The Lure_ The True Story of Ho - Steve Schroeder


THE LURE
THE TRUE STORY OF HOW THE DEPARTMENT OF JUSTICE BROUGHT DOWN TWO OF THE WORLD’S MOST DANGEROUS CYBER CRIMINALS
By Steve Schroeder

Course Technology PTR
A part of Cengage Learning
Australia, Brazil, Japan, Korea, Mexico, Singapore, Spain, United Kingdom, United States

The Lure: The True Story of How the Department of Justice Brought Down Two of the World’s Most Dangerous Cyber Criminals
By Steve Schroeder

Publisher and General Manager, Course Technology PTR: Stacy L. Hiquet
Associate Director of Marketing: Sarah Panella
Manager of Editorial Services: Heather Talbot
Marketing Manager: Mark Hughes
Acquisitions Editor: Heather Hurley
Project/Copy Editor: Kezia Endsley
Interior Layout Tech: William Hartman
Cover Designer: Luke Fletcher
Indexer: Sharon Shock
Proofreader: Megan Belanger

© 2012 Course Technology, a part of Cengage Learning. ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored, or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.

For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-800-354-9706. For permission to use material from this text or product, submit all requests online at cengage.com/permissions. Further permissions questions can be e-mailed to permissionrequest@cengage.com.

All images © Course Technology unless otherwise noted. All trademarks are the property of their respective owners.

Library of Congress Control Number: 2010926272
ISBN-13: 978-1-4354-5712-6
ISBN-10: 1-4354-5712-9
eISBN-10: 1-4354-5713-7

Course Technology, a part of Cengage Learning
20 Channel Center Street
Boston, MA 02210
USA

Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: international.cengage.com/region. Cengage Learning products are represented in Canada by Nelson Education, Ltd. For your lifelong learning solutions, visit courseptr.com. Visit our corporate Web site at cengage.com.

Printed in the United States of America
13 12 11

To my wonderful wife, Cheryl, and our five great children, Jessica, Andrea, Molly, Chris, and Reid, whose unflagging support for this project made it possible.

About the Author

Steve Schroeder grew up in the Bitterroot Valley in western Montana and attended the University of Washington, where he graduated in 1968. Following three years of duty as a Marine Officer, he attended the University of San Diego School of Law, earning a J.D. in 1974. He was a trial attorney and an Assistant United States Attorney for the United States Department of Justice from 1974 until his retirement in July 2002. He specialized in white-collar crime and corruption prosecutions until 1992, when he prosecuted his first computer crime case, an intrusion into the Federal Court House network. From that point on, he became immersed in the growing field of computer crime cases. He became a charter member of the Department of Justice Computer and Telecommunications Coordinator program at its inception in 1995. He was a member of the national working group that advises the Attorney General on computer crime issues, and is a frequent lecturer on computer crime and electronic evidence. He is currently an Adjunct Professor at Seattle University School of Law, where he teaches Computer Crime. He has also taught computer forensics in the Department of Computer Science and Software Engineering at Seattle University, and is a Senior Lecturer at the University of Washington, where he teaches a class on Computer Forensics and the Law. He currently lives in the Seattle, Washington, area with his wife, Cheryl, with frequent visits from their five grown children.

Acknowledgments

The many people who have given me a leg up during the course of my career are too numerous to list. (It is tempting to attempt to do so, however, as each person named is more likely to buy a copy of this book.) The contribution of Phil Attfield to both the success of this case and to the advancement of my own knowledge should be evident to anyone who reads this book. Curtis Rose and Kevin Mandia, whose consummate professionalism was inspirational, helped me get my foot in the door at the publishing world. I owe much of my enthusiasm for computer crime problems to Scott Charney and Marty Stansell-Gamm, the first two Chiefs of the Computer Crime and Intellectual Property Section. Both were instrumental in creating a national computer crime program that became a model for the world. It was noteworthy for its emphasis on practical solutions to nascent problems in cyberspace that had real-world analogies.

The FBI hierarchy has a perhaps well-deserved reputation for being stuffy. The working agents—the men and women of the FBI who investigate cases—are the best of the best. The public should feel privileged to have them watching their backs. In this case, Special Agents Dana Macdonald, Marty Prewett, Mike Schuler, Melissa Mallon, Milan Patel, and Marty Leeth reflect great credit on law enforcement. Leslie Sanders, who created and managed the digital images used in the trial, was an asset beyond belief. My Legal Assistant, Sal Nouth, was truly a partner on the case, handling the difficult document preparation, as well as keeping happy the numerous out-of-town witnesses who were subpoenaed for the trial. Her tireless efforts and unfailing good humor were assets of incalculable value.

Among my numerous friends and colleagues at the United States Attorney’s Office in Seattle, several enthusiastically supported my involvement in the national computer crime program. United States Attorney Kate Pflaumer was among the first in the nation to recognize the importance of developing a national computer crime program, and welcomed my interest. Mark Bartlett, as Criminal Chief and First Assistant United States Attorney, not only endorsed the program, but had my back, protecting me from having too many routine ankle-biter cases assigned that might interfere with my duties as Computer and Telecommunications Coordinator. Finally, my colleague Floyd Short jumped into the case on rather short notice, bringing his considerable knowledge and drive to the case.

Other local colleagues provided unstinting support. My friend Ivan Orton at the King County Prosecutor’s Office was a pioneer in the computer crime arena, and has been my primary resource in the field over the years, beginning at a time when the two of us were the only people in the state who were working those cases. Dr. Barbara Endicott-Popovsky, the Director of the Center for Information Assurance and Cybersecurity at the University of Washington, sponsored my entry into academia at Seattle University and the University of Washington. Also, a tip of the hat is due to Kirk Bailey, the charismatic founder of the Agora, the regional gathering of cyber security professionals. His support of the Gorshkov prosecution was central, not least his introduction of Phil Attfield to the case.

My editors at Cengage Learning, Kezia Endsley and Heather Hurley, provided support and expert feedback with unfailing good humor, even in the face of the seemingly interminable delays in getting the manuscript cleared by the Department of Justice. A special thanks is due to Vernon Lewis at the Executive Office for U.S. Attorneys for his efforts to move the review process forward.

Finally, the importance of the support of my cherished wife, Cheryl, and our talented children, Jessica, Andrea, Molly, Chris, and Reid, throughout the process of writing this book cannot be overstated. Their unflagging belief in the project carried me
through the rough spots.

Contents

Introduction  xiii

Part I: The Investigation

Chapter 1: Speakeasy
  The Birth and Evolution of the Internet  5
  An Intruder Enters Speakeasy  7
  Speakeasy Responds  12
  An Important Customer Is Harmed  14

Chapter 2: The Investigation Begins  19
  The Landmark Privacy Act Case  21
  The Secret Service Gets Involved  21
  Steve Jackson Games Sues the Secret Service  23
  Aftermath  24
  Steve Schroeder Becomes an Assistant United States Attorney and Moves to Seattle  25
  Steve Becomes a Computer Crime Specialist  26
  The Seattle FBI Office Forms a Computer Crime Squad  28
  Amazon.com Is Defrauded from Russia  30

Chapter 3: The Lure  33
  Multi-District Cooperation Begins  34
  Online Information Bureau in Connecticut Is Hacked  35
  The Investigation Expands  36
  Defeated by the Young Hacker, Lightrealm Attempts to Co-Opt Him  38
  The Lure Begins  40
  “Invita” Is Born  40
  Vasily Gorshkov Puts in an Appearance  44
  A Honeynet Is Created to Test the Hackers’ Skills  47
  Alexey Demonstrates His Skill  51

Chapter 4: The Sting  55
  The Russian Hackers Arrive in Seattle  57
  At the Undercover Site  60
  While Alexey Views Websites, Vasily Takes Charge  62
  Gorshkov Connects to tech.net.ru  65
  Gorshkov Continues to Display His Knowledge  66
  The Take-Down  72

Chapter 5: In Custody  75
  The Ivanov Interview  76
  Gorshkov’s Interview  78
  The Prosecutors Stand By  80
  The Interviews Resume  81
  A Lawyer Is Arranged for Gorshkov  83
  The Russians Have Their First Appearance in Court  85
  Special Agent Schuler Connects to the Russian Computers  86
  Special Agent Schuler Gets Expert Help  88
  The Department of Justice Is Informed of the Initial Download  89
  The Downloads Are Vetted  91

Chapter 6: PayPal  95
  The National Infrastructure Protection Center Offers Its Help  96
  Floyd Short and Phil Attfield Join the Team  97
  User Accounts Are Scrutinized  100
  The Trial Is Postponed Until Spring  102
  PayPal and eBay  103
  How Hackers Got In—Or Did They?  105
  Greg Stivenson Makes an Appearance  108
  Steve and Marty Visit PayPal  110
  John Kothanek Refines His Loss Figures  114
  Tad Brooker, an Online Seller of Computer Components, Ships Processors to Greg Stivenson in Kazakhstan  117

Chapter 7: A (Not So) Brief Primer on National Security Investigations  119
  Technology Always Evolves Faster than the Law  120
  The Supreme Court Limited the Applicability of the Fourth Amendment to Searches Involving Physical Trespass  121
  Nearly 40 Years Later, the Fourth Amendment Was Reinterpreted to Cover Telephone Conversations  122
  Were Wiretaps Simply General Searches?  123
  How Could Law Enforcement Particularly Describe Conversations that Had Not Yet Taken Place?  124
  As the Telephone Replaced Physical Letters as a Means of Communication, the Government’s Ability to Lawfully Seize Communications Eroded  125
  The Standard Quickly Evolves to Allow Limited Wiretaps  126
  Domestic Security Wiretaps Are Covered by the Fourth Amendment  127
  What About Foreign Intelligence Gathering?  128
  How the Fourth Amendment Affects Foreign Intelligence Surveillance  130

Chapter 8: The Motion to Suppress and Preliminary Skirmishing  133
  Privacy Laws and Precedent on the Internet  135
  The David Case Had Something for Everybody  136
  Courts in the U.S. Lacked Jurisdiction to Issue a Warrant to Seize Information in Russia  137
  The Temporary Impounding of Evidence to Protect It from Destruction Is Generally Okay  139
  “Search” and “Seizure” Are Not the Same Thing  140
  The Act of Copying the Information Did Not Amount to a Seizure  141
  District Judge John Coughenour Is a Quick Study  142
  The Hearing Begins  144
  The Sentencing Guidelines Discussed  148
  U.S. Requests for Assistance Went Unacknowledged  151
  Communications Regarding Gorshkov Are Introduced  154
  Gorshkov’s Interview  158
  The Undercover Agent Testifies  159
  Eliot Lim Takes the Stand  161
  The Cross-Examination of Eliot Lim  164
  Mike Schuler Takes the Stand  166
  Robert Apgood Testifies as a Defense Witness  168

Chapter 9: Preparing for Trial  177
  The FBI’s Download of Data from Russia Had Not Run Afoul of the Fourth Amendment  179
  A Final Continuance  181
  Paperless Trials Are Not Really Paperless  182
  A Creative Solution Is Found  183
  Alchemy Did Not Turn Lead into Gold, but It Worked Pretty Well  184
  The Case for CTS, eBay, and PayPal  184
  Assessing the Damage to PayPal  185
  Assessing the Damage to eBay  185
  Assessing the Damage to CTS  189
  The Successful Trip Wraps Up  199
  The Case for Credit Cards and Banks  200
  The National Infrastructure Protection Center at FBI Headquarters Issues an Advisory, Warning the IT Community of the Activities from Russia  203

Part II: The Trial

Chapter 10: The Trial Begins  207
  Early Skirmishing  208
  The Jury Is Empanelled  211
  The Government’s Opening Statement  211
  The Defense’s Opening Statement  215
  The Trial Proper Begins  220
  Special Agent Patel Introduces the Communications with the Defendant  222
  Special Agent Mallon Sets the Scene  225
  The Jurors Hear Gorshkov Talking About His Company  226
  The Undercover Recording Is Played  226
  The Parties Had Some Disputes Over the Transcript  227
  The FBI’s Russian Language Expert Authenticates the Transcript  228
  Curtis Rose of Sytex Explains the Hacks into His System  231
  The Cross-Examination of Curtis Rose  240
  The Trial Day Was Over, but the Work Was Not  244
  Issues with the Transcript, Revisited  244
  The Taped Telephone Conversation with Alexey Is Played  246
  The Undercover Videotape Is Played  248
  Ken Kanev Cross-Examines on the Recordings  250
  Redirect and Day’s End  255

Chapter 11: The Download Revisited  257
  The Trial Is Delayed  258
  Witnesses Had to Be Rescheduled  260
  The Trial Re-Commences with Technical Evidence  260
  Rob Apgood Cross-Examines Eliot  264
  On Redirect, Eliot Is Allowed to Clear Up Possible Confusion  268

Appendix E Exhibit List

952  File named A192.168.0.1-192.168.0.255.log from bd directory
953  File named dir from bd directory
954  File named dirlist_c from bd directory (first 10 and last pages)
955  File named dirlist_d from bd directory (first 10 and last pages)
956  File named dirlist_e from bd directory (first 10 and last pages)
957  File named ipconfig.log from bd directory
958  File named mount.log from bd directory
959  File named net_view.lo1 from bd directory
960  File named net_view.log from bd directory
961  File named netstat.log from bd directory
962  File named pwdump.log from bd directory
963  File named serv.log from bd directory
964  File named serv1.log from bd directory
965  Executable named 1433.exe from bd directory (pages 1, 12, 13, and 19-21)
966  Executable named 21.exe from bd directory (pages 1, 12, 13 and 19-21)
967  Executable named 26405.exe from bd directory (pages 1, 12, 13, 19-21)
968  Executable named gzip.exe from bd directory (pages 1 and 10-19)
969  Executable named kill.exe from bd directory
970  Executable named lomscan.exe from bd directory (pages and 14-19)
971  Executable named lsaprivs.exe from bd directory (pages and 7-10)
972  Executable named mount.exe from bd directory
973  Executable named ntalert.exe from bd directory (pages 1, 12, 13 and 19-21)
974  Executable named proxy.exe from bd directory (pages and 38-44)
975  Executable named pslist.exe from bd directory (pages and 10-13)
976  Executable named pwdump.exe from bd directory (pages and 9-12)
977  Executable named redirect.exe from bd directory (pages and 8-10)
978  Executable named serv.exe from bd directory (pages and 7-10)
979  Executable named startcmd.exe from bd directory (pages 1, 5, and 11-12)
980  Executable named transcmd.exe from bd directory (pages 1, 7, and 13-15)
981  Executable named zip.exe from bd directory (pages and 25-31)
982  emoney_in.emoneyin2 (customer database (with CC #’s) belonging to Emoney) (pages 1-25; 578 and 579) (cd2.tar.gz > cd2/ctsavi.7.19/emoney_in.emoneyin2)
983  Backup_Orders.txt.TestVendor (first 25 pages and last page) (cd3.tar.gz > cd3/fsi/fsiwebs_ccs_arc.gz > fsiwebs_ccs_arc > fsiwebs_ccs/Backup_Orders.txt.TestVendor)
984  Backup_Orders.txt.Capresso (first 25 pages and last pages) (cd3.tar.gz > cd3/fsi/fsiwebs_ccs_arc.gz > fsiwebs_ccs_arc > fsiwebs_ccs/Backup_Orders.txt.Capresso)
985  Backup_Orders.txt.ePhonecard (first 25 pages and last pages) (cd3.tar.gz > cd3/fsi/fsiwebs_ccs_arc.gz > fsiwebs_ccs_arc > fsiwebs_ccs/Backup_Orders.txt.ePhonecard)
986  Backup_Orders.txt.Pelikan (first 25 pages and last pages) (cd3.tar.gz > cd3/fsi/fsiwebs_ccs_arc.gz > fsiwebs_ccs_arc > fsiwebs_ccs/Backup_Orders.txt.Pelikan)
987  Backup_Orders.txt.RoyalCrownWigs (first 25 pages and last page) (cd3.tar.gz > cd3/fsi/fsiwebs_ccs_arc.gz > fsiwebs_ccs_arc > fsiwebs_ccs/Backup_Orders.txt.RoyalCrownWigs)
988  websites.zip (cd1.tar.gz > cd1/ctsavi/websites.zip)
990  E-mail message from Alexey Ivanov to Jim Fitzgerald of CTS, dated July 1, 2000
991  List of files in ctsavi/[space] directory (cd1.tar.gz > cd1/ctsavi/ /)
992  su.c (cd1.tar.gz > cd1/ctsavi/ /su.c)
993  su.log (cd1.tar.gz > cd1/ctsavi/ /su.log)
994  PERL scripts relating to PayPal
994A Email from J. Fitzgerald transmitting same
995  boydurak CTS Account documents
996  skyhuy CTS Account documents
997  brian123 CTS Account documents
998  skyfly CTS Account documents
999  ctsavi CTS Account documents
999A subbst and subbsta CTS Account documents

