Information Security News mailing list archives

When The FBI Knocks, A First-Person Account


From: William Knowles <wk () C4I ORG>
Date: Tue, 31 Oct 2000 11:58:50 -0600

Found this on Slashdot this morning.

http://devrandom.net/~dilinger/


Preamble:

I'm writing this for three reasons:
1) I'm getting tired of explaining it over and over to friends.
2) I wanted to try out mozilla composer.  ;)
3) To make people aware that they're not being paranoid enough.  This
   story should scare you.


Those of you who know me know that I am in no way a script kiddie,
l33t h4x0r, or any other variation.  I'm simply an RPI student, admin,
and programmer (C/perl/whatever) who likes to dabble in cryptography,
kernel hacking, data compression, and whatever else the topic of the
week happens to be.  I also have a short attention span, skipping from
project to project, subject to subject.  I do not claim to be an
expert in any field, but I know my way around.

Story:

Last Saturday afternoon (Oct. 28, ~4 PM), the FBI let themselves into
my dorm (good ol' RPI gave them the keys), waking me up.  They showed
me a badge, handed me a warrant, and took me into another room to ask
me questions.  They had every intention of seizing all my computer
hardware before even questioning me, which should worry you greatly.
They initially began asking me if I was a baseball fan, which confused
me.  After answering with a "no", they explained that I was under
investigation for the break-in that had occurred the previous day to
the Yankees website.  I breathed a sigh of relief (my initial reaction
was "oh shit, someone's pissed about my 30 gig mp3 collection"), as I
figured I could simply explain to them what happened, and they'd leave
my stuff alone.  I was wrong.

The previous day, I was doing my usual routine for a Friday with no
class; up at 7 AM, catch up on slashdot/k5/lwn/sinfest/etc, do some
coding on the project of the week (mdidentd/avifile/pharmacy/etc), and
do some homework.  Of course, the whole time, I'd be on IRC (EFNet,
OPN), talking with people.  During a conversation about Microsoft's
break-in, and how the stolen source code would affect things like
wine, a friend mentioned that Yankees.com had also just been hacked (I
found out later that he got that information from The Register,
specifically here, which in turn found out from here).

Being the curious individual that I am, I went to the webpage, and
discovered that it had, indeed, been cracked (and replaced with a
rather amusing picture, and a "yankees suck!" banner).  I then began a
post-mortem inspection; I always find this to be very interesting, as
several friends have basically handed me linux boxes (not physically
handed, of course), and asked me to rid them of a pesky cracker.  The
last time I did this, I discovered the intruder had gotten in through
a (well-known) wu-ftpd exploit that affected redhat 6.2, and was using
the box as a "zombie" (a daemon was listening for UDP packets, and was
then running a DoS against the IP supplied by the client).

I first checked port 21 of www.yankees.com, noticing that it was
running wu-ftpd-2.6.0; the same version that had been exploited in the
aforementioned cleanup.  That didn't sound right to me; it was
www.yankees.com, they had to have better security than that.  So, I
did a zone transfer of yankees.com (host -l -t any yankees.com), and
noticed an old.yankees.com.  Upon going there, I saw what I thought to
be the original site, so I figured this whole "crack" was simply a dns
redirect.  I checked the bind version that yankees.com's primary
nameserver was running (dig @ns1.icsnet.net version.bind chaos txt),
and saw that it was running the latest version (well... patch ;) of
bind.  I figured they wouldn't have broken in through this (at least,
I HOPED not), and checked other ports on ns1 for banners; 21, 25, 110,
143, etc; the most commonly exploited daemons.  I got nowhere with
this (whether it was due to a firewall, I do not know), so I returned
to my IRC client, said "Looks like a dns hack...", and the
conversation went elsewhere.  The entire thing lasted possibly five
minutes, and occupied no more than 3 or 4 lines on IRC.

The next day, I was sitting in a chair in the lounge, with an older
FBI agent and another person who had not identified himself (but had a
clue about computer stuff).  I tried to explain the situation as best
as possible; I probably did a horrible job, as they had just woken up
(brutal LAN party the night before :) and really didn't remember many
of the details.  It was a 5 minute segment of my previous day, and I
had spent much time coding and on IRC.  The FBI started grilling me on
IPs; if I had accounts on various machines, etc.  At first, I had no
idea where they were going with this.  I assumed they had RPI's
firewall logs, and saw many, many connections to my machine.. After a
while of this (which was quite exhaustive, and seemed to piss off the
older FBI agent when I answered with "sf.home.com?  I probably know
someone there.. well.. I think.. maybe.. give me a second"), I
realized that they were seeing hits from my webpage, which had such
things as a hacked version of xmms-avi (I posted it in freshmeat's
comments), a hacked version of popwatch (exim authentication through
pop3.  Good stuff ;).  I answered their questions as best I could,
even though I was told I did not have to; I had nothing to hide.

Overall, they were pretty nice.  They took 3 computers, 2 books (ORA's
DNS & Bind, and a book on kernel hacking), and various scraps of
papers, which contained jotted down algorithms, code, and other stuff
I had written while bored or designing.  They let me go through these
notes, and pick out stuff I needed for class; they also (upon my
request) let me keep my "junk box" (cardboard box w/ various pieces of
hardware), as well as 80 cd-r's, which contained MP3's, DIVX's, and
porn (they just wanted to make sure there was no kiddie porn) that
were clearly marked as such.  As you can see, they really only cared
about cracking, which I had nothing to worry about.  Unfortunately,
they took all my backups (jaz disks).

I have not been formally charged yet, nor do I fear I will be.  I'm
worried most about the data on my drives, which is a combination of
source code (much of it not checked into any CVS servers), various
scripts and tweaks I had done to my Debian boxes over the 2 years I've
been running it, and essential data (email addresses of friends,
developers; class projects, some of which I HAVE needed since then;
email itself; etc).

This brings me to the whole point of this: you are not being paranoid
enough.  The FBI managed to get a search warrant based on logs from a
firewall, that showed my IP only connecting, not even logging in,
hours after news of the cracking had appeared on news sites.  If they
can get a search warrant this easily, your data is not safe, sitting
on your hard drive.  For the past two months I've been living in this
dorm, I locked my doors, securified my boxes, and backed up my
essential things.  I never even imagined the federal government would
just let themselves in and take it.

The moral of the story is: encrypting all sessions, through ssh, scp,
and tunnels, is not enough.  Nor is making backups.  Make off-site
backups.  The FBI can arrive at your doorstep, with every intent of
taking your precious data, and not returning it for a loooong time.

To those interested, mozilla composer still has some annoying bugs (I
had to remove a lot of extra spaces afterwards, for example.  No
crashes, though. The formatting is mozilla's.).  Oh well.  :)

Andres Salomon


P.S. Many thanks to people who have given me advice (yes, I have talked to
a lawyer, and no, I have not heard back from the FBI yet), lent me
computers (ian, you rock! :), or otherwise helped me through this.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

