- James E. Farnan,
- Deputy Assistant Director, Cyber Division, FBI
- Federal Bureau of Investigation
- Before the House Committee on Government Reform
- Washington DC
- May 15, 2003
Thank you for inviting me here today to testify in this hearing at which the Committee is examining privacy and security issues associated with the use of peer-to-peer file sharing programs. This hearing and the Committee's Web page, in which you provide a link to: "Parental Tips for Internet File-Sharing Programs," demonstrate your commitment to improving the abilities of our Nation's families and businesses to be safe, secure, and crime-free while using the Internet as a tool for research, entertainment and commerce. Our work here is vitally important because Internet use grows each day, and each day there are thousands of new victims. My testimony today will address the activities of the FBI's Cyber Division as they relate to a broad spectrum of criminal acts involving identity theft, fraud, information security and computer intrusions.
A May 8th cover story in the Washington Post is nothing new to Americans today. Another gang of thieves was discovered in possession of a "veritable factory for counterfeit credit cards," including "600 pages containing more than 40,000 allegedly stolen names and credit card numbers; more than 100 newly minted cards under 100 different names, featuring the trademark Visa logo." The police also found "stacks of plastic cards, software to create identity cards, laptop computers, machinery to encode magnetic strips, and a 'skimmer' that captures a facsimile of credit card information and stores it...(and) 16-digit credit card numbers, with their expiration dates, that had been downloaded from one major retail store in the area." As the investigation continues, we will probably find that these criminals have affected the lives of hundreds of victims, perhaps destroying their credit ratings and creating hardships that will take years to abate. These thefts could be the result of computer hacking, insider theft and/or social engineering. The FBI treats each of these techniques as criminal acts, and we continue to seek out those who would use them to illegally enrich themselves. Stolen information can also be sold and used to establish new identities for fugitives or terrorists. In these cases, identity theft can have much more serious consequences.
The Federal Trade Commission's annual report lists identity theft as it's most substantial category of reported crime, at 43% of the total. Its impact on citizens and businesses both domestically and abroad, as well as the growing number of ways that such schemes can be initiated or advanced, primarily through the Internet, is a priority interest for the FBI. An understanding of the scope of the problem can only be gained by identifying the variety of acts related to identity theft, including insider theft, hacking, spam, spoofing, account hijacking, auction fraud and peer to peer (P2P) sharing. Below are some examples and definitions:
Identity theft is the fraudulent use of an individual's personal identifying information, such as a social security number, mother's maiden name, date of birth or bank account number. Identity theft includes alias identity crimes in which an individual's true identity is completely fabricated and not identified with a real person, whether living or deceased. Identity theft is normally a preliminary step toward committing other crimes. Some will engage in identity theft for financial gain, others to avoid arrest or detection, attain legal immigrations status, or obtain government benefits. Victims of identity theft may not realize that someone has stolen their identity until they are denied credit or until a creditor attempts to collect an unpaid bill. Identity theft can be a component of many crimes, including bank fraud, telemarketing fraud, Ponzi schemes, credit card fraud, bankruptcy fraud, money laundering, insurance fraud, cyber crimes and unlawful flight to avoid prosecution (fugitives). The FBI's Criminal Investigative Division has recently begun to track identity theft as a component of other criminal activities. Their efforts will statistically measure the increase in crimes involving identity theft.
Spam generally refers to unsolicited incoming messages inviting an individual to buy, sell, invest or join a certain club. Significantly, The Internet Fraud Complaint Center (IFCC) is seeing more and more spam referrals in which individuals are being directed to provide certain personal, including financial and password information, to remedy a credit problem, update their account information, or to avoid being part of an undesirable mailing list.
In one investigation, subjects collected individual e-mail addresses from Internet chat rooms and other Internet sources. The subjects then sent e-mail to individuals requesting credit card and personal information. The e-mail appeared to be from the victims' Internet service provider (ISP) (spoofed e-mail) claiming that the victims needed to provide current billing information. Victims would respond and provide their credit card and personal information, believing the information was going to their ISP. The subjects used credit card and personal information to obtain cash advances and purchase items utilizing the Internet.
In another investigation, subjects established a spoofed web-site, which was made to appear to be a U.S financial institution. This site was used to lure victims into providing personal financial information, including credit card and debit card numbers, which were than transmitted abroad to criminals who used the stolen cards at automatic teller machines throughout Europe.
Auction Fraud and Account Hijacking
Over the past year, the IFCC has received many complaints regarding auction sites wherein a customer's account was hijacked. In such cases the perpetrator gains unauthorized access (via computer intrusion) to customer accounts, determines which accounts have a good reference/feedback history, and represent themselves as that individual, selling merchandise, which is ultimately never delivered. Losses in such schemes range from hundreds of dollars to upwards of $100K with numerous victims. These types of schemes can also result in identity theft when unsuspecting customers provide credit card information to the criminal.
Computer intrusions are a different category from most fraud schemes. Many intrusions are never reported because companies fear a loss of business from reduced consumer confidence in their security measures or from a fear of lawsuits. Most of the outsider-intrusions cases opened today are the result of a failure to patch a known vulnerability for which a patch has been issued. Theft of consumer information from a computer system can only be facilitated two ways: by insiders or by outside hackers. Insiders have various motivations, including retribution and money. Outsiders are usually motivated by challenge and/or greed.
The IFCC recently received a referral through its website, in which the computer system of a small business that sold certain pharmaceutical products online was compromised by a hacker, who acquired credit card numbers, and the names and addresses of approximately 200 customers. This information was then posted on an Internet message board, where access to this personal data could be gained by anyone with an computer and an Internet account.
The FBI has seen a steady increase in computer intrusion/hacking cases. With the proliferation of "turn key" ("turn key" in that no special knowledge is needed to apply the tool - you only need to download the tool and apply it) hacking tools/utilities available on the Internet, this trend is not surprising. In many cases, computer intrusion incidents may represent the front end of a criminal matter, where credit card fraud, economic espionage, and/or identity theft represent the final result, and the intended purpose of the scheme. In some cases, a computer intrusion may also have been for the purpose of installing a Trojan, or back door that the hacker can later access. The hacker may want to launch a denial of service (DOS) attack, or to access personal financial, or other sensitive data contained on that system.
P2P networks primarily serve as a "come and get it" resource on the Internet. In using such a utility, the user specifically searches for the item they want, e.g. music, images, or software. The most significant criminal activity involving P2P sharing centers largely on intellectual property rights (music and software piracy) matters, an area in which the FBI has been working closely with private industry. The FBI has also seen an increase in P2P sharing of child pornography files.
Although no instances of identity theft have been reported to be associated with P2P networks, there are several dynamics that should also be considered:
The FBI has seen an increasing number of instances where a victim has determined that a Trojan/back door was installed on their computer during a download from a P2P network. In some cases, the victim also learned that personal, financial information had also been removed from their computer via the back door.
In addition to traditional Trojans/back doors, The FBI has seen an increase in matters where certain "bots" (active Trojans) have been installed inadvertently via a P2P download. In these instances, the victim computer, via the bot, essentially reports to a designated Internet relay chat (IRC) site, awaiting further instructions from its creator. The creator of the bot will often use the compromised computers to launch coordinated denial of service attacks against a targeted site or sites. These bots could also be used to retrieve sensitive information from victim computers in furtherance of an identity theft scheme.
A person using P2P utilities for unauthorized or illegal purposes is not as likely to tell the FBI that an exploit (back door) was found on their system, or that as a result, certain personal or financial information may have been taken. The FBI has been made aware of instances where Trojans or bots have been found on computer systems where P2P programs are present, and where certain personal, financial or other sensitive information has been taken.
The FBI is in a unique position to respond to most cyber crimes, because it is the only Federal agency that has the statutory authority, expertise, and ability to combine the counterterrorism, counterintelligence, and criminal resources needed to effectively neutralize, mitigate, and disrupt illegal computer-supported operations.
The FBI's Cyber Division
The FBI's reorganization of the last two years included the goal of making our cyber investigative resources more effective. In July 2002, the reorganization resulted in the creation of the FBI's Cyber Division. In prioritizing Cyber Crime, the FBI recognizes that all types of on-line crime are on the rise.
