Slashdot Mirror


How the FBI and Secret Service Know Your Network Has Been Breached Before You Do

coondoggie writes "By all accounts, many of the massive data breaches in the news these days are first revealed to the victims by law enforcement: the Secret Service and Federal Bureau of Investigation. But how do the agencies figure it out before the companies know they have been breached, especially given the millions companies spend on security and their intense focus on compliance? The agencies do the one thing companies don't do. They attack the problem from the other end by looking for evidence that a crime has been committed. Agents go undercover in criminal forums where stolen payment cards, customer data and proprietary information are sold. They monitor suspects and sometimes get court permission to break into password-protected enclaves where cyber-criminals lurk."

72 comments

  1. NSA by just_another_sean · · Score: 5, Funny

    And here I thought the answer was the NSA tells them and they know because they have root access to these systems.

    The fact that it's actually through real police efforts actually makes me feel a tiny bit better.

    --
    Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    1. Re:NSA by Anonymous Coward · · Score: 0

      yes the real police work is, call NSA, get info, plant evidence, viola, pay us we did work.

    2. Re:NSA by ackthpt · · Score: 5, Funny

      And here I thought the answer was the NSA tells them and they know because they have root access to these systems.

      The fact that it's actually through real police efforts actually makes me feel a tiny bit better.

      The NSA is watching you. The FBI is watching the NSA. The Secret service is watching the FBI. The CIA is watching the Secret Service. And of course the NSA is also watching the CIA.

      What we have here, is a Conga Line of people in trench coats and fedoras, wearing Ray Ban sunglasses and using headphones, HUD displays or binoculars.

      I'd pay to see that, but if I did they'd have to kill me.

      --
      A feeling of having made the same mistake before: Deja Foobar
    3. Re:NSA by NatasRevol · · Score: 1

      Seems like that would be an easier route.

      --
      There are two types of people in the world: Those who crave closure
    4. Re:NSA by TheCarp · · Score: 3, Informative

      Perhaps you are not familiar with "Parallel Construction": http://en.wikipedia.org/wiki/P...

      I would expect that if that were the answer, that it would never be the answer.

      --
      "I opened my eyes, and everything went dark again"
    5. Re:NSA by Anonymous Coward · · Score: 0

      Yeah, we pay them already... it's called TAXES.

      Captcha: dollar

    6. Re:NSA by roc97007 · · Score: 0

      But now we pay them more. It's for the children.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    7. Re:NSA by Anonymous Coward · · Score: 0

      I'd pay to see that, but if I did they'd have to kill me.

      Not mutually exclusive.

    8. Re:NSA by Common Joe · · Score: 1

      You don't have to pay anything, you can watch it, and you won't even have to die. Mostly to your specifications.

      For your viewing pleasure: Feds Deconfliction

    9. Re:NSA by Anonymous Coward · · Score: 0

      "everybody's gotta watch everybody else. Since the players are looking to beat the casino, the dealers are watching the players. The box men are watching the dealers. The floor men are watching the box men. The pit bosses are watching the floor men. The shift bosses are watching the pit bosses. The casino manager is watching the shift bosses. I'm watching the casino manager. And the eye-in-the-sky is watching us all. " - Sam

    10. Re:NSA by DarkOx · · Score: 2

      And here I thought the answer was the NSA tells them and they know because they have root access to these systems.

      The fact that it's actually through real police efforts actually makes me feel a tiny bit better.

      Probably just parallel construction

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    11. Re:NSA by antdude · · Score: 1

      I would pay my life for that. ;)

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    12. Re:NSA by jeffmeden · · Score: 0

      But now we pay them more. It's from the children.

      FTFY

    13. Re:NSA by Jmc23 · · Score: 1

      For the most part I agree, though I'm not sure what luthiering has to do with everything.

      --
      Don't complain about syntax, grammar, or spelling. There is no hell like input on Android.
    14. Re:NSA by Jmc23 · · Score: 1

      Shades of dancing baby!

      --
      Don't complain about syntax, grammar, or spelling. There is no hell like input on Android.
    15. Re:NSA by Phreakiture · · Score: 1

      Viola? I think you meant "voila"

      --
      www.wavefront-av.com
    16. Re:NSA by Anonymous Coward · · Score: 0

      And here I thought the answer was the NSA tells them and they know because they have root access to these systems.

      The fact that it's actually through real police efforts actually makes me feel a tiny bit better.

      I would really be surprised if any actual investigation takes place; from what I've seen in the news the last couple of years the FBI couldn't investigate themselves out of a wet paper bag. All the big time high profile criminals in recent years have either been caught purely by accident, or turned in by relatives. I'll bet the truth is that the FBI knows a company has been compromised because THEIR malware quits sending information because it's now reporting to its new Chinese masters.

      The NSA has deliberately weakened computer security and encryption to the point that an eight year old North Korean script kiddie could easily hack a US corporation using a TRS-80 and 2400 baud dial-up. That's why Alexander needs to be prosecuted for high treason against the people of the United States for his activities in deliberately making it trivial for enemy countries to hack into US computer systems.

    17. Re:NSA by Anonymous Coward · · Score: 1

      I don't care who it is, government agency wise. If my network gets breached, and I get some type of warning, I will be VERY grateful.

      This is what we Americans pay taxes for, so it is (IMHO) money well spent.

    18. Re:NSA by Anonymous Coward · · Score: 0

      In multiple cities, I've seen the following. Innocent people are shot by police, with lots of excuses and "no wrongdoing" on the part of the police. People are shot more frequently and still no policy changes. Then finally one day a police officer guns down another one. Suddenly, policy changes take place and many fewer innocent people are shot, for a while.

    19. Re:NSA by Anonymous Coward · · Score: 0

      We'll just have to hope that any US corporations using TRS-80s and 2400 baud modems can afford to upgrade soon.

    20. Re:NSA by Anonymous Coward · · Score: 0

      | ...What we have here,...

      A Vicious Circle ?

    21. Re:NSA by guises · · Score: 2

      This is a joke, but it would be great if it were true. This would represent some kind of oversight at least.

      If I'm not mistaken, this is basically how the British police have managed to keep corruption levels so low - one district polices another.

    22. Re:NSA by davester666 · · Score: 1

      They aren't watching each other.

      They are giving each other a reach-around.

      --
      Sleep your way to a whiter smile...date a dentist!
    23. Re:NSA by Marful · · Score: 1

      Of course "on paper" they actually did police work.

      But what do you think gave them "the hunch" that so-and-so was the badguy and just so happened to have exactly the incriminating evidence they needed to bust him in folder XYZ in his "My Documents" folder?

      "Police Work" is often just another term for collecting the evidence and creating the link from A to Z, after the fact, to justify the police's actions.

    24. Re:NSA by Anonymous Coward · · Score: 0

      Posting as anon because it's probably in my best interest, but in my experience in dealing with them (and having friends who have or are involved with them), each 3-letter agency pretty much hates all the other 3-letter agencies (and pretty much none of them like local law enforcement (regular police, sheriff departments, state troopers etc.)).

      I deal with the FBI and they're probably the worst (hell, the FBI doesn't even get along with itself between field offices).

      I also have a friend in the DEA who tells me the DEA don't get along with the FBI, even though they're situated in the same building, and another friend in another agency who finds the lot of them impossible.

      On topic, though, the FBI has a lot of CIs (informants) that it uses to obtain the information they're after (sometimes they'll even supply equipment and re$ource$ and/or reimburse expenses) - so it's a little bit police-work, a little bit crowd-sourcing.

  2. Cos they are already in your network... by Anonymous Coward · · Score: 0

    Just waiting for someone else to login ..

    Step 2 - they go and post in the credit card forums .. excuse me, my tinfoil hat is slipping a bit..

  3. HOW DO THE FBI KNOW FIRST? by Jeremiah Cornelius · · Score: 3, Insightful

    They set it all up...

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
    1. Re:HOW DO THE FBI KNOW FIRST? by roc97007 · · Score: 0

      'S what I was thinking. In at least some cases, it's because they took part in the crime.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  4. Sometimes... by Anonymous Coward · · Score: 3, Funny

    "...and sometimes get court permission to break into..."

    Hehe... lawl

  5. Trolling the Internet by hermitdev · · Score: 5, Insightful

    Law enforcement is very actively trolling the Internet to discover things, he says.

    Funny, I'd be happier if they were trawling the internet for info instead of trolling.

    1. Re:Trolling the Internet by lgw · · Score: 1

      I've seen two news stories this week that made that mistake. It's going to be lose/loose all over again. *shudder*

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:Trolling the Internet by Anonymous Coward · · Score: 0

      Trolling is a fishing technique where you rig lines out the back of your boat and move at a good pace through the water. It is a good word for "skimming a large portion of something in hope of easily finding something", whether it be to discover security breaches or to enrage sensitive people.

    3. Re:Trolling the Internet by Anonymous Coward · · Score: 0

      There, their, they're now. Don't get all worked up over it.

    4. Re:Trolling the Internet by Anonymous Coward · · Score: 0

      In my day the word was: Trawling.

    5. Re:Trolling the Internet by NeoNormal · · Score: 1

      "Trawling is a method of fishing that involves pulling a fishing net through the water behind one or more boats. The net that is used for trawling is called a trawl."

      From Wikipedia.

    6. Re:Trolling the Internet by Anonymous Coward · · Score: 0

      "Trawling can be contrasted with trolling, where baited fishing lines instead of trawls are drawn through the water."

      From Wikipedia, two paragraphs down.

  6. So that's how they justified WoW agents by Ranbot · · Score: 0

    I'll bet they got a lot of good leads from their embedded World of Warcraft agents! ( http://games.slashdot.org/stor... )

  7. no way? by Anonymous Coward · · Score: 0

    Verizon 2013 DBIR: http://www.verizonenterprise.com/DBIR/2013/

    for several years now.

  8. So the government is helping the criminals by going by Anonymous Coward · · Score: 0

    Is that what is going on?

  9. The processor... by MobSwatter · · Score: 1

    They have real-time access to credit card processors and to all major credit cards; they had this long before, so they can effectively track an individual under warrant by their spending, and they can tell by time and usage if a number has been compromised. There was never a reason to penetrate the store front credit card processing environment, so Dell, apology accepted for the "inconvenience" -jerks. These numbers they come across in their hacking endeavors should be flagged by the major credit cards and credit source charges rerouted if they wanted to pursue individual targets; aside from that they should be immediately cancelled. I've seen bad investigative calls made by the Secret Service by determining malware that monitored keystrokes detected on the fileserver, but it would have been required to be present on the terminals as that is where the keyboard wedge MSRs were installed. I'm pretty sure these guys are quite busy on their forensics but they need to better substantiate root cause to rule out inside jobs.

    1. Re:The processor... by Anonymous Coward · · Score: 1

      Are you drunk? That read like it was written by a drunk person.

    2. Re:The processor... by MobSwatter · · Score: 1

      Well sure, only as much as you are truly anonymous... ;)

  10. I'm sure the NSA Will delete this soon...... by Anonymous Coward · · Score: 5, Funny


    1. Re:I'm sure the NSA Will delete this soon...... by Anonymous Coward · · Score: 0

      "This is not the comment you are looking for... keep moving"

      - Agent John Smith of the NS... never mind

  11. Simple... by Anonymous Coward · · Score: 0

    Companies do not focus on security.

    They spend money. They are compliant. But they are FAR from secure.

    1. Re:Simple... by MobSwatter · · Score: 2

      Yep, that happened sometime around RSA generating not so random numbers. And all the money spent by store fronts on encryption for POS systems was fraud because we the people cannot have encryption unless it is broken. Looking back on some of the people in my life I do not doubt subtlety, resources or intellect of a criminal.

  12. goofball website by Anonymous Coward · · Score: 0

    wtf yo send me to that gay website for this user should get kick in teeth

  13. You're seriously asking that? by BitZtream · · Score: 1

    Really? Millions spent on 'compliance' ... are you new to the business world in general?

    I can't think of a single business other than credit card processors and banks that ACTUALLY put EFFORT into security.

    For pretty much everyone else, the standard is 'fix the breach after it happened'

    The police know your car is stolen before you do if you're out of town and someone steals it to rob a bank.

    When investigating crime, you generally follow the leads back to the source to find the perpetrator. That means unless the perp was a moron, (s)he probably bounced through some networks that would make it harder to track them ... and that's why the FBI goes to them.

    Second, if they knew they were breached and what it was, they'd just fix it.

    99 times out of 100, someone else informs you that you've been breached.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    1. Re:You're seriously asking that? by nexex · · Score: 1

      Bingo, I saw, "...especially given the millions companies spend on security and their intense focus on compliance?" and laughed.

      --
      Winter 2010: With Glowing Hearts
    2. Re:You're seriously asking that? by ThatAblaze · · Score: 1

      The word "millions" is misleading here. For a large company, and especially when you make it the plural "companies", this is the equivalent of saying "...especially given the pennies companies spend on security and their intense focus on compliance."

      Individual users spend a larger portion of their income on a virus scanner than companies typically spend on security, even if that amount adds up to millions for the companies. Half the time this is true even of the computer security providers themselves.

    3. Re:You're seriously asking that? by im_thatoneguy · · Score: 2

      I've talked to security guys from two big name companies, they both work in large departments. I have absolutely no question that a department of > 5 people costs more than a million dollars per year.

    4. Re:You're seriously asking that? by im_thatoneguy · · Score: 1

      Really? An average security employee probably costs $200k or more per year. If Target has 5 people working on network security they spend "millions" per year.

      I would wager there are at least probably 1,000 developers actively working on corporate security every year. $200,000 * 1,000 people = $200m per year on security.

  14. Shouldn't Congress be watching? by Anonymous Coward · · Score: 1

    Shouldn't Congress be doing some watching of its own?

    1. Re:Shouldn't Congress be watching? by ackthpt · · Score: 2

      Shouldn't Congress be doing some watching of its own?

      The only things members of Congress monitor are polls, donations and any move by their opposition they think they can leverage. To expect congress to do anything other than score personal points seems naïve.

      --
      A feeling of having made the same mistake before: Deja Foobar
  15. Ohh look at all the smart, creative people here by Anonymous Coward · · Score: 0

    Ohh look at all the smart, creative people here making the same comments about the FBI/NSA being in on or part of the crimes.

  16. bot ip addresses by Anonymous Coward · · Score: 0

    I would think that it would be much easier to use an ip list for a botnet attack to find out who is infected.

    1. Re:bot ip addresses by ShaunC · · Score: 2

      If you infiltrate, say, Target's internal network and POS systems, you aren't going to use them for a botnet and tip your hand.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  17. Really? by Hamsterdan · · Score: 1

    "get court permission"

    Please... Like they ask for permission before doing stuff like that.

    --
    I've got better things to do tonight than die.
  18. Here's how I found out.... by SethJohnson · · Score: 4, Interesting

    Back in 2005, I had a personal blog site defaced. I didn't even know it had happened.

    The way I spotted the issue was through an open terminal window that was tailing the apache access log. I'd glance at it every once in a while as traffic trickled over the blog. I saw a request come in from the PENTAGON domain. I thought it was odd because my blog was about skateboarding and didn't think it would be of interest to anyone working at the Pentagon. I looked at the referrer and it was a site I was unfamiliar with: http://www.zone-h.org/.

    So I browsed over to that server and saw that the page linking to my site was a list of defaced sites. Then I checked my own homepage and sure enough, WordPress had been compromised by an exploit and someone had posted an article on the front page.

    So, it seems like someone at the Pentagon had a script scraping the defacement indexing sites and was then visiting each affected server and scraping that. Never got an email or phone call or anything.
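    The log check SethJohnson describes, turned into a small script (an added example, not code from the post): parse Apache combined-format access log lines and flag any request whose Referer points at a defacement archive such as zone-h.org, which is the signal that revealed the defacement above. The sample log lines, the example-search.test domain and the mirror path are constructed for the example.

```python
import re
from typing import Iterable, List, NamedTuple
from urllib.parse import urlparse

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Defacement archives that link to the pages they mirror. zone-h.org is the one named
# in the post; add others you trust.
DEFACEMENT_ARCHIVES = frozenset({"zone-h.org"})


class Hit(NamedTuple):
    time: str
    client: str
    path: str
    referer_host: str


def referer_host(referer: str) -> str:
    """Lower-cased hostname from a Referer value; '' for '-' or an empty field."""
    if not referer or referer == "-":
        return ""
    parsed = urlparse(referer if "://" in referer else "http://" + referer)
    return (parsed.hostname or "").lower()


def is_archive_host(host: str) -> bool:
    """True when host is a watched archive domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in DEFACEMENT_ARCHIVES)


def find_archive_referrals(lines: Iterable[str]) -> List[Hit]:
    """Return every request whose Referer comes from a defacement archive."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # torn or non-combined line: skip it rather than crash
        host = referer_host(m["referer"])
        if is_archive_host(host):
            parts = m["request"].split()
            path = parts[1] if len(parts) >= 2 else m["request"]
            hits.append(Hit(m["time"], m["host"], path, host))
    return hits


# Constructed sample log (not from the original post): normal blog traffic plus one
# visitor that arrived from a zone-h.org mirror page, and one unparseable line.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2005:10:01:12 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2005:10:02:30 -0500] "GET /2005/03/kickflip HTTP/1.1" 200 8800 "http://www.example-search.test/?q=skateboard" "Mozilla/5.0"
203.0.113.44 - - [12/Mar/2005:10:05:01 -0500] "GET / HTTP/1.1" 200 4096 "http://www.zone-h.org/mirror/id/12345" "Python-urllib/2.4"
garbage line that does not parse
"""

if __name__ == "__main__":
    for hit in find_archive_referrals(SAMPLE_LOG.splitlines()):
        print(f"[{hit.time}] {hit.client} fetched {hit.path} via {hit.referer_host}: "
              f"check the site for defacement")
```

    Run it against a live `tail -f` of the access log (or a periodic sweep) and treat a hit as a prompt to compare the served front page against a known-good copy.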

    1. Re:Here's how I found out.... by Vertigo Acid · · Score: 2

      Indeed, I've received notification from the FBI at $dayjob based on information they scraped from Shodan.
      Specifically, it looked like they were looking for "siemens" anywhere in the results, and then sending out notifications, most likely intended for SCADA/Industrial Automation kind of gear. We just happen to have a handful of Siemens CPEs... because apparently they make DSL modems too?

      --
      Beta is bad enough to make me go edit settings like this sig that haven't been touched since I joined
  19. They know because they are breaching it by Anonymous Coward · · Score: 0

    Simple. If you are hacking into someone's network, you know you are breaching it.

  20. OF course by Anonymous Coward · · Score: 0

    FBI: Your network has been breached.

    Network Admin: By who?

    FBI: Us, how do you think we know it was breached?

  21. Before I know on my network? Doubtful. by BitZtream · · Score: 1

    Some random guy who is 'a windows admin' (meaning he clicked next until Server was installed) ... yes, the FBI knows first because that douche doesn't have a clue.

    99.9% of the admins on the planet are absolutely clueless. Being an 'admin' no longer means you know what you're doing; it now just means anyone who can click next calls themselves an admin ... and as such, their networks are generally piles of crap.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  22. Not a big deal by PPH · · Score: 1

    I'd much rather have the FBI/CIA/NSA hang around with all the miscreants than spying on individuals at large. Sure, there's an issue of what probable cause they have to participate in such forums. But its the same thing that they do when undercover cops hang around a bar and wait for some moron to come in and look for a hit man.

    It would be nice if they'd give the owners of compromised networks a call once in a while to get them started making repairs.

    --
    Have gnu, will travel.
  23. Funniest line ever!!! by w1zz4 · · Score: 1

    "especially given the millions companies spend on security and their intense focus on compliance" You wish! For 99% of companies, network/computer security is on the last tier of the priority list, even farther when you talk about investment... From a Network Security Specialist.

  24. Spy Vs. Spy by ComputersKai · · Score: 1

    With a serious identity problem

  25. oh yeah by strstr · · Score: 1

    plus they have automated surveillance systems that:

    1. track all IP connections for them, so they know who connects and to where.
    2. all IP, SMTP, and HTTP, FTP and other protocols that aren't encrypted are being watched, so they know what is accessed and what information is sent to the server (GET/PUT/PUSH) requests.
    3. All this is monitored because they have splits in the fiber and telecommunication system to passively monitor and record all traffic, 24/7.

    On top of this, satellites and radar systems automate tracking of individuals and their behavior. Including heart rate, breath, brain activity, and more. All ground activity is automatically tracked for them.

    The Artificial Intelligence that runs the system is more effective than human brains at scanning and tracking things. Kind of like Facebook's image recognition software that uses virtual neurons, which beats human visual scanning capability.

    The stats of the 32+ satellites pointed at earth indicate that all modernly launched models are 53,000 times more powerful than Hubble, pointed right into your homes and backyards and businesses, remotely tapping the emissions and radio frequencies of electronics and human beings.

    Dr. Robert Duncan for reference is the guy who whistleblew about most of this; he has been to secret Naval bases and designed several of their surveillance and weapons systems for the DOD/NSA/FBI/USDOJ/CIA. Details about all this on this page (scroll down for some of the interviews with Dr. Robert Duncan, PhD from MIT/Harvard/Dartmouth): http://www.oregonstatehospital...

    Of course it's true that the internet forums and shit are monitored; without encryption and/or heavy shielding to block signal emissions, like a foreign nation uses, you cannot hide any of your activity. The NSA/FBI basically uses all the same techniques that they use on foreign nations to spy on Americans. In fact, they monitor Americans with this technology MORE than other nations. And it's easier because they have direct access to all the land, laws, and agents who will willingly cooperate with these abuses, and won't fight back or start a war like another nation might.

  26. We already know... by Anonymous Coward · · Score: 0

    The answer is Brian Krebs from his relatively unsophisticated home office.

    The feds are way behind..

  27. Police know things because they do police work? by Anonymous Coward · · Score: 0

    Humbug I say, Humbug!