NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > InfoSec News> 2007-q1

[ISN] CSI: TCP/IP

From: InfoSec News (alertsinfosecnews.org)
Date: Wed Jan 03 2007 - 00:17:19 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.wired.com/wired/archive/15.01/cybercop.html

By Robin Mejia
Wired Magazine [1]
Issue 15.01
January 2007

Keep your friends close and your enemies closer. Why the Pentagon's
toughest Internet crime fighter likes hanging out with blackhat hackers.
By Robin Mejia

LOCATED ON THE LESS FASHIONABLE north end of the Las Vegas strip, the
Riviera Hotel and Casino has seen better days. Even the girls in posters
for the hotel's topless revue could use a makeover. But hey, it's cheap.
Which is why 6,000 hackers have descended upon it for DefCon, billed as
the "largest underground hacking event in the world." So while the hotel
is no doubt happy for the business, it's also in classic Vegas fashion
hedging its bet. Employees received a memo warning them to be on the
lookout for people skimming guests' card numbers. Credit card processing
has been suspended in the food court. The Riviera doesn't need the
grief.

Yet the Riviera's conference facilities are strangely tranquil. In the
"chill-out room," a bored-looking cashier is selling burgers, chicken
sandwiches, and salads to people too focused or too lazy to walk across
the hotel to the Quizno's. On the wall next to the bar, someone is
projecting usernames and the first few letters of the associated
passwords noobs sent that info unencrypted over the conference's
wireless network. At the front of the room, a middle-aged man in khaki
shorts sits with a small group having a beer. He's graying, a little
thick around the middle. Across the back of his polo shirt are the words
dod cyber crime response team as in US Department of Defense.

A big guy with a shaved head walks up. "You're Jim Christy," he says,
smiling. He has a hint of an accent.

Christy smiles back: "What's your handle?"

"Oh, I don't really have a handle."

All hackers have handles. Christy pushes it. "But really," he says,
"what's your handle?"

"Most guys go through that phase for a while, but for me, it was really
just a couple of days. Not enough time for a handle." They're both
smiling. Neither has broken eye contact.

Christy points out a pulsing vein in the guy's neck suggesting it's a
sign he is lying. The guy calls Christy an old man. He hints that maybe
he might have some small connection to Mossad. As he finally sits down,
Christy passes him a business card.

"You know, sometimes I become aware of botnets running on DOD networks,"
the maybe-ex-intelligence agent says. "It would be nice to have someone
to contact." Christy says he'd be happy to oblige.

Bingo: another node in the Jim Christy network. That's why he comes to
DefCon, to extend his already vast informal intelligence web of hackers,
security professionals, and computer geeks. He's also here to pick up
tips, of course. And to try to recruit a few of the blackhats to the
side of justice or at least to scare them straight. "We're appealing to
their patriotism," he says. "And if that doesn't work, then fear works,
too."

Fifteen years ago, Christy founded the Pentagon's first digital
forensics lab. Back then, most cops didn't even bother to seize
computers when they executed a search warrant. Ten years ago, he was the
guy they tapped to explain computer security to senators and the White
House. Now Christy has built his shop into the world's largest center
for pulling evidence off damaged or encrypted hard drives, tracking
hackers across networks, reconstructing terrorists' computers, and
training a new generation of law enforcement. He's the government's
original geek with a gun.

JIM CHRISTY was 19 when he joined the military. It was 1971; he was
barely passing his classes at a Baltimore-area junior college and
working full time at a car wash to help support his parents. Christy
knew he wouldn't qualify for a student deferment. He figured that if he
had to go in, he'd choose how. He enlisted in the Air Force.

But Christy didn't end up in Vietnam. He became a computer operator,
eventually landing on the night shift at the Pentagon. He stayed on
after his discharge, and in 1986 he heard the Air Force Office of
Special Investigations was looking for a computer crime investigator. "I
read the job announcement and said, 'Wow, I get to stay with technology
and carry a gun and be a cop play cops and robbers for real?'"
Apparently, his experience writing Cobol and Fortran algorithms to
organize how people paid for parking at the Pentagon gave him an edge;
Christy was hired as the assistant chief of the 16-person unit.

About the same time, Cliff Stoll, a UC Berkeley astronomer turned
computer security guru, found hackers on his network. In The Cuckoo's
Egg, Stoll's now-classic account of the story, he says that local police
had no idea what he was talking about, and the FBI dismissed it as
small-potatoes fraud. They told him to call back when he'd lost half a
million dollars.

