Information Security News mailing list archives
When The FBI Knocks, A First-Person Account
From: William Knowles <wk () C4I ORG>
Date: Tue, 31 Oct 2000 11:58:50 -0600
Found this on Slashdot this morning. http://devrandom.net/~dilinger/

Preamble:

I'm writing this for three reasons:

1) I'm getting tired of explaining it over and over to friends.
2) I wanted to try out mozilla composer. ;)
3) To make people aware that they're not being paranoid enough. This story should scare you.

Those of you who know me know that I am in no way a script kiddie, l33t h4x0r, or any other variation. I'm simply an RPI student, admin, and programmer (C/perl/whatever) who likes to dabble in cryptography, kernel hacking, data compression, and whatever else the topic of the week happens to be. I also have a short attention span, skipping from project to project, subject to subject. I do not claim to be an expert in any field, but I know my way around.

Story:

Last Saturday afternoon (Oct. 28, ~4 PM), the FBI let themselves into my dorm (good ol' RPI gave them the keys), waking me up. They showed me a badge, handed me a warrant, and took me into another room to ask me questions. They had every intention of seizing all my computer hardware before even questioning me, which should worry you greatly.

They initially began asking me if I was a baseball fan, which confused me. After answering with a "no", they explained that I was under investigation for the break-in that had occurred the previous day to the Yankees website. I breathed a sigh of relief (my initial reaction was "oh shit, someone's pissed about my 30 gig mp3 collection"), as I figured I could simply explain to them what happened, and they'd leave my stuff alone. I was wrong.

The previous day, I was doing my usual routine for a Friday with no class: up at 7 AM, catch up on slashdot/k5/lwn/sinfest/etc, do some coding on the project of the week (mdidentd/avifile/pharmacy/etc), and do some homework. Of course, the whole time, I'd be on IRC (EFNet, OPN), talking with people.

During a conversation about Microsoft's break-in, and how the stolen source code would affect things like wine, a friend mentioned that Yankees.com had also just been hacked (I found out later that he got that information from The Register, specifically here, which in turn found out from here). Being the curious individual that I am, I went to the webpage, and discovered that it had, indeed, been cracked (and replaced with a rather amusing picture, and a "yankees suck!" banner).

I then began a post-mortem inspection; I always find this to be very interesting, as several friends have basically handed me linux boxes (not physically handed, of course), and asked me to rid them of a pesky cracker. The last time I did this, I discovered the intruder had gotten in through a (well-known) wu-ftpd exploit that affected redhat 6.2, and was using the box as a "zombie" (a daemon was listening for UDP packets, and was then running a DoS against the IP supplied by the client).

I first checked port 21 of www.yankees.com, noticing that it was running wu-ftpd-2.6.0; the same version that had been exploited in the aforementioned cleanup. That didn't sound right to me; it was www.yankees.com, they had to have better security than that. So, I did a zone transfer of yankees.com (host -l -t any yankees.com), and noticed an old.yankees.com. Upon going there, I saw what I thought to be the original site, so I figured this whole "crack" was simply a dns redirect. I checked the bind version that yankees.com's primary nameserver was running (dig @ns1.icsnet.net version.bind chaos txt), and saw that it was running the latest version (well... patch ;) of bind. I figured they wouldn't have broken in through this (at least, I HOPED not), and checked other ports on ns1 for banners; 21, 25, 110, 143, etc; the most commonly exploited daemons.

I got nowhere with this (whether it was due to a firewall, I do not know), so I returned to my IRC client, said "Looks like a dns hack...", and the conversation went elsewhere. The entire thing lasted possibly five minutes, and occupied no more than 3 or 4 lines on IRC.

The next day, I was sitting in a chair in the lounge, with an older FBI agent and another person who had not identified himself (but had a clue about computer stuff). I tried to explain the situation as best as possible; I probably did a horrible job, as I had just woken up (brutal LAN party the night before :) and really didn't remember many of the details. It was a 5 minute segment of my previous day, and I had spent much time coding and on IRC.

The FBI started grilling me on IPs; if I had accounts on various machines, etc. At first, I had no idea where they were going with this. I assumed they had RPI's firewall logs, and saw many, many connections to my machine. After a while of this (which was quite exhaustive, and seemed to piss off the older FBI agent when I answered with "sf.home.com? I probably know someone there.. well.. I think.. maybe.. give me a second"), I realized that they were seeing hits from my webpage, which had such things as a hacked version of xmms-avi (I posted it in freshmeat's comments), a hacked version of popwatch (exim authentication through pop3. Good stuff ;). I answered their questions as best I could, even though I was told I did not have to; I had nothing to hide. Overall, they were pretty nice.

They took 3 computers, 2 books (ORA's DNS & BIND, and a book on kernel hacking), and various scraps of paper, which contained jotted down algorithms, code, and other stuff I had written while bored or designing. They let me go through these notes, and pick out stuff I needed for class; they also (upon my request) let me keep my "junk box" (cardboard box w/ various pieces of hardware), as well as 80 CD-Rs, which contained MP3s, DivXs, and porn (they just wanted to make sure there was no kiddie porn) that were clearly marked as such. As you can see, they really only cared about cracking, which I had nothing to worry about. Unfortunately, they took all my backups (Jaz disks).

I have not been formally charged yet, nor do I fear I will be. I'm worried most about the data on my drives, which is a combination of source code (much of it not checked into any CVS servers), various scripts and tweaks I had done to my Debian boxes over the 2 years I've been running it, and essential data (email addresses of friends, developers; class projects, some of which I HAVE needed since then; email itself; etc).

This brings me to the whole point of this: you are not being paranoid enough. The FBI managed to get a search warrant based on logs from a firewall, that showed my IP only connecting, not even logging in, hours after news of the cracking had appeared on news sites. If they can get a search warrant this easily, your data is not safe, sitting on your hard drive. For the past two months I've been living in this dorm, I locked my doors, securified my boxes, and backed up my essential things. I never even imagined the federal government would just let themselves in and take it.

The moral of the story is: encrypting all sessions, through ssh, scp, and tunnels, is not enough. Nor is making backups. Make off-site backups. The FBI can arrive at your doorstep, with every intent of taking your precious data, and not returning it for a loooong time.

To those interested, mozilla composer still has some annoying bugs (I had to remove a lot of extra spaces afterwards, for example. No crashes, though. The formatting is mozilla's.). Oh well. :)

Andres Salomon

P.S. Many thanks to the people who have given me advice (yes, I have talked to a lawyer, and no, I have not heard back from the FBI yet), lent me computers (ian, you rock! :), or otherwise helped me through this.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*