funsec mailing list archives
The Strange Case of Ms. Julie Amero: Commentary by Detective Mark Lounsbury
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Sun, 28 Jan 2007 14:22:12 -0500
http://www.networkperformancedaily.com/2007/01/the_strange_case_of_ms_julie_a_3.html#more

The Strange Case of Ms. Julie Amero: Commentary by Detective Mark Lounsbury

Detective Mark Lounsbury is the crime prevention officer with the Norwich Police Department. He has served with the Norwich PD for 18 years - eight of them as a detective, and for the past seven years he has been the sole proprietor of the Norwich computer crime and cybercrime units, which deal with online sexual crimes against children. He has received training from the State of Connecticut Municipal Police Training Academy, and from the FBI in basic network intrusion and advanced network intrusion in Unix.

In an effort to dispel rumor and give the public a more accurate understanding of the Amero case, we have invited Detective Lounsbury to talk about his position and computer-crime-related investigation in general, although he cannot talk about the Amero case specifically until after Ms. Amero's sentencing. This article continues our coverage of the Amero case, with previous articles offering commentary from defense witness <http://www.networkperformancedaily.com/2007/01/the_strange_case_of_ms_julie_a_1.html> Mr. Herb Horner.

Generally speaking, if police receive a complaint from a victim or victims who report seeing an individual engaged in criminal activity, the police are responsible to the victim or victims and investigate accordingly. The police take into account all the available facts and circumstances, for example: who was the individual, what was the individual doing, when were they doing it, where were they doing it, and how long was the individual engaged in the observed activity? (A minute, twenty minutes, two hours?) Including the account of the accused individual is important, but sometimes the individual refuses to speak to the police and retains legal representation. Physical evidence and electronic evidence are collected.
In the case of crimes involving computers, the evidence is collected with tools designed to find the evidence. This evidence includes internet history, content, and registry data, including "typed URLs". It's these "typed URLs," gleaned from the registry, which are identified - not pop-ups. Additional tools which search for specific viruses, trojans, and worms by their unique hashes can be brought into play to search for the known bad code.

Once evidence is located, police take note of the date and time it was created, modified, and last accessed. When the evidence (malware, .jpg, web page) was created is the "when" in "who, what, when, where, how and why." So, if malware was created at the same time the web pages and images were created, was the malware spawned by the "typed URL", by its content (i.e. Web Attacker kit), or by mouse napping (click-throughs)? If there's no malware created prior to a web page with questionable content, how do you end up at said web page?

I ask this rhetorical question: Where does objectionable material come from - a site like Disney.com or the pornographic dot coms? Where do abusive JavaScript and Web Attacker kits reside? What about zero-day Internet Explorer exploits such as the one discussed at this site on <http://techfeed.net/blog/index.cfm/2006/9/21/ZeroDay-Internet-Explorer-Exploit-Found-on-Porn-sites> techfeed.net:

"A security hole in IE was <http://www.microsoft.com/technet/security/advisory/925568.mspx> recently confirmed by Microsoft. Now exploits that install tons of adware have been <http://news.com.com/Porn+sites+exploit+new+IE+flaw/2100-7349_3-6117407.html> spotted on Porn sites. This exploit is reportedly easy to duplicate, and experts expect the problem to spread quickly to other shady sites across the Internet."

<http://www.bewebaware.ca/english/pornography.aspx> What about a certain industry's favorite money making tools?

"The online pornography industry is highly competitive and adult marketers are continually developing new strategies to drive traffic to their sites. Some of their tactics are:

'Click-throughs': Every time someone clicks through an adult site to another one, the site's advertising revenues go up. To increase the number of click-throughs, some sites use pop-up windows. Known as 'mouse napping,' this technique traps users in an endless loop of porn.

'Home page hi-jacking': This involves planting a JavaScript command on computers to change the user's default home page to a porn site. Changing the home page back to its original setting appears to solve the problem until the computer is rebooted, then the offensive site re-appears as the home page.

'Stealth' sites: These are porn sites that steer users their way through a variety of techniques, including buying up expired domain names, exploiting common misspellings, or using well-known names of companies or artists.

Using hidden key words that are picked up by search engines: Porn operators bury key words, including brand names of popular toys, in the code of their Web sites to attract children."

Maybe it's <http://en.wikipedia.org/wiki/DNS_cache_poisoning> DNS poisoning?

I'm not an expert on this subject and never said I was. When it comes to investigations where evidence is located on a computer and other resources are not available, I use a simple tool [<http://www.computercop.com/prof.html> ComputerCOP Professional v.3.16.3] to search for the evidence. The tool provides me with an audit trail, evidence log, the evidence, web content log, and visited sites log.
Wednesday, January 24, 2007
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
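The detective's "when" question above (did the malware's creation time precede the questionable pages and images, and were they all written within the same moments?) is a timeline-ordering problem, and the "known bad code by unique hash" search is a hash-set lookup. The following is an added example, written for this archive; it is not ComputerCOP's code, not the Norwich PD's procedure, and not evidence from the Amero case. Every artifact path, timestamp and hash in it is constructed for illustration, and the `TypedURLs` registry path is only used as a label for where a typed URL was recovered.

```python
"""Ordering computer evidence by creation time and matching known-bad hashes.

Added example, not part of the original post or of any tool it names.
All artifacts, timestamps and hashes below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set


@dataclass(frozen=True)
class Artifact:
    path: str          # where the item was recovered (constructed label)
    kind: str          # "typed_url", "webpage", "image" or "malware"
    created: datetime  # creation time as recorded on disk or in the registry
    modified: datetime
    accessed: datetime
    sha256: str = ""   # content hash; left empty for registry entries


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed stand-ins for file contents so that hashes can be computed inline.
BAD_SAMPLE = b"constructed stand-in for a dropped adware component"
PAGE_SAMPLE = b"<html><body>constructed pop-up page</body></html>"
# A "known bad" hash set such as an AV tool would carry; here just the sample above.
KNOWN_BAD_HASHES: Set[str] = {hashlib.sha256(BAD_SAMPLE).hexdigest()}

# Constructed evidence list, deliberately not in chronological order.
ARTIFACTS: List[Artifact] = [
    Artifact(r"C:\WINDOWS\system32\dropped.dll", "malware",
             ts("2007-01-15 09:00:11"), ts("2007-01-15 09:00:11"), ts("2007-01-15 09:03:40"),
             hashlib.sha256(BAD_SAMPLE).hexdigest()),
    Artifact(r"HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url1", "typed_url",
             ts("2007-01-15 09:00:00"), ts("2007-01-15 09:00:00"), ts("2007-01-15 09:00:00")),
    Artifact(r"...\Temporary Internet Files\page1.htm", "webpage",
             ts("2007-01-15 09:00:08"), ts("2007-01-15 09:00:08"), ts("2007-01-15 09:00:08"),
             hashlib.sha256(PAGE_SAMPLE).hexdigest()),
    Artifact(r"...\Temporary Internet Files\img1.jpg", "image",
             ts("2007-01-15 09:00:12"), ts("2007-01-15 09:00:12"), ts("2007-01-15 09:00:12"),
             hashlib.sha256(b"constructed image bytes").hexdigest()),
    Artifact(r"...\Temporary Internet Files\page2.htm", "webpage",
             ts("2007-01-15 09:03:40"), ts("2007-01-15 09:03:40"), ts("2007-01-15 09:03:40"),
             hashlib.sha256(b"constructed second page").hexdigest()),
]


def build_timeline(artifacts: List[Artifact]) -> List[Artifact]:
    """Order evidence by creation time: the investigator's 'when'."""
    return sorted(artifacts, key=lambda a: a.created)


def first_of_kind(artifacts: List[Artifact], kind: str) -> Optional[Artifact]:
    items = [a for a in artifacts if a.kind == kind]
    return min(items, key=lambda a: a.created) if items else None


def malware_precedes_content(artifacts: List[Artifact]) -> Optional[bool]:
    """True if the earliest malware predates the earliest page/image,
    False if the content came first, None if either side is missing."""
    mal = first_of_kind(artifacts, "malware")
    content = [a for a in artifacts if a.kind in ("webpage", "image")]
    if mal is None or not content:
        return None
    return mal.created < min(a.created for a in content)


def cluster_by_creation(artifacts: List[Artifact], window_seconds: int = 60) -> List[List[Artifact]]:
    """Group artifacts whose creation times run on within `window_seconds`
    of the previous one, i.e. things 'created at the same time'."""
    clusters: List[List[Artifact]] = []
    for a in build_timeline(artifacts):
        if clusters and (a.created - clusters[-1][-1].created).total_seconds() <= window_seconds:
            clusters[-1].append(a)
        else:
            clusters.append([a])
    return clusters


def match_known_bad(artifacts: List[Artifact], known: Set[str]) -> List[Artifact]:
    """Hash-based search for known bad code, as the post describes."""
    return [a for a in artifacts if a.sha256 and a.sha256 in known]


if __name__ == "__main__":
    for a in build_timeline(ARTIFACTS):
        print(a.created, a.kind.ljust(9), a.path)
    print("malware created before first content:", malware_precedes_content(ARTIFACTS))
    print("creation clusters:", [len(c) for c in cluster_by_creation(ARTIFACTS)])
    print("known bad matches:", [a.path for a in match_known_bad(ARTIFACTS, KNOWN_BAD_HASHES)])
```

In the constructed data the typed URL comes first, a page is written eight seconds later, the dropped component three seconds after that, so `malware_precedes_content` returns False and the first four artifacts fall into one sixty-second cluster: consistent with the page's content dropping the malware rather than the other way round. Real investigations would read these timestamps from a forensic image, and the ordering question is only as reliable as the clock and filesystem semantics behind them.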