How do you know if the FBI is going to come after you for an innocent little hack?
Documents reveal feds' methods, though not the priorities that make the FBI's attention unpredictable
Ever wonder how the FBI decides a case is worth investigating, and how it decides whether the investigation is justified just because a crime was committed, or because it was committed by or in the name of some counter-cultural force such as Anonymous that needs to be squelched?
So did Ars Technica, which filed a Freedom of Information Act request asking for case documents describing how the FBI investigated attacks by members of Anonymous on web pages and Facebook accounts connected with Fox pundit Bill O'Reilly and his staff in 2008.
The FBI case documents on Anonymous (PDF) showed the FBI opened the investigation only a day after members of Anonymous broke into the member database of O'Reilly's Fox web site, which held contact and login information for 205 members paying $5 a month for more streams of bloviation than they could get straight from Fox or O'Reilly free.
Hackers took the membership data and used some of it to buy joke products (penile enlargement products for one woman member) and to break into AOL, Facebook and other accounts for which the O'Reilly members used the same login information.
The FBI got involved after Fox staffers claimed members of Anonymous contacted the network to threaten they planned to rape the woman to whom they'd sent penile enlargement products.
Agents' first concern, apparently, was that evidence would be lost or deleted. They sent "preservation letters" to Facebook and ISPs ordering that activity logs, messages and other records relevant to the attacks not be deleted or modified.
By analyzing server logs, the FBI found attackers got in by using an applet designed to create a list of new members without going through the security that protected the rest of the site's administrative functions and data.
Anonymi found the error, the documents theorize, by running searches from "various IPs" looking for pages within the administrative section but not controlled by security. The new-member report gave them the 205 names, emails and logins they used.
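As an added illustration (not from the article or the FBI case documents), here is how a site's own access logs would expose both halves of what the documents describe: an admin-area page that answers requests with no session, and the probing from "various IPs" that finds it. The log format, addresses and paths are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access log for this example (addresses, paths and the
# trailing session marker are made up; nothing here is from the FBI documents).
LOG_LINES = """\
203.0.113.5 "GET /admin/index.php HTTP/1.1" 403 nosession
203.0.113.5 "GET /admin/users.php HTTP/1.1" 403 nosession
203.0.113.5 "GET /admin/billing.php HTTP/1.1" 404 nosession
198.51.100.9 "GET /admin/newmembers.php HTTP/1.1" 200 nosession
198.51.100.9 "GET /admin/newmembers.php?page=2 HTTP/1.1" 200 nosession
192.0.2.77 "GET /admin/index.php HTTP/1.1" 200 session
192.0.2.77 "GET /members/video.php HTTP/1.1" 200 session
""".splitlines()

LINE_RE = re.compile(r'^(\S+) "(\w+) (\S+) [^"]*" (\d{3}) (session|nosession)$')

def parse(line):
    """Split one log line into fields; returns None for lines it can't read."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, status, sess = m.groups()
    return {"ip": ip, "method": method, "path": path.split("?")[0],
            "status": int(status), "authenticated": sess == "session"}

def unprotected_admin_pages(lines):
    """Admin-area URLs that served 200 to a client with no session: a page
    left outside the access-control wall, like the new-member applet."""
    hits = set()
    for rec in filter(None, map(parse, lines)):
        if rec["path"].startswith("/admin/") and rec["status"] == 200 \
                and not rec["authenticated"]:
            hits.add(rec["path"])
    return sorted(hits)

def admin_probing_ips(lines, min_paths=3):
    """IPs refused on several distinct admin paths: the 'searching for pages
    not controlled by security' pattern the documents describe."""
    tried = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if rec["path"].startswith("/admin/") and rec["status"] in (401, 403, 404):
            tried[rec["ip"]].add(rec["path"])
    return sorted(ip for ip, paths in tried.items() if len(paths) >= min_paths)

if __name__ == "__main__":
    print("unprotected:", unprotected_admin_pages(LOG_LINES))  # ['/admin/newmembers.php']
    print("probing from:", admin_probing_ips(LOG_LINES))       # ['203.0.113.5']
```

The first finding is the one a review of the site's authorization wall should have caught before any attacker did; the second is the signal an administrator would have had in hand when the "preservation letters" arrived.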
The FBI traced the "various IPs" back to a proxy server web site, from which they traced it to another proxy service called VTunnel. Because VTunnel didn't keep IP address logs covering the time of the attack and the identities stolen from O'Reilly's site were outside the normal security wall, investigators gave up and closed the case.
Though the FBI's reputation for tracking down and arresting members of Anonymous particularly, and hackers in general, is lower than that of British police agencies (who routinely exercise powers of search and seizure verboten by the Constitution in this country, and often arrest the wrong people anyway), the FBI's online investigations are in line with techniques common to commercial IT security firms.
There are a few big differences, most of which are advantages:
First, the FBI goes real-world quickly.
Once an investigation is launched, the FBI is much more able and willing to go interview victims, suspects and anyone else than a commercial security company, which will do as much investigation as possible digitally or by interviewing employees of the company that hired it.
Getting a client's approval for the expense and trouble of having investigators interview external witnesses or potential suspects is harder to obtain and comes with legal-liability hurdles.
The FBI has agents (theoretically) trained in cyber-crime investigations in a "cyber-squad" in each of its 56 regional offices, so it has more feet on the street at lower cost than most security consultants.
Second: the FBI has badges.
If a Kroll Security employee knocks on your door and asks whether you'd like to talk about whether you spent last night wandering around inside a client's network, you can say 'no' and close the door. Kroll might go to the cops or FBI to get a search warrant, but could only get a reaction by presenting some convincing evidence you were personally involved – evidence it might not have until the end of the investigation you're obstructing and which it might not want to present to police until the client has made a decision about what to do about an incident.
If the agent knocking at your door has an FBI badge you can still just close the door. But it's much easier for the FBI to accessorize an investigation with search warrants, subpoenas or battering rams than it is for commercial security organizations. So, even if you're not intimidated by the badge or moved by the wish to seem innocent, a federal knock on the door carries a much higher level of threat than a commercial one.
Third, the FBI can be really persistent.
Say, just for the sake of argument, that you attacked Bill O'Reilly's web site and took account data that included credit-card numbers, Social Security numbers and bank accounts.
If three or four years passed and you hadn't heard from investigators hired by Fox, odds are, you never would.
In November of 2010, the FBI raided the dorm room of University of Akron student Mitchell Frost and used a disk it found hidden above a ceiling tile to get him a sentence of two years in jail and fines totaling $50,000 for attacks on O'Reilly in 2006 and 2007 and hacks against the University of Akron.
Fourth (and weakness No. 1): the FBI has limited attention, but lots of friends:
The FBI wouldn't have nailed Frost for the O'Reilly attack if he hadn't also been under investigation for other attacks. He got on the radar of IT people at the University of Akron by launching malware and penetration attacks through their network to other sites and, at one point, taking the whole network offline for more than 8 hours after attacking a game server in the U. Akron library.
A network administrator started collecting activity logs on Frost, reported the attacks to University Police, who reported them to the Secret Service, which brought in the FBI.
So, even hackers who manage to keep the feds from noticing them – or who elude capture for long enough that it's not worth the time of individual agents to keep pursuing that one case – have a good chance of being dimed out for other things.
None of those friends – whether commercial security firms like Kroll or humble network admins from your alma mater – has the kind of power the FBI does. They all have one power it doesn't – they're a lot closer to you, are much more likely to realize what you're up to, and are able to bring the feds down on you with a phone call.
And if it's the IT people you piss off, there will be some hard evidence of your activities from server, network and firewall activity logs – information the agents themselves may either never request or may take far too long
Fifth (and weakness No. 2): The FBI's short attention span is focused by outrage
There are a lot of crimes of all kinds going on all the time, far more than even the FBI has time or resources to investigate.
So it has to divide its time according to priorities that sometimes favor hackers by pushing them far down the list of potential public enemies, and sometimes punish them unfairly by raising hacking or hacktivism to an unreasonably high profile considering the amount of damage it does.
Despite reports showing attacks on military, government and utility companies had increased 40 percent to 50 percent in just the previous year, the Dept. of Justice concluded in April that the FBI's cyber security division doesn't get enough time or funding to train its agents properly and, when it does, has them spend twice as much time on child-porn cases as it does on cybercrime and cyberespionage.
That's a political decision based on the number of citizens screaming about child abuse and child porn compared to security consultants soberly warning about the threat to the national IT infrastructure.
Members of Congress and political appointees in the DoJ and other federal agencies set those priorities, not FBI agents or supervisors in the field – which means the agency's priorities, available resources and determination to lock up one type of criminal vs. another can change in the blink of an eye.
That eye blinked last year, when Anonymous attacked Visa, Mastercard and Paypal following the arrest of WikiLeaks founder Julian Assange.
Those high-profile attacks and the purposeful provocation of LulzSec's attacks on FBI-affiliate organizations and the U.S. Senate added fuel to increase the heat the FBI was willing to bring to cybercrime and, just as important in political terms, its interest in bragging about its successes.
In January it got and executed 40 warrants simultaneously as part of the investigation into Anonymous DDoS attacks. In July it arrested 14 alleged Anonymous members in connection with the attacks and pointed the finger at two that British police arrested.
And – all in July – it arrested a 21-year-old AT&T employee for posting confidential company documents on a public site, got a conviction for a former pharmaceutical company IT guy for wiping out his former employer's VMware infrastructure and arrested the "neighbor from hell" who hacked into a Minneapolis neighbor's WLAN network.
A year ago it might not have pursued those cases, but definitely wouldn't have been bragging about them.
In the politics of federal bureaucracies, things an agency is willing to brag about, it's willing to spend a lot of budget on to appear successful.
The FBI is apparently working off a list of the 1,000 top DDoS IP addresses in those attacks as it hunts down those responsible. And the UK recently arrested the young man believed to be "Topiary," who functioned as the voice of Anonymous and a spin-off group called LulzSec and was involved in the HBGary Federal debacle earlier this year. – Ars Technica
The FBI wouldn't give up any more recent documents or details on how it's increasing its attention or investigation of Anonymous, LulzSec or the rest, according to Ars Technica.
Considering the amount of attention drawn to the whole area by both Anonymous and LulzSec, you can bet it's a lot safer to trade child porn online than it was last year and a lot more dangerous to be Anonymous, whether you're hacking to make a political statement, deflate an ego like O'Reilly's or to make a buck.
That the increase in attention and resources hasn't resulted in wholesale roundups of Anonymi you can attribute either to the stealth of the hackers or to the ineptness of investigators.
The FBI, imperfect, understaffed and inexpert as it often unquestionably is when dealing with cybercrime of any kind, has clearly pushed the whole issue way, way up in its priority list and will keep it there for as long as Congress or the public seems ticked off about it.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty.