Question regarding website security and a break in
Moderator: ElTaco
- Mister Bushice
- Drinking all the beer Luther left behind
- Posts: 9490
- Joined: Fri Jan 14, 2005 2:39 pm
Question regarding website security and a break in
Someone got hold of a customer's password and username and broke into my website this weekend. They did no damage, but they viewed stuff that is confidential. They did it from a Kinko's.
I've been trying to access this Kinko's office with no luck. My questions:
1. Do I have ANY legal rights to pursue acquiring info on who did this? It was clearly a case of a stolen password used illegally, but no physical damage was done, but intellectual property was viewed/stolen.
2. Who should I call?
I want to bury this fucker. I have two suspects, no proof right now.
Any thoughts from the experts here?
- The Whistle Is Screaming
- Left-handed monkey wrench
- Posts: 2882
- Joined: Fri Jan 14, 2005 2:24 pm
- Location: Eat Me Luther, Eat Me!
MB,
Start with a call to your lawyer. He/she will let you know where to start; if they don't know, first get a new lawyer familiar with Intellectual Property law and then ask them. Intellectual property is just as, if not more, valuable than material property. Breaking into a database and viewing confidential information is no different than breaking into someone's physical office and opening a locked file cabinet to view its contents*. Good luck and fry the fucker.
*My opinion; local laws may vary and I'm not a lawyer. Have your lawyer look into the UCC, as we use it at my office for some legal issues; it may or may not be applicable here.
Ingse Bodil wrote:rich jews aren't the same as real jews, though, right?
- Mister Bushice
- Drinking all the beer Luther left behind
- Posts: 9490
- Joined: Fri Jan 14, 2005 2:39 pm
PSUFAN wrote: is this a software failure, or did someone have access to passwords from the inside?
No, no software failure. Not sure yet how, but access was gained via an existing customer's password without their knowledge, nor was it anywhere near the city where their offices are located.
I'm calling a lawyer today. I've had no luck getting a response from the Kinko's people so far.
- Networking Securely
- Posts: 907
- Joined: Fri Jan 14, 2005 4:12 pm
- Location: Northern VA
Contact your local police *after* you talk to a lawyer. IF they can help, they will have a forensic guy who knows how to work with computers, get evidence and, most importantly, preserve any clues they might find. Please realize a couple of things. The computer that accessed your server may have been hacked, so the person may not have been at the Kinko's when they hacked in. If the hacker is good, they also may have altered the log files, so what you are looking at wasn't actually the machine used at all. Also, you might want to hire a company to do some forensic analysis as soon as possible. They can correctly make a copy of the HD.
The problem is this. If you try to go all the way, that might require taking the HD out of the PC. This could mean some downtime. You usually have to weigh the cost of the trial/investigation/downtime vs the benefit/$ you can get back from the trial. If you want to go the legal route, you will have to do it the correct way. If not, then you can skip all that crap; the problem is that Kinko's won't just tell you who used their PCs. If you can get access to an administrator, they might hook you up, but I bet Kinko's has some company policy against that until they see some kind of legal documentation. Big guys like the FBI only get involved if and when you can prove that you lost at least $5k or more (usually need a lot more before you get any timely response). Remember that if state lines were crossed, your local police can only do so much, so it either needs to go up to the FBI because it broke interstate laws or you would need cooperation from the local cops.
That is all I know about all this stuff, and most of that is 2nd-hand knowledge, so a lawyer is your best bet for information. I would look around carefully though, because you will need a lawyer with experience, and they cannot do the forensic stuff by themselves unless they have the skills/certs to do it, which most of them don't (but they try to do the recovery anyway because how hard can it be). The good ones usually have some contacts in companies with people who have some law-enforcement experience (military/cops/FBI/etc...) with forensic stuff and use them to ensure the evidence will stand up in court.
- Mister Bushice
- Drinking all the beer Luther left behind
- Posts: 9490
- Joined: Fri Jan 14, 2005 2:39 pm
You are right on, ET. I received a response from Kinko's, and they will cooperate fully provided a lawyer or a police officer sends them a subpoena. They store all info on a central computer somewhere.
I tried to find a lawyer in the local phone book who covered this area, but I couldn't. Now I'm trying to weigh the cost of pursuing this vs the potential outcome. I believe I know who did this but I have no actual proof; Kinko's does have the proof, but I'd need to hire that lawyer, file a complaint, pay for the investigation, etc. At this point no way would the FBI touch it. There has been no discernible financial loss, but the potential for it exists, and the only way to be sure would be to go down this road. I think it may have been a fishing expedition, but they went into the wrong side of the website, so the most valuable stuff was not seen; however, enough stuff was for it to make me think hard over what to do about it. Fortunately my business is 99% reputation, and I have a very good one with all my customers.
I have a long-time friend who is a detective. He's my next stop.
The server and website are remote hosted, BTW. It is certainly possible that someone hacked into the IP, but I contacted the trunk provider and one of their techs saw no evidence of that; but if it is who I think is responsible, they would not have the hack expertise to do that, and would think using a Kinko's shop in another city would be anonymous enough.
I'll let ya know what comes of this. Thanks for the input, I figured you'd have a solid take on it.
dawg,truthfully,you'll be better off trying to tighten the security than find out who broke it.
not knowing what kind of login you're using I really can't tell you much about how to further restrict it.
but knowing from experience There has been no discernable financial loss nobody is gonna do nuthin.
primarily because this happens millions of times a day in some form of unauthorized access.
even if you lost a few bucks you'd prolly still be screwed.
so many people doing it coupled with so few people investigating it means the higher the loss the better your chances are of having somebody look into it.
I've been breaking into shit for over 5 years regularly
and only once did I get anything from my ISP about my suspicious activities.
they demanded something, like an explanation within blah blah hours or else.
I just deleted it and kept doing what I was doing.
it's been to the point for so long now I seldom bother with anonymity.
now of course I seldom deface and never steal anything (except the latest Bangbus documentary :P )
but I've done a lil malicious shit and never gave a damn.
chances are somebody used a cached password recovery tool such as Cain&Abel http://www.oxid.it/cain.html
to obtain the user:pass.
in your case with there being a distance between the two it was most likely obtained by some sort of password stealing trojan operating remotely.
you know how prevalent those are these days.
a quick memo about the importance of good virus protection would help.
consistently reviewing your logs will help, providing you know what to look for.
basically you're not going to catch this clown THIS TIME but tighten up to reduce the possibility of a next time.
- Networking Securely
- Posts: 907
- Joined: Fri Jan 14, 2005 4:12 pm
- Location: Northern VA
Yeah, what dit said. You might also want to a: make sure all your customers are using good passwords and b: enforce it in the system. Make sure they adhere to the following:
Use 3 out of 4:
a-z
A-Z
0-9
Special characters.
Also make them use 8 or more characters. That way other people can't guess the passwords, and it will take a lot of work to crack the passwords in your password file. You can enforce these rules under Winblows and Linux/Unix. Also, as an added security measure, run some password cracker on your password file and see if you can crack their passwords. If you can, make them change it.
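The "3 out of 4 classes, 8 or more characters" rule above can be enforced in the web application's own signup and password-change handler rather than relying on the customer to follow a memo. The following is an added example, not code from the thread or from any poster; the policy constants mirror the post, while the common-password denylist, the usernames and the extra username-in-password rejection are my own constructed additions:

```python
"""Password-policy check: at least 8 characters and 3 of the 4 character
classes (lowercase, uppercase, digits, specials), plus two cheap extra
rejections a site can apply before hashing and storing the password."""

MIN_LENGTH = 8          # "8 or more characters" from the post
REQUIRED_CLASSES = 3    # "use 3 out of 4" from the post
ALL_CLASSES = {"lower", "upper", "digit", "special"}

# Constructed sample denylist; a real deployment would load a large
# published list of breached/common passwords instead.
COMMON_PASSWORDS = {"password", "12345678", "letmein", "qwerty123", "welcome1"}


def character_classes(password: str) -> set:
    """Return the subset of ALL_CLASSES present in the password.
    Anything that is not a letter or digit (punctuation, space) counts as special."""
    found = set()
    for ch in password:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("special")
    return found


def check_password(password: str, username: str = "") -> list:
    """Return a list of human-readable policy violations; an empty list means
    the password is acceptable under this policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    found = character_classes(password)
    if len(found) < REQUIRED_CLASSES:
        missing = ", ".join(sorted(ALL_CLASSES - found))
        problems.append(f"uses only {len(found)} of 4 character classes (missing: {missing})")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    # A customer's own login name inside the password is the first thing a guesser tries.
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    # Constructed candidates: one common, one built from the customer name, one acceptable.
    for candidate, user in [("password", "acme"), ("acme2005", "acme"), ("Tr0ub4dor!", "acme")]:
        result = check_password(candidate, user)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Returning the full list of violations rather than a single yes/no lets the change-password page tell the customer exactly which rule they missed, which is what makes a policy like this survive contact with real users.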
- Mister Bushice
- Drinking all the beer Luther left behind
- Posts: 9490
- Joined: Fri Jan 14, 2005 2:39 pm
DiT, ET
Yes, that is all good advice, and we are currently pursuing increased security. Fortunately they broke into the wrong side of the site. All the real critical data is well protected. We're developing code that will match up IPs with usernames, and if it comes up different than the established one, they will have to answer a security question to proceed. All of my customers have static IP blocks.
After checking with a lawyer and the cops, I essentially have no recourse unless I wish to spend a lot of money and press charges. At this point, given the information taken, it is not financially worth it. Down the road, if anything comes of it, I will hopefully still be able to gain access to the info from Kinko's. We'll see. It is a wake-up call for sure.
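Two posts in this thread describe the same defensive idea from different ends: dit's advice to review the logs consistently if you know what to look for, and the plan above to match each login's source IP against the customer's established static block and require a security question when it does not match. The following added example (not the site's code, and not written by anyone in the thread) does both with Python's standard library. The customer names, their IP blocks, the log format and the log lines are constructed samples, and the "allow / challenge / deny" decision names are my own:

```python
"""Source-IP checks for a customer login: a per-request decision (allow,
challenge with a security question, or deny) and a batch review of an
access log for logins made from outside the customer's registered block."""
import ipaddress
import re

# Constructed sample: each customer's registered static IP block(s).
# The thread says every customer has a static block; the values here are
# documentation ranges (RFC 5737), not real customers.
KNOWN_BLOCKS = {
    "acme":   ["203.0.113.0/28"],
    "globex": ["198.51.100.64/26"],
}

# Constructed sample log, combined-log style with the authenticated user in the
# third field. Only the last two lines come from outside acme's block.
SAMPLE_LOG = """\
203.0.113.7 - acme [18/Jun/2005:09:12:01 -0500] "POST /login HTTP/1.1" 200 512
198.51.100.77 - globex [18/Jun/2005:10:03:44 -0500] "POST /login HTTP/1.1" 200 512
192.0.2.45 - acme [19/Jun/2005:14:27:13 -0500] "POST /login HTTP/1.1" 200 512
192.0.2.45 - acme [19/Jun/2005:14:27:40 -0500] "GET /clients/reports HTTP/1.1" 200 20480
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def source_is_known(username: str, source_ip: str) -> bool:
    """True when source_ip lies inside one of the customer's registered blocks."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False            # malformed address: treat as unknown
    return any(addr in ipaddress.ip_network(block) for block in KNOWN_BLOCKS.get(username, []))


def login_decision(username: str, source_ip: str) -> str:
    """Per-login decision after the password has already been verified:
    'allow' from a registered block, 'challenge' (ask the security question)
    from anywhere else, 'deny' for a username with no registered block."""
    if username not in KNOWN_BLOCKS:
        return "deny"
    return "allow" if source_is_known(username, source_ip) else "challenge"


def review_log(text: str) -> list:
    """Return (user, ip, timestamp, status) for every login POST whose source
    is outside the user's registered block, successful or not. A 200 from an
    unexpected address is the case worth a phone call to the customer."""
    flagged = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != "/login":
            continue
        if not source_is_known(m["user"], m["ip"]):
            flagged.append((m["user"], m["ip"], m["ts"], m["status"]))
    return flagged


if __name__ == "__main__":
    for user, ip, ts, status in review_log(SAMPLE_LOG):
        print(f"{ts} login by {user!r} from {ip} (HTTP {status}) -> {login_decision(user, ip)}")
```

The security question is a step-up check on top of the password, not a replacement for it, and a login from inside the registered block still passes unchanged; so a password-stealing trojan on the customer's own machine, the scenario dit raised, would not trip it. Likewise review_log only finds what the logs still contain, which is the point ET makes about logs being deleted: the retention period has to be longer than the time it takes to notice an incident.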
- Networking Securely
- Posts: 907
- Joined: Fri Jan 14, 2005 4:12 pm
- Location: Northern VA
I wouldn't bet on that.
They may only have very limited personal info on who actually used the PC. They will probably only keep such info for a certain amount of time. And finally, even if they can tell you who sat at that terminal, they may not have information on what specifically they accessed. And even if they show that that person accessed your IP, they probably couldn't prove that they did the hacking unless they can tie that IP to your logs, which you are deleting and making useless as we speak.
- Mister Bushice
- Drinking all the beer Luther left behind
- Posts: 9490
- Joined: Fri Jan 14, 2005 2:39 pm
well ET, unless I invest several thousand into it (with no hope of resolution), I am stuck right here.
Tomorrow I make an important call to the K's legal department. I'll learn what the half-life of that info is.
"If this were a dictatorship, it'd be a heck of a lot easier, just so long as I'm the dictator." —GWB Washington, D.C., Dec. 19, 2000
Martyred wrote: Hang in there, Whitey. Smart people are on their way with dictionaries.
War Wagon wrote:being as how I've got "stupid" draped all over, I'm not really sure.
- Mister Bushice
- Drinking all the beer Luther left behind
- Posts: 9490
- Joined: Fri Jan 14, 2005 2:39 pm
Not sure what you could do, unless you have the keys to the Kinko's use log server. The fucker who did it went to a public computer station.