K  LIGHTREALM COMMUNICATIONS (HOSTPRO)

1001 talk_with_mike (correspondence between IVANOV and Mike Smith) (tech.net.ru: /home/subbsta/enc/disk1.tar > /disk1/subbsta/s.tgz > /Stuff/Stuff/Users/subbsta/work/lightrealm/talk_with_mike)
1002 mbox (e-mail correspondence to and from IVANOV) (tech.net.ru: /home/subbsta/ne/soft/mbox)
1003 bp (business plan) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Users/subbsta/work/lightrealm/bp)
1004 bero (e-mail to Ray Bero, Lightrealm) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Users/subbsta/work/lightrealm/mail/bero)
1005 bero@lightrealm.com-1 (correspondence between IVANOV and Ray Bero, Lightrealm) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Users/subbsta/work/lightrealm/mail/bero@lightrealm.com-1)
1006 bero@lightrealm.com-2 (correspondence between IVANOV and Ray Bero, Lightrealm) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Users/subbsta/work/lightrealm/mail/bero@lightrealm.com-2)
1007 bero@lightrealm.com-3 (correspondence between IVANOV and Ray Bero, Lightrealm) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Users/subbsta/work/lightrealm/mail/bero@lightrealm.com-3)
1008 bero@lightrealm.com-4 (correspondence between IVANOV and Ray Bero, Lightrealm) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Users/subbsta/work/lightrealm/mail/bero@lightrealm.com-4)
1009 bero@lightrealm.com-6 (correspondence between IVANOV and Ray Bero, Lightrealm) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Users/subbsta/work/lightrealm/mail/bero@lightrealm.com-6)
1010 jyoung@vservers.com (e-mail address for J. Young at Lightrealm) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Users/subbsta/work/lightrealm/mail/jyoung@vservers.com)
1011 msmith@lightrealm.com-1 (correspondence between IVANOV and Mike Smith, Lightrealm) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Users/subbsta/work/lightrealm/mail/msmith@lightrealm.com-1)
1012 msmith@lightrealm.com-2 (correspondence between IVANOV and Mike Smith, Lightrealm) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Users/subbsta/work/lightrealm/mail/msmith@lightrealm.com-2)
1013 msmith@lightrealm.com-3 (correspondence between IVANOV and Mike Smith, Lightrealm) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Users/subbsta/work/lightrealm/mail/msmith@lightrealm.com-3)
1014 msmith@lightrealm.com-4 (correspondence between IVANOV and Mike Smith, Lightrealm) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Users/subbsta/work/lightrealm/mail/msmith@lightrealm.com-4)
1015 msmith@lightrealm.com-5 (correspondence between IVANOV and Mike Smith, Lightrealm) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Users/subbsta/work/lightrealm/mail/msmith@lightrealm.com-5)
1016 msmith@lightrealm.com-6 (correspondence between IVANOV and Mike Smith, Lightrealm) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Users/subbsta/work/lightrealm/mail/msmith@lightrealm.com-6)
1017 AVI_Resume.txt (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Users/subbsta/Resumes/AVI_Resume.txt)

