional risks. On the bright side, he also sees a growing degree of cooperation among law enforcement groups.
The FBI official in charge of major cybercrime investigations told an international gathering of computer security experts last week that financial services companies have suffered massive thefts due to hackers.
"The financial services sector has seen losses in the hundreds of millions of dollars in actual cash removed through the infrastructure," FBI Assistant Director of Cybersecurity Shawn Henry said in a Tuesday keynote address to the Information Security Forum's World Congress in Vancouver, B.C. "We can talk about the value of intellectual property, the value of research and development. But from an actual cash perspective, we've seen cases where hundreds of millions of dollars was lost."
Henry's comments have substantial implications for the ISF's membership. The global nonprofit organization, celebrating its 20th year of existence, includes network security and information technology experts from private companies in a wide variety of industries, as well as those whose job it is to protect networks for public and governmental agencies. Despite the temptations that banks and financial services companies present to cybercriminals, there aren't many economic sectors immune to the problem, said Henry, who oversees the bureau's worldwide investigations of infrastructure attacks.
"The threat we see to every piece of infrastructure is significant and continuing to grow," Henry said. "Energy, transportation, banking and finance, information technology, retail -- they've all been breached across the spectrum. There are a half-dozen companies represented here that I know have been significantly breached, based on operations that I've been involved in."
Cybercrime Horror Stories
Henry told his audience about some recent investigations that involved a disturbingly effective range of hacking techniques:
A major financial network was breached, and it was four months before anybody found out. "They opened for business on Monday morning and their books were off by (US)$10 million," Henry said. "On (the previous Friday), the books were balanced." The criminals had penetrated the network, stolen account information, broken encrypted personal identification numbers and were able to "withdraw in a 24-hour period, in 49 different cities, $10 million. That's a minimum of 49 people involved. The only thing that capped the loss was the fact the ATMs ran out of money."
A U.S. company operating ship canals had to manually move gates that controlled water levels because of a disgruntled former employee who had tampered with the firm's infrastructure.
A former oil services company employee who still had access to the network had remotely turned off the capability for offshore oil platforms to monitor leaks happening on facilities in the Pacific Ocean. "Fortunately, [company officials] were able to recover that relatively quickly with no damage," Henry said.
After a recent conference, someone left about two dozen USB thumb drives in a nearby parking lot, each containing malware. Any conference attendee plugging the drive into their laptop to see who it belonged to "was providing egress for a potential adversary."
Supply chains and vendors are also being targeted, Henry said. "We've seen an increase in counterfeit hardware loaded onto a network. Or software that was shrink-wrapped and somewhere in the delivery process, somebody added something special to the code, providing them an ingress to that network."
Turning a Law Enforcement Corner
Despite those examples, progress is being made in tracking down cybercriminals, Henry said, particularly regarding cooperation with international law enforcement agencies. One recent case he cited involved the arrest of some 60 U.S. citizens and 30 Egyptians suspected in a major phishing scheme, and it depended on information sharing that would not have happened five years ago.
"We have people sitting next to police officers every single day in international police headquarters buildings," Henry said. "They recognize the impact these crimes are having on their economy and national security and their citizens. This gives me some cautious optimism as to where we're headed as a society."
Some of the same techniques used to bring down organized crime figures -- legal data interception, informants -- are also being applied to cybercriminals. However, the global nature of the crime demands increased sharing with other police agencies, he said. In a case Henry called "unprecedented," information collected in the U.S. was given to an international law enforcement agency. It in turn began gathering information on co-conspirators. "We got a phone call on a Friday night from this agency, and they said, 'We've identified four banks that are going to be hit. This is the (network) vulnerability, this is when they are going to do it.' We were able to sit with the banks and let them know what was going to be attacked and what they might be able to do to mitigate that attack. The feedback we got was, 'Yes, they attacked us, and we were able to prevent it because of the information you provided us.'"
Greater Consumer Access = Wider Threats
Henry was named to his current position in December 2008, but he has worked on high-tech criminal investigations since he joined the FBI as a special agent in 1989. During that time, he's seen the Internet take its place as a major business and cultural force. "The focus of our investigations started with threats to CPUs and small networks. But now it's BlackBerries, mobile PCs, iPhones. The perimeter continues to expand. The processing power in these devices creates another tool for an adversary in their constant attack against global infrastructure. As the access grows, the access, the capability, the barrier to entry gets lower."
The modern cybercrook falls into three categories, Henry said: organized criminals following the money, terrorists looking to cause damage to infrastructure, and nation states. Generational differences in how potential victims view the Internet's role in their lives -- and how much they trust it -- are also determining how successful those criminals could be.
"You have digital natives versus digital immigrants," Henry said. Younger people have grown up in an environment of online banking and shopping and sharing personal information on social networks.
"They don't have the same concern for privacy, for security, as I do, as many of us here do," he said. "That creates a bigger challenge, a bigger threat for us. And many of the folks who are coming up the ranks in major corporations don't have the same sense that there's a threat, because they've been surrounded by the technology, the openness, that is supposed to make their lives easier and faster. Those very capabilities are the ingress for the threat."