
Wednesday, 12 September 2007

Max Ray Butler in Trouble Again

In my first book I wrote the following on p 170:

WHO WROTE PRIVMSG?

The author of Privmsg served one year in prison after pleading guilty in a U.S. District Court to a single count of computer intrusion. In May 1998 he compromised numerous government, military, and academic servers running BIND and installed back doors on those systems. He was caught thanks to skillful use of session data by analysts at the AFCERT and by Vern Paxson from Lawrence Berkeley Labs. See http://www.lbl.gov/Science-Articles/Archive/bro-cyber.html for more information on Paxson’s use of Bro and the “boastful and self-justifying” e-mail the intruder sent to Paxson. For details on the intruder, see Wired’s account at http://www.wired.com/news/culture/0,1284,54838,00.html. Kevin Poulsen’s story at http://www.securityfocus.com/news/203 has more details.

The bottom line is it does not pay to infiltrate government machines -- especially Air Force servers or computers monitored by IDS researchers.


I didn't name Max Ray Butler (aka "Max Vision") as the author of Privmsg, but if you followed the stories you would have figured that out yourself.

I also didn't publicize this August 2002 post by Max to the SecurityFocus Jobs mailing list, subject line bay area security professional, $6.75/hr... Please read below!:

Greetings security employers:

I have an unusual situation that I would like to describe to you, and in doing so I am asking that anyone who can immediately employ me in the San Francisco Bay Area, please read this email and consider taking advantage of my availability and temporarily low cost.

I am...
o a seasoned professional with extensive security skills and experience
o a once convicted hacker (DOD, 1998)
o local to the San Francisco Bay Area, I live in Oakland
o willing to work for minimum wage (for the next two months)
o eager to work 60 hour weeks; I don't mind nights/weekends/holidays...

My Conviction (why I am desperate)

I am not proud of being convicted of a felony, but it is important that a potential employer know of my status. Apparently if you have FDIC insurance there is a clause stating that you cannot hire a convicted hacker on your projects. It is also because of my status that I am desperate for security-related or even internet-related work.

The truth is, I am living in a federal halfway house transitioning out of prison back into society. I have to find local work to meet their requirements, and they haven't approved any telecommute offers I have had so far. The director of the facility told me that if I don't find a job in the next week or so he will send me back to prison (my sentence actually ends October 12th)...

Sincerely,

Max Vision


That's one of the saddest and most pathetic posts I've ever read.

So where are we now, five years later? Check out Max Vision charged with hacking -- again:

In a five-count indictment unsealed on Tuesday, federal prosecutors allege that Butler ran a scheme to hack into computers at financial institutions and credit-card processing centers, stealing account information and selling the data to others. Butler also ran the online carders' forum, CardersMarket, under the name "Iceman" and "Aphex" as a way to coordinate illegal activities and meet people with similar interests, according to an affidavit penned by the U.S. Secret Service, which spearheaded the investigation...

During the 16-month investigation, the Secret Service maintained two confidential informants, one of which was an administrator on the CardersMarket forum. The informants gave the investigators an eye-opening view of the inner workings of the carders' world, the affidavit stated.

Butler purportedly used at least five different handles -- including "Iceman," "Aphex," and "Digits" -- in an attempt to confuse law enforcement and keep his administrative activities on CardersMarket separate from his outright illegal activities, the affidavit maintains...

A federal grand jury indicted Butler on charges of wire fraud and identity theft. If Butler is found guilty of all five charges, he could face up to 70 years in prison and a fine of $1.5 million, according to the U.S. Attorney's Office in Pittsburgh. Butler is currently being held in San Francisco until he appears in court on Monday.


I know Mr Butler is innocent until proven guilty in US courts, but human evidence gathered by informants is going to be tough to beat.

Show this post to your kids if they think "[malicious] hacking is cool." If you think "[malicious] hacking is cool," remember Mr Butler's fate the next time you break the law.

Thursday, 05 April 2007

Monitoring and Investigation Lessons

Thanks to 27B Stroke 6 I learned that cybercriminal Jerome Heckenkamp (sorry Kevin, he's no "superhacker") will stay a criminal. The U.S. 9th Circuit Court of Appeals refused to overturn Heckenkamp's conviction. According to this DoJ announcement:

Mr. Heckenkamp's sentence results from his guilty pleas in January 2004 to two counts of gaining unauthorized access into a computer and recklessly causing damage, in violation of 18 U.S.C. §§ 1030(a)(5)(B). In pleading guilty, Mr. Heckenkamp admitted that he gained unauthorized access to eBay computers during February and March 1999. Using this unauthorized access, Mr. Heckenkamp admitted that he defaced an eBay Web page using the name "MagicFX," and that he installed "trojan" computer programs - or programs containing malicious code masked inside apparently harmless programs - on the eBay computers that secretly captured usernames and passwords that Mr. Heckenkamp later used to gain unauthorized access into other eBay computers.

Mr. Heckenkamp also admitted that he gained unauthorized access to Qualcomm computers in San Diego in late 1999 using a computer from his dorm room at the University of Wisconsin-Madison. Once he gained this unauthorized access, Mr. Heckenkamp admitted that he installed multiple "trojans" programs which captured usernames and passwords he later used to gain unauthorized access into more Qualcomm computers.


The new court decision involves the Qualcomm intrusion. The source of the intrusion was traced to UWM, where network investigator Jeffrey Savoy discovered that Heckenkamp's machine was attacking Qualcomm. Essentially, Savoy logged into Heckenkamp's machine to validate that it was the machine in question, and then contacted the authorities to physically visit Heckenkamp's dorm room.

I found these excerpts from the ruling (.pdf) to be noteworthy:

The government does not dispute that Heckenkamp had a subjective expectation of privacy in his computer and his dormitory room, and there is no doubt that Heckenkamp’s subjective expectation as to the latter was legitimate and objectively reasonable...

We hold that he also had a legitimate, objectively reasonable expectation of privacy in his personal computer...

The salient question is whether the defendant’s objectively reasonable expectation of privacy in his computer was eliminated when he attached it to the university network. We conclude under the facts of this case that the act of attaching his computer to the network did not extinguish his legitimate, objectively reasonable privacy expectations...

However, privacy expectations may be reduced if the user is advised that information transmitted through the network is not confidential and that the systems administrators may monitor communications transmitted by the user...

In the instant case, there was no announced monitoring policy on the network. To the contrary, the university’s computer policy itself provides that “[i]n general, all computer and electronic files should be free from access by any but the authorized users of those files. Exceptions to this basic principle shall be kept to a minimum and made only where essential to . . . protect the integrity of the University and the rights and property of the state.”

When examined in their entirety, university policies do not eliminate Heckenkamp’s expectation of privacy in his computer. Rather, they establish limited instances in which university administrators may access his computer in order to protect the university’s systems. Therefore, we must reject the government’s contention that Heckenkamp had no objectively reasonable expectation of privacy in his personal computer, which was protected by a screensaver password, located in his dormitory room, and subject to no policy allowing the university actively to monitor or audit his computer usage.
(emphasis added)

Wow, so far it's looking good for Jerome. So what happened?

Although we conclude that Heckenkamp had a reasonable expectation of privacy in his personal computer, we conclude that the search of the computer was justified under the “special needs” exception to the warrant requirement. Under the special needs exception, a warrant is not required when “ ‘special needs, beyond the normal need for law enforcement, make the warrant and probable-cause requirement impracticable.’ ”

If a court determines that such conditions exist, it will “assess the constitutionality of the search by balancing the need to search against the intrusiveness of the search..."

Here, Savoy provided extensive testimony that he was acting to secure the Mail2 server, and that his actions were not motivated by a need to collect evidence for law enforcement purposes or at the request of law enforcement agents. This undisputed evidence supports Judge Jones’s conclusion that the special needs exception applied.

The integrity and security of the campus e-mail system was in jeopardy... Under these circumstances, a search warrant was not necessary because Savoy was acting purely within the scope of his role as a system administrator. Under the university’s policies, to which Heckenkamp assented when he connected his computer to the university’s network, Savoy was authorized to “rectif[y] emergency situations that threaten the integrity of campus computer or communication systems[,] provided that use of accessed files is limited solely to maintaining or safeguarding the system.”

Savoy discovered through his examination of the network logs, in which Heckenkamp had no reasonable expectation of privacy, that the computer that he had earlier blocked from the network was now operating from a different IP address, which itself was a violation of the university’s network policies.

This discovery, together with Savoy’s earlier discovery that the computer had gained root access to the university’s Mail2 server, created a situation in which Savoy needed to act immediately to protect the system.


That is fascinating. Because administrator Savoy sought to protect university resources when he logged into Heckenkamp's computer, Savoy's search was justified. Also, Heckenkamp had no expectation of privacy over network logs, which also traced Heckenkamp's computer to Qualcomm.
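As an added illustration (not code from the post or from the ruling), this is the kind of check an administrator in Savoy's position could run over DHCP lease logs: a host blocked at one IP that reappears on the network under a different IP. The log lines, MAC addresses and block record below are constructed, and the example assumes the blocked host is recognised by its hardware (MAC) address.

```python
import re
from datetime import datetime

# Constructed dhcpd-style syslog lines (not from the case); all addresses are made up.
SAMPLE_LOG = """\
Jan 10 08:15:02 dhcp1 dhcpd: DHCPACK on 10.20.5.41 to 00:0a:95:9d:68:16 via eth1
Jan 10 08:16:10 dhcp1 dhcpd: DHCPACK on 10.20.5.42 to 00:0a:95:12:aa:01 via eth1
Jan 10 09:30:00 dhcp1 dhcpd: DHCPACK on 10.20.5.41 to 00:0a:95:9d:68:16 via eth1
Jan 10 11:02:17 dhcp1 dhcpd: DHCPACK on 10.20.9.77 to 00:0a:95:9d:68:16 via eth1
Jan 10 11:05:00 dhcp1 dhcpd: DHCPACK on 10.20.5.42 to 00:0a:95:12:aa:01 via eth1
Jan 10 11:40:33 dhcp1 dhcpd: DHCPACK on 10.20.9.78 to 00:0a:95:12:aa:01 via eth1
"""

# Constructed block record: the IP the administrator blocked, the MAC seen on it,
# and when the block went in. Only this one host is under quarantine.
BLOCKED = {
    "00:0a:95:9d:68:16": {"ip": "10.20.5.41", "at": "Jan 10 10:00:00"},
}

# One DHCPACK line: timestamp, host, then "DHCPACK on <ip> to <mac>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on "
    r"(?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17})"
)


def parse_ts(ts, year=2000):
    """Syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_lease_log(text):
    """Yield (timestamp, mac, ip) for each DHCPACK line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield parse_ts(m["ts"]), m["mac"].lower(), m["ip"]


def find_block_evasion(log_text, blocked):
    """Report a blocked host the first time it leases a new IP after its block time.

    A quarantined machine that re-enters the network on a different address is
    the pattern the ruling describes; the block was on the IP, so only the
    hardware address ties the new lease back to the blocked host.
    """
    alerts, seen = [], set()
    for ts, mac, ip in parse_lease_log(log_text):
        entry = blocked.get(mac)
        if entry is None:
            continue                       # host was never blocked
        if ts <= parse_ts(entry["at"]) or ip == entry["ip"]:
            continue                       # before the block, or still on the blocked IP
        if (mac, ip) in seen:
            continue                       # repeat renewal on the same new IP
        seen.add((mac, ip))
        alerts.append({"mac": mac, "blocked_ip": entry["ip"], "new_ip": ip, "seen": ts})
    return alerts


if __name__ == "__main__":
    for a in find_block_evasion(SAMPLE_LOG, BLOCKED):
        print(f"{a['seen']:%b %d %H:%M:%S} blocked host {a['mac']} "
              f"(was {a['blocked_ip']}) now active on {a['new_ip']}")
```

The block is keyed on the MAC address because that is what survives the IP change; a host that also changes its hardware address would need ARP or switch-port logs to correlate.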

This may be one small step towards taking the fight to the enemy, but please be aware of the extremely limited nature of this event. I recommend reading the whole ruling (it's only 13 pages) for details.

Update: In Jennifer Granick's story she notes that Savoy logged into Heckenkamp's computer as user temp password temp, based on credentials found in a file on his mail server.

Thursday, 29 March 2007

Remember that TJX Is a Victim

Eight years ago this week news sources buzzed about the Melissa virus. How times change! Vulnerabilities and exposures are being monetized with astonishing efficiency these days. 1999 seems so quaint, doesn't it?

With the release of TJX's 10-K to the SEC all news sources are discussing the theft of over 45 million credit cards from TJX computers. I skimmed the 10-K but didn't find details on the root cause. I hope this information is revealed in one of the lawsuits facing TJX. Information on what happened is the only good that can come from this disaster.

It's important to remember that TJX is a victim, just as its customers are victims. The real bad guys here are the criminals who compromised TJX resources and stole sensitive information. TJX employees may be found guilty of criminal negligence, but that doesn't remove the fact that an unauthorized party attacked TJX and stole sensitive information. Unfortunately I believe the amount of effort directed at apprehending the offenders will be dwarfed by the resources directed at TJX. That will leave those intruders and others like them to continue preying on other weak holders of valuable information.

Update: At least US credit card holders don't have it as bad as our friends in the UK.

Wednesday, 21 March 2007

When Lawsuits Attack

I haven't said anything about the intrusions affecting TJX until now because I haven't felt the need to contribute to this company's woes. Today I read TJX Faces Suit from Shareholder:

The Arkansas Carpenters Pension Fund owns 4,500 shares of TJX stock, and TJX denied its request to access documents outlining the company's IT security measures and its response to the data breach.

The shareholder filed the lawsuit in Delaware's Court of Chancery Monday afternoon under a law permitting shareholders to sue for access to corporate documents in certain cases, The Associated Press reported. The pension fund wants the records to see whether TJX's board has been doing its job in overseeing the company's handling of customer data, the news agency said.


Imagine having your security measures and incident response procedures laid bare for everyone to see. (It's possible there might not be anything to review!) How would your policies and procedures fare?

The following sounds like many incidents I've investigated.

The TJX breach was worse than first thought, TJX officials recently admitted. The company initially believed that attackers had access to its network between May 2006 and January 2007. However, the ongoing investigation has turned up evidence that the thieves also were inside the network several other times, beginning in July 2005.

Originally the company was compromised for nine months, but now the scope could reach almost a year prior. The question is whether this is evidence of compromise by another group or the same group. In either case the company's security posture looks terrible.

The sad part about this sort of incident is that most if not all of the preventative systems TJX might have applied are worthless for response and forensics. I'm guessing TJX is relying on host-centric forensics, like analysis of the MAC times of files and other artifacts on victim servers, to scope the incident. I bet TJX is paying hundreds of thousands of dollars in investigative consulting right now, beyond the damage to their brand and other technical and financial recovery costs.

Hopefully these lawsuits will shed some light on TJX's security practices so other companies can learn from their mistakes. This is the sort of incident that my future National Digital Security Board would do well to investigate and report.

Thursday, 03 August 2006

Intruders Selling Security Software

If you read my coverage of the UBS trial, you'll remember the controversy involving Karl Kasper's "hacker" background. I said in that post:

All the wanna-be hacker kiddies should remember that grown-ups don't trust the opinions of "hackers" in courts of law.

If you wouldn't trust what a "hacker" says in court, would you trust software sold by an intruder?

Yesterday I read this article: Ex-hacker helps companies get defensive. It contains this news:

A reformed computer hacker is winning big clients for open-source software and hardware products that protect a company's network from intruders...

The 27-year-old [name deleted] got his start at the U.S. Department of Defense in an auspicious way: He agreed to work in information warfare after he was arrested at age 17 for hacking into a government network. In return, he served no jail time.


I'm appalled by this story. First, it demonstrates the press' obsession with using the term "hacker" to describe an intruder. Second, the intruder is posting word of this story on the front page of his company's Web site. Third, this intruder worked for a variety of companies in sensitive positions -- including, supposedly, our own government. I wonder which of those post-arrest companies knew about this intruder's arrest? I wonder if this is the first time his customers will learn of his past?

Friday, 30 June 2006

Signs of Desperation from Duronio Defense Team

It sounds to me like the Duronio defense team has nothing left in its tank, so it's attacking Keith Jones directly. The latest reporting, UBS Trial: Defense Suggests Witness Altered Evidence, shows how ridiculous the defense team sounds:

"So when you talked about putting pieces of the puzzle together, you were missing three-quarters of the pieces for the [central file server] alone?" [defense attorney] Adams asked.

"The puzzle pieces I had to put together formed the picture I needed," Jones replied. "If the puzzle was of a boat, then I had enough pieces to form the picture of the boat."

Adams countered, "But you might not see all the other boats around it."

Jones replied, "But the second boat won't get rid of the first boat. It's simple mathematics that when you add data, you don't subtract data. There was nothing in that data set that could remove the data I already had."


It sounds like Keith has more testifying in store for next week. Stay tuned.

Friday, 23 June 2006

A Real Logic Bomb

Logic bomb is a term often used in the media, despite the fact that almost all reporters (there are notable exceptions) have no clue what it means. Well, now we can look at a real one, thanks to forensics work by Keith Jones. He found a real logic bomb while doing forensics on the United States v. Duronio case. I worked the very beginning of this case while Keith and I were both at Foundstone. My small part involved trying to figure out how to restore images of AIX machines from tape. I even bought an AIX box on eBay for experimentation.

You can read about Keith's testimony in this Information Week article. This is the "logic bomb" Keith recovered:



One of the neat aspects of this case is its age: over four years. The media and elsewhere are abuzz with stories of "insider threats," but this has been a problem for a very long time. Congratulations to Keith for testifying on such an important case. If the jury has a clue, the defendant doesn't have a chance.

Update: This story specifically examines the code in question.

Tuesday, 08 November 2005

Congratulations to Feds

I'd like to congratulate the United States Attorney's Office, Central District of California for indicting a bot net controller. According to the press release and the indictment (.pdf), up to 400,000 victims were compromised. You can track the progress of this case through the Post Indictment Arraignment Calendar.

This is exactly the sort of work that needs to be done. Security professionals cannot win against intruders if only the "vulnerability" variable of the risk equation is addressed. We need law enforcement to reduce the "threat" variable as well. The suspect in this case is a 20-year-old living in California. This is the sort of perpetrator who can be deterred, unlike a foreign intelligence agent or member of organized crime. The more bot net operators who are put in jail, the fewer lower-end threats we will need to stop.

Friday, 26 August 2005

Great Reporting by Brian Krebs

During the Mike Lynn affair I found Brian Krebs' reporting to be invaluable. Now he has provided an excellent story on the arrest of the Zotob and Mytob worm authors. I recommend you read the story linked from Brian's blog. Highlights include:

"Both of the suspects' nicknames can be found in the original computer programming code for Zotob, according to the FBI and Microsoft...

The author of the original Blaster worm remains at large, and Microsoft has offered a $250,000 bounty for information leading to the arrest and conviction of that person...

[E]vidence indicates Ekici paid Essebar to develop the worms, which the two used for financial gain...

[T]he two men are alleged to have forwarded financial information stolen from victims' computers to a credit card fraud ring.

[P]olice who raided Essebar's home found a computer that contained the original programming instructions for the first version of the Zotob worm."

I am glad to see action against a different leg of the risk triad, namely threats. It's no use to only address vulnerabilities if the threats who exploit those vulnerabilities are free to constantly develop innovative new attacks.

Ryan Naraine also wrote a good article called Inside Microsoft's Zotob Situation Room.

Incidentally, Andy Sullivan of Reuters is another great "old media" reporter. He's written about Def Con and other issues.

Friday, 01 July 2005

Credit Card Intrusion Detection

I just received a call from a computer at Citicards, the company that issued one of my credit cards. Twice in the past few years that card was stolen by credit card number thieves. I found the exchange with the computer interesting.

First it announced that it was calling from the Citicards fraud department. Next it asked if I was "Richard Bejtlich," using the best pronunciation of my last name a computer could muster. (It's "bate-lik", by the way.) Then it asked me to verify the zip code of the billing address for the credit card. At this point I figured providing a zip code was a low-risk activity, in the event this was a sophisticated social engineering attempt.

Once I "authenticated" via zip code, the computer asked if I had made a purchase of $6.37 yesterday at "fast food" something-or-other. I recognized this as the dinner I bought at the incredibly high-brow Chick-fil-A drive-thru window at 9 pm last night. I pressed "one" to validate the transaction. Next the computer asked if I had spent money at an automated data which I recognized as the gas I bought prior to driving to Columbia, MD. I validated that transaction. At that point the computer was satisfied. It told me to call 1-800-950-5114 if I had any concerns.

I believe Citicards alerted to my two recent transactions because I hardly use that card. It's also possible they are edgy after the recent CardSystems Solutions heist. It's even possible my card is on a watch list of some sort. Thanks to John Ward for pointing out I was probably working with the Citicards Fraud Early Warning program.

Thursday, 24 February 2005

Investigating the Paris Hilton Incident

More details are emerging regarding the Paris Hilton cellphone incident. I'd like to use this case to take a look at the various approaches used to perform incident response. The first two methods are technical, and the third is non-technical.

First we have the assessment approach. This involves probing target systems which may have been involved in the incident. Assessors look for security weaknesses in services and applications they believe could have yielded the information acquired by the intruders. Jack Koziol's recent blog entry is an example of this approach.

In my opinion this method is least likely to yield useful information, and is often a waste of time, as far as determining the details of the incident at hand. The assessment approach is largely speculation, albeit with access to some or all of the systems which could have been victimized. From a forensic standpoint, this is a poor way to investigate an intrusion. Assessors typically interact directly with victimized or potentially victimized systems. Their "investigation" risks damaging evidence that could be retrieved by a forensic investigator. Despite the harm caused by this method, I have read the CSO of an immense security company advocate this approach in her most recent book.

The assessment approach is useful for incident recovery. It is important to know the scope of a target's vulnerabilities before declaring a case "solved." It does no good to patch one hole if three remain open. I wrote about combining assessment with incident response in a whitepaper for Foundstone titled Expediting Incident Response with Foundstone ERS. Jack's probing of the T-Mobile site is valuable in that it shows they still have problems. The assessment method may in some cases yield the answer to a problem by constructing an experiment resembling the incident. Professor Feynman's O-ring in ice water experiment shows the power of doing "what-if" incident response. The problem I've seen in the digital realm is that the assessment-minded conduct their "investigation" on the original evidence (the victimized systems), thereby spoiling information for the next phase...

The second technical way to investigate an incident is the forensic method. This process centers on examining digital evidence collected from victimized or potentially victimized systems in a forensically sound manner. Evidence is acquired carefully, in accordance with procedures most likely to withstand an adversarial legal system. This contrasts starkly with the assessment method, where assessors typically "race to root" on the target and then declare "victory."

The weakness of the forensic method lies in the lack of evidence or an absence of useful evidence. I have performed many incident responses where I only acquired case-solving information by collecting it with my own products and processes. Frequently the victim has not enabled sufficient logging, or he has trounced the evidence by performing his own amateur investigation. While the former is usually not excusable, the second can often not be avoided. If an administrator suspects something is wrong with one of her servers, she is most likely going to check it out before calling in outside forensic help. Unfortunately, this destroys evidence that could have been collected in a fairly easy manner.

The third way to investigate an intrusion is the law enforcement method. I do not necessarily mean law enforcement is involved, although they are most likely to follow this technique. Rather, I am referring to a non-technical, human source-oriented means of investigating an incident. This method relies on cultivating informants, interviewing various parties, and conducting open research on threats that may have had the capabilities and intentions to harm a victim.

Several examples can be found on the Web. Brian McWilliams reports the following:

"An anonymous source provided O'Reilly Network with a screen grab, proving he was able to access the contents of Hilton's T-Mobile inbox as of Tuesday morning. Another image confirmed that Hilton's 'secret answer' was her dog's name."

This Rootsecure.net story mixes the assessment and law enforcement methods, but it points to the existence of tMobile_exploit_tools.zip, a program to gain access to T-Mobile Web accounts.

Incidentally, CSC posted an advisory last August saying "T-mobile Wireless and Verizon Northwest are vulnerable to caller-ID authentication spoofing, enabling arbitrary compromise of customer voicemail/message center." Essentially, the phones can be set up to trust callers and play voicemail based on caller ID, which can be spoofed.

The law enforcement method can be the most successful means to resolve an intrusion. It is especially helpful when digital evidence is lacking. Often an investigator (most likely a real law enforcement agent) can acquire evidence pointing to the physical intruder, usually by speaking with informants. The law enforcement agents then obtain digital, hard-copy, and physical evidence by obtaining a search warrant for the suspected intruder's home or office. This is generally the only way to tie a person to a keyboard, which is the best means to successfully prosecute an intruder.

Saturday, 25 September 2004

Further Musings on Digital Crime

Adam Shostack posted a response to my Thoughts on Digital Crime blog entry. Essentially he questions the "bandwidth" of the law enforcement organizations I listed, i.e., their ability to handle cases. The FBI CART Web page says "in 1999 the Unit conducted 2,400 examinations of computer evidence." At HTCIA I heard Mr. Kosiba state that thus far, in 2004, CART has worked 2,500 cases, which may involve more than one examination per case. The 50+ CART examiners and support personnel and 250 field examiners have processed 665 TB of data so far this year! The CART alone spends $32,000 per examiner on equipment when they are hired, and another $12,500 per year to upgrade each examiner's equipment.

This is a sign that the DoJ is pouring money into combating cyber crime. Of course local and state police do not have the same resources, but especially at the state level we are seeing improvements.

If more resources are being plowed into cybercrime, what is the likelihood that law enforcement will decline to prosecute juveniles? I believe being a teenager isn't a viable way to escape prosecution either. During HTCIA I attended a talk by Rick Aldrich, former AFOSI legal advisor. He explained how it has been traditionally difficult to prosecute juvenile offenders in federal court. The state of California, however, has a special unit set up to investigate and prosecute juvenile cybercriminals. Other states who identify underage intruders now look for ways to get California to prosecute these offenders, due to California's system.

The last way to avoid a trip to the pokey is to hack from overseas locations. A visit to Cybercrime.gov shows plenty of active prosecutions for "hacking," including some foreigners. It's true that the people least likely to be prosecuted are those who physically reside in a country whose law enforcement agencies dislike working with the US government. However, even a country like Romania is working to catch intruders. I still believe all of this does not bode well for low- to mid-level cyber criminals -- you will be caught. Justice may be slow but it does not appear to give up. I have one caveat -- there must be evidence to support a prosecution. If a victim doesn't collect the sorts of high-fidelity data which can show damage and link it to the intruder's action, it's difficult to attract law enforcement's interest.

Friday, 24 September 2004

Thoughts on Digital Crime

Last week I spoke at and attended the High Technology Crime Investigation Association International Conference and Expo 2004. The keynote speaker was US Attorney General John Ashcroft. Although I spent time furiously copying notes on his speech, the text is online. Not printed in that text was the AG's repeated theme: the US Department of Justice and Federal Bureau of Investigation are committed to "protecting lives and liberty." I thought this was a curious stance given the recent efforts to scale back the Patriot Act. The AG mentioned that "protect[ing] the United States against cyber-based attacks and high-technology crimes" is the number 3 FBI priority.

I believe that if you are a low- to mid-skilled intruder physically located in the United States, you will eventually be caught. The days when hardly anyone cared about prosecuting digital crime are ending. The FBI has 13 Computer Hacking and Intellectual Property (CHIPS) units with plans to open more. The Computer Crime and Intellectual Property Section (CCIPS) are available to US Attorneys across the country. The Secret Service operates 15 Electronic Crimes Task Forces. There are 5 Regional Computer Forensic Laboratories operating now with 8 planned to open in the coming years. The Internet Fraud Complaint Center (IFCC) is taking reports from victims of cyber crime and the National White Collar Crime Center supports law enforcement efforts. All of this adds up to a lot of federal, state, and local police working to bust bad guys.