Agencies work to prevent, counter cyber crime

By Ms. Ashley E Braun (IMCOM), August 19, 2010

Robert J. Lucas, network manager, 69th Signal Battalion, Operations Center Bamberg, uses a Fluke Network Analyzer. The device is used to detect and locate rogue wireless access points on base, and to scan the base network traffic for unauthorized mac... (Photo Credit: U.S. Army)

BAMBERG, Germany -- News agencies across the United States have been highlighting an alarming, invisible and rising threat, affecting citizens and therefore service members, worldwide.

Though technology has enhanced the capabilities of government agencies, financial institutions and individuals in a number of positive ways, criminal activity has advanced along with it, seeking out vulnerabilities in a world that is globally accessible and technologically powered.

As an organization handling sensitive information on a regular basis, and whose servicemembers depend on the security of that information, the DoD has a special interest in keeping its personnel informed and protected against cyber crime. Other government organizations and many private ones are feeling the effects of this rising threat as well.

The Threat

As reported by "60 Minutes," in 2007, hackers from a foreign country broke into the DoD, the Department of Commerce and the Department of State and downloaded terabytes of information. In 2009, a hacker stole millions of patient records and prescriptions from the Virginia Department of Health in an extortion plot.

Hackers downloading classified data, infiltrating defense systems, stealing millions from banks and public companies and disrupting weapons systems are all possible scenarios in today's technology-driven world. These threats have caused cyber defense to become a top national priority.

The Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center, released its 2009 Annual Report on Internet Crime in March. The report claims that in 2009 alone, 336,655 complaints were received and an estimated $559.7 million was lost as a result of cyber crime.

"Although the IC3 does receive reports from victims of cyber crime in the U.S. and many other countries, the vast majority of our complaints are received from people living in the U.S.," said Charles Pavelites, supervisory special agent for the FBI's IC3. "Over 90 percent of reports filed this year are from victims in the U.S."

Criminals who steal data via the Internet are often difficult to track, as a criminal's physical proximity to a victim has become irrelevant.

"From a cyber crime perspective, it's often hard for us...once someone has had their identity stolen, to figure out how exactly it happened," said John Lynch, deputy director of the Department of Justice's Computer Crime and Intellectual Property Section.

When servicemembers are stationed overseas, this threat is sometimes heightened as they are more dependent on the Internet for communication, banking and purchasing stateside items.

Cyber crime is not limited to the Internet. Much of the data accessible on a computer hard drive can be abused by criminals. Deleting information or emptying a computer's recycle bin does not completely eradicate information from the hard drive. Criminals can still acquire information from a hard drive, even after it has been formatted or wiped clean of information.

People are less careful about disposing of personal information, said Juan Perez, U.S. Army Garrison Bamberg Network Operations Security Center chief. Everybody is a target.

Individual versus Organizational Security

According to experts, both website users and providers must follow safe online practices to ensure information security.

The user has the responsibility of reading security agreements and adjusting privacy settings when using a website, as well as keeping their computer clean of viruses.

"Self-protection is very important to defend against Internet crime," Pavelites said. "An individual can protect his or her own information by ensuring that they have a good virus detection or malware protection program on their computer and by using a firewall program. All software on a computer needs to be updated frequently including the patches for the computer's operating system. The individual user must exercise common sense in that they don't open e-mail attachments from unknown users or even from known users without scanning them. Most scams try to create a false sense of urgency, so you have to take enough time to determine if any legitimate business or person would want or need to do business this way."

The financial sector has been particularly affected in the last few years.

"The DOJ handled multiple cases in the past few years of retailers and payment processors who had hackers break into their systems and essentially steal millions of credit card numbers," Lynch said.

Website providers are also beholden to users to protect their financial security.

"Retailers and other financial institutions are a big part of this," Lynch said. "People need to be vigilant when they're online, but there's also a responsibility from the retailers' side to be vigilant. The FTC (Federal Trade Commission) and the government's cyber security policy over the last several administrations have emphasized the need to protect our financial security online."

The hundreds of millions of dollars lost each year due to cyber crime have had a greater effect on institutions than individuals.

"The financial costs are primarily borne by the credit companies and retailers due to the allocation of responsibility on the civil side," Lynch said. "In general, the individuals have had limited losses. That is a burden on the private sector and the companies, so there is an economic incentive for them to tighten up their security. There is an economic driver there to encourage companies to protect their systems."

Though criminals may use sophisticated wording or documentation to commit fraud, individuals can always check sources.

"Using reputable websites and checking the public information available on the Internet on any lesser known sites will help protect against the loss of personal data," Pavelites said. "Following the security precautions on a reputable website will help them protect your data. If you ever have questions about a communication from a brick and mortar or an Internet company, you can always contact them directly without using information received in a suspicious telephone call, text message or e-mail. Use the telephone number on your bank statement, the back of your credit card or by going directly to the company's known website to obtain an e-mail address if you have any doubts that a telephone call or e-mail is legitimate.

"If an individual has previously had a problem with identity theft or conducts a large volume of business on the Internet and doesn't have time to check account statements monthly and credit report at least annually, there are credit/identity protection services which can protect their information and monitor for suspicious activity in their name and on their accounts."

The costs vary, but these services may be beneficial to people who need assistance keeping up with their information, he said. Personal and institutional information should always be carefully guarded.

"In general, organizations and individuals both need to be looking at where their information is and what people are sharing online; if it belongs to the organization or is relevant to the organization; where it's going and how it affects safety," Lynch said.

Lynch compared using the Internet to being outside late at night; a time when people often use heightened awareness to avoid dangerous situations.

"You should approach the Internet in that way," he said.

