How to catch a cracker in the US?

Hi,

I'm an ISP in Germany and a cracker (not a hacker :slight_smile: ) has targeted a customer of mine in the last few days. The cracker was successful and caused financial damage / was successful with data theft. I set a trap and finally caught his real IP address - a Comcast user in the US (100% not a proxy or bot). What would be the next steps to pursue him? If I contact local authorities here in Germany I'm afraid months will pass by and Comcast will possibly have already deleted their logs by then (?). Any advice?

Thank you!
Markus

Start with CERT-BUND, maybe?

Although it's questionable whether or not it's possible to remotely absolutely ascertain whether the attacking machine in question was being operated by miscreants unbeknownst to its actual owner.

From: Dobbins, Roland [mailto:rdobbins@arbor.net]
Sent: Tuesday, March 11, 2014 8:06 AM
Although it's questionable whether or not it's possible to remotely absolutely
ascertain whether the attacking machine in question was being operated by
miscreants unbeknownst to its actual owner.

Though it's 100% correct, would this hold up in court?
e.g. "Nope, wasn't me downloading that movie, must have been a hacker misusing my PC. I didn't even know there was a 'torrent client', as you guys call it, installed on my PC; I only use it to play solitaire."

TIINAL - The Internet Is Not A Lawyer.

;>

Hi Markus,

A couple of suggestions:

1. Ask Comcast to preserve the records associated with the IP
addresses and timeframe in which the problem occurred. They can't give
them to you absent a valid US subpoena but they can save them from
automatic deletion while you work on that.

2. Be specific about the problem. Be liberal with the shared details!
Comcast can be your partner in this endeavor. If you treat them as
your enemy by being cagey, they may behave as your enemy by doing the
minimum required by law. Which turns out to be not much.

3. Once you have done these things, then go to the police. Share
information about your specific contact with Comcast with the police
and share your specific police contact with Comcast. This will start
them talking, which is half the battle in getting the police to
investigate a computer crime. Who knows, U.S. authorities may already
be investigating the same user which would make your job so much
easier.

Regards,
Bill Herrin

TIINAL - The Internet Is Not A Lawyer.

NANOGINTI

There ARE rules in the environment, however. For example, there is one that I am too lazy to look up that argues for the use of a .sig separator "-- ".

I heard cheese works really well for catching crackers.

.. Who knows, U.S. authorities may already
be investigating the same user which would make your job so much
easier.

<lurker mode off>Also, if you just want a deterrent: having a cop
visit the home of the cracker just asking questions may send the
message "we know where you live, so calm the fuck up".</lurker mode off>

Hi,

I found that finding them on IRC, or wherever it is that they congregate, and simply talking to them until they incriminate themselves tends to work best. I also found that firewalls, IDS, security audits, antivirus, antimalware etc work almost not at all. The reason for this is pretty simple. Cybercrime is not a technical problem and does not have a technical solution. The solution is just like any other criminal act, find them, get them to confess, and then put a real world face and location to the IRC persona. Easy.

Andrew

Ha!

"Easy", in my personal experience (having once upon a time caught a hacker
in .ro, but it took six months of work to seal the deal with handcuffs).

That's racist.

Since when do crackers have a stated ethnicity? Isn't racism based on
race, and not flour content in a baked snack? LOL

We accept crackers of all types here.. Flour, rice, wheat, grain, etc.

http://en.wikipedia.org/wiki/Cracker_(pejorative)

Being caucasian myself, I am inherently aware of the terminology
"cracker". How a joke relating to catching crackers with "cheese" was
translated into a racial slur is completely beyond my comprehension. In my
country, we eat cheese with crackers .. So it would be safe to assume the
entirety of my comment was related to molded milk fat and baked grain. :wink:

And if they were the intended application of the term, I would think that
"cheese" would not be the appropriate choice to catch them. However,
cheese and crackers would seem to be more a snack, which is at least how
I interpreted that original comment.

Perhaps I need to drink more…

Scott

There's an almost, I don't know the right word, jealous reaction to
someone asking for help like this sometimes where people speculate on
the legal success etc generally concluding failure.

There are many good reasons to try to track a criminal.

For one thing, often this is not their only criminal activity so
plausibly denying this one activity may not help them in the end. But
not if everyone throws up their hands and focuses only on the
difficulties!

Also, if they stole money or identity information and used it then
there should be a trail of that activity.

If I steal your credit card and it gets used, and it gets used by the
person you suspect stole it for other reasons (e.g., a phishing site
was running at their IP), then that's a pretty good hint beyond just
proving the one fact (it was their IP).

On the one hand this is not a great forum for getting this advice
because of this sort of thing, people who have little to offer in
advice start speculating on legalities etc.

OTOH, it is likely that people on this list have had first-hand
experience with this sort of thing and can usefully recommend what the
OP might do next.

I've had good and not so great experiences, but it's changed over the
years. I've seen real creeps tracked aggressively in real time with
warrants flying. I've also had LEO shout at me that they have only
very limited resources which sounded like "if they rob a congressman
call us, otherwise call your congressman and get us more budget
first!"

how long ago did this happen?
they preserve subscriber information forever, and dhcp logs for
quite a long time.

the police = your local federal police.

there is an mlat between .de and .us which means the us police has to
cooperate and pursue german cases and vice versa. yes, it takes longer.

there is also a hotline system where the .de police can request
records preservation by US entities with the promise that an
mlat request is forthcoming.

Hi Warren,

Were you not aware that in the U.S., every statement you could
possibly make as well as no statement at all is racist, sexist or in
some other way impugns anyone wishing to take offense?

The retort, "That's racist!" is made tongue in cheek. Similar to
Freud's phallic symbols, it's offered in response to the use of any
word or phrase which has the slightest connection in any context to
racism. Which is most of them.

If I said, "The snow is falling, covering the dirty city in a layer of
pristine white," it would be perfectly normal for someone to jokingly
return, "That's racist!" By describing the *city* as *dirty* and then
changing it not just to *white* but *pristine* white, I practically begged
for it.

When someone says something that actually is racist, we have a whole
different vocabulary for expressing disgust.

Regards,
Bill Herrin

So like.. Nerds have a sense of humor all of a sudden?? Did I miss a
slashdot post or something?

:wink:

(and I used nerd lovingly..)

If you're on this list, that's practically a given regardless of
circumstances.

--Josh