Honeypots mailing list archives
RE: what to do with a script kiddie
From: "Hamish Stanaway" <koremeltdown () hotmail com>
Date: Tue, 07 Jun 2005 16:00:47 +0000
Hey again everyone,

Just a quick notification - I am guessing that many have taken the "local law enforcement agency" part of my last post in a way I did not intend. By local law enforcement, I meant local law enforcement of the highest jurisdiction, e.g. the local FBI office for US citizens, Scotland Yard etc. Obviously, it makes no sense to contact a local sheriff or sheriff's department; I'm sorry to those that thought that was the suggested intention. Of course Justin is right, sometimes local law enforcement isn't enough - but there are always powers above with the jurisdiction in your area to investigate (e.g. the FBI). These people will help you with your case if it is presented to them well enough - but don't expect them to if you haven't already done the hard work.
Have a good day / afternoon / night everyone!

Kindest of regards,
Hamish Stanaway, CEO
Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand
http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
http://www.koreworks.com
From: "Polazzo Justin" <Justin.Polazzo () facilities gatech edu>
To: <honeypots () securityfocus com>
Subject: RE: what to do with a script kiddie
Date: Tue, 7 Jun 2005 09:21:00 -0400

Contacting your local law enforcement might be a waste of time. These guys are often not trained or equipped to deal with computer forensics. There is usually a specialty department that deals with IT related incidents.

-JP

-----Original Message-----
From: Stejerean, Cosmin [mailto:cstejere () cti depaul edu]
Sent: Sunday, June 05, 2005 3:19 PM
To: Hamish Stanaway; carnack () gmx net; honeypots () securityfocus com
Subject: RE: what to do with a script kiddie

> Personally, I think it would be an extremely dangerous action to join
> him on IRC - having been in the hot seat some time ago and now
> experiencing life from the security world, I know only too well how
> powerful an information gathering tool an established IRC
> session can be to someone that has "muscle" on an IRC server.
[...]
> Your best bet is to contact your local law enforcement agency (in
> person, not over the phone - being in person makes you a lot more
> credible) and let them know that you have a "hacker" actively bouncing
> through your machine and ask them if they wished to monitor his
> activities also to make an easy prosecution - most legal agencies will
> jump over this like crazy.
>
> Hamish Stanaway, CEO

I must disagree with some of the points you made.

1. If you think you are already done studying the attacker it might be worth joining him in an IRC channel in a last attempt to gather some useful information.

2. I am not sure what the computer crime laws are in New Zealand, but in the US unless you can prove $5000 of damages it doesn't even qualify as a crime, not to mention that it was a research honeypot he broke into. Not to mention that prosecuting an international hacker is very expensive and time consuming, which means that the damage might have to be a lot higher to be worth prosecuting.

3. As a researcher you would really be wasting time attempting to contact the police in the first place.

And here are some ideas from my experience...

I was dealing with an intrusion on one of our computers. I suspected the machine was connected to a botnet. I identified the IRC server, channel and password. I looked at the logs from the past day to get an idea of who I am dealing with. It was a group of French hackers. I jotted down some of the names and attempted to join the chat with one of their nicknames. As soon as I joined they engaged me in a conversation. I don't know French at all, so I ended up using babelfist.altavista.com to translate things from French to English and vice versa. This went on for a while, but I had more work to do so I decided to reveal my identity. I didn't have to; I could have easily signed off and it would have taken them a while to figure out what happened. They were really surprised when I told them I didn't speak French. (I can imagine my French didn't look too authentic, but given the grammar of script kiddies on IRC I didn't worry much about it.)

The point is that there is a lot to be learned from personal interaction with attackers as well. And although it might not be legal, the chances of an attacker pressing charges against you when they could easily disappear are incredibly slim.

Kindest of regards,
Hamish Stanaway, CEO
Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand
http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
http://www.koreworks.com
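Cosmin describes identifying the IRC server, channel and password from the compromised machine's logs before deciding how to engage. As an added example (not code from anyone in this thread), the Python script below performs that extraction over a constructed client/server IRC transcript of the kind a honeypot's packet logger records, pulling out the server name, bot nick, connection password, channel key and any commands issued in the channel so a responder has them on record. The log format, host names, nick, password and channel key are all invented for the example.

```python
"""Extract IRC command-and-control indicators from captured honeypot traffic.

Added example, not code from the mailing-list thread. Input lines carry a
timestamp, a direction marker ('>' client to server, '<' server to client)
and the raw IRC line; this layout is an assumption for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample transcript (not real data): a bot registering with a
# password, joining a keyed channel and receiving a command from an operator.
SAMPLE_LOG = """\
2005-06-04 21:14:02 > PASS s3cr3tbot
2005-06-04 21:14:02 > NICK FR-bot-4417
2005-06-04 21:14:02 > USER bot 0 * :bot
2005-06-04 21:14:03 < :irc.example.invalid 001 FR-bot-4417 :Welcome to the network
2005-06-04 21:14:04 > JOIN #cmd-channel chankey99
2005-06-04 21:14:05 < :FR-bot-4417!bot@10.0.0.5 JOIN :#cmd-channel
2005-06-04 21:14:09 < :operator!op@10.0.0.9 PRIVMSG #cmd-channel :.status
2005-06-04 21:15:00 > PONG :irc.example.invalid
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<dir>[<>]) (?P<msg>.*)$")


@dataclass
class IrcIndicators:
    server: Optional[str] = None
    nick: Optional[str] = None
    password: Optional[str] = None
    channels: Dict[str, Optional[str]] = field(default_factory=dict)  # channel -> key
    commands: List[Tuple[str, str, str]] = field(default_factory=list)  # (ts, sender, text)


def parse_irc_message(msg: str) -> Tuple[Optional[str], str, List[str]]:
    """Split one IRC line into (prefix, command, params) using RFC 1459 framing:
    an optional ':prefix', a command, space-separated params, and an optional
    trailing param introduced by ' :' that may itself contain spaces."""
    prefix = None
    if msg.startswith(":"):
        prefix, _, msg = msg[1:].partition(" ")
    trailing = None
    if " :" in msg:
        msg, _, trailing = msg.partition(" :")
    parts = msg.split()
    if trailing is not None:
        parts.append(trailing)
    return prefix, parts[0].upper(), parts[1:]


def extract_indicators(log_text: str) -> IrcIndicators:
    """Walk the transcript and record the C2 details a responder would note."""
    ind = IrcIndicators()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log layout
        prefix, cmd, params = parse_irc_message(m["msg"])
        outbound = m["dir"] == ">"
        if outbound and cmd == "PASS" and params:
            ind.password = params[0]
        elif outbound and cmd == "NICK" and params:
            ind.nick = params[0]
        elif outbound and cmd == "JOIN" and params:
            # JOIN accepts comma-separated channel and key lists; pair them up.
            chans = params[0].split(",")
            keys = params[1].split(",") if len(params) > 1 else []
            for i, chan in enumerate(chans):
                ind.channels[chan] = keys[i] if i < len(keys) else None
        elif not outbound and cmd == "001" and prefix:
            ind.server = prefix  # numeric 001 is sent by the server itself
        elif not outbound and cmd == "PRIVMSG" and len(params) >= 2:
            sender = prefix.split("!")[0] if prefix else "?"
            ind.commands.append((m["ts"], sender, params[1]))
    return ind


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_LOG)
    print(f"server={found.server} nick={found.nick} password={found.password}")
    print(f"channels={found.channels}")
    for ts, sender, text in found.commands:
        print(f"{ts} {sender}: {text}")
```

Direction matters: PASS, NICK and JOIN are only meaningful on the client side, while the 001 welcome numeric reliably names the server the bot actually reached, which may differ from the hostname in the malware's configuration.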
Current thread:
- Re: what to do with a script kiddie, (continued)
- Re: what to do with a script kiddie MrDemeanour (Jun 05)
- Re: what to do with a script kiddie Dave Dittrich (Jun 06)
- Re: what to do with a script kiddie MrDemeanour (Jun 06)
- Re: what to do with a script kiddie Dave Dittrich (Jun 06)
- Re: what to do with a script kiddie Andre Ludwig (Jun 06)
- Re: what to do with a script kiddie David Jiménez Domínguez (Jun 06)
- Re: what to do with a script kiddie Valdis . Kletnieks (Jun 06)
- RE: what to do with a script kiddie Hamish Stanaway (Jun 07)