Getting Law Enforcement Action for a Large-Scale Hack?
"So I determined that I was connecting to xxx.p5115.tdko.com instead of xxx. I started looking at DNS settings. Of course, under Windows, the default is to accept the default DNS domain specified by a DHCP server for the PC's Ethernet connection. There are settings to disable this, but I hadn't thought about it until now. It turns out, Charter Communications' DHCP servers were infiltrated and were providing p5115.tdko.com as the 'Connection-specific DNS suffix', causing all non-hardened Windows (whatever that means in a Windows context) machines to get lookups from a hijacked subdomain DNS server which simply responded to every query with a set of 3 addresses (66.220.17.45, 66.220.17.46, 66.220.17.47).
On these IPs were some phantom services. There were proxying web servers (presumably collecting cookies and username/password combos), as well as an SSH server where the perpetrators were most likely hoping people would simply say 'yes' to the key differences and enter in their username/password.
Has anyone else seen this type of attack before? Pretty sneaky. I bet it would slip by most people that don't use anything but a web browser. This makes me want to step up my plans to put an OpenBSD firewall in place and allow it as little trust of the outside world as possible, providing more trusted DNS/DHCP services to the hosts on my network. It would be nicer to be able to boot the thing self-contained-and-configured off read-only media and have no writable access to anything from the operating system to totally prevent break-in/tampering.
With respect to the law enforcement issues: I first called Charter, and after 10 minutes on hold was told to submit a report to their abuse account. I asked the tech support rep if they really wanted me submitting the incident report through a hijacked proxying web server. I hadn't yet reconfigured my Windows systems because I wanted to collect as much information as possible while the attack was still live. The long and short from the tech support rep was they'd look at it, but couldn't do anything with respect to responding to me about it unless I submitted that report.
I moved on to calling the FBI. The after hours person had no idea what evidence collection procedures I should follow, nor if their office would even be interested in investigation. I was told to call back during business hours. I did a little searching and found the National Infrastructure Protection Center. I gave them a ring and was asked to fill out an incident report. I was told it would be reviewed in the NOC quickly and a decision made about further investigation. The rep answering the phone said to collect any and all information I could think of regarding the attack. I got a response later this morning that their NOC personnel had evaluated the report and decided not to investigate further.
I called the FBI back this morning, only to be told they generally didn't investigate these types of crimes for individuals, but usually only for companies that had lost at least a couple thousand dollars. To inflate my ego a bit, I asked if I could count my time cleaning up/investigating as a loss of this magnitude and was told no, that it would have to be a financial loss like is associated with internet credit card fraud. Given how Kevin Mitnick was convicted and sentenced on 'evidence' that included employee time for investigation and cleanup, why is this any different for me?
With respect to getting some action on any future attacks - what should I do? Who should I call? I'm not a h/\x0r, and I have reasonable investigation skills, but aren't there professionals doing this to uphold the law? What's the point of all those federal laws anyway? Monitoring of third party communications, without the consent of either party; unauthorized access to Charter's systems - the list can go on a lot further depending on the activity happening at those proxying servers. Are these laws just tools to oppress unpopular computer criminals but just plain not enforced most of the time?
I found this situation and particular method of attack interesting... hopefully this was fun to read. If you have suggestions for what I should do in the future to handle attacks, I'd love to hear about it!"
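The attack the submitter describes has two detectable properties: a DHCP-supplied connection-specific DNS suffix turns every unqualified lookup into a query under the attacker's domain, and the attacker's zone answers every name with the same handful of addresses. The following is an added example, not code from the post or from Charter; it uses the suffix and the three addresses the post reports, but the resolver is a constructed stand-in for real DNS (no network is touched) and the hostnames under example.net are invented for the demonstration. It shows how to probe a suffix for wildcard behaviour and how to compare suffix-qualified lookups against trusted fully qualified names.

```python
import random
import string
from typing import Callable, Dict, List, Optional

# A resolver maps a name to the list of A records it returns ([] means NXDOMAIN).
Resolver = Callable[[str], List[str]]

# Values reported in the post.
HIJACKED_SUFFIX = "p5115.tdko.com"
HIJACKED_ANSWER = ["66.220.17.45", "66.220.17.46", "66.220.17.47"]

# Constructed sample data: an honest zone whose answers differ per host.
HONEST_ZONE: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "www.example.net": ["192.0.2.20"],
}

# Hosts the user expects to reach by bare label, with the FQDN each should be.
EXPECTED_HOSTS = {"mail": "mail.example.net", "www": "www.example.net"}


def make_resolver(wildcard_suffix: str, wildcard_answer: List[str],
                  honest: Dict[str, List[str]]) -> Resolver:
    """Build an offline resolver: everything under wildcard_suffix answers identically
    (modelling the hijacked subdomain), everything else comes from the honest table."""
    def resolve(name: str) -> List[str]:
        name = name.rstrip(".").lower()
        if name == wildcard_suffix or name.endswith("." + wildcard_suffix):
            return list(wildcard_answer)
        return list(honest.get(name, []))
    return resolve


def qualify(short_name: str, suffix: str) -> str:
    """Mimic the Windows resolver: an unqualified label gets the connection-specific suffix appended."""
    if "." in short_name:
        return short_name
    return f"{short_name}.{suffix}"


def random_label(rng: random.Random, length: int = 12) -> str:
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def wildcard_suspect(resolve: Resolver, suffix: str, probes: int = 5,
                     seed: int = 0) -> Optional[List[str]]:
    """Query several nonsense labels under the suffix. A legitimate zone returns
    NXDOMAIN (empty) or differing answers; a zone that answers every probe with the
    same address set is flagged and that set is returned."""
    rng = random.Random(seed)
    answers = [frozenset(resolve(qualify(random_label(rng), suffix))) for _ in range(probes)]
    non_empty = [a for a in answers if a]
    if len(non_empty) == probes and len(set(non_empty)) == 1:
        return sorted(non_empty[0])
    return None


def audit_suffix(resolve: Resolver, suffix: str,
                 expected: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """For each bare label, compare what the suffix-qualified lookup returns against
    the trusted FQDN. Any host whose suffix-qualified answer differs is reported."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for short, fqdn in expected.items():
        via_suffix = set(resolve(qualify(short, suffix)))
        trusted = set(resolve(fqdn))
        if via_suffix and via_suffix != trusted:
            findings[short] = {"via_suffix": sorted(via_suffix), "trusted": sorted(trusted)}
    return findings


RESOLVER = make_resolver(HIJACKED_SUFFIX, HIJACKED_ANSWER, HONEST_ZONE)

if __name__ == "__main__":
    for suffix in (HIJACKED_SUFFIX, "example.net"):
        print(f"suffix {suffix}: wildcard={wildcard_suspect(RESOLVER, suffix)}")
        print(f"  mismatches={audit_suffix(RESOLVER, suffix, EXPECTED_HOSTS)}")
```

Against a live system the same two checks apply: read the suffix the interface actually received (ipconfig /all shows it as "Connection-specific DNS Suffix"), probe a few random labels under it, and compare bare-label lookups against the FQDNs you trust. A suffix you did not configure whose zone answers every probe identically is exactly the condition the post describes.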
Post it to Slashdot (Score:5, Funny)
1. you will get realtime help. OK, there are better ways but this is a _big_ audience you have here.
2. post a link to the offending server, and the
Busted (Score:1, Funny)
There's your problem... (Score:5, Funny)
It's a wonder they didn't tell you to reboot your modem, reboot your PC and verify that the network card is listed in Device Manager.
That's about all I've ever gotten out of them.
These laws are not made for you! (Score:1, Funny)
Very interesting.... (Score:2, Funny)
Tell them you're with (Score:2, Funny)
cia.gov!!
Something similar happened to me once (Score:1, Funny)
You can bet I shut my PC down and walked right out of there and never mentioned this little incident again until now. BTW, this was in early-to-mid September, 2001.
Re:semi-hourly dose of content ? (Score:5, Funny)
Re:Domain suffix fun.. (Score:3, Funny)
I just get a bunch of stuff about buying domains.
Re:F*ck the police (Score:2, Funny)
Ever thought of moving?
Call the big boys.. (Score:2, Funny)
THANKS FOR THE GEAR DUDE! LOVE, THE COPS (Score:2, Funny)
Simple.... (Score:3, Funny)
First off, do the terrifying...submit to CNN.com or ZDNEWS....
"Entire Charter One Internet Communications Division's Security Jeopardized....what data was collected? Why was nothing done to stop this...even after a client reported the crime in progress!"
Then file a lawsuit or insinuate, by paying a lawyer to make a call and claim that his client is considering filing for damages....blah..blah..blah.
But the truth of the matter, most of our recent laws are there for two reasons.... a) to protect the powerful, b) to keep the masses subdued.
Almost none of them are designed to punish actual criminals or protect the common citizenry. Face it, our justice system in America is dying...
Re:Ratchet the wench some more. (Score:3, Funny)
I've never heard it called _that_ before.
Re:use of SSL/SSH (Score:2, Funny)
Re:These laws are not made for you! (Score:2, Funny)
How stupid. These longhairs don't realize that when you use an existing law instead of purchasing a new one, you depress the legislation market. Longhairs, think about it: When you recycle legislation, your senator's next election campaign isn't getting funded. Your city councilor isn't getting his beer money. Do you expect these people to work for free? It's ludicrous. Try to imagine your communist unAmerican utopia, where founders get the laws correct one time, and then everyone lives by the same old laws. The legislators' campaign bank accounts would all be a joke, and any regular Joe off the street, would be able to afford to run against them in the TV ads.
Foreigners might even get in on it! Do want an America run by foreigners!? Do you want your senator's re-election campaign run from an office in New Delhi, by people who have never tasted apple pie or seen a baseball game? Our legislators need protection, and it should be supplied by the government itself. We should have the government hire lobbyists to lobby itself, in order to keep the jobs safe.
Re:Simple.... (Score:3, Funny)
With the over-the-top reactions reported in the media, this might be exactly what is needed to force Charter One to deal with their fucked setup.
Re:No you were running spyware! (Score:2, Funny)
Re:Call tech support, but (Score:2, Funny)
the Washington snipper (Score:2, Funny)
Re:nothing at all (Score:1, Funny)
Re:F*ck the police (Score:3, Funny)
Re:Call tech support, but embarrass them too (Score:5, Funny)
Heh, just thinking of my local Fox station - they'd have a field day with this:
::scary music/graphics::
"Have CABLE INTERNET? YOUR passwords are being STOLEN! CHARTER doesn't CARE! FOX 5 DOES! Story at 10"
Re:No you were running spyware! (Score:4, Funny)
Re:use of SSL/SSH (Score:2, Funny)
Re:Call tech support, but (Score:3, Funny)
Ah
If you want to get someone's attention... (Score:3, Funny)
Just eatin donuts? (Score:3, Funny)
Before I started my low-cost cruise missile project, I emailed the FBI and the relevant defense program, letting them know what I planned to do, offering to take on board any suggestions they might have and making my objectives quite clear.
I got no response at all, save an automated acknowledgement from the FBI.
After the project captured the media's attention and got broadcast around the world, the authorities stated that they weren't happy and that my actions were "unhelpful."
Well excuse me! Don't these people read their damned email? If they have a problem with what I'm doing why didn't they simply contact me in the several weeks between when I notified them and when the media picked up the story?
However, in the wake of the media-coverage and the authorities' apparent dissatisfaction with what I was doing, I sent a follow-up email to the FBI (using the contact form on their website) and the relevant defense agency.
Guess what -- still no response.
Has a stack of Federal donuts fallen over and crushed everyone responsible for dealing with incoming email or something???? Or maybe it's just easier to moan about things than actually do something about them.
Sigh!
Re:it's all about cc: (Score:1, Funny)