[ISN] High-Tech Crimes Revealed: An Interview with Stephen Branigan

InfoSec News isn at c4i.org
Mon Oct 25 05:58:10 EDT 2004


By Steven Branigan, Seth Fogie.
Date: Oct 22, 2004

Stephen Branigan, one of the founders of the New York City task force
on cybercrime and author of High-Tech Crimes Revealed: Cyberwar
Stories from the Digital Front [1], talks to Seth Fogie about hacker
motivations and how to solve cyber crimes.

Seth: Who are your real-life influencers? Fictional influencers? (With
regard to this book's subject, that is.)

Steven: Real life influencers:

* Police: Sergeants J. Cheney and Richard "Fox" Foster taught me all 
  the real-life lessons of patrolling the streets that the academy hadn't.

* Network security: My friends Bill Cheswick, Matt Blaze, Steve 
  Bellovin, Avi Rubin, and Hal Burch have helped shape my views on 
  how to conduct secure networking and secure computing.

* Legal: Scott Charney and Martha Stansel-Gamm have each led the 
  Computer Crime and Intellectual Property Section of the Department 
  of Justice, and they always seem to know how to balance the 
  competing forces of protecting the innocent and convicting the 

Seth: If you can give us a name and brief summary, who was the most
talented hacker you ever caught and what did he/she/they do?

Steven: I'm generally uncomfortable with giving the names of the
hackers caught, as I would be hesitant to provide the names of anyone
I arrested. It's better for the subjects, should they wish, to provide
that information.

With that said, I believe that one of the best was the "hot-ice"  
character detailed in Chapter 2 of my book. Technically very
competent, and able to maneuver across country boundaries very well.  
The character "Bob" from Chapter 6 was possibly the brightest hacker I
ever met.

Seth: Do you attend any hacker conferences? What's your opinion about
their focus and content? Have you ever been tagged in "Spot the Fed"?

Steven: Actually, I haven't been to a single hacker conference. I
guess it's because I would expect to be handed a "Fed" T-shirt at the
door as I walked in!

Seth: There's a lot of discussion in this book about the motivators of
a hacker, and most of it is right on! I myself would fall into the
curious category. :) However, IMHO, these are the same motivators that
drive almost everything and everyone.... What motivated you to write
this book?

Steven: Motivations for me? Here goes:

* I think that computer crimes are very misunderstood. This book 
  explains who does them, why they do them, and what the impacts can 

* Further, I know that as people become more aware of what computer 
  crimes are, they will be able to make better decisions about how to 
  protect their networks.

Seth: Throughout the book, chance seems to play a paramount role in
finding and catching talented hackers. What's your experience with the
reality of this unnerving concept? What chance do we have if we never
see them coming?

Steven: An over-used cliché applies here: It's better to be lucky than
good. I believe that there's an element of luck in catching criminals.
And that really is a frightening concept.

The good news is that criminals always take a chance when they commit
a crime. We can use that in our favor. That's why I'm a big fan of
improved logging and surveillance. Audit trails are an incredible
resource for trying to catch a hacker after you discover the problem.

Seth: The book discusses how to handle a break-in and the significant
damage that can be done by not following proper protocol. However, in
many of your cases, you have prior evidence of hacker activity. What's
the proper protocol for addressing a computer that may or may not be a
hacker tool, for example troubleshooting a malfunctioning computer and
finding 3GB of warez and four rootkits causing the problem?

Steven: I would suggest that in a couple of the cases, it wasn't that
there was initial evidence of hacker activity. For example, in Chapter
3, our friend Wesley's hacking was discovered because he hadn't paid
his rent.

Let me say that it was the methodical investigations that ultimately
led to us uncovering the hacker activities in Chapters 1 and 3.

My best advice is to walk that fine line between trust and suspicion
when investigating computer malfunctions. Maybe it's nothing, or maybe
it's the work of a hacker...

Seth: While it would be nice for everyone to get fair play with the
FBI when a hack occurs, they're limited on time and resources, and not
everything requires FBI-level attention. Based on your experience,
what kind of support/interest can a SOHO user expect from the
authorities (local police, FBI, state police, and so on)?

Steven: I agree that not everything needs FBI-level attention! That's
a very important point. Law enforcement really, really wants to do the
right thing. I have been very fortunate to have worked with many cops
around the world who work hard to protect their citizens.

Many state and local police agencies are getting much better at
handling computer crime issues. They're very interested in dealing
with these issues, and the issues they deal with directly translate
into the training they'll receive in the future!

My best advice, should you find yourself in a position where you need
[law enforcement assistance], is to be sure to take the time to
explain how the crime has affected you personally.

Seth: I grew up in a cop's family, and I know a little of how being a
cop changes your perspective on life. I can see some of this
perspective in your book, and it's a refreshing reading experience,
especially since most other books are written by "hackers." What's
your take on these other books?

Steven: I spent a lot of time reading publications such as 2600,
phrack, and the like. To be honest, I have never really been sure what
the justification is for hacking into telephone systems, cellular
systems, banks, and so on.

Whether it's invasion of privacy, theft of services, or even fraud,
computer crimes usually result in real victims. I think that is often
missed with the anonymity that computers and the Internet provide.

Seth: This book addresses the options available to a company after a
system compromise. What's your personal recommendation to companies
facing that catch-22 situation where they learn their server is host
to hacker activity, but they can't shut it down until the end of the
day or even week?

