Conference Draws Experts in Fight Against Cyber Crime

Some 300 experts on cyber security gathered at Fordham in early January for a three-day conference on the emerging global threat of cyber crime and cyber terrorism.

The conference, which attracted representatives from 37 nations, was sponsored by the FBI’s New York Division and Fordham’s Department of Computer and Information Sciences.

“We live in a world of instant connectivity . . . where we have no geographic boundaries, are not limited by time zones nor foreign languages,” said John Tognino (FCLS ’75), chairman of Fordham’s Board of Trustees, who joined Joseph M. McShane, S.J., president of Fordham, in welcoming conference participants to the Lincoln Center campus on Jan. 6. “How then, do we protect our nation, our local communities and even our very own identities?”

In little more than a decade, the growth of the Internet has enabled the creation of cyber crimes that range from individual identity theft to corporate financial and intellectual property fraud to state-sanctioned terrorism through virtual terrorist cells. According to a 2006 FBI survey, U.S. companies spend about $67 billion annually to combat viruses, data-theft and other computer-related crimes.

Christopher M.E. Painter, deputy assistant director of the FBI’s Cyber Division and a leader in the investigation of cyber crime, said that cyber criminals have morphed in the last decade from an insular group of hackers and fraudsters motivated by bragging rights into a networked industry that causes billions in monetary losses.

Painter was involved in the prosecution of hacker Kevin Mitnick, who infiltrated the systems of several corporations in the 1990s on his own and stole company software.

He contrasted Mitnick’s relatively unsophisticated escapades with a group of contemporary cyber thieves, based in Thailand and India, who have infiltrated several financial firms and stolen millions of dollars through online stock manipulations. Today, Painter said, it is impossible to know how much financial damage is being caused globally by cyber crime.

On Jan. 8, a National Security Agency spokeswoman said that the United States must adopt a proactive approach to protecting its cyber infrastructure, which she called the country’s newest national security asset.

Sandra Stanar-Johnson, deputy special assistant to the director of NSA/Central Security Service, outlined the 2008 Comprehensive National Cyber Security Initiative (CNCI) created by President George W. Bush to unify government agencies in the war on cyber crime.

She said that, in the past year, U.S. computer emergency response teams have reported a 55 percent increase in Internet intrusions to the nation’s computer systems.

“That’s huge,” she said. “The U.S. is facing the most serious economic and national challenge of the 21st century—threats to our economy, and to our national security are now being addressed by the highest levels of our government.

“Information is a strategic asset because the business of America is conducted on the Net,” Stanar-Johnson continued. “We are being exploited now, and if that exploitation continues at this rate, we could lose our strategic, technological, economic and military advantage.”

White Hats to the Rescue
In a presentation on Jan. 7, Cynthia Cama (FCLC ’86), principal technical staffer at AT&T Security, led an “ethical hacking” team in a mock test of a company’s computer network. Ethical Hackers, also known as “white hats,” routinely try to breach their companies’ systems or applications to uncover their vulnerabilities.

“It’s all very ‘wild west.’ Traditional hackers are ‘black hats,’ out to destroy the system or gain money or fame, or cause damage or embarrassment,” Cama said. “We do the same things, but on the side of good.”

The team presented a mock hack job into a make-believe bank, the “Bank of Lake Alphatown” in which they broke into the bank’s database by going through another company’s website located on the same server. They were then able to access the bank’s private account information by password testing.

One common mistake that exposes companies to vulnerability, said Cama, is making user names and passwords too easy to guess. For example, some security questions, such as “What is your favorite color?” are easily guessable. Others, such as “What is your mother’s maiden name?” can be breached by an automatic program that runs the entire contents of a phone book.

Another common oversight is not doing an operating system upload patch when it is released from Microsoft or Apple.

“That is like leaving your house window broken when someone offers to fix it,” she said.

Hunting the Hunters
The need for increased U.S. vigilance and defense capabilities in cyberspace was reinforced later that day in a session led by James J. Barlow of the National Center for Supercomputing Applications (NCSA).

Barlow, the director of security operations and incident response at NCSA, detailed how a 16-year-old Swedish boy hacked into the TeraGrid—a network of 11 supercomputing sites across the United States. The attacks on TeraGrid were part of a wide network of compromised machines that the hacker was using to collect data such as personal information, account numbers and passwords.

The NCSA began a manual traceback, a time-consuming and lengthy process to find the hacker’s original machine and, therefore, his location and identity, Barlow said.

After following the path of compromised machines from the United States to computers in France and Croatia, the NCSA team discovered the hacker in Sweden. He was convicted in Swedish court and given two years of probation and a $28,000 fine.