Getting Law Enforcement Action for a Large-Scale Hack? 721
"So I determined that I was connecting to xxx.p5115.tdko.com instead of xxx. I started looking at dns settings. Of course, under Windows, the default is to accept the default dns domain specified by a DHCP server for the PC's ethernet connection. There are settings to disable this, but I hadn't thought about it until now. It turns out, Charter Communications' DHCP servers were infiltrated and were providing p5115.tdko.com as the 'Connection-specific DNS suffix', causing all non-hardened Windows (whatever that means in a Windows context) machines to get lookups from a hijacked subdomain DNS server which simply responded to every query with a set of 3 addresses (66.220.17.45, 66.220.17.46, 66.220.17.47).
On these IPs were some phantom services. There were proxying web servers (presumably collecting cookies and username/password combos), as well as an ssh server where the perpetrators were most likely hoping people would simply say 'yes' to the key differences and enter in their username/password.
Has anyone else seen this type of attack before? Pretty sneaky. I bet it would slip by most people that don't use anything but a web browser. This makes me want to step up my plans to put an OpenBSD firewall in place and allow it as little trust of the outside world as possible, providing more trusted DNS/DHCP services to the hosts on my network. It would be nicer to be able to boot the thing self-contained-and-configured off read-only media and have no writable access to anything from the operating system to totally prevent break-in/tampering.
With respect to the law enforcement issues. I first called Charter, and after 10 minutes on hold was told to submit a report to their abuse account. I asked the tech support rep if they really wanted me submitting the incident report through a hijacked proxying web server. I hadn't yet reconfigured my Windows systems because I wanted to collect as much information as possible while the attack was still live. The long and short from the tech support rep was they'd look at it, but couldn't do anything with respect to responding to me about it unless I submitted that report.
I moved on to calling the FBI. The after hours person had no idea what evidence collection procedures I should follow, nor if their office would even be interested in investigation. I was told to call back during business hours. I did a little searching and found the National Infrastructure Protection Center. I gave them a ring and was asked to fill out an incident report. I was told it would be reviewed in the NOC quickly and a decision made about further investigation. The rep answering the phone said to collect any and all information I could think of regarding the attack. I got a response later this morning that their NOC personnel had evaluated the report and decided not to investigate further.
I called the FBI back this morning, only to be told they generally didn't investigate these types of crimes for individuals, but usually only for companies that had lost at least a couple thousand dollars. To inflate my ego a bit, I asked if I could count my time cleaning up/investigating as a loss of this magnitude and was told no, that it would have to be a financial loss like is associated with internet credit card fraud. Given how Kevin Mitnick was convicted and sentenced on 'evidence' that included employee time for investigation and cleanup, why is this any different for me?
With respect to getting some action on any future attacks - what should I do? Who should I call? I'm not a h/\x0r, and I have reasonable investigation skills, but aren't there professionals doing this to uphold the law? What's the point of all those federal laws anyway? Monitoring of third party communications, without the consent of either party; unauthorized access to Charter's systems - the list can go on a lot further depending on the activity happening at those proxying servers. Are these laws just tools to oppress unpopular computer criminals but just plain not enforced most of the time?
I found this situation and particular method of attack interesting... hopefully this was fun to read. If you have suggestions for what I should do in the future to handle attacks, I'd love to hear about it!"
This is giving me the cold sweats (Score:5, Interesting)
"No financial losses" my ass. Lets see what Visa's customers have to say about that when the logins for half a million credit card e-banking systems get compromised. Hmm, almost makes me wish I could detect a similar attack so we could see what the UK police would do. "Intarweb, sir? Nah, not on our patch, you seee...."
Domain suffix fun.. (Score:5, Interesting)
I also have my webserver set up so that if you surf to a hostname that doesn't exist, it serves up the google I'm Feeling Lucky page for the hostname.. "Collecting ancient art? Why, I happen to have a website on that, just go to collecting.ancient.art.mydomain.com."
Contact the police local to the offenders (Score:5, Interesting)
Read the Cuckoo's Egg. (Score:5, Interesting)
Re:This is giving me the cold sweats (Score:1, Interesting)
http://www1.ifccfbi.gov/index.asp (Score:3, Interesting)
When I ran a small ISP (Score:5, Interesting)
It was strange, because the FBI had actually sent a couple of agents to our office to introduce themselves, pass out business cards, and the like. But when we had trouble, we called them up and those guys basically said, "there's not much we can do."
