Honeypots mailing list archives

RE: what to do with a script kiddie


From: "Stejerean, Cosmin" <cstejere () cti depaul edu>
Date: Sun, 5 Jun 2005 14:19:19 -0500

Personally, I think it would be an extremely dangerous action to join him
on IRC - having been in the hot seat some time ago and now experiencing
life from the security world, I know only too well how powerful an
information-gathering tool an established IRC session can be to someone
that has "muscle" on an IRC server.

[...]

Your best bet is to contact your local law enforcement agency (in person,
not over the phone - being in person makes you a lot more credible) and let
them know that you have a "hacker" actively bouncing through your machine
and ask them if they wish to monitor his activities also to make an easy
prosecution - most legal agencies will jump over this like crazy.

Hamish Stanaway, CEO

I must disagree with some of the points you made.

1. If you think you are already done studying the attacker, it might be
worth joining him in an IRC channel in a last attempt to gather some useful
information.

2. I am not sure what the computer crime laws are in New Zealand, but in the
US, unless you can prove $5000 of damages, it doesn't even qualify as a
crime, not to mention that it was a research honeypot he broke into. Not to
mention that prosecuting an international hacker is very expensive and
time-consuming, which means that the damage might have to be a lot higher to
be worth prosecuting.

3. As a researcher you would really be wasting time attempting to contact
the police in the first place.


And here are some ideas from my experience...

I was dealing with an intrusion on one of our computers. I suspected the
machine was connected to a botnet. I identified the IRC server, channel and
password. I looked at the logs from the past day to get an idea of who I was
dealing with. It was a group of French hackers. I jotted down some of the
names and attempted to join the chat with one of their nicknames. As soon as
I joined they engaged me in a conversation. I don't know French at all, so I
ended up using babelfish.altavista.com to translate things from French to
English and vice versa. This went on for a while, but I had more work to do,
so I decided to reveal my identity. I didn't have to; I could have easily
signed off and it would have taken them a while to figure out what happened.
They were really surprised when I told them I didn't speak French.

(I can imagine my French didn't look too authentic, but given the grammar of
script kiddies on IRC I didn't worry much about it.)


The point is that there is a lot to be learned from personal interaction
with attackers as well. And although it might not be legal, the chances of
an attacker pressing charges against you when they could easily disappear
are incredibly slim.



Kindest of regards,

Hamish Stanaway, CEO

Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand

http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
http://www.koreworks.com
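Cosmin's account above turns on pulling the IRC server, channel and channel password for the botnet out of the compromised host's logs before deciding what to do next. As an added example, not code from this thread or from either author, here is a small Python parser that does that extraction from a constructed connection log and applies a simple heuristic for flagging IRC bot command-and-control traffic. The log line format ("<timestamp> <server>:<port> <direction> <irc line>"), the addresses and nicknames, and the rule that bot commands start with "." or "!" are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of client-side IRC traffic as it might appear in a
# honeypot's connection log. The format is hypothetical:
#   "<timestamp> <dst-ip>:<port> <direction> <raw IRC line>"
# where ">" is outbound from the compromised host and "<" is inbound.
SAMPLE_LOG = """\
2005-06-05T13:02:11 203.0.113.7:6667 > PASS s3cretpw
2005-06-05T13:02:11 203.0.113.7:6667 > NICK [FR]bot-8832
2005-06-05T13:02:11 203.0.113.7:6667 > USER xp 8 * :xp
2005-06-05T13:02:13 203.0.113.7:6667 < :irc.example.test 001 [FR]bot-8832 :Welcome
2005-06-05T13:02:14 203.0.113.7:6667 > JOIN #botchan chankey
2005-06-05T13:02:20 203.0.113.7:6667 < :op!u@h PRIVMSG #botchan :.status
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<dst>[^ :]+):(?P<port>\d+) (?P<dir>[<>]) (?P<msg>.*)$"
)


@dataclass
class C2Profile:
    """What an incident responder wants out of the log: where the bot
    connects, how it authenticates, and which channels it sits in."""
    server: Optional[str] = None
    port: Optional[int] = None
    password: Optional[str] = None
    nick: Optional[str] = None
    channels: Dict[str, Optional[str]] = field(default_factory=dict)  # channel -> key
    commands_seen: List[str] = field(default_factory=list)


def parse_irc_params(msg: str) -> List[str]:
    """Split an IRC line into tokens; a trailing ' :' parameter may contain spaces."""
    if " :" in msg:
        head, trailing = msg.split(" :", 1)
        return head.split() + [trailing]
    return msg.split()


def profile_c2(log_text: str) -> C2Profile:
    """Walk the log once and fill in a C2Profile from the IRC handshake."""
    prof = C2Profile()
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue  # not a line in the assumed format; skip
        prof.server, prof.port = m["dst"], int(m["port"])
        parts = parse_irc_params(m["msg"])
        if not parts:
            continue
        if m["dir"] == ">":
            # Outbound: the bot registering and joining its channel(s).
            cmd = parts[0].upper()
            if cmd == "PASS" and len(parts) > 1:
                prof.password = parts[1]
            elif cmd == "NICK" and len(parts) > 1:
                prof.nick = parts[1]
            elif cmd == "JOIN" and len(parts) > 1:
                chans = parts[1].split(",")
                keys = parts[2].split(",") if len(parts) > 2 else []
                for i, ch in enumerate(chans):
                    prof.channels[ch] = keys[i] if i < len(keys) else None
        else:
            # Inbound: ":prefix COMMAND params"; strip the prefix first.
            if parts[0].startswith(":"):
                parts = parts[1:]
            if len(parts) >= 3 and parts[0].upper() == "PRIVMSG":
                text = parts[2]
                # Assumption: bot commands are prefixed with "." or "!".
                if text[:1] in ".!":
                    prof.commands_seen.append(text)
    return prof


def is_likely_bot_c2(prof: C2Profile) -> bool:
    """Heuristic: joined a keyed channel and received prefixed commands there."""
    keyed = any(key is not None for key in prof.channels.values())
    return bool(prof.channels) and keyed and len(prof.commands_seen) > 0


if __name__ == "__main__":
    p = profile_c2(SAMPLE_LOG)
    print(f"server={p.server}:{p.port} nick={p.nick} password={p.password}")
    print(f"channels={p.channels} commands={p.commands_seen}")
    print("likely bot C2:", is_likely_bot_c2(p))
```

The profile is the artefact to hand to whoever decides on next steps (blocking the server, monitoring, or reporting); the heuristic is deliberately conservative, so a plain user IRC session without a channel key or prefixed commands is not flagged.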