Steven: Hmm... No matter which option you choose, at some point the
other option will have seemed better! It's a tough call that needs to
be made by the business leaders with expert consultation from their
technical people, because either option is a business-impacting
operation. Usually it depends on the severity of the suspected attack
and the ability to investigate while continuing operations. Those are
the most relevant factors.

Seth: One of the first pages in the book outlines your work experience
based on your attire. I noticed that you served time as a cop (pun
intended). How has this helped and hindered your computer security

Steven: Served time indeed!

* Helpful: Law enforcement encourages you to document your activities, 
  and that's very helpful for computer security.

  It taught me to follow up on even the smallest of suspicious items. 
  I remember very well the story from my academy days of a police officer 
  who broke a large cocaine ring just by stopping a car with an 
  expired inspection sticker. That one stop led to the discovery that 
  the driver's license was revoked. That led to finding there was a 
  warrant for his arrest. And that led to the subject giving up 

  It taught me that even when you may think someone has done something 
  wrong, always treat all people equally until you have proof.

* Harmful: I get suspicious very easily, perhaps too easily.

Seth: On the subject of careers, what advice can you give to people
who find computer security an attractive field? Is there a fast path
to getting a job as a forensics specialist with a police department?

Steven: Free advice (and remember, money back if you are not

I will limit this to legitimate jobs with the police, and exclude the
attractive career of confidential informants.

Law enforcement is looking for reliable, trustworthy people with
excellent technical skills. Look into a computer security or forensic
problem and help solve it. Present your results at a conference. That
will help to get you noticed.

Seth: On the same subject, you [wondered] why anyone would write a
program like NetStumbler. Why do you think NetStumbler was written?

Steven: I have no idea why it was written and given away for free!  
While I imagine that curiosity and conquering the technical challenge
inspired the initial writing, I'm not sure why the authors didn't
release it as a commercial product.

Seth: What are your interests outside your industry?

Steven: Sports. In particular, soccer (which I play often), baseball,
and football. I find that I'm always learning from playing or watching
team sports.

Seth: Have you ever downloaded an "illegal" MP3?

Steven: I have tried napster/aimster and gnutella. I discovered that
it was incredibly easy to find and download MP3s. They certainly
proved a serious threat to the music industry. I downloaded "The
Cars-Door to Door" (from a CD that I had already purchased). The
quality of the download was not very good. The version I ripped from
my CD was better.

Ultimately, it's important that artists have the chance to be rewarded
for their work. That's why downloading copyrighted MP3s is wrong, and
is a problem for the industry. And that's why I'm pleased to see that
iTunes, Musicmatch, Wal-mart, Amazon.com, and others are now selling
MP3 singles over the Internet. I think that most people want to do the
right thing and pay for a song, and now they have the opportunity to
do so. I think that this will be the most effective strategy to get
the majority of the people to stop illegal copying of music.

Seth: The book discusses some of the difficulties authorities face as
a result of boundaries. How is globalization changing this situation?  
Are things getting easier for the good guys when trying to track down
and stop the bad guys? Or is globalization not affecting this arena?

Steven: Globalization and the Internet are inseparable. I am
cautiously optimistic about the progress that has been made over the
past few years with multinational organizations such as the G-8, North
Atlantic Treaty Organization (N.A.T.O.), and the Organization of
American States (OAS). They're working very hard at making
transnational computer crime investigations easier for law

Seth: Government and big business are repeated targets for the hackers
in the book. Are they easier targets, and are they aware of the
threats of a hacker attack? How are they dealing with it?

Steven: I don't think it's that they're easier targets. I think that
both government and big business are attractive targets because
they're perceived to have interesting information. They're also better
able to detect attacks than home users are. Not many home users track
the number of times hackers are attacking them. But I do! Just a quick
look at my August 2004 stats [2] reveals that this one system was
attacked 154 times in one month!

The best I've seen are dealing with the threats by:

* Improving awareness among their people

* Improving the technology that they use to secure their networks

* Re-architecting their infrastructure to limit the damage from a 
  single hacker attack

Seth: What's your normal workday like? Do you spend a lot of time

Steven: There's no such thing as a normal workday for me! I'm devoting
my efforts to growing CyanLine [3], my new company which is focused on
"untethered" security.

Seth: What are some of your favorite security books?

* Firewalls and Internet Security: Repelling the Wily Hacker by 
  William Cheswick, Steven M. Bellovin, and Aviel D. Rubin 
  (Addison-Wesley, 2003, ISBN 020163466X)

* Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage 
  by Cliff Stoll (Pocket, 2000, ISBN 0743411463)

* Masters of Deception: The Gang That Ruled Cyberspace by Michelle 
  Slatalla and Joshua Quittner (Perennial, 1996)

Seth: Do you ever work with "Whitehat" hackers? What do you think of
this practice (hacking with the intention of bringing security holes
to light, without the intention to cause harm)?

Steven: I am a little uncomfortable with the term Whitehat hacker. I
love the computer security research community that has proven their
ability to discover weaknesses and bring them to light in a way that
doesn't cause harm. They're successful because they're self-policing
and they use peer review. Without these controls in place, it's hard
to ensure that you're truly not causing harm.

[1] http://www.amazon.com/exec/obidos/ASIN/0321218736/c4iorg
[2] http://www.sbranigan.com/stats/Aug-2004.html
[3] http://www.cyanline.com/
