Honeypots mailing list archives

RE: what to do with a script kiddie


From: "Polazzo Justin" <Justin.Polazzo () facilities gatech edu>
Date: Tue, 7 Jun 2005 09:21:00 -0400

Contacting your local law enforcement might be a waste of time. These
guys are often not trained or equipped to deal with computer forensics.
There is usually a specialty department that deals with IT related
incidents.

-JP



-----Original Message-----
From: Stejerean, Cosmin [mailto:cstejere () cti depaul edu] 
Sent: Sunday, June 05, 2005 3:19 PM
To: Hamish Stanaway; carnack () gmx net; honeypots () securityfocus com
Subject: RE: what to do with a script kiddie

Personally, I think it would be an extremely dangerous action to join
him on IRC - having been in the hot seat some time ago and now
experiencing life from the security world, I know only too well how
powerful an information gathering tool an established IRC session can
be to someone that has "muscle" on an IRC server.

[...]

Your best bet is to contact your local law enforcement agency (in
person, not over the phone - being in person makes you a lot more
credible) and let them know that you have a "hacker" actively bouncing
through your machine and ask them if they wish to monitor his activities
also to make an easy prosecution - most legal agencies will jump over
this like crazy.

Hamish Stanaway, CEO

I must disagree with some of the points you made.

1. If you think you are already done studying the attacker it might be
worth joining him in an IRC channel in a last attempt to gather some
useful information.

2. I am not sure what the computer crime laws are in New Zealand but in
the US unless you can prove $5000 of damages it doesn't even qualify as
a crime, not to mention that it was a research honeypot he broke into.
Not to mention that prosecuting an international hacker is very
expensive and time consuming which means that the damage might have to
be a lot higher to be worth prosecuting.

3. As a researcher you would really be wasting time attempting to
contact the police in the first place.


And here are some ideas from my experience...

I was dealing with an intrusion on one of our computers. I suspected the
machine was connected to a botnet. I identified the IRC server channel
and password. I looked at the logs from the past day to get an idea of
who I am dealing with. It was a group of French hackers. I jotted down
some of the names and attempted to join the chat with one of their
nicknames. As soon as I joined they engaged me in a conversation. I
don't know French at all so I ended up using babelfish.altavista.com to
translate things from French to English and vice versa. This went on for
a while but I had more work to do so I decided to reveal my identity,
but I didn't have to: I could have easily signed off and it would have
taken them a while to figure out what happened.
They were really surprised when I told them I didn't speak French.

(I can imagine my French didn't look too authentic but given the grammar
of script kiddies on IRC I didn't worry much about it).


The point is that there is a lot to be learned from personal interaction
with attackers as well. And although it might not be legal, the chances
of an attacker pressing charges against you when they could easily
disappear are incredibly slim.



Kindest of regards,

Hamish Stanaway, CEO

Absolute Web Hosting / -= KoRe WoRkS =- Internet Security, Auckland, New
Zealand

http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
http://www.koreworks.com



