Covering Their Tracks
By Deborah Gage | Posted 2005-03-07
Crime is now organized on the Internet. Operating in the anonymity of cyberspace, the Shadowcrew and Web mobs like it threaten the trust companies have spent years trying to build with customers, online.
Covering Their Tracks
While the actions of some Shadowcrew operators were witnessed and others were recorded by wiretap devices the Secret Service used to monitor the group's data traffic, the Shadowcrew tried to hide what it was doing.
For instance, Shadowcrew members used a free software program called Trillian to encrypt the instant messages they sent over the normally wide-open Internet Relay Chat service or America Online's ICQ.
The group also used "proxy" servers to make their online activities hard to trace. A proxy sits between a sending and a receiving server. When someone accesses a Web site through a proxy server, the site records the Internet Protocol (IP) address of the proxy, not the IP address of the computer that initiated the original Web request.
That has the effect of hiding the IP address of a computer making a Web page request. Hackers tend to break into computers where there's a constant turnover of new users—think hotels or universities—and send their Web page requests through those machines.
The use of proxies was often augmented by "anonymizers," according to court documents. One type: a virtual private network that lets many computers connect to it at the same time. They all share one IP address, and if a person tries to trace a page request, he finds the IP address of the VPN, not the computer that initiated the session.
The combination of instant messaging, proxy servers and anonymizers, says Steve Orrin, vice president of technology at security software supplier Watchfire, "is definitely the measure that you would take if you wanted to hide your activities."
The combination also made the Shadowcrew confident, maybe overconfident, about its ability to escape detection.
But the Secret Service had a couple of aces in the hole as it began to dig in 2003. One was its ability to override the VPN defense.
On the Secret Service-operated VPN that many of the Shadowcrew defendants used, the agency filtered traffic through software that could "trap and trace" its contents—basically capturing a message and stripping out and recording the sender's IP address.
Then, using the publicly available Whois database, they could map those IP addresses back to the Internet service provider that owned and assigned the numbers. The provider would then be served with a subpoena that required it to disclose customer records and billing addresses.
A second ace was a court-approved wiretap. Law-enforcement officials and Appleyard's lawyer both confirm that the Secret Service won a court order to use a wiretap to pick up and record electronic messages between Shadowcrew members. Frazzini says most electronic wiretaps are software monitors placed on the servers of an Internet service.
But the biggest break was securing the confidential informant, whom the Secret Service refuses to identify. "They can get to you fairly easily," says Johnson of Web mobs once they, like the Mafia, spot a rat.
The Secret Service, however, had strokes of bad luck as well. In fact, the investigation was nearly compromised three months before the agency moved to shut down the Shadowcrew.
Nicolas Jacobsen, a vendor also known as Ethics, hacked into a database belonging to T-Mobile to grab information on T-Mobile's customers and offered it for sale on a bulletin board called Muzzfuzz.com, according to an affidavit filed by the Secret Service in U.S. District Court in Los Angeles.
Along the way, he stumbled onto an e-mail account belonging to Peter Cavicchia, one of the Secret Service's top cybersecurity agents.