Honeypots mailing list archives
RE: what to do with a script kiddie
From: "Stejerean, Cosmin" <cstejere () cti depaul edu>
Date: Sun, 5 Jun 2005 14:19:19 -0500
Personally, I think it would be an extremely dangerous action to join him on IRC - having been in the hot seat some time ago and now experiencing life from the security world, I know only too well how powerful a gatherer of information gathering tool an established IRC session can be to someone that has "muscle" on an IRC server.
[...]
Your best bet is to contact your local law enforcement agency (in person, not over the phone - being in person makes you a lot more credible) and let them know that you have a "hacker" actively bouncing through your machine and ask them if they wished to monitor his activities also to make an easy prosecution - most legal agencies will jump over this like crazy.
Hamish Stanaway, CEO
I must disagree with some of the points you made.
1. If you think you are already done studying the attacker it might be worth joining him in an IRC channel in a last attempt to gather some useful information.
2. I am not sure what the computer crime laws are in New Zealand but in the US unless you can prove $5000 of damages it doesn't even qualify as a crime, not to mention that it was a research honeypot he broke into. Not to mention that prosecuting an international hacker is very expensive and time consuming which means that the damage might have to be a lot higher to be worth prosecuting.
3. As a researcher you would really be wasting time attempting to contact the police in the first place.
And here are some ideas from my experience... I was dealing with an intrusion on one of our computers. I suspected the machine was connected to a botnet. I identified the IRC server channel and password. I looked at the logs from the past day to get an idea of who I am dealing with. It was a group of French hackers. I jotted down some of the names and attempted to join the chat with one of their nicknames. As soon as I joined they engaged me in a conversation. I don't know French at all so I ended up using babelfist.altavista.com to translate things from French to English and vice versa. This went on for a while but I had more work to do so I decided to reveal my identity but I didn't have to, I could have easily signed off and it would have taken them a while to figure out what happened. They were really surprised when I told them I didn't speak French. (I can imagine my French didn't look too authentic but given the grammar of script kiddies on IRC I didn't worry much about it).
The point is that there is a lot to be learned from personal interaction with attackers as well. And although it might not be legal, the chances of an attacker pressing charges against you when they could easily disappear are incredibly slim.
Kindest of regards, Hamish Stanaway, CEO Absolute Web Hosting / -= KoRe WoRkS =- Internet Security Auckland, New Zealand http://www.webhosting.net.nz http://www.buywebhosting.co.nz http://www.koreworks.com