[iwar] Interesting article


From: Fred Cohen <fc@all.net>
To: iwar@egroups.com

Fri, 7 Jul 2000 12:01:58 -0700 (PDT)



Defense Information and Electronics Report
July 7, 2000
Pg. 1 

Special Army Unit Investigates Cyber-Attacks, Electronic Infections 

The two most common threats to Army automated systems are computer 
intrusions and distributed denial-of-service attacks that turn those 
systems into "slaves" for viruses, special agents with the Army's 
Computer Crime Investigative Unit (CCIU) said last week. 

Opening their facility at Ft. Belvoir, VA, to reporters for the first 
time, agents said they have about 30 ongoing investigations into cases
where Army computer systems were invaded or hit with a virus. 

With a staff of six agents, all of whom are active-duty personnel, one 
legal adviser and a modest budget of about $125,000 per year, CCIU
was officially established in March as part of the Army Criminal 
Investigation Command (CID) and directed to specialize in criminal
investigations of intrusions into Army computer systems. 

Chief Warrant Officer 3 James Smith, who is the acting commander of 
CCIU, said computer intrusions can "potentially bring the Army to 
its knees." 

So far this year, 49 intrusions into Army automated systems have been 
detected, according to briefing charts presented by Smith. During
1999, 58 intrusions were recorded; 47 were identified in 1998. An 
intrusion occurs when a file is illegally accessed. However, not every
intrusion warrants an investigation, said Smith. 

The number of incidents in which Army computer systems have been at 
least scanned by hackers stands at about 3,400 for this year, up
from about 3,000 during all of 1999, according to the charts. 
Comparatively, about 230 incidents were recorded in 1997. 

However, Smith said the Army has not faced a "significant" breach of its 
critical weapons or logistical systems. 

CCIU was provisionally established as the Computer Crime Investigative
Team in 1998. Since then, it has evolved into the main unit that
investigates intrusions into Army computer networks worldwide. 

In addition to investigating computer crimes, agents also provide 
technical assistance to CID organizations and assist the Army Criminal
Investigation Laboratory at Ft. Gillem, GA, with forensic analysis. 

In their facility at Ft. Belvoir, agents can track computer intrusions,
lift forensic evidence from almost any computer device using a "black
box," and simulate attacks on a local area network to observe how 
viruses spread. 

"We basically have to have everything out there that is commonly used," 
said special agent David Black, also a chief warrant officer. 

CCIU agents are divided into two teams, one focusing on intrusions and
the other providing technical support. The intrusion team conducts
criminal investigations while the technical team performs analysis of 
evidence. 

Brent Pack, leader of the technical team, said CCIU last week opened two
cases involving intrusions into Army servers that are
considered "mission-essential." He declined to discuss details of the 
investigations. 

Cases that CCIU agents have helped solve include an attack on the Army's 
home page last summer and an intrusion into files at the
Enlisted Records and Evaluation Command in Indianapolis, IN, Smith said. 

For the home page attack, CCIU agents helped compile evidence against a 
20-year-old civilian who eventually pleaded guilty to the crime.

In the investigation of the attack against EREC, in which 58,000 files 
were deleted, agents compiled evidence that led to the conviction of
a 22-year-old disgruntled Army private who worked for the command. 

To conduct investigations, CCIU will first determine whether an 
intrusion has been made. If an intrusion is confirmed, CCIU will often
apply for a network intrusion device (NID) that will allow agents to 
monitor a network, Smith said. The NID gives agents legal permission
to monitor a network or an Internet service provider (ISP), such as
America Online, to find a suspect. 

However, Smith said getting permission to use an NID is often difficult 
because it can involve monitoring a commercial network that may
not be hosted in the United States. 

Once a suspect is located, CCIU will seek a subpoena to obtain 
information on the suspect's account from the network provider or ISP.
Evidence then is compiled, a process that may include confiscating a 
suspect's equipment for forensic testing. 

After all evidence is collected, the case is turned over to a 
prosecuting authority, Smith said. 

Smith said CCIU often works with other organizations during 
investigations, including the Army's Computer Emergency Response Teams 
and Land Information Warfare Activity. He added that investigations also
are coordinated with the Defense Department's Joint Task
Force-Computer Network Defense to ensure that work is not being 
duplicated by the services. 

To help combat computer crime, CID has undertaken several initiatives 
that include conducting computer crime vulnerability assessments
at command posts, refining automated investigative tools, developing
Army policy for investigating crime and enhancing training for agents. 


------------------
http://all.net/