The Cyber Division addresses cyber threats in a coordinated manner, allowing the FBI to stay technologically one step ahead of the cyber adversaries threatening the United States. The Cyber Division addresses all violations with a cyber nexus, which often have international facets and national economic implications. The Cyber Division also simultaneously supports FBI priorities across program lines, assisting counterterrorism, counterintelligence, and other criminal investigations when aggressive technological investigative assistance is required. The Cyber Division will ensure that agents with specialized technology skills are focused on cyber related matters.
At the Cyber Division we are taking a two-tracked approach to the problem. One avenue is identified as traditional criminal activity that has migrated to the Internet, such as Internet fraud, on-line identity theft, Internet child pornography, theft of trade secrets, and other similar crimes. The other, non-traditional approach consists of Internet-facilitated activity that did not exist prior to the establishment of computers, networks, and the World Wide Web. This encompasses "cyber terrorism," terrorist threats, foreign intelligence operations, and criminal activity precipitated by illegal computer intrusions into U.S. computer networks, including the disruption of computer supported operations and the theft of sensitive data via the Internet. The FBI assesses the cyber-threat to the U.S. to be rapidly expanding, as the number of actors with the ability to utilize computers for illegal, harmful, and possibly devastating purposes is on the rise.
The mission of the Cyber Division is to: (1) coordinate, supervise and facilitate the FBI's investigation of those federal violations in which the Internet, computer systems, or networks are exploited as the principal instruments or targets of terrorist organizations, foreign government sponsored intelligence operations, or criminal activity and for which the use of such systems is essential to that activity; (2) form and maintain public/private alliances in conjunction with enhanced education and training to maximize counterterrorism, counterintelligence, and law enforcement cyber response capabilities, and (3) place the FBI at the forefront of cyber investigations through awareness and exploitation of emerging technology.
To support this mission we are dramatically increasing our cyber training program and international investigative efforts. Consequently, specialized units are now being created at FBI Headquarters to provide training not only to the 60 FBI cyber squads, but also to the other agencies participating in existing or new cyber-related task forces in which the FBI is a participant. This training will largely be provided to investigators in the field. A number of courses will be provided at the FBI Academy at Quantico.
The importance of partnerships like law enforcement cyber task forces and alliances with industry can not be overstated. Those partnerships help develop early awareness of, and a coordinated, proactive response to, the crime problem. The cyber crime problem is constantly changing, requiring law enforcement to develop a flexible and dynamically evolving approach as well. Critical infrastructures and e-commerce are truly on the "front lines" and most often better positioned to identify new trends in cyber crime. Similarly, because of the actual and potential economic impact of cyber criminals, private industry has a vested interest in working with law enforcement to effectively detect, deter and investigate such activity.
The Cyber Division is also embarking on a significant effort to improve our overseas investigative capabilities. We will be training more foreign police officers, and sending FBI personnel throughout the world to help investigate cyber crimes when invited or allowed by a host country. We believe this dramatic increase in high tech training and overseas investigations is justified by the increasing internationalization of on-line crime and terrorist threats.
Through the Internet Fraud Complaint Center (IFCC), established in 1999 in partnership with the National White Collar Crime Center (NW3C), the FBI has appropriately positioned itself at the gateway of incoming intelligence regarding cyber crime matters. The IFCC receives complaints regarding a vast array of cyber crime matters, including: computer intrusions, identity theft, economic espionage, credit card fraud, child pornography, on-line extortion and a growing list of internationally spawned Internet fraud matters. The IFCC received 75,000 complaints in 2002, and is now receiving more than 9000 complaints per month. We expect that number to increase significantly as the American and international communities become more aware of our mission and capabilities. Later this year, the IFCC will be renamed as the Internet Crime Complaint Center (IC3) to more accurately reflect its mission.
