Death threats posted on a musician's Web site put his tour of the
UK in jeopardy, but thanks to the efforts of independent information
security specialist Peter Drabwell the cybercriminal was tracked
down and caught. Here the cybersleuth highlights the dos and don'ts
of an online investigation.
If you were a victim of an e-crime what steps would you take? Would
you report it? If so, to whom? Would you ignore the offence and
simply carry on in the hope that the problem would go away by
itself? Would you attempt to conduct your own investigation, and if
so, would you have the resources and knowledge to cope?
In recent debates, notably the European Information Society Group
(Eurim) briefing on e-crime and the Eurim/Computer Weekly IT power
debate on e-crime in April, the message from representatives of the
National High-Tech Crime Unit has been consistent and clear: victims
of e-crime should report such offences to their local police, who
have the resources, training and experience to investigate.
An incident took place towards the end of 2001 which illustrates
the steps needed to produce a satisfactory outcome, as well as the
effectiveness of the organisations involved.
I had been working in the security field for a number of years,
predominantly with large international companies Nortel and BT. I
was introduced to the incident via a colleague who knew of my
background and thought that I would be able to help.
The case involved a musician who was in the middle of preparing
for a UK tour to promote a new album. While the rehearsals and
management were all going to plan, he had become justifiably
concerned at a number of death threats posted to his Web site
message board. Given the nature of message boards and news groups,
there will often be a fair number of trivial items that divert from
the main thread, and most can be discarded as such.
However, what made these particular threats more serious was the
level of inside knowledge they demonstrated, combined with the
explicit nature of the content. As the threats were openly
displayed on the message board, other site visitors could read
them, and some posted follow-up messages, questioning the
perpetrator of the original threats. This in turn led to further
threats and copycat messages, all of which heightened the anxiety
of the artist.
Primary objective
The primary objective was to
identify who was posting the threats before the UK tour started -
the alternative would have been to cancel various concerts as a
precaution.
The perpetrator demonstrated an inside knowledge of the tour
itinerary before it had been made public, in addition to claiming
that the artist's own security team would support him and stand
aside in the event of any personal attack. Such threats had to be
taken seriously, to the extent of an independent, additional
security team being considered to watch over both internal and
external tour personnel.
In light of the above events, the artist had already contacted his
Internet service provider (ISP) which had taken a copy of the
site's log files and recommended that the police also be contacted.
The police took a copy of the message board content and filled out
a crime report, although their "investigation" was limited to
stating that, as the individual posting the threats claimed to be
from the US (the messages were all signed to this effect), there
was little they would be able to do since the offence fell outside
their jurisdiction. Despite good intentions, the general lack of
police resources and knowledge had effectively left us to solve the
crime on our own.
Meanwhile, the ISP had mislaid the original site log files and it
took a combination of personal networking (I had worked with some
members of the company's security team) and the knowledge that the
incident had been reported to the police, for the ISP to accelerate
its efforts. It subsequently explained that although it has a
dedicated abuse-report team, the team's resources are stretched to
such an extent that investigating all incidents would be nigh on
impossible.
Once I had correlated the relevant updates to the message board
with the log files, a pattern of site visits via a particular proxy
server was identified. I was then able to trace the server to a
London-based company, and contact its management.
Fortunately the company concerned was co-operative and
professional. Not only did it first establish my credentials,
checking with the police that the incident had indeed been
reported, but it also maintained up-to-date system usage records.
These allowed its IT managers to check through their proxy server
logs, where they found instances of an individual visiting the
musician's site over the period in question. This in turn led to
the identification of an employee user account - it looked as if we
had found our man.
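The two correlation steps described above, first tying post times to the site's access log and then tying those moments to an account in the proxy's own log, are illustrated below. This is example code added for this page, not the author's, the ISP's or the company's tooling; the log formats, the post records, the addresses, the hostname band.example and the account names are all constructed.

```python
"""Two-stage log correlation, as an added illustration of the method
described in the article.  All log lines and post records below are
constructed for this example; they are not the case's real data."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Stage 1: the site's access log in NCSA "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def parse_access_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines
    that do not match the format (corrupt or truncated entries)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return (m.group("ip"), ts, m.group("method"), m.group("path"),
            int(m.group("status")))

def correlate_posts(posts, log_lines, post_path="/board/post.cgi",
                    window=120):
    """Tie each suspect post to POST requests for the board script whose
    server time lies within `window` seconds of the post's stored time.
    A window is used because the board's clock and the server's clock
    are rarely in perfect step.  Returns (Counter of ip -> posts it can
    account for, list of post ids with no candidate request)."""
    requests = [r for r in map(parse_access_line, log_lines)
                if r and r[2] == "POST" and r[3] == post_path]
    delta = timedelta(seconds=window)
    hits, unmatched = Counter(), []
    for post in posts:
        ips = {ip for ip, ts, *_ in requests
               if abs(ts - post["posted_at"]) <= delta}
        if not ips:
            unmatched.append(post["id"])
        for ip in ips:
            hits[ip] += 1
    return hits, unmatched

def proxy_users(proxy_lines, times, site_host, window=120):
    """Stage 2: once an address is known to be a company proxy, read the
    proxy's own log for the account that fetched the site at those
    moments.  The proxy format here is a simplified, constructed one:
    ISO-8601 UTC time, internal IP, account, method, URL."""
    delta = timedelta(seconds=window)
    users = Counter()
    for line in proxy_lines:
        ts_s, _ip, user, _method, url = line.split()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        if site_host in url and any(abs(ts - t) <= delta for t in times):
            users[user] += 1
    return users

UTC = timezone.utc
THREAT_POSTS = [  # board records of the threatening messages (constructed)
    {"id": "p1", "posted_at": datetime(2001, 11, 12, 22, 15, 30, tzinfo=UTC)},
    {"id": "p2", "posted_at": datetime(2001, 11, 13, 12, 41, 10, tzinfo=UTC)},
    {"id": "p3", "posted_at": datetime(2001, 11, 14, 9, 2, 55, tzinfo=UTC)},
    {"id": "p4", "posted_at": datetime(2001, 11, 15, 3, 0, 0, tzinfo=UTC)},
]
ACCESS_LOG = [  # constructed; 203.0.113.45 plays the company proxy
    '203.0.113.45 - - [12/Nov/2001:22:15:04 +0000] "POST /board/post.cgi HTTP/1.0" 302 221 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [12/Nov/2001:22:14:50 +0000] "GET /board/ HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.45 - - [13/Nov/2001:12:40:58 +0000] "POST /board/post.cgi HTTP/1.0" 302 221 "-" "Mozilla/4.0"',
    '192.0.2.200 - - [13/Nov/2001:12:41:40 +0000] "POST /board/post.cgi HTTP/1.0" 302 221 "-" "Mozilla/4.0"',
    '203.0.113.45 - - [14/Nov/2001:09:02:30 +0000] "POST /board/post.cgi HTTP/1.0" 302 221 "-" "Mozilla/4.0"',
    'corrupt entry that does not parse',
    '192.0.2.200 - - [14/Nov/2001:18:00:00 +0000] "POST /board/post.cgi HTTP/1.0" 302 221 "-" "Mozilla/4.0"',
]
PROXY_LOG = [  # constructed company proxy log; jsmith is a placeholder account
    "2001-11-12T22:15:03Z 10.0.0.23 jsmith POST http://band.example/board/post.cgi",
    "2001-11-13T12:40:57Z 10.0.0.23 jsmith POST http://band.example/board/post.cgi",
    "2001-11-13T12:41:00Z 10.0.0.41 amartin GET http://news.example/",
    "2001-11-14T09:02:29Z 10.0.0.23 jsmith POST http://band.example/board/post.cgi",
    "2001-11-14T11:30:00Z 10.0.0.41 amartin GET http://band.example/",
]

if __name__ == "__main__":
    hits, unmatched = correlate_posts(THREAT_POSTS, ACCESS_LOG)
    print("candidate addresses:", hits.most_common(), "no match:", unmatched)
    times = [p["posted_at"] for p in THREAT_POSTS]
    print("proxy accounts:", proxy_users(PROXY_LOG, times, "band.example"))
```

Note that a single post with two candidate addresses (p2 above) is not conclusive on its own; it is the count across all the posts that singles out one address, and a post with no candidate request at all (p4) is a gap in the logs that should be recorded as such rather than explained away.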
Don't jump to conclusions
However, it was important at
this stage to be thorough and not jump to any conclusions. We
analysed the content of the messages to establish whether they
showed any recognisable grammatical style and turn of phrase. We
also looked at the possibility that another user may have had
knowledge of his account details and password. Could he have left
his terminal open to a guest, incorrectly logged out of a session
and/or been away from the office or desk at the time the events
occurred? Could someone with administrative rights have been using
his account to cover their tracks?
It was only when we could say with a greater (albeit never 100%)
degree of confidence that the account holder was responsible that we
fully compiled all our findings and sought to address the situation.
As the company concerned owes a
duty of care to its customers and staff it was the individual's
manager who confronted the suspect with the evidence. The person
admitted to the offence and apologised for causing offence or harm,
claiming that it had merely been a prank that had got out of hand.
He was, nevertheless, dismissed from the company and a file was
sent to the police for their records.
The matter was concluded three days before the first concert was
due to take place, much to the relief of the musician, who embarked
on his UK tour without any further disruption.
Legal perspective
From a legal perspective, there is a
fundamental difference between making a threat and having the
intent to carry it out. The police have to assess and prioritise
such cases and will devote the appropriate effort to them relative
to their own resources and the quantity of coherent evidence
available. Most victims of such threats would be advised to revise
their communications methods - change their e-mail address or phone
number and/or remove or filter message boards - and (as in the case
of my client's experience) cancel any functions that the threats
relate to.
In the musician's case our focus and determination, combined with
the support and co-operation of key personnel, led to a successful
conclusion. The suspect in question had not used any sophisticated
masking or evasion techniques and had assumed that his anonymity
would be preserved on a Web message board behind his company's Web
proxy server - a mistake that made the investigation more
straightforward.
However, what became clear as I was investigating was the lack of
knowledge, resources and ability for the police to pursue such
cases, in addition to ISPs whose teams are also stretched to their
limits. Many e-crime incidents go unreported, and so long as
victims remain silent, the priority of such offences will continue
to remain low within law enforcement circles. The perpetrators of
such offences will continue to remain comfortable in the knowledge
that their targets will not report their activities, leading to a
further rise in such offences.
The importance of reporting e-crime and encouraging good
co-operation between users, business and law enforcement agencies
cannot be overstated. For despite the limited resources of the
police, an increased record of occurrences can only help to push
this long-neglected category of offence further up the priority
list. Today, while many e-crimes go unreported the situation can
unfortunately only stagnate.
Peter Drabwell is an independent security specialist
What should you do if you are a victim of an
e-crime?
The following general steps are based upon the
premise that you have become a victim of a security breach through
an intruder (as opposed to a human/software error) and that
sufficient harm has been done to warrant further investigation.
- Maintain all logs. Don't be tempted to sacrifice logs and
spring-clean your data storage medium to gain a minimum
space/performance improvement. If you have no logs to turn to,
you've just kissed goodbye to vital evidence. In addition, don't
edit the original log files, but leave them fully intact in their
original format, thus preserving the evidence. Taking a back-up of
the log files is also vital, especially as any intruder may try to
wipe the logs to cover their tracks
- Keep an incident log and make good notes. Be thorough and
record every observation of the case. Good incident reporting
practice suggests that a bound notebook be used for such tasks,
taking note of everything you witness and recording the date/time
of each observation. Such an organised approach will further aid
your investigation and provide a solid record to return to
- Report the offence to the police. While not every station will
have the knowledge and experience to help pursue the case, the key
to reporting the offence is to ensure that there is an official
record of the incident, and that a crime number is generated. This
fact will help when dealing with Internet service providers (ISPs)
and third parties as they will take your case more seriously, and
can share their information with the police (in accordance with the
Data Protection Act)
- Report the offence to your ISP - armed with a police crime
report number your inquiry should rise up the ISP's support
priority list and the technical support team will take your case
more seriously
- Where possible, keep existing channels/services open. This is
not always feasible - for example, if the perpetrator has done harm
to your system, the priority will be to contain/prevent damage. In
the case of my client, an early suggestion by his Web site designer
was to pull down the message board service in light of the obscene
threats received on it. However, I felt that if we could tolerate
the nature of the content, keeping the existing service online
would generate further evidence that could only help our cause.
This method paid off as the perpetrator did indeed continue to
visit the site
- Deal with the cause of the breach - if someone has breached
your system, revising your security/operational measures is most
important. Take this opportunity to revise your security options
and ensure that you have addressed them fully before proceeding to
recover your system. Such security issues tend to fall into two
main categories: human error (in which case some awareness training
may be required for staff) or malicious intent (someone
deliberately sets out to interfere with your system, probably
requiring the involvement of the police)
- Perform a strategic recovery. Depending on the scale of damage
to your system, issues to consider here include filing related
insurance policy claims, restoration of all user services and (in
the case of large, high-profile groups) a related PR campaign to
quell any negative rumours and restore user confidence.
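The first two steps above, preserving the original logs untouched with a backup and keeping a timestamped incident notebook, can be made routine with a small script. The one below is an added example for this page, not the author's procedure or any product; it copies each log into an evidence directory, marks the copy read-only, records a SHA-256 manifest so that later alteration is detectable, and appends dated notes to a notebook file. It runs in a temporary directory on a constructed sample log line.

```python
"""Preserve log files as evidence before analysing them.

Added example (not from the article): each original log is copied into
an evidence directory, a SHA-256 manifest is recorded so tampering can
be detected later, and observations go into a timestamped notebook.
The sample log content written in demo() is constructed."""
import hashlib
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone

def sha256_of(path):
    """Hash a file in chunks so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_logs(originals, evidence_dir):
    """Copy each original into evidence_dir, mark the copy read-only and
    return {basename: sha256}.  Analysis should then run on a further
    copy, never on the originals or on these evidence files."""
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = {}
    for src in originals:
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)          # copy2 keeps the original mtime
        os.chmod(dst, stat.S_IRUSR)     # read-only: no accidental edits
        manifest[os.path.basename(src)] = sha256_of(dst)
    with open(os.path.join(evidence_dir, "MANIFEST.sha256"), "w") as f:
        for name, digest in sorted(manifest.items()):
            f.write(f"{digest}  {name}\n")
    return manifest

def verify_evidence(evidence_dir, manifest):
    """Return the names whose current hash no longer matches the manifest
    (a missing file counts as a mismatch)."""
    bad = []
    for name, digest in manifest.items():
        path = os.path.join(evidence_dir, name)
        if not os.path.exists(path) or sha256_of(path) != digest:
            bad.append(name)
    return bad

class IncidentLog:
    """Append-only notebook: every entry carries a UTC timestamp."""
    def __init__(self, path):
        self.path = path

    def note(self, text):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        with open(self.path, "a") as f:
            f.write(f"{stamp}  {text}\n")

    def entries(self):
        with open(self.path) as f:
            return f.read().splitlines()

def demo():
    """Run the whole flow in a temporary directory and return
    (manifest, mismatches before tampering, mismatches after, notes)."""
    work = tempfile.mkdtemp()
    orig = os.path.join(work, "access.log")
    with open(orig, "w") as f:          # constructed sample content
        f.write('203.0.113.45 - - [12/Nov/2001:22:15:04 +0000] '
                '"POST /board/post.cgi HTTP/1.0" 302 221\n')
    evidence = os.path.join(work, "evidence")
    manifest = preserve_logs([orig], evidence)
    notebook = IncidentLog(os.path.join(work, "incident_notes.txt"))
    notebook.note("Copied access.log into evidence store; hash recorded.")
    before = verify_evidence(evidence, manifest)
    # Simulate someone altering the evidence copy after the fact.
    copy_path = os.path.join(evidence, "access.log")
    os.chmod(copy_path, stat.S_IRUSR | stat.S_IWUSR)
    with open(copy_path, "a") as f:
        f.write("tampered\n")
    after = verify_evidence(evidence, manifest)
    notebook.note(f"Verification after simulated tamper: {after}")
    return manifest, before, after, notebook.entries()

if __name__ == "__main__":
    manifest, before, after, notes = demo()
    print("manifest:", manifest)
    print("mismatches before:", before, "after:", after)
    print("\n".join(notes))
```

The manifest file is what you hand to the ISP, the company or the police alongside the copies: anyone can rehash the files and confirm they are the ones taken at the time, which matters when, as in the case above, a third party first checks your credentials before acting on what you give them.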