Stoll finally found Christy. Though Stoll's hackers had accessed only
unclassified military computers, Christy thought it was espionage. "I
realized the guy was searching for 'SDI,' which was the old Star Wars
Strategic Defense Initiative, or 'nuclear,' or 'chemical,' or
'biological,'" Christy says.

Stoll turned out to be a good teacher, full of tricks for tracking bad
guys online. Together with a like-minded FBI agent, the pair traced the
hackers back to West Germany. They sent police there to pick up five
men, in their late teens to early twenties, selling US military
documents to the KGB. The bust made his reputation. As DefCon founder
Jeff Moss (handle: the Dark Tangent) tells it, in the late '80s and
early '90s there were only three people hackers worried about. Christy
was one of them. "It was like, be fearful, there's Jim Christy. Holy
crap, stay out of his way."

As computers and networks became common, Christy's caseload grew. In
1991, a murder suspect on an Air Force base chopped up two floppy disks.
Investigators found 23 pieces, which Christy took to forensic
specialists in law enforcement and intelligence. They said they couldn't
help. Eventually, he and a deputy put the fragments together with tape
and a magnifying glass; he recovered about 95 percent of the data,
practically handing the military prosecutor a conviction. (Will he
reveal who said it couldn't be done? "No way," Christy says. "I have to
work with those agencies.") That same year, Christy founded his digital
forensics lab, which was really just him and another guy reading
confiscated hard drives with scavenged equipment at Bolling Air Force
Base in DC. But the Pentagon started to see their value, and in 1998,
Christy's lab was moved from the Air Force to the Department of Defense.

The team became known for recovering ungettable evidence. Once, the
Naval Safety Center sent them a mass of unspooled black recording tape,
the remains of a flight data recorder destroyed in a collision of two
F-18s. One of the pilots had died in the crash, and the Navy thought the
blame lay with the surviving pilot. Christy's group cleaned the
firefighting foam off the tape, reconstructed and respooled it, and
salvaged most of the data. The safety board used it to determine that
the dead pilot was actually at fault.

In another case, the wife of an airman thought her husband was trying to
kill her. Office of Special Investigations agents taped her confronting
him over the phone. When the suspect got wind of the recording, he set
fire to the office where the tape was stored. The team found the charred
and melted remains of the cartridge, but they realized that the tape was
wound so tightly inside that only its edges were burned. Christy's team
recovered the audio and the Air Force charged and convicted the airman
with conspiracy to commit murder and arson.

Meanwhile, Christy was putting in time on Capitol Hill. He'd get up
early, do a few hours at the lab, then go coordinate cybersecurity
hearings for the Senate or work on the President's Task Force on
Infrastructure Protection. "We'd send him to see a senator," says Dan
Gelber, a Florida state representative and former staff director for the
US Senate Investigations subcommittee. "He'd go in there and explain not
only how the Internet worked, but how it was breached." Other staffers
started calling Gelber to find Christy their bosses wanted his
briefings. "They finally had someone explain to them what happened on a
computer and why it was important."

That's when Christy started hanging out with hackers. His superiors
didn't quite understand why he was going to DefCon; why not just send
undercover agents? But Christy knew that if he talked to hackers,
hackers would talk to him. One former blackhat says that meeting Christy
and his fellow government operatives at DefCon over the years convinced
him to switch sides. "When you realize that all the hackers in other
countries, especially China, are ganging up on America, it doesn't take
a rocket scientist to decide what side you want to be on," he says.
After a couple of years working undercover "with, not for" various
agencies with three-letter initialisms, he enlisted in the Army. He
plans to try for Special Forces and hopes to get a job in law
enforcement when he's done.

THE DEFENSE Cyber Crime Center, or DC3, occupies a low unmarked brick
building just off Highway 295, the Baltimore-Washington Parkway. Christy
now heads its research lab, the Defense Cyber Crime Institute, on the
top floor. It's tasked with ensuring that the tools and technologies
used by the guys downstairs actually perform as advertised, a process
called validation. Digital forensics is still a relatively young field;
most of the applications Christy used in the 1980s were written by two
really smart IRS agents at home in their off hours. "We'd say, 'We need
stuff that does X,' and they'd go develop it," Christy says. But these
days the institute spends months evaluating everything homegrown or not
before deployment. "You need to make sure that the tool doesn't create
evidence," Christy says. One piece of software reported that a cell
phone had sent a text message when it hadn't not cool if you're trying
to figure out when two suspects were in contact.