LIGHTREALM CUSTOMERS’ DATABASES FOUND ON TECH.NET.RU

1050 orderhandler.cg (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/orderhandler.cg)
1051 orders.tx1 (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/orders.tx1)
1052 orders.tx5 (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/orders.tx5)
1053 orders_1.xls (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/orders_1.xls)
1054 orders_2 (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/orders_2)
1055 pluscellular.com-1999.10.08 (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/pluscellular.com-1999.10.08)
1056 pluscellular.com~orders-1999.10.25 (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/pluscellular.com~orders-1999.10.25)
1057 www.alderac.com (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/www.alderac.com)
1058 www.alderac.com~orders-1999.10 (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/www.alderac.com~orders-1999.10)
1059 www.a-market.com~orders-1999.10.08 (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/www.a-market.com~orders-1999.10.08)
1060 www.bowwowvw.com~orders-1999.10.10 (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/www.bowwowvw.com~orders-1999.10.10)
1061 www.comunicacion.com (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/www.comunicacion.com)
1062 www.pluscellular.com (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/pluscellular.com)
1063 www.portolano.com~orders-1999.1 (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/www.portolano.com~orders-1999.1)
1064 www.richmondhillinn.com~Jan-23-2000 (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/www.richmondhillinn.com~Jan-23-2000)
1065 www.richmondhillinn.com~orders.10.09 (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/www.richmondhillinn.com~orders.10.09)
1066 www.sa-trading.co.za (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/www.sa-trading.co.za)
1067 www.sa-trading.co.za~orders-1999.10.08 (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/www.sa-trading.co.za~orders-1999.10.08)
1068 www.supoutlet.com (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/www.supoutlet.com)
1069 www.supoutlet.com~orders-1999.11.20 (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/www.supoutlet.com~orders-1999.11.20)
1070 www.uspaintball.com (Database (formatted) of customers and CC#’s of Lightrealm client) (tech.net.ru: /home/subbsta/enc/disk1.tar > disk1/subbsta/s.tgz > /Stuff/Stuff/Carding/CreditCards/www.uspaintball.com)
1071 merchants (tech.net.ru: /home/subbsta/enc/disk1.tar > /disk1/subbsta/s.tgz > /Stuff/Stuff/Hack/Domains/com/lightrealm/merchants)
1072 credit_cards (tech.net.ru: /home/subbsta/enc/disk1.tar > /disk1/subbsta/s.tgz > /Stuff/Stuff/Hack/Domains/com/lightrealm/credit_cards)

L  MISCELLANEOUS BUSINESS RECORDS

1151 FDIC Certificate of Proof of Insured Status for Nara Bank
1152 FDIC Certificate of Proof of Insured Status for Central National Bank

M  OTHER EXHIBITS

1E   Excerpt of transcript of Exhibit
A-1  Hacker notes maintained by Cliff Brown, EDE (E-Money)
A-2
A-3  Tech.Net.Ru tar listing
A-4  kvakin-home directory listing (Windows Format)
A-5  Web page
A-6  Web page
A-7  Web page
A-8  Web page
A-9  Web page

Index

Numerics
9-1-1 system (BellSouth), 21–25
1337 (elite hacker jargon), 14–15

A
ACH (Automatic Clearing House) transaction, 111–112
ad hominem, 430
Advanced Research Projects Agency Network (ARPAnet), 5–6
advisory, NIPC, 203–204
Air Force Office of Special Investigations, 22
Albrecht, Brad, 44–45
Alchemy program, 184
Amazon.com, 30–32
American Express, 306–308
American Registry for Internet Numbers (ARIN), 273
American Standard Code for Information Interchange (ASCII), 182
Apgar, Mike, 4, 11
Apgood, Robert
  cross-examination of Lim, 264–268
  as defense witness, 168–174
appeal rights, 445–447
ARIN (American Registry for Internet Numbers), 273
Arizona v. Hicks, 141
ARPAnet (Advanced Research Projects Agency Network), 5–6
arrest, Gorshkov and Ivanov, 72
ASCII (American Standard Code for Information Interchange), 182
Attfield, Phil
  cross-examination of, 342–353, 355–358
  on file system reconstruction, 345–351
  on password-cracking program, 326–328
  PERL script explanation, 322–323, 335–338
  recruitment of, 98–102
  testimony, 314–315, 318–320, 324
authentication of CTS evidence, 304–306
authentication of transcript, 228–231

B
bank intrusion, 200–203, 288–290
bash history files, 337
Basic computer language, 405
Basic Input Output System (BIOS), 310–311
Beck, James, 20
BellSouth 9-1-1 system, 21–25
Bennett, Bob (law firm), 34
Berger v. New York, 122
Bero, Raymond, 37–39, 361–363
BIOS (Basic Input Output System), 310–311
Blankenship, Lloyd, 22–23
Boldt Decision (United States v. Washington), 25
bot, 371
BP Radio (Broadcast Programming), 14–17
Brooker, Tad, 117–118, 375

