The little engineer further explained that such computers are put into a “VLAN”—a virtual network. Since the programs or servers that do this job log everything they do, including the checks they performed and the reasons they quarantined a machine, the log manager showed us that the machine had been separated from the network because it was considered compromised by intruders.
“But, how come we never got any alerts about all this?” asked the astonished David.
“It’s very simple,” said the log manager. “Victor lowered the priority of those messages so they would not issue alerts. It looks like he had been fighting off intruders that were invading the system and had finally thwarted them by isolating a machine they were trying to penetrate.”
“OK, so can we go look at that machine and see what’s in it?” asked Lombardo.
“Let’s find out first which one it is,” said David.
Another series of log entries scrolled on the screen:
[**] [1:1407:9] SNMP trap udp [**] [Description: Attempted unauthorized login] [Priority: 0] 03/06-8:14:09.082119 112.147.1.167:1052 -> 110.30.156.27:143 UDP TTL:118 TOS:0x0 ID:150947 IpLen:50 DgmLen:47
11:14:07 PM,"Trigger ""Block Windows File Sharing"" blocked (112.147.1.54, netbios-ssn(139)).","Rule ""Block Windows File Sharing""blocked (112.147.1.54, netbios-ssn(139)). Inbound TCP connection. Local address,service is (UNIMTY(102.30.128.27),netbios-ssn(139)). Remote address,service is (112.147.1.54,39922). Process name is ""System""."
3/3/2006 9:04:04 AM,Firewall configuration updated: 398 rules.,Firewall configuration changed: 254 rules.
11:33:50 PM,Definition File Download,UNIMTY,userk,Definition downloader
3/4/2006 11:33:52 PM,AntiVirus Startup,UNIMTY,userk,System
3/3/2006 3:56:46 PM,AntiVirus Shutdown,UNIMTY,userk,System
240203071234,16,3,7,UNIMTY,userk,,,,,,,16777216,”Virus definitions are corrupted.”,0,,0,,,,,0,,,,,,,,,,SAVPROD,{ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx },End User,(IP)-192.147.1.121,,GROUP,0:0:0:0:0:0,9.0.0.338,,,,,,,,,,,,,,,
DSO Exploit: Data source object exploit (Registry change, nothing done) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
“Man, look at all the stuff that was going on!” said the log manager.
David moaned and said, “We’d better have a look at the audit records.”
David explained that there would be a lot of security information in the audit logs. If someone was trying to gain access to the computers and had failed to login several times, it would show up there. Also, if rules, regulations, or policies had been violated or sidestepped, the audit information would tell us.
What amazed David and the log manager was the amount of activity: account creations and account deletions, changes to privileges in the accounts and then changes denied. It had been a battle between someone trying to gain access and give himself or herself privileges to do very much what he or she pleased, and Victor trying to deny the intruder access. Then a “strange” security log entry appeared on the auditing system.
Event Type: Success Audit Event Source: Security Event Category: (1) Event ID: 517 Date: xx/xx/xxxx Time: 1:16:40 AM User: SYSADMIN AUTHORITY\SYSTEM Computer: UNIMTY-2 Description: Cleared Audit Log Primary User Name: SYSADMIN Primary Domain: UNIMTY AUTHORITY Primary Logon ID: (0x0,0x4F9) Client User Name: SYSADM-0909 Client Domain: UNIMTY Client Logon ID: (0x0,0x22ACC)
Victor had quarantined the server; then, he did something very unusual for a Systems Manager—he cleared the Audit Log.
According to this trail of electronic evidence, Victor had spent part of the night following an intruder; he then quarantined the computer the intruder had tried to penetrate. He must have been confident that he had expelled the intruder and that it wouldn’t be back, because after midnight he had worked on the quarantined computer and his login had remained there for an hour. After he was done, he cleared the audit files so that no trace would remain of what he had done, and since he had lowered the priorities of the security system, no one would be alerted as to what had happened. Before he left, he brought system alerts back up to normal security levels.
But, if we had seen the battle, or the signs of the battle that were left here and there, the intruder too must have realized it had been defeated and that whatever it had been after was now inaccessible.
“So, if I understand this correctly,” said Lombardo, summing up, “someone came into your system to try to get something. Victor fought them off, denied them whatever it was they wanted, and then hid it in a quarantined computer. But, whatever it was he hid, and whoever it was he fought off, he did not want anyone here in the Center to know.”
“That about sums it up,” said the little log manager.
“And since they could not get it that way,” said David, “they came and got him.”
“That too sums it up,” Lombardo said.
There followed a deep silence after which Lombardo said, “Let’s have a look at what he hid in the quarantined system.”
The little guy gained access to the suspect computer through what he called a “tunnel,” which is a virtual pathway through a network.
Upon inspection, most of the files in the machine were humdrum copies of files and archives that were on other machines.
“Yeah, this machine is used mostly for backups,” said David. “Most of this stuff is old anyway and should be deleted.”
“Maybe so,” said Lombardo, “but not now.”
“Let’s look at the files by date of creation,” said the little guy. As he listed them, a file showed up at the top with a date and time very close to the date and time the machine was quarantined.
“What’s this, what’s this?” asked David as he tried to list the contents of the large file. His laptop beeped and clacked and displayed gibberish on the screen.
