funsec mailing list archives

The Strange Case of Ms. Julie Amero: Commentary by Detective Mark Lounsbury


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Sun, 28 Jan 2007 14:22:12 -0500

http://www.networkperformancedaily.com/2007/01/the_strange_case_of_ms_julie_a_3.html#more

The Strange Case of Ms. Julie Amero: Commentary by Detective Mark Lounsbury



Detective Mark Lounsbury is the crime prevention officer with the Norwich
Police Department. He has served with the Norwich PD for 18 years - eight of
them as a detective, and for the past seven years he has been the sole
proprietor of the Norwich computer crime and cybercrime units, which deal
with online sexual crimes against children. 

He has received training from the State of Connecticut Municipal Police
Training Academy, and from the FBI in basic network intrusion and advanced
network intrusion in Unix. 

In an effort to dispel rumor and produce a more accurate understanding of
the Amero case to the public, we have invited Detective Lounsbury to talk
about his position and computer crime related investigation in general,
although he cannot talk about the Amero case specifically until after Ms.
Amero's sentencing. This article continues our coverage of the Amero case,
with previous articles offering commentary from defense witness
<http://www.networkperformancedaily.com/2007/01/the_strange_case_of_ms_julie_a_1.html> Mr. Herb Horner. 

Generally speaking, if police receive a complaint from a victim or victims
who report seeing an individual who is engaged in criminal activity, the
police are responsible to the victim or victims and investigate accordingly.
The police take into account all the available facts and circumstances, for
example: who was the individual, what was the individual doing, when were
they doing it, where were they doing it, and how long was the individual
engaged in the observed activity? (A minute, twenty minutes, two hours?)

Including the account of the accused individual is important, but sometimes
the individual refuses to speak to the police and retains legal
representation. 

Physical evidence and electronic evidence are collected. In the case of
crimes involving computers, the evidence is collected with tools designed to
find the evidence. This evidence includes internet history, content, and
registry data, including "typed URLs". It's these "typed URLs," gleaned from
the registry, which are identified - not pop-ups. 


Additional tools which search for specific viruses, trojans, and worms by
their unique hashes can be brought into play to search for the known bad
code. 

Once evidence is located, police take note of the date and time it was
created, modified, and last accessed. When the evidence (malware, .jpg, web
page) was created is the "when" in "who, what, when, where, how and why."
So, if malware was created at the same time the web pages and images were
created, was the malware spawned by the "typed URL", by its content (i.e.
Web Attacker kit), or mouse napping (click-throughs)? If there's no malware
created prior to a web page with questionable content how do you end up at
said web page? 

I ask this rhetorical question: Where does objectionable material come from
- a site like Disney.com or the pornographic dot coms? Where do abusive
JavaScript and Web Attacker kits reside? What about zero-day Internet
Explorer Exploits such as the one discussed at this site on
<http://techfeed.net/blog/index.cfm/2006/9/21/ZeroDay-Internet-Explorer-Exploit-Found-on-Porn-sites>
techfeed.net: "A security hole in IE was
<http://www.microsoft.com/technet/security/advisory/925568.mspx> recently
confirmed by Microsoft. Now exploits that install tons of adware have been
<http://news.com.com/Porn+sites+exploit+new+IE+flaw/2100-7349_3-6117407.html>
spotted on Porn sites. This exploit is reportedly easy to duplicate, and
experts expect the problem to spread quickly to other shady sites across the
Internet." 

 <http://www.bewebaware.ca/english/pornography.aspx> What about a certain
industry's favorite money making tools? 

"The online pornography industry is highly competitive and adult marketers
are continually developing new strategies to drive traffic to their sites. 

Some of their tactics are: 

'Click-throughs': Every time someone clicks through an adult site to another
one, the site's advertising revenues go up. To increase the number of
click-throughs, some sites use pop-up windows. Known as 'mouse napping,'
this technique traps users in an endless loop of porn.

'Home page hi-jacking': This involves planting a Java script command on
computers to change the user's default home page to a porn site. Changing
the home page back to its original setting appears to solve the problem
until the computer is rebooted, then the offensive site re-appears as the
home page.

'Stealth' sites: These are porn sites that steer users their way through a
variety of techniques, including buying up expired domain names, exploiting
common misspellings, or using well-known names of companies or artists.

Using hidden key words that are picked up by search engines: Porn operators
bury key words, including brand names of popular toys, in the code of their
Web sites to attract children." 

Maybe it's <http://en.wikipedia.org/wiki/DNS_cache_poisoning> DNS
Poisoning? I'm not an expert on this subject and never said I was. When it
comes to investigations where evidence is located on a computer and other
resources are not available I use a simple tool [
<http://www.computercop.com/prof.html> ComputerCOP Professional v.3.16.3] to
search for the evidence. The tool provides me with an audit trail, evidence
log, the evidence, web content log, and visited sites log. 




Wednesday, January 24, 2007 
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
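A worked illustration of the evidence-ordering question the detective raises above: pulling the "typed URLs" out of the registry (as distinct from pop-ups, which never land there), matching binaries against a known-bad hash list, and asking whether the malware was created before or after the questionable web content. This is an added example for the list, not code from the article, from the Norwich PD or from ComputerCOP. The registry key path is the real location of IE's typed-URL history; every registry value, file path, timestamp and hash in the block is constructed sample data, and the "known-bad" hash is of a constructed byte string, not of any real malware.

```python
"""Evidence-ordering check for a web-borne-content case.

Added example, not from the article or from ComputerCOP. All registry values,
paths, timestamps and hashes below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime

# Real location of IE's typed-URL history in the user's NTUSER.DAT hive.
# Values are named url1..urlN; url1 is the most recently typed entry.
TYPED_URLS_KEY = r"HKCU\Software\Microsoft\Internet Explorer\TypedURLs"

# Constructed registry dump (assumed, not from any real case).
SAMPLE_TYPED_URLS = {
    "url3": "http://mail.example.test/",
    "url1": "http://hairstyles.example.test/",
    "url2": "http://news.example.test/",
}


def typed_urls_mru(values):
    """Order the urlN registry values most-recent first.

    Only addresses typed (or pasted) into the address bar end up here;
    pop-ups and redirects do not, which is why the text separates the two.
    """
    numbered = []
    for name, url in values.items():
        if name.startswith("url") and name[3:].isdigit():
            numbered.append((int(name[3:]), url))
    return [url for _, url in sorted(numbered)]


@dataclass(frozen=True)
class Artifact:
    path: str
    kind: str            # "page", "image" or "binary"
    created: datetime    # the "when" the investigator keys on
    modified: datetime
    accessed: datetime
    sha256: str = ""     # populated for binaries only


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-bad list: hash of a constructed byte string, not real malware.
SAMPLE_BINARY = b"MZ\x90\x00 constructed sample, not real malware"
KNOWN_BAD = {sha256_hex(SAMPLE_BINARY): "constructed-adware"}


def t(h, m, s):
    """Constructed clock for the sample artifacts."""
    return datetime(2007, 1, 10, h, m, s)


SAMPLE_ARTIFACTS = [
    Artifact("Temporary Internet Files/hairstyles[1].htm", "page",
             t(10, 31, 0), t(10, 31, 0), t(10, 31, 0)),
    Artifact("Temporary Internet Files/adserver.example.test/popup[1].htm", "page",
             t(10, 31, 12), t(10, 31, 12), t(10, 31, 40)),
    Artifact("Temporary Internet Files/adserver.example.test/banner[1].jpg", "image",
             t(10, 31, 13), t(10, 31, 13), t(10, 31, 13)),
    Artifact("WINDOWS/system32/drvupd.dll", "binary",
             t(10, 31, 15), t(10, 31, 15), t(10, 35, 2), sha256_hex(SAMPLE_BINARY)),
]


def match_known_bad(artifacts, known_bad=KNOWN_BAD):
    """Artifacts whose hash is on the known-bad list (the virus/trojan/worm search)."""
    return [(a, known_bad[a.sha256]) for a in artifacts if a.sha256 in known_bad]


def timeline(artifacts):
    """Artifacts ordered by creation time, ties broken by path."""
    return sorted(artifacts, key=lambda a: (a.created, a.path))


def malware_predates_content(artifacts, questionable_hosts, known_bad=KNOWN_BAD):
    """True if a known-bad binary was created before the earliest questionable
    page/image; False if the content came first; None if either side is
    missing, so no comparison is possible."""
    bad_times = [a.created for a, _ in match_known_bad(artifacts, known_bad)]
    content_times = [
        a.created for a in artifacts
        if a.kind in ("page", "image") and any(h in a.path for h in questionable_hosts)
    ]
    if not bad_times or not content_times:
        return None
    return min(bad_times) < min(content_times)


if __name__ == "__main__":
    print("Typed URLs (MRU):", typed_urls_mru(SAMPLE_TYPED_URLS))
    for a in timeline(SAMPLE_ARTIFACTS):
        print(a.created.time(), a.kind.ljust(6), a.path)
    print("Known bad:", [(a.path, tag) for a, tag in match_known_bad(SAMPLE_ARTIFACTS)])
    print("Malware predates questionable content:",
          malware_predates_content(SAMPLE_ARTIFACTS, ("adserver.example.test",)))
```

Two caveats a practitioner would attach to this kind of check. The TypedURLs key carries no per-entry timestamp, only the key's last-write time, so it tells you what was typed and in what order, not when each entry was typed; that has to come from the history index and cache files. And the created/modified/accessed ordering is only as trustworthy as the system clock and the filesystem that recorded it: clock skew, coarse timestamp granularity and deliberate timestamp manipulation all have to be ruled out before the ordering is treated as proof of cause rather than a hypothesis to test against the other artifacts.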
