Re: I got an intruder ...

Diane Davidowicz (diane_d@sun1.wwb.noaa.gov)
Mon, 20 Nov 1995 08:30:01 +1100 (EST)

spaf@cs.purdue.edu (Gene Spafford) wrote:
>  2) Don't push an investigation yourself until you have contacted law
>enforcement, if you have any possible intent in prosecution.  The
>reason for this is that certain acts must be done in the right order,
>and with proper record keeping.  If you investigate too far, you may
>contaminate evidence that is needed for prosecution.  Furthermore, you
>may actually muck up the trail to where it is not possible to track
>the intruder.  The majority of system admins do not have the necessary
>training or legal background to do this by themselves.  Get law
>enforcement and other professionals involved early.

This is a very important issue and cannot be overemphasized. If your 
company/organization decides for whatever reason (policy, deterrence,
revenge, etc.) to proceed with investigating with the hopes of prosecuting, 
the law enforcement agents will advise you along every step of the way, 
even to the point where they can determine whether the case can be brought 
to court. It's just like any other criminal law: if there is enough evidence 
to prosecute and convict, then it might be worth bringing a case to court. If 
the evidence lacks minimum criteria such as proving a hacker's intent as 
defined in the Federal Computer Fraud and Abuse Act of 1986, they will tell 
you this as well. It's not that it isn't worth their time, it's that the laws 
state you must provide hard facts of such activity and this can sometimes be
a very difficult thing to do. 

>  3) The field of computer crime investigation is new.  Law enforcement
>personnel are learning as they go.  They need good cases and cooperation to 
>get that experience, though.

The "learning as they go" is quite true and most unfortunate, because it 
instills a lack of confidence when you deal with the law enforcement agents 
that exhibit such deficiencies. It's typical that they aren't as familiar 
with all the ins and outs of, say, a Unix box as you would expect, but it also 
does not mean that they don't know the law, which is where they will 
benefit you the most. Perhaps the field *is* too new for law officers to be 
up to par with expectations of system proficiency, but I think it goes deeper 
than that. How many law enforcement officers turned computer crime 
investigators do you expect to become overnight systems experts or even have 
the time to invest in doing so? :-(  Probably not too many, but it still 
does not mean that, for example, while reviewing a keystroke monitoring log 
with them, you shouldn't share your in-depth knowledge of the hackers' 
activities if you notice that the law officer is not up to par. Remember, what 
comes around goes around :-)

I would like to add one more thing since I am on the topic of sharing
information with the law officers. I personally know of an unfortunate change 
in policy that one law enforcement agency has recently undergone.  They have
decided to keep a tight lip on their knowledge of the ongoing hacking
activity in which your systems are involved (i.e., the victims get very little 
feedback as to the overall activities of the hackers). IMO, this is a 
bad idea. In dealing with them in the past, they have given much needed 
information to track down and prosecute hackers. In two investigations that 
I know led to arrests, this information pacified and calmed management 
as tracking and tracing the hackers continued for over a month. Without the 
intelligence feedback, the investigation would have been halted by management 
because there was too much at risk.  By deciding to not provide this "crucial" 
feedback, it will become much harder for companies and organizations to want
to pursue the investigation till arrests are made mostly because management
does not know what is going on and that is too much liability to put on their 
shoulders.  The result of this is that many companies unable to hire private 
investigators will simply employ security measures to shut the door on the 
hacker(s) and not investigate. This, in return, will probably undermine the 
ability to create an aura of deterrence on the Internet as Spaf had talked 
about.

Diane Davidowicz