Slashdot Mirror


Getting Law Enforcement Action for a Large-Scale Hack?

HeelToe asks: "Two nights ago, I sat down to do a few chores with finance websites and check my mail. To check my mail, I use an ssh connection and read it via mutt. I had already hit Slashdot for my semi-hourly dose of content, but then noticed my ssh client complaining about a difference between its cached copy of the server key and the server key presented, so I started investigation. After figuring out what was going on, I contacted the tech support line for my service provider (Charter Communications) to no avail, as well as the FBI and NIPC, again, both to no avail. There are all these laws and all this hype about enforcing these computer crime laws - what must an end user do to get some enforcement done? Read on for more, much more..." Update: 06/21 19:13 GMT by C : As it turns out, the issue wasn't a hack at Charter but a particularly nasty form of Spyware. Still, the question is valid, and some of the suggestions already given have been really informative. Keep 'em coming!

"So I determined that I was connecting to xxx.p5115.tdko.com instead of xxx. I started looking at dns settings. Of course, under Windows, the default is to accept the default dns domain specified by a DHCP server for the PC's ethernet connection. There are settings to disable this, but I hadn't thought about it until now. It turns out, Charter Communications' DHCP servers were infiltrated and were providing p5115.tdko.com as the 'Connection-specific DNS suffix', causing all non-hardened Windows (whatever that means in a Windows context) machines to get lookups from a hijacked subdomain DNS server which simply responded to every query with a set of 3 addresses (66.220.17.45, 66.220.17.46, 66.220.17.47).

On these IPs were some phantom services. There were proxying web servers (presumably collecting cookies and username/password combos), as well as an ssh server where the perpetrators were most likely hoping people would simply say 'yes' to the key differences and enter in their username/password.

Has anyone else seen this type of attack before? Pretty sneaky. I bet it would slip by most people that don't use anything but a web browser. This makes me want to step up my plans to put an OpenBSD firewall in place and allow it as little trust of the outside world as possible, providing more trusted DNS/DHCP services to the hosts on my network. It would be nicer to be able to boot the thing self-contained-and-configured off read-only media and have no writable access to anything from the operating system to totally prevent break-in/tampering.

With respect to the law enforcement issues. I first called Charter, and after 10 minutes on hold was told to submit a report to their abuse account. I asked the tech support rep if they really wanted me submitting the incident report through a hijacked proxying web server. I hadn't yet reconfigured my Windows systems because I wanted to collect as much information as possible while the attack was still live. The long and short from the tech support rep was they'd look at it, but couldn't do anything with respect to responding to me about it unless I submitted that report.

I moved on to calling the FBI. The after hours person had no idea what evidence collection procedures I should follow, nor if their office would even be interested in investigation. I was told to call back during business hours. I did a little searching and found the National Infrastructure Protection Center. I gave them a ring and was asked to fill out an incident report. I was told it would be reviewed in the NOC quickly and a decision made about further investigation. The rep answering the phone said to collect any and all information I could think of regarding the attack. I got a response later this morning that their NOC personnel had evaluated the report and decided not to investigate further.

I called the FBI back this morning, only to be told they generally didn't investigate these types of crimes for individuals, but usually only for companies that had lost at least a couple thousand dollars. To inflate my ego a bit, I asked if I could count my time cleaning up/investigating as a loss of this magnitude and was told no, that it would have to be a financial loss like is associated with internet credit card fraud. Given how Kevin Mitnick was convicted and sentenced on 'evidence' that included employee time for investigation and cleanup, why is this any different for me?

With respect to getting some action on any future attacks - what should I do? Who should I call? I'm not a h/\x0r, and I have reasonable investigation skills, but aren't there professionals doing this to uphold the law? What's the point of all those federal laws anyway? Monitoring of third party communications, without the consent of either party; unauthorized access to Charter's systems - the list can go on a lot further depending on the activity happening at those proxying servers. Are these laws just tools to oppress unpopular computer criminals but just plain not enforced most of the time?

I found this situation and particular method of attack interesting... hopefully this was fun to read. If you have suggestions for what I should do in the future to handle attacks, I'd love to hear about it!"
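Added example (not part of HeelToe's post or any Charter tool): two defender-side checks for the mechanism described above, a DHCP-supplied connection-specific DNS suffix under which a catch-all server answers every name with the same addresses. One function pulls the suffix out of `ipconfig /all` output; the other resolves unrelated names plus a random label under the suffix and flags it when everything collapses onto one answer set. The ipconfig text and the resolver table are constructed so it runs offline; the suffix and addresses are the ones quoted in the post.

```python
import re
import secrets
from typing import Callable, Dict, FrozenSet, Iterable, List

Resolver = Callable[[str], FrozenSet[str]]

# Constructed stand-in for the hijacked subdomain server described in the post:
# every query under the suffix gets the same three addresses back.
HIJACK_ANSWERS = frozenset({"66.220.17.45", "66.220.17.46", "66.220.17.47"})

# Constructed `ipconfig /all` excerpt showing the DHCP-pushed suffix on Windows.
IPCONFIG_SAMPLE = """
Windows IP Configuration
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : p5115.tdko.com
        IP Address. . . . . . . . . . . . : 192.0.2.55
        DHCP Enabled. . . . . . . . . . . : Yes
"""


def dhcp_suffixes(ipconfig_text: str) -> List[str]:
    """Return every non-empty 'Connection-specific DNS Suffix' in ipconfig output."""
    pattern = re.compile(r"Connection-specific DNS Suffix[ .]*:[ \t]*(\S*)")
    return [m.group(1) for m in pattern.finditer(ipconfig_text) if m.group(1)]


def make_table_resolver(table: Dict[str, FrozenSet[str]],
                        wildcard: FrozenSet[str] = frozenset()) -> Resolver:
    """Resolver over a constructed table; names not in it get `wildcard` (empty = NXDOMAIN)."""
    def resolve(fqdn: str) -> FrozenSet[str]:
        return table.get(fqdn.lower(), wildcard)
    return resolve


def suffix_looks_hijacked(suffix: str, probe_names: Iterable[str], resolve: Resolver) -> bool:
    """
    True when unrelated short names *and* a random label that cannot exist all
    resolve under `suffix` to one identical, non-empty address set. A normal
    suffix returns NXDOMAIN for the random label or distinct answers; a catch-all
    server built to funnel traffic to proxies answers everything the same way.
    (A legitimately wildcarded zone also trips this heuristic, so treat a hit as
    something to inspect, not as proof.)
    """
    canary = f"nx-{secrets.token_hex(4)}"
    answers = [resolve(f"{name}.{suffix}") for name in (*probe_names, canary)]
    if not all(answers):
        return False
    return len(set(answers)) == 1
```

To run it against a live resolver, swap `make_table_resolver` for a function that wraps `socket.getaddrinfo` and returns the address set (empty on `socket.gaierror`).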

29 of 721 comments

  1. Post it to Slashdot by ites · · Score: 5, Funny

    Which will do two things:

    1. you will get realtime help. OK, there are better ways but this is a _big_ audience you have here.

    2. post a link to the offending server, and the /. effect will wipe it out.

    --
    Sig for sale or rent. One previous user. Inquire within.
  2. Busted by Anonymous Coward · · Score: 1, Funny

    Stoopid P2P Terrorist. It was probably the FBI watching you and you were dumb enough to blab to them that you had spotted their tap. Get ready to drop the soap in the near future.

  3. There's your problem... by Anonymous Coward · · Score: 5, Funny

    You called Charter tech support?

    It's a wonder they didn't tell you to reboot your modem, reboot your PC and verify that the network card is listed in Device Manager.

    That's about all I've ever gotten out of them.

  4. These laws are not made for you! by Anonymous Coward · · Score: 1, Funny

    These laws were enforced by lobbyists with THEIR and not YOUR money. So you have no right to take advantage of these laws :)

    1. Re:These laws are not made for you! by Sloppy · · Score: 2, Funny
      Yeah, I'm getting tired of these guys. They always use the same argument, "It's not stealing! When I benefit from a law, the corporation that bought it, still gets to benefit from the same law! Laws aren't divisible and you can't 'use them up!'" the idiots say.

      How stupid. These longhairs don't realize that when you use an existing law instead of purchasing a new one, you depress the legislation market. Longhairs, think about it: When you recycle legislation, your senator's next election campaign isn't getting funded. Your city councilor isn't getting his beer money. Do you expect these people to work for free? It's ludicrous. Try to imagine your communist unAmerican utopia, where founders get the laws correct one time, and then everyone lives by the same old laws. The legislators' campaign bank accounts would all be a joke, and any regular Joe off the street, would be able to afford to run against them in the TV ads.

      Foreigners might even get in on it! Do you want an America run by foreigners!? Do you want your senator's re-election campaign run from an office in New Delhi, by people who have never tasted apple pie or seen a baseball game? Our legislators need protection, and it should be supplied by the government itself. We should have the government hire lobbyists to lobby itself, in order to keep the jobs safe.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  5. Very interesting.... by arf_barf · · Score: 2, Funny

    Is this an encouragement to hacking? I guess the moral of the story is that as long as the loot is below 10K, it's fairly safe for the hackers :-)

  6. Tell them you're with by CodeHog · · Score: 2, Funny

    the RIAA. Then maybe you'll get action.

    --
    Fat, drunk, and stupid is no way to go through life, son.
  7. Something similar happened to me once by PhysicsGenius · · Score: 1, Funny
    As you are probably already aware, I run one of the biggest nuclear (research) installations in the US. This means that I have to be constantly on the lookout for security issues. Well, like you, one night I noticed a hack in progress. Some guy was trying to gain access to our plutonium containment facility computer. I was on the phone to the FBI ASAP, as you can imagine. They gave me some similar runaround, so I decided to do a little investigation myself. I ran some pings, traceroutes and a couple of items I have in my toolkit (proprietary, so please don't ask) and figured out where it was coming from.

    cia.gov!!

    You can bet I shut my PC down and walked right out of there and never mentioned this little incident again until now. BTW, this was in early-to-mid September, 2001.

  8. Re:semi-hourly dose of content ? by aridhol · · Score: 4, Funny

    How did he go through the chaff so quickly?

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  9. Re:Domain suffix fun.. by Jellybob · · Score: 2, Funny

    The address doesn't work.

    I just get a bunch of stuff about buying domains.

  10. Re:F*ck the police by druxton · · Score: 2, Funny

    I've been mugged, robbed, and assaulted multiple times in my life

    Ever thought of moving?

  11. Call the big boys.. by Trunkboy · · Score: 2, Funny

    Just report to the RIAA that these individuals were trying to rip the Madonna CD from your CD-ROM. That should do it. ;o)

  12. THANKS FOR THE GEAR DUDE! LOVE, THE COPS by Anonymous Coward · · Score: 2, Funny

    That shit was sweet. Thanks for leaving it in your car. Talk about window shoppin'!

  13. Simple.... by PortHaven · · Score: 3, Funny

    If you can't beat em, join'em!

    First off, do the terrifying...submit to CNN.com or ZDNEWS....

    "Entire Charter One Internet Communications Divisions Security Jeopardized....what data was collected? Why was nothing done to stop this...even after a client reported the crime in progress!"

    Then file a lawsuit or insinuate, by paying a lawyer to make a call and claim that his client is considering filing for damages....blah..blah..blah.

    But the truth of the matter, most of our recent laws are there for two reasons.... a) to protect the powerful, b) to keep the masses subdued.

    Almost none of them are designed to punish actual criminals or protect the common citizenry. Face it, our justice system in America is dying...

    1. Re:Simple.... by Hank+Reardon · · Score: 2, Funny
      Actually, this might not be such a bad idea.

      With the over-the-top reactions reported in the media, this might be exactly what is needed to force Charter One to deal with their fucked setup.

      --
      There's so little difference between politics and jihad lately...
  14. Re:Ratchet the wench some more. by mattsucks · · Score: 2, Funny

    Ratchet the wench

    I've never heard it called _that_ before.

  15. Re:use of SSL/SSH by Rude+Turnip · · Score: 2, Funny

    Agreed. When I need to check my confidential email, I fly from NJ to the hosting center in Texas where my domain is hosted. From there, I plug my laptop into the serial port on the server and run minicom to get in. You just can't be too careful nowadays!

  16. Re:No you were running spyware! by bsiggers · · Score: 2, Funny

    Sssh! No good advice here!

  17. Re:Call tech support, but by Anonymous Coward · · Score: 2, Funny

    Call Homeland Security. Tell them you want to report a terrorist attack.

  18. the Washington snipper by Mantorp · · Score: 2, Funny

    performing illegal male circumcisions, and various amputations in the DC area

  19. Re:nothing at all by Anonymous Coward · · Score: 1, Funny

    You got it all wrong. The cops are there to make sure that the world is not flooded with donuts...

  20. Re:Call tech support, but embarrass them too by tigris · · Score: 4, Funny
    Heh, just thinking of my local Fox station - they'd have a field day with this:
    ::scary music/graphics::
    "Have CABLE INTERNET? YOUR passwords are being STOLEN! CHARTER doesn't CARE! FOX 5 DOES! Story at 10"

  21. Re:No you were running spyware! by cruelworld · · Score: 3, Funny

    Only a terrorist would suggest something like that! You're in on it aren't you!!! Goddamnit, I knew I shouldn't have sent my tinfoil hat out to be dry-cleaned.

  22. Re:use of SSL/SSH by Amer · · Score: 2, Funny

    He's serious, of course. He also goes to his bank datacenter and connects his laptop straight to the database every time he wants to check his checking account. The guys at the bank get a bit pissy, though...

    --
    -- To gain that which is worth having, it may be necessary to lose everything else. Bernadette Devlin McAliskey
  23. Re:Call tech support, but by Greedo · · Score: 2, Funny

    This post not intended to constitute legal advice: if you need such advice, see an attorney, not slashdot.

    Ah ... so that's what I've doing wrong all these years.

    --
    Tuus crepidae innexilis sunt.
  24. If you want to get someone's attention... by scovetta · · Score: 2, Funny

    just trade an MP3 and wait for the RIAA to contact the FBI for you!

    --
    Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
  25. Just eatin donuts? by NewtonsLaw · · Score: 2, Funny

    You've got to wonder what all these Federal Justice employees do with their days.

    Before I started my low-cost cruise missile project, I emailed the FBI and the relevant defense program, letting them know what I planned to do, offering to take on board any suggestions they might have and making my objectives quite clear.

    I got no response at all, save an automated acknowledgement from the FBI.

    After the project captured the media's attention and got broadcast around the world, the authorities stated that they weren't happy and that my actions were "unhelpful."

    Well excuse me! Don't these people read their damned email? If they have a problem with what I'm doing why didn't they simply contact me in the several weeks between when I notified them and when the media picked up the story?

    However, in the wake of the media-coverage and the authorities' apparent dissatisfaction with what I was doing, I sent a follow-up email to the FBI (using the contact form on their website) and the relevant defense agency.

    Guess what -- still no response.

    Has a stack of Federal donuts fallen over and crushed everyone responsible for dealing with incoming email or something???? Or maybe it's just easier to moan about things than actually do something about them.

    Sigh!

  26. Re:it's all about cc: by Anonymous Coward · · Score: 1, Funny

    hmmm. I love the "NOT Counting the Media". What do you think /. is?