C
Califano, Mark, 34
California Civil Code, 16
carders, 451
CART (Computer Analysis and Response Team), 96, 309–311
CCIPS (Computer Crime and Intellectual Property), 27–28
Central National Bank-Waco, 203, 519
Certification of Service, 472–478
Chandler, Max, 9–11
Charney, Scott (CCIPS), 27
Chelyabinsk, Russia, city, 12
Christie, Scott, 40
Christmas Eve, 1999, 13
Citibank, 201–202
Classified Information Procedures Act, 148, 150
closing arguments
  of counsel, 421–429
  defense, 429–431
  exhibit, 422
CNBWaco, 203, 519
co-conspirator, 320
complex case, 376–378
Computer Analysis and Response Team (CART), 96, 309–311
Computer Crime and Intellectual Property (CCIPS), 27–28
computer crime specialist, 26–28
Computer Crime Squad, 28
Computer Fraud and Abuse Act, 26–27, 30
Computer Security Institute (CSI), 20
consular notification, 80
Coughenour, John, 142–144
counterfeiting, 21
cracker, 241
Crontab exploit, 10
cross-border search or seizure, 92
cross-examination
  Attfield, 342–353
  Gorshkov, 414–420
  Kim, 294
  Lim, 164–166, 264–268
  process, 342
  on recording, 250–255
  Rose, 240–244
  Schuler, 278–280
  technical, 280–281
CSI (Computer Security Institute), 20
CSI/FBI Survey, 20
CTS Network Service
  authenticated and admitted evidence, 304–306
  damage assessment, 189–199
  Exhibit List, 523–527
  review of evidence, 192–194
  threatening email to, 195
  undertaking to co-opt hacker, 194–199
  witnesses, 294–295
CuteFTP program, 90, 276, 358

D
daemon, 10
damage assessment
  CTS Network Service, 189–199
  eBay, 185–189
  PayPal, 185
Daubert v. Merrell Dow Pharmaceuticals, Inc., 298
DCC (Direct Client to Client), 11
De Louraille, Philip, 368–375
defense
  closing arguments, 429–431
  opening statement, 215–220
defense case concerns, 385–387
defense witness, 168–174
Delphi computer language, 405
Department of Defense, 22
dictionary attack, 326–327
Direct Client to Client (DCC), 11
DNS (Domain Name System),
Downing, Richard, 89
download
  Department of Justice informed of, 89–91
  FBI download of Russia data, 179–181
  media interest assumption, 91–92
  seeking search warrant for, 91–94

E
eavesdropping, 120
eBay
  damage assessment, 185–189
  Exhibit List, 519
  fraudulent inquiries identified, 368–374
  history of, 186–187
  intrusion, 103
elite hacker jargon (1337), 14–15
E-Money, Inc., 198
evidence
  Federal Rules of Evidence, 393
  temporary impounding of, 139–140
Executive Order 13010, 28
exhibit
  BP Radio customer information compromise, 14–15
  closing argument, 422
  eBay feedback file, 374
  eBay log file, 370
  eBay new item configuration, 372
  email solicitation, 376
  Exhibit List, 302–303, 506–531
  king.cts.com bd directory, 326
  L0phtCrack program output, 328
  Memphis School District fax, 285
  MyOwnEmail domain names, 334
  PERL script, 300
  scanning program output, 330
  spam solicitation, 287
  Speakeasy network,
  stolen credit card account, 426
  stolen password, 424
  tech.net.ru directory tree, 329
  user account directory mail, 351
  Verio related directories, 365
expert witness
  allowance to express opinion, 297–300
  on PERL script, 295–297
“eyeball” computer, 8, 12–14

F
Farrell, Joseph, 333–335
Federal Court etiquette, 339
Federal Criminal Code (Title 18), 42
Federal Detention Center, 446
Federal Rules of Criminal Procedure (Rule 15), 43
Federal Rules of Evidence, 393
Federal Sentencing Guidelines, 113, 148–151
final continuance, 181–182
Financial Services, Inc., 40
firewall,
foreign intelligence gathering, 128–130
foreign intelligence surveillance, 130–132
Fourth Amendment
  FBI download of Russia data, 179–181
  foreign intelligence surveillance, 130–132
  reinterpretation, 122–123
  Supreme Court limiting applicability of, 121–122
  views, 120–121
  wiretapping and, 123–128
freebas.tech.net.ru directory tree, 101–102
FTP program, 90–91, 320

G
G8 (Group of Eight) conference, 99
GID (group ID), 358
Gorshkov, Sergei (brother of Vasily), 401–403
Gorshkov, Vasily
  arrest of, 72
  arrival in Seattle, 57–59
  cross-examination, 414–420
  display of hacking knowledge, 66–72
  home directory as incriminating evidence, 321–322
  interview, 78–83, 158, 272–273
  introduction of communications regarding, 154–158
  lawyer assigned to, 83–85
  password-cracking program, 326–328
  sentencing, 441–445
  testimony, 403–414
Government’s opening statement, 211–214
Government’s Response, 472–496
“Grace” server, 8, 12

H
Hacker Quarterly, The, 24
hacker vs. cracker, 241
hacking tools, 329–331
Harrington, Perry, 366–367
hash, 310
hearing, 144–148
hearsay rule, 307
Hillier, Tom, 83–84
Holland, Tom, 29–30

I
ICVerify machine,
Illinois v. McArthur, 140
“Illuminati” computer billboard, 22–23
Immigration and Naturalization Service project, 26, 99
Indian fishing rights case, 25
Internet birth and evolution, 5–7
Internet protocol directory, 273
interview
  Gorshkov, 78–83, 158, 272–273
  Ivanov, 76–78
investigation
  computer crime squad formation, 28, 30–31
  Fourth Amendment and, 120–123
  Secret Service involvement, 21–23
  technological advancement and, 120–130
Invita company (fictitious business)
  Exhibit List, 506–508
  Gorshkov puts in appearance, 44–46
  initial contact with Ivanov, 40–45
  test network, 236
IP address, 8, 273
IRC chat,
ISDN line, 17
IT fear of reporting security incidents, 20–21
Ivanov, Alexey
  arrest of, 72
  arrival in Seattle, 57–59
  background and personality, 449–455
  demonstration of skill, 51–53
  file, script, and program Exhibit List, 508–509
  initial discussions with Speakeasy, 8–12
  initial testing of hacker skills, 47–50
  interview with, 7, 76, 78
  Invita initial discussion with, 40–45
  Online Information Bureau hack, 34–39
  original place of residence, 12
  taped telephone conversation with, 246–248