Social and E-media

Social media sites are becoming a more prevalent means of networking and communicating, not only for individuals but for organizations.

"Facebook is a tool and a place where, like any tool, people are sharing information," Lynch said. "That's where criminals are going to go and try to obtain information that is useful for committing crimes ... People need to be aware of the amount of information they're sharing, who it's going to and make sure they're comfortable with their online portfolio of information."

Pavelites had similar advice for social sites.

"Social networking sites don't necessarily contribute to cyber crime as much as their popularity creates a target rich environment for criminals," Pavelites said. "Social networking sites allow people to communicate, share and have some fun. This may lead people to let down their guard and put information out on their personal sites that should be protected. Criminals know that the more targets they have for a scheme, the more likely they will find a victim."

Individuals have a high amount of control in remaining secure while using social networks.

"You can protect yourself on a social networking site by following the security rules posted for the site," Pavelites said. "Don't let your guard down. Protect your personal information. Don't give everyone with whom you communicate the same level of access to your site. If you have information that you only want your immediate family or closest friends to see, lock that information down where only they can see. Don't post all of your messages on a public section of the site. You could be giving away important information about yourself even indirectly. Check out links and attachments before accessing them. Don't trust the person who sent the message to do the checking for you."

Most social media sites provide guidance on who can access the information you provide on the site and how to customize your security settings. Perez suggested individuals be aware of these settings and adjust them for optimal security.

Thumb drives, CDs and external hard drives are all examples of e-media, devices that transfer and save data.

In November 2008, the DoD issued a ban on USB drives and other portable media after a virus was discovered to be spreading on military networks by copying itself to government computers through these devices. The malicious code allowed a foreign power access to massive amounts of data. In February 2010, that ban was lifted. Regional policies still vary on these devices.

"Users are the number one threat," Perez said. "Users don't take into consideration all the threats that are out there in the sense that first, they don't educate themselves and secondly they don't follow policies because they don't read policies. Even though they go to training, they don't take that training seriously."

Bans and monitoring of e-media have been a focus of the Army's Network Operations Security Center.

Government Response

The IC3 originated in 2000, when the FBI and National White Collar Crime Center partnered to create the first version of the unit, the Internet Fraud and Complaint Center.

"Its mission was to alert federal, state, local and international law enforcement agencies to occurrences of Internet fraud and to provide these agencies with investigative support," Pavelites said. "Complaints involving multiple offenses, some of which were cyber crimes but not Internet fraud, effectively expanded the scope of the IFCC to comprise such crimes as identity theft, cyber-stalking and child exploitation. In order to reflect this broader mission, the IFCC changed its name to the Internet Crime Complaint Center in October 2003."

The IC3 has helped revolutionize how law enforcement collects and disseminates information, Pavelites said. Beyond gathering the complaints through a central filing mechanism, the IC3 provides analytical services to research the information contained in complaints and enhances the information by including additional public and law enforcement resource data. The center develops referrals to potentially link complaints that might otherwise appear unrelated or identify a larger scheme which is more likely to be investigated by law enforcement. Since its inception, the IC3 complaint database had grown to over 1.9 million complaint files as of August 2010 and currently receives 28,000 consumers' complaints of Internet crime per month.

Although private utilities are not held to government regulations, many are now working with government agencies to ensure their networks are protected.

"Representatives of several countries have visited the IC3 and the FBI's Cyber Division to discuss using the IC3 model in their countries and how the FBI has leveraged partnerships with law enforcement and private industry to fight cyber crime," Pavelites said.

One of the things that is hard to repay, in Lynch's opinion, is the emotional and reputational damage caused by fraud or identity theft.

"In many cases the individuals have their credit rating damaged," he said. "One of the things the department pushed for in the past few years has been, when we catch individuals who are responsible for this type of fraud and identity theft, allowing the prosecutor to seek restitution. It is beyond the monetary loss. There's time spent trying to put back together your financial life and...what is hard to recompense -- the stress and worry."

In May, the DoD officially activated the U.S. Cyber Command, a U.S. Armed Forces sub-unified command subordinate to the U.S. Strategic Command, to focus more manpower on countering cyber crime.

An installation's NOSC provides training and ensures that users meet network requirements before logging on.

"For the installation, we're the providers of the network and the infrastructure, so it is our responsibility to make sure everybody is complying with the information in place," Perez said. "There's always a threat to the network, that's why we have to be very wise in what we do."

Routine monitoring is a large part of that.

Network operators monitor communications on information systems to see what the users are doing, Perez said. Information on any of the computers is not private and is subject to monitoring.

USAG Bamberg's Criminal Investigation Division offers a fraud awareness brief every Friday to incoming Soldiers.

CID Special Agent Kristopher Watkins said that the very least action a Soldier or family member should take against Internet fraud or identity theft is to file a police report.

"If you have a police report, you can at least attempt to make a claim at legal," he said. Understanding and practicing safe computer practices is crucial to the security of the network.

Corrupt files, the accessibility of private information on a work computer and the transferring of official data can all put an individual and organization at risk for identity theft or internet fraud.

"Documents should be shredded, CD's should be wiped and destroyed," Perez said. "When an employee leaves a job on Warner Barracks, a computer should be completely checked by the IMO (Information Management Officer) to ensure it is clean."

The FBI provides information on popular scams and criminal activity through multiple public venues.

"The IC3 also identifies new or large-scale trends in cyber crime and creates reports that are passed on to law enforcement to alert them to new threats," Pavelites said.

For more information, visit www.ic3.gov, www.lookstoogoodtobetrue.com or www.fbi.gov.

The IC3's Public Service Announcements are also often utilized by news media to further distribute the message.
