Thursday, April 05, 2007

Monitoring and Investigation Lessons

Thanks to 27B Stroke 6 I learned that cybercriminal Jerome Heckenkamp (sorry Kevin, he's no "superhacker") will stay a criminal. The U.S. 9th Circuit Court of Appeals refused to overturn Heckenkamp's conviction. According to this DoJ announcement:

Mr. Heckenkamp's sentence results from his guilty pleas in January 2004 to two counts of gaining unauthorized access into a computer and recklessly causing damage, in violation of 18 U.S.C. §§ 1030(a)(5)(B). In pleading guilty, Mr. Heckenkamp admitted that he gained unauthorized access to eBay computers during February and March 1999. Using this unauthorized access, Mr. Heckenkamp admitted that he defaced an eBay Web page using the name "MagicFX," and that he installed "trojan" computer programs - or programs containing malicious code masked inside apparently harmless programs - on the eBay computers that secretly captured usernames and passwords that Mr. Heckenkamp later used to gain unauthorized access into other eBay computers.

Mr. Heckenkamp also admitted that he gained unauthorized access to Qualcomm computers in San Diego in late 1999 using a computer from his dorm room at the University of Wisconsin-Madison. Once he gained this unauthorized access, Mr. Heckenkamp admitted that he installed multiple "trojan" programs which captured usernames and passwords he later used to gain unauthorized access into more Qualcomm computers.


The new court decision involves the Qualcomm intrusion. The source of the intrusion was traced to UWM, where network investigator Jeffrey Savoy discovered that Heckenkamp's machine was attacking Qualcomm. Essentially, Savoy logged into Heckenkamp's machine to validate that it was the machine in question, and then contacted the authorities to physically visit Heckenkamp's dorm room.

I found these excerpts from the ruling (.pdf) to be noteworthy:

The government does not dispute that Heckenkamp had a subjective expectation of privacy in his computer and his dormitory room, and there is no doubt that Heckenkamp’s subjective expectation as to the latter was legitimate and objectively reasonable...

We hold that he also had a legitimate, objectively reasonable expectation of privacy in his personal computer...

The salient question is whether the defendant’s objectively reasonable expectation of privacy in his computer was eliminated when he attached it to the university network. We conclude under the facts of this case that the act of attaching his computer to the network did not extinguish his legitimate, objectively reasonable privacy expectations...

However, privacy expectations may be reduced if the user is advised that information transmitted through the network is not confidential and that the systems administrators may monitor communications transmitted by the user...

In the instant case, there was no announced monitoring policy on the network. To the contrary, the university’s computer policy itself provides that “[i]n general, all computer and electronic files should be free from access by any but the authorized users of those files. Exceptions to this basic principle shall be kept to a minimum and made only where essential to . . . protect the integrity of the University and the rights and property of the state.”

When examined in their entirety, university policies do not eliminate Heckenkamp’s expectation of privacy in his computer. Rather, they establish limited instances in which university administrators may access his computer in order to protect the university’s systems. Therefore, we must reject the government’s contention that Heckenkamp had no objectively reasonable expectation of privacy in his personal computer, which was protected by a screensaver password, located in his dormitory room, and subject to no policy allowing the university actively to monitor or audit his computer usage.
(emphasis added)

Wow, so far it's looking good for Jerome. So what happened?

Although we conclude that Heckenkamp had a reasonable expectation of privacy in his personal computer, we conclude that the search of the computer was justified under the “special needs” exception to the warrant requirement. Under the special needs exception, a warrant is not required when “ ‘special needs, beyond the normal need for law enforcement, make the warrant and probable-cause requirement impracticable.’ ”

If a court determines that such conditions exist, it will “assess the constitutionality of the search by balancing the need to search against the intrusiveness of the search..."

Here, Savoy provided extensive testimony that he was acting to secure the Mail2 server, and that his actions were not motivated by a need to collect evidence for law enforcement purposes or at the request of law enforcement agents. This undisputed evidence supports Judge Jones’s conclusion that the special needs exception applied.

The integrity and security of the campus e-mail system was in jeopardy... Under these circumstances, a search warrant was not necessary because Savoy was acting purely within the scope of his role as a system administrator. Under the university’s policies, to which Heckenkamp assented when he connected his computer to the university’s network, Savoy was authorized to “rectif[y] emergency situations that threaten the integrity of campus computer or communication systems[,] provided that use of accessed files is limited solely to maintaining or safeguarding the system.”

Savoy discovered through his examination of the network logs, in which Heckenkamp had no reasonable expectation of privacy, that the computer that he had earlier blocked from the network was now operating from a different IP address, which itself was a violation of the university’s network policies.

This discovery, together with Savoy’s earlier discovery that the computer had gained root access to the university’s Mail2 server, created a situation in which Savoy needed to act immediately to protect the system.


That is fascinating. Because administrator Savoy sought to protect university resources when he logged into Heckenkamp's computer, Savoy's search was justified. Heckenkamp also had no expectation of privacy in the network logs, and those same logs were what traced his computer to Qualcomm.
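The ruling's point that the network logs (not the host itself) showed a previously blocked machine back on the network under a different address is the monitoring lesson worth taking away. The script below is an added example, not code from the original post or from the ruling: it parses constructed dhcpd-style lease lines, keeps a constructed block list keyed by MAC address, and flags any blocked MAC that obtains a lease on a new IP. Every log line, address and host name in it is made up for illustration.

```python
"""
Added example (not from the original post or the ruling): correlate
constructed DHCP-style lease logs with a list of hosts that were blocked
by MAC address, and flag a blocked host that reappears under a new IP.
All log lines, addresses and names below are constructed sample data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed log lines in a dhcpd-like "DHCPACK on <ip> to <mac>" format.
SAMPLE_LOG = """\
Dec 20 09:01:12 dhcp-srv dhcpd: DHCPACK on 192.0.2.117 to 00:11:22:33:44:55 via eth0
Dec 20 09:15:40 dhcp-srv dhcpd: DHCPACK on 192.0.2.118 to 66:77:88:99:aa:bb via eth0
Dec 21 14:02:03 dhcp-srv dhcpd: DHCPACK on 192.0.2.120 to 00:11:22:33:44:55 via eth0
Dec 21 14:30:55 dhcp-srv dhcpd: DHCPACK on 192.0.2.118 to 66:77:88:99:aa:bb via eth0
"""

# Constructed block list: MAC address -> IP it held when it was blocked.
BLOCKED = {"00:11:22:33:44:55": "192.0.2.117"}

LEASE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    ts: str
    ip: str
    mac: str


def parse_leases(text):
    """Extract (timestamp, ip, mac) from each DHCPACK line; skip lines that don't match."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            leases.append(Lease(m["ts"], m["ip"], m["mac"].lower()))
    return leases


def find_reappearances(leases, blocked):
    """Return (mac, old_ip, new_ip, ts) for every lease where a blocked MAC shows up on a new IP."""
    hits = []
    for lease in leases:
        old_ip = blocked.get(lease.mac)
        if old_ip is not None and lease.ip != old_ip:
            hits.append((lease.mac, old_ip, lease.ip, lease.ts))
    return hits


def ip_history(leases):
    """Map each MAC to the ordered list of distinct IPs it has held, for the investigator's timeline."""
    hist = defaultdict(list)
    for lease in leases:
        if not hist[lease.mac] or hist[lease.mac][-1] != lease.ip:
            hist[lease.mac].append(lease.ip)
    return dict(hist)


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LOG)
    for mac, old, new, ts in find_reappearances(leases, BLOCKED):
        print(f"{ts}: blocked host {mac} (was {old}) now active at {new}")
    for mac, ips in ip_history(leases).items():
        print(f"{mac}: {' -> '.join(ips)}")
```

The correlation key is the MAC address rather than the IP, because the IP is exactly what changed in the scenario the ruling describes; the history function gives the investigator the per-host address timeline that a log review needs to show that the "new" machine is the "old" one.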

This may be one small step towards taking the fight to the enemy, but please be aware of the extremely limited nature of this event. I recommend reading the whole ruling (it's only 13 pages) for details.

Update: In Jennifer Granick's story she notes that Savoy logged into Heckenkamp's computer as user "temp" with password "temp", based on credentials found in a file on his mail server.

5 comments:

Kai Roer said...

It's interesting to see how it is OK for Savoy to break into the computer of Heckenkamp because he was protecting the university. It is a matter of US law, which is renowned for accepting behaviours of self-defence (Savoy was defending himself).
In Europe, this is not the case. Over here, only the police are allowed to "break in" to collect evidence.
I love your wit and comments, though :)

Sean D said...

This statement, "a situation in which Savoy needed to act immediately to protect the system," makes me wonder if they played on the ignorance of the court. If immediate action was required, why was the port on the switch not shut down? Why was the MAC not blocked? There were other methods by which immediate action could have been taken without the violation of the law.
I do not in any way condone the actions of Heckenkamp, just as I do not believe organizations (private or commercial) have a right to claim victimization when their ill-configured networks (mail2 server) and improperly trained staff (Mr. Savoy) become compromised.
Mr. Bejtlich, usually I agree with you on many of your views concerning security. But "one small step towards taking the fight to the enemy" I cannot agree with, as I see this as playing on the technical ignorance of the court and not a retaliatory strike or an offensive maneuver.

Richard Bejtlich said...

Sean,

Read the decision. Shutting down the port would not have achieved the goal of determining if the system in question (120) was the same as the one seen earlier (117). Logging in achieved that goal and allowed other defensive actions to take place.

Anonymous said...

How are we to believe Richard's statements when he can't get the facts straight? Consider his opening line, "...Jerome Heckenkamp will stay in jail."

It's been years since Jerome has been in jail. He has a great job and is currently living a very full and happy life.

Sorry Richard.

Richard Bejtlich said...

Anonymous,

Oh, that's right. Thanks for the info -- I updated my post. I got confused by all the voluntary time Mr. Uberhacker spent in jail. I figured he might still be there since he appeared to like that lifestyle.