J
Jackson, Steve (Games), 22–24
John Marshall Award (Schroeder), 26
jurisdiction, 137–139
jury, 211

K
Kanev, Ken, 147–148
Katz v. United States, 126
Kill.exe command, 302
Kim, Joseph, 288–290
  cross-examination, 294
  Nara Bank intrusion explanation, 288–293
Kluepfel, Henry (BellSouth), 21–22
Kothanek, John, 105–112, 114–117
Kumho Tire Co. Ltd. v. Carmichael, 299

L
L0phtCrack program, 326–328
LAN (local area network),
LANMAN (Local Area Network Manager), 326
leading questions, 352
Leeth, Marty, 57, 159–161
Lightrealm
  Bero as witness, 361–363
  Exhibit List, 527–531
  intrusion, 37–39
Lim, Eliot
  assistance in question, 281–284
  cross-examination, 164–166, 264–268
  recruitment, 88–90
  testify, 161–164
Litschewski declaration, 174–175
local area network (LAN),
Local Area Network Manager (LANMAN), 326
log files, 344–345
Lomscan.exe command, 302
lure
  fictitious company formation, 40–46
  Ivanov demonstration of skill, 51–53
  multi-district cooperation, 34–39
  testing of hackers’ skills, 47–50

M
MacDonald, Dana, 28–29, 56–57
Madison, James, 121
Mallon, Melissa, 60, 225
Material Witness, 43
Micron Electronics, Inc., 39
Microsoft Sequel Server service, 322
Mingazov, Rustam, 31–32, 79
MLAA (Mutual Legal Assistance Agreement), 151
MLAT (Mutual Legal Assistance Treaty), 93
Moscow Times, The, 448
Motion to Continue, 181–182
Motion to Suppress, 134–137, 142, 144
mount.exe command, 302
multi-district cooperation, 34–39
Mutual Legal Assistance Agreement (MLAA), 151
Mutual Legal Assistance Treaty (MLAT), 93
MyOwnEmail company, 333–335 N Nara Bank Exhibit List, 516–518 intrusion, 288–290 Nasirov, Murat, 104 negative publicity, 20 NetBIOS (Network Basic Input/Output System), 237–238 New York Liquor Authority, 122–123 NIPC (National Infrastructure Protection Center), 28, 96–97, 203–204 NT password hash, 326 O ODBC (Open Database Connectivity), 49 OIB (Online Information Bureau), 35 Olmstead v United States, 120 Omidyar, Pierre, 186 opening statement defense, 215–220 Government, 211–214 Order, 498–504 overt act, 84 ownership and control of file, 100 P paperless trial, 84, 182–183 password sniffer, 13 password-cracking program, 326–328 Patel, Milan, 41, 44, 222–225 Patriot Act, 440 Patterson, Mike (undercover name), 41–42 PayPal damage assessment, 185 Exhibit List, 519–521 functioning of, 103 intrusion, 104–118 presentation of evidence, 378–381 PERL script, 50, 103 analysis, 322–325 exhibit, 300 expert witness on, 295–297 explanation of, 335–337 opening of email account designed, 331–333 solded script, 335 Phoenix computer billboard, 22 Piro, Craig, 306–308 postgres computer, 11 postponement, 102–103 presidential campaigns, 22 Prewett, Marty, 29–31, 41, 44 Privacy Act case, 21–25 privacy law, 135–136 prosecution, 80–81 proxy, 104 537 The Lure proxy.sql analysis, 323–325 Pslist.exe command, 302 Putt, Archibald (Putt’s Law), R “rain forest puppy” (RFP), 331 RDS (Remote Data Service) program, 49 reasonable doubt, 422 rebuttal, 431–435 reciprocity, 92–93 request for assistance, 151–154 RFP (“rain forest puppy”), 331 RIPE (Réseaux IP Européens), 273 Rose, Curtis, 47 cross-examination of, 240–244 explanation of computer system hack, 231–239 Rule 15 (Federal Rules of Criminal Procedure), 43 Russia criminal case, 447–448 map, 12 perspective on hacking and computers, 452–453 Russian Consulate, 81 S scanning program, 330 Schroeder, Steve Amazon defrauded from Russia investigation, 30–32 as Assistant U.S Attorney, 25–26 as computer crime specialist, 26–28 and Computer Crime Squad, 
28–30 hearing begins, 145–147 Immigration and Naturalization Service project, 26 John Marshall Award, 26 Public Integrity Section, D.C., 25 retirement, 440–441 United States Justice Department prosecutor, 25 white-collar crime and corruption cases, 26 538 Schuler, Mike, 40, 86–88, 166–168 cross-examination, 278–280 Russian computer connection, 86–89 as witness, 269–272 script kiddie, 14–15 search and seizure, 140–142 search warrant affidavit, 84–85, 91 Secret Service BellSouth 9-1-1 system involvement, 21–25 roles, 21–22 Steve Jackson Games versus, 23–24 sector, 315 security birth of Internet, 6–7 IT fear of reporting incident, 20–21 Security Survey, 20 Segura v United States, 139 seizure, 137–142 Semenov, Maxim, 