Getting Law Enforcement Action for a Large-Scale Hack?
"So I determined that I was connecting to xxx.p5115.tdko.com instead of xxx. I started looking at dns settings. Of course, under Windows, the default is to accept the default dns domain specified by a DHCP server for the PC's ethernet connection. There are settings to disable this, but I hadn't thought about it until now. It turns out, Charter Communications' DHCP servers were infiltrated and were providing p5115.tdko.com as the 'Connection-specific DNS suffix', causing all non-hardened Windows (whatever that means in a Windows context) machines to get lookups from a hijacked subdomain DNS server which simply responded to every query with a set of 3 addresses (66.220.17.45, 66.220.17.46, 66.220.17.47).
On these IPs were some phantom services. There were proxying web servers (presumably collecting cookies and username/password combos), as well as an ssh server where the perpetrators were most likely hoping people would simply say 'yes' to the key differences and enter in their username/password.
Has anyone else seen this type of attack before? Pretty sneaky. I bet it would slip by most people that don't use anything but a web browser. This makes me want to step up my plans to put an OpenBSD firewall in place and allow it as little trust of the outside world as possible, providing more trusted DNS/DHCP services to the hosts on my network. It would be nicer to be able to boot the thing self-contained-and-configured off read-only media and have no writable access to anything from the operating system to totally prevent break-in/tampering.
With respect to the law enforcement issues. I first called Charter, and after 10 minutes on hold was told to submit a report to their abuse account. I asked the tech support rep if they really wanted me submitting the incident report through a hijacked proxying web server. I hadn't yet reconfigured my Windows systems because I wanted to collect as much information as possible while the attack was still live. The long and short from the tech support rep was they'd look at it, but couldn't do anything with respect to responding to me about it unless I submitted that report.
I moved on to calling the FBI. The after hours person had no idea what evidence collection procedures I should follow, nor if their office would even be interested in investigation. I was told to call back during business hours. I did a little searching and found the National Infrastructure Protection Center. I gave them a ring and was asked to fill out an incident report. I was told it would be reviewed in the NOC quickly and a decision made about further investigation. The rep answering the phone said to collect any and all information I could think of regarding the attack. I got a response later this morning that their NOC personnel had evaluated the report and decided not to investigate further.
I called the FBI back this morning, only to be told they generally didn't investigate these types of crimes for individuals, but usually only for companies that had lost at least a couple thousand dollars. To inflate my ego a bit, I asked if I could count my time cleaning up/investigating as a loss of this magnitude and was told no, that it would have to be a financial loss like is associated with internet credit card fraud. Given how Kevin Mitnick was convicted and sentenced on 'evidence' that included employee time for investigation and cleanup, why is this any different for me?
With respect to getting some action on any future attacks - what should I do? Who should I call? I'm not a h/\x0r, and I have reasonable investigation skills, but aren't there professionals doing this to uphold the law? What's the point of all those federal laws anyway? Monitoring of third party communications, without the consent of either party; unauthorized access to Charter's systems - the list can go on a lot further depending on the activity happening at those proxying servers. Are these laws just tools to oppress unpopular computer criminals but just plain not enforced most of the time?
I found this situation and particular method of attack interesting... hopefully this was fun to read. If you have suggestions for what I should do in the future to handle attacks, I'd love to hear about it!"
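The original poster describes two observable symptoms: a DHCP server pushing an unexpected connection-specific DNS suffix, and a resolver that answers every query for that suffix with the same three addresses. The script below is an added example (not code from the poster or from any vendor) showing how a defender could check for both on a host: it parses constructed `ipconfig /all` output for suffixes outside an allowlist, and it flags a resolver as wildcard-like when a sample of unrelated names all resolve to one identical address set. The `ipconfig` text, the query log and the `example-isp.net` allowlist are constructed; the suffix and the three addresses are the ones reported in the post.

```python
"""Added example: detect a DHCP-pushed DNS suffix and wildcard resolver answers.

All input is constructed for this example.  The suffix p5115.tdko.com and the
66.220.17.45-47 addresses are the values reported in the thread; the rest of
the ipconfig text and the query log are made up.
"""
import re
from collections import Counter

# Constructed sample of `ipconfig /all` output (Windows).
IPCONFIG_SAMPLE = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : workstation
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : p5115.tdko.com
   IP Address. . . . . . . . . . . . : 192.0.2.10
   DHCP Server . . . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 192.0.2.1
"""

# Assumption: the only suffix this site expects DHCP to hand out.
EXPECTED_SUFFIXES = {"example-isp.net"}


def dns_suffixes(ipconfig_text):
    """Return every non-empty connection-specific DNS suffix in ipconfig output."""
    pattern = r"Connection-specific DNS Suffix\s*\.?\s*:\s*(\S*)"
    return [s for s in re.findall(pattern, ipconfig_text) if s]


def unexpected_suffixes(ipconfig_text, expected=EXPECTED_SUFFIXES):
    """Suffixes the DHCP server supplied that are not on the allowlist."""
    return [s for s in dns_suffixes(ipconfig_text) if s.lower() not in expected]


# Constructed resolver log: (unqualified name queried, addresses answered).
# Names that should not exist (e.g. "nonexistent-zzz") still get answers.
QUERY_LOG = [
    ("mail", ("66.220.17.45", "66.220.17.46", "66.220.17.47")),
    ("www", ("66.220.17.46", "66.220.17.45", "66.220.17.47")),
    ("intranet", ("66.220.17.47", "66.220.17.45", "66.220.17.46")),
    ("printer", ("66.220.17.45", "66.220.17.46", "66.220.17.47")),
    ("nonexistent-zzz", ("66.220.17.45", "66.220.17.46", "66.220.17.47")),
]


def wildcard_answer(query_log, min_names=3, share=0.9):
    """Return the sorted address set that nearly every name resolved to, or None.

    Answers are compared as sets so round-robin ordering cannot hide the
    pattern.  With fewer than `min_names` samples no conclusion is drawn.
    """
    if len(query_log) < min_names:
        return None
    counts = Counter(frozenset(addrs) for _, addrs in query_log)
    answers, n = counts.most_common(1)[0]
    if n / len(query_log) >= share:
        return sorted(answers)
    return None


def assess(ipconfig_text, query_log):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for suffix in unexpected_suffixes(ipconfig_text):
        findings.append(f"unexpected DHCP-supplied DNS suffix: {suffix}")
    wild = wildcard_answer(query_log)
    if wild:
        findings.append("resolver answers every name with " + ", ".join(wild))
    return findings


if __name__ == "__main__":
    for finding in assess(IPCONFIG_SAMPLE, QUERY_LOG):
        print("WARNING:", finding)
```

On a live host the `ipconfig` text would come from running the command and the query log from resolving a handful of names that should not exist under the suffix; any answer at all for those names is the signal, and the identical address set across them is the confirmation.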
It sucks that the law-enforcement agencies won't help private individuals; however, since it's a company that's being hacked, they should be able to put their resources on it.
I can't say that I don't give a fuck. I've just run out of fuck to give.
I'm not sure if you came off the right way. You may have wanted to ask to talk to a manager at an ISP and explain to them that it wasn't *your* problem, but *their* problem.
Most of the tech support people are used to handling stupid people with simple problems, and probably didn't believe, or realize how bad the actual problem was.
Level 1 support at most ISPs doesn't have any technical skills. They walk through a series of scripted interactions and weed out the 99% of calls that are simple to solve. Good for the ISP, but bad for the 1% highly technical callers.
It's also possible that there is a specific security group that you could contact. You might have to be persistent to find them, however.
I can't help you with getting the attention of law enforcement or the service provider, but when all is said and done, I bet Peter Neumann at the ACM RISKS Digest would love to publish your story. The RISKS readers would be interested in the original hijacking, and just as interested in the lackadaisical response by those who could do something about it. The risks posed by both problems are the forum's reason for being.
Look it up, it matches the IPs. They're spyware. Looks like they're doing some serious assholish stuff.
This is a very standard type of attack and a standard FBI response. FBI damage trigger is $5,000 IIRC. If the ISP calls the FBI, they can get the ball rolling. You can't, and frankly it's none of your business since it's the ISP server that got hacked. I wouldn't do anything beyond calling the ISP. You can't claim financial losses, because you didn't lose any money directly as a result of this hack.
Of course, that only affects those who use passwords for SSH. I generally prefer RSA user authentication. One of the reasons is laziness - I only have to enter my key's password once, and it authenticates to SSH servers for me. And, of course, there's security. Because I don't enter my password over the wire, there's no way for it to be intercepted.
I can't say that I don't give a fuck. I've just run out of fuck to give.
Our biggest problem isn't breakins, it's posting web site passwords on the net.. Hey, it's still someone using an illegal means to access materials (yada, yada, yada).
We do our own defenses, but I always see the users or proxies attempting crap.. I tried calling a few providers, but they're completely dense when you say "someone on your network is attacking one of my servers." Somehow they manage to get the stupidest people handling their support desk, who can't even comprehend what a server is. If you do manage to get to an abuse department, they'll rarely do much.
A few years ago, I got tired of fucking with the help-desk people to complain to, so I called the FBI. They took my information, and had an agent call me back.. It took a couple weeks to get the return call, but I did. He was actually well informed, and seemed to know at least the basics of how the Internet worked. He also said that I'd have to prove a monetary loss. The minimum amount was $5,000, if I recall correctly. It isn't enough that someone can abuse the shit out of your system, you have to prove that you were losing money in the process.. So I have to make the decision, do I set up the system poorly enough so we do lose sales/members over fairly simple attacks, or do I just forget trying to get anyone to help.
Recently, a friend of mine rewrote a site for selling calling cards on the net.. The company is an established real-world business, they just wanted to expand... So, she spent a few months putting together a kick-ass site, with all the bells and whistles that the owner asked for.. About a month after it went live, someone started hitting it with fraudulent transactions. Even with all her normal precautions (and a few of mine), and using a 3rd party billing company with their own precautions, they still got hammered for about $10,000 worth of fraud.. The FBI was willing to take a report on this one, but never investigated, and never did anything about it.. She (the programmer) had got the IP's of the users, found out who owned the blocks. We actually knew where they physically were and told the FBI. If they were interested, they'd only need to send one agent where we told them, and close the case. They didn't. It's still an open case with no leads. {sigh}
There were IP's in two different /24's doing the fraud.. They were coming back about once per day and doing the same scam. Each one was an Internet cafe thing, so fairly obviously it's someone sitting on a public machine trying not to get caught. But, they were both at least 1000 miles from where we were, so it was pretty useless for us to catch them. It would have just been so easy for the FBI to send one agent out. $10,000 fraud on one site is nothing. I'd be more than willing to bet that they were hammering a whole bunch of sites with those same transactions.
We called the cafe owners and told them what was happening. Their suggestion was to call the police, they weren't going to stop anything. {sigh}
Knowing how bad they are to stop things, I wonder if I'm doing the wrong thing, staying on the legitimate side of things. If we can literally say "The guy sitting in this cafe is running tens of thousands of dollars in fraudulent transactions per day, and stole from us" with proof, and they won't touch it, how much evidence do they really need against someone to do something?
Yeah, we see the big "some hacker caught" stories occasionally, but honestly with all the crime going on (yes, there's lots), it's only rarely that you hear about someone getting caught.
Serious? Seriousness is well above my pay grade.
Now the wannabe computer criminals know that there is little to no danger in pulling off such computer crimes, because those that care enough to act are too small to be heard, and those that are large enough to be heard don't care enough to act.
It is quite sad that the ISP took no interest in a breach of its own security, which only encourages future breaches, since the perpetrators know that they will get away with it, not because they are 1337 h4x0rz, but because nobody will look into it.
It won't be long before such attacks become as commonplace as email viruses if the proper authorities don't act now, and, more importantly, the ISPs don't take heed of this danger. Lack of enforcement does indeed encourage crime.
Oh, was that my outside voice?
Now what? How do I know when I am at risk? What does the normal schmo do in a situation like this?
Should I stop accessing any financial websites that I use?
This is the one thing that's always made me paranoid, so what if I have a firewall, if my ISP is hijacked, then what do you do? It's not like I have options out here, Charter is it, unless I want to bend over for Sprint's DSL (which they charge you tons of cash to cancel your account among other nefarious things...) or satellite (ugh)
So what does it take to get the FBI to investigate? There are about 4 different things the bad guys could do:
The problem is you don't fit into any of these categories for the FBI. Suppose you did come up with the required damages. Then the FBI have to choose whether to pursue your case or another. If someone else is causing more problems, they'll investigate them instead of your case. If you don't have any idea who's doing the hacking, then again they'll probably go after someone who they think is easier to catch. Last, they'll try to decide whether or not they think the case will lead to an easy conviction. If not, again you're screwed.
Basically it's a matter of priorities, and this doesn't sound like a large enough hack to be more than the blip of a Cessna at an international airport full of 747's.
It sucks, but that's how it is. What would be good is if hacking resulted in a fine, or some other misdemeanor. Then convictions would be easy, and the bad guys would quickly learn crime doesn't pay in the small case, and the big cases result in the FBI actually going after them.
Ha, no doubt. The police are definitely not there to serve the people. They're there, apparently, to direct traffic from parking lots (drive around Seattle at 4-5PM some time and count 'em - I've seen at least 6, in Seattle Police uniforms, indicating they're working for the city).
It sounds to me like we need to cut back on police spending if they're not going to help the taxpayerfolk.
- Email Extraction Software
- Realtime IP Tracking - Buy 25,000 visitors
- Create freedom,wealth,...
and so on. If nothing else, the attack you describe is a way to harvest current email addresses.
I spoke to an FBI agent about this once. She told me that their computer crimes division is so extremely busy that they only concentrate on the cases involving about 250K or more since they don't have the resources to investigate everything. Additionally, she told me that when making a case to the FBI, your time and expenses in the initial investigation are valid monetary losses and can be included in the net loss resulting from the hack. However, you need to have suffered serious losses to get your case looked at by the FBI.
Sorry. But they are busy.
Troy
The government is worthless in this. They're reactionary, not preventative, and even then will only give you the time of day if there's hard money or data loss involved.
Charter was woefully unconcerned, and as their customer, I'd raise hell, escalating up their corporate food chain.
To get at the actual attacker, go the next rung, look at who owns/controls the IPs that you're being redirected to.
http://ws.arin.net/cgi-bin/whois.pl?queryinput=!%20NET-66-220-17-0-1
CustName: C2 Media Ltd
Address: P.O. Box 1113
City: Shalimar
StateProv: FL
PostalCode: 32579
Country: US
who are in turn a customer of Hurricane Electric
TechHandle: ZH17-ARIN
TechName: Hurricane Electric
TechPhone: +1-510-580-4100
TechEmail: hostmaster@he.net
OrgTechHandle: ZH17-ARIN
OrgTechName: Hurricane Electric
OrgTechPhone: +1-510-580-4100
OrgTechEmail: hostmaster@he.net
Go to Hurricane, and ask them why they're letting this go on. They'll be more concerned. You've indemnified Charter in your service agreement, most likely, and can't sue them. Hurricane has no such protection from you and will, ironically, be more responsive than your own ISP.
Second, hey guys, the site's still up. Get off your lazy asses. ;)
-Looking for a job as a materials chemist or multivariat
I really don't know what to say, except what I put in the subject line.
You're overreaching a bit.
The end-user isn't an official representative of the victim. Obviously, law enforcement isn't going to deal with him. Firstly, for (the feds) to get involved, they need at least $5000 damage, which he couldn't speak to. They're not going to waste their time unless there is a willingness to prosecute, which - guess what - also requires an official representative to commit to. Finally, if they do get involved, their next step is to ask for logs and other evidence - which, at best, the end-user only has symptoms of. Again, they need to deal with the duly authorized representative of the ISP to get anywhere.
From the sound of it, they actually went out of their way to try and help him reach the minimums to be considered a valid case himself. That's actually pretty amazing by itself.
Here are the local TV stations for St Louis. It's probably a big "who cares?" to them. They seem to like stories about lost puppies and sick kittens more than real news.
http://www.ksdk.com (NBC #1 in ratings)
http://www.kmov.com (CBS #2 in ratings)
http://www.fox2ktvi.com (Fox #3 in ratings, good investigative reporters)
(ABC affiliate gave up on local news)
Tack on Charter's accounting scandals for more ammo.
Those who can do. Those who can't sue.
In general the reason being: it's not a federal issue until it hits >$5,000 in damages. Until then you are supposed to deal with your local organizations (there is a reason for your local government, you know. Does one go directly to the CEA to get more toilet paper in the bathroom?).
In this case specifically a reasonable analogy would be: a technically competent end-user in a corporate environment doesn't contact the FBI, their IT dept does. The user here doesn't have control over the DHCP/DNS servers, doesn't manage them in any way. What do you expect from a federal organization in this situation... 20 feds flown down to look at an end-user's system that hadn't received any monetary losses yet?
A more defined notification authority would be nice, but you can't expect every single end user to call the FBI. As an end-user, contact your local officials; you are paying taxes for them. If you are the owner of the compromised systems and you incurred financial loss then you can bump it up to a federal level (remember local/state organizations can sometimes even provide better service than the FBI, and then there are some that are stupid).
You know, you don't need to present your ID to a police officer...They can't even prevent you from walking away from them if you aren't being charged with a crime...
Read up on some ACLU stuff...their site is pretty interesting. I think they have a little card you can carry in your wallet which lists your Civil Rights. I find it very informative.
I hate our damn system where everything has to be taken to court, but it sounds like you are out of options. Get someone from the ISP on the phone, and make sure to ask them for their first and last name. Then mention that you haven't gotten any kind of reasonable response to your issue, and how you wouldn't want it to have to degenerate to a small claims court case. Ask for their manager, and I am sure they will get them for you.
If you make them aware of the issue, and they refuse to respond to it, they are negligent. For crying out loud, you are trying to HELP them. Be sure to point that out, politely, of course. Make them realize that they want to resolve the situation.
My beliefs do not require that you agree with them.
Heard of fax? hand-delivery? overnight mail? The fast delivery problem is readily solved.
Secretary screening? In my experience, not many people are writing these types of letters, they're too busy working their way inefficiently up the ladder. Also in my experience, these letters get noticed and do make it to the CEO's desk or get otherwise appropriately addressed. Exceptions happen, I'm sure. But the method which was described usually does work best.
Did you so much as read the entire body of text?
He never said that he was hacked, he said that there was some sort of DNS poisoning at his ISP's DNS servers.
What you say is technically true, but ssh1 users are still vulnerable to man in the middle attacks even if RSA user authentication is used.
The attack relies on an incredibly non-obvious flaw in the ssh1 protocol which was fixed in the ssh2 protocol. While an attacker cannot get your passwords using this attack, he can interpose between the client and server and intercept all traffic for that session. The error message saying the server host key has changed is your only clue that such an attack is going on.
You can read about the details in this paper. Unless you are using ssh2, you should be very wary of sudden changes in the server host key, even if you are using RSA authentication, and even if you appear to be connected to the correct server.
1) Bookmark this site. This is the first and best place to go when hacked and is a great source of education in general for victims of hacking.
2) You're right about the FBI. They are very limited in their scope of assistance. The only other victims they would take immediate action with are attacks on other State, local or US governmental sites (i.e. State Funded Universities, Governmental offices, etc.)
3) Scan your logs on a regular basis.
4) Check this link out. This is the NSA's recommendations on how to hammer down Cisco Routers, Windows 2K, XP, and NT4 Operating systems. These should be used as a guide as following all the steps in this manual would turn your machine(s) into bastion servers.
5) Be prepared for the ISP not talking to or working with you on this issue. Prodigy, Qwest, and Sprint used to be and in some cases are REALLY bad at this.
Dolemite
______________________
Save the World! Use a Quote!
Here's how you remove it:
LOP Removal
Excerpt:
Lop masquerades as an mp3 search engine. It is capable of:
Hijacking your starting page
Adding the Lop Toolbar to Internet Explorer
Adding the Lop Toolbar to Windows Explorer
Causing frequent Windows Explorer & Internet Explorer crashes
Popup advertisements
Adding Lop links to your Bookmarks (Favorites)
Installing software on your PC without your consent
Tracking your site visits and reporting them back to Lop (for advertising purposes)
Now where's my check for the 5 minutes that it took to google for this? Your question of "Why don't these agencies handle these kinds of problems?" is ironically answered by your real issue. The FBI is not your local computer repair shop.
I would run a program like Ad-Aware to remove any other spyware that you have installed. And next time that you're "hAx0r3d" go to google and search for "hostnamethatisHax0ringme.com spyware"
Um, no. SPD are allowed to wear their uniforms while they are off-duty, providing security or directing traffic for private companies. Have you ever seen a cop standing around in a grocery store late at night? They're paid by the store, not the city.
No, a successful man-in-the-middle attack will affect anyone using SSH, whether they use passwords, RSA keys, or anything else.
Because I don't enter my password over the wire, there's no way for it to be intercepted.
Not your login password, no. But anything else you enter or view can be. Su to root? Now they know your root password. Read your mail? They did too.
My future's determined by Thieves, thugs, and vermin -- The Offspring
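Both the post about the ssh1 protocol weakness and the reply above make the same defensive point: with an interposed server, the only clue the client has is that the presented host key differs from the one it recorded earlier. The script below is an added example (not from any poster, and not OpenSSH's code) of that check done explicitly: it loads a constructed `known_hosts`-style file, computes an OpenSSH-style `SHA256:` fingerprint of the presented key, and returns a verdict of `ok`, `unknown` or `mismatch` together with whether a strict policy would allow the connection. The host names and the key blobs are constructed placeholders, not real key material; the `strict` flag is this example's own parameter.

```python
"""Added example: host-key verification against a known_hosts file.

Hosts and key blobs below are constructed placeholders (not real keys); they
are base64-encoded the way OpenSSH stores key material so the fingerprint
routine behaves like the real one.
"""
import base64
import hashlib


def _blob(text):
    """Encode a constructed placeholder as a base64 key blob."""
    return base64.b64encode(text.encode()).decode()


# Constructed known_hosts content in the plain "host keytype key" format.
KNOWN_HOSTS = (
    "# constructed example file\n"
    f"shell.example.org ssh-rsa {_blob('constructed-host-key-for-shell')}\n"
    f"mail.example.org,mail ssh-ed25519 {_blob('constructed-host-key-for-mail')}\n"
)


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint: base64 digest without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def load_known_hosts(text):
    """Map each host name to (keytype, key_b64).

    Comma-separated host lists are expanded; comments and blank lines are
    skipped.  Hashed ("|1|...") entries are not handled in this example.
    """
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        hosts, keytype, key_b64 = line.split()[:3]
        for host in hosts.split(","):
            known[host] = (keytype, key_b64)
    return known


def check_host_key(host, keytype, key_b64, known, strict=True):
    """Return (verdict, allow_connection).

    verdict is 'ok' when the recorded key matches, 'unknown' when the host
    has never been seen, and 'mismatch' when a different key (or key type)
    is presented for a recorded host.  A mismatch never allows the
    connection; an unknown host is allowed only when strict is False.
    """
    recorded = known.get(host)
    if recorded is None:
        return ("unknown", not strict)
    rec_type, rec_key = recorded
    if rec_type == keytype and fingerprint(rec_key) == fingerprint(key_b64):
        return ("ok", True)
    return ("mismatch", False)


if __name__ == "__main__":
    known = load_known_hosts(KNOWN_HOSTS)
    presented = _blob("constructed-attacker-key")
    verdict, allowed = check_host_key("shell.example.org", "ssh-rsa", presented, known)
    print(verdict, "connect" if allowed else "refuse", fingerprint(presented))
```

The mismatch branch is the warning the posts describe; treating it as a hard refusal rather than a prompt is what removes the "just say yes" path, and a strict policy for unknown hosts closes the first-contact gap as well.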
True, snail mail will take a couple of days, but it will get there -- a phone call might not.
If the issue is important enough to you to spend a few bucks on, send it Priority Mail or FedEx or equivalent. Not only will it get there faster (especially FedEx etc), it will be perceived as More Important and less likely to get hung up with a secretary.
-- Alastair
Hope you didn't give them your /. user id and pass.
1) If you are/were due a refund there are no penalties. If you owed you would have received a bill for late filing, late payment and interest.
2) The Pitney Bowes meter is not a valid proof of mailing - for exactly the reason you describe. Only the official rubber date stamp at the post office (and now UPS, and I believe FedEx)
Actually, it was not spyware.
I queried the dhcp server from a unix-alike box and got the same response back from it for the connection's dns domain as I did under windows. The DHCP server was handing it out for sure.
Failure to do so makes you subject to arrest for failing to obey an officer. Once you are under arrest, the game is over. You can be searched and the officer may then proceed with his 'investigation.'
I think reading and believing what the ACLU says about anything is a lot more likely to get you arrested and jailed than simply obeying and cooperating with that officer. ACLU or not, until that police officer dismisses you in the course of the lawful discharge of his duties, you are obliged to obey his lawful orders.
Dawn of the Dead
True, if a police officer orders you to stay and talk, you must stay. However there is no requirement to talk. If the officer demands identification and doesn't need it (he must charge you for a crime unless you are in a car, or other situation where you must present id, not all of which I know), you should not give it. You should however demand his badge id, which he is required to give you. If the officer needs identification, which will be most of the time they ask, provide it.
Anytime you think a cop is doing something wrong, or even questionable, get his badge id. Write it down. If the cop has a pen and refuses to lend it to you to write his id number down, that is his right, but be sure your complaint includes how unhelpful he is. The badge id is the best way to ensure that the cop causing you trouble gets into trouble. Trouble that appears on his record. It may or may not result in action, but it normally stays on the record. If this is an isolated incident we can all forgive it, if this is not, eventually someone will make a big stink about it, and then all the other incidents will come to light.
BTW, make sure you save those badge ids yourself, along with a note on exactly what happened. If you hear about some officer doing "bad things" (which normally means bad enough that it gets attention, may or may not be really bad), contact a reporter, and suggest that they examine that officer's files to make sure your report is there. They might not be able to, but it makes a really good follow up story to be able to say that the officer did "bad things, of other nature" before and nothing was done about it. Makes a local story into headline news all over the state, and reporters love that.
Of the bad ones, Lop (which you have) is far and away the most difficult to get rid of. It has many separate components, a Browser Helper Object, an executable launched at startup via an entry that's in your registry's HKLM/Software/Microsoft/Windows/CurrentVersion/Run key, (and possibly in RunOnce and/or RunServices, plus in the same path under each user as well), and others. I think it may even replace your WSOCK32.DLL but I don't remember if Lop is that one. If it is, it certainly would explain why your DNS went haywire. The deal with Lop is that all these components watch over each other. If you delete or disable one component, the others silently patch the hole next chance they get.
To answer your question, I've never heard of it affecting a firewall/router. (I kind of assume you're running a Linksys, but regardless of the make & model make sure you don't still have the default password on it.) If Lop patched your winsock layer, the Windows box would be completely unable to tell you the truth about DHCP or DNS.
It's not quite as bad as kudzu, but it's definitely not something you want.
Anyway, I've found Spybot S&D to be a most excellent tool with frequent and current updates. It's the first thing I run every time I visit friends or family and they want me to look at their computers. It's also free, (but donations are welcome.) I switched from the paid version of AdAware+ after they failed to release V 6.0 on time. I do wish that the anti-virus vendors would block some of this crap.
Other things I run to defend my Microsoft equipment from this stuff?
John