In document Nailed it (pages 30-38)

On Thursday, February 10, U.S. Attorney General Janet Reno announced an FBI investigation. “We are committed in every possible way,” Reno declared, “to tracking down those responsible.”

On Friday, February 11, the San Francisco Examiner reported that the attack on CNN’s Web site had been tracked to the University of California, Santa Barbara (UCSB).

On the same day, Reuters reported that NetCologne, a German ISP, had traced an attack back to a German university, which in turn took one of its servers off-line after it had been found to be running TFN “zombie” code.

On Saturday, February 12, Stanford and the University of California, Los Angeles (UCLA) were added to the list of launching pads (at least for the assault on CNN). On Sunday, February 13, someone identifying himself as Coolio vandalized a Web site belonging to RSA Data Security. Numerous Internet postings attributed to Coolio led some investigators to believe the 17-year-old New Hampshire resident to be a suspect in the DDoS attacks on Yahoo!, eBay, etc. The FBI questioned him.

But apparently there are no forthcoming charges involving this particular Coolio, at least related to the DDoS attack. Coolio is allegedly responsible for several unrelated crimes, including vandalizing Web sites for the Drug Abuse Resistance Education (DARE) program, a Chemical Weapons Convention site maintained by the U.S. Commerce Department, and the RSA site.

On March 9, Dennis Moran, a.k.a. Coolio, a 17-year-old hacker questioned by the FBI about the DDoS attacks, was charged with vandalizing the DARE Web site. He was charged with two counts of unauthorized access to a computer system. Each charge is punishable by up to 15 years in prison. Moran allegedly hacked into the Los Angeles Police Department Web site DARE.com twice in November and defaced it with two pro-drug slogans and images, including one depicting Donald Duck with a hypodermic syringe in his arm.

Several other Coolios are under investigation.

CHAPTER 8 HACKTIVISTS AND CYBERVANDALS 129

On February 15, U.S. President Bill Clinton held a White House summit on the implications of the attack. Invited attendees included Rich Pethia of CERT; Vinton Cerf of MCI Worldcom; Stephen Kent of BBN Technologies (GTE); Mudge from @stake (of L0pht fame); representatives from Yahoo!, eBay, Excite, and E*Trade; and yes, Eugene Spafford of CERIAS. Several of CERIAS’s sponsors also participated in the meeting (e.g., AT&T, Veridian/Trident, Microsoft, Sun, HP, Intel, and Cisco).

Government participants included President Clinton himself, as well as Attorney General Reno, Secretary of Commerce William Daley, and Richard Clarke of the National Security Council.

Spafford posted an eyewitness report to his friends.

I came away from the meeting with the feeling that a small, positive step had been made. Most importantly, the President had made it clear that information security is an area of national importance and that it is taken seriously by him and his administration. By having Dave Farber of University of Pennsylvania and myself there, he had also made a statement to the industry people present that his administration takes the academic community seriously in this area. (Whether many of the industry people got that message—or care—remains to be seen.)

Meanwhile, on the same day as the White House summit, the Washington Post reported that 26-year-old Robert Heath Kashbohm was arrested for allegedly launching a denial of service attack against the Virginia Department of Motor Vehicles (DMV) Web site. The site was shut down for approximately 45 minutes on Sunday, February 13. Investigators took less than an hour to trace the source of the attack. The suspect was apprehended about 24 hours later.

Why did I include this sad little news item? Well, it is a good reminder that those who launched the attack against Yahoo! and others were competent.

It has become conventional wisdom that nowadays, due to the widespread availability of automated attacks, just about anybody could do something similar.

Yes, it is true that hackers could download the software and figure out how to launch the attack. But how many novices would remain untraceable and avoid arrest for even this long? Whoever went after the icons of the Internet with the hammer of DDoS didn’t do it from his or her home PC.

On Thursday, February 17, the Associated Press reported that federal investigators had “fast-breaking leads” but that the perpetrator(s) disguised themselves well. FBI Director Louis Freeh said that Bureau field offices in five cities (Los Angeles, San Francisco, Atlanta, Boston, and Seattle) had opened investigations. Freeh confirmed that agents in other cities and overseas were involved as well.

On February 20, 2000, CNN provided its viewers with a rare glimpse into the forensic investigation:

The bureau is better equipped now to handle the investigation than it has been in the past. In this search, investigators are using specialized filtering software to isolate suspicious computer traffic. By systematically removing normal message traffic, the FBI can focus on the far fewer strands of unusual traffic, which have odd signatures.

But once the sinister traffic is located, the game of connect-the-dots has just begun.

While the FBI has located some of the computers used in the attack, they are still trying to find those computers directing them. The trigger computer has been directed through dozens of others, masking the origin.

In a tedious process, investigators work backward, going to each site and looking for logs that provide directions to the previous site, each time getting one step closer to the original attacker.[5]

The cybercops were looking for a single needle in several hundred haystacks.

In April, law enforcement uncovered at least one of the needles hidden under one of the haystacks.

On April 18, 2000, CNN reported that a Canadian juvenile had been arrested and charged in connection with the DDoS attacks.

Sources familiar with the investigation said the arrest involves a Canadian juvenile who goes by the computer name “mafiaboy.” The individual is believed to have played a role in the attack against CNN.com, and investigators are continuing to examine whether he played a role in other attacks.

The Royal Canadian Mounted Police (RCMP) said in a written statement that charges were brought “against a person stemming from cyber-attacks that were launched in the beginning of the month of February 2000 in the United States against many Internet sites, namely CNN.com, Yahoo!, eBay, Amazon.com, Excite and Etrade.”

In mid-February, Internet Direct, a Canadian Internet Service Provider, was interviewed by the RCMP, which took a lead role in the overall investigation. Mafiaboy had two accounts on an ISP acquired by Internet Direct. A representative for Internet Direct said the accounts were canceled for terms of service violations. Mafiaboy will be charged under the Computer Fraud and Abuse Act, which was expanded in 1996 to cover all computers used in commerce. It prohibits the unauthorized access to obtain information, the transmission of anything that causes damage, fraud and extortion. Penalties can include up to 6 months in jail or 10 years for a repeat offender and twice the gross monetary loss to the victim.[6]

5. CNN, February 20, 2000

6. “Canadian juvenile charged in connection with February ‘denial of service’ attacks,” by Pierre Thomas and D. Ian Hopper, CNN, April 18, 2000

I would be very surprised if “mafiaboy” was the sole perpetrator of these attacks. I would not be surprised if he was the only one ever charged with the crime.
