We’ve seen them on TV. Hunched over their keyboard, they type with amazing speed. A concerned group stands around staring at the screen. Even while typing and still following every move of the cyber hacker, our heroic cyber cop is concerned but steely calm. Even in the midst of outsmarting the hacker, they are able to converse with the assembled group and give a play-by-play, explaining each move in this high-speed digital cat and mouse game. Occasionally puzzled, but always able to think strategically, frustrating the attack while simultaneously pinpointing the criminal’s location, triangulating their cell signal or mapping that IP address to a street address.
For most Canadians, that’s what a cyber cop does. And nothing could be further from the truth. The reality is, it’s much more interesting than what we see on TV.
I was invited, as a CIO and not as a journalist, to the annual EPIC conference on cybersecurity in Canada. EPIC is sponsored by the Canadian Advanced Technology Alliance (CATA) and features law enforcement and industry experts from across Canada who come together to discuss how they can work towards excellence in the prevention and investigation of cybercrime. This two-day summit is packed with information, the opportunity for discussion and real-world stories from the reality of our cyber cops. While the discussion is open and frank, care is always taken to ensure that privacy and security are respected. But in the public sessions, I was able to get some great insight into the real day-to-day workings of the “thin blue cyber-wall” that protects us.
The EPIC conference gives out awards for both innovation and investigation. The “fireside chat” at the EPIC conference gives us a rare insight into the day-to-day activity of cyber investigations in Canada. To be honest, it was far more interesting than what we see on TV or in the movies.
Shane Cross, Cyber Intelligence Officer
Calgary Police Services
A woman goes missing and the disappearance is reported to the police. The usual investigative methods are put to work. There is a press release. The family makes an appeal. The police interview friends and family and any other potential witnesses. With no results, foul play has to be a consideration.
Enter the cyber cop. No, not a former hacker or some MIT (or in our case Waterloo) graduate who has joined law enforcement. Nope. Our cyber cop is a former K9 unit officer who was injured on the job and while in recovery “fell in love with cyber.” Cop first. IT guy second. But today this cop has an 11-page CV, has worked through all the training available in police college and is working on his master’s degree. Not quite your TV cyber cop.
In this case, the police did investigate the husband although he was no longer living with the woman who disappeared. Although the husband had a new girlfriend, the relationship between the husband and his former wife who had disappeared seemed amicable. There were even some indications that there was a sort of “consensual open marriage” and an acceptance of the husband and girlfriend.
As part of a modern investigation, the husband and girlfriend cooperated when asked to turn over their phones. In fact, as a bonus in the investigation, the police uncovered the missing woman’s phone. So they had access to three phones – the husband, the girlfriend and the missing woman.
If this were a TV show, the police would have been going through the phones’ contents and text messages. Or perhaps they would have confirmed the last number dialled from the SIM card. It turns out that, in the real world, none of these are that easy. Phones are protected, and even if you know the number, you have to get a warrant for any text messages. And even if you do get a warrant, telcos don’t store the content of a message, only the metadata. Shane’s solution to finding out where the missing woman had been was ingenious. He asked for a warrant for one text message. Getting a warrant for a single message is relatively easy, and that warrant asked the telco to forward one message: a Google password reset.
The police then reset the password and had access to all her Google data, including location services. Now they could see where she had been. With this and some comparisons to the husband’s and girlfriend’s phones, he found a curious similarity. All of the phones had a “blackout period” where they were not online — all at about the same time. Remember on TV where you see the SIM card removed? It turns out that even with the card removed, the phone still pings Google’s location services.
Using this data the police closed in on the husband and ended up with enough information to successfully prosecute him.
RCMP, Surrey B.C.
It’s lunchtime and Chris is doing what a good cyber cop does on his break: browsing the internet. He comes across an incident where someone is spamming the chat sessions on Twitch. Twitch is a live streaming platform, a subsidiary of Amazon, where people watch world-class gamers. The chat sessions are essential to gamers: they are the main source of subscriptions, and subscribers are how these gamers make money.
Spamming happens from time to time and gamers have ways to deal with it. But this hacker was unique in many ways. He was selling his spam bot as a service, advertising it in hacker forums. The bot was notoriously effective, as he designed it to get around many of the defences that gamers could use. For example, the bot created random Gmail accounts, so as soon as one was blocked, it generated a new email address to attack with.
