A Fact Finding Model For


SAMPLE INVESTIGATION #2

A Fact Finding Model for Federal Criminal Prosecution of

Title 18 USC, § 1030 The Computer Fraud and Abuse Act & California Penal Code § 502 Unauthorized access to computers, computer systems, and computer data

A Case Regarding A Denial Of Service Attack A Criminal Case of First Impression Before a

Federal Court

The following report is based upon an actual case but the names of the victims and suspects are fictitious. For the sake of brevity, hyperlinks to exhibits and other sources have been disabled.

INTRODUCTION

Bob Smith, Director of Corporate Investigations for The Really Big Broadcasting Company, conducted this investigation. He wrote the report that follows in the third person. Smith's address is 300 S. Mallo Vista St., Burbank, CA 91505. His phone number is (818) 970-1212. Smith is a State of California licensed private investigator, license number PI-13696. This investigation is the subject of an RBBC security report with the following DR Number: RBBC-105-0444.

SYNOPSIS

The report deals with a "Denial of Service" attack on the owner-operated RBBC station, RBBC Channel 13 in Boston, Mass. The station is located at Circle 13 Drive, Boston, Mass. 02027. The station contact is Harry JIBARA, Manager MIS, (781) 555-1234.

DOS ATTACK

The following definition, taken from http://www.whatis.techtarget.com/, defines a Denial of Service (DoS) attack. "On the Internet, a denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. Typically, the loss of service is the inability of a particular network service, such as e-mail, to be available or the temporary loss of all network connectivity and services. In the worst cases, for example, a Web site accessed by millions of people can occasionally be forced to temporarily cease operation. A denial of service attack can also destroy programming and files in a computer system. Although usually intentional and malicious, a denial of service attack can sometimes happen accidentally. A denial of service attack is a type of security breach to a computer system that does not usually result in the theft of information or other security loss. However, these attacks can cost the target person or company a great deal of time and money." More information about "Denial of Service" attacks can be found in the attached exhibits.

EXHIBIT #1
EXHIBIT #2

RBBC Channel 13 maintains a public web site at http://189.185.288.110/default.htm.

EXHIBIT #3

The RBBC-13 web site has a web page where viewers may post comments to the station. Users fill out a form on the web page; that form is forwarded to RBBC's Internet Service Provider, who in turn forwards the viewer comments directly to RBBC's Outlook e-mail server. (At the time of this report the web page was shut down due to excessive volume that was affecting the operation of the network.)

EXHIBIT #4

On 5/1/04 RBBC Channel 13 began experiencing a "denial of service" attack on their e-mail servers. This attack appeared to be in response to the TV station broadcasting a Boston Red Sox baseball game that ran over into the regularly scheduled Nascar programming. The e-mails were from viewers who did not like the fact that a baseball game interrupted the Nascar race.

On 5/1/04 the RBBC-13 web site was hit 253,875 times by the same IP address, 140.239.182.17. The next largest visitor hit the site only 2,051 times.

The RBBC nationwide Intranet began receiving heavy traffic on their Los Angeles Outlook e-mail hub that routes all RBBC nationwide intranet e-mail. RBBC-13 was directed by the W-RBBC Television Stations TV Home Office to take down their e-mail server to avoid a total nationwide shutdown of RBBC's worldwide e-mail system.

PURPOSE AND OBJECTIVE

The objective of the investigation was to identify the person or persons responsible for sending RBBC-13 over 250,000 e-mails, thus causing a shutdown of their e-mail server. The purpose of the investigation was to determine whether there were violations of state or federal law and to initiate prosecution under the following statutes:

Title 18 USC - Section 1030 Fraud and related activity in connection with computers

(a) Whoever -

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains -

(C) information from any protected computer if the conduct involved an interstate or foreign communication;

(5) (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage;

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if -

(A) such trafficking affects interstate or foreign commerce;

California Penal Code Section 502 Unauthorized access to computers, computer systems, and computer data

502. (a) It is the intent of the Legislature in enacting this section to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems. The Legislature finds and declares that the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data. The Legislature further finds and declares that protection of the integrity of all types and forms of lawfully created computers, computer systems, and computer data is vital to the protection of the privacy of individuals as well as to the well-being of financial institutions, business concerns, governmental agencies, and others within this state that lawfully utilize those computers, computer systems, and data.

(c) Except as provided in subdivision (h), any person who commits any of the following acts is guilty of a public offense:

(5) Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.

(e) (1) In addition to any other civil remedy available, the owner or lessee of the computer, computer system, computer network, computer program, or data may bring a civil action against any person convicted under this section for compensatory damages, including any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, damaged, or deleted by the access. For the purposes of actions authorized by this subdivision, the conduct of an unemancipated minor shall be imputed to the parent or legal guardian having control or custody of the minor, pursuant to the provisions of Section 1714.1 of the Civil Code.

(2) In any action brought pursuant to this subdivision the court may award reasonable attorney's fees to a prevailing party.

The full text of California Penal Code section 502 is found in the attached exhibit: EXHIBIT #5

SOURCE OF THE INVESTIGATION

On 5/1/04, Smith received the following e-mail from RBBC-13 MIS Manager Harry JIBARA:

------
From: HARRY JIBARA
To: Bob Smith
Date: 5/1/04 2:19PM
Subject: Possible computer security crimes

Hi Bob,

We have five departments that internet visitors can submit comments to us via our website. We have been bombarded with email messages coming from the same sender (or perhaps more than one sender working together). The emails are coming from unhappy Nascar fans who are upset when the racing event is not aired until the end of our Boston Red Sox programming.

Prior to the Nascar scheduling conflicts, one of our website email accounts (Sports Department) was averaging 5 email messages per day. When the Nascar conflicts occur, the number of emails climbs to 4,000 messages per day (...and this is just to one email account). The other four email accounts get bombarded as well with similar numbers and with the same exact comments. I estimate that 98 percent of these messages are repeated messages. These messages are coming from the same person or the same small group of people. I believe the sender's information such as name and email address are bogus information.

In order to improve network performance on our website and our other W-RBBC websites, our station decided to shut down our email comments web page until our developers are able to re-design a new page which will help prevent this type of abuse from happening again.

If you have any questions, please feel free to contact me.

Thank you for your assistance.

FACT FINDING

May 2, 2004

After speaking to Harry via phone and receiving his e-mail, Smith asked him to obtain a web statistics report from the host of www.RBBC_13.com.

JIBARA sent McRoberts' web statistics report via e-mail (included in the last pages of this report). The statistics covered May 1st, 2004. Page 10 of this report identified the top users visiting the www.RBBC_7.com site. The number one user was IP address 148.289.182.17 with 253,875 hits.

EXHIBIT #6

Analyzing the web statistics report, Smith identified the IP address from which the attack originated, 140.279.182.17. He then identified it as follows:

1. IP Number: 140.279.182.17

2. Number of hits: 253,875

3. Reverse lookup of this IP number: wks17.webdialogs.com

4. Traceroute to this IP Number: (Hops 1-7 omitted)

  8   204 ms   200 ms   200 ms   131.at-5-0-0.TR1.NYC9.ALTER.NET [152.63.5.74]
  9   200 ms   211 ms   210 ms   0.so-3-0-0.XR1.NYC9.ALTER.NET [152.63.22.97]
 10   191 ms   200 ms   190 ms   181.ATM7-0.GW3.NYC9.ALTER.NET [152.63.19.9]
 11   200 ms   200 ms   211 ms   harvard-gw.cusTommyer.alter.net [157.130.255.198]
 12   211 ms   210 ms   210 ms   207.152.170.41
 13   210 ms   211 ms   210 ms   fe0-0.gw3.bos1.zen.harvard.net [207.152.171.3]
 14   210 ms   220 ms   220 ms   webdialog.network.harvard.net [140.239.132.146]
 15   230 ms   221 ms   350 ms   wks252.webdialogs.com [140.239.182.252]
 16   341 ms   290 ms   311 ms   wks17.webdialogs.com [140.239.182.17]
Trace complete.

5. American Registry of Internet Numbers (ARIN) Ownership Information for this IP Number (at http://www.arin.net/whois/index.html):

HarvardNet (NET-HTW-140BL) HTW-140BL 140.239.0.0 - 140.239.255.255
WEBDIALOGS (NETBLK-HTW-04994) HTW-04994 140.239.182.1 - 140.269.183.562

The above shows that the class B block containing the address belongs to HarvardNet, and the class C block containing the address belongs to WEBDIALOGS.

6. WHOIS on HarvardNet:

HarvardNet (NET-HTW-140BL)
500 Rutherford Ave
Boston, MA 02129
US
Netname: HTW-140BL
Netblock: 140.239.0.0 - 140.239.255.255
Maintainer: HTW
Coordinator: Hostmaster, HarvardNet (HH273-ARIN) hostmaster@HARVARD.NET 800-772-6771 (FAX) 617-242-6991
Domain System inverse mapping provided by:
AUTH04.NS.HARVARD.NET 140.239.140.239
AUTH02.NS.HARVARD.NET 209.21.182.4
Record last updated on 13-Apr-2000.
Database last updated on 2-May-2004 22:46:59 EDT.

7. WHOIS on WEBDIALOGS:

WEBDIALOGS (NETBLK-HTW-04994)
300 CONCORD RD
BILLERICA, MA 04821
US
Netname: HTW-04994
Netblock: 140.239.182.1 - 140.269.183.562
Coordinator: RITCHIE, LINDA (LR246-ARIN) ipallco@harvard.net 978-589-5123
Record last updated on 16-Aug-2000.
Database last updated on 2-May-2004 22:46:59 EDT.
------

Later that day, Smith received the following e-mail from Tommy Tang, MIS manager of KW-RBBC – 8 in Los Angeles.

From: Tommy Tang
To: Bob Smith
Date: 5/2/04 2:59PM
Subject: Re: [RBBC BOSTON] Report for May 1

Bob, Harry asked me to forward this information to you. I contacted Marcy Weed to see what action we should take to stop this email attack. It has virtually brought our webservers down and clogged up our Outlook email to Boston:

I have contacted the ISP where the emails are coming from, they said to send copies of the email to their abuse department and they will take action to stop the emails. My question is this:

1) Would it be appropriate for me to forward those emails to the ISP's abuse department? (The emails contain language against RBBC-13.) We need to stop these emails immediately.

2) What is the standard course of action from W-RBBC / RBBC legal in this situation? Do we normally send a warning letter to the users (i.e. viewers) or report this to criminal authorities?

Finally, we are in the process of modifying the Help/comment page to prevent future attacks on all our websites.

Thank you.

Tommy Tang

W-RBBC Television Stations ------

May 3, 2004

Tang then sent the following e-mail to the ISP from which the DoS attack originated.

From: Tommy Tang
To: internet:abuse@harvard.net
Date: 5/3/04 12:57PM
Subject: Denial of Service Attack

Our website Help/comment page has received over 250,000 "recursive" emails in the past few days, causing our webserver to stop serving pages and our email system to shut down. 80% of these emails are coming from an ip address range belonging to you.

Copies of the recursive emails are included with this email.

Please stop your users from such attacks on our website immediately. We have contacted the proper authorities to investigate this matter.

Thank you.

Tommy Tang

W-RBBC Television Stations

SAMPLE E-MAILS:

Received: from mailgw.W-RBBCinc.com ([204.48.23.139]) by W-RBBCinc.com; Sat, 28 Apr 2004 10:36:42 -0700
Received: from mail03-lax.pilot.net (localhost [127.0.0.1]) by mailgw.W-RBBCinc.com (8.8.5/8.8.5) with ESMTP id KAA14915 for <RBBCevents@W-RBBCinc.com>; Sat, 28 Apr 2004 10:37:27 -0700 (PDT)
Received: from mail.uunt.net (prod-280a.tco3.web.wcom.net [208.243.113.121]) by mail03-lax.pilot.net with ESMTP id KAA23236 for <RBBCevents@W-RBBCinc.com>; Sat, 28 Apr 2004 10:37:25 -0700 (PDT)
Received: from atl7nt0042 ([199.170.228.106]) by mail.uunt.net (8.9.3/8.9.3) with SMTP id NAA23892 for ; Sat, 28 Apr 2004 13:32:21 -0400 (EDT)
Message-Id: <200404281732.NAA23892@mail.uunt.net>
From: RBBC TV Boston Web Site <jim@W-RBBCnews.com>
To: Comments Recipient <RBBCevents@W-RBBCinc.com>
Date: Sat, 28 Apr 2004 17:35:11 (GMT)
X-MSMail-Priority: Normal
X-mailer: AspMail 3.53 (QSMT9F52C5)
Subject: Comments from the RBBC TV Boston Web Site
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

email: jim@W-RBBCnews.com
name: Amanda Cruz
age: 20-29
street: 1
city: Dedham
state: Massachusetts
zip: 04045
comment: Put the Red Sox on late night. Put Nascar on same time as everyone else gets to watch it. Why are we stuck with a loser RBBC station like RBBC-13?

======

Received: from mailgw.W-RBBCinc.com ([204.48.23.139]) by W-RBBCinc.com; Sat, 28 Apr 2004 10:31:05 -0700
Received: from mail03-lax.pilot.net (localhost [127.0.0.1]) by mailgw.W-RBBCinc.com (8.8.5/8.8.5) with ESMTP id KAA10404 for <RBBCsports@W-RBBCinc.com>; Sat, 28 Apr 2004 10:31:47 -0700 (PDT)
Received: from mail.uunt.net (prod-280a.tco3.web.wcom.net [208.243.113.121]) by mail03-lax.pilot.net with ESMTP id KAA18395 for <RBBCsports@W-RBBCinc.com>; Sat, 28 Apr 2004 10:31:42 -0700 (PDT)
Received: from atl7nt0042 ([199.170.228.106]) by mail.uunt.net (8.9.3/8.9.3) with SMTP id NAA19411 for ; Sat, 28 Apr 2004 13:26:39 -0400 (EDT)
Message-Id: <200404281726.NAA19411@mail.uunt.net>
From: RBBC TV Boston Web Site
To: Comments Recipient <RBBCsports@W-RBBCinc.com>
Date: Sat, 28 Apr 2004 17:29:29 (GMT)
X-MSMail-Priority: Normal
X-mailer: AspMail 3.53 (QSMT9F52C5)
Subject: Comments from the RBBC TV Boston Web Site
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

email: jim@W-RBBCnews.com
name: Al McDuff
age: 20-29
street: 1
city: Dedham
state: Massachusetts
zip: 04045
comment: How stupid do you have to be to work at RBBC? Run RedSox programming late at night. Or never. The people want NASCAR.

======

Received: from mailgw.W-RBBCinc.com ([204.48.23.139]) by W-RBBCinc.com; Sat, 28 Apr 2004 10:31:05 -0700
Received: from mail03-lax.pilot.net (localhost [127.0.0.1]) by mailgw.W-RBBCinc.com (8.8.5/8.8.5) with ESMTP id KAA10392 for <RBBCsports@W-RBBCinc.com>; Sat, 28 Apr 2004 10:31:46 -0700 (PDT)
Received: from mail.uunt.net (prod-280a.tco3.web.wcom.net [208.243.113.121]) by mail03-lax.pilot.net with ESMTP id KAA18347 for <RBBCsports@W-RBBCinc.com>; Sat, 28 Apr 2004 10:31:38 -0700 (PDT)
Received: from atl7nt0042 ([199.170.228.106]) by mail.uunt.net (8.9.3/8.9.3) with SMTP id NAA19373 for ; Sat, 28 Apr 2004 13:26:35 -0400 (EDT)
Message-Id: <200404281726.NAA19373@mail.uunt.net>
From: RBBC TV Boston Web Site
To: Comments Recipient <RBBCsports@W-RBBCinc.com>
Date: Sat, 28 Apr 2004 17:29:23 (GMT)
X-MSMail-Priority: Normal
X-mailer: AspMail 3.53 (QSMT9F52C5)
Subject: Comments from the RBBC TV Boston Web Site
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

email: jreddy@aol.net
name: Amanda Cruz
age: 20-29
street: 1
city: Dedham
state: Massachusetts
zip: 04045
comment: The Red Sox arent good enough to be on RADIO. Put NASCAR on. Or maybe RBBC-13 isn't as good as radio...?

May 4, 2004

After receiving information from JIBARA and Tang and developing preliminary information about the possible source of the Denial of Service attack, Smith contacted a private internet expert, Steve Forensics, to obtain a professional opinion about the Denial of Service attack. Specifically, Smith wanted to know how he could prove that the suspect had the specific intent to cause damage to the RBBC / RBBC computer network per Title 18 USC section 1030.

Mr. Forensics' report follows:

1. Introduction

The purpose of this report is to provide the results of a data analysis performed on log data from a computer. This report establishes that the suspect did indeed INTEND to cause Damage to a Protected Computer as per title 18 Section 1030.

A CD-ROM with the logs from the Protected Computer was given to Mr. Forensics by Ms. Meredith McRoberts. Mr. Forensics then used a computer to summarize activity regarding Emails received by the Protected Computer, scanning the Web server logs of the Protected Computer for HTTP email POST transactions. This indicates a receipt of an email by the Protected Computer’s Web server software. These email transactions were then totaled by minute for all sources and for the specific source IP address of the suspect’s computer.

Herein are Mr. Forensics’ findings.

Definitions From Title 18 Section 1030:

Protected Computer – a computer which is used in interstate or foreign commerce or communication.

Damage – any impairment to the integrity or availability of data, a program, a system, or information, that causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals.

Where these defined terms have been used in this document, they have been capitalized.

2. Day One of the Attack

On day one of the attack, April 30, 2001, the Protected Computer began to receive a large amount of email traffic, more than 140 messages per minute, from the suspect Internet Protocol (IP) address. The suspect IP address is 140.238.182.17. To provide perspective on the magnitude of this attack, consider the normal email traffic received by the site between 10:00 AM and noon before the attack began:

This is a total of 17 email messages over a two-hour period, or one email message every seven minutes on average. The rate of emails received from the suspect IP address during day one of the attack is almost 1,000 times the normal average rate for the site. At this rate, the email traffic from the suspect IP address can only be considered to be an attack. After the start of the attack, email received from the suspect IP address constituted almost all of the email received by the site, as shown in the chart below:

EXHIBIT OMITTED

Please Note: The above graph is plotted in such a way that a bright green Total graph is overlaid by a red Suspect graph. The bright green total graph is not visible only because it is completely overwritten by the red Suspect graph. This is a visual indication that the suspect traffic constituted almost all of the email traffic to the site during the attack period.

The Protected Computer began to receive emails from the suspect IP address at 12:28 PM. This pattern of email traffic continued into the next day. Throughout the day one attack period, emails received from the suspect IP address averaged 143 per minute, with a minimum of zero and a maximum of 361 emails per minute, for a total of 90,905 emails received during day one.

There are several fluctuations in emails received from the suspect IP address, including a hiatus from 3:15 PM to 4:08 PM, which may indicate that the suspect changed the script or performed other changes during day one. Further investigation may shed light on these fluctuations, but they may be of little relevance with respect to the behavior observed during day two.

Although the volume of email received from the suspect IP address is extraordinary, it is relatively consistent. In order to prove that there was intent to cause Damage, significant escalation of the attack should be shown. In other words, if a person had the intent to cause Damage, and this extraordinary amount of email traffic (1,000 times normal) proved insufficient to cause Damage, the person would be motivated to escalate the attack until Damage was evident. This escalation occurred during day two of the attack.

3. Day Two of the Attack

On day two of the attack, May 1, 2001, the Protected Computer continued to receive emails from the suspect IP address at about the same rate as the day before. However, there is a significant change in this behavior as shown in the chart below:

EXHIBIT OMITTED

Again, the Suspect graph has overwritten the Total graph.

As the chart indicates, just before 1:00 PM, the Protected Computer began to receive a much greater volume of email from the suspect IP address. At times, there were over three thousand email messages received during a one-minute period. This rate of traffic is almost 10,000 times the normal rate for the site. This more than ten times increase in the rate of emails is a clear escalation of the attack, and a clear indication of intent to cause Damage.

The Protected Computer began to receive a greatly increased volume of email at 12:50 PM. This continued until 3:20 PM, at which time the emails received by the Protected Computer dropped to near zero to the end of the day. What caused the stoppage of the email from the attacker is not clear from the data, but because the Protected Computer continued to receive email at its normal rate after the cessation of email flow from the suspect's IP address, one can assume that system administration staff at the Protected Computer's site applied some form of filter to the suspect's IP address to stave off the attack. There are a relative handful of emails from the suspect IP address after 3:20 PM and large periods of no emails from the suspect IP address, consistent with emails being flushed from buffers and queues after the application of the filter at 3:20 PM.

During the attack escalation period, which lasted for 2 hours, 31 minutes, emails received from the suspect IP address averaged 1,228 per minute, with a minimum of none and a maximum of 3,144 emails received in a one-minute period. During the period, 182,969 emails were received from the suspect IP address by the Protected Computer. The 1,228 average represents more than a 13 times increase over the average during the non-escalated period earlier in day two.

The entire attack lasted 26 hours and 53 minutes. The total amount of emails received from the suspect IP address during this period was 344,176. More than one half of these emails were received during the two and one-half hour escalation period.

4. Conclusion

Given that the scale of the attack was escalated from 1,000 times site normal traffic to almost 10,000 times site normal, and the escalation was sustained for more than two and one-half hours, the suspect clearly shows intent to do Damage to a Protected Computer.

End of Mr. Forensics' Report
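As an added example (not part of the investigation report or of Mr. Forensics' analysis), the following Python script reproduces the method described above on a constructed web-server log: it finds the busiest submitter, as the web-statistics step did, totals form POSTs per minute for all sources and for that address, computes the pre-attack baseline, and flags minutes whose rate steps up by an order of magnitude, the escalation the analysis treats as evidence of intent. The form path, the 192.0.2.17 address and the log contents are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Apache/NCSA common log format; only the fields the analysis needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
FORM_PATH = "/comments.asp"   # assumed path of the viewer-comment form
SUSPECT = "192.0.2.17"        # placeholder (RFC 5737) address, not the report's IP


def make_sample_log():
    """Constructed sample: a quiet baseline, a flood from SUSPECT, then an escalation."""
    base = datetime.strptime("01/May/2004:12:00:00 -0400", TS_FMT)
    lines = []

    def hit(ip, t, method="POST", path=FORM_PATH):
        lines.append(f'{ip} - - [{t.strftime(TS_FMT)}] "{method} {path} HTTP/1.0" 200 512')

    for i, ip in enumerate(["10.0.0.5", "10.0.0.9", "10.0.0.12", "10.0.0.5"]):
        hit(ip, base + timedelta(minutes=7 * i))           # about one comment per 7 min
    for m in range(28, 38):                                 # 140/min for 10 minutes
        for s in range(140):
            hit(SUSPECT, base + timedelta(minutes=m, seconds=s % 60))
    for m in range(50, 53):                                 # 3,000/min for 3 minutes
        for s in range(3000):
            hit(SUSPECT, base + timedelta(minutes=m, seconds=s % 60))
    hit("10.0.0.9", base + timedelta(minutes=30), "GET", "/default.htm")  # not a submission
    return lines


def form_posts(lines):
    """Yield (minute, ip) for each successful POST to the comment form."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != FORM_PATH or m["status"] != "200":
            continue
        yield datetime.strptime(m["ts"], TS_FMT).replace(second=0), m["ip"]


def top_source(lines):
    """(ip, hits) for the busiest submitter: the web-statistics step of the report."""
    return Counter(ip for _, ip in form_posts(lines)).most_common(1)[0]


def per_minute(lines, suspect):
    """Per-minute submission counts for all sources and for the suspect alone."""
    total, susp = defaultdict(int), defaultdict(int)
    for minute, ip in form_posts(lines):
        total[minute] += 1
        if ip == suspect:
            susp[minute] += 1
    return dict(total), dict(susp)


def baseline_rate(total, susp):
    """Average submissions/min from everyone in the minutes before the suspect appears."""
    first = min(susp)
    span = int((first - min(total)).total_seconds() // 60)
    return sum(n for m, n in total.items() if m < first) / span


def escalation(susp, factor=10):
    """Minutes in which the suspect's rate is at least `factor` times its typical
    (median) per-minute rate: the sustained step-up the report relies on."""
    typical = median(susp.values())
    return sorted(m for m, n in susp.items() if n >= factor * typical)


def analyse(lines):
    ip, hits = top_source(lines)
    total, susp = per_minute(lines, ip)
    return {
        "suspect": ip,
        "suspect_hits": hits,
        "baseline_per_min": baseline_rate(total, susp),
        "suspect_avg_per_min": hits / len(susp),
        "suspect_max_per_min": max(susp.values()),
        "escalation_minutes": [m.strftime("%H:%M") for m in escalation(susp)],
    }


if __name__ == "__main__":
    for key, value in analyse(make_sample_log()).items():
        print(f"{key}: {value}")
```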

------

May 5, 2004

After gathering the necessary evidence and analytical data necessary to launch a criminal investigation, Smith contacted the United States Secret Service for assistance. He spoke with Special Agent Bruce Reighthause, (617) 565-5640.

Smith briefed Reighthause on the case. Reighthause said he would look into the matter. Smith then e-mailed Reighthause the web statistics report for w w w . RB B C _13 .c o m and the analysis report from Steve Forensics.

May 6, 2004

Using the information provided by Smith, Agent Reighthause traced the DoS attack back through the ISP to the originating sender. The attack originated from I.P. address 123.45.8723.24, a computer located at a local Boston internet company called FastData.com. The I.P. address belonged to the company's vice-president David Ross. Agent Reighthause and his partner Agent Woodall went to FastData.com and spoke with David Ross. At first Ross denied sending the emails, then later admitted to it.

Agent Reighthause obtained a warrant for Ross' computer and seized his hard drive. A forensic analysis of the hard drive revealed that Ross had written a unique string of code that identified himself as the author.

Because the code was written to execute specific malicious commands, it demonstrated that Ross had the specific intent to harm the RBBC / W-RBBC network.

The unique code was also identified as having been used in another DoS attack not related to RBBC / W-RBBC. Reighthause contacted the federal deputy district attorney in Boston and presented the case for filing. Prosecution will proceed under Title 18 USC - Section 1030 Fraud and Related Activity in Connection with Computers.

According to Agent Reighthause, this is a case of first impression with the Boston office of the U.S. Secret Service and a case of first impression before this federal district court.

END OF REPORT
