Free Republic

A visit from the FBI
SecurityFocus ^ | 1/21/2004 | Scott Granneman

Posted on 1/30/2004, 3:33:13 AM by justlurking

Well, it finally happened. Right before Christmas, I had a little visit from the FBI. That's right: an agent from the Federal Bureau of Investigation came to see me. He had some things he wanted to talk about. He stayed a couple of hours, and then went on his way. Hopefully he got what he wanted. I know I did.

Let me explain. I teach technology classes at Washington University in St. Louis, a fact that I mentioned in a column from 22 October 2003 titled, "Joe Average User Is In Trouble". In that column, I talked about the fact that most ordinary computer users have no idea about what security means. They don't practice secure computing because they don't understand what that means. After that column came out, I received a lot of email. One of those emails was from Dave Thomas, former chief of computer intrusion investigations at FBI headquarters, and current Assistant Special Agent in Charge of the St. Louis Division of the FBI.

Dave had this to say: "I have spent a considerable amount in the computer underground and have seen many ways in which clever individuals trick unsuspecting users. I don't think most people have a clue just how bad things are." He then offered to come speak to my students about his experiences.


I did what I think most people would do: I emailed Dave back immediately and we set up a date for his visit to my class.


It's not every day that I have an FBI agent who's also a computer security expert come speak to my class, so I invited other students and friends to come hear him speak. On the night of Dave's talk, we had a nice cross-section of students, friends, and associates in the desks of my room, several of them "computer people," most not.

Dave arrived and set his laptop up, an IBM ThinkPad A31. He didn't connect to the Internet - too dangerous, and against regulations, if I recall - but instead ran his presentation software using movies and videos where others would have actually gone online to demonstrate their points. While he was getting everything ready, I took a look at the first FBI agent I could remember meeting in person.


Dave is from Tennessee, and you can tell. He's got a southern twang to his voice that disarms his listeners. He talks slowly, slightly drawling his vowels, and it sort of takes you in, making you think he's not really paying attention, and then you realize that he knows exactly what he's doing, and that he's miles ahead of you. He wears a tie, but his suit is ready to wear and just a bit wrinkled. His dark hair is longer than you'd think, hanging below his collar, further accentuating the country-boy image, but remember, this country boy knows his stuff. All in all, he gives off the air of someone who's busy as heck, too busy to worry about appearances, and someone who's seen a lot of things in his time.

A-cracking we will go

Dave focused most of his talk on the threats that ordinary computer users face: what those threats are, who's behind them, and why they exist. He spent quite a bit of time talking about the intersection of Trojans and viruses. He started by showing us how easy it is to create a virus, using one of several virus creation wizards that can be easily found on the Net (of course, real men and women write their own).

More and more, however, the viruses circulating on the Internet are quite purposeful in design. The goal is to install a Trojan on the unsuspecting user's machine that will then allow the bad guy to control the machine from afar, turning it into a zombie under the control of another. All too often, this tactic is successful. Hundreds of thousands if not millions of machines are "owned" by someone other than the user sitting in front of the keyboard and monitor.

These Trojans are often the ones that security pros have been watching for years: SubSeven, Back Orifice, and NetBus. A lot of the time, script kiddies are the ones behind these Trojans, and they do the usual stuff once they have control of a user's PC: grab passwords, use groups of machines to mount DDoS attacks (often against other script kiddies), and jump from machine to machine to machine in order to hide their tracks.

What surprised me, however, was how often Trojans are used to mess with the heads of the poor unsuspecting suckers who own the zombie machines. A favorite trick is to surreptitiously turn on the Webcam of an owned computer in order to watch the dupe at work, or to watch what he's typing on screen. This part isn't surprising. But Dave had countless screenshots, captured from impounded machines or acquired online from hacker hangouts, where the script kiddie, after watching for a while, just can't help himself any longer, and starts to insult or mock or screw with the duped owner.



In one, a hacker sent a WinPopup message to a fellow: "Hey, put your shirt back on! And why are you using a computer when there's a girl on your bed!" Sure enough, the camera had captured a guy using his computer, sans shirt, and in the background you could clearly see a young woman stretched out on a bed.

In another, a man was working a crossword puzzle online when the hacker helpfully suggested a word for 14 Down (I think it was "careless"), again using WinPopup. In a third, a screenshot captured the utterly shocked expression on a man's face - mouth agape, eyes open wide in amazement - when his computer began insulting him using, you guessed it, WinPopup.

This is bad enough and it's also cruelly funny, but the scary part came in when Dave started talking about the other group behind the explosion of viruses and Trojans: Eastern European hackers, backed by organized crime, such as the Russian mafia. In other words, the professionals.

These people are after one thing: money. The easiest way to illegally acquire money now is through the use of online tools like Trojans, or through phishing: set up a fake Web site for PayPal or eBay or Amazon, and then convince the naive to enter their usernames, passwords, and credit card information. Viruses and spam also intersect in this nasty spiderweb. Viruses help spread Trojans, and Trojans are used to turn unsuspecting users' computers into spam factories, or hosts for phishing expeditions, thus furthering the spread of all the elements in this process: viruses, Trojans, spam, and phishing. It's a vicious cycle, and unfortunately, it appears to be getting worse. The FBI is working as hard as it can, but the nations of Eastern Europe are somewhat powerless to solve the problem at this time.

One way to trace just how bad the situation has gotten: track the price for a million credit card numbers. Just a few years ago, Dave saw prices of $100 or more for a million stolen credit card numbers. Now? Pennies. Stealing credit cards is so easy, and so rampant, that prices have dropped precipitously, in a grotesque parody of capitalist supply and demand.


Along with this come intrusions into banks and other financial institutions. Dave wouldn't name names, but he said several organizations that we would all know have been infiltrated electronically by Eastern Europeans, who then grab customer data. A few days later, the unsuspecting president of the bank gets an email demanding $50,000, or else the media will be told of the break-in. Of course, the break-in is news to the bank. As proof of their exploit, a spreadsheet is attached to the email, with a few hundred rows of client data: bank account numbers, home addresses, balances.

Unfortunately, many banks decide to keep it all a secret from their customers, so they reluctantly decide to go ahead and pay the extortion. $50,000 goes to the criminals, and the bank breathes a sigh of relief.

Three days later, ten emails arrive, from ten different criminal organizations, each demanding $25,000. Oops. Far from buying protection, the bank revealed itself as an easy mark, amenable to blackmail. And it will only get worse. Time to call in the FBI, as it should have done from the beginning.

American companies have tried to respond to the massive fraud being perpetrated online. One common preventive, adopted by most companies that sell products online, has been to refuse to ship outside of North America, or to allow international shipping except to Eastern Europe. Criminals have figured out a way around this, however. They hire folks to act as middlemen for them. Basically, these people get paid to sit at home, sign for packages from Dell, Amazon, and other companies, and then turn around and reship the packages to Russia, Belorussia, and Ukraine. You know those signs you see on telephone poles that read "Make money! Work at home!"? A lot of that "work" is actually laundering products for the Russian mob. Of course, anyone caught acting as a middleman denies knowledge of their employer: "I had no idea why I was shipping 25 Dell computers a day to Minsk! I just assumed they liked computers!"

Proof once again that social engineering, coupled with greed, is the easiest way to subvert any security.


Some surprises

Dave had some surprises up his sleeve as well. You'll remember that I said he was using a ThinkPad (running Windows!). I asked him about that, and he told us that many of the computer security folks back at FBI HQ use Macs running OS X, since those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box. In the field, however, they don't have as much money to spend, so they have to stretch their dollars by buying WinTel-based hardware. Are you listening, Apple? The FBI wants to buy your stuff. Talk to them!

Dave also had a great quotation for us: "If you're a bad guy and you want to frustrate law enforcement, use a Mac." Basically, police and government agencies know what to do with seized Windows machines. They can recover whatever information they want, with tools that they've used countless times. The same holds true, but to a lesser degree, for Unix-based machines. But Macs evidently stymie most law enforcement personnel. They just don't know how to recover data on them. So what do they do? By and large, law enforcement personnel in America end up sending impounded Macs needing data recovery to the acknowledged North American Mac experts: the Royal Canadian Mounted Police. Evidently the Mounties have built up a knowledge and technique for Mac forensics that is second to none.

(I hope I'm not helping increase the number of sales Apple has to drug traffickers.)

The biggest surprise was how approachable and helpful Dave was to everyone in the room. According to Dave, the FBI has really made reaching out to the local communities it's in more of a priority. Since the September 11th attacks, the FBI has shifted its number one focus to preventing terrorism, but the number two priority remains preventing and capturing crimes based around technology. In order to best achieve both goals, the FBI has been working hard to reach out to American citizens, and Dave's talk to my class was part of that effort.

I'm a civil libertarian at heart, and that brings with it an innate mistrust of governmental authority - power corrupts, after all. But I'm glad people like Dave Thomas are in the FBI. He's a good man, and he has a good understanding not just of technology, but also of the complexities of the moral and ethical issues surrounding technology in our society today. He did a great job enlightening my students, and he really made the FBI sound like a pretty cool environment for people interested in pursuing security as a career. My advice: call your local FBI and see if they won't come visit your class, or user group, or club. I guarantee you'll learn something.


TOPICS: Crime/Corruption; Russia; Technical; US: Missouri
KEYWORDS: computersecurity; fbi

1 posted on 1/30/2004, 3:33:13 AM by justlurking

To: justlurking
"Basically, police and government agencies know what to do with seized Windows machines. They can recover whatever information they want, with tools that they've used countless times. The same holds true, but to a lesser degree, for Unix-based machines.

I wonder what they do with encrypted filesystems?

Of course, usually the bad guys are too dumb to use them...
2 posted on 1/30/2004, 3:40:17 AM by proxy_user

To: justlurking
bttt
3 posted on 1/30/2004, 3:40:28 AM by gcruse (http://gcruse.typepad.com/)

To: justlurking
Fascinating! Thanks for posting this!
4 posted on 1/30/2004, 3:44:44 AM by neutrino (Oderint dum metuant: Let them hate us, so long as they fear us.)

To: proxy_user
Best thing to do, if you've been up to no good, is delete whatever was bad, use one of those thorough deletion utilities, then format, then remove the hard drive and wipe it with a strong magnet, then take a hammer to it and crack it into pieces and bake them in your oven.
5 posted on 1/30/2004, 3:48:39 AM by xrp

To: justlurking
Thanks for posting this!

The FBI also has a spinoff now on their web site, called the Internet Fraud Complaint Center. If you get ripped off by an online auction, or any other online activity, you can report it there. They will investigate your complaint, and if possible they will send local LEOs to the place which you complain about. It works!
6 posted on 1/30/2004, 3:48:47 AM by 11B3 (Recycle the liberal masses into raw materials.)

To: justlurking
...and it's guaranteed that a smart, "social-engineering" type FBI agent won't make it out of St. Louis to DC.

His next assignment will be some place like rural Wisconsin.

7 posted on 1/30/2004, 3:50:22 AM by japaneseghost

To: xrp
Or save all that trouble and just take a welding torch to the hard drive - turn it into a molten puddle.
8 posted on 1/30/2004, 3:51:19 AM by 11B3 (Recycle the liberal masses into raw materials.)

To: 11B3
But I like breaking things.
9 posted on 1/30/2004, 3:51:55 AM by xrp

To: 11B3
Why do that?...if you toss your HD into a microwave for 5 seconds whatever data is there is gone. So is your HD.
10 posted on 1/30/2004, 4:09:00 AM by tcuoohjohn (Follow The Money)

To: justlurking
I read half the article. Neat stuff.

I think one of the real security issues we'll soon face is unsecured home networks via open wireless connections. If you drive around almost any suburban area you'll find several open networks with no inner firewall.
11 posted on 1/30/2004, 4:33:38 AM by Bogey78O (Why are we even having this debate?)

To: tcuoohjohn
I believe standard military disposal is to smash it then pour acid on it.

I wonder if an emergency self-destruct device would sell well.
12 posted on 1/30/2004, 4:37:59 AM by Bogey78O (Why are we even having this debate?)

To: Bogey78O
I think one of the real security issues we'll soon face is unsecured home networks via open wireless connections. If you drive around almost any suburban area you'll find several open networks with no inner firewall.

It's already a problem. I set up a wireless network for someone (disabled the SSID broadcast, enabled 128-bit encryption, and authorized specific MAC addresses), and she is having problems with the wireless card latching on to other unsecured networks when the signal from her own access point "fades".

If I put my wireless card in my laptop, I can detect two different wireless networks near my home. I don't know if they are unsecured: I'm not going to try to connect.

13 posted on 1/30/2004, 4:38:09 AM by justlurking

To: justlurking
Yeah, that'll happen. It would be easy for a nefarious individual to open up the network and access the hard drive of the networked computers with the right tools (assuming certain Windows features are enabled). Or they could just launch internet attacks from the sap's IP. They'll be free and clear.
14 posted on 1/30/2004, 4:40:41 AM by Bogey78O (Why are we even having this debate?)

To: justlurking
If you can detect them and they are unsecured aren't you connected to them?
15 posted on 1/30/2004, 4:44:24 AM by PFKEY

To: proxy_user
I wonder what they do with encrypted filesystems?

Mostly they just read them. For some different views on security, check out COUNTERPANE on the internet. Also the newsgroup comp.risks is interesting (especially on electronic voting.)

16 posted on 1/30/2004, 4:46:21 AM by Doctor Stochastic (Vegetabilisch = chaotisch is der Charakter der Modernen. - Friedrich Schlegel)

To: PFKEY
If you can detect them and they are unsecured aren't you connected to them?

Not with Windows XP. It puts up a "balloon" over the task bar that says "One or more wireless networks are available". If you (double?) click the icon, you get a list of the ones that have been detected.

It detects them by listening for the SSID broadcast from the access point. Most of the recently manufactured access points allow you to turn off the SSID broadcast, making it more difficult to detect it -- you have to configure the SSID (and WEP key, if appropriate) yourself.

17 posted on 1/30/2004, 4:50:02 AM by justlurking
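The beacon-and-SSID behaviour described in the post above, worked through as an added example (this code is not part of the column or the thread): a small Python parser for the SSID element of 802.11 beacon and probe-response frame bodies. The frames are constructed inline for illustration, with an assumed network name of "homenet"; nothing here is captured from a real network. It shows what a client sees when SSID broadcast is on, what it sees when broadcast is off (a zero-length SSID element, or a NUL-filled one on some firmware), and that a probe response to a station that asked for the network by name carries the SSID regardless of the beacon setting.

```python
"""Parse the SSID element out of 802.11 beacon and probe-response frame
bodies, to show what a listener actually sees when an access point has
"SSID broadcast" disabled.

Added example, not code from the original column or thread. The frame
bodies below are constructed by hand for illustration (assumed network
name "homenet"); they are not captures of any real network.
"""
import struct

# Management-frame body layout (the 24-byte MAC header is omitted here):
# 8-byte timestamp, 2-byte beacon interval, 2-byte capability info,
# followed by information elements (IEs), each encoded as
# 1-byte element ID, 1-byte length, payload. Beacons and probe
# responses share this layout.
FIXED_FIELDS_LEN = 8 + 2 + 2
IE_SSID = 0
IE_RATES = 1
IE_DS_PARAM = 3


def parse_ies(body: bytes) -> dict:
    """Return {element_id: payload} for the IEs in a management frame body.

    Stops at the first truncated element instead of guessing, so a
    short or damaged frame never yields a partial SSID.
    """
    ies = {}
    pos = FIXED_FIELDS_LEN
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        payload = body[pos + 2 : pos + 2 + length]
        if len(payload) != length:  # truncated frame
            break
        ies.setdefault(eid, payload)  # first occurrence wins
        pos += 2 + length
    return ies


def ssid_from_frame(body: bytes):
    """Return the SSID string, or None if the element is absent, empty or masked.

    An AP with "hidden SSID" enabled still sends beacons; it just emits
    the SSID element with zero length, or (on some firmware) as a run of
    NUL bytes of the real length. Either way nothing usable is present.
    """
    raw = parse_ies(body).get(IE_SSID)
    if raw is None or len(raw) == 0 or raw == b"\x00" * len(raw):
        return None
    return raw.decode("utf-8", errors="replace")


def build_frame(ssid: bytes, channel: int = 6) -> bytes:
    """Construct a beacon/probe-response body carrying the given SSID payload."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capabilities
    ie_ssid = bytes([IE_SSID, len(ssid)]) + ssid
    ie_rates = bytes([IE_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbit/s
    ie_ds = bytes([IE_DS_PARAM, 1, channel])
    return fixed + ie_ssid + ie_rates + ie_ds


# Constructed sample frames (not real captures):
BEACON_VISIBLE = build_frame(b"homenet")     # SSID broadcast enabled
BEACON_HIDDEN = build_frame(b"")             # SSID broadcast disabled, zero-length element
BEACON_MASKED = build_frame(b"\x00" * 7)     # SSID broadcast disabled, NUL-filled variant
PROBE_RESPONSE = build_frame(b"homenet")     # reply to a station that probed by name


def main():
    samples = [
        ("beacon, visible", BEACON_VISIBLE),
        ("beacon, hidden", BEACON_HIDDEN),
        ("beacon, masked", BEACON_MASKED),
        ("probe response", PROBE_RESPONSE),
    ]
    for name, frame in samples:
        print(f"{name:16} -> SSID {ssid_from_frame(frame)!r}, "
              f"channel {parse_ies(frame)[IE_DS_PARAM][0]}")


if __name__ == "__main__":
    main()
```

Running it prints the SSID recovered from each constructed frame: the name from the visible beacon and from the probe response, None from both hidden variants. The practical consequence is that disabling SSID broadcast only removes the name from beacons. Any station that already knows the name probes for it, and the access point's probe response (and the station's own probe request) put the name back on the air for anyone listening on the channel. Treat it, like a MAC-address list, as a convenience setting rather than an access control; in the setup described in the thread, the WEP key is the only element that actually gates access.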

To: justlurking
Most of the recently manufactured access points allow you to turn off the SSID broadcast, making it more difficult to detect it -- you have to configure the SSID (and WEP key, if appropriate) yourself.

Can the SSID and WEP be turned off at the same time?

18 posted on 1/30/2004, 4:52:36 AM by PFKEY

To: Bogey78O
I think one of the real security issues we'll soon face is unsecured home networks via open wireless connections. If you drive around almost any suburban area you'll find several open networks with no inner firewall.

It's not just the unsecured home networks, either. We live in the NW suburbs of Atlanta, Georgia.

Yesterday, I went with my son to the dentist. I had his notebook computer so that I could work while waiting for him. In the office complex where our dentist is located, I was able to access five different companies' networks.

4 of the 5 had no security provisions at all. None. Nada. The fifth one said something about having to enable something (I'm no techie!). At any rate, I simply clicked "no" or "cancel" and presto! I was in!

One of the companies was a CPA. The others were home design/decorating, contractors, and an attorney. One was a networking outfit. Go figure!

19 posted on 1/30/2004, 4:55:32 AM by Ulysses ("Most of us go through life thinking we're Superman. Superman goes through life being Clark Kent!")

To: Bogey78O
ASA uses one...it's a microwave with an auxiliary power unit.
20 posted on 1/30/2004, 4:59:48 AM by tcuoohjohn (Follow The Money)

