
Crowd Sourcing Cyber Investigations: Untapped Potential or Risky Business?

For many years, law enforcement has turned to the public for help in identifying and tracking criminal suspects. This began with the famous WANTED posters and, as technology progressed, continued with television shows such as “America’s Most Wanted”. In today’s terms, law enforcement has been crowd sourcing its criminal investigations and manhunts, receiving leads on a criminal’s identity and whereabouts from the public when the normal course of the investigation did not produce them. Surprisingly, in a world where some members of the public have as much knowledge and as many resources at their disposal as the law enforcement investigators themselves, crowd sourcing is not done nearly enough. I’m talking, of course, about the world of cybercrime.

Not to belittle law enforcement investigators, but when it comes to cyber investigations the “public” is filled with white-hat hackers, security professionals, researchers and private investigators who have access to online investigation resources, closed security mailing lists, and more. While you can’t expect the public to assist in a victim’s autopsy, you can expect the security community to identify links between malicious websites or activities, or to link a known cybercriminal’s moniker to other nicknames he or she has used in the past. In at least some cybercrime investigations, some (or even a lot) of the information on the criminal is publicly available on the web in open source resources. Collecting this information is like assembling a puzzle, where one missing piece can make the difference between identifying the criminal’s real identity and reaching a dead end. That piece could be sitting in a small closed mailing list of security professionals, in a Google search query that has been overlooked, or even in a closed investigation done for a customer by a security firm.

The idea is not that far-fetched and has actually been attempted in the past. In September 2003, a German hacker named Axel Gembe managed to break into the internal network of game developer Valve and steal the source code of its highly anticipated game “Half-Life 2”, which was still under development, as well as other related intellectual property. Gabe Newell, CEO and co-founder of the company, turned not only to law enforcement but also to the fans in the hope of identifying the perpetrator. Newell posted a message in the game’s forums confirming the breach, providing a few details of what had happened, and asking the community to share any leads they had. The community’s involvement did not produce the coveted breakthrough in the investigation; it was only after the hacker approached Newell on his own initiative that he was arrested.

Perhaps a more recent example, and one more relevant to the abilities of the crowd in cybercrime investigations, is the recent Sony breach. The breach was followed by a lot of misinformation, stemming from unverified claims made in the underground. These claims included details of what was supposedly stolen, who did it and also a censored chat log of the alleged hackers. Several days later, Wired’s security blog “Threat Level” reported that “armchair cybersleuths on the trail of the PlayStation Network hackers” had not only found an uncensored version of the chat logs, but had also identified the real identity behind one of the nicknames in the chat, “Trixter”. The identity of another member, “SKFU”, was also implied.

Multiple other examples can be found in the opposite camp: the cybercriminals themselves. Fraudsters traditionally out members of their communities who rip them off, going as far as posting those members’ real identities in the open, including name, address and even pictures. The “Anonymous” group provides yet another example. In early May, one member of “Anonymous” attempted a coup in order to crown himself leader of the group. To do so, the member, “Ryan”, launched DDoS attacks on resources used by the group. This caused a split within the group, as “Ryan” had a couple of domains used by “Anonymous” under his control. In a counter-strike, the opposing party managed to gain control over Ryan’s domains and used them to post his real-life identity information for all to see, including name, address, possible mobile number, host name, e-mail, aliases, Skype and PayPal accounts. It was the other members’ close familiarity with “Ryan” up until the attempted coup that enabled them to obtain and share so much information about his alleged identity.

Of course, sharing information from an ongoing investigation is not without its problems, so law enforcement would likely use this tactic as a last resort when an investigation has reached a dead end. The “public” could take the IP addresses, domains, e-mail addresses, known monikers and other case-related information uncovered in the traditional investigation, and use it to extract additional leads. This is not much different from the WANTED posters, where the public receives information about the suspect’s physical appearance and last known whereabouts and is asked to share any information it has.

A community-driven cyber investigation would face a big challenge in managing the information. On one hand, the bigger the community, the better the chances of obtaining new leads. On the other, a bigger community also means a better chance that a black hat, or even the criminal himself, will have access to the investigation and be able to manipulate data or submit false information. Without proper controls, the criminal could know how close his or her pursuers are and, unlike in the real world, take measures to cover the digital tracks. Additionally, many connections are not exactly black and white. Some links between online resources are circumstantial: a domain with a similar name, a shared hosting provider, and so on. Without proper guidance and verification of the information, the community can go after the wrong person and get completely off track. Finally, there is a line that most law enforcement officials do not cross. If a suspect’s e-mail address and password are obtained during an investigation, they will go through due process to gain permission to access the e-mail and its contents. Certain community members may not be so scrupulous, and such actions can have serious ramifications.

There are certain closed circles today in which law enforcement agencies and the security industry discuss cybercriminal activities. However, these discussions are not the same as the mass-distributed WANTED posters of real-world criminals. Crowd sourcing investigations is just one method by which agencies could harness the power of the web and its population, which remains an untapped resource today. For this to happen, law enforcement agencies will have to open up and share additional information, not only with the security industry, but with the rest of the world.

Idan Aharoni is the Head of Cyber Intelligence for the FraudAction Intelligence team at RSA, where he is responsible for gathering, analyzing and reporting intelligence findings on cybercrime and fraud activity. Mr. Aharoni joined Cyota (later acquired by RSA) in February 2005 as an analyst at the Anti-Fraud Command Center. During his time there, he founded the FraudAction Intelligence team, which he leads today. Drawing on his work at the Anti-Fraud Command Center, as well as the unique insight gained from the intelligence and discoveries gathered by his team, Mr. Aharoni offers extensive expertise on the underground fraud economy and how cybercriminals operate.