follow me on Twitter

    Saturday, November 15, 2008

    Maine's Biggest Cyber Crimes Case--James Wieland

    All day Thursday of this week, I got e-mails from friends in different computer law, hacker, cyber crimes, and computer forensics communities. They'd ask, “Did you see the hacker case? What do you think? Did he do it?”

    The case to which they are referring is, to date, Maine’s biggest cyber crime’s case. This is bigger than the warez sales going on in Portland back in 2005.

    But there is something different about this case that’s intriguing to me. In the warez case, there was a group out to profit from copying software; it was an unsophisticated, but high volume, operation. The warez trade isn’t too difficult to do and it’s not terribly interesting.

    This case is different. Although I’ve spoken to James, we knew better than to discuss the case. The facts about which I write are only what are available to the public via news organizations. The news articles—from here down to the D.C. area—all have the same theme of, “evil hacker breaks and steals stuff,” but what’s really going on behind these headlines, only time will tell as the facts--especially the technical aspects of the case--are presented in court. Was this curiosity and experimentation that went beyond rational bounds or, on the other hand, was this a well-designed and calculated attack with fraudulent intent?

    The news reports state that James Wieland, student at University of Maine, spread a Trojan horse program (don’t know if it was a worm or virus, but this will matter in the case) by adding it as an attachment to an e-mail that contained a video game. When the recipients opened the attachment, the malicious program was executed. The Trojan reportedly contained a keystroke logger program. It was reported that James has been collecting and storing that data since August 2007. But the intriguing part—and I’m sure an aspect of the case that will be highly-debated in court—is why James allegedly collected this information and why he didn’t do anything with it? There were no reports that he used anything he allegedly collected.

    There are some hypotheses in the case: 1) James was the victim of a botnet attack on his computer meaning that he didn’t know about the Trojan or what it would do; 2) He released the Trojan as a curious experiment (didn’t write the code, but in script kiddy fashion, applied it and released it) but didn’t quite know what it was doing or how to stop it (classic Morris Worm case); 3) He wrote the code and released the Trojan with malicious intentions and wanted to collect private data from the victims and either sell it or use it for nefarious or fraudulent purposes.

    What’s striking to me about this case is that James has a lot to loose. He just got engaged in Italy last month, worked for a Christian school, has his own business consulting and web design company, and seems to be just starting his professional and family life. He just doesn’t fit the typical profile of a malicious cracker. If convicted, these felony charges could be more than 5 years in prison. The District Attorney states that the 5 year sentencing estimate may be just a start and that there might be more incriminating data found now that they’ve cleaned his place out of all electronic equipment.

    I wonder if University of Maine’s policy of attaching students' and faculty’s first and last names to our host names (HEY DEFENSE COUNSEL, YOU LISTENING?) had anything to do with them tracing an IP address to James Wieland? This can be spoofed, and if James was clever enough to write the program and orchestrate this attack, wouldn’t he have also been able to obscure his IP address?

    What I can do is bring as much as I can from Wieland’s case to our computer law and ethics class, COS 499, at University of Southern Maine in spring 2009. Like everything in my class, we analyze computer law and cyber crimes cases from a non-biased perspective. I have hackers as guest speakers as well as a few influential FBI and CIA agents discussing different perspectives regarding electronic crimes and how to prevent them with better computer security built from the ground up into software, hardware and network design practices we teach at U. Maine.

    I will be going to as many of Wieland’s hearings as I can; most certainly, I’ll be at the arraignment in January 2009. No matter the outcome of the case, there is a lot that security researchers, information technologists, and computer scientists can learn from this case. A lot of lessons will be learned both by James Wieland and by the University of Maine.

    I urge readers to please hold judgment until the facts—especially the technical aspects—are presented. I want to read more articles or hear in court that this is more than tracing an IP address to Wieland. Right now, there are no details beyond that.

    When we hear about the Trojan’s code (such as how it worked—I want the functions of the key algorithms discussed in court!), how and where the data was obtained and stored, 4th amendment practices (forensic hashing of the hard drive), access to the data files, and the Internet access to Wieland’s computer network, then we’ll discuss what went wrong.

    I’ll keep you updated. If you see news articles or find information online, please e-mail them to me.

    No comments: