RE: How to stop a consistent cracker.

["Andrew van der Stock" <ajv () e-secure com au>]

Prosecution is very rarely successful. There are so many different ways to
lose a case, and it's likely that:

a) evidence hasn't been handled properly
b) the attacker is likely to be under 18
c) the "cost" is under the FBI's (or your country's equivalent) minimal
damage required to start prosecution, particularly if extradition is
required
d) the logs are all over the place wrt to time and timezone, and a good
lawyer will be able to squirm their way through that one
e) most countries do not have extradition agreements for this type of
offense; the attacker must be using your host for something that is truly
offensive to the voters to get the bureaucracy to move for you. Things to
look for are kiddie porn and bomb making recipies. As these occurances are
rare (most s'kiddies are just using you as a base for further attacks, not
as storage), forget it. Remember, if you don't have good evidence handling
procedures and terrific untampered verbose logs, the s'kiddies lawyer will
be able to disassociate their client from the  activity and it's very
unlikely anything will come of it.

The cost of mounting a civil case in the US (and most other countries) is
prohibitive, even though it is more likely that it will succeed than a
criminal case. In most countries, what you're asking them to penalise their
clients for is not a crime, and you'll be wasting your valuable time.

Hypothetically, if I was notified of someone from another country hacking
into a host I control, the best bet is to simply take it off the net, take
an offline copy, reformat, reinstall and harden. There's no way I can
recover the cost. If someone asked me to continue hosting the attacker,
there's no way I'd agree to that. It's too risky for not much value.

However, if my hypothetical breached hosts are posing a clear and present
danger to other hosts on the Internet and *I* could get my ass sued for
continuing to allow the attacker access, hell yes I will IMMEDIATELY pull
the (network) plug. The risk reduction and denial of yet another compromised
host will reduce the attacker's range of hosts to conduct further attacks
from my network. This should be the aim of each and every one of us.

If you want to do some offline browsing of the attacker's modus operandi, by
all means take an offline dd or a Ghost of the disks, but don't allow a
compromised host to stay alive. And check all your other systems to make
sure that they are not compromised either, and ensure that you have the
latest patches installed to prevent re-infection.

Andrew

-----Original Message-----
From: Yotam Rubin [mailto:yotam () makif omer k12 il]
Sent: Sunday, 10 June 2001 06:39
To: incidents () securityfocus com
Subject: How to stop a consistent cracker.


Greetings,

        I have recently had the displeasure of reporting approximately 6
security incidents to various .edu's. The contacted .edu's have been
compromised by by one ^0wn^, a paradigmic script kiddie. His recent victims
include (I do not maintain a full account of actions)
humphrey.ocean.washington.edu, news.waterford.org, ns0.street.tv,
SIDHE.MIT.EDU,
rahul.engr.CSUFresno.EDU and auction2.csc.ncsu.edu. This must come to an
end.
The problem is that none of the contacts were willing to pursue the matter
legally, I advised everyone *NOT* to remove the compromised box. Some
replied
and tried to explain their motives, and some simply ignored me and removed
the host (A good example for this is the admin of
humphrey.ocean.washington.edu)
How can one stop this malicious user? Is it even possible when nobody is
willing to cooperate? Even while writing this letter, this guy is DoS'ing me
from 152.15.21.19.

        Regards, Yotam Rubin