Internet Interests

FBI Sting Operation: Candyman

Last month, the FBI's sting operation named Candyman, designed to capture child pornographers, successfully rounded up over 80 criminals who were using the Internet (in particular, chat-rooms) to distribute child pornography and to arrange meetings.  The ASIS San Francisco Bay Area Chapter commends the FBI for their spectacular work in capturing these pedophiles.

Below is a copy of the article from the FBI website, followed by information to help you prevent child pornography in your workplace and to assist authorities conducting these types of investigations.

Innocent Images
Operation Candyman
Phase I
March 18, 2002

On 01/02/2001, FBI Houston initiated an investigation after an undercover agent identified three Yahoo! Egroups involved in posting, exchanging and transmitting child pornography. One website depicted the Egroup as the following: "This group is for People who love kids. You can post any type of messages you like too or any type of pics and vids you like too. P.S. IF WE ALL WORK TOGETHER WE WILL HAVE THE BEST GROUP ON THE NET." (SIC)

An Egroup is described as an "Electronic Group" or "community" of people communicating via the Internet, for one purpose and/or issue (i.e.: child pornography). These groups can be "closed" or "open" communities. In a closed community you must be invited in by a member of the group and the identity of the group cannot be identified by non-members searching the Internet. In open communities, such as "Candyman," any person searching the Internet can conduct a search by title or category, locate the group, and may be granted membership by the monitor of the group. The monitor may be the creator of the group or a member selected by the group.

Through the issuance of a court order to Yahoo!, FBI Houston, concentrating on the Candyman Egroup, identified 7,000 unique E-mail addresses with 2,400 of the addresses outside of the United States and 4,600 located domestically. Subpoenas were issued on all of the Internet providers for the addresses within the United States. Information on approximately 1,400 subjects was provided to Houston. Due to the large volume of subjects, Houston divided the investigation into two Phases. In Phase I, Houston set leads on 707 subjects. At least one subject was located in every FBI field office's territory with some field offices having up to 45 targets within their respective territories.

On 03/18/2002, FBI Houston is coordinating a Nationwide enforcement action against certain individuals who have been associated with Egroup, Candyman. To date, 231 searches have been executed, 86 individuals have been charged in over 26 states, 27 of these individuals admitted to the prior molestation of over 36 children. Many more arrests are anticipated during the week of 03/18/2002 and coming months. The occupations of some of the subjects have been a school bus driver, photographer, law enforcement personnel, members of clergy, and teacher's aide.

Internet Monitoring and Filtering Comparison

The following is a side-by-side comparison of the two major technologies used by Information Services departments to control and monitor their company's employee access to the Internet.

Pass-Through Technology

Definition: Pass-through technology requires all Internet-bound traffic to pass through a central point, e.g. a firewall or proxy server.

Major Players: SurfControl, Elron Software, Websense, Symantec, N2H2

Pros:

- Every packet going to the Internet is inspected before being forwarded to the web server.
- Can integrate into existing hardware/software.
- If a proxy server is in place, it shouldn’t require major network changes.

Cons:

- Requires all Internet packets to go through the machine and be held until the defined rules permit the traffic, delaying connection to the website.
- If the Monitoring/Filtering machine goes down, the Internet connection is down until the machine is restored.
- If the network is not configured properly, it is easy to bypass the Monitoring/Filtering computer.
- Could possibly crash the Firewall/Proxy Server.

Pass-By Technology

Definition: Pass-by technology requires all Internet-bound traffic to pass by a central point where the packets can be sniffed.

Major Player: SurfControl

Pros:

- If the Monitoring/Filtering machine goes down, the Internet connection stays alive.
- The computer can be taken down with no adverse effect on the network's Internet connection, except that nothing is monitored or blocked while it is down.
- Does not hold Internet-bound packets, so it does not delay connection to the Internet website.

Cons:

- Requires all traffic to go through a hub, reducing the speed of the Internet connection.
- Can create additional ICMP traffic on the LAN.

All of the above solutions allow companies to block access to certain websites. Generally, you can control access by category, e.g. allow access to sites that are news related, but do not allow access to adult-oriented websites.

All of the above solutions can do reporting on where users have been browsing and how much time they spend browsing.
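
The category control and usage reporting described above, as an added example (not from the original article or any of the named products). The log layout, category map, policy, default action and 300-second idle cutoff are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict

# Constructed sample: "epoch_seconds user host" (assumed layout, not a real product's format)
SAMPLE_LOG = """\
1000 alice news.example.com
1060 alice news.example.com
1100 alice adult.example.net
5000 alice news.example.com
1000 bob mail.example.org
1200 bob unknown.example.io
"""
# Assumed category map and policy; commercial filters ship vendor-maintained lists.
CATEGORIES = {"news.example.com": "news", "adult.example.net": "adult",
              "mail.example.org": "webmail"}
POLICY = {"news": "allow", "webmail": "allow", "adult": "block"}
DEFAULT_ACTION = "block"  # uncategorized hosts are denied
IDLE_CUTOFF = 300         # a gap longer than this (seconds) is not counted as browsing

def decide(host):
    """Return (category, action) for a requested host."""
    category = CATEGORIES.get(host.lower(), "uncategorized")
    return category, POLICY.get(category, DEFAULT_ACTION)

def build_report(log_text):
    """Per user: blocked requests, hits per category, estimated seconds spent browsing."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdecimal():
            continue  # skip malformed lines instead of aborting the report
        events[parts[1]].append((int(parts[0]), parts[2]))
    report = {}
    for user, hits in events.items():
        hits.sort()  # log lines are not guaranteed to arrive in time order
        entry = {"blocked": [], "by_category": {}, "seconds": 0}
        previous = None
        for ts, host in hits:
            category, action = decide(host)
            entry["by_category"][category] = entry["by_category"].get(category, 0) + 1
            if action == "block":
                entry["blocked"].append((ts, host, category))
            if previous is not None and ts - previous <= IDLE_CUTOFF:
                entry["seconds"] += ts - previous
            previous = ts
        report[user] = entry
    return report

if __name__ == "__main__":
    print(build_report(SAMPLE_LOG))
```

Browsing time derived this way is an estimate: a log records requests, not attention, so the idle cutoff decides how much of each gap counts.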

Investigation Preparation and Assistance

Prevention Preparation

- Web Browser History
- Minimum 90 days – company wide
- Frequent computer file backups (entire drive for better detection)
- Using a Proxy Server to record Internet usage

Data Capturing

- Collect from computer backup disks
- Investigate web browser caches for all web browsers on the computer
- Search hard drive for documents/spreadsheets/databases that may have images embedded in them.
- Search hard drive for images (perhaps with misleading filenames)
- Investigate office for suspicious floppy disks
- Create a list of pedophilia buzzwords and then use this list to search for file content on the suspect computer.
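
For the "images with misleading filenames" item above, an added example (not part of the original article) that identifies image files by their leading signature bytes rather than by extension and reports the ones whose extension disagrees. It covers only JPEG, PNG and GIF, and the function names are hypothetical.

```python
import os

# Leading "magic" bytes for common image formats and the extensions normally used for them.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg", ".jpe"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"GIF87a", "gif", {".gif"}),
    (b"GIF89a", "gif", {".gif"}),
]
HEADER_LEN = max(len(sig) for sig, _, _ in SIGNATURES)


def sniff_image_type(path):
    """Return 'jpeg', 'png', 'gif' or None based on the file's first bytes."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(HEADER_LEN)
    except OSError:
        return None  # unreadable file: report nothing rather than stop the sweep
    for sig, kind, _ in SIGNATURES:
        if header.startswith(sig):
            return kind
    return None


def find_misnamed_images(root):
    """Walk root; return sorted (path, detected_type) for images whose extension disagrees."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            kind = sniff_image_type(path)
            if kind is None:
                continue
            expected = set().union(*(e for _, k, e in SIGNATURES if k == kind))
            if os.path.splitext(name)[1].lower() not in expected:
                findings.append((path, kind))
    return sorted(findings)
```

Run it against a read-only mount of a forensic copy rather than the live drive, so file access times on the original are not altered.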

Reducing the Opportunities

- Create a company policy that specifically prohibits the use of company resources for the acquisition, distribution, or creation of [child] pornography and other inappropriate materials.
- Review this policy with employees and have them sign an acknowledgment.
- Add this policy to your new hire packet and make it a required condition for employment.
- Advise employees that their computer(s) are subject to periodic random searches specifically for this type of content.
- Advise employees that this policy applies to all company resources that they may use from their homes, remote offices, or while on the road.
- Advise employees that this policy applies to their home equipment that is being used on behalf of the company. (For example, an employee may not use the company’s dial-up server from their home in order to perform these illegal activities.)
- Advise employees that all evidence will be made available to the proper legal authorities and that it may be done without the prior consent or foreknowledge of the employee. [Should imply that there will have been a proper search and discovery warrant served.]

Summary

Due to the ease with which child pornographers are now able to access this illegal content through the Internet, it is incumbent upon security professionals to actively seek out and report on illegal and suspicious activities involving child pornography. The child you save may be your own.

Respectfully submitted by Steve Duell
SFBA Chapter Webmaster
Send replies to webmaster@sfasis.org