FBI Gets Its First Break in Hacker Investigation

TIMES STAFF WRITER

The FBI scored its first major break in efforts to find the saboteurs responsible for this week’s hacking assault on major Internet Web sites.

A standard desktop personal computer in a UC Santa Barbara research lab played a role in the attack on the Web site CNN.com. The discovery by university officials could provide an important first step in following an electronic road map that eventually leads back to the hackers.

“It was a somewhat sloppy [hacking] job,” said Kevin Schmidt, a UCSB network administrator, who would not specify the evidence uncovered. But he noted: “There were some sorts of signs, or we wouldn’t be talking with the FBI.”

The FBI declined to comment. But experts consider the development important.

“My guess is that they did find something significant, because some questions being asked by the FBI lead us to believe that they are making progress on the case,” said Amit Yoran, president of the high-tech security firm RipTech in Alexandria, Va., and formerly a top vulnerability assessment official for the Department of Defense.

The discovery was reported by CNN.com on Friday. UCSB officials say they are cooperating fully with the FBI and have no evidence to connect school personnel with the attack.

To use the UCSB machine, hackers gained access over the Internet and installed a software program that directed the PC to participate in a widespread attack on CNN.com that helped overload the site. The process of downloading and installing that program creates a log file that records details about the network activity; such files would normally be erased by careful hackers.

“They must not have fully erased the logs,” said Doug Tygar, a computer science professor at UC Berkeley. If true, he added, “it’s a pretty serious mistake. . . . This could lead to really substantial influence on tracking where the attack originated from.”

The discovery came late Tuesday evening with signs “of some anomalous network traffic coming from UCSB,” Schmidt said. “I just observed some information that seemed inconsistent with our day-to-day traffic.”

Besides the log files, the hackers may have left behind a “root kit,” a series of programs and techniques used to control a system remotely. And if the hackers failed to remove them, they would contain leads to assist investigators, according to Yoran.

In this week’s attacks, hackers used a “distributed denial of service attack” in which up to thousands of computers across the Internet were directed to send an avalanche of bogus requests for service, overloading Yahoo, EBay, Excite@Home and E-Trade and blocking legitimate users’ access.

The UCSB computer could have been one of several “masters” or one of a multitude of “agents” in the attack, Yoran said. Master computers direct the efforts of agents, which flood the targeted sites.

In either case, he said, “they could find a tremendous amount of [incriminating] information from such a system.”

In other developments Friday, the computer security company Network Associates Inc. in Santa Clara said it had identified another computer used to launch the recent attacks; that machine, in Germany, was disconnected from the Internet.

And Seaford, N.Y.-based Envisioneering Group, a technology consultant, announced that in late January its e-mail server was hijacked by a hacker using the name “Batman” who rigged the machine to send thousands of e-mails per hour to America Online and Yahoo.

Richard Doherty, the company’s director of research, said that the tactic was repeated this week during the height of the attacks on major Web sites. But in each case the company shut down the e-mail server as soon as the problem was noticed. Doherty said that the FBI had not contacted his company for assistance.

Reuters was used in compiling this report.
