July 3, 2000Late last year, Aaron J. Eden, a disgruntled Army private stationed in Indianapolis, Ind., hacked into the Army's Enlisted Records and Evaluation Center system and deleted 38,000 personnel-related files. At work, he was able to install Back Orifice 2000, a remote control software program that allowed him to access Army computers from his home. He also installed a "sniffer," an application that gathered passwords for him clandestinely. By using these tools, Eden was able to pass himself off as a systems administrator. Eden covered his tracks by deleting the log files of any computer that would have revealed his activities, a common hacker ploy. But like many hackers, he couldn't keep his mouth shut. Eden had a buddy on the Internet he met in a chat room with and bragged about his exploits. In the end, Eden helped himself get caught. He forgot to delete those chat files. And when Army investigators came knocking at his door after their detective work turned him up as a suspect, his forgotten files amounted to a confession. In May, he pled guilty to conspiracy as well as intentionally accessing and damaging a government computer. Special agents at the Army's new Computer Crimes Investigative Unit (CCIU) based at Ft. Belvoir, Va., broke the case and produced the damning evidence. James Smith, commander of the CCIU, calls his six agents "geeks with guns." The Eden case is one of the first successes of the CCIU. The Army's Criminal Investigation Command recently formed the CCIU as a result of an increasing number of hacking incidents and more serious intrusions. Hackers attempted to break into Army systems 3,077 times in 1999. So far this year, there have been 3,371 hacking incidents. But the number the agents worry about most are actual intrusions. In 1999, the Army's computer security was breached 58 times. This year, that number is already at 49. While none of the hacks have been of the magnitude that would have brought the Army to its knees, the agents want to investigate and eventually prosecute as many hackers that target Army systems as they can. The CCIU formally began operations in March and is made up of agents who have picked up significant computer forensic experience. Operating out of a newly designed lab, they have access to multiple operating systems and even a self-contained network for trying out the latest hacking techniques. The CICU is not yet a fully funded entity within the Criminal Investigation Command. Its its function is too new for a budget process that is already set five years out. So for now, the command is "taking funding for the CCIU out of its hide," said an Army spokesman. But the leaders of the investigation command have decided that computer crime potentially touches every aspect of the work they do, which includes investigations of contract fraud, supply theft and other criminal activities. So far, the CCIU has spent $67,000 on equipment for its lab. Some agents have as many as four computers in their work areas. These include a laptop, a unit running Microsoft's Windows NT or Windows 2000 operating systems, another computer running Unix and most likely a final with Linux installed. When agents travel to a crime scene, which could be anywhere in the world, they bring a "lunch box"-a special computer designed for the gathering of forensic computer evidence. The office is expanding to help agents handle the increasing caseload. Already there is a legal advisor who helps agents prepare subpoenas and deal with the State Department when their investigations take them across jurisdictional and national boundaries-as often happens. Currently, the agents are investigating a hacker who compromised six Army systems in a distributed denial of service attack similar to those that brought down Amazon.com, eBay, E-Trade and Yahoo! earlier this year. The special agents began two investigations last month as a result of what they called "significant intrusions."
July 3, 2000