Tracking Down the Nasty Guys

By eweek  |  Posted 2001-12-17

In the formative days of organized crime—the Prohibition era of the 1920s—federal agents such as the legendary Eliot Ness knew exactly where to find mob bosses like Al Capone: usually in full-furred and fedora-topped public view, seemingly untouchable. The tougher problem was finding evidence of mob crimes.

Today, in the formative days of Internet-based cyber-crime, that situation is reversed. Evidence of crimes in the form of child porn sites and chat rooms is, unfortunately, all too easy to find online. Tracking down those responsible, given the anonymity of the Web, is the hard part, particularly because operators of sites that exploit children move their content from server to server often to elude law enforcement, experts say.

Now, however, one private, nonprofit organization has found a way to help law enforcement get one step closer to quickly locating the perpetrators of online child sexual exploitation. The National Center for Missing and Exploited Children, in Alexandria, Va., has deployed an advanced IP trace route tool—VisualRoute from Visualware Inc.—that allows it, in many cases, to quickly identify the source and even the physical location of servers hosting possibly illegal Web sites.

The tool has helped the organization cope with a steadily rising tide of calls and e-mail messages to its CyberTipline from individuals complaining about sites that seem to exploit children and to quickly turn the most serious over to federal or local law enforcement, often before the bad guys have a chance to run. In fact, officials said, the tool has played a key role in the arrests of hundreds of individuals on child-exploitation-related charges.

"When we get a tip on a site, time is critical," said Kathy Free, program manager of NCMEC's exploited-child unit. "We've been able to enforce a two-day turnaround on leads so that law enforcement has a way to see the evidence and act on it quickly."

The ability to learn more about who's behind a particular Web site or e-mail is not just important to law enforcement and its helpers. Increasingly, enterprises and service providers will want to know more about who's attacking their networks or appropriating their copyrighted material and where they can be found, said Pete Lindstrom, an analyst at Hurwitz Group Inc., in Framingham, Mass. That's particularly true, Lindstrom said, as the federal government strengthens the ability of law enforcement to monitor and act against online miscreants through legislation such as the USA Patriot Act, passed in October.

For example, service providers such as the Atlanta-based eDeltacom ISP (Internet service provider) division of ITC DeltaCom Inc. are using VisualRoute to track down hackers who attack sites belonging to eDeltacom's hosting clients.

Who are You?

In some ways, the VisualRoute tool being used by NCMEC represents not much more than a repackaging of functionality already available through public domain IP monitoring tools. VisualRoute, for example, can be used to ping a Web site or perform a standard who-is or trace route search, all common online procedures that normally don't tell you much about the physical source of a Web site or e-mail. VisualRoute, which runs on a server or PC usually inside the corporate firewall, can be accessed from a Java front end and provides graphical displays for easier viewing of information.

Where VisualRoute adds value, say experts, is in its ability to quickly provide information on the location—usually the city—of a server hosting a Web site or delivering an e-mail message. The tool includes a proprietary rules-based engine and a frequently updated database that associates IP addresses with the physical location of registered service providers. According to Visualware Marketing Director Julie Lancaster, in Centreville, Va., the database is populated with proprietary information and data from the public domain American Registry for Internet Numbers database.
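A lookup of the kind described above, as an added example that is not Visualware's code or algorithm: it matches an address against registry-style allocation records and returns the registrant's city on file. The records, registrant names and the `build_table`/`locate` helpers are constructed for illustration, using documentation-range prefixes.

```python
import ipaddress

# Constructed sample records: documentation-range prefixes, made-up registrants.
# Each row: (allocated prefix, registrant, registrant's city on file or None).
SAMPLE_REGISTRY = [
    ("198.51.100.0/24", "Example Hosting Co.", "Atlanta, GA, US"),
    ("198.51.100.128/25", "Example Reseller LLC", "Centreville, VA, US"),
    ("203.0.113.0/24", "Example Carrier Ltd.", "Framingham, MA, US"),
    ("203.0.113.64/26", "Example Customer Inc.", None),  # no address on file
]

def build_table(records):
    """Parse prefixes and order them most-specific first."""
    table = [(ipaddress.ip_network(p), org, city) for p, org, city in records]
    return sorted(table, key=lambda row: row[0].prefixlen, reverse=True)

def locate(ip, table):
    """Return the registrant and best-known city for one address."""
    addr = ipaddress.ip_address(ip)
    matches = [row for row in table if addr in row[0]]
    if not matches:
        return {"ip": ip, "org": None, "city": None, "basis": "no-record"}
    net, org, city = matches[0]  # most-specific allocation wins
    result = {"ip": ip, "org": org, "prefix": str(net)}
    if city:
        result.update(city=city, basis="registrant")
        return result
    # Most-specific record has no address: inherit from a covering allocation.
    for _, _, parent_city in matches[1:]:
        if parent_city:
            result.update(city=parent_city, basis="inherited")
            return result
    result.update(city=None, basis="unknown")
    return result

if __name__ == "__main__":
    table = build_table(SAMPLE_REGISTRY)
    for ip in ("198.51.100.200", "198.51.100.5", "203.0.113.70", "192.0.2.1"):
        print(locate(ip, table))
```

The city returned is where the registrant is recorded, not necessarily where the server sits, so the `basis` field is worth keeping alongside any result passed on to someone else.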

At NCMEC, the VisualRoute tool is used as part of the triage process that takes place when tips—many of them anonymous—are received via phone or e-mail through the organization's CyberTipline. Before passing information on to law enforcement authorities, NCMEC investigators quickly attempt to determine if the site in question is, in fact, dealing in child porn or other exploitative content. Sites are assigned a priority level. Investigators, looking more closely at the high-priority cases, use the VisualRoute tool to determine if the site is hosted in the United States and, if so, where.

Between 10 percent and 15 percent of high-priority cases are then turned over to local law enforcement agencies in those cities and states that have anti-online-child-exploitation laws. The rest are sent to federal agencies such as the FBI, U.S. Customs Service and U.S. Postal Inspection Service.

Besides giving law enforcement a jump on tracking down the bad guys, the graphical interface of the VisualRoute tool has enabled NCMEC investigators to reduce the amount of time it takes to sort through a growing number of tips.

Federal regulations enacted last September require ISPs and other service providers to report incidents of child pornography among their clients to the NCMEC for investigation. As a result, tips, which were running at about 300 per week earlier this year, have increased to 500 per week and are expected to grow eventually to 2,000 per week, according to NCMEC officials.

As much as VisualRoute has helped the NCMEC keep on top of all those tips, it's not perfect. Visualware officials admit that because of incomplete information in the tool's database, VisualRoute doesn't give accurate location information all the time. Lancaster estimated that between 60 percent and 80 percent of server locations provided by VisualRoute are accurate. Another user of the tool, James Moore, eDeltacom senior manager of information security group, said accuracy is often much lower.

Still, officials at NCMEC aren't complaining. They welcome any tools that help make cyber-criminals a little less untouchable.
