FIRST Conference - We can’t cope without you, Law Enforcers tell FIRST

Law enforcement agencies are unable to mount an effective fight against cyber-crime without help from outside emergency response and security teams.

WASHINGTON – LONDON – TOKYO – June 28, 2006. Law enforcement agencies are unable to mount an effective fight against cyber-crime without help from outside emergency response and security teams, top figures from the US Secret Service, FBI, Japan’s police force and Britain’s Serious Organised Crime Agency told a meeting yesterday [Tuesday June 27] at the FIRST conference in Baltimore, Maryland, USA.

FIRST (The Forum of Incident Response and Security Teams) agreed to set up a special interest group to enable Law Enforcers and CERTs to debate how to co-operate more closely against worms, viruses, phishing, botnets, and other criminal attacks.

"There’s never been a time before when law enforcers needed civilian computer emergency response team expertise so often and so much", said Yurie Ito of JPCERT/CC Japan, which already has a working relationship with Japan’s National Police Agency High Tech Crime Technology Division.

"This isn’t unlike the Da Vinci Code for real – cop turning to cryptographer and saying, I can’t unscramble this thing without you. Help me".

Erkan Chase of the FBI Criminal Computer Intrusion Unit described the Bureau’s transatlantic pursuit of the Moroccan and Turkish perpetrators whose MyTob worm attacked Windows 2000 last year and crippled, among thousands of systems, the New York Times and Disney networks.

That pursuit became break-neck when news of MyTob’s devastations hit the media and the perpetrators moved to erase or destroy evidence. Both were caught in a swift joint operation between the FBI, Turkish and Moroccan police, Microsoft and CERTs.

Mr Chase said it would have been impossible to make arrests in the limited time available without an alliance with CERTs and Microsoft.

Howard Lamb of the British police SOCA said: "We need your help – we need help from FIRST – because we do not have your skills. We need to be able to come to you and ask for your assistance."

Mr Lamb said SOCA would be working on a business case to join FIRST. The Japanese police HTCTD is already a part of the organisation – the first police force to join. Kenichi Aoyama, director, described the connection with FIRST as "vital" to the division’s drive against cyber-crime.

Both Chris Geary of the FBI and Robert Steinau of the US Secret Service stressed that they needed to draw on CERT knowledge and assistance in investigations where the agencies did not have the time, expertise or manpower to crack cases which haven’t gone anywhere… cases where the victims just don’t know what’s happening.

Jeffrey Carpenter of the CERT Co-ordination centre at Carnegie Mellon University told delegates that usually CERTs focused exclusively on the "what" and "how" of incidents, while Law Enforcers were conversely exercised by the "who" and "why" – although this was changing.

But Martijn [SIC] van der Heide, Security Officer at KPN-Netherlands pointed up differences of approach: "CERT teams want to solve problems right here, right now, if possible within ten minutes and be done with them. Law enforcers want to take more time to collect evidence, piece things together, and get an arrest."

"If there’s a botnet we want to take it down immediately. The law enforcement agencies might want to leave it for weeks or months to trace the culprit."

He added that closer and more formal collaborations posed questions of trust: "is it in one direction only? What do LEAs offer CERTs? What happens to our reports and data? Who uses them? For what purpose? Where do they go?"

Richard Painter, chairman of the G8 High Tech Crime group, which facilitated the LE-CERT liaison session, responded: "If people know that the consequence of an attack is not just that they are going to be shut down, but that they may go to jail, then surely that’s a plus?"

He promised to take CERT reservations to the G8 HTC group’s meeting in Moscow in November for further consideration.

Mike Caudill, FIRST’s chairman, said in wrapping the meeting: "The key issue is understanding between the two sides. There’s a keen interest in keeping the dialogue going, in working out what we need to do and ought to do; in establishing our expectations of each other and publishing what they are, and identifying, documenting and publishing success stories and keeping them fresh."

More about the FIRST Baltimore Conference at www.first.org/conference/2006

More about FIRST at http://www.first.org & http://www.first.org/about

FIRST hosts a Global Security News Feed at http://www.first.org/newsroom/globalsecurity

Wed, 28 Jun 2006 16:35:00 +0000
