Dear Chris,
Hi! I've got a bit of a problem and I think it is connected with my access
to ferrets anonymous or my hook up with internet. I received e-mail from a
hacker today who said he "hacked" my AOL file and obtained enough information
about me in order to run me through a number of government databases. As a
result, he was able to recite to me a great deal of personal information,
including my status as a peace officer (usually more difficult to obtain).
He stated that he has no malicious intent. His intent is to sell his
services. Nonetheless, this is pretty serious. I'm somewhat naive about what
hackers do and how common this is but I'm concerned. I spoke with the FBI
and an attorney friend. This is indeed serious. One issue that I discussed
with the attorney was that this could be entrapment. Perhaps there is a law
enforcement agency looking for people who will nibble at this deal. It is
possible that perhaps they are attacking those who are associated with
ferrets anonymous. Possible? This guy said he was an expert hacker. Could
he be breaching your security somehow? At any rate, my first contact with
internet was when I signed up with you a few days ago. I've never had any
trouble until now. Thus, I see a connection. Bottom line is that perhaps the
other subscribers should be warned. I don't know how serious or commonplace
this whole deal is to you. It's new to me and it freaked me out that someone
could invade my privacy so easily. Let me know what you think. By the way,
this guy calls himself "salvage-expert hacker."
Thanks for lending an ear,
[This could have been answered privately, but I thought it worth airing
the issue a bit...
- I am a consultant in computer security for very large computer
environments, presently working at a very large corporation. At
least they seem to think I know my business - just received a Merit
Award for nailing a "Cuckoo's Nest" type hacker half-way round the
world. By "nailing", I mean we got him so good he does jail time.
(and I got to buy a new woodworking power tool, Arr! Arr! ;-)
[I also tracked down the forged messages sent to the FML a year or
so ago that some of our subscribers may remember... ;-)]
- All I know about you is your first name, and your AOL account. I do
not know what your surname, or location is. In fact, there is no
indication anywhere that you're "anon". There is very little
information to be gotten from me.
- The list exploder on cunyvm (where most subscription addresses
reside) has no indication that you are an anon-user, and only knows
the same things about you that I do.
- Bill Gruber, who operates the list exploder, knows that I consider
the subscriber list confidential information, and will not divulge
it to anyone. Neither will I.
- As far as I am aware, the LISTSERV is not subject to VRFY-like
attacks (because it isn't SMTP) and only Bill and I know the password
for retrieving the subscriber list. [Bill, any comments you
might add?]
- There is no way on earth for anyone to figure out that you sent
a message to FML anonymously, except by having access to my
Internet provider and seeing the mail logs, having access
to your account on AOL or AOL's mail logs, sniffing packets
on the external internet, or breaking into my system.
My internet provider is out, because they're pretty paranoid.
Sniffing packets requires far more expertise than hackers usually
have at their disposal. Hackers are, for the most part, rather
unsophisticated (we watched every keystroke made by the hacker
we caught. He was so stupid it was embarrassing.)
The exploder does not know what you've sent.
I do, for I keep records for a while of where I received articles,
but see below:
HOWEVER, all the above is moot, because this is the first message
you've sent to the FML, so even if the hacker could snoop in the
"right places", there is NO data to find...
- My system is "safe". How can I say this? Because:
  - my machine is not IP connected, and so no Internet attacks are
    possible.
  - I'm running a mail system that has never been reported to have
    security problems. Unlike, for example, sendmail.
  - All my external connections (which are a restricted number) are
    via passworded interconnects, and are owned by people that for
    the most part I believe I can trust. At least as far as aiding
    and abetting a penetration from an American ;-)
  - File transfer permissions are screwed down as tight as they'll
    go, so even if a connection was spoofed, they couldn't retrieve
    anything.
  - I am not running "standard" software here, so there is no
    way that someone would know *what* to retrieve even if they
    could retrieve something.
  - I am the only person who can log into this machine, aside from my wife
    (who is even more security conscious than me ;-)
  - I monitor all traffic, and have various prototype security alarms
    in operation.
  - Even if vrfy reverse attacks were possible on my mail system,
    the people on the exploder aren't in the aliases, so nothing
    useful is retrievable.
  - my house hasn't been broken into, nor my computer stolen.
Now to the specific. By "hacking an AOL file", your "friend" is basically
saying that he penetrated your AOL account, and was able to peruse
your files. Which would probably tell him you subscribe to the FML, and
possibly that you send anonymously (though, it probably wouldn't mean
much). Unless he mentioned the FML, I don't think he caught the
significance (if there actually is one). And access to your file
would tell him a lot of other things, like your full name, probably
that you're a peace officer, and likely all of the other things he
repeated to you.
Thus, I believe that the security problem is on AOL, that he's
bluffing about scanning government databases, and it is only coincidental
that it happened close to your subscription to the FML.
My suggestion to you is, provided you take steps to shield your ferret
(if you do have one in a FFZ), is to get the FBI to assist you in
trapping the guy. Nowadays, I'm sure that they would be quite
interested. Don't change your password yet, because that may tip
the hacker that you didn't swallow his line about where you got the
data. [And eat this message after reading. ;-)] More to the point,
*plant* some information, and see what happens. Like a love letter
to a non-existent SO - that'll get his ears flapping ;-) Don't
plant anything that sounds illegal tho, otherwise you may have some
difficult explaining to do if it is your government trying to
trap you. Which is *probably* unlikely. But I wouldn't count
on it.
The other approach is to report it to AOL, and let them handle it.
They'll probably take it quite seriously too. Unless you were sloppy
with your password.
What kind of services is this guy offering?]
[Posted in FML issue 0922]
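The reply above leans twice on the same point: an SMTP server that answers VRFY and EXPN lets a stranger enumerate a list's membership, and the defence is either to refuse those commands or to keep the subscriber list out of the MTA's aliases altogether (as the LISTSERV exploder does). The following is an added Python model of that exchange, not code from the FML or its moderator; the alias table, the addresses and the `Policy` knob names are constructed for illustration. On real MTAs the equivalent settings are sendmail's `confPRIVACY_FLAGS` with `novrfy,noexpn` (or `goaway`) and Postfix's `disable_vrfy_command = yes`.

```python
"""Model of how an MTA's VRFY/EXPN handling exposes, or hides, a mailing
list's membership.  Added example, not code from the FML or its moderator;
the alias table and addresses below are constructed, not real."""

from dataclasses import dataclass

# Constructed alias table.  "ferret-list" keeps its members in the MTA's own
# aliases file; "fml" is delivered to an external list manager, so the MTA
# itself knows nothing about the subscribers (the LISTSERV situation).
ALIASES = {
    "ferret-list": ["alice@example.org", "bob@example.net"],
    "fml": [],
}

LOCAL_USERS = {"chris", "postmaster"}


@dataclass
class Policy:
    """Privacy settings for the model MTA (hypothetical names standing in for
    sendmail's novrfy/noexpn flags and Postfix's disable_vrfy_command)."""
    allow_vrfy: bool = True
    allow_expn: bool = True


def handle_command(line: str, policy: Policy) -> str:
    """Return the SMTP reply the model MTA sends for one VRFY or EXPN line."""
    parts = line.strip().split(None, 1)
    verb = parts[0].upper() if parts else ""
    if verb not in ("VRFY", "EXPN"):
        return "500 Command unrecognized"
    if len(parts) != 2 or not parts[1].strip():
        return "501 Syntax error in parameters or arguments"
    arg = parts[1].strip()

    if verb == "VRFY":
        if not policy.allow_vrfy:
            # RFC 5321 section 3.5.3: 252 confirms nothing about the mailbox.
            return "252 Cannot VRFY user, but will accept message and attempt delivery"
        local = arg.split("@")[0].lower()
        if local in LOCAL_USERS or local in ALIASES:
            return f"250 <{local}@mail.example.com>"
        return "550 User unknown"

    # EXPN
    if not policy.allow_expn:
        return "502 Command not implemented"
    members = ALIASES.get(arg.lower())
    if not members:
        # Either no such alias, or the list lives outside the MTA: in both
        # cases there is nothing to enumerate even with EXPN enabled.
        return "550 That is not a mailing list"
    lines = [f"250-<{m}>" for m in members[:-1]] + [f"250 <{members[-1]}>"]
    return "\r\n".join(lines)


def enumerate_members(list_name: str, policy: Policy) -> list[str]:
    """What a remote probe learns: parse the EXPN reply and return every
    address it discloses (empty when the server gives nothing away)."""
    reply = handle_command(f"EXPN {list_name}", policy)
    return [ln.split("<", 1)[1].rstrip(">") for ln in reply.split("\r\n") if "<" in ln]


if __name__ == "__main__":
    for name in ("ferret-list", "fml"):
        for pol in (Policy(), Policy(allow_vrfy=False, allow_expn=False)):
            print(f"{name:12s} expn={pol.allow_expn!s:5s} ->",
                  enumerate_members(name, pol) or "nothing disclosed")
```

Run as a script, the open policy discloses both members of `ferret-list`, while the closed policy, or a list whose members are held outside the MTA, discloses nothing. Either mitigation alone suffices; the moderator's setup has both, which is why the "vrfy reverse attack" point in the reply is moot.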