FBI to investigate Internet’s role in attacks

More than 22,700 tips have poured into the special Web site set up by the FBI to manage leads in the investigation of Tuesday’s terrorist attack against the World Trade Center in New York and the Pentagon, Attorney General John Ashcroft said last week.

At a press briefing last week, Ashcroft characterized many of the tips as useful to the investigation and said the number of accomplices who may have assisted the estimated 18 hijackers is likely “significant.”

Meanwhile, officials at two major Internet service providers (ISPs) have acknowledged that they are cooperating with the FBI in the search for data that could help lead investigators to individuals who may have assisted the hijackers. Executives at Dulles, Va.-based America Online Inc. and Atlanta-based EarthLink Inc. said they are assisting authorities with information from their user and connection logs.

The FBI wouldn’t confirm whether it’s looking into any ISP records, nor would the agency say whether its controversial Carnivore e-mail monitoring program was being used. Carnivore, which is now known as DCS1000, has raised fears among privacy advocates who have said the software could lead to random surveillance of e-mail messages unrelated to an FBI investigation.

Sifting through the mountain of data from various ISPs may be difficult, however. AOL membership recently surpassed 31 million accounts, with more than seven million added during the past year alone. EarthLink has about five million subscribers and more than 8,800 dial-up points around the nation.

Richard Forno, a security administrator with a major domain-name registration firm in Virginia, said it would be easy for authorities to piece together information from ISP records, but how useful those records would be to the investigation is unclear.

Brian O’Higgins, chief technology officer at Entrust Inc., an Internet security firm in Plano, Texas, said the information garnered from ISP logs could help the FBI narrow down where and against whom to conduct future communications-intercept operations.

“Once you have the e-mail, you can look at all the other information in it, including the entire route,” said O’Higgins.

Doug Barbin, principal consultant and security architect at Waltham, Mass.-based Guardent Inc., said any information in ISP logs that might be of use to investigators could have come from a variety of places, including Web sites, chat rooms and e-mails that can point law enforcement officials to foreign ISPs.

However, unless authorities already know which users they are looking for, they may find it difficult to uncover a lot of data because ISPs regularly delete logs, said Barbin. ISPs don’t have the storage space to store logs indefinitely and periodically delete user session information out of concern for privacy, he said. Although ISP practices differ, logs are deleted anywhere from every few days to every month.

What federal authorities are likely doing, said Barbin, is requesting that ISPs not delete any logs for the foreseeable future so that they can uncover communications that are now taking place.

“Some providers have trace-back ability of phone numbers, but sometimes the trace-back ability can only lead you to a geographic area,” said Barbin. But some ISPs have the capability to trace an e-mail back to a specific user and can then obtain the user’s account information, including a name, address, phone number and credit card number, he said.

In addition, “there are Web sites out there that are very secure and that we don’t know about,” Barbin said. “If a person was at least moderately technically savvy, they would be able to communicate across the Internet in a secure manner.”