When the agents introduced themselves, they gave us a questionaire to fill out, and there was a question about encryption -- had we noticed anyone using it?
The questionaire (which I didn't complete), and the lack of response when we actually needed help, sort of soured me on the beaureau. The agents were nice guys, and I had the feeling that they were sincere when they were talking to us, but the organization itself didn't seem to be too helpful.
I don't really have a problem with them paying more attention to hacks on major e-commerce sites or banks than on my little ISP (which has long since been sold). The reality is that there's so much cracking going on, and it's so hard to track it down, that chasing small incidents isn't really practical. If a big ecommerce site gets cracked, a lot of people get hurt, the situation is really different.
The lesson that I learned is that you're basically alone when you get attacked. No one cares, and no one will help. Your ISP won't do anything, law enforcement won't do anything, and your customers will be incredibly angry with you. The only way to deal with it is to do whatever you can to secure yourself up front.
what to do: (Score:5, Interesting)
First of all, file the report. Ask the support person if you can fax in the report because you don't want to inform the hacker that (s)he's been spotted and you are reasonably clear that you can't get a secure channel to their web server.
If they absolutely insist that you go through their web pages, then do so. Give enough information to prove that you understand what's going on, and inform the person on their support line that you'll b expecting someone to call you with a phone number that you can call them back at.
(This is to prevent impersonation. I'd actually check the number to make sure that it belongs to the company in question) -- remember, the hacker may be seing your on-line communications.
Basically, the cops are right... about the only people who can force a real police investigation are at the ISP in question. If they can show that a couple hundred (or thousand) people have been affected by this hack then the cops may get involved.
If you want to be snarky, then you can ask the name of a good local journalist that you can tell your story to.. That might also light a fire somewhere. If nothing else, people in your community need to know that their communications are being logged by someone with clearly malicious intent. Be prepared to spend some time explaining things to the reporter. Someone with the stature to get furr flying is also unlikely to have serious technical computer knowledge. Be ready with a lead-in line to get his attention fast, like:
Law enforcement staffing (Score:2, Interesting)
The best place to call would be local law enforcement (eg. county or state). Depending on their practices, you may or may not get a response. However, the unfortunate reality is most law enforcement agencies are too understaffed and underfunded in their computer crimes departments to be able to give an effective response to individuals. This goes for organizations from the FBI all the way down to your local PD.
All of the money being currently allocated to cyber crime is more geared toward terrorism (Since that's the buzzword these days), or general attacks on public infrastructure, government and large businesses. Furthermore, attacks on individuals are so prolific that I don't think any PD would even know where to begin.
As if that wasn't enough, there is such a shortage of law enforcement professionals who understand and can perform an effective incident response, that even if such PDs and agencies had the cash, they couldn't hire many more quality people. The best security professionals often tend to make their way toward the private sector (Again serving big business or big government contracts) where they'll make real money.
Sadly, you're just not going to get much help these days from government. Someone earlier mentioned posting your problem on slashdot or somewhere else (Does anyone know of a good site to post for home incident response advice), and that's probably the best idea, because you're better off just defending yourself.
Re:This is giving me the cold sweats (Score:2, Interesting)
I think I've protected myself from this kind of thing. I've hard-coded the numeric IP addresses for DNS servers. Somebody correct me if I'm wrong and should be worried.
Re:nothing at all (Score:5, Interesting)
Kind of reminds me of Guillian's (NYC mayor) statement that letting people get away with small crimes usually leads to them committing major ones. Also reminds me of the Washington snipper case-- had the cops cared more about documenting and investigating their convenience store robbery, they would have probably been caught a lot sooner.
Do we really have so much crime in this country that the city cops do not have the resources to care about $10000 crime?
Writer is an idiot. He has C2Media ad/spyware!! (Score:5, Interesting)
Hurricane Electric HURRICANE-3 (NET-66-220-0-0-1)
66.220.0.0 - 66.220.31.255
C2 Media Ltd HURRICANE-CE1076-331 (NET-66-220-17-0-1)
66.220.17.0 - 66.220.17.255
This is the infamous lop.com customized ad/spyware, see lop.com and wrn.net. The thing with the domain suffix is a trick with 127.0.0.1. This type of software typically installs a search toolbar in IE and they seem to come in a multitude of different versions. It's the worst of breed.
C2 Media claims that people click through an EULA and know what they're installing. I know all this because my Dad had a "weird extra toolbar and popups to go online gambling". He found the running binairy, I looked through a hexdump of it and there was their EULA alright. But he never saw it. This critterware can even get installed by merely mousing over a banner.
Don't believe me? Google for "lop.com, adware, toolbar"...
Try calling Scottland Yard (Score:5, Interesting)
Lop.com
Unit 12
571 Finchley Road
Hampstead
London, NW3 7BN
UK
Domain name: LOP.COM
Administrative Contact:
Live, Media webmaster@lop.com
Unit 12
571 Finchley Road
Hampstead
London, NW3 7BN
UK
+ 44 7817 130 743
Technical Contact:
Live, Media webmaster@lop.com
Unit 12
571 Finchley Road
Hampstead
London, NW3 7BN
UK
+ 44 7817 130 743
Registrar of Record: TUCOWS, INC.
Record last updated on 12-Mar-2003.
Record expires on 06-Oct-2005.
Record Created on 07-Oct-1998.
Domain servers in listed order:
NS1.LOP.COM 66.220.17.5
NS2.LOP.COM 66.220.17.5
Re:Writer is an idiot. He has C2Media ad/spyware!! (Score:1, Interesting)
However, your claim that this can be installed by merely mousing over a banner is misleading--this can only happen if you have done something stupid with your security settings (e.g., set to Low or other custom values that are similar).
Re:Who did you talk to? (Score:1, Interesting)
> at an ISP and explain to them that it wasn't
> *your* problem, but *their* problem
I did that once, in a different context. The company was losing sales because, somehow, their traffic was being directed to me. (Error in published contact info or some such, never did find out.)
When I told them about their problem, they raged at me for causing the problem and demanded that I stop!
No, this doesn't make any sense. It's true, but doesn't make any sense.
up the ladder/phones calls are wrong way to turbo (Score:5, Interesting)
This "turbo" link gives advice better than most, but it's still not right. I have read so many times on slashdot posters' advice to work your way up the chain of command in a corporation. That is inefficient and won't get you results.
The turbo article says, "phone the CEO's office". That's better, but a phone call is too easy to blow off and it easily gets lost in the shuffle.
From experience within corporations at the highest levels, here is what works best. When you get blown off by lower level tech support, immediately write a letter to the highest people in the corporate food chain, its Board members or CEO. What typically happens is the letter will be passed down the line to the High Level Person who can handle it (some VP, for example) with instructions scrawled on the letter using a pen by the CEO which says something like, "Look into this, handle it, and let me know what happened."
This is real life, people. Now you've got VPs at the highest level running around trying to solve your problem, who are required to report back quickly to a quixotic boss who has the power to fire them. This process is a model of efficiency - you quickly wrote a letter; the CEO very quickly scanned it, acknowledged the problem and quickly prescribed that a solution be found - and now the engines of the corporation are at work scrambling to solve your problem.
Doing it in writing makes it easier for the CEO to pass the responsibility on quickly. All he has to do is take a few seconds to read your letter, and a few seconds to delegate the solving of your problem. He doesn't even have to try to re-articulate what your problem is through phone calls and garbled telephone tag -- you've done this for him already.
So, this turbo approach gets it only half right. Yes, they're right - working your way up the ladder doesn't work, only down the ladder works. But, you've got to do it in writing, and quickly. That's the way to get fast results.
Re:nothing at all (Score:3, Interesting)
Re:This is giving me the cold sweats (Score:1, Interesting)
It took me a long time to figure out why all these Canadian systems were poking me with DNS requests. One day I got lucky and started trying variants and sure enough, the PTR was something obvious like ns1.foobar.ca.
I don't have that much space - a
My take on this is that I'm running a server that's purposely configured to hand out certain addresses for testing. If you want to ask it questions too, that's your problem. Nobody forced you to take my bandwidth and resources by pointing a resolver at me.