Twitch tried everything. They went to PayPal, to CloudFlare, to the host they tracked — even to Shaw, the internet provider they thought the traffic was coming from. No success.
But Chris was interested in this hacker. One reason? The hacker himself was not only obsessed with Twitch, but he also seemed to target female gamers. Secondly, there was something about the email address that Chris surfaced as he did some digging. He’d seen it before. [email protected] is not a name that you easily forget.
He found his old case file and got the lawyer’s name from the file. Once again, the “grunt work” of cyber investigation proceeded. Hours of online investigation followed by more hours of paperwork, consultation with Twitch and with lawyers from the past case yielded an address and a warrant to search the house where the hacker lived. The hacker managed to wipe his hard drive and zero out his PayPal account, but the police managed to recover a USB key with the encryption codes. From this, they found the source code, bank documents and did the standard police work of “following the money trail.”
The irony of cyber investigations – it’s a lot of paperwork
These are two fascinating case studies, but the reality is that what cybercops do on a day-to-day basis is a lot of what other investigators do. It’s minutes or hours of action followed by days and days of analysis and paperwork. Chris’s accidental discovery is the exception and not the rule. For the most part, our cybercops are heads down just trying to keep up. These cops do have an additional layer of challenge. They are conducting investigations where the culprits can be half a world away and outside the jurisdiction of law enforcement. Which brings us to some other cybercops that few people notice or even think of, but who are essential to our security.
Stephane Sirard, Fintrac
“Follow the money”
Any good detective story of modern crime starts with the advice given by informant Deep Throat to Woodward and Bernstein in the Watergate investigation they covered in the Washington Post. “Follow the money.” As it turns out, we have a group of cybercops who do just that – day in and day out.
The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) operates silently in the background but is an essential part of Canada’s international role in the fight against cybercrime. Its mandate is to facilitate the detection, prevention and deterrence of money laundering and the financing of terrorist activities while ensuring the protection of personal information under its control.
From my one-on-one chat with Sirard, there is a distinct lack of ‘cloak and dagger,’ but there is a tremendous amount of high-volume analytics. For anyone who thinks they are struggling with ‘big data,’ you have to try to take in the amount of data collected and analyzed by his group. Every financial transaction in Canada over a certain threshold falls under their mandate as they attempt to “follow the money” that enables terrorists and cyber-criminals. But they face more than the challenge of the volume of data. They have to constantly ensure that this data – almost all of it personal and private — doesn’t itself fall victim to security breaches.
Chris Lynam, Director General, NC3 – National Cybercrime Coordination Unit
National and International Coordination
One of the newest groups on the scene is the National Cybercrime Coordination Unit. This group is composed of RCMP officers and civilians from a variety of backgrounds. As you can imagine, cybercrime knows no boundaries, and effective pursuit requires coordination across the country and around the world. NC3 was set up to work with law enforcement and other partners, including police, federal departments and agencies, international law enforcement and even non-governmental players in the public and private sector.
This group officially launches in April 2020 and is already in high-growth mode, struggling to hire staff in a very competitive landscape. Chris told me that he has put a lot of his focus on working hard to hire the right people, and it seems to be paying off. In a world where talent is scarce, the group was up to 38 staff as of January of this year, with a target of 44 by April 2020.
Chris and his team are determined to hit the ground running. Even before its start date, the group already has a web page with some great information, including a link to an RCMP report which, among other things, is an excellent factual primer on the different types of cybercrime prevalent in the Canadian landscape.
The real world of investigation
An officer with the Toronto Police once described his job as hours and hours of tedium followed by a few minutes of high-intensity, adrenaline-driven activity. I was reminded of that as I got to meet and speak with these highly talented and dedicated individuals.
While they follow the path of a detective mystery, they also show the reality that cyber investigations are mostly hard work with little of the technical glitz we see on TV or in movies. Routine? Hard work. Yes. Boring? Never. Their professionalism and discipline were absolutely evident in all they did. But underneath, you could sense a real passion for their job and maybe, just a little bit of mystery. The romance of the thin blue line is still there — even if it’s drawn with a digital stylus.