- 1996 - "Gritón", Julio Cesar Ardita
This Argentine hacker, known as Griton, was sentenced in the United States to 3 years of probation and a fine of 5,000 dollars for disrupting military and university networks during 1995, when he was only 21 years old. At first glance he seems an ordinary person. But Julio César Ardita went down in history as the first Latin American hacker to be tried and convicted in the United States. In 1995 the young man tapped into Telecom's networks and from there managed to gain access to Harvard University, the United States Navy and the Pentagon itself.
FOR IMMEDIATE RELEASE CRM
FRIDAY, MARCH 29, 1996 (202) 616-2771
TDD (202) 514-1888
WASHINGTON, D.C. -- The first use of a court-ordered wiretap on a computer network led today to charges against an Argentine man accused of breaking into Harvard University's computers which he used as a staging point to crack into numerous computer sites including several belonging to the Department of Defense and NASA.
The wiretap, on the computer of Harvard's Faculty of Arts and Sciences during the last two months of 1995, resulted in the filing of a criminal complaint against 21-year-old Julio Cesar Ardita of Buenos Aires. An arrest warrant has been issued for Ardita.
Attorney General Janet Reno and United States Attorney Donald K. Stern of the District of Massachusetts said a wiretap order, typically employed to monitor telephone conversations of organized crime and drug suspects, was used to trace and identify the illegal intruder while preserving the confidentiality of legitimate communications.
The Attorney General said Ardita was believed to have illegally entered computer systems at additional U.S. universities, including Cal Tech, the University of Massachusetts, and Northeastern University, and sites in other countries such as Korea, Mexico, Taiwan, Chile and Brazil.
She said Ardita obtained access to computer systems containing important and sensitive information in government research files on satellites, radiation and energy related engineering. Ardita was not accused of obtaining classified information related to the national security.
The intruder was identified by using a specially configured monitoring computer that conducted the complex searches needed to isolate his activities. Law enforcement agencies have done electronic surveillance on computer systems in the past with the consent of the users. Court authorization was deemed necessary in this case because the Harvard computer system does not post a banner informing users who log onto the system that their communications might be monitored.
"This is an example of how the Fourth Amendment and a court order can be used to protect rights while adapting to modern technology," said Attorney General Reno. "This is doing it the right way," she said. "We are using a traditional court order and new technology to defeat a criminal, while protecting individual rights and Constitutional principles that are important to all Americans."
According to the complaint, the international hacker invaded the Harvard computer through a broadly accessible modem bank and the Internet, and there stole a series of accounts and passwords.
Using these stolen accounts as his base, Ardita gained unauthorized access to computers at various U.S. military sites across the country, including the Navy Research Laboratory, NASA's Jet Propulsion Laboratory and Ames Research Center, the Los Alamos National Laboratory and the Naval Command Control and Ocean Surveillance Center. He also tried repeatedly but unsuccessfully to enter the Army Research Laboratory computer system.
On December 28, 1995, Ardita's computer files and equipment were seized at his home in Buenos Aires by authorities acting on information supplied by Telecom Argentina which U.S. authorities had contacted for assistance in tracking the intruder.
"This is a case of cyber-sleuthing, a glimpse of what computer crime fighting will look like in the coming years," said U.S. Attorney Donald K. Stern. "We have made enormous strides in developing the investigative tools to track down individuals who misuse these vital computer networks."
The investigation consisted of three phases: First, in late August, 1995, the Naval Command and Control Ocean Surveillance Center detected an intrusion into its computer network, which contains sensitive, but not classified, Navy research files on such things as aircraft design, radar technology and satellite engineering. The intruder was discovered to have broken into other computer networks, as well, from the Harvard Faculty of Arts and Sciences (FAS Harvard) host computer. Initially, it was impossible to identify the intruder or where he was coming from. The FAS Harvard computer is widely accessible to approximately 16,500 account holders through modems and through the Internet, and the intruder was stealing and then using many different Harvard account holders' passwords.
However, according to the government's complaint, analysis of the intruder's electronic habits revealed certain patterns. The Naval Criminal Investigative Service did a painstaking analysis of the intruder's activities. Investigators were able to identify words and phrases used by the intruder not commonly used in the same manner by legitimate users of Harvard's network. The patterns included signature programs he used to intercept passwords, pirated accounts he used as a basis for his criminal activity, and sets of overlapping computer systems he seemed to break into and work through.
"These patterns of behavior provided us with a general description of the intruder -- we knew his modus operandi, his hangouts, his patterns of computer speech, the computer tools he used for his break-ins, and his disguises," said Stern.
In the second phase of the investigation, the Naval Criminal Investigative Service and the FBI obtained court authorization from a federal judge in Boston to conduct electronic surveillance of the intruder's communications to and from the FAS Harvard host computer.
"We intercepted only those communications which fit the pattern," explained Stern. "Even when communications contained the identifying pattern of the intruder, we limited our initial examination to 80 characters around the tell-tale sign to further protect the privacy of innocent communications."
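The minimization described above, sketched as an added example; it is not part of the press release and not the tool used in the investigation. The signatures and sessions are constructed stand-ins (the release does not publish the real search terms), and "80 characters around the tell-tale sign" is assumed to mean one 80-character window containing the hit.

```python
import re
from dataclasses import dataclass

WINDOW = 80  # characters examined around each hit, the figure given in the release

# Constructed stand-ins: the release does not publish the real search terms.
SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (r"\bgriton\b", r"\bpwgrab\b")]

# Constructed sample sessions (not real traffic).
SESSIONS = {
    "sess-001": "ls -l thesis/\nmail advisor < draft.txt\nlogout\n",
    "sess-002": "PRIVATE: grades for section B\n" + "cat notes.txt\n" * 12
                + "talk griton@host-b\n" + "ls\n" * 40,
}


@dataclass(frozen=True)
class Excerpt:
    session_id: str
    signature: str
    start: int
    end: int
    text: str


def window_bounds(length, hit_start, hit_end, window=WINDOW):
    """Return [start, end) of at most `window` characters that contains the hit."""
    pad = max(0, window - (hit_end - hit_start))
    start = max(0, hit_start - pad // 2)
    end = min(length, start + window)
    start = max(0, end - window)  # re-anchor when the hit sits near the end
    return start, end


def minimize(sessions, signatures=SIGNATURES, window=WINDOW):
    """Return only bounded excerpts around signature hits.

    Sessions without a hit produce nothing, so their content never reaches
    the reviewer; sessions with a hit expose `window` characters per hit.
    """
    excerpts = []
    for sid, text in sessions.items():
        seen = set()
        for sig in signatures:
            for m in sig.finditer(text):
                start, end = window_bounds(len(text), m.start(), m.end(), window)
                if (start, end) in seen:  # same window already queued
                    continue
                seen.add((start, end))
                excerpts.append(Excerpt(sid, sig.pattern, start, end, text[start:end]))
    return excerpts


def exposure(sessions, excerpts):
    """Upper bound on the fraction of captured characters a reviewer would see."""
    total = sum(len(t) for t in sessions.values())
    shown = sum(e.end - e.start for e in excerpts)
    return shown / total if total else 0.0


if __name__ == "__main__":
    found = minimize(SESSIONS)
    for e in found:
        print(f"{e.session_id} [{e.start}:{e.end}] {e.signature!r}: {e.text!r}")
    print(f"exposed {exposure(SESSIONS, found):.1%} of captured characters")
```

The session with no hit is never surfaced, and the unrelated line at the start of the matching session falls outside the window.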
During the course of this electronic surveillance, the intruder was observed referring to himself by the moniker "griton," which is Spanish for "screamer." He also was repeatedly observed accessing the FAS Harvard host computer from four computer systems in Buenos Aires.
In the third phase of the investigation, the Department of Justice confirmed the real identity of "griton." Among other things, investigators discovered that defendant Ardita had used the name "griton" years before on a computer bulletin board. That old bulletin board had been posted publicly on the Internet by its creator, and so was accessible to investigators. Ardita advertised his own hacker bulletin board, "Scream!," in his posting and listed a telephone number at his residence where the Scream! bulletin board could also be accessed. Records in the United States and Argentina were analyzed, which further confirmed Ardita's telephone line in Argentina was being used to unlawfully access the Harvard system.
In addition to facing U.S. felony charges, Ardita is under investigation in Argentina. The two governments have been exchanging information. "We will work with our foreign counterparts to achieve justice," said the Attorney General. "International teamwork is being applied to international crimes," she said.
In the United States, the charges are: fraudulent possession of unauthorized computer passwords, user identification names, codes and other access devices; destructive activity in connection with computers; and illegal interception of electronic communications. These are contained in a criminal complaint issued by U.S. Magistrate Judge Marianne Bowler.
"This case demonstrates that the real threat to computer privacy comes from unscrupulous intruders, not government investigators," said Attorney General Reno. She complimented the agents who worked on the case for developing procedures that assured that monitoring would be focused on the intruder's unlawful activities.
This case was investigated by Naval Criminal Investigative Service and the Federal Bureau of Investigation. Stephen P. Heymann, Deputy Chief of the Criminal Division of the United States Attorney's Office for the District of Massachusetts, is prosecuting the case, and supervised the electronic surveillance with the assistance of Department of Justice Attorneys Marty Stansell-Gamm of the Criminal Division's Computer Crime Unit and Janet Webb of the Electronic Surveillance Unit of the Criminal Division's Office of Enforcement Operations.
In Boston, additional information can be obtained from Joy Fallon or Anne-Marie Kent, 617-223-9445.
NCIS NORFOLK - NCIS Norfolk is one of 13 field offices around the world — 10 in the United States and three overseas. “We have about 1,200 agents worldwide,” said Warmack. “And we have about 1,000 support people; investigative assistants, analysts, and lab technicians who work in our own internal lab for forensic evidence.” With 85 agents and 60 support personnel, the Norfolk office manages the largest staff of all. That is due to the largest concentration of sailors being stationed around Hampton Roads. But its jurisdiction doesn’t end there. “NCIS is everywhere the Navy is, and our agents go everywhere Norfolk sailors and Marines go, including to sea and to the war zones.” At sea, it’s called the Special Agent Afloat Program. Every aircraft carrier has an NCIS special agent assigned to it, and no matter if the ship is sitting at the pier or out on a six-month deployment, that agent is on board. “They are the lead investigative entity, but they also provide the counterterrorism, espionage and counterintelligence support for the ship,” said Warmack. “They work criminal investigations at sea, but when the ship is preparing to pull into a foreign port that agent is part of the advanced team and goes in to meet with the NCIS agent assigned to that country who understands the language and environment. Together they assess any criminal threats and health safety of the port for the Navy.” In essence, they become the chief of police on the ship and for the battle group. The agents aren’t undercover, but since ships are so large, Warmack believes a lot of people don’t know they are there, until they do something wrong. “There are a lot of civilians who deploy on the ships for various reasons,” said Warmack. “So the sailors may see an agent and think he’s just another civilian contractor, until they have to deal with him or her.” (The Flagship)
NCIS v. Porn 13/12/04
Nathan A. Wilson - Virginia Beach PD
Arrested - Nathan A. Wilson, 25, of Virginia Beach. Was a member of the United States Navy. Charged with 57 counts of producing child pornography. Police say the arrest was the result of several months of investigation that began after federal Immigration and Customs Enforcement (ICE) agents, working with Naval Criminal Investigative Service (NCIS) agents, learned that the man had been accessing known child pornography Web sites. Police say a forensic examination of the computer later revealed that Wilson was taking pornographic pictures of three young girls under the age of 10. He allegedly placed the photographic images on his computer.
Camera discovered in women's shower on USS Monterey 3/4/04
A female officer on board Guided Missile Destroyer USS Monterey discovered a wireless surveillance camera in the female shower area. At about 6:30 p.m. Monday, the officer noticed a metal bracket mounted in the changing area of the female shower. Further inspection revealed a small black wireless camera. When the officer notified security personnel on the ship, the area was closed off and an investigation began. The Navy says that the ship’s chain of command was immediately notified along with the Navy's investigative unit NCIS, which is currently conducting an investigation. It appeared that the camera had been recently installed and may not have been working. No receiver was located, and the cable connecting the camera may have had a bad connection, because it did have a crimped-on connector. The Navy says that so far, there is no evidence suggesting that any pictures or video had been taken, or that anyone's privacy had been compromised. In 2002, a camera was discovered in a female restroom aboard another Norfolk-based ship, the Briscoe. In that case, the Navy believes the camera had been in place for almost a year, and had taken pictures of female sailors. The incident aboard Monterey took place while the ship was in port at Naval Station Norfolk.
In July 1996 the Naval Criminal Investigative Service (NCIS) collaborated with then CHIPS on an article discussing various aspects of our agency's law enforcement involvement in "computer crime".
The "virtual landscape" at that time, for law enforcement and non-law enforcement alike, was primarily one of limited awareness of and reliance on networks and the Internet, and somewhat limited comprehension of the impact of technology on our daily existence. Much has happened since to demand the attention of Department of the Navy (DoN) personnel at all levels.
NCIS has made significant progress in the development of our agency's capability and is factoring the new challenges we anticipate into our mission/vision. Perhaps the most important realization is that of the relevance of Law Enforcement and Counterintelligence (LECI) to the overall response to this challenge. We bring a capability to the process that is finite, yet critical.
Law Enforcement is an essential module in the mission of computer network defense, bringing the capability of pursuit to the process. Establishing culpability is a critical factor when seeking to assign attribution for these incidents. NCIS is the primary DON entity with the legal authority to conduct felony investigations, apply to the Court for electronic intercepts, court orders, arrest warrants, search warrants - and serve them. We collect, retain, and process physical evidence to facilitate criminal prosecution or other judicial or administrative action. We can collect certain types of information and conduct other activities that are legally permissible for law enforcement personnel.
In 20th century terms, residents and businessmen in "Yourtown, USA" are responsible for the security of their homes and businesses. Generally, security measures will depend on the threat in the area and may range from simple door locks to guards and dogs. When a break-in occurs, the police conduct an investigation, which sometimes leads to the arrest of the individual(s) responsible. Locks, alarms and other hardware solutions keep burglars and other unwanted persons out of our homes and businesses. However, many devices are quickly outdated by technology or defeated by human ingenuity. In this new environment, total reliance upon a hardware solution may in some respects equate to an electronic Maginot line.
In 1996, NCIS established the Intrusion Response Group (IRG) at the Fleet Information Warfare Center (FIWC). Since that time, the IRG has expanded and is now fully integrated into the Navy Computer Incident Response Team (NAVCIRT) processing of network related events. The IRG is the largest concentration of NCIS Special Agents assigned to one command outside the agency.
As a unit, IRG is engaged in a number of activities, all of which are directed toward our LECI mission. At the beginning of this partnership in 1996, there were 17 "intrusions" reported to NAVCIRT. Not unexpectedly, as policy and monitoring capability improve, statistics have increased. During fiscal year 1999, there were more than 14,000 reportable incidents from hundreds of thousands of reports received from intrusion detection systems (IDS) and system administrators. The incident reports are simultaneously provided to the IRG for "triage" to determine the relevance and level of NCIS involvement, investigative merit and potential operational consideration. This process is significant because it reduces the law enforcement response time to literally seconds and, in many instances, nearly eliminates overlap or confusion in the equally important administrative response and technical resolution from NAVCIRT.
As reliance on technology within the DON has increased, a number of events have gained the attention of senior decision makers within DON, DoD and other government agencies. These events are each, in some way, responsible for our current position in addressing the issues confronting the Navy on a daily basis.
"Eligible Receiver 97," a network vulnerability exercise in the spring of 1997, highlighted the issues of network connectivity, vulnerability, event response and coordination. As a result, NCIS and the other Military Criminal Investigative Organizations (MCIO's) are now included in the planning of network exercises.
In February 1998, "Solar Sunrise" compelled each of the MCIO's to better coordinate information and the investigative response. It provided an opportunity for the sharing of LECI information, which is a legally and culturally difficult challenge to work through. This case focused on the realization that young adults were able to conduct criminal computer acts from within the United States and abroad, despite the concentration and reliance on the hardware side of network security.
In 1998 Presidential Decision Directive 63 established the National Infrastructure Protection Center (NIPC), hosted within FBI Headquarters. NCIS was the first MCIO to assign a Special Agent as a member, and we continue to view this as "value added" from both a coordination perspective and the investigative response.
In December 1998, DoD established the Joint Task Force - Computer Network Defense (JTF-CND). Within JTF-CND, an LECI cell was established to provide a focal point for related matters. NCIS is in a leadership role within JTF-CND and because of our initiatives, law enforcement and counterintelligence are key components in the DoD response to these events. In the immediate future, a Special Agent will be assigned full time to the Navy Component Task Force (NCTF) to further coordinate law enforcement into the Navy response.
From the growth perspective, NCIS has recognized the paradigm shift in the manner in which we address network and computer issues. In 1997, NCIS Director David L. Brant established the Computer Investigations and Operations Department to address all aspects of the criminal and counterintelligence threats to the Navy Information Infrastructure. We have trained computer investigators in nearly all of our field offices worldwide, and frequently deploy to afloat elements or other areas where trained personnel are not located.
NCIS faces the problem that intrusion investigations and adversarial or criminal information infrastructure attacks present massive amounts of disparate data. Traditional modes of dealing with large volumes of data are overwhelmed by the enormity of the task. Adversaries (criminal or foreign government sponsored) attempting to exploit or attack the U.S. national information infrastructure frequently change modus operandi. As a result, law enforcement, counterintelligence, and computer security organizations attempting to resolve these issues are repeatedly forced into a reactive mode, attempting to pursue an adversary that has already changed tactics and targets, rendering the investigative effort irrelevant.
Traditional analytic centers exploit large quantities of information, but ultimately rely on a human analyst to cull through the data and make sense of it. Technology has been harnessed to a limited degree to enhance this process and ease the burden of the analyst by using databases, electronic search engines, word processing packages and spreadsheet software.
As the response capability grew, NCIS conceived and implemented a plan for the creation of our Operations Analysis Center (OAC) to fuse and analyze LECI information with other relevant data sources. The goal was to develop a common operational picture of criminal and foreign threats to DON's information infrastructure. OAC has a CND-based Knowledge Discovery System (KDS) dedicated to the enhancement of NCIS operations and investigations while providing relevant, timely threat products in support of DoN CND.
The OAC KDS is based on a fusion analysis process that begins with an investigation or operation. These data are fed to a data warehouse, and then into an analytic cycle where they are fused with other data sets from disparate sources. The analysis process is complex, consisting of multiple data scrubs and comparisons, application of sophisticated analytic tools to enhance production and speed processing of unprecedented amounts of data. As this process progresses and an understanding of the data is achieved a product set is identified and disseminated. A feedback loop begins at the same time with the new data set being made available to the ongoing analysis cycle. The data set is also fed back to the data warehouse where it can be reconstituted and compared with fresh incoming investigative data. A research and development component runs in tandem, monitoring the process and ensuring technology is exploited to maximize the efficiency of the analytic cycle.
The OAC is a fresh approach to tackling the problem using technology as a force multiplier to enhance the analytic effort, meeting its mission by design. The intellectual synergy driving OAC shortens the decision cycle and speeds production allowing the analytic cycle to become predictive vice reactive.
The rapid deployment of new technologies in the 21st century operational environment requires a willingness to apply new ideas and innovative thought processes in order to maintain mission relevance.
In April 1996, NCIS co-chaired an Office of the Secretary of Defense (OSD) level-working group to determine the feasibility of creating a joint Computer Investigations Training Program and Computer Forensic Laboratory. This initiative was undertaken after recognition of the potential impact that network reliability would have on the DoD.
In February 1998, the Defense Computer Investigations Training Facility (DCITP) (www.dcitp.gov) and the Defense Computer Forensic Laboratory (DCFL) (www.dcfl.gov) were established on paper and in September 1999, the ribbon was cut at the facility in Linthicum, Maryland.
DCITP has a staff of 35 with five state-of-the-art classrooms currently on-line. Courses include Introduction to Computer Search and Seizure, Introduction to Networks and Computer Hardware, Basic Forensic Examinations and a Network Investigations Course.
To date, more than 700 students have been trained. Additional courses are being developed to meet community needs. The DCITP has a vital interest in establishing community-wide training standards for computer crime investigators and the ongoing development of this new discipline is a major priority.
As we settle into the 21st century, NCIS is responding to computer related crime and counterintelligence issues. We are working to provide agency answers to DON questions in the areas of technology protection, electronic commerce and electronic business, Navy and Marine Corps Intranet "insider" threats, and exploitation of DON families by network predators.
In the July 1996 CHIPS article, we made the analogy that the law enforcement environment at that time was similar in some respects to that of a Marshal in West Texas during the 1870's. We have made significant progress since then, but so have the "bad-guys." We have an outstanding opportunity to continue developing and implementing LECI initiatives, at the same time our adversaries are developing theirs.
Editor's Note: The July 1996 CHIPS article about NCIS is available on our Web site: www.chips.navy.mil.