The Life of a Cybercrime Investigator
An anonymous reader writes "Steve Santorelli gets computing experts and law enforcers to cooperate in a global fight against organized Internet crime. This article talks about the role of law enforcement in identifying and battling online threats as they change and evolve. Quoting: 'The common wisdom about hacking and cybercrime is, in Santorelli's view, severely out of date. He says cybercriminals aren’t lone wolves; they are financed and directed by international criminal syndicates. ... Organized crime also has vast resources derived from its traditional operations to finance the hiring of quality hackers around the world. There is even evidence that some syndicates are investing in research and development, looking to create proprietary, next-generation hacking tools, Santorelli says.'"
Much of the hacking now is government-sponsored too. China, Israel, the U.S., and Russia have all been allegedly involved in this for some time (probably a lot of others too). Stuxnet, theft of Google source code, you name it. Seems like everyone is in the cybercrime (or cyberwarfare if you want to stick a more polite euphemism on it) business these days.
SJW: Someone who has run out of real oppression, and has to fake it.
I personally observed at least six or seven countries' military domains looking at one of my sites in the late 90s which focused on then unrealised methods of remote operating system fingerprinting (many of which were ICMP-based, and not implemented publicly until years later). As well as many parts of the US military, there was (South, obviously) Korea, Japan, and Germany I believe. Of course, back then they were happy to browse from a .mil.* IP, these days none of them would do that. Australia used to have a lot of network warfare information up on the DSTO website, there's less these days, however they are still a good source for the multi-military JWID events (Joint Warfare Interoperability Demonstrations), a regular compatibility-of-command-and-control event that involves many western militaries. The trend I have seen thus far is for government/military to co-opt hackers through establishing corporate fronts, usually led by an otherwise-reputable hacker who is on the take or convinced to 'help the country' with nationalism. They also pay hackers with basic community cred as informants, and send them to security-related events all around the world in the hopes of acquiring actionable intelligence. We all need to be very careful who we give information to. Furthermore, the increasingly commercial development of some areas of our industry (open source intelligence gathering / computational linguistics / passive traffic analysis + surveillance / video surveillance systems) is strongly contributing to the further degradation of society into a 1984-like situation. The best thing we can do as people is to avoid the allure of money and refuse to work in these areas, whilst publicly pointing the ethical finger at those that do.
And is that something we really want to happen, locked "consoles" for everyone?
It's already here and it's called iOS iPad, iTouch, and iPhone.
Although all of the powerful crackers know others, some of them truly are lone wolves. For instance, The Jester (th3j35t3r) with his Xerxes botnet. He doesn't claim any affiliation AFAIK and is a self-proclaimed former military hacker. I always wondered if they give him a pass because he helps with other things, like taking down Islamic-jihad websites which he's known to do. No man is an island after all and he definitely has connections. But still he seems to be the "lone wolf" acting with impunity at times.
And that's just one of many that have never claimed a group affiliation and seem to be driven more by underground fame and rage than money or crime.
Tiger Blooded Bi-Winning Machine
Santorelli has devoted his career to identifying, tracking and apprehending cybercriminals in a new cyber-environment in which police chases are clocked at light speed and villains drive on a global superhighway congested with 1.8 billion law-abiding commuters.
LMAO! XD
"When information is power, privacy is freedom" - Jah-Wren Ryel
No, but they have 3 beautifully-handcrafted fake "1" licenses and they are about 1/7th of the way through the artwork of a 4th.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
That should be 3 steps:
1. Investigate cybercrime
2. ???
3. Profit
#2 is mostly filled with commenting on /., reading xkcd (again), and boobies.
sysadmins and parents of newborns get the same amount of sleep.
.... and hope that these organizations don't band together, start sharing innovations and start developing 'next level threats' as I'd call them. With those resources and people behind them, evil people could do bad things to the internet. Gah, let's hope not. Let's hope.
That reads like a description of the U.S. Gubmint.
A good while back, while we were still on dialup, actually. Being a small software shop who delivered results and of course our bills over the 'net, we did a ton of email traffic. At the time it was a Windows shop as well (by customer demand). We "captured" many viruses in emails, didn't catch them -- we were all pros and knew better. Since we had all the best tools money could buy, we looked pretty closely at these "captured" (e.g., not caught) viruses. At first, they were obviously not the work of very skilled or well financed people. Many still had debug symbols in the code, and things like Devstudio and reverse compilation showed they were usually done with a "free" C compiler, not GCC, but Borland.
Most were pretty crummy code, at least by our standards, though there were a few interesting tricks, like pushing data on the stack and then doing a return to get a goto to happen, often into a system function.
All of a sudden, things got better or worse, depending on your POV. The stuff we were capturing suddenly changed, a lot - it was well written, well obfuscated, and tricky stuff -- we even got a cool idea or two from it, and the new stuff was much smaller and made better use of the system API to do nearly all the work -- none of the obviously malicious code was in the virus itself, just system calls with destructive parameters. This would have been around the 2006 timeframe.
It was obvious that someone had started putting money into the game, or for whatever reason the quality of the crackers had suddenly gotten a heck of a lot better, which usually implies the former. Real talent.
To the fanboi who said "it's not Windows", sorry pal. Might have been true once, for bot farms and so on, that need volume. Today's cracking is financially based, and much more targeted. And most machines that deal with tons of money aren't running Windows -- after being burned a few times, you think the financial business has any loyalty to the guys in Redmond? Or anyone at all, for that matter? Linux is just plain more difficult to crack, and more proactive about patching when possible vulns are discovered. Anyone who looks at the flow of updates to Ubuntu and how many of them "fix a possible security bug" knows this. Many bugs that would have been zero-day exploits are fixed before anyone has put an exploit out for them at all, just by doing some fairly obvious code analysis, looking for ways to overflow allocations and such.
Could be Windows guys do that some too, but since they long-delay even well known holes, and you can't see what is in those closed source, uncommented updates (sometimes there's a KB entry, but not always and always little detail), how could you prove that? I don't think you can.
Why guess when you can know? Measure!
The fact that there's been a move from the idealistic and casual hackers to organized crime has been sounded by wise security folks for years and years and years. The writing seemed to be on the wall pretty clearly since about 2004, and I was warning IT auditors and bank examiners about it from the mid-2000s onward.
It should be no surprise to anyone in the IT field, but I can see how there might be a big disparity between contemporary IT thought and the knowledge held by law enforcement units around the country (and, perhaps, around the world). Sure, not all of them are that far behind, but only those who have been engaged in the fight really have any feel for what is going on, so many of the smaller police departments and rural units probably have limited exposure, and even fewer resources for dealing with IT threats.
I use irony whenever I can, but my shirts are still wrinkled...
Organized crime also has vast resources derived from its traditional operations to finance the hiring of quality hackers around the world.
How do I get in on that?
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia