Security Incidents mailing list archives

Re: hacked server, DDoS bin installed


From: Paul Robertson <compuwar () gmail com>
Date: Fri, 9 Dec 2005 11:03:08 -0500

On 12/7/05, Jay D. Dyson <jdyson () treachery net> wrote:
        The FBI will not take the case unless you can provide concrete
evidence that your customer suffered more than $10,000 in losses due to
the intrusion.  Failing that, there's nothing the FBI will do unless your
customer is very well-connected politically.

This is no longer true- while the "loss guidance" that started this is
still in a lot of people's minds, the FBI will often take cases
outside that range depending on industry, crime, circumstances and
location.  Even if they don't take it and just "paper" it, they might
be interested in the data, as it may link to another already-open
case- which would tie into an active investigation.  For instance, if
the original poster had logs of packets from their server hitting
Black Helicopter and Jeep Co., or Pointdexter's Carnivore++ Software
Company, they'd likely take the case no matter what the original
reporter's losses.  Also, the FBI will also investigate things which
the US Attny won't prosecute- so the real hurdle is at the USA level. 
My local AUSAs are concerned with damage levels, but not over
important stuff.  They're not going to do a lot with a small fish
though, they have way too much "big stuff" to do and prefer the locals
handle smaller things.

While "customer who's politically connected" was a good standard even
5 years ago (and still works,) "industry perceived as infrastructure"
tends to be a better one today.  If there are 40 compromised systems
on the channel, it's probably more interesting to them, and if there
are 200, they'll likely take it anyway.

Heck, I've had a field office actually send out CART to image drives
for me and send them to me for analysis during a commercial engagement
where the actual company loss would have been near zero (turned out to
be non-criminal) in the last 3-4 years.  For the most part, the FBI
now "gets it" when it comes to computer crime, they just don't have
the manpower to chase everything.

If the customer is in a business where a positive LE relationship is a
good thing, then calling the local field office and going through the
motions on something that's likely to be papered is still extremely
productive in building a one-on-one relationship with the guys 'n gals
who'll likely investigate your next case.

Also, you don't need concrete numbers, it just has to feel right;
damages often include the cost of downtime, forensics, clean-up and
associated integrity investigation- meeting the dollar threshold
isn't all that difficult unless you're a very small company (at my
last company, our forensics service tended to be way over the then
limit.)

I just went to a sentencing a couple of months ago where the
convicted's counsel decided to challenge the PI's costs, but not
~$50,000 of my and my colleague's costs because the judge's line of
questioning on it pretty much made it clear he was eating that no
matter what[1]- it was a multi-month project to do the forensics and
associated loss and damage assessment.

I second the suggestion to contact the Internet Complaint Center, even
if you're not going to pursue (assuming the customer is ok with LE
contact.)

If the compromise wasn't big, it's probably also easier to go local if
your jurisdiction has a computer crime squad, unless the industry is
financial where either the FBI or USSS would be a better choice for
the relationships going forward.

Paul
[1] Something along the lines of "So, you're challenging damages[2]; 
You think that it was unreasonable for $victim to pay for expert
computer forensics analysis and then to figure out the risk to their
business and reduce the risk from your client's activity by using
experts in the field?"  "Um, no your honor, um, the PI firm going
overseas on the investigation, we thought that was unreasonable..."
[2] When the guy's plead out, all you can do is say what they did wasn't so bad.
--
www.compuwar.net

