Caught in the act

Death threats posted on a musician's Web site put his tour of the UK in jeopardy but thanks to the efforts of independent information security specialist Peter Drabwell the cybercriminal was tracked down and caught. Here the cybersleuth highlights the dos and don'ts of an online investigation

If you were a victim of an e-crime what steps would you take? Would you report it? If so, to whom? Would you ignore the offence and simply carry on in the hope that the problem would go away by itself? Would you attempt to conduct your own investigation, and if so, would you have the resources and knowledge to cope?

In recent debates, notably the European Information Society Group (Eurim) briefing on e-crime and the Eurim/Computer Weekly IT power debate on e-crime in April, the message from representatives of the National High-Tech Crime Unit has been consistent and clear: victims of e-crime should report such offences to their local police, who have the resources, training and experience to investigate.

An incident took place towards the end of 2001 which illustrates the steps needed to produce a satisfactory outcome, as well as the effectiveness of the organisations involved.

I had been working in the security field for a number of years, predominantly with large international companies Nortel and BT. I was introduced to the incident via a colleague who knew of my background and thought that I would be able to help.

The case involved a musician who was in the middle of preparing for a UK tour to promote a new album. While the rehearsals and management were all going to plan, he had become justifiably concerned at a number of death threats posted to his Web site message board. Given the nature of message boards and news groups, there will often be a fair number of trivial items that divert from the main thread, and most can be discarded as such.

However, what made these particular threats more serious was the level of inside knowledge they demonstrated, combined with the explicit nature of the content. As the threats were openly displayed on the message board, other site visitors could read them, and some posted follow-up messages, questioning the perpetrator of the original threats. This in turn led to further threats and copycat messages, all of which heightened the anxiety of the artist.

Primary objective
The primary objective was to identify who was posting the threats before the UK tour started - the alternative would have been to cancel various concerts as a precaution.

The perpetrator demonstrated an inside knowledge of the tour itinerary before it had been made public, in addition to claiming that the artist's own security team would support him and stand aside in the event of any personal attack. Such threats had to be taken seriously, to the extent of an independent, additional security team being considered to watch over both internal and external tour personnel.

In light of the above events, the artist had already contacted his Internet service provider (ISP), which had taken a copy of the site's log files and recommended that the police also be contacted. The police took a copy of the message board content and filled out a crime report, although their "investigation" was limited to stating that, as the individual posting the threats claimed to be from the US (the messages were all signed to this effect), there was little they would be able to do since the offence fell outside their jurisdiction. Despite good intentions, the general lack of police resources and knowledge had effectively left us to solve the crime on our own.

Meanwhile, the ISP had mislaid the original site log files, and it took a combination of personal networking (I had worked with some members of the company's security team) and the knowledge that the incident had been reported to the police for the ISP to accelerate its efforts. It subsequently explained that although it had a dedicated abuse-report team, the team's resources were stretched to such an extent that investigating all incidents would be nigh on impossible.

Once I had correlated the relevant updates to the message board with the log files, a pattern of site visits via a particular proxy server was identified. I was then able to trace the server to a London-based company, and contact its management.
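The correlation step described above, as an added example that is not part of the original article: constructed NCSA-style access-log lines and constructed posting times are matched within a short time window, and each client address is scored by how many of the threatening posts it was active around. The addresses, timestamps and paths are all made up for illustration; note that the address surfaced is the proxy's, which is why the next step was to approach the organisation operating it rather than an individual.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed NCSA-style access log; the client field holds the proxy's address,
# so the pattern points at an organisation, not yet at a person.
ACCESS_LOG = """\
203.0.113.7 - - [14/Nov/2001:21:58:03 +0000] "GET /board/ HTTP/1.1" 200 5123
203.0.113.7 - - [14/Nov/2001:22:01:12 +0000] "POST /board/post.cgi HTTP/1.1" 302 0
198.51.100.9 - - [14/Nov/2001:22:03:40 +0000] "GET /board/ HTTP/1.1" 200 5123
203.0.113.7 - - [16/Nov/2001:19:30:55 +0000] "POST /board/post.cgi HTTP/1.1" 302 0
198.51.100.9 - - [16/Nov/2001:20:10:01 +0000] "GET /news/ HTTP/1.1" 200 2048
"""

# Constructed times (UTC) at which the threatening messages appeared on the board.
POST_TIMES = [datetime(2001, 11, 14, 22, 1, 15), datetime(2001, 11, 16, 19, 31, 0)]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def parse_log(text):
    """Yield (client_ip, naive UTC timestamp, request line) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts.astimezone(timezone.utc).replace(tzinfo=None), m.group("req")

def correlate(log_text, post_times, window=timedelta(minutes=2)):
    """Count, per client address, how many posts it was active around.
    'Active around' means at least one request touching /board/ within
    +/- window of the post time; each post counts at most once per address."""
    entries = list(parse_log(log_text))
    hits = Counter()
    for post_ts in post_times:
        near = {ip for ip, ts, req in entries
                if "/board/" in req and abs(ts - post_ts) <= window}
        hits.update(near)
    return hits

if __name__ == "__main__":
    for ip, n in correlate(ACCESS_LOG, POST_TIMES).most_common():
        print(f"{ip}: active around {n} of {len(POST_TIMES)} posts")
```

On the constructed data only 203.0.113.7 is active around both posts; a real run would use the ISP's full logs and a window chosen from the board's own post timestamps.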

Fortunately the company concerned was co-operative and professional. Not only did it first establish my credentials, checking with the police that the incident had indeed been reported, but it also maintained up-to-date system usage records. These allowed its IT managers to check through their proxy server logs, where they found instances of an individual visiting the musician's site over the period in question. This in turn led to the identification of an employee user account - it looked as if we had found our man.

Don't jump to conclusions
However, it was important at this stage to be thorough and not jump to any conclusions. We analysed the content of the messages to establish whether they showed any recognisable grammatical style and turn of phrase. We also looked at the possibility that another user may have had knowledge of his account details and password. Could he have left his terminal open to a guest, incorrectly logged out of a session and/or been away from the office or desk at the time the events occurred? Could someone with administrative rights have been using his account to cover their tracks?

Only once we could say with a greater (albeit never 100%) degree of confidence that he was responsible did we fully compile our findings and seek to address the situation. As the company concerned owes a duty of care to its customers and staff, it was the individual's manager who confronted the suspect with the evidence. The person admitted to the offence and apologised for causing offence or harm, claiming that it had merely been a prank that had got out of hand. He was, nevertheless, dismissed from the company and a file was sent to the police for their records.

The matter was concluded three days before the first concert was due to take place, much to the relief of the musician, who embarked on his UK tour without any further disruption.

Legal perspective
From a legal perspective, there is a fundamental difference between making a threat and having the intent to carry it out. The police have to assess and prioritise such cases and will devote the appropriate effort to them relative to their own resources and the quantity of coherent evidence available. Most victims of such threats would be advised to revise their communications methods - change their e-mail address or phone number and/or remove or filter message boards - and (as in the case of my client's experience) cancel any functions that the threats relate to.

In the musician's case our focus and determination, combined with the support and co-operation of key personnel, led to a successful conclusion. The suspect in question had not used any sophisticated masking or evasion techniques and had assumed that his anonymity would be preserved on a Web message board behind his company's Web proxy server - a mistake that made the investigation more straightforward.

However, what became clear as I was investigating was the police's lack of the knowledge, resources and ability needed to pursue such cases, compounded by ISPs whose teams are also stretched to their limits. Many e-crime incidents go unreported, and so long as victims remain silent, the priority of such offences will continue to remain low within law enforcement circles. The perpetrators of such offences will continue to remain comfortable in the knowledge that their targets will not report their activities, leading to a further rise in such offences.

The importance of reporting e-crime and encouraging good co-operation between users, business and law enforcement agencies cannot be overstated. For despite the limited resources of the police, an increased record of occurrences can only help to push this long-neglected category of offence further up the priority list. Today, while many e-crimes go unreported, the situation can unfortunately only stagnate.

Peter Drabwell is an independent security specialist

What should you do if you are a victim of an e-crime?
The following general steps are based upon the premise that you have become a victim of a security breach through an intruder (as opposed to a human/software error) and that sufficient harm has been done to warrant further investigation.

  • Maintain all logs. Don't be tempted to sacrifice logs and spring-clean your data storage medium to gain a minimum space/performance improvement. If you have no logs to turn to, you've just kissed goodbye to vital evidence. In addition, don't edit the original log files, but leave them fully intact in their original format, thus preserving the evidence. Taking a back-up of the log files is also vital, especially as any intruder may try to wipe the logs to cover their tracks

  • Keep an incident log and make good notes. Be thorough and record every observation of the case. Good incident reporting practice suggests that a bound notebook be used for such tasks, taking note of everything you witness and recording the date/time of each observation. Such an organised approach will further aid your investigation and provide a solid record to return to

  • Report the offence to the police. While not every station will have the knowledge and experience to help pursue the case, the key to reporting the offence is to ensure that there is an official record of the incident, and that a crime number is generated. This fact will help when dealing with Internet service providers (ISPs) and third parties as they will take your case more seriously, and can share their information with the police (in accordance with the Data Protection Act)

  • Report the offence to your ISP - armed with a police crime report number your inquiry should rise up the ISP's support priority list and the technical support team will take your case more seriously

  • Where possible, keep existing channels/services open. This is not always feasible - for example, if the perpetrator has done harm to your system, the priority will be to contain/prevent damage. In the case of my client, an early suggestion by his Web site designer was to pull down the message board service in light of the obscene threats received on it. However, I felt that if we could tolerate the nature of the content, keeping the existing service online would generate further evidence that could only help our cause. This method paid off as the perpetrator did indeed continue to visit the site

  • Deal with the cause of the breach - if someone has breached your system, revising your security/operational measures is most important. Take this opportunity to revise your security options and ensure that you have addressed them fully before proceeding to recover your system. Such security issues tend to fall into two main categories: human error (in which case some awareness training may be required for staff), or malicious intent (someone deliberately sets out to interfere with your system, probably requiring the involvement of the police)

  • Perform a strategic recovery. Depending on the scale of/damage to your system, issues to consider here include filing related insurance policy claims, restoration of all user services and (in the case of large, high-profile groups) a related PR campaign to quell any negative rumours and restore user confidence.
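The first two steps above (leave the original logs untouched, take a back-up, and keep a dated incident log) can be made routine with a small script. This is an added example, not the author's own tooling: it copies a log file into an evidence directory, verifies the copy byte-for-byte with SHA-256, marks both files read-only, and appends a timestamped entry to an append-only incident log. File paths are placeholders and the sample log line is constructed.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_of(path):
    """Stream the file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_log(original, evidence_dir, incident_log):
    """Back up `original` into `evidence_dir` without altering it, verify the copy,
    and record the action. Returns (digest, path of the verified copy)."""
    os.makedirs(evidence_dir, exist_ok=True)
    digest = sha256_of(original)
    dest = os.path.join(evidence_dir, os.path.basename(original))
    shutil.copy2(original, dest)          # copy2 keeps the original's mtime metadata
    if sha256_of(dest) != digest:
        raise RuntimeError("back-up copy does not match the original log")
    os.chmod(original, 0o444)             # read-only: discourage accidental edits
    os.chmod(dest, 0o444)
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with open(incident_log, "a") as log:  # append only; earlier notes are never rewritten
        log.write(f"{stamp} preserved {original} -> {dest} sha256={digest}\n")
    return digest, dest

def demo():
    """Run preserve_log on a constructed one-line log inside a temp directory.
    Returns (digest, incident-log text, path of the copy) for inspection."""
    work = tempfile.mkdtemp()
    orig = os.path.join(work, "access.log")
    with open(orig, "w") as f:  # constructed sample line, not real traffic
        f.write('203.0.113.7 - - [14/Nov/2001:22:01:12 +0000] "POST /board/post.cgi HTTP/1.1" 302 0\n')
    digest, dest = preserve_log(orig, os.path.join(work, "evidence"), os.path.join(work, "incident.txt"))
    with open(os.path.join(work, "incident.txt")) as f:
        return digest, f.read(), dest

if __name__ == "__main__":
    print(demo()[1], end="")
```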
