A storm that dumped three inches of snow on Washington D.C. on Tuesday forced FBI Director James Comey to postpone by a day his keynote address to the 2015 International Conference on Cyber Security, but the conference kicked off nonetheless at the Fordham School of Law.
The four-day conference, now in its fifth iteration, brings together nearly 500 representatives from law enforcement, academia, and the private sector to discuss the most pressing matters regarding everything from cyber warfare, malware, the “internet of things,” and encryption, among others.
In his welcoming remarks in the spacious Costantino Room, Joseph M. McShane, S.J., president of Fordham, placed the mission of attendees in the context of history. From its founding in 1540, he noted, the Society of Jesus was governed based on the sharing of accurate information that would flow to central offices in Rome.
“This became a challenge when, within a few decades, Jesuits were based in Asia and Africa, and on their way to the Americas. Every year, the province heads were required to send an annual report to headquarters. Apparently, in an effort to ensure the security of the reports that the Provincials sent to Rome, they would routinely use cyphers,” Father McShane said.
“We’re comrades, colleagues, and companions in a great mission. Make deep and abiding friendships, share great insights and, through your insights and friendships, make sure your work here has a lasting and important impact on world affairs, local and national politics, and international business.”
George Venizelos, GSB ‘82, assistant director in charge, New York Office, FBI, likewise focused on the high percentage of attendees from abroad, noting that 50 countries are represented.
“Cyber[security]is not a U.S. problem, it’s an international problem. Our goal has always been to take it somewhere overseas,” he said.
“This conference is about building relationships to fight a problem that no one can fight alone. The FBI can’t fight it alone, the Secret Service can’t fight it alone. Even law enforcement can’t. It has to be a private sector/law enforcement [collaboration,] including international law enforcement, to fight this crime that’s happening every day.”
The previous conference took place in 2013 shortly after the revelations of spying by Edward Snowden; this year’s conference arrives less than two months after the massive hacking attack on Sony, once again illustrating the urgency the problem, he noted.
“Down the road, you’re going to need each other to fight these problems,” he said.
Speaker Cyrus Vance:
Encryption and Private-Sector Responsibility
Manhattan District Attorney Cyrus Vance Jr.’s office handles more than 100,000 criminal complaints a year, a full one-third of which are cybercrimes and identity theft.
Speaking in the afternoon session, Vance encouraged more public agency-private industry partnerships in battling the rising numbers, yet reserved strong words against new encryption programs enacted by two private companies—Apple and Google.
Although the programs are reactions to the National Security Agency’s theft of private information, Vance said they could seriously hamper law enforcement. He used the example of an encryption preventing the recovery of data from the abandoned cellphone of a child gone missing.
“Think about the consequences of not being able to get into cellphones—pictures, videos, texting—when so much of our lives are conducted there, and when criminal evidence is created and stored on those items,” said Vance. “Do we really want, in service to privacy, to prevent government from getting into phones to solve crimes?”
The days of thinking of crime scenes as being cordoned off with yellow tape, Vance said, have passed. Today’s typical D.A. target is someone sitting in a coffee shop with a computer, linking to institutional sites and stealing reams of personal information. The criminal is forging tax returns in the victims’ names and netting approximately half-million dollars a year, which is then laundered through international channels.
To meet the needs of following these criminal cyber trails, Vance said his office has created a cyber academy that has trained 1500 law enforcement personnel in 70 different agencies. The academy was necessary because other local law enforcement agencies could not process data fast enough for the prosecutors—and research material keeps increasing. In 2014 alone, his office processed 200 terabytes of data.
Vance’s office has also begun a partnership with a London unit policing cybercrime in the Square Mile financial district, he said, as both London and New York city are capitals of finance.
“The same guys hitting New York are also hitting Paris, London, and others,” he said. “It is no longer sufficient to limit relationships to prosecutors in New York.”
Infrastructure Panel:
On Science, Technology, and Cyber Security
Just like the infrastructure of the nation’s bridges and roads are aging, so is the Internet.
