CNN.com U.S. News

FBI follows Internet chat room leads in hacker probe

Investigators seek 2 named suspects; UCLA says it was victimized, too


February 15, 2000
Web posted at: 4:45 p.m. EST (2145 GMT)



WASHINGTON (CNN) -- The FBI is pursuing a number of promising leads, including Internet chat room conversations, in the probe of last week's hacker attacks on several top Web sites, according to sources familiar with the investigation.

Law enforcement sources told CNN the FBI is planning to interview a number of Internet users -- including two known as "Coolio" and "mafiaboy" -- identified by university and business security experts through their own internal investigations.


"Coolio" is thought to be a man living in the Midwest, while "mafiaboy" is believed to be Canadian.

Industry security experts and the FBI have linked names and addresses to those aliases. The FBI plans to begin interviews and to seek search warrants over the next few days. Canadian officials are cooperating in the investigation.

Suspects or witnesses?

In last week's "denial of service" (DoS) assaults, hackers launched a series of electronic attacks on popular commercial Web sites, leading to losses of millions of dollars and heightening fears over Internet safety.

Law enforcement officials said "Coolio" and "mafiaboy" could emerge as suspects in the DoS investigation, but it also was possible they may only have information about the case and could be witnesses.

Computer security experts and the FBI have also identified other people who may have been involved.

Law enforcement sources say the FBI information is coming primarily from two tracks:

• Server logs provided by officials from universities whose computers were used in the attack

• Tips coming in from the Internet hacker community.

The person suspected of mounting the first attacks was named in a three-page e-mail sent to FBI agents last Wednesday by two computer experts, the Washington Post reported.

Online conversations studied

Sources told CNN that on the Internet Relay Chat (IRC), "Coolio" claims responsibility for an attack on a server in Russia and the defacement of the Web site belonging to RSA Security, a leading Internet encryption firm.

Some chat room logs refer to "Coolio" as a "DoS kiddie," a reference to the way eBay, CNN.com, Yahoo! and other Web sites were made inaccessible to users last week.

IRC, a real-time network of chat servers separate from the World Wide Web, allows a number of computer users to share a typed conversation.

The IRC conversations dealing with "Coolio" were compiled by security experts at Stanford University and at Kroll-O'Gara, a computer consulting firm.

[Image: RSA site. Sources say "Coolio" takes credit for defacing the Web site of RSA Security, a leading Internet encryption firm.]

Joel de la Garza, who works for both RSA Security and Kroll-O'Gara, told CNN he found information that identifies the specific way that "Coolio" broke into the Russian computer. That method is called a network protocol exploit. Computers at both Stanford and the University of California at Santa Barbara were used in a similar way in last week's attacks on eBay and CNN.com.

In addition to UCSB and Stanford, computers on the UCLA campus were also used in last week's attacks, according to the university. College investigators are still checking the extent of the activity, but they are "confident" that the hacker was not based on the UCLA campus. A UCLA spokesman confirmed that the machines were used in the attack on e-commerce site Amazon.

David Brumley, a network security administrator at Stanford University, said he and de la Garza believe that last week's spate of attacks weren't done by "Coolio" alone.

"We believe that there are two parties. Some were done by one, some by another," Brumley said.

When he defaced the RSA Web site, "Coolio" reportedly not only signed his vandalism, he made a reference to one of his hunters in an apparent attempt to taunt the investigator.

According to Recourse Technologies, a security firm dedicated to tracking down hackers, "mafiaboy" is a 15-year-old copycat attacker.

He is believed to use a software program called Tribal Flood Net designed by the German programmer "Mixter" to launch denial of service attacks. The Tribal Flood Net program and other programs are widely available and almost anyone can use them.

De la Garza said he's continuing to amass data and other evidence against "Coolio," and says he is "85 percent" sure that "Coolio" is responsible for many of the attacks. De la Garza's company hosts the popular "PacketStorm" security Web site.

Justice Department Correspondent Pierre Thomas and CNN Interactive Technology Editor D. Ian Hopper contributed to this report.



© 2001 Cable News Network. All Rights Reserved.