Incident of the Week: Army Intelligence Analyst In Custody After Claiming that He Leaked Thousands of Classified Documents

22-year-old U.S. Army intelligence analyst Bradley Manning is reportedly in custody in Kuwait after claiming that he sent 260,000 classified documents to the WikiLeaks website. According to WIRED, Manning, who served at Forward Operating Base Hammer near Baghdad in Iraq, made the admission after reaching out to former hacker Adrian Lamo in a series of Internet chats beginning on May 21st.  Manning ominously began the conversation with the following:

(1:41:12 PM) Bradley Manning: hi
(1:44:04 PM) Manning: how are you?
(1:47:01 PM) Manning: im an army intelligence analyst, deployed to eastern baghdad, pending discharge for “adjustment disorder” [. . .]
(1:56:24 PM) Manning: im sure you’re pretty busy…
(1:58:31 PM) Manning: if you had unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months, what would you do?

[Read more of Manning's discussions with Lamo at WIRED.]
 
Lamo continued Internet discussions with Manning after tipping off the FBI and Army CID of the potential leak.  "I wouldn't have done this if lives weren't in danger," Lamo told reporters at WIRED. "He was in a war zone and basically trying to vacuum up as much classified information as he could, and just throwing it up into the air."
 
The turning point for Manning apparently came when he was ordered to investigate the Iraqi Federal Police's arrest of Iraqis for distributing "anti Iraq" literature.  When Manning discovered that the literature in question was a "benign political critique" of Iraqi Prime Minister al-Maliki, Manning reported the incident to Army superiors, who told Manning "to shut up."  Manning apparently then began to leak classified materials in an effort to "do the right thing."  The materials Manning leaked apparently included a video of a 2007 U.S. Army helicopter attack in Baghdad that killed a number of civilians.
 

Incident of the Week: "Huge Social Networker" Indicted For Threatening Spam Email Campaign Against New York Life

Yesterday, a federal grand jury in New York issued an indictment (.pdf) against Anthony Digati based on his threats to use spam email and the www.newyorklifeproducts.com domain to drag New York Life Insurance Company "through the muddiest waters imaginable."  Both the U.S. Attorney's Office press release (.pdf) and the FBI press release announced the indictment. 

Digati was arrested on March 8, 2010 for violations of 18 U.S.C. Sec. 875(d), which prohibits extortionate communications "containing any threat to injure the property or reputation of the addressee."

Digati, a resident of Chino, California, was a former agent and manager at New York Life, but the relationship apparently soured after Digati purchased a variable universal life insurance policy.  When Digati was disappointed by the financial returns on his investment, he began to demand a refund of the $49,576 in premiums he had paid. These demands apparently escalated to around $200,000 and then $3 million.

When his demands were denied, Digati allegedly registered the www.newyorklifeproducts.com domain and threatened to use the site, along with his presence on social networking sites and spam email sent to millions of potential customers, to smear New York Life.  The indictment provides some colorful excerpts from Digati's threats, including:

At this point, you're probably asking yourselves why should I even listen to this crazy fool, what can he do and why should I pay him.  NUISANCE VALUE is why, I am going to cause you millions of dollars in lost revenue, good faith and general trust in your company.

I have 6 MILLION emails going out to couples with children age 25-40, this email campaign is ordered and paid for.  2 million go out on the 8th and every two days 2 million more for three weeks rotating the list.  Of course it is spam, I hired a spam service, I could care less, The damge [sic] will be done.

I am huge social networker, and I am highly experienced.  200,000 people will be directly contacted by me through social networks, slamming your integrity and directing them to this website within days.

New York Life turned Digati's emails over to the FBI, which investigated and ultimately arrested him in California.  Digati faces a maximum sentence of 2 years in prison and a $250,000 fine. 

Incident of the Week: NSA Officer Indicted For Emailing Classified Documents to Reporter

On Wednesday, a federal grand jury in Maryland indicted Thomas A. Drake, a former employee of the National Security Agency (NSA), on charges that he emailed classified NSA documents and information to Siobhan Gorman, then a reporter for the Baltimore Sun.  Drake worked for the NSA first as a contractor and then as a high-level employee in the NSA's Signals Intelligence Directorate between 1991 and 2008, when he resigned following the suspension of his security clearance. 

The 14-page indictment (.pdf) alleges that in 2005 Drake received Gorman's contact information from "Person A," an unnamed congressional staffer that had a "close, emotional friendship" with Drake.  Drake allegedly obtained an anonymous email account with Hushmail and contacted Gorman to "volunteer[ ] to disclose information about NSA." 

After Gorman obtained her own Hushmail account, Drake allegedly emailed her hundreds of times with information about the NSA and its Signals Intelligence (SIGINT) activities.  Drake is also accused of smuggling classified documents out of the NSA, including his own handwritten notes, and of doctoring documents so he could provide them to Gorman without the markings that identified the information as classified.  Based on these emails, Gorman published a series of articles between 2006 and 2007 that federal prosecutors claim contain classified information.  Drake is charged with violations of the Espionage Act, as well as lying to FBI agents, destroying evidence and obstructing the investigation of his activities. 

In its press release on Thursday, the U.S. Department of Justice stated that:

As alleged, this defendant used a secret, non-government e-mail account to transmit classified and unclassified information that he was not authorized to possess or disclose. As if those allegations are not serious enough, he also allegedly later shredded documents and lied about his conduct to federal agents in order to obstruct their investigation.

The federal public defender representing Drake, James Wyda, told the New York Times that “Mr. Drake loves his country.  We look forward to addressing these matters in a public courtroom.”

Hushmail is an encrypted email service that allows users a certain level of anonymity.  Hushmail's website states:

Hushmail can protect you against eavesdropping, government surveillance, unauthorized content analysis, identity theft and email forgery. But using Hushmail does not put you above the law.

and

We are committed to the privacy of our users, and will absolutely not release user data without an order that is legally enforceable under the laws of British Columbia, Canada, which is the jurisdiction where our servers are located.

From the face of the indictment in the Drake case, it appears that the FBI and federal prosecutors obtained a court order in Canada compelling the release of Drake's email archives.  That is the practical limit of any hosted "private" email service: the provider still holds the account metadata and the message store, and in any mode where the server handles the user's passphrase it holds the plaintext as well, so an order enforceable against the provider reaches the content.

Internet Crime Complaint Center (IC3) Releases 2009 Report on Internet Crime

Today, the Internet Crime Complaint Center (IC3), a federal organization run as a partnership between the FBI and the National White Collar Crime Center, released its 2009 Internet Crime Report (.pdf).  Highlights include:

  • IC3 received 336,655 complaints in 2009, an increase of 22% over the prior year.
     
  • The dollar loss caused by incidents reported to IC3 increased more than 100% to $559.7 million.
     
  • 146,663 complaints were referred to local, state and federal law enforcement agencies.
     
  • Complaints were typically not referred to authorities when "there was no documented harm or loss (e.g., a complainant received a fraudulent solicitation email but did not act upon it)" or when there was no jurisdictional tie to the United States.
     
  • 16.6% of all complaints involved fraudsters pretending to be affiliated with the FBI.
     
  • 11.9% of all complaints involved a seller's failure to deliver items purchased online or a buyer's failure to pay for goods delivered.

Incident of the Week: OIG Reports that the FBI Routinely Circumvented Electronic Communications Privacy Act

A report entitled A Review of the Federal Bureau of Investigation's Use of Exigent Letters and Other Informal Requests for Telephone Records (.pdf) from the Department of Justice Office of the Inspector General (OIG) indicates that between 2003 and 2005, the FBI routinely "circumvented the requirements of the Electronic Communications Privacy Act (ECPA)" by using so-called "exigent letters" to obtain telephone call data from telecommunications companies.  The ECPA, 18 U.S.C. Sec. 2702, generally bars service providers from disclosing customer records to government authorities absent legal process such as a subpoena or a national security letter. 

The 700+ "exigent letters" examined by the OIG became common after the terrorist attacks on September 11, 2001.  In reaction to the attacks, a telecommunications company (referenced as "Company A" in the report) provided a "fraud detection analyst" to the FBI's New York field office to access telephone records in response to subpoenas from the U.S. Attorney's Office.  Apparently, over time the Company A analysts began to provide the requested customer data in response to "placeholder" letters signed by FBI special agents while the grand jury subpoenas were in the process of being obtained.  These letters, which claimed "exigent circumstances" and requested the production of customer data before the submission of a subpoena, became known as "exigent letters."  When the FBI's investigation moved to Washington, D.C., three service providers moved analysts into the FBI's offices to respond to the requests for telephone data covered by the ECPA.  

Observations from the OIG report include:

  • The "concept of using exigent letter originated as a time-saving technique" in the wake of the 2001 terror attacks, but over the years the embedding of service provider analysts with the FBI "led to a culture in which exigent letters and other even less formal and equally inappropriate requests for information became the [FBI Communication Analysis Unit's] accepted and customary method of conducting business."
     
  • Some letters called for the production of thousands of telephone numbers and customer transaction data.
     
  • OIG concluded that exigent letters were issued and customer records were obtained even though the "circumstances . . . were not exigent," including "media leak investigations . . . and other investigations that did not include exigent or life-threatening circumstances."
     
  • The FBI special agent responsible for signing over 100 exigent letters told OIG investigators "that the communications service providers' employees often gave him exigent letters to sign after he had already been given the requested records -- and he simply signed the letters.  This SSA also said that while he realized the exigent letters inaccurately stated that grand jury subpoenas had been submitted, he signed the letter because he 'thought it was all part of the program coming from the phone companies themselves[.]'"
     
  • Another FBI special agent responsible for a large number of the letters told the OIG that the telecommunications analyst from "Company A" informed him about the letters and told him that the letters had been approved by legal counsel.
     
  • When asked, the FBI unit chief described the exigent letters as "standard operating procedure."
     
  • Telecommunications company analysts interviewed by the OIG described pressure from the FBI to accept the "placeholder" exigent letters.  One noted: "personally, it wasn't my place to police the police."
     
  • The FBI sought court orders under the Foreign Intelligence Surveillance Act (FISA) using customer data obtained through exigent letters in violation of the ECPA.  However, agents mischaracterized how the FBI had obtained the data, suggesting that the data had been properly produced in response to a national security letter or subpoena.
     
  • OIG "found that numerous, repeated, and significant management failures led to the FBI's use of exigent letters and other informal requests for telephone transactional records over an extended period of time."

Incident of the Week: U.S. Law Firms and Public Relations Firms Hit By E-mail Attack

Law firms holding sensitive data for their clients are the targets of a new round of organized cyberattacks, federal authorities cautioned this week.  On Tuesday, the FBI warned that U.S. law firms and public relations firms were being targeted by hackers using "spear phishing" attacks -- personalized emails drafted to look like they come from a trusted or reputable source and designed to induce the reader to click an attachment or link that will infect his or her computer with malicious software.  As the FBI advisory put it: "Hackers exploit the ability of end users to launch the malicious payloads from within the network by attaching a file to the message or including a link to the domain housing the file and enticing users to click the attachment or link." 

While the FBI indicates that it may not be possible to flag the email attacks themselves, system administrators may be able to detect the infection after a computer has been compromised, because the payload reaches out to a known domain for its second stage:

Once executed, the malicious payload will attempt to download and execute the file ‘srhost.exe’ from the domain ‘http://d.ueopen.com’; e.g. http://d.ueopen.com/srhost.exe. Any traffic associated with ‘ueopen.com’ should be considered as an indication of an existing network compromise and addressed appropriately.
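The check the advisory describes is a network one: look for any host on the network talking to the named domain. The following is an added example, not part of the FBI advisory or any vendor tool, of running that check over web proxy logs. The only indicators it uses are the domain ueopen.com and the filename srhost.exe quoted above; the space-separated log format and the sample lines are assumptions constructed for the example. Domain matching is done on label boundaries so that an unrelated host such as blueopen.com is not flagged, and a trailing dot or mixed case in the hostname does not cause a miss.

```python
"""Flag outbound traffic to an indicator-of-compromise domain in proxy logs.

Added example; not code from the FBI advisory. The log format is an
assumed "<timestamp> <client_ip> <method> <url> <status>" line. The only
indicators taken from the advisory are ueopen.com and srhost.exe.
"""
import re
from urllib.parse import urlsplit

# Indicators quoted in the advisory above.
IOC_DOMAINS = {"ueopen.com"}
IOC_FILENAMES = {"srhost.exe"}

# Assumed proxy log format (constructed for this example).
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def host_matches(host, ioc_domains=IOC_DOMAINS):
    """True if host equals an IOC domain or is a subdomain of one.

    Matching is on label boundaries: 'd.ueopen.com' matches 'ueopen.com',
    'blueopen.com' does not. Case and a trailing dot are ignored.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def check_line(line):
    """Return a dict describing the hit, or None if the line is clean."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: ignore here, count it in production
    ts, client, method, url, status = m.groups()
    parts = urlsplit(url)
    host = parts.hostname or ""        # urlsplit lowercases the hostname
    reasons = []
    if host_matches(host):
        reasons.append("ioc-domain")
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if filename in IOC_FILENAMES:
        reasons.append("ioc-filename")
    if not reasons:
        return None
    return {"time": ts, "client": client, "host": host.rstrip("."),
            "url": url, "reasons": reasons}


def scan(lines):
    """Scan an iterable of log lines and return the list of hits in order."""
    return [hit for hit in (check_line(line) for line in lines) if hit]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2009-11-17T10:02:11Z 10.1.4.23 GET http://www.example.com/index.html 200
2009-11-17T10:02:14Z 10.1.4.23 GET http://d.ueopen.com/srhost.exe 200
2009-11-17T10:02:20Z 10.1.4.57 GET http://blueopen.com/ 200
2009-11-17T10:03:01Z 10.1.4.57 GET http://UEOPEN.COM./beacon?id=7 404
2009-11-17T10:03:40Z 10.1.4.99 GET http://cdn.example.net/srhost.exe 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["host"], ",".join(hit["reasons"]))
```

A domain hit is the advisory's stated indicator and should trigger containment of the client; a filename-only hit (the last sample line) is weaker, since any site can serve a file called srhost.exe, and is worth a look rather than an automatic block. The same suffix-matching logic applies unchanged to DNS query logs, where the request for d.ueopen.com will usually appear before the HTTP fetch.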

The FBI has asked that firms that have detected a breach direct incident response notifications to the Department of Homeland Security and US-CERT.

FBI unit chief Bradford Bleier commented to the Associated Press: "Law firms have a tremendous concentration of really critical, private information," and infiltrating those computer systems "is a really optimal way to obtain economic, personal and personal security related information." 

Alan Paller, director of research at the SANS Institute, told reporters that an attack on a major New York law firm in 2008 had been linked to a group of Chinese hackers.  Paller told the AP that the hackers going after law firms "often target companies that are negotiating a major international deal -- anything from seeking a patent on a sensitive new technology to opening a plant in another country."  "The best documents to steal are in the law firm that represents that company."

As hackers become more organized and strategic, law firms may need to reassess the risks they face in light of the value of the information they manage for their clients. 


Subject of FBI Investigation Reveals Government Concerns About Access to Federal Courts' Public PACER System

Reddit co-founder Aaron Swartz was apparently the subject of an FBI investigation for “participating in a project to take the publicly owned US court records from the PACER database (where they were very expensive to access) and put them on the web.” 

Mr. Swartz has made this information public by releasing the contents of his FBI file, obtained through a Freedom of Information Act request. His file reveals that the FBI was treating his access of PACER as a crime which cost the victim, the Administrative Office of the US Courts, approximately $1.5 million. The file suggests, but does not explicitly state, that the crime may have been a violation of the Computer Fraud and Abuse Act (18 U.S.C. §1030), as the FBI apparently asked the Administrative Office of the US Courts how Mr. Swartz would have known his access was unauthorized.

The FBI closed its investigation of Mr. Swartz without filing charges. The investigation of Swartz's activity, coupled with questions about what constitutes accessing a computer "without authorization" under anti-hacking statutes (as I previously discussed here), suggests that future efforts to open the PACER system (as well as existing efforts, like RECAP) may meet with some government resistance.

For more on efforts to make the PACER system more accessible to the public, see our previous posts on the subject.


Incident of the Week: Declassified Documents Show FBI Expanding Data Mining Efforts Over 1.5 Billion Personal Records (And Counting)

Declassified documents obtained (but not published) by WIRED Magazine indicate that the FBI has been hard at work expanding a database of Americans' personal and financial information.  According to WIRED, the FBI's National Security Branch Analysis Center (NSAC) has compiled a database of "more than 1.5 billion government and private-sector records" and has been mining this database for use in criminal investigations. The data, which apparently has been obtained from a number of private companies, includes transaction records from hotels, rental car companies and retailers. [Note that this database dwarfs the largest known data breach to date, which involved a mere 130 million records. One hopes that they have policies in place to prevent abuse.]  The records include:

  • International travel records of citizens and foreigners
  • Financial forms filed with the Treasury by banks and casinos
  • 55,000 entries on customers of Wyndham Worldwide, which includes Ramada Inn, Days Inn, Super 8, Howard Johnson and Hawthorn Suites
  • 730 records from rental-car company Avis
  • 165 credit card transaction histories from Sears
  • Nearly 200 million records transferred from private data brokers such as Accurint, Acxiom and Choicepoint
  • 17,000 traveler itineraries from the Airlines Reporting Corporation

This program is picking up speed. Declassified documents obtained by WIRED apparently show that the FBI has 103 full-time employees and contractors devoted to the project and has requested funding for 71 more.   Funding for the program expanded from $47.5 million in 2007 to $78.7 million in 2008.  A U.S. Department of Justice document (.pdf) indicates that in 2009 alone, NSAC received 18 new employees and a more than $10 million increase in its budget.

This is not the first data mining project developed for the purposes of investigating terrorism and criminal activities.  In the wake of the September 11, 2001 attacks, the U.S. government began development of a data mining project called "Total Information Awareness" or "TIA" which would analyze vast amounts of information regarding financial transactions, travel, health records and other types of customer data to detect terrorism and criminal activity.  The Defense Advanced Research Projects Agency (DARPA) and the Pentagon's short-lived Information Awareness Office were chiefly responsible for this project.  Based on concerns about the scope and privacy implications of the project, Congress pulled funding for the TIA program and shuttered the Information Awareness Office in September 2003. 

The current NSAC program makes it clear that the government has not given up on efforts to use large-scale data mining in criminal investigations.  To many, however, the program implicates the same privacy concerns as TIA and should be subject to strict scrutiny and oversight.  In 2007, congressmen Brad Miller and James Sensenbrenner sent a letter (.pdf) to the Government Accountability Office asking it to look into the NSAC project. One year later, congressman Miller sent a second letter (.pdf) to the House Committee on Appropriations demanding that funding to NSAC be suspended until the FBI outlined the program's purpose and provided "a clear idea of how NSAC intends to ensure that the program complies" with privacy guidelines.  According to congressman Miller, the U.S. Department of Justice refused to provide any information on the FBI's plan for the program and what information it planned to obtain.  In addition, the FBI apparently told GAO officials that the NSAC program was "not yet 'operational'" in an April 3, 2008 meeting.  In contrast, documents obtained by WIRED apparently indicate that the NSAC data mining operations have been used in prosecuting a number of individuals.


Incident of the Week: Indictments Issue Against The Individuals Behind RNS, Pirate Site for "Pre-Release" Music

Yesterday, a federal indictment was issued charging four individuals for their roles in "Rabid Neurosis," or RNS, an alleged "Internet music piracy group" that distributed copies of music prior to commercial release.  According to the seven-page indictment (.pdf) filed in the federal court for the Eastern District of Virginia, between 1999 and 2007, RNS obtained and distributed a number of notable albums before they were released, including "Blue Print 2" by Jay-Z, "Encore" by Eminem and "How to Dismantle an Atomic Bomb" by U2. 

The indictment claims that Adil R. Cassim, who used the handle "Kali," was the leader of RNS, while Matthew D. Chow ("RL"), Bennie L. Glover ("ADEG") and Edward L. Mohan, II ("MistaEd") all played high-level roles in the group.  According to federal investigators, these individuals set up and maintained a number of file transfer sites containing thousands of copies of copyrighted music, movies, video games and commercial software.  The Department of Justice press release states that, if convicted, the RNS Four each face up to five years in prison and a $250,000 fine.

Incident of the Week: Seattle Man Sentenced To Three Years In Prison For Using Peer-To-Peer Software To Steal Financial Records, Commit Identity Theft

Yesterday, Frederick Eugene Wood of Seattle was sentenced to 39 months in prison for using LimeWire peer-to-peer (P2P) software to obtain Social Security numbers, bank and financial records and tax returns, which he then used to commit identity theft.  The complaint (.pdf) filed in federal court for the Western District of Washington in March alleged that Wood took advantage of the fact that users sometimes install LimeWire or other peer-to-peer software on computers without limiting the directories and files made available to the peer-to-peer network. 

Especially when a household computer is shared between parents and children, the installation of peer-to-peer software may make tax returns, bank statements and other personal information saved on that computer available to everyone else on the peer-to-peer network.  During questioning by state and federal investigators, Wood explained that "kids put Limewire on the computer and the parents don't know."  As a result, Wood was able to obtain personal information from approximately 120 different individuals from Massachusetts, New York, Georgia, Florida, Ohio, Iowa, Louisiana, Oregon and California.  He then used this information to create counterfeit checks and driver's licenses and to open credit accounts in the victims' names.

Note that failing to limit the files shared by peer-to-peer software is not just a problem for household computers. In an earlier post, we discussed the problems caused when an employee installed LimeWire at work.  Also note that LimeWire's user guide and FAQ provide directions on how to make sure you are not sharing personal or sensitive information with the world.
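The practical check, on a home machine or a corporate desktop, is to look at what the shared folder actually contains before the client is allowed to run. The following is an added example, not from LimeWire's documentation or from the court filings, of auditing a share folder for the kinds of files Wood was harvesting: it flags files whose names suggest tax or bank documents and text files containing Social Security number strings. The name patterns, the SSN filter and the constructed sample folder are assumptions for the example; the SSN check rejects area numbers 000, 666 and 900-999 and zero group or serial numbers, which are never issued, to cut down false positives.

```python
"""Audit a folder a peer-to-peer client is sharing for sensitive files.

Added example; not code from LimeWire or the court filings. The name
patterns and SSN heuristic below are assumptions about what personal
documents on a home computer look like.
"""
import os
import re
import tempfile

# Filenames that suggest tax, banking or identity documents (assumption).
SENSITIVE_NAME_RE = re.compile(
    r"(tax|1040|w-?2|bank|statement|return|passport|ssn)", re.IGNORECASE)

# SSN shape AAA-GG-SSSS. Area 000, 666 and 900-999, group 00 and serial
# 0000 are never issued, so they are rejected to reduce false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Only plain-text formats are content-scanned; binaries are judged by name.
TEXT_EXTENSIONS = {".txt", ".csv", ".qif", ".xml", ".htm", ".html"}


def audit_share(root, max_bytes=1_000_000):
    """Return a sorted list of (relative_path, reason) for risky files.

    reason is "name" for a suspicious filename and "ssn" for a text file
    containing an SSN-shaped string. Paths use '/' regardless of platform.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if SENSITIVE_NAME_RE.search(name):
                findings.append((rel, "name"))
            if os.path.splitext(name)[1].lower() in TEXT_EXTENSIONS:
                try:
                    with open(path, "r", errors="ignore") as fh:
                        data = fh.read(max_bytes)
                except OSError:
                    continue
                if SSN_RE.search(data):
                    findings.append((rel, "ssn"))
    return sorted(findings)


def build_sample_share():
    """Create a constructed share folder mimicking a mis-configured client.

    Mirrors the situation in the case: music next to family documents,
    all under one shared root. Returns the temporary root directory.
    """
    root = tempfile.mkdtemp(prefix="p2p-share-")
    os.makedirs(os.path.join(root, "Music"))
    os.makedirs(os.path.join(root, "Documents"))
    with open(os.path.join(root, "Music", "song.mp3"), "wb") as fh:
        fh.write(b"\x00" * 16)
    with open(os.path.join(root, "Documents", "2008_tax_return.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 placeholder")
    with open(os.path.join(root, "Documents", "notes.txt"), "w") as fh:
        fh.write("Dad's SSN is 123-45-6789, account at Example Bank\n")
    with open(os.path.join(root, "Documents", "recipes.txt"), "w") as fh:
        fh.write("order no. 000-12-3456 is not an SSN\n")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, reason in audit_share(share):
        print(f"{reason:4s} {rel}")
```

The audit is deliberately conservative on content: it reads only text-like files and caps how much of each it reads, so it is safe to run over a large media folder. PDFs and office documents are flagged by name only; a real deployment would extract their text before applying the SSN check. The right fix is still the one in the LimeWire guide, which is to share a single dedicated folder and nothing else; the audit just confirms that nothing sensitive has ended up in it.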

Wood's scheme was discovered after he posted an ad on Craigslist.com purporting to sell a "brand new" Apple MacBook Pro for $1,500 and instead shipped a box containing a book and a glass vase rather than a computer.  Working with Seattle Police, the victim set up a meeting with Wood and he was arrested.  Upon investigation, Seattle Police discovered that Wood possessed a number of counterfeit driver's licenses and sought the assistance of the Social Security Administration's Office of Inspector General.  The King County Sheriff's Office, FBI, U.S. Postal Inspection Service and U.S. Secret Service's Electronic Crimes Unit also assisted in the investigation. 

Wood pled guilty to violations of federal laws governing aggravated identity theft (18 U.S.C. sec. 1028A), wire fraud (18 U.S.C. sec. 1343) and the Computer Fraud and Abuse Act (18 U.S.C. sec. 1030(a)(4)).  He is also required to pay over $25,000 in restitution to a number of parties, including Bank of America, American Express and other financial institutions (for the complete list, see the judgment filed in court earlier this week (.pdf)).