The Honolulu Advertiser

Posted on: Tuesday, September 2, 2003

Cybercops say amateur pranksters can't quite hack it

By Beatrice E. Garcia
Knight Ridder News Service

How do you track down an 18-year-old with a computer and a determination to create chaos in the cyberworld? It's actually quite easy if you know where to look.

Just about every movement on the Internet leaves a trail.

For instance, there's the IP or Internet protocol address. As a request for a Web site from a browser passes through routers and servers, the IP address of the computer that initiated the request is logged at each stop along the way.

Another place to search would be chatrooms where hackers are known to congregate — and boast about their activities.

A Google search with a few keywords such as "I wrote a virus yesterday" could turn up a wealth of information, said Chuck Phillips, a network security engineer at CyberGuard, a Fort Lauderdale, Fla.-based computer security firm.

"Most people don't know how easily their steps on the Internet can be traced," said Samuel Lewis at Feldman, Gale & Weber in Miami, a lawyer who specializes in computer law. "With the growing threat of cyberterrorism, everyone is paying more attention to details and doing more logging and more filtering."

In the case of Jeffrey Lee Parson, the teenager in Hopkins, Minn., arrested last week by the FBI after he admitted to writing a variant of the Blaster worm, cybercops got a break because he didn't take enough steps to conceal himself.

In fact, the code in the version Parson wrote pointed directly to him. Once Microsoft engineers broke down the virus code, they found that it directed infected computers to a site set up by Parson.

In court documents released Friday, investigators said they were able to track Parson down after interviewing the person who hosted his Web site, www.t33kid.com.

The FBI said the site listed at least one of the codes. The site was registered by Parson to an address in Hopkins, a Minneapolis suburb.

Cybersleuths work backwards from the infected computers to the Internet service providers where an IP address is registered and then to the user's account and the telephone number used to dial up the Internet.

With cable modems, they can track IP addresses down to a specific home or business.

The next step is to contact the Internet service providers, asking them to save the log, which is usually kept for about 24 hours to a week.

Getting the data requires a subpoena. So local, state or federal agents have to be brought in.
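As an added illustration of the tracing steps described above (not code from the article or from any of the companies it quotes): a small Python tool that pulls the source IP and timestamp of every successful download of a worm payload out of a web host's access log and flags which entries still fall inside an assumed ISP log-retention window, since an ISP needs both the address and the time to map a dynamically assigned IP to a subscriber account. The log lines, the /payload.exe path, the fixed "now" and the one-day retention default are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in NCSA common log format, as a web host serving the worm's
# download might keep it. Addresses come from documentation ranges; the path
# /payload.exe is hypothetical; one line is deliberately malformed.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Aug/2003:03:14:07 +0000] "GET /payload.exe HTTP/1.0" 200 8192
203.0.113.45 - - [12/Aug/2003:03:15:22 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [12/Aug/2003:03:16:01 +0000] "GET /payload.exe HTTP/1.0" 200 8192
192.0.2.19 - - [13/Aug/2003:22:40:55 +0000] "GET /payload.exe HTTP/1.0" 200 8192
this line is corrupt and must be skipped, not crash the tool
"""
PAYLOAD_PATH = "/payload.exe"
NOW = datetime(2003, 8, 14, 0, 0, tzinfo=timezone.utc)  # investigator's "now" (constructed)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}

def preservation_report(log_text=SAMPLE_LOG, path=PAYLOAD_PATH, now=NOW,
                        retention_days=1):
    """Map each source IP that successfully fetched `path` to
    (first_seen, last_seen, hit_count, likely_retained), where likely_retained
    means the last hit is still inside the assumed ISP log-retention window."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == path and rec["status"] == 200:
            stamps[rec["ip"]].append(rec["ts"])
    window = timedelta(days=retention_days)
    report = {}
    for ip, times in stamps.items():
        first, last = min(times), max(times)
        report[ip] = (first, last, len(times), now - last <= window)
    return report

if __name__ == "__main__":
    for ip, (first, last, hits, ok) in sorted(preservation_report().items()):
        print(f"{ip:15} first={first:%Y-%m-%d %H:%M} last={last:%Y-%m-%d %H:%M} "
              f"hits={hits} retained={'yes' if ok else 'likely expired'}")
```

Entries flagged as likely expired are the ones where a preservation request to the ISP is already a race against the 24-hour-to-a-week retention the article mentions.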

Once cybercops get their hands on telltale information, there are forensic tools to recover data that might have been deleted from a directory but actually still reside in the computer.

Paul Henry, a CyberGuard vice president, says such tools are available free on the Web. There also are applications that companies and consumers can buy.

Even if hackers know how to cover their tracks and scrub the files on their computers, the FBI and other government agencies have software and other tools that can recover data on a hard drive, even if it has been reformatted, Henry said.

Computer experts say it's fairly easy to start trouble on the Internet. Henry said bits and pieces of virulent computer code are available on the Web.

Most supposed hackers are what Henry calls "script kiddies" — usually high school or college age — who scour the Internet looking for code that performs specific functions. They can download the code, piece it together and unleash it.

Sharon Ruckman, senior director at Symantec's security response center in Santa Monica, Calif., said law enforcement agencies will go to the computer security industry for help in understanding exactly what a computer virus or worm can do.

Anti-virus vendors will also share samples of a virus once it's identified so other firms can write patches to stop the bug.

Ruckman said samples often are tested in "virus labs" that are cut off from the Internet and the rest of the world so experts can see how they are supposed to work.