If the IFCC received an intrusion report from a company in Birmingham, Alabama, we would first attempt to locate where the intrusion took place. That same company may have its servers in Minneapolis, while the intruder is routing attacks through Internet providers in California and Europe. If the servers in Minneapolis were hacked, the Minneapolis Cyber Crime Task Force would be assigned the lead on the case. The leads could start in California, but end up in Eastern Europe, Nigeria or even back to Birmingham, if an insider was involved. One of the FBI's Computer Analysis Response Teams (CART) would be called upon to preserve computer forensic evidence, and that evidence could be forwarded to one of our new Regional Crime Forensic Labs, now located in Chicago, Dallas and San Diego. The Lab would determine the extent and duration of the intrusion, and whether the attacker came from inside or outside the company. Depending on the sophistication of the intruder, the case can be cracked in a few days or take years. It is important to note again that an intrusion may only be the first indication of another crime. An intrusion could finally result in anything from identity theft, terrorism, or espionage. Cases are routinely complex, and often involve international connections. The following cases serve as examples of typical cyber crimes:
Raymond Torricelli, aka "rolex"
Raymond Torricelli, aka "rolex," the head of a hacker group known as "#conflict," was convicted for, among other things, breaking into two computers owned and maintained by the National Aeronautics and Space Administration's Jet Propulsion Laboratory ("JPL"), located in Pasadena, California, and using one of those computers to host an Internet chat-room devoted to hacking.
Torricelli admitted that, in 1998, he was a computer hacker, and a member of a hacking organization known as "#conflict." Torricelli admitted that he used his personal computer to run programs designed to search the Internet, and seek out computers which were vulnerable to intrusion. Once such computers were located, Torricelli's computer obtained unauthorized access to the computers by uploading a program known as "rootkit." The file, "rootkit," is a program which, when run on computer, allows a hacker to gain complete access to all of a computer's functions without having been granted these privileges by the authorized users of that computer.
One of the computers Torricelli accessed was used by NASA to perform satellite design and mission analysis concerning future space missions, another was used by JPL's Communications Ground Systems Section as an e-mail and internal web server. After gaining this unauthorized access to computers and loading "rootkit," Torricelli, under his alias "rolex," used many of the computers to host chat-room discussions.
Torricelli admitted that, in these discussions, he invited other chat participants to visit a website which enabled them to view pornographic images and that he earned 18 cents for each visit a person made to that website. Torricelli earned approximately $300-400 from per week from this activity. Torricelli also pled guilty to intercepting user names and passwords traversing the computer networks of a computer owned by San Jose State University. In addition, Torricelli pled guilty to possession of stolen passwords and user names which he used to gain free Internet access, or to gain unauthorized access to still more computers. Torricelli admitted that when he obtained passwords which were encrypted, he would use a password cracking program known as"John-the-Ripper" to decrypt the passwords. He also pled guilty to possessing stolen credit card numbers that he obtained from other individuals and stored on his computer. Torricelli admitted that he used one such credit card number to purchase long distance telephone service.
Much of the evidence obtained against Torricelli was obtained through a search of his personal computer. In addition to thousands of stolen passwords and numerous credit card numbers, investigators found transcripts of chat-room discussions in which Torricelli and members of "#conflict" discussed, among other things, (1) breaking into other computers; (2) obtaining credit card numbers belonging to other persons and using those numbers to make unauthorized purchases; and (3) using their computers to electronically alter the results of the annual MTV Movie Awards. This case illustrates the wide variety of criminal acts which can result from security vulnerabilities.
Raphael Gray, aka "Curador"
On March 1, 2000, a computer hacker using the name "Curador" compromised several e-commerce websites in the U.S., Canada, Thailand, Japan and the United Kingdom, and stole as many as 28,000 credit card numbers with losses estimated to be at least $3.5 million. Thousands of credit card numbers and expiration dates were posted to various Internet websites.. After an extensive investigation, on March 23, 2000, the FBI assisted the Dyfed Powys (Wales, UK) Police Service in a search at the residence of "Curador," Raphael Gray. Mr. Gray, age 18, was arrested and charged in the UK along with a co-conspirator under the UK's Computer Misuse Act of 1990. This case illustrates the benefits of law enforcement and private industry around the world working together in partnership on computer crime investigations.
Cyber crime continues to grow at an alarming rate, and identity theft is a major part of the increase. Criminals are only beginning to explore the potential of crime via peer-to-peer networks while they continue to steal information by hacking, insider exploitation and social engineering. The FBI is grateful for the efforts of your Committee and others dedicated to the safety and security of our Nation's families and businesses. The FBI will continue to work with your Committee and aggressively pursue cyber criminals as we strive to stay one step ahead of them in the cyber crime technology race.
I thank you for your invitation to speak to you today and on behalf of the FBI look forward to working with you on this very important topic.