That was the opinion of Brian Krebs of KrebsOnSecurity.com, one of four members of a distinguished panel on science and technology and cyber security.
Krebs said aging systems makes cyber crime easier. He said that a national response on a scale similar to that used to eradicate polio is needed. He also suggested a “sort of homeowners association for the Internet, fed by countries like the United States, whose infrastructure depends on it.”
But he added that without a sense of urgency, other countries would be less likely to join the United States in a call to action.
“Our entire culture runs on these networks. As much as we have riding on it you’d think there be a little more urgency.”
Panelist and FBI Executive Assistant Director Amy Hess, of the department’s science and technology branch, said that in years past the agency wasn’t using the right people with the right skill sets “to do the day in and day out work.” But now the agency aims to have a computer scientist in each of their field offices.
She described “triage tools” for handling the increasing amount of data, that have vastly improved in the last year alone, resulting in instant ability to analyze data affecting investigations.
“Data that would’ve taken us several weeks to analyze then took 25 minutes, then ten minutes, and then five,” she said.
Panelist Koki Nakao, of Japan’s nationally funded Network Security Research Institute, said that international cooperation is key to fighting cyber crime.
“The framework for sharing may be very important, but not so easy,” he said.
Krebs said that voluntary information sharing among industry players is gaining traction. Nakao said, however, that sharing must be done between state and non-state actors—and in real time. He cited the manner in which the FBI took the lead in the Gameover Zeus virus as a good way forward.
“Such an operation initiated by the FBI succeeded because they found other countries’ support,” he said. “Maybe a strong country like the United States may initiate future operations, but the most important thing will still be the real evidence.”
Blackshades: Malware That Can Spy on You Through Your Own Webcam—Unknowingly
The name “Blackshades” entered the public lexicon when Miss Teen USA Cassidy Wolf was blackmailed in 2013 by an anonymous hacker who had broken into her webcam and taken nude photos of her without her knowledge.
Since then, the FBI has uncovered more than half a million victims of Blackshades, an insidious computer malware that allows hackers to remotely access other computers. But before the FBI took down the two hackers behind Blackshades—24-year-old Swedish citizen Alex Yücel and 23-year-old U.S. citizen Michael Hogue—in 2014, the users who purchased it wreaked havoc, said special agent Patrick Hoffman at a breakout session of the 2015 International Conference on Cyber Security.
Blackshades was sold to thousands of people in more than 100 countries and even launched websites to provide online education and support to those who purchased the malware.
“This user interface enabled users of various skill levels,” Hoffman said. “If you were a beginner and you didn’t know how to hack someone’s computer, this was a really good way to do it.”
To use it, hackers simply had to purchase a dynamic domain account, create an .exe file on the Blackshades service, and then send the link to their victims and have them click on it. With remote access, hackers could steal passwords, access bank accounts, hack into social media and email accounts, access documents and photos, record keystrokes, activate webcams, hold a computer for ransom, and more.
Ultimately, the creators’ business acumen is what brought the whole network down. To authenticate that they had paid for the purchased malware, Yücel and Hogue required users to provide their names, addresses, and credit card information or PayPal account.
“Once we identified the Blackshades server, we got an email search warrant and found all of the payment receipts, which contained the real names, addresses, emails, and IPs of every user,” Hoffman said. “From there you could pursue each individual accordingly.”
In addition to taking down users of a particularly invasive program, this case was successful in its use of international cooperation, Hoffman said. The FBI teamed up with Eurojust, a European Union agency that deals with international judicial cooperation, to share intelligence so that European countries could pursue and prosecute their Blackshades users.
“This case drives home the fact that we need a global partnership to fight cyber crimes,” Hoffman said.
Cracking the case had another positive upshot, Hoffman said.
“This program was popular among minors. Identifying them meant we could reach out to them while they’re young, get them to realize that hacking is wrong, and help them turn things around before it’s too late.”