EU cybercop: Europe battles insiders-turned-hackers

03/08/2003 Written by Dan Verton

The security adviser for the European Electronic Crimes Task Force (EECTF) in Milan, Italy, warned last week that Europe is dealing with a growing problem that has already had ramifications for governments and businesses around the world: insiders who become hackers for profit.

“The ‘gray hat’ phenomenon is growing in Europe,” says Dario Forte, referring to people employed as security consultants who also engage in criminal computer hacking.

“Companies should increase screening and control of IT personnel. And customers should think twice before leaving their IT systems in the hands of contractors.”

Forte, who prior to joining the EECTF was the director of the Italian financial police, spoke at the Black Hat security conference here.

He outlined a recent investigation into an Italian hacker group known as the Reservoir Dogs. Of the 14 members arrested last August by the Italian financial police in what became known as Operation Rootkit, 10 were employed as security experts and four were minors. The group was responsible for a series of hacking incidents that spanned the globe and included the likes of NASA, the US Army and Navy and various financial companies in the US and abroad.

“Some were working as information security managers in big consulting firms and Internet service providers, even Italian branches of US companies,” says Forte. “They were white hats by day and black hats by night.”

Because the case is still open, Forte couldn’t name the companies involved. However, he did say that Operation Rootkit involved investigations into more than 1,000 compromised systems in the US and Europe, including 100 US military and government systems. Law enforcement officials from the US and Europe seized more than 40 computers belonging to the hackers, as well as nearly a terabyte worth of evidence that included hundreds of stolen credit card numbers.

The Reservoir Dogs, led by a hacker known as Pentoz, employed internal communications methods similar to those used by organised crime rings, such as encrypted Internet Relay Chat sessions, secure shell and IPv6 tunnels, says Forte. In addition, “they used compromised machines for one single criminal act and then they burned it (clean of evidence),” he says.

In addition to using a compromised University of Pennsylvania system to launch attacks, the group also took control of a corporate Web server in Germany and used it to attack US Army systems. Working with the US Army’s Criminal Investigation Division, Forte was able to trace many of the attacks back to a flat-rate dial-up service in Italy that was used by members of the group.

“Without international cooperation, it wouldn’t have been possible to achieve a good correlation of events,” says Forte.

In a more recent case, dubbed the Cyprus Credit Card Case, Forte was notified that the leader of a worldwide credit card trafficking ring had been arrested in Cyprus. The EECTF was able to arrange for the travel of both the evidence and the police officers involved in the case to its forensic lab in Italy. Once there, the EECTF conducted a forensic examination that recovered enough evidence to keep the defendants in jail until a more complete investigation could be carried out in the US.