The rest of the team works on problems that commercial software can't
yet handle, like decoding information hidden inside images or audio
files. It's called steganography, and there are more than 100 free tools
that can do it. The trouble is, pedophile rings are increasingly relying
on steganography to hide child pornography. And while some commercial
software can sniff out a steganographically concealed file, it can't
decrypt it. Christy's institute is working on software that can reveal
the contents of a steg file. "It could be like a virus scan," Christy
says.

But even with 38 staffers, Christy has more problems than time. So this
summer, he decided to get outside help. At DefCon, Christy announced the
DC3 Forensics Challenge: 12 problems covering everything from
recognizing faked images to cracking passwords Christy had answers to
only 10. Whoever solved the most first (or best) would win a free trip
to Christy's annual DOD Cyber Crime Conference. More than 130 teams
signed up.

Of course, Christy will never keep pace with every tool the bad guys or
the good guys, for that matter can come up with. "One of the big things
we're struggling with is gonna be Vista and BitLocker," he says.
Microsoft's BitLocker Drive Encryption locks down an entire hard drive
if the startup information is changed or a particular chip is removed.
Microsoft has pledged never to create a BitLocker backdoor, and Christy
worries about what that means for his team. "Right now, a dead box comes
to us, and with the tools we have, we can exploit it," he says. "With
Vista, we're gonna get dead boxes and they're gonna stay dead."

Maybe it's a good problem for next year's Forensics Challenge. Or maybe
he won't have to wait that long for help. The contest has introduced
Christy to universities and research groups across the country that,
before last August, had no idea DC3 existed. Now many want to be his
partner.

AT 7 O'CLOCK on the opening night of DefCon, Christy and 10 other
middle-aged, casually dressed white guys settle into their seats at the
front of the Riviera's grand ballroom. Most have the short hair and
perfect posture that come from long stints in the military or law
enforcement. They're all old friends of Christy's. One is an assistant
secretary of defense, another is ex-NSA. The title of the panel is Meet
the Fed, an oddity at a conference where the badges have no names on
them and registration is cash-only to preclude the creation of an
attendee roster.

In fact, any registered conference attendee who outs an undercover agent
gets a T-shirt that reads i spotted the fed. So Christy decides to have
some fun. "We're gonna play a little game here," he says. "It's gonna be
called 'Spot the Lamer.'" He sends two of his programmers out into the
room to pick six candidates.

The unlucky six line up, and panel members start in with questions.
"Number two, have you ever participated in a Star Trek marathon?"

"No sir, I'm a Star Wars fan."

"Number four, have you compiled your kernel yet today?"

He did it yesterday.

"Number three, have you ever been caught playing with a 3-inch floppy?"

It's hard to hear the answer over the laughter.

The winner, by audience acclaim, turns out to be number three, who
apparently speaks fluent hexadecimal.

Christy wraps things up with a pitch. "It's a lot harder to defend a
network than it is to break into one," he says. "And we could use a lot
of talented people. So if you haven't crossed that line yet, don't. Come
to work for us."

The hackers start to ask questions of their own. One guy says he's in a
band called Preteen Porn Star, and he wants to know what to do with the
creepy inquiries that come in through its Web site. Others want to talk
about the government's support of open source. But the paycheck Christy
hinted at is what really gets their attention.

"So," says an attendee in de rigueur black, "a few youthful
indiscretions will they disqualify you from jobs at a federal agency?"

"Not forever," Christy says. "But if you were doing it last week, you'd
probably be ineligible."

A long line of fans trails Christy out the door, hackers and script
kiddies queued up to ask advice and hand over tidbits of information.
One tells Christy about a way he's discovered to strip information off
of RFID chips. Another wants a business card so he can email about
future employment.

So does Christy have undercover informants at DefCon? He shrugs. Of
course. Then why go himself? "We not only find out what's happening," he
says, "we find out who's doing it."

Even better, a few months after the conference, he got a call from one
of the organizers, a fixture in the hacker community. The guy wanted
advice on how to get a job doing digital forensics. Another node in the
Jim Christy network.

Robin Mejia (mejia (at) nasw.org) wrote about computer surveillance and
the movie Enemy of the State in issue 14.06.

[1] http://www.amazon.com/exec/obidos/ASIN/B00005N7TL/c4iorg

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]