Re:Domain suffix fun.. (Score:3, Interesting)
well, it's not just Windows that does that it is, in fact, part of address resolution that the first thing that gets checked is
Go to the press (Score:3, Interesting)
And some poor spokesman for Charter will have to go on the news and say some crap like "This incident will be thoroughly investigated" or "We take the security of our customers very seriously" or some similar horseshit. Either that, or the TV news dorks will say, with ominous overtones in their voice, "Charter Communications did not return our calls".
Then Charter will either have to do something about it, or they will suffer damage to their image and ultimately to their business. The latter won't help you much, but if it turns out that way, then you know for sure that you've got to stop doing business with them. And you've given them a little bit of hurt that they certainly deserve.
FBI/Federal attitude... (Score:5, Interesting)
I have a dialup inet connection at home. Sux, but that's my only viable option at the moment. I stuck a 6.1 or 6.2 Redhat box on the modem and set it up as a firewall/default gateway for the other 3 (Windows) pc's in the house. The kids have to play online games, etc, ya know. I stupidly left the ftp server running for some reason. Worked flawlessly for 2 years. One day I came home and the box had crapped out in the midst of booting with a strange error. Finally got it up and things didn't even look right. Yup, I had finally had my first experience at being rootkit'd. Fortunately they had used a screwed up rootkit and it didn't like something about my system or the OS and it crashed on reboot.
I freaked out and called the FBI right away in case they wanted the box to 'collect forensic evidence' or something. The conversation went like this, and the money figure is the one he used:
"Hello, FBI"
"Hi, I got my computer system hacked into. What do we do now?"
"Uh, did you lose at least $50,000.00?"
"No..."
"Sorry, we could care less then. Goodbye"
My other story, and I was more upset on it, happened when I worked at the courthouse when the 'dad's'(or mom's) paid the support there so the court could track the payments, then we would deposit it and write our own check to the 'mom's' (or dad's) and mail them out. A person we sent a check to lived in an apartment, but had moved and hadn't given us his/her new address. Someone else was now living in the apartment where we sent the check. To top it off, the post office had mis-delivered the check to a different apartment in the complex. (I know, it is confusing) Anyway, the person who got the check didn't know that the person it was made out to had moved. This person, knowing it was a check for a substantial amount of money, went to the address on the envelope and told the person who (now) lived there that they would only hand over the check for a certain percentage of the amount!!! This person said she would think about it and immediately called us. At this point we have the perfect 'sting' waiting to happen, and all the authorities have to do is be present when the blackmailer returns to settle the deal! So I called the FBI and they said they didn't care, and I should call the postal inspectors office. So I did. This guy said if there wasn't 'thousands and thousands' of dollars at stake he wasn't interested in the least.
So here we have a real crime happening and no one cares, but when some kid goes out and knocks over a few mailboxes they throw the book at em. Those two events alone were more than enough to tell me to NEVER trust the federal gov't nor rely on them to do the right thing where individuals citizens are involved. and this was all before that moron Ashcroft got in charge. (who is unfortunatelly from my state, and boy were we glad to get rid if him, or so we thought!)
Re:F*ck the police (Score:1, Interesting)
Depends where you live, and if you fit their profiles (e.g., driving while black).
Me? I had a similar experience to yours during my grad school years in Boston.
Now I live in $SMALL_UNIVERSITY_TOWN where the citizenry are contented cows, every crime is a newsworthy event, and the tax base supporting the local police is huge.
A few years ago I was shocked when my place was broken into and some jerk carted off everything he could cram into a couple of my suitcases. The shocking part wasn't the break in, but the police response.
It was a Friday night, I called the non-emergency phone number for the police. In less than five minutes my place was swarming with 3 police officers collecting finger prints and a german shepherd trying to pick up a scent. About a week later, I was called back by a detective (!) who apologized (!!) that they had been unable to close the case.
Fuck the police? Not in my town.
DNS redirecting is not dangerous, complaciancy is. (Score:2, Interesting)
Don't wait around for law enforcement. When someone lift's your wallet, whom do you call? VISA or the FBI?. Perhaps you need to learn from this hijack, don't go nuts, screaming rape... Fix it!, put in static IP's, don't use a proxy unless you control it, after all, your ISP could be lookin' at your passwords, and cookies etc. Use SSL and SSH, and know what's going on. When something goes boom, fix it.
