Re: Cracked; rootkit - entrapment question?

[JNelson () CMCCONTROLS COM (CL: Nelson, Jeff)]

> Is this all a load of crap from people who don't have a clue or are all
these
> stories and quotes BS?

I have contacted the FBI regarding several issues. Some of those issues were
scans from foreign countries not necessarily friendly to the U.S. We have
one case pending with them for prosecution (stateside). Seth is correct. The
FBI will not pursue a case if there is not a specific minimum dollar amount
associated with the loss. The last I heard from them on this (over 1 year
ago) that amount was $25,000. Our loss, per the FBI, is tallied based upon
time and materials used to stop the attack and to repair. I calculated our
loss for the case we have pending to be less than $15,000. I am expecting
the agents in charge of this case to tell me they will not be able to go
further.

And, <soapbox = 1> I have to say this really pisses me off. It cost us
almost $7,000 in software licensing, multiple hours through the normal
business day and over 30 hours straight for two of my staff. Yet, the
'person' that did this gets away with absolutely no consequence. So,
basically, I can start attacking and cracking away, causing massive amounts
of lost time and money to thousands of companies and not suffer any
repercussions. Half the time, during other of the attacks/scans we undergo,
I'm able to get on the phone with the administrator of that IP block and we
have the individual red-handed. But, I can't do anything and the ISP or
whomever slaps them on the wrist and away they go. <soapbox = 0>

As for the FBI's use of what they can do with the honey pot idea. Well, they
can use that information for prosecution if it relates to a case underway.
With some of the foreign scans we have been getting, it would be very
interesting to find out exactly what they are trying to do. That way, if the
FBI has any other similar activity elsewhere, they can better prepare for
it.

Cheers,

Jeff

> > > > > > > > > > > > > > > > > > > > > > > > > > <<<<<<<<<<<<<<<<<<<<<<<<<<
Jeffrey L. Nelson        | Cleveland Motion Controls
Network Manager          | 7550 Hub Parkway
                         | Cleveland, Ohio 44125
jnelson () cmccontrols com  | 216-642-5147
> > > > > > > > > > > > > > > > > > > > > > > > > > <<<<<<<<<<<<<<<<<<<<<<<<<<

> -----Original Message-----
> From: Seth Georgion [mailto:sysadmin () SASSPRODUCTIONS COM]
> Sent: Sunday, March 12, 2000 12:41 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: Cracked; rootkit - entrapment question?
>
>
> I keep reading various news articles that indicate that federal law
> currently states that the FBI is not allowed to investigate
> if they believe
> that the damage is under 5,000 dollars per computer and if
> they find out,
> during the course of the investigation, that the damages are
> less they must
> stop. I've seen a couple of articles on this on MSNBC, Yahoo
> and HNN over
> the past weeks with the DoS happening and all. They seem to
> all indicate it
> is part of Title 80 law but if so I ask this to the group
> then; Why is it
> that everyone talks about getting the authorities involved
> when almost all
> computer crime occurs state to state rather than intrastate?
> Doesn't a honey
> pot, by nature, eliminate the damage factor? Maybe all of
> these articles are
> completely bogus but I saw a quote from Janet Reno where she
> was urging the
> 5,000 dollar rule to be dismissed and most experts will tell
> you that the
> FBI will not investigate if the damage is under 10,000. So
> what's the deal?
> All I hear about is  trapping someone for the authorities and
> "I always
> alert the Authorities!" and "It's a wiretap! be careful if you want a
> conviction!" Is this all a load of crap from people who don't
> have a clue or
> are all these stories and quotes BS?
>
> By the way our company investigated pursuing damages once,
> just for kicks,
> and our legal representatives informed us that damage can
> only be calculated
> as loss of critical business and whatever the dollar amount
> per hour of the
> employees involved amounts to. This would only include time
> spent fixing it
> not time BSing and investigating and stopping work just
> because you'd like
> to verify that all 24,000 company computers weren't subject to attack.
>
> -----Original Message-----
> From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
> Behalf Of Craig H. Rowland
> Sent: Thursday, March 09, 2000 8:25 PM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: Cracked; rootkit - entrapment question?
>
>
> Hi Lamont
>
> On Fri, 3 Mar 2000 lamont () icopyright com wrote:
>
> > On Thu, 2 Mar 2000, Craig H. Rowland wrote:
> > > If you are facing a serious compromise situation where an
> attacker has
> > > gained full internal access, and you want to contain and
> analyze the
> > > damage, you may wish to deploy a honey pot. For most
> cases though I
> think
> > > running a honey pot on your external border is not a good idea.
> >
> > I've pretty much shared your opinion about honey pots, but
> one idea I've
> > been toying with recently is deploying "canary" systems
> internally so that
> > if someone smarter than me does get through the perimeter,
> if they hit the
> > canary system it'll alert me.  I'd probably use just a
> default redhat 6.0
> > install (got enough root holes there to make it east), call
> it something
> > tempting like "cybercash" and then modify sh/bash and
> csh/tcsh to e-mail a
> > warning anytime they are run (and turn off cron jobs to
> eliminate the
> > false positives).
>
> I know several people who do this, but they generally make the systems
> hard to crack and just put up a boatload of port monitoring
> software/sniffers to detect the probes. It seems to be a
> little more sane
> than leaving a vulnerable system hanging around.
>
> I just get edgy when people want to coax another person into
> performing a
> particular type of action. Unfortunately you just can't rule out the
> attacker doing something to surprise you that falls outside
> of the planned
> response that may have been established. Humans have a way of being
> unpredictable at times (or lucky -- as the case may have it).
>
> As I posted in a previous message and on my website, I think
> putting up
> honey pots before doing other tangible security measures (filters,
> patches, etc.) is just not a good plan of attack. Besides giving an
> attacker a potential toe-hold onto your network, you provide
> the positive
> feedback necessary to encourage them into looking further.
>
> The one key item I've found that differentiates a successful
> attacker from
> an unsuccessful one is time. The shorter amount of time you give an
> attacker to look/poke/prod your network the less chance they
> have to find
> success.  Unfortunately, leaving a vulnerable system around affords an
> attacker more time. Not a good thing -- IMHO.
>
> -- Craig