“It’s encrypted,” said the little log manager.
Chapter 23: Double, Double, Toil and Trouble
Lombardo strolled slowly into the Investigations Department’s building, his head hanging down, his hands in his pockets, his black mackintosh flapping in the draft of the corridor, looking like a don walking in the mall of some English University.
Most of the people that passed him did not greet him and the few that did were not greeted in return.
When he reached his desk, he called to the policewoman that handled the Department’s file section and asked her to open an averiguación previa (preliminary investigation) file.
These preliminary investigation files hold not only all the documents and evidence that stem from the initial investigation, which might include the original complaint, accounts by witnesses, and statements made by individuals, but may also include any medical and expert reports, called peritajes in Spanish legal jargon. The file also includes all of the reports made by the investigating officer or officers and has to be filed under a unique reference number before the judicial process begins. If legal action is deemed necessary by the Public Ministry, the file, or at least copies of all its documents, is turned over to the judge assigned to review the case.
For several years now, these files had been digitized. It was not only a way of having faster and ubiquitous access to the information, but also a means of safekeeping it, given that in the past, reports, evidence, and statements had disappeared from the files; and indeed, there had been instances where the entire file itself had mysteriously vanished.
Since the accused, the victims, and their respective lawyers have a right to demand copies of the files, the electronic archives made a lot of sense. The State of Nuevo León, always having prided itself that its industry, commerce, and general population were in the forefront in adopting new technologies, had a vast pool of information systems talent from which to hire people when it decided to computerize all of its documentation and archives.
Although Article 16 of the Federal Code of Criminal Procedures states that only the accused, the victim, and their respective legal representatives may have access to the records of the preliminary investigation, it does not bar officials from the Federal Prosecutor’s Department or the State Judicial Police from obtaining a copy of the preliminary investigation file, which only needs the authorization of the Public Prosecutor responsible for the investigation.
According to Mexican law, a preliminary investigation file can be assigned one of the following statuses: if more evidence is needed to warrant pursuing the case, the file can be put on hold while such evidence is sought; if the case grows cold and/or the investigation cannot prove there is a case or that there was any criminal or civil wrongdoing, it can be archived, which means that there will be no legal action pertaining to the case; finally, it can be forwarded to the court, in which case the Public Prosecutor can request an arrest warrant, given that the preliminary investigation has gathered enough evidence to justify one.
What is not very clear in this tangle of laws and responsibilities is the dividing line between federal and state jurisdiction. The division between the two is often shifted in accordance with the political expediency of the time, with Presidents or Governors pushing through legislation in obedience to public pressure, or sometimes in response to legislation and/or pressure from Mexico’s giant neighbor to the north. The line is further blurred by the arbitrary way certain officials—Presidents, Governors, and legislators—often stretch the boundaries of jurisdiction to fit their political purposes during election periods. This was particularly true during the more than seventy years of one-party rule Mexico suffered during the twentieth century.
As Lombardo was filling out another of the preliminary reports of the investigation, his telephone buzzed. The Director wanted to see him so he left his paperwork and walked over to the Director’s office.
Before he even sat down, the Director picked up a sheet of paper from his desk and said, “Read this.”
Lombardo took it and sat down to read.
M E M O R A N D U M
Subject: Death of subject, named Victor Delgado Ramirez
Directive: 1005938: Office of the Governor
State authorities have determined that the murder of the person named Victor Delgado Ramirez could be linked to organized crime. Therefore, it is hereby ordered that the investigation and pertinent judicial procedures that stem from said investigation be turned over to the jurisdiction of the Office of the Federal Prosecutor.
The Office of the State Prosecutor stated that there is sufficient evidence to suspect that elements of organized crime participated in the death of the above named, and that his execution in the early morning hours of the 15th of this month was conducted by a person or persons linked to the organized crime elements operating in the State of Nuevo León.
The State Prosecutor, Alejandro Peniche Saldivar, stated that “there is credible evidence” to strongly suggest that this is the line of investigation that should be followed and that “now it should be the Federal Prosecutor who should continue with further investigations.”
Peniche Saldivar pointed out that from the moment he was informed of Delgado Ramirez’ execution he issued instructions to the State’s Public Ministry to use every resource possible during the investigation of the crime, but that it should be recognized that there has been no substantial progress.
The head of the State’s Public Ministry has stated that although his organization will continue its own investigations, unfortunately as of today there has been no progress.
The State’s Public Ministry Director, in a communiqué to the Governor, stated that given the nature of the crime he believes that it falls under the jurisdiction of the federal police.
The Governor of the state agreed with both the Director of the State’s Public Prosecutor’s Office and the State’s Public Ministry that the case should be turned over to federal authorities, given that “the state does not have sufficient resources to deal with this kind of problem.”
Governor Platón Sanchez Reyes said that these violent acts “not only shame city, state, and federal authorities, but they are the bloody evidence that proves how organized crime has extended throughout the entire country.”
For his part, the mayor of the city, Nestor Villarreal, insisted that “there should be ample cooperation between the city, state, and federal authorities as Governor Sanchez has instructed.”
He added that “this is something that concerns the Federation and is clearly under its jurisdiction but we will not shirk from our responsibilities and will aid in the investigation until those responsible are brought to justice and the groups that have organized to break state and federal laws are brought under control.”