Of course the FBI won't help, if it's their hack (Score:3, Interesting)
There could be a whole bundle of subpoenas giving them permission to monitor all communication on Charter's server... or Charter could have simply pointed an FBI agent toward the server room door and given him/her the key. Either way, you have no way of knowing that Big Brother is watching you.
Hopefully, if it's the feds doing the hacking, they're looking for something or someone in particular. Where a hacker might dig through all the transmissions that include 16-digit numbers, the feds may be looking for all requests that include a particular email address. Let's just hope that it's not *your* email address.
Or maybe they've got the digital signature of a prosecutable image -- if it comes across, they check out who it went to and who it came from. You'd better hope you hit the "back" button in time! Of course, you have the 4th amendment to prevent anything they discover from being used against you in court... but that doesn't keep them from using what they find out "off the record" to get "on the record" evidence they can use.
I'm not terribly concerned about the feds (or other gov't agencies) using such a hack to compile a dossier on every Netizen, simply because 1) the signal/noise ratio is too low and 2) the government's built-in inefficiency is the best guarantor of our continued freedom.
volunteer... if you dare. (Score:5, Interesting)
I love all the "I hate the X&!#@ Cops!!" trolls that inhabit this place; youthful rage directed at "the man"... with no concept of what it would be like to live without them.
Here's my challenge to all those who hate the police so much: If you think you can do their job so much better than they can, go help them out. I'm serious... this is a put-up-or-shut-up challenge. I want you to spend some time in the belly of the beast.
When I was a teen, I didn't like cops... but a funny thing happened to me on the way to my current job, I became a police officer, and it's got to be one of the nastiest jobs in the world. As a doc, I deal with drunks/pimps/bangers/dealers all the time, but thankfully they are usually cuffed and/or exhausted by the time they get to me (and some of them STILL fight... ER workers get assaulted all the time by these types. Fortuntately, the pharmacy is mighter than the sword). I deal with them, but I have a full contigent of burly guys +/- drugs to help me out... taking them on mano-a-mano on the street is a very different scenario. I take care of the bad people, but I also take care of the cops that get hurt fighting them. BE THANKFUL cops are out there... you don't even want to know the kind of sociopaths cops deal with everyday, for pretty low pay. You want to live in a world without cops? Go ahead, but be prepared to do your own dirty work. Think you've got what it takes? You'd better be right, because you're betting you life and the lives of your family on it.
Yes, I can hear the "boo hoo! poor cop! go eat more donuts!" trolls now... save it. You trolls can scoff all you want. Feel free to live in your "no cops" world... sounds great on the surface... but getting your ass kicked by some gangbangers when you're walking home from the LAN party some night might change your tune.
If you've got a beef with the "racist, motherf*cking police" and want to change things, then quit complaining and start working. Learn something about the police... volunteer some of your time (it's called community service; look into it). Go to a reserve police academy and get sworn, do some ride-alongs, or donate some of your 3l337 technical skills to their investigative unit (maybe they need computer forensics help).
Try to make things better instead of indulging in typical slashdot cop-bashing... in addition to the satisfaction of helping out your community, you might be surprised by what you learn.
What have you got to lose? Do it.
Comment removed (Score:5, Interesting)
damages caused (Score:2, Interesting)
i hope charter does not call the FBI, cause my suspicion is that is way more than 5000$.
Re:F*ck the police (Score:2, Interesting)
Darn right. Several court cases have determined that the police cannot be sued for failure to protect. That means that yes, despite the "To protect and to serve" motto, it is still your own responsibility to defend yourself. Government does not take responsibility for this, though it likes to try to take away the right.
Sort of ironic thing is, though, that some cops in CCW states (where carrying a weapon is obviously legal, as if the 2nd Amendment didn't make it obvious enough) were asked what they would do if, during a routine traffic stop with a completely ordinary driver, they happened to notice a gun in plain sight. There were responses like, "Call for backup, you never know if the guy is a nut," and, "Get him out of the car to cuff him and then hold on to the weapon." You'd think the police would have a better understanding of what it means for citizens to act legally and within their rights. Unfortunately, many (not all, and I wouldn't even say most) cops have an "us vs. them" attitude.
