Re: Cracked; rootkit - entrapment question?

[Hal.Lockhart () STORAGENETWORKS COM (Hal Lockhart)]

It would be nice if somebody from DOJ or FBI would respond to this. I assume
they read this list. (I know they read BUGTRAQ.)

At a public meeting in January in Boston (Cambridge actually) a
representative of the Boston office of the FBI stated that they had received
orders from Washington that for the present (timeframe unspecified) they
should not be limited to damages of $5K or more, but were free to
investigate any report.

I have no idea what the current situation is in light of the DDOS
investigation. I understand it has sucked up resources from all over the
country.

Hal

===========================================================
Harold W. Lockhart Jr.             StorageNetworks, Inc.
Voice: 781-434-6741                100 Fifth Avenue
Fax:   781-434-6799                Waltham, MA 02451
hal.lockhart () storagenetworks com   www.storagenetworks.com
===========================================================

> -----Original Message-----
> From: Seth Georgion [mailto:sysadmin () SASSPRODUCTIONS COM]
> Sent: Sunday, March 12, 2000 12:41 AM
> Subject: Re: Cracked; rootkit - entrapment question?
>
>
> I keep reading various news articles that indicate that federal law
> currently states that the FBI is not allowed to investigate
> if they believe
> that the damage is under 5,000 dollars per computer and if
> they find out,
> during the course of the investigation, that the damages are
> less they must
> stop. I've seen a couple of articles on this on MSNBC, Yahoo
> and HNN over
> the past weeks with the DoS happening and all. They seem to
> all indicate it
> is part of Title 80 law but if so I ask this to the group
> then; Why is it
> that everyone talks about getting the authorities involved
> when almost all
> computer crime occurs state to state rather than intrastate?
> Doesn't a honey
> pot, by nature, eliminate the damage factor? Maybe all of
> these articles are
> completely bogus but I saw a quote from Janet Reno where she
> was urging the
> 5,000 dollar rule to be dismissed and most experts will tell
> you that the
> FBI will not investigate if the damage is under 10,000. So
> what's the deal?
> All I hear about is  trapping someone for the authorities and
> "I always
> alert the Authorities!" and "It's a wiretap! be careful if you want a
> conviction!" Is this all a load of crap from people who don't
> have a clue or
> are all these stories and quotes BS?
>
> By the way our company investigated pursuing damages once,
> just for kicks,
> and our legal representatives informed us that damage can
> only be calculated
> as loss of critical business and whatever the dollar amount
> per hour of the
> employees involved amounts to. This would only include time
> spent fixing it
> not time BSing and investigating and stopping work just
> because you'd like
> to verify that all 24,000 company computers weren't subject to attack.
>
> -----Original Message-----
> From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
> Behalf Of Craig H. Rowland
> Sent: Thursday, March 09, 2000 8:25 PM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: Cracked; rootkit - entrapment question?
>
>
> Hi Lamont
>
> On Fri, 3 Mar 2000 lamont () icopyright com wrote:
>
> > On Thu, 2 Mar 2000, Craig H. Rowland wrote:
> > > If you are facing a serious compromise situation where an
> attacker has
> > > gained full internal access, and you want to contain and
> analyze the
> > > damage, you may wish to deploy a honey pot. For most
> cases though I
> think
> > > running a honey pot on your external border is not a good idea.
> >
> > I've pretty much shared your opinion about honey pots, but
> one idea I've
> > been toying with recently is deploying "canary" systems
> internally so that
> > if someone smarter than me does get through the perimeter,
> if they hit the
> > canary system it'll alert me.  I'd probably use just a
> default redhat 6.0
> > install (got enough root holes there to make it east), call
> it something
> > tempting like "cybercash" and then modify sh/bash and
> csh/tcsh to e-mail a
> > warning anytime they are run (and turn off cron jobs to
> eliminate the
> > false positives).
>
> I know several people who do this, but they generally make the systems
> hard to crack and just put up a boatload of port monitoring
> software/sniffers to detect the probes. It seems to be a
> little more sane
> than leaving a vulnerable system hanging around.
>
> I just get edgy when people want to coax another person into
> performing a
> particular type of action. Unfortunately you just can't rule out the
> attacker doing something to surprise you that falls outside
> of the planned
> response that may have been established. Humans have a way of being
> unpredictable at times (or lucky -- as the case may have it).
>
> As I posted in a previous message and on my website, I think
> putting up
> honey pots before doing other tangible security measures (filters,
> patches, etc.) is just not a good plan of attack. Besides giving an
> attacker a potential toe-hold onto your network, you provide
> the positive
> feedback necessary to encourage them into looking further.
>
> The one key item I've found that differentiates a successful
> attacker from
> an unsuccessful one is time. The shorter amount of time you give an
> attacker to look/poke/prod your network the less chance they
> have to find
> success.  Unfortunately, leaving a vulnerable system around affords an
> attacker more time. Not a good thing -- IMHO.
>
> -- Craig