398–401 sentencing, 441–447 Sentencing Commission, 442 Sentencing Guidelines, 113, 148–151 Short, Floyd, 29, 97–100 Skoll, Jeff, 186 Smith, Mike, 37 Smith, Shawn (BP Radio), 14–17 spam solicitation exhibit, 287 Speakeasy, Inc BP Radio compromise, 14–17 credit card transaction, development and early management, 4–5 Exhibit List, 514–515 eyeball computer, 8, 12–14 Grace server, 8, 12 initial discussions with Alexey Ivanov, 7–12 local area network (LAN), network, 8–9 Spector Net, 13 SQL Server service, 322 SQL (Structured Query Language), 47–49 St Clair County Intermediate School District evidence, 284–287 Exhibit List, 522–523 Index Stansell-Gamm, Marty, 27, 89 sting Gorshkov display of hacking knowledge, 66–72 initial discussion with Ivanov and Gorshkov, 62–64 Russian hackers arrival, 57–59 undercover site arrival, 60–62 stipulation, 267 Stivenson, Greg, 104, 108–110 Stoller, Andreas, 7–12 Stored Communications Act, 23–24 Structured Query Language (SQL), 47–49 SuperScan tool, 51, 309 superseding indictment, 460–469 surnet.ru, 11 surveillance foreign intelligence, 130–132 wiretapping, 61, 123–128 Sytex, Inc., 47–50 T take-down, 66–72 tape recording cross-examination on, 250–255 Ivanov telephone conversation, 246–248 review of, 226–227 tar command, 219 
TCPDump, 47 TCP/IP (Transmission Control Protocol/Internet Protocol), tech.net.ru system diagram, 100 directory tree diagram, 329 Exhibit List, 509–514 telnet connection, 276–277 workplace, 271 technological advancement, 120–130 telephone proliferation, 125 test network, Invita company, 236 Title 18 (Federal Criminal Code), 42 transcript authentication of, 228–231 dispute, 227–228 revisited issues, 244–245 Transmission Control Protocol/Internet Protocol (TCP/IP), trespass, 120–122 trial authentication of transcript, 228–231 communications with defendant, 222–225 Curtis Rose testimony, 231–244 defense’s opening statement, 215–220 delay in, 258–260 early skirmishing, 208–210 Government’s opening statement, 211–214 jury empanelling, 211 setting the scene, 225 shortening, 315–318 tape recording playback, 226–227 transcript disputes, 227–228 trial postponement, 102–103, 181–182 trial preparation briefing, 178 credit card and bank case, 200–203 CTS damage assessment, 189–199 CTS evidence review, 192–194 CTS undertaking to co-opt hacker, 194–199 eBay damage assessment, 185–189 FBI download of Russia data, 179–181 NIPC advisory, 203–204 paperless trial, 182–184 PayPal damage assessment, 185 U UID (user ID), 358 undercover agent testify, 159–161 United States v Booker, 113 United States v David, 135–137 United States v United States District Court, 128 United States v Verdugo-Urquidez, 87, 137–138, 158 United States v Washington (Boldt Decision), 25 Ural Mountains, 12 user account scruitinized, 100–102 539 The Lure V W verdict, 436–437 Verio/Webcom.com Exhibit List, 521 intrusion, 363–367 videotape, 62, 248–250 Warden v Hayden, 125 Webcom.com/Verio intrusion, 363–367 Whitman, Meg, 186 WinWhatWhere program, 85, 274–276 wiretap statute, 61, 123–128 witness CTS Network Service, 294–295 defense, 168–174 expert, 295–300 Material Witness, 43 Schuler, 269–272 WorldCom, 194 540 ... 

Posted: 31/05/2017, 15:19

Table of contents

  • Contents

  • Introduction

  • Part I: The Investigation

    • Chapter 1: Speakeasy

      • The Birth and Evolution of the Internet

      • An Intruder Enters Speakeasy

      • Speakeasy Responds

      • An Important Customer Is Harmed

    • Chapter 2: The Investigation Begins

      • The Landmark Privacy Act Case

    • Chapter 3: The Lure

      • Multi-District Cooperation Begins

      • The Lure Begins

    • Chapter 4: The Sting

      • The Russian Hackers Arrive in Seattle

      • Gorshkov Continues to Display His Knowledge

      • The Take-Down

    • Chapter 5: In Custody

      • The Ivanov Interview

      • Gorshkov’s Interview

      • The Prosecutors Stand By

      • The Interviews Resume

      • The Russians Have Their First Appearance in Court

    • Chapter 6: PayPal

      • The National Infrastructure Protection Center Offers Its Help

      • PayPal and eBay

    • Chapter 7: A (Not So) Brief Primer on National Security Investigations

      • Technology Always Evolves Faster than the Law