ISP Support (Score:2, Interesting)
I have had (and am still having) to contact Comcast's technical support for their customers' machines that are infected with Nimbda and are attacking my web server. Ideally, these systems are violating Comcast's (and any ISP's) Acceptable Use Policies.
So, I first was just sending an email for each day's activity to their typical complaint email (abuse [atsign] isp.net) and receiving the automatic response. I figured I could build up a history of reporting before up'ing the ante with my provider.
After a month, I started calling technical support. This basically got me up to tier two (since no one on tier one knew what I was talking about). Later, I got more long distance numbers for internal Comcast contacts, but which, in reality, went no where or to a pre-recorded message.
Next, after two months, I filed a better business bureau (bbb.org) report. _This_ got their attention (when it eventually found the right department). I now have one tech and the tech's boss assigned to my problem. So, now I send my daily (ok, so, I dont send one every day, just one for each day's activity) acitivity to the default abuse line and to the two other people.
Actually, this has been effective. I went from seeing from 500 to 1200 hits a day from Nimbda infected machines to less than 300 a day (on average). There was even a day when it was less than 50, but I found out later that one of their network nodes went down.
sTc
Re:Call tech support, but (Score:3, Interesting)
Play hardball... if the ISP is refusing to admit that their machines are hacked, then they must be doing this on purpose.
I would report to the FBI that the ISP is redirecting all traffic and running man in the middle attacks on you and their other customers and you have discovered it...
If it works, then that at least gets the ball rolling on the investigation and when they find out that the ISP is a hapless victem, then they will have the full attention of the ISP directly in dealing with the issue.
Oh yea... and get a better ISP.
-Steve
Re:Call tech support, but embarrass them too (Score:5, Interesting)
Don't be. Serious threats get blown-off all the time by law enforcement and business. Sad, but true
You need to read Clifford Stoll's The Cuckoo's Egg [amazon.com]. It is an amazing account of how he helped track down the Hanover Hacker (a paid Soviet spy).
The FBI blew him off too, at first. He discovered a hacker was moving through the UC Berkley computer systems at will and using it to crack other systems. He discovered this when he was investigating a 75 cent discrepancy in the departmental billing for computer time. The FBI told him: "don't call us unless it is at least $1 million in damages". Eventually he convinced one agent of the seriousness of the problem (HH was using Berkley and other systems to try to crack DoD systems). Over the course of 3 years, Stoll was instrumental in helping the FBI/CIA and others crack one of the biggest international computer spy rings ever. Stoll was a grad student in astronomy at the time. Great book. Oh and he threw in a really good chocolate chip cookie recipe too.
Get the book, you won't regret it.
I.V.
Local Law Enforcement is the way. (Score:2, Interesting)
If you contact Law enforcement at all, they can come in and take your equipment with a court order at anytime, and they are generally NOT nice about it! Most of the collection personnel do not even know what the lawsuit is about, and as far as they know, youâ(TM)re a pedophile.
Generally, it is not this way with correct cooperation and procedures, however be prepared for anything.
Good luck.
Re:My experience with the feds (Score:3, Interesting)
It's understandable that they may get confused.. They'll start browsing to one server, but eventually requests go to other servers, or come from the wrong IP. Our big site has 16 IP's on just over half as many machines. Some of the machines use teql to manage their load across two ethernet cards, so they hit one IP, but the traffic comes back from another. I've let a few newbie abuse people know that port 80 is the web server (they had no clue), but most of them look at the reports and let the user know straight off that it's their firewall.
I'm very happy with Level3's abuse department. They're careful to forward every real abuse complaint to me quickly. There was a hosted machine broken into once that was port scanning machines, which I did unplug then fix. The hosting customer wasn't very happy that I unplugged his machine, but hey, he didn't take care of security on it, dammit. Most of the time, I think I'm being wierd that I actually reply to every abuse report, no matter how they come in.. It's wierd how many abuse reports end up going to the billing department first..
It's cool that you take care of all your abuse cases too.. We're a rare bunch out on the Internet, but we're making sure at least our chunk of the net is secure.
I agree, it's frequently older people. The worst complaints I get are from older folks who say they've been programming on the Internet for 40+ years (ummm, the 1960 Internet?). I haven't gotten many of those lately. Most of those came in back in the