Cyber attacks and warfare are among the greatest threats to the United States. The federal government and private industry spend billions of dollars every year in people and technology to defend critical systems and data. Our cyber defenders must stop the threat every time an intrusion attempt is made, but our adversaries only have to get it right once. Daily media reports of cyber breaches, loss of personal information, disclosure of classified information, and state-sponsored advanced persistent threats (APTs) fill the headlines.
Government agencies and the private sector are attacked literally every hour of every day by unskilled hackers probing for any vulnerability they can find. The real concerns, however, are organized crime rings and foreign countries that have armies of highly skilled attackers with the financial backing and patience to get into networks and stay inside once they have created an opening. These organizations will pay developers thousands of dollars to create custom malware, often referred to as “zero day” attacks, that slips past defense-in-depth network security systems and exploits computers because those systems have never seen the new threat before and don’t know to stop it.
A common tactic used by attackers is to obfuscate their Internet Protocol (IP) address, making it more difficult to trace illegal activity back to them and to put blocks in place on network devices such as firewalls or routers. One way this obfuscation occurs is when an attacker hijacks another computer and then uses that hijacked computer to carry out their criminal activity. These hijacked computers are often referred to as “jump points.” When an attacker works through a jump point, the jump point, not the attacker’s own machine, appears to be the source of the attack.
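From a defender’s side, a jump point leaves a recognizable trace in network logs: an internal machine first accepts an inbound remote-access connection from an outside address and, shortly afterwards, starts making its own remote-access connections out to other networks. The script below is an added example, not part of the original article; the log format, the internal address ranges, the port list, the 24-hour correlation window and the sample log lines are all constructed for illustration.

```python
"""Flag internal hosts that may be acting as "jump points" for an outside
attacker.  Added illustration, not code from the article: the flow-log
format, address ranges, port list, time window and sample lines below are
constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Assumed: address space that belongs to the organization being defended.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Assumed: remote-access services an attacker would use to hop onward.
ADMIN_PORTS = {22, 3389, 5900}
# Assumed: how long after an inbound connection we still consider outbound
# remote-access traffic from the same host suspicious.
WINDOW = timedelta(hours=24)


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of our own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<ISO time> <src>:<sport> -> <dst>:<dport>'."""
    ts, src, _, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(datetime.fromisoformat(ts), src_ip, dst_ip, int(dport))


def find_jump_points(lines):
    """Return {internal_host: {"inbound_from": ext_ip, "outbound_to": [ext_ip, ...]}}
    for hosts that accepted an inbound admin-port connection from outside and
    then opened outbound admin-port connections to outside within WINDOW."""
    flows = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda f: f.ts)
    first_inbound = {}   # internal host -> (timestamp, external source)
    findings = {}
    for f in flows:
        if f.dport not in ADMIN_PORTS:
            continue                       # ordinary traffic, ignore
        if not is_internal(f.src) and is_internal(f.dst):
            # Outside -> inside: remember the first such connection per host.
            first_inbound.setdefault(f.dst, (f.ts, f.src))
        elif is_internal(f.src) and not is_internal(f.dst):
            # Inside -> outside on an admin port: suspicious only if this host
            # was itself reached from outside recently.
            hit = first_inbound.get(f.src)
            if hit and timedelta(0) <= f.ts - hit[0] <= WINDOW:
                entry = findings.setdefault(
                    f.src, {"inbound_from": hit[1], "outbound_to": []})
                entry["outbound_to"].append(f.dst)
    return findings


# Constructed sample log: 10.0.0.7 is reached over RDP from outside, then
# starts RDP-ing out to another network; 10.0.0.9 had an inbound SSH session
# ten days earlier, outside the window, so its outbound SSH is not flagged.
SAMPLE_LOG = [
    "2024-02-20T08:00:00 203.0.113.77:4000 -> 10.0.0.9:22",
    "2024-03-01T09:58:00 203.0.113.5:51000 -> 10.0.0.7:3389",
    "2024-03-01T10:05:00 10.0.0.7:49321 -> 198.51.100.20:3389",
    "2024-03-01T10:06:00 10.0.0.8:49322 -> 198.51.100.9:443",
    "2024-03-01T11:00:00 10.0.0.9:52000 -> 198.51.100.30:22",
]

if __name__ == "__main__":
    for host, info in find_jump_points(SAMPLE_LOG).items():
        print(f"{host}: reached from {info['inbound_from']}, "
              f"then connected out to {', '.join(info['outbound_to'])}")
```

The point of correlating the two directions is the one the article makes: a block list built from the apparent source address would stop at 10.0.0.7, while the inbound record shows where the session actually originated. In practice the candidate list is a starting point for an analyst, since legitimate administrators also log in remotely and then manage other sites.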
When I was in law enforcement I investigated a case just like what was described above. An organized crime ring found a vulnerable computer in the Pacific Northwest that they exploited and took control over, making it their jump point. The attacker then used this jump point to exploit another computer that belonged to an employee of a medical facility. Once the medical center computer was compromised, the attacker proceeded to obtain the credentials necessary to drain tens of thousands of dollars from the medical center’s bank account.
During the investigation, an IP address was identified as the source of this attack. I obtained a subpoena for the Internet Service Provider (ISP), which held that IP address and discovered it was assigned to an elderly couple in a nearby state at the time of this attack. A search warrant was obtained for their residence and law enforcement seized their computer and sent it to us for analysis. In short, we discovered that this unfortunate elderly couple had nothing to do with this attack except for providing a high-speed Internet connection and vulnerable computer to the attacker. We were never able to identify the attacker in this case.
The case highlighted above was financially motivated, but it could just as easily have been an attacker using this jump point to hack into national security information or the energy infrastructure. There are some easy steps any computer owner can take to harden their systems against becoming an unwitting accomplice to a cyber-terrorist. Some of the steps computer users can take to protect themselves and the country include:
- Always have anti-virus software installed and updated daily with the latest definitions.
- Install operating system security patches and updates.
- Keep third-party software applications updated.
- If using WiFi at home, ensure it is protected with encryption and consider other steps such as MAC address filtering and hiding the SSID.
- Turn off your computer and/or Internet connection if away for an extended amount of time.
- Use a firewall (software or hardware).
- Don’t click on links embedded in email messages when they are suspicious or untrusted.
- Use strong passwords and don’t re-use them (e.g., don’t use the same password to log in to your computer as you do for your email and Internet banking).
- Use encryption on all your devices when available.
Everyone should practice these and other information security steps to protect themselves from becoming a victim of identity theft, financial fraud, forgery, and other criminal activity. Reducing the number of exploitable computers within the United States protects our citizens and our nation from this type of cyber attack.
* * *
Josh Moulin has a long history of public service, beginning in 1993 as a Firefighter and EMT. After eight years of working assignments including suppression, prevention, training, and transport ambulance, Josh left the fire service with the rank of Lieutenant when he was hired as a police officer.
Josh spent the next eleven years in law enforcement working various assignments. Josh worked as a patrol officer, field training officer, arson investigator, detective, forensic computer examiner, sergeant, lieutenant, and task force commander.
The last seven years of Josh’s law enforcement career was spent as the commander of a regional, multi-jurisdictional, federal cyber crime task force. Josh oversaw cyber crime investigations and digital forensic examinations for over 50 local, state, and federal law enforcement agencies. Under Josh’s leadership, the forensics lab was accredited by the American Society of Crime Lab Directors / Laboratory Accreditation Board (ASCLD/LAB) in 2009.
Josh has been recognized as a national expert in the field of digital evidence and cyber crime and speaks across the nation on various topics. He has testified as an expert witness in digital forensics and cyber crime in both state and federal court on several occasions. He also holds a variety of digital forensic and law enforcement certifications, has an associate’s degree and graduated summa cum laude with his bachelor’s degree.
In 2012 Josh left law enforcement to pursue a full-time career in cyber security, incident response, and forensics supporting a national security federal agency. Josh now leads the Monitor and Control Team of a Cyber Security Office, and his team is responsible for daily cyber security operations such as incident response, digital forensics, network monitoring, and log analysis. Josh also holds an active Top Secret security clearance.
Josh is happy to answer questions for authors and can be contacted at: