nanog mailing list archives

RE: [funsec] McColo: Major Source of Online Scams and Spams Knocked Offline (fwd)


From: "Nick Newman" <NNewman () nw3c org>
Date: Wed, 12 Nov 2008 16:52:12 -0500

There's a common misconception of what LE does online (and when I say LE, I'm talking mostly state/local agencies): if 
you watch CSI or any other show that has anything to do with computer crimes, there is always a team of uber-geeks at 
every single agency (no matter how big it is) who spend 50% of their time online looking for phishing sites, CP sites, 
fraud sites and on and on.  The real world isn't like that at all.  For example, one state police agency we're familiar 
with has a team of *two guys* that do almost all of the computer forensics work for the *entire state*.  Considering 
the caseload they have (if I remember correctly, a computer has a turn-around time of 6 months, a cell phone about a 
week; this is because every avenue a defense attorney is going to take has to be covered), there quite simply is not 
time to do anything proactive online (such as analyze spam to find out most of it is coming from a couple particularly 
nasty web hosting companies on the other side of the country).  In most small agencies, the "computer forensics guy" is 
just the guy that knows more about computers than anyone else (read as, he figured out which port on the back of the 
computer was the USB port to hook up a new printer).  A handful of agencies nationwide are fortunate enough to have a 
CSI-esque computer forensics unit, but most do not.

Let's compare these two scenarios:

1. The world-wide community of people who essentially run the Internet have had enough with a nasty webhosting company 
in California.  They've determined that the majority of spam world-wide originates from this company offering 
bullet-proof hosting.  So they call the upstream providers and get them cut off.  NastySitesUnlimited tries to switch 
providers, but is disconnected again.  And again.  And again.  A few days later, the company files for bankruptcy because 
no one will give them an uplink to the 'net.  Problem solved.  End of story.

2. Some LE agency serves a search warrant for "any digital evidence" and collects hundreds of terabytes worth of 
data.  5 years later, after everything is processed (and during this time, things at Nasty Hosting Company have 
continued as normal, thanks to regular backups), charges are finally brought against some entity in the business, he 
gets thrown in jail for a few years and fined heavily, business gets renamed (VP takes over) and it's almost like 
nothing ever happened.

Which happened faster and was more effective?

On to the question about how network operators can help LE: *Collect the data that proves a company such as 
Intercage/McColo is harboring cybercriminals* and get with your local FBI/Secret Service field office (or your state's 
Attorney General's office) (or both) and submit a complaint at IC3's website  (www.ic3.gov) because we have an 
excellent team of analysts that track information like that.  Package up the evidence you have and send it out.  

If we lived in a perfect world, there would be a third scenario:

3. The world-wide community of people who essentially run the Internet have had enough with a nasty webhosting company 
in California.  So they gather an abundance of super-damning evidence and submit it to LE.  LE starts an investigation 
with the outstanding leads provided in the package, and starts making arrests.  The CEO and a few others at 
NastySitesUnlimited get sentenced and thrown in jail.  Business at NastySitesUnlimited continues as usual until they 
are cut off from the Internet a few days later because no one will give them upstream service.  It took a little bit 
longer, but the culprits are in jail and the business has been lynched.

Kee had an excellent question when he asked if anyone tried notifying LE, and the answer to that is probably not.  It's 
hard to tell what would've happened if LE was involved (who knows, maybe SS or FBI were working on it). LE does care, 
it's just a matter of resources available.  If you get the evidence together and in a manner that explains itself, it 
will get handled effectively (though probably not as fast as "Intercaging" a company).

-- Nick



Nicholas R. Newman
Computer Crimes Specialist
National White Collar Crime Center
1000 Technology Drive, Suite 2130
Fairmont, WV 26554
 
1-877-628-7674 x2244
nnewman () nw3c org


-----Original Message-----
From: Jeff Shultz [mailto:jeffshultz () wvi com] 
Sent: Wednesday, November 12, 2008 3:56 PM
To: NANOG list
Subject: Re: [funsec] McColo: Major Source of Online Scams and Spams Knocked Offline (fwd)

Jason Ross wrote:
> On Wed, Nov 12, 2008 at 14:16, Nick Newman <NNewman () nw3c org> wrote:
>> How many cops does it take to throw a community lynching?
>
> None.
> The question that remains is: Why is the community having to resort to lynching?
>
> Following the metaphor and using the US "Old West" as an example,
> lynchings were largely due to one of the following:
>
>    * a lack of organized law enforcement
>    * a lack of effective law enforcement

The problem is that to fix either of those problems you'd have to wade 
through a fever swamp of "fascists online!" claims from all the 
pseudo-anarchists who start twitching at the thought of any agency 
imposing its will on the internet.

-- 
Jeff Shultz
