How to catch a cracker in the US?
Hi, I'm an ISP in Germany and a cracker (not a hacker :) ) has targeted a customer of mine in the last days. The cracker was successful and caused financial damage / was successful with data theft. I set a trap and finally caught his real IP address - a Comcast user in the US (100% not a proxy or bot). What would be the next steps to pursue him? If I contact local authorities here in Germany I'm afraid months will pass by and Comcast will have possibly already deleted their logs by then (?). Any advice? Thank you! Markus
On Mar 11, 2014, at 2:00 PM, Markus <universe@truemetal.org> wrote:
Any advice?
Start with CERT-BUND, maybe? Although it's questionable whether or not it's possible to remotely absolutely ascertain whether the attacking machine in question was being operated by miscreants unbeknownst to its actual owner.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design. -- John Milton
From: Dobbins, Roland [mailto:rdobbins@arbor.net] Sent: Tuesday, March 11, 2014 8:06 AM Although it's questionable whether or not it's possible to remotely absolutely ascertain whether the attacking machine in question was being operated by miscreants unbeknownst to its actual owner.
Though it's 100% correct, would this stand up in court? e.g. "Nope, wasn't me downloading that movie, must have been a hacker misusing my PC. I didn't even know there's a 'torrent client', as you guys call it, installed on my PC; I only use it to play solitaire."
On Mar 12, 2014, at 5:10 PM, Vitkovský Adam <adam.vitkovsky@swan.sk> wrote:
Though it's 100% correct, would this stand up in court?
TIINAL - The Internet Is Not A Lawyer. ;>
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design. -- John Milton
There's an almost, I don't know the right word, jealous reaction to someone asking for help like this sometimes where people speculate on the legal success etc generally concluding failure.

There are many good reasons to try to track a criminal. For one thing, often this is not their only criminal activity so plausibly denying this one activity may not help them in the end. But not if everyone throws up their hands and focuses only on the difficulties!

Also, if they stole money or identity information and used it then there should be a trail of that activity. If I steal your credit card and it got used and it got used by the person you suspect stole it for other reasons (e.g., a phishing site was running at their IP) then that's a pretty good hint beyond just proving the one fact (it was their IP.)

On the one hand this is not a great forum for getting this advice because of this sort of thing, people who have little to offer in advice start speculating on legalities etc. OTOH, it is likely that people on this list have had first-hand experience with this sort of thing and can usefully recommend what the OP might do next.

I've had good and not so great experiences, but it's changed over the years. I've seen real creeps tracked aggressively in real time with warrants flying. I've also had LEO shout at me that they have only very limited resources which sounded like "if they rob a congressman call us, otherwise call your congressman and get us more budget first!"

-- -Barry Shein
The World | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On Mar 11, 2014 3:09 AM, "Dobbins, Roland" <rdobbins@arbor.net> wrote:
On Mar 11, 2014, at 2:00 PM, Markus <universe@truemetal.org> wrote:
Any advice?
Start with CERT-BUND, maybe?
That is the correct answer. If you want something less subtle (and possibly illegal), there were discussions on 'hacking back'. That is, basically having malicious documents with fake (or not) bank/personal information. If you can find who is using the info (some Comcast business IPs have the address in whois) and go OSINT from there (though if you go this route, try to contact LE before you post something and burn bridges). A note on terminology - whether you know what you're doing, actually break into a system, or obtain a thumb drive with data that you weren't supposed to have - it has the same end so I'd refer to it by the same term - hacking. Trying to differentiate terms based on skill, target, or data type is kinda dumb.
On 3/13/14, 12:35 AM, "shawn wilson" <ag4ve.us@gmail.com> wrote:
A note on terminology - whether you know what you're doing, actually break into a system, or obtain a thumb drive with data that you weren't supposed to have - it has the same end so I'd refer to it by the same term - hacking. Trying to differentiate terms based on skill, target, or data type is kinda dumb.
If one came up in this field with a mentor who was old school, or if one is old school oneself, one tends to use the original (as I understand it) definitions--a "cracker" breaks security or obtains data unlawfully, a "hacker" is someone who likes ethically playing (in the "joyful exploration" sense) with complicated systems. People who are culturally younger tend to use "hacker", as you are doing, for the former and as far as I can tell no specific term for the latter. If you ask me, this is something of a cultural loss. --Josh
On Thu, 13 Mar 2014 13:22:40 -0000, "Sholes, Joshua" said:
If one came up in this field with a mentor who was old school, or if one is old school oneself, one tends to use the original (as I understand it) definitions--a "cracker" breaks security or obtains data unlawfully, a "hacker" is someone who likes ethically playing (in the "joyful exploration" sense) with complicated systems.
For the old-schoolers, a "cracker" would violate the CFAA to get into a system. A hacker would produce a long list of ways to get in without violating the CFAA. Unfortunately, we no longer have a well-established word for the latter class of people.
On Thu, Mar 13, 2014 at 10:13 AM, <Valdis.Kletnieks@vt.edu> wrote:
On Thu, 13 Mar 2014 13:22:40 -0000, "Sholes, Joshua" said:
If one came up in this field with a mentor who was old school, or if one is old school oneself, one tends to use the original (as I understand it) definitions--a "cracker" breaks security or obtains data unlawfully, a "hacker" is someone who likes ethically playing (in the "joyful exploration" sense) with complicated systems.
For the old-schoolers, a "cracker" would violate the CFAA to get into a system.
A hacker would produce a long list of ways to get in without violating the CFAA.
Unfortunately, we no longer have a well-established word for the latter class of people.
You're all talkin' 1990s redefinitions here. 1980s crackers cracked the copy protections on software (DRM in modern parlance) while hackers broke in to online systems. Even that is a redefinition. Before that, hackers were anyone who jovially pranked a system in a manner typically unlawful which involved creativity and technical challenge. For example, "hackers" might arrange for live cattle to appear on the top of the great dome at MIT.

Regards, Bill Herrin
-- William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
On Mar 13, 2014, at 11:08 AM, William Herrin <bill@herrin.us> wrote:
On Thu, Mar 13, 2014 at 10:13 AM, <Valdis.Kletnieks@vt.edu> wrote:
On Thu, 13 Mar 2014 13:22:40 -0000, "Sholes, Joshua" said:
If one came up in this field with a mentor who was old school, or if one is old school oneself, one tends to use the original (as I understand it) definitions--a "cracker" breaks security or obtains data unlawfully, a "hacker" is someone who likes ethically playing (in the "joyful exploration" sense) with complicated systems.
For the old-schoolers, a "cracker" would violate the CFAA to get into a system.
A hacker would produce a long list of ways to get in without violating the CFAA.
Unfortunately, we no longer have a well-established word for the latter class of people.
You're all talkin' 1990s redefinitions here. 1980s crackers cracked the copy protections on software (DRM in modern parlance) while hackers broke in to online systems. Even that is a redefinition. Before that, hackers were anyone who jovially pranked a system in a manner typically unlawful which involved creativity and technical challenge.
For example, "hackers" might arrange for live cattle to appear on the top of the great dome at MIT.
Regards, Bill Herrin
And Bill documents yet another redefinition. Prior to that time, at MIT a “hacker” produced a novel variation of technology using it in ways not previously envisioned but not necessarily unlawful. Mating two different generations of telephone keysets or reducing a complex rack mount filter to a single small circuit board with an FET or two are just a couple of examples. One was just a “hack”, the other an “elegant hack”. We just called the moving of the rocket a “prank”. Cutler
On Thu, Mar 13, 2014 at 11:45 AM, James R Cutler <james.cutler@consultant.com> wrote:
And Bill documents yet another redefinition. Prior to that time, at MIT a "hacker" produced a novel variation of technology using it in ways not previously envisioned but not necessarily unlawful.
Mating two different generations of telephone keysets or reducing a complex rack mount filter to a single small circuit board with an FET or two are just a couple of examples. One was just a "hack", the other an "elegant hack". We just called
Hi James, Correct me if I'm wrong, but by the time "hacker" emerged as a word distinct from "hack" it already carried implications of mischief and disregard for the rules in addition to the original implication of creatively solving a technical challenge. Is that mistaken?

Regards, Bill Herrin
-- William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
On Thu, 13 Mar 2014 12:46:06 -0400, William Herrin said:
Correct me if I'm wrong, but by the time "hacker" emerged as a word distinct from "hack" it already carried implications of mischief and disregard for the rules in addition to the original implication of creatively solving a technical challenge. Is that mistaken?
To the contrary - there was a period of time when "hacker" included those who were responsible for creative hacks that followed the rules *as they actually were*, not as they were generally believed to be. "It had the virtue of never having been tried before". James T Kirk was (will be?e?) an old-school hacker of epic level. (Contemplate for a bit why Kirk wasn't bounced out on his butt from the Academy)
Valdis.Kletnieks@vt.edu wrote on 03/13/2014 02:09:34 PM:
To the contrary - there was a period of time when "hacker" included those who were responsible for creative hacks that followed the rules *as they actually were*, not as they were generally believed to be.
Another use of 'hacking' has been around in software for awhile ...
Newsgroups: comp.lang.perl.misc
Subject: Re: Who is Just another Perl hacker?
From: merlyn@stonehenge.com (Randal L. Schwartz)
Message-ID: <M1HFPVH2JQ.FSF@HALFDOME.HOLDIT.COM>
"Juho" == Juho Cederstrom writes:
Juho> But when do I become Just another Perl hacker? Who are they? I've read
Juho> the FAQ, but it doesn't answer my question. If I replace my email
Juho> signature with JAPH, do I break some kind of law?
Juho> Or is Just another Perl Hacker a person who just hacks Perl?
Well, this ol' JAPH thing started back in 88-ish when I was posting to a bunch of different newsgroups, and would sign each message somewhat individualized above the "-- " cut. For a while, it was stuff like:
On Mar 13, 2014, at 12:46 PM, William Herrin <bill@herrin.us> wrote:
On Thu, Mar 13, 2014 at 11:45 AM, James R Cutler <james.cutler@consultant.com> wrote:
And Bill documents yet another redefinition. Prior to that time, at MIT a "hacker" produced a novel variation of technology using it in ways not previously envisioned but not necessarily unlawful.
Mating two different generations of telephone keysets or reducing a complex rack mount filter to a single small circuit board with an FET or two are just a couple of examples. One was just a "hack", the other an "elegant hack". We just called
Hi James,
Correct me if I'm wrong, but by the time "hacker" emerged as a word distinct from "hack" it already carried implications of mischief and disregard for the rules in addition to the original implication of creatively solving a technical challenge. Is that mistaken?
Regards, Bill Herrin
Bill, Mistaken? Yes. As of early 1960’s - See history of WTBS, Ralph Zaorski, Dick Gruen, Alan Kent, and many others - The then current usage of “hacker” was simply one who produced a “hack” - an unusual or unexpected design or configuration or action which either did the same old thing done more simply/elegantly or which did something new or unexpected altogether. Putting an Western Electric power plant on an Automatic Electric step-by-step for the East Campus telephone switch was one of my “hacks”. James R. Cutler - james.cutler@consultant.com PGP keys at http://pgp.mit.edu
On Thu, Mar 13, 2014 at 3:15 PM, James R Cutler <james.cutler@consultant.com> wrote:
As of early 1960's - See history of WTBS, Ralph Zaorski, Dick Gruen, Alan Kent, and many others - The then current usage of "hacker" was simply one who produced a "hack" - an unusual or unexpected design or configuration or action which either did the same old thing done more simply/elegantly or which did something new or unexpected altogether.
Hi James, I'm afraid my google-fu doesn't reach back to the 1960's. You don't happen to have a handy reference do you?

Regards, Bill Herrin
-- William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
On Mar 13, 2014, at 12:24 PM, William Herrin <bill@herrin.us> wrote:
I'm afraid my google-fu doesn't reach back to the 1960's. You don't happen to have a handy reference do you?
On 3/13/2014 12:30 PM, James Downs wrote:
On Mar 13, 2014, at 12:24 PM, William Herrin <bill@herrin.us> wrote:
I'm afraid my google-fu doesn't reach back to the 1960's. You don't happen to have a handy reference do you?
See also the seminal book by Steven Levy: https://en.wikipedia.org/wiki/Hackers:_Heroes_of_the_Computer_Revolution
- ferg
-- Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
On Mar 13, 2014, at 2:30 PM, James Downs wrote:
On Mar 13, 2014, at 12:24 PM, William Herrin <bill@herrin.us> wrote:
I'm afraid my google-fu doesn't reach back to the 1960's. You don't happen to have a handy reference do you?
On Mar 13, 2014, at 3:24 PM, William Herrin <bill@herrin.us> wrote:
On Thu, Mar 13, 2014 at 3:15 PM, James R Cutler <james.cutler@consultant.com> wrote:
As of early 1960's - See history of WTBS, Ralph Zaorski, Dick Gruen, Alan Kent, and many others - The then current usage of "hacker" was simply one who produced a "hack" - an unusual or unexpected design or configuration or action which either did the same old thing done more simply/elegantly or which did something new or unexpected altogether.
Hi James,
I'm afraid my google-fu doesn't reach back to the 1960's. You don't happen to have a handy reference do you?
Regards, Bill Herrin
I carry that data in wet storage, interfaced via voice or eyes-on-screen/fingers-on-keyboard. I haven’t been on the MIT campus for more than a few minutes since late 1963. Regarding the Wikipedia entry for “Hacker”: The TMRC/MITAL history ignores the pioneering audio systems work that came out of WTBS (pre-sale to Ted). Ralph Zaorski and Barry Blesser were the best around at that.
Re: hackers vs crackers

I was at one of the early "Hackers Conferences" in the late 1980s, organized by Stewart Brand (The Whole Earth Catalog, The Well.) The attendees were quite impressive, not sure why I was invited :-) Todd Rundgren, Jerry Pournelle, Ted Nelson, the founders of a number of now big famous companies who probably would rather I didn't list their names, etc were all just some of the attendees. Although there were a lot of computer and network people they were maybe a bare majority. There were also authors, social innovators, artists, etc. Just "interesting people".

The press heard the word "HACKERS" and showed up convinced this was a black hat conference. Nothing would dissuade the reporters and wow people tried. They kept churning out 6PM news reports and articles during the conference about how this was a black hat conference where nefarious no-goodniks had gotten together to create evil plots to (who knows what?) Based on nothing, absolutely nothing. They were even given access to the conference to see what was going on for themselves. All because of the word "hackers" in the conference name. And this was the late 1980s, few of them even knew what a hacker might hack. But it was good press (as in: got eyeballs)!

And then of course law enforcement saw the TV spots etc. and showed up to ask some questions and infer some threats. Fortunately not much bad really happened but it was more than a little distracting from the intent of the conference which was just to bring some really bright and creative people together with little structure and let them interact.

Hmm, I vaguely remember someone was in the midst of a criminal case or on parole for something like political activism and was forced to leave (not by the conference, by their parole officer or lawyer or court or some such) because their status forbade "consorting with known criminals" and they were "just asking for trouble".
A lot of us vowed to try to keep the "hackers" vs "crackers" distinction alive in the public's mind but I can't say it worked. Having lost that battle I guess the term "Makers" is used today.

-- -Barry Shein
The World | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On 3/13/14, 1:23 PM, "Barry Shein" <bzs@world.std.com> wrote:
A lot of us vowed to try to keep the "hackers" vs "crackers" distinction alive in the public's mind but I can't say it worked.
Yeah, that battle had already been lost by the time I entered the field (even though I tried to fight it for a while anyway.)
Having lost that battle I guess the term "Makers" is used today.
I will note that "hackerspace" seems to be somewhat more common parlance than "makerspace" in the circles I operate in as a description of "area where a bunch of people in various disciplines go to create things in a shared environment", so that's some reclamation of what I would consider the original meaning of "hacker". -- Josh
On 3/13/14 6:22 AM, Sholes, Joshua wrote:
If one came up in this field with a mentor who was old school, or if one is old school oneself, one tends to use the original (as I understand it) definitions--a "cracker" breaks security or obtains data unlawfully, a "hacker" is someone who likes ethically playing (in the "joyful exploration" sense) with complicated systems.
And both terms are so defined in RFC 1392, dated January 1993.
-- Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
On 03/16/2014 08:51 PM, Jay Hennigan wrote:
On 3/13/14 6:22 AM, Sholes, Joshua wrote:
If one came up in this field with a mentor who was old school, or if one is old school oneself, one tends to use the original (as I understand it) definitions--a "cracker" breaks security or obtains data unlawfully, a "hacker" is someone who likes ethically playing (in the "joyful exploration" sense) with complicated systems.
And both terms are so defined in RFC 1392, dated January 1993.
... but that's only informational. :)
On Tue, Mar 11, 2014 at 3:00 AM, Markus <universe@truemetal.org> wrote:
I'm an ISP in Germany and a cracker (not a hacker :) ) has targeted a customer of mine in the last days. The cracker was successful and caused financial damage / was successful with data theft. I set a trap and finally caught his real IP address - a Comcast user in the US (100% not a proxy or bot). What would be the next steps to pursue him? If I contact local authorities here in Germany I'm afraid months will pass by and Comcast will have possibly already deleted their logs by then (?). Any advice?
Hi Markus,

A couple of suggestions:

1. Ask Comcast to preserve the records associated with the IP addresses and timeframe in which the problem occurred. They can't give them to you absent a valid US subpoena but they can save them from automatic deletion while you work on that.

2. Be specific about the problem. Be liberal with the shared details! Comcast can be your partner in this endeavor. If you treat them as your enemy by being cagey, they may behave as your enemy by doing the minimum required by law. Which turns out to be not much.

3. Once you have done these things, then go to the police. Share information about your specific contact with Comcast with the police and share your specific police contact with Comcast. This will start them talking, which is half the battle in getting the police to investigate a computer crime. Who knows, U.S. authorities may already be investigating the same user which would make your job so much easier.

Regards, Bill Herrin
-- William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
On 12 March 2014 14:56, William Herrin <bill@herrin.us> wrote:
.. Who knows, U.S. authorities may already be investigating the same user which would make your job so much easier.
<lurker mode off>Also, if you just want a deterrent: having a cop visit the home of the cracker just asking questions may send the message "we know where you live, so calm the fuck up".</lurker mode on> -- -- ℱin del ℳensaje.
On Mar 12, 2014, at 9:56 AM, William Herrin <bill@herrin.us> wrote:
On Tue, Mar 11, 2014 at 3:00 AM, Markus <universe@truemetal.org> wrote:
I'm an ISP in Germany and a cracker (not a hacker :) ) has targeted a customer of mine in the last days. The cracker was successful and caused financial damage / was successful with data theft. I set a trap and finally caught his real IP address - a Comcast user in the US (100% not a proxy or bot). What would be the next steps to pursue him? If I contact local authorities here in Germany I'm afraid months will pass by and Comcast will have possibly already deleted their logs by then (?). Any advice?
Hi Markus,
A couple of suggestions:
1. Ask Comcast to preserve the records associated with the IP addresses and timeframe in which the problem occurred. They can't give them to you absent a valid US subpoena but they can save them from automatic deletion while you work on that.
2. Be specific about the problem. Be liberal with the shared details! Comcast can be your partner in this endeavor. If you treat them as your enemy by being cagey, they may behave as your enemy by doing the minimum required by law. Which turns out to be not much.
3. Once you have done these things, then go to the police. Share information about your specific contact with Comcast with the police and share your specific police contact with Comcast. This will start them talking, which is half the battle in getting the police to investigate a computer crime. Who knows, U.S. authorities may already be investigating the same user which would make your job so much easier.
how long ago did this happen? they preserve subscriber information forever, and dhcp logs for quite a long time. the police = your local federal police. there is an mlat between .de and .us which means the us police has to cooperate and pursue german cases and vice versa. yes, it takes longer. there is also a hotline system where the .de police can request records preservation by US entities with the promise that an mlat request is forthcoming.
Regards, Bill Herrin
-- William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
On Tue, Mar 11, 2014 at 2:00 AM, Markus <universe@truemetal.org> wrote:
Hi,
Your goal should be to keep together and preserve all the evidence/documentation you have: make sure you have, and can verify, the authenticity and chain of custody for all relevant materials that you say evidence the attacks and their source, including your "trap", how that works, and how it proves the apparent source/origin. Then contact the local authorities. By the way, without surveillance of the source network, it is really quite impossible to 100% prove that a given IP address is not running a bot and not being used as a proxy or traffic relay. This does not necessarily preclude contacting Comcast as well, to request they preserve records.
I'm an ISP in Germany and a cracker (not a hacker :) ) has targeted a customer of mine in the last days. The cracker was successful and caused financial damage / was successful with data theft. I set a trap and finally caught his real IP address - a Comcast user in the US (100% not a proxy or bot). What would be the next steps to pursue him? If I contact local authorities here in Germany I'm afraid months will pass by and Comcast will have possibly already deleted their logs by then (?). Any advice?
Thank you! Markus
-- -JH
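The evidence-preservation advice above (keep the material together, be able to verify its authenticity and chain of custody) is usually implemented as a hashed manifest taken at collection time. The following is an added example, not code from the thread or from any participant: it walks an evidence directory, records a SHA-256 digest and size for every file, hashes the manifest body itself so later edits to the manifest are detectable, and re-checks a directory against a manifest. The collector name, the log line with the documentation-range address 198.51.100.23, and the file names are constructed sample values.

```python
"""Evidence manifest for chain-of-custody checks (added example, not from the thread)."""
import hashlib
import json
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20  # read large captures in 1 MiB pieces


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _body_digest(manifest):
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


def build_manifest(evidence_dir, collector, note=""):
    """Record path, size and SHA-256 of every file under evidence_dir."""
    root = Path(evidence_dir)
    files = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files.append({
                "path": p.relative_to(root).as_posix(),
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
            })
    manifest = {
        "collector": collector,
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "note": note,
        "files": files,
    }
    # Seal the manifest: any later change to collector, timestamp, note or
    # file entries changes this digest.
    manifest["manifest_sha256"] = _body_digest(manifest)
    return manifest


def verify_manifest(evidence_dir, manifest):
    """Return a list of problems; an empty list means the tree matches the manifest."""
    root = Path(evidence_dir)
    problems = []
    body = dict(manifest)
    recorded = body.pop("manifest_sha256", None)
    if _body_digest(body) != recorded:
        problems.append("manifest body was altered after sealing")
    for entry in manifest["files"]:
        p = root / entry["path"]
        if not p.is_file():
            problems.append(f"missing: {entry['path']}")
        elif sha256_file(p) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['path']}")
    listed = {e["path"] for e in manifest["files"]}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in listed:
            problems.append(f"unlisted file: {rel}")
    return problems


def demo():
    """Constructed sample: seal a small evidence tree, then tamper with it two ways."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "logs").mkdir()
        # Constructed log line; 198.51.100.23 is a documentation address, not a real source.
        (root / "logs" / "trap-access.log").write_text(
            "2014-03-10T22:14:07Z 198.51.100.23 GET /trap/customer-export.xlsx 200\n")
        (root / "trap-notes.txt").write_text("constructed note describing how the trap works\n")
        manifest = build_manifest(d, "NOC on-call (constructed name)", "constructed sample")
        clean = verify_manifest(d, manifest)
        # Tamper 1: a file is edited after collection.
        (root / "logs" / "trap-access.log").write_text("edited after the fact\n")
        file_tampered = verify_manifest(d, manifest)
        # Tamper 2: someone edits the manifest's note field without re-sealing it.
        edited = dict(manifest)
        edited["note"] = "changed note"
        manifest_tampered = verify_manifest(d, edited)
        return {"clean": clean, "file": file_tampered, "manifest": manifest_tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest outside the evidence tree (otherwise it shows up as an unlisted file on the next check) and have someone other than the collector countersign or timestamp it; the digest only proves the files are unchanged since sealing, not who sealed them or when.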
I’ve seen past employers contact the FBI for a similar issue, but we had control of the network and logs in question so that made it easier. You may be able to contact Interpol or a similar agency in the EU. They will at least be able to tell you the right agency to call. You can also have a lawyer contact Comcast on your behalf. Many times a company will retrieve and store logs in preparation for various legal proceedings. Comcast is a very large company so there’s no way to be sure that this will spur them into action, but it’s a start.
On Mar 11, 2014, at 3:00 AM, Markus <universe@truemetal.org> wrote:
Hi,
I'm an ISP in Germany and a cracker (not a hacker :) ) has targeted a customer of mine in the last days. The cracker was successful and caused financial damage / was successful with data theft. I set a trap and finally caught his real IP address - a Comcast user in the US (100% not a proxy or bot). What would be the next steps to pursue him? If I contact local authorities here in Germany I'm afraid months will pass by and Comcast will have possibly already deleted their logs by then (?). Any advice?
Thank you! Markus
participants (20)
- Barry Shein
- Chris Boyd
- Dobbins, Roland
- Doug Barton
- James Downs
- James R Cutler
- Jay Hennigan
- Jimmy Hess
- Joe Loiacono
- joel jaeggli
- Keegan Holley
- Mark Seiden
- Markus
- Paul Ferguson
- shawn wilson
- Sholes, Joshua
- Tei
- Valdis.Kletnieks@vt.edu
- Vitkovský Adam
- William Herrin