Security Incidents mailing list archives
Re: hacked server, DDoS bin installed
From: Paul Robertson <compuwar () gmail com>
Date: Fri, 9 Dec 2005 11:03:08 -0500
On 12/7/05, Jay D. Dyson <jdyson () treachery net> wrote:
The FBI will not take the case unless you can provide concrete evidence that your customer suffered more than $10,000 in losses due to the intrusion. Failing that, there's nothing the FBI will do unless your customer is very well-connected politically.
This is no longer true- while the "loss guidance" that started this is still in a lot of people's minds, the FBI will often take cases outside that range depending on industry, crime, circumstances and location. Even if they don't take it and just "paper" it, they might be interested in the data, as it may link to another already-open case- which would tie into an active investigation. For instance, if the original poster had logs of packets from their server hitting Black Helicopter and Jeep Co., or Pointdexter's Carnivore++ Software Company, they'd likely take the case no matter what the original reporter's losses. Also, the FBI will investigate things which the US Attny won't prosecute- so the real hurdle is at the USA level. My local AUSAs are concerned with damage levels, but not over important stuff. They're not going to do a lot with a small fish though; they have way too much "big stuff" to do and prefer the locals handle smaller things. While "customer who's politically connected" was a good standard even 5 years ago (and still works), "industry perceived as infrastructure" tends to be a better one today. If there are 40 compromised systems on the channel, it's probably more interesting to them, and if there are 200, they'll likely take it anyway. Heck, I've had a field office actually send out CART to image drives for me and send them to me for analysis during a commercial engagement where the actual company loss would have been near zero (turned out to be non-criminal) in the last 3-4 years. For the most part, the FBI now "gets it" when it comes to computer crime; they just don't have the manpower to chase everything. If the customer is in a business where a positive LE relationship is a good thing, then calling the local field office and going through the motions on something that's likely to be papered is still extremely productive in building a one-on-one relationship with the guys 'n gals who'll likely investigate your next case.
Also, you don't need concrete numbers, it just has to feel right; damages often include the cost of downtime, forensics, clean-up and associated integrity investigation- meeting the dollar threshold isn't all that difficult unless you're a very small company (at my last company, our forensics service tended to be way over the then limit.) I just went to a sentencing a couple of months ago where the convicted's counsel decided to challenge the PI's costs, but not ~$50,000 of my and my colleague's costs, because the judge's line of questioning on it pretty much made it clear he was eating that no matter what[1]- it was a multi-month project to do the forensics and associated loss and damage assessment.

I second the suggestion to contact the Internet Complaint Center, even if you're not going to pursue (assuming the customer is ok with LE contact.) If the compromise wasn't big, it's probably also easier to go local if your jurisdiction has a computer crime squad, unless the industry is financial, where either the FBI or USSS would be a better choice for the relationships going forward.

Paul

[1] Something along the lines of "So, you're challenging damages[2]; you think that it was unreasonable for $victim to pay for expert computer forensics analysis and then to figure out the risk to their business and reduce the risk from your client's activity by using experts in the field?" "Um, no your honor, um, the PI firm going overseas on the investigation, we thought that was unreasonable..."

[2] When the guy's plead out, all you can do is say what they did wasn't so bad.

--
www.compuwar.net