From: Poteau Daily News & Sun [pdns@pdns.com] Sent: Monday, August 20, 2001 11:51 AM To: burtonld@pickett.com Subject: Re: Brian K. West This is the story that ran back in February 2000 Hacker says he broke into PDN&S site By John M. Corbitt, Managing Editor As the world focuses on damage to huge Internet companies by computer hackers, the story has been brought home with a vengeance at the Poteau Daily News & Sun. According to Federal court records in Muskogee, a search warrant was served Monday on CWIS Internet Services at 203 North Broadway in Stigler. In the documentation with the warrant, Special Agent Christopher Headrick of the Federal Bureau of Investigation, assigned to the Oklahoma City Division. He is investigating an alleged violation of federal law by unauthorized access to an Internet web page owned by the Poteau Daily News & Sun (PDN&S) that is housed by Cyberlink Rural Telecommunications, Inc. (CRTI). Headrick said in the affidavit attached to the warrant that he had acquired information from other FBI agents and witnesses. Cyberlink provided PDN&S with an Internet web page that the newspaper uses to post news stories and advertisements. Access to the site is limited to system administrators at CRTI and reporters at PDN&S by user identification and password. The affidavit explains that James W. McCoy Jr. wrote a program in Practical Extraction and Report language (Perl) software that allows reporters in the field to access the news service website and make updates remotely. "Many large news agencies have in house computer programmers or hire companies to write custom software to allow for remote update to their websites. CRTI anticipated marketing their Perl script program as an off-the-shelf software package that could be customized and sold to medium and small news agencies," he said. Headrick went on to explain that CRTI anticipated selling the software package for about $4,000 to $6,000 per copy. CRTI was testing the Perl script called E-Z Net News at PDN&S. According to the document, PDN&S Publisher Wally S. Burchett reported that Brian West, known to Burchett as a salesman for CWIS Internet Services, recently posted advertisements in the PDN&S newspaper. According to the affidavit, when Burchett met West on Jan. 31, West indicated to him that he wanted to advertise CWIS Internet Services on the PDN&S website. Burchett provided West advertising rates for the service and West indicated that he would soon contact Burchett. On Feb. 2, according to the federal document, West allegedly telephoned Burchett to ask if Burchett "realized that his website at www.pdns.com was not secure." West allegedly indicated to Burchett that he had accessed the website by obtaining usernames and passwords. Burchett reportedly contacted West at CWIS to discuss how West had accessed the website, and recorded the conversation, that he provided to Det. Jim Craig of the Poteau Police Department. On the tape, West allegedly told Burchett that anyone with Microsoft Front Page, Internet programming software, could enter the PDN&S website, and that there are no safeguards at all. West allegedly said he had done a security overview of the site and provided a technical explanation to Burchett of how to log on with a user password to PDN&S and "edit your stories." "Subsequent investigation determined that this intrusion was not done inadvertently," Headrick wrote in the affidavit. According to court records, West told Burchett on Feb. 7 that he had "inadvertently" entered the website of First National Bank in McAlester, and looked at customer checking and saving accounts and the transfers of funds. West reportedly told an officer at the bank about the event and the bank's lack of security. He said the bank officer thanked him but reacted "in a hostile manner." He said he had accessed the bank's website on two other occasions, then contacted a senior vice president of an Oklahoma City branch of First National to advise him of what had been done. User logs from PDN&S computer indicate that hundreds of attempts to connect to the PDN&S website were made Feb. 1 from three specific Internet addresses owned by Webzone of Tulsa, CWIS Internet Services, and Voltage Networks of Mena, Ark. The computer logs indicate that at least 30 attempts to connect to the newspaper's server from those addresses were made between 4:05 p.m. and 4:48 p.m., according to the court document. It goes on to say that group of attempts were followed by at least five separate attempts to connect to the same computer at PDN&S from the site in Mena. The affidavit said that the logs reflect that many of the attempts to connect were "not simply requests to view the web page, but attempts to access the files and Perl scripts that cause the web page to operate." The document said that a computer operator managed to log into the newspaper 's web page edit program from the Mena site at 7:50 p.m. using the user identification and password of CRTI employee James W. McCoy, Jr. Headrick said that an interview with McCoy revealed that he did not access the PDN&S web page program on Feb. 1 and did not authorize anyone to use his user ID and password. Headrick said that he found that the Internet provider in Mena is owned by CWIS, and that he believes there is an ongoing business relationship between CWIS Internet Services and Webzone in Tulsa and Voltage Networks in Mena. Headrick wrote that he has learned from FBI Computer Crimes Investigator Matthew T. Harper that a computer can be linked so that a person at the Tulsa site could appear to be accessing the web page from Mena, but that computer would show that link. The affidavit said that a CWIS system administrator would be asked to assist the FBI in the search of records on their equipment, but that a member of the FBI Computer Analysis Response Team (CART) would conduct the search if CWIS personnel did not choose to assist the agency. The affidavit accuses West of "conducting computer intrusion activities in violation of Title 18, United State Code, Section 1030(a)(2)(C)." It goes on to allege that the computer used in the crime would be found at CWIS in Stigler. Confiscated in the search were backup data disks and tapes. As of press time Wednesday, no arrests had been made. ----- Original Message ----- From: "Larry D. Burton" To: Sent: Monday, August 20, 2001 8:25 AM Subject: Brian K. West > I just read this article: > > http://www.linuxfreak.org/post.php/08/17/2001/134.html > > and would like to hear your side of this story. > > Regards, > > Larry Burton > Pickett, Tarpley & Associates, Inc. > (423) 875-8034 voice > (423) 875-2672 FAX >