Slashdot Mirror


BusinessWeek on Hacker Hunters

prostoalex writes "You keep hearing about FBI, Secret Service or other law enforcement authorities involved in pursuing international cybercrime gangs, but who are those people and how does the cyberlaw enforcement work? Business Week talks about hacker hunters and people they're after. A large portion of the article is dedicated to describing the global scope of such activities with Russia, Eastern Europe and China leading the ranks for criminal hideouts."

7 of 155 comments

  1. Pfft. They care so much. by lithium bandit · Score: 5, Informative

    As someone who works in the security field and comes across hacked systems all the time, I'll believe they give a damn when they start returning my calls. Sounds like PR to get someone more funding. Trying to get someone at the FBI to care when you come across bot networks at an ISP, bank, or even a power company is next to impossible.

  2. SCO mydoom by Camel Pilot · Score: 4, Informative
    Kudos to BusinessWeek as one of only a few news sources that got the SCO, Linux and MyDoom virus story right. From the fine article:

    In January, 2004, a new virus called MyDoom attacked the Web site of the SCO Group Inc. (SCOX ), a software company that claimed the open-source Linux program violated its copyrights. Most security experts suspected the virus writer was a Linux fan seeking revenge. They were wrong. While the SCO angle created confusion, MyDoom acted like a Trojan horse, infecting millions of computers and then opening a secret backdoor for its author.


    McBride however is remembered as calling the resulting DOS attacks "the darker side of the Linux community we've been fighting."
  3. Re:Pfft. They care so much. by 5cary · Score: 5, Informative

    And as one of the "Hacker Hunters" (pffft), I can tell you that it's not the FBI (or any other LE agents) that don't care.

    There's *no* point in an agent taking a case or even wasting his/her time returning your call (one of many every day) when he/she already knows that an Assistant United States Attorney (AUSA) won't take the case for prosecution. The threshold set by AUSAs can be amazingly high for damages in most cases. Where I work, it is around $50,000 before they'll even talk to you. There's just too much already out there.

    Criminal Investigations are all about prosecution. They all have too many cases as it is, all of which they hope to get prosecuted. There's no way an agent will waste their time on an unprosecutable intrusion.

    Unprosecutable because:
    1) damages don't meet the threshold.
    2) the system was unpatched and "invited" the hacker in - I hate this the most.
    3) the system was not bannered "..by clicking ok, you agree to give up your expectation of privacy"... - also a stupid reason, but the case law is there.
    4) the hostile systems are difficult to obtain evidence from (read: overseas, unfriendly).
    5) the hostile is obviously a script kiddie (stupid warez, IRC, etc.). Experience shows that the effort put forth to go after these idiots is not worth the 30 days probation a juvenile gets in MOST cases - damage-dependent.

    Experience will tell you what kind of effort your phone call is worth to an investigator. After he deletes your message, there are probably 3 or 4 more waiting to make their own report.

    The agency I work for forwards intrusion reports to us via e-mail. I ignore 90% of them. If I responded to them all (or even half), I'd NEVER have the time to go after the important ones. That's life.

  4. Re:The Hacker is the problem by Stonehand · Score: 2, Informative

    Harmless? No. In either case, a compromised system should be fully audited and rebuilt, barring certainty about the limits of potential damage. Any information that passed through that system also has to be considered compromised with potentially widespread effect. That costs non-trivial time and money.

    --
    Only the dead have seen the end of war.
  5. Re:Please Explain further? by AndroidCat · Score: 2, Informative
    Slashdot blocks out the IP addresses and ranges of abusers. Abusers use proxies and zombies to relay their connection to Slashdot from somewhere else to avoid the blocks. Slashdot checks for common proxy/zombie software by attempting to connect to various ports and proxy connect through your machine back to Slashdot.

    Firewall Kazowie reads ZoneAlarm logs and plays sound-effect wavs in real time depending on which port was hit. On my box, I have a Star Trek themed sound effect on each port that Slashdot hits in sequence. Useless but entertaining.

    --
    One line blog. I hear that they're called Twitters now.
  6. Re:Please Explain further? by iamcf13 · Score: 2, Informative
    Scanning known proxy ports at incoming IPs and using them to access the Internet (or back to Slashdot.org) is proof that the incoming IP address is some sort of proxy. Probably Slashdot 'gave up' and has a strict 'No Proxies' policy to post here. If so, that keeps the crapflooding 'jerks' like the GNAA and the like out.

    If you don't like the port scanning or can't stand to wait to post, don't post to Slashdot.

    As for 'Firewall Kazowie', here is the blurb about it:


    When the Internet becomes a battleground, you need cool sound effects!

    Firewall Kazowie adds sound effects to your firewall by port/protocol, without affecting security. Now you can get real-time audio alerts when someone is knocking at your ports. (ZoneAlarm currently supported, XP SP2 Firewall next.) Build 1.0.1.1

    This software is supported by feedback. Drop me a note if you've tried it.

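    The check the two comments above describe (connect to common proxy ports on the poster's IP, hand whatever answers a request for the site's own URL, and see whether that request comes back) is sketched below in Python as an added example. This is not Slashdot's code: the port list, the /probe/<token> callback path, and the two fake peers used to exercise it offline are assumptions or constructed for the illustration.

```python
"""Open-proxy "connect-back" probe of the kind the two comments above
describe. Added illustration, not Slashdot's code: the port list, the
/probe/<token> path and the fake peers below are assumptions/constructed."""
import secrets
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Ports HTTP proxies are commonly found on (assumed list, not Slashdot's).
COMMON_PROXY_PORTS = (80, 3128, 8000, 8080, 8118, 8888)


class _Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the example silent
        pass

    def reply(self, body):
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def _serve(handler):
    """Run a threaded HTTP server on an ephemeral 127.0.0.1 port."""
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


class CallbackServer:
    """The site's own endpoint: remembers every probe token that reaches it."""
    def __init__(self):
        seen = self.seen = set()

        class Handler(_Quiet):
            def do_GET(self):
                token = self.path.rsplit("/", 1)[-1]
                seen.add(token)
                self.reply(token.encode())

        self.host, self.port = _serve(Handler).server_address


def build_probe(callback_host, callback_port, token):
    """Absolute-URI GET: a plain web server ignores the host part and serves
    its own page; an open forward proxy fetches the URL on our behalf."""
    return (
        f"GET http://{callback_host}:{callback_port}/probe/{token} HTTP/1.0\r\n"
        f"Host: {callback_host}:{callback_port}\r\nConnection: close\r\n\r\n"
    ).encode()


def probe_port(client_ip, port, callback, timeout=2.0):
    """True only if the callback server received our token, i.e. the client
    relayed the request. A 200 reply alone proves nothing (see note below)."""
    token = secrets.token_hex(8)
    try:
        with socket.create_connection((client_ip, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(build_probe(callback.host, callback.port, token))
            while s.recv(4096):  # drain until the peer closes
                pass
    except OSError:  # refused, timed out, reset: not a usable proxy
        return False
    return token in callback.seen


def open_proxy_ports(client_ip, callback, ports=COMMON_PROXY_PORTS):
    return [p for p in ports if probe_port(client_ip, p, callback)]


def start_fake_open_proxy():
    """Constructed misconfigured forward proxy on the 'client'; returns its port."""
    class Handler(_Quiet):
        def do_GET(self):
            host, port = self.path.split("/")[2].rsplit(":", 1)
            with socket.create_connection((host, int(port)), timeout=2) as up:
                up.sendall(self.raw_requestline + b"Connection: close\r\n\r\n")
                while chunk := up.recv(4096):  # relay the answer verbatim
                    self.wfile.write(chunk)
    return _serve(Handler).server_address[1]


def start_fake_web_server():
    """Constructed innocent web server: 200 to everything, relays nothing."""
    class Handler(_Quiet):
        def do_GET(self):
            self.reply(b"<h1>Welcome</h1>")
    return _serve(Handler).server_address[1]


def unused_port():
    """A port nothing is listening on (for the 'connection refused' case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

    The decisive signal is not the status line the probed port returns but whether the random token shows up at the callback server: an ordinary web server on port 80 or 8080 happily answers 200 to an absolute-URI request with its own front page, so judging by the response alone would flag every poster who runs a personal web server. Only a host that actually fetched the URL on the prober's behalf is an open relay of the kind the blocking is meant to catch.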

  7. Re:Pfft. They care so much. by 5cary · Score: 2, Informative
    Can you post some links from a .gov site documenting these requirements? It would be nice to point the PHBs at it.


    I wish I could. That list is based on plain old experience. There's no way they'd ever admit to that. Although, as you can see from the other comments, it's pretty obvious.

    Those are not "documented" requirements. They are plain realities.