FBI follows Internet chat room leads in hacker probe
Investigators seek 2 named suspects; UCLA says it was victimized, too
WASHINGTON (CNN) -- The FBI is pursuing a number of promising leads, including Internet chat room conversations, in the probe of last week's hacker attacks on several top Web sites, according to sources familiar with the investigation.
Law enforcement sources told CNN the FBI is planning to interview a number of Internet users -- including two known as "Coolio" and "mafiaboy" -- identified by university and business security experts through their own internal investigations.
"Coolio" is thought to be a man living in the Midwest, while "mafiaboy" is believed to be Canadian.
Industry security experts and the FBI have linked names and addresses to those aliases. The FBI plans to begin interviews and to seek search warrants over the next few days. Canadian officials are cooperating in the investigation.
Suspects or witnesses?
In last week's "denial of service" (DoS) assaults, hackers launched a series of electronic attacks on popular commercial Web sites, leading to losses of millions of dollars and heightening fears over Internet safety.
Law enforcement officials said "Coolio" and "mafiaboy" could emerge as suspects in the DoS investigation, but it also was possible they may only have information about the case and could be witnesses.
Computer security experts and the FBI have also identified other people who may have been involved.
Law enforcement sources say the FBI information is coming primarily from two tracks:
- Server logs provided by officials from universities whose computers were used in the attack
- Tips coming in from the Internet hacker community.
The person suspected of mounting the first attacks was named in a three-page e-mail sent to FBI agents last Wednesday by two computer experts, the Washington Post reported.
Online conversations studied
Sources told CNN that on the Internet Relay Chat (IRC), "Coolio" claims responsibility for an attack on a server in Russia and the defacement of the Web site belonging to RSA Security, a leading Internet encryption firm.
Some chat room logs refer to "Coolio" as a "DoS kiddie," a reference to the way eBay, CNN.com, Yahoo! and other Web sites were made inaccessible to users last week.
IRC, a real-time network of chat servers separate from the World Wide Web, allows a number of computer users to share a typed conversation.
The IRC conversations dealing with "Coolio" were compiled by security experts at Stanford University and at Kroll-O'Gara, a computer consulting firm.
Joel de la Garza, who works for both RSA Security and Kroll-O'Gara, told CNN he found information that identifies the specific way that "Coolio" broke into the Russian computer. That method is called a network protocol exploit. Computers at both Stanford and the University of California at Santa Barbara were used in a similar way in last week's attacks on eBay and CNN.com.
In addition to UCSB and Stanford, computers on the UCLA campus were also used in last week's attacks, according to the university. College investigators are still checking the extent of the activity, but they are "confident" that the hacker was not based on the UCLA campus. A UCLA spokesman confirmed that the machines were used in the attack on e-commerce site Amazon.
David Brumley, a network security administrator at Stanford University, said he and de la Garza believe that last week's spate of attacks weren't done by "Coolio" alone.
"We believe that there are two parties. Some were done by one, some by another," Brumley said.
When he defaced the RSA Web site, "Coolio" reportedly not only signed his vandalism, he made a reference to one of his hunters in an apparent attempt to taunt the investigator.
According to Recourse Technologies, a security firm dedicated to tracking down hackers, "mafiaboy" is a 15-year-old copycat attacker.
He is believed to use a software program called Tribal Flood Net designed by the German programmer "Mixter" to launch denial of service attacks. The Tribal Flood Net program and other programs are widely available and almost anyone can use them.
De la Garza said he's continuing to amass data and other evidence against "Coolio," and says he is "85 percent" sure that "Coolio" is responsible for many of the attacks. De la Garza's company hosts the popular "PacketStorm" security Web site.
Justice Department Correspondent Pierre Thomas and CNN Interactive Technology Editor D. Ian Hopper contributed to this report.
© 2001 Cable News Network. All Rights Reserved.