[iwar] Historical posting


From: Fred Cohen
From: fc@all.net
To: iwar@onelist.com

Mon, Jan 1, 1999


Received: (from fc@localhost) by all.net (8.9.3/8.7.3) id FAA15269 for iwar@onelist.com; Tue, 18 Apr 2000 05:21:43 -0700

While I am sure to be taken to task for this...

Just as we security professionals had to learn sometimes at great pains how
certain things worked or didn't, so too is the FBI learning.  They are
experts in a form of forensics, but the area of IT forensics is more fluid
than the physical trails they are accustomed to and have well-proven methods
to address.  Contrary to popular misconception, a true pro at hacking can
very effectively cover his tracks in such a way that the trail disappears.

Despite the appearance of ineptness, the FBI remains one of the world's
foremost investigative operations.  That they are not infallible or
prescient is to be expected.  We IT security professionals can appreciate
this (in this context) better than anyone for having slogged through audit
logs more than once to piece together a trail.  Let's not forget where we
came from, and give credit and respect where they're due.

When all is said and done, the Bureau will have accomplished some very
important things:

1.  They will have revised and improved their analytical techniques for
dealing with this type of event;
2.  They will have learned a lot and become more knowledgeable IT forensic
investigators;
3.  They will have a much greater appreciation for these events, their
significance, and their perpetrators;
4.  They will apply what they have learned to the more serious case of
Critical Infrastructure protection.

In short they will behave like the pros they are, and like the pros we have
become.  As those among us who support the actual effort know, there is a lot
of synergy to be had through such a relationship, and everyone involved
comes out of it better than they were when they went in.

Ross A. Leo

Ross A. Leo, CISSP, CBCP
Director, Information Assurance & Security
Omitron/CSOC Houston
Voice:  281.853.3516
Fax:     281.853.3140


> ----------
> From: 	Fred Cohen[SMTP:fc@a...]
> Reply To: 	iwar@onelist.com
> Sent: 	Tuesday, February 22, 2000 05:48
> To: 	iwar@onelist.com
> Subject: 	[iwar] News
> 
> From: Fred Cohen fc@a...
> 
> Trail Grows Cold in Hunt for Web Hackers
> FBI Defends Pace of Investigation
> Feb. 17, 2000
> 
> By David Noack
> 
> NEW YORK (APBnews.com) -- Despite leads, log files, interviews and even
> some in the Internet community claiming responsibility for last week's
> massive cyberattack, it is unclear when the probe will end and how many
> people will be implicated. 
> 
> Some computer security experts today raised the issues of the
> investigation's length and probability of success, saying parts of the
> case are growing cold. 
> 
> "It's possible that the FBI is closing in on the people who launched the
> [denial-of-service] attacks against E*Trade, Amazon and the other sites
> that were hit on the second day," said a member of the Cult of the Dead
> Cow, a hacker organization. 
> 
> "As far as the person who launched the Yahoo attack, I have a sneaking
> suspicion that the only way they'll be able to find them is if somebody
> tips them off."
> 
> Looking for braggarts
> 
> One computer security expert, who asked not to be identified because he
> consults with law enforcement, said the best chance of catching the
> culprits was in the early stages of the investigation, when the
> information was fresh and there was a better likelihood the culprit
> would brag. 
> 
> "This is going to drag on for a while," the security expert said.  "They
> are grasping at straws.  They were ill-prepared to investigate this, and
> there was a sweet spot -- particularly when the hackers would go out and
> brag, usually three to four days after they would pull a stunt like
> this. 
> 
> "You collect the information and pop somebody before the bragging stops. 
> The bragging has stopped.  The mischief has stopped," said the source. 
> 
> Since the end of the large-scale attacks last week, for the most part,
> denial-of-service attacks have stopped.  And it's unclear whether the
> few subsequent mini-attacks were the result of copycats or the original
> perpetrators. 
> 
> FBI: 'There is no quick end'
> 
> The FBI defended the pace of its investigation.
> 
> "This is going to take as long as it takes," said Debbie Weierman, an
> FBI spokeswoman.  "These are incredibly complicated investigations.  One
> hacking incident alone is very time-consuming, resource-draining type of
> investigation, and [here] you have a multitude of them going on at the
> same time. 
> 
> "There is no quick end to this story.  This investigation, like other
> FBI investigations, have to be thorough; it's not something that we can
> accomplish in a 24-hour period."
> 
> She said all available resources are being dedicated to the case.
> 
> "There are no real physical fingerprints with these crimes; we have to
> go into an electronic world to collect fingerprints, and it does take
> some time.  I think it might be a premature assertion by our critics to
> say that we've lost our opportunity to catch the criminals," Weierman
> said. 
> 
> Melissa virus solved quickly
> 
> She said that while some people may claim they launched the
> cyberassault, there are no more than two or three people responsible. 
> 
> Dave Dittrich, an expert in denial-of-service attacks and a consultant
> for the University of Washington's Computing & Communications Client
> Services group, said he believes investigators are working rapidly. 
> 
> "It is not a simple matter just to sift through megabytes of logs,
> packet traces, etc., and put all the pieces together," Dittrich said. 
> "I can't comment on the number of suspects, but it would not be
> unreasonable for the FBI to do a lot of interviews to determine the
> associations between individuals and groups, as well as what and how
> many nicknames belong to which people."
> 
> Mark Rasch, a former federal prosecutor who is now vice president of
> Global Integrity Corporation, said it's difficult to predict when the
> case will be cracked. 
> 
> "I would not have predicted that the Melissa virus case would have been
> cracked that quickly," said Rasch, referring to last year's computer
> virus case, which was resolved in a few days. 
> 
> 'This is a media mess'
> 
> Space Rogue, editor of the Hacker News Network and a research scientist
> at the newly formed e-commerce security company @Stake, said he's unsure
> how long the investigation will last. 
> 
> "I think this is a media mess.  I don't think that Mafiaboy has anything
> to do with it.  If you go out onto any IRC network now you will find a
> 'mafiaboy' -- lots of people are using that nick[name]," he said. 
> 
> 
> David Noack is an APBnews.com staff writer (david.noack@a...).
> 
> ========================================================================
> 
> FBI unplugs McCain copycat site
> 
> Lookalike online contribution page took donations from supporters of
> presidential candidate John McCain.
> 
> By Brock N. Meeks, MSNBC
> February 19, 2000 10:43 AM PT
> 
> The FBI Friday shut down a Web site collecting political contributions
> for presidential candidate Senator John McCain hours after MSNBC began
> making inquiries into its legal status. 
> 
> The site, run by MediaKing International, a California-based Internet
> services firm, had exactly copied McCain's online campaign contribution
> Web page and hosted it on its own servers, without permission and with
> no official affiliation to the McCain campaign. 
> 
> Unwitting McCain going to the unauthorized site had no idea they weren't
> directly donating to the McCain campaign.  Like the official McCain
> site, the unauthorized site collected donations via credit card. 
> 
> ========================================================================
> 