This story was printed from ZDNet Australia.
Meet the world's baddest cyber cops

By John Galvin, Special to ZDNet
September 26, 2001
URL: http://www.zdnet.com.au/news/security/soa/Meet-the-world-s-baddest-cyber-cops/0,130061744,120260720,00.htm


They're not the feds, but they're taking down hackers, organised criminals, script kiddies, and other threats to your company. A report from the front lines.

For Charles Neal, a 20-year veteran of the FBI, Mafiaboy was the watershed case for cybercrime. On Monday, February 7, 2000, a 15-year-old from suburban Montreal with the online moniker Mafiaboy launched a weeklong Internet attack on Yahoo, CNN.com, Amazon.com, eBay, Dell, Buy.com, and several others, causing losses estimated in the millions.

The hacker hit the companies with what is now commonly known as a distributed denial-of-service attack, which flooded the victims' Internet servers with messages until they collapsed. The teen later told investigators in a taped interview that when he saw the chaos his attack caused he almost wet his pants.

Mafiaboy was not a sophisticated hacker. He begged the software (now widely available on several Internet hacker sites) from other hackers and then used it to break into and gain root access to more than 50 servers, most of them located at American universities. He then used those servers to launch his assault.

That morning, calls began coming into Neal's office at the FBI's Los Angeles computer intrusion squad, a group he formed in 1995 that had investigated computer-crime cases including those of Kevin Mitnick and the Solar Sunrise attacks against the Pentagon. Neal sent an agent to the data centre of Exodus Communications, one of the world's largest IP networks, whose corporate customers include many of Mafiaboy's victims. Neal wanted to see what Exodus's server logs would reveal about the attacks.

The agent showed up at Exodus but was turned away and told not to come back without a subpoena. The high-tech industry has developed an almost institutional fear of bad publicity, reasoning that covering up attacks is better than letting FBI agents poke around their systems and launch a very public investigation.

When Neal found out, he was apoplectic. "These were their clients!" he says. He finally reached Exodus's chief security officer, Bill Hancock, who had started work that day. "I said, 'Bill Hancock! This is Charles Neal of the FBI and you have some very rude people working for you!' " Hancock, who had met Neal at security conferences, told him, "That's all going to change today."

Neal's team soon began poring over Exodus's logs, ultimately tracing the attacks to Mafiaboy's home computer. Jill Knesek, the case agent, then flew to Montreal where the Royal Canadian Mounted Police were placing a phone tap on Mafiaboy's house. "There were two kids in the house," remembers Knesek. "And we had to figure out which was actually doing the attacks."

What made Mafiaboy so important? It proved to Neal that anybody, even someone with very limited talent, could launch a massive cyberattack. And while Mafiaboy primarily targeted dot-coms, almost every company, and maybe your home, is now online and networked to some extent. The case exposed two trends in cybercrime: The weapons are becoming increasingly easy to use, and the pool of potential victims is expanding.

Neal also concluded that maybe the FBI wasn't the best way to combat cybercrime. Had Mafiaboy been smart enough to route his attacks through an offshore country, as most experienced hackers do, Neal's investigation would have been over. "Once it goes overseas it's dead," says Neal. "The FBI can't, by law, investigate any further. If we even want to call a police department overseas we have to call our State Department, which calls the people over there, and on down. It can take months! And we don't have that much time in these cases."

That March, then-FBI director Louis Freeh flew to Los Angeles to award Neal his 20-year pin. Two months later, Neal, with seven years left until mandatory retirement, resigned from the bureau. He wanted to form a new computer-crime squad, one with a global reach that was part of the private sector, staffed with law-enforcement veterans and technologists. The idea was to respond to cyberattacks, but also to pursue hackers, whether organised criminals, script kiddies (amateurs like Mafiaboy), competing companies, or even foreign countries, as it would any legal case. Neal envisioned changing the way companies approach cybercrime, encouraging them to seek prosecution instead of living in terminal fear of bad publicity.

He landed at Exodus Communications.

The hole in the Internet


Companies that don't actively protect themselves against hackers are at fault for making their networks easy prey.

Cybercrime is, as Neal puts it, "a growth business," but it remains largely unreported. The most comprehensive study on the subject is the 2001 Computer Crime and Security Survey conducted by the Computer Security Institute and the FBI's San Francisco office. The study revealed that 47 percent of the companies surveyed had their systems penetrated from outside. A full 90 percent reported at least some form of electronic vandalism, and 13 percent reported stolen transaction information (personal data and credit card numbers, for example).

The statistic most overlooked in the CSI survey, however, is that only 14 percent of the companies queried even responded. "I get these people asking me, 'What can we do to stop this?' " Neal says in total exasperation. "I tell them, 'Well why don't you start reporting it? Answer the survey!' "

Few dispute the fact that cybercrime statistics are underreported. "I have a saying," says Bill Swallow, a former special agent with the Department of Defense's Defense Criminal Investigative Service who participated in the first undercover operation in which federal agents posed as hackers. "If it's not hardened [protected], it's hacked. And it's getting worse. The type of automation that is going on is scary." Swallow is talking about May's cyberwar between Chinese and U.S. hackers in which a group called the Honker Union of China unleashed an automated program that scanned the Internet for sites with a particular technical weakness. It took over those Web pages and defaced them with messages like "Beat down Imperialism of American!"

Automation, Swallow argues, is the future of cybercrime, and it will open it up to all sorts of groups, from hacktivists to career criminals and even terrorists. Most attacks could be thwarted easily if tech staff more diligently downloaded and applied software patches. A patch to fix one of the holes that the Honker Union of China attacks preyed on, for example, has been available for three years.

"You want to hear something really incredible?" Swallow asks. "Today, more than half of the boxes that are compromised are NT or Windows 2000 servers, and most of that is done with an exploit called Unicode. The patch for that has been out since last October!

"You've got to continually update your security," he adds. "But these IS guys are the busiest guys in the whole company and their first job is to just make sure that their server doesn't crash."

This raises the question: Is the information these servers hold really worth protecting? "It's everything that's in your company," sighs Swallow. "If somebody gets 'root' they can see it all: e-mail, personal information, Social Security numbers, company secrets, whatever. I can tell you there is a concerted effort to steal credit card numbers. I've seen intellectual property theft and corporate espionage, and we've started seeing indications of organised crime on the Web. The problem is huge."
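The "Unicode" exploit Swallow refers to is, by the editor's reading, the IIS folder-traversal bug Microsoft patched in October 2000 (bulletin MS00-078): an overlong UTF-8 encoding such as %c0%af was accepted by the server as a "/" after its path check had already run, so a request for "..%c0%af.." escaped the web root. The article itself does not describe the mechanism. The following detector is an added example, not code from the article or from Exodus. It runs over constructed IIS-style log lines, decodes percent-encoding, double-encoding and overlong UTF-8 the way a lax server would, and flags any request that resolves to a ".." path segment, which is the check the automated scanners of the time were relying on nobody having made.

```python
from __future__ import annotations

import re
import urllib.parse

# Constructed IIS-style log lines (date time client-ip method uri status); not from the article.
SAMPLE_LOG = """\
2001-05-01 10:00:01 10.0.0.5 GET /default.htm 200
2001-05-01 10:00:07 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 200
2001-05-01 10:00:09 10.0.0.9 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir 200
2001-05-01 10:00:12 10.0.0.7 GET /images/logo.gif 200
2001-05-01 10:00:15 10.0.0.9 GET /msadc/..%255c../winnt/system32/cmd.exe?/c+dir 404
"""

# 0xC0/0xC1 can only begin an overlong 2-byte sequence; 0xE0 followed by 0x80..0x9F is an
# overlong 3-byte sequence. A strict UTF-8 decoder rejects both; IIS of the day did not.
OVERLONG = re.compile(rb"[\xc0\xc1]|\xe0[\x80-\x9f]")


def lenient_utf8(data: bytes) -> str:
    """Decode like a lax server: accept overlong forms instead of rejecting them."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < n and all(0x80 <= data[j] <= 0xBF for j in (i + 1, i + 2)):
            out.append(chr(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)))
            i += 3
        else:
            out.append(chr(b))  # stray byte: keep it as a Latin-1 character
            i += 1
    return "".join(out)


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (catches %255c -> %5c -> backslash) and unify separators."""
    cur = raw
    for _ in range(max_rounds):
        decoded = lenient_utf8(urllib.parse.unquote_to_bytes(cur))
        if decoded == cur:
            break
        cur = decoded
    return cur.replace("\\", "/")


def classify(raw_uri: str) -> list[str]:
    """Reasons a request URI looks like an encoded traversal attempt (empty list if clean)."""
    reasons = []
    once = urllib.parse.unquote_to_bytes(raw_uri)
    if OVERLONG.search(once):
        reasons.append("overlong-utf8")
    norm = normalize_path(raw_uri)
    if norm != lenient_utf8(once).replace("\\", "/"):
        reasons.append("double-encoding")
    path = norm.split("?", 1)[0]
    if ".." in path.split("/"):
        reasons.append("traversal")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Run classify() over each log line and collect the suspicious requests."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        client, uri = fields[2], fields[4]
        reasons = classify(uri)
        if reasons:
            findings.append({"client": client, "uri": uri,
                             "normalized": normalize_path(uri), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], ",".join(hit["reasons"]), hit["normalized"])
```

The point of normalising before matching is that a signature for the literal string "../" sees nothing in any of the three attack lines above; only after decoding do they all collapse to the same "/../../winnt/system32/cmd.exe" request. The status code is deliberately ignored: the 404 on the last line is still a scan worth logging, and with the patch missing it would have been a 200.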

Crime squad for hire


Charles Neal's specialised cyberdetective team bodyguards the systems of Exodus's clients.

The Exodus data centre in California, one of 43 worldwide, sits utterly undistinguished amid the sprawl fanning out from Los Angeles International Airport. The company's name doesn't even appear on the building, but the unassuming facade, which is wrapped in bulletproof Kevlar, belies its extremely high security, almost to the point of paranoia.

Inside, a biometric hand scanner, another layer of bulletproof glass, two Pinkerton security guards, and a 500-pound door block access to 66,000 climate-controlled square feet of Internet servers, the online backbones of Exodus clients like Best Buy, eBay, KPMG Consulting, British Airways, Virgin, Merrill Lynch, Yahoo, and some 4,500 other customers. It's estimated that as many as one-third of all Internet clicks pass through Exodus servers. In a real sense what's behind that 500-pound door is, well, the Internet.

If Exodus is the Internet, then Neal's Cyber Attack Tiger Team, or CATT, aspires to be the Internet's detectives. The group aims to sell managed security services to Exodus's clients. So far it's signed up more than 250 of the most security-conscious among them.

CATT's thesis is relatively simple: Internet security is complex. If you have poor security, you will be hacked. If you have the latest security hardware but don't use it properly, you will be hacked. Furthermore, if you are hacked, and you do nothing about it, you will be sued.

For roughly US$5,000 a month (the price varies widely depending on a company's needs and size), a CATT infrastructure team installs a "content integrity monitoring system" on the client's servers. The CIMS can tell if key data (the password file, for example) is ever altered. An unexpected change probably means a hacker has breached the system, which pages one of CATT's incident responders, who then immediately sets to work ejecting the intruder. At the same time, the team starts investigating where the hack originated, what systems the hacker used, and exactly who it is. Meanwhile, an intelligence group monitors hacker sites, interviews insiders, and lurks undercover in hacker chat rooms.
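The article does not say how Exodus's CIMS works internally; the minimal version of the idea is a keyed-hash baseline of the files you care about, re-taken on a schedule and compared. The following is an added example by the editor, not Exodus's product or any code from the article. It keys the digests with HMAC so that an intruder who has already gained root cannot simply recompute plain hashes over the files he changed and rewrite the baseline to match, and it seals the baseline itself for the same reason. The file tree, the key and the "intruder" edits are all constructed inline; in practice the key and the baseline live off the monitored host.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def file_digest(path: Path, key: bytes) -> str:
    """Keyed digest of a file's contents; without the key an intruder cannot forge a matching entry."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def take_baseline(root: Path, key: bytes) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its keyed digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p, key)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def seal(baseline: dict[str, str], key: bytes) -> str:
    """Sign the baseline itself, so a tampered baseline file is detected rather than trusted."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_seal(baseline: dict[str, str], tag: str, key: bytes) -> bool:
    return hmac.compare_digest(seal(baseline, key), tag)


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """What changed since the baseline; any non-empty list is a reason to page a responder."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny tree, simulate an intruder, compare."""
    key = os.urandom(32)  # assumption: generated and kept off the monitored host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "inetd.conf").write_text("ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n")
        baseline = take_baseline(root, key)
        tag = seal(baseline, key)

        # Intruder with root adds a second uid-0 account and drops a backdoor listener.
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\nsvc:x:0:0::/:/bin/sh\n")
        (root / "etc" / "rc.local").write_text("nc -l -p 31337 -e /bin/sh &\n")

        if not verify_seal(baseline, tag, key):
            raise RuntimeError("baseline tampered with; do not trust the comparison")
        return compare(baseline, take_baseline(root, key))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would add: modification times are deliberately not consulted, because root can set them to anything, and a root-level intruder can also stop or subvert the monitor itself, which is why the page's model pairs the alert with a human responder rather than treating the monitor as a control on its own.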

One of Neal's first hires at Exodus was Swallow. He then tapped Knesek, the Mafiaboy case agent, and Mitch Dembin, an assistant U.S. attorney. Dembin's job, in part, is to make sure that evidence and investigations are handled legally, so that if companies want to pursue the hackers criminally the case is ready-made: just add a prosecutor.

But Neal's team has been less than successful at persuading companies to take legal action. It is working with the FBI on no more than a half-dozen cases. "That's been one of our major disappointments," Dembin says. "Companies aren't looking at these issues the right way. They just want us to kick [hackers] out. But then we start asking them, what if it's an employee? What if it's a former employee? Then they start to get a little interested. But by far the majority just want us to kick the people off."

Want to Prosecute?

Not every company can afford the services of an expert, but more companies want to prosecute cybercriminals or sue for damages. Some tips from Exodus's Bill Hancock on supporting your case.

  • Determine "investigatability."
    If you can't pinpoint where the attack came from, you have no case. If you do not keep log data from your servers, there is no evidence. And if you can't match the specific attack to a financial loss, you won't have a case in most courts.
  • Assess damage in dollar values.
    Look at the cost of the personnel needed to fix the problem, loss of productivity, loss of customers, slowdown or stoppage in manufacturing or creating your product or service, and loss of revenue due to bad publicity.

The case file


When your company stands to lose an expensive lawsuit or a lucrative contract, the cost of not securing your data comes into focus.

Neal sits in his spartan office above the El Segundo data centre. He wants to talk about the cases they're investigating to shed light on the problem, and on his group, but he doesn't want to fuel corporate paranoia about bad publicity. So he agrees to talk without mentioning clients' names.

Neal admits that much of the cybercrime involves teenagers: "It's true, we get busy from Friday after school to Monday morning." But he says it's the sheer volume of hacking and criminal activity that is more shocking. "I knew that this was being underreported when I was at the FBI," he says. "But I didn't realise by how much until I came here."

It isn't all about teen geeks. Neal's first case at Exodus centred on a European client in a lawsuit with a competitor. In court one day the competitors showed up with a thick stack of e-mail messages from Exodus's client that they claimed had been mailed to them anonymously. In truth the competitor had hired a hacker to break into Exodus's client's network and steal its e-mail database. The hacker-for-hire, whom Neal interviewed later, ultimately came forward because he felt underpaid for his services.

Before he left the FBI, Neal worked a case in which a high-level executive was fired. While negotiating his severance package the executive broke into his former employer's server and viewed every document related to his termination. "At the negotiations this guy knew everything," Neal says, "and they couldn't figure it out."

This past spring, a high-tech client in California was in the running for a large contract that promised to make or break its business. Company executives detected something suspicious on their networks and contacted Exodus. Neal's group ran forensic tests on the client's servers to find that its primary competitor for the contract had broken into the network to steal trade secrets. "On that one," Neal says, sounding relieved, "we are working with the FBI."

On Guard

Why don't companies have better security? Because it's not easy, and it's expensive. A strategy for protecting your company from the security pros at Exodus.

  • Define what's important.
    You can't secure every machine, because it's too expensive. Pinpoint your most important assets: the information you don't want anyone else to have.
  • Guard it heavily.
    You must have actively managed firewall and intrusion detection systems. Check www.securityfocus.com for a useful list of security tools, some of which are free.
  • Develop a policy and enforce it.
    The most basic security policy that Charles Neal encourages is requiring strong passwords for network access (at least eight characters, and no dictionary words): "There are programs that can find a word in a few minutes." You'll find prewritten security policies at www.baselinesoft.com.
  • Keep your security current.
    "Apply new patches!" barks Bill Swallow. If your tech guys are overburdened, hire somebody else to do it.
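Neal's "no words" rule is the one item in the list above that can be checked mechanically, and the reason for it can be demonstrated. The following is an added example by the editor, not code from the article or from Exodus: a dictionary attack with the cheap mangling rules crackers try first (case changes, trailing digits) over a constructed six-word list, beside a policy check that rejects exactly the passwords that attack would recover. Salted SHA-256 stands in for whatever the real password store uses; that choice is an assumption and does not affect the point.

```python
from __future__ import annotations

import hashlib
from typing import Iterator, Optional

# Constructed tiny wordlist; a real attack uses lists of hundreds of thousands of words.
WORDLIST = ["password", "letmein", "exodus", "secret", "dragon", "welcome"]


def mangle(word: str) -> Iterator[str]:
    """The cheap variants a cracker tries first: case changes and a trailing number."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for n in range(100):
            yield f"{base}{n}"


def hash_password(salt: bytes, password: str) -> str:
    # Assumption: salted SHA-256 stands in for the real password store's hash.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack(salt: bytes, digest: str, wordlist: list[str]) -> Optional[str]:
    """Dictionary attack: return the password if a word or simple variant hashes to digest."""
    for word in wordlist:
        for candidate in mangle(word):
            if hash_password(salt, candidate) == digest:
                return candidate
    return None


def check_policy(password: str, wordlist: list[str]) -> list[str]:
    """Neal's rule: at least eight characters and no words. Returns violations (empty if OK)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if any(candidate == password for word in wordlist for candidate in mangle(word)):
        problems.append("dictionary word or simple variant")
    return problems


if __name__ == "__main__":
    salt = b"NaCl"
    for pw in ("Password1", "dragon", "x7$Qm!2pLw"):
        cracked = crack(salt, hash_password(salt, pw), WORDLIST)
        print(f"{pw!r}: policy={check_policy(pw, WORDLIST)} cracked={cracked!r}")
```

"Password1" passes the eight-character test and still falls to the first word in the list with a single trailing digit, which is why the policy checks for mangled variants rather than exact matches. The random ten-character password survives the whole list, so for it the attacker is left with brute force.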

The lawyers are coming


It's not only your own company's security you need to worry about, but also the security of those you interface with.

Remember this scenario, because it will happen: A company comes under a cyberattack: theft of secrets, denial of service, or some other hack. After hiring an expensive consultant to handle damage control, the company goes looking for someone to blame. When it finds out that the attack came from another company's server, it sues. The first company's lawyer has a case, claiming that the second company's lax security left his client wide open to the attack.

"I think we are absolutely going to see something like that happen," says Mitch Dembin, who as an assistant U.S. attorney specialised in cybercrime prosecution and is now a member of Exodus's CATT team. "We are just ahead of the curve on this issue, but it's coming," he says.

Dembin says, "The key to these cases will be establishing what is called a 'duty of care.' " That is, the minimum a company must do to secure its networks to keep hackers from using them to launch attacks. Companies that don't meet that will be considered negligent. "That's when companies are really going to start seeing the importance of security," Dembin says.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.